PC Tools Firewall Question

I've just installed PC Tools Firewall. I'm running XP, SP2 with all critical updates, SuperAntiSpyware and NOD 32.

In looking at the logs, I find 10 or 15 entries in about 1 or two minutes which read as follows:

Rule: TCP/UDP: Any other packet Zone: Internet Zone Action: blocked Type: UDP Additional: Port Dest: 137 Src 137 (some are to 138)

What are these?

TIA

Louise

Reply to
louise

Yes. For what purpose?

So you don't really need this so-called "firewall".

Log entries.

You shouldn't be running software you don't understand. Otherwise there is

formatting link

Reply to
B. Nice

Being as smart as you seem to think you are, I'm surprised you're not aware that PC Tools is not providing support for their free firewall.

So, if you know the answer to my question, I'd really appreciate the information. People post here to learn and to help others. In this case, I'm hoping to learn.

Louise

Reply to
louise

Louise, you made an outstanding response. Casey

Reply to
Casey

I'm not surprised they don't.

Your logs seem to indicate that your "firewall" has blocked some packets from other machines destined for your machine's port 137. Just like your built-in packet filter (the XP firewall) would have done.

And I'm trying to point you in a direction to learn that you don't need a "personal firewall". Since you seem unable (or reluctant) to answer why you installed one in the first place I assume I'm right.

Reply to
B. Nice

And nowhere did you indicate what version you were running.

Reply to
B. Nice

For the record, although PC Tools says they do not offer "support" for the firewall they do offer bug fixes (they are working on an update at the moment for a problem with version 2.0.0.9). They also have a public, moderated forum where you can post questions and have them answered by other knowledgeable users. The advantage over an NG (which is not moderated) is that rude and otherwise inappropriate posts are deleted.

Reply to
Victek

Reply to
Bullseye

Thanks for your help - I will read it.

Louise

Reply to
louise

It's very clear who has the sole advantage of such forums. You sure will be among friends :-)

BTW, are you somehow related to the xyz.com domain? If not may I suggest you use an e-mail address of your own or use a .invalid domain?

Reply to
B. Nice

.invalid still doesn't make a valid mailbox. As by RFC definition, a mailbox is an SMTP-reachable mail account that receives mail. And the purpose is obviously that you don't create any errors for those who are trying to send you mail.

Reply to
Sebastian Gottschalk

Ports 137/udp and 138/udp are most likely NetBIOS traffic. However, that's a mere guess, because the logs lack significant information (including at least IP addresses, interface and direction), which makes them pretty much worthless.

cu

59cobalt
Reply to
Ansgar -59cobalt- Wiechers
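The reply above can be turned into a small triage step. This is an added example, not part of the original thread and not PC Tools code: it assumes the flattened entry layout quoted in the first post, runs on constructed sample lines, and uses hypothetical field names (`src_ip`, `dst_ip`, `interface`, `direction`) for the details the reply says are missing.

```python
import re
from collections import Counter

# Windows networking ports named in the thread, keyed by (protocol, port).
NETBIOS_PORTS = {
    ("UDP", 137): "NetBIOS name service",
    ("UDP", 138): "NetBIOS datagram service",
    ("TCP", 139): "NetBIOS session service",
    ("TCP", 445): "SMB over TCP",
}
# Details the reply lists as absent from the quoted entries (names are hypothetical).
TRIAGE_FIELDS = ("src_ip", "dst_ip", "interface", "direction")

# Assumed layout: the single-line entry as quoted in the first post.
ENTRY = re.compile(
    r"Rule:\s*(?P<rule>.+?)\s+Zone:\s*(?P<zone>.+?)\s+Action:\s*(?P<action>\w+)\s+"
    r"Type:\s*(?P<proto>\w+)\s+Additional:\s*Port\s+Dest:\s*(?P<dport>\d+)"
    r"\s+Src:?\s*(?P<sport>\d+)"
)

# Constructed sample lines in the shape of the quoted entry.
SAMPLE = [
    "Rule: TCP/UDP: Any other packet Zone: Internet Zone Action: blocked "
    "Type: UDP Additional: Port Dest: 137 Src 137",
    "Rule: TCP/UDP: Any other packet Zone: Internet Zone Action: blocked "
    "Type: UDP Additional: Port Dest: 138 Src 138",
    "Rule: TCP/UDP: Any other packet Zone: Internet Zone Action: blocked "
    "Type: UDP Additional: Port Dest: 137 Src 137",
    "a line that is not a firewall entry",
]

def parse_entry(line):
    """Return the entry as a dict, or None if the line does not match."""
    m = ENTRY.search(line)
    if m is None:
        return None
    e = m.groupdict()
    e["proto"] = e["proto"].upper()
    e["dport"], e["sport"] = int(e["dport"]), int(e["sport"])
    e["service"] = NETBIOS_PORTS.get((e["proto"], e["dport"]), "unclassified")
    # What would still be needed to say who sent the packet and on which link.
    e["missing"] = [f for f in TRIAGE_FIELDS if not e.get(f)]
    return e

def summarize(lines):
    """Count parsed entries by (action, service); unparsable lines are skipped."""
    entries = [e for e in map(parse_entry, lines) if e]
    return Counter((e["action"], e["service"]) for e in entries)

if __name__ == "__main__":
    for (action, service), n in summarize(SAMPLE).items():
        print(n, action, service)
```
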

I ran into problems with PCTools because something they're doing is provoking AV software (NOD and AVG), even their newest version. I decided I really didn't want something that was so buggy because I couldn't trust it. I read the forums on their site and decided to wait quite a while before going near it.

So I tried Kerio 2.1.5 which is light and "to the point". I added the rules you suggested about port blocking and all is running beautifully and taking minimal resources. I also found a site that gave tips on setting rules for kerio and, for whatever they are worth, I'm passing the Shields UP tests on both my desktop and my portable.

Thanks for your suggestions about port blocking.

Louise

Reply to
louise

And has known vulnerabilities. I rest my case.

And messing up your network connectivity.

Ehm... and you don't consider this as a *bad* thing?

Reply to
Sebastian Gottschalk

This seems questionable as to just what are you trying to accomplish.

So, it's to be assumed that the two machines that are connected to your router, the LAN or Local Area Network, are never to share resources or network between the two, which are the ports you're blocking below with the PFW.

Ports 137-139 are your NetBios ports, which, unless you are on a local area network, probably should be blocked. Most firewalls have NetBios

If the machine is never to network, then simply remove MS File & Print Sharing and Client for MS Network off of the NIC (Network Interface Card) and those ports you have blocked including port TCP 445(NT based O/S such as XP) are not open *period*. You don't need to set any rules with a PFW for those ports as they are not open.

Why are you blocking the Windows Networking Ports while your machines are sitting behind a NAT router and those ports are closed to the WAN/Wide Area Network - the Internet, by default?

No computer from the Internet can get to your machines on those ports and network with a machine, because they are behind the router.

That's unless *you* configured the router to open those ports. If you didn't do that, then it's a moot point of you setting rules with the PFW running on the computer to block the ports.

It only makes sense to set PFW rules to close those ports if the machine had a direct connection to the modem and therefore to the Internet. You don't want the machine in that networking situation -- that's bad.

The other reason would be that your laptop was on a LAN wireless or wired and it was not your LAN. It would be another reason you would want to set rules to close 137-139 UDP and 445 TCP with a PFW or remove the services off of the NIC to close the ports so that the machine couldn't network.

You seem very confused.

Reply to
Maximum Dog4

I may be very confused - but I'm not sure where my confusion is and perhaps someone could explain it.

My laptop and desktop are not networked and do not share files and/or printers. I don't want to remove this capacity (by removing files), as I might want to network them at some point in the future, but right now they are not networked and I don't want them to be.

I sometimes use my laptop on other wireless connections that are open and available either in other locations, or even in my own house if I'm doing a lot of uploading with my desktop. I also use it at friends' houses - they frequently haven't secured their networks. In other words, there are times when I hook into someone else's network - someone who has left their network unsecured. So, I certainly want my ports blocked at those times, don't I? My laptop travels many places and finds signals when possible.

Why is Kerio such a questionable product? My impression was that it was more reliable than Sygate, clearly doesn't transmit the virus that PC Tools seems to be transmitting and does not drain resources the way Sunbelt/Kerio or Outpost do. I regret being unable to use Comodo but it conflicted with both WinFaxPro and also with the spam filter I use with Outlook.

So, could you please explain what I'm confused about so that I can learn? I thought I'd done a good job :-)

Louise

Reply to
louise

What doesn't have "known vulnerabilities" - the same applied to Sygate, as I understood it. And Comodo simply doesn't play well with some other software on my machine.

Blocking the ports doesn't appear to have messed up my network connectivity at all - what "mess" are you referring to?

Why is it a "bad" thing to pass the Shield UP test?

Thanks.

Louise

Reply to
louise

About any serious security software. After all, any reasonable person would consider such a thing unacceptable.

Non RFC-conformant behaviour, broken PMTUD, broken Load Balancing, ... if you actually had a clue what you're doing, this would be obvious.

Because it testifies that your network connectivity is broken and your configuration is messed up.

Reply to
Sebastian Gottschalk

You're not removing files. All you're doing is removing the services off of the NIC, unbinding them off of the NIC, so no networking with the machine is possible. If you do want to network the machine at a later time, then you simply bind the services/protocols back on the NIC.

If you unbind the networking services off of the NIC, the machine cannot network. The networking ports are not open, period, because the services that would open the networking ports to allow networking are not on the NIC and are not active.

This has nothing to do with the PFW, but rather, your ability to understand, control and protect the O/S, which removing the networking services off of the NIC protects the O/S, since you have no intention of the machine ever being in a networking situation -- not even on your LAN.

You remove the services off of the NIC, the machine cannot network no matter what you connect the machine to in a LAN situation or the machine is directly connected to a modem and the Internet/no router between the modem and the computer. It flat-out cannot network when the services are not there.

You go to the O/S and configure it/harden it to attack, not the PFW. You understand and learn how to control and protect the O/S.

formatting link
This link may help you understand. You un-check Client for MS Network and MS File&Print sharing and the machine *cannot* network *period*.

formatting link

Reply to
Maximum Dog4
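Whether the Windows networking ports are actually bound after changing the NIC bindings can be checked from `netstat -an` output rather than assumed. This is an added example, not part of the original thread: the function name is hypothetical and the sample text is constructed in the column layout that `netstat -an` prints on Windows.

```python
# Ports discussed in the thread: 137-139 (NetBIOS) and TCP 445.
WINDOWS_NET_PORTS = {("UDP", 137), ("UDP", 138), ("TCP", 139), ("TCP", 445)}

# Constructed sample; addresses are illustrative.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1045      203.0.113.5:445        ESTABLISHED
  UDP    192.168.1.10:137       *:*
  UDP    192.168.1.10:138       *:*
  UDP    0.0.0.0:500            *:*
"""

def bound_windows_ports(netstat_text):
    """Return (proto, local_addr, port) for each NetBIOS/SMB port that is bound.

    TCP rows count only when LISTENING; UDP rows have no state column, so any
    UDP row whose local port matches counts as bound.
    """
    found = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # headers, blank lines, anything that is not a socket row
        proto, local = parts[0], parts[1]
        state = parts[3] if len(parts) > 3 else ""
        if proto == "TCP" and state != "LISTENING":
            continue  # an outbound connection is not an open local port
        addr, _, port = local.rpartition(":")
        if port.isdigit() and (proto, int(port)) in WINDOWS_NET_PORTS:
            found.append((proto, addr, int(port)))
    return found

if __name__ == "__main__":
    for proto, addr, port in bound_windows_ports(SAMPLE_NETSTAT):
        scope = "all interfaces" if addr == "0.0.0.0" else addr
        print(f"{proto} {port} bound on {scope}")
```

An empty result on a machine's own output means none of those ports is bound locally, whatever the firewall rules say.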

Known and unfixed vulnerabilities that are not going to be fixed, because the product is out of support.

Aside from Sygate having a serious design flaw: the same applies to any software that isn't supported by its vendor anymore.

[...]

My experience with personal firewalls as well as what I hear from users of personal firewalls is that many of them will sometimes fsck up the network connection(s) for no apparent reason.

It's not a bad thing per se. However, Steve Gibson doesn't really have a clue when it comes to network and computer security, so his conclusions and recommendations usually are misleading, to say the least. "Shields UP" is okay if you can distinguish between fact and superstition. However, in that case you'd probably be using something else (like nmap) anyway.

cu

59cobalt
Reply to
Ansgar -59cobalt- Wiechers
