Possible firewall problem?

I'm noticing an occasional entry in my firewall logs and I'm not sure if it's a problem or not. I'm seeing a 40 byte TCP packet going outbound from my local port 25 to a remote port (seems to change, but last one was 4043). The remote IP address doesn't look familiar. Seems to be just a random address somewhere. In the info column of the logs, it just says TCP flags: RST ACK.

Could this indicate that packets are somehow getting thru the firewall and my system is responding with an outbound packet like this?

The firewall is blocking the outbound packet. I'm just wondering what is causing it in the first place..

Reply to
Kerodo

Thanks Duane, I have both here. I see nothing unusual. It's a brand new Win2k install, just reformatted and installed yesterday. No viruses or other malware and so on. Installed the firewall before I even did my windows updates or connected to the net. Very unusual. It could be the firewall acting up since it's beta software though. I'll have to do more research I guess...

Reply to
Kerodo

Kerodo wrote in news: snipped-for-privacy@news.central.cox.net:

You want to know then use Active Ports and Process Explorer and look.

Duane :)

Reply to
Duane Arnold

Yes, my email client is open and running all the time. I use Outlook and it polls my ISP for mail every 5 minutes...

Reply to
Kerodo

Ok, thanks Lars.. But doesn't it mean then that a packet is getting thru the firewall rules somehow and getting in? What I'm concerned about is that there is a "hole" in the firewall..

Reply to
Kerodo

Unless you have your email client open and running on your desktop, or an email status app (like a tray icon) running, there is no reason for your system to do an outbound port 25 connection.

Outbound port 25 is representative of something sending email outbound to somewhere.

What email client do you use and does it poll your ISP for email?

Reply to
Leythos

On Sat, 28 Aug 2004 22:21:09 -0700, Kerodo spoketh

What you are seeing is a proper response to an inbound connection from port 4032 on a remote system to your local port 25. The response RST ACK simply means "we're closed, go away". So, it's not a connection initiated from your computer, it's a response to an external connection attempt.

Lars M. Hansen

Remove "bad" from my e-mail address to contact me. "If you try to fail, and succeed, which have you done?"

Reply to
Lars M. Hansen

Ok, thanks. While I have your attention there, maybe I can ask one more question. I have a choice between 2 rule based firewalls to run here. I like both. One is Jetico Personal Firewall beta, which we have been talking about above, and the other is Kerio 2.1.5. Jetico has stateful inspection. Kerio does not. Which would be the better choice? Is stateful inspection really that important or desirable?

Reply to
Kerodo

Thanks for your reply.. Sounds like it's nothing to worry about based on what a few people have said. I guess what I don't understand is how a packet can get in to the OS thru the firewall to begin with, to generate that "not listening" reply.

I have an AV email scanner that uses port 25 apparently, so maybe something is getting thru there?

Reply to
Kerodo

My typical internet usage is just email, newsgroups and browsing. Pretty simple. I just wondered if stateful inspection was hype or really an advantage. Sounds like it's an advantage, so that's good. Thanks for your explanations...

Reply to
Kerodo

I'll check that out. Could be I'm allowing incoming to 25 in my rules.

I'm using Avast AV here. I don't fully understand what it's doing, but when I look in Active Ports I see the Avast email service on 127.0.0.1 on ports 25, 110 and 143. Does that make any sense?

Reply to
Kerodo

But it also says that someone is trying to use him as a relay for spam or something. If he doesn't have external clients that have to send mail through this computer, then someone is knocking at his door to send spam, probably...

Reply to
Jose Maria Lopez Hernandez

On Sun, 29 Aug 2004 13:06:11 -0700, Kerodo spoketh

Even if it was not the firewall itself that were sending the reply packet but rather the OS, it really doesn't matter a whole lot. If you don't have anything running on port 25, then no external (or internal for that matter) clients can connect to this port.

I agree that it is somewhat odd that the firewall logs the outgoing "rst" packet rather than simply logging the connection attempt from the external source ... and most desktop firewalls actually "stealth" ports rather than sending out rst's. But I still don't think it's anything to lose sleep over.

Lars M. Hansen


Reply to
Lars M. Hansen

I checked the rules and I'm not allowing inbound port 25 anywhere, so that's not it.

That makes sense I guess. The proxy stuff. I'm sure that's how it works. However I don't believe the firewall is giving Avast free rein to connect.. The firewall does a weird thing and distinguishes between "connecting to network" and "outgoing connection" and "incoming connection". Also distinguishes "send datagrams" and "receive datagrams". Sort of confusing. Avast email scanner service seems to have permission to "connect to network" only. No incoming or outgoing connections. How that works though is beyond me. But a lot of programs need this "connect to network" without needing to connect to the internet.

I've written to Jetico, the firewall makers, and told them about the situation, so I'll wait and see if I get a reply in a few days. They're very good about writing, so maybe they'll know what's going on.

I have a sneaky suspicion that packets are getting in thru the firewall when they're not supposed to. Somehow. But who knows for sure?

Meanwhile I've switched back to Kerio 2.1.5 until I hear from Jetico. Kerio is one of my favorites, even though it doesn't have stateful inspection.

Reply to
Kerodo

[...]

That's backwards. In general, email clients send mail using random ports in the "thousand-something" range TO port 25. Traffic going out on port 25 would indicate a response to *incoming* mail. The above traffic would indicate a "not listening" reply to someone attempting to send mail to the poster's (probably non-existent) email daemon/host/server... whatever you want to call it.

Reply to
Copelandia Cyanescens

Or it could mean that he has a dynamic IP whose previous owner had an SMTP server set up. Or that someone simply misconfigured a mail client or other SMTP service. Or that someone is simply randomly probing for open mail servers...

The important thing is that no connection is being made, and nobody is actually *able* to use his machine as a SPAM host. Unless the traffic volume causes problems it's probably nothing to worry about. Pretty normal stuff, really.

Reply to
Copelandia Cyanescens

Your email client won't be using local port 25. It likely chooses a port in the 1100 range and connects TO port 25 on your email server from that 11xx port. If you're seeing outbound traffic on port 25, it's your machine, or a piece of software running on your machine, responding to a request that you accept email. In particular, the traffic you're seeing indicates a "not listening" reply generated by the OS itself. Pretty common stuff.

Probably nothing to worry about. If it starts being a bandwidth problem, you might reconsider. ;)

Reply to
Copelandia Cyanescens

In short, stateful inspection keeps track of the "state" of a connection by examining things like packet types, sequence numbers, and source and destination IP numbers. This way a stateful firewall can be more "intelligent" about passing or blocking traffic, because it might know for instance that a packet coming from X is part of an already established connection or not. This can allow you to (in theory) set up a "don't allow incoming traffic at all" policy, and still have inbound responses to your requests pass.

This also gives the firewall the ability to reassemble fragmented packet information. This gives the firewall a big advantage when it comes to detecting certain types of problems or attacks.

Simple packet filters can only examine one packet at a time, and so they're constrained to accepting or rejecting traffic based on a per-port/IP, or maybe per-application, basis.

Stateful inspection is a good thing, but whether or not it's necessary in your case probably depends on your typical Internet usage. For the average "grab email and browse the web" user it's probably not necessary.

Reply to
Copelandia Cyanescens
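As an added illustration of the two points made in this thread (Lars' reading of the RST ACK as the OS answering an unsolicited SYN to closed port 25, and the stateful-versus-stateless explanation above), here is a toy connection tracker that is not part of anyone's post or of any real firewall product. All addresses and port numbers are constructed sample values; the mail-server and "stranger" hosts are placeholders.

```python
from dataclasses import dataclass

LOCAL = "192.168.1.10"       # constructed: the poster's machine
MAILHOST = "198.51.100.25"   # constructed: the ISP's mail server
STRANGER = "203.0.113.7"     # constructed: the unfamiliar remote address


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset


def pkt(src, sport, dst, dport, *flags):
    return Pkt(src, sport, dst, dport, frozenset(flags))


class StatefulFilter:
    """Remembers connections this host opened; inbound passes only as part of one."""

    def __init__(self):
        self.flows = set()  # (local_port, remote_ip, remote_port)

    def decide(self, p):
        if p.src == LOCAL:
            if p.flags == {"SYN"}:                       # we are opening a connection
                self.flows.add((p.sport, p.dst, p.dport))
                return "allow"
            if (p.sport, p.dst, p.dport) in self.flows:
                return "allow"
            return "block"   # e.g. the OS's RST/ACK from :25, a flow we never opened
        if (p.dport, p.src, p.sport) in self.flows:
            return "allow"
        return "drop"        # unsolicited inbound is silently dropped ("stealth")


def stateless_decide(p, server_ports=frozenset({25, 110, 143})):
    """No memory: each packet is judged on ports alone, so to let server replies
    back in it must accept anything whose *source* port looks like a server."""
    if p.src == LOCAL:
        return "allow" if p.dport in server_ports else "block"
    return "allow" if p.sport in server_ports else "drop"


def run_scenario():
    """Returns {name: (stateful_decision, stateless_decision)} for five packets."""
    sf = StatefulFilter()
    packets = {
        "poll_syn":      pkt(LOCAL, 1123, MAILHOST, 25, "SYN"),         # Outlook polls mail
        "poll_synack":   pkt(MAILHOST, 25, LOCAL, 1123, "SYN", "ACK"),  # the server's reply
        "stranger_syn":  pkt(STRANGER, 4032, LOCAL, 25, "SYN"),         # knock on local :25
        "os_rst":        pkt(LOCAL, 25, STRANGER, 4032, "RST", "ACK"),  # the logged packet
        "spoofed_src25": pkt(STRANGER, 25, LOCAL, 1123, "SYN"),         # looks like a server
    }
    return {name: (sf.decide(p), stateless_decide(p)) for name, p in packets.items()}
```

Both filters block the outbound RST ACK, which is exactly what the poster's log shows; the difference appears on the last packet, where the stateless filter has to trust a source port of 25 while the tracker knows no such connection was ever opened.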

It could be the firewall itself generating the reply. Or the firewall rule set could be configured to allow incoming traffic to port 25. If what you say below is true that's a fairly valid assumption.

Out of curiosity, what AV software uses *incoming* port 25 connections? And why? It seems odd that AV software would listen on that port, even for automagical updates. Generally this is accomplished by polling a server rather than listening for the server to announce the update. But I'm not as familiar with AV software as I could be. ;)

Reply to
Copelandia Cyanescens
