Trying to Figure out What's OK and What to Block

I have a Win Xp computer that I can't seem to get working right on the internet.

I have a broadband connection and a router. The other computer connected to the same router works fine.

I had the old version of Kerio (2.1.5) on both; I switched to the free Tiny firewall on the problem computer just to see if the firewall was the problem.

When I first start it, it works fine. After a while I cannot connect to anything on the internet unless I reboot.

I am trying to set up the rules so that I block everything that doesn't need to connect to the internet.

One thing I am not sure of is something identified only as "SYSTEM" which looks like it wants to send and receive UDP traffic to the router and send and receive to and from the other computer.

Could blocking this be causing me to lose the internet connection?

I do not use the router as a way to network the two computers. I only use it to allow each computer onto the internet. So there is no logical reason for the computers to be talking to each other. Usually it says something to the effect that one computer wants to send a UDP datagram to the other computer on port 137. Should I allow this?

-Fishlips

"Delicious Fried"

Reply to
Fishlips

Migrating from shit to shit....

D'oh! That's one of the very good arguments why Application Control shouldn't even be partially considered on modern Windows versions, not to mention actual security...

Definitely. But it could also be that it's simply messing up your network capabilities with clearly defective software.

If you don't know the answer to that simple question, why are you quaggling around with a packet filter anyway?

Reply to
Sebastian Gottschalk

The personal FW is the problem.

For what? It's a worthless endeavor. The machines are behind a NAT router and it's not a wireless NAT router. But some line to use a personal FW behind the NAT router and there is no harm and no foul, if it's not getting in the way.

If you didn't have the PFW sitting there whining about nothing behind the NAT router, then it would be no concern to you.

Who knows? If the PFW is disabled behind the router does the machine have an Internet connection?

They are trying to talk to each other due to the simple fact that they are connected to the router. The router is the gateway device that allows the computers to access the WAN (Wide Area Network)/Internet and provides the plumbing that's going to allow the machines to see and talk to each other on the LAN (Local Area Network).

Hey, other machine on the LAN I have discovered that you're on the LAN I see you. *Other machine on the LAN* -- yeah I discovered you and I see you too. Both machines reply okay dokey will talk again later.

Duane :)

Reply to
Duane Arnold

It's pretty easy to get lost in a nightmare of rules, popups and other nonsense when you try to control things like that. Since you're already covered inbound by the router, it would be better to just skip the software firewall and try using some common sense and keep any bad programs off the computer to begin with. Otherwise, you'll find yourself blocking normal things that need to communicate and the bad stuff will likely slip thru anyway. Best to keep it simple.

Reply to
Kerodo

I agree with the philosophy of keeping it simple, but I have legitimate reasons for controlling the applications on the PC. For one thing, with Windows the "bad" stuff comes bundled with it. Take Windows Media Player. The first time you use it you set your preferences and prohibit the program from ever accessing the internet for any reason, not for updates, not to send information, not to obtain licenses, not for anything. And then ten minutes later the software firewall pops up and tells you that Windows Media Player is trying to connect to Microsoft for something. Without the software firewall you would never know.

You may say "so what," but my personal preference is that my video viewing habits remain private. Aside from that the program has some value. Occasionally it will play files that Videolan cannot. So I wouldn't get rid of it if I could, I just want to control it.

Another example is HP software that comes with their printers, scanners, etc. The only way I can stop it from sending out is to use a software firewall. Again, I just prefer that it doesn't connect out without permission.

As for trojans and viruses, I am careful about what I do, but who knows? With the firewall I can see if something new is trying to connect out and I can figure out what it is before I let it. It is just a little peace of mind.

As for the bad stuff slipping through anyway, that reminds me of the way some people say "why lock your doors? if they really want to get in they will." But if your doors are locked it is more likely they will look elsewhere for easier pickins.

BTW, some guy with an IP originating in China got past my router a couple of times - and hit the software firewall, which is how I knew about it. AFAIK it stopped there.

-Fishlips

"Delicious Fried"

Reply to
Fishlips

ipconfig/all

And these rules are?

The local system process, I guess.

Might be DNS.

Might be file and printer sharing.

If it is blocking DNS.

But your computers are not plugged into a router, they are plugged into a switch. Whether you intend the switch to network the PCs is irrelevant, the switch is providing its primary function.

NetBIOS Name Service.

Should I allow this?

If you intend to resolve NetBIOS names using the NetBIOS Name Service. If it is bothersome it may be disabled.

Reply to
Dom

Mine is also wireless.

I prefer to use the personal FW to control apps as I explain to Kerodo below.

At the point that the internet connection is lost, turning off the firewall does not restore it. Only a reboot will.

-Fishlips

"Delicious Fried"

Reply to
Fishlips

In your opinion are there any software firewalls that are not shit? If so, which one(s)?

OK, which defective software are you referring to here? Windows or TPF?

If you know the answer to that simple question why are you quaggling around instead of giving a simple answer?

-Fishlips

"Delicious Fried"

Reply to
Fishlips

Ok, so you're basically one of those folks who isn't worried about the malware situation so much as which of your legitimate apps is trying to connect out and do what. There is some usefulness there I guess. I personally am not that paranoid or concerned. I could care less what Microsoft knows or thinks about my video viewing habits. I also could care less about most other programs phoning home. So for me, a simple cheap NAT router works fine with nothing else but an AV. And to be honest, if some program does things I don't like, then I don't use it. There are alternatives for almost every program out there, MS progs included.

If you want that kind of control over everything, then by all means go ahead and use Kerio or whatever, but that means you'll have to spend the time debugging your rules and finding out what everything does and needs in the way of IPs, ports and protocols, etc. So for you, some work is in store. Good luck.

Reply to
Kerodo

There is a specific rule to permit DNS. This is something else.

Yeah. I like to have all unnecessary services turned off. I remember back in the Win 98 days that file and printer sharing was exploitable. I don't need it so I want it turned off or blocked.

I bought something called a router, not a switch. The same company sells a similar looking box that they call a switch, so I assume they are two different things. When I said "router" why do you say I am using a switch?

Why would I want to do that?

How?

-Fishlips

"Delicious Fried"

Reply to
Fishlips

I don't know precisely what hardware you are using, but since it sounds like you're plugging PCs into multiple LAN ports then you have a router with built-in switch. Your LAN ports are switch ports, not router ports.

To resolve a NetBIOS name to an IP.

Somewhere in the advanced TCP/IP properties. You can also unbind file/printer sharing and Microsoft client.

Reply to
Dom

Yeah, I read that and it may work for the most part as long as you don't *boot* the machine, as malware can get to the TCP/IP connection first and beat it and its App Control and be done before the 3rd party personal FW can even start to get there and stop it.

So why don't you do an IPconfig /release and Ipconfig /renew to see if the machine can access the Internet without rebooting the machine?

And on what machine is this happening, wired or wireless? It seems there may be a problem with the NIC dropping the connection, and it could be defective in some way.

I also read some other parts of your other post about some MS software you didn't want phoning home. The NT based O/S can be configured to not allow something to run until you configure the O/S to let it run, and it should be configured through the O/S and not the PFW.

In addition to this, I had a Linksys wireless NIC driver that was phoning home, and what I did was find out what part of the O/S services the driver was piggybacking off of and shut down the unneeded service that the driver was sneaking out on. That is where I needed to go, and not try to control something with Application Control in a PFW.

The buck stops with the O/S and nowhere else, and it is the entity that should be doing the controlling.

And about that IP that came past the NAT router, yeah I know about that one and a PFW will help protect in that area, but you might want to get a better NAT router if the one you're using doesn't have SPI.

Duane :)

Reply to
Duane Arnold

I decided to just let "SYSTEM" do its thing, and I am also allowing the NetBIOS stuff through because it is so persistent in wanting to do that, and so far it has been running for a couple of hours and is still connected. So I think that was the problem. Time will tell.

Oh damn, it just crapped out again.

Wired.

I don't know how to do that.

I agree. I just wish I knew enough to configure it properly.

-Fishlips

"Delicious Fried"

Reply to
Fishlips

Thanks.

-Fishlips

"Delicious Fried"

Reply to
Fishlips

Maybe you should swap out the NIC on the machine and see if the problem follows.

By using NTFS: go to the exe or dll you don't want to run, using Explorer to access the directory the file is located in, and set its NTFS property to not *Execute*.

Well you could get a book from the library or buy one that's going to allow you to better understand and control the XP NT based O/S.

The link can get you started on some of the things to secure the O/S a little more.

You can be compromised by someone joining your wireless network and coming after the machines. The link may help a little bit, along with paying a visit to alt.Internet.wireless.

You can use Google to find how-tos and better understand tools like Process Explorer to find the bottom line as to what processes are running on the machine and what hidden process is using a process.

Duane :)

Reply to
Duane Arnold

The

-Fishlips

"Delicious Fried"

Reply to
Fishlips

I wasn't thinking it could be a hardware problem, but that would be a good thing to check.

The NIC is built in to the motherboard, but I can add another one and try it to see if the problem goes away.

Cool. That is pretty simple.

Great site, will spend some time going through this.

My wireless is set up according to those guidelines.

Another good site.

Thanks for the help.

-Fishlips

"Delicious Fried"

Reply to
Fishlips

You may differentiate between a host-based packet filter and a firewall. And out of the first one, the Personal Firewalls are the common snake-oil.

TPF.

Once again: Without any detailed understanding of TCP/IP and a serious configuration you cannot achieve any security with a packet filter.

Get someone who has a clue and pay him for doing the administrative tasks, or uninstall your packet filter and take some serious security measures.

Reply to
Sebastian Gottschalk

A personal firewall..er...packetfilter apparently stops Windows Media Player from phoning home, to give one example. It may not be what you consider "serious security," and I agree with you on that, but I find it useful nonetheless.

-Fishlips

"Delicious Fried"

Reply to
Fishlips

In case of doubt, nothing that is not equivalent to a cut connection can save you from such a behaviour.

Windows Media Player is not phoning home. Please provide proof of your claims.

serious = it actually works

Hey, even RealPlayer 8 knew how to circumvent such PFW nonsense. AdobeLM does with ease, and real malware has absolutely no problem with that.

Reply to
Sebastian Gottschalk

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.