PDA

View Full Version : Help with firewall configuration!

M_G_H
November 4th, 2007, 04:26 PM
I have installed ESS 3.0.551.0 and need help with the firewall configuration.

My Linksys (with Tomato firmware) router stores the logs in a shared folder on my computer, but since installing ESS, the router cannot access the shared folder on the computer, although my other computers in the netwoork can access any shares just fine.

If I disable the "SMB Attack Relay Detection" in the IDS and Advanced Options section, than the router can mount the share and store the logs. If that option is ticked than it does not work.

I tried to create a rule to let that address (router's) allow to access that share, but it still does not work. (eg. direction -both, protocol - TCP\UDP, local port - 445, remote port - 445, ip address - 192.168.16.1) I tried a variety of combinations but still no go.

Reason I tried to create that rule is so that I can leave that option ticked but allow only that one ip address to access. I then ticked the traffic log in ESS and here is what it logs:

04/11/2007 3:34:31 PM Detected SMB Relay attack 192.168.16.1 192.168.16.10 TCP
04/11/2007 3:34:31 PM Detected SMB Relay attack 192.168.16.1 192.168.16.10 TCP
04/11/2007 3:34:30 PM Detected SMB Relay attack 192.168.16.1 192.168.16.10 TCP
04/11/2007 3:34:30 PM Detected SMB Relay attack 192.168.16.1 192.168.16.10 TCP
04/11/2007 3:34:27 PM No usable rule found fe80::4018:ca18:aa19:eaa7%-209387264.:61163 ff02::1:3%1870987264.:5355 UDP
04/11/2007 3:34:27 PM No usable rule found fe80::4018:ca18:aa19:eaa7%-209387264.:61163 ff02::1:3%1870987264.:5355 UDP
04/11/2007 3:34:26 PM Detected SMB Relay attack 192.168.16.1 192.168.16.10 TCP
04/11/2007 3:34:25 PM No usable rule found fe80::4018:ca18:aa19:eaa7%-209387264.:61161 ff02::1:3%1870987264.:5355 UDP
04/11/2007 3:34:25 PM No usable rule found fe80::4018:ca18:aa19:eaa7%-209387264.:61161 ff02::1:3%1870987264.:5355 UDP
04/11/2007 3:34:23 PM Detected SMB Relay attack 192.168.16.1 192.168.16.10 TCP
04/11/2007 3:34:20 PM Detected SMB Relay attack 192.168.16.1 192.168.16.10 TCP
04/11/2007 3:34:17 PM No usable rule found fe80::4018:ca18:aa19:eaa7%-209387264.:61154 ff02::1:3%1870987264.:5355 UDP
04/11/2007 3:34:17 PM No usable rule found fe80::4018:ca18:aa19:eaa7%-209387264.:61154 ff02::1:3%1870987264.:5355 UDP
04/11/2007 3:34:17 PM Detected SMB Relay attack 192.168.16.1 192.168.16.10 TCP
04/11/2007 3:34:16 PM Detected SMB Relay attack 192.168.16.1 192.168.16.10 TCP
04/11/2007 3:34:14 PM Detected SMB Relay attack 192.168.16.1 192.168.16.10 TCP
04/11/2007 3:34:14 PM Detected SMB Relay attack 192.168.16.1 192.168.16.10 TCP
04/11/2007 3:34:13 PM Detected SMB Relay attack 192.168.16.1 192.168.16.10 TCP

If anyone has any ideas, please let me know.

Thanks
ASpace
November 4th, 2007, 11:32 PM
Hi!

Enter the Advanced Setup Tree (F5)

1. Navigate to Personal Firewall.
Choose Interactive Mode

2. Navigate to Personal Firewall -> Rules and zones . In the right (at the Trusted zone part) , click Setup and choose "Allow sharing"

3. Navigate to Personal Firewall -> IDS and Advanced options
Make sure all services are allowed (a.k.a 4 services)

4. In Personal firewall -> IDS and advanced options , enabled logging


Then,
Open Personal firewall > Rules and zones > Zone and rule setup
Choose Toggle detailed view of all riles (if already not set to this)
Uncheck every rule that has in the name Block.

Confirm with OK.

Start creating new rule:


Name : your choice
Direction : Both
Action : Allow
Protocol : TCP & UDP

Additional action:
check Log


In Local tab - For the ports choose 135-139
In Remote choose - For every (ports)
Then (AFAI remember , you should enter the IP address in the Remote tab . So here enter the IP of the router-192.168.16.1) .

Confirm with OK and restart.Try again.


In case this doesn't help , delete the rule above and simply uncheck the SMB Relay attack detection in Personal firewall -> IDS and advanced options
M_G_H
November 5th, 2007, 08:55 AM
Hello HiTech_boy,

Thanks for the info. I tried what you posted and even created a rule to allow all ports in local and remote from the router's ip address and still received the "Detected SMB Relay attack " in the logs.

I have temporarily just unchecked the SMB Relay attack detection and it works. I may try it for another day or 2 and then go back to my other security software. I don't like the idea that the firewall has to be configured to a all or nothing type setting.

Thanks for your help.