Network / Firewall issue
philby
November 20th, 2008, 10:20 AM
Hello there
Laptop / desktop networked wirelessly via router.
Trusted zone was set up on install.
Now, if I try to see desktop's shared files from laptop, I can only do this sporadically.
I'm getting incoming port scanning attacks logged every 10 minutes from the desktop's IPv4 address to the laptop's (UDP protocol).
I've tried adding a rule allowing all UDP from the desktop's IP, but this makes no difference.
Am I missing something? (apart from a basic grasp of ports).
File sharing has always worked fine in v3 with trusted zone / interactive mode.
Thanks in advance
Philby
philby
November 20th, 2008, 11:25 AM
OK, after re-installing and double checking everything, it seems I can only access desktop folders from laptop by unchecking both TCP and UDP port scanning under IDS and advanced options.
Is this what I am supposed to do?
I didn't need to do that in V3.
Can anyone confirm that this isn't leaving the back door open?
Thanks
Philby
agoretsky
November 20th, 2008, 02:09 PM
Hello,
Could you provide more information about the exact notification you received when the port scanning attacks were reported by the beta version?
Regards,
Aryeh Goretsky
philby
November 20th, 2008, 03:14 PM
Hello Aryeh and thanks for responding.
FW log shows 2 entries:
1. Detected port scanning attack / source 192.168.0.xxx (desktop) / target 192.168.0.yyy (laptop) / protocol UDP
This is in the firewall log every 10 minutes or so.
2. Address temporarily blocked by active defence (IDS)
Source is 50% 192.168.0.xxx (desktop) and 50% 192.168.0.yyy (laptop)
Target is the opposite of .xxx or .yyy each time
Protocol is mostly UDP but sometimes TCP
I get regular bursts of about twelve of these entries each time I try to access files on the desktop (after selecting log all attacks).
Weird?
Philby
dorgane
November 20th, 2008, 03:19 PM
too
18/11/2008 23:26:05 Detected DNS cache poisoning attack 192.168.1.1:53 192.168.1.10:51349 UDP
a lot...v3 too
It is a bug with the modem, no?
philby
November 20th, 2008, 03:25 PM
I get those DNS poisoning attacks in V3 all the time, but they never prevent laptop to desktop file access.
Strangely, I'm not getting the DNS attacks in V4.
Merci pour votre reponse (excuse spelling)
Philby
dorgane
November 20th, 2008, 03:38 PM
Merci pour votre reponse -> thank you for reply :)
I am French too
philby
November 20th, 2008, 03:44 PM
Actually, I'm not French - I just wanted to thank you en francais as I saw your sig.
Philby
proactivelover
November 20th, 2008, 09:08 PM
Lots of them. 203.99.163.240 is my DNS server; it's a firewall bug in v4.
11/21/2008 7:01:48 AM Detected DNS cache poisoning attack 203.99.163.240:53 192.168.1.10:54245 UDP
11/21/2008 6:48:44 AM Detected DNS cache poisoning attack 203.99.163.243:53 192.168.1.10:63127 UDP
11/21/2008 6:22:45 AM Detected DNS cache poisoning attack 203.99.163.243:53 192.168.1.10:49822 UDP
11/20/2008 8:19:29 PM Detected DNS cache poisoning attack 203.99.163.243:53 192.168.1.10:55718 UDP
11/20/2008 7:53:53 PM Detected DNS cache poisoning attack 203.99.163.240:53 192.168.1.10:59066 UDP
11/20/2008 7:40:01 PM Detected DNS cache poisoning attack 203.99.163.243:53 192.168.1.10:52459 UDP
11/20/2008 7:40:00 PM Detected DNS cache poisoning attack 203.99.163.240:53 192.168.1.10:61206 UDP
11/20/2008 7:35:35 PM Detected DNS cache poisoning attack 203.99.163.240:53 192.168.1.10:65029 UDP
11/20/2008 7:35:22 PM Detected DNS cache poisoning attack 203.99.163.240:53 192.168.1.10:53586 UDP
11/20/2008 7:35:22 PM Detected DNS cache poisoning attack 203.99.163.240:53 192.168.1.10:63648 UDP
11/20/2008 7:35:12 PM Detected DNS cache poisoning attack 203.99.163.240:53 192.168.1.10:55785 UDP
11/20/2008 7:34:09 PM Detected DNS cache poisoning attack 203.99.163.240:53 192.168.1.10:52776 UDP
11/20/2008 7:33:49 PM Detected DNS cache poisoning attack 203.99.163.240:53 192.168.1.10:60216 UDP
11/20/2008 7:31:16 PM Detected DNS cache poisoning attack 203.99.163.240:53 192.168.1.10:51591 UDP
11/20/2008 7:28:23 PM Detected DNS cache poisoning attack 203.99.163.240:53 192.168.1.10:57921 UDP
11/20/2008 7:27:23 PM Detected DNS cache poisoning attack 203.99.163.240:53 192.168.1.10:55199 UDP
11/20/2008 7:27:15 PM Detected DNS cache poisoning attack 203.99.163.240:53 192.168.1.10:54218 UDP
11/20/2008 7:27:08 PM Detected DNS cache poisoning attack 203.99.163.243:53 192.168.1.10:49830 UDP
11/20/2008 7:27:08 PM Detected DNS cache poisoning attack 203.99.163.240:53 192.168.1.10:50844 UDP
11/20/2008 7:27:08 PM Detected DNS cache poisoning attack 203.99.163.240:53 192.168.1.10:59142 UDP
11/20/2008 7:27:04 PM Detected DNS cache poisoning attack 203.99.163.243:53 192.168.1.10:63740 UDP
11/20/2008 7:26:59 PM Detected DNS cache poisoning attack 203.99.163.243:53 192.168.1.10:51667 UDP
11/20/2008 7:23:55 PM Detected DNS cache poisoning attack 203.99.163.240:53 192.168.1.10:63304 UDP
11/20/2008 7:23:32 PM Detected DNS cache poisoning attack 203.99.163.243:53 192.168.1.10:63458 UDP
11/20/2008 7:22:50 PM Detected DNS cache poisoning attack 203.99.163.243:53 192.168.1.10:52432 UDP
11/20/2008 7:14:48 PM Detected DNS cache poisoning attack 203.99.163.243:53 192.168.1.10:53626 UDP
11/20/2008 7:14:48 PM Detected DNS cache poisoning attack 203.99.163.243:53 192.168.1.10:49975 UDP
11/20/2008 6:59:17 PM Detected DNS cache poisoning attack 203.99.163.243:53 192.168.1.10:55476 UDP
11/20/2008 6:52:14 PM Detected DNS cache poisoning attack 203.99.163.240:53 192.168.1.10:50188 UDP
11/20/2008 6:50:13 PM Detected DNS cache poisoning attack 203.99.163.243:53 192.168.1.10:51662 UDP
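An added example, not part of the thread and not the firewall vendor's code: a small Python triage for log lines in the layout pasted above. It separates alerts that have the shape of an ordinary DNS answer (configured resolver, UDP source port 53, ephemeral destination port) from everything else. The resolver set, the ephemeral-port threshold and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Layout of the firewall log lines pasted in this thread:
# <date> <time> [AM|PM] Detected <event> <src>:<port> <dst>:<port> <proto>
LINE = re.compile(
    r"^\S+ \S+(?: [AP]M)? Detected (?P<event>.+?) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+) (?P<proto>UDP|TCP)$"
)
EPHEMERAL_MIN = 49152  # assumption: IANA dynamic port range starts here

def classify(line, resolvers):
    """Return (event, source, verdict), or None if the line does not parse."""
    m = LINE.match(line.strip())
    if m is None:
        return None
    # Shape of an ordinary DNS answer: configured resolver, UDP source port 53,
    # destination port in the client's ephemeral range.
    reply_shape = (
        m["src"] in resolvers
        and m["sport"] == "53"
        and m["proto"] == "UDP"
        and int(m["dport"]) >= EPHEMERAL_MIN
    )
    verdict = "resolver-reply-shape" if reply_shape else "investigate"
    return m["event"], m["src"], verdict

def triage(lines, resolvers):
    """Count alerts per (event, source, verdict), skipping unparsable lines."""
    results = (classify(line, resolvers) for line in lines)
    return Counter(r for r in results if r is not None)

# Constructed sample lines (documentation addresses, not taken from the thread).
SAMPLE = [
    "11/20/2008 7:27:08 PM Detected DNS cache poisoning attack 192.0.2.53:53 192.168.1.10:50844 UDP",
    "11/20/2008 7:27:15 PM Detected DNS cache poisoning attack 192.0.2.53:53 192.168.1.10:54218 UDP",
    "18/11/2008 23:26:05 Detected DNS cache poisoning attack 192.0.2.53:53 192.168.1.10:51349 UDP",
    "11/20/2008 7:31:16 PM Detected DNS cache poisoning attack 198.51.100.7:53 192.168.1.10:51591 UDP",
    "11/20/2008 7:33:49 PM Detected DNS cache poisoning attack 192.0.2.53:53 192.168.1.10:53 UDP",
    "11/20/2008 7:40:00 PM Address temporarily blocked by active defence (IDS)",
]
RESOLVERS = {"192.0.2.53"}  # hypothetical: the host's configured DNS servers

if __name__ == "__main__":
    for (event, src, verdict), n in sorted(triage(SAMPLE, RESOLVERS).items()):
        print(f"{n:3d}  {verdict:20s}  {src:15s}  {event}")
```

The log does not record whether a query was outstanding, so "resolver-reply-shape" narrows the triage but does not prove an alert is a false positive.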
philby
November 21st, 2008, 05:38 AM
As far as I know, these DNS poisoning attacks are irritating but inconsequential. There have been many posts about this re. V3.
Like I said, I've always had them in V3 but this is not the problem here.
The problem is that I can't access folders on the other box in my tiny little network unless I disable both TCP and UDP Port scanning detection under IDS.
If I leave them checked, I have the log entries in post #4 and no access to the second box.
Philby
philby
November 23rd, 2008, 04:36 PM
Please, does anyone understand why this is happening when port scanning attack detection is enabled for udp/tcp in IDS?
Thanks
Philby
doktornotor
November 23rd, 2008, 04:43 PM
{QUOTE-> Please, does anyone understand why this is happening when port scanning attack detection is enabled for udp/tcp in IDS? <-QUOTE}
??? Looks pretty obvious from the log why's this happening? ???
philby
November 23rd, 2008, 04:47 PM
Sorry but what do you mean by that?
My point is that when using V3, I can access the desktop with port scanning detection enabled - nothing flagged in the fw log.
With V4, if I leave port scanning detection enabled, I can't access the desktop and the fw log gets flooded as above.
Ergo, bafflement.
Philby
wiak
November 23rd, 2008, 05:39 PM
The allow sharing is broken. When you click on it, 4.0 won't allow sharing regardless of allowing sharing or not, so I reverted back to NOD32 Antivirus 4.0 Beta ;)
philby
November 23rd, 2008, 05:52 PM
Thanks for your reply wiak.
I still don't get it though.
You say:
{QUOTE-> The allow sharing is broken. When you click on it, 4.0 won't allow sharing regardless of allowing sharing or not <-QUOTE}
But sharing does work, though only if I disable port scanning detection.
Philby
wiak
November 23rd, 2008, 06:08 PM
When I installed Smart Security 4.0 I got allow sharing or strict, then clicked allow sharing, and it should allow sharing, but it does not.
Bensec
November 23rd, 2008, 10:37 PM
I met a trivial one:
Zapnuty;D