ICMP (type:0/subtype:0)

Discussion in 'other firewalls' started by eyespy, Mar 20, 2003.

Thread Status:
Not open for further replies.
  1. eyespy

    eyespy Registered Member

    Joined:
    Feb 20, 2002
    Posts:
    490
    Location:
    Oh Canada !!
    Hi all !
    Hope all is well with you all !
    ZAP 3.5 alerting me to ICMP (type:0/subtype:0)

    It's looping back to and fro my Static IP (same IP). But it's showing the destination DNS to my ISP.
    I'm a little confused about this one !! o_O

    And since I'm on the subject...should "Generic Host Process for Win32" be allowed to ACCEPT connections from the internet ? I have it blocked at this time...with no noticeable problems !

    regards,
    bill :)
     
  2. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,842
    Location:
    New England
    Hi Bill,

    I haven't seen that looping ICMP stuff before. Is it constant or does it come after a specific type of network access? More on the exact circumstances might help to better isolate the cause for what you are seeing.

    As to "Generic Host Process for Win32 Services" (whew! long name - let's just call it svchost.exe from here forward ;) ), I have never given "server" rights to this for the Internet because that will allow whatever ports it is listening on to be open and listening to connection attempts from the Internet. This would allow connection attempts to port 135, for example, which could allow messenger spam in and many other things. If you have 445 listening, then your SMB access could listen to connections from the Internet, as well. And other ports, too.

    Many people find they need to allow svchost.exe access outbound to the network to support things like DNS resolution and other basic network services. I have never found an issue with allowing it out. In the Programs panel in ZA+ on my system, svchost.exe has both Trusted and Internet Access out checked, and question marks in the two Server columns. (I like question marks in case something changes on the system, and suddenly it wants server rights - I'd want to see it ask so I'd know. Normally, it does not ask for server rights on my system, but that may be related to how my services are configured.)

    Hope that helps,
    LowWaterMark
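
The exposure described in the reply above can be checked from the listener table. This is an added example, not part of the original thread: it parses output in the layout of Windows `netstat -ano` and reports sockets on ports 135 and 445 that are bound to a non-loopback address. The sample text, PIDs and function names are constructed for illustration.

```python
import ipaddress

# Ports the reply names as reachable if svchost.exe is given Internet server rights.
WATCHED_PORTS = {135: "RPC endpoint mapper", 445: "SMB"}

# Constructed sample in the layout of `netstat -ano` (addresses and PIDs are made up).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:5354         0.0.0.0:0              LISTENING       1520
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:49712     203.0.113.5:443        ESTABLISHED     3100
  TCP    [::]:135               [::]:0                 LISTENING       884
  UDP    0.0.0.0:500            *:*                                    884
"""

def split_endpoint(endpoint):
    """Split 'addr:port' or '[v6addr%zone]:port' into (addr, port)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]").split("%")[0], int(port)

def exposed_listeners(netstat_text):
    """Return (proto, addr, port, pid, service) for watched ports that are
    listening on anything other than a loopback address."""
    findings = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("TCP", "UDP"):
            continue  # header or blank line
        proto, local, pid = fields[0], fields[1], int(fields[-1])
        # TCP rows carry a state column; UDP rows do not and are always "open".
        if proto == "TCP" and fields[3] != "LISTENING":
            continue
        host, port = split_endpoint(local)
        if ipaddress.ip_address(host).is_loopback:
            continue  # only reachable from the machine itself
        if port in WATCHED_PORTS:
            findings.append((proto, host, port, pid, WATCHED_PORTS[port]))
    return findings

if __name__ == "__main__":
    for proto, host, port, pid, service in exposed_listeners(SAMPLE):
        print(f"{proto} {host}:{port} pid={pid} ({service}): "
              "reachable unless the firewall denies inbound connections")
```

Any row this reports is a port that only the firewall's inbound rule keeps closed to the Internet, which is why the reply leaves server rights for svchost.exe unset.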
     
  3. eyespy

    Hi LWM and thanks for the response !

    Just to clarify.....
    "svchost.exe" is not trying to connect out, but rather I get a prompt that asks if "svchost.exe" will ACCEPT connections. Your answer will probably be the same but I thought I would clarify that ! ;)

    I would post a couple of snapshots but the Forum doesn't seem to allow them at this time ! :eek:



    Thanks and regards,
    bill :)
     
  4. LowWaterMark

    Yes, you're right Bill - same answer, more or less. That is an exact condition I see at times by having svchost.exe set to "?" program permissions. The parameters listed in the pop-up, if there are any, (port, protocol, addresses), should clarify what condition is causing the alert (inquiry) in the first place. (Although, there are times when not all those fields have data in them, at least I see that at times in ZA+. It makes it hard to make an intelligent decision whether to allow it or not. So, in my case, if there is no data - then I just say no.)
     
  5. eyespy

    I've been alerted to that ICMP type 3 times in the last 24 hrs.
    I can't seem to pinpoint the app.
    It's being blocked and all is working fine !

    regards,
    bill :)
     
  6. eyespy

    Here's a screenshot of my ZAP alert !

    regards,
    bill :)
     
