Windows Firewall with Advanced Security (Guide for Vista)

Discussion in 'other firewalls' started by Stem, Apr 19, 2009.

Thread Status:
Not open for further replies.
  1. Heimdall

    Heimdall Registered Member

    Joined:
    Jul 29, 2009
    Posts:
    185
    That looks like a modified version of the default IGMP rule, which is active on all three profiles and is less restrictive, in terms of destination.

    For the most part, unless you have a specific need to support inbound IGMP announcements, you can block them.

    224.0.0.1 is simply an 'All Hosts' or link-local multicast announcement, and essentially unneeded.
    224.0.0.252 is for Link-Local Multicast Name Resolution, so unless you're supporting IPv6 it's not going to be a lot of use.
    239.255.255.250 is connected with SSDP and UPnP; it might be useful if you have a need for such services, or if you use something like Media Centre.
     
    Last edited: Feb 22, 2011
  2. sbseven

    sbseven Registered Member

    Joined:
    Jan 30, 2011
    Posts:
    140
    Heimdall

    I tried unchecking the "Register this connection's addresses in DNS" but it made no difference, I still occasionally get the attached message logged to the event viewer Windows Security Audit log (event 5152). The ICMP Type/Code is not shown in the log entry just "ICMP Error" unfortunately.

    It doesn't seem to adversely affect anything, I just wondered what it was, as it happens a few times a day.

    Note: This 'blocked packet' doesn't show itself in the pfirewall.log at all...
     

    Attached file: wfw2.jpg
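Both the multicast groups Heimdall lists above and the pfirewall.log that sbseven mentions can be checked from the log itself. The script below is an added example, not something posted in this thread or shipped by Microsoft: it parses the W3C-style format Windows Firewall writes to pfirewall.log (field order taken from the file's own `#Fields:` header), summarises the DROP records, labels the three multicast groups named above (and, going beyond the post, any other 224.0.0.0/4 destination), and flags dropped DNS-over-TCP and ICMP records. The log lines are constructed for the example.

```python
"""Summarise DROP entries from a Windows Firewall log (pfirewall.log).

Added example, not from the thread. The sample lines below are constructed
in the W3C extended log format that Windows Firewall writes; the field order
is read from the '#Fields:' header line rather than hard-coded.
"""
import ipaddress
from collections import Counter

SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2011-02-22 10:15:32 DROP UDP 192.168.1.10 224.0.0.252 55123 5355 0 - - - - - - - SEND
2011-02-22 10:15:40 DROP UDP 192.168.1.20 239.255.255.250 1900 1900 0 - - - - - - - RECEIVE
2011-02-22 10:16:01 DROP TCP 192.168.1.10 8.8.8.8 49211 53 52 S 123456 0 8192 - - - SEND
2011-02-22 10:16:05 ALLOW UDP 192.168.1.10 8.8.8.8 49212 53 0 - - - - - - - SEND
2011-02-22 10:16:09 DROP ICMP 8.8.8.8 192.168.1.10 - - 84 - - - - 3 3 - RECEIVE
"""

# The multicast groups discussed in the thread (IANA well-known assignments).
KNOWN_MULTICAST = {
    "224.0.0.1": "all-hosts (link-local)",
    "224.0.0.252": "LLMNR",
    "239.255.255.250": "SSDP/UPnP",
}


def parse_log(text):
    """Yield one dict per record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("record appears before the #Fields header")
        parts = line.split()
        if len(parts) != len(fields):
            continue  # skip a malformed line rather than abort the whole run
        yield dict(zip(fields, parts))


def classify_destination(ip):
    """Name the destination: a known multicast group, other multicast, or unicast."""
    if ip in KNOWN_MULTICAST:
        return KNOWN_MULTICAST[ip]
    if ipaddress.ip_address(ip).is_multicast:
        return "other multicast"
    return "unicast"


def summarise_drops(text):
    """Return (counter, notes).

    counter counts DROP records by (path, protocol, dst-port, destination class);
    notes collects the observations a firewall admin wants to see at once:
    dropped DNS over TCP, and dropped ICMP with its type/code.
    """
    counter = Counter()
    notes = []
    for rec in parse_log(text):
        if rec["action"] != "DROP":
            continue
        dest_class = classify_destination(rec["dst-ip"])
        counter[(rec["path"], rec["protocol"], rec["dst-port"], dest_class)] += 1
        if rec["protocol"] == "TCP" and rec["dst-port"] == "53":
            notes.append(f"DNS over TCP to {rec['dst-ip']} dropped; a UDP reply over "
                         "512 bytes sets TC and the resolver retries on TCP 53")
        if rec["protocol"] == "ICMP":
            notes.append(f"ICMP type {rec['icmptype']} code {rec['icmpcode']} "
                         f"from {rec['src-ip']} dropped ({rec['path']})")
    return counter, notes


if __name__ == "__main__":
    counter, notes = summarise_drops(SAMPLE_LOG)
    for key, n in sorted(counter.items()):
        print(n, *key)
    for note in notes:
        print(note)
```

Point the script at a real file with `summarise_drops(open(r"C:\Windows\System32\LogFiles\Firewall\pfirewall.log").read())`; the path is the default location and logging of dropped packets has to be enabled per profile for anything to appear there. Note that sbseven's event 5152 entries are written by the WFP audit path and will not show up in this file, which is exactly the discrepancy observed above.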
  3. sparviero

    sparviero Registered Member

    Joined:
    Apr 23, 2009
    Posts:
    88
    If you have configured it properly (e.g. LAN => DNS => Router IP), where do you think your important messages should go, out of the chimney? :D
    As is often the case, not knowing the subject itself becomes mystification.

    I wish you a beautiful day...
     
  4. sbseven

    sbseven Registered Member

    Joined:
    Jan 30, 2011
    Posts:
    140
    Right, I let svchost.exe->DNS Client have access to TCP:80 OUT for a while and the dropped packet messages stopped. I've since disabled that rule and rebooted, but I'm not seeing the message start up again. o_O
     
  5. wat0114

    wat0114 Guest

    Thank you sbseven! Somewhere I remember seeing that DNS can use TCP, but I can't remember why and in what cases it would use TCP. Never, for my own needs, have I set it up for anything but the UDP protocol for the DNS server IP(s).
     
  6. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Take a look at the first page, second post.

    As for allowing communications other than port 53, it makes no sense. DNS Client caches DNS names. DNS translates domains to IPs. DNS operates on port 53. Why allow any other port?
     
  7. sbseven

    sbseven Registered Member

    Joined:
    Jan 30, 2011
    Posts:
    140
    I still think it's strange the messages haven't restarted now I've disabled the rule. Wat0114, can you do the same test and report back? Thanks.
     
  8. wat0114

    wat0114 Guest

    Okay, there it is, thanks!

    I agree with you 100%

    Sure, I'll give it a try.
     
  9. sbseven

    sbseven Registered Member

    Joined:
    Jan 30, 2011
    Posts:
    140
    I don't dispute DNS Client only uses port 53 for its operation, m00nbl00d. If you read my posts just upthread, you'll see I'm trying to trace a service that's phoning home to M$ every now and again on TCP 80. The DNS Service was a possible candidate. So I tried a test by allowing that service access to TCP 80 and the messages stopped. I'm just reporting that and asking for confirmation from wat who sees the same log activity and is following this. I might be in error, that's why I'm asking for a 2nd opinion...

    As I've said previously, one of the following has been trying to phone home (and been blocked) a few times a day on my machine since I implemented the 2-Way Windows Firewall:
    • Cryptographic Services
    • DNS Client
    • KtmRm for Distributed Transaction Coordinator
    • Network Location Awareness

    Cryptographic Services has also been suggested by Heimdall as a possible candidate too.
     
  10. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Oh, OK. I misunderstood you. :(
     
  11. wat0114

    wat0114 Guest

    I found out years ago that svchost likes to phone home (although I could not at the time trace it to the DNS service, as I figured it was the Windows Update service of XP, the O/S I was using at the time) and posted that somewhere, hundreds of posts ago :D , but it seemed most people thought of it as completely harmless, and saw no harm in a legit process phoning home to the MS Mothership o_O
     
  12. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Doesn't Windows phone home to validate? Could that be it?
     
  13. wat0114

    wat0114 Guest

    Probably that's the reason, but then why does it do so all the time and randomly?
     
  14. sbseven

    sbseven Registered Member

    Joined:
    Jan 30, 2011
    Posts:
    140
    It's only coming from the svchost.exe PID that's running the four services above...
     
  15. Heimdall

    Heimdall Registered Member

    Joined:
    Jul 29, 2009
    Posts:
    185
    Well, I guess if you don't understand how ICMP works, or what its function is, there's little to be had by way of discussion.
     
  16. Heimdall

    Heimdall Registered Member

    Joined:
    Jul 29, 2009
    Posts:
    185

    http://support.microsoft.com/kb/931125

    http://technet.microsoft.com/en-us/library/cc749331(WS.10).aspx

    On the subject of certificates, you will find that periodically, checks are made against parent certificate issuers for the validity of a certificate. This is called a Certificate Revocation List (CRL) check. These events will cause connections to the publishers, such as verisign, godaddy, comodo etc. These checks may be made by svchost and by browsers, where it is enabled by default.

    When a problematic certificate is encountered you will receive a pop-up, unless, of course you block these requests.
     


    Last edited: Feb 23, 2011
  17. Heimdall

    Heimdall Registered Member

    Joined:
    Jul 29, 2009
    Posts:
    185
    It was worth a try, as I've seen this help before. If I get time later, I'll put a wireshark trace on a test system with Norton DNS, see if it reveals any additional info.

    At the end of the day, it's probably just an availability check, but I'm curious about the 'Error'.
     
  18. Heimdall

    Heimdall Registered Member

    Joined:
    Jul 29, 2009
    Posts:
    185
    The primary protocol used for DNS queries is UDP, however this is done more by convention than for any other reason. That said, in certain circumstances, TCP is used to facilitate the query, typically when there is a large amount of data to be transferred. If I remember, this is when the reply records are greater than 512 bytes.

    TCP is also used for Zone transfer between primary and secondary DNS servers.

    When configuring a DNS client, ideally, one should allow for both UDP and TCP queries to specified servers. However, blocking TCP may not cause any noticeable degradation in performance.
     
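The mechanism Heimdall describes above, a UDP reply too large for the 512-byte limit being truncated so the client repeats the query over TCP 53, is easy to see on the wire. The script below is an added example, not code from this thread or from any resolver: it builds a DNS query in wire format, simulates a server that must truncate an oversized UDP answer and sets the TC flag (RFC 1035), and shows the check a resolver makes before retrying over TCP with the 2-byte length prefix that DNS over TCP requires. All messages are constructed in the script, so it runs offline.

```python
"""Decide whether a DNS resolver must retry a query over TCP.

Added example, not from the thread. Per RFC 1035 a UDP DNS message is
limited to 512 bytes; when the server has to cut the answer it sets the TC
(truncated) flag in the header and the client repeats the query over TCP 53.
All wire messages here are constructed by hand so the script runs offline.
"""
import struct

UDP_MAX_PAYLOAD = 512


def build_query(name, qtype=1, txid=0x1234):
    """Encode a standard query (default type A) for `name` in DNS wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN


def parse_header(msg):
    """Return the header fields plus the flag bits a resolver looks at."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),   # 1 = response
        "tc": bool(flags & 0x0200),   # 1 = truncated, retry over TCP
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def needs_tcp_retry(query, reply):
    """True when the UDP reply is truncated and must be re-sent over TCP 53."""
    q = parse_header(query)
    r = parse_header(reply)
    if r["id"] != q["id"] or not r["qr"]:
        raise ValueError("reply does not match the query")
    return r["tc"]


def tcp_frame(query):
    """DNS over TCP prefixes each message with a 2-byte length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(query)) + query


def fake_reply(query, answers):
    """Constructed server reply with one A record per address in `answers`.

    Records are dropped from the end and TC is set when the message would
    exceed the 512-byte UDP limit, which is what a server does before the
    client falls back to TCP.
    """
    q = parse_header(query)
    question = query[12:]
    rrs = []
    for ip in answers:
        # name pointer to offset 12, type A, class IN, TTL 60, rdlength 4, address
        rrs.append(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)
                   + bytes(int(octet) for octet in ip.split(".")))
    truncated = False
    while 12 + len(question) + sum(len(r) for r in rrs) > UDP_MAX_PAYLOAD:
        rrs.pop()
        truncated = True
    flags = 0x8180 | (0x0200 if truncated else 0)  # QR=1, RD=1, RA=1 (+TC)
    header = struct.pack("!HHHHHH", q["id"], flags, 1, len(rrs), 0, 0)
    return header + question + b"".join(rrs)


if __name__ == "__main__":
    query = build_query("example.com")
    small = fake_reply(query, ["192.0.2.1"])
    big = fake_reply(query, ["192.0.2.%d" % i for i in range(1, 41)])
    print("small reply:", len(small), "bytes, retry over TCP:", needs_tcp_retry(query, small))
    print("big reply:", len(big), "bytes, retry over TCP:", needs_tcp_retry(query, big))
    print("TCP framing adds length prefix:", tcp_frame(query)[:2].hex())
```

The 40-address answer does not fit in 512 bytes, so the simulated server keeps 30 records and sets TC; the resolver sees the flag and would reopen the same query on TCP 53. That is the traffic a firewall rule restricted to UDP 53 silently drops, which is why Heimdall suggests allowing both protocols to the configured servers.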
  19. sbseven

    sbseven Registered Member

    Joined:
    Jan 30, 2011
    Posts:
    140
    I'm not sure it will show anything specific to Norton DNS. If I change my config and use another DNS service (e.g. my ISP's, Google DNS, etc.), I get the same message periodically, but obviously showing the remote address as the DNS service I've configured...
     
  20. Heimdall

    Heimdall Registered Member

    Joined:
    Jul 29, 2009
    Posts:
    185
    Unfortunately, I'm unable to recreate these messages. However, from what I've found out, these Audit failures (5152 and 5157) are caused by the Application Layer Enforcement (ALE) filters, which are part of the Windows Filtering Platform.

    Essentially, these ALEs look at traffic and try to match what they see against various filters; if the two don't match it may cause a failure. I guess in your case, it means that whatever ICMP is trying to do, it's not being allowed by one of your rules.

    ALE Stateful Filtering (Windows)

    In terms of what ICMP is trying to do, the answer may be in RFC 1788:

    http://www.faqs.org/rfcs/rfc1788.html

    Hope this helps.
     
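The audit events Heimdall refers to (5152, and 5157 for the connect layer) are written as XML in the Security log, which makes them easier to work with than the Event Viewer summary sbseven quotes. The script below is an added example, not code from this thread or from Microsoft: it decodes a constructed 5152 record, maps the IP protocol number and the direction code to names, and joins the process ID to the services hosted in that svchost instance, which is the correlation sbseven was doing by hand. The EventData field names and the %%14592/%%14593 direction codes are taken from memory of the 5152 event template, so treat them as an assumption and check them against an event exported from your own Security log; the PID-to-service map stands in for what `tasklist /svc` reports on the machine.

```python
"""Decode a Security event 5152 record and tie it to the services behind the PID.

Added example, not from the thread. The event XML is constructed after the
shape of a 5152 ("The Windows Filtering Platform has blocked a packet")
record. ASSUMPTION: the Data Name values and the %%14592/%%14593 direction
codes are from memory of the event template; verify against a real export.
"""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}            # IANA protocol numbers
DIRECTIONS = {"%%14592": "Inbound", "%%14593": "Outbound"}  # assumption, see above

# Constructed stand-in for `tasklist /svc` output: the shared svchost PID and
# the four services sbseven listed as running in it.
PID_TO_SERVICES = {
    1084: ["CryptSvc", "Dnscache", "KtmRm", "NlaSvc"],
}

SAMPLE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>5152</EventID><Channel>Security</Channel></System>
  <EventData>
    <Data Name="ProcessId">1084</Data>
    <Data Name="Application">\\device\\harddiskvolume1\\windows\\system32\\svchost.exe</Data>
    <Data Name="Direction">%%14593</Data>
    <Data Name="SourceAddress">192.168.1.10</Data>
    <Data Name="SourcePort">0</Data>
    <Data Name="DestAddress">8.8.8.8</Data>
    <Data Name="DestPort">0</Data>
    <Data Name="Protocol">1</Data>
    <Data Name="FilterRTID">70001</Data>
  </EventData>
</Event>"""


def parse_5152(xml_text):
    """Return a decoded record for one 5152 event, or raise if it is not one."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    if event_id != 5152:
        raise ValueError(f"expected event 5152, got {event_id}")
    data = {d.get("Name"): d.text for d in root.find("e:EventData", NS)}
    pid = int(data["ProcessId"])
    proto_num = int(data["Protocol"])
    return {
        "pid": pid,
        "image": data["Application"],
        "direction": DIRECTIONS.get(data["Direction"], data["Direction"]),
        "protocol": PROTOCOLS.get(proto_num, str(proto_num)),
        # ICMP has no ports; the event carries 0 and, as noted in the thread,
        # no ICMP type/code, so those have to come from a packet capture.
        "src": (data["SourceAddress"], int(data["SourcePort"])),
        "dst": (data["DestAddress"], int(data["DestPort"])),
        "filter_id": int(data["FilterRTID"]),
        "services": PID_TO_SERVICES.get(pid, []),
    }


def describe(rec):
    """One-line summary suitable for a triage note."""
    svcs = ", ".join(rec["services"]) or "unknown services"
    return (f"{rec['direction']} {rec['protocol']} {rec['src'][0]} -> {rec['dst'][0]} "
            f"blocked by filter {rec['filter_id']}; PID {rec['pid']} hosts {svcs}")


if __name__ == "__main__":
    print(describe(parse_5152(SAMPLE_EVENT)))
```

The filter run-time ID in the event is the handle to look up with `netsh wfp show filters` to find which rule actually dropped the packet, and the ICMP type/code gap is why Heimdall proposes a Wireshark trace alongside the event log.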
  21. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    For me, the above is some useful information. Thanks! I get the verisign, godaddy, comodo always with svchost.exe. As of right now they are blocked. I assume that adding the net range for the three you mention would be safe, correct?
     
  22. Heimdall

    Heimdall Registered Member

    Joined:
    Jul 29, 2009
    Posts:
    185
    I tend to allow them via permitted IP Blocks, which you can always check by looking at a certificate, either via the certificate snap-in, in an MMC, or via the browser. For example:
     


  23. sparviero

    sparviero Registered Member

    Joined:
    Apr 23, 2009
    Posts:
    88
  24. wat0114

    wat0114 Guest

    Okay, so I created an allow rule for the DNS service to TCP port 80, but oddly enough I see nothing successful for it in the logs (no attempts made) nor do I see failure.
     
  25. Heimdall

    Heimdall Registered Member

    Joined:
    Jul 29, 2009
    Posts:
    185
    If you didn't check the links I posted earlier, I'll post the relevant part:

    With regard to the other services used by that instance of svchost, you should find the DTS set to manual in services and the rules for the service inactive in the firewall.

    For the most part, communication between components in a distributed environment will communicate via RPC. However, there may be occasion where one component of the application is hosted on a SQL database with HTTP access requirements.

    The NLA service, as far as I know, doesn't access the Network directly, instead it uses NCSI probes to determine the status of any given network, to which your PC may be attached. Again, as far as I'm aware, it doesn't make calls home.

    As for the DNS client service, as you've already said, it doesn't communicate via HTTP.
     