Successfully Block port 135, and 136 on Windows98?

Discussion in 'other firewalls' started by Comp01, Sep 7, 2003.

Thread Status:
Not open for further replies.
  1. SpaceCowboy

    SpaceCowboy Registered Member

    Joined:
    Oct 20, 2002
    Posts:
    40
    i wish they would get rid of those graphs. they just confuse people. the graphs do not tell you what application they are showing traffic for. so it could be something else that you are seeing. here is a link that explains the graphs a little.

    http://smb.sygate.com/support/documents/spf/traffic_history_graphs.htm

    and like you have already been told, if an application is listening, it doesn't mean that it is transmitting out. you have the application blocked so it won't ever do any more than listen.

    you should disable netbios if you don't need it.
    http://comp.bio.uci.edu/security/netbios.htm
     
  2. Comp01

    Comp01 Registered Member

    Joined:
    Sep 4, 2003
    Posts:
    638
    I wasn't talking about graphs, if in Sygate click view application details, that's what I am talking about, also the
    OrgName: Internet Assigned Numbers Authority
    OrgID: IANA
    Address: 4676 Admiralty Way, Suite 330
    City: Marina del Rey
    StateProv: CA
    PostalCode: 90292-6695
    Country: US
    What is that? I mean why is kernel32.dll connecting there? Also could it be because a part of my ISP's software was blocked? (Just found it) and I can't disable NetBIOS, I tried, it's checked, and grayed out :doubt:
     
  3. Comp01

    Comp01 Registered Member

    Joined:
    Sep 4, 2003
    Posts:
    638
    Also, on IP address it's supposed to/and or sending to, comes up like this:
    169.254.4.206->0.0.0.0
     
  4. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,278
    Location:
    New England
    Actually, I tried to explain the 169.254.*.* addresses above (reply #19).

    Your system is not connecting "there". IANA is the Internet naming authority that is responsible for the designation of the use of the IP address range you're talking about. That's all. It isn't a remote network or a location that anyone's systems connect to.

    So, don't worry about that back trace, it doesn't apply on a 169.254 based address.

    I'm still not clear on what you are seeing. Perhaps you can make a screen image or two to show us exactly what Sygate screen you are looking at, highlighting the significant portions.

    You can add one image per post here on the forum. This FAQ will explain how if you've never done it: FAQ: Screen Shots and Image Posting.
     
  5. SpaceCowboy

    SpaceCowboy Registered Member

    Joined:
    Oct 20, 2002
    Posts:
    40
    ok ok i see where you are talking about now. this page kind of explains it. http://smb.sygate.com/support/documents/spf/running_applications_list.htm

    not sure what your question is though.. sry
     
  6. Comp01

    Comp01 Registered Member

    Joined:
    Sep 4, 2003
    Posts:
    638
    OK, hope this image works :doubt:
     

  7. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,278
    Location:
    New England
    Well, the image attached fine... Now all we need is someone who understands exactly what that particular Sygate screen's purpose and meaning is so they can tell us if this is a concern or not. Let's wait and see.
     
  8. Comp01

    Comp01 Registered Member

    Joined:
    Sep 4, 2003
    Posts:
    638
    Yep :doubt: that could take a while though, but really right now (At the moment at least) is I want to know am I safe on the internet? :doubt: will this "connection" or whatever spy on me? or just give me my DNS/IP#? hmm :doubt: maybe my ISP uses this to specifically obtain IP#'s? (Sorry, as I said, I'm a noobie at security)
     
  9. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,278
    Location:
    New England
    Well, at this point my belief is that you are safe, and that most likely the screen is showing something quite normal, that once it's explained we'll all slap our foreheads and say - "Oh, yeah! That's what that is."
     
  10. Comp01

    Comp01 Registered Member

    Joined:
    Sep 4, 2003
    Posts:
    638
    Yeah, I guess, I'm still waiting though :doubt:
     
  11. snapdragin

    snapdragin Registered Member

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi Comp01,

    i also have a Win98se computer and use Sygate (free) along with a router on cable connection.

    i am probably repeating what others have already posted, but thought i would add to your post since we have about the same setup.

    The kernel32.dll will show as listening on ports 137, 138, and 139 in Sygate's application listing (that first panel you see with the graph with black background and green lines) even if you have blocked it with Sygate. But no connection from the net will happen since you do have it blocked.

    However, if you no longer want to see the file kernel32.dll "listening" on those three ports, then you will have to disable NetBIOS.

    i also had used Sygate to just block the kernel32.dll (which is identified in Sygate's Application List as the file name: Win32 Kernel core component) until i felt comfortable enough to disable NetBIOS. Then the three instances of Kernel32.dll disappeared from Sygate's list, as it was no longer "listening" on ports 137, 138, and 139. :)

    If you do not have several computers networked together and sharing files between them in your home, (that is called a private LAN) then you do not need to have NetBIOS enabled.

    The link SpaceCowboy gave you for disabling NetBIOS is a good one and explains it very well. (i will repost it again here in case you are not sure of which link i mean)

    How To Disable NetBIOS over TCP/IP
    http://comp.bio.uci.edu/security/netbios.htm

    If you decide that you just want to leave it for Sygate to block kernel32.dll, that is ok too and you are safe. But if you want to have those ports closed, then follow the two steps there in that link above, for Windows 95, 98, or WinME.

    Hope that helps and i haven't confused you, it is confusing enough already lol. (i also have an XP-Home with Sygate on it, and have NetBIOS disabled on that computer too...i do not have the two computers networked together...they are standalones edited to add - i owe a "Thank You!" to LWM for that! He helped me with the XP... :D )

    Best regards,

    snap
     
  12. snapdragin

    snapdragin Registered Member

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Oh! Forgot something. You had also asked about blocking port 135. i am assuming the file rpcss.exe is showing as "listening" on that port, yes? The rpcss.exe did not come with my Win98se....i never had that file on that computer until i installed my LexmarkZ53 printer. grrrr..grr. i read up on it and from what i read, the rpcss.exe is not needed, BUT it also said if i remove it i "may" have problems with my printer. i don't know...lol..so i decided just to leave it there now and have Sygate block it.

    The rpcss.exe has been blocked on my Win98se for about a year with no ill effects and my printer works just fine since it is connected directly to my computer and not through any network.

    So you are good to go with just having Sygate block the rpcss.exe (shown in Sygate's Application List as the Distributed COM Services).

    snap :)
     
  13. Comp01

    Comp01 Registered Member

    Joined:
    Sep 4, 2003
    Posts:
    638
    Thanks for all the help! I don't have any networked PC's, this is my only PC, heh, but, it won't allow me to disable NetBIOS, I go to the page, it's checked off to allow it, and grayed out :doubt:
     
  14. snapdragin

    snapdragin Registered Member

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi Comp01

    Yes..it will be greyed out...mine was too. You have to "unbind" NetBIOS first.

    The second part there on that link can be a bit confusing. But i'll try and explain it here.

    1. Go to START-->Settings-->ControlPanel, and find the icon called Network....double-click on it and the Network box will pop up.

    2. Choose the Configuration tab and look for the TCP/IP line...highlight that.

    3. Now click on the button called Properties. The TCP/IP Properties box will pop up.

    4. Choose the Bindings tab now.

    5. Uncheck the box beside Client for Microsoft Networks.

    6. Click "OK" (if you get the message "You have not selected any drivers to bind with. Would you like to select one now?") Just ignore this message and click on "YES". Then click on "OK" to close the TCP/IP Properties box.

    7. Now click on the File and Printer Sharing button and make sure those two boxes there are UN-CHECKED.

    8. Click OK again to close the Network box

    9. You may have to reboot your computer for the settings to take place.

    10. And you are done. :) The NetBIOS tab that you mentioned that was greyed out will no longer be greyed out and the check-mark that was in it will also be gone. You can check that if you like by following the first steps above, but rather than choosing the Bindings tab, this time choose the NetBIOS tab. If it is still checked (it shouldn't be) but if it is, then just uncheck it and click OK to close the boxes. :)

    snap

    forgot to add...if you have two instances of TCP/IP there in the Network box, you will have to do the above twice. i did. LOL
     
  15. Comp01

    Comp01 Registered Member

    Joined:
    Sep 4, 2003
    Posts:
    638
    Yeah, I do have two TCP/IP's there :doubt: I have an Ethernet card along with my modem, with 2 different settings...
     
  16. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    Please note I haven't read completely through this topic, but to disable netbios on 9x all I do is rename the vnbt.386 file to vnbt386.bak in the X:\windows\system directory, then reboot. This will kill all netbios so if you ever have a network you will have to rename the file, reboot, then use your firewall to allow those permissions correctly.
     
  17. Comp01

    Comp01 Registered Member

    Joined:
    Sep 4, 2003
    Posts:
    638
    I already did it the way they said to do it, also, my Windows login screen disappeared (or network login screen, or user or whatever) is that normal?
     
  18. Comp01

    Comp01 Registered Member

    Joined:
    Sep 4, 2003
    Posts:
    638
    Also, when I click up "Network neighborhood" it says "Network not complete, continue" with Yes/No buttons, is that normal also?
     
  19. snapdragin

    snapdragin Registered Member

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi Comp01 - for that message, just say "No" since you do not want to complete a network. That is what you just got away from. When i click on the desktop icon called Network Neighbourhood, i get the "Unable to browse network. The network is not accessible". A "Network neighborhood" is just that, a neighborhood of computers on a network. We don't want that. LOL.

    As for the Windows Login Screen...are you referring to the screen that comes up after the Windows 98 screen disappears? If that is what you mean, then that may not be such a bad thing as many people usually want to get rid of that. i still have my login screen but that might be because i still have my Client for Microsoft Networks bound to NetBEUI. But since you are not wanting a network, you really don't need to "log into a network". If i am wrong in this regard, please someone jump in and correct me. :)

    Also, if you have the MS DOS icon on your desktop, double-click on it to open up the black DOS box, and at the DOS prompt type in: netstat -an (note, there is a space before the minus sign) and hit Enter.

    You will see a listing of all the addresses and ports listening or connected. You should see ports 137, 138 and 139 no longer listed there. When you are done with the DOS window, just type in the word exit, then hit enter, and this will close that black box.

    Or if you would rather use a small program which will give you the same results as the above, but with just a click of the mouse instead. A good 'free' program called TCPView, will show you detailed listings of all TCP and UDP connections and what ports are being used. TCPView is free and works on Windows 98 too, and can be found here:

    http://www.sysinternals.com/ntw2k/source/tcpview.shtml

    Another excellent program is Port Explorer. Port Explorer is not free though, but it does have a 30-day free trial period. You can also find the support forum here at wilders. Jason has posted the information on the new released version 1.800 here:

    http://www.wilderssecurity.com/showthread.php?t=13621

    Hope that helps,

    snap :)
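
An added example, not part of snapdragin's post: a short Python script that reads `netstat -an` output and lists which of the ports discussed in this thread (135, 137, 138, 139) still have a listener. Both sample outputs are constructed for illustration, and 192.0.2.10 is a documentation placeholder address.

```python
import re

# Ports discussed in this thread and the services normally bound to them.
WATCHED = {
    135: "RPC endpoint mapper (rpcss.exe)",
    137: "NetBIOS name service",
    138: "NetBIOS datagram service",
    139: "NetBIOS session service",
}

# One row of `netstat -an`: protocol, local addr:port, foreign addr, optional state.
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")

def watched_listeners(netstat_text):
    """Return sorted (proto, port, local_addr, service) rows for open watched ports."""
    found = set()
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header and blank lines
        proto, addr, port, _foreign, state = m.groups()
        port = int(port)
        # TCP counts only when LISTENING; a bound UDP socket has no state column.
        if port in WATCHED and (proto == "UDP" or state == "LISTENING"):
            found.add((proto, port, addr, WATCHED[port]))
    return sorted(found, key=lambda r: (r[1], r[0]))

# Constructed sample: NetBIOS still bound to TCP/IP.
BEFORE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    169.254.4.206:139      0.0.0.0:0              LISTENING
  TCP    169.254.4.206:1031     192.0.2.10:80          ESTABLISHED
  UDP    169.254.4.206:137      *:*
  UDP    169.254.4.206:138      *:*
  UDP    0.0.0.0:68             *:*
"""
# Constructed sample: NetBIOS unbound; 135 is only firewalled, so it still
# shows as listening locally. UDP 68 is the DHCP client and is not watched.
AFTER = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  UDP    0.0.0.0:68             *:*
"""

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        for proto, port, addr, service in watched_listeners(text):
            print(f"{label}: {proto} {addr}:{port} open - {service}")
```

A port that a firewall blocks but whose service is still running keeps appearing here, which matches what the thread describes for Sygate's application list.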
     
  20. JayK

    JayK Poster

    Joined:
    Dec 27, 2002
    Posts:
    619
    Try active ports
     
  21. Comp01

    Comp01 Registered Member

    Joined:
    Sep 4, 2003
    Posts:
    638
    Yeah, kernel32.dll still comes up in Sygate as "Listening on remote port 68, IP address 0.0.0.0->0.0.0.0" but, 0.0.0.0 is your own computer though, isn't it? :doubt: so, uhh, I'm listening to myself? lol
     
  22. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi Comp01

    It is not unusual to have certain system functions listening on your computer, as long as your rules control what is allowed to enter and leave your system.

    Regards,

    CrazyM
     
  23. Comp01

    Comp01 Registered Member

    Joined:
    Sep 4, 2003
    Posts:
    638
    Also, when I click "Connection Details" now, kernel32.dll doesn't even show up as connecting anywhere, but yet it says it's sending data? :doubt: still confusing, but feel safer now that NetBIOS is disabled..
     