Firewall Blocking Traffic from 255.255.255.255??

Discussion in 'other firewalls' started by kja, Aug 23, 2003.

Thread Status:
Not open for further replies.
  1. kja

    kja Registered Member

    Joined:
    Aug 23, 2003
    Posts:
    4
    Hi,

    I'm new here, and I don't really understand a lot about firewall activity, so I was hoping someone might be able to help me with this. I keep getting bombarded with the following message:

    McAfee Firewall automatically blocked incoming traffic from IP address 255.255.255.255. You have configured McAfee Firewall to always block traffic to or from this address. The IP protocol type was 17 [UDP]. The remote address associated with the traffic was 10.40.224.1. The network adapter for the traffic was "Intel(R) PRO/100 VE Network Connection".

    I'm not sure how long my firewall has been blocking the attempts, but I just got cable two weeks ago, and I've been checking the activity logs a lot more since then. I'm starting to get pretty worried, because today alone, there have been 422 entries like that in the last 8 1/2 hours. Also, I never configured my firewall to block traffic from that address, although the message says I did.

    Could somebody tell me what's happening, and if there's anything I can do to stop it? I'd really appreciate any info you can provide!
     
  2. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi kja

    First...welcome to Wilders :).

    The 255.255.255.255 is a broadcast address.
    The 10.40.224.1 is in a range usually reserved for private networks, in your case, likely your cable connection/network.

    You indicate the protocol was UDP, do your logs show the source and destination ports?

    Regards,

    CrazyM
     
  3. kja

    kja Registered Member

    Joined:
    Aug 23, 2003
    Posts:
    4
    Thanks for the welcome and the info CrazyM. The logs don’t show either the source or destination ports. Also, I checked with my ISP, and they said this has nothing to do with them or the cable service. Any other info you can provide? Thanks again!
     
  4. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi kja

    Well hopefully you should have detailed logs somewhere. If the initial alert did not provide source and destination ports, it should be captured in the logs. Without detailed logs, it's hard to say what the firewall is actually blocking or what this traffic may be. Have another look, there is likely a log file kept by your firewall.

    Is your IP in the same range as the source IP's of the blocked packets?

    Regards,

    CrazyM
     
  5. kja

    kja Registered Member

    Joined:
    Aug 23, 2003
    Posts:
    4
    Hi again CrazyM,

    Thanks for replying so quickly. No, my IP isn’t in the same range as the source IP’s. Theirs starts with 10.xxx and mine starts with 24.xxx. I went back and checked my firewall logs and found that although the activity and warning logs have tons of entries for 255.255.255.255 today, the current activity log lists only one for that IP. It says:

    Program: SVCHOST.EXE
    Local Port: 1028 [ephemeral]
    Remote Address: 255.255.255.255
    Remote Port: 0
    Start Time: 08/26/03 11:47:28 AM
    Duration: 19884
    Sent (bytes): 0
    Received (bytes): 0

    Also, the log messages like the one I referenced in my first post all say something like this at the bottom of each message (each one differs a little bit):

    The binary data contained in the packet was "ff ff ff ff ff ff 00 08 e2 32 10 54 08 00 45 00 01 50 30 57 00 00 ff 11 a0 1c 0a 28 e0 01 ff ff ff ff 00 43 00 44 01 3c 68 7a 02 01 06 00 0d 9a ed 20 00 00 80 00 00 00 00 00 18 18 cd 04 00 00 ".

    Is any of this helpful in figuring out what's going on, and whether or not I should be worried about it?

    Thanks,
    Karin
     
  6. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi Karin

    No I don't think you have anything to worry about if your firewall is blocking these broadcasts.

    Could you check the directory where you have your firewall installed for a log file. A complete log entry with: date, time, action (block/allow), protocol, source IP, source port, destination IP, destination port would help. (just xxx out your IP)

    Regards,

    CrazyM
     
  7. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Thanks to Dan Perez for the decode:

    So it is IPv4
    min IP Header length of 5 32-bit words
    Type-of-Service field of value of 0x00

    IPDatagram Length is 0x0150 bytes (and not all of it is shown so the packet data was truncated)

    Datagram ID is 0x3057

    The Fragment Info is 0x0000

    TTL = 0xFF (I believe the default TTL for Win2K/XP is the same)
    Protocol# = 0x11 (UDP)

    IP Header Checksum = 0xa01c

    Source IP = 10.40.224.01

    Dest IP = 255.255.255.255

    UDP Header info

    Source Port = 67

    Dest Port = 68

    UDP Packet Length = 0x013c

    UDP Checksum = 0x687a

    BOOTP data

    Opcode = Reply
    Hardware Type = Ethernet

    So the broadcasts being blocked by your firewall are DHCP/Bootp broadcasts which are nothing to worry about. The private address range 10.xx.xx.xx showing as the source address is likely your ISP's cable network/servers.

    Regards,

    CrazyM
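
The decode in the post above can be reproduced from the bytes quoted in the alert. The following Python is an added example, not part of the original thread: it parses the Ethernet, IPv4, UDP and first BOOTP fields, recomputes the IPv4 header checksum, and also reads the BOOTP broadcast flag, which the posted decode does not list. The function names and dictionary keys are chosen for this example.

```python
import struct
from ipaddress import IPv4Address

# Bytes exactly as quoted in the McAfee alert earlier in this thread.
ALERT_HEX = ("ff ff ff ff ff ff 00 08 e2 32 10 54 08 00 45 00 01 50 30 57 "
             "00 00 ff 11 a0 1c 0a 28 e0 01 ff ff ff ff 00 43 00 44 01 3c "
             "68 7a 02 01 06 00 0d 9a ed 20 00 00 80 00 00 00 00 00 18 18 "
             "cd 04 00 00")

def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum, computed with the checksum field zeroed."""
    data = header[:10] + b"\x00\x00" + header[12:]
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def decode(hex_text: str) -> dict:
    raw = bytes.fromhex(hex_text)
    if len(raw) < 34 or raw[12:14] != b"\x08\x00":
        raise ValueError("need an Ethernet II frame carrying IPv4")
    ihl = (raw[14] & 0x0F) * 4              # header length in bytes
    if raw[14] >> 4 != 4 or ihl < 20 or len(raw) < 14 + ihl:
        raise ValueError("bad IPv4 header")
    ip = raw[14:14 + ihl]
    _, _, total_len, _, _, ttl, proto, csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", ip[:20])
    out = {"src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
           "ttl": ttl, "proto": proto, "checksum_ok": ip_checksum(ip) == csum,
           "truncated": len(raw) < 14 + total_len}
    udp = raw[14 + ihl:]
    if proto == 17 and len(udp) >= 8:
        sport, dport, ulen, _ = struct.unpack("!HHHH", udp[:8])
        out.update(sport=sport, dport=dport, udp_len=ulen)
        bootp = udp[8:]
        if {sport, dport} == {67, 68} and len(bootp) >= 12:
            op, htype, _, _, _, _, flags = struct.unpack("!BBBBIHH", bootp[:12])
            out.update(bootp_op={1: "request", 2: "reply"}.get(op, op),
                       htype=htype,      # 1 = Ethernet
                       broadcast=bool(flags & 0x8000))
    return out

if __name__ == "__main__":
    for key, value in decode(ALERT_HEX).items():
        print(f"{key:12} {value}")
```

The recomputed checksum matches the 0xa01c in the header, and the set broadcast flag is consistent with the reply being addressed to 255.255.255.255 rather than to a single host.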
     
  8. Peaches4U

    Peaches4U Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    5,070
    Location:
    At my computer
    A little search on the source IP, came up with this info.

    OrgName: Internet Assigned Numbers Authority
    OrgID: IANA
    Address: 4676 Admiralty Way, Suite 330
    City: Marina del Rey
    StateProv: CA
    PostalCode: 90292-6695
    Country: US

    NetRange: 10.0.0.0 - 10.255.255.255
    CIDR: 10.0.0.0/8
    NetName: RESERVED-10
    NetHandle: NET-10-0-0-0-1
    Parent:
    NetType: IANA Special Use
    NameServer: BLACKHOLE-1.IANA.ORG
    NameServer: BLACKHOLE-2.IANA.ORG
    Comment: This block is reserved for special purposes.
    Comment: Please see RFC 1918 for additional information.
    Comment:
    RegDate:
    Updated: 2002-09-12

    OrgAbuseHandle: IANA-IP-ARIN
    OrgAbuseName: Internet Corporation for Assigned Names and Number
    OrgAbusePhone: +1-310-301-5
     
  9. kja

    kja Registered Member

    Joined:
    Aug 23, 2003
    Posts:
    4
    Thanks again CrazyM, and thanks for your info Peaches4U!

    I can’t find anything like the log you asked for, CrazyM. I can manually save the entries in the activity and warning logs whenever I want to, but they contain exactly the same information that I included in my first post. The only other log I saw was “08272003.log” in “McAfee\McAfee Firewall\Logs”, and when I opened it with WordPad and Notepad, the whole document consisted of characters like this “ @ é|}¤ â2 ¨ E <¼@ % ֳÃ ¤ «z”, with this listed in between them “DEVICE\{2B4F3A5E-284D-4BAC-8608-127CA3F08F6A}___'_Intel(R) PRO/100 VE Network Connection”. I looked through all the McAfee folders and that’s all that I saw.

    By the way, could you, or anyone else who’d like to, recommend a good antivirus and firewall? Something strong enough to do a good job, but easy enough for a non-technical person to use it. I don’t know if they all have this feature, but I’d like to find something where I can add IP addresses and/or ports to be blocked, if I wanted to.

    Even though you said I probably didn’t have anything to worry about, I decided I’d contact McAfee Tech Support via online chat last night. Huge mistake!! I spent 2 hours in the queue, and ½ hour talking to the first tech, who had me change some settings that locked up IE and knocked me out of chat. After restoring the settings and rebooting, I tried to contact them again. This time I was in the queue from 2-5 a.m., and then I spent another 2 hours with the second tech, who had me change all kinds of settings that didn’t do anything to stop the “255.255.255.255” entries. At the end he finally said, “Oh well, that’s just normal firewall activity.” He also said that my software might be corrupted because I wasn’t getting any pop-up notifications, so I uninstalled and reinstalled everything. Now, I don’t know if it’s because of something he had me do, but when I run security scans, they show that port 1025 is open, when it was stealthed before. Can you tell me how I might be able to fix that? Needless to say, I’m now in the market for another brand of security software. Any advice or suggestions would be appreciated!

    Thanks,
    Karin
     
  10. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi Karin

    Well that is the type of log file I was hoping you would find. Is there an option in your firewall to view that log file so it will display properly, or just the option you mentioned? I was hoping you would find something formatted along the lines of this: (using your entry above as an example)
    2003/08/26, 11:47:28, GMT -0700, Device 2, Blocked incoming UDP packet (no matching rule), src=10.40.224.01, dst=255.255.255.255, sport=67, dport=68

    Yes, tech support can be fun at times :rolleyes:.

    Referring to the alert we have been discussing, it is normal to see these types of entries and they are nothing to worry about. With some cable connections, you will see a lot of this cr@p or what some refer to as internet noise by virtue of how some cable networks work. This in addition to the blocked connection attempts, scans, worms, etc., well that's why we have firewalls ;).

    Has your rule set changed at all? Might want to check your rules for any allowing inbound connections. Without seeing your rules we could only speculate at this point. Is there a convenient way with McAfee to post your rule set? (screenshot, text output)

    Unless you are completely unsatisfied, no need to jump ship just yet. We might be able to sort things out. There are lots of good alternatives if it should get to that.

    Regards,

    CrazyM
     
  11. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi Karin

    Further to your port 1025 issue, you might want to take a look at the following post in the McAfee forums. In particular the one near the bottom by "burog25c" and see if that rule modification would be applicable to you.

    http://forums.mcafeehelp.com/viewtopic.php?t=13214

    Regards,

    CrazyM
     
  12. museheart

    museheart Registered Member

    Joined:
    Jan 3, 2003
    Posts:
    87
    Location:
    USA
    I get this all the time. What does this blackhole mean?

    I hate all this configuring! Can't something just be easy for people who are not programmers?
     
  13. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    Addresses like this are not used beyond local configurations, like running a LAN. Nobody can enter your network from the internet by targeting your 10x address as it will lead nowhere, aka a blackhole.

    Terms like blackhole are used since it also has another meaning elsewhere like blackholes in space, and it's usually only people who deal with networking that have to deal with things of this nature. It's also so they don't have to write a paragraph about everything on every page, and can list information in a simple manner when you understand the terminology.
     
  14. Peaches4U

    Peaches4U Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    5,070
    Location:
    At my computer
    Hope the following will give some insight to some of the questions posed here:

    Re Firewalls: Here is an URL for firewall reviews. It might help.

    http://www.firewallguide.com/software.htm

    Here is an URL for a personal firewall scoreboard:

    http://grc.com/lt/scoreboard.htm

    I have ZoneAlarm Pro and can configure to block certain ports, etc. Actually, it blocks ports very nicely with default configuration which is recommended for newbies to the software.

    Visit the following site to see what nasties are trying to enter Port 1025 along with a whole list of other Ports.

    http://www.simovits.com/nyheter9902.html

    Happy reading ... :D
     
  15. museheart

    museheart Registered Member

    Joined:
    Jan 3, 2003
    Posts:
    87
    Location:
    USA
    Oh. :rolleyes:

    Sorry I put you through that. But thanks. :)
     