Hello . I have a firewall question connected to ESET Smart Security . However I need help from a Security / Firewall expert so I decided to post it here . Sorry , if this is a mistake. First to mention - I use ADSL connection - ADSL modem which incorporates NAT in it. My modem is with dynapic IP and so the computer is . I have always used routers with NAT/SPI and Windows firewall (or sometimes ZoneAlarm) and I am not very sure about the ESS firewall and other 3rd party firewalls . As you probably see , for me the most important is incoming protection and I want to be 100% sure I'll be secure with this setup. In ESET Smart Security using Automatic mode (it automatically decides what to goes out) When I first run ESS , it asked me about a network zone . I chose NO so I have no trusted zones (you can see in the screenshots) . With the IDS and advanced options everything (allowed) is unchecked . Is this setup OK and secure for my type of network connection ? Something that bothers me are the logs , see the screnshots . Each and every second there is something stopped (the source is my ADSL modem).Is it normal ?? This is 1 computer only behind the modem/router and I want to be really security with this . All my computers are Windows XP and this specific computer is XP Pro SP1.Everything else is working fine,just the logs... Thanks in advance !
Hi, Port 1900 UDP is used to receive UPnP (Universal Plug n' Play) messages from other UPn'P devices. I don't think this is needed in your case at all. Disable Universal Plug and Play Device Host in sevices. Also Messenger in services. While you are about it also disable Netbios over TCP/IP in Network Connections>Local Area Connection>Properties>Internet Protocol>Properties>Advanced>WNS. (Assuming you don't have file and printer sharing enabled and are thus not networked). See this from GRC You can also download Seconfig and configure for "Home" Regards.
Hi Ocky ! On my both computers (both SP1 and SP2) Messenger service is disabled. UPnP service is set to Manual (is this enough?) Yes , File&Printer Sharing is disabled . This is the first thing I do before I connect to internet (once after I reinstall Windows)
You don't need a trusted zone - it's a standalone machine. I would disable the UPn'P service in order to stop all those log entries. Also disable Netbios over TCP/IP as mentioned before (those 135-139 entries). Have a look at this from Black Viper: Are you happy with the Eset suite (I know itis beta) ? Seconfig will do most of this stuff for you. http://seconfig.sytes.net/
I think so , too . That's why I removed all trusted zones from the firewall setup. Will try this tomorrow. Yes , really happy . Good job !
Forgot to mention - also disable SSDP Discovery service in services if you haven't done so already. I am using Comodo, but will follow the posts re. ESS to see how it performs. Am very pleased with NOD32 and so is my wife.
Just a note: The logs are showing the uPnP being blocked on Inbound. This means (from your info) it is the router that is sending these. If you want this to stop, then you will need to check the settings in the router.
Hi Stem . The router is in modem and they control it . They have password-protected it and don't allow their clients change their default configurations.I may need to call them and ask them do it , otherwise I have to disable UPnP. If there is something else , please let me know . Thanks very much!
Ok , I disabled these two services and restarted : - Universal Plug and Play Host - SSDP Discovery service On the XP SP2 computer I can no longer see any packs dropped coming from my modem/router-port 1900 , which is good , right? However , here is what started occuring (this never appeared before , neither on WF , neither on ESS) 07:50 I disabled the services and rebooted later now another ports ... what is going on? What is this now ? Thanks to all who posted and are about to post
Just to let you know . I just made a few test. Scanned my computer with McAfee's HackerWatch.org and PC-Flank.com Hackerwatch (simple scan-direct attack) no successful connection made Hackerwatch (port scan) all ports secure/stealth PCFlank.com Port scan (both TCP SYN and TCP Connect scannings) - common ports All ports stealth PCFlank.com Stealth test - All ports stealth It seems it is working - the NAT modem/router blocking attacks . The Windows firewall is with ON (+Don't allow exception) . The ESS configuration is as on the screenshots above (it is on another comp) . The UPnP services as well as File and Printer Sharning are disabled . Experts , this is setup is OK , I think ,isn't it?
Unfortunately I am not a Firewall expert, for expert advise Stem is the one. It is generally considered bad to have two firewalls running at the same time. So why not disable the Windows firewall - you have your NAT router which should be blocking all incoming. You can test it at Shields Up https://www.grc.com/x/ne.dll?bh0bkyd2 As regards your source port 80 dropped packets had you been to the site in the source IP address (eg. wilderssecurity)? If so, then looking at the source port (http 80), it is likely just a late packet arriving to your system as a result of being at the site that the firewall no longer considers part of an active connection and has dropped. If this is the case, it is nothing to worry about. Hopefully Stem or Paranoid can tell you more. Regards.
Done. All ports Stealth , however it complains because Ping Reply: RECEIVED (FAILED) — Your system REPLIED to our Ping (ICMP Echo) requests, making it visible on the Internet Thanks
You can block the ICMP (type) 8 inbound echo request in the firewall section of your router setup. It is after all a request from outside. So far I think you have only tested your router, to test ESS firewall you need to bypass the router. PS. Have you password protected your router ? Enjoy the easter weekend !
I cannot change the settings because it is my ADSL modem that gives me both internet connection and it (the modem) has NAT in it . It ,as well as its settings, is configured by my ISP . They don't allow customers touch the router/settings as they say "for security reasons" . And yes , it has strong password protection So far I think everything is OK. Both at home and at the office I use the same ISP/the same modem/router and I think I am OK . Will try this some time soon (both for Windows Firewall and for ESS) Merci! (Thanks) . You , too . Happy Eastern and thanks a lot for your help.
Hi again , Ocky . Just did some more tests: Instead of connecting with ADSL (with my modem/router) , I connected with dial-up connection-directly . Tested without any additional protection (just me and Windows Firewall) . Scanned my computer with McAfee's HackerWatch.org and PC-Flank.com and the results are the same Hackerwatch (simple scan-direct attack) no successful connection made Hackerwatch (port scan) all ports secure/stealth PCFlank.com Port scan (both TCP SYN and TCP Connect scannings) - common ports All ports stealth PCFlank.com Stealth test - All ports stealth Thanks once again for your help and good job Microsoft for your reliable firewall - Windows Firewall P.S. Will soon test ESS and post (however in the ESET forums/threads) . HiTech_boy
