Firewall question

Discussion in 'other firewalls' started by ASpace, Apr 6, 2007.

Thread Status:
Not open for further replies.
  1. ASpace

    ASpace Guest

    Hello.

    I have a firewall question connected to ESET Smart Security. However, I need help from a security/firewall expert, so I decided to post it here. Sorry if this is a mistake.

    First to mention: I use an ADSL connection, an ADSL modem which incorporates NAT. My modem has a dynamic IP and so does the computer.
    I have always used routers with NAT/SPI and Windows firewall (or sometimes ZoneAlarm) and I am not very sure about the ESS firewall and other 3rd party firewalls. As you can probably see, for me the most important thing is incoming protection and I want to be 100% sure I'll be secure with this setup.

    In ESET Smart Security I am using Automatic mode (it automatically decides what goes out).
    When I first ran ESS, it asked me about a network zone. I chose NO, so I have no trusted zones (you can see in the screenshots).
    With the IDS and advanced options, everything (allowed) is unchecked. Is this setup OK and secure for my type of network connection?

    Something that bothers me is the logs, see the screenshots. Each and every second there is something stopped (the source is my ADSL modem). Is it normal?? o_O

    This is 1 computer only behind the modem/router and I want to be really secure with this.

    All my computers are Windows XP and this specific computer is XP Pro SP1. Everything else is working fine, just the logs...
    Thanks in advance! :thumb:
     

    Last edited by a moderator: Apr 6, 2007
  2. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,677
    Location:
    George, S.Africa
    Hi, Port 1900 UDP is used to receive UPnP (Universal Plug n' Play) messages from other UPnP devices. I don't think this is needed in your case at all.
    Disable Universal Plug and Play Device Host in services. Also Messenger in services. While you are about it, also disable NetBIOS over TCP/IP in Network Connections > Local Area Connection > Properties > Internet Protocol > Properties > Advanced > WINS. (Assuming you don't have file and printer sharing enabled and are thus not networked.) See this from GRC
    You can also download Seconfig and configure for "Home".

    Regards.
     
  3. ASpace

    ASpace Guest

    Hi Ocky !

    On both my computers (both SP1 and SP2) the Messenger service is disabled.
    The UPnP service is set to Manual (is this enough?)

    Yes, File & Printer Sharing is disabled. This is the first thing I do before I connect to the internet (once after I reinstall Windows).
     
  4. ASpace

    ASpace Guest

    Are my firewall settings correct? I think they are but need clarification.
     
  5. Ocky

    Ocky Registered Member

    You don't need a trusted zone - it's a standalone machine. I would disable the UPnP service in order to stop all those log entries. Also disable NetBIOS over TCP/IP as mentioned before (those 135-139 entries). Have a look at this from Black Viper:
    Are you happy with the Eset suite (I know it is beta)? :)

    Seconfig will do most of this stuff for you. http://seconfig.sytes.net/
     
  6. ASpace

    ASpace Guest

    I think so, too. That's why I removed all trusted zones from the firewall setup.

    Will try this tomorrow.

    Yes, really happy. Good job!
     
  7. Ocky

    Ocky Registered Member

    Forgot to mention - also disable SSDP Discovery service in services if you haven't done so already.

    I am using Comodo, but will follow the posts re. ESS to see how it performs.
    Am very pleased with NOD32 and so is my wife. :thumb:
     
  8. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Just a note:

    The logs are showing the UPnP being blocked on Inbound. This means (from your info) it is the router that is sending these. If you want this to stop, then you will need to check the settings in the router.
     
  9. ASpace

    ASpace Guest

    Hi Stem.

    The router is in the modem and they control it. They have password-protected it and don't allow their clients to change the default configuration. I may need to call them and ask them to do it, otherwise I have to disable UPnP.

    If there is something else, please let me know. Thanks very much!
     
  10. ASpace

    ASpace Guest

    OK, I disabled these two services and restarted:
    - Universal Plug and Play Host
    - SSDP Discovery service

    On the XP SP2 computer I can no longer see any packets dropped coming from my modem/router on port 1900, which is good, right?

    However, here is what started occurring (this never appeared before, neither on WF nor on ESS):
    07:50 I disabled the services and rebooted

    later

    Now other ports... What is going on? What is this now? Thanks to all who posted and are about to post :thumb:
     
    Last edited by a moderator: Apr 7, 2007
  11. ASpace

    ASpace Guest

    Just to let you know, I just made a few tests.

    Scanned my computer with McAfee's HackerWatch.org and PC-Flank.com

    Hackerwatch (simple scan - direct attack): no successful connection made
    Hackerwatch (port scan): all ports secure/stealth

    PCFlank.com Port scan (both TCP SYN and TCP Connect scanning) - common ports: All ports stealth
    PCFlank.com Stealth test: All ports stealth

    It seems it is working - the NAT modem/router is blocking attacks. The Windows firewall is ON (+ Don't allow exceptions). The ESS configuration is as on the screenshots above (it is on another computer). The UPnP services as well as File and Printer Sharing are disabled.

    Experts, this setup is OK, I think, isn't it?
     
    Last edited by a moderator: Apr 7, 2007
  12. Ocky

    Ocky Registered Member

    Unfortunately I am not a Firewall expert; for expert advice Stem is the one.
    It is generally considered bad to have two firewalls running at the same time. So why not disable the Windows firewall - you have your NAT router which should be blocking all incoming. You can test it at Shields Up https://www.grc.com/x/ne.dll?bh0bkyd2

    As regards your source port 80 dropped packets, had you been to the site in the source IP address (e.g. wilderssecurity)?
    If so, then looking at the source port (http 80), it is likely just a late packet arriving to your system as a result of being at the site, which the firewall no longer considers part of an active connection and has dropped.
    If this is the case, it is nothing to worry about.

    Hopefully Stem or Paranoid can tell you more.

    Regards.
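
Added example (not part of the thread and not ESS code): a short Python triage of dropped-packet log lines using the explanations given in the replies above, namely UDP 1900 as UPnP/SSDP from the router, ports 135-139, and source-port-80 packets from a site that was just visited. The log line format, the gateway address, the LAN range and the list of recently visited servers are assumptions, and the sample lines are constructed.

```python
import ipaddress
from collections import Counter, namedtuple

# Assumed line format (constructed, not the ESS log format):
#   time direction protocol src_ip:port dst_ip:port
Drop = namedtuple("Drop", "time direction proto src sport dst dport")

GATEWAY = "192.168.1.1"                        # assumed modem/router address
LAN = ipaddress.ip_network("192.168.1.0/24")   # assumed LAN range
RECENT_HTTP = {"203.0.113.10"}                 # assumed: servers browsed recently

SAMPLE = """\
07:49:58 IN UDP 192.168.1.1:1900 239.255.255.250:1900
07:50:03 IN UDP 192.168.1.1:137 192.168.1.255:137
07:52:10 IN TCP 203.0.113.10:80 192.168.1.2:1045
07:53:41 IN TCP 198.51.100.7:4431 192.168.1.2:445
"""

def parse(line):
    """Split one constructed log line into a Drop record."""
    time, direction, proto, src, dst = line.split()
    s_ip, s_port = src.rsplit(":", 1)
    d_ip, d_port = dst.rsplit(":", 1)
    return Drop(time, direction, proto, s_ip, int(s_port), d_ip, int(d_port))

def classify(d):
    """Label a dropped packet with the most likely benign or suspect cause."""
    if d.proto == "UDP" and d.dport == 1900:
        origin = "router" if d.src == GATEWAY else "other device"
        return f"SSDP/UPnP announcement from {origin}"
    if 135 <= d.dport <= 139:
        return "RPC/NetBIOS (ports 135-139)"
    if d.proto == "TCP" and d.sport == 80 and d.src in RECENT_HTTP:
        # Reply from a visited web server that arrived after the firewall
        # had already removed the connection from its state table.
        return "late HTTP reply"
    if d.direction == "IN" and ipaddress.ip_address(d.src) not in LAN:
        return "unsolicited inbound from outside the LAN"
    return "unclassified"

def summarize(text):
    """Count drop causes over a whole log excerpt."""
    return Counter(classify(parse(l)) for l in text.splitlines() if l.strip())

if __name__ == "__main__":
    for cause, count in summarize(SAMPLE).items():
        print(f"{count:3d}  {cause}")
```

Only the last category is worth a closer look; the first three match the noise described in the replies.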
     
  13. ASpace

    ASpace Guest

    Done.
    All ports Stealth, however it complains because Ping Reply: RECEIVED (FAILED) — Your system REPLIED to our Ping (ICMP Echo) requests, making it visible on the Internet

    Thanks
     
    Last edited by a moderator: Apr 7, 2007
  14. Ocky

    Ocky Registered Member

    You can block the ICMP (type) 8 inbound echo request in the firewall section of your router setup. It is after all a request from outside.
    So far I think you have only tested your router; to test the ESS firewall you need to bypass the router.
    PS. Have you password protected your router?

    Enjoy the Easter weekend!
     
  15. ASpace

    ASpace Guest

    I cannot change the settings because it is my ADSL modem that gives me the internet connection and it (the modem) has NAT in it. It, as well as its settings, is configured by my ISP. They don't allow customers to touch the router/settings, as they say, "for security reasons". And yes, it has strong password protection :D

    So far I think everything is OK. Both at home and at the office I use the same ISP/the same modem/router and I think I am OK.

    Will try this some time soon (both for Windows Firewall and for ESS).

    Merci! (Thanks). You, too. Happy Easter and thanks a lot for your help. :thumb: :thumb: :thumb:
     
    Last edited by a moderator: Apr 7, 2007
  16. ASpace

    ASpace Guest

    Hi again, Ocky. Just did some more tests:

    Instead of connecting with ADSL (with my modem/router), I connected with a dial-up connection, directly. Tested without any additional protection (just me and Windows Firewall). Scanned my computer with McAfee's HackerWatch.org and PC-Flank.com and the results are the same:

    Hackerwatch (simple scan - direct attack): no successful connection made
    Hackerwatch (port scan): all ports secure/stealth

    PCFlank.com Port scan (both TCP SYN and TCP Connect scanning) - common ports: All ports stealth
    PCFlank.com Stealth test: All ports stealth

    Thanks once again for your help :thumb: and good job Microsoft for your reliable firewall - Windows Firewall :thumb:

    P.S. Will soon test ESS and post (however in the ESET forums/threads).


    HiTech_boy
     