Help with firewall configuration!

Discussion in 'ESET Smart Security' started by M_G_H, Nov 4, 2007.

Thread Status:
Not open for further replies.
  1. M_G_H

    M_G_H Registered Member

    Joined:
    Sep 3, 2007
    Posts:
    17
    I have installed ESS 3.0.551.0 and need help with the firewall configuration.

    My Linksys (with Tomato firmware) router stores the logs in a shared folder on my computer, but since installing ESS, the router cannot access the shared folder on the computer, although my other computers in the network can access any shares just fine.

    If I disable the "SMB Attack Relay Detection" in the IDS and Advanced Options section, then the router can mount the share and store the logs. If that option is ticked, then it does not work.

    I tried to create a rule to allow that address (the router's) to access that share, but it still does not work. (e.g. direction - both, protocol - TCP\UDP, local port - 445, remote port - 445, IP address - 192.168.16.1) I tried a variety of combinations but still no go.

    The reason I tried to create that rule is so that I can leave that option ticked but allow only that one IP address to access. I then ticked the traffic log in ESS and here is what it logs:

    04/11/2007 3:34:31 PM Detected SMB Relay attack 192.168.16.1 192.168.16.10 TCP
    04/11/2007 3:34:31 PM Detected SMB Relay attack 192.168.16.1 192.168.16.10 TCP
    04/11/2007 3:34:30 PM Detected SMB Relay attack 192.168.16.1 192.168.16.10 TCP
    04/11/2007 3:34:30 PM Detected SMB Relay attack 192.168.16.1 192.168.16.10 TCP
    04/11/2007 3:34:27 PM No usable rule found fe80::4018:ca18:aa19:eaa7%-209387264.:61163 ff02::1:3%1870987264.:5355 UDP
    04/11/2007 3:34:27 PM No usable rule found fe80::4018:ca18:aa19:eaa7%-209387264.:61163 ff02::1:3%1870987264.:5355 UDP
    04/11/2007 3:34:26 PM Detected SMB Relay attack 192.168.16.1 192.168.16.10 TCP
    04/11/2007 3:34:25 PM No usable rule found fe80::4018:ca18:aa19:eaa7%-209387264.:61161 ff02::1:3%1870987264.:5355 UDP
    04/11/2007 3:34:25 PM No usable rule found fe80::4018:ca18:aa19:eaa7%-209387264.:61161 ff02::1:3%1870987264.:5355 UDP
    04/11/2007 3:34:23 PM Detected SMB Relay attack 192.168.16.1 192.168.16.10 TCP
    04/11/2007 3:34:20 PM Detected SMB Relay attack 192.168.16.1 192.168.16.10 TCP
    04/11/2007 3:34:17 PM No usable rule found fe80::4018:ca18:aa19:eaa7%-209387264.:61154 ff02::1:3%1870987264.:5355 UDP
    04/11/2007 3:34:17 PM No usable rule found fe80::4018:ca18:aa19:eaa7%-209387264.:61154 ff02::1:3%1870987264.:5355 UDP
    04/11/2007 3:34:17 PM Detected SMB Relay attack 192.168.16.1 192.168.16.10 TCP
    04/11/2007 3:34:16 PM Detected SMB Relay attack 192.168.16.1 192.168.16.10 TCP
    04/11/2007 3:34:14 PM Detected SMB Relay attack 192.168.16.1 192.168.16.10 TCP
    04/11/2007 3:34:14 PM Detected SMB Relay attack 192.168.16.1 192.168.16.10 TCP
    04/11/2007 3:34:13 PM Detected SMB Relay attack 192.168.16.1 192.168.16.10 TCP

    If anyone has any ideas, please let me know.

    Thanks
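
An added example, not part of the original post and not ESET code: a small triage script for the traffic-log layout pasted above, grouping entries by event and endpoints. On these lines it shows that every relay detection is the same router-to-host pair, while the "No usable rule found" entries are separate traffic to UDP 5355 on ff02::1:3 (LLMNR multicast). The function names and the day/month reading of the date are assumptions.

```python
import ipaddress
from datetime import datetime

# Lines copied from the traffic log in the first post (subset).
SAMPLE = """\
04/11/2007 3:34:31 PM Detected SMB Relay attack 192.168.16.1 192.168.16.10 TCP
04/11/2007 3:34:30 PM Detected SMB Relay attack 192.168.16.1 192.168.16.10 TCP
04/11/2007 3:34:27 PM No usable rule found fe80::4018:ca18:aa19:eaa7%-209387264.:61163 ff02::1:3%1870987264.:5355 UDP
04/11/2007 3:34:25 PM No usable rule found fe80::4018:ca18:aa19:eaa7%-209387264.:61161 ff02::1:3%1870987264.:5355 UDP
04/11/2007 3:34:13 PM Detected SMB Relay attack 192.168.16.1 192.168.16.10 TCP
"""

def parse_endpoint(text):
    """Split 'addr' or 'addr%scope.:port' into (ip_address, port or None)."""
    port = None
    if "%" in text:                       # IPv6 with scope id, as logged above
        text, rest = text.split("%", 1)
        if ":" in rest:
            port = int(rest.rsplit(":", 1)[1])
    return ipaddress.ip_address(text), port

def parse_line(line):
    """Return a dict for one log line, or None if it does not fit the layout."""
    parts = line.split()
    if len(parts) < 7:                    # date, time, AM/PM, event, src, dst, proto
        return None
    try:
        # Assumption: dates are day/month/year (the thread is from Nov 4, 2007).
        when = datetime.strptime(" ".join(parts[:3]), "%d/%m/%Y %I:%M:%S %p")
        src, _ = parse_endpoint(parts[-3])
        dst, dport = parse_endpoint(parts[-2])
    except ValueError:
        return None
    return {"time": when, "event": " ".join(parts[3:-3]), "src": src,
            "dst": dst, "dport": dport, "proto": parts[-1]}

def summarize(text):
    """Group records by (event, src, dst, dport, proto) -> [count, first, last]."""
    groups = {}
    for rec in filter(None, map(parse_line, text.splitlines())):
        key = (rec["event"], str(rec["src"]), str(rec["dst"]), rec["dport"], rec["proto"])
        g = groups.setdefault(key, [0, rec["time"], rec["time"]])
        g[0] += 1
        g[1], g[2] = min(g[1], rec["time"]), max(g[2], rec["time"])
    return groups

def relay_pairs(text):
    """(src, dst) pairs that the IDS flagged as an SMB relay."""
    return {(k[1], k[2]) for k in summarize(text) if "SMB Relay" in k[0]}

if __name__ == "__main__":
    for key, (n, first, last) in summarize(SAMPLE).items():
        print(n, first.time(), last.time(), *key)
```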
     
  2. ASpace

    ASpace Guest

    Hi!

    Enter the Advanced Setup Tree (F5)

    1. Navigate to Personal Firewall.
    Choose Interactive Mode

    2. Navigate to Personal Firewall -> Rules and zones. On the right (at the Trusted zone part), click Setup and choose "Allow sharing"

    3. Navigate to Personal Firewall -> IDS and Advanced options
    Make sure all services are allowed (a.k.a 4 services)

    4. In Personal firewall -> IDS and advanced options, enable logging


    Then,
    Open Personal firewall > Rules and zones > Zone and rule setup
    Choose Toggle detailed view of all rules (if not already set to this)
    Uncheck every rule that has Block in the name.

    Confirm with OK.

    Start creating new rule:


    Name : your choice
    Direction : Both
    Action : Allow
    Protocol : TCP & UDP

    Additional action:
    check Log


    In Local tab - For the ports choose 135-139
    In Remote choose - For every (ports)
    Then (AFAI remember, you should enter the IP address in the Remote tab. So here enter the IP of the router - 192.168.16.1).

    Confirm with OK and restart. Try again.


    In case this doesn't help, delete the rule above and simply uncheck the SMB Relay attack detection in Personal firewall -> IDS and advanced options
     
  3. M_G_H

    M_G_H Registered Member

    Hello HiTech_boy,

    Thanks for the info. I tried what you posted and even created a rule to allow all ports in local and remote from the router's IP address and still received the "Detected SMB Relay attack" in the logs.

    I have temporarily just unchecked the SMB Relay attack detection and it works. I may try it for another day or 2 and then go back to my other security software. I don't like the idea that the firewall has to be configured to an all-or-nothing type setting.

    Thanks for your help.
     