Inbound TCP connections from web sites

Discussion in 'other firewalls' started by silvero, Jul 23, 2006.

Thread Status:
Not open for further replies.
  1. silvero

    silvero Registered Member

    Joined:
    Jul 23, 2006
    Posts:
    9
    My computer is behind a NAT router and runs Kerio firewall. I have checked the "Log packets going to unopened ports" box, and in the log I often get long lists of denied incoming TCP connections from websites I visit.

    For example, I have just visited sunbelt-software.com to have a look for the answer, and I now have 13 denied TCP connections from sunbelt-software.com:http trying to connect to various ports from 2400-2500. They are all denied because the port is unopened.

    Can anyone tell me why these attempted connections are taking place?
     
  2. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi silvero,

    Does your router have a firewall? If yes then any inbound connections should be filtered at that layer.

    Which version of Kerio do you have installed?
    Which browser are you using?

    I will set up to see what is being logged by the option "Log packets going to unopened ports"

    ___
    Stem
     
  3. silvero

    silvero Registered Member

    Joined:
    Jul 23, 2006
    Posts:
    9
    My router has a firewall and it is enabled, but I believe the packets will be sent through as solicited because my browser initiated the connection - all the denied connections in the log are from websites I have visited, not from any other locations.

    I am using Firefox and since posting the above I have upgraded to the latest Kerio 4.3.268.0, I had the next most recent version beforehand, and the results have been the same with both versions.

    While writing this I have just tried Opera and IE6 and no messages appear (cringe why didn't I think to try that before!), so it appears to be Firefox specific.

    If anyone else is interested or has this issue I would be glad to hear, otherwise I will write it off as a Firefox oddity or a screwed up setting (I will reinstall to find out).

    Thanks!
     
  4. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi silvero,
    Inbound connections will still be blocked, unless you have placed a "trigger" or "port forward" rule within the router.

    I highly suspect that Kerio is blocking the inbound "loopback" connections from Firefox. I will install to check, but I do believe this is what is being logged.

    ____
    Stem
     
  5. Gez

    Gez Registered Member

    Joined:
    Jan 15, 2006
    Posts:
    65
    Location:
    Ireland
    I had this problem. As far as I remember it happened when I had Web filtering and Block Advertising turned on. If you turn these off for a while you should see these log entries disappear.
    Gez
     
  6. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi silvero,
    I have set up, but I am not seeing the inbound being blocked that you mention.

    Please go to the "Network Security / Applications" and for Firefox, block both in/ out to the "Trusted Zone", then see if the "block TCP" are still being logged.

    ____
    Stem
     
  7. silvero

    silvero Registered Member

    Joined:
    Jul 23, 2006
    Posts:
    9
    Gez: I am using the free version of Kerio and all the web blocking functions are disabled so that is not a factor.

    Stem: I hear you about the inbound connections being blocked by the router, that is the main reason I posted this question as I really would like to know how these packets are getting through to my machine. It's obviously not malicious in any way, but I don't understand it.

    I don't have Firefox listed in the program list, as I am using the packet filter. The only trusted zone I have checked is 127.0.0.1, so would the equivalent packet filter rule be to block firefox in/out to 127.0.0.1?

    I will try this in any case and advise.
     
  8. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Yes, please try that.
     
  9. silvero

    silvero Registered Member

    Joined:
    Jul 23, 2006
    Posts:
    9
    Well...I tried that rule, I also uninstalled Firefox, removed my profile and reinstalled just to ensure there were no dodgy settings causing the issue. I also tried allowing Firefox inbound and outbound connections. No change...frustrating!

    I know there is (probably) no security issue, but I find it difficult to leave it when I know the system isn't working the way it should. If you have any other ideas I would be very interested to hear.
     
  10. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Is the Router Firewall SPI enabled?

    Which router have you, model/make?
     
  11. silvero

    silvero Registered Member

    Joined:
    Jul 23, 2006
    Posts:
    9
    The router is a Linksys WAG54G, and the firewall is enabled. There aren't any options for the firewall on the router, just the normal port forwarding and triggering, none of which are set for the ports in question.
     
  12. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Can you make a screen grab of the "blocked connections" that are showing in the Kerio log, and post it?

    Or can you copy and paste the log?

    ____
    Stem

    EDIT
    It is now 3am here, and time for me to sleep.
     
    Last edited: Jul 23, 2006
  13. silvero

    silvero Registered Member

    Joined:
    Jul 23, 2006
    Posts:
    9
  14. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    The pic is showing blocked packets from your LAN, not the internet.
    Have you another PC on the network/LAN?
     
  15. silvero

    silvero Registered Member

    Joined:
    Jul 23, 2006
    Posts:
    9
    The column headings aren't in the pic, but under the heading "remote point" is "www.sunbelt-software.com", under the heading "local point" is 192.168.1.7 which is my computer.

    Yes, I have another computer on the LAN; its IP is 192.168.1.8 and it's off.

    Are you sure the blocked packets are from the LAN?
     
  16. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi silvero,
    Now that I re-look (after sleep),.. no.
    Let's check your router firewall. Go to Shieldsup and perform a scan "All service ports".
    Once complete,.. check the Kerio log.


    Have you a wired connection to the router?
    Have you just one network card in the PC (wired)?

    ____
    Stem
     
    Last edited: Jul 24, 2006
  17. silvero

    silvero Registered Member

    Joined:
    Jul 23, 2006
    Posts:
    9
    I did the shieldsup test and the result was as follows:

    - cleared log, went to grc.com, the usual denied packets from grctech.com:http then changing to www.grc.com:https when moving to the secure shieldsup page
    - the packets were sent to various ports starting at 1211 up to 1217
    - hit the all service ports test, a few more came through, ports 1223 to 1227
    - re the test, most stealthed, about 5% closed, none open. Just to be thorough, I checked the ports listed in the log as where the packets were sent to and they are of course closed

    Pic of the log is here:
    http://putfile.com/pic.php?pic=main/7/20407493397.gif&s=f10

    If I flick back and forth between the overview and logs tabs on kerio I can see that all the denied packets are being sent from the http or https port on the webserver to the port(s) that firefox was connecting out on moments before. This would also be the only way packets could get through the NAT router anyway.

    I did some other stuff today re this problem:

    - installed and configured jetico firewall, that was a mission, no funny business there with any application including firefox. Considered leaving it installed but then lost faith a bit after a weird incident with blacklight rootkit eliminator, but I'll leave that for today.
    - removed all my rules from kerio and just left allow firefox outbound TCP & UDP connections - the same problem occurred.
    - checked my notebook, same thing occurs there too, but then I have the same applications and the same setup so not too surprising I suppose.

    I appreciate your help a lot, and if you have any further suggestions I would be keen to hear.
     
  18. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I have set up a Linksys WRT54G (closest model I could find), with Kerio, but still not seeing these blocked packets.
    Would you perform a cold boot/reset of your router,..
    Re-set the router,.. switch off power to the router(from the mains for at least 30 seconds), power back up,.. then re-set the router again. (there should be a re-set button on the back of the router). Go into the router settings and ensure the firewall is enabled.
    Then perform the scan again at shields up.
     
  19. silvero

    silvero Registered Member

    Joined:
    Jul 23, 2006
    Posts:
    9
    I tried my old SAMR-4114 router and the results are identical, and then resetting the Linksys did not result in any change...

    However! I have done a lot of research and have found what I believe is an explanation, which is that the packets logged are ACK packets sent by the web server after the connection is closed by Firefox. In previous versions the logs had reported ACK-attacks. One forum message Google translated from German suggested it could be reproduced simply by loading a web page and stopping it midway through, which it does. The packets get through the router because the router doesn't know the connection is closed yet, but Kerio does.

    Reference for the router thing is here:
    http://www.broadbandreports.com/forum/remark,12471460
    http://www.broadbandreports.com/forum/remark,12159758~mode=flat

    One similar case:
    http://www.castlecops.com/p694149-Kerio_v4_2_3_and_logging_of_packets_to_unopened_ports.html

    I lost the German URL, shame because the translation was hilarious.

    I know it's not conclusive, but as every single log entry is from a website I have visited, and from the port on that website I made the request to, and is being sent to a port recently closed by the requesting application, it's a good enough explanation for me, unless someone comes up with something I've not factored in. Only thing is I can't believe hardly anyone else has the problem, because I don't run anything unusual...

    Thanks for your help Stem!
     
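    The mechanism silvero lands on above (server ACKs arriving after Firefox has closed the local port, passed by the NAT router but logged by Kerio as going to an unopened port), modelled as an added example; this is not code from the thread, from Kerio or from Linksys. Only 192.168.1.7 comes from the thread; the server address, port numbers and packet trace are constructed, and both trackers are deliberately simplified models of the behaviour the thread describes.

```python
from collections import namedtuple
Pkt = namedtuple("Pkt", "src sport dst dport flags")   # flags: S=SYN, A=ACK, F=FIN
LAN = "192.168.1.7"    # silvero's PC, as quoted in the thread
SRV = "203.0.113.10"   # placeholder web server address (constructed)
# Constructed trace: handshake, Firefox closes early (FIN), then two late server ACKs
TRACE = [Pkt(LAN, 2431, SRV, 80, "S"), Pkt(SRV, 80, LAN, 2431, "SA"),
         Pkt(LAN, 2431, SRV, 80, "A"),
         Pkt(LAN, 2431, SRV, 80, "FA"),   # page load stopped: client side closed
         Pkt(SRV, 80, LAN, 2431, "A"),    # late ACKs from the server
         Pkt(SRV, 80, LAN, 2431, "A")]
def is_syn(p): return "S" in p.flags and "A" not in p.flags

class NatRouter:
    """NAT table model: a mapping is created by an outbound SYN and torn down only after
    FIN from both sides, so Firefox closing its side alone leaves the mapping in place."""
    def __init__(self): self.flows = {}        # key -> True once the LAN side sent FIN
    def outbound(self, p):
        key = (p.src, p.sport, p.dst, p.dport)
        if is_syn(p): self.flows[key] = False
        elif key in self.flows and "F" in p.flags: self.flows[key] = True
    def inbound(self, p):
        key = (p.dst, p.dport, p.src, p.sport)
        if key not in self.flows: return False  # no mapping: unsolicited, dropped
        if "F" in p.flags and self.flows[key]:  # simplified: LAN side closed first
            del self.flows[key]                 # both sides closed: mapping gone
        return True                             # otherwise the packet is forwarded

class HostFirewall:
    """Host model (the thread's reading of Kerio): a port is open only while the app holds it."""
    def __init__(self): self.open_ports, self.log = set(), []
    def outbound(self, p):
        if is_syn(p): self.open_ports.add(p.sport)
        elif "F" in p.flags: self.open_ports.discard(p.sport)  # app closed: port 'unopened'
    def inbound(self, p):
        if p.dport in self.open_ports: return True
        self.log.append(f"denied TCP {p.src}:{p.sport} -> {p.dst}:{p.dport} ({p.flags}): unopened port")
        return False

def run_trace(trace):
    """Per-packet (passed_router, passed_host) verdicts plus the host firewall's log."""
    nat, host = NatRouter(), HostFirewall()
    verdicts = []
    for p in trace:
        if p.src == LAN:
            nat.outbound(p); host.outbound(p); verdicts.append((True, True))
        else:
            r = nat.inbound(p)
            verdicts.append((r, r and host.inbound(p)))
    return verdicts, host.log
```

Running `run_trace(TRACE)` shows the SYN/ACK accepted by both layers, while the two ACKs sent after the client FIN pass the router's still-live mapping and land in the host log, which is the pattern in silvero's screenshots.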
  20. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi silvero,

    Thanks for the info. But I still think these are strange results (particularly the Shieldsup scan), as neither this nor the blocked packets are reproducible on any of my setups (3 different routers) with Kerio installed.

    I will keep an eye for any other posts/info on this.

    Regards
    _____
    Stem
     