Logs and rules questions

Discussion in 'LnS English Forum' started by electrique, May 8, 2008.

Thread Status:
Not open for further replies.
  1. electrique

    electrique, Registered Member (Joined: Apr 17, 2008; Posts: 4)

    Hi. I have many questions.

    1) In my log there are always many blocked ICMP Type 3 Code 3 entries. When I look them up they are PC-Internet from my IP to my ISP's IP. Should I allow them?

    2)I also get a lot of this thing:
    CRITICAL ERROR MESSAGE! - REGISTRY DAMAGED AND CORRUPTED FIX this problem Open Internet Explorer and type:registrycleanerxp(dot)com Once you load the web page, close this message window..After you installthe cleaner program you will not receive any more reminders or pop-ups like this...VISIT (the same url) IMMEDIATELY!

    I've looked it up and they are supposed to be pop-up ads that are sent to your PC. I don't get any pop-ups, but there are a lot of UDP entries in my log from different IP addresses, even spoofed internet addresses, that are sending this crap over and over. Even if LooknStop blocks this thing, sometimes my connection gets slower or I get disconnected because of so many entries.

    Is there a way to make my PC invisible to these addresses, or is it a problem with my ISP's network?

    Also, is there an anti-spoof rule so you can see the real source addresses of these attacks?

    3) On the Internet filtering tab there are these two rules that do not have the green square thing: "Block IP packets with MF flag set" and "Block fragmented IP packets". What are they? Should I keep them as they are?
     
  2. Frederic

    Frederic, LnS Developer (Joined: Jan 9, 2003; Posts: 4,354; Location: France)

    Hi,

    Here are some answers.

    1) These packets inform the remote machine that some ports are unreachable. To be stealth/invisible, you should keep them blocked. Normally these packets are the consequence of other incoming packets (UDP or TCP) which were allowed by the firewall.
    Is the rule "Block incoming connection" enabled?
    Did you add some rules to allow some incoming packets for some particular ports?

    2) I'm not sure where exactly you see these messages. Is it in the Look 'n' Stop log, in the packet content?
    Since Look 'n' Stop is already blocking packets, and assuming the "Block incoming connection" rule is enabled, then normally you are already stealth/invisible. The fact that you are receiving unwanted packets doesn't mean you are not stealth. Scanners/attackers try IP addresses at random, without knowing initially if there is a machine behind the IP.

    A rule can't tell you what the real IP address is when it has been spoofed.
    A rule can just allow/block a packet.
    It is very difficult to know which was the real IP address, and usually it is not in the scope of the firewall. The firewall can just sometimes detect that packets contain spoofed information and block them (but even this is difficult).

    3) These rules are related to fragmented packets. If these kinds of packets are not used by your ISP, you can block them by enabling the two rules.
    If something is not working well after you do that, you can always disable the rules again.

    Regards,

    Frederic
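
An added illustration of the answer to question 1 (not part of the original posts and not Look 'n' Stop code): an ICMP Type 3 message quotes the IP header and first 8 bytes of the datagram that triggered it (RFC 792), so decoding a logged packet shows which incoming packet and local port caused the reply. The function names, addresses, ports and sample packet below are constructed for the example.

```python
import socket
import struct

PROTOCOLS = {6: "TCP", 17: "UDP"}

def parse_unreachable(icmp: bytes):
    """Return details of the datagram quoted inside an ICMP Type 3 message,
    or None if the bytes are not a usable Destination Unreachable message."""
    if len(icmp) < 8 + 20 + 8 or icmp[0] != 3:
        return None
    inner = icmp[8:]                      # skip type, code, checksum, unused
    ihl = (inner[0] & 0x0F) * 4           # quoted IP header length in bytes
    if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl + 8:
        return None
    sport = dport = None
    if inner[9] in PROTOCOLS:
        # TCP and UDP both start with source port, then destination port.
        sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return {
        "code": icmp[1],                  # 3 = port unreachable
        "protocol": PROTOCOLS.get(inner[9], str(inner[9])),
        "trigger_src": socket.inet_ntoa(inner[12:16]),  # may itself be spoofed
        "trigger_sport": sport,
        "local_ip": socket.inet_ntoa(inner[16:20]),
        "local_port": dport,              # the port the incoming packet reached
    }

def build_sample() -> bytes:
    """Constructed packet: ICMP 3/3 quoting a UDP datagram to local port 1026."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0x1234, 0, 52, 17, 0,
                     socket.inet_aton("203.0.113.50"),   # constructed sender
                     socket.inet_aton("192.0.2.10"))     # constructed local PC
    udp = struct.pack("!HHHH", 40000, 1026, 8, 0)
    return struct.pack("!BBHI", 3, 3, 0, 0) + ip + udp   # checksums left at 0

if __name__ == "__main__":
    print(parse_unreachable(build_sample()))
```

The `local_port` value is the one to compare against any rules that allow incoming packets.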
     