Need help w/ weird connection issue

Hey everybody--

Have been having this weird issue for the past month or so. Throughout the day I have no problems browsing and rarely hear a peep out of L&S. But, then in the evening around, say, 11:00p (give or take) all of a sudden I cannot connect to websites anymore and L&S starts beeping and generating messages in the log. Now, if I untick the Internet Filtering Enabled box I can connect to websites. As soon as a retick the box I can't connect anymore. The message in the log typically indicated that the connections are PC>Internet and the port#'s are mostly in the 5000 range. If I reboot the computer I can then start browsing again. This happens pretty much every night, not exactly the same time, I'd say anywhere from 10:30 to midnight.

I've run a number of different anti-malware programs, but they don't seem to be picking anything up.

I have L&S 2.07, DSL service.

Any thoughts would be appreciated. Thanks in advance.

 

Perhaps your BOOTP packets being blocked, don't know for certain without seeing a Logfile or you looking for yourself for BOOTP* packet blockings.

 

Thanks PhantOm.

Well, I see a rule with the name UDP BOOTP / DHCP and Description: Authorize all necessary BOOTP data packets used in cable modem and DSL setups. This looks like a stock rule which I doubt I would have created myself. The weird thing is that I don't start having problems until late in the evening.

What I can do is make myself a popup note to start a logfile this evening around 10 oclock. Should I post it, email it, or what?

 

If that rule is enabled and in original form, then it isn’t BOOTP problem.

Attaching it to a post here should be fine.

 

OK, PhantOm the log is attached. Tonight it didn't occur until a little after midnight. What is in the log is fairly typical of what happens, but sometimes there are a few more different types of entries in the log.

Let me know if you need anything else.

Thanks again.

 

Seems to be a problem with the "TCP : Authorize most common Internet services" rule and the use of 'Local In', you might have to use 'In range A:B' and specify 1025-65535 and see if that helps.

 

Before making the change it is configured as follows:

TCP/UDP: port
In range A/B
1024
5000

Now, this being the case, does it mean that attempts to access destination ports outside that range will be blocked by the firewall? Now, the log shows that the computer is trying to hit ports above 5000 correct?

So, the question that comes to mind is: Why do I not have this problem all day, then late in the evening all of a sudden my machine wants to start hitting destination ports outside the 5000 range, including the very same sites I use throughout the day? Isn't that pretty strange?

Could the DSL service be deciding to do that for some reason? They have made some recent improvements to the service here. We were having a terrible time with video buffering. Within the past 4-6 weeks ATT came through and replaced some interface posts and did some work on the overhead wiring as they are introducing TV service in the area. Suddenly our video buffering problem has improved greatly.

I'll make the change this evening after the problem occurs and we'll see what happens. Thanks a lot for all the assistance!

 

OK, PhatOm. Tonight the problem occurred about 11:00p. I made the change you suggested and that seemed to resolve the issue.

As a side note, when I made the change to 'Local In' the 'In range A:B and specify 1024-65535' appeared as a default and I could not change it anyway.

Now, to be honest...and humble...I don't really know what I did. Is this anything that will lesson my security very much?

Thanks again for your willingness to help!

 

Glad to read it’s resolved! Your security still good regardless the wider range, but you might be-able to make some adjustments, what version of Windows you running?

 

XP. I do go through a router.

Thanks, PhantOm.

 

Sounds like a registry tweak was used to extend from the normal ephemeral ports range, so instead of going to 5000 and recycling through, it keeps going. Nothing to worry about.

 

http://technet.microsoft.com/en-us/library/cc758002(WS.10).aspx

 

PhantOm, I see that the MaxUserPort entry is in my registry and set to ffff (65535). So, if that's a tweak, it makes me wonder how the heck it got in there. I sure don't recall doing such a thing.

It still seems bizarre to me that everything had been fine during the day. Then, anywhere from 10p on in the evening I would start having problems related to those ports beyond 5000. Maybe ATT or maybe some malware. Anyway, thanks for the explanation!!