Network / Firewall issue

Discussion in 'ESET Smart Security v4 Beta Forum' started by philby, Nov 20, 2008.

Thread Status:
Not open for further replies.
  1. philby

    philby Registered Member

    Joined: Jan 10, 2008 | Posts: 940
    Hello there

    Laptop / desktop networked wirelessly via router.

    Trusted zone was set up on install.

    Now, if I try to see desktop's shared files from laptop, I can only do this sporadically.

    I'm getting incoming port scanning attacks logged every 10 minutes from the desktop's IPv4 address to the laptop's (UDP protocol).

    I've tried adding a rule allowing all UDP from the desktop's ip, but this makes no difference.

    Am I missing something? (apart from a basic grasp of ports).

    File sharing has always worked fine in v3 with trusted zone / interactive mode.

    Thanks in advance

    Philby
     
  2. philby

    OK, after re-installing and double checking everything, it seems I can only access desktop folders from laptop by unchecking both TCP and UDP port scanning under IDS and advanced options.

    Is this what I am supposed to do?

    I didn't need to do that in V3.

    Can anyone confirm that this isn't leaving the back door open?

    Thanks

    Philby
     
  3. agoretsky

    agoretsky Eset Staff Account

    Joined: Apr 4, 2006 | Posts: 4,032 | Location: California
    Hello,

    Could you provide more information about the exact notification you received when the port scanning attacks were reported by the beta version?

    Regards,

    Aryeh Goretsky
     
  4. philby

    Hello Aryeh and thanks for responding.

    FW log shows 2 entries:

    1. Detected port scanning attack / source 192.168.0.xxx (desktop) / target 192.168.0.yyy (laptop) / protocol UDP
    This is in the firewall log every 10 minutes or so.

    2. Address temporarily blocked by active defence (IDS)
    Source is 50% 192.168.0.xxx (desktop) and 50% 192.168.0.yyy (laptop)
    Target is the opposite of .xxx or .yyy each time
    Protocol is mostly UDP but sometimes TCP
    I get regular bursts of about twelve of these entries each time I try to access files on the desktop (after selecting log all attacks).

    Weird?

    Philby
     
  5. dorgane

    dorgane Registered Member

    Joined: Oct 17, 2007 | Posts: 362
    too

    18/11/2008 23:26:05 Detected DNS cache poisoning attack 192.168.1.1:53 192.168.1.10:51349 UDP
    A lot... v3 too.
    It is a bug with the modem, no?
     
  6. philby

    I get those DNS poisoning attacks in V3 all the time, but they never prevent laptop to desktop file access.

    Strangely, I'm not getting the DNS attacks in V4.

    Merci pour votre reponse (excuse spelling)

    Philby
     
  7. dorgane

    Merci pour votre reponse -> thank you for the reply :)

    I am French too
     
  8. philby

    Actually, I'm not French - I just wanted to thank you en francais as I saw your sig.

    Philby
     
  9. proactivelover

    proactivelover Registered Member

    Joined: Apr 7, 2006 | Posts: 840 | Location: Near Wilders Forums
    Lots of them. 203.99.163.240 is my DNS server; it's a firewall bug in v4.
    11/21/2008 7:01:48 AM Detected DNS cache poisoning attack 203.99.163.240:53 192.168.1.10:54245 UDP
    11/21/2008 6:48:44 AM Detected DNS cache poisoning attack 203.99.163.243:53 192.168.1.10:63127 UDP
    11/21/2008 6:22:45 AM Detected DNS cache poisoning attack 203.99.163.243:53 192.168.1.10:49822 UDP
    11/20/2008 8:19:29 PM Detected DNS cache poisoning attack 203.99.163.243:53 192.168.1.10:55718 UDP
    11/20/2008 7:53:53 PM Detected DNS cache poisoning attack 203.99.163.240:53 192.168.1.10:59066 UDP
    11/20/2008 7:40:01 PM Detected DNS cache poisoning attack 203.99.163.243:53 192.168.1.10:52459 UDP
    11/20/2008 7:40:00 PM Detected DNS cache poisoning attack 203.99.163.240:53 192.168.1.10:61206 UDP
    11/20/2008 7:35:35 PM Detected DNS cache poisoning attack 203.99.163.240:53 192.168.1.10:65029 UDP
    11/20/2008 7:35:22 PM Detected DNS cache poisoning attack 203.99.163.240:53 192.168.1.10:53586 UDP
    11/20/2008 7:35:22 PM Detected DNS cache poisoning attack 203.99.163.240:53 192.168.1.10:63648 UDP
    11/20/2008 7:35:12 PM Detected DNS cache poisoning attack 203.99.163.240:53 192.168.1.10:55785 UDP
    11/20/2008 7:34:09 PM Detected DNS cache poisoning attack 203.99.163.240:53 192.168.1.10:52776 UDP
    11/20/2008 7:33:49 PM Detected DNS cache poisoning attack 203.99.163.240:53 192.168.1.10:60216 UDP
    11/20/2008 7:31:16 PM Detected DNS cache poisoning attack 203.99.163.240:53 192.168.1.10:51591 UDP
    11/20/2008 7:28:23 PM Detected DNS cache poisoning attack 203.99.163.240:53 192.168.1.10:57921 UDP
    11/20/2008 7:27:23 PM Detected DNS cache poisoning attack 203.99.163.240:53 192.168.1.10:55199 UDP
    11/20/2008 7:27:15 PM Detected DNS cache poisoning attack 203.99.163.240:53 192.168.1.10:54218 UDP
    11/20/2008 7:27:08 PM Detected DNS cache poisoning attack 203.99.163.243:53 192.168.1.10:49830 UDP
    11/20/2008 7:27:08 PM Detected DNS cache poisoning attack 203.99.163.240:53 192.168.1.10:50844 UDP
    11/20/2008 7:27:08 PM Detected DNS cache poisoning attack 203.99.163.240:53 192.168.1.10:59142 UDP
    11/20/2008 7:27:04 PM Detected DNS cache poisoning attack 203.99.163.243:53 192.168.1.10:63740 UDP
    11/20/2008 7:26:59 PM Detected DNS cache poisoning attack 203.99.163.243:53 192.168.1.10:51667 UDP
    11/20/2008 7:23:55 PM Detected DNS cache poisoning attack 203.99.163.240:53 192.168.1.10:63304 UDP
    11/20/2008 7:23:32 PM Detected DNS cache poisoning attack 203.99.163.243:53 192.168.1.10:63458 UDP
    11/20/2008 7:22:50 PM Detected DNS cache poisoning attack 203.99.163.243:53 192.168.1.10:52432 UDP
    11/20/2008 7:14:48 PM Detected DNS cache poisoning attack 203.99.163.243:53 192.168.1.10:53626 UDP
    11/20/2008 7:14:48 PM Detected DNS cache poisoning attack 203.99.163.243:53 192.168.1.10:49975 UDP
    11/20/2008 6:59:17 PM Detected DNS cache poisoning attack 203.99.163.243:53 192.168.1.10:55476 UDP
    11/20/2008 6:52:14 PM Detected DNS cache poisoning attack 203.99.163.240:53 192.168.1.10:50188 UDP
    11/20/2008 6:50:13 PM Detected DNS cache poisoning attack 203.99.163.243:53 192.168.1.10:51662 UDP
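
A triage helper for alert floods like the ones quoted in this thread, as an added example that is not part of the original posts or of any ESET tooling: it separates alerts whose source is UDP port 53 of a resolver the host is configured to use from alerts that come from anywhere else. The resolver list and the sample lines are constructed assumptions; only the log layout is taken from the posts.

```python
import re
from collections import Counter

# Alert layout as quoted in the thread:
#   <date> <time> [AM|PM] Detected DNS cache poisoning attack <src>:<port> <dst>:<port> <proto>
ALERT_RE = re.compile(
    r"^(?P<when>\S+ \S+(?: [AP]M)?) Detected DNS cache poisoning attack "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+) (?P<proto>UDP|TCP)$"
)

# Assumption: the resolvers this host is configured to use (placeholder addresses).
RESOLVERS = {"192.0.2.53", "192.168.1.1"}

# Constructed sample lines in the thread's log format; not copied from any real log.
SAMPLE = """\
11/20/2008 7:27:08 PM Detected DNS cache poisoning attack 192.0.2.53:53 192.168.1.10:50844 UDP
11/20/2008 7:27:15 PM Detected DNS cache poisoning attack 192.0.2.53:53 192.168.1.10:54218 UDP
18/11/2008 23:26:05 Detected DNS cache poisoning attack 192.168.1.1:53 192.168.1.10:51000 UDP
11/20/2008 7:28:23 PM Detected DNS cache poisoning attack 198.51.100.7:53 192.168.1.10:57921 UDP
11/20/2008 7:29:01 PM Detected DNS cache poisoning attack 192.0.2.53:5353 192.168.1.10:53 UDP
11/20/2008 7:30:00 PM Some other firewall event
"""

def triage(lines, resolvers):
    """Return (Counter of alerts per configured resolver, list of alerts to review).

    "Expected" only means the packet claims to come from UDP port 53 of a
    configured resolver; UDP source addresses can be spoofed, so a sudden rise
    in the count is still worth a look.
    """
    expected, review = Counter(), []
    for line in lines:
        m = ALERT_RE.match(line.strip())
        if m is None:
            continue  # not a DNS cache poisoning alert
        if m["src"] in resolvers and m["sport"] == "53" and m["proto"] == "UDP":
            expected[m["src"]] += 1
        else:
            review.append((m["when"], f'{m["src"]}:{m["sport"]}', f'{m["dst"]}:{m["dport"]}'))
    return expected, review

def run_sample():
    return triage(SAMPLE.splitlines(), RESOLVERS)

if __name__ == "__main__":
    expected, review = run_sample()
    for src, n in expected.most_common():
        print(f"{n:3d} alerts from configured resolver {src}")
    for when, src, dst in review:
        print(f"REVIEW {when}: {src} -> {dst}")
```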
     
  10. philby

    As far as I know, these DNS poisoning attacks are irritating but inconsequential. There have been many posts about this re. V3.

    Like I said, I've always had them in V3 but this is not the problem here.

    The problem is that I can't access folders on the other box in my tiny little network unless I disable both TCP and UDP Port scanning detection under IDS.

    If I leave them checked, I have the log entries in post #4 and no access to the second box.

    Philby
     
  11. philby

    Please, does anyone understand why this is happening when port scanning attack detection is enabled for udp/tcp in IDS?

    Thanks

    Philby
     

    Attached Files:

  12. doktornotor

    doktornotor Registered Member

    Joined: Jul 19, 2008 | Posts: 2,047
    o_O Looks pretty obvious from the log why this is happening? o_O
     
  13. philby

    Sorry but what do you mean by that?

    My point is that when using V3, I can access the desktop with port scanning detection enabled - nothing flagged in the fw log.

    With V4, if I leave port scanning detection enabled, I can't access the desktop and the fw log gets flooded as above.

    Ergo, bafflement.

    Philby
     
  14. wiak

    wiak Registered Member

    Joined: Sep 10, 2006 | Posts: 107
    The allow sharing is broken: when you click on it, 4.0 won't allow sharing regardless of allowing sharing or not, so I reverted back to NOD32 Antivirus 4.0 Beta ;)
     
  15. philby

    Thanks for your reply wiak.

    I still don't get it though.

    You say:

    But sharing does work, though only if I disable port scanning detection.

    Philby
     
  16. wiak

    When I installed Smart Security 4.0 I got "allow sharing" or "strict", then clicked allow sharing, and it should allow sharing, but it does not.
     
  17. Bensec

    Bensec Registered Member

    Joined: Aug 4, 2008 | Posts: 177 | Location: China Changsha
    I met a trivial one:
    Zapnuty:D
    notintl2.png
     