Network / Firewall issue

Hello there

Laptop / desktop networked wirelessly via router.

Trusted zone was set up on instal.

Now, if I try to see desktop's shared files from laptop, I can only do this sporadically.

I'm getting incoming port scanning attacks logged every 10 minutes from the desktop's ip4 address to the laptop's (UDP protocol).

I've tried adding a rule allowing all UDP from the desktop's ip, but this makes no difference.

Am I missing something? (apart from a basic grasp of ports).

File sharing has always worked fine in v3 with trusted zone / interactive mode.

Thanks in advance

Philby

 

OK, after re-installing and double checking everything, it seems I can only access desktop folders from laptop by unchecking both TCP and UDP port scanning under IDS and advanced options.

Is this what I am supposed to do?

I didn't need to do that in V3.

Can anyone confirm that this isn't leaving the back door open?

Thanks

Philby

 

Hello,

Could you provide more information about the exact notification you received when the port scanning attacks were reported by the beta version?

Regards,

Aryeh Goretsky

 

Hello Aryeh and thanks for responding.

FW log shows 2 entries:

1. Detected port scanning attack / source 192.168.0.xxx (desktop) / target 192.168.0.yyy (laptop) / protocol UDP
This is in the firewall log every 10 minutes or so.

2. Address temporarily blocked by active defence (IDS)
Source is 50% 192.168.0.xxx (desktop) and 50% 192.168.0.yyy (laptop)
Target is the opposite of .xxx or .yyy each time
Protocol is mostly UDP but sometimes TCP
I get regular bursts of about twelve of these entries each time I try to access files on the desktop (after selecting log all attacks).

Weird?

Philby

 

too

18/11/2008 23:26:05 Detected DNS cache poisoning attack 192.168.1.1:53 192.168.1.10:51349 UDP
a lot...v3 too
it is bug with modem no ?

 

I get those DNS poisoning attacks in V3 all the time, but they never prevent laptop to desktop file access.

Strangely, I'm not getting the DNS attacks in V4.

Merci pour votre reponse (excuse spelling)

Philby

 

Merci pour votre reponse -> thank you for reply

i am french too

 

Actually, I'm not French - I just wanted to thank you en francais as I saw your sig.

Philby

 

lot of them 203.99.163.240 is my DNS server it's a firewall bug in v4
11/21/2008 7:01:48 AM Detected DNS cache poisoning attack 203.99.163.240:53 192.168.1.10:54245 UDP
11/21/2008 6:48:44 AM Detected DNS cache poisoning attack 203.99.163.243:53 192.168.1.10:63127 UDP
11/21/2008 6:22:45 AM Detected DNS cache poisoning attack 203.99.163.243:53 192.168.1.10:49822 UDP
11/20/2008 8:19:29 PM Detected DNS cache poisoning attack 203.99.163.243:53 192.168.1.10:55718 UDP
11/20/2008 7:53:53 PM Detected DNS cache poisoning attack 203.99.163.240:53 192.168.1.10:59066 UDP
11/20/2008 7:40:01 PM Detected DNS cache poisoning attack 203.99.163.243:53 192.168.1.10:52459 UDP
11/20/2008 7:40:00 PM Detected DNS cache poisoning attack 203.99.163.240:53 192.168.1.10:61206 UDP
11/20/2008 7:35:35 PM Detected DNS cache poisoning attack 203.99.163.240:53 192.168.1.10:65029 UDP
11/20/2008 7:35:22 PM Detected DNS cache poisoning attack 203.99.163.240:53 192.168.1.10:53586 UDP
11/20/2008 7:35:22 PM Detected DNS cache poisoning attack 203.99.163.240:53 192.168.1.10:63648 UDP
11/20/2008 7:35:12 PM Detected DNS cache poisoning attack 203.99.163.240:53 192.168.1.10:55785 UDP
11/20/2008 7:34:09 PM Detected DNS cache poisoning attack 203.99.163.240:53 192.168.1.10:52776 UDP
11/20/2008 7:33:49 PM Detected DNS cache poisoning attack 203.99.163.240:53 192.168.1.10:60216 UDP
11/20/2008 7:31:16 PM Detected DNS cache poisoning attack 203.99.163.240:53 192.168.1.10:51591 UDP
11/20/2008 7:28:23 PM Detected DNS cache poisoning attack 203.99.163.240:53 192.168.1.10:57921 UDP
11/20/2008 7:27:23 PM Detected DNS cache poisoning attack 203.99.163.240:53 192.168.1.10:55199 UDP
11/20/2008 7:27:15 PM Detected DNS cache poisoning attack 203.99.163.240:53 192.168.1.10:54218 UDP
11/20/2008 7:27:08 PM Detected DNS cache poisoning attack 203.99.163.243:53 192.168.1.10:49830 UDP
11/20/2008 7:27:08 PM Detected DNS cache poisoning attack 203.99.163.240:53 192.168.1.10:50844 UDP
11/20/2008 7:27:08 PM Detected DNS cache poisoning attack 203.99.163.240:53 192.168.1.10:59142 UDP
11/20/2008 7:27:04 PM Detected DNS cache poisoning attack 203.99.163.243:53 192.168.1.10:63740 UDP
11/20/2008 7:26:59 PM Detected DNS cache poisoning attack 203.99.163.243:53 192.168.1.10:51667 UDP
11/20/2008 7:23:55 PM Detected DNS cache poisoning attack 203.99.163.240:53 192.168.1.10:63304 UDP
11/20/2008 7:23:32 PM Detected DNS cache poisoning attack 203.99.163.243:53 192.168.1.10:63458 UDP
11/20/2008 7:22:50 PM Detected DNS cache poisoning attack 203.99.163.243:53 192.168.1.10:52432 UDP
11/20/2008 7:14:48 PM Detected DNS cache poisoning attack 203.99.163.243:53 192.168.1.10:53626 UDP
11/20/2008 7:14:48 PM Detected DNS cache poisoning attack 203.99.163.243:53 192.168.1.10:49975 UDP
11/20/2008 6:59:17 PM Detected DNS cache poisoning attack 203.99.163.243:53 192.168.1.10:55476 UDP
11/20/2008 6:52:14 PM Detected DNS cache poisoning attack 203.99.163.240:53 192.168.1.10:50188 UDP
11/20/2008 6:50:13 PM Detected DNS cache poisoning attack 203.99.163.243:53 192.168.1.10:51662 UDP

 

As far as I know, these DNS poisoning attacks are irritating but inconsequential. There have been many posts about this re. V3.

Like I said, I've always had them in V3 but this is not the problem here.

The problem is that I can't access folders on the other box in my tiny little network unless I disable both TCP and UDP Port scanning detection under IDS.

If I leave them checked, I have the log entries in post #4 and no access to the second box.

Philby

 

Please, does anyone understand why this is happening when port scanning attack detection is enabled for udp/tcp in IDS?

Thanks

Philby

 

Looks pretty obvious from the log why's this happening?

 

Sorry but what do you mean by that?

My point is that when using V3, I can access the desktop with port scanning detection enabled - nothing flagged in the fw log.

With V4, if I leave port scanning detection enabled, I can't access the desktop and the fw log gets flooded as above.

Ergo, bafflement.

Philby

 

the allow sharing is broken, when you click on it, 4.0 wont allow sharing regardless of allowing sharing or not, so i reverted back to NOD32 Antivirus 4.0 Beta

 

Thanks for your reply wiak.

I still don't get it though.

You say:

But sharing does work, though only if I disable port scanning detection.

Philby

 

when i installed smart security 4.0 i got allow sharing or strict then clicked allow sharing, and it should allow sharing, but it does not

 

i met a trival one:
Zapnuty