No Firewall & No attacks ?

Discussion in 'other firewalls' started by CloneRanger, May 6, 2011.

Thread Status:
Not open for further replies.
  1. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Yeah :)

    Good catch, it was :thumb: Didn't twig :( Thanks :)

    :thumb:

    19 & 22 were DEF from my ISP to me.

    I don't know what it means either :p You're not picking on me, I appreciate your post :thumb:
     
  2. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    You can do. Just make sure you leave the winpcap installed that came with the 0.99.5 version.



    - Stem
     
  3. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    I think I might stay with this version, for now anyway, as at least it's working :) If I do update it, I'll be sure to follow your advice ;)

    Thanks VERY much for helping me get it working :thumb: :thumb: :thumb: And it's good to see you back on here a bit more than you have been for a time. As you may have noticed, several other members have benefited from this thread, as well as me :thumb: Also non members could have too :) Please consider posting more often, if you can :)

    Regards
     
  4. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I think the main changes were in the interface and not anything in the way of decoding. So you should be OK with what you have installed. At least now, as you say, it is working.
    You are welcome.


    - Stem
     
  5. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    This is one of the best threads for me in recent times.:thumb:

    (My favourite of all time was the Kerio thread some years ago.)

    I'm on W7 SP1 64 bit and I'm concerned with muddying the thread waters with that OS.

    I'm also using a different FW than the OP and don't want to cause a debate like

    "my FW is better than your FW"; this happened in the past.

    I really would like to clarify my own thinking and understanding about port terminology (if that is even possible). My current simplistic way of thinking about a port is that it is a "service", i.e. 110 is the incoming email service.

    open
    closed
    listening
    blocked

    I would like to get a sniffer to monitor and report on what is coming in and going out: what protocols, ports and applications are "causing" this traffic.

    Then I would KNOW what rules my FW is missing or needs?:doubt:

    When behind a router which has its own HW FW, will all of this be a waste of time?:doubt:

    Brain seized up again....:oops:

    Should we have a sniffer thread which would be in dependant of any particular FW product? Need advice here.:doubt:
     
  6. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Thanks :)

    I'm hoping to learn more too ;)

    You mean INdependant, I think :p Sure, why not, you could start it :thumb: Or use this thread.

    Well if you use WireShark it might be better as comparisons between people "might" be clearer etc :)


    LATEST - New test without my FW & WireShark running in ShadowDefender mode.

    Here's just one very early entry

    Internet Protocol, Src: ****My IP**** , Dst: 95.165.176.244

    95.165.176.244 =

    ****************

    ***************

    "If" I've interpreted it correctly, it "appears" that my IP = Src connected to that Dst, or tried to. Is this correct or ? If it did, what could that mean ?
     
    Last edited: May 15, 2011
  7. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Re: Listening

    In Post #47 I showed the ports my Firewall is listening to. Here is a pretty good article that explains what's going on:


    Why are processes listening to closed ports on my firewall?
    http://ask-leo.com/why_are_processes_listening_to_closed_ports_on_my_firewall.html



    regards,

    -rich
     
  8. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    More info on that IP: https://secure.dshield.org/ipinfo.html?ip=95.165.176.244
     
  9. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Thanks, hmm, the plot thickens ?
     
  10. mack_guy911

    mack_guy911 Registered Member

    Joined:
    Mar 21, 2007
    Posts:
    2,677
    Well, Nessus, nmap and Secunia are free for personal home use.

    In Nessus (free) you get updates from a few days previous, not the latest, which is pretty OK for home use (i.e. the Nessus database is about a week or so old, which is no big deal for home users, but is for corporates).
     
  11. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    HI Rich!

    TY! That was a great read. I would be very interested if Stem has time to get his comments on leo's explanations!

    FWIW, I came away with a "new" concept of a port number.

    It is a code for a type of message from the www. 110 an incoming email message (packet) etc. So the port number is not "physical" like for a ship port it is more akin to a code for a packet type. So my original view that a port was a service I either wanted or didn't want was well flawed.

    Now since my concept # 1 was flawed, it is now possible my concept #2 is also flawed?

    Anyway concepts aside I also want (very demanding:thumbd:)

    a list of "ports" I don't want

    eg

    SSH, port 465, simple protocol; this one I block with no ill effects.



    Rats! I think I would do better to have a white list of ports I want/need and just let the FW block the rest by default. Same for protocols.
    What do others block and why?
     
    Last edited: May 16, 2011
  12. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Hi Escalader,

    Speaking for myself: I do things as easily as possible!

    By default, my firewall prompts with an alert for all inbound/outbound connections, so, when I first set up the rules, I just let the firewall tell me what is needed both inbound and outbound.

    Looking again at my Post #47, you see that Port 53 is the only Port I need to allow inbound traffic on (for DNS), so I set a rule for that.

    Everything else is denied automatic connection. So, there was no need for me to set inbound block rules for specific ports, although I did for Port 53, configuring the rule to log so that I could monitor attempts using that port. I show one instance of a Port 53 attempt in that Post.

    Also, I made a "Deny All Other Protocols" for Inbound rule at the bottom of the ruleset. Without that, I would be bombarded all day with alerts.
    Here, the log shows the inbound attempts that are blocked:

    [image: kerio_blockall.gif]

    I learned a lot by watching my firewall log when I first started out with a firewall.

    regards,

    -rich
     
    Last edited: May 16, 2011
  13. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    When trying to explain local port use without getting into the technical details, it can be a little difficult to explain correctly.
    I used to look at local port use as an extension to the local IP address: numbers (ports) assigned to applications/services, which act as an internal address for packet direction/routing.

    For services, which show as listening on a port, that is quite easy to see, be it using one of Windows' internal commands or a 3rd party firewall/application. But you also need to understand that, for example, your browser also opens ports/listens for replies to its outbounds. As a simple explanation:
    When connecting out to a website, your browser will first send a packet requesting a connection. It will use a local port temporarily assigned; that port will then go into a wait/listening state and the browser will listen on that port for the reply, for an acknowledgment to its connection attempt. Once that reply is received, the browser will then send an acknowledgment and then a request for the contents of the web page. That process continues, with the browser sending out a packet and then listening for a reply, until that specific connection is finished/closed. Other local ports are also used (depending on how many connections are being made, as when connecting to a website more than one actual connection can be made); the number of local ports used will depend on what site the browser is connecting to, as some sites will only allow maybe 4 simultaneous connections, while others may allow more. So there are times when you will have quite a few ports being listened to (albeit temporarily) by your browser.



    - Stem
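As an added illustration of Stem's point about temporarily assigned local ports (example code written for this thread, not posted by Stem or anyone else here), the script below separates "listening" service ports from the per-connection local ports in a constructed netstat-style sample, and then opens one real loopback TCP connection to show that the client's local port is picked by the OS and is exactly the port the listener sends its reply to. It assumes Python 3 and that loopback sockets are permitted on the host; the netstat lines and the 192.0.2.x/203.0.113.x addresses are constructed sample data.

```python
import socket

# Constructed sample in the layout of Windows "netstat -an" output (not a real capture).
SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.0.2.10:49312       203.0.113.5:80         ESTABLISHED
  TCP    192.0.2.10:49313       203.0.113.5:80         ESTABLISHED
  UDP    0.0.0.0:5353           *:*
"""

def classify_netstat(text):
    """Separate services waiting for new connections from the temporary local
    ports an application opened for its own outbound connections."""
    listening, outbound = [], []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        proto, local, remote = parts[:3]
        state = parts[3] if len(parts) > 3 else ""
        lport = int(local.rsplit(":", 1)[1])
        if state == "LISTENING" or (proto == "UDP" and remote == "*:*"):
            listening.append((proto, lport))
        elif state == "ESTABLISHED":
            rhost, rport = remote.rsplit(":", 1)
            outbound.append((lport, rhost, int(rport)))
    return listening, outbound

def ephemeral_port_demo():
    """Return (listener port, client's OS-assigned local port, that port as the
    listener saw it, reply bytes) for one local TCP connection."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free "service" port
    srv.listen(1)
    server_port = srv.getsockname()[1]
    cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    cli.connect(("127.0.0.1", server_port))  # handshake completes in the kernel backlog
    client_port = cli.getsockname()[1]  # assigned for this connection only, freed on close
    conn, peer = srv.accept()           # peer = (client address, client's temporary port)
    conn.sendall(b"ack")                # the reply is addressed to that temporary port
    reply = cli.recv(3)
    for s in (conn, cli, srv):
        s.close()
    return server_port, client_port, peer[1], reply
```

The two ESTABLISHED lines in the sample are the pattern Stem describes: two separate local ports in use for two simultaneous connections to the same site, neither of them a service the machine offers.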
     