Questions for beginners,.. Ask away

Discussion in 'other firewalls' started by Stem, Jul 31, 2006.

Thread Status:
Not open for further replies.
  1. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Thank you Paranoid2000.
     
  2. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    It is certainly something that needs to be added, but I think there is also the need to set the "block" rule correctly (if the rule is blocking TCP/UDP in/out etc), with naming and setting the rule to log for any follow-up problems (which may not happen immediately). Maybe a dedicated section on this?
     
  3. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Done :thumb:
    Please check your PM
     
  4. Wip3out

    Wip3out Registered Member

    Joined:
    Oct 15, 2006
    Posts:
    3
    Hi. I'm from Italia.
    A friend on another Italian forum (but you can find him also here ;) ) gave me this link to ask you one thing.

    I have Kaspersky Internet Security 6 on my Notebook. In one of the last updates of KIS, some users, like me, had a little problem with the firewall and its rules for applications. For every application, even if already registered, the firewall asked for a new permission: inbound UDP traffic on remote port 53.

    Now the problem is solved with a little trick.

    But could one of you explain to me whether there is a real danger in that rule in case someone (like me...) gives the permission?

    Thanks and sorry for my poor English, it's a little rusty :p
     
  5. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
  6. cprtech

    cprtech Registered Member

    Joined:
    Feb 26, 2006
    Posts:
    335
    Location:
    Canada
    Hello Wip3out,

    welcome to the forums. Check out the last quote & response in post #54 here https://www.wilderssecurity.com/showthread.php?t=141446&page=3 in this same thread. Hopefully it will answer your question.
     
  7. Wip3out

    Wip3out Registered Member

    Joined:
    Oct 15, 2006
    Posts:
    3
    Thanks.

    But my question is about the danger that giving permission for inbound UDP traffic on port 53 (DNS) could bring to the system, if there is any. Only curious.
     
  8. cprtech

    cprtech Registered Member

    Joined:
    Feb 26, 2006
    Posts:
    335
    Location:
    Canada
    As long as the remote address is your DNS server's IP, I don't believe there is any danger. Stem, a firewall expert, responded in that post to that effect.
     
  9. Wip3out

    Wip3out Registered Member

    Joined:
    Oct 15, 2006
    Posts:
    3
    Ok, so, many thanks to you...and Stem ;)

    Bye
     
  10. ndisgii

    ndisgii Registered Member

    Joined:
    Oct 23, 2006
    Posts:
    5
    Hope this isn't a silly question, but away we go :) . I am loading a new system and am using KIS6 to protect my pc. Just getting started, I glanced in the rules area and am curious about 2 things for now (I'll come back with more later....lol):

    1) Is it better to have an app in the app list and have it blocked completely, or is it better to not have it in the list at all? For example, I have all alg.exe stuff disabled via services and am not using it at all as far as I know, so should I remove it from the app list, or should I block in&out completely?

    2) Again, in my global rules I have a pptp entry. I do not use pptp at all and was curious if removing it would be better than applying block to it both ways?

    3) Lastly for now, my question involves local ports vs remote ports. I did a quick test with the pptp just to see what would happen. I blocked it both ways and all was well. I changed the remote port from the default 1723, to a range of 1-65535. It blocked my ability to get on the internet as I expected, so I put it back. I also changed the default 1024-65535 local ports to 1-65535, and everything seemed ok. My question here is this. If I am blocking in&out on something, what would be the negative side of using "1-65535" on ALL of the local ports ALWAYS vs picking a specific port? I hope that made some kind of sense o_O


    PS - Playing with it more now, would there be any advantage to using the alg.exe rule:

    "Block inbound and outbound TCP connection where remote port = 21"

    -vs- the more simplified

    "Block inbound and outbound TCP connection"
     
    Last edited: Oct 24, 2006
  11. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi ndisgii, Welcome to Wilders,
    Have you changed the default firewall setting in KIS? This setting is to allow all applications not specifically denied.
    If you are running KIS in "training" mode, so you are given popups for any new application internet access attempts, then it would be best to leave applications you have blocked within the rules, so that if for some reason these programs do attempt internet access, they will simply be blocked.

    For global "allow" rules that you do not use, it is best to simply remove these.

    As this was a global rule, then this rule affects any/all applications that make internet access. Creating a rule to block all ports will do that for all, and will block your internet access.



    When blocking an application from internet access, it is better to block that application completely:- block inbound/outbound TCP/UDP any local/remote ports
     
  12. ndisgii

    ndisgii Registered Member

    Joined:
    Oct 23, 2006
    Posts:
    5
    Thank you so much for jumping in this thread and thanks for the welcome. I hate asking stupid questions, but I want to get it right first go round. I am in Training Mode right now. Since I posted this, I have been going through my specific app list and making changes. ALL programs that are disabled/inactive/unused or that I know I don't want connecting to the internet are being set to full block both ways. For example, the alg.exe one that I was talking about now shows this in the rules:

    BLOCK Inbound & Outbound TCP Connections
    BLOCK Inbound & Outbound UDP Packets

    And that's it. No local ports...no remote ports...no remote addresses....no nothing except the above. There is no specific option for "ANY" ports. Is that correct? I hope so, because that is how I have been doing all the ones I don't want connecting :D .

    Just to be sure I understand, about the global pptp setting, so what problem will be created by me changing the default "1024-65535" LOCAL ports to "1-65535" when blocking both ways? Or here is another example: "Windows Server Message Block Activity" UDP is blocked both ways by default on local port 445. What will happen if I change the "445" to "1-65535" or "1024-65535"? It seems as though if I made that change, that it would stop the messages from hitting any possible local port on my system, but I think I am thinking wrong here :blink:

    Thanks again!
     
  13. ndisgii

    ndisgii Registered Member

    Joined:
    Oct 23, 2006
    Posts:
    5
    Wow, now I am really starting to think I shouldn't be messing with this stuff....lol....

    I am building this new machine at work, so it is temporarily on the same network as all the other machines.

    Here is the crappy part. I just pinged my actual everyday work box, that only has Windows firewall enabled, and it came back unreachable. However, when I go over to my work box and ping my new box that has KIS6 on it, it pings like a champ. I wonder why my new KIS box can be pinged by my work box? That sucks! :(
     
  14. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    If no port is entered within the block rule then this should default to all ports,.. so your settings should be o.k. to block the applications.

    All unsolicited inbound should be blocked by default (and there should be no need to set such rules), and the use of SPI or a state table should allow any replies.
    If you do set such a rule, you would need to check that, by creating such a global rule, DHCP or DNS replies are not blocked.
    (there was a problem with an update to KIS, where DNS replies needed to be allowed by a rule,.. I don't know if this has been resolved)
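
An added illustration, not part of any post in this thread and not Kaspersky's implementation: a simplified Python model comparing the "inbound UDP, remote port 53" allow rule asked about earlier with the state-table behaviour described in the post above. The addresses, ports and function names are constructed for the example.

```python
from collections import namedtuple

# Constructed sample values (documentation address ranges), not from the thread.
DNS_SERVER = "192.0.2.53"
OTHER_HOST = "198.51.100.7"

Packet = namedtuple("Packet", "direction proto local_port remote_ip remote_port")

def stateless_any(pkt):
    """Rule as prompted by the firewall: allow inbound UDP where remote port = 53."""
    return pkt.direction == "in" and pkt.proto == "udp" and pkt.remote_port == 53

def stateless_dns_only(pkt):
    """The same rule narrowed to the DNS server's address."""
    return stateless_any(pkt) and pkt.remote_ip == DNS_SERVER

class StatefulFilter:
    """Default-deny inbound; a reply passes only if it matches an outbound flow.
    Simplified: a real state table also expires entries after a timeout."""
    def __init__(self):
        self.flows = set()

    def check(self, pkt):
        key = (pkt.proto, pkt.local_port, pkt.remote_ip, pkt.remote_port)
        if pkt.direction == "out":
            self.flows.add(key)   # remember the outbound query
            return True
        return key in self.flows  # inbound must match a remembered flow

def evaluate():
    """Return (stateless_any, stateless_dns_only, stateful) verdicts per packet."""
    query = Packet("out", "udp", 50123, DNS_SERVER, 53)
    inbound = {
        "reply": Packet("in", "udp", 50123, DNS_SERVER, 53),
        "unsolicited_other": Packet("in", "udp", 137, OTHER_HOST, 53),
        "unsolicited_dns_ip": Packet("in", "udp", 137, DNS_SERVER, 53),
    }
    spi = StatefulFilter()
    spi.check(query)
    return {name: (stateless_any(p), stateless_dns_only(p), spi.check(p))
            for name, p in inbound.items()}

if __name__ == "__main__":
    for name, verdicts in evaluate().items():
        print(name, dict(zip(("any:53", "dns-ip:53", "stateful"), verdicts)))
```

All three policies pass the genuine reply; only the state table also rejects a packet that carries the DNS server's address and source port 53 but answers no query.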
     
  15. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    With KIS you would need to change the network settings, so that you are in stealth mode on LAN.

    edit:
    If you check the below attached pic, you can see that there are settings for LAN/internet which changes the way NetBIOS is allowed. There is also a setting to "stealth" the network.
     


    Last edited: Oct 24, 2006
  16. ndisgii

    ndisgii Registered Member

    Joined:
    Oct 23, 2006
    Posts:
    5
    OK, update...I am feeling a little better now :D . Thanks for taking the time to help me....you are truly a lifesaver! I did already have the stealth mode checked, so I went to the Kaspersky forums and noticed that some people had problems with stealth mode and someone provided a file to fix it. I tried that and it did not work. Then I went back and looked at the default global settings again and thought ICMP might be creating a problem. The defaults are:

    ICMP 0 = Allow In
    ICMP 8 = Allow Out
    ICMP 11 = Allow In
    ICMP All Others = Block All

    When I changed ICMP 0 to "BLOCK" In, it fixed the problem. Next question is, can I set all of the ICMP's to "BLOCK ALL"? I am on a standalone computer running a cable modem for high speed internet. NO other computers attach to me at all. Will disabling all ICMP affect my Cable connection? Thanks!
     
  17. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    The default rules are only for (8) echo request, (0) echo reply and (11) time exceeded. These should not be causing the problems you mention (must be bugs in the firewall),...... but anyway,..... blocking these will Stop you pinging other computers, and running traceroute. There should be no other problems.

    edit,
    This problem must be hardware/driver specific.... I have just scanned my LAN and no responses from KIS.
     
    Last edited: Oct 24, 2006
  18. twl845

    twl845 Registered Member

    Joined:
    Apr 12, 2005
    Posts:
    4,186
    Location:
    USA
    One of my biggest problems is reading content of articles, threads, posts etc. where the writer uses abbreviations for every other word. Why can't people take the extra 3 seconds to write the word out? Some of the folks who are constantly exposed to the words that abbreviations mean, know what the abbreviations are. I am slowly finding out meanings, as I accidentally see a word or phrase with the abbreviation next to it. I'm aware of a few tech dictionaries which I frequent occasionally, but you can't be clicking on the dictionary web site 10 times every time you read something. I subscribe to "Smart Computing" Magazine, and I don't care how many times they use an abbreviation, they always write the word or phrase next to it. Now part of the problem is you might find a meaning to an abbreviation and try to commit it to memory, but you might not see it again for a month. By that time you forgot the meaning. Wouldn't it be nice to put an abbreviation dictionary in the header of the forum listed alphabetically for quick access and keep it updated with new items? ;)
     
  19. ndisgii

    ndisgii Registered Member

    Joined:
    Oct 23, 2006
    Posts:
    5
    Thank you so much for your help. I feel a bit better now about this firewall thing, but still learning as I go. I went ahead and disabled ALL of the ICMP stuff both ways. I will see if it creates any problems. Take care!
     