Sygate Question

Discussion in 'other firewalls' started by snowboard, Jun 26, 2005.

Thread Status:
Not open for further replies.
  1. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    I would say that the outgoing and incoming TCP with flags is normal enough (just CHX's stricter SPI), but the incoming UDP should not be seen in the CHX logs. Sygate should have blocked this. Perhaps CHX is getting the packets first on your system?? On mine, Sygate (and other firewalls) always got the incoming packets first before CHX, so I could view the CHX logs to see what the other firewall was missing. Perhaps this is not happening on your system though..

    I have found though, that Sygate will allow packets thru to listening ports, sometimes without permission or asking. It's possible that you are seeing this also...
     
  2. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Without more detail, it is hard to say why you are seeing these.
    You need to look at your connection history and the entire log entry: protocol, source/destination port/service, source/destination IP.
    Was there a connection established by you to any of these IP's?
    Were the incoming packets unsolicited, or just late packets (out of state/connection) being dropped by the SPI?

    Regards,

    CrazyM
     
  3. dholiday

    dholiday Registered Member

    Joined:
    Nov 4, 2004
    Posts:
    48
    You are correct. Sygate was allowing UDP scans on ports 1026 and 1027 to pass through, never asking for permission. I've implemented some changes in Sygate's "advanced rules" and am no longer seeing the packets in CHX's log. Without CHX running in tandem with Sygate this situation would not have been discovered. You're right too about Sygate filtering packets before CHX.
    In case anyone is interested, here are some other packets being blocked by CHX:
    Outgoing - TCP - Rst - Out of connection
    Incoming - TCP - Ack Rst - Out of Connection
    Incoming - TCP - Ack Psh Fin - Invalid Sequence no.
     
  4. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    If these were unsolicited inbound UDP packets did you check your existing rules for anything that may have been permitting them?

    Regards,

    CrazyM
     
  5. dholiday

    dholiday Registered Member

    Joined:
    Nov 4, 2004
    Posts:
    48
    Regarding the UDP packets, no connection established by me, and the incoming packets were unsolicited. As far as the TCP packets, I agree with Kerodo, that CHX has stricter SPI, especially with the IP frag analysis & CWR/ECE flags.
     
  6. dholiday

    dholiday Registered Member

    Joined:
    Nov 4, 2004
    Posts:
    48
    Not so. I am now seeing the same UDP packets (incoming to ports 1026, 1027) in both CHX and Sygate logs.
     
  7. dholiday

    dholiday Registered Member

    Joined:
    Nov 4, 2004
    Posts:
    48
    Yes, nothing. I only allow two UDP ports: 53 for DNS, and 123 for NTP. These are allowed in "advanced rules", and restricted to their specific IPs and ports.
    The next UDP rule blocks all IPs and all applications, except for Automachron (which uses 123 for NTP), and blocks all ports except 53 and 123.
     
  8. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    While the advanced rules should have priority over application rules, have you checked all your application rules to ensure the permit server (inbound) has been disabled?
     
  9. dholiday

    dholiday Registered Member

    Joined:
    Nov 4, 2004
    Posts:
    48
    Only one program requires "act as server" - Automachron. I checked again and that is the only one allowed to do so. I've removed the program from the applications and will see if that stops the incoming on 1026 and 1027. I doubt it.
     
  10. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Are they both logging the same events? Same source port/IP, same destination port/IP?

    Regards,

    CrazyM
     
  11. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    dh - I think you will find that one of the programs giving you problems is Sygate itself, or Smc.Exe. Sygate (Smc.exe) listens typically on port 1026 or 1027, in that range. And you will find that it lets random inbound UDP packets thru to its own listening port. To stop this, you will need to find out exactly which port Sygate is listening on and then create an advanced rule to block UDP to that port from any address and then select Smc.Exe in the applications tab. Then block it inbound only. That will stop the packets coming in to one of those ports. The other one you will have to research and see what program or service is listening on that port.

    I use a program called Active Ports to see what's listening on what port. If you run this, you should be able to find out. You'll see Sygate there (Smc) as one of them.
     
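The checks CrazyM and Kerodo describe above (compare the full 5-tuple of each entry in both logs, decide whether an inbound UDP packet was solicited by an earlier outbound one, and look up which local process owns the destination port) as an added example that is not part of the original thread; the log lines, their field=value format and the listener table are constructed here and are not Sygate's, CHX's or Active Ports' real output.

```python
"""Correlate inbound UDP entries from two host-firewall logs against a table of
local listeners: list packets the outer filter (CHX) logged that the inner one
(Sygate) did not, skipping replies to the host's own queries, and report which
process owned the destination port. All data below is constructed; the
field=value line format is invented for this example, not a real log format."""
import re
from collections import namedtuple

Pkt = namedtuple("Pkt", "proto direction src_ip src_port dst_ip dst_port")
LINE_RE = re.compile(r"proto=(\w+)\s+dir=(in|out)\s+src=([\d.]+):(\d+)\s+dst=([\d.]+):(\d+)")

CHX_LOG = """\
proto=UDP dir=out src=192.0.2.10:1081 dst=198.51.100.53:53
proto=UDP dir=in  src=198.51.100.53:53 dst=192.0.2.10:1081
proto=UDP dir=in  src=203.0.113.9:1026 dst=192.0.2.10:1026
proto=UDP dir=in  src=203.0.113.9:1027 dst=192.0.2.10:1027
proto=TCP dir=in  src=198.51.100.5:80 dst=192.0.2.10:3045 flags=ACK,RST
"""
SYGATE_LOG = """\
proto=TCP dir=in src=198.51.100.5:80 dst=192.0.2.10:3045 flags=ACK,RST
"""
# Constructed listener table, the kind of mapping Active Ports or 'netstat -ano'
# would show; port 1027's owner is deliberately left unresolved.
LISTENERS = {("UDP", 1026): "Smc.exe", ("UDP", 123): "automachron.exe"}

def parse_log(text):
    """Parse log lines into a set of packets (a set, so a duplicate entry counts once)."""
    pkts = set()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, d, sip, sp, dip, dp = m.groups()
            pkts.add(Pkt(proto, d, sip, int(sp), dip, int(dp)))
    return pkts

def is_reply(pkt, outbound):
    """True if an outbound packet mirrors this inbound one (SPI's notion of 'solicited')."""
    return Pkt(pkt.proto, "out", pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in outbound

def unsolicited_udp_missed(outer_log, inner_log, listeners):
    """Inbound UDP the outer filter logged but the inner filter did not, minus
    replies to the host's own queries; returns (dst_port, src_ip, owning process)."""
    outer, inner = parse_log(outer_log), parse_log(inner_log)
    outbound = {p for p in outer if p.direction == "out"}
    findings = []
    for p in sorted(outer - inner):
        if p.proto != "UDP" or p.direction != "in" or is_reply(p, outbound):
            continue
        findings.append((p.dst_port, p.src_ip, listeners.get(("UDP", p.dst_port), "unknown")))
    return findings

if __name__ == "__main__":
    for port, src, owner in unsolicited_udp_missed(CHX_LOG, SYGATE_LOG, LISTENERS):
        print(f"inbound UDP/{port} from {src} passed the inner filter; listener: {owner}")
```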
  12. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,565
    I was wondering if you install CHX-I as is, would it log anything being missed by the f/w or do some rules have to be put in?
     
  13. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    I don't have CHX-I installed right now, so I can't check or try it, but my understanding was that you would need some rules to do any meaningful blocking and hence logging. But since Stefan made his comments on the SPI being active even without rules, I'm not so sure. What I typically do is import my rules, turn on all SPI via the Interface Properties tab, and that's it. My best suggestion is to try it both ways and see what you get... :)
     
  14. Jaws

    Jaws Registered Member

    Joined:
    Apr 4, 2005
    Posts:
    210
    Boy, did Snowboard and his/her question get hijacked or what!
    LOL
     
  15. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Looks like the discussion has mutated beyond recognition.... :D
     
  16. dholiday

    dholiday Registered Member

    Joined:
    Nov 4, 2004
    Posts:
    48
    You are correct once again. See here:
    http://www.issociate.de/board/post/209951/Sygate_listening.html

    Read the last post in the thread, which says a lot. I'm back to just CHX-I and SSM.

    I use Active Ports also, a must have. IMHO.
    Thanks everyone for your help.
     
  17. dholiday

    dholiday Registered Member

    Joined:
    Nov 4, 2004
    Posts:
    48
    Yes indeed, that is why we need a CHX forum, and why not here?
     
  18. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    A wise choice. :)
     
  19. dholiday

    dholiday Registered Member

    Joined:
    Nov 4, 2004
    Posts:
    48
    With no filters, meaning no rules, even with all of the SPI rules activated, you will fail the GRC scan, you'll be wide open. Verify this by disabling all of your filters and then scan.
     
  20. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    That is what I thought also.. If you just install CHX out of the box, it will do basically nothing...
     
  21. dholiday

    dholiday Registered Member

    Joined:
    Nov 4, 2004
    Posts:
    48
    Yes, absolutely. With just one filter rule you're fully stealth, but you won't know. Why? Because with "Allow-Deny All Except", say for just TCP, with no UDP rule, you will not have DNS lookups.
    I think we need to put this thread to bed, and start a new one if anyone is interested in doing so.
     