What Protocols in W7 do I have to allow?

Discussion in 'other firewalls' started by Escalader, May 12, 2012.

Thread Status:
Not open for further replies.
  1. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    If you go into the stickies at the top of this FW forum, (I just did it) there are dozens upon dozens of protocols. Many seem obscure to me as to why they exist at all.

    So, in our FW rules which ones do I have to allow?

    I propose to block them all except TCP and UDP?

    If I do that task what do you guys think would be the consequences?

    Here is one I don't like

    12:22:59 PM Allow IN Ethernet 00-xx-6vv-f1-vv-0g 00-2hh-11-22-22-22 No Rule

    And I have IPv6 IP Helper service disabled!!!!!

    .
     
    Last edited: May 12, 2012
  2. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    Which exact post are you referring to?

    This is not IPv6 address, these are MAC addresses (not very wise to post that info in public). It may very well be the necessary ARP comm (reply allowed in) between your NIC and router.

    There are dependencies between protocols on different OSI layers. Some protocols on lower layers serve as a backbone for upper layers (so TCP and UDP, and above, can operate properly). If you do not fully understand the nature of your connection, I would leave it alone.
     
    Last edited by a moderator: May 12, 2012
  3. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Thanks Nick I have altered the MAC addresses in my post.

    The stickies deal with the international protocols and their definitions I have concluded you are right and will leave it alone.!
     
  4. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,273
    Why?
    MAC address is non-routable, so is it about spoofing etc?
     
  5. m0unds

    m0unds Guest

    i'd imagine that's what was implied - the only context where i'd worry about posting a MAC is if it belonged to a cable modem (or some other similar device that uses MAC auth), and the cable modem was authorized for use or was planned to be authorized in the future. otherwise, it doesn't really matter.
     
  6. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,084
    There are some additional reasons to be selective about disclosing MAC addresses:

    - Simply knowing the OUI portion can, in some circumstances, reveal the type of equipment in use.
    - Manufacturers who are assigned OUIs keep track of how they assign the remaining bits. In many cases the manufacturer maintains a database which allows them to identify not only the exact type of equipment the MAC was assigned to but the exact unit the MAC address was assigned to. In some cases the record keeping is such that the manufacturer (or anyone else who can gain access to the records) can track a MAC address back to records for the purchase of the equipment thereby revealing the original buyer.
    - In addition to manufacturer MAC databases there are other databases/logs (maintained by ISPs, still in the hands of Google, etc) which would allow those with access to attempt to identify location and/or personal and/or other information based just on the MAC address.
     
  7. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    Hiding or displaying MAC address will not make spoofing any easier or harder. Spoofing is done on a LAN, where MAC addresses can be easily retrieved from the ARP cache. Measures can be taken to prevent this (IP/MAC binding).
    I was more in line with what TheWindBringeth said. Hiding a MAC is more of a privacy matter than a security concern.
     
  8. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hi Seer and thread:

    I recall many moons ago it was suggested to program the router to ONLY allow connects from the H/W on my LAN using MAC addy's. Is that what is meant by binding?

    This seems a perfect solution but since there is no perfect solution there must be a flaw in this notion.:doubt:
     
  9. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    Yes. Most home router models now support this "addys" :D
    Users rarely take advantage of this feature though, as most are on trusted LANs.

    It is meant to do what it does. Stop MAC spoofing. If it's implemented correctly, that is.
    There are cases where binding MAC to IP could be very difficult to implement and even impossible (due to the nature of LAN itself, DHCP, etc.). There lies the flaw I guess.
     
  10. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,273
    @Seer, thanks for clarifying where the subject of displaying MAC address falls in the scheme of things :)

    @Escalader, Many (all?) home routers allow what's called "Static IP". Here you BIND the MAC address to IP you want to use and set a flag to enforce it if you want to block any other MAC to be allowed by the DHCP server in the router. If you don't enforce, any guest in the house can get an IP, but your static IPs still exist which is convenient anyway when you read the router logs to know who did what.
    WRT54g and Asus routers certainly support it. Actiontech that Verizon issues do.
    Some routers call it "address reservation", Netgear is an example. Other designations possible.
     
  11. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Thanks, you don't mean my ip provided by the ISP is static. It isn't stays the same for a bit then alters. Does binding still make sense?
     
  12. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,273
    The static IP I described is on the LAN side. Router's DHCP server gives those out to DHCP clients on request.

    To have static IP on the WAN side is a whole different story and you may have to pay for it.
    For a normal, dynamic IP or PPPoE, PPT etc, depends on the lease duration with the ISP's DHCP server, and how in the router you set the WAN side (always on, timeout, etc). The assigned WAN IPs do change, at least in my neck of the woods (US, Verizon).
     
  13. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Got it, mine is similar.

    So on Binding all I need to do it bind the mac addy's of the pc's themselves to the router as the only ones allowed and I'm done?
     
  14. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,273
    Short answer: Yes.

    Long answer: You should get static IP assignments and, in addition, you can block any MAC address not in the router's list. These are often separate click settings. Depends on a router from what I've seen on few.

    For security, I think it's most important on WiFi, less so on the wired connections, so long as you control/deny NetBIOS access to your safe computer (see below).

    The downside of all this is a safe/good friend or family member will not have access till you get into the router and they dictate their MAC address and you type it in correctly.
    Also, some routers with stock firmware have a limit of eight assignments. WRT54g with Hyperwrt had more (12? 16?), most with Tomato firmware - I don't know if have a limit, haven't hit it yet for 14 so far.
    Some people I know decided to ignore that bit of a nuisance on the WiFi side of the router, and just count on their nice long WPA2 keyphrase which their guests do need to type in. Either way, security is a pest, isn't it :)

    HKEY1952 has interesting explanations/FoodForThought here on the subject of NetBIOS filesharing
    https://www.wilderssecurity.com/showthread.php?t=316919
    Really worth reading, at least was for me.
     
Loading...
Thread Status:
Not open for further replies.