Guest PCR Posted July 31, 2007
Re: firewalls - Kerio PF Part 2 - what to block and why - your security at risk

PCR wrote:
| MEB wrote:
|| Part 1 will have to be broken up.. I think the filters are now ON and
|| there is an area that is not supposed to be discussed.. think I might
|| have located it... after 15 tries and several additional partial post
|| failed attempts...
|
| Well, I've sent another response to that post, this time quoting it.
| Looks like it went through for me. Therefore...
|
| (a) You are not wearing your tinfoil hat, &/or
|
| (b) You are making it too long with more additions
| from Filter.log, &/or
|
| (c) Properties of your posts shows...
| X-Newsreader: Microsoft Outlook Express 6.00.2800.1409
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409
|
| ...Mine shows...
| X-Newsreader: Microsoft Outlook Express 6.00.2800.1437
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441

(d) I am using...
http://www.insideoe.com/resources/tools.htm
OEQuotefix

Can it be that it adds an invisible character/two that is poison to you?
Guest MEB Posted July 31, 2007
Re: firewalls - what to block and why - your security at risk

Whatever, now is it your intent to infer that I did NOT test this repeatedly? Shall I supply my EVIDENCE for you or to a court...

Or shall we continue with the discussion? Your choice, I can just as easily deal with these issues via web page..

--
MEB
http://peoplescounsel.orgfree.com
________
Guest PCR Posted July 31, 2007
Re: firewalls - Kerio PF Part 1 - what to block and why - your security at risk

MEB wrote:
| "PCR" <pcrrcp@netzero.net> wrote in message
| news:OMaRHIk0HHA.4184@TK2MSFTNGP06.phx.gbl...

....snip

|| Uh-huh. Naturally, you & I have advanced beyond that point.
|
| hehehe, maybe,,,,,

If it isn't true yet, it surely will kick in in the 16th year of my study!

....snip

|| |
|| | DNS is used by any program requiring addressing information.
||
|| The sole purpose of my DNS Server rule(s)...
||
|| Protocol.......... UDP
|| Direction......... Both
|| Local Endpoint
|| Ports........... 1024-5000
|| Application... Any (but now I've limited it to 5 apps
|| by creating 5 of these rules)
|| Remote Endpoint
|| Addresses.... The entire NetZero range
|| Port............. 53
||
|| ... is to resolve NET addresses? Still, am I right to seek to limit
|| it to the five apps I kind of have to trust? Otherwise, can't it be
|| appropriated by some devious app to do ill?
|
| As you posted, yes, it would appear so.

Well... one of us should solidify the point. Is it possible I might safely have left "any" in that rule, because... it has NetZero addresses in it &/or specifically refers to port 53... IOW, NetZero will handle any misanthrope at their end by whatever app owns the port there? I should get an answer to that before I continue much further with this current plan!

| But is it necessary or
| reasonable to create one rule with ALL the address range included and
| allowed? Seems that leaves an awful lot of addresses available to
| hijack/spoof...

I'm thinking, even allowing the full range, there would have to be a port 53 at the address actually used for a spoof to do harm, anyhow. So, if spoofing is possible, it only will happen at an address that has port 53 open. Otherwise, the datagram will not be accepted. I don't know how NetZero picks one of these addresses to use, either-- I guess it's something in Exec.exe that decides. Previously, I fished for them out of Filter.log & stopped at 4.

| though limiting it to JUST those apps does decrease
| that ability..

That's my original thought. A trusted app will do no ill, unless hijacked. But, if hijacking it means it must be altered, Kerio should catch that with its MD5 check. Or avast! will stop it from being altered in the first place.

||
|| | The key
|| | is to limit to the EXACT DNS server(s) NOT within your system
|| | [unless for local network traffic] and the port [53] used by that
|| | (those) server(s) with limited [chosen by previous monitoring]
|| | local ports and applications.

What if NetZero adds or deletes them? Is there magic at a NetZero port 53 that will handle a spoof, anyhow, & no matter at which of their addresses? Or can there be magic in the protocol UDP in/out that prevents spoofing?

|| Why do I need to bother with ports, if I limit the DNS rule(s) to
|| trusted apps & to trusted NetZero addresses?
|
| Well, 53 is the standard port for that type of request, and is held
| as such... as for requesting port, there may be a LARGE fluctuation..
| I think you limiting to the specific apps will suffice, perhaps
| someone more qualified can confirm...

Yea. And here is what to read thrice for an answer, as posted to me by Blanton long ago...

http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/ip.htm
What a packet looks like.

http://www.cisco.com/en/US/about/ac123/ac114/about_cisco_packet_magazine.html
Packet Magazine.

http://www.linuxsecurity.com/resource_files/firewalls/firewall-seen.html
FAQ: Firewall Forensics (What am I seeing?) ...by Robert Graham

|| Unfortunately, Kerio does
|| not permit a list of apps in a rule, the way it does with ports &
|| addresses. So, currently I have coded 5 of them...!...
||
|| (1) DNS Server-- EXEC.exe (NetZero)
|| (2) DNS Server-- ASHWEBSV (avast! Web Scanner)
|| (3) DNS Server-- AVAST.SETUP (There actually is no program)
|| (4) DNS Server-- ASHMAISV (avast! e-Mail Scanner Service)
|| (5) DNS Server-- IExplore

....snip

|| | 2,[28/Jul/2007 17:22:18] Rule 'AOL UDP pass': Permitted: Out UDP,
|| | localhost:1030->XXX.XXX.XXX.X:7427, Owner: C:\PROGRAM FILES\AMERICA
|| | ONLINE
|| | 7.0\WAOL.EXE
||
|| So... WAOL.exe (which was port 1030 on your computer) needed to
|| resolve an address? And it did so at XXX.XXX.XXX.X, port 7427? Is
|| that what that says?
|
| No and yes, there is another set of rules applied prior to this, and
| UDP need not be
| DNS.

But what about port 53 at NetZero's end? Does it restrict what a UDP datagram can do?

||
|| | 1,[28/Jul/2007 17:22:18] Rule 'Other ICMP': Blocked: Out ICMP [10]
|| | Router Solicitation, localhost->224.0.0.2, Owner: Tcpip Kernel
|| | Driver
||
|| I get lots of those. Here is the last I recorded...
||
|| 1,[27/Jul/2007 17:40:12] Rule 'Kill ICMP (Log)': Blocked: In ICMP [8]
|| Echo Request, 4.232.192.209->localhost, Owner: Tcpip Kernel Driver
||
|| ..., but, beginning yesterday, I have chosen NOT to log those
|| anymore. I have two rules above that blocker. One allows ICMP
|| incoming for... [0] Echo Reply, [3] Destination Unreachable, [11]
|| Time Exceeded
||
|| The other allows it outgoing for...
|| [3] Destination Unreachable, [8] Echo Request
|
| Those are the suggestions by most, including Sponge...
| So you have no specific rule for Netzero ICMP?

Undoubtedly, Sponge was the source of it-- but I may have made an adjustment afterward to drop [0] going out & [8] coming in-- to become non-pingable, I think. Anyhow, I'm very satisfied I am fine with ICMP. And I don't see anything specific to NetZero-- no! Should there be? I do have lots of protocol "any" rules (to be investigated last), but none of those are specific to any address, either.

|| I think that's probably finalized for ICMP. In this case, specific
|| apps & ports are not possible in the rules-- only specific endpoint
|| addresses are. But mine apply to any address.
||
|| | 2,[28/Jul/2007 17:22:18] Rule 'AOL UDP pass': Permitted: In UDP,
|| | XXX.XXX.XXX.X:7427->localhost:1030, Owner: C:\PROGRAM FILES\AMERICA
|| | ONLINE
|| | 7.0\WAOL.EXE
|
| ***********
|
| This is apparently the problem area. If this post refers to the
| original. Google search for what this was and think of the potential
| uses.
|
| **********

I have no trouble quoting the whole post.

....snip

|| I used to get these Kerio alerts about Shaw Comm...
||
|| Someone from 24.64.9.177, port 3222 wants to send UDP datagram to
|| port 1027 owned by 'Distributed COM Services' on your computer.
||
|| ..., but they are prevented now with a rule that specifically blocks
|| RPCSS.exe (which is Distributed COM Services & which establishes the
|| port 1027) from using UDP/TCP. Eventually, I hope to remove that
|| block rule (& 4 others)-- after I have completed my UDP & TCP permit
|| rules for specific, trusted apps/addresses. Then, RPCSS.exe will be
|| blocked along with the others by virtue of not being included in the
|| PERMITs-- & having one single BLOCK after them.
|
| Well I would suggest you block SHAW's range entirely, if you have
| others, create a custom list or put them in your hosts file

I'll have to look into that as I get to the other protocols. Currently, I still am holding to my master plan-- to have specific permits & generalized blocks.

....snip

|| I haven't begun to finalize my TCP rules yet. That's probably where
|| I go next, once UDP is done!
|
| Yeah get UDP outadaway... then lock down Outlook or whatever mail
| prog you use...
| There are a lot of TCP activities, back and forth, that can be
| blocked.
|
| Each application should have only enough access to allow it to
| function for its use...

Well, let's see how it goes as I progress to the other protocols. Some obviously cannot have a rule that applies to specific apps. But, they do all allow for specific remote addresses.

....snip

|| Nothing ELSE tried to use UDP? Not even RNAAPP.exe, RPCSS.exe,
|| PersFW.exe, & PFWadMin.exe-- which are just some of the ones using
|| it in here before I recently have prevented them! Well, I guess it
|| may require the clicking of an URL for those to kick in.
|
| As I said, I would not post all my rules or the logs they would
| create, that creates too much of a security risk..
| RPCSS was locked down previously, along with krnl386, and several
| other potential exploits. Anything and EVERYTHING that might apply to
| web/network usage should have its own settings JUST IN CASE... or at
| least in my config..

OK.

| If you remember [likely not], several months ago a program was
| suggested to me which attempted to bypass/reset ALL of my firewall
| settings,,, were it not for my prior restrictions it likely would
| have succeeded. As it was already ruled, it popped up and requested
| what to do since I said it couldn't do what the installation wanted
| to do PRIOR to disabling the firewall..

Interesting. I haven't seen anything like that, & I hope it isn't because my rules are lax!

|| |
| | ANOTHER POTENTIAL AREA REMOVED

I WAS able to respond to this area too-- to the whole post!

||
|| What specifically is notable about them?
|
| See the prior links. So this was an attempt to locate other routers..
| And *tcpip Kernel request* indicates the driver/protocol itself,,
| e.g. part of normal network usage, normally ALLOWED due to its usual
| necessity.

Alright.

|| | What would make you think any anti-spyware or anti-virus programs
|| | would check or correct these types of activities?
||
|| I do believe an actual executable can be read into a machine through
|| malicious use of these NET packets, although I'm not sure which
|| precise protocols can do it. Once it is read in &/or tries to run,
|| one hopes one's virus/malware scanner WILL catch it, before it
|| delivers its payload!
|
| You forget JAVA, server side includes/codes [php, asp, other], FLASH,
| streaming
| media, PDFs, and other aspects which are not necessarily caught by
| ANYTHING except for your proxy and/or firewall. ALL [emphasis all]
| are potential carriers of damaging hacks...

OK. There might have been java, flash, etc., updates as well-- but, fine, I'm a believer in a good firewall-- sure!

....snip

| END PART 1 of 2

Very good. Before answering part 2, I must investigate a new trojan/virus avast! has discovered today...

.......Quote avast! "Simple User Interface.txt.......
C:\Program Files\Common Files\Microsoft Shared\Stationery\Tiki Lounge.htm [L] VBS:Malware (0)
File was successfully renamed/moved...
C:\Program Files\Alwil Software\Avast4\DATA\moved\Tiki Lounge.htm.vir [L] VBS:Malware [Html] (0)
.......EOQ...........................................................

I'm hoping it's another false alarm! But this is for another thread!

| LESS THE DELETED MATERIAL
|
| --
| MEB
| http://peoplescounsel.orgfree.com
| ________

--
Thanks or Good Luck,
There may be humor in this post, and,
Naturally, you will not sue,
Should things get worse after this,
PCR
pcrrcp@netzero.net
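The DNS rule being argued over in the post above (UDP, local ports 1024-5000, remote port 53, one copy of the rule per trusted application, the ISP's resolver range as the only allowed remote address) and the ICMP type allow-list can be checked against sample traffic with a small first-match rule evaluator. This is an added example, not Kerio's code and not anything either poster wrote; 192.0.2.0/24 is an assumed stand-in for the NetZero resolver range, which the thread does not give, and the packets are constructed. It also shows what the same rule with "Application: Any" lets through.

```python
"""First-match rule evaluation modelled on the Kerio PF rules in the thread.
Added example, not the firewall's own code.  The first matching rule decides;
traffic that reaches the final catch-all is blocked."""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Assumed stand-in for the ISP's resolver range (TEST-NET-1); the real NetZero
# addresses are not given in the thread.
ISP_DNS_NET = ipaddress.ip_network("192.0.2.0/24")
EPHEMERAL = range(1024, 5001)  # the 1024-5000 local port range from the rule
# The applications given DNS rules in the thread (AVAST.SETUP left out: "no program").
TRUSTED_RESOLVERS = ("EXEC.EXE", "ASHWEBSV.EXE", "ASHMAISV.EXE", "IEXPLORE.EXE")


@dataclass(frozen=True)
class Packet:
    direction: str           # "In" or "Out"
    proto: str               # "UDP", "TCP" or "ICMP"
    owner: str               # executable owning the local socket, as Kerio logs it
    remote_ip: str
    local_port: int = 0      # 0 for ICMP
    remote_port: int = 0
    icmp_type: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                          # "Permitted" or "Blocked"
    proto: Optional[str] = None                          # None = any protocol
    direction: Optional[str] = None                      # None = both
    owner: Optional[str] = None                          # None = "Application: Any"
    local_ports: Optional[range] = None
    remote_nets: Optional[Tuple[ipaddress.IPv4Network, ...]] = None
    remote_port: Optional[int] = None
    icmp_types: Optional[FrozenSet[int]] = None

    def matches(self, p: Packet) -> bool:
        """Every field that is set must match; unset fields mean 'any'."""
        return (
            (self.proto is None or self.proto == p.proto)
            and (self.direction is None or self.direction == p.direction)
            and (self.owner is None or self.owner.upper() == p.owner.upper())
            and (self.local_ports is None or p.local_port in self.local_ports)
            and (self.remote_nets is None
                 or any(ipaddress.ip_address(p.remote_ip) in n for n in self.remote_nets))
            and (self.remote_port is None or self.remote_port == p.remote_port)
            and (self.icmp_types is None or p.icmp_type in self.icmp_types)
        )


def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, str]:
    """Return (action, rule name) of the first rule that matches; default deny."""
    for r in rules:
        if r.matches(p):
            return r.action, r.name
    return "Blocked", "<no rule matched>"


def dns_rule(owner: Optional[str]) -> Rule:
    """The 'DNS Server' rule from the thread, for one application or for Any."""
    return Rule(f"DNS Server-- {owner or 'Any'}", "Permitted", proto="UDP",
                owner=owner, local_ports=EPHEMERAL, remote_nets=(ISP_DNS_NET,),
                remote_port=53)


# Specific permits first, then one generalised block, as the plan in the thread.
TIGHT_RULES = [dns_rule(app) for app in TRUSTED_RESOLVERS] + [
    Rule("ICMP in", "Permitted", proto="ICMP", direction="In",
         icmp_types=frozenset({0, 3, 11})),        # Echo Reply, Unreachable, Time Exceeded
    Rule("ICMP out", "Permitted", proto="ICMP", direction="Out",
         icmp_types=frozenset({3, 8})),            # Unreachable, Echo Request
    Rule("Block everything else", "Blocked"),
]
# The looser variant under discussion: the same DNS rule with Application = Any.
LOOSE_RULES = [dns_rule(None), TIGHT_RULES[-1]]

# Constructed sample traffic; owners and ports follow the log lines in the thread.
SAMPLES = {
    "query out": Packet("Out", "UDP", "EXEC.EXE", "192.0.2.5", 1030, 53),
    "reply in": Packet("In", "UDP", "EXEC.EXE", "192.0.2.5", 1030, 53),
    "reply from elsewhere": Packet("In", "UDP", "EXEC.EXE", "198.51.100.7", 1030, 53),
    "reply to WAOL": Packet("In", "UDP", "WAOL.EXE", "192.0.2.5", 1030, 53),
    "not port 53": Packet("Out", "UDP", "EXEC.EXE", "192.0.2.5", 1030, 7427),
    "ping probe": Packet("In", "ICMP", "Tcpip Kernel Driver", "4.232.192.209", icmp_type=8),
    "router solicitation": Packet("Out", "ICMP", "Tcpip Kernel Driver", "224.0.0.2", icmp_type=10),
    "echo reply": Packet("In", "ICMP", "Tcpip Kernel Driver", "192.0.2.5", icmp_type=0),
}


def run(rules: List[Rule]) -> dict:
    """Map each sample packet name to the action the rule set takes on it."""
    return {name: evaluate(rules, p)[0] for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, p in SAMPLES.items():
        print(f"{name:22} tight={evaluate(TIGHT_RULES, p)[0]:9} loose={evaluate(LOOSE_RULES, p)[0]}")
```

The point the two rule sets make: with the address range and port 53 alone, a datagram from a resolver address to a local port owned by some other program is still accepted (the "reply to WAOL" case passes under LOOSE_RULES); only the per-application copies of the rule stop it. A source port of 53 at an address outside the resolver range is refused by both, which is what limiting the remote addresses buys.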
Guest PCR Posted July 31, 2007
Re: firewalls - what to block and why - your security at risk

MEB wrote:
| Whatever, now is it your intent to infer that I did NOT test this
| repeatedly? Shall I supply my EVIDENCE for you or to a court...
|
| Or shall we continue with the discussion? Your choice, I can just as
| easily deal with these issues via web page..

Just joking about the hat-- you know! :-). I posted serious possibilities elsewhere in this thread why you can't quote it. Also, I answered Part 1 of 2. I must take a break from this thread & investigate a new avast! alert. Thanks for your continued participation.

| --
| MEB
| http://peoplescounsel.orgfree.com
| ________

--
Thanks or Good Luck,
There may be humor in this post, and,
Naturally, you will not sue,
Should things get worse after this,
PCR
pcrrcp@netzero.net
Guest MEB Posted August 1, 2007
Re: firewalls - what to block and why - your security at risk

"PCR" <pcrrcp@netzero.net> wrote in message news:OSjj1M70HHA.4344@TK2MSFTNGP03.phx.gbl...
| MEB wrote:
| | Whatever, now is it your intent to infer that I did NOT test this
| | repeatedly? Shall I supply my EVIDENCE for you or to a court...
| |
| | Or shall we continue with the discussion? Your choice, I can just as
| | easily deal with these issues via web page..
|
| Just joking about the hat-- you know! :-).

What, you don't like my tin foil hat now, you are dangerously close .... ;-[

|
| I posted serious possibilities elsewhere in this thread why you can't
| quote it. Also, I answered Part 1 of 2. I must take a break from this
| thread & investigate a new avast! alert. Thanks for your continued
| participation.

Well, that kinda ignores the fact that three others had difficulty posting [obviously server changes], moreover that suggestion related to OEQUOTEFIX directly conflicts with the ability to respond to your posts previously, and now.

Frankly I have what I need pursuant to the matter, from 07/30/07 12:55 AM through 07/31/07 2:49 AM as either the full post or the removed segments ONLY, and under various headings in this group, 22 attempts,... while retaining the ability to post anything else, ANYWHERE ELSE, or in this discussion.
Further, Part 2 DID make it through AFTER I broke Part 1 away containing the segments though BOTH were posted at the same time under different or same headings and different thread segments.
Moreover Part 1 DID post without them. Of course we need not even question that I COULD previously post those segments SINCE I originally posted them.
So frankly what you posted means little related to what I could not do... nor that they could possibly be posted NOW having exposed this aspect before the group and the world ... settings/filters CAN be changed, can't they...

This is a rather large amount of circumstantial evidence...

Think we can let this alone now?

| | --
| | MEB
| | ________
|
| --
| Thanks or Good Luck,
| There may be humor in this post, and,
| Naturally, you will not sue,
| Should things get worse after this,
| PCR
| pcrrcp@netzero.net
|
|

--
MEB
http://peoplescounsel.orgfree.com
________
Guest MEB Posted August 1, 2007
Re: firewalls - Kerio PF Part 1 - what to block and why - your security at risk

"PCR" <pcrrcp@netzero.net> wrote in message news:ehuK$E70HHA.5152@TK2MSFTNGP02.phx.gbl...
| MEB wrote:
| | "PCR" <pcrrcp@netzero.net> wrote in message
| | news:OMaRHIk0HHA.4184@TK2MSFTNGP06.phx.gbl...
| ...snip
| || Uh-huh. Naturally, you & I have advanced beyond that point.
| |
| | hehehe, maybe,,,,,
|
| If it isn't true yet, it surely will kick in in the 16th year of my
| study!

Oh wow, then you should have all this down pat...8<}

|
| ...snip
| || |
| || | DNS is used by any program requiring addressing information.
| ||
| || The sole purpose of my DNS Server rule(s)...
| ||
| || Protocol.......... UDP
| || Direction......... Both
| || Local Endpoint
| || Ports........... 1024-5000
| || Application... Any (but now I've limited it to 5 apps
| || by creating 5 of these rules)
| || Remote Endpoint
| || Addresses.... The entire NetZero range
| || Port............. 53
| ||
| || ... is to resolve NET addresses? Still, am I right to seek to limit
| || it to the five apps I kind of have to trust? Otherwise, can't it be
| || appropriated by some devious app to do ill?
| |
| | As you posted, yes, it would appear so.
|
| Well... one of us should solidify the point. Is it possible I might
| safely have left "any" in that rule, because... it has NetZero addresses
| in it &/or specifically refers to port 53... IOW, NetZero will handle
| any misanthrope at their end by whatever app owns the port there? I
| should get an answer to that before I continue much further with this
| current plan!

Based upon my personal experience: NO, do not leave much of anything as ANY unless it's a block/refusal, or you're logging results for refinement of your rules.

|
| | But is it necessary or
| | reasonable to create one rule with ALL the address range included and
| | allowed? Seems that leaves an awful lot of addresses available to
| | hijack/spoof...
|
| I'm thinking, even allowing the full range, there would have to be a
| port 53 at the address actually used for a spoof to do harm, anyhow. So,
| if spoofing is possible, it only will happen at an address that has port
| 53 open. Otherwise, the datagram will not be accepted. I don't know how
| NetZero picks one of these addresses to use, either-- I guess it's
| something in Exec.exe that decides. Previously, I fished for them out of
| Filter.log & stopped at 4.

Okay, further refinement: Port 53 is the SENDING port from some remote address, local ports may be just about anything out on the Net [and likely on NetZero]. So if, such as on AOL and its thousands of LOCAL private network addresses, proceeding OFF AOL's [and NetZero's] PRIVATE network and one of those addresses is available or known, AND your rule would accept such from ANY address/external OR one you had included within your rules for AOL/NetZero [but you're no longer on the private network] from Port 53, then there would be a potential access point.

I presently have a DNS [one], and the UDP range which has seven additional UDP addresses waiting to be included IF there are other contiguous addresses which also need to be included [they are way out of range, so they may be a separate rule], and 53 more additional addresses logged and ruled SO FAR for AOL TCP [though potentially ranged to 3 rules]. AND I use nothing on AOL but its mail [rarely] and the logon from which ALL of these addresses were obtained, e.g. just what it takes to logon. And the list grows EVERY TIME I logon. It's possible some of these addresses MIGHT be used off the private network so ALL are locked to waol. But this is a MAJOR security hole. I suppose I could just use some of the rules already created by others for AOL but .....

Haven't you ever logged a remote 192.168.1.* or a 192.168.0.* [or other class C] address from somewhere on the Internet yet?? Or a remote 127.0.0.1 or other non-standard Internet address?

|
| | though limiting it to JUST those apps does decrease
| | that ability..
|
| That's my original thought. A trusted app will do no ill, unless
| hijacked. But, if hijacking it means it must be altered, Kerio should
| catch that with its MD5 check. Or avast! will stop it from being altered
| in the first place.

But if hijacking requires nothing more than would have been displayed by that 3k [tooleaky] test I referred you to, then are you really secure? That test doesn't do anything that would normally be caught by ANYTHING. It could just as easily be delivered through some server code, or Java, or in a Flash object ...

|
| ||
| || | The key
| || | is to limit to the EXACT DNS server(s) NOT within your system
| || | [unless for local network traffic] and the port [53] used by that
| || | (those) server(s) with limited [chosen by previous monitoring]
| || | local ports and applications.
|
| What if NetZero adds or deletes them? Is there magic at a NetZero port
| 53 that will handle a spoof, anyhow, & no matter at which of their
| addresses? Or can there be magic in the protocol UDP in/out that
| prevents spoofing?

I would like to be able to say that the NetZero site/network was secure, but then we have to walk back to the real world and remember that Google was hacked, Microsoft was hacked, the DOJ was hacked, etc... Anytime an ISP or direct connection has large groups of people connected through it, there is always the chance that some of those people are running some type of hack, trace, broadcast, or other which you are susceptible to, since you also are connected through the same service. The ISP [or direct network] has a range of addresses it gives to its customers/users, which can be found through some rather simple means, or software which can locate/single out individual users. Did you miss that I posted some tools which potentially COULD do this. So is remote Port 53 safe to accept from a broad range of NetZero addresses or an *ANY*,, what do you think?

|
| || Why do I need to bother with ports, if I limit the DNS rule(s) to
| || trusted apps & to trusted NetZero addresses?
| |
| | Well, 53 is the standard port for that type of request, and is held
| | as such... as for requesting port, there may be a LARGE fluctuation..
| | I think you limiting to the specific apps will suffice, perhaps
| | someone more qualified can confirm...
|
| Yea. And here is what to read thrice for an answer, as posted to me by
| Blanton long ago...
|
| http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/ip.htm
| What a packet looks like.
|
| http://www.cisco.com/en/US/about/ac123/ac114/about_cisco_packet_magazine.html
| Packet Magazine.
|
| http://www.linuxsecurity.com/resource_files/firewalls/firewall-seen.html
| FAQ: Firewall Forensics (What am I seeing?) ...by Robert Graham

Actually what I posted previously might have given a broader outlook, but I will read these [likely tonight/morning]. Heck for all I remember, I may have done so already. Oh yeah, seems I have Robert's listed on my firewall page, and the Cisco ip.htm, along with some other reference links, here's the link:

http://peoplescounsel.orgfree.com/ref/gen/security/firewalls.htm

|
| || Unfortunately, Kerio does
| || not permit a list of apps in a rule, the way it does with ports &
| || addresses. So, currently I have coded 5 of them...!...
| ||
| || (1) DNS Server-- EXEC.exe (NetZero)
| || (2) DNS Server-- ASHWEBSV (avast! Web Scanner)
| || (3) DNS Server-- AVAST.SETUP (There actually is no program)
| || (4) DNS Server-- ASHMAISV (avast! e-Mail Scanner Service)
| || (5) DNS Server-- IExplore
|
| ...snip
| || | 2,[28/Jul/2007 17:22:18] Rule 'AOL UDP pass': Permitted: Out UDP,
| || | localhost:1030->XXX.XXX.XXX.X:7427, Owner: C:\PROGRAM FILES\AMERICA
| || | ONLINE
| || | 7.0\WAOL.EXE
| ||
| || So... WAOL.exe (which was port 1030 on your computer) needed to
| || resolve an address? And it did so at XXX.XXX.XXX.X, port 7427? Is
| || that what that says?
| |
| | No and yes, there is another set of rules applied prior to this, and
| | UDP need not be
| | DNS.
|
| But what about port 53 at NetZero's end? Does it restrict what a UDP
| datagram can do?

Let's see if the prior answers/presents spark an answer.

|
| ||
| || | 1,[28/Jul/2007 17:22:18] Rule 'Other ICMP': Blocked: Out ICMP [10]
| || | Router Solicitation, localhost->224.0.0.2, Owner: Tcpip Kernel
| || | Driver
| ||
| || I get lots of those. Here is the last I recorded...
| ||
| || 1,[27/Jul/2007 17:40:12] Rule 'Kill ICMP (Log)': Blocked: In ICMP [8]
| || Echo Request, 4.232.192.209->localhost, Owner: Tcpip Kernel Driver
| ||
| || ..., but, beginning yesterday, I have chosen NOT to log those
| || anymore. I have two rules above that blocker. One allows ICMP
| || incoming for... [0] Echo Reply, [3] Destination Unreachable, [11]
| || Time Exceeded
| ||
| || The other allows it outgoing for...
| || [3] Destination Unreachable, [8] Echo Request
| |
| | Those are the suggestions by most, including Sponge...
| | So you have no specific rule for Netzero ICMP?
|
| Undoubtedly, Sponge was the source of it-- but I may have made an
| adjustment afterward to drop [0] going out & [8] coming in-- to become
| non-pingable, I think.

Yes, if you want to be as stealthy as possible, everything should be ruled off in your firewall. Though in my config, I have specific addresses which can ping and to which I can ping [by application both ways] so that my web pages can be maintained and other necessary functions. And others which are set to log such activity [for purposes previously mentioned]. For instance, AOL contacts its users, and pops up a disconnect, should you fail to respond to the popup [likely to kill off asleep drunks in its forums or on the service] or disallow these, you will likely get kicked off more often ...

| Anyhow, I'm very satisfied I am fine with ICMP.
| And I don't see anything specific to NetZero-- no! Should there be? I do
| have lots of protocol "any" rules (to be investigated last), but none of
| those are specific to any address, either.

I suppose once you get to that aspect you'll find out if NetZero does want or need ICMP. Do you understand what ICMP is used for?

|
| || I think that's probably finalized for ICMP. In this case, specific
| || apps & ports are not possible in the rules-- only specific endpoint
| || addresses are. But mine apply to any address.
| ||
| || | 2,[28/Jul/2007 17:22:18] Rule 'AOL UDP pass': Permitted: In UDP,
| || | XXX.XXX.XXX.X:7427->localhost:1030, Owner: C:\PROGRAM FILES\AMERICA
| || | ONLINE
| || | 7.0\WAOL.EXE
| |
| | ***********
| |
| | This is apparently the problem area. If this post refers to the
| | original. Google search for what this was and think of the potential
| | uses.
| |
| | **********
|
| I have no trouble quoting the whole post.

I suggest you start here, and Google..

http://support.microsoft.com/kb/223136
http://www.iana.org/assignments/multicast-addresses

And again, think carefully about what the potentials could be ..... don't get lost on the touchy feely, think about the ramifications ...

|
| ...snip
| || I used to get these Kerio alerts about Shaw Comm...
| ||
| || Someone from 24.64.9.177, port 3222 wants to send UDP datagram to
| || port 1027 owned by 'Distributed COM Services' on your computer.
| ||
| || ..., but they are prevented now with a rule that specifically blocks
| || RPCSS.exe (which is Distributed COM Services & which establishes the
| || port 1027) from using UDP/TCP. Eventually, I hope to remove that
| || block rule (& 4 others)-- after I have completed my UDP & TCP permit
| || rules for specific, trusted apps/addresses. Then, RPCSS.exe will be
| || blocked along with the others by virtue of not being included in the
| || PERMITs-- & having one single BLOCK after them.
| |
| | Well I would suggest you block SHAW's range entirely, if you have
| | others, create a custom list or put them in your hosts file
|
| I'll have to look into that as I get to the other protocols. Currently,
| I still am holding to my master plan-- to have specific permits &
| generalized blocks.

It's whatever suits your purpose and your needs... log for a while after you think you have it finalized and that will pretty much answer your questions.

|
| ...snip
| || I haven't begun to finalize my TCP rules yet. That's probably where
| || I go next, once UDP is done!
| |
| | Yeah get UDP outadaway... then lock down Outlook or whatever mail
| | prog you use...
| | There are a lot of TCP activities, back and forth, that can be
| | blocked.
| |
| | Each application should have only enough access to allow it to
| | function for its use...
|
| Well, let's see how it goes as I progress to the other protocols. Some
| obviously cannot have a rule that applies to specific apps. But, they do
| all allow for specific remote addresses.
|
| ...snip
| || Nothing ELSE tried to use UDP? Not even RNAAPP.exe, RPCSS.exe,
| || PersFW.exe, & PFWadMin.exe-- which are just some of the ones using
| || it in here before I recently have prevented them! Well, I guess it
| || may require the clicking of an URL for those to kick in.
| |
| | As I said, I would not post all my rules or the logs they would
| | create, that creates too much of a security risk..
| | RPCSS was locked down previously, along with krnl386, and several
| | other potential exploits. Anything and EVERYTHING that might apply to
| | web/network usage should have its own settings JUST IN CASE... or at
| | least in my config..
|
| OK.
|
| | If you remember [likely not], several months ago a program was
| | suggested to me which attempted to bypass/reset ALL of my firewall
| | settings,,, were it not for my prior restrictions it likely would
| | have succeeded. As it was already ruled, it popped up and requested
| | what to do since I said it couldn't do what the installation wanted
| | to do PRIOR to disabling the firewall..
|
| Interesting. I haven't seen anything like that, & I hope it isn't
| because my rules are lax!

No, likely you aren't testing large amounts of applications anymore. This actually was not unusual during my old testing days of pulling hundreds of apps off the Net to test [and the expected Viruses and other], but I was somewhat caught off guard when it occurred from a post in this group and someone was using it, and recommended it. As I stated in that discussion, had I used the Internet install; whatever this program wanted done MIGHT have been successful anyway and surely would have whacked the unsuspecting.

|
| || |
| | | ANOTHER POTENTIAL AREA REMOVED
|
| I WAS able to respond to this area too-- to the whole post!
|
| ||
| || What specifically is notable about them?
| |
| | See the prior links. So this was an attempt to locate other routers..
| | And *tcpip Kernel request* indicates the driver/protocol itself,,
| | e.g. part of normal network usage, normally ALLOWED due to its usual
| | necessity.
|
| Alright.
|
| || | What would make you think any anti-spyware or anti-virus programs
| || | would check or correct these types of activities?
| ||
| || I do believe an actual executable can be read into a machine through
| || malicious use of these NET packets, although I'm not sure which
| || precise protocols can do it. Once it is read in &/or tries to run,
| || one hopes one's virus/malware scanner WILL catch it, before it
| || delivers its payload!
| |
| | You forget JAVA, server side includes/codes [php, asp, other], FLASH,
| | streaming
| | media, PDFs, and other aspects which are not necessarily caught by
| | ANYTHING except for your proxy and/or firewall. ALL [emphasis all]
| | are potential carriers of damaging hacks...
|
| OK. There might have been java, flash, etc., updates as well-- but,
| fine, I'm a believer in a good firewall-- sure!
|
| ...snip
| | END PART 1 of 2
|
| Very good. Before answering part 2, I must investigate a new
| trojan/virus
| avast! has discovered today...
|
| ......Quote avast! "Simple User Interface.txt.......
| C:\Program Files\Common Files\Microsoft Shared\Stationery\Tiki
| Lounge.htm [L] VBS:Malware (0)
| File was successfully renamed/moved...
| C:\Program Files\Alwil Software\Avast4\DATA\moved\Tiki Lounge.htm.vir
| [L] VBS:Malware [Html] (0)
| ......EOQ...........................................................
|
| I'm hoping it's another false alarm! But this is for another thread!

I see it was. That is the problem with AV and Spyware, definitions may be a bit out of whack, but hopefully they get corrected. AVG popped up an ALERT a month or so [2 maybe] ago for something I had been using for years, had checked with all the available AV progs I had or used, and claimed it was a variant of an OLD virus. Next update it was gone. Of course I had already gone through all the motions and checks... BEFORE they corrected the data. But what the heck, I'd rather have an occasional false positive than an infection.

|
| | LESS THE DELETED MATERIAL
| |
| | --
| | MEB
| | ________
|
| --
| Thanks or Good Luck,
| There may be humor in this post, and,
| Naturally, you will not sue,
| Should things get worse after this,
| PCR
| pcrrcp@netzero.net
|
|

--
MEB
http://peoplescounsel.orgfree.com
________
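Two suggestions in the post above lend themselves to one piece of tooling: the question about ever having logged a remote 192.168.x.x or 127.0.0.1 address from the Internet, and the advice to keep logging for a while after the rules look finished and let the log answer the remaining questions. The following parser handles Filter.log lines of the shape quoted in the thread (TCP/UDP lines with ports, ICMP lines with a bracketed type) and flags the cases discussed: non-routable source addresses arriving from outside, port-53 replies from outside the resolver range, inbound traffic reaching RPCSS.exe, and ping probes. This is an added example, not Kerio's code and not anything either poster wrote. The sample log is constructed in the thread's format: the 24.64.9.177 and 4.232.192.209 entries reuse addresses quoted in the thread, while 198.51.100.8, the 192.0.2.0/24 resolver range and the rule names 'Block RPCSS', 'DNS Server-- EXEC.exe' and 'UDP catch-all' are assumptions.

```python
"""Parser and anomaly flagging for Kerio PF Filter.log lines of the shape shown in
the thread.  Added example; the rule names and addresses in SAMPLE_LOG are constructed."""
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Optional

LINE_RE = re.compile(
    r"^(?P<level>\d+),\[(?P<ts>[^\]]+)\] Rule '(?P<rule>[^']*)': "
    r"(?P<action>Permitted|Blocked): (?P<dir>In|Out) (?P<proto>[A-Z]+)"
    r"(?: \[(?P<itype>\d+)\] (?P<iname>[^,]+))?, "      # ICMP lines carry "[type] name"
    r"(?P<src>[^:,\s-]+)(?::(?P<sport>\d+))?->"
    r"(?P<dst>[^:,\s]+)(?::(?P<dport>\d+))?, Owner: (?P<owner>.+)$"
)

# Addresses that should never be the remote end of a packet arriving from the Internet.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                 "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]
# Assumed stand-in for the ISP's resolver range (TEST-NET-1); not from the thread.
RESOLVER_NET = ipaddress.ip_network("192.0.2.0/24")


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Split one log line into its fields; 'remote' is the non-localhost side."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    inbound = d["dir"] == "In"
    d["remote"] = d["src"] if inbound else d["dst"]
    d["remote_port"] = int((d["sport"] if inbound else d["dport"]) or 0)
    d["local_port"] = int((d["dport"] if inbound else d["sport"]) or 0)
    d["icmp_type"] = int(d["itype"]) if d["itype"] else None
    return d


def flags_for(rec: Dict[str, object], resolver_net=RESOLVER_NET) -> List[str]:
    """Things worth a second look when refining rules from the log."""
    flags: List[str] = []
    try:
        ip = ipaddress.ip_address(rec["remote"])
    except ValueError:                       # e.g. a masked XXX.XXX.XXX.X address
        return ["remote endpoint is not an address"]
    inbound = rec["dir"] == "In"
    if inbound and any(ip in n for n in NON_ROUTABLE):
        flags.append("non-routable source arriving from outside")
    if inbound and rec["proto"] == "UDP" and rec["remote_port"] == 53 and ip not in resolver_net:
        flags.append("DNS-style reply from outside the resolver range")
    if inbound and str(rec["owner"]).upper().endswith("RPCSS.EXE"):
        flags.append("inbound traffic to the DCOM/RPC service")
    if inbound and rec["proto"] == "ICMP" and rec["icmp_type"] == 8:
        flags.append("ping probe")
    return flags


def analyse(log_text: str, resolver_net=RESOLVER_NET) -> List[Dict[str, object]]:
    """Return one entry per flagged line: timestamp, rule, remote endpoint, flags."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        flags = flags_for(rec, resolver_net)
        if flags:
            hits.append({"ts": rec["ts"], "rule": rec["rule"],
                         "remote": rec["remote"], "flags": flags})
    return hits


def rule_summary(log_text: str) -> Counter:
    """How often each (rule, action, direction, protocol) fired: the 'log for a while' step."""
    recs = (parse_line(l) for l in log_text.splitlines())
    return Counter((r["rule"], r["action"], r["dir"], r["proto"]) for r in recs if r)


# Constructed sample log in the format quoted in the thread.
SAMPLE_LOG = r"""
2,[28/Jul/2007 17:22:18] Rule 'AOL UDP pass': Permitted: Out UDP, localhost:1030->198.51.100.8:7427, Owner: C:\PROGRAM FILES\AMERICA ONLINE 7.0\WAOL.EXE
2,[28/Jul/2007 17:22:18] Rule 'AOL UDP pass': Permitted: In UDP, 198.51.100.8:7427->localhost:1030, Owner: C:\PROGRAM FILES\AMERICA ONLINE 7.0\WAOL.EXE
1,[28/Jul/2007 17:22:18] Rule 'Other ICMP': Blocked: Out ICMP [10] Router Solicitation, localhost->224.0.0.2, Owner: Tcpip Kernel Driver
1,[27/Jul/2007 17:40:12] Rule 'Kill ICMP (Log)': Blocked: In ICMP [8] Echo Request, 4.232.192.209->localhost, Owner: Tcpip Kernel Driver
1,[29/Jul/2007 09:01:44] Rule 'Block RPCSS': Blocked: In UDP, 24.64.9.177:3222->localhost:1027, Owner: C:\WINDOWS\SYSTEM\RPCSS.EXE
2,[29/Jul/2007 09:02:03] Rule 'DNS Server-- EXEC.exe': Permitted: In UDP, 192.0.2.5:53->localhost:1031, Owner: C:\PROGRAM FILES\NETZERO\EXEC.EXE
1,[29/Jul/2007 09:02:10] Rule 'UDP catch-all': Blocked: In UDP, 192.168.1.20:53->localhost:1031, Owner: C:\PROGRAM FILES\NETZERO\EXEC.EXE
1,[29/Jul/2007 09:02:11] Rule 'UDP catch-all': Blocked: In UDP, 127.0.0.1:53->localhost:1031, Owner: C:\PROGRAM FILES\NETZERO\EXEC.EXE
"""

if __name__ == "__main__":
    for hit in analyse(SAMPLE_LOG):
        print(hit["ts"], hit["rule"], hit["remote"], "; ".join(hit["flags"]))
    for key, n in rule_summary(SAMPLE_LOG).most_common():
        print(n, key)
```

Run against a real Filter.log, the rule summary shows which permit rules actually fire (and which catch-all is absorbing traffic that still needs a specific rule), and the flagged entries are the ones to check before widening any address range: a reply from port 53 at a private or loopback address on a dial-up link is exactly the spoof case debated above, and a good reason not to leave the remote address at Any.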
Guest PCR Posted August 1, 2007 Posted August 1, 2007 Re: firewalls - what to block and why - your security at risk MEB wrote: | "PCR" <pcrrcp@netzero.net> wrote in message | news:OSjj1M70HHA.4344@TK2MSFTNGP03.phx.gbl... || MEB wrote: || | Whatever, now is it your intent to infer that I did NOT test this || | repeatedly? Shall I supply my EVIDENCE for you or to a court... || | || | Or shall we continue with the discussion? Your choice, I can just || | as easily deal with these issues via web page.. || || Just joking about the hat-- you know! :-). | | What you don't like my tin foil hat now, you are dangerously close | .... ;-[ No, no-- it's fine, fine! || || I posted serious possibilities elsewhere in this thread why you can't || quote it. Also, I answered Part 1 of 2. I must take a break from this || thread & investigate a new avast! alert. Thanks for your continued || participation. | | Well, that kinda ignores the fact that three others had difficulty | posting [obviously server changes], That kind of thing affects posting to ANY thread in the NG-- not just to my posts! | moreover that suggestion related | to OEQUOTEFIX directly conflicts with the ability to respond to your | posts previously, and now. Well, maybe, BUT I'm thinking there may be a rare circumstance in which OEQuoteFix inserts a special character that is poison to you. So, it might not always happen that you can't respond to it. BUT, very likely, OEQuoteFix is innocent. All I really know is... sometimes OEQuoteFix does muss URLs-- it will grab stuff from the next line & attach it to the URL! (Still, the URL almost does work when clicked.) Another remote possibility I didn't think of earlier... avast! is adding words to my headers... X-Antivirus: avast! (VPS 000762-4, 07/30/2007), Outbound message X-Antivirus-Status: Clean Here is the one back then... X-Antivirus: avast! (VPS 000762-0, 07/29/2007), Outbound message X-Antivirus-Status: Clean But I see no poison in it! 
| Frankly I have what I need pursuant to the matter, from 07/30/07 12:55
| AM through 07/31/07 2:49 AM as either the full post or the removed
| segments ONLY, and under various headings in this group, 22
| attempts,... while retaining the ability to post anything else,
| ANYWHERE ELSE, or in this discussion.

I know you've been wearing your tinfoil hat. Therefore...
(a) You are allergic to something in my posts, &/or
(b) You need to update your OE, &/or
(c) You made a response that was unGodly HUGE, &/or
(d) Something else is doing it, maybe a "filter", as you suspect.

| Further, Part 2 DID make it through AFTER I broke Part 1 away
| containing the segments though BOTH were posted at the same time under
| different or same headings and different thread segments.
| Moreover Part 1 DID post without them. Of course we need not even
| question that I COULD previously post those segments SINCE I
| originally posted them.

It's something you posted? But after I quoted it only? Is it in here...?...
news:OMaRHIk0HHA.4184@TK2MSFTNGP06.phx.gbl

| So frankly what you posted means little related to what I could not
| do... nor that they could possibly be posted NOW having exposed this
| aspect before the group and the world ... settings/filters CAN be
| changed, can't they...
|
| This is a rather large amount of circumstantial evidence...
|
| Think we can let this alone now?

And, is it in here...?...
news:OAxLQ750HHA.5884@TK2MSFTNGP02.phx.gbl

I'll get to the firewall stuff shortly, I hope.

|| | --
|| | MEB
|| | ________
||
|| --
|| Thanks or Good Luck,
|| There may be humor in this post, and,
|| Naturally, you will not sue,
|| Should things get worse after this,
|| PCR
|| pcrrcp@netzero.net
|
| --
| MEB
| http://peoplescounsel.orgfree.com
| ________

--
Thanks or Good Luck,
There may be humor in this post, and,
Naturally, you will not sue,
Should things get worse after this,
PCR
pcrrcp@netzero.net
Guest MEB Posted August 1, 2007 Re: firewalls - what to block and why - your security at risk

Look dude, your attempts at explaining away the issue holds no water.. any mere cursory analysis finds that true ....

If you continue we WILL proceed to discuss those individuals within or whom monitor this group, with sufficient server/Microsoft contact; and the apparent fact, someone determined that this filter be applied... and how one could reasonably determine such issues, etc..

And use your brain, I do this for other activities,, its called forensic research, collecting evidence, building cases, providing prosecutive materials or defense materials ........................................ get it yet.

NOW DROP IT! The last thing this discussion needs is spurious chatter...

--
MEB
http://peoplescounsel.orgfree.com
________
Guest PCR Posted August 1, 2007 Re: firewalls - what to block and why - your security at risk

MEB wrote:
| Look dude, your attempts at explaining away the issue holds no
| water.. any mere cursory analysis finds that true ....
|
| If you continue we WILL proceed to discuss those individuals within
| or whom monitor this group, with sufficient server/Microsoft contact;
| and the apparent fact, someone determined that this filter be
| applied... and how one could reasonably determine such issues, etc..
|
| And use your brain, I do this for other activities,, its called
| forensic research, collecting evidence, building cases, providing
| prosecutive materials or defense materials
| ........................................ get it yet.
|
| NOW DROP IT! The last thing this discussion needs is spurious
| chatter...

I think I almost know what you're referring to. And that's enough for me. OK, bye. I'll try to get to the firewall stuff later.

| --
| MEB
| http://peoplescounsel.orgfree.com
| ________

--
Thanks or Good Luck,
There may be humor in this post, and,
Naturally, you will not sue,
Should things get worse after this,
PCR
pcrrcp@netzero.net
Guest Curt Christianson Posted August 1, 2007 Re: firewalls - what to block and why - your security at risk

I'm glad I bailed when I did, or else this thread would have looked like the *three* stooges! <vbg>

--
HTH,
Curt

Windows Support Center
http://www.aumha.org
Practically Nerded,...
http://dundats.mvps.org/Index.htm

"PCR" <pcrrcp@netzero.net> wrote in message news:uKHQ%23iH1HHA.3768@TK2MSFTNGP06.phx.gbl...
| MEB wrote:
|| Look dude, your attempts at explaining away the issue holds no
|| water.. any mere cursory analysis finds that true ....
||
|| If you continue we WILL proceed to discuss those individuals within
|| or whom monitor this group, with sufficient server/Microsoft contact;
|| and the apparent fact, someone determined that this filter be
|| applied... and how one could reasonably determine such issues, etc..
||
|| And use your brain, I do this for other activities,, its called
|| forensic research, collecting evidence, building cases, providing
|| prosecutive materials or defense materials
|| ........................................ get it yet.
||
|| NOW DROP IT! The last thing this discussion needs is spurious
|| chatter...
|
| I think I almost know what you're referring to. And that's enough for
| me. OK, bye. I'll try to get to the firewall stuff later.
|
|| --
|| MEB
|| http://peoplescounsel.orgfree.com
|| ________
|
| --
| Thanks or Good Luck,
| There may be humor in this post, and,
| Naturally, you will not sue,
| Should things get worse after this,
| PCR
| pcrrcp@netzero.net
Guest PCR Posted August 1, 2007 Posted August 1, 2007 Re: firewalls - what to block and why - your security at risk Curt Christianson wrote: | I'm glad I bailed when I did, or else this thread would have looked | like the *three* stooges! <vbg> I didn't know you were bald, Christianson! Ohhhh, that's right, geees... it is one of the, the, the... early XP-irradiation symptoms! No, no, seriously, I GUESS I must recommence to reading those URLs for a bit-- BUT I'll be back with solidified answers as to whether my master plan will work with these Kerio rules or not! Also, MEB's idea to track my final result is a good one. And other things said are useful. | -- | HTH, | Curt | | Windows Support Center | http://www.aumha.org | Practically Nerded,... | http://dundats.mvps.org/Index.htm | | "PCR" <pcrrcp@netzero.net> wrote in message | news:uKHQ%23iH1HHA.3768@TK2MSFTNGP06.phx.gbl... || MEB wrote: ||| Look dude, your attempts at explaining away the issue holds no ||| water.. any mere cursory analysis finds that true .... ||| ||| If you continue we WILL proceed to discuss those individuals within ||| or whom monitor this group, with sufficient server/Microsoft ||| contact; and the apparent fact, someone determined that this filter ||| be applied... and how one could reasonably determine such issues, ||| etc.. ||| ||| And use your brain, I do this for other activities,, its called ||| forensic research, collecting evidence, building cases, providing ||| prosecutive materials or defense materials ||| ........................................ get it yet. ||| ||| NOW DROP IT! The last thing this discussion needs is spurious ||| chatter... || || I think I almost know what you're referring to. And that's enough for || me. OK, bye. I'll try to get to the firewall stuff later. 
|| ||| -- ||| MEB ||| http://peoplescounsel.orgfree.com ||| ________ || || -- || Thanks or Good Luck, || There may be humor in this post, and, || Naturally, you will not sue, || Should things get worse after this, || PCR || pcrrcp@netzero.net -- Thanks or Good Luck, There may be humor in this post, and, Naturally, you will not sue, Should things get worse after this, PCR pcrrcp@netzero.net
Guest Curt Christianson Posted August 1, 2007 Posted August 1, 2007 Re: firewalls - what to block and why - your security at risk MEB is a force to be reckoned with--he/she knows their stuff. And don't make the mistake some of our "regulars" here trying to get into a battle of legalities and logistics--one usually can't win. "I refuse to have a battle of wits with an un-armed person"--my credo! -- HTH, Curt Windows Support Center http://www.aumha.org Practically Nerded,... http://dundats.mvps.org/Index.htm "PCR" <pcrrcp@netzero.net> wrote in message news:%23td8m2H1HHA.536@TK2MSFTNGP06.phx.gbl... | Curt Christianson wrote: || I'm glad I bailed when I did, or else this thread would have looked || like the *three* stooges! <vbg> | | I didn't know you were bald, Christianson! Ohhhh, that's right, geees... | it is one of the, the, the... early XP-irradiation symptoms! | | No, no, seriously, I GUESS I must recommence to reading those URLs for a | bit-- BUT I'll be back with solidified answers as to whether my master | plan will work with these Kerio rules or not! Also, MEB's idea to track | my final result is a good one. And other things said are useful. | || -- || HTH, || Curt || || Windows Support Center || http://www.aumha.org || Practically Nerded,... || http://dundats.mvps.org/Index.htm || || "PCR" <pcrrcp@netzero.net> wrote in message || news:uKHQ%23iH1HHA.3768@TK2MSFTNGP06.phx.gbl... ||| MEB wrote: |||| Look dude, your attempts at explaining away the issue holds no |||| water.. any mere cursory analysis finds that true .... |||| |||| If you continue we WILL proceed to discuss those individuals within |||| or whom monitor this group, with sufficient server/Microsoft |||| contact; and the apparent fact, someone determined that this filter |||| be applied... and how one could reasonably determine such issues, |||| etc.. 
|||| |||| And use your brain, I do this for other activities,, its called |||| forensic research, collecting evidence, building cases, providing |||| prosecutive materials or defense materials |||| ........................................ get it yet. |||| |||| NOW DROP IT! The last thing this discussion needs is spurious |||| chatter... ||| ||| I think I almost know what you're referring to. And that's enough for ||| me. OK, bye. I'll try to get to the firewall stuff later. ||| |||| -- |||| MEB |||| http://peoplescounsel.orgfree.com |||| ________ ||| ||| -- ||| Thanks or Good Luck, ||| There may be humor in this post, and, ||| Naturally, you will not sue, ||| Should things get worse after this, ||| PCR ||| pcrrcp@netzero.net | | -- | Thanks or Good Luck, | There may be humor in this post, and, | Naturally, you will not sue, | Should things get worse after this, | PCR | pcrrcp@netzero.net | |
Guest PCR Posted August 1, 2007 Re: firewalls - Kerio PF Part 1 - what to block and why - your security at risk

MEB wrote:
| "PCR" <pcrrcp@netzero.net> wrote in message
| news:ehuK$E70HHA.5152@TK2MSFTNGP02.phx.gbl...
....snip
|| || | DNS is used by any program requiring addressing information.
|| ||
|| || The sole purpose of my DNS Server rule(s)...
|| ||
|| || Protocol.......... UDP
|| || Direction......... Both
|| || Local Endpoint
|| || Ports........... 1024-5000
|| || Application... Any (but now I've limited it to 5 apps
|| || by creating 5 of these rules)
|| || Remote Endpoint
|| || Addresses.... The entire NetZero range
|| || Port............. 53
|| ||
|| || ... is to resolve NET addresses? Still, am I right to seek to
|| || limit it to the five apps I kind of have to trust? Otherwise,
|| || can't it be appropriated by some devious app to do ill?
|| |
|| | As you posted, yes, it would appear so.
||
|| Well... one of us should solidify the point. Is it possible I might
|| safely have left "any" in that rule, because... it has NetZero
|| addresses in it &/or specifically refers to port 53... IOW, NetZero
|| will handle any misanthrope at their end by whatever app owns the
|| port there? I should get an answer to that before I continue much
|| further with this current plan!
|
| Based upon my personal experience: NO, do not leave much of anything
| as ANY unless it's a block/refusal, or you're logging results for
| refinement of your rules.

OK, thanks. I'll take another look at those URLs, but likely will continue as I began to have a specific allow for apps I must trust only. But, didn't it come from Sponge with "any" in there?

|| | But is it necessary or
|| | reasonable to create one rule with ALL the address range included
|| | and allowed? Seems that leaves an awful lot of addresses
|| | available to hijack/spoof...
|| || I'm thinking, even allowing the full range, there would have to be a || port 53 at the address actually used for a spoof to do harm, anyhow. || So, if spoofing is possible, it only will happen at an address that || has port 53 open. Otherwise, the datagram will not be accepted. I || don't know how NetZero picks one of these addresses to use, either-- || I guess it's something in Exec.exe that decides. Previously, I || fished for them out of Filter.log & stopped at 4. | | Okay, further refinement: Port 53 is the SENDING port from some | remote address, Well... that DNS Server rule is both directions, yea. So, we send to UDP datagram to the ISP address, port 53-- & it may send UDP back to us. | local ports may be just about anything out on the Net | [and likely on NetZero]. The local endpoint ports in the DNS Server rule are... 1024-5000 (which some do narrow as gram pappy said-- I haven't finally decided yet)... & those are in OUR machine (as I understand it) & apparently created/closed on an as needed basis by whatever app cares to do it. But some apps might leave them open in a "listening" state. I don't see any open right now with one of those ports for UDP. I do see 3 listening for TCP on ports 1040, 1041, 1025, 1025, 1533, & 1027. HOWEVER, I have a rule blocking ALL of those, except the two that are ASHMAISV.exe. | So if, such as on AOL and its thousands of LOCAL private network | addresses, proceeding OFF AOL's [and NetZero's] PRIVATE network and | one of those addresses is available or known, AND your rule would | accept such from ANY address/external OR one you had included within | your rules for AOL/NetZero [but you're no longer on the private | network] from Port 53, then there would be a potential access point. Of course, I doubt I know what I'm talking about this early in my 17 year study, BUT... I'm thinking there is a timing consideration. The answer has to come quick, or the port won't be there. 
I have no port 1538 open to accept anything spurious. Avast! opened & closed it on an as needed basis. Here is its very last use of DNS...

2,[01/Aug/2007 18:13:34] Rule 'DNS Server-- ASHMAISV': Permitted: Out UDP, localhost:1538->64.136.44.74:53, Owner: C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
2,[01/Aug/2007 18:13:34] Rule 'DNS Server-- ASHMAISV': Permitted: In UDP, 64.136.44.74:53->localhost:1538, Owner: C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE

And this was a use by NetZero that preceded it...

2,[01/Aug/2007 18:02:56] Rule 'DNS Server-- EXEC.exe': Permitted: Out UDP, localhost:1534->64.136.44.74:53, Owner: C:\PROGRAM FILES\NETZERO\EXEC.EXE
2,[01/Aug/2007 18:02:56] Rule 'DNS Server-- EXEC.exe': Permitted: In UDP, 64.136.44.74:53->localhost:1534, Owner: C:\PROGRAM FILES\NETZERO\EXEC.EXE

I have no port 1534 open now to take anything!

| I presently have a DNS [one], and the UDP range which has seven
| additional UDP addresses waiting to be included IF there are other
| contiguous addresses which also need included [they are way out of
| range, so they may be a separate rule],

I only did it recently (a week?), but I see no untoward result as yet from putting the full NetZero range in my 6 DNS rules. (There were just 5, but HiJackThis wanted one too, when I clicked to update it. But there was no update.)

| and 53 more additional
| addresses logged and ruled SO FAR for AOL TCP [though potentially
| ranged to 3 rules].

I haven't begun to fiddle with TCP much. Currently, looks like... all my TCP permits are OUTWARD only...
(a) NetZero may go to only its own address range, but any port & UDP is also permitted out in that rule.
(b) Avast.SETUP can only go to port 80, but any address.
(c) ASHWEBSV can only go to port 80, but any address.
(d) ASHMAISV can go to any address, any port.
(e) IExplore can go to any address, any port.

But I DON'T want to discuss TCP yet! I think I do recall now/then a Kerio alert about someone wanting to send TCP in...
probably... if it happened during a process I initiated with a trusted app... probably, I allowed it. | AND I use nothing on AOL but its mail [rarely] | and the logon from which ALL of these addresses were obtained, e.g. | just what it takes to logon. And list grows EVERYTIME I logon. Its | possible some of these addresses MIGHT be used off the private | network so ALL are locked to waol. But this is a MAJOR security hole. | I suppose I could just use some of the rules already created by | others for AOL but ..... I haven't fully studied TCP yet. I won't be able to advise for 6 or so years! | Haven't you ever logged a remote 192.168.1.* or a 192.168.0.* [or | other class C] address from somewhere on the Internet yet?? Or a | remote 127.0.0.1 or other non-standard Internet address? Huh? || || | though limiting it to JUST those apps does decrease || | that ability.. || || That's my original thought. A trusted app will do no ill, unless || hijacked. But, if hijacking it means it must be altered, Kerio should || catch that with its MD5 check. Or avast! will stop it from being || altered in the first place. | | But if hijacking requires nothing more than would have been | displayed by that 3k [tooleaky] test I referred you to, then are you | really secure? That test doesn't do anything that would normally be | caught by ANYTHING. It could just as easily be delivered through some | server code, or Java, or in a Flash object ... I haven't gotten to that test yet. Not this time around. I do recall once going to an URL posted here that did pronounce my rules to be safe-- but I've been fiddling since then! || || || || || | The key || || | is to limit to the EXACT DNS server(s) NOT within your system || || | [unless for local network traffic] and the port [53] used by || || | that (those) server(s) with limited [chosen by previous || || | monitoring] local ports and applications. || || What if NetZero adds or deletes them? 
Is there magic at a NetZero || port 53 that will handle a spoof, anyhow, & no matter at which of || their addresses? Or can there be magic in the protocol UDP in/out || that prevents spoofing? | | I would like to be able to say that the NetZero site/network was | secure, but then we have to walk back to the real world and remember | that Google was hacked, Microsoft was hacked, the DOJ was hacked, | etc... Anytime an ISP or direct connection has large groups of | people connected through it, there is always the chance that some of | those people are running some type of hack, trace, broadcast, or | other which you are susceptible to, since you also are connected | through the same service. The ISP [or direct network] has a range of | addresses it gives to its customers/users, which can be found through | some rather simple means, or software which can locate/single out | individual users. Did you miss that I posted some tools which | potentially COULD do this. So is remote Port 53 safe to accept from | a broad range of NetZero addresses or an *ANY*,, what do you think? I understand all that. Pending further research, I still believe there is a timing consideration in those DNS Server rules, though. || || || Why do I need to bother with ports, if I limit the DNS rule(s) to || || trusted apps & to trusted NetZero addresses? || | || | Well, 53 is the standard port for that type of request, and is || | held as such... as for requesting port, there may be a LARGE || | fluctuation.. I think you limiting to the specific apps will || | suffice, perhaps someone more qualified can confirm... || || Yea. And here is what to read thrice for an answer, as posted to me || by Blanton long ago... || || http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/ip.htm || What a packet looks like. || || | http://www.cisco.com/en/US/about/ac123/ac114/about_cisco_packet_magazine.html || Packet Magazine. 
|| || http://www.linuxsecurity.com/resource_files/firewalls/firewall-seen.html || FAQ: Firewall Forensics (What am I seeing?) ...by Robert Graham | | Actually what I posted previously might have given a broader | outlook, but I will read these [likely tonight/morning]. Heck for all | I remember, I may have done so already. | Oh yeah, seems I have Robert's listed on my firewall page, and the | Cisco ip.htm, along with some other reference links, here's the link: | | http://peoplescounsel.orgfree.com/ref/gen/security/firewalls.htm OK. I've clicked that. I think I do need to do some reading. I'm thinking we should suspend this thread, until we both have read that stuff again. I know I also owe a response to "part 2". || || || Unfortunately, Kerio does || || not permit a list of apps in a rule, the way it does with ports & || || addresses. So, currently I have coded 5 of them...!... || || || || (1) DNS Server-- EXEC.exe (NetZero) || || (2) DNS Server-- ASHWEBSV (avast! Web Scanner) || || (3) DNS Server-- AVAST.SETUP (There actually is no program) || || (4) DNS Server-- ASHMAISV (avast! e-Mail Scanner Service) || || (5) DNS Server-- IExplore || || ...snip || || | 2,[28/Jul/2007 17:22:18] Rule 'AOL UDP pass': Permitted: Out || || | UDP, localhost:1030->XXX.XXX.XXX.X:7427, Owner: C:\PROGRAM || || | FILES\AMERICA ONLINE || || | 7.0\WAOL.EXE || || || || So... WAOL.exe (which was port 1030 on your computer) needed to || || resolve an address? And it did so at XXX.XXX.XXX.X, port7427? Is || || that what that says? || | || | No and yes, there is another set of rules applied prior to this, || | and UDP need not be || | DNS. || || But what about port 53 at NetZero's end? Does it restrict what a UDP || datagram can do? | | Let's see if the prior answers/presents spark an answer. That's another option, yea. 
|| || || || || | 1,[28/Jul/2007 17:22:18] Rule 'Other ICMP': Blocked: Out ICMP || || | [10] Router Solicitation, localhost->224.0.0.2, Owner: Tcpip || || | Kernel Driver || || || || I get lots of those. Here is the last I recorded... || || || || 1,[27/Jul/2007 17:40:12] Rule 'Kill ICMP (Log)': Blocked: In ICMP || || [8] Echo Request, 4.232.192.209->localhost, Owner: Tcpip Kernel || || Driver || || || || ..., but, beginning yesterday, I have chosen NOT to log those || || anymore. I have two rules above that blocker. One allows ICMP || || incoming for... [0] Echo Reply, [3] Destination Unreachable, [11] || || Time Exceeded || || || || The other allows it outgoing for... || || [3] Destination Unreachable, [8] Echo Request || | || | Those are the suggestions by most, including Sponge... || | So you have no specific rule for Netzero ICMP? || || Undoubtedly, Sponge was the source of it-- but I may have made an || adjustment afterward to drop [0] going out & [8] coming in-- to || become non-pingable, I think. | | Yes, if you want to be as stealthy as possible, everything should be | ruled off in your firewall. Though in my config, I have specific | addresses which can ping and to which I can ping [by application both | ways] so that my web pages can be maintained and other necessary | functions. And others which are set to log such activity [for | purposes previously mentioned]. I didn't think of that, to let specific sites ping me. I do get a warning from NetZero now/then that I must click or get thrown off. It seems to work w/o pinging. However, eventually, I am thrown off w/o a warning, anyhow. I don't know, maybe it's a second NetZero mechanism that does require PING to function. OK, that's done-- I allow ICMP [0] out & [8] in to the NetZero range only. It shouldn't be long before I know the result. 
| For instance, AOL contacts its users, and pops up a disconnect, | should you fail to respond to the popup [likely to kill off asleep | drunks in its forums or on the service] or disallow these, you will | likely get kicked off | more often ... Right. NetZero too-- & for a paying customer! || Anyhow, I'm very satisfied I am fine with ICMP. || And I don't see anything specific to NetZero-- no! Should there be? || I do have lots of protocol "any" rules (to be investigated last), || but none of those are specific to any address, either. | | I suppose once you get to that aspect you'll find out if NetZero | does want or need ICMP. Do you understand what ICMP is used for? No. But I'll let you know whether allowing NetZero to PING me eliminates the mysterious disconnects. || || I think that's probably finalized for ICMP. In this case, specific || || apps & ports are not possible in the rules-- only specific || || endpoint addresses are. But mine apply to any address. || || || || | 2,[28/Jul/2007 17:22:18] Rule 'AOL UDP pass': Permitted: In UDP, || || | XXX.XXX.XXX.X:7427->localhost:1030, Owner: C:\PROGRAM || || | FILES\AMERICA ONLINE || || | 7.0\WAOL.EXE || | || | *********** || | || | This is apparently the problem area. If this posts refer to the || | original. Google search for what this was and think of the || | potential uses. || | || | ********** || || I have no trouble quoting the whole post. | | I suggest you start here, and Google.. | | http://support.microsoft.com/kb/223136 | http://www.iana.org/assignments/multicast-addresses | | And again, think carefully about what the potentials could be ..... | don't get lost on the touchy feely, think about the ramifications ... I'll get to it. || || ...snip || || I used to get these Kerio alert's about Shaw Comm... || || || || Someone from 24.64.9.177, port 3222 wants to send UDP datagram to || || port 1027 owned by 'Distributed COM Services' on your computer. 
|| || ..., but they are prevented now with a rule that specifically
|| || blocks RPCSS.exe (which is Distributed COM Services & which
|| || establishes the port 1027) from using UDP/TCP. Eventually, I hope
|| || to remove that block rule (& 4 others)-- after I have completed
|| || my UDP & TCP permit rules for specific, trusted apps/addresses.
|| || Then, RPCSS.exe will be blocked along with the others by virtue
|| || of not being included in the PERMITs-- & having one single BLOCK
|| || after them.
|| |
|| | Well I would suggest you block SHAW's range entirely, if you have
|| | others, create a custom list or put them in your hosts file
||
|| I'll have to look into that as I get to the other protocols.
|| Currently, I still am holding to my master plan-- to have specific
|| permits & generalized blocks.
|
| It's whatever suits your purpose and your needs... log for awhile
| after you think you have it finalized and that will pretty much
| answer your questions.

Agreed.

....snip
|| | If you remember [likely not], several months ago a program was
|| | suggested to me which attempted to bypass/reset ALL of my firewall
|| | settings,,, were it not for my prior restrictions it likely would
|| | have succeeded. As it was already ruled, it popped up and requested
|| | what to do since I said it couldn't do what the installation wanted
|| | to do PRIOR to disabling the firewall..
||
|| Interesting. I haven't seen anything like that, & I hope it isn't
|| because my rules are lax!
|
| No, likely you aren't testing large amounts of applications anymore.
| This actually was not unusual during my old testing days of pulling
| hundreds of apps off the Net to test [and the expected Viruses and
| other], but I was somewhat caught off guard when it occurred from a
| post in this group and someone was using it, and recommended it.
| As I stated in that discussion, had I used the Internet install;
| whatever this program wanted done MIGHT have been successful anyway
| and surely would have whacked the unsuspecting.

Alright.

....snip
|| Very good. Before answering part 2, I must investigate a new
|| trojan/virus avast! has discovered today...
||
|| ......Quote avast! "Simple User Interface.txt.......
|| C:\Program Files\Common Files\Microsoft Shared\Stationery\Tiki
|| Lounge.htm [L] VBS:Malware (0)
|| File was successfully renamed/moved...
|| C:\Program Files\Alwil Software\Avast4\DATA\moved\Tiki Lounge.htm.vir
|| [L] VBS:Malware [Html] (0)
|| ......EOQ...........................................................
||
|| I'm hoping it's another false alarm! But this is for another thread!
|
| I see it was. That is the problem with AV and Spyware, definitions
| may be a bit out of whack, but hopefully they get corrected.
| AVG popped up an ALERT a month or so [2 maybe] ago for something I
| had been using for years, had checked with all the available AV progs
| I had or used, and claimed it was a variant of an OLD virus. Next
| update it was gone. Of course I had already gone through all the
| motions and checks... BEFORE they corrected the data. But what the
| heck, I'd rather have an occasional false positive than an infection.

Absolutely. But I never had these fireworks with McAfee. Twice, now, avast! has triggered a false alarm! Avast! does handle the file well-- renaming it, moving it into the Chest. However, once taken back out of the Chest, its date has changed. This was once a 1999 file...

C:\>DIR C:\SetupMDM.exe /s
 Directory of C:\Program Files\RioPort\Audio Manager
SETUPMDM EXE       195,716  06-25-07  3:31p Setupmdm.exe

....snip
| --
| MEB
| http://peoplescounsel.orgfree.com
| ________

--
Thanks or Good Luck,
There may be humor in this post, and,
Naturally, you will not sue,
Should things get worse after this,
PCR
pcrrcp@netzero.net
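Editor's note. The procedure the two posters converge on above (log everything through a broad permit, then cut the rules down to exact applications, addresses and ports, and look in the log for spoofed or unsolicited traffic) is what a script would do to Kerio's Filter.log. The following is an added example, written in Python for this page; it is not PCR's, MEB's or Kerio's code. Its log-line format is inferred from the lines PCR quotes above, and nothing else about Kerio is assumed. `ISP_DNS` and `ISP_NET` are placeholders (64.136.44.74 is the resolver in PCR's log; the /16 around it is an assumed stand-in for "the ISP's range", not NetZero's real allocation), and `SAMPLE_LOG` is constructed: the two EXEC.exe lines are PCR's, the other four lines and all the timestamps were made up to exercise each check. The checks it applies are the ones raised in the thread: a 192.168.x.x or 127.0.0.1 "remote" on an Internet link, echo requests from outside the ISP, port 53 traffic with something other than the ISP's resolver, and PCR's "timing consideration", an inbound UDP datagram with no recent outbound query from that local port to that remote.

```python
"""Mine Kerio Personal Firewall's Filter.log for rule refinement (added example;
not PCR's, MEB's or Kerio's code; line format inferred from the thread)."""
import ipaddress
import re
from collections import Counter
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<sev>\d+),\[(?P<ts>[^\]]+)\] Rule '(?P<rule>[^']*)': "
    r"(?P<action>Permitted|Blocked): (?P<dir>In|Out) (?P<proto>UDP|TCP|ICMP)"
    r"(?: \[(?P<icmp_type>\d+)\] (?P<icmp_name>[^,]+))?, "
    r"(?P<src>[^\s,]+?)->(?P<dst>[^\s,]+?), Owner: (?P<owner>.*)$"
)

# Assumptions, not facts about NetZero: 64.136.44.74 is the resolver in PCR's
# log; the /16 around it is only a placeholder for "the ISP's address range".
ISP_DNS = {"64.136.44.74"}
ISP_NET = ipaddress.ip_network("64.136.0.0/16")

# Constructed sample, patterned on lines PCR quoted: the EXEC.exe pair is his;
# the ICMP, WAOL and IEXPLORE lines (and all timestamps) are made up.
SAMPLE_LOG = r"""
2,[01/Aug/2007 18:02:56] Rule 'DNS Server-- EXEC.exe': Permitted: Out UDP, localhost:1534->64.136.44.74:53, Owner: C:\PROGRAM FILES\NETZERO\EXEC.EXE
2,[01/Aug/2007 18:02:56] Rule 'DNS Server-- EXEC.exe': Permitted: In UDP, 64.136.44.74:53->localhost:1534, Owner: C:\PROGRAM FILES\NETZERO\EXEC.EXE
1,[01/Aug/2007 18:05:12] Rule 'Kill ICMP (Log)': Blocked: In ICMP [8] Echo Request, 4.232.192.209->localhost, Owner: Tcpip Kernel Driver
1,[01/Aug/2007 18:06:40] Rule 'Other ICMP': Blocked: Out ICMP [10] Router Solicitation, localhost->224.0.0.2, Owner: Tcpip Kernel Driver
2,[01/Aug/2007 18:07:03] Rule 'AOL UDP pass': Permitted: Out UDP, localhost:1030->192.168.1.7:7427, Owner: C:\PROGRAM FILES\AMERICA ONLINE 7.0\WAOL.EXE
2,[01/Aug/2007 18:09:30] Rule 'DNS Server-- IExplore': Permitted: In UDP, 24.64.9.177:53->localhost:1538, Owner: C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
"""


def _endpoint(text):
    """'64.136.44.74:53' -> ('64.136.44.74', 53); 'localhost' -> ('localhost', None)."""
    host, sep, port = text.rpartition(":")
    return (host, int(port)) if sep else (text, None)


def parse_line(line):
    """One Filter.log line -> dict with local_port / remote / remote_port, or None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y %H:%M:%S")
    src_host, src_port = _endpoint(rec.pop("src"))
    dst_host, dst_port = _endpoint(rec.pop("dst"))
    # Kerio writes our side as 'localhost'; the other side is the remote endpoint.
    if rec["dir"] == "Out":
        rec["local_port"], rec["remote"], rec["remote_port"] = src_port, dst_host, dst_port
    else:
        rec["local_port"], rec["remote"], rec["remote_port"] = dst_port, src_host, src_port
    return rec


def parse_log(text):
    return [r for r in map(parse_line, text.splitlines()) if r]


def rule_candidates(records):
    """Count (owner, proto, dir, remote, port) tuples among permitted traffic; each
    distinct tuple is one per-application permit, and the remotes seen per owner
    show whether a single address, a short list or a range rule is needed."""
    c = Counter()
    for r in records:
        if r["action"] == "Permitted":
            c[(r["owner"], r["proto"], r["dir"], r["remote"], r["remote_port"])] += 1
    return c


def flag(records, window=timedelta(seconds=5)):
    """Things a rule-writer should look at, as (reason, where) pairs, in log order."""
    outbound = [r for r in records if r["dir"] == "Out"]
    warnings = []
    for r in records:
        remote, rport = r["remote"], r["remote_port"]
        try:
            ip = ipaddress.ip_address(remote)
        except ValueError:  # a hostname; nothing address-based to check
            continue
        port = "" if rport is None else f":{rport}"
        where = f"{r['proto']} {r['dir']} {remote}{port} owner={r['owner']}"
        if ip.is_multicast:
            warnings.append(("multicast destination (link-local chatter)", where))
        elif ip.is_private or ip.is_loopback:
            # MEB's question: a 192.168.x.x or 127.0.0.1 'remote' on an Internet link
            warnings.append(("private/loopback remote seen on Internet link", where))
        if r["proto"] == "ICMP" and r["dir"] == "In" and r["icmp_type"] == "8" and ip not in ISP_NET:
            warnings.append(("echo request from outside ISP range", where))
        if r["proto"] == "UDP" and rport == 53 and remote not in ISP_DNS:
            warnings.append(("port 53 to/from a non-ISP resolver", where))
        if r["proto"] == "UDP" and r["dir"] == "In" and r["action"] == "Permitted":
            # PCR's 'timing consideration': an inbound datagram is an answer only
            # if this local port sent to that remote:port moments before.
            solicited = any(
                o["local_port"] == r["local_port"] and o["remote"] == remote
                and o["remote_port"] == rport and timedelta(0) <= r["ts"] - o["ts"] <= window
                for o in outbound
            )
            if not solicited:
                warnings.append(("unsolicited inbound UDP permitted", where))
    return warnings


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for key, n in sorted(rule_candidates(recs).items(), key=lambda kv: str(kv[0])):
        print(n, *key)
    for reason, where in flag(recs):
        print("CHECK:", reason, "--", where)
```

Run against a real Filter.log, `rule_candidates` gives the exact owner/address/port tuples a "specific permits, generalized block" rule set needs, and `flag` lists what should not be there. The unsolicited-inbound check is done by the script, after the fact, from timestamps; it does not claim that Kerio's own UDP rules track request/response state, which is exactly the point of PCR's question about whether port 53 from any address is safe to accept.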
Guest PCR Posted August 2, 2007 Posted August 2, 2007 Re: firewalls - what to block and why - your security at risk Curt Christianson wrote: | MEB is a force to be reckoned with--he/she knows their stuff. And | don't make the mistake some of our "regulars" here trying to get into | a battle of legalities and logistics--one usually can't win. I only skim through such threads. My lawyers have told me to keep my mouth shut-- even have taped it shut! | "I refuse to have a battle of wits with an un-armed person"--my credo! That seems sensible enough. You could end up with a toe in the eye! | -- | HTH, | Curt | | Windows Support Center | http://www.aumha.org | Practically Nerded,... | http://dundats.mvps.org/Index.htm | | "PCR" <pcrrcp@netzero.net> wrote in message | news:%23td8m2H1HHA.536@TK2MSFTNGP06.phx.gbl... || Curt Christianson wrote: ||| I'm glad I bailed when I did, or else this thread would have looked ||| like the *three* stooges! <vbg> || || I didn't know you were bald, Christianson! Ohhhh, that's right, || geees... it is one of the, the, the... early XP-irradiation symptoms! || || No, no, seriously, I GUESS I must recommence to reading those URLs || for a bit-- BUT I'll be back with solidified answers as to whether || my master plan will work with these Kerio rules or not! Also, MEB's || idea to track my final result is a good one. And other things said || are useful. || ||| -- ||| HTH, ||| Curt ||| ||| Windows Support Center ||| http://www.aumha.org ||| Practically Nerded,... ||| http://dundats.mvps.org/Index.htm ||| ||| "PCR" <pcrrcp@netzero.net> wrote in message ||| news:uKHQ%23iH1HHA.3768@TK2MSFTNGP06.phx.gbl... |||| MEB wrote: ||||| Look dude, your attempts at explaining away the issue holds no ||||| water.. any mere cursory analysis finds that true .... 
||||| ||||| If you continue we WILL proceed to discuss those individuals ||||| within or whom monitor this group, with sufficient ||||| server/Microsoft contact; and the apparent fact, someone ||||| determined that this filter be applied... and how one could ||||| reasonably determine such issues, etc.. ||||| ||||| And use your brain, I do this for other activities,, its called ||||| forensic research, collecting evidence, building cases, providing ||||| prosecutive materials or defense materials ||||| ........................................ get it yet. ||||| ||||| NOW DROP IT! The last thing this discussion needs is spurious ||||| chatter... |||| |||| I think I almost know what you're referring to. And that's enough |||| for me. OK, bye. I'll try to get to the firewall stuff later. |||| ||||| -- ||||| MEB ||||| http://peoplescounsel.orgfree.com ||||| ________ |||| |||| -- |||| Thanks or Good Luck, |||| There may be humor in this post, and, |||| Naturally, you will not sue, |||| Should things get worse after this, |||| PCR |||| pcrrcp@netzero.net || || -- || Thanks or Good Luck, || There may be humor in this post, and, || Naturally, you will not sue, || Should things get worse after this, || PCR || pcrrcp@netzero.net -- Thanks or Good Luck, There may be humor in this post, and, Naturally, you will not sue, Should things get worse after this, PCR pcrrcp@netzero.net
Guest MEB Posted August 2, 2007 Posted August 2, 2007 Re: firewalls - what to block and why - your security at risk "PCR" <pcrrcp@netzero.net> wrote in message news:er3KCkJ1HHA.3768@TK2MSFTNGP06.phx.gbl... | Curt Christianson wrote: | | MEB is a force to be reckoned with--he/she knows their stuff. And | | don't make the mistake some of our "regulars" here trying to get into | | a battle of legalities and logistics--one usually can't win. | | I only skim through such threads. My lawyers have told me to keep my | mouth shut-- even have taped it shut! | | | "I refuse to have a battle of wits with an un-armed person"--my credo! | | That seems sensible enough. You could end up with a toe in the eye! No, I wear glasses, phttttt... | | | -- | | HTH, | | Curt | | | | Windows Support Center | | http://www.aumha.org | | Practically Nerded,... | | http://dundats.mvps.org/Index.htm | | | | "PCR" <pcrrcp@netzero.net> wrote in message | | news:%23td8m2H1HHA.536@TK2MSFTNGP06.phx.gbl... | || Curt Christianson wrote: | ||| I'm glad I bailed when I did, or else this thread would have looked | ||| like the *three* stooges! <vbg> | || | || I didn't know you were bald, Christianson! Ohhhh, that's right, | || geees... it is one of the, the, the... early XP-irradiation symptoms! | || | || No, no, seriously, I GUESS I must recommence to reading those URLs | || for a bit-- BUT I'll be back with solidified answers as to whether | || my master plan will work with these Kerio rules or not! Also, MEB's | || idea to track my final result is a good one. And other things said | || are useful. | || | ||| -- | ||| HTH, | ||| Curt | ||| | ||| Windows Support Center | ||| http://www.aumha.org | ||| Practically Nerded,... | ||| http://dundats.mvps.org/Index.htm | ||| | ||| "PCR" <pcrrcp@netzero.net> wrote in message | ||| news:uKHQ%23iH1HHA.3768@TK2MSFTNGP06.phx.gbl... | |||| MEB wrote: | ||||| Look dude, your attempts at explaining away the issue holds no | ||||| water.. 
any mere cursory analysis finds that true .... | ||||| | ||||| If you continue we WILL proceed to discuss those individuals | ||||| within or whom monitor this group, with sufficient | ||||| server/Microsoft contact; and the apparent fact, someone | ||||| determined that this filter be applied... and how one could | ||||| reasonably determine such issues, etc.. | ||||| | ||||| And use your brain, I do this for other activities,, its called | ||||| forensic research, collecting evidence, building cases, providing | ||||| prosecutive materials or defense materials | ||||| ........................................ get it yet. | ||||| | ||||| NOW DROP IT! The last thing this discussion needs is spurious | ||||| chatter... | |||| | |||| I think I almost know what you're referring to. And that's enough | |||| for me. OK, bye. I'll try to get to the firewall stuff later. | |||| | ||||| -- | ||||| MEB | ||||| http://peoplescounsel.orgfree.com | ||||| ________ | |||| | |||| -- | |||| Thanks or Good Luck, | |||| There may be humor in this post, and, | |||| Naturally, you will not sue, | |||| Should things get worse after this, | |||| PCR | |||| pcrrcp@netzero.net | || | || -- | || Thanks or Good Luck, | || There may be humor in this post, and, | || Naturally, you will not sue, | || Should things get worse after this, | || PCR | || pcrrcp@netzero.net | | -- | Thanks or Good Luck, | There may be humor in this post, and, | Naturally, you will not sue, | Should things get worse after this, | PCR | pcrrcp@netzero.net | |
Guest MEB
Posted August 2, 2007

Re: firewalls - Kerio PF Part 1 - what to block and why - your security at risk

"PCR" <pcrrcp@netzero.net> wrote in message
news:OeoQ7YJ1HHA.4824@TK2MSFTNGP02.phx.gbl...
| MEB wrote:
| | "PCR" <pcrrcp@netzero.net> wrote in message
| | news:ehuK$E70HHA.5152@TK2MSFTNGP02.phx.gbl...
|
| ...snip
|
| || || | DNS is used by any program requiring addressing information.
|
| OK. I've clicked that. I think I do need to do some reading. I'm
| thinking we should suspend this thread, until we both have read that
| stuff again. I know I also owe a response to "part 2".
|

Okay, I have saved the Part 1 and Part 2 threads.
When you wish to continue we can address the materials from these
posts, correct any errors, and proceed.
You can save Part 2 for later also if you wish, as present answers may
change.

--
MEB
http://peoplescounsel.orgfree.com
________
Guest MEB
Posted August 2, 2007

Re: firewalls - Kerio PF Part 1 - what to block and why - your security at risk

To no one directly, but to all who have interest:

Before we completely stop this thread, and it fades away, I thought I
should display how a persistent contact attempt may show up in a
firewall log, and how one can use the log to help secure a system.
I'll use the Shaw aspect as I have previously referenced this entity
[again this is just logon and mail retrieval]:

1,[31/Jul/2007 23:40:44] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.28.88:6950->localhost:1026, Owner: no owner
1,[31/Jul/2007 23:40:44] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.28.88:6950->localhost:1027, Owner: no owner
1,[31/Jul/2007 23:40:44] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.28.88:6950->localhost:1028, Owner: no owner
1,[31/Jul/2007 23:41:24] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.75.177:29736->localhost:1026, Owner: no owner
1,[31/Jul/2007 23:41:24] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.75.177:29736->localhost:1027, Owner: no owner
1,[31/Jul/2007 23:41:24] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.75.177:29736->localhost:1028, Owner: no owner

Next we see a distinct switch in tactics, to an address out of the Shaw
range and to TCP...

1,[31/Jul/2007 23:41:34] Rule 'Packet to unopened port received': Blocked: In TCP, S010600508df5db23.ed.shawcable.net [68.149.172.142:33745]->localhost:6346, Owner: no owner
1,[31/Jul/2007 23:41:36] Rule 'Packet to unopened port received': Blocked: In TCP, S010600508df5db23.ed.shawcable.net [68.149.172.142:33745]->localhost:6346, Owner: no owner
1,[31/Jul/2007 23:41:42] Rule 'Packet to unopened port received': Blocked: In TCP, S010600508df5db23.ed.shawcable.net [68.149.172.142:33745]->localhost:6346, Owner: no owner
1,[31/Jul/2007 23:43:14] Rule 'Packet to unopened port received': Blocked: In TCP, S010600508df5db23.ed.shawcable.net [68.149.172.142:63441]->localhost:6346, Owner: no owner
1,[31/Jul/2007 23:43:18] Rule 'Packet to unopened port received': Blocked: In TCP, S010600508df5db23.ed.shawcable.net [68.149.172.142:63441]->localhost:6346, Owner: no owner
1,[31/Jul/2007 23:43:24] Rule 'Packet to unopened port received': Blocked: In TCP, S010600508df5db23.ed.shawcable.net [68.149.172.142:63441]->localhost:6346, Owner: no owner
1,[31/Jul/2007 23:44:46] Rule 'Packet to unopened port received': Blocked: In TCP, S010600508df5db23.ed.shawcable.net [68.149.172.142:42961]->localhost:6346, Owner: no owner
1,[31/Jul/2007 23:44:54] Rule 'Packet to unopened port received': Blocked: In TCP, S010600508df5db23.ed.shawcable.net [68.149.172.142:42961]->localhost:6346, Owner: no owner

We do find though, the unique identifier and time and date, which
supplies sufficient material were this a subpoena matter [server logs],
or something one wished to trace [as it occurred], or was suspect of a
hack attempt.

For reference, here was the range as posted by PCR:

OrgName:        Shaw Communications Inc.
OrgID:          SHAWC
Address:        Suite 800
Address:        630 - 3rd Ave. SW
City:           Calgary
StateProv:      AB
PostalCode:     T2P-4L4
Country:        CA
ReferralServer: rwhois://rs1so.cg.shawcable.net:4321

NetRange:       24.64.0.0 - 24.71.255.255
CIDR:           24.64.0.0/13
NetName:        SHAW-COMM
NetHandle:      NET-24-64-0-0-1
Parent:         NET-24-0-0-0-0
NetType:        Direct Allocation
NameServer:     NS7.NO.CG.SHAWCABLE.NET
NameServer:     NS8.SO.CG.SHAWCABLE.NET
Comment:
RegDate:        1996-06-03
Updated:        2006-02-08

And last, the *shawcable.net* address so we can again visualize the
above as a referenced Shaw attempt, and another unique identifier.

1,[02/Aug/2007 01:03:40] Rule 'Shaw Comm block': Blocked: In UDP, S0106000ae6120fdf.cg.shawcable.net [24.64.120.223:16547]->localhost:1028, Owner: no owner

So finding out a range of addresses gives one the opportunity to address
specific issues by blocking them using the range, and your general
blocks *with logging* provide additional information which you can use
to determine other potential issues.

---

This post is to display how important and useful firewall logs can be.
A set of rules properly set up can keep out things we may not wish to
enter our systems, and help monitor what is actually occurring as we
travel the Internet. Keep it in mind when setting up, and monitoring,
your security..

--
MEB
http://peoplescounsel.orgfree.com
________
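The log reading MEB walks through above, as an added example that is not part of the original post: a small Python script that parses Kerio PF log lines in the format quoted in the post (the quoted lines are reused here as sample input), checks each blocked source against the ARIN range 24.64.0.0/13 that PCR posted, and pulls out the two patterns visible in the log: several local ports hit from one source port within the same logged second, and one local port retried across changing source ports. The function names, the thresholds and the `rdns_suffix` check are my own, not anything Kerio or the posters provide; the reverse-DNS check is deliberately treated as a weaker signal than the allocated range, since a PTR record says only what the owner of the reverse zone chose to publish.

```python
"""Parse Kerio Personal Firewall log lines and correlate blocked sources
against a WHOIS-derived address range.  Added example, not code from the
thread; the log lines below are copied from MEB's post as sample input."""
import re
import ipaddress
from collections import Counter, defaultdict

SAMPLE_LOG = """\
1,[31/Jul/2007 23:40:44] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.28.88:6950->localhost:1026, Owner: no owner
1,[31/Jul/2007 23:40:44] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.28.88:6950->localhost:1027, Owner: no owner
1,[31/Jul/2007 23:40:44] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.28.88:6950->localhost:1028, Owner: no owner
1,[31/Jul/2007 23:41:24] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.75.177:29736->localhost:1026, Owner: no owner
1,[31/Jul/2007 23:41:24] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.75.177:29736->localhost:1027, Owner: no owner
1,[31/Jul/2007 23:41:24] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.75.177:29736->localhost:1028, Owner: no owner
1,[31/Jul/2007 23:41:34] Rule 'Packet to unopened port received': Blocked: In TCP, S010600508df5db23.ed.shawcable.net [68.149.172.142:33745]->localhost:6346, Owner: no owner
1,[31/Jul/2007 23:41:36] Rule 'Packet to unopened port received': Blocked: In TCP, S010600508df5db23.ed.shawcable.net [68.149.172.142:33745]->localhost:6346, Owner: no owner
1,[31/Jul/2007 23:41:42] Rule 'Packet to unopened port received': Blocked: In TCP, S010600508df5db23.ed.shawcable.net [68.149.172.142:33745]->localhost:6346, Owner: no owner
1,[31/Jul/2007 23:43:14] Rule 'Packet to unopened port received': Blocked: In TCP, S010600508df5db23.ed.shawcable.net [68.149.172.142:63441]->localhost:6346, Owner: no owner
1,[02/Aug/2007 01:03:40] Rule 'Shaw Comm block': Blocked: In UDP, S0106000ae6120fdf.cg.shawcable.net [24.64.120.223:16547]->localhost:1028, Owner: no owner
"""

# One Kerio PF record.  The optional "hostname [" prefix is present when the
# firewall managed to reverse-resolve the remote address.
LINE_RE = re.compile(
    r"^\d+,\[(?P<ts>[^\]]+)\] Rule '(?P<rule>[^']+)': (?P<action>\w+): "
    r"(?P<direction>In|Out) (?P<proto>\w+), "
    r"(?:(?P<host>\S+) \[)?(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\]?->"
    r"(?P<dst>[^:]+):(?P<dport>\d+), Owner: (?P<owner>.*)$"
)


def parse_line(line):
    """Return a dict for one log record, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def parse_log(text):
    """Parse every recognisable line; unparseable lines are skipped."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def classify_sources(records, cidr, rdns_suffix):
    """Split blocked sources into: inside the WHOIS range; outside it but
    carrying a matching reverse-DNS name (a weaker, zone-owner-controlled
    indicator); and everything else.  Returns three sets of source IPs."""
    net = ipaddress.ip_network(cidr)
    in_range, rdns_only, other = set(), set(), set()
    for r in records:
        if ipaddress.ip_address(r["src"]) in net:
            in_range.add(r["src"])
        elif r["host"] and r["host"].endswith(rdns_suffix):
            rdns_only.add(r["src"])
        else:
            other.add(r["src"])
    return in_range, rdns_only, other


def find_port_sweeps(records, min_ports=3):
    """Sources hitting several distinct local ports from one source port in
    the same logged second (the UDP 1026-1028 pattern in the post).
    Keyed by (src, sport, timestamp); value is the sorted port list."""
    hits = defaultdict(set)
    for r in records:
        hits[(r["src"], r["sport"], r["ts"])].add(r["dport"])
    return {k: sorted(v) for k, v in hits.items() if len(v) >= min_ports}


def find_persistent(records, min_attempts=3):
    """(src, proto, local port) retried at least min_attempts times, whatever
    the source port (the TCP 6346 retries in the post)."""
    c = Counter((r["src"], r["proto"], r["dport"]) for r in records)
    return {k: n for k, n in c.items() if n >= min_attempts}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    # 24.64.0.0/13 is the SHAW-COMM allocation from the ARIN record above.
    print(classify_sources(recs, "24.64.0.0/13", "shawcable.net"))
    print(find_port_sweeps(recs))
    print(find_persistent(recs))
```

Run on the quoted lines, 68.149.172.142 comes out as rDNS-only: its hostname ends in shawcable.net but the address sits outside 24.64.0.0/13, which is the "switch in tactics" MEB points at and the reason a block on the WHOIS range alone would not have stopped the TCP 6346 probes (the catch-all 'Packet to unopened port received' rule did, and logged them). The same script can be pointed at a whole filter.log to list which ranges are worth a dedicated logging block rule.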
Guest PCR
Posted August 2, 2007

Re: firewalls - Kerio PF Part 1 - what to block and why - your security at risk

MEB wrote:
| "PCR" <pcrrcp@netzero.net> wrote in message
| news:OeoQ7YJ1HHA.4824@TK2MSFTNGP02.phx.gbl...
|| MEB wrote:
|| | "PCR" <pcrrcp@netzero.net> wrote in message
|| | news:ehuK$E70HHA.5152@TK2MSFTNGP02.phx.gbl...
||
|| ...snip
||
|| || || | DNS is used by any program requiring addressing information.
||
|| OK. I've clicked that. I think I do need to do some reading. I'm
|| thinking we should suspend this thread, until we both have read that
|| stuff again. I know I also owe a response to "part 2".
||
|
| Okay, I have saved the Part 1 and Part 2 threads.
| When you wish to continue we can address the materials from these
| posts, correct any errors, and proceed.
| You can save Part 2 for later also if you wish, as present answers
| may change.

Very good, MEB. And I SWEAR it won't be longer than 6 years! And I had
to shoot 4 of my lawyers to do so!

| --
| MEB
| http://peoplescounsel.orgfree.com
| ________

--
Thanks or Good Luck,
There may be humor in this post, and,
Naturally, you will not sue,
Should things get worse after this,
PCR
pcrrcp@netzero.net
Guest PCR Posted August 2, 2007 Posted August 2, 2007 Re: firewalls - what to block and why - your security at risk MEB wrote: | "PCR" <pcrrcp@netzero.net> wrote in message | news:er3KCkJ1HHA.3768@TK2MSFTNGP06.phx.gbl... || Curt Christianson wrote: || | MEB is a force to be reckoned with--he/she knows their stuff. And || | don't make the mistake some of our "regulars" here trying to get || | into a battle of legalities and logistics--one usually can't win. || || I only skim through such threads. My lawyers have told me to keep my || mouth shut-- even have taped it shut! || || | "I refuse to have a battle of wits with an un-armed person"--my || | credo! || || That seems sensible enough. You could end up with a toe in the eye! | | No, I wear glasses, phttttt... LOL. || || | -- || | HTH, || | Curt || | || | Windows Support Center || | http://www.aumha.org || | Practically Nerded,... || | http://dundats.mvps.org/Index.htm || | || | "PCR" <pcrrcp@netzero.net> wrote in message || | news:%23td8m2H1HHA.536@TK2MSFTNGP06.phx.gbl... || || Curt Christianson wrote: || ||| I'm glad I bailed when I did, or else this thread would have || ||| looked like the *three* stooges! <vbg> || || || || I didn't know you were bald, Christianson! Ohhhh, that's right, || || geees... it is one of the, the, the... early XP-irradiation || || symptoms! || || || || No, no, seriously, I GUESS I must recommence to reading those URLs || || for a bit-- BUT I'll be back with solidified answers as to whether || || my master plan will work with these Kerio rules or not! Also, || || MEB's idea to track my final result is a good one. And other || || things said are useful. || || || ||| -- || ||| HTH, || ||| Curt || ||| || ||| Windows Support Center || ||| http://www.aumha.org || ||| Practically Nerded,... || ||| http://dundats.mvps.org/Index.htm || ||| || ||| "PCR" <pcrrcp@netzero.net> wrote in message || ||| news:uKHQ%23iH1HHA.3768@TK2MSFTNGP06.phx.gbl... 
|| |||| MEB wrote: || ||||| Look dude, your attempts at explaining away the issue holds no || ||||| water.. any mere cursory analysis finds that true .... || ||||| || ||||| If you continue we WILL proceed to discuss those individuals || ||||| within or whom monitor this group, with sufficient || ||||| server/Microsoft contact; and the apparent fact, someone || ||||| determined that this filter be applied... and how one could || ||||| reasonably determine such issues, etc.. || ||||| || ||||| And use your brain, I do this for other activities,, its || ||||| called forensic research, collecting evidence, building cases, || ||||| providing prosecutive materials or defense materials || ||||| ........................................ get it yet. || ||||| || ||||| NOW DROP IT! The last thing this discussion needs is spurious || ||||| chatter... || |||| || |||| I think I almost know what you're referring to. And that's || |||| enough for me. OK, bye. I'll try to get to the firewall stuff || |||| later. || |||| || ||||| -- || ||||| MEB || ||||| http://peoplescounsel.orgfree.com || ||||| ________ || |||| || |||| -- || |||| Thanks or Good Luck, || |||| There may be humor in this post, and, || |||| Naturally, you will not sue, || |||| Should things get worse after this, || |||| PCR || |||| pcrrcp@netzero.net || || || || -- || || Thanks or Good Luck, || || There may be humor in this post, and, || || Naturally, you will not sue, || || Should things get worse after this, || || PCR || || pcrrcp@netzero.net || || -- || Thanks or Good Luck, || There may be humor in this post, and, || Naturally, you will not sue, || Should things get worse after this, || PCR || pcrrcp@netzero.net -- Thanks or Good Luck, There may be humor in this post, and, Naturally, you will not sue, Should things get worse after this, PCR pcrrcp@netzero.net
Guest PCR
Posted August 2, 2007

Re: firewalls - Kerio PF Part 1 - what to block and why - your security at risk

PCR wrote:
| MEB wrote:
|| "PCR" <pcrrcp@netzero.net> wrote in message
|| news:ehuK$E70HHA.5152@TK2MSFTNGP02.phx.gbl...

....snip

||| | Those are the suggestions by most, including Sponge...
||| | So you have no specific rule for Netzero ICMP?
|||
||| Undoubtedly, Sponge was the source of it-- but I may have made an
||| adjustment afterward to drop [0] going out & [8] coming in-- to
||| become non-pingable, I think.
||
|| Yes, if you want to be as stealthy as possible, everything should be
|| ruled off in your firewall. Though in my config, I have specific
|| addresses which can ping and to which I can ping [by application both
|| ways] so that my web pages can be maintained and other necessary
|| functions. And others which are set to log such activity [for
|| purposes previously mentioned].
|
| I didn't think of that, to let specific sites ping me. I do get a
| warning from NetZero now/then that I must click or get thrown off. It
| seems to work w/o pinging.
|
| However, eventually, I am thrown off w/o a warning, anyhow. I don't
| know, maybe it's a second NetZero mechanism that does require PING to
| function. OK, that's done-- I allow ICMP [0] out & [8] in to the
| NetZero range only. It shouldn't be long before I know the result.

It didn't work for me to allow PING back/forth to the NetZero addresses.
I still get thrown off the NET after a while, despite responding to the
NetZero timer requestor. (It doesn't happen immediately after that.)

But I'm only assuming it's NetZero throwing me off. I simply get a
Windows requestor saying the connection has terminated-- looks like it
may be an OE requestor. It offers a button to reconnect, but that won't
work. I have to click the NetZero connectoid for that.

....snip

--
Thanks or Good Luck,
There may be humor in this post, and,
Naturally, you will not sue,
Should things get worse after this,
PCR
pcrrcp@netzero.net
Guest MEB
Posted August 3, 2007

Re: firewalls - Kerio PF Part 1 - what to block and why - your security at risk

"PCR" <pcrrcp@netzero.net> wrote in message
news:%2316o%23IV1HHA.484@TK2MSFTNGP06.phx.gbl...
| PCR wrote:
| | MEB wrote:
| || "PCR" <pcrrcp@netzero.net> wrote in message
| || news:ehuK$E70HHA.5152@TK2MSFTNGP02.phx.gbl...
|
| ...snip
|
| ||| | Those are the suggestions by most, including Sponge...
| ||| | So you have no specific rule for Netzero ICMP?
| |||
| ||| Undoubtedly, Sponge was the source of it-- but I may have made an
| ||| adjustment afterward to drop [0] going out & [8] coming in-- to
| ||| become non-pingable, I think.
| ||
| || Yes, if you want to be as stealthy as possible, everything should be
| || ruled off in your firewall. Though in my config, I have specific
| || addresses which can ping and to which I can ping [by application both
| || ways] so that my web pages can be maintained and other necessary
| || functions. And others which are set to log such activity [for
| || purposes previously mentioned].
| |
| | I didn't think of that, to let specific sites ping me. I do get a
| | warning from NetZero now/then that I must click or get thrown off. It
| | seems to work w/o pinging.
| |
| | However, eventually, I am thrown off w/o a warning, anyhow. I don't
| | know, maybe it's a second NetZero mechanism that does require PING to
| | function. OK, that's done-- I allow ICMP [0] out & [8] in to the
| | NetZero range only. It shouldn't be long before I know the result.
|
| It didn't work for me to allow PING back/forth to the NetZero addresses.
| I still get thrown off the NET after a while, despite responding to the
| NetZero timer requestor. (It doesn't happen immediately after that.)
|
| But I'm only assuming it's NetZero throwing me off. I simply get a
| Windows requestor saying the connection has terminated-- looks like it
| may be an OE requestor. It offers a button to reconnect, but that won't
| work. I have to click the NetZero connectoid for that.
|
| ...snip
| --
| Thanks or Good Luck,
| There may be humor in this post, and,
| Naturally, you will not sue,
| Should things get worse after this,
| PCR
| pcrrcp@netzero.net
|
|

Likely you will get to it when you get to your other rules. Or, as users
of AOL would do [and I did when using NetZero and ZoneAlarm], try
something like Stay Alive [? PCMag] [slow down the ping/contact rate
though] {make sure you rule the app well}, pending your further
investigations into NetZero requirements and Kerio [and network aspects].

--
MEB
http://peoplescounsel.orgfree.com
________
Guest PCR Posted August 3, 2007 Posted August 3, 2007 Re: firewalls - Kerio PF Part 1 - what to block and why - your security at risk Re: firewalls - Kerio PF Part 1 - what to block and why - your security at risk MEB wrote: | "PCR" <pcrrcp@netzero.net> wrote in message | news:%2316o%23IV1HHA.484@TK2MSFTNGP06.phx.gbl... || PCR wrote: || | MEB wrote: || || "PCR" <pcrrcp@netzero.net> wrote in message || || news:ehuK$E70HHA.5152@TK2MSFTNGP02.phx.gbl... || || ...snip || ||| | Those are the suggestions by most, including Sponge... || ||| | So you have no specific rule for Netzero ICMP? || ||| || ||| Undoubtedly, Sponge was the source of it-- but I may have made an || ||| adjustment afterward to drop [0] going out & [8] coming in-- to || ||| become non-pingable, I think. || || || || Yes, if you want to be as stealthy as possible, everything should || || be ruled off in your firewall. Though in my config, I have || || specific addresses which can ping and to which I can ping [by || || application both ways] so that my web pages can be maintained and || || other necessary functions. And others which are set to log such || || activity [for purposes previously mentioned]. || | || | I didn't think of that, to let specific sites ping me. I do get a || | warning from NetZero now/then that I must click or get thrown off. || | It seems to work w/o pinging. || | || | However, eventually, I am thrown off w/o a warning, anyhow. I don't || | know, maybe it's a second NetZero mechanism that does require PING || | to function. OK, that's done-- I allow ICMP [0] out & [8] in to the || | NetZero range only. It shouldn't be long before I know the result. || || It didn't work for me to allow PING back/forth to the NetZero || addresses. I still get thrown off the NET after a while, despite || responding to the NetZero timer requestor. (It doesn't happen || immediately after that.) || || But I'm only assuming it's NetZero throwing me off. 
I simply get a
|| Windows requestor saying the connection has terminated-- looks like
|| it may be an OE requestor. It offers a button to reconnect, but that
|| won't work. I have to click the NetZero connectoid for that.
||
|| ...snip
|| --
|| Thanks or Good Luck,
|| There may be humor in this post, and,
|| Naturally, you will not sue,
|| Should things get worse after this,
|| PCR
|| pcrrcp@netzero.net
||
||
|
| Likely you will get to it when you get to your other rules. Or, as
| users of AOL would do [and I did when using NetZero and
| ZoneAlarm], try something like Stay Alive [? PCMag] [slow down the
| ping/contact rate though] {make sure you rule the app well}, pending
| your further investigations into NetZero requirements and Kerio [and
| network aspects].

Uhuh. It isn't horribly bad, because normally I go for hours before it
happens, & I can reconnect immediately for another dime by clicking the
NetZero connectoid. It may not be NetZero at all doing it. It isn't a
NetZero requestor that pops up, but I can't quite recall its title. It
has a "Reconnect" & a "No thanks" button & possibly one other.

Another possibility I guess is that someone is trying to ring my phone
(I've only got one line) or something else happens to the phone line, I
guess. Thanks for the suggestion. It's also been said I should
occasionally click the NetZero Taskbar.

| --
| MEB
| http://peoplescounsel.orgfree.com
| ________

--
Thanks or Good Luck,
There may be humor in this post, and,
Naturally, you will not sue,
Should things get worse after this,
PCR
pcrrcp@netzero.net
Guest PCR Posted August 4, 2007 Posted August 4, 2007 Re: firewalls - Kerio PF Part 1 - what to block and why - your security at risk Re: firewalls - Kerio PF Part 1 - what to block and why - your security at risk PCR wrote: | MEB wrote: || "PCR" <pcrrcp@netzero.net> wrote in message || news:%2316o%23IV1HHA.484@TK2MSFTNGP06.phx.gbl... ||| PCR wrote: ||| | MEB wrote: ||| || "PCR" <pcrrcp@netzero.net> wrote in message ||| || news:ehuK$E70HHA.5152@TK2MSFTNGP02.phx.gbl... ||| ||| ...snip ||| ||| | Those are the suggestions by most, including Sponge... ||| ||| | So you have no specific rule for Netzero ICMP? ||| ||| ||| ||| Undoubtedly, Sponge was the source of it-- but I may have made ||| ||| an adjustment afterward to drop [0] going out & [8] coming in-- ||| ||| to become non-pingable, I think. ||| || ||| || Yes, if you want to be as stealthy as possible, everything should ||| || be ruled off in your firewall. Though in my config, I have ||| || specific addresses which can ping and to which I can ping [by ||| || application both ways] so that my web pages can be maintained and ||| || other necessary functions. And others which are set to log such ||| || activity [for purposes previously mentioned]. ||| | ||| | I didn't think of that, to let specific sites ping me. I do get a ||| | warning from NetZero now/then that I must click or get thrown off. ||| | It seems to work w/o pinging. ||| | ||| | However, eventually, I am thrown off w/o a warning, anyhow. I ||| | don't know, maybe it's a second NetZero mechanism that does ||| | require PING to function. OK, that's done-- I allow ICMP [0] out ||| | & [8] in to the NetZero range only. It shouldn't be long before I ||| | know the result. ||| ||| It didn't work for me to allow PING back/forth to the NetZero ||| addresses. I still get thrown off the NET after a while, despite ||| responding to the NetZero timer requestor. (It doesn't happen ||| immediately after that.) 
|||
||| But I'm only assuming it's NetZero throwing me off. I simply get a
||| Windows requestor saying the connection has terminated-- looks like
||| it may be an OE requestor. It offers a button to reconnect, but that
||| won't work. I have to click the NetZero connectoid for that.
|||
||| ...snip
||| --
||| Thanks or Good Luck,
||| There may be humor in this post, and,
||| Naturally, you will not sue,
||| Should things get worse after this,
||| PCR
||| pcrrcp@netzero.net
|||
|||
||
|| Likely you will get to it when you get to your other rules. Or, as
|| users of AOL would do [and I did when using NetZero and
|| ZoneAlarm], try something like Stay Alive [? PCMag] [slow down the
|| ping/contact rate though] {make sure you rule the app well}, pending
|| your further investigations into NetZero requirements and Kerio [and
|| network aspects].
|
| Uhuh. It isn't horribly bad, because normally I go for hours before it
| happens, & I can reconnect immediately for another dime by clicking
| the NetZero connectoid. It may not be NetZero at all doing it. It
| isn't a NetZero requestor that pops up, but I can't quite recall its
| title. It has a "Reconnect" & a "No thanks" button & possibly one
| other.
|
| Another possibility I guess is that someone is trying to ring my phone
| (I've only got one line) or something else happens to the phone line,
| I guess. Thanks for the suggestion. It's also been said I should
| occasionally click the NetZero Taskbar.

Update: Oooops, that IS a NetZero requestor...

Title:   Auto-Reconnect
Message: You have been accidentally disconnected from the internet.
         Would you like to reconnect now?
Buttons: "No Thanks", "Help", & "Reconnect"

"Reconnect" doesn't work-- the requestor simply disappears. "Help" goes
to a NetZero help page.

I GUESS I can live with it!
Guest MEB Posted August 4, 2007 Posted August 4, 2007 Re: firewalls - Kerio PF Part 1 - what to block and why - your security at risk Re: firewalls - Kerio PF Part 1 - what to block and why - your security at risk "PCR" <pcrrcp@netzero.net> wrote in message news:uPG$Nxs1HHA.1100@TK2MSFTNGP06.phx.gbl... PCR wrote: | MEB wrote: || "PCR" <pcrrcp@netzero.net> wrote in message || news:%2316o%23IV1HHA.484@TK2MSFTNGP06.phx.gbl... ||| PCR wrote: ||| | MEB wrote: ||| || "PCR" <pcrrcp@netzero.net> wrote in message ||| || news:ehuK$E70HHA.5152@TK2MSFTNGP02.phx.gbl... ||| ||| ...snip ||| ||| | Those are the suggestions by most, including Sponge... ||| ||| | So you have no specific rule for Netzero ICMP? ||| ||| ||| ||| Undoubtedly, Sponge was the source of it-- but I may have made ||| ||| an adjustment afterward to drop [0] going out & [8] coming in-- ||| ||| to become non-pingable, I think. ||| || ||| || Yes, if you want to be as stealthy as possible, everything should ||| || be ruled off in your firewall. Though in my config, I have ||| || specific addresses which can ping and to which I can ping [by ||| || application both ways] so that my web pages can be maintained and ||| || other necessary functions. And others which are set to log such ||| || activity [for purposes previously mentioned]. ||| | ||| | I didn't think of that, to let specific sites ping me. I do get a ||| | warning from NetZero now/then that I must click or get thrown off. ||| | It seems to work w/o pinging. ||| | ||| | However, eventually, I am thrown off w/o a warning, anyhow. I ||| | don't know, maybe it's a second NetZero mechanism that does ||| | require PING to function. OK, that's done-- I allow ICMP [0] out ||| | & [8] in to the NetZero range only. It shouldn't be long before I ||| | know the result. ||| ||| It didn't work for me to allow PING back/forth to the NetZero ||| addresses. I still get thrown off the NET after a while, despite ||| responding to the NetZero timer requestor. 
(It doesn't happen
||| immediately after that.)
|||
||| But I'm only assuming it's NetZero throwing me off. I simply get a
||| Windows requestor saying the connection has terminated-- looks like
||| it may be an OE requestor. It offers a button to reconnect, but that
||| won't work. I have to click the NetZero connectoid for that.
|||
||| ...snip
||| --
||| Thanks or Good Luck,
||| There may be humor in this post, and,
||| Naturally, you will not sue,
||| Should things get worse after this,
||| PCR
||| pcrrcp@netzero.net
|||
|||
||
|| Likely you will get to it when you get to your other rules. Or, as
|| users of AOL would do [and I did when using NetZero and
|| ZoneAlarm], try something like Stay Alive [? PCMag] [slow down the
|| ping/contact rate though] {make sure you rule the app well}, pending
|| your further investigations into NetZero requirements and Kerio [and
|| network aspects].
|
| Uhuh. It isn't horribly bad, because normally I go for hours before it
| happens, & I can reconnect immediately for another dime by clicking
| the NetZero connectoid. It may not be NetZero at all doing it. It
| isn't a NetZero requestor that pops up, but I can't quite recall its
| title. It has a "Reconnect" & a "No thanks" button & possibly one
| other.
|
| Another possibility I guess is that someone is trying to ring my phone
| (I've only got one line) or something else happens to the phone line,
| I guess. Thanks for the suggestion. It's also been said I should
| occasionally click the NetZero Taskbar.

>Update: Oooops, that IS a NetZero requestor...
>
>Title:   Auto-Reconnect
>Message: You have been accidentally disconnected from the internet.
>         Would you like to reconnect now?
>Buttons: "No Thanks", "Help", & "Reconnect"
>
>"Reconnect" doesn't work-- the requestor simply disappears. "Help" goes
>to a NetZero help page.
>
>I GUESS I can live with it!

Uhm, did you REALLY look at the net *calls* like ICMP? How about IGMP?
etc....

--
MEB
http://peoplescounsel.orgfree.com
________
Guest PCR Posted August 4, 2007
Re: firewalls - Kerio PF Part 1 - what to block and why - your security at risk

MEB wrote:
| "PCR" <pcrrcp@netzero.net> wrote in message
| news:uPG$Nxs1HHA.1100@TK2MSFTNGP06.phx.gbl...
| PCR wrote:
|| MEB wrote:
||| "PCR" <pcrrcp@netzero.net> wrote in message
||| news:%2316o%23IV1HHA.484@TK2MSFTNGP06.phx.gbl...
|||| PCR wrote:
|||| | MEB wrote:
|||| || "PCR" <pcrrcp@netzero.net> wrote in message
|||| || news:ehuK$E70HHA.5152@TK2MSFTNGP02.phx.gbl...
||||
|||| ...snip
|||| ||| | Those are the suggestions by most, including Sponge...
|||| ||| | So you have no specific rule for Netzero ICMP?
|||| |||
|||| ||| Undoubtedly, Sponge was the source of it-- but I may have made
|||| ||| an adjustment afterward to drop [0] going out & [8] coming in--
|||| ||| to become non-pingable, I think.
|||| ||
|||| || Yes, if you want to be as stealthy as possible, everything
|||| || should be ruled off in your firewall. Though in my config, I
|||| || have specific addresses which can ping and to which I can ping
|||| || [by application both ways] so that my web pages can be
|||| || maintained and other necessary functions. And others which are
|||| || set to log such activity [for purposes previously mentioned].
|||| |
|||| | I didn't think of that, to let specific sites ping me. I do get a
|||| | warning from NetZero now/then that I must click or get thrown
|||| | off. It seems to work w/o pinging.
|||| |
|||| | However, eventually, I am thrown off w/o a warning, anyhow. I
|||| | don't know, maybe it's a second NetZero mechanism that does
|||| | require PING to function. OK, that's done-- I allow ICMP [0] out
|||| | & [8] in to the NetZero range only. It shouldn't be long before I
|||| | know the result.
||||
|||| It didn't work for me to allow PING back/forth to the NetZero
|||| addresses. I still get thrown off the NET after a while, despite
|||| responding to the NetZero timer requestor. (It doesn't happen
|||| immediately after that.)
||||
|||| But I'm only assuming it's NetZero throwing me off. I simply get a
|||| Windows requestor saying the connection has terminated-- looks like
|||| it may be an OE requestor. It offers a button to reconnect, but
|||| that won't work. I have to click the NetZero connectoid for that.
||||
|||| ...snip
|||| --
|||| Thanks or Good Luck,
|||| There may be humor in this post, and,
|||| Naturally, you will not sue,
|||| Should things get worse after this,
|||| PCR
|||| pcrrcp@netzero.net
|||
||| Likely you will get to it when you get to your other rules. Or, as
||| users of AOL would do [and I did when using NetZero and
||| ZoneAlarm], try something like Stay Alive[? PCMag] [slow down the
||| ping/contact rate though] {make sure you rule the app well}, pending
||| your further investigations into NetZero requirements and Kerio [and
||| network aspects].
||
|| Uh-huh. It isn't horribly bad, because normally I go for hours before
|| it happens, & I can reconnect immediately for another dime by
|| clicking the NetZero connectoid. It may not be NetZero at all doing
|| it. It isn't a NetZero requestor that pops up, but I can't quite
|| recall its title. It has a "Reconnect" & a "No thanks" button &
|| possibly one other.
||
|| Another possibility I guess is that someone is trying to ring my
|| phone (I've only got one line) or something else happens to the
|| phone line, I guess. Thanks for the suggestion. It's also been said
|| I should occasionally click the NetZero Taskbar.
|
| >Update: Oooops, that IS a NetZero requestor...
| >
| >Title: Auto-Reconnect
| >Message: You have been accidentally disconnected from the internet.
| >         Would you like to reconnect now?
| >Buttons: "No Thanks", "Help", & "Reconnect"
| >
| >"Reconnect" doesn't work-- the requestor simply disappears. "Help"
| >goes to a NetZero help page.
| >
| >I GUESS I can live with it!
|
| Uhm, did you REALLY look at the net *calls* like ICMP? How about IGMP?
| etc....

Believe me, every day since putting this thread on hold, I have sworn to
click those URLs. I swore it at 7:00 AM this morning! Soon as I do
(within 6 years, I swear), I'll know more about IGMP, I'm sure. But I
don't appear to have any IGMP rule at all, which likely means nothing is
using it-- otherwise, Kerio I think would put up a requestor, as it is
set to do so! Are you sure there is such a protocol as IGMP? I don't even
see it in Kerio's lists!

But, YEA, I DID allow PING between me & NetZero-- & that did not solve
it! Now, I've reverted back to none.

| --
| MEB
| http://peoplescounsel.orgfree.com
| ________

--
Thanks or Good Luck,
There may be humor in this post, and,
Naturally, you will not sue,
Should things get worse after this,
PCR
pcrrcp@netzero.net
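The two ICMP configurations argued over in the posts above (drop echo
entirely to be "non-pingable", or permit echo request in and echo reply
out for one trusted address range only) are easy to get subtly wrong in a
rule list, so here is a small rule simulator, added by the editor and not
code from the thread or from Kerio, that evaluates packets against
Kerio-PF-style rules and checks which sources can actually ping the host.
Everything specific is assumed: the 64.136.0.0/16 range is a constructed
stand-in for "the NetZero range" (not NetZero's real allocation), the
rule names are invented, and rules are modelled as top-to-bottom,
first-match-wins with a default deny.

```python
"""Added example, not from the thread or from Kerio: a minimal simulator of
personal-firewall rules for the ICMP echo question discussed in the posts.

Assumptions (not stated on the page): rules are evaluated top to bottom,
first match wins, unmatched traffic falls to a default deny.  The address
range below is a constructed placeholder, not NetZero's real allocation.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional

ICMP_ECHO_REPLY = 0      # "[0]" in the posts: host -> pinger
ICMP_ECHO_REQUEST = 8    # "[8]" in the posts: pinger -> host

TRUSTED_RANGE = "64.136.0.0/16"   # constructed stand-in for "the NetZero range"


@dataclass(frozen=True)
class Packet:
    protocol: str                    # "icmp", "udp" or "tcp"
    direction: str                   # "in" (to the host) or "out" (from it)
    remote_ip: str                   # the other end of the conversation
    icmp_type: Optional[int] = None  # only meaningful for protocol "icmp"


@dataclass(frozen=True)
class Rule:
    name: str
    protocol: str                               # "icmp", "udp", "tcp" or "any"
    direction: str                              # "in", "out" or "both"
    action: str                                 # "permit" or "deny"
    remote_net: Optional[str] = None            # CIDR; None = any address
    icmp_types: Optional[FrozenSet[int]] = None  # None = any ICMP type

    def matches(self, p: Packet) -> bool:
        """True when every field this rule constrains agrees with the packet."""
        if self.protocol != "any" and self.protocol != p.protocol:
            return False
        if self.direction != "both" and self.direction != p.direction:
            return False
        if self.remote_net is not None and \
                ip_address(p.remote_ip) not in ip_network(self.remote_net):
            return False
        if self.icmp_types is not None and p.icmp_type not in self.icmp_types:
            return False
        return True


def evaluate(rules: List[Rule], packet: Packet, default: str = "deny") -> str:
    """First matching rule decides; if nothing matches, the default applies."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action
    return default


def host_answers_ping(rules: List[Rule], source_ip: str) -> bool:
    """A ping only works if the request gets IN and the reply gets OUT."""
    request = Packet("icmp", "in", source_ip, icmp_type=ICMP_ECHO_REQUEST)
    reply = Packet("icmp", "out", source_ip, icmp_type=ICMP_ECHO_REPLY)
    return (evaluate(rules, request) == "permit"
            and evaluate(rules, reply) == "permit")


# Configuration 1, "non-pingable": drop echo request in and echo reply out.
STEALTH_RULES = [
    Rule("Block echo request in", "icmp", "in", "deny",
         icmp_types=frozenset({ICMP_ECHO_REQUEST})),
    Rule("Block echo reply out", "icmp", "out", "deny",
         icmp_types=frozenset({ICMP_ECHO_REPLY})),
]

# Configuration 2, "let only the trusted range ping me": the permits are
# scoped to the range, and an explicit catch-all denies every other ICMP.
SELECTIVE_RULES = [
    Rule("Echo request from trusted range", "icmp", "in", "permit",
         remote_net=TRUSTED_RANGE, icmp_types=frozenset({ICMP_ECHO_REQUEST})),
    Rule("Echo reply to trusted range", "icmp", "out", "permit",
         remote_net=TRUSTED_RANGE, icmp_types=frozenset({ICMP_ECHO_REPLY})),
    Rule("Block all other ICMP", "icmp", "both", "deny"),
]


if __name__ == "__main__":
    # 64.136.1.2 is inside the constructed trusted range, 198.51.100.7 is not.
    for label, rules in (("stealth", STEALTH_RULES), ("selective", SELECTIVE_RULES)):
        for src in ("64.136.1.2", "198.51.100.7"):
            verdict = "answered" if host_answers_ping(rules, src) else "dropped"
            print(f"{label:9s} ping from {src:13s}: {verdict}")
```

The point the simulator makes explicit is that "pingable by my ISP" needs
two permits that agree on the address range, one per direction: a permit
for type 8 inbound without the matching type 0 outbound leaves the host
just as silent as the stealth configuration, and an outbound echo-reply
permit with no address scope would answer anyone whose request was let in.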