Firewall advice reqd., Kerio 2.1.5 or 4.0.16..... TIA

Thread starter: JustMe
Lou said:
I only know that one morning I kept getting these messages from Sygate that
a Port Scan was allowed.
I checked the security log and one company whose name I can not recall, had
made 31 'Port Scans' on my computer.
I removed Sygate.

Why not just close the ports?
 
Here's links to two packet sniffers in case you're interested:

Ethereal:

http://www.ethereal.com/

EtherSnoop Light:

http://www.arechisoft.com/

Well, I installed EtherSnoop and ran it with Kerio 2.1.5 and waited for the
outbound icmp 3 to occur, and when it did, I found that no packets were
getting in through the firewall. Nothing showed up in EtherSnoop. So that's
great. I can run Kerio 2.1.5 now, which I much prefer over 4.xx.

I still don't know what's generating the outbound icmp 3 but it would
appear that I don't have to worry about holes in the firewall at any rate,
so that's excellent.

Thanks for your help...
 
Kerodo said:
Well, I installed EtherSnoop and ran it with Kerio 2.1.5 and waited for the

[...]

I can tell you this: my tenth rule is "deny both ways, ICMP, Any port,
Any Address, Any Application"

and I don't have any problems with the internet or usenet.
 
Kerodo said:
Well, I installed EtherSnoop and ran it with Kerio 2.1.5 and waited for the

[...]

Forgot to add in the other reply that I allow ICMP replies to pings.
Doesn't hurt anything. Lets them know that you're there, but they
still can't do shit to you.
 
| | > Lou Rehberger wrote:
| >
| > > Sygate allows "Port Scans".
| >
| > Explain?
|
| I can't explain it.
| I only know that one morning I kept getting these messages from Sygate that
| a Port Scan was allowed.
| I checked the security log and one company whose name I can not recall, had
| made 31 'Port Scans' on my computer.
| I removed Sygate.

My experience with Sygate has been excellent. The program really
works, gives good reports, and is head and shoulders above all
other security software I've ever used in its interface.
Compared with other programs in its general class, I'd say that
Sygate is 1,000% better in usability. It blocks port scans
firmly and thoroughly on my system, although I forgot if I did
anything to set this up.

The program has to "learn" from you; you've got to study some
documentation/help in order to grok how it works. I didn't learn
it overnight, although once you "get" it, it will be got. I've
actually been using two different versions of it for around 2
years. I tried Kerio in between, and found it too arcane for me
to work very well without loading in files made by other people.

By the way, I also enjoy the user interface of Grisoft/AVG; I
like their graphics, too.

I've been getting a really great number of port scans recently.
My ISP's owner replied to a query from me that these probes are
the result of the latest uber-worm. The M.O. seems to be that
there is a cluster of 3-8 separate events in rapid succession,
each of which contains a group of individual port scans. Each of
these events originates from the same source. That source
typically appears to be a corporate entity, usually a division of
a telephone company or an internet service provider. It's obvious
that the originating computer, which is on that company's
network, is cloaked. All of this information is easily retrieved
in Sygate.

Using that information, I posted an ISP in Alaska. They in turn
traced my Sygate log data further and temporarily suspended one
of their users whose machine was infected with Sasser.

As far as the free version of Sygate is concerned, the program
updates itself from time-to-time (if automatic updating is turned
on). This is a typical habit of spyware, and one or two people
have suspected that it is. I honestly don't know.

I experience a strange incompatibility between Sygate and The
Proxomitron. There's something about Proxo that causes Sygate to
do some polling frequently; I hear the hard drive blipping often.
I am very fond of The Proxomitron; it's an endearing piece of
freeware; user-friendly, potent, flexible, and just a wonderful
piece of work. It's a tossup. I'm inclined to get another
firewall simply because I'm so grateful for the calmness that
Proxo gives me when surfing. It civilizes the Web.

Richard
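The clusters Richard describes, several events in rapid succession from one source, each made up of individual port probes, can be pulled out of a firewall log mechanically: group events by source address, split each source's events into bursts, and report the bursts that touch several distinct ports. The script below is an added example written for this thread; it is not Sygate's code, and the log format, addresses and timestamps are constructed for the demo rather than taken from a real Sygate or Kerio log.

```python
"""Cluster firewall log events per source and flag bursts that touch
several distinct ports (the rapid-succession port scan pattern).

Added example for this thread; the log format is constructed for the demo
and is not Sygate's or Kerio's. Addresses are documentation ranges.
"""
import re
from datetime import datetime, timedelta

# Constructed sample log: one scanner (203.0.113.9) probing five ports in
# four seconds, one ordinary web client, one host sending two unrelated
# packets more than a minute apart, and one junk line.
SAMPLE_LOG = """\
2004-05-11 03:12:01 BLOCK TCP 203.0.113.9:3391 -> 192.0.2.10:135
2004-05-11 03:12:01 BLOCK TCP 203.0.113.9:3392 -> 192.0.2.10:139
2004-05-11 03:12:02 BLOCK TCP 203.0.113.9:3393 -> 192.0.2.10:445
2004-05-11 03:12:03 ALLOW TCP 198.51.100.7:51022 -> 192.0.2.10:80
2004-05-11 03:12:03 BLOCK TCP 203.0.113.9:3394 -> 192.0.2.10:1025
2004-05-11 03:12:04 BLOCK TCP 203.0.113.9:3395 -> 192.0.2.10:5000
2004-05-11 03:12:09 BLOCK UDP 192.0.2.77:1434 -> 192.0.2.10:1434
2004-05-11 03:13:40 BLOCK TCP 192.0.2.77:2020 -> 192.0.2.10:22
2004-05-11 03:20:00 ALLOW TCP 198.51.100.7:51023 -> 192.0.2.10:80
this line is garbage and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Return (timestamp, src, proto, dport) or None for an unparsable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            m["src"], m["proto"], int(m["dport"]))


def find_scans(log_text, min_ports=4, gap_seconds=5):
    """Report, per source, each burst of events spaced at most gap_seconds
    apart that touched at least min_ports distinct (proto, port) targets."""
    gap = timedelta(seconds=gap_seconds)
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e[0])  # logs are not always in time order
    by_src = {}
    for ts, src, proto, dport in events:
        by_src.setdefault(src, []).append((ts, proto, dport))

    scans = []
    for src, evs in by_src.items():
        burst = [evs[0]]
        for ev in evs[1:] + [None]:  # None flushes the final burst
            if ev is not None and ev[0] - burst[-1][0] <= gap:
                burst.append(ev)
                continue
            targets = sorted({(p, d) for _, p, d in burst})
            if len(targets) >= min_ports:
                scans.append({"src": src, "first": burst[0][0],
                              "last": burst[-1][0], "targets": targets})
            if ev is not None:
                burst = [ev]
    return scans


if __name__ == "__main__":
    for s in find_scans(SAMPLE_LOG):
        print("%s probed %d ports between %s and %s: %s" % (
            s["src"], len(s["targets"]), s["first"].time(), s["last"].time(),
            ", ".join("%s/%d" % t for t in s["targets"])))
```

The two thresholds are the whole policy: `gap_seconds` decides what counts as one burst and `min_ports` how many distinct targets a burst needs before it is called a scan, so a source that touches two ports a minute apart is not reported with the defaults but is with a longer gap and a lower port count.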
 
Well, I installed EtherSnoop and ran it with Kerio 2.1.5 and waited for the

[...]

It looks like outgoing ICMP is perfectly harmless. Some program you
run is having routing difficulties of some sort and these packets are
an attempt to find a reliable route to the destination. Your
connectivity will be enhanced by allowing outbound ICMP. If you choose
to block outgoing ICMP you get stalled downloads of whatever you were
trying to connect with, as the problem was not reported and rerouting
does not occur when your request for a packet does not fit into a
queue (cache) at any point along the way.

For optimum connectivity both inbound and outbound ICMP appear to be
necessary. I'm browsing the subject and (so far) I have seen nothing
stating this is dangerous or that any exploits have been developed.

http://www.faqs.org/rfcs/rfc792.html

RFC792:

"The Internet Protocol (IP) [1] is used for host-to-host datagram
service in a system of interconnected networks called the
Catenet [2]. The network connecting devices are called Gateways.
These gateways communicate between themselves for control purposes
via a Gateway to Gateway Protocol (GGP) [3,4]. Occasionally a
gateway or destination host will communicate with a source host,
for example, to report an error in datagram processing. For such
purposes this protocol, the Internet Control Message Protocol (ICMP),
is used. ICMP, uses the basic support of IP as if it were a higher
level protocol, however, ICMP is actually an integral part of IP, and
must be implemented by every IP module.

ICMP messages are sent in several situations: for example, when a
datagram cannot reach its destination, when the gateway does not have
the buffering capacity to forward a datagram, and when the gateway
can direct the host to send traffic on a shorter route.

The Internet Protocol is not designed to be absolutely reliable. The
purpose of these control messages is to provide feedback about
problems in the communication environment, not to make IP reliable.
There are still no guarantees that a datagram will be delivered or a
control message will be returned. Some datagrams may still be
undelivered without any report of their loss. The higher level
protocols that use IP must implement their own reliability procedures
if reliable communication is required.

The ICMP messages typically report errors in the processing of
datagrams. To avoid the infinite regress of messages about messages
etc., no ICMP messages are sent about ICMP messages. Also ICMP
messages are only sent about errors in handling fragment zero of
fragmented datagrams. (Fragment zero has the fragment offset equal
zero)."

Another nice explanation:

http://www.freesoft.org/CIE/Topics/81.htm
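The "outbound icmp 3" the thread keeps coming back to is ICMP type 3, Destination Unreachable. The RFC 792 text quoted above also requires that such a message carry the IP header plus the first 64 bits of the datagram it is answering, which is enough to read the original source and destination addresses, the transport protocol and the ports. Decoding the flagged packet therefore tells you which inbound datagram your host refused and why. The parser below is an added example written for this thread; it is not code from the posts, from Kerio or from EtherSnoop, and the addresses and ports are constructed sample values. It checks the ICMP checksum and handles a quote too short to attribute.

```python
"""Decode an ICMP message and, for type 3 (Destination Unreachable), recover
the datagram that triggered it.

Added example for this thread; not code from the original posts, Kerio or
EtherSnoop. Per RFC 792 a type 3 message quotes the IP header plus the first
8 bytes of the undeliverable datagram, which is enough to read the original
transport protocol and ports. Addresses and ports are constructed values.
"""
import struct

ICMP_DEST_UNREACH = 3
UNREACH_CODES = {
    0: "net unreachable", 1: "host unreachable", 2: "protocol unreachable",
    3: "port unreachable", 4: "fragmentation needed and DF set",
    5: "source route failed",
}
IP_PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 for a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def with_checksum(icmp: bytes) -> bytes:
    """Return the message with its checksum field (bytes 2-3) filled in."""
    zeroed = icmp[:2] + b"\x00\x00" + icmp[4:]
    return icmp[:2] + struct.pack("!H", inet_checksum(zeroed)) + icmp[4:]


def decode_icmp(icmp: bytes) -> dict:
    """Parse an ICMP message (outer IP header already stripped).

    For type 3 the returned dict also carries the quoted original datagram
    under "original" (None when the quote is too short to attribute).
    """
    if len(icmp) < 8:
        raise ValueError("ICMP header is 8 bytes")
    icmp_type, code = icmp[0], icmp[1]
    result = {"type": icmp_type, "code": code,
              "checksum_ok": inet_checksum(icmp) == 0}
    if icmp_type != ICMP_DEST_UNREACH:
        return result
    result["reason"] = UNREACH_CODES.get(code, "code %d" % code)
    inner = icmp[8:]  # IP header + first 8 bytes of the offending datagram
    if len(inner) < 20:
        result["original"] = None
        return result
    ihl = (inner[0] & 0x0F) * 4
    proto = inner[9]
    original = {
        "src": ".".join(str(b) for b in inner[12:16]),
        "dst": ".".join(str(b) for b in inner[16:20]),
        "proto": IP_PROTO_NAMES.get(proto, str(proto)),
    }
    l4 = inner[ihl:ihl + 8]
    if proto in (6, 17) and len(l4) >= 4:  # TCP and UDP both start with ports
        original["sport"], original["dport"] = struct.unpack("!HH", l4[:4])
    result["original"] = original
    return result


def _ip(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def build_port_unreachable(src: str, dst: str, sport: int, dport: int) -> bytes:
    """Construct the type 3 / code 3 message a host emits when a UDP datagram
    from src:sport reaches a closed port dport on dst (demo input only)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0x1234, 0, 64, 17, 0,
                         _ip(src), _ip(dst))
    udp_hdr = struct.pack("!HHHH", sport, dport, 8, 0)
    header = struct.pack("!BBHI", ICMP_DEST_UNREACH, 3, 0, 0)  # unused field
    return with_checksum(header + ip_hdr + udp_hdr)


if __name__ == "__main__":
    # An outbound type 3 as the firewall would see it: this host rejected a
    # UDP datagram from 198.51.100.7 aimed at its port 1434.
    pkt = build_port_unreachable("198.51.100.7", "192.0.2.10", 4242, 1434)
    print(decode_icmp(pkt))
```

Feed `decode_icmp` the ICMP bytes of a captured outbound type 3 (Ethereal shows them as the raw payload of the IP packet) and the `original` entry names the remote host and the local port its datagram was aimed at; a stream of such replies to many different remote addresses is the ordinary answer of a host whose closed UDP ports are being hit, and the quoted datagram is what identifies the sender.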
 
For optimum connectivity both inbound and outbound ICMP appear to be
necessary. I'm browsing the subject and (so far) I have seen nothing
stating this is dangerous or that any exploits have been developed.

I have had all ICMP disallowed for 3 years, and have never seen any
connectivity problems or any problems downloading. That's what I advised
the OP in alt.computer.security when he asked the question there first.
 
It looks like outgoing ICMP is perfectly harmless. Some program you

[...]

Thanks for all the info. I tried running the computer all night with NO
apps running at all, and still saw several outbound icmp 3's to random IPs.
I'm totally stumped now and have no idea what's causing it. Heck, I don't
even know if it's a problem. But just in case, I've gone to Kerio 4, which
doesn't exhibit this behavior, even with the same rule set. Very very
weird if you ask me..

Thanks for your help though...
 
On Tue, 11 May 2004 22:46:57 GMT, Kerodo

Well, I installed EtherSnoop and ran it with Kerio 2.1.5 and waited for the

[...]

It might be worth installing Ethereal as Ethersnoop only seems to
support TCP, UDP, ARP and ICMP. Ethereal supports nearly 400
protocols.

Ric
 
On Tue, 11 May 2004 22:46:57 GMT, Kerodo
It might be worth installing Ethereal as Ethersnoop only seems to
support TCP, UDP, ARP and ICMP. Ethereal supports nearly 400
protocols.

Ok, thanks for the advice... I may try Ethereal..
 
ric said:
It might be worth installing Ethereal as Ethersnoop only seems to
support TCP, UDP, ARP and ICMP. Ethereal supports nearly 400
protocols.

Ric,
Thanks for mentioning this. Guess Ethersnoop isn't such a good bet
afterall.
 
I got the update, and it must have forgotten my rules, because even to
play a game, it asks for permission to run the thing. That I like; it
secures the entire computer, not just stuff trying to go online. No
crashes in the 5 or so days that I've had it. Much better than 2.1.5.

--
Thou shalt not admit adultery.
: On Wed, 12 May 2004 19:00:04 -0700, Kerodo
:
: >In article <[email protected]>, (e-mail address removed) says...
: >> On Tue, 11 May 2004 22:46:57 GMT, Kerodo
: >>
: >> <snip>
: >>
: >> It might be worth installing Ethereal as Ethersnoop only seems to
: >> support TCP, UDP, ARP and ICMP. Ethereal supports nearly 400
: >> protocols.
: >
: >Ok, thanks for the advice... I may try Ethereal..
:
: As an afterthought this is well worth a read.
: http://www.sys-security.com/archive/papers/ICMP_Scanning_v3.0.pdf
:
: Ric
 
PuppyKatt said:
I got the update, and it must have forgotten my rules, because even to

[...]

Not only do you top post, but you are also putting the original post after
your signature, making your posts always garbage.

You really are an idiot.
 