Firewall Log

Rick Merrill

I find that in C:\windows there is a
"pfirewall.log" that gets bigger (>6MB) - I can stop the firewall and
delete the file, then restart the firewall.

The log contains entries like
2005-01-05 19:14:19 DROP UDP 192.168.0.1 192.168.0.90 39562 162 135 - - - - - - - RECEIVE
2005-01-05 19:14:34 DROP UDP 192.168.0.1 192.168.0.90 39563 162 135 - - - - - - - RECEIVE
2005-01-05 19:14:49 DROP UDP 192.168.0.1 192.168.0.90 39564 162 135 - - - - - - - RECEIVE
2005-01-05 19:15:02 OPEN UDP 192.168.0.90 63.240.76.19 1038 53 - - - - - - - - -
2005-01-05 19:15:02 OPEN TCP 192.168.0.90 63.111.24.28 4282 80 - - - - - - - - -

What do these entries mean? Is a "drop" a putative attack?!

Rick Merrill
 
The contents of the firewall log can be frightening. Unfortunately XP's
firewall log isn't very informative - hence I don't use it, simply because
it monitors incoming traffic but not outgoing traffic. As a suggestion I
would say download the free version of ZoneAlarm (www.zonelabs.com) and use
that instead. Your system is then protected both ways and the log is more
informative, telling you what program accesses the web and what IP address
it contacted.
Judging by the contents of the log you have supplied and the IP addresses, I
wouldn't say that they were putative attacks. The UDP 192.168.0.90 is
probably svchost.exe contacting the server, the previous packets obviously
failing. You should also be aware that your ISP regularly 'pings' your
connection to make sure you are still using it. This can account for a
substantial amount of the data in the log files. If you are a dial-up
connection customer your ISP contract probably contains the following clause:
'if you don't use the connection for 10 minutes (or whatever) your ISP can
disconnect you.' The 'pinging' helps check for this.
On balance your machine is probably attacked 30 or 40 times an hour,
sometimes more depending upon the time of day. I know mine is but I don't
even bother checking the ZoneAlarm log now. I know ZoneAlarm is doing its
job.
 
Rick Merrill said:
I find that in C:\windows there is a
"pfirewall.log" that gets bigger (>6MB) - I can stop the firewall and
delete the file, then restart the firewall.

The log contains entries like
2005-01-05 19:14:19 DROP UDP 192.168.0.1 192.168.0.90 39562 162 135 - - - - - - - RECEIVE
2005-01-05 19:14:34 DROP UDP 192.168.0.1 192.168.0.90 39563 162 135 - - - - - - - RECEIVE
2005-01-05 19:14:49 DROP UDP 192.168.0.1 192.168.0.90 39564 162 135 - - - - - - - RECEIVE
2005-01-05 19:15:02 OPEN UDP 192.168.0.90 63.240.76.19 1038 53 - - - - - - - - -
2005-01-05 19:15:02 OPEN TCP 192.168.0.90 63.111.24.28 4282 80 - - - - - - - - -

What do these entries mean? Is a "drop" a putative attack?!

Rick Merrill

I don't have that file.

--
Frank Saunders, MS-MVP, IE/OE
Please respond in Newsgroup only. Do not send email
http://www.fjsmjs.com
Protect your PC
http://www.microsoft.com./athome/security/protect/default.aspx
 
To answer your question, the 3rd column is the action. Open means a
port was opened. If a dropped packet was inbound, it might have been
pests wandering the Internet, probes wandering the Internet, or just
background noise (e.g. broadcast messages) on the Internet. Like radio
broadcasts, broadcast messages are intended for everybody, but no
individual in particular. Among other reasons, outbound packets might
be dropped if an outbound communication request was made (e.g. request
for email or a web page) with no connection to the Internet, or if a
request was redirected internally and could not be resolved.

TCP and UDP are communication protocols you will often see in a log.
ICMP is a protocol used by Ping and Tracert. Ping does not use TCP or UDP.

Addresses on the Internet (IP addresses) are the 4 numbers separated by
dots. The first IP address is the source IP address, and the second IP
address is the destination. Among many others, addresses starting with
192.168 are internal inside your PC, not external. So all 5 packets
originated internally, and the first 3 had internal destinations.

The last 2 numbers are the port number used by the source system, and
the port number used by the target system, respectively. Sometimes your
PC is the source, and sometimes your PC is the target, depending on
whether your PC is sending or receiving the transmission. Port 80 is
used by Internet browsers for communicating in HTTP protocol. Port 53
is used to communicate with a DNS server (that translates www addresses
into IP addresses that computers understand). The meaning of other
TCP/UDP ports can be found at http://www.iana.org/assignments/port-numbers

You can quickly find your own IP address by clicking on the icon in the
lower right that looks like 2 monitors (if you have 2 icons like this, it's
the one that shows the name of your Internet connection when you rest
your mouse pointer on it), and clicking the tab labeled Details.

As your firewall log grows, you will see that most dropped packets are
just background noise, or pests and probes that wander and search the
Internet looking for an opportunity (but not you or any particular
individual). If something/somebody were specifically targeting you for
an attack, you would likely see a sudden series of many dropped packets
from the same external IP address, using many different ports.

http://www.pcworld.com/reviews/article/0,aid,115939,pg,1,00.asp
Switching to one of the firewalls recommended in this article is very
good advice. Go with ZoneAlarm if you love to learn and are not
impatient with learning curves.

After installing TrendMicro's security suite and dropping XP's firewall,
I found that TrendMicro's initial settings left some ports on my PC
visible (open or closed) to predators on the internet, before I figured
out how to make them invisible. Which ports were visible depended on
whether I was running with XP SP1 or SP2.

TrendMicro's security suite and the purchased versions of ZoneAlarm have
many other nice, additional features. TrendMicro's security suite has a
very good antivirus component, along with Wi-Fi and personal data
protection, though the spyware component had poor results in the tests
cited in the article. ZoneAlarm is much more versatile (herein lies the
learning curve) in allowing you to allow/disallow inbound requests
depending on IP address, and in filtering different types of cookies and
different types of mobile code (ActiveX, VBScript, JavaScript, etc.) on
a website-by-website basis.
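The column meanings walked through above (action, protocol, source and destination address, source and destination port) and the reply's rule of thumb for a targeted probe (a sudden run of drops from one outside address across many different ports) can be turned into a small checker for the log. This is an added example, not code from the thread; it assumes the 17-column field order of the XP SP2 log header, the 60-second window and four-port threshold are chosen arbitrarily, and the burst from 203.0.113.7 is constructed.

```python
# Added example: parse XP pfirewall.log lines and flag the scan-like pattern the reply describes.
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Field order taken from the log's own '#Fields:' header (17 columns).
FIELDS = ("date time action protocol src-ip dst-ip src-port dst-port size "
          "tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path").split()
LAN_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]  # RFC 1918

def parse_log(text):
    """Yield one dict per entry; '#' header lines and malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if line.startswith("#") or len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        rec["when"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        for key in ("src-port", "dst-port"):  # '-' means the field is unset
            rec[key] = None if rec[key] == "-" else int(rec[key])
        yield rec

def targeted_scans(text, window=timedelta(seconds=60), min_ports=4):
    """External src-ips whose dropped inbound packets hit >= min_ports distinct ports in one window."""
    drops = defaultdict(list)
    for rec in parse_log(text):
        if (rec["action"] == "DROP" and rec["path"] == "RECEIVE"
                and not any(ip_address(rec["src-ip"]) in net for net in LAN_NETS)):
            drops[rec["src-ip"]].append((rec["when"], rec["dst-port"]))
    hits = {}
    for ip, events in drops.items():
        events.sort()
        for i, (t0, _) in enumerate(events):  # slide the window over each start time
            ports = {p for t, p in events[i:] if p is not None and t - t0 <= window}
            if len(ports) >= min_ports:
                hits[ip] = sorted(ports)
                break
    return hits

# Constructed sample: four of the thread's entries, then a made-up burst from 203.0.113.7 (a documentation address).
SAMPLE_LOG = """\
2005-01-05 19:14:19 DROP UDP 192.168.0.1 192.168.0.90 39562 162 135 - - - - - - - RECEIVE
2005-01-05 19:14:34 DROP UDP 192.168.0.1 192.168.0.90 39563 162 135 - - - - - - - RECEIVE
2005-01-05 19:15:02 OPEN UDP 192.168.0.90 63.240.76.19 1038 53 - - - - - - - - -
2005-01-05 19:15:02 OPEN TCP 192.168.0.90 63.111.24.28 4282 80 - - - - - - - - -
2005-01-05 19:20:01 DROP TCP 203.0.113.7 192.168.0.90 4444 135 48 S 1 0 65535 - - - RECEIVE
2005-01-05 19:20:02 DROP TCP 203.0.113.7 192.168.0.90 4445 139 48 S 1 0 65535 - - - RECEIVE
2005-01-05 19:20:02 DROP TCP 203.0.113.7 192.168.0.90 4446 445 48 S 1 0 65535 - - - RECEIVE
2005-01-05 19:20:03 DROP TCP 203.0.113.7 192.168.0.90 4447 3389 48 S 1 0 65535 - - - RECEIVE
"""
```

Run against a real pfirewall.log the thread's own drops from 192.168.0.1 are ignored as LAN traffic, while the constructed burst is reported as {'203.0.113.7': [135, 139, 445, 3389]}.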
 