Author Topic: Firewall settings (Read 6536 times)

Atomic Mitten · « **on:** October 12, 2003, 11:44:59 am »

Hi Gryphon, can you help me please.Every time I start my pc my Mcaffee firewall shows a log of 100 entries.
My firewall blocks Wan miniport by default.
Should I enable this?
I am attaching a screenshot of the log page.

I'm not sure if MSN messenger needs the Wanminiport or not ?? $:-\$
Well the bmp file must be too big,so I'll print what I see in the log.

McAfee Firewall blocked an incoming TCP packet.The rermote address associated with the traffic was
217.42.XX.XX. The remote port was 4444(ephemeral).The local port on your PC was 135.The network adapter for the traffic was"WAN Miniport(IP)"

Doc Nyar · « **Reply #1 on:** October 12, 2003, 12:55:25 pm »

BMP files are not allowed as attachement I think. Try saving the pic in jpg format. That should work.

Atomic Mitten · « **Reply #2 on:** October 12, 2003, 01:14:43 pm »

Thanks Doc, yeah I thought that was the problem.
Anyway I printed the log by hand.

gryphon · « **Reply #3 on:** October 12, 2003, 02:50:00 pm »

Does your MSN messenger client start by default on your PC ?

And is the 217.xx.xx.xx IP always the same ? Port 135 shouldn't have access to the internet. Did you always have this ?
And is it with McAffee internet security or with just the firewall ?
[ the configuration is slightly different that's why I ask ]

I take it you look at your log just after you booted your PC and then find the blocks in your log ? Or do you get firewall warning popups all the time warning you for it ?

If you just find them in your log there isn't any problem I recon. You don't need you WAN miniport [ just your ethernet adapter needs to have access allowed ] and port 135 should be blocked to the internet.

Atomic Mitten · « **Reply #4 on:** October 12, 2003, 05:52:54 pm »

Yes my msn starts by default.I'm not sure if the ip always the same is,I will watch it.I have Mcaffee firewall only.
No I don't get pop ups.Just in the log.

gryphon · « **Reply #5 on:** October 12, 2003, 06:00:03 pm »

if it's in the log's it should be fine.

Is your MSN messenger able to connect online ?
If not try giving it full access in McAffee .. .

Atomic Mitten · « **Reply #6 on:** October 12, 2003, 06:09:24 pm »

Messenger works fine.I was just curious about the logs entries.

gryphon · « **Reply #7 on:** October 12, 2003, 06:17:44 pm »

depending on the source it could be anything. [ meaning a legit attempt to identify your computer or a less legit one. ] Port 135 is one of the famour Windows netbios ports. If you are directly connected to the internet it is probably a worm.
[ emagine this, security emails are comming in again sind this Monday or so that the RPC worm isn't stoped yet, to be more precies,. . . patched systems still appear to be vounerable for it. . . we are just waiting now for the next guy who think's it's funny to exploid it and the whole mess starts over again .. ..]

McAfee is supposed to block those ports [ 135 - 140 ]. And without knowing the source at this time I can't tell you if they are or are not legit . .

gryphon · « **Reply #8 on:** October 13, 2003, 01:33:31 am »

looking at the current prefered ports to scan I am not supprised you have a lot of 135 scans.

http://isc.incidents.org/

Atomic Mitten · « **Reply #9 on:** October 13, 2003, 10:03:58 am »

What is epmap ? I see what you mean now thanks.Good job I asked you first, before I allowed port 135.lol

gryphon · « **Reply #10 on:** October 13, 2003, 09:31:41 pm »

never allow port 135 access to the internet ! Nor 136, 137, 138 or 139.

this is a short explenation of the things on that port. Port 135 handles remote procedere calls from Microsoft mostly.

RotteVis · « **Reply #11 on:** October 13, 2003, 09:43:20 pm »

I?m glad my router blocks those port automaticly

gryphon · « **Reply #12 on:** October 13, 2003, 09:44:55 pm »

lol dude. . . I wonder how you found that out . . . .

make shure you don't have a DMZ configurated . .that would result in the forwarding of that port.

RotteVis · « **Reply #13 on:** October 13, 2003, 09:46:46 pm »

I never use a DMZ, when I bought my router I left all firewall settings on standard, only added MAC-adress control. Hail to sitecom for making a good working product

gryphon · « **Reply #14 on:** October 13, 2003, 09:48:34 pm »

Quote from: RotteVis on October 13, 2003, 09:46:46 pm

Hail to sitecom for making a good working product

gryphon remembers an mutual friend of us wardriving infront of your house. . .

RotteVis · « **Reply #15 on:** October 13, 2003, 09:50:16 pm »

He never made contact with my wlan. He was trying to get me pissed, went through all the logs and my setting worked perfectly. As far as I don?t post my MAC-adress I?m safe here

Atomic Mitten · « **Reply #16 on:** November 20, 2003, 11:32:26 am »

Does anyone know the correct settings for the Mcaffee Firewall version 4.0. I mean which apps should be filtered, which should be blocked and which should be allowed full access to the net.

This seems to be a big issue with alot of members as I have not found this info anywhere on the web.
I bet alot of people don't know what settings to use ?

Doc Nyar · « **Reply #17 on:** November 20, 2003, 06:09:41 pm »

Quote from: Atomic Mitten on November 20, 2003, 11:32:26 am

Does anyone know the correct settings for the Mcaffee Firewall version 4.0. I mean which apps should be filtered, which should be blocked and which should be allowed full access to the net.

This seems to be a big issue with alot of members as I have not found this info anywhere on the web.
I bet alot of people don't know what settings to use ?

Good question..

gryphon · « **Reply #18 on:** November 20, 2003, 06:49:27 pm »

you might not have found anything on the net as the applications that need access will depend on your own needs.

ok .. that's the crappy answer .. [ which is true in a way but still ].

No application needs full access.. . . and when you are connected to the internet via an ethernet network.

Generic Host can be given acces if you can get a connection, svchost can be blocked just as that DLL Windows file. Windows logon can be blocked. . . wait. . . you can simple block anything. . . just allow DNS and DHCP protocols . . .and if you can't get a connection allow svchost access.
All other things can be filtered or blocked.

Giving applications just the access they need.. . . An internet browser port 80, 443 8000 and 8080 for example. . . .email client port 25 and 110 [ given it's a pop account ]. And so on.. . .so basically it will depend on the application you are using. Most of them won't be needing full access . . justthe ports they are using.
And you can check the manual of the software for that.

If you should notice that an application can't connect. . . check your firewall logs for blocked messages for that application.. . that's a good indication it needs another port. .

Atomic Mitten · « **Reply #19 on:** November 20, 2003, 07:31:08 pm »

Thanks ! so basically filter everything and allow access on demand.

gryphon · « **Reply #20 on:** November 20, 2003, 08:09:06 pm »

nope. . .you deny everything. .. and start allowing individual ports for the applications you use and want to have an internet connection.

Directx diag for one will give you an prompt from your firewall.. asking internet access. . . you don't have to allow that one .. . so not on demand. . . just when you want it. . .

Use the full allow option only when there is no other option. . .

News:

Author Topic: Firewall settings (Read 6536 times)

Atomic Mitten

Atomic Mitten

Atomic Mitten

Atomic Mitten

Atomic Mitten

RotteVis

RotteVis

RotteVis

Atomic Mitten

Atomic Mitten