I have sent a support request to Outpost but since this is a trial version I may not receive support. My LAN set up is illustrated. The firewall at home is a Zywall2X, the work firewall is a Pix. This computer is XP Pro on the home LAN with a trial version of Outpost 2.1.292.3816 (307). I use LinkLogger to parse the firewall logs, and it has a facility to show all hosts with blocked connection attempts. When I use this it attempts to look up the hosts using reverse DNS. The hosts that fail to resolve using reverse DNS show up as inbound NetBIOS connection attempts with the external host address as the remote address in Outpost firewall logs. This is unnerving to say the least.
I have added logging to all Netbios traffic in the Zywall where before it was just blocked thinking that maybe I was initiating a connection and it was somehow getting through the router. No logging occurred, so I set up a sniffer. With the sniffer I only saw DNS queries, so I'm fairly certain that no Netbios is entering or leaving this machine.
What I need now is an explanation of the log entries. Why do they show as inbound from an external host? How does this happen? How do I prevent this from happening?
I will run through a typical sequence of events. I guess I haven't explained my concern correctly.
The Zywall receives a connection attempt which it blocks, most likely port 137, 135, 445 or 3127 recently. In this example we'll use 61.33.41.44.
The blocked connection attempt is forwarded through syslog to LinkLogger, which is running on this computer as well as Outpost.
I then run a report to resolve the IP addresses to host names by descending number of blocked attempts. 61.33.41.44 has no reverse DNS entry.
When I run this report the Outpost logs show an inbound NetBIOS connection attempt from 61.33.41.44. The Zywall shows no incoming or outgoing NetBIOS traffic. A sniffer set up on the LAN shows no incoming or outgoing NetBIOS traffic. What Outpost is blocking is outbound NetBIOS traffic to 61.33.41.44, which it should. The log however shows it as inbound. This is a serious error in my opinion, because I don't know whether the traffic is real or caused by my running the report unless I log every time I run the report and compare the entries.
If the logs showed an inbound connection from loopback or my local ip that would be OK too. The logs should not however show that the netbios attempt originated at 61.33.41.44 destined for my computer, because that would mean the Zywall wasn't working.
It took me almost a week to determine the exact sequence of events to create these entries. I can now reproduce them at will. I can also furnish ethereal sniffer logs from a remote machine to prove there is no netbios traffic leaving or entering this machine.
I disabled loopback then shut down and restarted Outpost, with the same results. Loopback shows unchecked and I had to create a couple of new application rules to allow Outlook to connect to McAfee antivirus, so I know that the rule took. Here is an example of the Outpost log.
11:30:05 AM NETBIOS UDP 61.60.115.155 NETBIOS_NS Block NetBIOS Traffic
11:30:04 AM NETBIOS UDP 67.37.46.73 NETBIOS_NS Block NetBIOS Traffic
11:30:04 AM NETBIOS UDP 221.196.30.215 NETBIOS_NS Block NetBIOS Traffic
11:30:04 AM NETBIOS UDP 213.42.177.40 NETBIOS_NS Block NetBIOS Traffic
11:30:04 AM NETBIOS UDP 68.127.159.194 NETBIOS_NS Block NetBIOS Traffic
11:30:04 AM NETBIOS UDP 200.63.236.226 NETBIOS_NS Block NetBIOS Traffic
11:30:04 AM NETBIOS UDP 213.47.229.125 NETBIOS_NS Block NetBIOS Traffic
11:30:04 AM NETBIOS UDP 218.90.191.170 NETBIOS_NS Block NetBIOS Traffic
The reason that it bothers me is that it shows as a blocked inbound connection. Nothing is getting in or out according to the Zywall logs and the sniffer on another computer except for DNS queries, but the logs show blocked inbound connections. This should not be, and could lead me to ignore real inbound connections. If its a misconfiguration on my part I'd like to fix it, otherwise I want to use something else.
11:30:05 AM IN REFUSED 61.60.115.155 NETBIOS_NS 192.168.0.2 NETBIOS_NS Block NetBIOS Traffic
11:30:04 AM IN REFUSED 67.37.46.73 NETBIOS_NS 192.168.0.2 NETBIOS_NS Block NetBIOS Traffic
11:30:04 AM IN REFUSED 221.196.30.215 NETBIOS_NS 192.168.0.2 NETBIOS_NS Block NetBIOS Traffic
11:30:04 AM IN REFUSED 213.42.177.40 NETBIOS_NS 192.168.0.2 NETBIOS_NS Block NetBIOS Traffic
11:30:04 AM IN REFUSED 68.127.159.194 NETBIOS_NS 192.168.0.2 NETBIOS_NS Block NetBIOS Traffic
Originally posted by Paranoid2000
ChrisClu,
Does LinkLogger run on the router itself? That would certainly explain things...
No it does not.
The router sends SNMP messages as either a network broadcast or to a specified PC, at least on the Linksys and Netgear routers I have used.
I am not at all familiar with ZyWall routers so cannot say for sure how they communicate with the PC.
Outpost should show any packets that LinkLogger sends or receives, including to the localhost address (127.0.0.1) - you can create a filter in the Log Viewer to view entries for a specific application to make this easier.
However, information passed between applications in Windows will not be reported by Outpost (or anything else for that matter except maybe Tiny) unless it is sent via 127.0.0.1.
Hello Terry Miller, Welcome to the Forum. :)
My apologies for missing your post.
Have you tried unchecking Allow Loopback? Open Outpost GUI > Click on Options > System > Under Global Application and Systems Rules click on Settings > Uncheck Allow Loopback to see if this helps.
Well, the only other option I can suggest is to disable WINS resolution in your Network Properties and see if that makes a difference - assuming that you don't need WINS normally.
Terry,
After doing a clean install of Outpost last night, I seem to be having the same problem with my Linksys BEFSX41 that you are having. I'm not having NETBIOS problems (disabled on my machine), but I am having DNS problems. Try this for now (I'm still investigating if there are other problems with my machine. I can think of several other possibilities).
1) Go to your system rules and make a copy of the rule "Allow DNS resolving UDP" (select the rule and click the "copy" button).
2) Check out the new rule to be sure that the direction is inbound.
3) Go back to the original rule, check the box "where the specific local host is" and enter your address 192.168.0.2
This is working for me, so if you still have NETBIOS problems after trying this, you may have to create similar NETBIOS rules. I'll enable NETBIOS and try to help you out if needed. Simply unchecking the "direction" box also works, but for troubleshooting purposes, you'll want to see when these rules are triggered. One problem I do see is a logging problem. My new rule, direction inbound, shows "OUT" in the log's direction column.
TerryMiller,
I would suspect Link Logger is trying a WINS lookup if the DNS lookup fails, hence the NetBIOS traffic (which Outpost will block by default). I would suggest checking Link Logger's configuration for an option to disable this if it concerns you.
My problems cleared up this morning. My rules are back to normal with no more problems (copy of DNS rule deleted, local host unchecked in original rule). After running Internet Explorer (running it last night did not solve the problem), I saw log entries - "Internet Explorer HTTP connection" - the application was SYSTEM, not iexplorer.exe. After this, my problem cleared. Probably a component control problem and I don't know why Outpost took so long to detect the new component. To support your claim, I did see my inbound DNS rule triggered and reported as OUT in the log, which I thought should be IN. I use WallWatcher, one inbound rule, correctly reported in my log. I'm going to try LinkLogger when I have more time.
I also had problems with spiderml.exe. I had to uninstall and reinstall DrWeb antivirus to clear up this problem. This definitely looked like a component control problem to me. Sorry I can't give you a more technical answer, but I suggest that you try reinstalling LinkLogger. One of these days, I'm going to make an outrageous claim that all internet accessing programs need to be reinstalled after installing or upgrading a firewall. I can't wait to see what problems Windows XP SP2 is going to give us.
UDP does have a source and destination address. This is initiated internally. I believe that you are correct in that it is blocking an outbound NetBIOS connection request, which is appropriate.
This situation occurs only when I run one specific report on LinkLogger which resolves blocked connections at the Zywall to host names. I like to do this as it allows me to send e-mails to business machines (I don't bother with home machines) letting the persons know that they are infected. I actually had connection attempts frequently in the beginning from a mail server for a small ISP. I was using McAfee personal firewall at the time which was unsatisfactory as a firewall.
Outpost really does fit the bill nicely as a firewall, but I don't want to filter Netbios from the logs just in case something gets misconfigured on the Zywall. I also don't want to have to record every time that I run this report and compare the log entries to those times to see if the log entry is something to be concerned about.
If this is a known Outpost "feature" then I think I'll keep looking to see if there is something that suits my needs better.
In that case, I would suggest reporting this as a bug to Agnitum (www.agnitum.com/support/supportform.html) and include a link to this thread to spare yourself having to repeat everything.
Outpost does not always recognise the direction of UDP traffic correctly - due in part to the "connectionless" nature of the UDP protocol. Disabling NetBIOS completely should stop these entries but may cause problems with your work access (if you access work resources via Network Neighbourhood for instance). This is why I would suggest checking the Link Logger setup first - indeed, checking to see if these entries only occur with Link Logger running would be a good idea if you have not already done so.
Another alternative is to create an Outpost log filter to exclude NetBIOS entries.
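Rather than filtering every NetBIOS entry out of the log, the check I would add is a small correlation script, written here as an added example that is not from the thread, from Outpost or from LinkLogger: it parses the Outpost log layout quoted earlier in the thread and marks each blocked NETBIOS_NS entry as explained by the host-name report (the remote IP is one the report failed to reverse-resolve, and the block landed shortly after the report ran, matching the WINS/NetBIOS fallback explanation above) or as something that still needs looking at. The log lines, the report run time and the set of unresolved addresses are constructed sample data.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the Outpost log layout quoted in the thread:
# time, direction, verdict, remote IP, remote port, local IP, local port, rule.
OUTPOST_LOG = """\
11:30:05 AM IN REFUSED 61.60.115.155 NETBIOS_NS 192.168.0.2 NETBIOS_NS Block NetBIOS Traffic
11:30:04 AM IN REFUSED 67.37.46.73 NETBIOS_NS 192.168.0.2 NETBIOS_NS Block NetBIOS Traffic
11:30:04 AM IN REFUSED 221.196.30.215 NETBIOS_NS 192.168.0.2 NETBIOS_NS Block NetBIOS Traffic
11:52:17 AM IN REFUSED 198.51.100.23 NETBIOS_NS 192.168.0.2 NETBIOS_NS Block NetBIOS Traffic
"""
# Constructed: when the LinkLogger host-name report ran and which addresses it
# failed to reverse-resolve (the ones a WINS/NetBIOS name-query fallback would hit).
REPORT_RUN_AT = "11:30:00 AM"
REPORT_UNRESOLVED = {"61.60.115.155", "67.37.46.73", "221.196.30.215"}

LINE_RE = re.compile(
    r"^(\d{1,2}:\d{2}:\d{2} [AP]M) (IN|OUT) (\w+) (\S+) (\S+) (\S+) (\S+) (.+)$")
FIELDS = ("time", "direction", "verdict", "remote_ip", "remote_port",
          "local_ip", "local_port", "rule")

def _clock(s):
    # Outpost logs only a wall-clock time; the date does not matter for the comparison.
    return datetime.strptime(s, "%I:%M:%S %p")

def parse_outpost(text):
    """Parse Outpost log lines into dicts; lines in another layout are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = dict(zip(FIELDS, m.groups()))
            e["time"] = _clock(e["time"])
            entries.append(e)
    return entries

def classify(entries, report_run_at, unresolved, window_s=120):
    """Label each blocked NETBIOS_NS remote IP: 'report-artifact' if the report failed
    to reverse-resolve it and the block fell within window_s of the report run (the
    host's own outbound NetBIOS name query that Outpost logged as IN), else 'investigate'."""
    start = _clock(report_run_at)
    end = start + timedelta(seconds=window_s)
    labels = {}
    for e in entries:
        if e["remote_port"] != "NETBIOS_NS" or e["verdict"] != "REFUSED":
            continue
        explained = e["remote_ip"] in unresolved and start <= e["time"] <= end
        labels[e["remote_ip"]] = "report-artifact" if explained else "investigate"
    return labels
```

Anything labelled "investigate" is a NetBIOS block the report run does not account for, so it deserves the same attention as any other inbound entry.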
ChrisClu,
Does LinkLogger run on the router itself? That would certainly explain things...
I did that before I posted here. I was afraid I wouldn't receive support since it is a trial version. I did receive a reply asking for the exact build of Outpost, so hopefully someone is looking at it.
Other than this one issue Outpost is perfect for me, but not knowing whether an inbound log entry is really inbound bothers me a lot.
If this is resolved before the trial expires, I'll buy Outpost. If not I'll keep looking and maybe still buy Outpost if there is nothing better.
Does anybody know any way to track the packets accurately inside the PC? See what LinkLogger is requesting etc. Is this even possible? The other part that is bothering me is not being able to determine exactly where the inbound and outbound is getting confused. If the same problem occurs with a second firewall then that would mean the problem is with LinkLogger.
Don't confuse Link Logger with your router. The router is doing what it should. However you have installed Link Logger (I have it also) to report the logging to your computer. That info from LinkLogger is an inbound communication with your computer. Outpost is on your computer and is blocking inbound communication as it has no idea that it is harmless (unlike inbound from the internet). Try adding the IP of your router to the trusted zone temporarily and if that works you know you just have to create a rule allowing traffic from your router.
Chris