Thread: ForceField accesses Verisign and names registries on TCP port 43?

  1. #1
    pdf_iii Guest

    ForceField accesses Verisign and names registries on TCP port 43?

    Some time after installing ForceField I notice my hardware firewall (Z100G) is blocking streams of outgoing connection attempts on TCP port 43, seemingly to Verisign and some Internet names registries. Before creating a rule allowing these to pass the firewall, I want to be sure that this is ForceField. Assuming it is, does anyone know exactly which IP addresses ForceField uses for this? I see quite a few: 149.17.192.7, 199.43.0.144, 199.7.57.74, ...

    Operating System: Windows XP Pro
    Software Version:
    Product Name: Other ZoneAlarm Product

  2. #2
    Join Date: Dec 2005
    Posts: 9,056

    Re: ForceField accesses Verisign and names registries on TCP port 43?

    Exactly what are the logs showing?
    Is that really tcp port 43 or is it instead udp port 53?
    TCP port 43 is the correct port for "Who Is", or properly called the "nicname".

    149.17.192.7 = whois.publicinterestregistry.net

    199.43.0.144 = whois.arin.net

    Verisign is for file/web server certificates as well as being a cached server.

    Oldsod.

    Message Edited by Oldsod on 06-22-2008 02:37 AM
    Best regards.
    oldsod

  3. #3
    pdf_iii Guest

    Re: ForceField accesses Verisign and names registries on TCP port 43?

    Logs show many blocked connection attempts from my PC IP address to (for example) 199.43.0.144, TCP protocol, port 43. All are to TCP 43, whether connecting to Verisign, ARIN or WhoIS.
    By experimentation, I verified that these are from ForceField. I added rules to allow these connections and browsing with ForceField active got a lot faster, presumably because it was repeatedly retrying the blocked connection (and filling up the log!).

  4. #4
    Join Date: Dec 2005
    Posts: 9,056

    Re: ForceField accesses Verisign and names registries on TCP port 43?

    My humble guess is the ZAFF is doing verifications of the URLs and IPs.
    Probably as part of its anti-phishing/antispoofing/antifraud protection.
    Seems very normal to me. I do not use the ZAFF, but these events do seem very appropriate.

    I will agree with you also to allow these connections for faster processing and getting faster connections.
    Skipping the logging of allowed and appropriate IPs not only makes the logs smaller and more readable, but makes the firewalling process go faster if the log "writing" itself is kept to a minimum.
    I suppose we both agree it is not the normal connections in the usual course of events that are of concern, but it is those weird and unusual connection events that we should be aware of and mistrust.

    Nice to see you actually check the logs and try to keep things secure.
    I wish more people were like you - stop and read the firewall logs from time to time and figure things out if there is something unusual or not fully understood.

    Oldsod.
    Best regards.
    oldsod
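
The log check discussed in this thread, as an added example that is not part of any post: it separates blocked TCP port 43 (WHOIS/nicname) attempts from DNS on port 53 and counts retries per destination before any allow rule is written. The log line format, the local and 192.0.2.x addresses, and the function names are assumptions made for illustration; the two hostnames are the ones given in post #2.

```python
import re
from collections import Counter

# Constructed sample in a made-up log format (assumption: not the Z100G's real format).
SAMPLE_LOG = """\
2008-06-21 21:14:02 BLOCK OUT TCP 192.168.10.21:1187 -> 199.43.0.144:43
2008-06-21 21:14:05 BLOCK OUT TCP 192.168.10.21:1187 -> 199.43.0.144:43
2008-06-21 21:14:11 BLOCK OUT TCP 192.168.10.21:1187 -> 199.43.0.144:43
2008-06-21 21:14:12 ALLOW OUT UDP 192.168.10.21:1029 -> 192.168.10.1:53
2008-06-21 21:14:13 BLOCK OUT TCP 192.168.10.21:1190 -> 149.17.192.7:43
2008-06-21 21:14:16 BLOCK OUT TCP 192.168.10.21:1190 -> 149.17.192.7:43
2008-06-21 21:14:20 BLOCK OUT UDP 192.168.10.21:1031 -> 192.0.2.53:53
2008-06-21 21:14:22 BLOCK OUT TCP 192.168.10.21:1193 -> 199.7.57.74:43
2008-06-21 21:14:25 ALLOW OUT TCP 192.168.10.21:1195 -> 192.0.2.80:80
"""

# Only the two addresses identified in the thread are named; others stay unidentified.
KNOWN_HOSTS = {"149.17.192.7": "whois.publicinterestregistry.net",
               "199.43.0.144": "whois.arin.net"}

# Protocol and port together decide the service: TCP 43 is WHOIS, port 53 is DNS.
SERVICES = {("TCP", 43): "whois/nicname", ("UDP", 53): "dns", ("TCP", 53): "dns"}

LINE_RE = re.compile(
    r"^\S+ \S+ (?P<action>BLOCK|ALLOW) OUT (?P<proto>TCP|UDP) "
    r"[\d.]+:\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$")

def summarize(log_text, action="BLOCK"):
    """Count log entries with the given action per (service, proto, port, dst)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["action"] != action:
            continue  # skip unparsable lines and entries with another action
        proto, port = m["proto"], int(m["dport"])
        service = SERVICES.get((proto, port), "other")
        counts[(service, proto, port, m["dst"])] += 1
    return counts

def whois_destinations(log_text):
    """Blocked TCP/43 destinations as (ip, name, attempts), busiest first."""
    hits = Counter()
    for (service, _proto, _port, dst), n in summarize(log_text).items():
        if service == "whois/nicname":
            hits[dst] += n
    ordered = sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(dst, KNOWN_HOSTS.get(dst, "unidentified"), n) for dst, n in ordered]

if __name__ == "__main__":
    for ip, name, attempts in whois_destinations(SAMPLE_LOG):
        print(f"{ip:<15} {name:<34} blocked attempts: {attempts}")
```

Destinations reported as unidentified are the ones to look up before adding them to an allow rule.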
