
Thread: Free Firewall, Blocking from 10.0.0.50 (UDP Port 5000) to 10.0.0.251:138

  #1 cellist (Guest)

    Free Firewall, Blocking from 10.0.0.50 (UDP Port 5000) to 10.0.0.251:138

    The Free Firewall is blocking access to my computer from 10.0.0.50 (UDP Port 5000) to 10.0.0.251:138. The complete log entry is shown below.
    I think this is happening while I'm connected to another computer using Remote Desktop via Cisco VPN. I see a discussion of this type of event in another thread here, "Firewall Expert Rules vs Program Control Expert Rules", but I'm having a bit of difficulty following that discussion. So...
    My question is whether I can configure ZA to allow access to VPN/Remote Desktop while not allowing the same access to other applications? Can I do this only with the pay-for version?

    Packet sent from 10.0.0.50 (UDP Port 5000) to 10.0.0.251 (NetBIOS Datagram) was blocked

    Rating: High
    Date / Time: 2009-04-07 10:34:16-4:00
    Type: Firewall
    Protocol: UDP
    Program: (blank)
    Source IP: 10.0.0.50:5000
    Destination IP: 10.0.0.251:138
    Direction: Incoming
    Action Taken: Blocked
    Count: 1
    Source DNS: (blank)
    Destination DNS: DELL-8250-DEN
    Policy: Personal Policy
    Rule: ExtBlockAll2

    TIA,

    Phil


    Operating System:Windows XP Home Edition
    Software Version:8.0
    Product Name:ZoneAlarm (Free)

  #2 oldsod (Join Date: Dec 2005; Posts: 8,984)

    Re: Free Firewall, Blocking from 10.0.0.50 (UDP Port 5000) to 10.0.0.251:138


    cellist wrote:
    > The Free Firewall is blocking access to my computer from 10.0.0.50 (UDP Port 5000) to 10.0.0.251:138. The complete log entry is shown below.
    > I think this is happening while I'm connected to another computer using Remote Desktop via Cisco VPN. I see a discussion of this type of event in another thread here, "Firewall Expert Rules vs Program Control Expert Rules", but I'm having a bit of difficulty following that discussion. So...
    > My question is whether I can configure ZA to allow access to VPN/Remote Desktop while not allowing the same access to other applications? Can I do this only with the pay-for version?
    >
    > Packet sent from 10.0.0.50 (UDP Port 5000) to 10.0.0.251 (NetBIOS Datagram) was blocked
    > (full log entry as quoted in #1: UDP, Incoming, 10.0.0.50:5000 -> 10.0.0.251:138, Rule ExtBlockAll2, Blocked)
    >
    > TIA,
    > Phil
    >
    > Operating System: Windows XP Home Edition
    > Software Version: 8.0
    > Product Name: ZoneAlarm (Free)


    Place the LAN IP as trusted in the Zones of the Firewall of the ZA (this is either UPnP or SSDP).
    The windows files that use the connections seen in the Program listing must have trusted server rights (services, svchost, etc).

    Usually the Alerts and Logging should be set to On and High to get the maximum logging and alerts to see what to allow or needs to be allowed.
    Also set the program control slider to the middle level to train the ZA for the new and up-and-coming connections and events.

    Oldsod.
    Best regards.
    oldsod

  #3 cellist (Guest)

    Re: Free Firewall, Blocking from 10.0.0.50 (UDP Port 5000) to 10.0.0.251:138


    Oldsod, thanks for your reply.
    > Place the LAN IP as trusted in the Zones of the Firewall of the ZA

    LAN IP would be 10.0.0.50? Is this done with the Firewall > Zones screen?

    > (this is either UPnP or SSDP).

    I don't know what this means.

    > Alerts and Logging should be set to On and High

    In Alerts & Logs > Main > Alert Events Shown the On button is set. I don't see any High setting on this screen or under the Advanced control. Where can I find that? Maybe this is not available in the Free Version?

    > set the program control slider to the middle level to train the ZA ...

    Under Program Control > Main > Program Control I have the slider set to Med. Is that what I want?

    Under Program Control > Programs I have 2 entries for Cisco VPN client. 1) is for program cvpnd.exe and has green check-marks under Access > Trusted and Server > Trusted. 2) is for program cvpngui.exe and has a green check-mark only under Access > Trusted. The other columns for both have ?. Do I need to change anything in these two entries? Is there another program that needs to be added here?

    Notice that the ZA event log shows nothing for program for these errors.

    Phil

    Message Edited by cellist on 04-07-2009 10:59 PM

  #4 oldsod (Join Date: Dec 2005; Posts: 8,984)

    Re: Free Firewall, Blocking from 10.0.0.50 (UDP Port 5000) to 10.0.0.251:138


    cellist wrote:
    > Oldsod, thanks for your reply.
    >
    > > Place the LAN IP as trusted in the Zones of the Firewall of the ZA
    >
    > LAN IP would be 10.0.0.50? Is this done with the Firewall > Zones screen?
    >
    > > (this is either UPnP or SSDP).
    >
    > I don't know what this means.
    >
    > > Alerts and Logging should be set to On and High
    >
    > In Alerts & Logs > Main > Alert Events Shown the On button is set. I don't see any High setting on this screen or under the Advanced control. Where can I find that? Maybe this is not available in the Free Version?
    >
    > > set the program control slider to the middle level to train the ZA ...
    >
    > Under Program Control > Main > Program Control I have the slider set to Med. Is that what I want?
    >
    > Under Program Control > Programs I have 2 entries for Cisco VPN client. 1) is for program cvpnd.exe and has green check-marks under Access > Trusted and Server > Trusted. 2) is for program cvpngui.exe and has a green check-mark only under Access > Trusted. The other columns for both have ?. Do I need to change anything in these two entries? Is there another program that needs to be added here?
    >
    > Notice that the ZA event log shows nothing for program for these errors.
    >
    > Phil
    >
    > Message Edited by cellist on 04-07-2009 10:59 PM


    Yes.

    See:
    http://en.wikipedia.org/wiki/Upnp
    http://en.wikipedia.org/wiki/Simple_...overy_Protocol

    Perhaps not. Alerts to High and Logging to On in the Pro version.

    Yes.
    Make all of the cisco client programs with all access for both trusted and internet and with all server for both trusted and internet.
    Also make sure your own dhcp and dns servers are listed as trusted in the zones of the firewall AND include the dhcp and dns servers of the other connecting end of the other lan from across the internet ... I am guessing you are connecting using a vpn over the internet itself even though you have never revealed any details about this.....

    Plus allow all uncommon protocols at high security and disable any arp protection or spoofing (if this is available in the free) and allow broadcast/multicast, all ping, icmp in the internet security zone settings.

    Check the logs and look carefully for any blocked or dropped connections of any kind of protocol (tcp, udp, icmp) and for ports such as 21, 23, 53, 67, 68, 109, 110, 113, 135, 137, 138, 139, 443, 445, 1080, 1900, 3289, 5000, 8080 (and maybe a few more not listed) involved with the vpn connections.
    Also look at the tcp 'flags' to better understand what is going on:

    http://www.pccitizen.com/threewayhandshake.htm

    It would help if you could list what you have done so far and what is actually happening and where/why/what.

    Oldsod.
    Best regards.
    oldsod

  #5 cellist (Guest)

    Re: Free Firewall, Blocking from 10.0.0.50 (UDP Port 5000) to 10.0.0.251:138


    Again, thanks for your reply, oldsod.

    > what you have done so far

    In the Firewall > Zones screen I've added 10.0.0.50 as trusted. (10.0.0.50 is the "from" address in the "blocking" message.)

    > what is actually happening and where/why/what.

    After adding 10.0.0.50 I don't see the blocking message when I connect with VPN. I don't see any of the blocking messages at any other time, either.

    > Make all of the cisco client programs with all access for both trusted and internet and with all server for both trusted and internet.

    I have not changed anything for the cisco client programs. cvpnd.exe had and still has green check-marks for Access > Trusted and for Server > Trusted. cvpngui.exe had and still has a green check-mark only for Access > Trusted. Since I am not seeing any blocking messages after having added 10.0.0.50, why do I need to change anything here?

    > Also make sure your own dhcp and dns servers are listed as trusted in the zones of the firewall AND include the dhcp and dns servers of the other connecting end of the other lan from across the internet ...

    I don't know how to identify dhcp and dns servers, so I don't know which ones to add as trusted.

    > Plus allow all uncommon protocols at high security and disable any arp protection or spoofing (if this is available in the free) and allow broadcast/multicast, all ping, icmp in the internet security zone settings.

    I don't see anywhere in the free version to do this kind of thing, but then I don't really know what I'm looking for. The pro version is not an option, as I've already tried it and could not get tech support to help me configure it to avoid a conflict with cisco. (The "conflict" was not the blocking issue; rather, it had to do with uninstalling/re-installing cisco.) I wonder if I should start a new thread to elicit a response (in this forum) to the "uncommon protocols" issue specifically for the free version?

    > I am guessing you are connecting using a vpn over the internet itself even though you have never revealed any details about this.....

    Not sure what to reveal, beyond what I've already stated. I connect with the remote computer over a vpn by executing the cisco client cvpngui.exe, which is configured with the remote computer's identity, such as HOST=xxx.yyy.com and enc_GroupPwd=blah-blah-blah. Would adding the HOST= domain name to ZA enable ZA to block domains other than this one from using 10.0.0.50?

    > Check the logs and look carefully for any blocked or dropped connections of any kind of protocol...

    I'm not seeing any other blocked or dropped connections.

    FINALLY, TO SUMMARIZE:
    Adding 10.0.0.50 as trusted in Firewall > Zones seems to clear up the blocking message with vpn.
    My main concern remaining is whether I've opened the door to other processes connecting via 10.0.0.50 and, if so, how to block access from any process other than the cisco vpn. It would be helpful if I could enable a logging mode that basically logs every access for short periods of time. This would enable me to (manually) analyze granted accesses and disclose accesses that ought to be blocked. I wonder if such a logging mode is available in the free firewall version.

    Cheers,
    Phil
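    The question in #5 (whether trusting 10.0.0.50 "opens the door" to other traffic from that host) and the port list in #4 come down to one mechanism: ZoneAlarm's zone check keys on the source address of an incoming packet, not on the destination port or the program that would receive it. Two facts from the log itself are worth keeping straight while reading the thread: the destination, UDP 138, is the NetBIOS Datagram Service (browser and mailslot traffic), and 5000 is merely the sender's source port; SSDP discovery uses UDP 1900. The script below is an added example, not ZoneAlarm's code, and models only the zone step under one stated assumption: the rule named in the log (ExtBlockAll2) blocks unsolicited inbound packets from the Internet zone, while a Trusted-zone source is let through for any destination port with no per-program check. Real ZoneAlarm behaviour also depends on the Trusted-zone security slider, which the model ignores. The first event is the one from the log; the other two are constructed.

```python
"""Zone-decision model for the packet logged in this thread.

Added example, not ZoneAlarm's code. Only the Trusted/Internet zone step is
modelled. Assumption: the rule named in the log ('ExtBlockAll2') blocks every
unsolicited inbound packet whose source is in the Internet zone, and a source
in the Trusted zone is let through without any per-program check.
"""
import ipaddress

# Well-known assignments for the destination ports oldsod lists. The log itself
# names UDP 138 as the NetBIOS Datagram Service.
PORT_NAMES = {
    53: "DNS", 67: "DHCP (server)", 68: "DHCP (client)",
    135: "MS-RPC endpoint mapper", 137: "NetBIOS Name Service",
    138: "NetBIOS Datagram Service", 139: "NetBIOS Session Service",
    445: "SMB over TCP", 1900: "SSDP (UPnP discovery)", 3389: "Remote Desktop",
}

# Fields copied from the log entry in post #1.
LOGGED_EVENT = {"proto": "UDP", "src": "10.0.0.50:5000",
                "dst": "10.0.0.251:138", "direction": "Incoming"}

# Constructed events (not from the thread) that probe what trusting 10.0.0.50
# changes: an SMB connection from the same host, and NetBIOS from another host.
CONSTRUCTED_EVENTS = [
    {"proto": "TCP", "src": "10.0.0.50:1025", "dst": "10.0.0.251:445", "direction": "Incoming"},
    {"proto": "UDP", "src": "10.0.0.77:138", "dst": "10.0.0.251:138", "direction": "Incoming"},
]


def split_endpoint(endpoint):
    """'10.0.0.50:5000' -> (IPv4Address('10.0.0.50'), 5000)."""
    ip, port = endpoint.rsplit(":", 1)
    return ipaddress.ip_address(ip), int(port)


def zone_of(ip, trusted_entries):
    """Trusted if ip matches any host or network in the Trusted zone, else Internet."""
    for entry in trusted_entries:
        if ip in ipaddress.ip_network(entry, strict=False):
            return "Trusted"
    return "Internet"


def decide(event, trusted_entries):
    """Apply the modelled zone step to one event and describe the outcome."""
    src_ip, _src_port = split_endpoint(event["src"])
    _dst_ip, dst_port = split_endpoint(event["dst"])
    zone = zone_of(src_ip, trusted_entries)
    if event["direction"] != "Incoming":
        action = "Allowed"   # outbound traffic is governed by program control, not zones
    elif zone == "Trusted":
        action = "Allowed"   # the zone step does not ask which program receives it
    else:
        action = "Blocked"   # assumed effect of ExtBlockAll2 on Internet-zone sources
    service = PORT_NAMES.get(dst_port, f"port {dst_port}")
    return {"zone": zone, "action": action, "service": service,
            "summary": f"{event['proto']} {event['src']} -> {event['dst']} ({service})"}


def compare(trusted_before, trusted_after):
    """Decide every event under two Trusted-zone configurations.

    Returns a list of (summary, action_before, action_after) tuples.
    """
    rows = []
    for event in [LOGGED_EVENT] + CONSTRUCTED_EVENTS:
        before = decide(event, trusted_before)
        after = decide(event, trusted_after)
        rows.append((before["summary"], before["action"], after["action"]))
    return rows


if __name__ == "__main__":
    # Before: nothing trusted (Phil's original state). After: 10.0.0.50 added as trusted.
    for summary, before, after in compare([], ["10.0.0.50"]):
        print(f"{summary:62} before: {before:8} after: {after}")
```

    Run as-is, the model shows the logged NetBIOS packet flipping from Blocked to Allowed once 10.0.0.50 is trusted, but so does the constructed SMB connection on TCP 445 from the same host, while the same NetBIOS packet from 10.0.0.77 stays blocked. That is the answer to the "opened the door" question: trusting a host is a per-address decision, and narrowing it to one port or one receiving program is what the expert rules discussed in the other thread (and, per oldsod, the paid version) exist for.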

  #6 oldsod (Join Date: Dec 2005; Posts: 8,984)

    Re: Free Firewall, Blocking from 10.0.0.50 (UDP Port 5000) to 10.0.0.251:138

    "I don't know how to identify dhcp and dns servers, so I don't know which ones to add as trusted."

    Make sure your DNS and DHCP server IPs are in your Firewall's Trusted zone. Finding DNS and DHCP servers, etc.:

    1. Go to Run and type in command and hit 'ok', and in the command then type in ipconfig /all then press the enter key. In the returned data list will be a line DNS and DHCP Servers with the IP address(es) listed out to the side. Make sure there is a space between the ipconfig and the /all, and the font is the same (no capitals).
    2. In ZA on your machine on the Firewall, open the Zones tab, click Add and then select IP Address. Make sure the Zone is set to Trusted. Add the DNS IP(s).
    3. Click OK and Apply. Then do the same for the DHCP server.
    4. The localhost (127.0.0.1) must be listed as Trusted.
    5. The Generic Host Process (svchost.exe) as seen in the Zone Alarm's Programs list must have server rights for the Trusted Zone.
    Plus it must have both Trusted and Internet Access.
    6. The Trusted slider should be at the middle level.

    Extra help is found at Guru Hoov site for the DNS/DHCP.

    Probably the fine controls are not in the free's GUI... just ignore this previous idea of mine as the free still handles this situation with the user during the ZA alerts (whereas many things are treated in the gui of the pro versions).

    "Would adding the HOST= domain name to ZA enable ZA to block domains other than this one from using 10.0.0.50?"

    Possibly the domain name will still resolve to the same IP, but the security risk is not really there anyways, so it's not a real issue.


    "My main concern remaining is whether I've opened the door to other processes connecting via 10.0.0.50 and, if so, how to block access from any process other than the cisco vpn."

    Any new process attempting to connect to 10.0.0.50 will be seen in the ZA alerts - allow or deny, as the free version is very alert dependent and it should be seen in the logs.....

    "I wonder if such a logging mode is available in the free firewall version."

    The free should be logging... although there seems to be an unfixed bug in some of the free version 8s, which should have the proper logging there by default.
    But the paid versions can be set up to specifically log by the IP(s), by the program(s) and by the port(s). Or any combination of those.
    Whereas the free should be logging the connection events by the normal logs seen in the Log Viewer of the ZA.
    The paid ZA does allow for finer control to block/allow as desired, although this may not be necessary in all situations.

    Oldsod.
    Best regards.
    oldsod
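    Steps 1 to 3 of the procedure in #6 amount to reading the DHCP Server and DNS Servers lines out of ipconfig /all for every adapter and typing those addresses into the Trusted zone. The script below is an added example, not ZoneAlarm's or Microsoft's code: it parses a Windows XP style ipconfig /all listing and separates the candidate addresses into those that sit on one of the machine's own subnets and those that are only reachable through a gateway or the VPN tunnel (the "other connecting end" oldsod mentions in #4). That split is the check worth doing before step 2, since every address placed in the Trusted zone bypasses the Internet-zone rules for all of its traffic, not just DNS or DHCP. SAMPLE_IPCONFIG is constructed: the host name DELL-8250-DEN and 10.0.0.251 come from the log entry in #1; 10.0.0.1, 192.0.2.53 and the 172.16.x.x VPN adapter are made up for the example. A DHCP-disabled adapter (the VPN adapter here) prints no DHCP Server line at all, and a second DNS server appears on its own continuation line; the parser handles both.

```python
"""Pull DNS and DHCP server addresses out of 'ipconfig /all' output and sort
them into on-link versus remote before adding them to ZoneAlarm's Trusted zone.

Added example, not ZoneAlarm's or Microsoft's code. SAMPLE_IPCONFIG is a
constructed Windows XP style listing: the host name and 10.0.0.251 are from the
log entry in post #1; every other address (10.0.0.1, 192.0.2.53, the
172.16.x.x VPN adapter) is made up for the example.
"""
import ipaddress
import re

SAMPLE_IPCONFIG = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : DELL-8250-DEN
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Unknown
        IP Routing Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Intel(R) PRO/100 VE Network Connection
        Physical Address. . . . . . . . . : 00-11-22-33-44-55
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 10.0.0.251
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 10.0.0.1
        DHCP Server . . . . . . . . . . . : 10.0.0.1
        DNS Servers . . . . . . . . . . . : 10.0.0.1
                                            192.0.2.53
        Lease Obtained. . . . . . . . . . : Tuesday, April 07, 2009 9:12:44 AM

Ethernet adapter Cisco Systems VPN Adapter:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Cisco Systems VPN Adapter
        Physical Address. . . . . . . . . : 00-05-9A-3C-78-00
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 172.16.5.20
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . :
        DNS Servers . . . . . . . . . . . : 172.16.0.10
"""

# 'Label . . . : value' lines; the dots are padding, the label ends before them.
LABEL_RE = re.compile(r"^\s+(?P<label>[A-Za-z][A-Za-z0-9 ()\-]*?)\s*[. ]*:\s?(?P<value>.*)$")
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# XP prints 'IP Address'; Vista and later print 'IPv4 Address'.
FIELDS = {"IP Address": "ip", "IPv4 Address": "ip", "Subnet Mask": "mask",
          "DHCP Server": "dhcp", "DNS Servers": "dns"}


def parse_ipconfig(text):
    """Return {adapter name: {'ip': [...], 'mask': [...], 'dhcp': [...], 'dns': [...]}}."""
    adapters, current, last_field = {}, None, None
    for line in text.splitlines():
        stripped = line.rstrip()
        if stripped and not stripped[0].isspace() and stripped.endswith(":"):
            current = stripped[:-1]                      # adapter section header
            adapters[current] = {k: [] for k in ("ip", "mask", "dhcp", "dns")}
            last_field = None
            continue
        if current is None:                              # global header block, skip
            continue
        match = LABEL_RE.match(line)
        if match:
            last_field = FIELDS.get(match.group("label").strip())
            if last_field:
                adapters[current][last_field].extend(IPV4_RE.findall(match.group("value")))
        elif last_field:                                 # continuation, e.g. a second DNS server
            adapters[current][last_field].extend(IPV4_RE.findall(line))
    return adapters


def trusted_zone_candidates(adapters):
    """Split the DNS/DHCP servers (plus localhost, per post #6) into those on one of
    this machine's own subnets and those only reachable via a gateway or tunnel."""
    local_nets = [ipaddress.ip_network(f"{ip}/{mask}", strict=False)
                  for a in adapters.values() for ip, mask in zip(a["ip"], a["mask"])]
    candidates = {"127.0.0.1"}
    for a in adapters.values():
        candidates.update(a["dhcp"], a["dns"])
    on_link, remote = [], []
    for ip in sorted(candidates, key=ipaddress.ip_address):
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or any(addr in net for net in local_nets):
            on_link.append(ip)
        else:
            remote.append(ip)
    return on_link, remote


if __name__ == "__main__":
    on_link, remote = trusted_zone_candidates(parse_ipconfig(SAMPLE_IPCONFIG))
    print("Add to Trusted zone (on-link):", ", ".join(on_link))
    print("Remote; trust only if the VPN needs it:", ", ".join(remote))
```

    On a real machine, feed it the live output instead of the sample, e.g. `parse_ipconfig(subprocess.check_output(["ipconfig", "/all"], text=True))`. With the sample, 10.0.0.1 and 127.0.0.1 come out as on-link, while 172.16.0.10 (the DNS server handed out across the tunnel) and 192.0.2.53 (an off-link resolver) come out as remote; those are the two to think about before step 2, because trusting them admits all of their traffic, not only DNS replies.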
