
windows firewall

 
boris914

External


Since: Oct 16, 2006
Posts: 38



(Msg. 1) Posted: Mon Oct 16, 2006 7:25 am
Post subject: windows firewall
Archived from groups: microsoft>public>windowsxp>security_admin

I've been parsing pfirewall daily for over a year now and the only
OPEN-INBOUND records are for my RDP connections which also happens to
be the only exception in my firewall.

About a week ago I started getting OPEN-INBOUND UDP to port 1026 which
seems to be my DNS process (C:\WINDOWS\system32\svchost.exe -k
NetworkService) from various sources. I don't have any firewall
exceptions for this port.

Has anyone else seen this or know what's up?

boris914

External


Since: Oct 16, 2006
Posts: 38



(Msg. 2) Posted: Tue Oct 17, 2006 6:08 am
Post subject: Re: windows firewall
Archived from groups: per prev. post

Dave said:

>
> This is a question best suited for a FireWall related News Group.
>

Thanks Dave but this is not a general firewall question. The only
people who could answer my post are those who are monitoring
pfirewall.log of their XP clients and that should be those reading this
newsgroup ;)

I can only imagine 3 possible explanations for what I've seen:

1. Windows Firewall is hiccupping and letting stuff through
2. Some XP code is temporarily opening the firewall
3. There are some undocumented exceptions to the Firewall (I know there
are lots of special exceptions to the IPSec Packet Filter)

and I don't like any of these.

Steven L Umbach5

External


Since: Jul 05, 2004
Posts: 585



(Msg. 3) Posted: Tue Oct 17, 2006 10:33 pm
Post subject: Re: windows firewall
Archived from groups: per prev. post

Most likely that is simply return traffic [to source port] to your computer
for DNS name resolution from port 53 udp of the DNS server. Since your
computer initiates such the firewall would allow it back in. Don't know why
your logs started showing it but I really doubt it is anything malicious.

Steve


<boris914.DeleteThis@gmail.com> wrote in message
news:1161008714.879220.144510@i3g2000cwc.googlegroups.com...
> I've been parsing pfirewall daily for over a year now and the only
> OPEN-INBOUND records are for my RDP connections which also happens to
> be the only exception in my firewall.
>
> About a week ago I started getting OPEN-INBOUND UDP to port 1026 which
> seems to be my DNS process (C:\WINDOWS\system32\svchost.exe -k
> NetworkService) from various sources. I don't have any firewall
> exceptions for this port.
>
> Has anyone else seen this or know what's up?
>
boris914

External


Since: Oct 16, 2006
Posts: 38



(Msg. 4) Posted: Wed Oct 18, 2006 7:05 am
Post subject: Re: windows firewall
Archived from groups: per prev. post

Steven L Umbach wrote:
> Most likely that is simply return traffic [to source port] to your computer
> for DNS name resolution from port 53 udp of the DNS server. Since your
> computer initiates such the firewall would allow it back in.

I'd agree as I've seen that behavior before with other firewalls and
NAT routers but as I said I've been parsing pfirewall.log for over a
year and I've seen those return DNS connections daily but Windows
Firewall has always "DROP"ed them.

> Don't know why
> your logs started showing it but I really doubt it is anything malicious.

I doubt it's malicious (or a compromise) too. My security and
monitoring is extreme. I really think it's one of the three answers
that I previously listed and they all have MS as the common root cause
;)

I was really hoping to find someone else here who has been monitoring
pfirewall.log.
Steven L Umbach5

External


Since: Jul 05, 2004
Posts: 585



(Msg. 5) Posted: Thu Oct 19, 2006 7:15 pm
Post subject: Re: windows firewall
Archived from groups: per prev. post

Just to add that I am not sure how the Windows Firewall handles UDP since it
is not stateful. It could be possible that if the operating system does not
get a reply from the DNS server in a specific amount of time that the return
packet is dropped.

Steve


<boris914 RemoveThis @gmail.com> wrote in message
news:1161180319.995679.81320@k70g2000cwa.googlegroups.com...
> Steven L Umbach wrote:
>> Most likely that is simply return traffic [to source port] to your
>> computer
>> for DNS name resolution from port 53 udp of the DNS server. Since your
>> computer initiates such the firewall would allow it back in.
>
> I'd agree as I've seen that behavior before with other firewalls and
> NAT routers but as I said I've been parsing pfirewall.log for over a
> year and I've seen those return DNS connections daily but Windows
> Firewall has always "DROP"ed them.
>
>> Don't know why
>> your logs started showing it but I really doubt it is anything malicious.
>
> I doubt it's malicious (or a compromise) too. My security and
> monitoring is extreme. I really think it's one of the three answers
> that I previously listed and they all have MS as the common root cause
> ;)
>
> I was really hoping to find someone else here who has been monitoring
> pfirewall.log.
>
boris914

External


Since: Oct 16, 2006
Posts: 38



(Msg. 6) Posted: Mon Nov 13, 2006 10:30 am
Post subject: Re: windows firewall
Archived from groups: per prev. post

I found out what's going on. When Windows Firewall opens UDP ports for
an outbound connection, it opens the local source port to the world and
not just to the destination address. This port stays open to the world
for the duration of the firewall's timeout. I'm pretty shocked by this
behavior and it doesn't seem that anyone is aware of this.
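
A log check for the pattern discussed in this thread, added here as an example and not code from any poster: it parses pfirewall.log records and labels each OPEN-INBOUND UDP entry by whether its sender matches the remote address of a recent outbound UDP OPEN from the same local port. The sample log lines, the `window_s` default of 60 seconds and the label names are assumptions; the thread gives no timeout value.

```python
from datetime import datetime, timedelta

# Constructed sample in the pfirewall.log layout (documentation-range addresses).
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2006-11-10 09:00:00 OPEN UDP 192.0.2.10 198.51.100.53 1026 53 - - - - - - - -
2006-11-10 09:00:01 OPEN-INBOUND UDP 198.51.100.53 192.0.2.10 53 1026 - - - - - - - -
2006-11-10 09:00:20 OPEN-INBOUND UDP 203.0.113.77 192.0.2.10 4500 1026 - - - - - - - -
2006-11-10 09:05:00 OPEN-INBOUND TCP 203.0.113.5 192.0.2.10 2210 3389 - - - - - - - -
2006-11-10 09:30:00 DROP UDP 203.0.113.77 192.0.2.10 4500 1026 78 - - - - - - -
"""

def parse(text):
    """Parse log text into dicts keyed by the names in the #Fields header."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rec = dict(zip(fields, line.split()))
            rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"],
                                          "%Y-%m-%d %H:%M:%S")
            rows.append(rec)
    return rows

def classify_inbound_udp(rows, window_s=60):
    """Label OPEN-INBOUND UDP records against earlier outbound UDP OPENs.

    window_s is an assumed stand-in for the firewall's timeout.
    """
    outbound = {}   # local source port -> [(timestamp, remote ip), ...]
    findings = []
    for r in rows:
        if r["protocol"] != "UDP":
            continue
        if r["action"] == "OPEN":            # outbound: src is the local host
            outbound.setdefault(r["src-port"], []).append((r["ts"], r["dst-ip"]))
        elif r["action"] == "OPEN-INBOUND":  # inbound: dst is the local host
            recent = [ip for ts, ip in outbound.get(r["dst-port"], [])
                      if timedelta(0) <= r["ts"] - ts <= timedelta(seconds=window_s)]
            if r["src-ip"] in recent:
                label = "reply"        # sender is the host we contacted
            elif recent:
                label = "third-party"  # port opened outbound, different sender
            else:
                label = "unmatched"    # no recent outbound use of this port
            findings.append((r["src-ip"], int(r["dst-port"]), label))
    return findings
```

Records labelled `third-party` are the ones that fit the behavior described in Msg. 6; `unmatched` records have no outbound OPEN in the window and need a separate explanation.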