Mars Attacks! and apparently everyone else does too.

[Guest]

[Irish_Sean]

CFP / Latest version, using Proactive Security config, FW Safe, D+ Safe, Stealth ports to everyone.
WIN XP PRO SP3.
Dial up, no router.

After initial install I started to define some rules for common windows components and all hell has broke loose. I have set Lsass, Svchost, System, and Explorer to outgoing only using CFP's predefined rule. CFP is now logging 100/1000's of intrusion attempts on my computer I dont know what is going on.

I have included a screen, showing examples....HELP How can I be attacked when all my ports are stealthed?

[grue155]

How can I be attacked when all my ports are stealthed?

Believe it or not, this the normal amount of junk on the Internet these days. These are simply zombie probes being sent to any and all, to see if anything replies. You're stealthed, so they don't know that you're there. But it makes the logs look like a windscreen travelling down a motorway in locust season. It's unnerving, but harmless because CFP is keeping all the junk away from your machine.

To cut back on the amount of stuff being recorded in the logs, you can uncheck the box that says "log this" on the respective blocking rules.

[Irish_Sean]

Good to know grue155, I felt a little naked in the wind there. I thought I had miss-configured the Firewall in some way.

I still have a problem though, while playing Warrock an on-line FPS that is using P2P technology to connect players, my logs fill up with failled UDP attempts. When I firstt ran Warrock I set FW/D+ into training mode so Im pretty sure that I allowed CFP to accept inbound UDP for Warrock. Is the fact I set most Windows components to outgoing only superceeding this?

[grue155]

Maybe. The answer in probably in the way that firewall rules are evaluated. When packets are sent and received, the packets are processed in this sequence of rules:

   Internet  ---- Global Rules ------ Application Rules ------- application

Setting CFP for a training mode, lets CFP learn about the application and what rules need to be set for that application. Setting rules to be outgoing only doesn't allow packets to come in from the Internet if those packets are not in some kind of answer to something sent from the application.

P2P, on the other hand, has users out on the Internet who will query your machine. They just send packets to you, and those packets aren't answers, but are queries. So, those packets coming in, first encounter CFP global rules, and then the application rules. (And, if there is no specific application, the CFP "Windows Operating System" rules get used)

If those incoming packets are all coming to a single UDP port, then you'll need to set an application rule to allow those unsolicated packets to reach the application. And you'll likely need to add a global rule to allow that packet to get thru, also.

[Irish_Sean]

If those incoming packets are all coming to a single UDP port, then you'll need to set an application rule to allow those unsolicated packets to reach the application. And you'll likely need to add a global rule to allow that packet to get thru, also.

Thanks for taking the time to explain that grue155, very nice of you. I didn't want to report back without trying to create these rules myself, but as you can in the logs I have made things worse. Could someone in the know check them out and determine what adjustments I need to make, or better yet if someone else plays Warrock without lag could you post your rules.

Thanks Sean.

[Tags:]