I just installed CFP. I have a log entry that I cannot explain: it is my machine reported to be connecting to my Gateway. I have allowed the access (it was blocked by default), but I do not understand what is actually happening and why.
Date/Time :2007-02-16 09:44:27
Severity :Low
Reporter :Network Monitor
Description:Information (Access Granted, ICMP = PORT UNREACHABLE)
Protocol:ICMP Outgoing
Source: 192.168.1.2
Destination: 192.168.1.1
Message: PORT UNREACHABLE
Reason: Network Control Rule ID = 5
Can someone explain the circumstances of this activity to me?
While you are at it, can you also tell me something about the following entry please:
Date/Time :2007-02-17 20:06:24
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.3, Port = nbdgram(138))
Protocol: UDP Incoming
Source: 192.168.1.3:nbdgram(138)
Destination: 192.168.1.255:nbdgram(138)
Reason: Network Control Rule ID = 5
192.168.1.3 is one of the 3 PCs on my Wireless network, while 192.168.1.255 is the Broadcast address of my router. The same entries are ALSO found for Port 137.
What activity is taking place, and should I allow it or not?
Ah ha! “One of 3 PCs”! If you have CFP installed on a PC that is part of a LAN, you need to create a zone that encompasses the IP addresses of all the PCs on your LAN (including your router) and then set that zone as trusted.
1. Open CFP
2. Click SECURITY - TASKS - ADD/REMOVE/MODIFY A ZONE
3. Click the ADD button
4. Give your zone a meaningful name and enter the start and end addresses of the LAN.
5. When prompted, select the zone name we defined in step 4
This wizard will create two additional network monitor rules and position them as rule 0 and 1.
These steps need to be done on each PC on your LAN that has CFP installed.
The traffic you’re seeing on ports 137 and 138 is normal LAN setup traffic and is how PCs identify the other nodes on the LAN. This is normal and will be automatically allowed once you have defined trusted zones on all the CFP equipped PCs.
I saw a recommendation for the following rule to be added.
Action=Allow
Protocol=UDP
Direction=In
SourceIP=Broadcast address of router (192.168.1.255)
Destination=PC ( I assume the range of LAN IPs)
IP Details=Any
My questions are:
1- If I define a Trusted Zone, then do I need the above rule or not?
2- What is the harm in allowing the traffic “In/Out” instead of just “In”, as defined in the above rule?
Thanks for your advice, I configured everything as you suggested, all seems well except that everyday I see numerous entries in my log, identical to this one:
192.168.1.2 is my machine, which is one of the three Win XP Pro SP2 machines connected to the internet via a wireless router. I do not have any application that runs in the background that could possibly be trying to connect anywhere to download any video clip that could generate the above noted log entries every day, all the time. These entries occur even if the other 2 machines on my network are off.
From Wikipedia
The Internet Group Management Protocol is a communications protocol used to manage the membership of Internet Protocol multicast groups. IGMP is used by IP hosts and adjacent multicast routers to establish multicast group memberships. It is an integral part of the IP multicast specification, like ICMP for unicast connections. IGMP can be used for online video and gaming, and allows more efficient use of resources when supporting these uses. IGMP does allow some attacks, and firewalls commonly allow the user to disable it if it will not be needed.
There is something on your PC attempting to send out an IGMP packet to the destination IP 224.0.0.22 (Any idea what this IP is? Something at your ISP perhaps?). Although IGMP is usually associated with online gaming and video, it can be used for other online activities.
Are there any indications in the logs as to what application is attempting to send?
Are all of your applications working, even if these IGMP packets are being blocked?
Please note that an entry in the log doesn’t necessarily indicate an error. It is an indicator of activity, attempted activity or failed activity. Just because it’s in the logs, doesn’t mean it’s bad.
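As an added example (not from the thread or from Comodo), here is a small Python script that parses entries in the Network Monitor log layout quoted above and labels the three kinds of traffic discussed: the ICMP port-unreachable reply to the gateway, the NetBIOS broadcasts on ports 137/138 between LAN peers, and IGMP sent to 224.0.0.22, which is the IANA-assigned destination for IGMPv3 membership reports. The 192.168.1.0/24 trusted-zone range is an assumption taken from the addresses in the posts.

```python
import ipaddress
import re
# Constructed sample: the two Network Monitor entries quoted in the thread, in CFP's layout.
SAMPLE_LOG = """\
Date/Time :2007-02-16 09:44:27
Severity :Low
Reporter :Network Monitor
Description:Information (Access Granted, ICMP = PORT UNREACHABLE)
Protocol:ICMP Outgoing
Source: 192.168.1.2
Destination: 192.168.1.1
Reason: Network Control Rule ID = 5

Date/Time :2007-02-17 20:06:24
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.3, Port = nbdgram(138))
Protocol: UDP Incoming
Source: 192.168.1.3:nbdgram(138)
Destination: 192.168.1.255:nbdgram(138)
Reason: Network Control Rule ID = 5
"""
LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed trusted zone for the poster's LAN
NETBIOS_PORTS = {"137", "138", "139"}          # NetBIOS name, datagram and session services

def parse_entries(text):
    """Split a CFP log dump into one dict per entry; a blank line separates entries."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = (line.partition(":") for line in block.splitlines())  # split on first ':' only
        entries.append({k.strip(): v.strip() for k, _, v in fields})
    return entries

def endpoint(field):
    """'192.168.1.3:nbdgram(138)' -> (IPv4Address, '138'); a bare IP gives port None."""
    ip, _, port = field.partition(":")
    m = re.search(r"\((\d+)\)", port)
    return ipaddress.ip_address(ip), (m.group(1) if m else (port or None))

def classify(e):
    proto = e.get("Protocol", "")
    (src, _), (dst, dport) = endpoint(e["Source"]), endpoint(e["Destination"])
    if proto.startswith("ICMP") and "PORT UNREACHABLE" in e.get("Description", ""):
        return "icmp-port-unreachable"   # this host answering a datagram sent to a closed port
    if proto.startswith("UDP") and dport in NETBIOS_PORTS and src in LAN and dst == LAN.broadcast_address:
        return "netbios-lan-broadcast"   # name-service/datagram broadcasts between LAN peers
    if proto.startswith("IGMP") and dst == ipaddress.ip_address("224.0.0.22"):
        return "igmpv3-membership-report"  # 224.0.0.22 is the IGMPv3 report address (IANA)
    return "unclassified"
```

Anything that comes back "unclassified" is the entry worth reading closely; the three labelled classes are the LAN housekeeping the replies above describe.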