CPF exposes MAC address!!

ronkeli · September 14, 2006, 4:50pm

I’m running CPF ver. 2.3.5.62 but still GRC shields up test is able to read my MAC address?! Can someone help a newb? Has anyone else had similar issue? I would love to use comodo, but this sounds no good!

AOwL · September 14, 2006, 5:12pm

Are you using the default network monitor rules, or have you changed anything? Are you behind a router?

Kempo · September 14, 2006, 5:14pm

Should it make a difference whether a router is involved or not?

AOwL · September 14, 2006, 5:27pm

Maybe not in this case, but if you test your software firewall, you have to turn off (DMZ) your router/hardware firewall, otherwise you are testing the router and not your software firewall.

So IF he have one, then he have problems with both… ;D

egemen · September 14, 2006, 7:47pm

This means it is connecting to the PC over netbios. Tell us more about your internet connection(ADSL modem etc.) and your network monitor rules pls. Have you changed default rules?

ronkeli · September 16, 2006, 3:15pm

My connection is 100mbit LAN and no physical firewall that i would know of! This happens with default settings. I used Symantec Client Security for a while and no such “threat” was present.

This is the message Shields up shows:
“Unable to connect with NetBIOS to your computer.
The attempt to connect to your computer with NetBIOS protocol over the Internet (NetBIOS over TCP/IP) FAILED. But, as you can see below, significant personal information is still leaking out of your system and is readily available to curious intruders. Since you do not appear to be sharing files or printers over the TCP/IP protocol, this system is relatively secure. It is exposing its NetBIOS names (see below) over the Internet, but it is refusing to allow connections, so it is unlikely that anyone could gain casual entry into your system due to its connection to the Internet.”

egemen · September 16, 2006, 5:27pm

ronkeli post:6:

My connection is 100mbit LAN and no physical firewall that i would know of! This happens with default settings. I used Symantec Client Security for a while and no such “threat” was present.

This is the message Shields up shows:
“Unable to connect with NetBIOS to your computer.
The attempt to connect to your computer with NetBIOS protocol over the Internet (NetBIOS over TCP/IP) FAILED. But, as you can see below, significant personal information is still leaking out of your system and is readily available to curious intruders. Since you do not appear to be sharing files or printers over the TCP/IP protocol, this system is relatively secure. It is exposing its NetBIOS names (see below) over the Internet, but it is refusing to allow connections, so it is unlikely that anyone could gain casual entry into your system due to its connection to the Internet.”

This should be related to your router or gateway. Otherwise, while CPF is installed, and default rules are not changed, this can not happen.

ronkeli · September 17, 2006, 9:08am

But CPF is the only firewall that allows this to happen! Jetico, Symantec Client Security, Zone Alarm, even windows firewall can prevent this type of connection, but CPF allows shields up to read the MAC address.

egemen · September 17, 2006, 1:37pm

Hmmm. They should also behave similar. Can you show us a screenshot of the network monitor rules?

Thx,
Egemen

ronkeli · September 19, 2006, 5:37pm

Here are the rules, they are the default ones! Thank you for you help!

[attachment deleted by admin]

egemen · September 19, 2006, 6:34pm

Nothing is wrong with these rules. Can you describe your network configuration to us? How do you connect to the Internet? ADSL, Cable? Whats your computers internal IP address(e.g 192.168.0.1)?
Do you use a gateway computer which shares the internet connection or the adsl/cable router does this job?

For example, is this name in the grc.com site, the name of the PC that has CPF installed?

Egemen

ronkeli · September 19, 2006, 7:27pm

I connect directly to a 100mbit LAN network which is a part of funet (Finnish university network http://www.csc.fi/suomi/funet/index.html) and I have no physical firewall in between. Shields up does display my internal ip address.

egemen · September 20, 2006, 5:58am

What you can do is the following:

1- While testing, setting CPF to Block All, and see if it makes a difference.
2- Create a rule below the BLOCK IP IN/OUT rule so that if CPF allows something, we will see.

To create the rule,

1- go to Network monitor
2- select “Add” button
3- Action = Allow, Protocol = IP, Direction = IN/OUT and “Create an alert when this rule is fired” selected
4- Press OK button.

After these steps, ALLOW IP IN/OUT FROM ANY TO ANY must be created just below the BLOCK IP IN/OUT rule.

Restest and let us see your CPF logs.

Egemen

ronkeli · September 20, 2006, 5:01pm

Block all literally blocks all and the test can’t even initiate as well as no other web pages are available. CPF does not log anything even though the rule was applied. But if I create a rule that blocks TCP/UDP in/out on ports 137-139 (netBIOS ports) then shields up is no longer able to lurk my mac address! Problem solved? Hmm, doesn’t anyone else have had this problem? So if I understood right, CPF doesn’t block those ports automatically? I read somewhere that many ISPs block these ports as a matter of course.

I can now cope with this “feature” as I know how to deal with it, but i bet there are people out there who doesn’t even think that such “risk” could exist.

I shall thank you egemen for you willingness to help and i will continue using cpf because it is a lot lighter than symantec products and yet fairly easy to operate and configure, and what most important it is free!

egemen · September 20, 2006, 8:32pm

ronkeli post:14:

Block all literally blocks all and the test can’t even initiate as well as no other web pages are available. CPF does not log anything even though the rule was applied. But if I create a rule that blocks TCP/UDP in/out on ports 137-139 (netBIOS ports) then shields up is no longer able to lurk my mac address! Problem solved? Hmm, doesn’t anyone else have had this problem? So if I understood right, CPF doesn’t block those ports automatically? I read somewhere that many ISPs block these ports as a matter of course.

I can now cope with this “feature” as I know how to deal with it, but i bet there are people out there who doesn’t even think that such “risk” could exist.

I shall thank you egemen for you willingness to help and i will continue using cpf because it is a lot lighter than symantec products and yet fairly easy to operate and configure, and what most important it is free!

It should not behave like that. If the first rule in network monitor is not “TCP/UDP IN/OUT”, your rules must block without any need to write that TCP/UDP IN 137 rule.

Default CPF configuration must give you fulll stealth. You should not have needed to add an additional rule. Where did you add this rule TCP/UDP in/out on ports 137-139 rule? At the end of the rules or beginning of the rules?

Egemen