Firewall Notices - Default, or delay?

I got a notification that an application was attempting to connect to a host:port and wanted to investigate this activity before allowing/denying it. I started Google’n it and by the time I was to the point where I could research common uses for the port the firewall’s dialog box disappeared. I searched the logs and found no reference to it, so I can only assume that there was some sort of default to “yes” after a predetermined amount of time. Is that the case, or have I overlooked something?

– Tom

The default action on ALL alerts is BLOCK.

Can you set the amount of time before the default action is taken?

– Tom

For Firewall alerts, open CIS and click FIREWALL → ADVANCED → FIREWALL BEHAVIOUR SETTINGS
Maximum setting is 999 seconds.

For Defense+ alerts, open CIS and click DEFENSE+ → ADVANCED → DEFENSE+ SETTINGS
Maximum setting is 999 seconds.

Hope this helps,
Ewen :)

A graphic example of what Panic has said.

[attachment deleted by admin]

Excellent! Thank you both for your help!

While I’ve got your attention, what do you normally do when you see suspicious activity?

I’m inclined to look up DNS & WHOIS information and then determine the typical use for the port(s) involved. Any special sites you use? Tools?

Cheers,
Tom

DNS and WHOIS are good places to start.

http://www.networksorcery.com/enp/protocol/ip/ports00000.htm

This is a listing of commonly used ports. Ports 0-1026 are reserved for standard communications (i.e. port 80 is HTTP transfer). Ports above 1026 (up to port 65535) can be and are used by anything.

The best place to start is your system. Learn what is on there and what the port requirements are.

Knowing what should be happening is the first step in spotting what should not be happening.

Hope this helps,
Ewen :)
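
The "know what should be happening" advice above, sketched as an added example that is not part of the original thread: each firewall alert is compared with a baseline of the ports every program is expected to use, and DNS/WHOIS follow-up is suggested only where it can tell you something. The baseline entries, program names, addresses and the `triage` helper are all constructed for illustration.

```python
import ipaddress
import socket

# Constructed baseline: the remote (protocol, port) pairs each program on
# this machine is expected to use. Build yours from what is installed.
BASELINE = {
    "firefox.exe": {("tcp", 80), ("tcp", 443)},
    "thunderbird.exe": {("tcp", 587), ("tcp", 993)},
    "svchost.exe": {("udp", 53), ("udp", 123)},
}


def service_name(port, proto):
    """Registered name for the port in the local services file, if any."""
    try:
        return socket.getservbyport(port, proto)
    except (OSError, OverflowError):
        return "unregistered"


def triage(app, remote, port, proto, baseline=BASELINE):
    """Classify one firewall alert against the baseline."""
    if not 0 <= port <= 65535:
        raise ValueError(f"invalid port: {port}")
    app, proto = app.lower(), proto.lower()
    addr = ipaddress.ip_address(remote)  # raises ValueError on bad input
    if app not in baseline:
        verdict = "unknown-application"
    elif (proto, port) in baseline[app]:
        verdict = "expected"
    else:
        verdict = "unexpected-port"
    # DNS and WHOIS only say something about publicly routed addresses.
    lookups = [] if addr.is_private or verdict == "expected" else ["dns", "whois"]
    return {
        "verdict": verdict,
        "service": service_name(port, proto),
        "lookups": lookups,
    }


if __name__ == "__main__":
    # Constructed alerts: (application, remote address, port, protocol)
    for alert in [
        ("firefox.exe", "8.8.8.8", 443, "tcp"),
        ("firefox.exe", "8.8.8.8", 6667, "tcp"),
        ("updater.exe", "192.168.1.20", 445, "tcp"),
    ]:
        print(alert, triage(*alert))
```

An alert that comes back as anything other than `expected` is the one worth raising the alert timeout for and researching before answering.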