Firewall Blocking IP

I have started to get numerous “network intrusions” in CIS V6. The IP address (source & destination) appears to be the IP of my D-Link wireless router.

Here is a sample of the firewall log.

2013-07-03 02:33:07 Windows Operating System Blocked In ARP 192.168.0.100 192.168.0.100
2013-07-03 02:33:02 Windows Operating System Blocked In ARP 192.168.0.100 192.168.0.100
2013-07-03 02:27:43 Windows Operating System Blocked In ARP 192.168.0.100 192.168.0.100
2013-07-03 02:27:38 Windows Operating System Blocked In ARP 192.168.0.100 192.168.0.100
2013-07-03 02:17:58 Windows Operating System Blocked In ARP 192.168.0.100 192.168.0.100
2013-07-03 02:17:57 Windows Operating System Blocked In ARP 192.168.0.100 192.168.0.100
2013-07-03 02:12:33 Windows Operating System Blocked In ARP 192.168.0.100 192.168.0.100
2013-07-03 02:02:55 Windows Operating System Blocked In ARP 192.168.0.100 192.168.0.100
2013-07-03 02:02:53 Windows Operating System Blocked In ARP 192.168.0.100 192.168.0.100
2013-07-03 01:57:29 Windows Operating System Blocked In ARP 192.168.0.100 192.168.0.100
2013-07-03 01:57:27 Windows Operating System Blocked In ARP 192.168.0.100 192.168.0.100
2013-07-03 01:47:54 Windows Operating System Blocked In ARP 192.168.0.100 192.168.0.100
2013-07-03 01:47:48 Windows Operating System Blocked In ARP 192.168.0.100 192.168.0.100
2013-07-03 01:42:08 Windows Operating System Blocked In ARP 192.168.0.100 192.168.0.100
2013-07-03 01:42:07 Windows Operating System Blocked In ARP 192.168.0.100 192.168.0.100
2013-07-03 01:32:58 Windows Operating System Blocked In ARP 192.168.0.100 192.168.0.100
2013-07-03 01:32:57 Windows Operating System Blocked In ARP 192.168.0.100 192.168.0.100
2013-07-03 01:27:34 Windows Operating System Blocked In ARP 192.168.0.100 192.168.0.100
2013-07-03 01:27:33 Windows Operating System Blocked In ARP 192.168.0.100 192.168.0.100
2013-07-03 01:17:55 Windows Operating System Blocked In ARP 192.168.0.100 192.168.0.100
2013-07-03 01:17:52 Windows Operating System Blocked In ARP 192.168.0.100 192.168.0.100
2013-07-03 01:12:29 Windows Operating System Blocked In ARP 192.168.0.100 192.168.0.100
2013-07-03 01:12:28 Windows Operating System Blocked In ARP 192.168.0.100 192.168.0.100
2013-07-03 01:02:50 Windows Operating System Blocked In ARP 192.168.0.100 192.168.0.100
2013-07-03 01:02:48 Windows Operating System Blocked In ARP 192.168.0.100 192.168.0.100
2013-07-03 00:56:39 Windows Operating System Blocked In ARP 192.168.0.100 192.168.0.100
2013-07-03 00:56:38 Windows Operating System Blocked In ARP 192.168.0.100 192.168.0.100

I am now up to 29 network intrusions as I type (make that 31 now).

Is this normal? I didn’t have this issue in V5. Is there anything I can do to the settings to decrease the amount of network intrusions I keep getting?

Thanks in advance.

Check to see if ‘protect ARP cache’ is ticked in Firewall Behavior settings, advanced.

You’ll only need that if all the nodes on the network are DHCP assigned IP addresses or you’re doing printer / file sharing and there’s risk of a rogue user on your network trying to implement a Man-in-the-Middle attack.

Or disable that function on the router.

Thanks.

There is no setting called ‘protect ARP cache’ in firewall Behavior settings, advanced.

However, I will uncheck the “Enable anti-ARP Spoofing” box in advanced settings and see if that works.

Is there any difference security-wise?

When using a wireless connection you want the ARP cache protection enabled. ARP cache poisoning is the royal way in when hacking a wireless network.

With v6.2 the ARP traffic gets logged and that is what you are seeing. WxMan1 is using v5 wording for the protection settings.

Can you check to what computer the IP address 192.168.0.100 belongs? Are there other computers on your local network? 192.168.0.100 is not a regular IP address for a router; it is usually for connected devices.

Here are the IP addresses assigned to the computers on the LAN

IP Address Name (if any) MAC
192.168.0.100 UNKNOWN 0c:77:1a:28:cf:87
192.168.0.101 NetPC 78:92:9c:61:60:ec
192.168.0.103 VAIO 4c:0f:6e:ef:d5:5d
192.168.0.104 UNKNOWN a4:e7:31:9b:3c:b6
192.168.0.102 LN430010 a0:88:b4:8c:f6:90

The NetPC, Vaio, and LN430010 are computers on the network that use the wifi. The two UNKNOWNS (192.168.0.100 & 192.168.0.104) are cell phones that use the wifi.

So it appears that all the IP addresses are accounted for.

If all IP addresses are accounted for then there is nothing to worry about. Then you’re just watching ARP in action; which now gets logged by the Firewall.

Thanks for the info.

Is there a reason why they are considered “network intrusions”? It is a little unnerving to open up CIS and see 31 network intrusions. Any way to combat this?

Thanks

Maybe it could be better named blocked connection attempts. That is a more neutral term.

Thanks for the info.

Excuse my ignorance but, since the IP addresses that are being “blocked” are accounted for, is there a way to prevent them from being blocked? Or would that decrease my security? Can they be added to the “home network - Wireless” which has the following defined zones?

Loopback Zone
IP in [127.0.0.1 / 255.0.0.0]

Home #1
IP in [192.168.0.100 / 255.255.255.0]
IP6 in [fe80::39b9:a49a:35cc:7795 / 64]

Thanks for your time.

You can make your local network trusted using the Stealth Ports Wizard choosing the option Alert incoming connections. That way you will be alerted when one of your devices tries to access your computer and you can make rules on the fly.

I prefer the now removed option to trust a network zone using the Stealth Ports Wizard. Since that is gone we will have to adapt the Global Rules and application rule for System manually. Let me know if you want to go this way then I will provide more information.

Making your local network trusted is strictly speaking a security risk. But assuming your other computers are also well protected this of course minimises the risk.

I have chosen the option to “Alert incoming connections” in the Stealth Ports Wizard. We will see if the number of “network intrusions” decreases over time.

Thanks for your time and advice.
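
Added example (not part of the original thread): a small Python script that does the check discussed above, matching the source IP of each blocked ARP entry in the firewall log against the router's lease table and reporting any address that is not accounted for. The log-line pattern is inferred from the sample posted in the thread, and the last sample line (192.168.0.150) is constructed for illustration.

```python
import re
from collections import defaultdict

# Lease table as posted in the thread: IP -> (name, MAC).
LEASES = {
    "192.168.0.100": ("UNKNOWN", "0c:77:1a:28:cf:87"),
    "192.168.0.101": ("NetPC", "78:92:9c:61:60:ec"),
    "192.168.0.102": ("LN430010", "a0:88:b4:8c:f6:90"),
    "192.168.0.103": ("VAIO", "4c:0f:6e:ef:d5:5d"),
    "192.168.0.104": ("UNKNOWN", "a4:e7:31:9b:3c:b6"),
}

# Field layout assumed from the log sample in the thread:
# date time, application, action, direction, protocol, source IP, destination IP
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<app>.+?) "
    r"(?P<action>\w+) (?P<dir>In|Out) (?P<proto>\S+) (?P<src>\S+) (?P<dst>\S+)$"
)

SAMPLE = """\
2013-07-03 02:33:07 Windows Operating System Blocked In ARP 192.168.0.100 192.168.0.100
2013-07-03 02:33:02 Windows Operating System Blocked In ARP 192.168.0.100 192.168.0.100
2013-07-03 02:27:43 Windows Operating System Blocked In ARP 192.168.0.100 192.168.0.100
2013-07-03 02:27:38 Windows Operating System Blocked In ARP 192.168.0.100 192.168.0.100
2013-07-03 02:30:00 Windows Operating System Blocked In ARP 192.168.0.150 192.168.0.101
"""  # last line is constructed, not from the thread

def triage(log_text, leases=LEASES):
    """Summarise blocked ARP entries per source IP and mark known devices."""
    summary = defaultdict(lambda: {"count": 0, "self_addressed": 0,
                                   "first": None, "last": None})
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m or m["proto"] != "ARP" or m["action"] != "Blocked":
            continue
        s = summary[m["src"]]
        s["count"] += 1
        # source == destination is the shape of a device announcing its own address
        s["self_addressed"] += m["src"] == m["dst"]
        s["first"] = m["ts"] if s["first"] is None else min(s["first"], m["ts"])
        s["last"] = m["ts"] if s["last"] is None else max(s["last"], m["ts"])
    for ip, s in summary.items():
        s["owner"] = leases.get(ip, (None, None))[0]
        s["accounted_for"] = ip in leases
    return dict(summary)

def unaccounted(summary):
    """Source IPs that sent ARP traffic but have no entry in the lease table."""
    return sorted(ip for ip, s in summary.items() if not s["accounted_for"])

if __name__ == "__main__":
    result = triage(SAMPLE)
    for ip, s in sorted(result.items()):
        print(ip, s)
    print("not in lease table:", unaccounted(result))
```

An empty "not in lease table" list corresponds to the "all IP addresses are accounted for" case in the thread; any address listed there is the one to identify before trusting the local network zone.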