HELP me configure my CFP3

Okay I’ve checked the IPs making inbound attempts on me, but the info provided by WHOIS doesn’t seem very useful.

All the inbound attempts regarding System and svchost.exe came from the same IP range as my own, which according to WHOIS corresponds to some “Coordination Centre” in Europe. That’s like no info at all though, I’m in that range and so could anyone I know nothing about.

Alerts for the System Idle Process came both from that same IP range, and from others, which WHOIS identifies as various other Internet organizations, most times in the USA.

Is this normal traffic? Still I get no undesired effect from blocking it. Is this some kind of routine monitoring coming from the Internet infrastructure? I’ve left things as they were and I’ve disabled logging for the “block inbound” global rule. I could still use some explanation if some wise buddy would be kind enough. :slight_smile:

LOL I know this is trivial stuff compared to the bigger scheme of things, but why does CFP3 install the desktop icon if it doesn’t work? V2 used to open with both options.
Not the end of the world anyway is it :wink:

I too have the same problem with the desktop icon not working (so does my brother). What is the point of having the icon on the desktop if it doesn't open the program??

You don't need a desktop icon for a program that runs auto when you start your pc... The desktop shortcut icon is to start a program... but the firewall is already running auto from the boot... You can see the sys tray icon as a minimized program. If you start, let's say, Microsoft Word with the desktop icon, work on a document and then minimize it to browse the web or something, do you click on the desktop icon when you want to continue to work on the document? No, you probably click on the minimized tab or, for some programs, the sys tray icon to continue to work with the program. You can use the desktop icon if you have turned off the firewall for some reason, to start it again.

Well they may have a point about Fitts’ law. ;D

Hi Japo - the point in defining a LAN is to allow communication with things connected to your computer. Your default gateway - your router or ADSL modem is defined as a LAN address, usually 192.168.1.254 or 192.168.0.254. There are also a couple of other default addresses - 192.168.0.0 and 192.168.0.255 (or 192.168.1.0/192.168.1.255) which are used for system functions. Click Start>Run>cmd and type ipconfig and press enter. This will give you the addresses for your system.
You could just write the permissions as follows (Change the port range to reflect your results from ipconfig):
Allow IP out from All to 192.168.1.0-192.168.1.255 where protocol is Any
Allow IP in from 192.168.1.0-192.168.1.255 to All where protocol is Any
Allow IP out from All to 224.0.0.0-224.0.0.255 where protocol is Any
Allow IP out from All to 239.0.0.0-239.255.255.255 where protocol is Any
Allow IP in from 224.0.0.0-224.0.0.255 to All where protocol is Any
Allow IP in from 239.0.0.0-239.255.255.255 to All where protocol is Any
Allow TCP and UDP out from IP Any to IP Any where source port is any and destination port is any
Allow ICMP out from Any to 192.168.1.0-192.168.1.255 where message is Any
Allow ICMP in from 192.168.1.0-192.168.1.255 to Any where message is Any
Block and Log IP In or Out from IP Any to IP Any where protocol is Any
You will have to do this for both Svchost.exe and Services or you could write the above as a Predefined Firewall Policy called LAN and Outgoing and apply it to those two processes.
Then there are some global policies (Firewall>Advanced>Network Security Policies>Global Rules tab). The following should be added:
o Allow and Log TCP or UDP Out From IP Any to IP Any Where Source Port Is In [Privileged Ports] And Destination Port Is Any
o Allow TCP or UDP Out From IP Any to IP Any Where Source Port Is Not In [Privileged Ports] And Destination Port Is Any
o Allow IP out from Any IP to Any IP where the protocol is GRE
o Allow ICMP Out From IP Any to IP Any Where ICMP Message Is ECHO REQUEST
o Allow ICMP In From IP Any to IP Any Where ICMP Message Is ECHO REPLY
o Allow ICMP In From IP Any to IP Any Where ICMP Message Is TIME EXCEEDED
o Allow ICMP In From IP Any to IP Any Where ICMP Message Is FRAGMENTATION NEEDED
This set of rules is much tighter (and lifted from the link in a previous post).
The only virtue of defining your local network zone is to limit the addresses that are permitted to use system processes like svchost.exe. Note that svchost.exe also needs to be able to send TCP or UDP out to the internet and ICMP out to the Local network. You can use the defaults that are installed at setup, but that is a bit more permissive than restricting permissions as spelled out above. One thing that I forgot about the setup outlined on the link above is that it also tells you about Stealthing your ports. If you do not need LAN permissions, you should select the “Block all incoming connections…” option.

Hi AnotherOne,

Thanks a lot for your attention. :slight_smile: However, are you sure that it’s the same whether I have a router or modem? I’m not confusing both terms, I don’t have a router, I have this. If I run ipconfig I get this:

IP Address: ...
Subnet Mask: 255.255.255.255
Default Gateway: ...

If you don’t have a lan as you said and only a router the settings should be different.
“Anotherone” seems to think that you have a lan.
A question for you.
Have you been to firewall/common tasks/stealth ports wizard and made any setting? You should try the “block all - stealth my ports” option and see what happens.
I have a lan myself and I also get those blocked system idle logs… they are mostly from the router, but they have also been from outside my lan. I don’t have any errors either Japo, but it would be great with an explanation… I don’t have one yet…

Hi Japo - I am behind a router, so I was guessing that it was the same for your modem. If you don’t have a LAN and there is no IP for the router, use your MAC or computer name (I think that you can get this easiest from AIDA32, WinAudit or a similar system info utility) instead of the IP range. I am guessing that you probably don’t need the Local Multicasting IP ranges as well. I added that on my system because there was a regular blocked attempt to connect to 224.0.0.24, which is a multicasting reserved IP address and, I believe, safe. You should certainly stealth your ports. In your case, the “Block all Incoming Connections…” option would be fine. The Global Rules additions look like they are worth adding to me. I personally feel that it is worth the effort to restrict svchost.exe and Services to your computer with added permission for outgoing TCP and UDP connections. I am not sure about System Idle, but I think that it should be fine if restricted to your machine. Explorer.exe should be restricted to your local machine as well.

OK, I’ll try it.
I’ve done it (remembering, allowing), but I’ve just reinstalled CFP >:( . I have 2 apps for 2 product divisions, and each one of them has about 5/6 exes (inventory, sales in, sales out, etc.; I open the main window through a .BAT), so I have to allow 12 exes.

Today I got System & System Idle Process blocked again ??? (attached)

Hmm, makes sense. I was afraid that there was something wrong with my CFP installation, but if it’s a known “bug” then I shouldn’t be worried. 8)

Thx for the reply AnotherOne, but I wonder, why does CFP block something that’s legit ??? What will happen if these System Idle, System, etc. are blocked? Coz I don’t see any problem.

Another question:
When I tried to connect to the internet using a PC card, CFP asked me something (same thing when I was trying to connect to the LAN). What should I do about that? I don’t wanna accidentally allow everything.

[attachment deleted by admin]

Those entries are Netbios (file sharing) connection attempts. Better make some extra global rules to block any of this traffic leaking outside your lan over the internet.

Firewall\Common Tasks\My Port Sets

  • Netbios
    IN (135-139)
    445

Add these after your trusted network rules:

  • Block and Log TCP or UDP Out From IP Any to IP Any Where Source Port is In [Netbios] And Destination Port Is ANY
  • Block and Log TCP or UDP In From IP Any to IP Any Where Source Port is ANY And Destination Port is In [Netbios]

Thanks. I ran the “stealth ports wizard” and selected that option, however I didn’t notice any change in the rules. CFP has always stealthed the ports right? I don’t think I need to allow anything particular (unless I want to use P2P of course) since the only existing global rule is “block everything inbound”, and still I have internet access ok.

As for the permissions for those processes, the install default setting was the “outgoing only” predefined policy for both System and svchost.exe, so that’s safe if I understood you right? The System Idle Process hasn’t attempted anything on its own and there’s no app rule about it, but as I said it’s getting millions of inbound attempts, and so are System and svchost.exe, but all those are blocked by the global rule.

Ganda, if Defense+ was set to Clean PC mode and you had left CFP configure itself automatically as default during install, you shouldn’t get popups from programs that were present in your computer before CFP was installed. But you can also switch temporarily to Train mode, that’s intended for programs installed after CFP I think.

thx for the reply AnotherOne, but I wonder, why does CFP block something that's legit ??? What will happen if these System Idle, System, etc. are blocked? Coz I don't see any problem.

If I’m getting this right, those connections are not started by the legit processes, even being about them. They’re attempted from the outside, and since they weren’t solicited by you, it makes sense not to trust them. Blocking someone outside to access your system doesn’t stop it from functioning.

Gibran, thanks a lot. I’ve defined the outbound rule although the logs say it’s not being fired. But I don’t need the inbound rule if I already have the “Block IP In From IP Any to IP Any Where Protocol Is Any”, right? “Block IP” implies blocking everything including TCP and UDP right?

Anyway Toggie is getting the same inbound attempts and they’re not confined to ports 135-139 and 445, and although I deleted the massive logs I’m pretty sure they come from other ports for me as well (could turn logging back on if you want).

??? Sorry, but I don’t follow ;D Did you say that to Japo or me?
Can you explain it more? Hey, I’ve put all the exes in Defense+/Computer Security Policy as trusted apps, but Defense+ still alerts me >:(

One more question:
In Network Zones, I have my PC card listed. Isn’t it dangerous, since I use it to connect to the internet?

Yep, that Block IP rule blocks inbound netbios traffic as well.

Yep, Toggie has no predictable source or destination port so it’s not easy to guess what’s going on.
Anyway I guess that Invalid tcp flag combinations would appear in the log as plain connections too.

Those are safety rules that apply to dialup users and you :stuck_out_tongue: I looked at your log and you have dangerous inbound traffic blocked.
I guess you should check if something is leaking. :o

Network zones serve only one purpose: selecting them when you need to fill in the firewall source or destination IP while editing/creating a rule.

??? I’m really frustrated configuring CFP >:( ;D
Hey, can anyone help me pls? I’ll start from the beginning:
I have a notebook with CFP 3.
I connect to the internet using a dial up connection & PC card.
I connect to a cable LAN (192.168.0.1 - 192.168.0.12), and I operate apps from my server.
I often connect to them both (LAN & Internet) at the same time.
So what should I do to configure CFP properly & stay secure? (firewall & defense+ set to train with safe mode)
thx

Ganda

Er… that sounds just as safe as not using Defense+ at all. Besides, as you say it’s no good, because the policy for “trusted” apps allows everything once they’re running, but according to that policy D+ will still ask about their execution.

Really, if you install CFP with the default options it won’t ask you about starting programs that were already present before the installation. A couple of windows system apps will popup but if you set CFP to identify them as such and remember you won’t be bothered again. If you still have problems with something else use the train mode.

By default the firewall is set to “train with safe”, but Defense+ should be set to Clean PC, otherwise it will be very noisy. Maybe that’s the problem you’re having, change D+ from train with safe to clean PC (but leave the firewall at train with safe).

WHAT!?
OK, now what should I do?
In CFP port sets, I add a new port set, port range 135-139?

No no no, I mean, I put all the “distribution application” exes, not all exes.

Hey, in Network Security Policy/Global Rules:
I allow everything (in/out) for my LAN
and BLOCK AND LOG ICMP IN FROM IP ANY TO IP ANY WHERE ICMP MESSAGE IS ECHO REQUEST.

Am I safe enough? Or should I do something about the application rules too?

I’d think you always need a “Block IP In From IP Any to IP Any Where Protocol Is Any” rule at the bottom which blocks whatever hasn’t been allowed by any specific rule above it.
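The rule-ordering point made across this thread (the LAN allow rules first, the [Netbios] block rules after them, and a “Block IP In From IP Any to IP Any” rule at the bottom catching everything not allowed above it), as an added Python example that is not part of any post. The packet layout, the 192.168.0.0/24 network covering Ganda’s 192.168.0.1-192.168.0.12 LAN and the sample addresses are constructed for illustration, not CFP3’s own data format.

```python
# Added example: a minimal first-match evaluator for a CFP3-style Global Rules
# list. It shows why the [Netbios] block rules go AFTER the trusted LAN rules
# (LAN file sharing keeps working, leaks to the internet are stopped) and why
# a bottom "Block IP In" rule also covers unsolicited TCP/UDP.
from ipaddress import ip_address, ip_network

NETBIOS = {135, 136, 137, 138, 139, 445}   # the [Netbios] port set from the thread
LAN = ip_network("192.168.0.0/24")          # constructed: covers 192.168.0.1-.12

def in_set(value, allowed):
    """CFP3's 'Any' wildcard matches everything, including portless ICMP."""
    return allowed == "any" or value in allowed

# Rule layout (constructed): action, direction, protocols, src, dst, sports, dports
# protocols "any" stands for the "IP ... Where Protocol Is Any" form.
RULES = [
    ("allow", "out", "any", "any", LAN, "any", "any"),              # Allow IP Out to LAN
    ("allow", "in",  "any", LAN, "any", "any", "any"),              # Allow IP In from LAN
    ("block", "out", {"tcp", "udp"}, "any", "any", NETBIOS, "any"), # Netbios leak out
    ("block", "in",  {"tcp", "udp"}, "any", "any", "any", NETBIOS), # Netbios in
    ("allow", "out", {"tcp", "udp"}, "any", "any", "any", "any"),   # normal outbound
    ("block", "in",  "any", "any", "any", "any", "any"),            # Block IP In (bottom)
]

def pkt(direction, proto, src, dst, sport=None, dport=None):
    """Build a constructed packet record; ICMP has no ports."""
    return {"dir": direction, "proto": proto, "src": src, "dst": dst,
            "sport": sport, "dport": dport}

def matches(rule, p):
    action, direction, protos, src, dst, sports, dports = rule
    return (direction == p["dir"]
            and (protos == "any" or p["proto"] in protos)
            and (src == "any" or ip_address(p["src"]) in src)
            and (dst == "any" or ip_address(p["dst"]) in dst)
            and in_set(p["sport"], sports)
            and in_set(p["dport"], dports))

def decide(p, rules=RULES):
    """First matching rule wins; returns (action, rule index). No match: block."""
    for i, rule in enumerate(rules):
        if matches(rule, p):
            return rule[0], i
    return "block", None

if __name__ == "__main__":
    print(decide(pkt("out", "tcp", "192.168.0.7", "203.0.113.5", 139, 49152)))
    print(decide(pkt("out", "tcp", "192.168.0.7", "192.168.0.1", 139, 139)))
```

Passing a reordered list to `decide` (the Netbios block rules moved above the LAN rules) shows the same LAN file-sharing packet being blocked, which is the mistake the “add these after your trusted network rules” advice avoids.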