My Network Zone

Good day everyone.

Is all traffic, both outgoing and incoming, allowed from all My Network Zones unless I stealth my ports using the wizard?

Why does browsing/opening my network printers take longer when my ports are stealthed? Is there any workaround for this?

Thanks and regards.

Hi Xthink.

Zones are just a simple way to organise the networks you connect to; they don’t, of themselves, allow or disallow access. If you wish to permit or deny access to a particular network, you will need to have rules.

You’ll notice that if you use the option to ‘Create a new Trusted Network, stealth my ports to Everyone’ it creates both Global and Application rules that allow full communication between nodes on that network.

Personally, I haven’t noticed a difference in performance when browsing or accessing printers when stealthed. Perhaps someone else has experience of this.

Thanks for the reply Quill.

I’m testing several rules now. I created a Port Set (137, 139, 445) and called it Printer. I allow TCP In from my gateway with Destination Port set to Printer. I can now open the printer instantly. Using either 137, 139 or 445 alone is not enough. Allowing each particular printer’s IP alone is not enough either; it wants the gateway. By the way, I’m on a subnet and the printers are on a Samba server. Allowing Samba’s IP also fails.

But I think allowing TCP from my gateway will defeat the purpose of stealthing my ports because everybody on my network can see me. Am I right on this? Can I still be stealth from everyone other than the network printers?

Hi.

I’m not sure what you mean by ‘gateway’, is this your router?

Your port set should also include port 138, for NetBIOS datagrams.

I assume you’re running SAMBA on some flavour of Linux? Is the SAMBA server on the same subnet as your PC? If so, it’s configured with an IP address which is in the same range as the one used by your PC. If you’ve created a trusted zone that includes this range, the Linux box should be transparent.

If you have a trusted zone and have stealthed, then everything other than devices in your trusted zone will not be able to see you.

Our router is 192.168.176.1
Samba server (Linux) - 192.168.176.2
My IP is 192.168.176.149
My Subnet Mask is 255.255.255.192
So my default gateway is 192.168.176.190 and not 192.168.176.1 as usual.

On each printer’s properties (right click the printer and select Properties), the port they are using is named Samba Port, not the usual printer’s IP (192.168.176.xxx).

Hope this helps.
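Working the posted addresses through, as an added example (Python, not code from the thread or from Comodo): the mask 255.255.255.192 puts the PC in 192.168.176.128/26, whose usable hosts run from .129 to .190, so the router at .1 and the Samba server at .2 lie in a different /26 and are only reachable through the gateway at .190. A trusted zone that covers the PC’s own range therefore does not cover them. The `next_hop` helper and the host labels are this example’s own; the addresses are the ones quoted in the post.

```python
import ipaddress
from typing import Dict

# Added example, not from the thread or from CIS: decide which of the quoted
# hosts share the PC's on-link subnet, given the mask that was posted.
MY_IP = "192.168.176.149"
MY_MASK = "255.255.255.192"
GATEWAY = "192.168.176.190"
HOSTS = {                      # addresses as posted in the thread
    "router": "192.168.176.1",
    "samba": "192.168.176.2",
    "gateway": GATEWAY,
}


def local_network(ip: str, mask: str) -> ipaddress.IPv4Network:
    """The on-link network for an interface address and a dotted-quad mask."""
    return ipaddress.IPv4Interface(f"{ip}/{mask}").network


def next_hop(dst: str, ip: str = MY_IP, mask: str = MY_MASK,
             gateway: str = GATEWAY) -> str:
    """Return "on-link" if dst is reached by ARPing for it directly, otherwise
    the gateway the frame is handed to (the IP header still carries dst)."""
    if ipaddress.IPv4Address(dst) in local_network(ip, mask):
        return "on-link"
    return gateway


def route_table(hosts: Dict[str, str]) -> Dict[str, str]:
    """Map each named host to how the PC reaches it."""
    return {name: next_hop(addr) for name, addr in hosts.items()}


def summary() -> Dict[str, str]:
    """Network, usable host range and broadcast for the PC's own interface."""
    net = local_network(MY_IP, MY_MASK)
    hosts = list(net.hosts())
    return {
        "network": str(net),
        "first_host": str(hosts[0]),
        "last_host": str(hosts[-1]),
        "broadcast": str(net.broadcast_address),
        "usable_hosts": str(len(hosts)),
    }


if __name__ == "__main__":
    for key, value in summary().items():
        print(f"{key:13} {value}")
    for name, hop in route_table(HOSTS).items():
        print(f"{name:8} -> {hop}")
```

Anything the table reports as reached via the gateway arrives with the gateway’s MAC address but the remote host’s IP address as source, which matters when a rule matches on source IP rather than on the interface the frame came in on.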

There is no problem printing or even browsing the printer. Only some delay, a 10-20 second difference compared with when I’m not stealthed. The same happens even when adding each printer’s IP or the Samba server’s IP to My Network Zone.

I want to be stealthed to everyone; should I remove all entries in My Network Zone other than the loopback?

I’m afraid that putting my gateway 192.168.176.190 in My Network Zone and/or allowing traffic in a Global rule will make me not stealthed to other PCs on our network.

Hi Xthink,

Well, “My Network Zone” is only a group, and if you don’t use it in the firewall policy it does nothing.
It’s just there to group “a set of networks” that you can use in your Firewall rules as source or destination, nothing more, nothing less.

So I can delete everything in there including the loopback. Thanks Ronny.

Am I right that by allowing TCP In on Global rules for my Default Gateway, other PCs on our network can see me even if I use the Stealth Port Wizard?

Depends on what you define as “see”.

If you have global rules that only allow incoming traffic from your gateway and the next one blocks IP Any, then others should not be able to ping your IP or use your network connections. They can, however, find your IP address and MAC address, because the firewall does not filter MAC traffic on layer 2 but IP traffic on layer 3.

Unless you created a rule for My Network Zones and it is still there.
In the help file there is a graph showing the way the filters work, including the direction of the traffic.

If you remove the loopback zone you will break most of the predefined firewall rules.

So I will keep the loopback.

You mean if I put the Allow TCP In rule just above the Block All IP rule, everybody on my network can’t ping me but can see my IP and MAC? Are there any additional tools to CIS that can do that?

Or, how can I fix the delay I’m experiencing in opening my network printers when I’m in stealth mode, without the Allow TCP In rule for the gateway?

Regards

I think this could be caused by SNMP traffic from your driver to the printer, where the driver wants to know the printer status etc. Maybe that traffic is blocked somewhere.
Did you change Firewall’s attack detection settings ?

“Protect the ARP Cache” and “Block Gratuitous ARP Frames” both checked.
“Block Fragmented IP Datagrams”, “Do Protocol Analysis” and “Do Packet checksum Verification” checked.
Custom Policy Mode and ports are stealth.
BO protection enabled, Safe Mode D+, Monitor Settings all checked.

Only by putting the rule Allow TCP In for my default gateway (192.168.176.190) can I browse my network printers instantly (not waiting for 10-20 minutes). In the default config (ports not stealthed) there is no problem.

Regards

So your printers are hosted by the Samba Server acting as a print server.

Can you set logging on the rule that makes it work? It depends on how the printer port connection is defined:
an LPR printer based on IP address, or a shared printer like \\ServerName\PrinterName

Yes.

Could you please tell me how I can attach the log image to this? Sorry for my ignorance.

Thanks

No problem. Just click on Reply and then on “Additional Options” at the bottom left below the text box; now use Browse to locate the image and Post. That should do the trick.

Thanks.

Attached is my log file and one of the printer’s property.

[attachment deleted by admin]

Hi Xthink,

I think you can drop the UDP 137-138 traffic if you don’t use Network Neighborhood to browse for other PCs. Global rule:

Block (Not log)
UDP
In
Source Any
Source port range 137 - 138
Dest Any
Dest port range 137 - 138

For the rest, it looks like the Samba server has a drive mapping to your system; is that correct?
See the rule where your IP + port = TCP 445; that is “File and Printer Sharing”.

For the printer, can you click “Configure Port” and tell me what that says? Probably
\\SambaServer\PrinterShareName

I’m already blocking UDP for 137, 138 and 1900 to suppress some logs.

Network drives are mapped. Port config raises an error, as in the attached jpg.

Regards

[attachment deleted by admin]

Is that block-no-log rule above or below the rule that allows all incoming traffic from the Samba server?
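The two ordering questions in this thread (allow-from-gateway above Block IP Any, and the UDP 137-138 block above or below an allow-from-Samba rule) come down to first-match evaluation, which the following added example models in Python. It is not CIS code and does not model how Global Rules hand off to Application Rules or what the product does when nothing matches; it reports that case as “none”. Like the real firewall it only sees IP-layer fields, so ARP-level discovery of the PC’s IP and MAC is outside its view. The addresses are those quoted in the thread; the second PC at 192.168.176.150 and the sample packets are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Added example, not CIS code: a first-match model of a Global Rules list.
# Only IP-layer fields are inspected; layer-2 (ARP) traffic is never seen here.


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp", "udp" or "icmp"
    direction: str   # "in" or "out" relative to this host
    src: str         # source IPv4 address
    dst: str         # destination IPv4 address
    sport: int = 0   # 0 for protocols without ports (icmp)
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                              # "allow" or "block"
    proto: str = "any"                       # "tcp", "udp", "icmp" or "any" (= IP)
    direction: str = "in"                    # "in", "out" or "any"
    src: str = "0.0.0.0/0"                   # source address or network (CIDR)
    dst: str = "0.0.0.0/0"                   # destination address or network (CIDR)
    sports: Optional[FrozenSet[int]] = None  # None = any source port
    dports: Optional[FrozenSet[int]] = None  # None = any destination port
    log: bool = False

    def matches(self, p: Packet) -> bool:
        if self.proto != "any" and self.proto != p.proto:
            return False
        if self.direction != "any" and self.direction != p.direction:
            return False
        if ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.sports is not None and p.sport not in self.sports:
            return False
        if self.dports is not None and p.dport not in self.dports:
            return False
        return True


def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, str, bool]:
    """First matching rule wins; returns (action, rule name, logged?).
    A packet no rule matches is reported as "none" rather than guessing
    what the product would do next."""
    for r in rules:
        if r.matches(p):
            return (r.action, r.name, r.log)
    return ("none", "<no match>", False)


# Addresses from the thread; PEER is a constructed second PC on the same /26.
ME, GATEWAY, SAMBA, PEER = ("192.168.176.149", "192.168.176.190",
                            "192.168.176.2", "192.168.176.150")
PRINTER_PORTS = frozenset({137, 139, 445})   # the "Printer" port set from the thread
NETBIOS_UDP = frozenset({137, 138})          # NetBIOS name and datagram services

allow_gateway_printer = Rule("Allow TCP In from gateway to Printer set", "allow", "tcp",
                             "in", src=GATEWAY + "/32", dports=PRINTER_PORTS)
allow_samba_in = Rule("Allow IP In from Samba server", "allow", "any", "in",
                      src=SAMBA + "/32")
block_netbios_udp = Rule("Block (no log) UDP 137-138", "block", "udp", "any",
                         sports=NETBIOS_UDP, dports=NETBIOS_UDP, log=False)
block_all_in = Rule("Block IP In Any", "block", "any", "in", log=True)

# The two orderings asked about: NetBIOS block above or below the Samba allow.
POLICY_BLOCK_FIRST = [block_netbios_udp, allow_samba_in, allow_gateway_printer, block_all_in]
POLICY_ALLOW_FIRST = [allow_samba_in, block_netbios_udp, allow_gateway_printer, block_all_in]

# Constructed sample traffic.
SMB_FROM_GATEWAY = Packet("tcp", "in", GATEWAY, ME, sport=49152, dport=445)
SMB_FROM_PEER = Packet("tcp", "in", PEER, ME, sport=49153, dport=445)
PING_FROM_PEER = Packet("icmp", "in", PEER, ME)
NBNS_FROM_SAMBA = Packet("udp", "in", SAMBA, ME, sport=137, dport=137)


def compare_orderings() -> dict:
    """Evaluate each sample packet under both orderings."""
    samples = {"smb_from_gateway": SMB_FROM_GATEWAY, "smb_from_peer": SMB_FROM_PEER,
               "ping_from_peer": PING_FROM_PEER, "nbns_from_samba": NBNS_FROM_SAMBA}
    return {name: {"block_first": evaluate(POLICY_BLOCK_FIRST, p)[:2],
                   "allow_first": evaluate(POLICY_ALLOW_FIRST, p)[:2]}
            for name, p in samples.items()}


if __name__ == "__main__":
    for name, result in compare_orderings().items():
        print(f"{name:17} block-first: {result['block_first']}  "
              f"allow-first: {result['allow_first']}")
```

Under either ordering the peer’s SMB connection and ping hit Block IP In Any while the gateway’s TCP to the Printer set is allowed, which is the stealth behaviour described earlier. The NetBIOS name-service reply from the Samba server is the packet whose fate flips: with the block above the Samba allow it is silently dropped, with the block below it is accepted, which is why the position of that no-log rule matters.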