I noticed that the only intrusion attempt I get is from an application called “system”.
(set as windows system application “standard”)
Source port 137 Source ip 192.168.1.**
Destination port 137 Destination ip 192.168.1.255
Why is it doing this? I keep it blocked unless needed, but right now I don't see its use. Windows is so *** with all its weird apps trying to do all kinds of weird stuff.
EDIT: also I noticed how I have some global rules set. (firewall>advanced>network security policy>global rules)
“Allow All Outgoing Requests If The Target Is In [NETWORK NAME]”
“Allow All Incoming Requests If The Sender Is In [NETWORK NAME]”
“Block ICMP In From IP Any Where ICMP Message Is ECHO REQUEST”
I don't like any Allow EVERYTHING so I got a question about (“Allow All Outgoing Requests If The Target Is In [NETWORK NAME]”)
Is it safe to REMOVE this rule totally?
What will happen, more popups, no internet?
And i noticed how (“Block ICMP In From IP Any Where ICMP Message Is ECHO REQUEST”)
is only set to IN. Why not both ways?
I guess it's only used one way.
But it will cause no errors to have it both ways?
And my final question.
Give some tips on global rules to IMPROVE security…
Allowing communications within your [Network Name] does not open you up to outside attacks. There are several normal communications that happen within a LAN and they need to be allowed - communications with the modem, router, printer, another networked computer all happen to establish that the device is online or not and other stuff that I don’t know the details of. Outgoing here just means from your computer to another device on your LAN.
As for the block incoming ECHO REQUEST - that is to prevent your computer from being pinged and thus identified as a target for scanning. Your own computer may need to ping another public computer as a way of testing the communications link’s health. That is why you don’t want to block the outgoing ECHO REQUEST.
As for tips to improve security, I would suggest that you check the rules for applications under Network Security Policy. Most of the rules generated by the pop-ups do not have a final Block rule. I would add a rule that would read:
Block (log) IP In/Out From Any To Any Protocol Any
This rule should be at the bottom of the list. That prevents applications from being used to make connections by malware. The usual rule just has a port restriction which allows a connection and then this results in any other connections using other ports to cause a pop-up to ask about allowing a different type of connection for that software. The added rule will block the connection and no pop-up will appear. An event will appear in the Event Log when the rule blocks a connection, so you can later add a permission if you need to, using the info in the event log entry. If you are particularly paranoid (like me), you can check the “Log” box for all your existing rules and record the IP addresses that your software connects to. Once you have a collection of IP addresses, you can restrict the permission by changing the rule from “Destination Address Any” to “Single IP” or IP Range and enter the address or range that that software uses. A warning - some programs connect to several addresses, even several address ranges and addresses within those ranges, so it is a long-term project and you should use WhoIs to determine the range of addresses owned by the owner of the single IP address that appears in your Event Log and use the range and not just the single address.
About your initial post, the connection is an internal Netbios connection and blocking it should not cause problems unless you transfer data between home computers. It must have happened as a result of a disallowed pop-up (I’m guessing). You may be able to find the rule under “Network Security Policy” for System. Look at the rules there (click Edit, but don’t change anything) for a Block rule with a Destination Port of 137. Once you have found it, you can enter a description in the dialog and Apply it so you can find it later if you ever want to change it.
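As an added example (not code from the thread or from Comodo), the following Python models the two things the answer above describes: first-match evaluation of an ordered rule list, and the difference between a pop-up-generated application rule set that has no final Block rule (an unmatched connection falls through to a prompt) and one that ends with "Block (log) IP In/Out From Any To Any Protocol Any" (the connection is blocked and an event is logged). It also classifies the traffic from the original post as a NetBIOS name-service broadcast to the LAN broadcast address. The LAN prefix 192.168.1.0/24 standing in for "[NETWORK NAME]", the application name "browser", and the packet values are all constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Toy first-match model of a global-rules list and a per-application rules
# list. This is an illustration, not Comodo's actual engine; how Comodo orders
# global rules against application rules is deliberately not modelled.

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed "[NETWORK NAME]"


@dataclass
class Packet:
    direction: str                    # "in" or "out", relative to this host
    proto: str                        # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[str] = None   # e.g. "echo-request"
    app: str = "system"


@dataclass
class Rule:
    name: str
    action: str                       # "allow" or "block"
    log: bool = False
    direction: Optional[str] = None   # None means both directions
    proto: Optional[str] = None       # None means any protocol
    src_net: Optional[ipaddress.IPv4Network] = None
    dst_net: Optional[ipaddress.IPv4Network] = None
    dport: Optional[int] = None
    icmp_type: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        """Every field left as None is a wildcard; all set fields must match."""
        if self.direction and self.direction != p.direction:
            return False
        if self.proto and self.proto != p.proto:
            return False
        if self.src_net and ipaddress.ip_address(p.src) not in self.src_net:
            return False
        if self.dst_net and ipaddress.ip_address(p.dst) not in self.dst_net:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.icmp_type and self.icmp_type != p.icmp_type:
            return False
        return True


def evaluate(rules, packet, default="ask"):
    """Walk the list top to bottom; the first matching rule decides.
    Returns (action, rule name, logged). With no match the result is
    `default`: "ask" models the pop-up the answer describes, "continue"
    models a global list that simply has nothing to say about the packet."""
    for r in rules:
        if r.matches(packet):
            return r.action, r.name, r.log
    return default, None, False


def is_netbios_broadcast(p: Packet) -> bool:
    """The traffic in the original post: UDP port 137 to the LAN broadcast."""
    return (p.proto == "udp" and p.dport == 137
            and ipaddress.ip_address(p.dst) == LAN.broadcast_address)


# The three global rules quoted in the question, in the order given.
GLOBAL_RULES = [
    Rule("Allow All Outgoing Requests If The Target Is In LAN",
         "allow", direction="out", dst_net=LAN),
    Rule("Allow All Incoming Requests If The Sender Is In LAN",
         "allow", direction="in", src_net=LAN),
    Rule("Block ICMP In From IP Any Where ICMP Message Is ECHO REQUEST",
         "block", direction="in", proto="icmp", icmp_type="echo-request"),
]

# Application rules for an assumed "browser": first as a pop-up typically
# leaves them (a port-restricted allow and nothing else), then with the
# final block-and-log rule the answer recommends appended at the bottom.
POPUP_RULES = [
    Rule("Allow TCP Out to port 443", "allow",
         direction="out", proto="tcp", dport=443),
]
FINAL_BLOCK = "Block (log) IP In/Out From Any To Any Protocol Any"
HARDENED_RULES = POPUP_RULES + [Rule(FINAL_BLOCK, "block", log=True)]


if __name__ == "__main__":
    nb = Packet("out", "udp", "192.168.1.10", "192.168.1.255", 137, 137)
    print("NetBIOS broadcast:", is_netbios_broadcast(nb),
          evaluate(GLOBAL_RULES, nb, default="continue"))
    http = Packet("out", "tcp", "192.168.1.10", "203.0.113.7",
                  51000, 80, app="browser")
    print("pop-up rules:  ", evaluate(POPUP_RULES, http))
    print("hardened rules:", evaluate(HARDENED_RULES, http))
```

The point to take from running it: the same port-80 connection that would raise a pop-up under the pop-up-generated rules is silently blocked under the hardened list, and the returned `logged` flag is what lets you later find the attempt in the Event Log and add a narrower permission if the program really needs it.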