unknown firewall events

Hi
Does anyone know what is causing these events and whether it is a problem and how to stop it?
Thanks in advance
RobQQQ

COMODO Firewall Pro Logs
Log Scope: Today
Date/Time Application Action Source IP Source Port Destination IP Destination Port
27-Aug-2008 05:28:42 System Blocked 192.168.1.3 137 192.168.1.255 137
27-Aug-2008 05:28:42 System Blocked 192.168.1.3 137 192.168.1.255 137
27-Aug-2008 05:28:42 System Blocked 192.168.1.3 137 192.168.1.255 137
27-Aug-2008 05:28:43 System Blocked 192.168.1.3 137 192.168.1.255 137


System is part of Windows. Set it to outgoing only. Are you behind a hardware firewall?

That’s Windows networking broadcast traffic. How many machines do you have on your LAN?

Port 137 is the Windows networking name lookup service. Windows networking doesn’t rely on a central server, like DNS. Instead, each machine broadcasts its name and IP address to all the other machines on the LAN. The broadcast address in your case is the x.255 address, which is the usual address.

To answer your question of “how to make it stop”, there are a couple of ways to go at it.

You could turn off Windows networking on each and every machine on your LAN.

Or, you could allow the broadcast traffic thru your firewall, and have Windows networking work normally. Probably the easiest way to do that, is to add the broadcast x.255 address to your LAN network zone.

To do that, open CFP, and click Firewall → Common Tasks, My Network Zones. Then click on the zone name for your LAN to highlight it, then right-click to open up a menu. Select Add, and then ‘a new address’. Then on the edit window that comes up, add the single IP address of 192.168.1.255.

Thanks folks. Your replies must be very helpful, but I’m sorry, they are a level or two above my knowledge, so I don’t understand them and they raise lots more questions.
Firstly, though, I can add that my PC is behind a 3com router (hardware firewall?) and that there are two other PCs on the network, connected by wireless link, one of which is an Apple. Also, I’m using Windows XP. My machine is apparently the IP no. 192.168.1.3

My questions are:
How does one “set System to outgoing only”, and what else would that change?

What is “Windows networking broadcast traffic”?

What is the “Windows networking name lookup service” and what is it looking up?

Why does each machine broadcast its name and IP address to all the other machines on the LAN?

What is a broadcast address and where exactly is the IP address 192.168.1.255? I couldn’t find it listed in my router information. Is it the network, the router, a PC or something on the internet?

If I turn off Windows networking on each and every machine on my LAN, will I still have a network and be able to use the internet? It sounds like a drastic step! Or were you joking?

If I allow the broadcast traffic thru the CFP firewall, will it not weaken the security and allow others to break in thru the firewall?

Why would I want to “add the broadcast x.255 address to my LAN network zone”? Apart from stopping this firewall message, what else will happen?

I opened CFP, and in My Network Zones I found a “Loopback zone” (127.0.0.1/255.0.0.0) and an “Intel(R) 82562V-2 10/100 Network Connection - Packet Scheduler Miniport” (192.168.1.7 255.255.255.0). I assume the latter is “the zone name for my LAN” to which I should add the single IP address of 192.168.1.255? Right?

The help file suggests that one should define permission levels for zones added to My Network Zones. Which type of permission should I give the new zone?

Lastly, tongue in cheek, how exactly does “Windows networking work normally”? The boffins at Redmond have made it so bloody complicated that I have never managed to understand it!!

Oh my. Questions questions ;D

Rather than try to answer one-by-one, let me come at things from a different direction, by way of explanation.

Windows networking protocols are extremely chatty. The protocols were defined in the early 1980s, before the TCP/IP networking standards came to the world of PCs. Back in those early days, the protocols were kept simple. The basic principle was that each machine kept track of what was on the LAN. To have that happen, each machine would broadcast its name and capabilities to the LAN as a whole, and listen for the broadcast of that same information from all other machines. Then each machine would have the equivalent of a sticky note collection, saying things like “machine adam12 is at address 00:12:34:56:78:9a and has a printer”. So when somebody needed to print, guess who gets contacted: adam12.

Then TCP/IP came along, and the old protocol got adapted to fit in the “new” Internet way of doing things. A LAN is roughly the equivalent of an address block (192.168.1.0 thru 192.168.1.255, for example). A broadcast address is always the highest address in that range (192.168.1.255).

Since TCP/IP gets used for a lot of different things, the old networking protocols needed some way of making sure that when they were “talking shop” they were talking to the right place. In TCP/IP terms, that place is a port number. Windows networking, given its variety, got a bunch of port numbers assigned to it by the keeper of such numbers (iana.org). Those ports are 135, 137, 138, 139, and 445. Each one has a different purpose, matching up with the original protocol.

Port 137 is the “name” service. In the old days, the broadcast would be “Hi, I’m adam12 at 00:12:34:56:78:9a”, in the new terms that becomes “Hi, I’m adam12 at 192.168.1.3” sent to port 137 (it’s a name) and a broadcast (send to 192.168.1.255). Windows however still has its sticky note collection, just some different bits. Every machine is still doing its broadcast, just like the old days. It’s just TCP/IP stuff now, in place of the original raw ethernet packets.

Microsoft, in their wisdom, have all Windows machines set by default to presume all machines want to talk to all other machines. If you share files and printers between machines, then it’s these Windows networking protocols that are doing the work. If you don’t, then you can turn off the Windows networking, and not miss it.

I opened CFP, and in My Network Zones I found a “Loopback zone” (127.0.0.1/255.0.0.0) and an “Intel(R) 82562V-2 10/100 Network Connection - Packet Scheduler Miniport” (192.168.1.7 255.255.255.0). I assume the latter is “the zone name for my LAN” to which I should add the single IP address of 192.168.1.255? Right?
Yes, that sounds like the right place. But, as I read your description, the broadcast address is already included. The 192.168.1.7/255.255.255.0 is just another way of writing the range of 192.168.1.0 thru 192.168.1.255. It's called a "netmask notation". That you're getting CFP log messages says to me that there is a rule blocking the packets. The question then is, where's the rule doing the blocking.

The easy way to check that, is the CFP Config Reporting Script. It’s described in a sticky post at the top of this forum page. If you would run the script (for firewall rules only, please. The script can produce huge amounts of output otherwise), and post the report here, then I can see what the rules are, and what might be the problem.
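An added example (my own code, not from the thread or from COMODO) that puts the two explanations above into practice: it turns the zone's netmask notation into the range it covers and its broadcast address, then labels each CFP log line by Windows networking service and by scope (LAN broadcast, LAN unicast, or off LAN). The log format and addresses are the ones posted in the thread; the fifth sample line is constructed to show how traffic from outside the LAN is labelled.

```python
import ipaddress
import re

# NetBIOS-over-TCP/IP and SMB ports, as listed in the explanation above.
WINDOWS_NET_PORTS = {135: "RPC endpoint mapper", 137: "NetBIOS name service",
                     138: "NetBIOS datagram service", 139: "NetBIOS session service",
                     445: "SMB"}

# One CFP log line looks like:
# 27-Aug-2008 05:28:42 System Blocked 192.168.1.3 137 192.168.1.255 137
LOG_RE = re.compile(
    r"^(?P<when>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\s+(?P<app>\S+)\s+(?P<action>\S+)"
    r"\s+(?P<src>[\d.]+)\s+(?P<sport>\d+)\s+(?P<dst>[\d.]+)\s+(?P<dport>\d+)$")

def zone_from_netmask(ip_with_mask):
    """CFP netmask notation ('192.168.1.7/255.255.255.0') -> the network it covers.
    strict=False masks off the host bits (.7), leaving 192.168.1.0/24."""
    return ipaddress.ip_network(ip_with_mask, strict=False)

def classify(line, lan):
    """Parse one log line and label the blocked packet: 'LAN broadcast' if it is
    aimed at the zone's highest address, 'LAN unicast' if both ends are in the
    zone, otherwise 'off LAN'. Returns None for lines that are not log entries."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
    dport = int(m["dport"])
    if src in lan and dst == lan.broadcast_address:
        scope = "LAN broadcast"
    elif src in lan and dst in lan:
        scope = "LAN unicast"
    else:
        scope = "off LAN"
    return {"time": m["when"], "app": m["app"], "action": m["action"],
            "service": WINDOWS_NET_PORTS.get(dport, f"port {dport}"), "scope": scope}

def summarize(lines, lan):
    """Count entries per (scope, service) so repetitive name-service broadcasts
    stand out from anything that would actually deserve a closer look."""
    counts = {}
    for line in lines:
        v = classify(line, lan)
        if v:
            key = (v["scope"], v["service"])
            counts[key] = counts.get(key, 0) + 1
    return counts

# Constructed sample: the four lines from the thread plus one made-up entry from a
# documentation-range address (203.0.113.9) to show how off-LAN traffic is labelled.
SAMPLE_LOG = """
27-Aug-2008 05:28:42 System Blocked 192.168.1.3 137 192.168.1.255 137
27-Aug-2008 05:28:42 System Blocked 192.168.1.3 137 192.168.1.255 137
27-Aug-2008 05:28:42 System Blocked 192.168.1.3 137 192.168.1.255 137
27-Aug-2008 05:28:43 System Blocked 192.168.1.3 137 192.168.1.255 137
27-Aug-2008 05:30:01 System Blocked 203.0.113.9 4521 192.168.1.3 445
""".strip().splitlines()
```

Calling `summarize(SAMPLE_LOG, zone_from_netmask("192.168.1.7/255.255.255.0"))` groups the four thread lines under ("LAN broadcast", "NetBIOS name service") and the constructed line under ("off LAN", "SMB").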

Thank you very much, Grue155, for taking the time to explain all that to me. Much appreciated.
I now know a little bit more about how little I know about networking!!

I downloaded and ran your CFP Config Reporting Script. Well done - it is a brilliant bit of work. (:CLP)
(As an aside - there isn’t any posting about how to install and operate it, which might help others in the forum.)

I have posted what I think are the key lines from the script log below.
Maybe you can spot something.

So, going back to the original question - I keep getting this blocked message:
Date/Time Application Action Source IP Source Port Destination IP Destination Port
27-Aug-2008 05:28:42 System Blocked 192.168.1.3 137 192.168.1.255 137
I’m still not sure if that is a problem and whether I need to stop it.
Nothing else on the network needs to access my PC at present and I don’t share files and printers (yet), so I am quite happy to turn off whatever is causing this, as long as I can still use the internet and e-mail through the router.
If it is caused by “Windows networking”, then I don’t know how to turn that off. (Was that not a joke?). It isn’t listed in the Services.
And if I follow the other suggestion and “allow the broadcast traffic thru the CFP firewall” and “add the broadcast x.255 address to my LAN network zone”, will it not weaken the security?

Sorry to be so thick, but this is soooo complex!! (It is probably another Microsoft plot to extract more money from us!)
RobQQQ

File Group 2:	[Important Files/Folders] is defined as
---------------------------------------------------------------------------------------
[0] C:\WINDOWS\system32\*
[1] C:\WINDOWS\servicing\*
[2] C:\WINDOWS\system.ini
[3] C:\WINDOWS\win.ini
[4] C:\WINDOWS\wininit.ini
[5] C:\WINDOWS\winstart.bat
[6] C:\WINDOWS\Tasks\*
[7] \Device\HarddiskVolume?\boot.ini
[8] \Device\HarddiskVolume?\ntdetect.com
[9] \Device\HarddiskVolume?\ntldr

File Group 3:	[Windows Updater Applications] is defined as
---------------------------------------------------------------------------------------
[0] C:\WINDOWS\system32\svchost.exe
[1] C:\WINDOWS\system32\msiexec.exe
[2] C:\WINDOWS\system32\wuauclt.exe
[3] C:\WINDOWS\system32\wupdmgr.exe

File Group 4:	[Windows System Applications] is defined as
---------------------------------------------------------------------------------------
[0] System
[1] C:\WINDOWS\system32\smss.exe
[2] C:\WINDOWS\system32\csrss.exe
[3] C:\WINDOWS\system32\winlogon.exe
[4] C:\WINDOWS\system32\services.exe
[5] C:\WINDOWS\system32\spoolsv.exe
[6] C:\WINDOWS\system32\lsass.exe
* * * * *
My Network Zones
=========================================================================================
INFORMATION: There are 2 Zones reported In CFP Configuration Tree

Zone 0: [Loopback Zone] is defined as
-----------------------------------------------------------------------------------------
[0]	IP In [127.0.0.1/255.0.0.0]

Zone 1: [Intel(R) 82562V-2 10/100 Network Connection - Packet Scheduler Miniport] is defined as
-----------------------------------------------------------------------------------------
[0]	IP In [192.168.1.7/255.255.255.0]

My Blocked Network Zones
=========================================================================================
INFORMATION: There are 0 Blocked Zones reported In CFP Configuration Tree

My Ports Sets
=========================================================================================
INFORMATION: There are 3 Port Sets reported In CFP Configuration Tree

Portset 0:	 [HTTP Ports] is defined as
-----------------------------------------------------------------------------------------
[0]	80
[1]	443
[2]	8080

Portset 1:	 [POP3/SMTP Ports] is defined as
-----------------------------------------------------------------------------------------
[0]	110
[1]	25
[2]	143
[3]	993
[4]	995
[5]	465
[6]	587

Portset 2:	 [Privileged Ports] is defined as
-----------------------------------------------------------------------------------------
[0]	0-1023

* * * * * * * * * * * * * * * * * * * *

Application 13: C:\Documents and Settings\qqq\Local Settings\Temp\is-U36KH.tmp\spybotsd152.tmp Treat as: [Web Browser]
----------------------------------------------------------------------------
The predefined rules are as follows:
[0] Allow            IP      Out    From  IP Any  To  Zone [Loopback Zone]  Where Protocol Is Any
[1] Allow            TCP     Out    From  IP Any  To  IP Any  Where Source Port Is Any And Destination Port Is In [HTTP Ports]
[2] Allow            TCP     Out    From  IP Any  To  IP Any  Where Source Port Is Any And Destination Port Is 21
[3] Allow            TCP     Out    From  IP Any  To  IP Any  Where Source Port Is Any And Destination Port Is Not In [Privileged Ports]
[4] Allow            UDP     Out    From  IP Any  To  IP Any  Where Source Port Is Any And Destination Port Is 53
[5] Block & Log      IP      In/Out From  IP Any  To  IP Any  Where Protocol Is Any

Application 14: Group [COMODO Firewall Pro] Treat as: [Outgoing Only]
----------------------------------------------------------------------------
The predefined rules are as follows:
[0] Allow        TCP Or UDP  Out    From  IP Any  To  IP Any  Where Source Port Is Any And Destination Port Is Any
[1] Block & Log      IP      In/Out From  IP Any  To  IP Any  Where Protocol Is Any

Application 15: Group [Windows Updater Applications] Treat as: [Custom Policy]
----------------------------------------------------------------------------
[0] Allow        TCP Or UDP  Out    From  IP Any  To  IP Any  Where Source Port Is Any And Destination Port Is Any

Application 16: System Treat as: [Web Browser]
----------------------------------------------------------------------------
The predefined rules are as follows:
[0] Allow            IP      Out    From  IP Any  To  Zone [Loopback Zone]  Where Protocol Is Any
[1] Allow            TCP     Out    From  IP Any  To  IP Any  Where Source Port Is Any And Destination Port Is In [HTTP Ports]
[2] Allow            TCP     Out    From  IP Any  To  IP Any  Where Source Port Is Any And Destination Port Is 21
[3] Allow            TCP     Out    From  IP Any  To  IP Any  Where Source Port Is Any And Destination Port Is Not In [Privileged Ports]
[4] Allow            UDP     Out    From  IP Any  To  IP Any  Where Source Port Is Any And Destination Port Is 53
[5] Block & Log      IP      In/Out From  IP Any  To  IP Any  Where Protocol Is Any
* * * * * * * * * * * * * * * * * * * *

Thank you for the report. It does show the problem: CFP is set to use “web browser” rules for “System”.

This has been a recurring problem for a lot of people recently. Best guess is that some recent CFP update or CFP rule re-ordering somehow changed things, and now “web browser” rules are being applied to things that aren’t web browsers, and things mysteriously act very strangely.

The problem is here:


Application 16: System Treat as: [Web Browser]
----------------------------------------------------------------------------
The predefined rules are as follows:

[0] Allow            IP      Out    From  IP Any  To  Zone [Loopback Zone]  Where Protocol Is Any
[1] Allow            TCP     Out    From  IP Any  To  IP Any  Where Source Port Is Any And Destination Port Is In [HTTP Ports]
[2] Allow            TCP     Out    From  IP Any  To  IP Any  Where Source Port Is Any And Destination Port Is 21
[3] Allow            TCP     Out    From  IP Any  To  IP Any  Where Source Port Is Any And Destination Port Is Not In [Privileged Ports]
[4] Allow            UDP     Out    From  IP Any  To  IP Any  Where Source Port Is Any And Destination Port Is 53
[5] Block & Log      IP      In/Out From  IP Any  To  IP Any  Where Protocol Is Any

The proper default setting for this should be something like this:


[0] allow IP Out from IP Any      to Zone[MyLAN] where protocol is any
[1] allow IP In  from Zone[MyLAN] to IP Any      where protocol is any
[2] allow IP Out from IP Any      to IP Any      where protocol is any

which is a considerably different set of rules.

Note that I’m being a lazy typist, and saying “MyLAN” rather than what should properly be said as “Intel(R) 82562V-2 10/100 Network Connection - Packet Scheduler Miniport” for your CFP network zone.

So, how to fix it:

Open CFP, click Firewall → Advanced, Network Security Policy, the Application Rules tab.

Find the line that says “System”, which will likely be the 16th or 17th entry. Right-click on the application name “System”, and select edit. That will get you to a rules-entry window.

We do not want to use a predefined policy, so select “use a custom policy”.

Now to add these 3 rules:

Action: Allow
Protocol: IP #select from the pulldown list
Direction: Out #select from the pulldown list
Source Address: any
Destination Address: zone: and select “Intel(R) 82562V-2 10/100 Network Connection”
IP Details: any
and then click Apply

Action: Allow
Protocol: IP #select from the pulldown list
Direction: In #select from the pulldown list
Source Address: zone: and select “Intel(R) 82562V-2 10/100 Network Connection”
Destination Address: any
IP Details: any
and then click Apply

Action: Allow
Protocol: IP #select from the pulldown list
Direction: Out #select from the pulldown list
Source Address: any
Destination Address: any
IP Details: any
and then click Apply

and then click Apply all the way out.

With this change in the CFP rules, that should take care of the problem. And then I can properly answer your other questions, in the context of a working machine, which can simplify the explanations considerably. (Windows networking is a network connection property, buried many levels deep in menus. It would confuse considerably at this point.)
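An added example (my own code, not from the thread or from COMODO) that shows why the fix above works: a small top-down, first-match evaluator over transcriptions of the “Web Browser” rules CFP had applied to System and of the three custom rules recommended instead. Run against the logged packet (System, UDP, outbound, 192.168.1.3 → 192.168.1.255, port 137), the first policy falls through to rule [5] “Block & Log” while the second matches rule [0] “Allow”. The zone and port-set values are those in the config report; what CFP does when no rule matches is not modelled and is reported as “no match”.

```python
import ipaddress

# The two zones from the config report above; strict=False masks off the host bits.
ZONES = {"Loopback Zone": ipaddress.ip_network("127.0.0.1/255.0.0.0", strict=False),
         "MyLAN": ipaddress.ip_network("192.168.1.7/255.255.255.0", strict=False)}
HTTP_PORTS = {80, 443, 8080}          # the [HTTP Ports] port set
PRIVILEGED = range(0, 1024)            # the [Privileged Ports] port set

def rule(action, proto, direction, src, dst, dport=None):
    """proto 'IP' means any protocol; src/dst are 'any' or a zone name;
    dport is a predicate on the destination port, or None for 'Any'."""
    return {"action": action, "proto": proto, "direction": direction,
            "src": src, "dst": dst, "dport": dport}

# Transcription of the "Web Browser" rules CFP had applied to System.
WEB_BROWSER = [
    rule("Allow", "IP", "Out", "any", "Loopback Zone"),
    rule("Allow", "TCP", "Out", "any", "any", lambda p: p in HTTP_PORTS),
    rule("Allow", "TCP", "Out", "any", "any", lambda p: p == 21),
    rule("Allow", "TCP", "Out", "any", "any", lambda p: p not in PRIVILEGED),
    rule("Allow", "UDP", "Out", "any", "any", lambda p: p == 53),
    rule("Block & Log", "IP", "In/Out", "any", "any"),
]
# Transcription of the custom policy recommended for System.
CUSTOM_SYSTEM = [
    rule("Allow", "IP", "Out", "any", "MyLAN"),
    rule("Allow", "IP", "In", "MyLAN", "any"),
    rule("Allow", "IP", "Out", "any", "any"),
]

def addr_matches(spec, ip):
    # A zone in netmask notation covers its whole range, broadcast address included.
    return spec == "any" or ip in ZONES[spec]

def evaluate(policy, proto, direction, src, dst, dport):
    """Walk the policy top-down and return (index, action) of the first rule
    that matches, or (None, "no match") if none does."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, r in enumerate(policy):
        if r["proto"] != "IP" and r["proto"] != proto:
            continue
        if r["direction"] != "In/Out" and r["direction"] != direction:
            continue
        if not (addr_matches(r["src"], src) and addr_matches(r["dst"], dst)):
            continue
        if r["dport"] is not None and not r["dport"](dport):
            continue
        return i, r["action"]
    return None, "no match"

# The logged packet: System sending a NetBIOS name-service broadcast (UDP 137).
BROADCAST = ("UDP", "Out", "192.168.1.3", "192.168.1.255", 137)

def compare_policies():
    """Which rule catches the broadcast under each policy."""
    return {"Web Browser": evaluate(WEB_BROWSER, *BROADCAST),
            "Custom": evaluate(CUSTOM_SYSTEM, *BROADCAST)}
```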

Not wanting to step on grue’s toes here, but I noticed a reference for spybot in the “Application Rules” which was a temp folder with web browser policy ???
You might want to try Firewall/Advanced/Network Security Policy and then hit “Purge”. This should clear any entries no longer relevant. Also you might want to just have your “Web Browser”, Firefox/Internet Explorer/Opera, set up with the “Web Browser” policy; the others can use the policy “Outgoing only”.

Back over to grue.

Regards,
Matty

Good catch! Thank you Matty :-TU

Many thanks, grue155 and Matty.
You guys are very helpful! :-TU
I have changed my system rules as described. They are now:

Application 16: System Treat as: [Custom Policy]

[0] Allow IP Out From IP Any To Zone [Intel(R) 82562V-2 10/100 Network Connection - Packet Scheduler Miniport] Where Protocol Is Any
[1] Allow IP In From Zone [Intel(R) 82562V-2 10/100 Network Connection - Packet Scheduler Miniport] To IP Any Where Protocol Is Any
[2] Allow IP Out From IP Any To IP Any Where Protocol Is Any

Success - I have no more funny blocked events!!!

I “purged” the settings that were no longer of any use, although some spybot rules in the temp folder still seem to be valid because they were not purged. (although I couldn’t find the relevant file.)

I set up firefox to the “Browser” defaults (even though those rules look very odd!)
[0] Allow IP Out From IP Any To Zone [Loopback Zone] Where Protocol Is Any
[1] Allow TCP Out From IP Any To IP Any Where Source Port Is Any And Destination Port Is In [HTTP Ports]
[2] Allow TCP Out From IP Any To IP Any Where Source Port Is Any And Destination Port Is 21
[3] Allow TCP Out From IP Any To IP Any Where Source Port Is Any And Destination Port Is Not In [Privileged Ports]
[4] Allow UDP Out From IP Any To IP Any Where Source Port Is Any And Destination Port Is 53
[5] Block & Log IP In/Out From IP Any To IP Any Where Protocol Is Any

I wasn’t sure what Matty meant by “others” when he said “others can use the policy ‘Outgoing only’”. Is that all the other applications?

Then I tried reading all about creating rules and all the FAQ’s about it, to see if I could understand what I had just done, and to review my rules to see if they made sense. But I just got bogged down in jargon. I have no idea whether my rules make sense - there are just too many, and it is too complex.
CFP is remarkable in the way it is so easy to customise whatever one wants. And the CFP help file really does explain things well (unlike Microsoft!). I could plod thru the steps and understand how to do things. And the forums have some great examples and help.

The problem is that there is just so much jargon, and the rules become so complex, that it all goes swirling around one’s head and becomes too much to make sense of. Even the “Summary of Network rules” guide is too complex. One can make the rules, but what do they really mean? What order must they be in? Which ones must one choose? It is all too much!
Firewalls/networking shouldn’t be the equivalent of studying for a university course. One should just be able to install them and leave it be. There is no way I am ever going to understand this lot or get it right.

Anyway, thanks again for all your help. Even if this has left me baffled, your efforts are appreciated.
RobQQQ