All rules after "Block and log IP in/out" will not be used (that blocks all that wasn't allowed before), but your trusted zone is correctly set. Thus you should be able to be pinged from your other PC, and you should have no log entry for any traffic in your trusted zone, including ICMP. ???
But if those pings are blocked, maybe your home LAN range is not set correctly. Run ipconfig from the other PC to check if that IP is included in your home LAN range.
No, no. Do not create any rule for "System Idle Process". That is simply a ping request. You can use "Stealth Ports Wizard" and trust your LAN. This way both of those computers can speak to each other.
I don't understand. Can you tell me which option to choose under Stealth Ports Wizard? Either way, all three still cause System Idle Process to be blocked.
I'm mystified by this; apparently System Idle Process is calling out to one or more IP addresses related to my Verizon Wireless service. CF3 identifies System Idle Process as a web browser, then proceeds to block some of the outbound connection attempts. This may be a bandwidth management service related to Verizon, but it is very strange to me. Why System Idle Process? I tried completely blocking all internet connections from System Idle Process with no apparent negative effects as of yet. Anyone know what is going on here?
You don't want SIP accepting incoming calls, because some of those can be malware. Most of them will be from your ISP, telco, Microsoft, and a bunch of other semi-legitimate sources, but it is a potential source of trouble. The Storm Bot worm uses that process to access the messaging service on your system to fool you into downloading and installing it on your computer. The global "Block all incoming IP connections" rule is what blocks these attempts, and it should be left that way. If, for some overriding reason, you must have an incoming connection allowed, place it above the Block rule in the Global Rules under the Network Security Policy section. BUT only allow one IP address in, and restrict it as much as possible.
Column Descriptions
Application - indicates which application or process propagated the event. If the application has no icon, the default system icon for executable files will be used;
In other words, if it doesn't recognise anything to call the attack, it calls it by an executable file name, i.e. System Idle Process.
All these attacks (in my opinion) are the same as you see with any other firewall log, only they are labelled SIP instead of something else.
Not all are attacks. That is why I am trying to get a deeper understanding of unsolicited packets, so I can filter the Event Log to list only the important things. The other stuff I would still block, but not log.
OK Adric, I understand a little more what you are trying to do; but it may be difficult to establish why some are occurring (I get a few internal pings), and unless you are getting hundreds an hour I can't really see the point in worrying about them or trying not to log the unimportant ones.
Just my personal opinion.
Looking at your attack log every hour or so can worry you to death.
I guess the real issue is that the log needs some more features, like some filter options and an optional query module to save custom-made queries (an SQLite engine can do it).
A setting to apply some user-defined filter to the log by default would do the trick. BTW, an option to take the filter values from the currently selected log entry would also help.
All these issues will eventually disappear, so all members should address current issues (one at a time) in a separate topic and elaborate a solution or an enhancement.
Description of the solution, the issues it solves, screenshots, concepts and so on, in order to provide as much detail as possible, gathered in the same topic.
Once all solutions are elaborated, a poll can be made in order to gather consensus on a particular topic. Don't ever give up. Submit your feedback in as much detail as possible and use whatever (legit :P) means this forum offers to highlight it. Beware! Duplicated topics will disrupt this cooperative feedback.
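The kind of user-defined log filter discussed above (hide blocked entries whose remote end is inside the trusted LAN, keep everything else visible), as an added example that is not Comodo's code; the pipe-separated log layout, the addresses and the trusted range are all constructed for illustration and do not match the real CFP export format.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

# Constructed log excerpt in a made-up pipe-separated layout (not the real CFP
# export format): application|action|protocol|direction|src_ip|src_port|dst_ip|dst_port
SAMPLE_LOG = """\
System Idle Process|Blocked|ICMP|In|192.168.1.20|0|192.168.1.10|0
System Idle Process|Blocked|TCP|In|203.0.113.45|51234|192.168.1.10|135
System Idle Process|Blocked|UDP|In|198.51.100.7|53|192.168.1.10|1029
svchost.exe|Blocked|UDP|Out|192.168.1.10|68|255.255.255.255|67
System Idle Process|Blocked|TCP|In|192.168.1.30|49152|192.168.1.10|445
"""

# Constructed home LAN range; the real value comes from ipconfig on the LAN hosts.
TRUSTED_LAN = ipaddress.ip_network("192.168.1.0/24")


@dataclass
class Event:
    application: str
    action: str
    protocol: str
    direction: str  # "In" or "Out"
    src_ip: ipaddress.IPv4Address | ipaddress.IPv6Address
    src_port: int
    dst_ip: ipaddress.IPv4Address | ipaddress.IPv6Address
    dst_port: int


def parse_line(line: str) -> Event:
    """Split one pipe-separated entry into an Event; rejects malformed lines."""
    fields = line.strip().split("|")
    if len(fields) != 8:
        raise ValueError(f"expected 8 fields, got {len(fields)}: {line!r}")
    app, action, proto, direction, src, sport, dst, dport = fields
    return Event(app, action, proto, direction,
                 ipaddress.ip_address(src), int(sport),
                 ipaddress.ip_address(dst), int(dport))


def remote_address(event: Event) -> ipaddress.IPv4Address | ipaddress.IPv6Address:
    """The non-local side of the event: source for inbound, destination for outbound."""
    return event.src_ip if event.direction == "In" else event.dst_ip


def important_events(log_text: str, trusted=TRUSTED_LAN) -> list[Event]:
    """Keep blocked entries whose remote end lies outside the trusted LAN (LAN pings are noise)."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return [e for e in events if remote_address(e) not in trusted]
```

Run against the sample, the two blocked entries from 192.168.1.20 and 192.168.1.30 drop out and the three entries with an outside remote address remain.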
That is one issue, the other is understanding the event that caused the block. I asked if anyone else was interested in understanding this stuff here. Hopefully, with enough interest and input from some talented network gurus, the thread will help increase our network awareness.
You already got a correct answer there. Outbound traffic is blocked by the ruleset. Inbound too. The only concern so far is the SIP blocked entries, as there is no entry in the CFP help about them, plus the log cuts out some extra info that V2 usually gave (like SPI blocks).