firewalls - what to block and why - your security at risk

PCR · Jul 30, 2007

Re: firewalls - Kerio PF Part 2 - what to block and why - your security at risk

MEB wrote:
| PART 2 of 2

I don't see part 1.

....snip
|| By the way, how do you empty Kerio's Filter.log, when you think
|| you've seen enough? (I've been deleting it in DOS along with
|| Filter.log.idx.)
|
| Right click and delete within the viewer..

Oh, my God! You are right! And it deleted the .idx file too! Thanks!

I'll answer the rest of the post tomorrow.

MEB · Jul 31, 2007

Re: firewalls - Kerio PF Part 2 - what to block and why - your security at risk

Part 1 will have to be broken up.. I think the filters are now ON and there
is an area that is not supposed to be discussed.. think I might have located
it... after 15 trys and several addition partial post failed attempts...

--
MEB
http://peoplescounsel.orgfree.com
________

"PCR" <pcrrcp@netzero.net> wrote in message
news:OFdYmUx0HHA.4652@TK2MSFTNGP05.phx.gbl...
| MEB wrote:
| | PART 2 of 2
|
| I don't see part 1.
|
| ...snip
| || By the way, how do you empty Kerio's Filter.log, when you think
| || you've seen enough? (I've been deleting it in DOS along with
| || Filter.log.idx.)
| |
| | Right click and delete within the viewer..
|
| Oh, my God! You are right! And it deleted the .idx file too! Thanks!
|
| I'll answer the rest of the post tomorrow.
|
|

MEB · Jul 31, 2007

Re: firewalls - Kerio PF Part 1 - what to block and why - your security at risk

"PCR" <pcrrcp@netzero.net> wrote in message
news:OMaRHIk0HHA.4184@TK2MSFTNGP06.phx.gbl...

|"PCR" <pcrrcp@netzero.net> wrote in message
|news:eEz4Oyu0HHA.1204@TK2MSFTNGP03.phx.gbl...
| Just testing to see whether this thread segment died of XP-irradiation
| from Christianson's post! MEB has complained he couldn't post here!
|
|

|"PCR" <pcrrcp@netzero.net> wrote in message
|news:eEz4Oyu0HHA.1204@TK2MSFTNGP03.phx.gbl...
| Just testing to see whether this thread segment died of XP-irradiation
| from Christianson's post! MEB has complained he couldn't post here!
|
|

|"PCR" <pcrrcp@netzero.net> wrote in message
|news:OMaRHIk0HHA.4184@TK2MSFTNGP06.phx.gbl...
| MEB wrote:
| | "PCR" <pcrrcp@netzero.net> wrote in message
| | news:OLN2TzV0HHA.1484@TK2MSFTNGP06.phx.gbl...
| || MEB wrote:
| || | PCR and Gram Pappy [among others] have been discussing firewall
| || | settings and what they can or should be used for.
| ||
| || That's right. I installed...
| ||
| http://www.dslreports.com/faq/security/2.5.1.+Kerio+and+pre-v3.0+Tiny+PFW
| ||
| || ...Kerio Personal Firewall v2.1.5 about 4 years ago & several months
| || later began a 17 year study of what to do with it. But I should have
| || spoke up sooner!
| ||
| || | In the spirit of those discussions, I thought I would post some
| || | blocked activity from a SINGLE session/contact through my ISP and
| || | ONLY to this news server and my email accounts [via OE6]. This is
| || | from the firewall log [several of my normal settings/restrictions
| || | were specifically reset for this presentation].
| ||
| || Thanks for jumping in. So, you wanted to see what would happen just
| || by connecting to the NET & using OE for mail & NG activity.
| |
| | Well, ah no, actually I wanted to let other users who may not have
| | investigated or understand firewalls.
|
| Uh-huh. Naturally, you & I have advanced beyond that point.

hehehe, maybe,,,,,

|
| ||
| || | No other Internet activity occurred [e.g., no external IE or
| || | browser usage or other activity]. All *allowed activity* has been
| || | removed, so that the addresses and activities blocked might be
| || | addressed for perhaps a greater understanding of the function of
| || | firewalls, what they can and are used for, and other aspects
| || | related thereto.
| ||
| || Really, it's important to see what was allowed too. Where I thought
| || my Primary DNS Server rule would be used only by NetZero (they are
| || NetZero addresses in there)... really a whole bunch of apps were
| || using it! But that's in the other thread!
| |
| | DNS is used by any program requiring addressing information.
|
| The sole purpose of my DNS Server rule(s)...
|
| Protocol.......... UDP
| Direction......... Both
| Local Endpoint
| Ports........... 1024-5000
| Application... Any (but now I've limited it to 5 apps
| by creating 5 of these rules)
| Remote Endpoint
| Addresses.... The entire NetZero range
| Port............. 53
|
| ... is to resolve NET addresses? Still, am I right to seek to limit it
| to the five apps I kind of have to trust? Otherwise, can't it be
| appropriated by some devious app to do ill?

As you posted, yes, it would appear so. But is it necessary or reasonable
to create one rule with ALL the address range included and allowed?
Seems that leaves an awful lot of addresses available to hijack/spoof...
though limiting it to JUST those apps does decrease that ability..

|
| | The key
| | is to limit to the EXACT DNS server(s) NOT within your system [unless
| | for local network traffic] and the port [53] used by that (those)
| | server(s) with limited [chosen by previous monitoring] local ports
| | and applications.
|
| Why do I need to bother with ports, if I limit the DNS rule(s) to
| trusted apps & to trusted NetZero addresses?

Well, 53 is the standard port for that type of request, and is held as
such... as for requesting port, there may be a LARGE fluctuation.. I think
you limiting to the specific apps will suffice, perhaps someone more
qualified can confirm...

| Unfortunately, Kerio does
| not permit a list of apps in a rule, the way it does with ports &
| addresses. So, currently I have coded 5 of them...!...
|
| (1) DNS Server-- EXEC.exe (NetZero)
| (2) DNS Server-- ASHWEBSV (avast! Web Scanner)
| (3) DNS Server-- AVAST.SETUP (There actually is no program)
| (4) DNS Server-- ASHMAISV (avast! e-Mail Scanner Service)
| (5) DNS Server-- IExplore
|
| | I will NOT post all my rules or what exactly I have configured
| | locally [that would supply the exact way to circumvent my
| | protection],
|
| OK.
|
| | however I will post this contact to retrieve the
| | email/news messages [your posting], with a few more inclusions
| | [again, slightly modified rules and rule logging]. This was ONLY to
| | retrieve mail and the newsgroups on Microsoft. Nothing else occurred
| | BUT the logon to the ISP.
|
| OK, limited to mail & NG activities, right.
|
| | 2,[28/Jul/2007 17:22:18] Rule 'AOL UDP pass': Permitted: Out UDP,
| | localhost:1030->XXX.XXX.XXX.X:7427, Owner: C:\PROGRAM FILES\AMERICA
| | ONLINE
| | 7.0\WAOL.EXE
|
| So... WAOL.exe (which was port 1030 on your computer) needed to resolve
| an address? And it did so at XXX.XXX.XXX.X, port7427? Is that what that
| says?

No and yes, there is another set of rules applied prior to this, and UDP
need not be
DNS.

|
| | 1,[28/Jul/2007 17:22:18] Rule 'Other ICMP': Blocked: Out ICMP [10]
| | Router Solicitation, localhost->224.0.0.2, Owner: Tcpip Kernel Driver
|
| I get lots of those. Here is the last I recorded...
|
| 1,[27/Jul/2007 17:40:12] Rule 'Kill ICMP (Log)': Blocked: In ICMP [8]
| Echo Request, 4.232.192.209->localhost, Owner: Tcpip Kernel Driver
|
| ..., but, beginning yesterday, I have chosen NOT to log those anymore. I
| have two rules above that blocker. One allows ICMP incoming for...
| [0] Echo Reply, [3] Destination Unreachable, [11] Time Exceeded
|
| The other allows it outgoing for...
| [3] Destination Unreachable, [8] Echo Request

Those are the suggestions by most, including Sponge...
So you have no specific rule for Netzero ICMP?

|
| I think that's probably finalized for ICMP. In this case, specific apps
| & ports are not possible in the rules-- only specific endpoint addresses
| are. But mine apply to any address.
|
| | 2,[28/Jul/2007 17:22:18] Rule 'AOL UDP pass': Permitted: In UDP,
| | XXX.XXX.XXX.X:7427->localhost:1030, Owner: C:\PROGRAM FILES\AMERICA
| | ONLINE
| | 7.0\WAOL.EXE

***********

This is apparently the problem area. If this posts refer to the original.
Google search for what this was and think of the potential uses.

**********

| | 1,[28/Jul/2007 17:23:58] Rule 'Incoming ICMP': Blocked: In ICMP [8]
| | Echo Request, XXX.XXX.XX.XXX->localhost, Owner: Tcpip Kernel Driver
|
| | 1,[28/Jul/2007 17:26:56] Rule 'Incoming ICMP': Blocked: In ICMP [8]
| | Echo Request, XXX.XXX.XXX.XXX->localhost, Owner: Tcpip Kernel Driver
|
| | 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP,
| | 24.64.192.20:17898->localhost:1026, Owner: no owner
|
| I used to get these Kerio alert's about Shaw Comm...
|
| Someone from 24.64.9.177, port 3222 wants to send UDP datagram to
| port 1027 owned by 'Distributed COM Services' on your computer.
|
| ..., but they are prevented now with a rule that specifically blocks
| RPCSS.exe (which is Distributed COM Services & which establishes the
| port 1027) from using UDP/TCP. Eventually, I hope to remove that block
| rule (& 4 others)-- after I have completed my UDP & TCP permit rules for
| specific, trusted apps/addresses. Then, RPCSS.exe will be blocked along
| with the others by virtue of not being included in the PERMITs-- &
| having one single BLOCK after them.

Well I would suggest you block SHAW's range entirely, if you have others,
create a custom list or put them in your hosts file

|
| | 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP,
| | 24.64.192.20:17898->localhost:1027, Owner: no owner
|
| | 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP,
| | 24.64.192.20:17898->localhost:1028, Owner: no owner
|
| | 1,[28/Jul/2007 17:29:12] Rule 'TCP ack packet attack': Blocked: In
| | TCP, 207.46.248.16:119->localhost:1072, Owner: no owner
|
| I haven't begun to finalize my TCP rules yet. That's probably where I go
| next, once UDP is done!

Yeah get UDP outadaway... then lock down Outlook or whatever mail prog you
use...
There are a lot of TCP activities, back and forth, that can be blocked.

Each application should have only enough access to allow it to function for
its use...

|
| | at which point I disconnected having retrieved mail and the news
| | messages.
|
| Nothing ELSE tried to use UDP? Not even RNAAPP.exe, RPCSS.exe,
| PersFW.exe, & PFWadMin.exe-- which are just some of the ones using it in
| here before I recently have prevented them! Well, I guess it may require
| the clicking of an URL for those to kick in.

As I said, I would not post all my rules or the logs they would create,
that creates too much of a security risk..
RPCSS was locked down previously, along with krnl386, and several other
potential exploits. Anything and EVERYTHING that might apply to web/network
usage should have its own settings JUST IN CASE... or at least in my
config..

If you remember [likely not], several months ago a program was suggested to
me which attempted to bypass/reset ALL of my firewall settings,,, were it
not for my prior restrictions it likely would have succeeded. As it was
already ruled, it popped up and requested what to do since I said it
couldn't do what the installation wanted to do PRIOR to disabling the
firewall..

|

ANOTHER POTENTIAL AREA REMOVED

|
| What specifically is notable about them?

See the prior links. So this was an attempt to locate other routers..
And *tcpip Kernel request* indicates the driver/protocol itself,, e.g. part
of normal network usage, normally ALLOWED due to its usual necessity.

|
| ||
| || | For those who do not understand firewalls, these activities would
| || | or may have been allowed as they followed either programs IN USE
| || | [allowed activity], or through addressing [broadcast or otherwise]
| || | had a firewall not been used.
| ||
| || That is right. Without a firewall with a good set of denial rules,
| || all activity is allowed. Hopefully, if a virus or a Trojan or a spy
| || can sneak in that way, a good virus detector will prevent it from
| || executing. Also, there may have been an MS fix or two to prevent
| || some forms of abuse along these lines (I don't know).
| |
| | What would make you think any anti-spyware or anti-virus programs
| | would check or correct these types of activities?
|
| I do believe an actual executable can be read into a machine through
| malicious use of these NET packets, although I'm not sure which precise
| protocols can do it. Once it is read in &/or tries to run, one hopes
| one's virus/malware scanner WILL catch it, before it delivers its
| payload!

You forget JAVA, server side includes/codes [php, asp, other], FLASH,
streaming
media, PDFs, and other aspects which are not necessarily caught by ANYTHING
except for your proxy and/or firewall. ALL [emphasis all] are potential
carriers of damaging hacks...

|
| | Anti-spyware programs MAY block certain addresses and perhaps some
| | ActiveX, or other. Anti-virus MIGHT catch scripting or attempts to
| | infect something, or emails or files which contain hacks or other.
|
| It is still quick enough, in the cases when this bad stuff makes it
| through the firewall (or the lack of one), for these other apps to catch
| them trying to do their ill work-- if they can!
|
| BUT, I'm sure some ill-conceived packet can possibly do ill without
| delivering an executable that can be caught in another way. Somewhere in
| my 12th year of study I will know what these packets are & the protocols
| they use! But I'm hoping to get my Kerio rules solidified a lot sooner!
|
| | Host or lmhost files catch what they have been configured to catch
| | via addressing/name. These, however, are *network use* activities
| | WITHIN the TCP/IP and other aspects of Internet/network usage.
| | Firewalls, proxies, packet sniffers, client servers, the TCP/IP
| | kernel, and the like, are what handle these activities.
| | Of course the above is an overly simplified explanation.
|
| This isn't the year for me to really want to know every little detail,
| anyhow.
|

END PART 1 of 2

LESS THE DELETED MATERIAL

--
MEB
http://peoplescounsel.orgfree.com
________

PCR · Jul 31, 2007

Testing again-- to see whether I can reply to this post while quoting
it, Google search & all. But I think MEB has forgotten to put on his
tinfoil hat yet again!

PCR wrote:
| MEB wrote:
|| "PCR" <pcrrcp@netzero.net> wrote in message
|| news:OLN2TzV0HHA.1484@TK2MSFTNGP06.phx.gbl...
||| MEB wrote:
||| | PCR and Gram Pappy [among others] have been discussing firewall
||| | settings and what they can or should be used for.
|||
||| That's right. I installed...
|||
|
http://www.dslreports.com/faq/security/2.5.1.+Kerio+and+pre-v3.0+Tiny+PFW
|||
||| ...Kerio Personal Firewall v2.1.5 about 4 years ago & several months
||| later began a 17 year study of what to do with it. But I should have
||| spoke up sooner!
|||
||| | In the spirit of those discussions, I thought I would post some
||| | blocked activity from a SINGLE session/contact through my ISP and
||| | ONLY to this news server and my email accounts [via OE6]. This is
||| | from the firewall log [several of my normal settings/restrictions
||| | were specifically reset for this presentation].
|||
||| Thanks for jumping in. So, you wanted to see what would happen just
||| by connecting to the NET & using OE for mail & NG activity.
||
|| Well, ah no, actually I wanted to let other users who may not have
|| investigated or understand firewalls.
|
| Uh-huh. Naturally, you & I have advanced beyond that point.
|
|||
||| | No other Internet activity occurred [e.g., no external IE or
||| | browser usage or other activity]. All *allowed activity* has been
||| | removed, so that the addresses and activities blocked might be
||| | addressed for perhaps a greater understanding of the function of
||| | firewalls, what they can and are used for, and other aspects
||| | related thereto.
|||
||| Really, it's important to see what was allowed too. Where I thought
||| my Primary DNS Server rule would be used only by NetZero (they are
||| NetZero addresses in there)... really a whole bunch of apps were
||| using it! But that's in the other thread!
||
|| DNS is used by any program requiring addressing information.
|
| The sole purpose of my DNS Server rule(s)...
|
| Protocol.......... UDP
| Direction......... Both
| Local Endpoint
| Ports........... 1024-5000
| Application... Any (but now I've limited it to 5 apps
| by creating 5 of these rules)
| Remote Endpoint
| Addresses.... The entire NetZero range
| Port............. 53
|
| ... is to resolve NET addresses? Still, am I right to seek to limit it
| to the five apps I kind of have to trust? Otherwise, can't it be
| appropriated by some devious app to do ill?
|
|| The key
|| is to limit to the EXACT DNS server(s) NOT within your system [unless
|| for local network traffic] and the port [53] used by that (those)
|| server(s) with limited [chosen by previous monitoring] local ports
|| and applications.
|
| Why do I need to bother with ports, if I limit the DNS rule(s) to
| trusted apps & to trusted NetZero addresses? Unfortunately, Kerio does
| not permit a list of apps in a rule, the way it does with ports &
| addresses. So, currently I have coded 5 of them...!...
|
| (1) DNS Server-- EXEC.exe (NetZero)
| (2) DNS Server-- ASHWEBSV (avast! Web Scanner)
| (3) DNS Server-- AVAST.SETUP (There actually is no program)
| (4) DNS Server-- ASHMAISV (avast! e-Mail Scanner Service)
| (5) DNS Server-- IExplore
|
|| I will NOT post all my rules or what exactly I have configured
|| locally [that would supply the exact way to circumvent my
|| protection],
|
| OK.
|
|| however I will post this contact to retreive the
|| email/news messages [your posting], with a few more inclusions
|| [again, slightly modified rules and rule logging]. This was ONLY to
|| retreive mail and the newsgroups on Microsoft. Nothing else occurred
|| BUT the logon to the ISP.
|
| OK, limited to mail & NG activities, right.
|
|| 2,[28/Jul/2007 17:22:18] Rule 'AOL UDP pass': Permitted: Out UDP,
|| localhost:1030->XXX.XXX.XXX.X:7427, Owner: C:\PROGRAM FILES\AMERICA
|| ONLINE
|| 7.0\WAOL.EXE
|
| So... WAOL.exe (which was port 1030 on your computer) needed to
| resolve an address? And it did so at XXX.XXX.XXX.X, port7427? Is that
| what that says?
|
|| 1,[28/Jul/2007 17:22:18] Rule 'Other ICMP': Blocked: Out ICMP [10]
|| Router Solicitation, localhost->224.0.0.2, Owner: Tcpip Kernel Driver
|
| I get lots of those. Here is the last I recorded...
|
| 1,[27/Jul/2007 17:40:12] Rule 'Kill ICMP (Log)': Blocked: In ICMP [8]
| Echo Request, 4.232.192.209->localhost, Owner: Tcpip Kernel Driver
|
| ..., but, beginning yesterday, I have chosen NOT to log those
| anymore. I have two rules above that blocker. One allows ICMP
| incoming for... [0] Echo Reply, [3] Destination Unreachable, [11]
| Time Exceeded
|
| The other allows it outgoing for...
| [3] Destination Unreachable, [8] Echo Request
|
| I think that's probably finalized for ICMP. In this case, specific
| apps & ports are not possible in the rules-- only specific endpoint
| addresses are. But mine apply to any address.
|
|| 2,[28/Jul/2007 17:22:18] Rule 'AOL UDP pass': Permitted: In UDP,
|| XXX.XXX.XXX.X:7427->localhost:1030, Owner: C:\PROGRAM FILES\AMERICA
|| ONLINE
|| 7.0\WAOL.EXE
|
|| 1,[28/Jul/2007 17:22:22] Rule 'Other ICMP': Blocked: Out ICMP [10]
|| Router Solicitation, localhost->ALL-ROUTERS.MCAST.NET [224.0.0.2],
|| Owner: Tcpip Kernel Driver
|
| I've never seen an ALL-ROUTERS.MCAST.NET. But this would also be
| blocked in my machine!
|
|| 1,[28/Jul/2007 17:22:24] Rule 'Other ICMP': Blocked: Out ICMP [10]
|| Router Solicitation, localhost->ALL-ROUTERS.MCAST.NET [224.0.0.2],
|| Owner: Tcpip Kernel Driver
|
|| 1,[28/Jul/2007 17:23:58] Rule 'Incoming ICMP': Blocked: In ICMP [8]
|| Echo Request, XXX.XXX.XX.XXX->localhost, Owner: Tcpip Kernel Driver
|
|| 1,[28/Jul/2007 17:26:56] Rule 'Incoming ICMP': Blocked: In ICMP [8]
|| Echo Request, XXX.XXX.XXX.XXX->localhost, Owner: Tcpip Kernel Driver
|
|| 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP,
|| 24.64.192.20:17898->localhost:1026, Owner: no owner
|
| I used to get these Kerio alert's about Shaw Comm...
|
| Someone from 24.64.9.177, port 3222 wants to send UDP datagram to
| port 1027 owned by 'Distributed COM Services' on your computer.
|
| ..., but they are prevented now with a rule that specifically blocks
| RPCSS.exe (which is Distributed COM Services & which establishes the
| port 1027) from using UDP/TCP. Eventually, I hope to remove that block
| rule (& 4 others)-- after I have completed my UDP & TCP permit rules
| for speific, trusted apps/addresses. Then, RPCSS.exe will be blocked
| along with the others by virtue of not being included in the
| PERMITs-- & having one single BLOCK after them.
|
|| 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP,
|| 24.64.192.20:17898->localhost:1027, Owner: no owner
|
|| 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP,
|| 24.64.192.20:17898->localhost:1028, Owner: no owner
|
|| 1,[28/Jul/2007 17:29:12] Rule 'TCP ack packet attack': Blocked: In
|| TCP, 207.46.248.16:119->localhost:1072, Owner: no owner
|
| I haven't begun to finalize my TCP rules yet. That's probably where I
| go next, once UDP is done!
|
|| at which point I disconnected having retrieved mail and the news
|| messages.
|
| Nothing ELSE tried to use UDP? Not even RNAAPP.exe, RPCSS.exe,
| PersFW.exe, & PFWadMin.exe-- which are just some of the ones using it
| in here before I recently have prevented them! Well, I guess it may
| require the clicking of an URL for those to kick in.
|
|| NOTE specifically the *ALL_ROUTERS* from MCAST.NET, and the tcpip
|| Kernel requests.
|
| What specifically is notable about them?
|
|||
||| | For those who do not understand firewalls, these activities would
||| | or may have been allowed as they followed either programs IN USE
||| | [allowed activity], or through addressing [broadcast or otherwise]
||| | had a firewall not been used.
|||
||| That is right. Without a firewall with a good set of denial rules,
||| all activity is allowed. Hopefully, if a virus or a trojan or a spy
||| can sneak in that way, a good virus detector will prevent it from
||| executing. Also, there may have been an MS fix or two to prevent
||| some forms of abuse along these lines (I don't know).
||
|| What would make you think any anti-spyware or anti-virus programs
|| would check or correct these types of activities?
|
| I do believe an actual executable can be read into a machine through
| malicious use of these NET packets, although I'm not sure which
| precise protocols can do it. Once it is read in &/or tries to run,
| one hopes one's virus/malware scanner WILL catch it, before it
| delivers its payload!
|
|| Anti-spyware programs MAY block certain addresses and perhaps some
|| ActiveX, or other. Anti-virus MIGHT catch scripting or attempts to
|| infect something, or emails or files which contain hacks or other.
|
| It is still quick enough, in the cases when this bad stuff makes it
| through the firewall (or the lack of one), for these other apps to
| catch them trying to do their ill work-- if they can!
|
| BUT, I'm sure some ill-conceived packet can possibly do ill without
| delivering an executable that can be caught in another way. Somewhere
| in my 12th year of study I will know what these packets are & the
| protocols they use! But I'm hoping to get my Kerio rules solidified a
| lot sooner!
|
|| Host or lmhost files catch what they have been configured to catch
|| via addressing/name. These, however, are *network use* activities
|| WITHIN the TCP/IP and other aspects of Internet/network usage.
|| Firewalls, proxies, packet sniffers, client servers, the TCP/IP
|| kernel, and the like, are what handle these activities.
|| Of course the above is an overly simplified explanation.
|
| This isn't the year for me to really want to know every little detail,
| anyhow.
|
|||
||| | NOTE: this is contact through a dial-up connection[phone]/ISP
||| | [which is indicated via some of these addresses], ALWAYS ON
||| | connections are even more of a security risk.
|||
||| Uhuh. I am Dial-Up too. That way, you get a new IP address each
||| connect.
||
|| Only if that is what the ISP requires or desires.
|
| OK. For me, it does happen that way, I'm fairly sure.
|
|||
||| | Hopefully, this discussion will be useful to those interested and
||| | provide theory and answers to various issues.
||| | Rule sets or other settings for various firewalls would naturally
||| | be of interest.
||| |
||| | 1,[28/Jul/2007 01:33:36] Rule 'Packet to unopened port received':
||| | Blocked: In UDP, 67.170.2.174:43511->localhost:29081, Owner: no
||| | owner
|||
||| I find I have to guess as to the meaning of that. Looks like someone
||| at
||| 67.170.2.174, who is Comcast...
|||
||| http://www.networksolutions.com/whois/results.jsp?ip=67.170.2.174
|
||| .....Quote...........
||| 67.170.2.174
||| Record Type: IP Address
|||
||| Comcast Cable Communications, Inc. ATT-COMCAST (NET-67-160-0-0-1)
||| 67.160.0.0 - 67.191.255.255
||| Comcast Cable Communications, IP Services WASHINGTON-6
||| (NET-67-170-0-0-1)
||| 67.170.0.0 - 67.170.127.255
||| .....EOQ.............
|||
||| ...sent a UDP datagram to port 29081 on your machine. But I don't
||| know...
|||
||| (1) did the port exist without an owner, & would it have received
||| the datagram (except the rule blocked it)?
||| (The name of that rule suggests the answer is no.)
||
|| The data request would have been received and likely honored.
|| The port would have been opened/created to allow this activity.
|
| I'm still thinking the port has to already be open to receive a
| packet. Is there documentation that may say otherwise?
|
|||
||| (2) did the the port once exist & at that time have an owner,
||| but somehow was closed before the datagram arrived?
||| Therefore, it couldn't get it, anyhow, even if not blocked?
||
|| If it would have been ALLOWED activity [e.g., without proxy or
|| firewall monitoring or exculsion, or within a hosts or lmhosts, or
|| other]], then a search would have been made for an available port,
|| and then created/opened. Look again at this:
|| 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP,
|| 24.64.192.20:17898->localhost:1026, Owner: no owner
|| 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP,
|| 24.64.192.20:17898->localhost:1027, Owner: no owner
|| 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP,
|| 24.64.192.20:17898->localhost:1028, Owner: no owner
||
|| See the attempt to find or create an open port?
|
| Looks like Shaw Comm is trying to FIND one. If it could create one,
| why wouldn't it stop & just create 1026?
|
| It might still be worthwhile to block these-- but I wouldn't want to
| block them on an individual basis per abuser like Shaw Comm.
|
|| Now, should I have stayed online, there would have been continued
|| attempts [see your prior discussion where I was online longer],
|| though with different Shaw addressing and OUT ports, again stepping
|| through IN [local] ports in attempt to find or create.one.
|
| I'll look.
|
|||
||| (3) did the port 29081 never exist?
|||
||| Do any earlier log entries mention that port? You'd have to log all
||| activity of each "permit" rule to know for sure. But, if there is no
||| rule permitting the activity, then you would have received a Kerio
||| requestor mentioning the port.
||
|| No we don't need that.
|| Were an ALLOWED program or address using that aspect, then it would
|| NOT have created the denial.
|
| No, I wanted to know... did a PERMIT exist that came from port 29081?
| That would prove the port once existed & possibly initiated a
| communication with Shaw Comm. But, I'm fairly confident no such thing
| happened-- but it was Shaw Comm doing a probe. If it found it &
| activity was permitted-- mayhem such as pop-up ads or at least spying
| may have ensued, I think!
|
|| Either would have cascaded to find an
|| open port for use [as long as it was in the defined rule range].
|
| That's what I think-- it wants to find one that is already open.
|
|| AND you mention Kerio, which MUST have that turned on {requestor].
|
| Oops, that's right. "Kerio, Administration, Firewall tab" has to be
| set at "Ask me first". Then, when activity occurs that is not covered
| by a rule, an alert requestor will appear. It offers to create the
| rule, which later can be fine tuned. Yep, & that's a great feature!
|
|| Other firewalls, particularly those that automatically configure
|| themselves, MAY not pop-up anything unless it has been configured
|| that way. They also MAY pass through such requests if piggy-backed
|| from or on allowed activities/programs. Think "but all I want to know
|| is the user address". Think Microsoft's firewalls, imagine what they
|| are configured by default to allow.
|
| Yep. Kerio seems to have it all. It's highly configurable!
|
| ...snip of Kerio help page
||| | 1,[28/Jul/2007 01:34:00] Rule 'Packet to unopened port received':
||| | Blocked: In UDP, 200.112.1.7:8806->localhost:29081, Owner: no
||| | owner
|||
||| That one seems to be coming from...
|||
||| NetRange: 200.0.0.0 - 200.255.255.255
||| NetName: LACNIC-200
||
|| Yes, that is the key to your Firewall security.
|| Tracking each suspect activity to the originator, if possible.
|
| In the end, I just want to block them.
|
|| Actually were I to post prior complete TRACKING logs [which I
|| collect(ed) for specific use], say for one day's normal usage, vast
|| numbers of potentially dangerous attacks/attempts would be shown.
|
| By the way, how do you empty Kerio's Filter.log, when you think you've
| seen enough? (I've been deleting it in DOS along with Filter.log.idx.)
|
| ...snip of stuff not meant for me, but thanks for the additional URLs
| to research. And thanks for continuing to contribute to my
| understanding of it.
|
|| Of course SYSINTERNALS/WINTERNALS has some nice tools - look on
|| Microsoft's TechNet
||
|
| OK, I see here again are the other "no owner's"...
|
|||
||| | 1,[28/Jul/2007 01:34:06] Rule 'Packet to unopened port received':
||| | Blocked: In UDP, 218.10.137.139:55190->localhost:1026, Owner: no
||| | owner
|
| This is an attempt to send a UDP packet to port 1026. I still doubt it
| really needs to be blocked, if the port indeed does not exist. For
| UDP, I favor PERMITs of trusted apps from trusted addresses-- & one
| single block of UPD afterwards that will cover all others. (But I'm
| not even totally set up that way, myself, yet.) And I want to do it
| that way for TCP too.
|
| ...snip of other In UDP.
|
| 1,[28/Jul/2007 01:36:04] Rule 'Packet to unopened port
||| | received': Blocked: In TCP, 219.148.119.6:12200->localhost:7212,
||| | Owner: no owner
|
| Ah-- a TCP! Soon, I must do with TCP what I nearly am finishing with
| UDP!
|
| ...snip
||| | 1,[28/Jul/2007 01:36:08] Rule 'TCP ack packet attack': Blocked: In
||| | TCP, msnews.microsoft.com [207.46.248.16:119]->localhost:1186,
||| | Owner: no owner
|
| I don't believe I've seen one of those. Could be I'm just not tracking
| the rule that does it. Looks like msnews.microsoft.com was still
| trying to communicate after the NET connection was closed. What app
| controlled localhost:1186?
|
| ...snip of a bunch more of In UDPs & possibly In TCPs.

--
Thanks or Good Luck,
There may be humor in this post, and,
Naturally, you will not sue,
Should things get worse after this,
PCR
pcrrcp@netzero.net

PCR · Jul 31, 2007

Re: firewalls - Kerio PF Part 2 - what to block and why - your security at risk

MEB wrote:
| Part 1 will have to be broken up.. I think the filters are now ON and
| there is an area that is not supposed to be discussed.. think I might
| have located it... after 15 trys and several addition partial post
| failed attempts...

Well, I've sent another response to that post, this time quoting it.
Looks like it went through for me. Therefore...

(a) You are not wearing your tinfoil hat, &/or

(b) You are making it too long with more additions
from Filter.log, &/or

(c) Properties of your posts shows...
X-Newsreader: Microsoft Outlook Express 6.00.2800.1409
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409

...Mine shows...
X-Newsreader: Microsoft Outlook Express 6.00.2800.1437
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441

| --
| MEB
| http://peoplescounsel.orgfree.com
| ________
|
|
| "PCR" <pcrrcp@netzero.net> wrote in message
| news:OFdYmUx0HHA.4652@TK2MSFTNGP05.phx.gbl...
|| MEB wrote:
|| | PART 2 of 2
||
|| I don't see part 1.
||
|| ...snip
|| || By the way, how do you empty Kerio's Filter.log, when you think
|| || you've seen enough? (I've been deleting it in DOS along with
|| || Filter.log.idx.)
|| |
|| | Right click and delete within the viewer..
||
|| Oh, my God! You are right! And it deleted the .idx file too! Thanks!
||
|| I'll answer the rest of the post tomorrow.

--
Thanks or Good Luck,
There may be humor in this post, and,
Naturally, you will not sue,
Should things get worse after this,
PCR
pcrrcp@netzero.net

PCR · Jul 31, 2007

Re: firewalls - Kerio PF Part 2 - what to block and why - your security at risk

PCR wrote:
| MEB wrote:
|| Part 1 will have to be broken up.. I think the filters are now ON and
|| there is an area that is not supposed to be discussed.. think I might
|| have located it... after 15 trys and several addition partial post
|| failed attempts...
|
| Well, I've sent another response to that post, this time quoting it.
| Looks like it went through for me. Therefore...
|
| (a) You are not wearing your tinfoil hat, &/or
|
| (b) You are making it too long with more additions
| from Filter.log, &/or
|
| (c) Properties of your posts shows...
| X-Newsreader: Microsoft Outlook Express 6.00.2800.1409
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409
|
| ...Mine shows...
| X-Newsreader: Microsoft Outlook Express 6.00.2800.1437
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441

(d) I am using...
http://www.insideoe.com/resources/tools.htm
OEQuotefix
Can it be that it adds an invisible character/two
that is poison to you?

MEB · Jul 31, 2007

Whatever, now is it your intent to infer that I did NOT test this
repeatedly? Shall I supply my EVIDENCE for you or to a court...

Or shall we continue with the discussion? Your choice, I can just as easily
deal with these issues via web page..

--
MEB
http://peoplescounsel.orgfree.com
________

PCR · Jul 31, 2007

Re: firewalls - Kerio PF Part 1 - what to block and why - your security at risk

MEB wrote:
| "PCR" <pcrrcp@netzero.net> wrote in message
| news:OMaRHIk0HHA.4184@TK2MSFTNGP06.phx.gbl...
....snip
|| Uh-huh. Naturally, you & I have advanced beyond that point.
|
| hehehe, maybe,,,,,

If it isn't true yet, it surely will kick in in the 16th year of my
study!

....snip
|| |
|| | DNS is used by any program requiring addressing information.
||
|| The sole purpose of my DNS Server rule(s)...
||
|| Protocol.......... UDP
|| Direction......... Both
|| Local Endpoint
|| Ports........... 1024-5000
|| Application... Any (but now I've limited it to 5 apps
|| by creating 5 of these rules)
|| Remote Endpoint
|| Addresses.... The entire NetZero range
|| Port............. 53
||
|| ... is to resolve NET addresses? Still, am I right to seek to limit
|| it to the five apps I kind of have to trust? Otherwise, can't it be
|| appropriated by some devious app to do ill?
|
| As you posted, yes, it would appear so.

Well... one of us should solidify the point. Is it possible I might
safely have left "any" in that rule, because... it has NetZero addresses
in it &/or specifically refers to port 53... IOW, NetZero will handle
any misanthrope at their end by whatever app owns the port there? I
should get an answer to that before I continue much further with this
current plan!

| But is it necessary or
| reasonable to create one rule with ALL the address range included and
| allowed? Seems that leaves an awful lot of addresses available to
| hijack/spoof...

I'm thinking, even allowing the full range, there would have to be a
port 53 at the address actually used for a spoof to do harm, anyhow. So,
if spoofing is possible, it only will happen at an address that has port
53 open. Otherwise, the datagram will not be accepted. I don't know how
NetZero picks one of these addresses to use, either-- I guess it's
something in Exec.exe that decides. Previously, I fished for them out of
Filter.log & stopped at 4.

| though limiting it to JUST those apps does decrease
| that ability..

That's my original thought. A trusted app will do no ill, unless
hijacked. But, if hijacking it means it must be altered, Kerio should
catch that with its MD5 check. Or avast! will stop it from being altered
in the first place.

||
|| | The key
|| | is to limit to the EXACT DNS server(s) NOT within your system
|| | [unless for local network traffic] and the port [53] used by that
|| | (those) server(s) with limited [chosen by previous monitoring]
|| | local ports and applications.

What if NetZero adds or deletes them? Is there magic at a NetZero port
53 that will handle a spoof, anyhow, & no matter at which of their
addresses? Or can there be magic in the protocol UDP in/out that
prevents spoofing?

|| Why do I need to bother with ports, if I limit the DNS rule(s) to
|| trusted apps & to trusted NetZero addresses?
|
| Well, 53 is the standard port for that type of request, and is held
| as such... as for requesting port, there may be a LARGE fluctuation..
| I think you limiting to the specific apps will suffice, perhaps
| someone more qualified can confirm...

Yea. And here is what to read thrice for an answer, as posted to me by
Blanton long ago...

http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/ip.htm
What a packet looks like.

http://www.cisco.com/en/US/about/ac123/ac114/about_cisco_packet_magazine.html
Packet Magazine.

http://www.linuxsecurity.com/resource_files/firewalls/firewall-seen.html
FAQ: Firewall Forensics (What am I seeing?) ...by Robert Graham

|| Unfortunately, Kerio does
|| not permit a list of apps in a rule, the way it does with ports &
|| addresses. So, currently I have coded 5 of them...!...
||
|| (1) DNS Server-- EXEC.exe (NetZero)
|| (2) DNS Server-- ASHWEBSV (avast! Web Scanner)
|| (3) DNS Server-- AVAST.SETUP (There actually is no program)
|| (4) DNS Server-- ASHMAISV (avast! e-Mail Scanner Service)
|| (5) DNS Server-- IExplore

....snip
|| | 2,[28/Jul/2007 17:22:18] Rule 'AOL UDP pass': Permitted: Out UDP,
|| | localhost:1030->XXX.XXX.XXX.X:7427, Owner: C:\PROGRAM FILES\AMERICA
|| | ONLINE
|| | 7.0\WAOL.EXE
||
|| So... WAOL.exe (which was port 1030 on your computer) needed to
|| resolve an address? And it did so at XXX.XXX.XXX.X, port7427? Is
|| that what that says?
|
| No and yes, there is another set of rules applied prior to this, and
| UDP need not be
| DNS.

But what about port 53 at NetZero's end? Does it restrict what a UDP
datagram can do?

||
|| | 1,[28/Jul/2007 17:22:18] Rule 'Other ICMP': Blocked: Out ICMP [10]
|| | Router Solicitation, localhost->224.0.0.2, Owner: Tcpip Kernel
|| | Driver
||
|| I get lots of those. Here is the last I recorded...
||
|| 1,[27/Jul/2007 17:40:12] Rule 'Kill ICMP (Log)': Blocked: In ICMP [8]
|| Echo Request, 4.232.192.209->localhost, Owner: Tcpip Kernel Driver
||
|| ..., but, beginning yesterday, I have chosen NOT to log those
|| anymore. I have two rules above that blocker. One allows ICMP
|| incoming for... [0] Echo Reply, [3] Destination Unreachable, [11]
|| Time Exceeded
||
|| The other allows it outgoing for...
|| [3] Destination Unreachable, [8] Echo Request
|
| Those are the suggestions by most, including Sponge...
| So you have no specific rule for Netzero ICMP?

Undoubtedly, Sponge was the source of it-- but I may have made an
adjustment afterward to drop [0] going out & [8] coming in-- to become
non-pingable, I think. Anyhow, I'm very satisfied I am fine with ICMP.
And I don't see anything specific to NetZero-- no! Should there be? I do
have lots of protocol "any" rules (to be investigated last), but none of
those are specific to any address, either.

|| I think that's probably finalized for ICMP. In this case, specific
|| apps & ports are not possible in the rules-- only specific endpoint
|| addresses are. But mine apply to any address.
||
|| | 2,[28/Jul/2007 17:22:18] Rule 'AOL UDP pass': Permitted: In UDP,
|| | XXX.XXX.XXX.X:7427->localhost:1030, Owner: C:\PROGRAM FILES\AMERICA
|| | ONLINE
|| | 7.0\WAOL.EXE
|
| ***********
|
| This is apparently the problem area. If this posts refer to the
| original. Google search for what this was and think of the potential
| uses.
|
| **********

I have no trouble quoting the whole post.

....snip
|| I used to get these Kerio alert's about Shaw Comm...
||
|| Someone from 24.64.9.177, port 3222 wants to send UDP datagram to
|| port 1027 owned by 'Distributed COM Services' on your computer.
||
|| ..., but they are prevented now with a rule that specifically blocks
|| RPCSS.exe (which is Distributed COM Services & which establishes the
|| port 1027) from using UDP/TCP. Eventually, I hope to remove that
|| block rule (& 4 others)-- after I have completed my UDP & TCP permit
|| rules for specific, trusted apps/addresses. Then, RPCSS.exe will be
|| blocked along with the others by virtue of not being included in the
|| PERMITs-- & having one single BLOCK after them.
|
| Well I would suggest you block SHAW's range entirely, if you have
| others, create a custom list or put them in your hosts file

I'll have to look into that as I get to the other protocols. Currently,
I still am holding to my master plan-- to have specific permits &
generalized blocks.

....snip
|| I haven't begun to finalize my TCP rules yet. That's probably where
|| I go next, once UDP is done!
|
| Yeah get UDP outadaway... then lock down Outlook or whatever mail
| prog you use...
| There are a lot of TCP activities, back and forth, that can be
| blocked.
|
| Each application should have only enough access to allow it to
| function for its use...

Well, let's see how it goes as I progress to the other protocols. Some
obviously cannot have a rule that applies to specific apps. But, they do
all allow for specific remote addresses.

....snip
|| Nothing ELSE tried to use UDP? Not even RNAAPP.exe, RPCSS.exe,
|| PersFW.exe, & PFWadMin.exe-- which are just some of the ones using
|| it in here before I recently have prevented them! Well, I guess it
|| may require the clicking of an URL for those to kick in.
|
| As I said, I would not post all my rules or the logs they would
| create, that creates too much of a security risk..
| RPCSS was locked down previously, along with krnl386, and several
| other potential exploits. Anything and EVERYTHING that might apply to
| web/network usage should have its own settings JUST IN CASE... or at
| least in my config..

OK.

| If you remember [likely not], several months ago a program was
| suggested to me which attempted to bypass/reset ALL of my firewall
| settings,,, were it not for my prior restrictions it likely would
| have succeeded. As it was already ruled, it popped up and requested
| what to do since I said it couldn't do what the installation wanted
| to do PRIOR to disabling the firewall..

Interesting. I haven't seen anything like that, & I hope it isn't
because my rules are lax!

||
|
| ANOTHER POTENTIAL AREA REMOVED

I WAS able to respond to this area too-- to the whole post!

||
|| What specifically is notable about them?
|
| See the prior links. So this was an attempt to locate other routers..
| And *tcpip Kernel request* indicates the driver/protocol itself,,
| e.g. part of normal network usage, normally ALLOWED due to its usual
| necessity.

Alright.

|| | What would make you think any anti-spyware or anti-virus programs
|| | would check or correct these types of activities?
||
|| I do believe an actual executable can be read into a machine through
|| malicious use of these NET packets, although I'm not sure which
|| precise protocols can do it. Once it is read in &/or tries to run,
|| one hopes one's virus/malware scanner WILL catch it, before it
|| delivers its payload!
|
| You forget JAVA, server side includes/codes [php, asp, other], FLASH,
| streaming
| media, PDFs, and other aspects which are not necessarily caught by
| ANYTHING except for your proxy and/or firewall. ALL [emphasis all]
| are potential carriers of damaging hacks...

OK. There might have been java, flash, etc., updates as well-- but,
fine, I'm a believer in a good firewall-- sure!

....snip
| END PART 1 of 2

Very good. Before answering part 2, I must investigate a new
trojan/virus
avast! has discovered today...

.......Quote avast! "Simple User Interface.txt.......
C:\Program Files\Common Files\Microsoft Shared\Stationery\Tiki
Lounge.htm [L] VBS:Malware

HTML:

 (0)
File was successfully renamed/moved...
C:\Program Files\Alwil Software\Avast4\DATA\moved\Tiki Lounge.htm.vir
[L] VBS:Malware [Html] (0)
.......EOQ...........................................................

I'm hoping it's another false alarm! But this is for another thread!

| LESS THE DELETED MATERIAL
|
| --
| MEB
| http://peoplescounsel.orgfree.com
| ________

-- 
Thanks or Good Luck,
There may be humor in this post, and,
Naturally, you will not sue,
Should things get worse after this,
PCR
pcrrcp@netzero.net

PCR · Jul 31, 2007

MEB wrote:
| Whatever, now is it your intent to infer that I did NOT test this
| repeatedly? Shall I supply my EVIDENCE for you or to a court...
|
| Or shall we continue with the discussion? Your choice, I can just as
| easily deal with these issues via web page..

Just joking about the hat-- you know!

.

I posted serious possibilities elsewhere in this thread why you can't
quote it. Also, I answered Part 1 of 2. I must take a break from this
thread & investigate a new avast! alert. Thanks for your continued
participation.

| --
| MEB
| http://peoplescounsel.orgfree.com
| ________

--
Thanks or Good Luck,
There may be humor in this post, and,
Naturally, you will not sue,
Should things get worse after this,
PCR
pcrrcp@netzero.net

MEB · Jul 31, 2007

"PCR" <pcrrcp@netzero.net> wrote in message
news:OSjj1M70HHA.4344@TK2MSFTNGP03.phx.gbl...
| MEB wrote:
| | Whatever, now is it your intent to infer that I did NOT test this
| | repeatedly? Shall I supply my EVIDENCE for you or to a court...
| |
| | Or shall we continue with the discussion? Your choice, I can just as
| | easily deal with these issues via web page..
|
| Just joking about the hat-- you know!

.

What you don't like my tin foil hat now, you are dangerously close .... -[

|
| I posted serious possibilities elsewhere in this thread why you can't
| quote it. Also, I answered Part 1 of 2. I must take a break from this
| thread & investigate a new avast! alert. Thanks for your continued
| participation.

Well, that kinda ignores the fact that three others had difficulty posting
[obviously server changes], moreover that suggestion related to OEQUOTEFIX
directly conflicts with the ability to respond to your posts previously, and
now.

Frankly I have what I need pursuant the matter, from 07/30/07 12:55 AM
through 07/31/07 2:49 AM as either the full post or the removed segments
ONLY, and under various headings in this group, 22 attempts,... while
retaining the ability to post anything else, ANYWHERE ELSE, or in this
discussion.
Further, Part 2 DID make it through AFTER I broke Part 1 away containg the
segments though BOTH were posted at the same time under different or same
headings and different thread segments.
Moreover Part 1 DID post without them. Of course we need not even question
that I COULD previously post those segments SINCE I originally posted them.

So frankly what you posted means little related to what I could not do...
nor that they could possibly be posted NOW having exposed this aspect before
the group and the world ... settings/filters CAN be changed, can't they...

This is a rather large amount of circumstantial evidence...

Think we can let this alone now?

|
| | --
| | MEB
| | ________
|
| --
| Thanks or Good Luck,
| There may be humor in this post, and,
| Naturally, you will not sue,
| Should things get worse after this,
| PCR
| pcrrcp@netzero.net
|
|

--
MEB
http://peoplescounsel.orgfree.com
________

MEB · Jul 31, 2007

Re: firewalls - Kerio PF Part 1 - what to block and why - your security at risk

"PCR" <pcrrcp@netzero.net> wrote in message
news:ehuK$E70HHA.5152@TK2MSFTNGP02.phx.gbl...
| MEB wrote:
| | "PCR" <pcrrcp@netzero.net> wrote in message
| | news:OMaRHIk0HHA.4184@TK2MSFTNGP06.phx.gbl...
| ...snip
| || Uh-huh. Naturally, you & I have advanced beyond that point.
| |
| | hehehe, maybe,,,,,
|
| If it isn't true yet, it surely will kick in in the 16th year of my
| study!

Oh wow, then you should have all this down pat...8<}

|
| ...snip
| || |
| || | DNS is used by any program requiring addressing information.
| ||
| || The sole purpose of my DNS Server rule(s)...
| ||
| || Protocol.......... UDP
| || Direction......... Both
| || Local Endpoint
| || Ports........... 1024-5000
| || Application... Any (but now I've limited it to 5 apps
| || by creating 5 of these rules)
| || Remote Endpoint
| || Addresses.... The entire NetZero range
| || Port............. 53
| ||
| || ... is to resolve NET addresses? Still, am I right to seek to limit
| || it to the five apps I kind of have to trust? Otherwise, can't it be
| || appropriated by some devious app to do ill?
| |
| | As you posted, yes, it would appear so.
|
| Well... one of us should solidify the point. Is it possible I might
| safely have left "any" in that rule, because... it has NetZero addresses
| in it &/or specifically refers to port 53... IOW, NetZero will handle
| any misanthrope at their end by whatever app owns the port there? I
| should get an answer to that before I continue much further with this
| current plan!

Based upon my personal experience: NO, do not leave much of anything as ANY
unless its a block/refusal, or you're logging results for refinement of your
rules.

|
| | But is it necessary or
| | reasonable to create one rule with ALL the address range included and
| | allowed? Seems that leaves an awful lot of addresses available to
| | hijack/spoof...
|
| I'm thinking, even allowing the full range, there would have to be a
| port 53 at the address actually used for a spoof to do harm, anyhow. So,
| if spoofing is possible, it only will happen at an address that has port
| 53 open. Otherwise, the datagram will not be accepted. I don't know how
| NetZero picks one of these addresses to use, either-- I guess it's
| something in Exec.exe that decides. Previously, I fished for them out of
| Filter.log & stopped at 4.

Okay, further refinement: Port 53 is the SENDING port from some remote
address, local ports may be just about anything out on the Net [and likely
on NetZero].
So if, such as on AOL and its thousands of LOCAL private network addresses,
proceeding OFF AOL's [and NetZero's] PRIVATE network and one of those
addresses is available or known, AND your rule would accept such from ANY
address/external OR one you had included within your rules for AOL/NetZero
[but you're no longer on the private network] from Port 53, then there would
be a potential access point.

I presently have a DNS [one], and the UDP range which has seven additional
UDP address waiting to be included IF there are other contiguous addresses
which also need included [they are way out of range, so they may be a
separate rule], and 53 more additional addresses logged and ruled SO FAR for
AOL TCP [though potentially ranged to 3 rules]. AND I use nothing on AOL
but its mail [rarely] and the logon from which ALL of these addresses were
obtained, e.g. just what it takes to logon. And list grows EVERYTIME I
logon. Its possible some of these addresses MIGHT be used off the private
network so ALL are locked to waol. But this is a MAJOR security hole. I
suppose I could just use some of the rules already created by others for AOL
but .....

Haven't you ever logged a remote 192.168.1.* or a 192.168.0.* [or other
class C] address from somewhere on the Internet yet?? Or a remote 127.0.0.1
or other non-standard Internet address?

|
| | though limiting it to JUST those apps does decrease
| | that ability..
|
| That's my original thought. A trusted app will do no ill, unless
| hijacked. But, if hijacking it means it must be altered, Kerio should
| catch that with its MD5 check. Or avast! will stop it from being altered
| in the first place.

But if hijacking requires nothing more than would have been displayed by
that 3k [tooleaky] test I referred you to, then are you really secure?
That test doesn't do anything that would normally be caught by ANYTHING. It
could just as easily be delivered through some server code, or Java, or in a
Flash object ...

|
| ||
| || | The key
| || | is to limit to the EXACT DNS server(s) NOT within your system
| || | [unless for local network traffic] and the port [53] used by that
| || | (those) server(s) with limited [chosen by previous monitoring]
| || | local ports and applications.
|
| What if NetZero adds or deletes them? Is there magic at a NetZero port
| 53 that will handle a spoof, anyhow, & no matter at which of their
| addresses? Or can there be magic in the protocol UDP in/out that
| prevents spoofing?

I would like to be able to say that the NetZero site/network was secure,
but then we have to walk back to the real world and remember that Google was
hacked, Microsoft was hacked, the DOJ was hacked, etc...
Anytime an ISP or direct connection has large groups of people connected
through it, there is always the chance that some of those people are running
some type of hack, trace, broadcast, or other which you are susceptible to,
since you also are connected through the same service. The ISP [or direct
network] has a range of addresses it gives to its customers/users, which can
be found through some rather simple means, or software which can
locate/single out individual users. Did you miss that I posted some tools
which potentially COULD do this.
So is remote Port 53 safe to accept from a broad range of NetZero addresses
or an *ANY*,, what do you think?

|
| || Why do I need to bother with ports, if I limit the DNS rule(s) to
| || trusted apps & to trusted NetZero addresses?
| |
| | Well, 53 is the standard port for that type of request, and is held
| | as such... as for requesting port, there may be a LARGE fluctuation..
| | I think you limiting to the specific apps will suffice, perhaps
| | someone more qualified can confirm...
|
| Yea. And here is what to read thrice for an answer, as posted to me by
| Blanton long ago...
|
| http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/ip.htm
| What a packet looks like.
|
|
http://www.cisco.com/en/US/about/ac123/ac114/about_cisco_packet_magazine.html
| Packet Magazine.
|
| http://www.linuxsecurity.com/resource_files/firewalls/firewall-seen.html
| FAQ: Firewall Forensics (What am I seeing?) ...by Robert Graham

Actually what I posted previously might have given a broader outlook, but I
will read these [likely tonight/morning]. Heck for all I remember, I may
have done so already.
Oh yeah, seems I have Robert's listed on my firewall page, and the Cisco
ip.htm, along with some other reference links, here's the link:

http://peoplescounsel.orgfree.com/ref/gen/security/firewalls.htm

|
| || Unfortunately, Kerio does
| || not permit a list of apps in a rule, the way it does with ports &
| || addresses. So, currently I have coded 5 of them...!...
| ||
| || (1) DNS Server-- EXEC.exe (NetZero)
| || (2) DNS Server-- ASHWEBSV (avast! Web Scanner)
| || (3) DNS Server-- AVAST.SETUP (There actually is no program)
| || (4) DNS Server-- ASHMAISV (avast! e-Mail Scanner Service)
| || (5) DNS Server-- IExplore
|
| ...snip
| || | 2,[28/Jul/2007 17:22:18] Rule 'AOL UDP pass': Permitted: Out UDP,
| || | localhost:1030->XXX.XXX.XXX.X:7427, Owner: C:\PROGRAM FILES\AMERICA
| || | ONLINE
| || | 7.0\WAOL.EXE
| ||
| || So... WAOL.exe (which was port 1030 on your computer) needed to
| || resolve an address? And it did so at XXX.XXX.XXX.X, port7427? Is
| || that what that says?
| |
| | No and yes, there is another set of rules applied prior to this, and
| | UDP need not be
| | DNS.
|
| But what about port 53 at NetZero's end? Does it restrict what a UDP
| datagram can do?

Let's see if the prior answers/presents spark an answer.

|
| ||
| || | 1,[28/Jul/2007 17:22:18] Rule 'Other ICMP': Blocked: Out ICMP [10]
| || | Router Solicitation, localhost->224.0.0.2, Owner: Tcpip Kernel
| || | Driver
| ||
| || I get lots of those. Here is the last I recorded...
| ||
| || 1,[27/Jul/2007 17:40:12] Rule 'Kill ICMP (Log)': Blocked: In ICMP [8]
| || Echo Request, 4.232.192.209->localhost, Owner: Tcpip Kernel Driver
| ||
| || ..., but, beginning yesterday, I have chosen NOT to log those
| || anymore. I have two rules above that blocker. One allows ICMP
| || incoming for... [0] Echo Reply, [3] Destination Unreachable, [11]
| || Time Exceeded
| ||
| || The other allows it outgoing for...
| || [3] Destination Unreachable, [8] Echo Request
| |
| | Those are the suggestions by most, including Sponge...
| | So you have no specific rule for Netzero ICMP?
|
| Undoubtedly, Sponge was the source of it-- but I may have made an
| adjustment afterward to drop [0] going out & [8] coming in-- to become
| non-pingable, I think.

Yes, if you want to be as stealthy as possible, everything should be ruled
off in your firewall. Though in my config, I have specific addresses which
can ping and to which I can ping [by application both ways] so that my web
pages can be maintained and other necessary functions.
And others which are set to log such activity [for purposes previously
mentioned].

For instance, AOL contacts its users, and pops up a disconnect, should you
fail to respond to the popup [likely to kill off asleep drunks in its forums
or on the service] or disallow these, you will likely get kicked off
more often ...

| Anyhow, I'm very satisfied I am fine with ICMP.
| And I don't see anything specific to NetZero-- no! Should there be? I do
| have lots of protocol "any" rules (to be investigated last), but none of
| those are specific to any address, either.

I suppose once you get to that aspect you'll find out if NetZero does want
or need ICMP. Do you understand what ICMP is used for?

|
| || I think that's probably finalized for ICMP. In this case, specific
| || apps & ports are not possible in the rules-- only specific endpoint
| || addresses are. But mine apply to any address.
| ||
| || | 2,[28/Jul/2007 17:22:18] Rule 'AOL UDP pass': Permitted: In UDP,
| || | XXX.XXX.XXX.X:7427->localhost:1030, Owner: C:\PROGRAM FILES\AMERICA
| || | ONLINE
| || | 7.0\WAOL.EXE
| |
| | ***********
| |
| | This is apparently the problem area. If this posts refer to the
| | original. Google search for what this was and think of the potential
| | uses.
| |
| | **********
|
| I have no trouble quoting the whole post.

I suggest you start here, and Google..

http://support.microsoft.com/kb/223136
http://www.iana.org/assignments/multicast-addresses

And again, think carefully about what the potentials could be ..... don't
get lost on the touchy feely, think about the ramifications ...

|
| ...snip
| || I used to get these Kerio alert's about Shaw Comm...
| ||
| || Someone from 24.64.9.177, port 3222 wants to send UDP datagram to
| || port 1027 owned by 'Distributed COM Services' on your computer.
| ||
| || ..., but they are prevented now with a rule that specifically blocks
| || RPCSS.exe (which is Distributed COM Services & which establishes the
| || port 1027) from using UDP/TCP. Eventually, I hope to remove that
| || block rule (& 4 others)-- after I have completed my UDP & TCP permit
| || rules for specific, trusted apps/addresses. Then, RPCSS.exe will be
| || blocked along with the others by virtue of not being included in the
| || PERMITs-- & having one single BLOCK after them.
| |
| | Well I would suggest you block SHAW's range entirely, if you have
| | others, create a custom list or put them in your hosts file
|
| I'll have to look into that as I get to the other protocols. Currently,
| I still am holding to my master plan-- to have specific permits &
| generalized blocks.

Its whatever suits your purpose and your needs... log for awhile after you
think you have it finalized and that will pretty much answer your questions.

|
| ...snip
| || I haven't begun to finalize my TCP rules yet. That's probably where
| || I go next, once UDP is done!
| |
| | Yeah get UDP outadaway... then lock down Outlook or whatever mail
| | prog you use...
| | There are a lot of TCP activities, back and forth, that can be
| | blocked.
| |
| | Each application should have only enough access to allow it to
| | function for its use...
|
| Well, let's see how it goes as I progress to the other protocols. Some
| obviously cannot have a rule that applies to specific apps. But, they do
| all allow for specific remote addresses.
|
| ...snip
| || Nothing ELSE tried to use UDP? Not even RNAAPP.exe, RPCSS.exe,
| || PersFW.exe, & PFWadMin.exe-- which are just some of the ones using
| || it in here before I recently have prevented them! Well, I guess it
| || may require the clicking of an URL for those to kick in.
| |
| | As I said, I would not post all my rules or the logs they would
| | create, that creates too much of a security risk..
| | RPCSS was locked down previously, along with krnl386, and several
| | other potential exploits. Anything and EVERYTHING that might apply to
| | web/network usage should have its own settings JUST IN CASE... or at
| | least in my config..
|
| OK.
|
| | If you remember [likely not], several months ago a program was
| | suggested to me which attempted to bypass/reset ALL of my firewall
| | settings,,, were it not for my prior restrictions it likely would
| | have succeeded. As it was already ruled, it popped up and requested
| | what to do since I said it couldn't do what the installation wanted
| | to do PRIOR to disabling the firewall..
|
| Interesting. I haven't seen anything like that, & I hope it isn't
| because my rules are lax!

No, likely you aren't testing large amounts of applications anymore. This
actually was not unusual during my old testing days of pulling hundreds of
apps of the Net to test [and the expected Viruses and other], but I was
somewhat caught of guard when it occurred from a post in this group and
someone was using it, and recommended it.
As I stated in that discusion, had I used the Internet install whatever
this program wanted done MIGHT have been successful anyway and surely would
have whacked the unsuspecting.

|
| ||
| |
| | ANOTHER POTENTIAL AREA REMOVED
|
| I WAS able to respond to this area too-- to the whole post!
|
| ||
| || What specifically is notable about them?
| |
| | See the prior links. So this was an attempt to locate other routers..
| | And *tcpip Kernel request* indicates the driver/protocol itself,,
| | e.g. part of normal network usage, normally ALLOWED due to its usual
| | necessity.
|
| Alright.
|
|
| || | What would make you think any anti-spyware or anti-virus programs
| || | would check or correct these types of activities?
| ||
| || I do believe an actual executable can be read into a machine through
| || malicious use of these NET packets, although I'm not sure which
| || precise protocols can do it. Once it is read in &/or tries to run,
| || one hopes one's virus/malware scanner WILL catch it, before it
| || delivers its payload!
| |
| | You forget JAVA, server side includes/codes [php, asp, other], FLASH,
| | streaming
| | media, PDFs, and other aspects which are not necessarily caught by
| | ANYTHING except for your proxy and/or firewall. ALL [emphasis all]
| | are potential carriers of damaging hacks...
|
| OK. There might have been java, flash, etc., updates as well-- but,
| fine, I'm a believer in a good firewall-- sure!
|
| ...snip
| | END PART 1 of 2
|
| Very good. Before answering part 2, I must investigate a new
| trojan/virus
| avast! has discovered today...
|
| ......Quote avast! "Simple User Interface.txt.......
| C:\Program Files\Common Files\Microsoft Shared\Stationery\Tiki
| Lounge.htm [L] VBS:Malware

HTML:

 (0)
| File was successfully renamed/moved...
| C:\Program Files\Alwil Software\Avast4\DATA\moved\Tiki Lounge.htm.vir
| [L] VBS:Malware [Html] (0)
| ......EOQ...........................................................
|
| I'm hoping it's another false alarm! But this is for another thread!

 I see it was. That is the problem with AV and Spyware, definitions may be a
bit out of whack, but hopefully they get corrected.
AVG popped up an ALERT a month or so [2 maybe] ago for something I had been
using for years, had checked with all the available AV progs I had or used,
and claimed it was a variant of an OLD virus. Next update it was gone. Of
course I had already gone through all the motions and checks... BEFORE they
corrected the data. But what the heck, I'd rather have an occasional false
positive than an infection.

|
| | LESS THE DELETED MATERIAL
| |
| | --
| | MEB
| | ________
|
| -- 
| Thanks or Good Luck,
| There may be humor in this post, and,
| Naturally, you will not sue,
| Should things get worse after this,
| PCR
| pcrrcp@netzero.net
|
|
|

-- 
MEB
http://peoplescounsel.orgfree.com
________

PCR · Aug 1, 2007

MEB wrote:
| "PCR" <pcrrcp@netzero.net> wrote in message
| news:OSjj1M70HHA.4344@TK2MSFTNGP03.phx.gbl...
|| MEB wrote:
|| | Whatever, now is it your intent to infer that I did NOT test this
|| | repeatedly? Shall I supply my EVIDENCE for you or to a court...
|| |
|| | Or shall we continue with the discussion? Your choice, I can just
|| | as easily deal with these issues via web page..
||
|| Just joking about the hat-- you know!

.
|
| What you don't like my tin foil hat now, you are dangerously close
| .... -[

No, no-- it's fine, fine!

||
|| I posted serious possibilities elsewhere in this thread why you can't
|| quote it. Also, I answered Part 1 of 2. I must take a break from this
|| thread & investigate a new avast! alert. Thanks for your continued
|| participation.
|
| Well, that kinda ignores the fact that three others had difficulty
| posting [obviously server changes],

That kind of thing affects posting to ANY thread in the NG-- not just to
my posts!

| moreover that suggestion related
| to OEQUOTEFIX directly conflicts with the ability to respond to your
| posts previously, and now.

Well, maybe, BUT I'm thinking there may be a rare circumstance in which
OEQuoteFix inserts a special character that is poison to you. So, it
might not always happen that you can't respond to it. BUT, very likely,
OEQuoteFix is innocent. All I really know is... sometimes OEQuoteFix
does muss URLs-- it will grab stuff from the next line & attach it to
the URL! (Still, the URL almost does work when clicked.)

Another remote possibility I didn't think of earlier... avast! is adding
words to my headers...

X-Antivirus: avast! (VPS 000762-4, 07/30/2007), Outbound message
X-Antivirus-Status: Clean

Here is the one back then...

X-Antivirus: avast! (VPS 000762-0, 07/29/2007), Outbound message
X-Antivirus-Status: Clean

But I see no poison in it!

| Frankly I have what I need pursuant the matter, from 07/30/07 12:55
| AM through 07/31/07 2:49 AM as either the full post or the removed
| segments ONLY, and under various headings in this group, 22
| attempts,... while retaining the ability to post anything else,
| ANYWHERE ELSE, or in this discussion.

I know you've been wearing your tinfoil hat. Therefore...

(a) You are allergic to something in my posts, &/or
(b) You need to update your OE, &/or
(c) You made a response that was unGodly HUGE, &/or
(d) Something else is doing it, maybe a "filter", as you suspect.

| Further, Part 2 DID make it through AFTER I broke Part 1 away
| containg the segments though BOTH were posted at the same time under
| different or same headings and different thread segments.
| Moreover Part 1 DID post without them. Of course we need not even
| question that I COULD previously post those segments SINCE I
| originally posted them.

It's something you posted? But after I quoted it only? Is it in
here...?...
news:OMaRHIk0HHA.4184@TK2MSFTNGP06.phx.gbl

| So frankly what you posted means little related to what I could not
| do... nor that they could possibly be posted NOW having exposed this
| aspect before the group and the world ... settings/filters CAN be
| changed, can't they...
|
| This is a rather large amount of circumstantial evidence...
|
| Think we can let this alone now?

And, is it in here...?...
news:OAxLQ750HHA.5884@TK2MSFTNGP02.phx.gbl

I'll get to the firewall stuff shortly, I hope.

||
|| | --
|| | MEB
|| | ________
||
|| --
|| Thanks or Good Luck,
|| There may be humor in this post, and,
|| Naturally, you will not sue,
|| Should things get worse after this,
|| PCR
|| pcrrcp@netzero.net
||
||
|
|
| --
| MEB
| http://peoplescounsel.orgfree.com
| ________

--
Thanks or Good Luck,
There may be humor in this post, and,
Naturally, you will not sue,
Should things get worse after this,
PCR
pcrrcp@netzero.net

MEB · Aug 1, 2007

Look dude, your attempts at explaining away the issue holds no water.. any
mere cursory analysis finds that true ....

If you continue we WILL proceed to discuss those individuals within or whom
monitor this group, with sufficient server/Microsoft contact and the
apparent fact, someone determined that this filter be applied... and how one
could reasonably determine such issues, etc..

And use your brain, I do this for other activities,, its called forensic
research, collecting evidence, building cases, providing prosecutive
materials or defense materials
........................................ get it yet.

NOW DROP IT! The last thing this discussion needs is spurious chatter...

--
MEB
http://peoplescounsel.orgfree.com
________

PCR · Aug 1, 2007

MEB wrote:
| Look dude, your attempts at explaining away the issue holds no
| water.. any mere cursory analysis finds that true ....
|
| If you continue we WILL proceed to discuss those individuals within
| or whom monitor this group, with sufficient server/Microsoft contact
| and the apparent fact, someone determined that this filter be
| applied... and how one could reasonably determine such issues, etc..
|
| And use your brain, I do this for other activities,, its called
| forensic research, collecting evidence, building cases, providing
| prosecutive materials or defense materials
| ........................................ get it yet.
|
| NOW DROP IT! The last thing this discussion needs is spurious
| chatter...

I think I almost know what you're referring to. And that's enough for
me. OK, bye. I'll try to get to the firewall stuff later.

| --
| MEB
| http://peoplescounsel.orgfree.com
| ________

--
Thanks or Good Luck,
There may be humor in this post, and,
Naturally, you will not sue,
Should things get worse after this,
PCR
pcrrcp@netzero.net

Curt Christianson · Aug 1, 2007

I'm glad I bailed when I did, or else this thread would have looked like the
*three* stooges! <vbg>

--
HTH,
Curt

Windows Support Center
www.aumha.org
Practically Nerded,...
http://dundats.mvps.org/Index.htm

"PCR" <pcrrcp@netzero.net> wrote in message
news:uKHQ%23iH1HHA.3768@TK2MSFTNGP06.phx.gbl...
| MEB wrote:
|| Look dude, your attempts at explaining away the issue holds no
|| water.. any mere cursory analysis finds that true ....
||
|| If you continue we WILL proceed to discuss those individuals within
|| or whom monitor this group, with sufficient server/Microsoft contact
|| and the apparent fact, someone determined that this filter be
|| applied... and how one could reasonably determine such issues, etc..
||
|| And use your brain, I do this for other activities,, its called
|| forensic research, collecting evidence, building cases, providing
|| prosecutive materials or defense materials
|| ........................................ get it yet.
||
|| NOW DROP IT! The last thing this discussion needs is spurious
|| chatter...
|
| I think I almost know what you're referring to. And that's enough for
| me. OK, bye. I'll try to get to the firewall stuff later.
|
|| --
|| MEB
|| http://peoplescounsel.orgfree.com
|| ________
|
| --
| Thanks or Good Luck,
| There may be humor in this post, and,
| Naturally, you will not sue,
| Should things get worse after this,
| PCR
| pcrrcp@netzero.net
|
|

PCR · Aug 1, 2007

Curt Christianson wrote:
| I'm glad I bailed when I did, or else this thread would have looked
| like the *three* stooges! <vbg>

I didn't know you were bald, Christianson! Ohhhh, that's right, geees...
it is one of the, the, the... early XP-irradiation symptoms!

No, no, seriously, I GUESS I must recommence to reading those URLs for a
bit-- BUT I'll be back with solidified answers as to whether my master
plan will work with these Kerio rules or not! Also, MEB's idea to track
my final result is a good one. And other things said are useful.

| --
| HTH,
| Curt
|
| Windows Support Center
| www.aumha.org
| Practically Nerded,...
| http://dundats.mvps.org/Index.htm
|
| "PCR" <pcrrcp@netzero.net> wrote in message
| news:uKHQ%23iH1HHA.3768@TK2MSFTNGP06.phx.gbl...
|| MEB wrote:
||| Look dude, your attempts at explaining away the issue holds no
||| water.. any mere cursory analysis finds that true ....
|||
||| If you continue we WILL proceed to discuss those individuals within
||| or whom monitor this group, with sufficient server/Microsoft
||| contact and the apparent fact, someone determined that this filter
||| be applied... and how one could reasonably determine such issues,
||| etc..
|||
||| And use your brain, I do this for other activities,, its called
||| forensic research, collecting evidence, building cases, providing
||| prosecutive materials or defense materials
||| ........................................ get it yet.
|||
||| NOW DROP IT! The last thing this discussion needs is spurious
||| chatter...
||
|| I think I almost know what you're referring to. And that's enough for
|| me. OK, bye. I'll try to get to the firewall stuff later.
||
||| --
||| MEB
||| http://peoplescounsel.orgfree.com
||| ________
||
|| --
|| Thanks or Good Luck,
|| There may be humor in this post, and,
|| Naturally, you will not sue,
|| Should things get worse after this,
|| PCR
|| pcrrcp@netzero.net

--
Thanks or Good Luck,
There may be humor in this post, and,
Naturally, you will not sue,
Should things get worse after this,
PCR
pcrrcp@netzero.net

Curt Christianson · Aug 1, 2007

MEB is a force to be reckoned with--he/she knows their stuff. And don't
make the mistake some of our "regulars" here trying to get into a battle of
legalities and logistics--one usually can't win.

"I refuse to have a battle of wits with an un-armed person"--my credo!

--
HTH,
Curt

Windows Support Center
www.aumha.org
Practically Nerded,...
http://dundats.mvps.org/Index.htm

"PCR" <pcrrcp@netzero.net> wrote in message
news:%23td8m2H1HHA.536@TK2MSFTNGP06.phx.gbl...
| Curt Christianson wrote:
|| I'm glad I bailed when I did, or else this thread would have looked
|| like the *three* stooges! <vbg>
|
| I didn't know you were bald, Christianson! Ohhhh, that's right, geees...
| it is one of the, the, the... early XP-irradiation symptoms!
|
| No, no, seriously, I GUESS I must recommence to reading those URLs for a
| bit-- BUT I'll be back with solidified answers as to whether my master
| plan will work with these Kerio rules or not! Also, MEB's idea to track
| my final result is a good one. And other things said are useful.
|
|| --
|| HTH,
|| Curt
||
|| Windows Support Center
|| www.aumha.org
|| Practically Nerded,...
|| http://dundats.mvps.org/Index.htm
||
|| "PCR" <pcrrcp@netzero.net> wrote in message
|| news:uKHQ%23iH1HHA.3768@TK2MSFTNGP06.phx.gbl...
||| MEB wrote:
|||| Look dude, your attempts at explaining away the issue holds no
|||| water.. any mere cursory analysis finds that true ....
||||
|||| If you continue we WILL proceed to discuss those individuals within
|||| or whom monitor this group, with sufficient server/Microsoft
|||| contact and the apparent fact, someone determined that this filter
|||| be applied... and how one could reasonably determine such issues,
|||| etc..
||||
|||| And use your brain, I do this for other activities,, its called
|||| forensic research, collecting evidence, building cases, providing
|||| prosecutive materials or defense materials
|||| ........................................ get it yet.
||||
|||| NOW DROP IT! The last thing this discussion needs is spurious
|||| chatter...
|||
||| I think I almost know what you're referring to. And that's enough for
||| me. OK, bye. I'll try to get to the firewall stuff later.
|||
|||| --
|||| MEB
|||| http://peoplescounsel.orgfree.com
|||| ________
|||
||| --
||| Thanks or Good Luck,
||| There may be humor in this post, and,
||| Naturally, you will not sue,
||| Should things get worse after this,
||| PCR
||| pcrrcp@netzero.net
|
| --
| Thanks or Good Luck,
| There may be humor in this post, and,
| Naturally, you will not sue,
| Should things get worse after this,
| PCR
| pcrrcp@netzero.net
|
|

PCR · Aug 1, 2007

Re: firewalls - Kerio PF Part 1 - what to block and why - your security at risk

MEB wrote:
| "PCR" <pcrrcp@netzero.net> wrote in message
| news:ehuK$E70HHA.5152@TK2MSFTNGP02.phx.gbl...

....snip
|| || | DNS is used by any program requiring addressing information.
|| ||
|| || The sole purpose of my DNS Server rule(s)...
|| ||
|| || Protocol.......... UDP
|| || Direction......... Both
|| || Local Endpoint
|| || Ports........... 1024-5000
|| || Application... Any (but now I've limited it to 5 apps
|| || by creating 5 of these rules)
|| || Remote Endpoint
|| || Addresses.... The entire NetZero range
|| || Port............. 53
|| ||
|| || ... is to resolve NET addresses? Still, am I right to seek to
|| || limit it to the five apps I kind of have to trust? Otherwise,
|| || can't it be appropriated by some devious app to do ill?
|| |
|| | As you posted, yes, it would appear so.
||
|| Well... one of us should solidify the point. Is it possible I might
|| safely have left "any" in that rule, because... it has NetZero
|| addresses in it &/or specifically refers to port 53... IOW, NetZero
|| will handle any misanthrope at their end by whatever app owns the
|| port there? I should get an answer to that before I continue much
|| further with this current plan!
|
| Based upon my personal experience: NO, do not leave much of anything
| as ANY unless its a block/refusal, or you're logging results for
| refinement of your rules.

OK, thanks. I'll take another look at those URLs, but likely will
continue as I began to have a specific allow for apps I must trust only.
But, didn't it come from Sponge with "any" in there?

||
|| | But is it necessary or
|| | reasonable to create one rule with ALL the address range included
|| | and allowed? Seems that leaves an awful lot of addresses
|| | available to hijack/spoof...
||
|| I'm thinking, even allowing the full range, there would have to be a
|| port 53 at the address actually used for a spoof to do harm, anyhow.
|| So, if spoofing is possible, it only will happen at an address that
|| has port 53 open. Otherwise, the datagram will not be accepted. I
|| don't know how NetZero picks one of these addresses to use, either--
|| I guess it's something in Exec.exe that decides. Previously, I
|| fished for them out of Filter.log & stopped at 4.
|
| Okay, further refinement: Port 53 is the SENDING port from some
| remote address,

Well... that DNS Server rule is both directions, yea. So, we send to UDP
datagram to the ISP address, port 53-- & it may send UDP back to us.

| local ports may be just about anything out on the Net
| [and likely on NetZero].

The local endpoint ports in the DNS Server rule are... 1024-5000 (which
some do narrow as gram pappy said-- I haven't finally decided yet)... &
those are in OUR machine (as I understand it) & apparently
created/closed on an as needed basis by whatever app cares to do it. But
some apps might leave them open in a "listening" state. I don't see any
open right now with one of those ports for UDP. I do see 3 listening for
TCP on ports 1040, 1041, 1025, 1025, 1533, & 1027. HOWEVER, I have a
rule blocking ALL of those, except the two that are ASHMAISV.exe.

| So if, such as on AOL and its thousands of LOCAL private network
| addresses, proceeding OFF AOL's [and NetZero's] PRIVATE network and
| one of those addresses is available or known, AND your rule would
| accept such from ANY address/external OR one you had included within
| your rules for AOL/NetZero [but you're no longer on the private
| network] from Port 53, then there would be a potential access point.

Of course, I doubt I know what I'm talking about this early in my 17
year study, BUT... I'm thinking there is a timing consideration. The
answer has to come quick, or the port won't be there. I have no port
1538 open to accept anything spurious. Avast! opened & closed it on an
as needed basis. Here is its very last use of DNS...

2,[01/Aug/2007 18:13:34] Rule 'DNS Server-- ASHMAISV': Permitted: Out
UDP, localhost:1538->64.136.44.74:53, Owner: C:\PROGRAM FILES\ALWIL
SOFTWARE\AVAST4\ASHMAISV.EXE

2,[01/Aug/2007 18:13:34] Rule 'DNS Server-- ASHMAISV': Permitted: In
UDP, 64.136.44.74:53->localhost:1538, Owner: C:\PROGRAM FILES\ALWIL
SOFTWARE\AVAST4\ASHMAISV.EXE

And this was a use by NetZero that preceeded it...

2,[01/Aug/2007 18:02:56] Rule 'DNS Server-- EXEC.exe': Permitted: Out
UDP, localhost:1534->64.136.44.74:53, Owner: C:\PROGRAM
FILES\NETZERO\EXEC.EXE

2,[01/Aug/2007 18:02:56] Rule 'DNS Server-- EXEC.exe': Permitted: In
UDP, 64.136.44.74:53->localhost:1534, Owner: C:\PROGRAM
FILES\NETZERO\EXEC.EXE

I have no port 1534 open now to take anything!

| I presently have a DNS [one], and the UDP range which has seven
| additional UDP address waiting to be included IF there are other
| contiguous addresses which also need included [they are way out of
| range, so they may be a separate rule],

I only did it recently (a week?), but I see no untoward result as yet
from putting the full NetZero range in my 6 DNS rule. (There were just
5, but HiJackThis wanted one too, when I clicked to update it. But there
was no update.)

| and 53 more additional
| addresses logged and ruled SO FAR for AOL TCP [though potentially
| ranged to 3 rules].

I haven't begun to fiddle with TCP much. Currently, looks like... all my
TCP permits are OUTWARD only...

(a) NetZero may go to only its own address range, but any port
& UDP is also permitted out in that rule.
(b) Avast.SETUP can only go to port 80 only, but any address.
(c) ASHWEBSV can only go to port 80 only, but any address.
(d) ASHMAISV can go to any address, any port.
(e) IExplore can go to any address, any port.

But I DON'T want to discuss TCP yet! I think I do recall now/then a
Kerio alert about someone wanting to send TCP in... probably... if it
happened during a process I initiated with a trusted app... probably, I
allowed it.

| AND I use nothing on AOL but its mail [rarely]
| and the logon from which ALL of these addresses were obtained, e.g.
| just what it takes to logon. And list grows EVERYTIME I logon. Its
| possible some of these addresses MIGHT be used off the private
| network so ALL are locked to waol. But this is a MAJOR security hole.
| I suppose I could just use some of the rules already created by
| others for AOL but .....

I haven't fully studied TCP yet. I won't be able to advise for 6 or so
years!

| Haven't you ever logged a remote 192.168.1.* or a 192.168.0.* [or
| other class C] address from somewhere on the Internet yet?? Or a
| remote 127.0.0.1 or other non-standard Internet address?

Huh?

||
|| | though limiting it to JUST those apps does decrease
|| | that ability..
||
|| That's my original thought. A trusted app will do no ill, unless
|| hijacked. But, if hijacking it means it must be altered, Kerio should
|| catch that with its MD5 check. Or avast! will stop it from being
|| altered in the first place.
|
| But if hijacking requires nothing more than would have been
| displayed by that 3k [tooleaky] test I referred you to, then are you
| really secure? That test doesn't do anything that would normally be
| caught by ANYTHING. It could just as easily be delivered through some
| server code, or Java, or in a Flash object ...

I haven't gotten to that test yet. Not this time around. I do recall
once going to an URL posted here that did pronounce my rules to be
safe-- but I've been fiddling since then!

||
|| ||
|| || | The key
|| || | is to limit to the EXACT DNS server(s) NOT within your system
|| || | [unless for local network traffic] and the port [53] used by
|| || | that (those) server(s) with limited [chosen by previous
|| || | monitoring] local ports and applications.
||
|| What if NetZero adds or deletes them? Is there magic at a NetZero
|| port 53 that will handle a spoof, anyhow, & no matter at which of
|| their addresses? Or can there be magic in the protocol UDP in/out
|| that prevents spoofing?
|
| I would like to be able to say that the NetZero site/network was
| secure, but then we have to walk back to the real world and remember
| that Google was hacked, Microsoft was hacked, the DOJ was hacked,
| etc... Anytime an ISP or direct connection has large groups of
| people connected through it, there is always the chance that some of
| those people are running some type of hack, trace, broadcast, or
| other which you are susceptible to, since you also are connected
| through the same service. The ISP [or direct network] has a range of
| addresses it gives to its customers/users, which can be found through
| some rather simple means, or software which can locate/single out
| individual users. Did you miss that I posted some tools which
| potentially COULD do this. So is remote Port 53 safe to accept from
| a broad range of NetZero addresses or an *ANY*,, what do you think?

I understand all that. Pending further research, I still believe there
is a timing consideration in those DNS Server rules, though.

||
|| || Why do I need to bother with ports, if I limit the DNS rule(s) to
|| || trusted apps & to trusted NetZero addresses?
|| |
|| | Well, 53 is the standard port for that type of request, and is
|| | held as such... as for requesting port, there may be a LARGE
|| | fluctuation.. I think you limiting to the specific apps will
|| | suffice, perhaps someone more qualified can confirm...
||
|| Yea. And here is what to read thrice for an answer, as posted to me
|| by Blanton long ago...
||
|| http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/ip.htm
|| What a packet looks like.
||
||
|
http://www.cisco.com/en/US/about/ac123/ac114/about_cisco_packet_magazine.html
|| Packet Magazine.
||
||
http://www.linuxsecurity.com/resource_files/firewalls/firewall-seen.html
|| FAQ: Firewall Forensics (What am I seeing?) ...by Robert Graham
|
| Actually what I posted previously might have given a broader
| outlook, but I will read these [likely tonight/morning]. Heck for all
| I remember, I may have done so already.
| Oh yeah, seems I have Robert's listed on my firewall page, and the
| Cisco ip.htm, along with some other reference links, here's the link:
|
| http://peoplescounsel.orgfree.com/ref/gen/security/firewalls.htm

OK. I've clicked that. I think I do need to do some reading. I'm
thinking we should suspend this thread, until we both have read that
stuff again. I know I also owe a response to "part 2".

||
|| || Unfortunately, Kerio does
|| || not permit a list of apps in a rule, the way it does with ports &
|| || addresses. So, currently I have coded 5 of them...!...
|| ||
|| || (1) DNS Server-- EXEC.exe (NetZero)
|| || (2) DNS Server-- ASHWEBSV (avast! Web Scanner)
|| || (3) DNS Server-- AVAST.SETUP (There actually is no program)
|| || (4) DNS Server-- ASHMAISV (avast! e-Mail Scanner Service)
|| || (5) DNS Server-- IExplore
||
|| ...snip
|| || | 2,[28/Jul/2007 17:22:18] Rule 'AOL UDP pass': Permitted: Out
|| || | UDP, localhost:1030->XXX.XXX.XXX.X:7427, Owner: C:\PROGRAM
|| || | FILES\AMERICA ONLINE
|| || | 7.0\WAOL.EXE
|| ||
|| || So... WAOL.exe (which was port 1030 on your computer) needed to
|| || resolve an address? And it did so at XXX.XXX.XXX.X, port7427? Is
|| || that what that says?
|| |
|| | No and yes, there is another set of rules applied prior to this,
|| | and UDP need not be
|| | DNS.
||
|| But what about port 53 at NetZero's end? Does it restrict what a UDP
|| datagram can do?
|
| Let's see if the prior answers/presents spark an answer.

That's another option, yea.

||
|| ||
|| || | 1,[28/Jul/2007 17:22:18] Rule 'Other ICMP': Blocked: Out ICMP
|| || | [10] Router Solicitation, localhost->224.0.0.2, Owner: Tcpip
|| || | Kernel Driver
|| ||
|| || I get lots of those. Here is the last I recorded...
|| ||
|| || 1,[27/Jul/2007 17:40:12] Rule 'Kill ICMP (Log)': Blocked: In ICMP
|| || [8] Echo Request, 4.232.192.209->localhost, Owner: Tcpip Kernel
|| || Driver
|| ||
|| || ..., but, beginning yesterday, I have chosen NOT to log those
|| || anymore. I have two rules above that blocker. One allows ICMP
|| || incoming for... [0] Echo Reply, [3] Destination Unreachable, [11]
|| || Time Exceeded
|| ||
|| || The other allows it outgoing for...
|| || [3] Destination Unreachable, [8] Echo Request
|| |
|| | Those are the suggestions by most, including Sponge...
|| | So you have no specific rule for Netzero ICMP?
||
|| Undoubtedly, Sponge was the source of it-- but I may have made an
|| adjustment afterward to drop [0] going out & [8] coming in-- to
|| become non-pingable, I think.
|
| Yes, if you want to be as stealthy as possible, everything should be
| ruled off in your firewall. Though in my config, I have specific
| addresses which can ping and to which I can ping [by application both
| ways] so that my web pages can be maintained and other necessary
| functions. And others which are set to log such activity [for
| purposes previously mentioned].

I didn't think of that, to let specific sites ping me. I do get a
warning from NetZero now/then that I must click or get thrown off. It
seems to work w/o pinging.

However, eventually, I am thrown off w/o a warning, anyhow. I don't
know, maybe it's a second NetZero mechanism that does require PING to
function. OK, that's done-- I allow ICMP [0] out & [8] in to the NetZero
range only. It shouldn't be long before I know the result.

| For instance, AOL contacts its users, and pops up a disconnect,
| should you fail to respond to the popup [likely to kill off asleep
| drunks in its forums or on the service] or disallow these, you will
| likely get kicked off
| more often ...

Right. NetZero too-- & for a paying customer!

|| Anyhow, I'm very satisfied I am fine with ICMP.
|| And I don't see anything specific to NetZero-- no! Should there be?
|| I do have lots of protocol "any" rules (to be investigated last),
|| but none of those are specific to any address, either.
|
| I suppose once you get to that aspect you'll find out if NetZero
| does want or need ICMP. Do you understand what ICMP is used for?

No. But I'll let you know whether allowing NetZero to PING me eliminates
the mysterious disconnects.

|| || I think that's probably finalized for ICMP. In this case, specific
|| || apps & ports are not possible in the rules-- only specific
|| || endpoint addresses are. But mine apply to any address.
|| ||
|| || | 2,[28/Jul/2007 17:22:18] Rule 'AOL UDP pass': Permitted: In UDP,
|| || | XXX.XXX.XXX.X:7427->localhost:1030, Owner: C:\PROGRAM
|| || | FILES\AMERICA ONLINE
|| || | 7.0\WAOL.EXE
|| |
|| | ***********
|| |
|| | This is apparently the problem area. If this posts refer to the
|| | original. Google search for what this was and think of the
|| | potential uses.
|| |
|| | **********
||
|| I have no trouble quoting the whole post.
|
| I suggest you start here, and Google..
|
| http://support.microsoft.com/kb/223136
| http://www.iana.org/assignments/multicast-addresses
|
| And again, think carefully about what the potentials could be .....
| don't get lost on the touchy feely, think about the ramifications ...

I'll get to it.

||
|| ...snip
|| || I used to get these Kerio alert's about Shaw Comm...
|| ||
|| || Someone from 24.64.9.177, port 3222 wants to send UDP datagram to
|| || port 1027 owned by 'Distributed COM Services' on your computer.
|| ||
|| || ..., but they are prevented now with a rule that specifically
|| || blocks RPCSS.exe (which is Distributed COM Services & which
|| || establishes the port 1027) from using UDP/TCP. Eventually, I hope
|| || to remove that block rule (& 4 others)-- after I have completed
|| || my UDP & TCP permit rules for specific, trusted apps/addresses.
|| || Then, RPCSS.exe will be blocked along with the others by virtue
|| || of not being included in the PERMITs-- & having one single BLOCK
|| || after them.
|| |
|| | Well I would suggest you block SHAW's range entirely, if you have
|| | others, create a custom list or put them in your hosts file
||
|| I'll have to look into that as I get to the other protocols.
|| Currently, I still am holding to my master plan-- to have specific
|| permits & generalized blocks.
|
| Its whatever suits your purpose and your needs... log for awhile
| after you think you have it finalized and that will pretty much
| answer your questions.

Ageed.

....snip
|| | If you remember [likely not], several months ago a program was
|| | suggested to me which attempted to bypass/reset ALL of my firewall
|| | settings,,, were it not for my prior restrictions it likely would
|| | have succeeded. As it was already ruled, it popped up and requested
|| | what to do since I said it couldn't do what the installation wanted
|| | to do PRIOR to disabling the firewall..
||
|| Interesting. I haven't seen anything like that, & I hope it isn't
|| because my rules are lax!
|
| No, likely you aren't testing large amounts of applications anymore.
| This actually was not unusual during my old testing days of pulling
| hundreds of apps of the Net to test [and the expected Viruses and
| other], but I was somewhat caught of guard when it occurred from a
| post in this group and someone was using it, and recommended it.
| As I stated in that discusion, had I used the Internet install
| whatever this program wanted done MIGHT have been successful anyway
| and surely would have whacked the unsuspecting.

Alright.

....snip
|| Very good. Before answering part 2, I must investigate a new
|| trojan/virus
|| avast! has discovered today...
||
|| ......Quote avast! "Simple User Interface.txt.......
|| C:\Program Files\Common Files\Microsoft Shared\Stationery\Tiki
|| Lounge.htm [L] VBS:Malware

HTML:

 (0)
|| File was successfully renamed/moved...
|| C:\Program Files\Alwil Software\Avast4\DATA\moved\Tiki Lounge.htm.vir
|| [L] VBS:Malware [Html] (0)
|| ......EOQ...........................................................
||
|| I'm hoping it's another false alarm! But this is for another thread!
|
|  I see it was. That is the problem with AV and Spyware, definitions
| may be a bit out of whack, but hopefully they get corrected.
| AVG popped up an ALERT a month or so [2 maybe] ago for something I
| had been using for years, had checked with all the available AV progs
| I had or used, and claimed it was a variant of an OLD virus. Next
| update it was gone. Of course I had already gone through all the
| motions and checks... BEFORE they corrected the data. But what the
| heck, I'd rather have an occasional false positive than an infection.

Absolutely. But I never had these fireworks with McAfee. Twice, now,
avast! has triggered a false alarm! Avast! does handle the file well-- 
renaming it, moving it into the Chest. However, once taken back out of
the Chest, its date has changed. This was once a 1999 file...

C:\>DIR C:\SetupMDM.exe /s
Directory of C:\Program Files\RioPort\Audio Manager
SETUPMDM EXE       195,716  06-25-07  3:31p Setupmdm.exe

....snip
| --
| MEB
| http://peoplescounsel.orgfree.com
| ________

-- 
Thanks or Good Luck,
There may be humor in this post, and,
Naturally, you will not sue,
Should things get worse after this,
PCR
pcrrcp@netzero.net

PCR · Aug 1, 2007

Curt Christianson wrote:
| MEB is a force to be reckoned with--he/she knows their stuff. And
| don't make the mistake some of our "regulars" here trying to get into
| a battle of legalities and logistics--one usually can't win.

I only skim through such threads. My lawyers have told me to keep my
mouth shut-- even have taped it shut!

| "I refuse to have a battle of wits with an un-armed person"--my credo!

That seems sensible enough. You could end up with a toe in the eye!

| --
| HTH,
| Curt
|
| Windows Support Center
| www.aumha.org
| Practically Nerded,...
| http://dundats.mvps.org/Index.htm
|
| "PCR" <pcrrcp@netzero.net> wrote in message
| news:%23td8m2H1HHA.536@TK2MSFTNGP06.phx.gbl...
|| Curt Christianson wrote:
||| I'm glad I bailed when I did, or else this thread would have looked
||| like the *three* stooges! <vbg>
||
|| I didn't know you were bald, Christianson! Ohhhh, that's right,
|| geees... it is one of the, the, the... early XP-irradiation symptoms!
||
|| No, no, seriously, I GUESS I must recommence to reading those URLs
|| for a bit-- BUT I'll be back with solidified answers as to whether
|| my master plan will work with these Kerio rules or not! Also, MEB's
|| idea to track my final result is a good one. And other things said
|| are useful.
||
||| --
||| HTH,
||| Curt
|||
||| Windows Support Center
||| www.aumha.org
||| Practically Nerded,...
||| http://dundats.mvps.org/Index.htm
|||
||| "PCR" <pcrrcp@netzero.net> wrote in message
||| news:uKHQ%23iH1HHA.3768@TK2MSFTNGP06.phx.gbl...
|||| MEB wrote:
||||| Look dude, your attempts at explaining away the issue holds no
||||| water.. any mere cursory analysis finds that true ....
|||||
||||| If you continue we WILL proceed to discuss those individuals
||||| within or whom monitor this group, with sufficient
||||| server/Microsoft contact and the apparent fact, someone
||||| determined that this filter be applied... and how one could
||||| reasonably determine such issues, etc..
|||||
||||| And use your brain, I do this for other activities,, its called
||||| forensic research, collecting evidence, building cases, providing
||||| prosecutive materials or defense materials
||||| ........................................ get it yet.
|||||
||||| NOW DROP IT! The last thing this discussion needs is spurious
||||| chatter...
||||
|||| I think I almost know what you're referring to. And that's enough
|||| for me. OK, bye. I'll try to get to the firewall stuff later.
||||
||||| --
||||| MEB
||||| http://peoplescounsel.orgfree.com
||||| ________
||||
|||| --
|||| Thanks or Good Luck,
|||| There may be humor in this post, and,
|||| Naturally, you will not sue,
|||| Should things get worse after this,
|||| PCR
|||| pcrrcp@netzero.net
||
|| --
|| Thanks or Good Luck,
|| There may be humor in this post, and,
|| Naturally, you will not sue,
|| Should things get worse after this,
|| PCR
|| pcrrcp@netzero.net

--
Thanks or Good Luck,
There may be humor in this post, and,
Naturally, you will not sue,
Should things get worse after this,
PCR
pcrrcp@netzero.net

MEB · Aug 1, 2007

"PCR" <pcrrcp@netzero.net> wrote in message
news:er3KCkJ1HHA.3768@TK2MSFTNGP06.phx.gbl...
| Curt Christianson wrote:
| | MEB is a force to be reckoned with--he/she knows their stuff. And
| | don't make the mistake some of our "regulars" here trying to get into
| | a battle of legalities and logistics--one usually can't win.
|
| I only skim through such threads. My lawyers have told me to keep my
| mouth shut-- even have taped it shut!
|
| | "I refuse to have a battle of wits with an un-armed person"--my credo!
|
| That seems sensible enough. You could end up with a toe in the eye!

No, I wear glasses, phttttt...

|
| | --
| | HTH,
| | Curt
| |
| | Windows Support Center
| | www.aumha.org
| | Practically Nerded,...
| | http://dundats.mvps.org/Index.htm
| |
| | "PCR" <pcrrcp@netzero.net> wrote in message
| | news:%23td8m2H1HHA.536@TK2MSFTNGP06.phx.gbl...
| || Curt Christianson wrote:
| ||| I'm glad I bailed when I did, or else this thread would have looked
| ||| like the *three* stooges! <vbg>
| ||
| || I didn't know you were bald, Christianson! Ohhhh, that's right,
| || geees... it is one of the, the, the... early XP-irradiation symptoms!
| ||
| || No, no, seriously, I GUESS I must recommence to reading those URLs
| || for a bit-- BUT I'll be back with solidified answers as to whether
| || my master plan will work with these Kerio rules or not! Also, MEB's
| || idea to track my final result is a good one. And other things said
| || are useful.
| ||
| ||| --
| ||| HTH,
| ||| Curt
| |||
| ||| Windows Support Center
| ||| www.aumha.org
| ||| Practically Nerded,...
| ||| http://dundats.mvps.org/Index.htm
| |||
| ||| "PCR" <pcrrcp@netzero.net> wrote in message
| ||| news:uKHQ%23iH1HHA.3768@TK2MSFTNGP06.phx.gbl...
| |||| MEB wrote:
| ||||| Look dude, your attempts at explaining away the issue holds no
| ||||| water.. any mere cursory analysis finds that true ....
| |||||
| ||||| If you continue we WILL proceed to discuss those individuals
| ||||| within or whom monitor this group, with sufficient
| ||||| server/Microsoft contact and the apparent fact, someone
| ||||| determined that this filter be applied... and how one could
| ||||| reasonably determine such issues, etc..
| |||||
| ||||| And use your brain, I do this for other activities,, its called
| ||||| forensic research, collecting evidence, building cases, providing
| ||||| prosecutive materials or defense materials
| ||||| ........................................ get it yet.
| |||||
| ||||| NOW DROP IT! The last thing this discussion needs is spurious
| ||||| chatter...
| ||||
| |||| I think I almost know what you're referring to. And that's enough
| |||| for me. OK, bye. I'll try to get to the firewall stuff later.
| ||||
| ||||| --
| ||||| MEB
| ||||| http://peoplescounsel.orgfree.com
| ||||| ________
| ||||
| |||| --
| |||| Thanks or Good Luck,
| |||| There may be humor in this post, and,
| |||| Naturally, you will not sue,
| |||| Should things get worse after this,
| |||| PCR
| |||| pcrrcp@netzero.net
| ||
| || --
| || Thanks or Good Luck,
| || There may be humor in this post, and,
| || Naturally, you will not sue,
| || Should things get worse after this,
| || PCR
| || pcrrcp@netzero.net
|
| --
| Thanks or Good Luck,
| There may be humor in this post, and,
| Naturally, you will not sue,
| Should things get worse after this,
| PCR
| pcrrcp@netzero.net
|
|

firewalls - what to block and why - your security at risk

PCR

MEB

MEB

PCR

PCR

PCR

MEB

PCR

PCR

MEB

MEB

PCR

MEB

PCR

Curt Christianson

PCR

Curt Christianson

PCR

PCR

MEB

Similar threads