firewalls - what to block and why - your security at risk


MEB

Re: firewalls - Kerio PF Part 1 - what to block and why - your security at risk

"PCR" <pcrrcp@netzero.net> wrote in message
news:OeoQ7YJ1HHA.4824@TK2MSFTNGP02.phx.gbl...
| MEB wrote:
| | "PCR" <pcrrcp@netzero.net> wrote in message
| | news:ehuK$E70HHA.5152@TK2MSFTNGP02.phx.gbl...
|
| ...snip
| || || | DNS is used by any program requiring addressing information.

|
| OK. I've clicked that. I think I do need to do some reading. I'm
| thinking we should suspend this thread, until we both have read that
| stuff again. I know I also owe a response to "part 2".
|

Okay, I have saved the Part 1 and Part 2 threads.
When you wish to continue we can address the materials from these posts,
correct any errors, and proceed.
You can save Part 2 for later also if you wish, as present answers may
change.

--
MEB
http://peoplescounsel.orgfree.com
________
 

MEB

Re: firewalls - Kerio PF Part 1 - what to block and why - your security at risk

To no one directly, but to all who have interest:

Before we completely stop this thread, and it fades away, I thought I
should display how a persistent contact attempt may show up in a firewall
log, and how one can use the log to help secure a system.

I'll use the Shaw aspect as I have previously referenced this entity [again
this is just logon and mail retrieval]:

1,[31/Jul/2007 23:40:44] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.28.88:6950->localhost:1026, Owner: no owner
1,[31/Jul/2007 23:40:44] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.28.88:6950->localhost:1027, Owner: no owner
1,[31/Jul/2007 23:40:44] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.28.88:6950->localhost:1028, Owner: no owner
1,[31/Jul/2007 23:41:24] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.75.177:29736->localhost:1026, Owner: no owner
1,[31/Jul/2007 23:41:24] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.75.177:29736->localhost:1027, Owner: no owner
1,[31/Jul/2007 23:41:24] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.75.177:29736->localhost:1028, Owner: no owner

Next we see a distinct switch in tactics, to an out of Shaw range and
TCP...

1,[31/Jul/2007 23:41:34] Rule 'Packet to unopened port received': Blocked: In TCP, S010600508df5db23.ed.shawcable.net [68.149.172.142:33745]->localhost:6346, Owner: no owner
1,[31/Jul/2007 23:41:36] Rule 'Packet to unopened port received': Blocked: In TCP, S010600508df5db23.ed.shawcable.net [68.149.172.142:33745]->localhost:6346, Owner: no owner
1,[31/Jul/2007 23:41:42] Rule 'Packet to unopened port received': Blocked: In TCP, S010600508df5db23.ed.shawcable.net [68.149.172.142:33745]->localhost:6346, Owner: no owner
1,[31/Jul/2007 23:43:14] Rule 'Packet to unopened port received': Blocked: In TCP, S010600508df5db23.ed.shawcable.net [68.149.172.142:63441]->localhost:6346, Owner: no owner
1,[31/Jul/2007 23:43:18] Rule 'Packet to unopened port received': Blocked: In TCP, S010600508df5db23.ed.shawcable.net [68.149.172.142:63441]->localhost:6346, Owner: no owner
1,[31/Jul/2007 23:43:24] Rule 'Packet to unopened port received': Blocked: In TCP, S010600508df5db23.ed.shawcable.net [68.149.172.142:63441]->localhost:6346, Owner: no owner
1,[31/Jul/2007 23:44:46] Rule 'Packet to unopened port received': Blocked: In TCP, S010600508df5db23.ed.shawcable.net [68.149.172.142:42961]->localhost:6346, Owner: no owner
1,[31/Jul/2007 23:44:54] Rule 'Packet to unopened port received': Blocked: In TCP, S010600508df5db23.ed.shawcable.net [68.149.172.142:42961]->localhost:6346, Owner: no owner

We do find though, the unique identifier and time and date, which supplies
sufficient material were this a subpoena matter [server logs], or something
one wished to trace [as it occurred], or was suspect of a hack attempt.

For reference, here was the range as posted by PCR:
OrgName: Shaw Communications Inc.
OrgID: SHAWC
Address: Suite 800
Address: 630 - 3rd Ave. SW
City: Calgary
StateProv: AB
PostalCode: T2P-4L4
Country: CA

ReferralServer: rwhois://rs1so.cg.shawcable.net:4321

NetRange: 24.64.0.0 - 24.71.255.255
CIDR: 24.64.0.0/13
NetName: SHAW-COMM
NetHandle: NET-24-64-0-0-1
Parent: NET-24-0-0-0-0
NetType: Direct Allocation
NameServer: NS7.NO.CG.SHAWCABLE.NET
NameServer: NS8.SO.CG.SHAWCABLE.NET
Comment:
RegDate: 1996-06-03
Updated: 2006-02-08


And last, the *shawcable.net* address so we can again visualize the above
as a referenced Shaw attempt, and another unique identifier.

1,[02/Aug/2007 01:03:40] Rule 'Shaw Comm block': Blocked: In UDP, S0106000ae6120fdf.cg.shawcable.net [24.64.120.223:16547]->localhost:1028, Owner: no owner

So finding out a range of addresses gives one opportunity to address
specific issues by blocking them using the range, and your general blocks
*with logging* provide additional information which you can use to determine
other potential issues.

---

This post is to display how important and useful firewall logs can be.
A set of rules properly set up can keep out things we may not wish to enter
our systems, and help monitor what is actually occurring as we travel the
Internet.

Keep it in mind when setting up and monitoring your security.

--
MEB
http://peoplescounsel.orgfree.com
________
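One way to do the log review described in the post above, as an added example that is not part of the original posts: it parses entries in the format shown, groups them by source, and flags sources whose reverse name is under shawcable.net but whose address falls outside 24.64.0.0/13, so that only the general rule caught them. The entry layout is inferred from the posted lines, and the function names are hypothetical.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Range taken from the whois record quoted in the post.
SHAW_RANGE = ipaddress.ip_network("24.64.0.0/13")

# Subset of the entries shown in the post, wrapped the way a newsreader
# wraps long lines, so the unwrapping step below is exercised.
SAMPLE_LOG = """\
1,[31/Jul/2007 23:40:44] Rule 'Shaw Comm block': Blocked: In UDP,
24.64.28.88:6950->localhost:1026, Owner: no owner
1,[31/Jul/2007 23:40:44] Rule 'Shaw Comm block': Blocked: In UDP,
24.64.28.88:6950->localhost:1027, Owner: no owner
1,[31/Jul/2007 23:40:44] Rule 'Shaw Comm block': Blocked: In UDP,
24.64.28.88:6950->localhost:1028, Owner: no owner
1,[31/Jul/2007 23:41:34] Rule 'Packet to unopened port received': Blocked:
In TCP, S010600508df5db23.ed.shawcable.net
[68.149.172.142:33745]->localhost:6346, Owner: no owner
1,[31/Jul/2007 23:43:14] Rule 'Packet to unopened port received': Blocked:
In TCP, S010600508df5db23.ed.shawcable.net
[68.149.172.142:63441]->localhost:6346, Owner: no owner
1,[02/Aug/2007 01:03:40] Rule 'Shaw Comm block': Blocked: In UDP,
S0106000ae6120fdf.cg.shawcable.net [24.64.120.223:16547]->localhost:1028,
Owner: no owner
"""

# Layout inferred from the entries in the post, not from Kerio documentation.
ENTRY = re.compile(
    r"\[(?P<ts>[^\]]+)\] Rule '(?P<rule>[^']+)': Blocked: "
    r"(?P<dir>In|Out) (?P<proto>\w+), "
    r"(?:(?P<host>\S+) \[)?(?P<ip>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)\]?"
    r"->(?P<dst>[^:]+):(?P<dport>\d+)"
)

def unwrap(text):
    """Rejoin wrapped entries; a new entry starts with '<number>,['."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if re.match(r"\d+,\[", line) or (line and not entries):
            entries.append(line)
        elif line:
            entries[-1] += " " + line
    return entries

def parse(text):
    """Return one dict per recognised entry; unrecognised lines are skipped."""
    events = []
    for entry in unwrap(text):
        m = ENTRY.search(entry)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y %H:%M:%S")
        ev["ip"] = ipaddress.ip_address(ev["ip"])
        ev["dport"] = int(ev["dport"])
        events.append(ev)
    return events

def summarize(events, block_range=SHAW_RANGE):
    """Group blocked packets by source and record which rule caught them."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[str(ev["ip"])].append(ev)
    report = {}
    for ip, evs in by_src.items():
        report[ip] = {
            "host": evs[0]["host"],  # None when the log shows no name
            "in_range": evs[0]["ip"] in block_range,
            "rules": sorted({e["rule"] for e in evs}),
            "dports": sorted({e["dport"] for e in evs}),
            "hits": len(evs),
            "first": min(e["ts"] for e in evs),
            "last": max(e["ts"] for e in evs),
        }
    return report

def outside_range_same_domain(report, suffix=".shawcable.net"):
    """Sources named under the provider's domain but not covered by the range
    rule: candidates for a whois lookup before adding another range."""
    return [ip for ip, row in report.items()
            if row["host"] and row["host"].endswith(suffix) and not row["in_range"]]

if __name__ == "__main__":
    report = summarize(parse(SAMPLE_LOG))
    for ip, row in report.items():
        print(ip, row)
    print("check whois for:", outside_range_same_domain(report))
```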
 

PCR

Re: firewalls - Kerio PF Part 1 - what to block and why - your security at risk

MEB wrote:
| "PCR" <pcrrcp@netzero.net> wrote in message
| news:OeoQ7YJ1HHA.4824@TK2MSFTNGP02.phx.gbl...
|| MEB wrote:
|| | "PCR" <pcrrcp@netzero.net> wrote in message
|| | news:ehuK$E70HHA.5152@TK2MSFTNGP02.phx.gbl...
||
|| ...snip
|| || || | DNS is used by any program requiring addressing information.
|
||
|| OK. I've clicked that. I think I do need to do some reading. I'm
|| thinking we should suspend this thread, until we both have read that
|| stuff again. I know I also owe a response to "part 2".
||
|
| Okay, I have saved the Part 1 and Part 2 threads.
| When you wish to continue we can address the materials from these
| posts, correct any errors, and proceed.
| You can save Part 2 for later also if you wish, as present answers
| may change.

Very good, MEB. And I SWEAR it won't be longer than 6 years! And I had
to shoot 4 of my lawyers to do so!

| --
| MEB
| http://peoplescounsel.orgfree.com
| ________

--
Thanks or Good Luck,
There may be humor in this post, and,
Naturally, you will not sue,
Should things get worse after this,
PCR
pcrrcp@netzero.net
 

PCR

MEB wrote:
| "PCR" <pcrrcp@netzero.net> wrote in message
| news:er3KCkJ1HHA.3768@TK2MSFTNGP06.phx.gbl...
|| Curt Christianson wrote:
|| | MEB is a force to be reckoned with--he/she knows their stuff. And
|| | don't make the mistake some of our "regulars" here trying to get
|| | into a battle of legalities and logistics--one usually can't win.
||
|| I only skim through such threads. My lawyers have told me to keep my
|| mouth shut-- even have taped it shut!
||
|| | "I refuse to have a battle of wits with an un-armed person"--my
|| | credo!
||
|| That seems sensible enough. You could end up with a toe in the eye!
|
| No, I wear glasses, phttttt...

LOL.

||
|| | --
|| | HTH,
|| | Curt
|| |
|| | Windows Support Center
|| | www.aumha.org
|| | Practically Nerded,...
|| | http://dundats.mvps.org/Index.htm
|| |
|| | "PCR" <pcrrcp@netzero.net> wrote in message
|| | news:%23td8m2H1HHA.536@TK2MSFTNGP06.phx.gbl...
|| || Curt Christianson wrote:
|| ||| I'm glad I bailed when I did, or else this thread would have
|| ||| looked like the *three* stooges! <vbg>
|| ||
|| || I didn't know you were bald, Christianson! Ohhhh, that's right,
|| || geees... it is one of the, the, the... early XP-irradiation
|| || symptoms!
|| ||
|| || No, no, seriously, I GUESS I must recommence to reading those URLs
|| || for a bit-- BUT I'll be back with solidified answers as to whether
|| || my master plan will work with these Kerio rules or not! Also,
|| || MEB's idea to track my final result is a good one. And other
|| || things said are useful.
|| ||
|| ||| --
|| ||| HTH,
|| ||| Curt
|| |||
|| ||| Windows Support Center
|| ||| www.aumha.org
|| ||| Practically Nerded,...
|| ||| http://dundats.mvps.org/Index.htm
|| |||
|| ||| "PCR" <pcrrcp@netzero.net> wrote in message
|| ||| news:uKHQ%23iH1HHA.3768@TK2MSFTNGP06.phx.gbl...
|| |||| MEB wrote:
|| ||||| Look dude, your attempts at explaining away the issue holds no
|| ||||| water.. any mere cursory analysis finds that true ....
|| |||||
|| ||||| If you continue we WILL proceed to discuss those individuals
|| ||||| within or whom monitor this group, with sufficient
|| ||||| server/Microsoft contact and the apparent fact, someone
|| ||||| determined that this filter be applied... and how one could
|| ||||| reasonably determine such issues, etc..
|| |||||
|| ||||| And use your brain, I do this for other activities, it's
|| ||||| called forensic research, collecting evidence, building cases,
|| ||||| providing prosecutive materials or defense materials
|| ||||| ........................................ get it yet.
|| |||||
|| ||||| NOW DROP IT! The last thing this discussion needs is spurious
|| ||||| chatter...
|| ||||
|| |||| I think I almost know what you're referring to. And that's
|| |||| enough for me. OK, bye. I'll try to get to the firewall stuff
|| |||| later.
|| ||||
|| ||||| --
|| ||||| MEB
|| ||||| http://peoplescounsel.orgfree.com
|| ||||| ________
|| ||||
|| |||| --
|| |||| Thanks or Good Luck,
|| |||| There may be humor in this post, and,
|| |||| Naturally, you will not sue,
|| |||| Should things get worse after this,
|| |||| PCR
|| |||| pcrrcp@netzero.net
|| ||
|| || --
|| || Thanks or Good Luck,
|| || There may be humor in this post, and,
|| || Naturally, you will not sue,
|| || Should things get worse after this,
|| || PCR
|| || pcrrcp@netzero.net
||
|| --
|| Thanks or Good Luck,
|| There may be humor in this post, and,
|| Naturally, you will not sue,
|| Should things get worse after this,
|| PCR
|| pcrrcp@netzero.net

--
Thanks or Good Luck,
There may be humor in this post, and,
Naturally, you will not sue,
Should things get worse after this,
PCR
pcrrcp@netzero.net
 

PCR

Re: firewalls - Kerio PF Part 1 - what to block and why - your security at risk

PCR wrote:
| MEB wrote:
|| "PCR" <pcrrcp@netzero.net> wrote in message
|| news:ehuK$E70HHA.5152@TK2MSFTNGP02.phx.gbl...

....snip
||| | Those are the suggestions by most, including Sponge...
||| | So you have no specific rule for Netzero ICMP?
|||
||| Undoubtedly, Sponge was the source of it-- but I may have made an
||| adjustment afterward to drop [0] going out & [8] coming in-- to
||| become non-pingable, I think.
||
|| Yes, if you want to be as stealthy as possible, everything should be
|| ruled off in your firewall. Though in my config, I have specific
|| addresses which can ping and to which I can ping [by application both
|| ways] so that my web pages can be maintained and other necessary
|| functions. And others which are set to log such activity [for
|| purposes previously mentioned].
|
| I didn't think of that, to let specific sites ping me. I do get a
| warning from NetZero now/then that I must click or get thrown off. It
| seems to work w/o pinging.
|
| However, eventually, I am thrown off w/o a warning, anyhow. I don't
| know, maybe it's a second NetZero mechanism that does require PING to
| function. OK, that's done-- I allow ICMP [0] out & [8] in to the
| NetZero range only. It shouldn't be long before I know the result.

It didn't work for me to allow PING back/forth to the NetZero addresses.
I still get thrown off the NET after a while, despite responding to the
NetZero timer requestor. (It doesn't happen immediately after that.)

But I'm only assuming it's NetZero throwing me off. I simply get a
Windows requestor saying the connection has terminated-- looks like it
may be an OE requestor. It offers a button to reconnect, but that won't
work. I have to click the NetZero connectoid for that.

....snip
--
Thanks or Good Luck,
There may be humor in this post, and,
Naturally, you will not sue,
Should things get worse after this,
PCR
pcrrcp@netzero.net
 

MEB

Re: firewalls - Kerio PF Part 1 - what to block and why - your security at risk

"PCR" <pcrrcp@netzero.net> wrote in message
news:%2316o%23IV1HHA.484@TK2MSFTNGP06.phx.gbl...
| PCR wrote:
| | MEB wrote:
| || "PCR" <pcrrcp@netzero.net> wrote in message
| || news:ehuK$E70HHA.5152@TK2MSFTNGP02.phx.gbl...
|
| ...snip
| ||| | Those are the suggestions by most, including Sponge...
| ||| | So you have no specific rule for Netzero ICMP?
| |||
| ||| Undoubtedly, Sponge was the source of it-- but I may have made an
| ||| adjustment afterward to drop [0] going out & [8] coming in-- to
| ||| become non-pingable, I think.
| ||
| || Yes, if you want to be as stealthy as possible, everything should be
| || ruled off in your firewall. Though in my config, I have specific
| || addresses which can ping and to which I can ping [by application both
| || ways] so that my web pages can be maintained and other necessary
| || functions. And others which are set to log such activity [for
| || purposes previously mentioned].
| |
| | I didn't think of that, to let specific sites ping me. I do get a
| | warning from NetZero now/then that I must click or get thrown off. It
| | seems to work w/o pinging.
| |
| | However, eventually, I am thrown off w/o a warning, anyhow. I don't
| | know, maybe it's a second NetZero mechanism that does require PING to
| | function. OK, that's done-- I allow ICMP [0] out & [8] in to the
| | NetZero range only. It shouldn't be long before I know the result.
|
| It didn't work for me to allow PING back/forth to the NetZero addresses.
| I still get thrown off the NET after a while, despite responding to the
| NetZero timer requestor. (It doesn't happen immediately after that.)
|
| But I'm only assuming it's NetZero throwing me off. I simply get a
| Windows requestor saying the connection has terminated-- looks like it
| may be an OE requestor. It offers a button to reconnect, but that won't
| work. I have to click the NetZero connectoid for that.
|
| ...snip
| --
| Thanks or Good Luck,
| There may be humor in this post, and,
| Naturally, you will not sue,
| Should things get worse after this,
| PCR
| pcrrcp@netzero.net
|
|

Likely you will get to it when you get to your other rules. Or, as users of
AOL would do [and I did when using NetZero and ZoneAlarm], try something
like Stay Alive[? PCMag] [slow down the ping/contact rate though] {make sure
you rule the app well}, pending your further investigations into NetZero
requirements and Kerio [and network aspects].

--
MEB
http://peoplescounsel.orgfree.com
________
 

PCR

Re: firewalls - Kerio PF Part 1 - what to block and why - your security at risk

MEB wrote:
| "PCR" <pcrrcp@netzero.net> wrote in message
| news:%2316o%23IV1HHA.484@TK2MSFTNGP06.phx.gbl...
|| PCR wrote:
|| | MEB wrote:
|| || "PCR" <pcrrcp@netzero.net> wrote in message
|| || news:ehuK$E70HHA.5152@TK2MSFTNGP02.phx.gbl...
||
|| ...snip
|| ||| | Those are the suggestions by most, including Sponge...
|| ||| | So you have no specific rule for Netzero ICMP?
|| |||
|| ||| Undoubtedly, Sponge was the source of it-- but I may have made an
|| ||| adjustment afterward to drop [0] going out & [8] coming in-- to
|| ||| become non-pingable, I think.
|| ||
|| || Yes, if you want to be as stealthy as possible, everything should
|| || be ruled off in your firewall. Though in my config, I have
|| || specific addresses which can ping and to which I can ping [by
|| || application both ways] so that my web pages can be maintained and
|| || other necessary functions. And others which are set to log such
|| || activity [for purposes previously mentioned].
|| |
|| | I didn't think of that, to let specific sites ping me. I do get a
|| | warning from NetZero now/then that I must click or get thrown off.
|| | It seems to work w/o pinging.
|| |
|| | However, eventually, I am thrown off w/o a warning, anyhow. I don't
|| | know, maybe it's a second NetZero mechanism that does require PING
|| | to function. OK, that's done-- I allow ICMP [0] out & [8] in to the
|| | NetZero range only. It shouldn't be long before I know the result.
||
|| It didn't work for me to allow PING back/forth to the NetZero
|| addresses. I still get thrown off the NET after a while, despite
|| responding to the NetZero timer requestor. (It doesn't happen
|| immediately after that.)
||
|| But I'm only assuming it's NetZero throwing me off. I simply get a
|| Windows requestor saying the connection has terminated-- looks like
|| it may be an OE requestor. It offers a button to reconnect, but that
|| won't work. I have to click the NetZero connectoid for that.
||
|| ...snip
|| --
|| Thanks or Good Luck,
|| There may be humor in this post, and,
|| Naturally, you will not sue,
|| Should things get worse after this,
|| PCR
|| pcrrcp@netzero.net
||
||
|
| Likely you will get to it when you get to your other rules. Or, as
| users of AOL would do [and I did when using NetZero and
| ZoneAlarm], try something like Stay Alive[? PCMag] [slow down the
| ping/contact rate though] {make sure you rule the app well}, pending
| your further investigations into NetZero requirements and Kerio [and
| network aspects].

Uhuh. It isn't horribly bad, because normally I go for hours before it
happens, & I can reconnect immediately for another dime by clicking the
NetZero connectoid. It may not be NetZero at all doing it. It isn't a
NetZero requestor that pops up, but I can't quite recall its title. It
has a "Reconnect" & a "No thanks" button & possibly one other.

Another possibility I guess is that someone is trying to ring my phone
(I've only got one line) or something else happens to the phone line, I
guess. Thanks for the suggestion. It's also been said I should
occasionally click the NetZero Taskbar.

| --
| MEB
| http://peoplescounsel.orgfree.com
| ________

--
Thanks or Good Luck,
There may be humor in this post, and,
Naturally, you will not sue,
Should things get worse after this,
PCR
pcrrcp@netzero.net
 

PCR

Re: firewalls - Kerio PF Part 1 - what to block and why - your security at risk

PCR wrote:
| MEB wrote:
|| "PCR" <pcrrcp@netzero.net> wrote in message
|| news:%2316o%23IV1HHA.484@TK2MSFTNGP06.phx.gbl...
||| PCR wrote:
||| | MEB wrote:
||| || "PCR" <pcrrcp@netzero.net> wrote in message
||| || news:ehuK$E70HHA.5152@TK2MSFTNGP02.phx.gbl...
|||
||| ...snip
||| ||| | Those are the suggestions by most, including Sponge...
||| ||| | So you have no specific rule for Netzero ICMP?
||| |||
||| ||| Undoubtedly, Sponge was the source of it-- but I may have made
||| ||| an adjustment afterward to drop [0] going out & [8] coming in--
||| ||| to become non-pingable, I think.
||| ||
||| || Yes, if you want to be as stealthy as possible, everything should
||| || be ruled off in your firewall. Though in my config, I have
||| || specific addresses which can ping and to which I can ping [by
||| || application both ways] so that my web pages can be maintained and
||| || other necessary functions. And others which are set to log such
||| || activity [for purposes previously mentioned].
||| |
||| | I didn't think of that, to let specific sites ping me. I do get a
||| | warning from NetZero now/then that I must click or get thrown off.
||| | It seems to work w/o pinging.
||| |
||| | However, eventually, I am thrown off w/o a warning, anyhow. I
||| | don't know, maybe it's a second NetZero mechanism that does
||| | require PING to function. OK, that's done-- I allow ICMP [0] out
||| | & [8] in to the NetZero range only. It shouldn't be long before I
||| | know the result.
|||
||| It didn't work for me to allow PING back/forth to the NetZero
||| addresses. I still get thrown off the NET after a while, despite
||| responding to the NetZero timer requestor. (It doesn't happen
||| immediately after that.)
|||
||| But I'm only assuming it's NetZero throwing me off. I simply get a
||| Windows requestor saying the connection has terminated-- looks like
||| it may be an OE requestor. It offers a button to reconnect, but that
||| won't work. I have to click the NetZero connectoid for that.
|||
||| ...snip
||| --
||| Thanks or Good Luck,
||| There may be humor in this post, and,
||| Naturally, you will not sue,
||| Should things get worse after this,
||| PCR
||| pcrrcp@netzero.net
|||
|||
||
|| Likely you will get to it when you get to your other rules. Or, as
|| users of AOL would do [and I did when using NetZero and
|| ZoneAlarm], try something like Stay Alive[? PCMag] [slow down the
|| ping/contact rate though] {make sure you rule the app well}, pending
|| your further investigations into NetZero requirements and Kerio [and
|| network aspects].
|
| Uhuh. It isn't horribly bad, because normally I go for hours before it
| happens, & I can reconnect immediately for another dime by clicking
| the NetZero connectoid. It may not be NetZero at all doing it. It
| isn't a NetZero requestor that pops up, but I can't quite recall its
| title. It has a "Reconnect" & a "No thanks" button & possibly one
| other.
|
| Another possibility I guess is that someone is trying to ring my phone
| (I've only got one line) or something else happens to the phone line,
| I guess. Thanks for the suggestion. It's also been said I should
| occasionally click the NetZero Taskbar.

Update: Oooops, that IS a NetZero requestor...

Title: Auto-Reconnect
Message: You have been accidentally disconnected from the internet.
Would you like to reconnect now?
Buttons: "No Thanks", "Help", & "Reconnect"

"Reconnect" doesn't work-- the requestor simply disappears. "Help" goes to a NetZero help page.

I GUESS I can live with it!
 

MEB

Re: firewalls - Kerio PF Part 1 - what to block and why - your security at risk

"PCR" <pcrrcp@netzero.net> wrote in message
news:uPG$Nxs1HHA.1100@TK2MSFTNGP06.phx.gbl...
PCR wrote:
| MEB wrote:
|| "PCR" <pcrrcp@netzero.net> wrote in message
|| news:%2316o%23IV1HHA.484@TK2MSFTNGP06.phx.gbl...
||| PCR wrote:
||| | MEB wrote:
||| || "PCR" <pcrrcp@netzero.net> wrote in message
||| || news:ehuK$E70HHA.5152@TK2MSFTNGP02.phx.gbl...
|||
||| ...snip
||| ||| | Those are the suggestions by most, including Sponge...
||| ||| | So you have no specific rule for Netzero ICMP?
||| |||
||| ||| Undoubtedly, Sponge was the source of it-- but I may have made
||| ||| an adjustment afterward to drop [0] going out & [8] coming in--
||| ||| to become non-pingable, I think.
||| ||
||| || Yes, if you want to be as stealthy as possible, everything should
||| || be ruled off in your firewall. Though in my config, I have
||| || specific addresses which can ping and to which I can ping [by
||| || application both ways] so that my web pages can be maintained and
||| || other necessary functions. And others which are set to log such
||| || activity [for purposes previously mentioned].
||| |
||| | I didn't think of that, to let specific sites ping me. I do get a
||| | warning from NetZero now/then that I must click or get thrown off.
||| | It seems to work w/o pinging.
||| |
||| | However, eventually, I am thrown off w/o a warning, anyhow. I
||| | don't know, maybe it's a second NetZero mechanism that does
||| | require PING to function. OK, that's done-- I allow ICMP [0] out
||| | & [8] in to the NetZero range only. It shouldn't be long before I
||| | know the result.
|||
||| It didn't work for me to allow PING back/forth to the NetZero
||| addresses. I still get thrown off the NET after a while, despite
||| responding to the NetZero timer requestor. (It doesn't happen
||| immediately after that.)
|||
||| But I'm only assuming it's NetZero throwing me off. I simply get a
||| Windows requestor saying the connection has terminated-- looks like
||| it may be an OE requestor. It offers a button to reconnect, but that
||| won't work. I have to click the NetZero connectoid for that.
|||
||| ...snip
||| --
||| Thanks or Good Luck,
||| There may be humor in this post, and,
||| Naturally, you will not sue,
||| Should things get worse after this,
||| PCR
||| pcrrcp@netzero.net
|||
|||
||
|| Likely you will get to it when you get to your other rules. Or, as
|| users of AOL would do [and I did when using NetZero and
|| ZoneAlarm], try something like Stay Alive[? PCMag] [slow down the
|| ping/contact rate though] {make sure you rule the app well}, pending
|| your further investigations into NetZero requirements and Kerio [and
|| network aspects].
|
| Uhuh. It isn't horribly bad, because normally I go for hours before it
| happens, & I can reconnect immediately for another dime by clicking
| the NetZero connectoid. It may not be NetZero at all doing it. It
| isn't a NetZero requestor that pops up, but I can't quite recall its
| title. It has a "Reconnect" & a "No thanks" button & possibly one
| other.
|
| Another possibility I guess is that someone is trying to ring my phone
| (I've only got one line) or something else happens to the phone line,
| I guess. Thanks for the suggestion. It's also been said I should
| occasionally click the NetZero Taskbar.

>Update: Oooops, that IS a NetZero requestor...
>
>Title: Auto-Reconnect
>Message: You have been accidentally disconnected from the internet.
> Would you like to reconnect now?
>Buttons: "No Thanks", "Help", & "Reconnect"
>
>"Reconnect" doesn't work-- the requestor simply disappears. "Help" goes to
>a NetZero help page.
>
>I GUESS I can live with it!


Uhm, did you REALLY look at the net *calls* like ICMP? How about IGMP?
etc....

--
MEB
http://peoplescounsel.orgfree.com
________
 

PCR

Re: firewalls - Kerio PF Part 1 - what to block and why - your security at risk

MEB wrote:
| "PCR" <pcrrcp@netzero.net> wrote in message
| news:uPG$Nxs1HHA.1100@TK2MSFTNGP06.phx.gbl...
| PCR wrote:
|| MEB wrote:
||| "PCR" <pcrrcp@netzero.net> wrote in message
||| news:%2316o%23IV1HHA.484@TK2MSFTNGP06.phx.gbl...
|||| PCR wrote:
|||| | MEB wrote:
|||| || "PCR" <pcrrcp@netzero.net> wrote in message
|||| || news:ehuK$E70HHA.5152@TK2MSFTNGP02.phx.gbl...
||||
|||| ...snip
|||| ||| | Those are the suggestions by most, including Sponge...
|||| ||| | So you have no specific rule for Netzero ICMP?
|||| |||
|||| ||| Undoubtedly, Sponge was the source of it-- but I may have made
|||| ||| an adjustment afterward to drop [0] going out & [8] coming in--
|||| ||| to become non-pingable, I think.
|||| ||
|||| || Yes, if you want to be as stealthy as possible, everything
|||| || should be ruled off in your firewall. Though in my config, I
|||| || have specific addresses which can ping and to which I can ping
|||| || [by application both ways] so that my web pages can be
|||| || maintained and other necessary functions. And others which are
|||| || set to log such activity [for purposes previously mentioned].
|||| |
|||| | I didn't think of that, to let specific sites ping me. I do get a
|||| | warning from NetZero now/then that I must click or get thrown
|||| | off. It seems to work w/o pinging.
|||| |
|||| | However, eventually, I am thrown off w/o a warning, anyhow. I
|||| | don't know, maybe it's a second NetZero mechanism that does
|||| | require PING to function. OK, that's done-- I allow ICMP [0] out
|||| | & [8] in to the NetZero range only. It shouldn't be long before I
|||| | know the result.
||||
|||| It didn't work for me to allow PING back/forth to the NetZero
|||| addresses. I still get thrown off the NET after a while, despite
|||| responding to the NetZero timer requestor. (It doesn't happen
|||| immediately after that.)
||||
|||| But I'm only assuming it's NetZero throwing me off. I simply get a
|||| Windows requestor saying the connection has terminated-- looks like
|||| it may be an OE requestor. It offers a button to reconnect, but
|||| that won't work. I have to click the NetZero connectoid for that.
||||
|||| ...snip
|||| --
|||| Thanks or Good Luck,
|||| There may be humor in this post, and,
|||| Naturally, you will not sue,
|||| Should things get worse after this,
|||| PCR
|||| pcrrcp@netzero.net
||||
||||
|||
||| Likely you will get to it when you get to your other rules. Or, as
||| users of AOL would do [and I did when using NetZero and
||| ZoneAlarm], try something like Stay Alive[? PCMag] [slow down the
||| ping/contact rate though] {make sure you rule the app well}, pending
||| your further investigations into NetZero requirements and Kerio [and
||| network aspects].
||
|| Uhuh. It isn't horribly bad, because normally I go for hours before
|| it happens, & I can reconnect immediately for another dime by
|| clicking the NetZero connectoid. It may not be NetZero at all doing
|| it. It isn't a NetZero requestor that pops up, but I can't quite
|| recall its title. It has a "Reconnect" & a "No thanks" button &
|| possibly one other.
||
|| Another possibility I guess is that someone is trying to ring my
|| phone (I've only got one line) or something else happens to the
|| phone line, I guess. Thanks for the suggestion. It's also been said
|| I should occasionally click the NetZero Taskbar.
|
| >Update: Oooops, that IS a NetZero requestor...
| >
| >Title: Auto-Reconnect
| >Message: You have been accidentally disconnected from the internet.
| > Would you like to reconnect now?
| >Buttons: "No Thanks", "Help", & "Reconnect"
| >
| >"Reconnect" doesn't work-- the requestor simply disappears. "Help"
| >goes to a NetZero help page.
| >
| >I GUESS I can live with it!
|
| Uhm, did you REALLY look at the net *calls* like ICMP? How about IGMP?
| etc....

Believe me, every day since putting this thread on hold, I have sworn to click those URLs. I swore it at 7:00 AM this morning! Soon as I do (within 6 years, I swear), I'll know more about IGMP, I'm sure. But I don't appear to have any IGMP rule at all, which likely means nothing is using it-- otherwise, Kerio I think would put up a requestor, as it is set to do so! Are you sure there is such a protocol as IGMP? I don't even see it in Kerio's lists!

But, YEA, I DID allow PING between me & NetZero-- & that did not solve it! Now, I've reverted back to none.

| --
| MEB
| http://peoplescounsel.orgfree.com
| ________

--
Thanks or Good Luck,
There may be humor in this post, and,
Naturally, you will not sue,
Should things get worse after this,
PCR
pcrrcp@netzero.net
 