Firewall traffic rules

I was looking at the firewall traffic rules that are in place for my computer and am not sure if they are configured correctly.

For example:

Default BLOCK inbound NetBios name

BLOCK, Direction: inbound; Computer: any; Communications: specific; Protocol: UDP

At first glance, it looks good.  However, when I clicked on Modify, and then Communications, I noticed that the rule specifically blocks "ONLY communications that match all the types and  ports listed below" which was listed as follows:  "local netbios-ns (port 137)".

There is another line regarding NetBios that is listed.  That is the same as above except it blocks only "local netbios-dgm (port 138)".

Does that mean that every other port is NOT BLOCKED to inbound traffic for these situations?

I ran a test on Spybot Search and Destroy to see what I had for open network ports and both of those ports (137 and 138) are listed as open under the local port heading with a flag of UDP Listen.   At the time, there were 17 ports listed as LISTENING, one as ESTABLISHED and one as TCP CLOSE_WAIT. 

I then went to Shield's Up website and failed the test because they were able to get to my personal network IP.

I don't know enough about Network security and firewalls to know if something is really wrong or not and don't want to arbitrarily change things around without getting some advice.  (I did have someone from Norton set me up originally, but that was months ago).  I have read in various forums mixed results of using the Smart Firewall or Automatic option.  Some people suggest turning that off and configuring the firewall on one's own to avoid problems.

Can someone help me?  I have only given one example of the Firewall Traffic Rules, but I have many I'd like to go over with someone.

Thanks,

LLee

Replies

Re: Firewall traffic rules

Hi llee,

Those are the ports that NetBios uses, so those are the ports that are specified in the firewall rules.  It is definitely not a good idea to modify the General Rules unless you are really sure about what you are doing and have a very specific issue that makes creating an exception to a rule necessary.

Likewise, leave the automatic Smart Firewall enabled unless you are highly knowledgeable about the processes running on your computer and their needs for internet access.  Being able to tell the difference between a legitimate, necessary communication request and a suspicious one is what the Norton Smart Firewall is designed to do, and it is able to do this with much more precision and reliability than most users could achieve on their own.

As to the IP address at GRC.com, that is pretty much just your public internet address and does not figure into the pass/fail grade that Shields UP determines for you.  A website has to know your IP address or it could not send its content to you.  If you look in your user profile page here at the Norton Community, you will see it listed there as well (only you can see it though, it is not publicly viewable).

Re: Firewall traffic rules

Just to confirm, did you carefully check the IP address shown on the Shields up website?  If you are behind a router, it will be the router that is visible to the Shields up check.

Generally speaking the safest configuration for the firewall rules is the default setting.  Stealth blocked ports should be on.  Some rules can be added if you are having difficulty connecting.  They are configured for maximum protection but still allowing your traffic in and out.

The firewall rules generally come in pairs.  There will be a default block and a default allow.  Some you can customize, and others you can only view. They are difficult to understand and usually not well explained.

The default block is blocking all computers on that port; the default allow provides the exception that allows you to receive traffic on that port if it is meant for you.

This is a handy link for explaining some of the default firewall rules.

http://service1.symantec.com/SUPPORT/sunset-c2002kb.nsf/672c231f89ff479085256ee600556cc3/ade2747ea2a9741685256ede00518db1?OpenDocument

Under certain circumstances profanity provides relief denied even to prayer. Mark Twain
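
Added example (not part of any post in this thread, and not Norton's code): a small Python model of the original question, showing that a block rule scoped to "local port 137" decides only traffic to that port, and that a socket shown as listening is a separate matter from what the firewall lets in. It assumes first-match-wins evaluation with a configurable default action, which the thread does not state for Norton; the netstat-style lines, addresses and the second rule's name are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    action: str      # "BLOCK" or "ALLOW"
    protocol: str    # "UDP" or "TCP"
    local_port: int  # the rule applies ONLY to this local port

# The two inbound NetBIOS rules quoted in the thread (second name is constructed).
RULES = [
    Rule("Default BLOCK inbound NetBios name", "BLOCK", "UDP", 137),
    Rule("NetBIOS datagram block (constructed name)", "BLOCK", "UDP", 138),
]

# Constructed netstat-style sample; addresses and ports are illustrative.
SAMPLE_NETSTAT = """\
  UDP    192.168.1.20:137     *:*
  UDP    192.168.1.20:138     *:*
  TCP    0.0.0.0:135          0.0.0.0:0          LISTENING
  TCP    127.0.0.1:5354       0.0.0.0:0          LISTENING
  TCP    192.168.1.20:49172   203.0.113.10:80    ESTABLISHED
"""

def decide(protocol, port, rules=RULES, default="BLOCK"):
    """Assumed model: first matching rule wins, otherwise the default applies."""
    for rule in rules:
        if (rule.protocol, rule.local_port) == (protocol, port):
            return rule.action, rule.name
    return default, "no rule matched (default)"

def parse_listeners(text):
    """Return (protocol, address, port) for sockets waiting for inbound traffic."""
    found = []
    for f in (line.split() for line in text.splitlines()):
        listening = f[:1] == ["UDP"] or (f[:1] == ["TCP"] and f[-1] == "LISTENING")
        if len(f) >= 3 and listening:
            addr, port = f[1].rsplit(":", 1)
            found.append((f[0], addr, int(port)))
    return found

def audit(text, rules=RULES, default="BLOCK"):
    """Map each listener to the verdict an inbound packet from outside would get."""
    report = {}
    for proto, addr, port in parse_listeners(text):
        local_only = addr.startswith("127.")  # loopback is unreachable remotely
        report[(proto, port)] = (("LOCAL-ONLY", "bound to loopback") if local_only
                                 else decide(proto, port, rules, default))
    return report
```

Calling `audit(SAMPLE_NETSTAT, default="ALLOW")` shows which listeners would be exposed if nothing else in the rule set covered them, which is the case the original question is asking about.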

Re: Firewall traffic rules

Thank you for your reply.  While I have no interest in disabling the Smart Firewall and haven't touched anything, I do realize there is a problem that could have grave consequences and possibly has already because I am having the Norton icon disappear and not loading on start-up.

I apologize, the test I ran for detecting my IP was from www.auditmypc.com.  It showed my external IP address AND my internal IP, city, general GPS location, browser, etc...  I understand the necessity of showing the external IP.  It is the internal IP++ that has me concerned because I am giving out way too much information.  From searching, it looks like I need to use a proxy server or something like that.  I am unfamiliar with this.  I don't need to hide information from anyone physically looking at my computer, I just want to surf the web without giving away my city name, browser, and shoe size.  Any suggestions?  Can a browser add-on do the trick?

But the more important concern is that I ran a leaktest on the Shield's Up website and it failed.  I downloaded the leaktest.exe and changed the name to setup.exe (per Shield's Up directions to change to an "approved" application).  I didn't get any notifications from Norton about the program!  I got the Shield's Up pop-up that my firewall was penetrated.  I went back and looked in Norton's Recent History and the following entries were added:

1.  Firewall rules were automatically created for Firewall Leak Testing Utility (severity=info and status=protected).

2.  An instance of  "C:\documents and settings\AdminOnly\My Documents\Downloads\setup.exe" is preparing to access the internet (severity=info and status=detected).

I then looked at the Program Rules and noticed that a new automatic rule was created:

Program:  Firewall Leak Testing Utility

                   C:\Documents and Settings\AdminOnly\My Documents\Downloads\setup.exe

Access:  Auto

With Rules:   Firewall Leak Testing Utility ALLOW; Direction: outbound; Computer: any; Communications: Specific; Protocols:  UDP and TCP (Specific port: remote domains (port 53) and TCP (Specific port: remote http (port 80)

Now what?  

Thanks,

LLee


Re: Firewall traffic rules

If you go into Norton>program rules (not firewall rules) and block the leaktest utility, I expect that you will find that it can no longer connect.  When you install any program or utility in your computer and click on it to work, which includes net access, Norton allows it.

I tried the port scan at Audit my PC.  It found my router IP address.  The first thing it asked was for my IP address.  I gave it the router address instead of mine.  I thought it should have to find it without me telling it.

It advised me that I have no leaks in my router firewall.  No kidding!  It is a miracle that I can get out of that one.

I then took the safe surfing test.  It advised me that I am living in the wrong place, using an IP address that is for my router, have an area code of 0.  Not great.

It did reveal that I have Win 7, I am using Firefox, and correctly identified my service provider, probably because of the IP number range.

It also advises that running the NoScript add-on in Firefox mucks up the tests, or having Java disabled, which might be a good idea to use both.

On Explorer the test was able to find my internal IP address, but you must consider the fact that every time you go somewhere expecting a response, you have to leave your return address.

They are selling a product, and trying to make it look like magic.


Re: Firewall traffic rules

Hi llee,

About your private IP address showing up at AuditmyPC, this is a bit of a trick they use that actually has nothing to do with the firewall, but everything to do with how your browser is configured.   The website says this:

I see my Private IP - What can I do?

Don't panic, even if someone has this information, there is not much that can be done with it...

The point is, you should be concerned that a Java applet ran without your knowledge, found some information and passed it back to the server...

It was cross site leaking of java that gathered this information made possible by passing variables back from the applet and constructing a url in java to a web page using an iframe that contains the data to be collected. The server can then read this information, store and process the internal ip address as needed.

The only way to prevent this that we are aware of, is to disable active scripting in the browser.

So, this is not a firewall issue at all, but rather an issue of not having your browser locked down to block Java applets from running without your permission.  You can set IE's handling of Java applets to enable, disable, or prompt.  In Firefox you can turn Java on or off or use the NoScript add-on to permit applets on a per-site basis.

As to the leak test, when the Smart Firewall's Automatic Program Control is turned on, leak tests are not blocked.  As you discovered, the firewall is familiar with the leak test program, knows that it is not malicious, and therefore allows it.  Actual malware that uses the methods employed by the leak test will be blocked, however.  Turning off APC and using Advanced Events Monitoring will cause the firewall to block and alert you to the leak test.  But in everyday use it is far more convenient and just as effective to let Automatic Program Control handle things.  You can read an earlier discussion of this in this post:

http://community.norton.com/t5/Norton-Internet-Security-Norton/ShieldsUP-and-Leaktest/m-p/102228/highlight/true#M53680


Re: Firewall traffic rules

I would recommend NoScript, as SendOfJive mentions; this add-on is a valuable addition to internet security.


Re: Firewall traffic rules

Having a decent router also helps.


Re: Firewall traffic rules

Thank you everyone.  I will add the NoScript add-on to my browser and limit Java.  I realize now that it isn't really a firewall issue even though it is a security issue (because the Java applet runs and reveals more info than I want).   There are so many loopholes, cracks and crevices that the average user doesn't realize.  It's scary sometimes.   Thank you.

Also, extra thank you to SendofJive.  I really liked your explanation of the leaktest in the link you included.  It was understandable to a noobie such as myself.  Now I won't be panicking that anything and everything my kids or I download will be automatically accepted by Norton - legitimate or not.

Thanks,

LLee
