I keep getting incoming connection attempts on port 80 every 10 or 20 seconds. Just this evening in the time I've been online there have been over 300 attempts, all blocked.
Doing a WHOIS Lookup shows the offending address to be in London, UK. Recently I've been getting these attacks fairly regularly although not with such persistence and duration. Usually my machine gets a couple of hits and then it stops. At other times the remote address is always different although it is possible they are all originating from the same person/location.
Not sure what I can do about this although I did change preferences so that the alert window now stays hidden and the details are logged in the background. Does anyone have any suggestions?
Could you double click on one of the offending log entries, and post a screenshot of the "More Info" window? That'll give us more information on the access attempts.
A full set of steps:
1. Open the Norton Firewall application.
2. Click on the "View history" link on the right side of the window, or choose "History" from the Window menu.
3. In the log window, select "Connection Blocking".
4. Double click on an access attempt to open the More Info window.
5. Take a screenshot (press Apple (command)-shift-4, and drag the mouse to select the More Info window).
Post the screenshot here, or you can email it to me privately on the forums if you don't want to make it public.
I tried to upload a screen shot (jpg) but got a message saying "Please correct the highlighted error ... The file does not have a valid extension for an attachment. txt,log,lue are the valid extensions."
So I'll try uploading an edited copy of the history file and see how it goes. If it doesn't post I'll email you the jpgs. The entries at the top (46.105.180.237) are from Saturday's attempt. You can also see by the dates further down that they've been reasonably frequent (although different IP addresses).
I can't really tell what's going on from the log file you posted. The redacted information might be kind of important, so would you mind sending me a private message with the full log, or the screenshot?
Ryan, did you get the email I sent a couple of days ago with attached screenshot and history file? If not I've attached an unredacted version of the history file.
OK after all this, it looks like the product is actually doing what it's supposed to. It's not a false positive that I can tell, and it's not a problem with the product. Somebody is very interested in your Mac and is trying to access port 80 on your Mac.
It looks like (correct me if I am wrong) your Mac is behind a NAT device (which is why you have a 192. address), but you have allowed port 80 in the firewall on the NAT device. Was this done because you are running a Web server on your Mac? If not, is there some other reason you need port 80 to be accessed by the outside world?
In any event, the product is doing what it should be doing--blocking unwanted attempts to access your Mac.
Thanks for your feedback. Good to hear that NIS checks out ok although, to be honest, I think I would have preferred a false positive. lol
I'm not running a server but you're right that I'm behind a NAT router. All ports are closed except for port 80, which is in stealth mode. Not sure why only 80 is set to stealth but it may be that it's the default setting. I've tried to close it a few times in the past but was unsuccessful, even after contacting the manufacturer (Corega).
A slight problem is that the router instructions/settings are in Japanese (I live in Japan and bought it here) and it takes time to go through the language. I'm also unfamiliar with routers so in the end I decided to leave it in stealth mode.
I know this has nothing to do with Norton but since I'm here, if you or anyone else could give a tip on how I might close port 80 then I'd be grateful. Otherwise no problem and thanks again.
Well, you are behind a NAT router, but for some reason, port 80 on the router must be set to "port forwarding".
Norton Firewall will only report attempts to access your Mac, not the NAT router. So the NAT device is, for whatever reason, forwarding all port 80 packets to your Mac. Either that, or it is forwarding all packet activity to your Mac. Since all activity log entries were for port 80, I am going to guess it's just forwarding port 80.
Stealth mode usually (though not always) means that attempts to access the port are dropped, without a response sent to the attacker. Normally when a router or firewall blocks an attempt to access a port, it tells the attacker "nope, sorry, not allowed". Stealth mode usually means that the response is never sent. That's the meaning in Norton Firewall's stealth mode feature. So if port 80 is set to stealth mode, I'm even more confused.
But since it all sounds like the product is doing what it's designed to do, I'd just make sure to keep Norton Firewall installed and spend some time with Google Translate :-) If the router is a brand that is sold in the United States you can always try going to the manufacturer's Web site and downloading the manual in English.