Firewall activities, wireless modems, and routers

I know... I know.. I said I would stop thinking about/looking at the logs--and I really intended to...

 

It's just, this morning, I started thinking about those stupid inbound TCP connections that Norton has (thankfully) been blocking.

 

Example:

 

Rule "Default Block Microsoft Windows 2000 SMB" blocked (60.191.111.85, Port (445) )
Inbound TCP connection
Local address, service is (PC (my IP), Port (445) ).
Remote address, service is (60.191.111.85, Port (60633) ).
Process name is "System".

 

And it occurred to me that my IP that was showing started with 192.168 which should be private and not public. And then I started thinking about the fact that I was on a wireless modem which should (I think) have a built-in router which made me wonder why anything was getting through in the first place.

 

Anyway, I tried logging into the router's settings through the internet and there didn't seem to be much in the way of security settings. I called the service provider who said not to worry because my personal firewall was blocking the attempts but couldn't explain why they were getting through (though they did say that their modems only came with very basic firewalls and were not NAT -- though the not NAT confused me as I thought having private addresses meant NAT). His suggestion was to turn off the modem for 30 seconds which would generate a new IP address.

 

So I guess my question is: Does the fact that the inbound TCP attempts were showing up despite the fact that I'm on a wireless modem indicate that something on my computer was somehow soliciting the traffic OR is it probably an issue with the modem? I've checked the other computers in the house and they don't have inbound TCP attempts showing up in their logs, but those computers aren't online nearly as much as I am.

 

I'm sorry I keep asking questions about this. I've just had such rotten/strange luck with computers over the past couple of years that it doesn't take much for me to go from concern to epic worry.

 

 

roane, Bombastus is right. These notifications are showing that Norton is doing its job of protecting you. As I said in the post that Bombastus linked to, if you have the green tick in your tray icon you are protected, and all is well.

Be aware that IP address is coming from a Chinese government facility:

 

IP Information for 60.191.111.85

IP Location: China Hangzhou Hangzhou City People Government Information Disposal Centre
ASN: AS4134 CHINANET-BACKBONE No.31,Jin-rong Street (registered Aug 01, 2002)
IP Address: 60.191.111.85
Whois Server whois.apnic.net

inetnum: 60.191.111.64 - 60.191.111.95
netname: HANGZHOU-PEOPLE-GOVERNMENT
country: CN
descr: HangZhou City People Government Information Disposal Centre

 

Act accordingly if your line of work deals with sensitive or valuable information.

 

Dave

 

 

 

Thanks bombastus and F4E! I wasn’t sure if that still applied when factoring in the fact that it was a private IP address. So relieved!

Hi DaveH,

Okay that’s kind of creepy and puzzling. The attempts have been coming from different addresses–I just grabbed one of the addresses at random to put in the example.

Now I’m kind of freaked out.

roane, no need to freak. These people ping computers from all over the world looking for weaknesses. That's why we need to keep our computers locked up tight. I've had attacks from all over, and Norton has always slammed the door !....:smileyhappy:

Hi roane,

It would be helpful if you would keep your information in one place. In your thread here, it appears that you are connecting on a network that is not yours, and is therefore not under your control. Since you are connecting wirelessly on a network, there is a router involved and you should not be seeing any unsolicited incoming traffic from the internet - unless someone has configured the router to allow traffic on that port (445). Ask your family if they have configured any port forwarding on the router.

Hi F4E,

 

So the fact that one of the addresses apparently belongs to a government facility isn't anything to worry about? Honestly, I was so freaked when I saw that that I tried to go back and edit the info out of my original post (but I was past the 1 hour cutoff for editing).

 

To be fair, I can't think of anything on my computer they'd be interested in, but it was still a bit unnerving. Even now, in the back of my mind, I'm all "what if they find this post and really decide to try and get in."

roane, did you check Send Of Jive's post ? Are you on a family network ?


Hi SendofJive,

 

Sorry about that! I wasn't sure if they should be in separate threads or not.

 

The network isn't mine. I don't think they would have intentionally configured it to allow traffic on those ports (in addition to attempts on 445, I've had them on 2869 and 135). Their computer knowledge is very basic. They just followed the (very limited) setup instructions with the booklet the service provider sent with the modem.

 

I looked at the modem's settings and didn't see any place where anything was forwarded (though I may not have been looking in the correct place). One thing I saw which I thought might potentially be an issue was under the Universal Plug-N-Play options. There were three options: Disable UPnP; Enable Discovery and Advertisement Only (SSDP); and Enable full internet Gateway Device (IGD) support. Enable full internet Gateway Device (IGD) was the one that was checked and I wondered if that might be the cause because when I looked it up on Wikipedia, I saw the following line "Internet Gateway Device (IGD) Standardized Device Control Protocol is a NAT Port Mapping Protocol (NAT-PMP)[1] and is supported by some NAT routers. It is a common communications protocol of automatically configuring port forwarding."

 

Thanks so much for taking the time to respond and any advice. I did try contacting their ISP, but didn't get very far in terms of advice. 
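Added example, not part of any post in this thread: a small parser for firewall entries in the layout roane quoted, tallying blocked inbound attempts by local port (445, 135 and 2869 are the ports mentioned) and counting how many reached a private 192.168-style address, which is the case the UPnP/port-forwarding question is about. Apart from the first row, the rule names and addresses in the sample are constructed placeholders.

```python
import ipaddress
import re
from collections import Counter

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ENTRY_RE = re.compile(
    r'Rule "(?P<rule>[^"]+)" blocked .*\n'
    r'(?P<direction>Inbound|Outbound) (?P<proto>TCP|UDP) connection\s*\n'
    r'Local address, service is \((?P<local>[^,]+), Port \((?P<lport>\d+)\) \)\.\s*\n'
    r'Remote address, service is \((?P<remote>[^,]+), Port \((?P<rport>\d+)\) \)\.')
TEMPLATE = ('Rule "{0}" blocked ({2}, Port ({3}) )\nInbound TCP connection\n'
            'Local address, service is ({1}, Port ({3}) ).\n'
            'Remote address, service is ({2}, Port ({4}) ).\n'
            'Process name is "System".\n')
# Constructed sample log. Row 1 repeats the entry quoted in the thread; the rule
# names, 192.168.1.10 and the documentation-range peers in the rest are made up.
SAMPLE_LOG = "\n".join(TEMPLATE.format(*row) for row in [
    ("Default Block Microsoft Windows 2000 SMB", "PC (my IP)", "60.191.111.85", 445, 60633),
    ("constructed rule A", "192.168.1.10", "203.0.113.7", 135, 50001),
    ("constructed rule B", "192.168.1.10", "198.51.100.23", 2869, 50002),
    ("constructed rule C", "192.168.1.10", "203.0.113.7", 445, 50003),
])

def is_rfc1918(text):
    """True/False for a parseable address, None for redacted text like 'PC (my IP)'."""
    try:
        addr = ipaddress.ip_address(text.strip())
    except ValueError:
        return None
    return any(addr in net for net in RFC1918)

def summarize(log_text):
    """Tally blocked inbound entries by local port and collect the remote peers."""
    ports, remotes, behind_gateway = Counter(), set(), 0
    for m in ENTRY_RE.finditer(log_text):
        if m["direction"] != "Inbound":
            continue
        ports[int(m["lport"])] += 1
        remotes.add(m["remote"].strip())
        # Private local address + non-private peer: the packet reached the PC
        # through the modem/router (a forward, UPnP mapping, DMZ or bridging).
        if is_rfc1918(m["local"]) and is_rfc1918(m["remote"]) is False:
            behind_gateway += 1
    return {"ports": dict(ports), "remotes": remotes, "behind_gateway": behind_gateway}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A non-zero `behind_gateway` count on a machine with a private address is the cue to review the gateway's port-forwarding, DMZ and UPnP IGD settings, as suggested in the replies.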

roane, Send Of Jive is offline at the moment. When he comes back, he may be able to give you more assistance with your situation. The router brand name may be of some help. Also, someone else may be able to point you in the right direction, so keep the thread open...

Thanks so much F4E. 

 

In case it does help, the modem was made by Siemens.

Roane,

 

Disable UPnP, and if your PCs are not set on a Home network so they communicate to each other, and they work as single entities, disable also SSDP Discovery in your Router/AP.

 

Regards,

Hi Apostolos,

My computer is set up not to communicate with the others, but theirs are set up so they can use their wireless printer so I think that means they are on a network?

Hi roane,

 

If the 2 PCs have shared folders and are set to "talk" to the wireless printer, then yes, they're probably networked.

 

Regards,

Hi guys,

Thanks so much for all of your time and feedback (and incredible patience!). I think I'm just going to try and forget about all of this--at least unless something else happens. I've been driving myself a bit crazy and I think I've been taking it beyond the point of normal concern.


Thanks so much for your responses. They are much appreciated! Even though I only recently started posting, the forum has always been my first stop when I've had questions about Norton. You guys rock!

roane, I agree with Apostolos. UPnP can be a security concern and if you don't need it, best to disable it. Here's some interesting reading on the subject. However, don't let it worry you unnecessarily. :smileyhappy:

 

http://www.forbes.com/sites/andygreenberg/2013/01/29/disable-a-protocol-called-upnp-on-your-router-now-to-avoid-a-serious-set-of-security-bugs/

Thanks Apostolos and F4E. I'm going to pass that on (both the advice and the article) and recommend they disable it.