A firewall is a policy enforcement device. Ideally the policy you'd like
it to enforce is "allow all good stuff and no bad stuff". But it needs to
be specified a bit more precisely than that -- reflect for a moment that in
an office, or in a household with teenagers, the owner of the machine and
the person seated at the keyboard might disagree about what constitutes
"good" and "bad". (Or, if you prefer, "appropriate" and "inappropriate".)
The result is that there is going to be some traffic for which a given
firewall needs to appeal to some human for guidance. A really good user-friendly
firewall will try to start with that set as small as possible, but
there is always going to be some traffic that falls into that category.
You give two specific examples. Let's take the second one first:
> ISMMODULE2.EXE from my computer to 76.9.9.190 port 80
Port 80 is routinely used by clients connecting to web servers using HTTP.
So routinely that most firewalls should not alert on that case -- unless,
perhaps, there is some reason to believe that 76.9.9.190 is the address of a
known compromised/booby-trapped server, or that something that isn't HTTP is
trying to use port 80 to sneak past. Perhaps it's just that ISMMODULE2.EXE
is not recognized as a known web client/browser...
> 222.161.2.9 port44429 wants to connect to port 1026 owned by "SYSTEM" on
> your computer
Those Windows Messenger popups that claim that a problem has been found on
your machine that will be fixed by downloading some magical panacea normally
come inbound for port 1024, 1025, or 1026. I would not accept any internet
traffic for those ports.
David Gillett
On 27 Aug 2007 at 19:25, [log in to unmask] wrote:
Date sent: Mon, 27 Aug 2007 19:25:44 EDT
Send reply to: PCSOFT - Personal Computer software discussion list
<[log in to unmask]>
From: [log in to unmask]
Subject: [PCSOFT] understanding firewall info
To: [log in to unmask]
> Greetings all,
>
> I just installed Kerio firewall and am perplexed as to what should or
> shouldn't be allowed connection. I use AOL and assumed anything with AOL in the
> name would be needed for my connection(???) so allowed them all as well as
> anything relating to AVG and Avast. I denied access to such things as Real Player
> and Internet Explorer (since I only use Opera as a browser). I also get
> messages that an address (of the numerical type) is trying to send packets to
> Kerio on my machine. (OK?)
>
> While attempting to write this I have been interrupted by several
> connection attempts such as:
>
> 222.161.2.9 port44429 wants to connect to port 1026 owned by "SYSTEM" on
> your computer
>
> And;
>
> ISMMODULE2.EXE from my computer to 76.9.9.190 port 80
>
> If I don't understand it, I don't allow it. But since I fail to understand
> most of what's displayed, I fear to create a rule against some benign, needed
> connection so end up denying over and over!
>
> I guess I'm asking if there is an 'easy' way to learn what these different
> requests are really associated with so I can determine what to allow.
>
> Many Thanks,
> -Phillip Williams-
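As an added example (not part of this thread and not Kerio's own code), here is a small Python triage script that parses the two prompt formats quoted above and applies the two rules from David Gillett's reply: an unsolicited inbound connection to port 1024, 1025 or 1026 is the Messenger-popup spam pattern and should be refused, while an outbound connection to port 80 is ordinary HTTP and only needs a human decision when the program is not a recognised browser. The regular expressions, the list of known browsers and the sample alert lines are assumptions constructed for illustration, not Kerio's documented format.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed shapes of the two Kerio-style prompts quoted in the thread.
# Note "port44429" appears without a space in the original, hence "port\s*".
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
INBOUND = re.compile(
    rf'^(?P<src>{IPV4}) port\s*(?P<sport>\d+) wants to connect to '
    rf'port (?P<dport>\d+) owned by "(?P<owner>[^"]+)" on your computer$'
)
OUTBOUND = re.compile(
    rf"^(?P<proc>\S+) from my computer to (?P<dst>{IPV4}) port (?P<dport>\d+)$"
)

# Assumption: the programs this user knows as web clients (Phillip uses Opera).
KNOWN_BROWSERS = {"opera.exe", "firefox.exe", "iexplore.exe"}
# Ports that Windows Messenger popup spam is delivered to, per the reply above.
MESSENGER_SPAM_PORTS = {1024, 1025, 1026}
WEB_PORTS = {80, 443}


@dataclass
class Alert:
    direction: str   # "in" (remote host -> this machine) or "out" (this machine -> remote)
    remote: str      # remote IP address
    dport: int       # destination port of the attempted connection
    proc: str        # local program (outbound) or owning account (inbound)


def parse_alert(line: str) -> Optional[Alert]:
    """Turn one firewall prompt into an Alert, or None if the shape is unknown."""
    line = line.strip()
    m = INBOUND.match(line)
    if m:
        return Alert("in", m["src"], int(m["dport"]), m["owner"])
    m = OUTBOUND.match(line)
    if m:
        return Alert("out", m["dst"], int(m["dport"]), m["proc"])
    return None


def triage(alert: Alert) -> str:
    """Return 'deny', 'allow' or 'ask' (leave the decision to the human)."""
    if alert.direction == "in":
        # Nothing on the internet should be opening connections to these ports.
        if alert.dport in MESSENGER_SPAM_PORTS:
            return "deny"
        return "ask"
    if alert.dport in WEB_PORTS:
        # Routine HTTP/HTTPS, but only from a program we recognise as a browser.
        if alert.proc.lower() in KNOWN_BROWSERS:
            return "allow"
        return "ask"
    return "ask"


def triage_lines(lines: List[str]) -> List[Tuple[str, str]]:
    """Classify a batch of prompt lines; unparseable lines are reported as 'ask'."""
    results = []
    for line in lines:
        alert = parse_alert(line)
        results.append((line.strip(), triage(alert) if alert else "ask"))
    return results


# Constructed sample input: the two prompts quoted in the thread plus one
# from a recognised browser and one line the parser does not understand.
SAMPLE_LINES = [
    '222.161.2.9 port44429 wants to connect to port 1026 owned by "SYSTEM" on your computer',
    "ISMMODULE2.EXE from my computer to 76.9.9.190 port 80",
    "opera.exe from my computer to 76.9.9.190 port 80",
    "some prompt the parser has never seen",
]

if __name__ == "__main__":
    for text, decision in triage_lines(SAMPLE_LINES):
        print(f"{decision:5s}  {text}")
```

Running the script prints `deny` for the inbound port 1026 prompt, `ask` for ISMMODULE2.EXE on port 80, `allow` for opera.exe on port 80, and `ask` for the unrecognised line. The point of the `ask` fallback is the one the reply makes: a firewall can only pre-decide the clearly routine and the clearly unwanted cases, and everything else still has to be escalated to a person.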