A firewall is a policy enforcement device.  Ideally the policy you'd like 
it to enforce is "allow all good stuff and no bad stuff".  But it needs to 
be specified a bit more precisely than that -- reflect for a moment that in 
an office, or in a household with teenagers, the owner of the machine and 
the person seated at the keyboard might disagree about what constitutes 
"good" and "bad".  (Or, if you prefer, "appropriate" and "inappropriate".)
  The result is that there is going to be some traffic for which a given 
firewall needs to appeal to some human for guidance.  A really good user-
friendly  firewall will try to start with that set as small as possible, but 
there is always going to be some traffic that falls into that category.

  You give two specific examples.  Let's take the second one first:

> ISMMODULE2.EXE from my computer to 76.9.9.190 port 80

Port 80 is routinely used by clients connecting to web servers using HTTP.  
So routinely that most firewalls should not alert on that case -- unless, 
perhaps, there is some reason to believe that 76.9.9.190 is the address of a 
known compromised/booby-trapped server, or that something that isn't HTTP is 
trying to use port 80 to sneak past.  Perhaps it's just that "ISMMODULE2.EXE 
is not recognized as a known web client/browser....

> 222.161.2.9 port44429 wants to connect to port 1026 owned by "SYSTEM" on  
> your computer

Those Windows Messenger popups that claim that a problem has been found on 
your machine that will be fixed by downloading some magical panacea normally 
come in bound for port 1024, 1025, or 1026.  I would not accept any internet 
traffic for those ports.

David Gillett



On 27 Aug 2007 at 19:25, [log in to unmask] wrote:

Date sent:      	Mon, 27 Aug 2007 19:25:44 EDT
Send reply to:  	PCSOFT - Personal Computer software discussion list
             	<[log in to unmask]>
From:           	[log in to unmask]
Subject:        	[PCSOFT] understanding firewall info
To:             	[log in to unmask]

> Greetings all,
>  
>  I just installed Kerio firewall and am purplexed as to what should or  
> shouldn't be allowed connection. I use AOL and assumed anything with AOL in the  
> name would be needed for my conection(???) so allowed them all as well as  
> anything relating to AVG and Avast. I denied access to such things as Real  Player 
> and Internet Explorer (since I only use Opera as a browser). I also get  
> messages that an address (of the numerical type) is trying to send packets  to 
> Kerio on my machine. (OK?)
>  
>  While attempting to write this I have been interrupted by several  
> connection attempts such as;
>  
> 222.161.2.9 port44429 wants to connect to port 1026 owned by "SYSTEM" on  
> your computer
>  
> And;
>  
> ISMMODULE2.EXE from my computer to 76.9.9.190 port 80
>  
> If I don't understand it, I don't allow it. But since I fail to understand  
> most of what's displayed, I fear to create a rule against some benign, needed  
> connection so end up denying over and over!
>  
>  I guess I'm asking if there is an 'easy' way to learn what these  different 
> request are really associated with so I can determine what to  allow.
>  
>  Many Thanks,
> -Phillip Williams-
> 
> 
> 
> ************************************** Get a sneak peek of the all-new AOL at 
> http://discover.aol.com/memed/aolcom30tour
> 
>              PCSOFT maintains many useful files for download
>                      visit our download web page at:
>                   http://freepctech.com/downloads.shtml

                Curious about the people moderating your
                   messages? Visit our staff web site:
                    http://freepctech.com/staff.shtml