#1 |
|
Hi. I reformatted my hard drive and reinstalled everything. I have a Linksys router and Zone Alarm installed. I noticed, after I had set everything up, there have been some alerts from ZA saying a packet from an IP address has been blocked by ZA. I never received these before, and it makes me think something might not be set up right in my router? Any suggestions would be appreciated.

Thanks!

Gomek |
|
|
|
|
#2 |
|
Posts: n/a
|
Gomek wrote:
> Hi. I reformatted my hard drive and reinstalled everything. I have a
> Linksys router and Zone Alarm installed.

So why did you ruin your new system in the first place?

> I noticed, after I had set
> everything up, there have been some alerts from ZA saying a packet from an
> IP address has been blocked by ZA.

That's bad, those messages are annoying. Doesn't it support silent logging?

> I never received these before, and it
> makes me think something might not be set up right in my router?

Eh... nothing? A router is not a security measure.

> Any suggestions would be appreciated.

Uninstall ZoneAlarm and get a serious security concept. Your router is actually quite useful for building up a real firewall.

Sebastian Gottschalk |
|
|
|
#3 |
|
Posts: n/a
|
On Mon, 22 May 2006 04:02:35 +0200, Sebastian Gottschalk <> wrote:

>> Any suggestions would be appreciated.
>
>Uninstall ZoneAlarm and get a serious security concept. Your router is
>actually quite useful for building up a real firewall.

Gottschalk is a plonker.

Your router is effective at providing protection against incoming threats, where ZA is useful is identifying and blocking processes on your computer which want to call out.

The two complement each other.

--
Jim Watt
http://www.gibnet.com

Jim Watt |
|
|
|
#4 |
|
Posts: n/a
|
Gomek wrote:
> Hi. I reformatted my hard drive and reinstalled everything. I have a
> Linksys router and Zone Alarm installed. I noticed, after I had set
> everything up, there have been some alerts from ZA saying a packet from an
> IP address has been blocked by ZA. I never received these before, and it
> makes me think something might not be set up right in my router? Any
> suggestions would be appreciated.
>
> Thanks!

Your Linky is working as designed. Out of the box, most linksys routers are NOT stateful firewalls. They will faithfully NAT your LAN, and drop unsolicited inbound packets from drive-by scans; but will not challenge inbound traffic once you've established an outbound routing-table entry - which can happen in many ways, good and not-so-good.

This blocked packet could have been from a legitimate connection which is trying to keep the connection current, or from a malicious connection established by a browser link, or any of a number of things.

IIWU, I'd upgrade the Linky with one of the open-source, Linux OS's that includes a proper, stateful firewall (and in some cases attack behaviour detection).

(Also, Sebastian mentioned replacing ZA with a more comprehensive security solution ....... Yep - Agree with that. But that requires some thought and a broader perspective (e.g. user behaviour, potential loss, inventory of threats, which tools deal with which threats, etc. becomes religious very quickly.)

Roger Parks |
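Added example, not part of any post in this thread: a small Python model of the distinction discussed above, using the UDP filtering behaviours named in RFC 4787 (endpoint-independent versus address-and-port-dependent). The `Nat` class, the 60-second timeout, the port-preserving mapping and the documentation-range addresses are assumptions made for illustration and do not describe any particular Linksys firmware.

```python
from dataclasses import dataclass, field

# RFC 4787 filtering behaviours for an existing UDP NAT mapping.
ENDPOINT_INDEPENDENT = "endpoint-independent"    # any remote host may use the mapping
ADDRESS_AND_PORT = "address-and-port-dependent"  # only a remote ip:port the LAN host contacted

@dataclass
class Nat:
    filtering: str
    timeout: float = 60.0                      # idle seconds before a mapping expires (assumed)
    table: dict = field(default_factory=dict)  # external port -> mapping state

    def outbound(self, now, lan_host, lan_port, remote):
        """A LAN host sends UDP to remote=(ip, port); create or refresh the mapping."""
        ext_port = lan_port                    # port preservation, to keep the model small
        entry = self.table.setdefault(
            ext_port, {"lan": (lan_host, lan_port), "peers": set()})
        entry["peers"].add(remote)
        entry["last"] = now
        return ext_port

    def inbound(self, now, ext_port, remote):
        """Return the LAN (host, port) the packet is forwarded to, or None if dropped."""
        entry = self.table.get(ext_port)
        if entry is None or now - entry["last"] > self.timeout:
            self.table.pop(ext_port, None)     # no mapping, or the mapping has expired
            return None
        if self.filtering == ADDRESS_AND_PORT and remote not in entry["peers"]:
            return None                        # mapping exists, but this sender was never contacted
        return entry["lan"]

def scenario(filtering):
    """Constructed traffic: one outbound query, then four inbound packets."""
    nat = Nat(filtering)
    port = nat.outbound(0, "192.168.1.100", 5000, ("198.51.100.53", 53))
    return {
        "reply_from_contacted_server": nat.inbound(1, port, ("198.51.100.53", 53)),
        "packet_from_third_party": nat.inbound(2, port, ("203.0.113.9", 4444)),
        "unsolicited_to_unmapped_port": nat.inbound(3, 6000, ("203.0.113.9", 4444)),
        "late_reply_after_timeout": nat.inbound(120, port, ("198.51.100.53", 53)),
    }

if __name__ == "__main__":
    for mode in (ENDPOINT_INDEPENDENT, ADDRESS_AND_PORT):
        print(mode, scenario(mode))
```

Only the third-party packet differs between the two modes: with endpoint-independent filtering it is forwarded to the LAN host, where a host firewall is the next thing that sees it.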
|
|
|
#5 |
|
Posts: n/a
|
Roger Parks wrote:
> Your Linky is working as designed. Out of the box, most linksys routers
> are NOT stateful firewalls. They will faithfully NAT your LAN, and drop
> unsolicited inbound packets from drive-by scans;

If due to using DHCP the routers know that there's only one client, a full 1:1 NAT forwarding would be correct as well. Not to mention many other heuristics... assuming that it will drop unrelated inbound traffic is wrong.

> but will not challenge inbound traffic once you've established an outbound
> routing-table entry - which can happen in many ways, good and not-so-good.

Doesn't look like that applies here.

> IIWU, I'd upgrade the Linky with one of the open-source, Linux OS's
> that includes a proper, stateful firewall (and in some cases attack
> behaviour detection).

If it's a v5 (based on VxWorks instead of Linux), this could be a comprehensive task. So far only DD-WRT is working, and still not as stable as the previous versions.

And well, attack behaviour detection is bullshit. Want to flood yourself with useless log data - or do you want to apply automatic blocking, therefore creating a simple-to-exploit DoS condition?

Sebastian Gottschalk |
|
|
|
#6 |
|
Posts: n/a
|
Sebastian Gottschalk wrote:
> Roger Parks wrote:
>
> > Your Linky is working as designed. Out of the box, most linksys routers
> > are NOT stateful firewalls. They will faithfully NAT your LAN, and drop
> > unsolicited inbound packets from drive-by scans;
>
> If due to using DHCP the routers know that there's only one client, a
> full 1:1 NAT forwarding would be correct as well. Not to mention many
> other heuristics... assuming that it will drop unrelated inbound traffic
> is wrong.

Right you are. I was presuming it was configured to send unknown inbound to a "DMZ". Don't really know how the latest ones are set up (mine is a couple of years old).

> > IIWU, I'd upgrade the Linky with one of the open-source, Linux OS's
> > that includes a proper, stateful firewall (and in some cases attack
> > behaviour detection).
>
> If it's a v5 (based on VxWorks instead of Linux), this could be a
> comprehensive task. So far only DD-WRT is working, and still not as
> stable as the previous versions.

An interesting task ...and a better firewall than the traditional Linky factory setup. Alternatively get an older <v5, or the SL (?) version.

>
> And well, attack behaviour detection is bullshit. Want to flood yourself
> with useless log data - or do you want to apply automatic blocking,
> therefore creating a simple-to-exploit DoS condition?

Bullshit? Perhaps if you sit there and watch raw logs all the time. But who does that??

Once you're convinced that your box is secure, you turn off that logging - turning it back on when you're testing your box, or surfing on the "wild side" trying to see what they're doing.

For day to day use, I've turned off the wan firewall syslog popups, and monitor onboard Snort (with information and nuisance messages deactivated). An alternative syslog configuration reactivates the "bullshit" messages when I need them.

But this is a different conversation than the one asked for....... he wanted to know why a sym got past his "stock" Linky, and suggestions for it.

Roger Parks |
|
|
|
#7 |
|
Posts: n/a
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

"Gomek" <> wrote:

> Hi. I reformatted my hard drive and reinstalled everything. I have a
> Linksys router and Zone Alarm installed. I noticed, after I had set
> everything up, there have been some alerts from ZA saying a packet
> from an IP address has been blocked by ZA. I never received these
> before, and it makes me think something might not be set up right in
> my router? Any suggestions would be appreciated.

Need more input.

I take it from the Subject line we're talking UDP packets?

What source/destination port?

What IP? Inside your ISP's "home network" or not?

What make and model of router?

Did you change anything at all in your router's configuration?

Did you install the exact same version of ZA? Is it configured *exactly* the same as your old copy?

For that matter, did you install the exact same version of Windows, and patch/update it to the exact degree it was before?

My knee jerk, gut reaction without knowing anything at all except you're seeing a warning about UDP traffic you didn't see before, is that the "fault" lies with ZA. Something you tweaked before and haven't tweaked since the reinstall, or possibly some minor version issue.

The good news is if it really is unwanted traffic ZA is apparently doing its job so there's no reason to panic.

traffic it is, then deal with it accordingly. Allow it if you want, discard it if you see fit, and enable/disable whatever levels of warnings you're comfortable with.

-----BEGIN PGP SIGNATURE-----

iD8DBQFEcOmPno5iexlRIBERA8mwAJwIcRqE012rug9N2xTwTj 25X4VaHACdH4Lj
LEJy2Eo5MjKc8+quYyK3Ylg=
=ieuN
-----END PGP SIGNATURE-----

Sheik Yurbhuti |
|
|
|
#8 |
|
Posts: n/a
|
Hi. Thanks to everyone who contributed. I noticed the last few days I haven't had any more UDP packets blocked from Zone Alarm. Most of the alerts I get (I don't have them pop up by the way) are ICMP and they are internal xxx.xxx.xxx.001 to xxx.xxx.xxx.010 or whatever. I am computer savvy, but please excuse my slight ignorance when it comes to these issues.

Thanks again!

"Sheik Yurbhuti" <> wrote in message news:. theremailer.net...
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: RIPEMD160
>
> "Gomek" <> wrote:
>
>> Hi. I reformatted my hard drive and reinstalled everything. I have a
>> Linksys router and Zone Alarm installed. I noticed, after I had set
>> everything up, there have been some alerts from ZA saying a packet
>> from an IP address has been blocked by ZA. I never received these
>> before, and it makes me think something might not be set up right in
>> my router? Any suggestions would be appreciated.
>
> Need more input.
>
> I take it from the Subject line we're talking UDP packets?
>
> What source/destination port?
>
> What IP? Inside your ISP's "home network" or not?
>
> What make and model of router?
>
> Did you change anything at all in your router's configuration?
>
> Did you install the exact same version of ZA? Is it configured
> *exactly* the same as your old copy?
>
> For that matter, did you install the exact same version of Windows, and
> patch/update it to the exact degree it was before?
>
> My knee jerk, gut reaction without knowing anything at all except you're
> seeing a warning about UDP traffic you didn't see before, is that the
> "fault" lies with ZA. Something you tweaked before and haven't tweaked
> since the reinstall, or possibly some minor version issue.
>
> The good news is if it really is unwanted traffic ZA is apparently doing
> its job so there's no reason to panic.
> traffic it is, then deal with it accordingly. Allow it if you want,
> discard it if you see fit, and enable/disable whatever levels of
> warnings you're comfortable with.
> -----BEGIN PGP SIGNATURE-----
>
> iD8DBQFEcOmPno5iexlRIBERA8mwAJwIcRqE012rug9N2xTwTj 25X4VaHACdH4Lj
> LEJy2Eo5MjKc8+quYyK3Ylg=
> =ieuN
> -----END PGP SIGNATURE-----
>

Gomek |