firewall dialog - limited understanding

Discussion in 'NZ Computing' started by Simon Pleasants, Jun 6, 2004.

  1. I get firewall warning messages about UDP datagrams, ICMP packets, etc.

    I don't understand what they mean, so I habitually deny them access and
    create rules to prevent further access.

    But I'm aware that this practice may not always be a good idea.

    I can't be bothered learning all the poota-geek language -- I just want to
    be told whether the things I get warnings about are good things or bad
    things.

    Where can I go to find out?

    Nowhere that requires me to take a degree in poota science first.
     
    Simon Pleasants, Jun 6, 2004
    #1

  2. Simon Pleasants

    Nihil Guest

    On Sun, 6 Jun 2004 16:28:18 +1200, Simon Pleasants wrote:

    > I get firewall warning messages about UDP datagrams, ICMP packets, etc.
    >
    > I don't understand what they mean,


    The best way to learn is to do your own reading and research.

    To get you started here is a very brief introduction to the TCP/IP system.

    Networking protocols are normally developed in layers, each layer
    responsible for a different facet of communications. TCP/IP is normally
    considered to be a 4-layer system (the ISO OSI is a 7-layer system).

    4 Application FTP, Telnet, SMTP, etc...
    |
    3 Transport TCP, UDP
    |
    2 Network IP, (ICMP, IGMP)
    |
    1 Link Network hardware and device driver

    1) Link Layer: (data link, network interface) This is where the device
    driver of the NIC resides. All the hardware details are handled here.

    2) Network Layer: (internet layer) Handles the movement and routing of
    packets around the network. IP is considered 'unreliable'.

    3) Transport Layer: Provides the flow of data between the two parties, for
    the application layer above. TCP is considered 'reliable', while UDP is
    not. TCP is connection-oriented, maintaining state information, etc.
    UDP is connectionless.

    4) Application Layer: Handles all the details of the particular
    application.

    Happy researching.


    --
    ....check out the nametag.. you're in MY world now grandma...
     
    Nihil, Jun 6, 2004
    #2

  3. In article <J3xwc.1070$>,
    says...
    > I get firewall warning messages about UDP datagrams, ICMP packets, etc.
    >
    > I don't understand what they mean, so I habitually deny them access and
    > create rules to prevent further access.
    >
    > But I'm aware that this practice may not always be a good idea.


    If it doesn't stop you from using the net then it is OK basically.

    I have all the warnings in ZA set to silent; I don't need to know what
    idiot is trying to hack into my PC if they don't get in.
     
    Patrick Dunford, Jun 6, 2004
    #3
  4. Hi there,

    Simon Pleasants wrote:
    > I get firewall warning messages about UDP datagrams, ICMP packets, etc.
    >
    > I don't understand what they mean, so I habitually deny them access and
    > create rules to prevent further access.
    >
    > But I'm aware that this practice may not always be a good idea.


    Don't believe that. If you stealth *everything*, then nothing can get
    thru uninitiated. Surely the best defence in my opinion...

    > I can't be bothered learning all the poota-geek language -- I just want to
    > be told whether the things I get warnings about are good things or bad
    > things.


    You should be stealthing everything that comes in, unless your firewall
    knows that it came in from an IP address that you had sent something to
    first...

    --
    Kind regards,

    Chris Wilkinson, Christchurch, New Zealand.
    Canterbury Horse Taxis. http://www.horsetaxis.co.nz/
    Remove spamblocker to send replies direct to my email...
     
    Chris Wilkinson, Jun 7, 2004
    #4
  5. Simon Pleasants

    Dave Taylor Guest

    "Simon Pleasants" <> wrote in news:J3xwc.1070
    $:

    > Where can I go to find out?
    >
    > Nowhere that requires me to take a degree in poota science first.
    >
    >
    >


    Try this place and run the shields up scan against your IP.
    http://www.grc.com/

    Ciao, Dave
     
    Dave Taylor, Jun 8, 2004
    #5
  6. Simon Pleasants

    Route Guest

    On Mon, 07 Jun 2004 21:30:54 +0100, Chris Wilkinson wrote:

    > Hi there,
    >
    > Simon Pleasants wrote:
    >> I get firewall warning messages about UDP datagrams, ICMP packets, etc.
    >>
    >> I don't understand what they mean, so I habitually deny them access and
    >> create rules to prevent further access.
    >>
    >> But I'm aware that this practice may not always be a good idea.

    >
    > Don't believe that. If you stealth *everything*, then nothing can get
    > thru uninitiated. Surely the best defence in my opinion...


    The often used term "Stealth" is a load of rubbish. All that happens is that
    the firewall throws away incoming packets and does not respond at all, but
    usually you don't want that. Contrary to some of the hype, it is usually
    better to return an error than nothing at all, because the error will at
    least cause port scanners to move on to the next port, so the attack will
    be over more quickly. If a firewall returns nothing then the scanner
    assumes that a packet was lost and tries again, prolonging the attack. In
    both cases the amount of information an attacker gets at the end is the
    same, but with errors at least there is less of a load on the connection.

    BTW don't put your faith in these web based free security checkers either.
    One of them claimed that my firewall was using "the latest stealthing
    techniques" and is extremely secure. But I had no "stealthing techniques".
    The reason that this online security tester did not see error responses
    from my computer was due to a simple programming error in their script.
    Apparently whoever wrote the script was not very experienced in socket
    programming, and did not know that for all BSD derived stacks a UDP socket
    has to be connect()ed in order to receive socket errors. Personally I would
    not trust a company to write a firewall for me if they don't even know
    these basic things.

    -- Route
     
    Route, Jun 9, 2004
    #6
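To see the socket behaviour Route describes, here is an added example (not code from the thread or from any scanner) that probes a UDP port on the local machine with nothing listening, once with an unconnected socket and once with a connect()ed one. On Linux and BSD-derived stacks only the connected socket surfaces the ICMP port-unreachable as ECONNREFUSED; the unconnected one simply times out, which is exactly what a naive checker would misreport as "stealth".

```python
import socket

# Constructed demonstration: find a loopback UDP port with no listener by
# binding to port 0, recording the port the kernel chose, and releasing it.
def closed_udp_port():
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port

def probe(port, connected, timeout=1.0):
    """Send one datagram to 127.0.0.1:port and wait for a reply.

    Returns 'refused' if the stack reported the ICMP port-unreachable as
    ECONNREFUSED, 'timeout' if nothing was reported, 'reply' if data came back.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        if connected:
            # connect() binds the socket to one peer; the kernel then maps
            # ICMP errors for that peer onto this socket.
            s.connect(("127.0.0.1", port))
            s.send(b"probe")
            s.recv(64)
        else:
            # Unconnected: the same ICMP error arrives at the host, but the
            # socket is not told about it (without IP_RECVERR on Linux).
            s.sendto(b"probe", ("127.0.0.1", port))
            s.recvfrom(64)
        return "reply"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    finally:
        s.close()

if __name__ == "__main__":
    port = closed_udp_port()
    print("unconnected socket:", probe(port, connected=False))
    print("connected socket:  ", probe(port, connected=True))
```

The host answered both probes with the same ICMP error; the only thing that changed is whether the probing program was written to hear it.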
  7. Simon Pleasants

    Route Guest

    On Fri, 11 Jun 2004 19:51:33 +0100, Chris Wilkinson wrote:

    >>>Don't believe that. If you stealth *everything*, then nothing can get
    >>>thru uninitiated. Surely the best defence in my opinion...

    >>
    >>
    >> The often used term "Stealth" is a load of rubbish. All that happens is that
    >> the firewall throws away incoming packets and does not respond at all, but
    >> usually you don't want that. Contrary to some of the hype, it is usually
    >> better to return an error than nothing at all

    >
    > Returning an error returns an IP address does it not?


    Yes.

    > Based on that I'd rather use so-called 'stealthing'...


    I'm afraid there really is no advantage in doing that and the practice may
    cause technical problems with normal tcp/ip services.

    >> BTW don't put your faith in these web based free security checkers either.
    >> One of them claimed that my firewall was using "the latest stealthing
    >> techniques" and is extremely secure.

    >
    > I don't put my faith in them. I put my faith in Linux,


    A very naive statement. I don't put my faith in any operating system.

    --
    ....check out the nametag.. you're in MY world now grandma...
     
    Route, Jun 11, 2004
    #7
  8. Hi there,

    Route wrote:
    > On Mon, 07 Jun 2004 21:30:54 +0100, Chris Wilkinson wrote:
    >
    >
    >>Hi there,
    >>
    >>Simon Pleasants wrote:
    >>
    >>>I get firewall warning messages about UDP datagrams, ICMP packets, etc.
    >>>
    >>>I don't understand what they mean, so I habitually deny them access and
    >>>create rules to prevent further access.
    >>>
    >>>But I'm aware that this practice may not always be a good idea.

    >>
    >>Don't believe that. If you stealth *everything*, then nothing can get
    >>thru uninitiated. Surely the best defence in my opinion...

    >
    >
    > The often used term "Stealth" is a load of rubbish. All that happens is that
    > the firewall throws away incoming packets and does not respond at all, but
    > usually you don't want that. Contrary to some of the hype, it is usually
    > better to return an error than nothing at all


    Returning an error returns an IP address, does it not? Based on that I'd
    rather use so-called 'stealthing'...

    > BTW don't put your faith in these web based free security checkers either.
    > One of them claimed that my firewall was using "the latest stealthing
    > techniques" and is extremely secure.


    I don't put my faith in them. I put my faith in Linux, which has not
    seen an infection in 18 months I've been online with it...

    I have seen plenty of port hits from Win based virii however...all of
    which have been ignored, and usually cease after a second or two...

    --
    Kind regards,

    Chris Wilkinson, Christchurch, New Zealand.
    Canterbury Horse Taxis. http://www.horsetaxis.co.nz/
    Remove spamblocker to send replies direct to my email...
     
    Chris Wilkinson, Jun 11, 2004
    #8
  9. Simon Pleasants

    Randor Guest

    On Fri, 11 Jun 2004 19:51:33 +0100, Chris Wilkinson
    <> wrote:

    >
    >I don't put my faith in them. I put my faith in Linux, which has not
    >seen an infection in 18 months I've been online with it...


    But it has been regularly updated, has it not?
     
    Randor, Jun 13, 2004
    #9
  10. Hi there,

    Route wrote:
    > On Fri, 11 Jun 2004 19:51:33 +0100, Chris Wilkinson wrote:
    >
    >
    >>>>Don't believe that. If you stealth *everything*, then nothing can get
    >>>>thru uninitiated. Surely the best defence in my opinion...
    >>>
    >>>
    >>>The often used term "Stealth" is a load of rubbish. All that happens is that
    >>>the firewall throws away incoming packets and does not respond at all, but
    >>>usually you don't want that. Contrary to some of the hype, it is usually
    >>>better to return an error than nothing at all

    >>
    >>Returning an error returns an IP address does it not?

    >
    > Yes.
    >
    >>Based on that I'd rather use so-called 'stealthing'...

    >
    > I'm afraid there really is no advantage in doing that and the practice may
    > cause technical problems with normal tcp/ip services.


    The advantage I see is that your machine categorically refuses to send
    anything back to the originator...random IP pings that don't hit a
    target will cause just as many TCP/IP service issues, so why is it
    considered different to be ignoring any port hits?

    >>>BTW don't put your faith in these web based free security checkers either.
    >>>One of them claimed that my firewall was using "the latest stealthing
    >>>techniques" and is extremely secure.

    >>
    >>I don't put my faith in them. I put my faith in Linux,

    >
    > A very naive statement. I don't put my faith in any operating system.


    Let's both remove our firewalls...who will still be running at 100%
    by the end of the night? Not you...if you cannot accept that by far
    the bulk of port hits and scans from virii etc are designated for
    Windows based systems, then you have comprehension issues...there
    are Linux nasties out there, but as a % of the total nasties? Next
    to zilch...get over it...

    --
    Kind regards,

    Chris Wilkinson, Christchurch, New Zealand.
    Canterbury Horse Taxis. http://www.horsetaxis.co.nz/
    Remove spamblocker to send replies direct to my email...
     
    Chris Wilkinson, Jun 17, 2004
    #10
  11. Hi there,

    Randor wrote:
    > On Fri, 11 Jun 2004 19:51:33 +0100, Chris Wilkinson
    > <> wrote:
    >
    >>I don't put my faith in them. I put my faith in Linux, which has not
    >>seen an infection in 18 months I've been online with it...

    >
    > But it has been regularly updated, has it not?


    Only with an upgrade to a new distro. I've run virus/rootkit
    scans periodically. I'm using Mandrake 10.0 Official, so that
    will mean my iptables is recent, and I use guarddog GUI to ease
    the configuring (something guarddog does excellently!). My
    rule of thumb is that I let NOTHING into the machine that has
    not been initiated from my end...

    --
    Kind regards,

    Chris Wilkinson, Christchurch, New Zealand.
    Canterbury Horse Taxis. http://www.horsetaxis.co.nz/
    Remove spamblocker to send replies direct to my email...
     
    Chris Wilkinson, Jun 17, 2004
    #11
  12. Chris Wilkinson wrote:
    > Let's both remove our firewalls...who will still be running at 100%
    > by the end of the night? Not you...


    I don't see why he wouldn't be; assuming he's all patched up, he'll be fine.

    --
    Dave Hall
    http://www.dave.net.nz
     
    Dave - Dave.net.nz, Jun 17, 2004
    #12
  13. Chris Wilkinson wrote:
    > I cannot see why some of the patches are so freaking large...the very
    > latest XP patch is around 237MB IIRC...all that to keep out a virus
    > or two that fit in the boot sector of a floppy...it's god damn totally
    > laughable! :)


    237MB? Which patch is that? SP1 is only ~130MB and I don't think there
    have been over 100 MB since then.
    I could be wrong, it's not like I sit there with a calculator each time
    I do updates.

    --
    Dave Hall
    http://www.dave.net.nz
     
    Dave - Dave.net.nz, Jun 18, 2004
    #13
  14. Simon Pleasants

    theseus Guest

    Chris Wilkinson wrote:

    > Hi there,
    >
    > Dave - Dave.net.nz wrote:
    >> Chris Wilkinson wrote:
    >>
    >>> I cannot see why some of the patches are so freaking large...the very
    >>> latest XP patch is around 237MB IIRC...all that to keep out a virus
    >>> or two that fit in the boot sector of a floppy...it's god damn totally
    >>> laughable! :)

    >>
    >> 237MB? Which patch is that? SP1 is only ~130MB and I don't think there
    >> have been over 100 MB since then.
    >> I could be wrong, it's not like I sit there with a calculator each time
    >> I do updates.

    >
    > My bad, but even if it's only, say, 80MB that's still 4-5 hours an
    > unpatched XP system without firewall would be required to survive
    > without being infected...pretty tough odds...
    >


    I guess a solution would be to enable the built-in firewall included in the
    first release.
     
    theseus, Jun 18, 2004
    #14
  15. Hi there,

    Dave - Dave.net.nz wrote:
    > Chris Wilkinson wrote:
    >
    >> Let's both remove our firewalls...who will still be running at 100%
    >> by the end of the night? Not you...

    >
    >
    > I don't see why he wouldn't be, assuming he's all patched up, he'll be
    > fine.


    I cannot see why some of the patches are so freaking large...the very
    latest XP patch is around 237MB IIRC...all that to keep out a virus
    or two that fit in the boot sector of a floppy...it's god damn totally
    laughable! :)

    --
    Kind regards,

    Chris Wilkinson, Christchurch, New Zealand.
    Canterbury Horse Taxis. http://www.horsetaxis.co.nz/
    Remove spamblocker to send replies direct to my email...
     
    Chris Wilkinson, Jun 18, 2004
    #15
  16. Hi there,

    Dave - Dave.net.nz wrote:
    > Chris Wilkinson wrote:
    >
    >> I cannot see why some of the patches are so freaking large...the very
    >> latest XP patch is around 237MB IIRC...all that to keep out a virus
    >> or two that fit in the boot sector of a floppy...it's god damn totally
    >> laughable! :)

    >
    > 237MB? Which patch is that? SP1 is only ~130MB and I don't think there
    > have been over 100 MB since then.
    > I could be wrong, it's not like I sit there with a calculator each time
    > I do updates.


    My bad, but even if it's only, say, 80MB that's still 4-5 hours an
    unpatched XP system without firewall would be required to survive
    without being infected...pretty tough odds...

    --
    Kind regards,

    Chris Wilkinson, Christchurch, New Zealand.
    Canterbury Horse Taxis. http://www.horsetaxis.co.nz/
    Remove spamblocker to send replies direct to my email...
     
    Chris Wilkinson, Jun 18, 2004
    #16
  17. theseus wrote
    > >> 237MB? Which patch is that? SP1 is only ~130MB and I don't think there
    > >> have been over 100 MB since then.
    > >> I could be wrong, it's not like I sit there with a calculator each time
    > >> I do updates.


    > > My bad, but even if it's only, say, 80MB that's still 4-5 hours an
    > > unpatched XP system without firewall would be required to survive
    > > without being infected...pretty tough odds...


    > I guess a solution would be to enable the built-in firewall included in
    > the first release.


    OMG, is this a well thought out post on usenet... tut tut, you'll be banned
    :)
     
    Dave - Dave.net.nz, Jun 19, 2004
    #17
  18. Chris Wilkinson wrote
    > My bad, but even if it's only, say, 80MB that's still 4-5 hours an
    > unpatched XP system without firewall would be required to survive
    > without being infected...pretty tough odds...


    When mah and pah run the internet wizard, it'll ask them if they want the
    firewall enabled; their choice. It even has a short explanation of what it
    is; if they choose not to use it, that's their problem.
     
    Dave - Dave.net.nz, Jun 19, 2004
    #18
  19. Simon Pleasants

    theseus Guest

    Dave - Dave.net.nz wrote:

    > theseus wrote
    >> >> 237MB? Which patch is that? SP1 is only ~130MB and I don't think there
    >> >> have been over 100 MB since then.
    >> >> I could be wrong, it's not like I sit there with a calculator each
    >> >> time I do updates.

    >
    >> > My bad, but even if it's only, say, 80MB that's still 4-5 hours an
    >> > unpatched XP system without firewall would be required to survive
    >> > without being infected...pretty tough odds...

    >
    >> I guess a solution would be to enable the built-in firewall included in
    >> the first release.

    >
    > OMG, is this a well thought out post on usenet... tut tut, you'll be
    > banned
    > :)


    And from Knode too, I'll be banished from the colony, no more Bluebird chip
    dances for me
    J J J Jive talkin'.....
     
    theseus, Jun 19, 2004
    #19
  20. Simon Pleasants

    thing Guest

    Simon Pleasants wrote:
    > I get firewall warning messages about UDP datagrams, ICMP packets, etc.
    >
    > I don't understand what they mean, so I habitually deny them access and
    > create rules to prevent further access.
    >
    > But I'm aware that this practice may not always be a good idea.
    >
    > I can't be bothered learning all the poota-geek language -- I just want to
    > be told whether the things I get warnings about are good things or bad
    > things.
    >
    > Where can I go to find out?
    >
    > Nowhere that requires me to take a degree in poota science first.
    >
    >


    As a pretty good rule of thumb, ALL incoming UDP and TCP should be
    blocked; all you want coming in is the return from your outward request
    to a web server, ftp server or whatever. So you should be running a
    stateful firewall, i.e. one that remembers you sent a request out and the
    reply coming back should be allowed through.

    ICMP is the messaging protocol for IP, so what is happening here is an
    underlying transport a user does not need to worry about. In strict
    terms some ICMP types can be blocked, but it's considered bad form to
    block them all. However that is somewhat old hat; many nasty types can
    and do use ICMP against you and your systems, so blocking all of that is
    not outrageous IMHO.

    regards

    Thing
     
    thing, Jun 19, 2004
    #20
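The rule of thumb Thing gives above (and Chris's "let NOTHING in that I did not initiate" earlier in the thread) is what a stateful firewall does with its connection table. Here is an added toy filter, constructed for this post and not code from the thread or any firewall product, that tracks outbound TCP/UDP requests, admits only their replies, lets through a small set of ICMP types, and labels everything else as the kind of unsolicited packet the original poster's firewall warns about. The host address, the sample traffic and the permitted ICMP set are assumptions for illustration.

```python
from dataclasses import dataclass

OUR_IP = "192.0.2.10"  # assumed address of the protected host

# ICMP types that ordinary IP operation relies on: echo reply (0),
# destination unreachable (3), time exceeded (11). Assumed set for this example.
ICMP_ALLOWED = frozenset({0, 3, 11})

@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int   # for icmp: the ICMP type
    dport: int   # for icmp: unused (0)

class StatefulFilter:
    def __init__(self, our_ip=OUR_IP, icmp_allowed=ICMP_ALLOWED):
        self.our_ip = our_ip
        self.icmp_allowed = icmp_allowed
        # (proto, local port, remote ip, remote port) of requests we sent.
        # A real connection tracker also times these entries out; omitted here.
        self.flows = set()

    def decide(self, pkt):
        """Return (verdict, reason) for one packet crossing the host boundary."""
        if pkt.src == self.our_ip:                        # outbound: remember it
            if pkt.proto in ("tcp", "udp"):
                self.flows.add((pkt.proto, pkt.sport, pkt.dst, pkt.dport))
            return ("ACCEPT", "outbound")
        if pkt.proto == "icmp":                           # inbound ICMP by type
            if pkt.sport in self.icmp_allowed:
                return ("ACCEPT", f"icmp type {pkt.sport} permitted")
            return ("DROP", f"icmp type {pkt.sport} blocked")
        key = (pkt.proto, pkt.dport, pkt.src, pkt.sport)  # inbound TCP/UDP
        if key in self.flows:
            return ("ACCEPT", "reply to our own request")
        return ("DROP", f"unsolicited {pkt.proto} to port {pkt.dport}")

def run(filter_, packets):
    """Apply the filter to packets in order; returns the list of (verdict, reason)."""
    return [filter_.decide(p) for p in packets]

if __name__ == "__main__":
    # Constructed traffic: a DNS lookup and its answer, an unsolicited UDP
    # probe, an echo request from an unknown host, and an ICMP unreachable.
    traffic = [
        Packet("udp", OUR_IP, "192.0.2.53", 53000, 53),
        Packet("udp", "192.0.2.53", OUR_IP, 53, 53000),
        Packet("udp", "198.51.100.7", OUR_IP, 1434, 1434),
        Packet("icmp", "198.51.100.7", OUR_IP, 8, 0),
        Packet("icmp", "192.0.2.1", OUR_IP, 3, 0),
    ]
    for pkt, (verdict, why) in zip(traffic, run(StatefulFilter(), traffic)):
        print(f"{verdict:6} {pkt.proto:4} {pkt.src}:{pkt.sport} -> "
              f"{pkt.dst}:{pkt.dport}  ({why})")
```

The two DROP lines in the sample output are the events a desktop firewall turns into pop-ups: they were never going to be let in anyway, which is why Patrick and Thing treat the warnings as noise.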
