Re: Personal Firewall 2003

Discussion in 'Computer Security' started by Vassilis, Jul 23, 2003.

  1. Vassilis

    Vassilis Guest

    I do not understand the notion of the restricted zone.
    If I do not place an IP in my Trusted Zone, will it not
    automatically be in the Restricted Zone?


    "JP" <> wrote in message
    news:bfjpfs$can$-telecom.nl...
    > "Vassilis" <> wrote in message
    > news:bfjhas$d1s$...
    > > my computer (Win 2000 Prof) is inside a university's lab.
    > > I use IPs in Trusted Zone for example:
    > >
    > > xxx.xxx.x.56
    > > xxx.xxx.x.44
    > > xxx.xxx.x.64
    > >
    > > and I share my drive D:
    > >
    > > But a friend of mine inside the lab that has IP xxx.xxx.x.60,
    > > is able also to see my drive D:

    >
    >
    > So what does your Trusted Zone say?
    >
    > It looks like it may all be in the same subnet in which case anyone in the
    > xxx.xxx.x network may be able to access you D drive. Have you set

    passwords
    > on the share?
    >
    > JP
    >
    > --
    > There are 10 types of people in this world
    > Those that understand binary and those that don't
    >
    >
    >
     
    Vassilis, Jul 23, 2003
    #1

  2. Vassilis,

    "Vassilis" <> wrote in message
    news:bflmdg$2jol$...
    > i do not understand the notion of restricted zone.
    > If I do not place an IP on my Trusted Zone it will not
    > automatically be in Restricted zone?


    I think you're confusing the concept of trusted and restricted zone in a
    software firewall with trusted and restricted zone in a browser like
    Internet Explorer. The two are not even particularly similar. In NPF 2003,
    any remote IP address listed in the Trusted Zone is allowed to _completely_
    bypass the software firewall on your machine. Any remote IP address listed
    in the Restricted Zone is _completely_ BLOCKED from accessing your PC. In
    essence, neither Trusted Zone IPs nor Restricted Zone IPs ever actually get
    to the firewall -- the former bypasses the firewall, the latter are blocked
    before the firewall even attempts to analyze the packets.

    Only IP addresses that are found in neither the Trusted Zone nor the
    Restricted Zone are actually compared with the ruleset to determine whether
    they should be Permitted or Blocked. In essence, the Zones simply reduce
    the amount of processing that the firewall ruleset needs to do.

    > > > I use IPs in Trusted Zone for example:
    > > >
    > > > xxx.xxx.x.56
    > > > xxx.xxx.x.44
    > > > xxx.xxx.x.64
    > > >
    > > > and I share my drive D:


    I assume you're putting these IPs in the Trusted Zone by specifically listing
    each one of them? Not by using a Subnet mask?

    If you want to COMPLETELY exclude other workstations on the lab subnet from
    being able to access your workstation, you would need to put the following
    four RANGES into your restricted zone:
    xxx.xxx.x.0 to xxx.xxx.x.43
    xxx.xxx.x.45 to xxx.xxx.x.55
    xxx.xxx.x.57 to xxx.xxx.x.63, and
    xxx.xxx.x.65 to xxx.xxx.x.255

    You obviously have file (and printer?) sharing enabled on your NIC -- and no
    rule whatsoever to block it in your NPF ruleset. If you use the Trusted and
    Restricted Zones as characterized above, you can now put a rule (in your
    General Settings in NPF 2003) to BLOCK file sharing.

    Alternatively, you could completely eliminate the dependence on Trusted and
    Restricted Zone by putting a rule like that illustrated by Crazy M at
    http://www.gpick.com/agnisrules/pages/system/system_pg3.html :

    Rule xx Permit Local NetBIOS Networking
    Category: NIS System Keeping
    Rule in use: Yes
    Logging: Log Entry
    Protocol: TCP or UDP
    Action: Permit
    Direction: Inbound
    Application: Any Application
    Local Service:
        Port: 135
        Port: 137
        Port: 138
        Port: 139
    Local Address: Any Address
    Remote Service: Any Service
    Remote Address: (IPGroup xx)
        IP: xxx.xxx.x.44
        IP: xxx.xxx.x.56
        IP: xxx.xxx.x.64

    BEFORE the Global Block Rule in the General Rules.

    There's an advantage in doing this in that it now allows you to LOG
    communications that you receive from the authorized members of your
    workgroup -- you can't log at all if you rely on the Trusted and Restricted
    Zones.

    Hope this is of some help, rather than making things even more confusing.

    --
    Regards,
    Joseph V. Morris
     
    Joseph V. Morris, Jul 23, 2003
    #2
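The four Restricted Zone ranges Joseph lists above are simply the complement of the three trusted hosts within the lab's /24. The following is an added example, not code from this thread or from Norton, that computes those ranges for any list of trusted hosts and brute-force checks the result; it also handles the single-host case Vassilis asks about later (157.122.8.56). The documentation prefix 192.0.2.0/24 stands in for the masked xxx.xxx.x addresses in the posts.

```python
"""Restricted Zone ranges: everything in the subnet except the trusted hosts.

Added example; not from the thread and not Norton Personal Firewall code.
192.0.2.0/24 stands in for the masked xxx.xxx.x.* lab subnet in the posts.
"""
from __future__ import annotations

import ipaddress
from typing import Iterable


def complement_ranges(subnet: str, trusted: Iterable[str]) -> list[tuple[str, str]]:
    """Return the (first, last) address ranges inside `subnet` that contain
    no trusted host. Adjacent trusted hosts produce no empty range, and a
    trusted host at the first or last address produces no leading/trailing
    range."""
    net = ipaddress.ip_network(subnet, strict=False)
    lo, hi = int(net.network_address), int(net.broadcast_address)
    hosts = sorted({int(ipaddress.ip_address(h)) for h in trusted})
    for h in hosts:
        if not lo <= h <= hi:
            raise ValueError(f"{ipaddress.ip_address(h)} is outside {net}")

    ranges: list[tuple[int, int]] = []
    cursor = lo                       # first address not yet assigned
    for h in hosts:
        if h > cursor:                # gap between cursor and this trusted host
            ranges.append((cursor, h - 1))
        cursor = h + 1                # skip the trusted host itself
    if cursor <= hi:                  # tail after the last trusted host
        ranges.append((cursor, hi))
    return [(str(ipaddress.ip_address(a)), str(ipaddress.ip_address(b)))
            for a, b in ranges]


def check_ranges(subnet: str, trusted: Iterable[str],
                 ranges: list[tuple[str, str]]) -> bool:
    """Brute-force check over the whole subnet: every non-trusted address is
    covered by exactly one range and no trusted address is covered at all."""
    trusted_set = {ipaddress.ip_address(h) for h in trusted}
    spans = [(ipaddress.ip_address(a), ipaddress.ip_address(b)) for a, b in ranges]
    for addr in ipaddress.ip_network(subnet, strict=False):
        hits = sum(1 for a, b in spans if a <= addr <= b)
        wanted = 0 if addr in trusted_set else 1
        if hits != wanted:
            return False
    return True


if __name__ == "__main__":
    lab = ["192.0.2.56", "192.0.2.44", "192.0.2.64"]   # the three trusted peers
    for first, last in complement_ranges("192.0.2.0/24", lab):
        print(f"{first} to {last}")
```

The check function is the part worth keeping: when a zone list is edited by hand (the thread notes it has to change every time a peer is added), re-running it catches a range that accidentally swallows a trusted host or leaves a gap.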

  3. Vassilis

    Vassilis Guest

    thank you very much for your answer.
    So, if I want to make sure that I will not
    be a victim of a hacker who attempts
    to attack my machine, what should I add
    to my restricted zone?

    For example, I want only a friend of mine
    to have access, with an address, for example:

    157.122.8.56

    Should I put in the restricted zone:

    157.122.8.0-157.122.8.55

    157.122.8.57-157.122.8.255


    But what if somebody with IP:

    859.205.2.50 tries to attack?

    --


    ----------------------------------------------------
    Vassilis Antipas (PhD student)
    Room 2.1.28
    In Silico Oncology Group
    Department of Electrical and Computer Engineering
    National Technical University of Athens
    Zografou Campus
    157 80 Zografou, Athens
    Tel: +30-210-7722288, Fax: +30-210-7723557
    Mobile: +30-6945-337750
    Website: http://www.in-silico-oncology.iccs.ntua.gr ,
    http://www.in-silico-oncology.iccs.ntua.gr/Vassilis_Antipas.htm
    e-mail:
    "Joseph V. Morris" <> wrote in message
    news:bfm0vq$mk3$...
    > Vassilis,
    >
    > "Vassilis" <> wrote in message
    > news:bflmdg$2jol$...
    > > i do not understand the notion of restricted zone.
    > > If I do not place an IP on my Trusted Zone it will not
    > > automatically be in Restricted zone?

    >
    > I think you're confusing the concept of trusted and restricted zone in a
    > software firewall with trusted and restricted zone in a browser like
    > Internet Explorer. The two are not even particularly similar. In NPF

    2003,
    > any remote IP address listed in the Trusted Zone is allowed to

    _completely_
    > bypass the software firewall on your machine. Any remote IP address

    listed
    > in the Restricted Zone is _completely_ BLOCKED from accessing your PC. In
    > essence, neither Trusted Zone IPs nor Restricted Zone IPs ever actually

    get
    > to the firewall -- the former bypassses the firewall, the latter are

    blocked
    > before the firewall even attempts to analyze the packets.
    >
    > Only IP addresses that are found neither in the Trusted Zone or the
    > Restricted Zone are actually compared with the ruleset to determine

    whether
    > they should be Permitted or Blocked. In essence, the Zones simply reduce
    > the amount of processing that the firewall ruleset needs to do.
    >
    > > > > I use IPs in Trusted Zone for example:
    > > > >
    > > > > xxx.xxx.x.56
    > > > > xxx.xxx.x.44
    > > > > xxx.xxx.x.64
    > > > >
    > > > > and I share my drive D:

    >
    > I assume you're putting this IPs in the Trusted Zone by specifically

    listing
    > each one of them? Not by using a Subnet mask?
    >
    > If you want to COMPLETELY exclude other workstations on the lab subnet

    from
    > being able to access your workstation, you would need to put the following
    > four RANGES into your restricted zone:
    > xxx.xxx.x.0 to xxx.xxx.x.43
    > xxx.xxx.x.45 to xxx.xxx.x.55
    > xxx.xxx.x.57 to xxx.xxx.x.63, and
    > xxx.xxx.x.65 to xxx.xxx.x.255
    >
    > You obviously have file (and printer?) sharing enabled on your NIC -- and

    no
    > rule whatsoever to block it in your NPF ruleset. If you use the Trusted

    and
    > Restricted Zones as characterized above, you can now put a rule (in your
    > General Settings in NPF 2003) to BLOCK file sharing.
    >
    > Alternatively, you could completely eliminate the dependence on Trusted

    and
    > Restricted Zone by putting a rule like that illustrated by Crazy M at
    > http://www.gpick.com/agnisrules/pages/system/system_pg3.html :
    >
    > Rule xx Permit Local NetBIOS Networking
    > Category: NIS System Keeping
    > Rule in use: Yes
    > Logging: Log Entry
    > Protocol: TCP or UDP
    > Action: Permit
    > Direction: Inbound
    > Application: Any Application
    > Local Service:
    > ..............Port: 135
    > ..............Port: 137
    > ..............Port: 138
    > ..............Port: 139
    > Local Address: Any Address
    > Remote Service: Any Service
    > Remote Address: (IPGroup xx)
    > ......................IP: xxx.xxx.x.44
    > IP: xxx.xxx.x.56
    > ......................IP: xxx.xxx.x.64
    >
    > BEFORE the Global Block Rule in the General Rules.
    >
    > There's an advantage in doing this in that it now allows you to LOG
    > communications that you receive from the authorized members of your
    > workgroup -- you can't log at all if you rely on the Trusted and

    Restricted
    > Zones.
    >
    > Hope this is of some help, rather than making things even more confusing.
    >
    > --
    > Regards,
    > Joseph V. Morris
    >
    >
    >
     
    Vassilis, Jul 23, 2003
    #3
  4. Vassilis

    Vassilis Guest

    ok. it is clear.
    thank you very much for your answer and your time.


    "Joseph V. Morris" <> wrote in message
    news:bfm5h5$28m$...
    > Vassilis,
    >
    > "Vassilis" <> wrote in message
    > news:bfm23s$g1h$...
    > > thank you very much for your answer.
    > > So, if I want to make sure that I will not
    > > be a victim from hacker that will attemp
    > > to attack my machine, what I should add
    > > in my restricted zone.

    >
    > Let's start with the fundamentals. Do you have Security set to HIGH? Do
    > you have Reporting Level set to MINIMAL (to reduce extraneous clutter in
    > your logs, which is all this does)? Have you DISABLED (i.e., UNCHECKED)
    > Automatic Firewall Rule Creation for known applications? (I'm not sure
    > exactly what this is called in NPF 2003 or precisely where it's located,

    but
    > it's there somewhere.)
    >
    > If you have done the above, then everything not explicitly PERMITted is
    > implicitly BLOCKed. That's the way NIS/NPF and AtGuard have always

    worked.
    >
    > 1) The "problem" is that you seem to have a rule in your ruleset that
    > PERMITs everyone to access your shared drive (D). You need to fix that.
    >
    > I'm not exactly certain what that rule is called in your ruleset, but it's
    > probably in your GENERAL settings and it's a PERMIT INBOUND TCP rule that
    > allows ANY remote IP address. I am assuming the file-sharing is being

    done
    > via NetBIOS, so it would be best to look for rules that apply to LOCAL

    Ports
    > 135-139. Find that rule; change (customize) it to a BLOCK action. Below,

    I
    > shall refer to this as a BLOCK ALL NetBIOS rule.
    >
    > Once this change is accomplished, you only need to add those authorized
    > sites that you DESIRE have access to your drive D to the Trusted Zone.

    You
    > can then completely forget about using the RESTRICTED Zone (at least for
    > this purpose). The RESTRICTED Zone is primarily used for BLOCKING
    > persistent, obnoxious inbound from a group of remote IP addresses that are
    > constantly probing your IP address. Trying to do what you are talking

    about
    > by relying exclusively on the RESTRICTED Zone is going to be very awkward.
    > And you will also have to modify your RESTRICTED Zone listing everytime

    you
    > decide to allow another remote IP to access your D drive.
    >
    > 2) Now, I don't really like using even the TRUSTED Zone, to be honest.

    You
    > see, it gives COMPLETE unrestricted access to your PC from those remote IP
    > addresses that you "trust". (At least as far as the firewall is

    concerned.)
    > What if one of those "trusted" PCs was then used by someone other than the
    > specific individuals you think of as normally using it? At that point,

    this
    > other individual would have the complete run of your PC (again, at least

    as
    > far as the firewall is concerned). And I already mentioned that you

    can't
    > log this activity even if you wanted to if you rely on the TRUSTED Zone --
    > TRUSTED communications completely bypass the firewall and therefore the
    > firewall CANNOT log them.
    >
    > Hence, my recommended solution is to use CrazyM's rule (displayed in the
    > prior post) and position it BEFORE the BLOCK ALL NetBIOS rule. Then you

    can
    > ignore the Trusted/Restricted Zone metaphor entirely (at least for this
    > purpose). This is just the way I would do it. Otherwise you can do it as
    > indicated in 1).
    >
    > With regards to the following:
    >
    > > For example I want only a friend of mine
    > > to have access with a number for example:
    > >
    > > 157.122.8.56
    > >
    > > I should put on restricted zone:??
    > >
    > > 157.122.8.0-157.122.8.55
    > >
    > > 157.122.8.57-157.122.8.255

    >
    > Yes, you COULD do it this way, but as you note below, that simply blocks

    ALL
    > OTHER IP addresses in the 157.122.8.x subnet.
    >
    >
    > > But what if somebody with IP:
    > >
    > > 859.205.2.50 try to attack?

    >
    > Yes, that's the problem with trying to do this by relying exclusively on

    the
    > Trusted and Restricted Zone to do this. Very shortly, your RESTRICTED

    Zone
    > listing is going to get out of control.
    > . . . .
    >
    > --
    > Regards,
    > Joseph V. Morris
    >
    >
    >
     
    Vassilis, Jul 23, 2003
    #4
  5. Vassilis

    Vassilis Guest

    one last question?

    I managed to protect my pc.
    I already tested it.
    A friend of mine with IP (example)

    123.568.10.33

    tried to connect to my pc (IP: 123.568.5.89).
    He was not able to connect and received an alert message.

    Another friend (IP: 123.568.5.91) (from the same SUBNET as me) tried to
    connect and he was able to connect and I received an alert message.
    BUT I have not placed him in my trusted zone. Do you know why he was able to
    connect?




     
    Vassilis, Jul 23, 2003
    #5
  6. Vassilis,

    Inline, below . . .

    "Vassilis" <> wrote in message
    news:bfmc7g$17vh$...
    > one last question?
    >
    > I achieved to protect my pc.


    Yes, but HOW? You don't say. Did you just rely on the Trusted and
    Restricted Zones, or did you shut down the File Sharing in the ruleset, or
    did you completely eliminate reliance on the Restricted and Trusted Zones
    and go to explicit firewall rules in the General Settings?

    Yes, it is important, because in NPF 2003, there are often three or four
    different ways to do something and which one you invoke is critical.

    > I already tested it.
    > I friend of mine with IP (example)
    >
    > 123.568.10.33
    >
    > tried to connect to my pc (IP: 123.568.5.89).
    > He was not able to connect and received an alert message.


    WHO received the 'alert message'? Him or you?
    If it was you, what did the message say?

    This does not seem to reconcile with what you subsequently say. If this
    friend was incorporated into the Trusted Zone (or even BLOCKed in the
    Restricted Zone), there's no way that you should have received any sort of
    Alert Message or firewall event log entry.

    > Another friend (IP: 123.568.5.91) (from the same SUBNET with me) tried to
    > connect and he was able to connect and I received an alert message.


    HOW did he connect? What was the alert message (or firewall event log
    entry) associated with this event? For that matter, did he REALLY connect
    or are you simply reporting that you found an Alert Message or firewall
    event log entry? (Indeed, almost all of my Alerts and firewall event log
    entries represent people who TRIED but FAILED to connect. You'd almost have
    to write a customized rule in NIS/NPF to get a record of someone who TRIED
    to connect and SUCCEEDED.)

    What, specifically, is your specification in the Trusted Zone? Are you
    using a subnet mask, an IP range, or individually specified IP addresses?
    (This may sound like a stupid question, but I recently got involved with a
    knowledgeable individual using a subnet mask who apparently didn't quite
    realize how it worked.)

    > BUT I have not place him in my trusted zone. Do you know why he was able

    to
    > connect?


    Not until you answer the preceding questions. Specifically, if you haven't
    modified the File sharing rule in the ruleset itself, it was trivial.

    --
    Regards,
    Joseph V. Morris
     
    Joseph V. Morris, Jul 23, 2003
    #6
  7. Vassilis

    Vassilis Guest

    Firewall Level: high

    Trusted Zone: only a friend in the same lab

    I used the Windows File Sharing:
    Action: Block
    Connections: from other computers
    Computers: any computer
    Communications: TCP and UDP, type of communication: local netbios-ns 137,
    local netbios-dgm 138, local netbios-ssn 139
    Tracking: all checked

    Everything else: by default.

    also: from the General Rules: the Default Inbound Loopback is by default:
    permit, connections from other computers, communications:
    TCP and UDP,all type of communications.

    My friend from the same lab is able to access my pc and he is not in the
    trusted zone.

     
    Vassilis, Jul 23, 2003
    #7
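To make the mechanics concrete, here is an added example (not code from the thread, and not Norton's own implementation, which is not public) that models the evaluation order Joseph describes in post #2 and in the reply quoted in post #4: a Trusted Zone address bypasses the ruleset with no log entry, a Restricted Zone address is dropped with no log entry, and everything else is matched against the ordered General Rules, first match wins, falling through to the implicit block at the High security level. It then replays two configurations: CrazyM's permit rule placed before and after a global block, and the Windows File Sharing block rule exactly as Vassilis describes it in post #7. One caveat a practitioner would check against that last configuration: Windows 2000 also serves SMB directly over TCP 445, which is not among the ports 137-139 listed in that rule, so the fate of a connection on 445 is decided by whatever other rules follow, and the thread does not show those. The Rule and Firewall classes, the scenario functions and the 192.0.2.0/24 and 203.0.113.50 addresses are this example's own placeholders for the masked lab addresses (the 859.x address in post #3 is not a valid IPv4 address, so a documentation address stands in for the outside host).

```python
"""First-match model of NPF 2003 zones and inbound General Rules.

Added example; not code from the thread and not Norton's logic.
192.0.2.0/24 stands in for the lab subnet, 203.0.113.50 for an outside host.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

Verdict = Tuple[str, Optional[str]]      # (action, name of the logging rule or None)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                          # "permit" or "block"
    protocols: frozenset                 # e.g. {"tcp", "udp"}
    local_ports: frozenset               # empty = any local port
    remote: tuple = ()                   # address/network strings; empty = any
    log: bool = False                    # "Logging: Log Entry" / "Tracking"

    def matches(self, proto: str, local_port: int, remote_ip: str) -> bool:
        if proto not in self.protocols:
            return False
        if self.local_ports and local_port not in self.local_ports:
            return False
        if self.remote:
            ip = ipaddress.ip_address(remote_ip)
            if not any(ip in ipaddress.ip_network(r, strict=False) for r in self.remote):
                return False
        return True


@dataclass(frozen=True)
class Firewall:
    trusted: frozenset                   # Trusted Zone: individual addresses
    restricted: tuple                    # Restricted Zone: (first, last) ranges
    rules: tuple                         # ordered General Rules
    default: str = "block"               # Security = High: implicit block

    def inbound(self, proto: str, local_port: int, remote_ip: str) -> Verdict:
        ip = ipaddress.ip_address(remote_ip)
        if any(ip == ipaddress.ip_address(t) for t in self.trusted):
            return "permit", None        # bypasses the ruleset, never logged
        for first, last in self.restricted:
            if ipaddress.ip_address(first) <= ip <= ipaddress.ip_address(last):
                return "block", None     # dropped before the ruleset, never logged
        for rule in self.rules:          # first matching rule decides
            if rule.matches(proto, local_port, remote_ip):
                return rule.action, (rule.name if rule.log else None)
        return self.default, None


TCP_UDP = frozenset({"tcp", "udp"})
LAB_PEERS = ("192.0.2.44", "192.0.2.56", "192.0.2.64")
# CrazyM's rule from post #2: permit NetBIOS from the named peers, logged.
PERMIT_PEERS = Rule("Permit Local NetBIOS Networking", "permit", TCP_UDP,
                    frozenset({135, 137, 138, 139}), LAB_PEERS, log=True)
GLOBAL_BLOCK = Rule("Global Block", "block", TCP_UDP, frozenset(), (), log=True)
# The rule Vassilis reports in post #7: block 137-139 from any computer.
BLOCK_SHARING = Rule("Windows File Sharing", "block", TCP_UDP,
                     frozenset({137, 138, 139}), (), log=True)


def permit_before_block() -> dict:
    """Joseph's recommended order: the peer is permitted AND logged."""
    fw = Firewall(frozenset(), (), (PERMIT_PEERS, GLOBAL_BLOCK))
    return {"peer44": fw.inbound("tcp", 139, "192.0.2.44"),
            "peer60": fw.inbound("tcp", 139, "192.0.2.60")}


def permit_after_block() -> Verdict:
    """Same rules in the wrong order: the permit never gets a chance."""
    fw = Firewall(frozenset(), (), (GLOBAL_BLOCK, PERMIT_PEERS))
    return fw.inbound("tcp", 139, "192.0.2.44")


def zones_only() -> dict:
    """Post #3's plan: one trusted peer, the rest of the /24 restricted.
    Nothing is logged, and an outside host falls through to the default."""
    fw = Firewall(frozenset({"192.0.2.56"}),
                  (("192.0.2.0", "192.0.2.55"), ("192.0.2.57", "192.0.2.255")), ())
    return {"trusted56": fw.inbound("tcp", 139, "192.0.2.56"),
            "restricted60": fw.inbound("tcp", 139, "192.0.2.60"),
            "outsider": fw.inbound("tcp", 139, "203.0.113.50")}


def post7_rule() -> dict:
    """Blocking 137-139 says nothing about TCP 445, which Windows 2000 also
    uses for file sharing; 445 is decided by whatever rules follow."""
    fw = Firewall(frozenset(), (), (BLOCK_SHARING,))
    return {"tcp139": fw.inbound("tcp", 139, "192.0.2.91"),
            "tcp445": fw.inbound("tcp", 445, "192.0.2.91")}


if __name__ == "__main__":
    for name, fn in [("permit before block", permit_before_block),
                     ("permit after block", permit_after_block),
                     ("zones only", zones_only), ("post #7 rule", post7_rule)]:
        print(f"{name}: {fn()}")
```

The `post7_rule` result is the one to read carefully: the 139 probe is blocked and produces a log entry naming the rule, which is consistent with the alert Vassilis sees, while the 445 request never touches that rule at all. Whether 445 ends up permitted on the real machine depends on the rules the thread leaves at "by default".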
  8. Vassilis

    Vassilis Guest

    I created a new rule and I blocked all ports, all computers,
    all communications.

    My friend was able to see my shared folder D:\ !!!!!!!!!
    But I received an alert message: a computer with
    the IP address xxxxxxxxx attempted to connect to your
    computer using Firewall Rule (my new rule).


    "Joseph V. Morris" <> wrote in message
    news:bfmj24$aj$...
    > Vassilis,
    >
    > Inline, below . . .
    >
    > "Vassilis" <> wrote in message
    > news:bfmc7g$17vh$...
    > > one last question?
    > >
    > > I achieved to protect my pc.

    >
    > Yes, but HOW? You don't say. Did you just rely on the Trusted and
    > Restricted Zones, or did you shut down the File Sharing in the ruleset, or
    > did you completely eliminate reliance on the Restricted and Trusted Zones
    > and go to explicit firewall rules in the General Settings?
    >
    > Yes, it is important, because in NPF 2003, there are often three or four
    > different ways to do something and which one you invoke is critical.
    >
    > > I already tested it.
    > > I friend of mine with IP (example)
    > >
    > > 123.568.10.33
    > >
    > > tried to connect to my pc (IP: 123.568.5.89).
    > > He was not able to connect and received an alert message.

    >
    > WHO received the 'alert message'? Him or you?
    > If it was you, what did the message say?
    >
    > This does not seem to reconcile with what you subsequently say. If this
    > friend was incorporated into the Trusted Zone (or even BLOCKed in the
    > Restricted Zone), there's no way that you should have received any sort of
    > Alert Message or firewall event log entry.
    >
    > > Another friend (IP: 123.568.5.91) (from the same SUBNET with me) tried

    to
    > > connect and he was able to connect and I received an alert message.

    >
    > HOW did he connect? What was the alert message (or firewall event log
    > entry) associated with this event? For that matter, did he REALLY connect
    > or are you simply reporting that you found an Alert Message or firewall
    > event log entry? (Indeed, almost all of my Alerts and firewall event log
    > entries represent people who TRIED but FAILED to connect. You'd almost

    have
    > to write a customized rule in NIS/NPF to get a record of somewhere who

    TRIED
    > to connect and SUCCEEDED.)
    >
    > What, specifically, is your specification in the Trusted Zone? Are you
    > using a subnet mask, an IP range, or individually specified IP addresses?
    > (This may sound like a stupid question, but I recently got involved with a
    > knowledgable individual using a subnet mask who apparently didn't quite
    > realize how it worked.)
    >
    > > BUT I have not place him in my trusted zone. Do you know why he was able

    > to
    > > connect?

    >
    > Not until you answer the preceding questions. Specifically, if you

    haven't
    > modified the File sharing rule in the ruleset itself, it was trivial.
    >
    > --
    > Regards,
    > Joseph V. Morris
    >
    >
    >
     
    Vassilis, Jul 23, 2003
    #8
