PeterEl

Incoming connection on 80 port

17 posts in this topic

Hello!

My firewall (Outpost) detected incoming connections on port 80 and blocked them.

I think that the router must block incoming connections on port 80, right? But it does not.

Please explain why this might be.

(I use Windows XP)

176.57.209.48 - this is the SOURCE ADDRESS, 192.168.1.100 - this is the TARGET address.

Attached a screenshot.

wcnuw9.gif


It depends on a number of factors.

Which router do you have?

How exactly is it set up?

Is NAT enabled?

And how it is set?

jaclaz


1) linksys e1500

2) permission for incoming connections on port 80 is not installed.

3) NAT is enabled

4) "And how it is set?" - what do you mean?


Me accessing MSFN.ORG (the Port 80 one) through my router (my router address=192.168.8.17 - multiple ports):

post-72994-0-96047500-1346163792_thumb.j


You should maybe run

netstat -b

To see if you have anything besides your browsers or known clients accessing the internet.


I looked, all processes are known.

The question is still valid.

Edited by PeterEl

Can't disagree. The IP in your screenshot seems to indicate a Russian website that's being accessed.

edit - ULP! Is that YOUR External IP address?

http://jaguar.timeweb.ru/error_domain.htm

Edited by submix8c

???

http://en.timeweb.ru/support/faq/

If that's YOUR IP address, maybe you've set up a Web Server? I have one on my PC (via "no-ip") and had to make "exceptions" to allow folks to access it.

edit - (stupid me... I made a second post...)

Edited by submix8c

Me accessing MSFN.ORG (the Port 80 one) through my router (my router address=192.168.8.17 - multiple ports):

I am not sure I understand, those seem a lot like OUTbound connections and not INbound ones.... :unsure:

@PeterEl

I mean how exactly is NAT (or any other similar setting) set to?

From what I can see (not from the E1500 manual here: http://homesupport.cisco.com/en-eu/support/routers/E1500 which is pretty much "useless") but from the more "generic" one:

http://www.manualowl.com/m/Cisco/E1500/Manual/236876?page=40

There is no specific setting/page for NAT, and if you want to "expose" a device to the internet you need to put it in the DMZ.

The *whatever* that blocks (or should block) unwanted packets is seemingly SPI (Stateful Packet Inspection), but as well I cannot find any detailed settings guide, see also:

http://www6.nohold.net/Cisco2/GetArticle.aspx?docid=349c2ccc3fb44e1b8878369cc84a56bb_KB_EN_v1.xml&pid=80&converted=0

See if this applies to your router (these are the kind of settings that might affect the possibility to "go through"):

http://www6.nohold.net/Cisco2/GetArticle.aspx?docid=978eca6b436a4edc92576ba183b91f5c_KB_EN_v1.xml&pid=8&converted=0

jaclaz
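
One way to separate the two directions discussed above, as an added example that is not part of any post in this thread: a connection counts as inbound only when its local port is one the PC is listening on, otherwise the PC opened it and the remote port 80 is just the web server's side. The sample text is constructed in the layout of Windows `netstat -ano` output; the PIDs, local ports and the 192.168.1.23 peer are made up.

```python
# Added example, not from the thread. SAMPLE is constructed text in the
# layout printed by Windows "netstat -ano"; ports and PIDs are made up.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.100:1045     176.57.209.48:80       ESTABLISHED     2040
  TCP    192.168.1.100:1046     176.57.209.48:80       TIME_WAIT       0
  TCP    192.168.1.100:445      192.168.1.23:1102      ESTABLISHED     4
  UDP    0.0.0.0:500            *:*                                    700
"""


def split_endpoint(text):
    """Split 'addr:port' on the last colon, so '[::]:80' also works."""
    addr, _, port = text.rpartition(":")
    return addr, int(port)


def parse_tcp_rows(netstat_text):
    """Return (local, remote, state) for every TCP row; skip headers and UDP."""
    rows = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "TCP":
            continue
        rows.append((split_endpoint(fields[1]), split_endpoint(fields[2]), fields[3]))
    return rows


def classify(netstat_text):
    """Label each non-listening TCP connection as inbound or outbound."""
    rows = parse_tcp_rows(netstat_text)
    # Ports this machine accepts connections on.
    listening = {local[1] for local, _, state in rows if state == "LISTENING"}
    result = []
    for local, remote, state in rows:
        if state == "LISTENING":
            continue
        direction = "inbound" if local[1] in listening else "outbound"
        result.append((direction, "%s:%d" % local, "%s:%d" % remote, state))
    return result


if __name__ == "__main__":
    for row in classify(SAMPLE):
        print("%-9s local %-22s remote %-22s %s" % row)
```

A listening port 80 in the local column would be the sign of a web server on the PC; a remote port 80 paired with a high local port is ordinary browsing traffic.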


All security options on my router are turned on.

And I do not use DMZ, it's disabled.


I am not sure I understand, those seem a lot like OUTbound connections and not INbound ones....

Yeah, a little goofy-looking. It appears that the Outbound are legitimate. Apparently, it's part of the communications cycle. Details of one (Symantec Firewall, BTW):

post-72994-0-25926200-1346167569_thumb.j

post-72994-0-87432300-1346167983_thumb.j

Edited by submix8c

All security options on my router are turned on.

I will try again, are your settings EXACTLY like the ones on this page?

http://www6.nohold.net/Cisco2/GetArticle.aspx?docid=978eca6b436a4edc92576ba183b91f5c_KB_EN_v1.xml&pid=8&converted=0

Does your router have other pages/settings?

How are they set?

Post a few screenshots of what you see (obviously removing personal information/private LAN IPs etc).

And I do not use DMZ, it's disabled.

Good. :)

BTW a possibility would be to go to a friend's house and try accessing your IP from the "outside", backtrack is the first tool/distro that comes to mind:

http://www.backtrack-linux.org/

This way you could have maybe an idea of what's going on.

jaclaz

Edited by jaclaz

Well, as I gave the address of the (apparently) Hosting site, perhaps someone has inadvertently HARD-WIRED your "dynamic" address into THEIR website.

Again, I use NO-IP and have a dynamic IP which is updated occasionally to allow others to access it and had to give an INCOMING exception to Port 80 for my INTERNAL "fixed" IP address.

http://martin-entltd.no-ip.org/

(No longer valid - NOIP deleted it from my Account and it's "stuck" to unusable.)

?Something odd with that IP address... What happens with the above (mine)?

Edited by submix8c

Everything is the same as on this page http://www6.nohold.net/Cisco2/GetArticle.aspx?docid=978eca6b436a4edc92576ba183b91f5c_KB_EN_v1.xml&pid=8&converted=0, but Filter Multicast is ON and Filter Internet NAT Redirection... - is ON.

Other settings are in the attached file -> router-settings-pic.rar


From:

http://www6.nohold.net/Cisco2/GetArticle.aspx?docid=978eca6b436a4edc92576ba183b91f5c_KB_EN_v1.xml&pid=8&converted=0

Filter Multicast – This feature blocks multicasting or the method of sending IP diagrams to a group of receivers in a single transmission. This option is set to Disabled by default. Select this option to enable filter multicasting.

NOTE: IP multicasting is widely used in enterprises, commercial stock exchanges and multimedia content delivery networks such as IPTV applications. If you do not use such applications, it is much advisable to keep this option disabled to protect your network from spoofing or Denial of Service (DoS) attacks.

It seems like "safe" is "disabled". :unsure:

Like many (most :unsure:) Cisco originated documentation is - to say the least - self referencing, I doubt Captain Obvious himself could have written a better article than:

http://www6.nohold.net/Cisco2/GetArticle.aspx?docid=34da84c41ef2451e96dbc36f49b2f455_17372.xml&pid=80&converted=0

(please note how the title is "Definition of Filter Multicast and reasons to enable or disable it")

It is a very confusing matter:

http://homecommunity.cisco.com/t5/Wireless-Routers/Filter-Multicast/td-p/334178

but several sources (including the "default" settings) seem to imply that it should normally be disabled for increased security:

http://portforward.com/english/routers/firewalling/Cisco/Linksys-E1200/defaultguide.htm

jaclaz


1) So, probably, it is better to leave the default settings...

2) Today I noticed a strange thing: when my computer was turned off, no LAN port was working (no light) or in use, and Wi-Fi was also turned off, the WAN port (internet) was BLINKING, but not often.

I use DHCP to connect to the internet - dynamic IP.

Is it normal that WAN is blinking when I am not using the internet???? Why could it be?

Thanks everybody for the answers.


Is it normal that WAN is blinking when I am not using the internet???? Why could it be?

It may be perfectly normal :yes: , as an example your ISP might want to "know" if the modem is connected and working, there could be people (not necessarily malicious) pinging/arping/whatever, you may be part of an (ISP assigned) subnet range and get broadcasted packets, and of course there are thousands (or tens or hundreds of thousands) of compromised machines/botnets that are randomly pinging/probing the internet for open ports and the like :ph34r: .

jaclaz
