[PeterEl]

Hello!

My firewall outpost detected incoming connections on port 80 and blocked them.

I think that the router must block incoming connections on port 80, right? But it does not.

Please explain why this might be.
(i use windows xp)

176.57.209.48 - this SOURCE ADRESS, 192.168.1.100 - this TARGET adress.
Attached a screenshot.

[jaclaz]

It depends by a number of factors.

Which router do you have?
How exactly it is setup?
Is NAT enabled?
And how it is set?

jaclaz

[PeterEl]

jaclaz, on 28 August 2012 - 05:32 AM, said:

It depends by a number of factors.

Which router do you have?
How exactly it is setup?
Is NAT enabled?
And how it is set?

jaclaz

1) linksys e1500
2) permission for incoming connections on port 80 is not installed.
3) NAT is enabled
4) "And how it is set?" - what do you mean?

[submix8c]

Me accessing MSFN.ORG (the Port 80 one) through my router (my router address=192.168.8.17 - multiple ports):

Attached File(s)

•  !!! MSFN Acesses.jpg (32.1K)
  Number of downloads: 9

[Tripredacus]

You should maybe run

netstat -b

To see if you have anything besides your browsers or known clients accessing the internet.

[PeterEl]

Tripredacus, on 28 August 2012 - 08:48 AM, said:

You should maybe run

netstat -b

To see if you have anything besides your browsers or known clients accessing the internet.

I looked, all processes are known.

The question is still valid.

This post has been edited by PeterEl: 28 August 2012 - 09:00 AM

[submix8c]

Can't disagree. The IP in your screenshot seems to indicate a Russian website that's being accessed.

edit - ULP! Is that YOUR External IP address?
http://jaguar.timewe...rror_domain.htm

This post has been edited by submix8c: 28 August 2012 - 09:01 AM

[submix8c]

???
http://en.timeweb.ru/support/faq/
If that's YOUR IP address, maybe you've set up a Web Server? I have one on my PC (via "no-ip") and had to make "exceptions" to allow folks to access it.

edit - (stupid me... I made a second post...)

This post has been edited by submix8c: 28 August 2012 - 09:14 AM

[jaclaz]

submix8c, on 28 August 2012 - 08:23 AM, said:

Me accessing MSFN.ORG (the Port 80 one) through my router (my router address=192.168.8.17 - multiple ports):

I am not sure to understand, those seems a lot like OUTbound connections and not INbound ones....

@PeterEl
I mean how exactly is NAT (or any other similar setting) set to?
From what I can see (not from the E1500 manual here: http://homesupport.c...t/routers/E1500 which is pretty much "useless") but from the more "generic" one:
http://www.manualowl.../236876?page=40
There is no specific setting/page for NAT, and if you want to "expose" a device to the internet you need to put it in the DMZ.
The *whatever* that blocks (or should block) unwanted packets is seemingly SPI (Stateful Packet Inspection), but as well I cannot find any detailed settings guide, see also:
http://www6.nohold.n...=80&converted=0
See if this applies to your router (these are the kind of settings that might affect the possibility to "go through"):
http://www6.nohold.n...d=8&converted=0


jaclaz

[PeterEl]

jaclaz, on 28 August 2012 - 09:15 AM, said:

submix8c, on 28 August 2012 - 08:23 AM, said:

Me accessing MSFN.ORG (the Port 80 one) through my router (my router address=192.168.8.17 - multiple ports):

I am not sure to understand, those seems a lot like OUTbound connections and not INbound ones....

@PeterEl
I mean how exactly is NAT (or any other similar setting) set to?
From what I can see (not from the E1500 manual here: http://homesupport.c...t/routers/E1500 which is pretty much "useless") but from the more "generic" one:
http://www.manualowl.../236876?page=40
There is no specific setting/page for NAT, and if you want to "expose" a device to the internet you need to put it in the DMZ.
The *whatever* that blocks (or should block) unwanted packets is seemingly SPI (Stateful Packet Inspection), but as well I cannot find any detailed settings guide, see also:
http://www6.nohold.n...=80&converted=0
See if this applies to your router (these are the kind of settings that might affect the possibility to "go through"):
http://www6.nohold.n...d=8&converted=0


jaclaz

All security options on my router are turned on.
And i not use DMZ, it's disabled.

[submix8c]

jaclaz, on 28 August 2012 - 09:15 AM, said:

I am not sure to understand, those seems a lot like OUTbound connections and not INbound ones....

Yeah, a little goofy-looking. It appears that the Outbound are legitimate. Apparently, it's part of the communications cycle. Details of one (Symantec Firewall, BTW):

Attached File(s)

•  !!! MSFN Acesses Detail.jpg (9.13K)
  Number of downloads: 2
•  !!! MSFN Firewall Options.jpg (9.8K)
  Number of downloads: 1

This post has been edited by submix8c: 28 August 2012 - 09:33 AM

[jaclaz]

PeterEl, on 28 August 2012 - 09:23 AM, said:

All security options on my router are turned on.

I will try again, are your settings EXACTLY like the ones on this page?
http://www6.nohold.n...d=8&converted=0
Does you router has other pages/settings?
How are they set?
Post a few screenshots of what you see (obviously removing personal information/private LAN Ip's etc).

PeterEl, on 28 August 2012 - 09:23 AM, said:

And i not use DMZ, it's disabled.

Good.

BTW a possibility would be to go to a friend's house and try accessing your IP from the "outside", backtrack is the first tool/distro that comes to mind:
http://www.backtrack-linux.org/
This way you could have maybe an idea of what's going on.


jaclaz

This post has been edited by jaclaz: 28 August 2012 - 09:46 AM

[submix8c]

Well, as I gave the address of the (apparently) Hosting site, perhaps someone has inadervtently HARD-WIRED you "dynamic" address into THEIR website.

Again, I use NO-IP and have a dynamic IP which is updated occasionally to allow others to access it and had to give an INCOMING exception to Port 80 for my INTERNAL "fixed" IP address.

http://martin-entltd.no-ip.org/
(No longer valid - NOIP deleted it from my Account and it's "stuck" to unusable.)

?Something odd with that IP address... What happens with the above (mine)?

This post has been edited by submix8c: 07 April 2013 - 02:00 PM

[PeterEl]

jaclaz, on 28 August 2012 - 09:46 AM, said:

PeterEl, on 28 August 2012 - 09:23 AM, said:

All security options on my router are turned on.

I will try again, are your settings EXACTLY like the ones on this page?
http://www6.nohold.n...d=8&converted=0
Does you router has other pages/settings?
How are they set?
Post a few screenshots of what you see (obviously removing personal information/private LAN Ip's etc).

PeterEl, on 28 August 2012 - 09:23 AM, said:

And i not use DMZ, it's disabled.

Good.

BTW a possibility would be to go to a friend's house and try accessing your IP from the "outside", backtrack is the first tool/distro that comes to mind:
http://www.backtrack-linux.org/
This way you could have maybe an idea of what's going on.


jaclaz

All the same like this page http://www6.nohold.n...d=8&converted=0, but Filter Multicast is ON and Filter Internet NAT Redirection... - is ON.
Other settings in attached file ->  router-settings-pic.rar (214.49K)
Number of downloads: 3

[jaclaz]

PeterEl, on 28 August 2012 - 10:13 AM, said:

All the same like this page http://www6.nohold.n...d=8&converted=0, but Filter Multicast is ON and Filter Internet NAT Redirection... - is ON.

From:
http://www6.nohold.n...d=8&converted=0

Quote

• Filter Multicast – This feature blocks multicasting or the method of sending IP diagrams to a group of receivers in a single transmission. This option is set to Disabled by default. Select this option to enable filter multicasting.

NOTE: IP multicasting is widely used in enterprises, commercial stock exchanges and multimedia content delivery networks such as IPTV applications. If you do not use such applications, it is much advisable to keep this option disabled to protect your network from spoofing or Denial of Service (DoS) attacks.

It seems like "safe" is "disabled".

Like many (most ) Cisco originated documentation is - to say the least - self referencing, I doubt Captain Obvious himself could have written a better article than:
http://www6.nohold.n...=80&converted=0
(please note how the title is "Definition of Filter Multicast and reasons to enable or disable it")

It is a very confusing matter:
http://homecommunity...ast/td-p/334178
but several sources (including the "default" settings) seem to imply that it should normally be disabled for increased security:
http://portforward.c...efaultguide.htm


jaclaz

[PeterEl]

1) So, probably, better is leave the default settings...

2) Today I noticed a strange thing, when my computer was turned off and no one LAN port is no worked (not light) and no used, and WI-FI is turned off also, the WAN-port (internet) is BLINKED, but not often.
I use DHCP connect to internet - dynamic ip.

Is it normal? that WAN is blinked when i not use internet???? Why it could be?


Thanks everybody fo answers.

[jaclaz]

PeterEl, on 29 August 2012 - 12:22 AM, said:

Is it normal? that WAN is blinked when i not use internet???? Why it could be?

It may be perfectly normal , as an example your ISP might want to "know" if the modem is coneected and working, there could be people (not necessarily malicious) pinging/arping/whatever, you may be part of an (ISP assigned) subnet range and get broadcasted packets, and of course there are thousands (or tens or hundreds of thousands) compromised machines/botnets that are randomly pinging/probing the internet for open ports and the like .

jaclaz