Why is Win Explorer accessing the Net?

Vance Roos

I run Win XP Pro and I recently got a message from my Sygate Pro 5.0
firewall which said:

==== START QUOTE ====
"Windows Explorer is trying to broadcast an ICMP Type 10 (Router
Solicitation) packet to [224.0.0.2]. Do you want to allow this
program access to the network?"
==== END QUOTE ====

When I look it up it seems that 224.0.0.2 is for something called
"Local Network Control Block" (See
http://www.faqs.org/rfcs/rfc3171.html)

My QUESTION to the newsgroup is: should I allow Windows Explorer
access to the Net in order for it to go to that IP address?

--------

These are my own thoughts:

(a) On one hand, I cannot see why a simple file manager like Windows
Explorer would need to access the Net.

(b) On the other hand, Windows Explorer is deeply embedded in Win XP
and may need to perform all sorts of functions on behalf of XP.

I have had some problems in being over-hasty in blocking
communications from XP to the Net (for example blocking NTOSKRNL.EXE,
NDISUIO.SYS and SVCHOST.EXE).

--------

Can someone who understands what is taking place please advise me
whether I should permit permanent access for Windows Explorer to the
Net?
 
Colonel Flagg

Vance Roos said:
> I run Win XP Pro and I recently got a message from my Sygate Pro 5.0
> firewall which said:
>
> ==== START QUOTE ====
> "Windows Explorer is trying to broadcast an ICMP Type 10 (Router
> Solicitation) packet to [224.0.0.2]. Do you want to allow this
> program access to the network?"
> ==== END QUOTE ====
> [...]
> Can someone who understands what is taking place please advise me
> whether I should permit permanent access for Windows Explorer to the
> Net?

It's not accessing the "net", it's attempting to access the local area
network.... probably looking for other hosts, etc. for DNS purposes or
Microshaft's silly ****ing "Master Browser" BS.


--
Colonel Flagg
http://www.internetwarzone.org/

Privacy at a click:
http://www.cotse.net

Q: How many Bill Gates does it take to change a lightbulb?
A: None, he just defines Darkness? as the new industry standard..."

"...I see stupid people."
 
Lassi Hippeläinen

Vance said:
> I run Win XP Pro and I recently got a message from my Sygate Pro 5.0
> firewall which said:
>
> ==== START QUOTE ====
> "Windows Explorer is trying to broadcast an ICMP Type 10 (Router
> Solicitation) packet to [224.0.0.2]. Do you want to allow this
> program access to the network?"
> ==== END QUOTE ====
>
> When I look it up it seems that 224.0.0.2 is for something called
> "Local Network Control Block" (See
> http://www.faqs.org/rfcs/rfc3171.html)
>
> My QUESTION to the newsgroup is: should I allow Windows Explorer
> access to the Net in order for it to go to that IP address?

That seems to be an attempt to discover a router in your LAN. Since your
internal LAN traffic has no business in the Internet, I'd order the FW
to silently discard those packets, no matter what application is sending
them.

-- Lassi
 
Lars M. Hansen

On Tue, 16 Dec 2003 08:39:45 GMT, Vance Roos spoketh
> I run Win XP Pro and I recently got a message from my Sygate Pro 5.0
> firewall which said:
>
> ==== START QUOTE ====
> "Windows Explorer is trying to broadcast an ICMP Type 10 (Router
> Solicitation) packet to [224.0.0.2]. Do you want to allow this
> program access to the network?"
> ==== END QUOTE ====

Simply disable the IRDP in the registry. The value name is
"HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\[InterfaceName]\PerformRouterDiscovery".
Set the value to 0 (zero), and it'll stop.

Lars M. Hansen
http://www.hansenonline.net
(replace 'badnews' with 'news' in e-mail address)
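A script for the registry change Lars describes, added here as an example; it is not code from the thread or from Microsoft. It assumes the key layout and value semantics from Microsoft's TCP/IP registry reference for Windows 2000/XP as I recall them, so confirm them on your build: the per-adapter keys sit under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{adapter GUID}, the value is a REG_DWORD named PerformRouterDiscovery, 0 disables RFC 1256 router discovery, 1 enables it unconditionally, and 2 (the default, which is also how an absent value behaves) enables it only when the DHCP server sends the router-discovery option. Disabling it is worth doing beyond silencing the firewall prompt: a host that solicits will accept ICMP router advertisements, and any box on the LAN can answer them and install itself as the default gateway. The plan() function is pure so it can be checked on any platform; read_interfaces() and apply() need Windows, the standard winreg module and an elevated prompt.

```python
"""Plan and apply PerformRouterDiscovery=0 on every TCP/IP interface.

Added example for the registry fix discussed in this thread. Key path and
the 0/1/2 semantics are taken from Microsoft's TCP/IP registry documentation
as recalled by the editor (an assumption, not something the thread states).
"""
import sys

INTERFACES_KEY = r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces"
VALUE_NAME = "PerformRouterDiscovery"

# Documented meanings of the REG_DWORD (assumption, see lead-in).
DISABLED = 0        # never send ICMP type 10 router solicitations
ALWAYS = 1          # solicit whenever the interface comes up
IF_DHCP_SAYS = 2    # solicit only if DHCP sends option 31; default when absent


def effective(value):
    """An absent value behaves like the default, 2."""
    return IF_DHCP_SAYS if value is None else value


def plan(interfaces: dict) -> list:
    """interfaces maps adapter GUID -> current DWORD, or None if the value is missing.

    Returns (guid, current, new) for every interface that can still solicit,
    i.e. everything that is not already explicitly 0.
    """
    changes = []
    for guid, current in interfaces.items():
        if effective(current) != DISABLED:
            changes.append((guid, current, DISABLED))
    return changes


def read_interfaces() -> dict:
    """Windows only: read the current value (or None) under every adapter key."""
    import winreg
    found = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, INTERFACES_KEY) as root:
        subkeys = winreg.QueryInfoKey(root)[0]
        for i in range(subkeys):
            guid = winreg.EnumKey(root, i)
            with winreg.OpenKey(root, guid) as k:
                try:
                    found[guid] = winreg.QueryValueEx(k, VALUE_NAME)[0]
                except OSError:          # value not present: default applies
                    found[guid] = None
    return found


def apply(changes: list, dry_run: bool = True) -> int:
    """Write the planned values (needs an elevated prompt). Returns how many were written."""
    import winreg
    written = 0
    for guid, current, new in changes:
        print(f"{guid}: {current!r} -> {new}{' (dry run)' if dry_run else ''}")
        if dry_run:
            continue
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, INTERFACES_KEY + "\\" + guid,
                            0, winreg.KEY_SET_VALUE) as k:
            winreg.SetValueEx(k, VALUE_NAME, 0, winreg.REG_DWORD, new)
            written += 1
    return written


if __name__ == "__main__":
    if not sys.platform.startswith("win"):
        sys.exit("registry access needs Windows; plan() can be exercised anywhere")
    apply(plan(read_interfaces()), dry_run="--apply" not in sys.argv)
```

Run with no arguments it only prints the planned changes; with --apply, from an elevated prompt, it writes them, and they take effect the next time each interface is brought up. Note that the value usually does not exist yet on XP, so it has to be created as a DWORD rather than edited, and that leaving it at 2 means any DHCP server on the segment, legitimate or not, can turn solicitation back on.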
 
Lars M. Hansen

On Tue, 16 Dec 2003 04:09:34 -0500, Colonel Flagg spoketh
> It's not accessing the "net", it's attempting to access the local area
> network.... probably looking for other hosts, etc. for DNS purposes or
> Microshaft's silly ****ing "Master Browser" BS.

Not even close ...

Lars M. Hansen
 
NeoSadist

Colonel Flagg said:
> > "Windows Explorer is trying to broadcast an ICMP Type 10 (Router
> > Solicitation) packet to [224.0.0.2]. Do you want to allow this
> > program access to the network?"
> [...]
> It's not accessing the "net", it's attempting to access the local area
> network.... probably looking for other hosts, etc. for DNS purposes or
> Microshaft's silly ****ing "Master Browser" BS.


No, Master browser broadcasting isn't ICMP, it's a broadcast over NetBIOS I
believe (hold on, let me start up Ethereal). OK, here's what it looks like:

First, the computer coming up will ask the router, over ARP, who has the IP
it was given by DHCP, and if it's not taken, it will register it by
broadcasting NetBIOS Name Service (port 137) over its subnet's broadcast IP
(which is why Windows computers are described as "leaky", or "not fit to
use anywhere without a firewall"). It will then also register its
workgroup if it doesn't detect that its workgroup is up, again over NetBIOS
Name Service (port 137). From there it will then use the master browser
stuff, broadcasting over the LAN at its subnet broadcast level that it is
(Win2k Pro) an NT workstation and that it is serving a printer. Master
browser announcements are UDP packets over port 138 using TCP/IP, NOT ICMP.
But that's OK, you don't have a Linux machine connected to your LAN running
Ethereal like I do. Do that some time with a spare computer: you'd be
surprised at how "noisy" Windows machines can be.
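What the two answers above disagree about can be checked on the wire. The script below is an added example, not code from the thread, from Sygate or from Ethereal: it constructs three packets, the ICMP type 10 router solicitation to 224.0.0.2 that Vance's firewall flagged, built the way RFC 1256 specifies it, plus the NetBIOS name-service (UDP/137) and datagram-service (UDP/138) broadcasts NeoSadist describes, then decodes each one the way a host firewall would and reports what it is, whether its IP and ICMP checksums verify, and whether it can leave the LAN at all. 224.0.0.0/24 is the Local Network Control Block of RFC 3171 that Vance looked up; routers do not forward it, and the solicitation is sent with TTL 1 besides, so the packet in the alert never reaches the Internet whatever is decided about Explorer. The host 192.168.1.10, the /24, the NetBIOS payload bytes and all function names are made up for the example.

```python
"""Decode constructed IPv4 packets and say what a host-firewall prompt is about.

Added example: builds an RFC 1256 router solicitation (ICMP type 10 to
224.0.0.2, the all-routers group) and two NetBIOS broadcasts, then classifies
each. Addresses and payloads are made up; nothing here is captured traffic.
"""
import ipaddress
import struct

ALL_ROUTERS = ipaddress.IPv4Address("224.0.0.2")              # RFC 1256 solicitation target
LOCAL_CONTROL_BLOCK = ipaddress.IPv4Network("224.0.0.0/24")   # RFC 3171: never forwarded
LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")
EXAMPLE_LAN = ipaddress.IPv4Network("192.168.1.0/24")         # made-up LAN for the sample
ICMP_ROUTER_SOLICITATION = 10
PROTO_ICMP, PROTO_UDP = 1, 17
NBNS_PORT, NBDGM_PORT = 137, 138


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; re-summing a filled header gives 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload


def router_solicitation(src: str) -> bytes:
    """The packet in Vance's alert: ICMP type 10, code 0, 4 reserved bytes, sent with TTL 1."""
    icmp = struct.pack("!BBHI", ICMP_ROUTER_SOLICITATION, 0, 0, 0)
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    return ipv4(src, str(ALL_ROUTERS), PROTO_ICMP, icmp, ttl=1)


def udp(src: str, dst: str, sport: int, dport: int, data: bytes) -> bytes:
    """IPv4/UDP datagram; a zero UDP checksum is permitted over IPv4."""
    seg = struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data
    return ipv4(src, dst, PROTO_UDP, seg)


def classify(pkt: bytes, lan: ipaddress.IPv4Network = EXAMPLE_LAN) -> dict:
    """Report destination, TTL, checksum validity, LAN scope and what the packet is."""
    ihl = (pkt[0] & 0x0F) * 4
    ttl, proto = pkt[8], pkt[9]
    dst = ipaddress.IPv4Address(pkt[16:20])
    body = pkt[ihl:]
    # Link-scoped multicast, broadcasts and the local subnet stop at the first
    # router, as does anything sent with TTL 1.
    stays = dst in LOCAL_CONTROL_BLOCK or dst == LIMITED_BROADCAST or dst in lan or ttl <= 1
    info = {"dst": str(dst), "ttl": ttl, "ip_checksum_ok": checksum(pkt[:ihl]) == 0,
            "leaves_lan": not stays, "kind": "other"}
    if proto == PROTO_ICMP:
        icmp_type, icmp_code = body[0], body[1]
        info["icmp_checksum_ok"] = checksum(body) == 0
        if icmp_type == ICMP_ROUTER_SOLICITATION and icmp_code == 0 and dst == ALL_ROUTERS:
            info["kind"] = "irdp-router-solicitation"
    elif proto == PROTO_UDP:
        dport = struct.unpack("!H", body[2:4])[0]
        if dport == NBNS_PORT:
            info["kind"] = "netbios-name-service"       # name registration/query, UDP 137
        elif dport == NBDGM_PORT:
            info["kind"] = "netbios-datagram-service"   # browser announcements, UDP 138
    return info


def sample_packets() -> list:
    """Constructed traffic from the made-up host 192.168.1.10 on 192.168.1.0/24."""
    return [
        router_solicitation("192.168.1.10"),
        udp("192.168.1.10", "192.168.1.255", NBNS_PORT, NBNS_PORT, b"\x80\x00\x29\x10" + b"\x00" * 8),
        udp("192.168.1.10", "192.168.1.255", NBDGM_PORT, NBDGM_PORT, b"\x11\x02" + b"\x00" * 12),
    ]


if __name__ == "__main__":
    for p in sample_packets():
        print(classify(p))
```

Run as-is, the three constructed packets come back as irdp-router-solicitation, netbios-name-service and netbios-datagram-service, and none of them can leave the LAN; a unicast ICMP echo to a public address is classified as other and can. For Vance's question the useful part is the first line of output: the alert concerns RFC 1256 router discovery, which is link-local by construction, and the browser announcements Colonel Flagg guessed at are a separate UDP mechanism that a firewall rule on ICMP would not touch.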
 
Colonel Flagg

> On Tue, 16 Dec 2003 04:09:34 -0500, Colonel Flagg spoketh
>
> Not even close ...
>
> Lars M. Hansen

Just a guess. 'Course that's how MS programmers do their jobs.

--
Colonel Flagg
 
Colonel Flagg

> On Wed, 17 Dec 2003 14:38:38 -0500, Colonel Flagg spoketh
>
> So, basically, you're just guessing too ...

No, actually, it's from years of experience using their so-called
"products" and supporting end-users with all of their complaints about
how Windows is a piece of shit.

That's why I eventually switched to Linux & FreeBSD for all of my server
needs and only use one XP workstation for three reasons that have nothing
to do with Microsoft: 1) Eudora, 2) Photoshop, 3) Flash creation.

And all of my clients are either showing a lot of interest in migrating
to Linux for their file servers or they're in the process of moving.
Considering I take care of the majority of law offices in my town and
around 30-40 other clients in the area, I think I'll make a little
tiny dent in the money machine that *was* Microsoft. If every person that
feels the way I do makes the same contribution to the anti-Microsoft
game, we'll eventually win :)

Thanks for asking tho.



--
Colonel Flagg
 
Lars M. Hansen

On Wed, 17 Dec 2003 20:05:39 -0500, Colonel Flagg spoketh
> No, actually, it's from years of experience using their so-called
> "products" and supporting end-users with all of their complaints about
> how Windows is a piece of shit.
> [...]
> Thanks for asking tho.

Interesting, because from years of experience, I've had little trouble
with any Microsoft product, and a large portion of the troubles I've had
have been human error (either by the operator or the installer).

Lars M. Hansen
 
Joe Dunning

Lars M. Hansen said:
> On Tue, 16 Dec 2003 08:39:45 GMT, Vance Roos spoketh
> > "Windows Explorer is trying to broadcast an ICMP Type 10 (Router
> > Solicitation) packet to [224.0.0.2]. Do you want to allow this
> > program access to the network?"
>
> Simply disable the IRDP in the registry. The value name is
> "HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\[InterfaceName]\PerformRouterDiscovery".
> Set the value to 0 (zero), and it'll stop.

And people say that configuring *nix machines requires you to remember
obscure locations to make changes?
 
David

Windows Explorer is much more than a simple file manager. It is the user
shell when you log into Windows. It can be difficult to decide which
core Windows programs to allow to access the internet, especially since
the application controls of the different personal firewalls all work a
little differently. Other firewalls, for example, may not indicate such
activity if they are using a different scheme to control ICMP traffic or
can "monitor" activity at the DLL level. I would tend to use protocol
and port filtering for such diverse applications as explorer.exe and
svchost.exe since they perform multiple functions. I'm not familiar with
Sygate, but you should check to see what other filtering is available.
For example, Explorer, as the shell, can oversee file transfers via
NetBIOS over TCP/IP and FTP, and has some responsibility, as seen in
your case, for ICMP traffic.

If you are not in a LAN where you need to browse the resources of other
LAN machines, if you do not do FTP transfers via the Explorer shell, and
if you have a DHCP-assigned internet gateway address and no internal
routers using routing protocols, then you could probably block Explorer
access in Sygate without adverse effects.

Personally I would probably hack the registry as Lars has pointed out,
and leave the Sygate settings for Explorer in a state of flux so that
other activity would generate an alert. This way you would be dealing
with the specific alerts you received, and will not block Explorer from
doing something else you may want it to do or allow it to do things you
may not want. The next thing it tries will generate an alert which will
either be for valid traffic or perhaps give you a hint that something
malicious has made its way onto your machine.
 
--= Ö§âmâ ßíñ Këñ0ßí =--

A long time ago in a galaxy far, far away, Lars M. Hansen
> Interesting, because from years of experience, I've had little trouble
> with any Microsoft product, and a large portion of the troubles I've had
> have been human error (either by the operator or the installer).

Lars, are you getting paid to defend M$?
 
Adam Russell

--= Ö§âmâ ßíñ Këñ0ßí =-- said:
> A long time ago in a galaxy far, far away, Lars M. Hansen
>
> Lars, are you getting paid to defend M$?

A person does not have to be biased to want to tell the truth as he sees it.
Might you be projecting some flaw in yourself?
 
Leythos

> A long time ago in a galaxy far, far away, Lars M. Hansen
>
> Lars, are you getting paid to defend M$?

I think what you are hearing from Lars is what you would hear from any
competent network/OS person in the business; in fact, I'm sure of it.

I have installed thousands of workstations and hundreds of servers in
the last 20 years; I've also designed the networks and security plans.
In all of those years not one of the machines or businesses has been
compromised. I have had several machines crash because someone
deleted files or because an update didn't like a piece of hardware, but
I've never had a virus take one machine or server down. I've never had
one machine compromised via the internet...

MS makes great software for the business and home; it's simple to
install, easy to use, and on average has more features than any GNU
or Open Source product available.

If you don't know how to secure something it only takes about an hour's
time to research it to figure it out.

As Lars said, I can count the times on two hands when MS was at fault,
but I can't count the times a user was at fault if I was using all the
hairs on my head.

I can also make the above statements for CP/M, AIX, HP-UX, Linux, and
several other languages.
 
Walter Roberson

:MS makes great software for the business and home; it's simple to
:install, easy to use, and on average has more features than any GNU
:or Open Source product available.

:If you don't know how to secure something it only takes about an hour's
:time to research it to figure it out.

Unless it's peered MS Exchange (pre-AD) servers. The MS
documentation gives a very short list of ports that has little
relationship to reality. I analyzed the firewall logs to see
what ports were actually being used -- it was over 20 different
protocols. And it continues to surprise me; I noticed in my
logs this morning that the traffic flow has changed again since
the last time I analyzed about 3 weeks ago.

Here's an issue that I've run into that perhaps you could clue
me in on:

Client contacts Exchange Server (pre-AD). Client negotiates
a port via RPC (TCP 135). Client holds short TCP conversation and
drops the connection. Later (a few hours, up to a couple of weeks),
Exchange server wishes to send information to client. Exchange
server attempts to contact client at -same- IP address and port
that client used last time they connected many days before.
Firewall does not let server through because the original port
the client used was dynamically allocated and the TCP connection
had been closed long ago. Exchange server retries and retries
and retries, persisting in attempting to contact the dynamic
TCP port for over a week.

Now, not having control over the corporate Exchange servers, how
can I configure the client to stop the server from remembering the
ip + port (both of which could have been dynamically allocated) --
or how can I *reasonably* configure a stateful firewall to
recognize this situation and make the appropriate back-connection
even if the public IP has been long ago reallocated?
 
Lars M. Hansen

On 23 Dec 2003 16:02:22 GMT, Walter Roberson spoketh
> Now, not having control over the corporate Exchange servers, how
> can I configure the client to stop the server from remembering the
> ip + port (both of which could have been dynamically allocated) --
> or how can I *reasonably* configure a stateful firewall to
> recognize this situation and make the appropriate back-connection
> even if the public IP has been long ago reallocated?

Simple: A client should never connect to Exchange through a firewall. If
external users need to connect to Exchange, use VPN.

Lars M. Hansen
 
