windows firewall

boris914

I've been parsing pfirewall daily for over a year now and the only
OPEN-INBOUND records are for my RDP connections which also happens to
be the only exception in my firewall.

About a week ago I started getting OPEN-INBOUND UDP to port 1026 which
seems to be my DNS process (C:\WINDOWS\system32\svchost.exe -k
NetworkService) from various sources. I don't have any firewall
exceptions for this port.

Has anyone else seen this or know what's up?
 
David H. Lipman

From: <[email protected]>

| I've been parsing pfirewall daily for over a year now and the only
| OPEN-INBOUND records are for my RDP connections which also happens to
| be the only exception in my firewall.
|
| About a week ago I started getting OPEN-INBOUND UDP to port 1026 which
| seems to be my DNS process (C:\WINDOWS\system32\svchost.exe -k
| NetworkService) from various sources. I don't have any firewall
| exceptions for this port.
|
| Has anyone else seen this or know what's up?

This is a question best suited for a FireWall related News Group.
 
boris914

Dave said:
This is a question best suited for a FireWall related News Group.

Thanks Dave but this is not a general firewall question. The only
people who could answer my post are those who are monitoring
pfirewall.log of their XP clients and that should be those reading this
newsgroup ;-)

I can only imagine 3 possible explanations for what I've seen:

1. Windows Firewall is hiccupping and letting stuff through
2. Some XP code is temporarily opening the firewall
3. There are some undocumented exceptions to the Firewall (I know there
are lots of special exceptions to the IPSec Packet Filter)

and I don't like any of these.
 
Steven L Umbach

Most likely that is simply return traffic [to source port] to your computer
for DNS name resolution from port 53 udp of the DNS server. Since your
computer initiates such, the firewall would allow it back in. Don't know why
your logs started showing it, but I really doubt it is anything malicious.

Steve
 
boris914

Steven said:
Most likely that is simply return traffic [to source port] to your computer
for DNS name resolution from port 53 udp of the DNS server. Since your
computer initiates such the firewall would allow it back in.

I'd agree, as I've seen that behavior before with other firewalls and
NAT routers, but as I said I've been parsing pfirewall.log for over a
year and I've seen those return DNS connections daily, but Windows
Firewall has always "DROP"ed them.

Steven said:
Don't know why your logs started showing it but I really doubt it is
anything malicious.

I doubt it's malicious (or a compromise) too. My security and
monitoring is extreme. I really think it's one of the three answers
that I previously listed and they all have MS as the common root cause
;-)

I was really hoping to find someone else here who has been monitoring
pfirewall.log.
 
Steven L Umbach

Interesting, in that if a firewall dropped DNS return traffic then DNS name
resolution would fail, though if you are using an internal DNS server on your
subnet then the firewall may permit them. It seems that some "protection"
applications are coded to use their own DNS servers rather than the one
shown in tcp/ip, which may be something to look at and may require a more
advanced firewall that could show the process that spawned that activity.
You might try installing Port Reporter for a while to see if you can track
down in more detail what is going on.

Steve

http://www.microsoft.com/downloads/...9B-BAE9-4243-B9D6-63E62B4BCD2E&displaylang=en
-- Port Reporter

 
Steven L Umbach

Just to add that I am not sure how the Windows Firewall handles UDP since it
is not stateful. It could be possible that if the operating system does not
get a reply from the DNS server in a specific amount of time that the return
packet is dropped.

Steve

 
boris914

I found out what's going on. When Windows Firewall opens UDP ports for
an outbound connection, it opens the local source port to the world and
not just to the destination address. This port stays open to the world
for the duration of the firewall's timeout. I'm pretty shocked by this
behavior and it doesn't seem that anyone is aware of this.
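The parsing the original poster describes, and the behaviour found at the end of the thread, can both be checked from the log itself. The script below is an added example (not code from any of the posters): it reads a pfirewall.log using the W3C `#Fields:` header the Windows XP firewall writes, then classifies every OPEN-INBOUND record as either covered by a configured exception (the RDP rule here), a genuine reply to a UDP request the host just sent, a packet from an unrelated peer arriving on an ephemeral port that a recent outbound UDP OPEN left open to the world, or an inbound record with no recent outbound OPEN to explain it. The log lines, the 60-second UDP timeout and the exception set are constructed assumptions for the example; the thread does not give the firewall's real timeout value.

```python
"""Classify OPEN-INBOUND records in a Windows XP pfirewall.log (added example)."""
from datetime import datetime, timedelta

# Constructed sample in the W3C layout the XP SP2 firewall writes. The parser
# takes the column order from the #Fields header, so a real log works as-is.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2006-03-01 08:00:00 OPEN UDP 192.168.1.10 192.168.1.1 1026 53 - - - - - - - - -
2006-03-01 08:00:00 OPEN-INBOUND UDP 192.168.1.1 192.168.1.10 53 1026 - - - - - - - - -
2006-03-01 08:00:30 OPEN-INBOUND UDP 203.0.113.7 192.168.1.10 4444 1026 - - - - - - - - -
2006-03-01 08:10:00 OPEN-INBOUND TCP 198.51.100.5 192.168.1.10 51234 3389 - - - - - - - - -
2006-03-01 08:20:00 OPEN-INBOUND UDP 203.0.113.9 192.168.1.10 5555 1026 - - - - - - - - -
2006-03-01 08:20:05 DROP UDP 203.0.113.9 192.168.1.10 5555 1027 60 - - - - - - - RECEIVE
"""

# Assumed configuration: the poster's single exception (RDP) and a guessed
# UDP idle timeout; tune both to the machine being examined.
DEFAULT_EXCEPTIONS = {("TCP", "3389")}
DEFAULT_UDP_TIMEOUT = timedelta(seconds=60)


def parse_pfirewall(text):
    """Return a list of dicts, one per data line, keyed by the #Fields names.

    The 'time' key is replaced by a datetime built from the date and time
    columns. Lines whose column count does not match the header (e.g. a line
    still being written) are skipped rather than mis-parsed."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line seen before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue
        rec = dict(zip(fields, values))
        rec["time"] = datetime.strptime(rec["date"] + " " + rec["time"],
                                        "%Y-%m-%d %H:%M:%S")
        records.append(rec)
    return records


def classify_inbound(records, exceptions=DEFAULT_EXCEPTIONS,
                     udp_timeout=DEFAULT_UDP_TIMEOUT):
    """Pair each OPEN-INBOUND record with a verdict string.

    Outbound UDP OPEN records are remembered by (local ip, local port); an
    inbound packet to that port inside the timeout is a 'reply-to-outbound'
    when it comes from the host the request went to, and a
    'stray-on-open-port' when any other peer hits the still-open port."""
    outbound = {}  # (local ip, local port) -> (open time, remote ip)
    results = []
    for rec in records:  # pfirewall.log is written in time order
        if rec["action"] == "OPEN" and rec["protocol"] == "UDP":
            outbound[(rec["src-ip"], rec["src-port"])] = (rec["time"], rec["dst-ip"])
        elif rec["action"] == "OPEN-INBOUND":
            if (rec["protocol"], rec["dst-port"]) in exceptions:
                verdict = "exception"
            else:
                opened = outbound.get((rec["dst-ip"], rec["dst-port"]))
                if opened is None or rec["time"] - opened[0] > udp_timeout:
                    verdict = "no-matching-open"
                elif opened[1] == rec["src-ip"]:
                    verdict = "reply-to-outbound"
                else:
                    verdict = "stray-on-open-port"
            results.append((rec, verdict))
    return results


if __name__ == "__main__":
    for rec, verdict in classify_inbound(parse_pfirewall(SAMPLE_LOG)):
        print(rec["time"], rec["protocol"], rec["src-ip"], "->",
              rec["dst-ip"] + ":" + rec["dst-port"], verdict)
```

Against a real log, replace `SAMPLE_LOG` with the contents of `%windir%\pfirewall.log` and look at the `stray-on-open-port` lines: those are the records the thread ends on, inbound UDP from addresses the host never contacted, accepted only because an outbound DNS request had just left the same local port. The `no-matching-open` verdict is where to start if an inbound accept has no outbound explanation within the assumed timeout.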