> Firewall Rules for Packet Filtering
biyahero
post 4.11.2007 06:58
Post #1






I have a program called SymSMB which runs on a Nokia Smartphone, and enables one to connect the Smartphone to your wireless LAN and then to browse, copy, delete and whatever from the shared directories on one's Windows Desktop...sort of like a remote Windows Explorer.

The Developer of this program indicates that it functions over Port 445 using the "SMB Protocol" and sends packets using TCP, and if Port 445 is blocked the SMB protocol is able to fall back to using Port 139. What has this got to do with Kaspersky.... well I'm getting there.

With that background in mind, I have noticed that my KIS 7.0.0.125 installation has the following settings:

Firewall; Rules for Packet Filtering
Block: Windows "Server Message Block" Activity
Properties
Local Port
Rule Description
Block inbound (stream) TCP Connections, where:
Local Port: 445

Block: Windows "Server Message Block" Activity
Properties
Local Port
Rule Description
Block Inbound & Outbound UDP packets, where:
Local Port: 445

Now if Kaspersky was *REALLY* blocking SMB activity on Port 445, then my SymSMB program should not function... unless it fell back to using Port 139, (which SMB would do except that the developer indicates that the SymSMB program is not set up to do currently).

So this makes me doubt that KIS is really doing what it says it is doing because if it did my SymSMB program should not function, and it does function perfectly!

The reason this came up is that the SymSMB program would not function to connect to the network shares on my son's computer (who regrettably persists in using Norton) and the problem eventually was traced to a rule in Norton blocking Port 445, and removing that rule fixed the problem. Now however I see that KIS has the same sort of rule, but inexplicably the SymSMB program works fine on my machine(s)... all 5 of them... which are using KIS.

Why? How does it work?

Here is what I see in "Firewall; Kaspersky Network Monitor":

Current Ports Open:
Local Port   Protocol   Application   Local IP Address
445          TCP        System        0.0.0.0
445          UDP        System        0.0.0.0
139          TCP        System        192.168.1.103

If Port 445 is blocked by KIS, why is it showing open in "Kaspersky Network Monitor"??
 
biyahero
post 4.11.2007 07:04
Post #2






In a related question, I have also noticed in the "Firewall; Rules for Packet Filtering" these three items:

Localhost Loopback UDP Activity
Properties
Remote IP Address
Rule Description
Rule is temporarily disabled
Allow Inbound & Outbound UDP packets, where:
Remote IP Address is: 127.0.0.1

Localhost Loopback UDP Activity
Properties
Remote IP Address
Rule Description
Rule is temporarily disabled
Allow Inbound & Outbound TCP Connections, where:
Remote IP Address is: 127.0.0.1

PPT Control Activity
Properties
Remote Port
Local Port
Rule Description
Rule is temporarily disabled
Allow Outbound (stream) TCP Connections, where:
Remote Port: 1723
Local Port: 1024-65535
Remote IP Address is: 127.0.0.1

Why are these rules "Temporarily Disabled"? Does everyone else have settings like this? Does KIS install itself with these defaults because I am sure I never unchecked these three rules!

Or is this another inexplicable auto-change like how the Parental Control seems to activate itself for myself and a few other users?

Is there any reason why I would *want* to have these three rules temporarily disabled, or if not I guess I will recheck them to remove the temporary disablement!



 
richbuff
post 4.11.2007 07:22
Post #3






Those three Allow rules have always been temporarily disabled for me, over here in the provincial wilderness. The Netsky et al. Block rules are also temporarily disabled by default. So I leave them in default, or change them, once in a while to see if there is a perceptible difference. I have experienced none.


--------------------
Please see the Important topics, located at the top of this section, and at the top of other sections of this forum.
 
biyahero
post 5.11.2007 06:49
Post #4






QUOTE(richbuff @ 4.11.2007 13:22)
Those three Allow rules have always been temporarily disabled for me, over here in the provincial wilderness. The Netsky et al. Block rules are also temporarily disabled by default. So I leave them in default, or change them, once in a while to see if there is a perceptible difference. I have experienced none.


Thanks richbuff for confirming that those three "Allow" rules are temporarily disabled by default for you and presumably everyone by default.

Now my concern is why SymSMB still works even with those "Block" rules supposedly blocking SMB activity!
Is KIS really not blocking what it claims to be?
 
Mem
post 5.11.2007 17:29
Post #5






The Kaspersky Network Monitor looks at open ports on the local PC, not what is exposed to the LAN or Internet. This means you have a program that is Listening on those ports but may not be exposed to outside probes. If you expand the TCP rule to block inbound AND outbound on 445, do you have the same connection ability with SymSMB?
 
p2u
post 5.11.2007 18:01
Post #6






QUOTE(biyahero @ 5.11.2007 05:49)
Now my concern is why SymSMB still works even with those "Block" rules supposedly blocking SMB activity!
Is KIS really not blocking what it claims to be?

I'm not sure, but I think those rules apply to the Internet Zone only...

Paul


--------------------
Adblock Plus content blocking filter: * (= show text only anywhere)
Exception rule for all: @@*$stylesheet (= show style sheet only anywhere)
Default exception rule for white-listed sites: domain name/$background,image (= images only from that domain only; no scripts, objects, or other elements)
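
Added example, not part of any post in this thread and not Kaspersky's rule engine: a small first-match packet-filter model that evaluates the two port 445 Block rules quoted in Post #1 under the hypothesis from Post #6 (rules scoped to the Internet zone only) and, for comparison, scoped to all zones. The zone names, the default-allow fallthrough, the 192.168.1.0/24 local network and the two remote addresses are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass

# Assumption: the home LAN counts as the "local" zone, everything else as "internet".
LOCAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]

@dataclass(frozen=True)
class Rule:
    name: str
    action: str            # "block" or "allow"
    proto: str             # "tcp" or "udp"
    directions: frozenset  # subset of {"in", "out"}
    local_port: int
    zones: frozenset       # zones the rule is scoped to (hypothetical field)

@dataclass(frozen=True)
class Packet:
    proto: str
    direction: str
    local_port: int
    remote_ip: str

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    return "local" if any(addr in net for net in LOCAL_NETS) else "internet"

def decide(rules, pkt, default="allow"):
    """First matching rule wins; unmatched traffic gets the assumed default."""
    for r in rules:
        if (r.proto == pkt.proto and pkt.direction in r.directions
                and r.local_port == pkt.local_port
                and zone_of(pkt.remote_ip) in r.zones):
            return r.action, r.name
    return default, None

def smb_rules(zones):
    """The two Block rules from Post #1, scoped to the given zones."""
    z = frozenset(zones)
    return [Rule("SMB TCP 445", "block", "tcp", frozenset({"in"}), 445, z),
            Rule("SMB UDP 445", "block", "udp", frozenset({"in", "out"}), 445, z)]

# Constructed sample traffic: a phone on the LAN and a host outside it.
PHONE = Packet("tcp", "in", 445, "192.168.1.50")
OUTSIDE = Packet("tcp", "in", 445, "203.0.113.7")

def compare():
    result = {}
    for label, zones in (("internet_only", {"internet"}),
                         ("all_zones", {"internet", "local"})):
        rules = smb_rules(zones)
        result[label] = {"phone": decide(rules, PHONE)[0],
                         "outside": decide(rules, OUTSIDE)[0]}
    return result

if __name__ == "__main__":
    for scope, verdicts in compare().items():
        print(scope, verdicts)
```

In this model a listener on 0.0.0.0:445 stays visible in a local port list whichever scope is chosen, because the filter decides per packet and does not close the socket; only the all-zones scope stops the LAN client.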