biyahero

Firewall Rules for Packet Filtering

6 posts in this topic

I have a program called SymSMB which runs on a Nokia Smartphone, and enables one to connect the Smartphone to your wireless LAN and then to browse, copy, delete and whatever from the shared directories on one's Windows Desktop...sort of like a remote Windows Explorer.

The Developer of this program indicates that it functions over Port 445 using the "SMB Protocol" and sends packets using TCP, and if Port 445 is blocked the SMB protocol is able to fall back to using Port 139. What has this got to do with Kaspersky.... well I'm getting there.

With that background in mind, I have noticed that my KIS 7.0.0.125 installation has the following settings:

Firewall; Rules for Packet Filtering

Block: Windows "Server Message Block" Activity
    Properties: Local Port
    Rule Description:
        Block inbound (stream) TCP Connections, where:
        Local Port: 445

Block: Windows "Server Message Block" Activity
    Properties: Local Port
    Rule Description:
        Block Inbound & Outbound UDP packets, where:
        Local Port: 445

Now if Kaspersky was *REALLY* blocking SMB activity on Port 445, then my SymSMB program should not function... unless it fell back to using Port 139, (which SMB would do except that the developer indicates that the SymSMB program is not set up to do currently).

So this makes me doubt that KIS is really doing what it says it is doing because if it did my SymSMB program should not function, and it does function perfectly!

The reason this came up is that the SymSMB program would not function to connect to the network shares on my son's computer (who regrettably persists in using Norton) and the problem eventually was traced to a rule in Norton blocking Port 445, and removing that rule fixed the problem. Now however I see that KIS has the same sort of rule, but inexplicably the SymSMB program works fine on my machine(s)... all 5 of them... which are using KIS.

Why? How does it work?

Here is what I see in "Firewall; Kaspersky Network Monitor":

Current Ports Open:

Local Port   Protocol   Application   Local IP Address
445          TCP        System        0.0.0.0
445          UDP        System        0.0.0.0
139          TCP        System        192.168.1.103

If Port 445 is blocked by KIS, why is it showing open in "Kaspersky Network Monitor"??

In a related question, I have also noticed in the "Firewall; Rules for Packet Filtering" these three items:

Localhost Loopback UDP Activity
    Properties: Remote IP Address
    Rule Description:
        Rule is temporarily disabled
        Allow Inbound & Outbound UDP packets, where:
        Remote IP Address is: 127.0.0.1

Localhost Loopback UDP Activity
    Properties: Remote IP Address
    Rule Description:
        Rule is temporarily disabled
        Allow Inbound & Outbound TCP Connections, where:
        Remote IP Address is: 127.0.0.1

PPT Control Activity
    Properties: Remote Port, Local Port
    Rule Description:
        Rule is temporarily disabled
        Allow Outbound (stream) TCP Connections, where:
        Remote Port: 1723
        Local Port: 1024-65535
        Remote IP Address is: 127.0.0.1

Why are these rules "Temporarily Disabled"? Does everyone else have settings like this? Does KIS install itself with these defaults because I am sure I never unchecked these three rules!

Or is this another inexplicable auto-change like how the Parental Control seems to activate itself for myself and a few other users?

Is there any reason why I would *want* to have these three rules temporarily disabled, or if not I guess I will recheck them to remove the temporary disablement!

Those three Allow rules have always been temporarily disabled for me, over here in the provincial wilderness. The Netsky et al. Block rules are also temporarily disabled by default. So I leave them in default, or change them, once in a while to see if there is a perceptible difference. I have experienced none.

> Those three Allow rules have always been temporarily disabled for me, over here in the provincial wilderness. The Netsky et al. Block rules are also temporarily disabled by default. So I leave them in default, or change them, once in a while to see if there is a perceptible difference. I have experienced none.

Thanks richbuff for confirming that those three "Allow" rules are temporarily disabled by default for you and presumably everyone by default.

Now my concern is why SymSMB still works even with those "Block" rules supposedly blocking SMB activity!

Is KIS really not blocking what it claims to be?

The Kaspersky Network Monitor looks at open ports on the local PC, not what is exposed to the LAN or Internet. This means you have a program that is listening on those ports but may not be exposed to outside probes. If you expand the TCP rule to block inbound AND outbound on 445, do you have the same connection ability with SymSMB?

> Now my concern is why SymSMB still works even with those "Block" rules supposedly blocking SMB activity!
>
> Is KIS really not blocking what it claims to be?

I'm not sure, but I think those rules apply to the Internet Zone only...

Paul
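
One way to settle the question raised in this thread, as an added example that is not from any of the posters or from Kaspersky: Network Monitor only shows that something is listening, so the test that matters is a TCP connect attempt made from another device on the LAN. The function names and the loopback stand-in listener are assumptions for illustration; ports 445 and 139 are the ones named above.

```python
import socket
import sys

SMB_PORTS = (445, 139)  # from the thread: SMB over TCP, and its fallback port

def probe_tcp(host, port, timeout=2.0):
    """Classify a TCP port as seen from the machine running this script."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"        # handshake completed: no rule stopped it
    except ConnectionRefusedError:
        return "closed"      # RST received: no listener, or a filter that rejects
    except OSError:
        return "filtered"    # timeout or unreachable: typical of a silent drop
    finally:
        s.close()

def interpret(listening_locally, result):
    """Combine the local listener view (e.g. Network Monitor) with a remote probe."""
    if result == "open":
        return "reachable: no packet rule blocked this path"
    if not listening_locally:
        return "nothing listening: the probe says nothing about the firewall"
    if result == "filtered":
        return "listening but dropped: the block rule applies to this path"
    return "listening but reset: rejected by a filter, or bound to another address"

def demo():
    """Constructed offline check: a loopback listener stands in for the SMB service."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))   # port 0 = let the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    while_listening = probe_tcp("127.0.0.1", port)
    srv.close()
    after_close = probe_tcp("127.0.0.1", port)
    return while_listening, after_close

if __name__ == "__main__":
    if len(sys.argv) > 1:        # usage: python probe.py <address of the Windows PC>
        for p in SMB_PORTS:
            print(p, interpret(True, probe_tcp(sys.argv[1], p)))
    else:
        print(demo())
```

Run it from a second machine on the LAN with the Windows PC's address as the argument, once with the block rule enabled and once with it disabled. A firewall that answers with a reset instead of silently dropping will show as closed, not filtered.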
