Firewall Rule: Default Block Windows 2000 SMB

mickeyboymel

I am running XP sp2 and Norton Internet Security Prof 2004 and seem to be having a lot of trouble with the "Default Block Microsoft Windows 2000 SMB" firewall rule.

It is reporting attacks againt me coming from my ISP (fe0-0.edge1.mgr.mullingar.eircom.net) with a similar address to the random IP which is allocated each time I use Eircomnet Anytime.

Its always been an annoyance,but now I am trying to use an online course from FasNet College,who reccomend turning off the firewall which I do not want to do.

It seems I cannot use the online site without disabling this particular rule,and want to know if it is safe to do so.

My machine is fully patched and always has been.

What are the range of IPs that Eircom use to allocate to dialup users , would it help if i configured a rule to allow this range of addresses?

EDIT: Removed rule completely,ran a security scan from Symantec website and it showed up as having no security issues,so I guess its ok to disable this rule!

Capt'n Midnight

SMB = File and Print sharing, opening this is just asking for trouble...

Have you checked with the college ??

And no don't trust dial up users - due to the cost & speed you can guarantee most are not patched uptodate.

127.0.0.1 is your local machine if that helps

check also www.grc.org for shieldsup for another scan

PS Symantec Antivirus did not stop MSblaster (not really fair since it's firewall related - point is proving you have no known vuneralabilites does not prove you don't have unknown ones)

Do you use IE as your brower ??
Try firefox too to rule out that

mickeyboymel

Thanks for the reply.

With this rule unticked in the firewall settings, I passed all the Symantec, Sheilds Up and Sygate test scans,showing every port stealthed.

Fas Net Colleges only advise is not to use Norton Internet Security at all!!!

I use Firefox whenever I can,but this particular course will only support IE.

ressem

The messages you're getting are almost certainly from viruses.

What part of the course page won't work with Firefox?
(does it use an active X component?)

Your firewall setup is correct.
There is absolutely no reason that you should allow incoming or outgoing file and printer sharing traffic.
(or any incoming traffic, that is not a response to an outgoing request)


If you can identify the component/plugin used by the course, or point to a publically accessible web page that uses the component, then we can probably suggest what outgoing traffic to allow out from your firewall.


Sounds like the course organisers just don't want the hassle of running support for firewalls.

Cake Fiend

Originally posted by ressem
Sounds like the course organisers just don't want the hassle of running support for firewalls.

Exactly the first thing that entered my mind when I read the first post. There is no reason whatsoever that they should need the SMB ports open, bar avoiding the hassle of students moaning about attacks. In fact, it's very possible that Eircom have blocked these ports themselves (due to the pandemonium ensuing the outbreaks of blaster, etc).

mickeyboymel

Thanks for all the replies.The course uses a Netg webplayer with the Microsoft Java Machine or you can use Sun Java Plug in.

You log on to a server on the Fas Net site, (which I have the IP address of) by following a link and then it downloads this applet?? which in turn downloads the relevant course sections as you need them.

I tried to download an entire module and save it on my computer,to avoid time online,but they have it configured not to allow this.

They specify that Norton Internet Security is the problem and that it should be disabled,but to leave your Norton Anti Virus running,which is madness!!

There is a similar demo for ECDL here:http://www.netg.co.uk/DemosAndDownloads/TestDrive/courses.asp

Perhaps if I created a rule to allow the IP of the Fas Net Server?

Sorry for the ignorance,but I know little regarding firewall rules etc, I just try to make sure it is turned on and all protection enabled-if I got these damn courses to work I might actually learn something!!

It is working fine with the rule unticked but I do not want to continue leaving it off as it is there for a purpose.The rule (when active) is configured to block port 445, local microsoft-ds by default in Norton Setup.

ressem

The site you pointed to worked ok here, behind a hardware firewall that forbids all smb / netbios traffic in or out, and just about everything else, so it's just using internet traffic on a standard port http, ftp port (80, 8080, 443, 21 )

looking at the default symantec rules
http://service1.symantec.com/SUPPORT/nip.nsf/pfdocs/2001092609491136?Open

you should be safe from port scanning even with that specific rule switched off.
But I would suggest that you make sure that file and printer sharing is diabled for your internet network connection. Also disable netbios (under the connection's properties/Networking/TCP-ip/Properties/Advanced/wins/netbios setting), and Client for microsoft windows so your PC is not trying to send out invitations on this connection.

These should be the defaults for a new dial up connection but check anyways...

That should be OK.

Do you really have the XP service pack 2 beta, with it's firewall also? Two software firewalls on the same machine can make a mess.
Reputedly MS are having hassle trying to get the 2 to coexist.

mickeyboymel

Thanks Ressem,will set all that up now. I only installed File & Printer Sharing protocol lately as Microsoft Buisness Contact Manager 2003, part of Outlook 2003,required it to run,but as I have a standalone machine its not an issue.

Yes I have SP2 but I have the Firewall disabled as it only works for incoming stuff and not outgoing so Norton is better.

You can allow the new Security Centre to moniter your own firewall and antivirus software, but the Norton products need to be patched to allow this,which Symantec are not going to do until the SP2 is ready for general release.