Forums » Up and Running » Security » Common Firewall False Positives
SYNACK (Just Firewall It), Premium, Mod
join: 2001-03-05, Venice, CA
Re: Common Firewall False Positives

Thanks, this is a good summary. Typically, the firewall timeout is much longer than a few seconds (e.g. on the ZyWALL 10 it is a minute, but adjustable). I have encountered late DNS responses up to three minutes after the outgoing request.
(People with a NAT router and NO ports forwarded will still see those with the LAN IP as destination. The NAT timeout is much longer than the firewall timeout, and NAT still treats them as return traffic.)

Another case that often seems to create false positives in personal firewalls is broadcast DHCP replies (from your-DHCP-server:67 to 255.255.255.255:68).
Quote from RFC 1541:
Normally, DHCP servers and BOOTP relay agents attempt to deliver DHCPOFFER, DHCPACK and DHCPNAK messages directly to the client using unicast delivery. The IP destination address (in the IP header) is set to the DHCP 'yiaddr' address and the link-layer destination address is set to the DHCP 'chaddr' address. Unfortunately, some client implementations are unable to receive such unicast IP datagrams until the implementation has been configured with a valid IP address (leading to a deadlock in which the client's IP address cannot be delivered until the client has been configured with an IP address).

A client that cannot receive unicast IP datagrams until its protocol software has been configured with an IP address SHOULD set the BROADCAST bit in the 'flags' field to 1 in any DHCPDISCOVER or DHCPREQUEST messages that client sends. The BROADCAST bit will provide a hint to the DHCP server and BOOTP relay agent to broadcast any messages to the client on the client's subnet. A client that can receive unicast IP datagrams before its protocol software has been configured SHOULD clear the BROADCAST bit to 0. The BOOTP clarifications document discusses the ramifications of the use of the BROADCAST bit.

Note that personal firewalls correctly ignore DHCP requests of other LAN users. Suppressing broadcast replies, however, seems not to be implemented in most personal firewalls.

In general, anything that contains a broadcast or multicast address (224.0.0.0 - 239.255.255.255) as destination should be summarily ignored!

Of course the firewall programmers are reluctant to add a little bit of AI to clean up/limit the logs, because every log generated justifies their existence to the user.

All this also underscores the need to discourage reporting by new users directly to ISPs. Your service is very valuable in this respect, because it can weed out all the meaningless garbage and focus on the rare gems that might require attention.
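The three classes of noise described in the post above (late DNS replies that arrive after the firewall's UDP timeout but inside the NAT table's longer timeout, broadcast DHCP replies from port 67 to 255.255.255.255:68, and anything addressed to a broadcast or multicast destination) can be filtered out of a firewall log mechanically. The following is an added example, not code from the post or from any firewall vendor; the log format, the timeout values and the sample log lines are all constructed for illustration.

```python
"""Classify personal-firewall log entries that are usually false positives.

Added example (not from the original post). It applies the three cases the
post describes to a constructed, simplified log format:
  <HH:MM:SS> <in|out> <udp|tcp> <src>:<sport> > <dst>:<dport>
"""
import ipaddress
from collections import deque
from datetime import datetime, timedelta

# Assumed timeouts (hypothetical values; adjustable on most gateways).
FIREWALL_UDP_TIMEOUT = timedelta(seconds=60)   # "about a minute" on a ZyWALL 10
NAT_TIMEOUT = timedelta(minutes=5)             # NAT entries outlive the firewall entry

MULTICAST = ipaddress.ip_network("224.0.0.0/4")
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def parse_line(line):
    """Parse one line of the constructed log format into a dict."""
    ts, direction, proto, src, _, dst = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return {
        "ts": datetime.strptime(ts, "%H:%M:%S"),
        "dir": direction,
        "proto": proto,
        "src": ipaddress.ip_address(sip), "sport": int(sport),
        "dst": ipaddress.ip_address(dip), "dport": int(dport),
    }


class FalsePositiveFilter:
    """Stateful classifier: remembers outbound DNS queries so that inbound
    replies can be matched even after the firewall has forgotten them."""

    def __init__(self, lan_net):
        self.lan_net = ipaddress.ip_network(lan_net)
        # Remembered outbound DNS queries: (timestamp, local port, resolver IP).
        self.dns_queries = deque()

    def classify(self, entry):
        ts = entry["ts"]
        # Forget queries older than the NAT timeout: NAT would not pass a
        # reply to them any more, so nothing later can be a "late reply".
        while self.dns_queries and ts - self.dns_queries[0][0] > NAT_TIMEOUT:
            self.dns_queries.popleft()

        if entry["dir"] == "out":
            if entry["proto"] == "udp" and entry["dport"] == 53:
                self.dns_queries.append((ts, entry["sport"], entry["dst"]))
            return "outbound"

        dst = entry["dst"]
        # Case 3: broadcast/multicast destinations are never an attack on
        # this host; case 2 (DHCP server replies) is a special case of it.
        if dst == LIMITED_BROADCAST or dst == self.lan_net.broadcast_address \
                or dst in MULTICAST:
            if entry["proto"] == "udp" and entry["sport"] == 67 and entry["dport"] == 68:
                return "ignore: broadcast DHCP reply"
            return "ignore: broadcast/multicast destination"

        # Case 1: a reply from the resolver we queried, to the port we used,
        # arriving after the firewall timeout but within the NAT timeout.
        if entry["proto"] == "udp" and entry["sport"] == 53:
            for qts, lport, resolver in self.dns_queries:
                if lport == entry["dport"] and resolver == entry["src"]:
                    age = ts - qts
                    if age > FIREWALL_UDP_TIMEOUT:
                        return "ignore: late DNS reply (%ds after query)" % age.seconds
                    return "matched: DNS reply within firewall timeout"
        return "review: unsolicited inbound"


def classify_log(text, lan_net):
    """Run the filter over a whole log and return one label per line."""
    f = FalsePositiveFilter(lan_net)
    return [f.classify(parse_line(line)) for line in text.splitlines() if line.strip()]


# Constructed sample log (not real traffic): a DNS query, a broadcast DHCP
# reply, SSDP multicast, the DNS reply 150 s later, and a genuine probe.
SAMPLE_LOG = """\
12:00:00 out udp 192.168.1.10:1035 > 203.0.113.53:53
12:00:00 in udp 192.168.1.1:67 > 255.255.255.255:68
12:00:05 in udp 192.168.1.20:1900 > 239.255.255.250:1900
12:02:30 in udp 203.0.113.53:53 > 192.168.1.10:1035
12:02:31 in tcp 198.51.100.7:4567 > 192.168.1.10:135
"""

if __name__ == "__main__":
    for line, label in zip(SAMPLE_LOG.splitlines(), classify_log(SAMPLE_LOG, "192.168.1.0/24")):
        print(label.ljust(45), line)
```

Only the last line survives as something worth reporting; the rest is exactly the "meaningless garbage" the post talks about. The DNS matching needs the outbound query to be in the log, which personal firewalls that log only blocked packets will not provide, so in practice the late-reply rule degrades to "UDP from port 53 to a high port".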
© 1999-2009 dslreports.com.