  1. #1
    3 Star Lounger
    Join Date
    Feb 2003
    Location
    England
    Posts
    378
    Thanks
    1
    Thanked 0 Times in 0 Posts

    should I allow this past firewall?

    Can anyone here tell me what this means please? My ISP is dsl.pipex.com. On the ZoneAlarm log it shows blocking packets from them at least once every minute while I'm online (have included screenshot). I'm not sure if I should allow this or what it means and can't find much help from dsl.pipex support - in so much as they don't reply to email enquiry, and user forums don't turn up much either. Grateful for any leads.

  2. #2
    Super Moderator jscher2000's Avatar
    Join Date
    Feb 2001
    Location
    Silicon Valley, USA
    Posts
    23,112
    Thanks
    5
    Thanked 93 Times in 89 Posts

    Re: should I allow this past firewall?

    Can you find the following information in the log:

    Destination Port Number (on your computer)

    It probably is just to the right of the information in your image. Most ports have particular functions assigned to them, so this can help identify the purpose of the incoming packet.

    Incidentally, the fact that the address is in a block assigned to your ISP could simply mean it is from another subscriber, and not from the ISP itself. Very difficult to be certain without more legwork than usually is worth doing.

  3. #3
    3 Star Lounger
    Join Date
    Feb 2003
    Location
    England
    Posts
    378
    Thanks
    1
    Thanked 0 Times in 0 Posts

    Re: should I allow this past firewall?

    Yes, it says destination 81.178,,, etc etc... TCP port 135. From what you say I think I'll leave it blocked. I just thought it was maybe my ISP sending some sort of useful info that I might be missing out on, as it's there every day.

  4. #4
    Super Moderator jscher2000's Avatar
    Join Date
    Feb 2001
    Location
    Silicon Valley, USA
    Posts
    23,112
    Thanks
    5
    Thanked 93 Times in 89 Posts

    Re: should I allow this past firewall?

    No legitimate packets come to port 135 over the Internet, only from a local network. Probably one of the worms exploiting old flaws in Windows XP. Too bad there's no way to inform the sender of what he or she is doing.

  5. #5
    3 Star Lounger
    Join Date
    Feb 2003
    Location
    England
    Posts
    378
    Thanks
    1
    Thanked 0 Times in 0 Posts

    Re: should I allow this past firewall?

    Well, thanks for the information anyway. I will leave things as they are, just annoying to see the ZA log filled with this same address but on the other hand I suppose it shows the firewall doing its job which is reassuring.

  6. #6
    4 Star Lounger
    Join Date
    Oct 2001
    Location
    Bellevue, Nebraska, USA
    Posts
    569
    Thanks
    0
    Thanked 1 Time in 1 Post

    Re: should I allow this past firewall?

    Do you have any other systems on your own network? If you do have more than one PC, it could just be it announcing its presence. Note too that ISP DNS servers like to see what's out there (but they don't really need to know). Since you are on DSL, I would certainly get a router and throw it in line. Even if you only have one PC, throwing a router in line will go far in isolating you from the bad guys as the router's NAT feature will assign you (and any other nodes on your home network) a new IP. The router will assume the IP assigned by the DSL Modem (if DHCP) or by the ISP (if static). That hides your PC from the world - a very good thing.

    BillB
    Bill (AFE7Ret)
    Freedom is NOT Free!
    Heat is the bane of all electronics!

    ─────────────────────

  7. #7
    Plutonium Lounger
    Join Date
    Nov 2001
    Posts
    10,550
    Thanks
    0
    Thanked 7 Times in 7 Posts

    Re: should I allow this past firewall?

    TCP Port 135 is used by Microsoft's RPC (Remote Procedure Call) service. There is no way that your ISP's DNS servers, or any other server at the ISP, should be trying to contact your PC on that address. It is however used by many worms to try to get in.

    Port 135 should definitely be blocked on your external firewall, and almost certainly blocked on your software firewall, unless you are running some very improbable applications across your home network.

    StuartR
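
The triage discussed in this thread (read the destination port, check whether the source merely sits in the ISP's address block, keep LAN-only Windows ports blocked) can be run over an exported log. This is an added example, not part of the original posts: the log layout, the `FWIN`/`FWOUT` tags, the addresses (documentation ranges) and `ISP_BLOCK` are assumptions, and ports 139 and 445 go beyond the port 135 case the thread covers.

```python
import ipaddress
from collections import Counter

# Windows services meant for the local network only; 135 is the thread's case.
PORT_ROLES = {135: "Microsoft RPC endpoint mapper", 139: "NetBIOS session", 445: "SMB"}

# Hypothetical ISP address block (documentation range, not a real allocation).
ISP_BLOCK = ipaddress.ip_network("198.51.100.0/24")

# Constructed sample lines: direction,date,time,source:port,destination:port,protocol
SAMPLE_LOG = """\
FWIN,2005/03/01,09:00:05,198.51.100.77:3312,198.51.100.20:135,TCP
FWIN,2005/03/01,09:01:07,198.51.100.77:3340,198.51.100.20:135,TCP
FWIN,2005/03/01,09:02:09,198.51.100.77:3371,198.51.100.20:135,TCP
FWIN,2005/03/01,09:02:30,203.0.113.9:4420,198.51.100.20:445,TCP
FWOUT,2005/03/01,09:03:00,198.51.100.20:1045,203.0.113.53:53,UDP
not a log line
"""

def split_endpoint(text):
    """Split 'address:port' into (ip_address, int port); raises ValueError if malformed."""
    host, _, port = text.rpartition(":")
    return ipaddress.ip_address(host), int(port)

def summarize_blocked_inbound(log_text, isp_block=ISP_BLOCK):
    """Group blocked inbound entries by (source, protocol, destination port)."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = line.strip().split(",")
        if len(fields) != 6 or fields[0] != "FWIN":
            continue  # skip outbound entries and anything that is not a log line
        try:
            src, _ = split_endpoint(fields[3])
            _, dport = split_endpoint(fields[4])
        except ValueError:
            continue  # malformed address or port
        counts[(str(src), fields[5], dport)] += 1
    report = []
    for (src, proto, dport), hits in counts.most_common():
        report.append({
            "source": src, "protocol": proto, "dest_port": dport, "hits": hits,
            "role": PORT_ROLES.get(dport, "unknown"),
            # True only says the sender shares the ISP's block, e.g. another subscriber.
            "same_isp_block": ipaddress.ip_address(src) in isp_block,
            "lan_only_service": dport in PORT_ROLES,  # keep blocked from the Internet
        })
    return report

if __name__ == "__main__":
    for row in summarize_blocked_inbound(SAMPLE_LOG):
        print(row)
```
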

  8. #8
    Super Moderator jscher2000's Avatar
    Join Date
    Feb 2001
    Location
    Silicon Valley, USA
    Posts
    23,112
    Thanks
    5
    Thanked 93 Times in 89 Posts

    Re: should I allow this past firewall?

    Yeah, the problem with logs is that they get so big so fast. Every few days I get a pop-up notice above my task tray area saying that Outpost Pro is cleaning its log. Even inside our company network, some stupid program broadcasts a packet out every 20 seconds. I've tried to convince my IT guys that this is worth stopping, but there are always bigger issues on the agenda than whether my log is clogged up.

  9. #9
    4 Star Lounger
    Join Date
    Oct 2001
    Location
    Bellevue, Nebraska, USA
    Posts
    569
    Thanks
    0
    Thanked 1 Time in 1 Post

    Re: should I allow this past firewall?

    Although I agree that 135 is used primarily for RPC and bad guys, and I personally have not seen it used elsewhere, I note the following:

    http://www.iss.net/security_center/advice/...135/default.htm

    I note we do not know what OS or other services he is running, if he is (or was) attached to corporate network/exchange server (not likely as it seems this is a home system) or if he does use VPN to connect to a corporate or university email system.
    Bill (AFE7Ret)
    Freedom is NOT Free!
    Heat is the bane of all electronics!

    ─────────────────────

  10. #10
    Super Moderator jscher2000's Avatar
    Join Date
    Feb 2001
    Location
    Silicon Valley, USA
    Posts
    23,112
    Thanks
    5
    Thanked 93 Times in 89 Posts

    Re: should I allow this past firewall?

    I'm curious what the firewall logs for a VPN session. I know that when I make a PPTP connection, my firewall blocks more inbound traffic than normal, in other words, although I am on the office LAN, it is being treated as an untrusted network. But this isn't a good time to experiment, maybe I'll come back to this someday.

  11. #11
    3 Star Lounger
    Join Date
    Feb 2003
    Location
    England
    Posts
    378
    Thanks
    1
    Thanked 0 Times in 0 Posts

    Re: should I allow this past firewall?

    Thanks to all for the useful info... just a single home computer with XP SP2, all updates... even so it appears a router would still be a good thing to have. And finally a reply from Pipex itself confirming that another user's computer is probably infected and is sending out these probes to many others... just as was suggested here.

  12. #12
    5 Star Lounger
    Join Date
    May 2003
    Location
    Pittsburgh, Pennsylvania, USA
    Posts
    629
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: should I allow this past firewall?

    I don't use your firewall, but a lot of firewall programs allow you to put a list of IP addresses on an "always block" list, so you never have to worry about "virus boy" again.

    Hope this helps

    Jim
