Help - problem with Norton Personal Firewall

PostPosted: Tue Jan 28, 2003 9:40 pm
by dodecahedron
today something strange happened all of a sudden.

no communication available, cannot get into any website, email not working from 2 different POP3 servers, but is working on the university's POP3 server, the university is also my ISP. also Norton Live Update is working.

i tracked it down to the Norton Personal Firewall (2002). when i disable this everything seems to work fine.

after some digging this is what i've come up with: when the firewall is enabled and i try to get into cdrlabs.com, it doesn't work, the firewall statistics page shows an outbound blocked TCP connection, under Firewall Rules it appears to be blocked by Rule354.

wtf is Rule354???

going to Norton Personal Firewall -> Personal Firewall pane -> Internet Access Control -> Configure button -> System-Wide Settings, i find Rule354. double clicking on it, it appears that this rule:
Blocks Internet access; blocks Connections to and from other computers; Any computer; TCP and UDP protocols, All types of communications (all ports, local and remote).

if i understand rightly, this rule (when active) blocks all and any TCP communications!!! wtf???

if i uncheck this rule things seem to be back to normal.

any idea what this rule is, why is it here, what is it for, anything?
what happened all of a sudden? this morning everything was working A-OK!

any help much appreciated.
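A small first-match rule model, added here as an illustration and not anything from Norton's product, to show why a rule with the description quoted above (any computer, TCP and UDP, all ports, both directions) stops every connection while it is enabled, and that such a catch-all only makes sense as the last rule in a list. The other two rules, their names and the permit-when-nothing-matches fallback are constructed assumptions.

```python
from dataclasses import dataclass, replace

ALL_PROTOCOLS = frozenset({"tcp", "udp"})

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                       # "permit" or "block"
    direction: str = "any"            # "inbound", "outbound" or "any"
    protocols: frozenset = ALL_PROTOCOLS
    remote_ports: "frozenset | None" = None   # None means all ports
    enabled: bool = True

    def matches(self, direction, proto, port):
        if not self.enabled or self.direction not in ("any", direction):
            return False
        if proto not in self.protocols:
            return False
        return self.remote_ports is None or port in self.remote_ports

    def is_catch_all(self):
        """True for an enabled rule that matches every connection, like Rule354."""
        return (self.enabled and self.direction == "any"
                and self.protocols == ALL_PROTOCOLS and self.remote_ports is None)

def evaluate(rules, direction, proto, port):
    """First enabled match decides; a connection no rule matches is permitted (model assumption)."""
    for rule in rules:
        if rule.matches(direction, proto, port):
            return rule.action, rule.name
    return "permit", None

def shadowed_rules(rules):
    """Names of rules that can never fire because an enabled catch-all precedes them."""
    names, blocked = [], False
    for rule in rules:
        if blocked:
            names.append(rule.name)
        elif rule.is_catch_all():
            blocked = True
    return names

def disable(rules, name):
    """Copy of the list with the named rule unchecked, as the poster did."""
    return [replace(r, enabled=False) if r.name == name else r for r in rules]

# Constructed: Rule354 as the poster describes it, ahead of two ordinary permit rules.
RULE354 = Rule("Rule354", "block")
RULES = [RULE354, Rule("Web browser", "permit", "outbound", frozenset({"tcp"}), frozenset({80, 443})),
         Rule("POP3 mail", "permit", "outbound", frozenset({"tcp"}), frozenset({110}))]
```

Moving the catch-all to the end of the list (`RULES[1:] + [RULE354]`) turns it into a default-deny that still blocks unsolicited inbound traffic without shadowing the permit rules.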

PostPosted: Tue Jan 28, 2003 10:15 pm
by cfitz
Odd. Does Norton have some sort of emergency shutdown rule that it activates if it perceives that the computer is under attack? Is there any chance your system got probed by computers infected with the SQL Slammer worm one too many times, and Norton went into full turtle mode? The timing coincidence is a little bit suspicious.

Since you have found an unexpected change in one of your bastion programs, it would probably be worthwhile to give the system a complete sweep for viruses and trojans. And since you changed your firewall settings, it would probably also be worthwhile to retest its defenses. I use Steve Gibson's Shields Up! test at http://grc.com/default.htm .

cfitz

PostPosted: Wed Jan 29, 2003 12:28 am
by tazdevl
Actually if there was a shift in IP addresses via DHCP lease expiration and you don't approve the new IP as a valid connection, could be part of the problem.

The other thing it could be is program control/permission related. Might want to check and be sure Generic Host Processes for Win32 can connect to the internet otherwise it will shut everything down as you experienced.

IMO if I were you I'd use ZoneAlarm instead, it's a solid firewall with little overhead, easy to use, better than Symantec and free. Symantec has had a couple major holes in the firewall and taken their sweet time to fix it.

PostPosted: Wed Jan 29, 2003 7:11 am
by UALOneKPlus
This is one of the reasons I don't use a software firewall. I used ZoneAlarm last year, and it totally prevented me from connecting to my office network.

I prefer to use a good Anti-Virus program, regularly cleaning my PC with software like Ad-Aware, and a physical firewall like a router.

PostPosted: Wed Jan 29, 2003 9:01 am
by cfitz
One thing that software based firewalls can provide but hardware based ones cannot is verification that trusted programs which use the Internet have not been compromised. Good software based firewalls calculate hashes of program executables, and verify that programs with permission to use the Internet have not been changed (possibly by a virus or trojan). Anti-virus software will help in this regard as well, but it is nice to have a second layer of defense.

Also, software based firewalls make it easy to allow selective access to the Internet. They can be set up so that you are prompted every time a program attempts to connect to the Internet. Of course you wouldn't bother using this feature with programs like IE which need to access the Internet all the time, but I find it useful to control access by programs that don't need to access the Internet on a regular basis but do need to from time to time. It helps me prevent automatic updates, etc.

In general, software based firewalls are better at managing outbound Internet connections than hardware based firewalls.

I've been quite happy with my software based firewall.

cfitz
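An added example (not code from Norton, Kerio or anyone in this thread) of the hash-based check described in the post above: a baseline of SHA-256 digests is taken for programs that have been granted Internet access, and a later check flags any whose executable has changed or gone missing. The file names and the tampering scenario are constructed for illustration.

```python
import hashlib
import os
import tempfile

def sha256_file(path, chunk=1 << 16):
    """Digest a file in chunks so large executables need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def build_baseline(allowed_paths):
    """Record the digest of every program at the moment it is granted Internet access."""
    return {path: sha256_file(path) for path in allowed_paths}

def verify(baseline):
    """Re-check each approved program: 'ok', 'changed' (binary differs from the
    approved one) or 'missing'. A changed program should lose its permission
    until a person re-approves it."""
    report = {}
    for path, expected in baseline.items():
        if not os.path.exists(path):
            report[path] = "missing"
        elif sha256_file(path) != expected:
            report[path] = "changed"
        else:
            report[path] = "ok"
    return report

def demo():
    """Constructed scenario: three 'executables' are approved, then one is
    modified and one deleted before the next check. Returns the report keyed
    by file name."""
    with tempfile.TemporaryDirectory() as d:
        names = ["mailclient.exe", "browser.exe", "updater.exe"]
        paths = [os.path.join(d, n) for n in names]
        for p in paths:
            with open(p, "wb") as f:
                f.write(b"MZ constructed program bytes for " + os.path.basename(p).encode())
        baseline = build_baseline(paths)
        with open(paths[0], "ab") as f:          # simulate a tampered mail client
            f.write(b"\x90\x90 injected code")
        os.remove(paths[2])                      # simulate a removed updater
        return {os.path.basename(p): s for p, s in verify(baseline).items()}

if __name__ == "__main__":
    print(demo())
```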

PostPosted: Wed Jan 29, 2003 5:45 pm
by dodecahedron
thanks guys for answering.

cfitz wrote:Odd. Does Norton have some sort of emergency shutdown rule that it activates if it perceives that the computer is under attack? Is there any chance your system got probed by computers infected with the SQL Slammer worm one too many times, and Norton went into full turtle mode? The timing coincidence is a little bit suspicious.

Since you have found an unexpected change in one of your bastion programs, it would probably be worthwhile to give the system a complete sweep for viruses and trojans.

Norton emergency shutdown - i haven't got a clue.
SQL Slammer worm etc. - what is this? first i've ever heard of it.
i regularly update the Norton Antivirus definitions and sweep the computer - at least once a week. so i believe (and hope!) my system is clean that way.

cfitz wrote: And since you changed your firewall settings, it would probably also be worthwhile to retest its defenses. I use Steve Gibson's Shields Up! test at http://grc.com/default.htm.

i used to go there quite often. actually, for a time i used to test my shields every time i logged into the net - first thing i would do after i dialed up. for a while everything was OK, all tests (shields & ports) were perfect. about half a year ago it started acting up, with various ports open etc. (different ones every time), no consistent behaviour, kept getting reports of a next-level security/privacy threat something to do with a serial number hard-coded into my network card, which i don't have, and it reported different numbers every time. anyway i figured that maybe sitting behind my university's proxy and firewall messes things up, i just don't trust GRC's shields up! results anymore.

tazdevl wrote:Actually if there was a shift in IP addresses via DHCP lease expiration and you don't approve the new IP as a valid connection, could be part of the problem.

sorry, i don't know what you're talking about, don't know what DHCP is. however, i do know that i get a different IP from my ISP (my univ) every time i log in, and so far there has been no trouble at all with this. the IPs are in the same range as always (the first 3 groups of numbers are the same, the 4th is in the same range it always had been).

tazdevl wrote:The other thing it could be is program control/permission related. Might want to check and be sure Generic Host Processes for Win32 can connect to the internet otherwise it will shut everything down as you experienced.

Generic Host Processes for Win32 was configured as automatic, which was the usual setting for this program. anyway i've changed it to "Permit All".

i'll consider trying Zone Alarm, i've heard good things about it.

btw, what do you use cfitz?

so, any other suggestions anyone about what the problem could be?
dodecahedron wrote:going to Norton Personal Firewall -> Personal Firewall pane -> Internet Access Control -> Configure button -> System-Wide Settings, i find Rule354. double clicking on it, it appears that this rule:
Blocks Internet access; blocks Connections to and from other computers; Any computer; TCP and UDP protocols, All types of communications (all ports, local and remote).

any ideas what this Rule354 is? am i correct in my interpretation of its description that it blocks all TCP communications altogether, and so if it's activated i'll have nothing working?
if so, what is it doing in my Firewall settings? how did it get there?

any help much appreciated, TIA!

PostPosted: Wed Jan 29, 2003 8:30 pm
by Spazmogen
dodecahedron:
stay away from Zone Alarm. It's only half the program that NPF is.

My version of NPF 2001 will not work with XP (but it does work with Win 2K Pro) so I'm using Zone Alarm for now. It's a generic (overly simple) program that cannot be configured like NPF.

I've never had NPF change its settings like that. I've manually made changes that caused problems, but I was always able to work through it with the manual.
ftp://ftp.symantec.com/public/english_u ... /npf40.pdf is the manual link.

But I see you were pretty quick figuring out the problem.

Personally, I'll probably get NPF 2003 shortly, once the money starts coming my way again.

I do highly recommend a hardware router (only if you have broadband, but I think you're on dial up) otherwise, use a good software firewall. And you have been.

Stick with NPF. In my opinion, it's far better than Zone Alarm (basic).

PostPosted: Thu Jan 30, 2003 12:28 am
by cfitz
dodecahedron wrote:SQL Slammer worm etc. - what is this?

http://news.zdnet.co.uk/story/0,,t269-s2129330,00.html

I was on the Internet Saturday night when it hit and it lit up my firewall. I must have been probed 100 times.

dodecahedron wrote:for a while everything was OK, all tests (shields & ports) were perfect. about half a year ago it started acting up, with various ports open etc. (different ones every time), no consistent behaviour, kept getting reports of a next-level security/privacy threat something to do with a serial number hard-coded into my network card, which i don't have, and it reported different numbers every time. anyway i figured that maybe sitting behind my university's proxy and firewall messes things up

Yes, if you are sitting behind yet another firewall and accessing the Internet via a proxy, then the probes will likely be testing those defenses rather than your personal computer's. When you go to the GRC and run the test, does it correctly list your machine's IP address as the one it will test? If you inspect the Norton logs, do you see unsuccessful connection attempts when the GRC test is running?


dodecahedron wrote:sorry, i don't know what you're talking about, don't know what DHCP is. however, i do know that i get a different IP from my ISP (my univ) every time i log in, and so far there has been no trouble at all with this. the IPs are in the same range as always (the first 3 groups of numbers are the same, the 4th is in the same range it always had been).

DHCP = Dynamic Host Configuration Protocol - a protocol for assigning IP addresses and other network related information to computers. Since it is dynamic, IP addresses can change. However, in my experience I have never seen a lease fail to renew while a computer is operational. During reboots, yes, but not while in use. It could happen, but I've never seen it.

In any event, I don't think this has anything to do with your problem. You seem to have nailed down exactly what was causing your network interruption - a rule that denies all access both inbound and outbound - and the only question that remains is where did it come from and why did it suddenly go into effect? In addition, if I recall from your other posts, you use a dial-up connection, which doesn't involve DHCP at all. You get a different IP address assignment via the PPP protocol every time you dial, but it will remain constant as long as your connection is established.



dodecahedron wrote:Generic Host Processes for Win32 was configured as automatic, which was the usual setting for this program. anyway i've changed it to "Permit All".

I assume you mean permit all outbound connections, not permit all inbound connections.

dodecahedron wrote:btw, what do you use cfitz?

Kerio: http://www.kerio.com/us/kpf_home.html

dodecahedron wrote:going to Norton Personal Firewall -> Personal Firewall pane -> Internet Access Control -> Configure button -> System-Wide Settings, i find Rule354. double clicking on it, it appears that this rule:
Blocks Internet access; blocks Connections to and from other computers; Any computer; TCP and UDP protocols, All types of communications (all ports, local and remote).
any ideas what this Rule354 is? am i correct in my interpretation of its description that it blocks all TCP communications altogether, and so if it's activated i'll have nothing working?
if so, what is it doing in my Firewall settings? how did it get there?

Yes to the first question, I don't know to the second two. They are the heart of this mystery, in my opinion.

cfitz

PostPosted: Thu Jan 30, 2003 3:21 am
by dodecahedron
@Spazmogen:
thanks for the tips. i'll stay with NPF for now anyway.
thanks for the link to the manual. i used the built-in help, wasn't of too much help. i'll browse the manual, but i'm rather skeptical it will be much better. in the end i more or less figured things out myself by tinkering with the settings, menus etc.

@cfitz:
thanks for the info. read that link about the SQL worm, but like you said i don't think it had anything to do with this.

when i go Shields Up! i always use GRC's IP Agent, it always detects my IP correctly, so that's not the explanation for the weird and inconsistent results i get from it. maybe they are an indication that something has been screwed with my firewall for a long time?
i have never done this, but i'll try looking at the firewall logs, statistics etc. when i do a Shields Up! again.

by the way, just as i type, i ran a GRC's LeakTest and it says i'm OK.

yes, i'm on dial-up :o :x

i checked with a friend of mine who uses Norton Personal Firewall 2003, and he has similar Firewall Rules to the ones in mine (a few more actually) but no Rule354.
i wonder where this Rule354 came from.
is it conceivable that a virus plants such a bogus firewall in my computer? sounds unlikely to me... :o

PostPosted: Thu Jan 30, 2003 3:55 am
by Spazmogen
Is the firewall set to create rules automatically or does it prompt you each time a new program tries to access the internet?

PostPosted: Thu Jan 30, 2003 4:43 pm
by dodecahedron
Spazmogen wrote:Is the firewall set to create rules automatically or does it prompt you each time a new program tries to access the internet?

i have no idea how rules are created.
i don't think they are created automatically.
i think these Firewall Rules are something very static that does not change much, basically just when you install the software and through LiveUpdates. unless you do it manually, of course.

as for prompting every time a program tries to access the internet, that's something different - that's something else, it's called Internet Access Control rules, these rules govern how the firewall responds when an application attempts to connect to the internet. i just leave it on Automatic for all applications (like most of them are by default).