
OT: help with security question



Unfortunately there is a windows box on my network which is running
Norton Firewall, with logs, documentation and a user interface that
seem ambiguous, simplistic and confusing, as if written in some
kind of technical pidgin language.

I was surprised when it reported an incoming ICMP packet by raising
a dialog window asking if I wanted to make a firewall rule for the
source of the packet, which I later thought looks like a router
at some mid-level ISP (ae-1-51.bbr1.Chicago1.Level3.net [4.68.101.1]).
Norton's recommendation was to enable incoming ICMP for that host,
which I did.  I then checked the firewall rules and found a specific
rule just for that host.

Now I'm trying to understand what it all means.  I'm not very
familiar with the details of IP and ICMP, much less windoze boxes
and all their quirks.  For some unknown reason Norton Firewall
wants to distinguish between incoming/outgoing ICMP vs. "bidirectional"
ICMP.  There doesn't seem to be any way to log and inspect the actual
packet headers or contents, so I don't know what kind of ICMP the
firewall detected, nor even the definition of "incoming ICMP."

I don't think any application or service tried to ping the internet
router, because when I manually try to ping another internet host from
the windows host, Norton tries to make a rule for "*outgoing* ICMP," not
"incoming ICMP."  This reinforces my slightly paranoid initial impression
that some internet host is trying to ping or otherwise access the windows
host behind my firewall, and a possible hardware firewall misconfiguration
that allows it to happen.

I double checked my hardware firewall, which is a Sarge box running
guarddog and my ppp link to the local ISP.  It's set to allow ICMP
"service" from the internet to local hosts, but not in the other
direction.  I've always assumed that local hosts cannot automatically
serve protocols, including ICMP, through the firewall without special
configuration.

Thanks for any help, suggestions or insights.  The Debian firewall has
all the tools I might need to track this down, e.g. psad, snort, bastille,
etc.  But I'm still learning how to use them, and I appreciate any help.
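Added example, not from the original post nor from Norton or guarddog: assuming the Debian gateway is told to log forwarded ICMP with the iptables LOG target (a rule such as `iptables -I FORWARD -i ppp0 -p icmp -j LOG --log-prefix "ICMP-IN: "`, which the poster would add themselves), this Python script parses the resulting kern.log lines, which do record the ICMP type and code the Norton UI hides, and tells an ICMP error that quotes one of the LAN host's own outbound packets apart from an unsolicited echo request. The log lines below are constructed for the example.

```python
import re
from collections import Counter

# ICMP type numbers from RFC 792 that a home gateway is likely to see.
ICMP_TYPES = {0: "echo-reply", 3: "destination-unreachable",
              8: "echo-request", 11: "time-exceeded"}

# Constructed sample lines in the format the iptables LOG target writes to
# /var/log/kern.log; the "ICMP-IN:" prefix is assumed to come from --log-prefix.
SAMPLE_LOG = """\
Jun  3 10:01:02 gw kernel: ICMP-IN: IN=ppp0 OUT=eth0 SRC=4.68.101.1 DST=10.0.0.5 LEN=56 TOS=0x00 PREC=0x00 TTL=250 ID=0 DF PROTO=ICMP TYPE=11 CODE=0 [SRC=10.0.0.5 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=1 ID=4 DF PROTO=UDP SPT=33434 DPT=33435 LEN=40 ]
Jun  3 10:01:03 gw kernel: ICMP-IN: IN=ppp0 OUT=eth0 SRC=198.51.100.7 DST=10.0.0.5 LEN=84 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
Jun  3 10:01:04 gw kernel: ICMP-IN: IN=ppp0 OUT=eth0 SRC=198.51.100.7 DST=10.0.0.5 LEN=84 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=2
"""

# Outer header: the first SRC/DST pair, then the ICMP type and code.
OUTER_RE = re.compile(r"SRC=(\S+) DST=(\S+).*?PROTO=ICMP TYPE=(\d+) CODE=(\d+)")
# ICMP errors (types 3, 11, 12) quote the header of the packet that triggered
# them; the LOG target prints that quoted header inside square brackets.
QUOTED_RE = re.compile(r"\[SRC=(\S+) DST=(\S+).*?PROTO=(\S+)")

def parse_icmp_log(text):
    """Turn LOG lines into dicts; lines without an ICMP header are skipped."""
    records = []
    for line in text.splitlines():
        m = OUTER_RE.search(line)
        if not m:
            continue
        itype = int(m.group(3))
        q = QUOTED_RE.search(line)
        records.append({"src": m.group(1), "dst": m.group(2), "type": itype,
                        "code": int(m.group(4)),
                        "name": ICMP_TYPES.get(itype, "type-%d" % itype),
                        "quoted": q.groups() if q else None})
    return records

def classify(rec):
    """Say whether the ICMP answers our own traffic or arrived unprompted."""
    if rec["quoted"] and rec["quoted"][0] == rec["dst"]:
        # The quoted inner packet was sent by the host now receiving the ICMP:
        # a router is reporting on our outbound packet (e.g. a traceroute hop).
        return "error-reply-to-our-traffic"
    if rec["type"] == 8:
        return "unsolicited-echo-request"
    return "other"

def summarize(records):
    """Count (source, classification) pairs: who is sending what."""
    return Counter((r["src"], classify(r)) for r in records)
```

The LOG target is non-terminating, so inserting the logging rule ahead of the guarddog rules records the traffic without changing what is accepted or dropped.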
