My friend Ben Ong says, "No good deed goes unpunished."  I prefer a more
positive bent on life, like the glass is half full.  Please be patient
and read on for a moment.

A firewall is half of the security battle.  A person wants to keep the
bad guys out of a home network so that one can Samba-share a printer or
do other fun things like frag one another in Quake or other LAN games, for
example. The firewall is there for convenience to access web pages for
school work and other important stuff.  Businesses want a firewall to
protect their operation.  A business may need to conduct lots of contact
work through email but still needs other applications that are not
secure.  The firewall protects the insecure applications.  You still
have to worry about trust on the protected side of the firewall.  What
are your mate, children, or in the case of businesses, employees
installing on your client computers?  All the protection that a LEAF
firewall provides can be nullified if a trojan is installed on the safe
side of the firewall.

I think that my situation is the funniest thing there is for several
reasons.  I think I answered Manfred's question, but was corrected on
several key points unrelated to the answer.  Hey, a mailing list won't
let you get too far adrift.  ;-) Thanks Jeff.

Here's the knee slapper.  School started for the kids August 19, 2002. 
The week before my oldest son had a friend stay for an extended sleep
over so they could play LAN games.  My wife was sorry she let the
fragging go on for that many days.  Last weekend my middle son says, "Dad,
the big computer--full tower case--isn't working right."  I asked, "What did
you guys install?"  He said nothing.  I was thinking it was some CD based
game causing a conflict.  So I finally get the computer to boot into MS
Windows.  I had no problems with the PC because I was dual booting into
Red Hat Linux when I used the computer.  I can say this now while
rolling on the floor laughing but good old KaZaa was installed.  I found
some sort of CD game key generator and another downloaded file.

So now I have to counsel my kids about the difference between
downloading GPL software and when other software is considered
intellectual property and can't be tampered with. Fortunately, they were
unsuccessful in creating a copy of Warcraft III. I explained to my son,
you lose or give away that key and your copy of Warcraft III is lost.
Moreover, the company considers it stealing if you try to create
non-archival copies of their CDs. I can't wait.  He's a screenager.  Someday
the little wanker between his legs will wake up and then he'll be
susceptible to social engineering.  I can hear it now,  "Hey dude. 
Here's a picture of Miss April. All you have to do is run this .exe file
to view her." 

Anyhow, I whacked KaZaa right away.  Little did I know that KaZaa was
half the issue.  I started receiving the error "Windows could not
upgrade the file %1 from %2".  This happened after rebooting, when MS
Windows has to install DLL files that are in memory.  I am sure you know
the drill.  There was an extended reboot time with the hard drive light
pegged.  I suspect that I improperly uninstalled KaZaa.  Google pointed
me to Darnit based on the %1 from %2 message above.  I used Add/Remove
Programs to get rid of "SaveNow", "b3d", "CYBERWORLD Browser",
"DownloadWare", and "Media Loads Installer".  These are all the benefits
you receive from KaZaa's version of free software.  Just like Juno,
KaZaa wants to use your unused CPU cycles to solve computing problems
for other people, and at your expense!

Note that Darnit takes a while to load because it is a huge mega-page.

http://and.doxdesk.com/parasite/DownloadWare.html

http://209.68.48.119/inetexplorer/Darnit.htm#Kazaa
Some choice quotes:

"...The EULA, when found, claims that it may clash with various other
software and so if it finds any it will remove it. (!)..."

http://209.68.48.119/inetexplorer/Darnit.htm

The computer still is not sound after the uninstalls.  CommonName may be
installed too.  Well, it is easy to mess up a good Windows install, but
KaZaa can really foul it up beyond all measure. Ah, but there's that cup
half full angle I was looking for.  I guess we will have an install
festival this weekend.  I don't trust my computers after the sleep
over.  My son's friend had no knowledge of the trojans he was installing
for us. Like he's going to read the EULA, let alone understand it.  We'll
reinstall MS Windows and dual boot Red Hat on both computers.  Maybe
I'll even have time to set up an IMAP mail server.  I think I can use
this as an excuse to have my wife answer her email on Linux.  Moreover,
she can use Ximian, which looks like Outlook.  She uses Outlook at work.

What a funny story.  I help answer a question on a mailing list and I
find out days later that I have the same KaZaa thief in my house.  Those
scurvy dogs!  Why does the MS Windows oriented world think they have to
own and know everything about a person?  GPL software is starting to
look better all the time.  KaZaa and MS Media Player are lightweights,
however.  Look what Intel and Microsoft have up their collective sleeve
next: TCPA/Palladium.

http://www.cl.cam.ac.uk/users/rja14/tcpa-faq.html
"1. What are TCPA and Palladium? 

"TCPA stands for the Trusted Computing Platform Alliance, an initiative
led by Intel. Their stated goal is `a new computing
platform for the next century that will provide for improved trust in
the PC platform.' Palladium is software that Microsoft says it
plans to incorporate in future versions of Windows; it will build on the
TCPA hardware, and will add some extra features.
...
"24. So why is this called `Trusted Computing'? I don't see why I should
trust it at all! 

"It's almost an in-joke. In the US Department of Defense, a `trusted
system or component' is defined as `one which can break
the security policy'.
...
"25. So a `Trusted Computer' is one that can break my security? 

"Now you've got it. 

Do you think we'll need LEAF then?

I hope my experience helps someone else. ;-)

Greg Morgan

Greg Morgan wrote:
> 
> Manfred Schuler wrote:
> > Hi all,
> >
> > in the last few weeks I discovered some unknown traffic on my firewall.
> > I inserted a rule to log all traffic on the input and output chains and
> > found that the incoming packet is neither rejected nor denied, but
> > answered by the firewall.
> > I am using a stock eigerstein2beta firewall with no port redirection and
> > no additional ports opened.
> >
> > What I don't understand is why the packets are not denied and who is
> > responding to these packets.
> <snip>
> 
> Manfred,
> 
> I've never seen these ports before, but hey with 65K available port
> numbers, there are all kinds of services available. ;-) I was curious so
> I spent some time looking into your question.  I may or may not have
> answered the question for you, but I guess it did give me a chance to
> get up on the soap box.  >:->  (evil grin)
> 
> A port is also called a service.  The services are defined in
> /etc/services.  A protocol plus a port number and an IP address
> equals a socket that an application uses to talk to another
> application.  All this information is supplied in case you didn't know
> this.
> 
> I'd say that you didn't realize that you are running some sort of peer
> to peer file sharing service, or you are running one and didn't know the
> mechanics of how it works.   Perhaps you are running Kazaa?
> 
> > Aug 18 13:24:08 tunix kernel: Packet log: input - ppp0 PROTO=6 213.168.220.62:2605 80.134.34.59:1214 L=48 S=0x00 I=29010 F=0x4000 T=114 SYN (#1)
> 
> This is the first line you supplied from your log.  80.134.34.59 appears
> to be your current IP address supplied by your ISP. 1214 is the port
> number used by the application, i.e. 80.134.34.59:1214.  Notice too that
> this entry is from the input chain.
> 
> Google coughed this up, with the port showing as Kazaa:
> http://www.ec11.dial.pipex.com/port-num1.shtml#1200
> 1214 Kazaa Morpheus or KaZaA peer to peer music/file sharing
> 
> > Aug 18 13:24:08 tunix kernel: Packet log: output - ppp0 PROTO=6 80.134.34.59:1214 213.168.220.62:2605 L=40 S=0x00 I=14602 F=0x0000 T=255 (#1)
> 
> This is the second line you supplied from your log. It is an output
> chain entry. Your firewall is responding back to IP address
> 213.168.220.62 and port 2605.  The firewall is doing its job as
> NAT--network address translation.  It translates the internal network
> address of your client PC to the firewall's IP address. There are a
> number of services that use ports 2600 through 2606.  The name
> networksciences.net came up on one of the services lists, again supplied
> by Google.  If you look at the information I copied from their web site
> below, networksciences.net appears to supply tools to simplify the task
> of building a client/server application.  I may be speculating wildly
> here, but perhaps Morpheus uses this tool in their application?
> 
> seanecovel at attbi dot com supplied this sometime ago in the thread
> "Re: [leaf-user] Blocking protocols at certain times"
> http://documents.iss.net/whitepapers/X-Force_P2P.pdf
> I found it an interesting read.  The angle of the document is how as a
> network admin do I reduce the risk of all these file and instant
> messaging systems?  The issue in a business is one of trust.  Do you
> really trust that these applications won't become a trojan, etc.  The
> question for you as an individual is, if you are running Morpheus, do
> you want it serving data all the time?  Peer-to-peer applications still
> have a server component to them.  If someone finds an exploitable hole
> in Morpheus they can gain access to your client.  This is why web
> servers are always being patched.  Known holes must be patched or the
> web service will be "owned" by someone else.
> 
> Please just be aware of the issues.  You could become overly paranoid
> and not use any application.  I think one of the most alarming concepts
> is how companies like Microsoft feel it is their right or duty to know
> about you. I'm not sure I'd trust AOL any more on this one. MS Windows
> Media Player is supposed to send data about your media playing habits to
> a web site.  How are you going to block that, if they are using port 80
> that all web servers use?  The firewall does not always block all
> ports.  Some ports are used for other services and should be allowed
> out. I bring this up because the 260x port range appears to have some
> other useful ports.
> 
> Here's the batch file I run on Windows ME every once in awhile to clear
> the MS media database, which includes the number of times you have
> played a song.  The location is in a slightly different place on MS
> Windows 2000 and MS Windows XP.
> @echo off
> rem http://www.w2knews.com/index.cfm?id=352
> Rem kill wmp database
> cd "C:\WINDOWS\All Users\Application Data\Microsoft\Media Index"
> attrib -r *.*
> del WMPLIBrary*.*
> 
> I hope this helps,
> Greg
> 
> P.S. here's the other port info and stuff on Network Sciences.
> 
> http://www.mit.edu/afs/athena/system/rhlinux/config/9.1.10/etc/services
> # Ports numbered 2600 through 2606 are used by the zebra package without
> # being registered.  The primary names are the registered names, and the
> # unregistered names used by zebra are listed as aliases.
> hpstgmgr        2600/tcp        zebrasrv        # HPSTGMGR
> hpstgmgr        2600/udp                        # HPSTGMGR
> discp-client    2601/tcp        zebra           # discp client
> discp-client    2601/udp                        # discp client
> discp-server    2602/tcp        ripd            # discp server
> discp-server    2602/udp                        # discp server
> servicemeter    2603/tcp        ripngd          # Service Meter
> servicemeter    2603/udp                        # Service Meter
> nsc-ccs         2604/tcp        ospfd           # NSC CCS
> nsc-ccs         2604/udp                        # NSC CCS
> nsc-posa        2605/tcp        bgpd            # NSC POSA
> nsc-posa        2605/udp                        # NSC POSA
> netmon          2606/tcp        ospf6d          # Dell Netmon
> netmon          2606/udp                        # Dell Netmon
> 
> http://www.ec11.dial.pipex.com/port-num2.shtml#2600
> nsc = Networksciences.net on port 2605?
> 
> http://networksciences.net/Whats_New__/whats_new__.html
>      A multi-platform subsystem that:
>           conforms to all of the TCP/IP connectivity specifications and
>           expertly performs error recovery.
>           relieves applications programmers of TCP/IP minutia and
>           connectivity requirements.
>           is designed with total unattended operations as an objective.
>
>      A client / server application that:
>           uses the NSC Open Client / Server to concentrate, switch and/or
>           reformat messages between originating clients and target servers.
>           connects to multiple clients that use unlike message formats.


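Reading an ipchains log by hand, as Greg does in his reply above, works for two lines but not for a week of them. What follows is an added example, not code from the thread, from LEAF or from any project the thread names: it parses the ipchains "Packet log:" format and pairs each inbound SYN with an outbound packet sent from the same local socket back to the SYN's source, which is the pattern Greg's answer reads off the two lines. The two sample lines are Manfred's, rejoined onto one line each; the port table is an assumption holding only the 1214/tcp Kazaa entry the thread names; the remote port (2605 here) is treated as the connecting host's ephemeral source port, not as a service.

```python
"""Added example (not code from the thread or from LEAF): parse ipchains
'Packet log:' lines and pair inbound SYNs with the reply sent back out.

The two sample lines are the ones Manfred posted, rejoined onto one line
each.  P2P_PORTS is an assumption and lists only the 1214/tcp Kazaa entry
the thread itself names.
"""
import re
from collections import namedtuple

SAMPLE_LOG = """\
Aug 18 13:24:08 tunix kernel: Packet log: input - ppp0 PROTO=6 213.168.220.62:2605 80.134.34.59:1214 L=48 S=0x00 I=29010 F=0x4000 T=114 SYN (#1)
Aug 18 13:24:08 tunix kernel: Packet log: output - ppp0 PROTO=6 80.134.34.59:1214 213.168.220.62:2605 L=40 S=0x00 I=14602 F=0x0000 T=255 (#1)
"""

P2P_PORTS = {1214: "Kazaa/Morpheus"}          # assumed lookup table
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

# ipchains format: chain, target ('-' = log-only rule, no jump), interface,
# PROTO=, src:sport, dst:dport, L=length, S=tos, I=ip id, F=frag/flags, T=ttl,
# then 'SYN' (printed only when SYN is set and ACK is not) and the rule number.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<len>\d+) S=0x[0-9a-fA-F]+ "
    r"I=\d+ F=0x[0-9a-fA-F]+ T=(?P<ttl>\d+)(?P<rest>.*)$"
)

Packet = namedtuple(
    "Packet", "chain target iface proto src sport dst dport length ttl syn rule")


def parse_line(line):
    """Return a Packet for one ipchains log line, or None for any other line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rest = m.group("rest")
    rule = re.search(r"\(#(\d+)\)", rest)
    return Packet(
        chain=m.group("chain"), target=m.group("target"), iface=m.group("iface"),
        proto=PROTO_NAMES.get(int(m.group("proto")), m.group("proto")),
        src=m.group("src"), sport=int(m.group("sport")),
        dst=m.group("dst"), dport=int(m.group("dport")),
        length=int(m.group("len")), ttl=int(m.group("ttl")),
        syn="SYN" in rest.split(),
        rule=int(rule.group(1)) if rule else None,
    )


def parse_log(text):
    return [p for p in map(parse_line, text.splitlines()) if p is not None]


def reply_hint(reply):
    """Heuristic only.  ipchains prints just the SYN flag, so a reply line
    without 'SYN' may be a SYN/ACK (something accepted the connection) or a
    RST (nothing listening).  A 40-byte segment is an IP header plus a TCP
    header with no options, which is how a RST looks; a SYN/ACK normally
    carries at least an MSS option and is longer."""
    if reply.proto != "tcp":
        return "non-tcp reply"
    if reply.length <= 40:
        return "40-byte segment, probably RST (port closed)"
    return "segment with options, probably SYN/ACK (connection accepted)"


def find_answered_syns(packets):
    """Pair each inbound SYN with an outbound packet from the same local
    socket back to the SYN's source.  Such a pair means the SYN was not
    dropped: either a masqueraded client behind the firewall or the
    firewall's own TCP stack sent something back."""
    outbound = {(p.src, p.sport, p.dst, p.dport): p
                for p in packets if p.chain == "output"}
    hits = []
    for p in packets:
        if p.chain != "input" or p.proto != "tcp" or not p.syn:
            continue
        reply = outbound.get((p.dst, p.dport, p.src, p.sport))
        if reply is None:
            continue
        hits.append({
            "local": f"{p.dst}:{p.dport}",
            "remote": f"{p.src}:{p.sport}",     # remote port is ephemeral
            "service": P2P_PORTS.get(p.dport, "unknown"),
            "log_only": p.target == "-",        # '-' = logged, no verdict
            "reply_hint": reply_hint(reply),
        })
    return hits


if __name__ == "__main__":
    for hit in find_answered_syns(parse_log(SAMPLE_LOG)):
        print(hit)
```

On Manfred's two lines this reports one hit, local socket 80.134.34.59:1214 answering 213.168.220.62:2605, with the logging rule's target shown as "-" (a log-only rule, so the packet went on to later rules for its verdict). The reply_hint field is the caveat a practitioner wants before concluding a file-sharing client is serving data: the log alone cannot distinguish a SYN/ACK from a RST, and a 40-byte reply is what a closed port sends, so confirm with netstat -an on the client (or the firewall) before acting on the port-number lookup.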
------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html