Julius P. Posted February 27, 2007

Is this really normal?

I am behind a wired router, using both the router's firewall and a software firewall. The only port I have forwarded is for utorrent, which I run less than one hour a week. The software firewall is set up to let utorrent traffic through. The forwarded port is not the default one, and I have no problem uploading and downloading to the maximum capacity the ISP doles out (~500-600 down, 30 to 50 up).

When I look at the logs for my software firewall, I find that it has to block 'intrusion attempts' every few seconds on that one port, regardless of whether utorrent is running or not. Obviously, plenty of connections do go through that port when I am down/uploading something, but what on earth are those blocked ones?? And should I really get that many? That's sometimes over 1000 of them an hour!

Is it time to set up port triggering, so that at least this only happens when utorrent is running?

DreadWingKnight Posted February 27, 2007

It's time to ditch your overprotective firewall and get one that isn't so stupid.

It probably assumes any incoming connection attempt is an "intrusion attempt" which is wrong.

Julius P. (Author) Posted February 27, 2007

Well, the firewall does not assume that every connection attempt is an 'intrusion attempt' (talk about alarmist terminology...). When utorrent is running, hundreds of perfectly good and legit connections are being made through the port assigned to utorrent, and the firewall does NOT flag them or in any way attempt to block them. Just some of them are blocked, and they continue even when utorrent is not even running.

DreadWingKnight Posted February 27, 2007

Just judging from the part where you mention that these entries are coming up regardless of whether or not uT is running, I'd say it is the firewall being overly paranoid.

Julius P. (Author) Posted February 27, 2007

O.K., I'll take that, but you probably underestimate my ignorance: what I really would like to know is WHAT those connection attempts being made round the clock through the uT port really are.

DreadWingKnight Posted February 27, 2007

Well, the UDP traffic is for DHT (and cannot be declared a connection attempt, since UDP is connectionless).

Anything TCP would be peers on torrents you have active (or had active) trying to connect to you.

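The following is an added example, not part of any post in this thread: a small log triage that splits blocked entries on the forwarded port into the two kinds described above (UDP datagrams, TCP connection attempts) and separately lists sources that were also blocked on other ports. The log line format, the addresses, and port 45678 are assumptions made up for illustration; the multi-port check is a heuristic, not something stated in the thread.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log; the line format, addresses and port 45678 are
# assumptions for illustration, not output of any real firewall product.
SAMPLE_LOG = """\
2007-02-27 14:03:11 BLOCK UDP 198.51.100.20:6881 -> 192.168.1.10:45678
2007-02-27 14:03:15 BLOCK TCP 203.0.113.7:51234 -> 192.168.1.10:45678
2007-02-27 14:20:02 BLOCK TCP 203.0.113.7:51301 -> 192.168.1.10:45678
2007-02-27 14:41:40 BLOCK UDP 198.51.100.99:40000 -> 192.168.1.10:45678
2007-02-27 15:05:09 BLOCK TCP 192.0.2.66:4000 -> 192.168.1.10:135
2007-02-27 15:05:10 BLOCK TCP 192.0.2.66:4001 -> 192.168.1.10:445
2007-02-27 15:05:11 BLOCK TCP 192.0.2.66:4002 -> 192.168.1.10:45678
2007-02-27 15:30:00 ALLOW TCP 203.0.113.50:50000 -> 192.168.1.10:45678
"""

LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) (\d{2}):\d{2}:\d{2} (BLOCK|ALLOW) (TCP|UDP) "
    r"([\d.]+):\d+ -> [\d.]+:(\d+)$"
)

def triage(log_text, torrent_port):
    """Summarise blocked entries that targeted the forwarded port."""
    by_proto = Counter()
    per_hour = Counter()
    ports_by_src = defaultdict(set)   # every blocked dest port per source
    on_port_srcs = set()              # sources blocked on the torrent port
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines in any other format
        date, hour, action, proto, src, dport = m.groups()
        if action != "BLOCK":
            continue
        ports_by_src[src].add(int(dport))
        if int(dport) == torrent_port:
            by_proto[proto] += 1
            per_hour[f"{date} {hour}:00"] += 1
            on_port_srcs.add(src)
    # Heuristic: a source also blocked on other ports looks like a port
    # sweep rather than leftover swarm or DHT traffic.
    multi = sorted(s for s in on_port_srcs if len(ports_by_src[s]) > 1)
    return {
        "udp_dht_like": by_proto["UDP"],
        "tcp_peer_like": by_proto["TCP"],
        "per_hour": dict(per_hour),
        "multi_port_sources": multi,
    }

if __name__ == "__main__":
    print(triage(SAMPLE_LOG, 45678))
```
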
Julius P. (Author) Posted February 27, 2007

Thanks for helping out with this. It is starting to make sense. You are saying that when uT is not running, peers who previously had a connection with uT on my machine will check out if I am available, so to speak?

But then, what of those that get blocked while uT is running? Why would the firewall allow some (most, really) and not others?

DreadWingKnight Posted February 27, 2007

You may have reached your connection limit for a particular torrent, causing uT to quickly close the connection and subsequently causing the firewall to go into "paranoid mode" and declare it an intrusion attempt because of how short the connection lasted.

Julius P. (Author) Posted February 27, 2007

Mmmh.

I do notice that admin and moderators on these forums are pretty critical of most, if not all firewalls. ('critical' is the mildest I could come up with)

Maybe it is time to share your opinions of what firewall, if any, is not a POS, junk, crap, f**cking paranoid, or worse.

I will change to it in a heartbeat. No joke.

And my apologies if you have done so somewhere else already.

Firon Posted February 28, 2007

A router. Windows firewalls are all useless.

Julius P. (Author) Posted February 28, 2007

Chalk one up for clear advice. It does seem hard to believe that firewalls are useless, doesn't it? As you know, you are not the only ones, though: see http://www.mg.co.za/articlePage.aspx?articleid=275381&area=/insight/insight_tech/ (English), Slashdotted here:
http://it.slashdot.org/article.pl?sid=06/08/24/136257&from=rss

See also here:
http://samspade.org/d/firewalls.html

and here:
http://tooleaky.zensoft.com/

and finally:
http://www.matousec.com/projects/windows-personal-firewall-analysis/leak-tests-results.php

Cheers and thanks.

Firon Posted February 28, 2007

I don't believe -all- firewalls are useless. I've used firewalls on Linux, and they are FAR from useless, because they attempt to control only inbound stuff: packet rates, SYN floods, etc... and do a superb job at it.

I just believe Windows firewalls are, because they're poorly implemented and try to do things that just don't work, such as egress filtering. They break more than they solve, and poorly detect stuff as hack attempts with pretty little popups and flashing.

lorax1284 Posted June 9, 2007

So the upshot is: if you have a hardware firewall (router) and only have ONE port open (is uPNP safe?) the worm messages thrown by NIS are bogus, even the ones that seem to be on computer on my home network trying to communicate with another computer that isn't involved in utorrent (it's on, doing nothing in particular?)

DreadWingKnight Posted June 9, 2007

Pretty much.

Most software firewalls are overly paranoid and/or poorly written. Routers will protect you from 90% of threats.

The remaining 10% of the threats are dangerous enough that a software firewall wouldn't even slow them down.

lorax1284 Posted June 9, 2007

Is this related to use of utorrent, or in general? That is, am I MORE susceptible running utorrent than not? I haven't had any problems to date while running utorrent and having Norton Worm Protection (warning me every 30 seconds when a malicious user finds my IP addy), so are you saying that if I use utorrent WITHOUT any kind of software worm protection running on my Windows XP computer (i.e. no warnings: ignorance is not bliss), I am NO MORE EXPOSED than I would be while running utorrent WITH software Worm Protection (warnings, but not better protection)?

DreadWingKnight Posted June 9, 2007

With or without the protection software, it doesn't matter. You're no more exposed.

The protection software families have a long enough history of false alarms that they aren't recommended for use.

lorax1284 Posted June 9, 2007

Thanks very much... I'm convinced that the only safe place to be on the 'net is behind a hardware firewall under my own control... and using utorrent won't expose me unduly.

Switeck Posted June 9, 2007

There are even hacking exploits to take advantage of weaknesses in software firewalls. You are actually LESS vulnerable without them in those cases. (Buffer overflows can do all kinds of crazy things.)

But a router would block basically ALL of that from reaching your computer.

The biggest problem is Web browser exploits. Your software firewall and even your antivirus software already allow your web browser probably too much access. It does little good to put a deadbolt on a screen door.

This topic is now archived and is closed to further replies.