Unsafe at any Speed: Firewalls once more!

nononsense · May 30, 2004

Quote from ArchAngel:

Never used the Dlink gear but just wondering if maybe it's a nomenclature thing for it.

When you say that the ports were "open" - were they assigned an internal IP address in the firewall to forward activity on the ports to or were general ports forwarding rules just defined?

If there wasn't a valid internal IP assigned to the forwarding rules, then DLink may have just automatically created templates - similar to my Linksys having UPnp templates already defined for the typical services like FTP, Telnet, HTTP, etc. but the templates didn't have a valid IP address defined for the rules - so even though it might look like the ports were "open" by virtue of the template forwarding rules having been defined, but without an actual internal IP address assigned to them, the rules are effectively just inactive templates (presumably created for some perceived user convenience should the user need to later activate them).

Now on the other hand, if DLink actually assigned a valid internal IP address (i.e., the internal IP of a machine you have running on your LAN) to each of the template rules AND enabled them - then they're definitely not following the standard guidelines.
More...

Hi Archangel,

I got some automatically generated and enabled rules like:
(action) Allow
(name) "msmsg (....etc)"
(source) WAN,*
(destination) LAN,192.168.0.102
(protocol) TCP
(port range) 8000-40000

Other rules covered UDP with ranges typically 20000 wide! Different internal LAN addresses appeared, everytime belonging to computers running XP.

You raise some good questions Archangel. I did not experiment further to see what would really get through the firewall. I simply turned the UPNP option off as fast as I could. AFAIK I would say though that indeed the outside access to these computers was open over a wide port range. I never made any attempts to configure port forwarding.

Trying to remain balanced to D-Link, I must say that the DI-624 seems to operate correctly if you operate it as a "clean" firewall. The DWL-g650 (vC2) cardbus wireless 108MHz units are also great, provided you manage to pick up and install original Fujitsu/Atheros drivers and management software. D-Link's software for the g650 (vC2) SIMPLY DOES NOT WORK! This state of affairs is well documented in the forums.

Be good,

nononsense

ArchAngel · May 30, 2004

BTW - you might want to also make sure you have the latest firmware running in the Dlink - according to their website, the DI-624's latest firmware rev level is 2.42 (dated April 6, 2004).

Had another thought - did you install MS Messenger either as part of your XP install (might have been done by the PC vendor) or some application install??

If you did, the MSN Messenger service would create msmsgs network definitions for your PC's network connection (which would appear on the Advanced Settings tab with a list of all other network services that are defined for your PC).

In that case, under UPnP, your PC's networking software would automatically try to coordinate a compatible firewall forwarding rule (since in this case you've got the MS Messenger service enabled and therefore it assumes you want it to be able to work through the firewall - which is the underlying idea of automatic coordination behind UPnP, i.e., you activate some network service on your PC and any other necessary device coordination is done for you automatically).

In that scenario, packets for the MS Messenger ports would be forwarded to your PC where they would hit your PC's MS Messenger service.

Not technically a "hole" since the firewall is technically doing what it's supposed to do under this scenario (the whole idea of UPnP is to streamline and automate multi-device network coordination for the average home user) - in this case, your complaint would be not so much with DLink as whoever/whatever installed and activated the MS Messenger service in the first place (assuming you didn't really want to be running MS Messenger).

I don't use MSN Messenger on any of my PCs, so there are no PC network services defs and no firewall rules for it.

You should be able to turn off UPnP if you want to from the Control Panel's Add/Remove programs->Add/Remove Windows Components->Networking Services->Universal Plug and Play

nononsense · May 30, 2004

Quote from ArchAngel:

BTW - you might want to also make sure you have the latest firmware running in the Dlink - according to their website, the DI-624's latest firmware rev level is 2.42 (dated April 6, 2004).

Had another thought - did you install MS Messenger either as part of your XP install (might have been done by the PC vendor) or some application install??

If you did, the MSN Messenger service would create msmsgs network definitions for your PC's network connection (which would appear on the Advanced Settings tab with a list of all other network services that are defined for your PC).

In that case, under UPnP, your PC's networking software would automatically try to coordinate a compatible firewall forwarding rule (since in this case you've got the MS Messenger service enabled and therefore it assumes you want it to be able to work through the firewall - which is the underlying idea of automatic coordination behind UPnP, i.e., you activate some network service on your PC and any other necessary device coordination is done for you automatically).

In that scenario, packets for the MS Messenger ports would be forwarded to your PC where they would hit your PC's MS Messenger service.

Not technically a "hole" since the firewall is technically doing what it's supposed to do under this scenario (the whole idea of UPnP is to streamline and automate multi-device network coordination for the average home user) - in this case, your complaint would be not so much with DLink as whoever/whatever installed and activated the MS Messenger service in the first place (assuming you didn't really want to be running MS Messenger).

I don't use MSN Messenger on any of my PCs, so there are no PC network services defs and no firewall rules for it.

You should be able to turn off UPnP if you want to from the Control Panel's Add/Remove programs->Add/Remove Windows Components->Networking Services->Universal Plug and Play
More...

Hi Archangel,

Yeap, I had installed firmwire 2.42 before doing anything else.

Like you, Archangel, I don't use MSN messenger and have it turned off on all my XP PC's. BTW I had one Win2000 also going and this one did not get the automatic port openings.

Anyhow, I didn't want to bother with it further, I'm glad I caught it rather quickly and learned my lesson: no UPNP in DI-624 (this may apply to others as well as many brands use identical chipsets inside).

Be good,

nononsense

ArchAngel · May 30, 2004

Yeah, W2K doesn't have UPnP - it was implemented as a part of XP (they also played with it a bit a long time ago for WMe - but that whole thing was a total abortion).

If you'd turned off MSN Messenger, the only thing that might have happened is that it had already created the network defs on the PC before you turned it off and the defs were lying their all the time waiting for a UPnP firewall. Otherwise, the network defs on the PC side shouldn't have been there (unless the Dlink PC adapter driver software created them, but if they did that even though MSN Messenger was already disabled at the time of installation then Dlink is definitely not following the guidelines).

Huh, will have to remember to doublecheck if I ever have to deal with an installation that uses Dlinks.

nononsense · May 30, 2004

Quote from ArchAngel:

Yeah, W2K doesn't have UPnP - it was implemented as a part of XP (they also played with it a bit a long time ago for WMe - but that whole thing was a total abortion).

If you'd turned off MSN Messenger, the only thing that might have happened is that it had already created the network defs on the PC before you turned it off and the defs were lying their all the time waiting for a UPnP firewall. Otherwise, the network defs on the PC side shouldn't have been there (unless the Dlink PC adapter driver software created them, but if they did that even though MSN Messenger was already disabled at the time of installation then Dlink is definitely not following the guidelines).

Huh, will have to remember to doublecheck if I ever have to deal with an installation that uses Dlinks.
More...

Hi Archangel,

Reading that you are a Linksys user, I just stumbled on an amazing little Linux article you may want to take a look at:

http://www.pbs.org/cringely/pulpit/pulpit20040527.html

Be good,

nononsense

lojze · May 30, 2004

Hi,

some of you are really knowledgebale, so here the question:

With all router having their own firewall software, do you still need any other firewall software?

Even if NO, how need firewall to be configured for though use in trading evironment?

nononsense · Jun 1, 2004

Quote from lojze:

Hi,

some of you are really knowledgebale, so here the question:

With all router having their own firewall software, do you still need any other firewall software?

Even if NO, how need firewall to be configured for though use in trading evironment?
More...

Hi lojze,

This question has been thoroughly discussed before. If you don't have a local network, i.e. if you have a single computer hooked up, I would say that a hardware firewall will do.

Your second question is difficult to answer like that. Try to keep everything closed, except what you absolutely need. You will find out that a lot of know how is required. If you look at your actual situation, many questions may arise that require som research to answer.

Be good,

nononsense