Firewall security rule settings

Source: Internet
Author: User

Low: Every application is asked the first time it accesses the network, and approved programs then operate according to the configured rules. The computer fully trusts the LAN: machines inside the LAN may access the services this machine provides (file and printer sharing), but machines on the Internet are prohibited from accessing these services.

Medium: Every application is asked the first time it accesses the network, and approved programs then operate according to the configured rules. Machines on both the LAN and the Internet are prohibited from accessing this machine's network sharing services (file and printer sharing), and machines on the LAN and the Internet cannot see this machine.

High: Every application is asked the first time it accesses the network, and approved programs then operate according to the configured rules. Machines on both the LAN and the Internet are prohibited from accessing this machine's network sharing services (file and printer sharing), and machines on the LAN and the Internet cannot see this machine. In addition, except for ports opened by approved programs, the system shields all ports opened to the outside.

Expansion: Skynet has developed a series of extension rules against Trojans and spyware, to prevent them from listening on TCP or UDP ports or even opening unauthorized services. We upgrade the rule repository based on the latest security trends to provide you with the safest service!

Users can adjust the security level to their own needs, which is convenient and practical.

Note: Skynet's simple security levels are designed to make Skynet easier to use for users who are not familiar with it. Because of this, if you choose a simple security level, Skynet will override the rules in the advanced IP rule settings.

If you click Advanced and then click IP rules, Skynet will automatically reset the IP rules to the default.

Introduction to ports 135 and 445
Port 135 is effectively a Windows NT vulnerability: it is exposed to the external "Snork" attack!!!

For port 135, add a rule on your firewall: deny all incoming UDP packets of this type, that is, packets with destination port 135 and source port 135 or similar. This protects internal systems and prevents external attacks. Most firewalls or packet filters already ship with strict rules that cover this filter rule. Note, however, that some NT applications rely on UDP port 135 for legitimate communication and open your port 135 to talk to the NT RPC service. If this is the case, you must apply the above rule to the systems that originate that traffic (those requiring port 135 communication) and specify that communication from these systems may pass through the firewall, or have it ignored by the intrusion detection system, so that those applications keep working normally.

!!! To protect your information security, we strongly recommend that you install Microsoft's latest Windows patch pack !!!

2. How to understand and disable port 139 (the TCP port provided by NetBIOS)

NetBIOS (Network Basic Input/Output System) is a set of network standards developed by IBM in 1983, which Microsoft continued to develop. Microsoft's client/server network systems are based on NetBIOS. In a network built with Windows NT 4.0, the unique identifier of each host is its NetBIOS name. The system can use the WINS service, broadcasts, and LMHOSTS files to resolve NetBIOS names to the corresponding IP addresses for communication. In such a network, using NetBIOS names for communication is very convenient and fast. But on the Internet it behaves like a backdoor program. Therefore, it is necessary for us to block this terrible vulnerability.


Port 445
It is also a TCP port; in Windows 2000 Server or Windows Server 2003 it plays the same role as port 139, that is, it also provides the file and printer sharing service in the LAN. However, this port is based on the CIFS protocol (Common Internet File System), whereas port 139 provides sharing on the SMB protocol (Server Message Block). Similarly, attackers can establish connections to port 445 to obtain various share information in the target LAN. Port 445 is useless to ordinary users, so we recommend that you disable it.

IGMP packets: IGMP is useless for ordinary Windows users. However, due to kernel defects in the Win9X operating systems, IGMP handling has a vulnerability: someone may exploit it by sending a large number of IGMP packets to a specified host, which can damage the network layer of the Windows operating system and cause a crash. Such packets are recorded in the firewall log.

If your machine is on a LAN, then whenever a machine on your network connects to the LAN it sends out packets to search for other machines on the network, and any machine with TCP/IP installed returns a response packet. Skynet intercepts these irregular packets. Simply put, when you turn on your computer, it automatically searches for other computers on the LAN and sends packets; the other computers send packets when they respond. In the same way, when other computers start up, your computer, being on the same LAN, will certainly receive these packets.
How to close ports 137, 138 and 139
Control Panel - Network Connections - right-click Local Area Connection, Properties - clear the check box in front of File and Printer Sharing for Microsoft Networks.
However, the local machine will still listen for the other party's shares; this is within the normal range.


1. Automatic startup is set, but the process is still missing from the system processes and no icon appears.
Log on to the system with the "Administrators" account, and then it works. This account can be renamed; the specific method is Control Panel --- Administrative Tools ---- Computer Management ----- Local Users and Groups ---- Users ---- right-click Administrators, Rename, change it to anything you like, and remember it: when you log on again, this is the login name. (This method is recommended only when the system process does not exist.)

2. QQ running automatically is also a cause of Skynet failing to run automatically. How to close it: Start Menu --- Programs ---- Startup, just delete the QQ entry there, or change the registry; I will not go into details here. (If I have time, I will add it.)

Or the machine is infected. In general, some Trojans automatically close the firewall and also shut down the Windows firewall.

Let me explain the log. I am on a LAN.
[17:12:41] 172.16.74.9 try to use Ping to detect the local machine,
This operation is rejected.
[17:12:49] received the IGMP packet of 172.16.74.151,
This packet is intercepted.
[17:13:01] 172.16.75.48 trying to connect to the CIFS [445] port of the local machine,
TCP flag: S,
This operation is rejected.
[17:19:42] 220.173.110.194 trying to connect to the CIFS [445] port of the local machine,
TCP flag: S,
This operation is rejected.
[17:18:41] 222.84.159.250 tries to connect to port 135 of the local machine,
TCP flag: S,
This operation is rejected.
[21:34:29] ***. ***. *. *** try to connect to the NetBios-SSN [139] port of the local machine,
TCP flag: S,
This operation is rejected.
That's all. Other entries are interpreted the same way.
In this log the default rules are enabled and the above operations were rejected, so nothing connected to your ports: you are safe. IGMP is broadcast traffic distributed by hosts on the LAN; Windows 98 systems generally do not need it, and if Windows 98 receives it the system can crash, so Skynet intercepts it for you.


About "access violation at address 00413082 in module pfw.exe write at address 0000033c"


If this problem occurs after installing and restarting, uninstall, restart, install, and restart again. It is best to uninstall and then delete the folder. If that does not help, install with the built-in account in safe mode.


What should I do if someone keeps trying to connect to my computer?

As long as you are connected to the network, someone will try to connect to you, just like in the log above; there is no problem unless your firewall shows that the connection was passed. In that case, either you allowed it or your firewall settings are incorrect. Please set the level to medium or high; custom settings are not recommended for new users.

Firewall logs are concise and comprehensive. Yet to many people they have always read like gibberish: TCP, UDP, TCP SYN ...... it makes your head spin. In fact, the log is a very important function of the firewall, but many people pay no attention to it and have never carefully studied its contents. Logs record seemingly boring data, but in fact they provide a large amount of valuable first-hand information that helps us manage and maintain networks better.

So I want to explain what the common Skynet firewall log entries mean. Click the "Log" button in the upper-right corner of the main interface to view the following information:

Generally, each log entry consists of three lines:

The first line:

It records the time the packet was sent or received, the sender's IP address, the peer's communication port, the packet type, and the local communication port;

The second line:

It shows the flags of the TCP packet. There are six flags in total: URG, ACK, PSH, RST, SYN, and FIN. When displaying the flag field, Skynet uses the first letter of each of the six flags, that is, A represents ACK, S represents SYN, and so on. Of these, ACK, SYN, and FIN are the most common; their simple meanings are as follows:

ACK: acknowledgement flag

Indicates that the remote system has successfully received all data.

SYN: synchronization flag

This flag is valid only while a TCP connection is being established. It prompts the TCP server side to check the sequence number.

FIN: end flag

A packet with this flag is used to end a TCP session, but the corresponding port is still open, ready to receive subsequent data.

RST: reset flag. The specific role is unknown.

The third line:

How the packet was handled:

Packets that do not comply with the rules are intercepted or rejected. The message "this operation is rejected" means that the operation was intercepted by the Skynet firewall! In other words, the other party does not learn of your existence!

Packets that comply with the rules but for which the rule is set to monitor are shown as "continue to next rule".




[10:41:30] received the IGMP packet of 218.2.140.13,
This packet is intercepted.

This log entry appears frequently. IGMP stands for Internet Group Management Protocol, an extension of the IP protocol mainly used by an IP host to notify its neighboring hosts of group membership. This entry usually does not mean the computer is under attack. However, hackers can write attack programs that exploit Windows bugs by sending specially crafted packets to the target computer, causing the attacked computer's operating system to blue-screen and crash. Blue screen bombs generally use the IGMP protocol.

Generally, when an IGMP attack is under way, the log shows a large number of IGMP packets from the same IP address.

However, such a message is not necessarily a hacker or virus attack; similar packets from the gateway are often received on a LAN, and some machines running video broadcast services also send such packets to users, so don't panic.


-----------------------------------

[7:11:04] receives a UDP packet of 61.132.112.236,
Local Port: 47624,
Peer Port: 40627
This packet is intercepted.

There is nothing to worry about. Someone is scanning IP addresses, sweeping your IP address segment with IP scanning software. Such software sends TCP or UDP connection requests to different ports of the targeted host to detect what services the target runs, in particular connection requests for ports other than 21, 23, 25, 53, 80, 8000, and 8080. So the Skynet firewall
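As an added illustration (not code from the original article or from Skynet itself), the following Python parser reads entries in the three-line layout described above and applies the two heuristics the text gives: many IGMP packets from one address, and one address probing several local ports. The sample log and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
FLAGS = {"U": "URG", "A": "ACK", "P": "PSH", "R": "RST", "S": "SYN", "F": "FIN"}  # Skynet prints first letters
HEADER = re.compile(r"^\[(\d{1,2}:\d{2}:\d{2})\]\s*(.*)")   # "[hh:mm:ss] <who did what>"
IP = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
PORT = re.compile(r"\[(\d+)\] port|port (\d+)")              # "CIFS [445] port" or "port 135"
# Constructed sample in the three-line layout the text describes (not a real capture).
SAMPLE = """[17:13:01] 172.16.75.48 trying to connect to the CIFS [445] port of the local machine,
TCP flag: S,
This operation is rejected.
[17:13:02] 172.16.75.48 tries to connect to port 135 of the local machine,
TCP flag: S,
This operation is rejected.
[17:14:00] received the IGMP packet of 172.16.74.151,
This packet is intercepted.
[17:14:01] received the IGMP packet of 172.16.74.151,
This packet is intercepted.
"""

def parse_skynet_log(text):
    """One dict per entry: time, peer IP, packet type, local port, TCP flags, action."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:  # first line: time, peer IP, packet type and the local port it targeted
            t, rest = m.groups()
            ip, port = IP.search(rest), PORT.search(rest)
            proto = next((p for p in ("IGMP", "UDP", "Ping") if p in rest), "TCP")
            entries.append({"time": t, "peer": ip.group() if ip else None, "proto": proto,
                            "local_port": int(port.group(1) or port.group(2)) if port else None,
                            "flags": [], "action": ""})
        elif line.startswith("TCP flag:"):  # second line: flag letters, expanded to names
            entries[-1]["flags"] = [FLAGS.get(c, c) for c in line.split(":")[1].strip(" ,")]
        elif line.startswith("Local Port:"):  # UDP entries carry the local port on their own line
            entries[-1]["local_port"] = int(line.split(":")[1].strip(" ,"))
        elif entries and not line.startswith("Peer Port:"):  # last line: how Skynet handled it
            entries[-1]["action"] = line.strip(" ,.")
    return entries

def suspicious_peers(entries, igmp_threshold=2, scan_ports=2):
    """Flag repeated IGMP from one IP and one IP probing several local ports (assumed thresholds)."""
    igmp, ports = defaultdict(int), defaultdict(set)
    for e in entries:
        if e["proto"] == "IGMP":
            igmp[e["peer"]] += 1
        elif e["local_port"] is not None:
            ports[e["peer"]].add(e["local_port"])
    verdict = {ip: "igmp-flood" for ip, n in igmp.items() if n >= igmp_threshold}
    verdict.update({ip: "port-scan" for ip, p in ports.items() if len(p) >= scan_ports})
    return verdict
```

Raise the thresholds for a real log; a couple of IGMP packets from the gateway is the benign case the text describes, while dozens from one address in a short time is the pattern it calls an attack.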
