Smokey's Security Forums
Topic: System Internet Zone - UDP (Read 596 times)

Kicker

  • Jetico Personal Firewall Mod
  • Global Moderator
  • *
  • Offline
  • location: Prague, Czech Republic, Europe
  • Posts: 218
Re: System Internet Zone - UDP
« Reply #4 on: May 13, 2009, 02:43:54 PM »
Hello,
Thanks Tommy! Is there a way to monitor what UDP or TCP requests are made from the local PC? Because I guess stateful inspection is no protection against trojans.


In JPF2, there is an Applications tab which shows which applications have which ports open and how they use them. I think there was something similar in JPF1 as well. If you need more information, then I would recommend using a dedicated diagnostic utility or network sniffer.

Regarding trojans: stateful inspection will allow only responses to allowed requests. So if your rules do not allow the trojan to initiate the connection, stateful inspection won't help the trojan to get out.

BTW, I am not sure how well UDP stateful inspection works in JPF1. In JPF2 it is not yet fully implemented, so I doubt JPF1 would have a robust implementation in place.

Another issue, BTW: what do these checkboxes mean (to the left of a policy)? Some of my policies are unchecked and with an exclamation mark - in the redirector to Application Blocked Zone and System Blocked Zone.


The checkbox means whether the rule is enabled or not. You can use it to quickly enable or disable rules (e.g. for debugging). The exclamation mark means the rule can't be used for some reason. I think that the only possible reason is that the rule is defined using a group, and that group is empty (this happens often, e.g. for the rules "Block Network Blocked Addresses" or "Allow trusted" when the Blocked Networks or Trusted Networks group is empty).
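To make Tommy's and Kicker's explanation concrete, here is a toy model of the two policies from the thread (an added example, not Jetico's code and not from the original posts; the IP addresses are constructed, and the "Allow incoming DNS" rule is modelled exactly as voessli wrote it, matching local port 53). It shows why a blocked outbound request also leaves no state for a "reply" to come back through.

```python
from dataclasses import dataclass

# Constructed addresses for this example; nothing here comes from the thread.
LOCAL_IP, DNS_IP, OTHER_IP = "192.168.1.10", "192.168.1.1", "203.0.113.7"

@dataclass(frozen=True)
class Packet:
    direction: str  # "out" leaves this PC, "in" arrives at it; only UDP is modelled
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class StatefulUdpFirewall:
    """Toy model of the two policies in the thread: an explicit 'Allow incoming DNS'
    rule and a 'Stateful UDP Inspection' rule that only admits replies."""

    def __init__(self, dns_ip, allow_outgoing):
        self.dns_ip = dns_ip
        self.allow_outgoing = allow_outgoing  # the rules that decide what may go OUT
        self.state = set()  # (local_port, remote_ip, remote_port) of requests we sent

    def filter(self, pkt):
        if pkt.direction == "out":
            if not self.allow_outgoing(pkt):
                return "block"  # blocked request: no state, so no reply can come back
            self.state.add((pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return "allow"
        # Rule 1: static allow for UDP from the DNS server to local port 53.
        if pkt.src_ip == self.dns_ip and pkt.dst_port == 53:
            return "allow (explicit DNS rule)"
        # Rule 2: stateful inspection, a reply to a request this PC made earlier.
        key = (pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key in self.state:
            self.state.discard(key)  # one reply per request
            return "allow (stateful)"
        return "block"

def run_scenario():
    """Outgoing rules only permit DNS queries to DNS_IP:53; returns the verdicts."""
    fw = StatefulUdpFirewall(DNS_IP, lambda p: p.dst_ip == DNS_IP and p.dst_port == 53)
    return [
        fw.filter(Packet("out", LOCAL_IP, 51000, DNS_IP, 53)),    # resolver query
        fw.filter(Packet("in", DNS_IP, 53, LOCAL_IP, 51000)),     # its reply -> stateful
        fw.filter(Packet("in", DNS_IP, 53, LOCAL_IP, 53)),        # matches rule 1 only
        fw.filter(Packet("in", OTHER_IP, 4444, LOCAL_IP, 51000)),   # unsolicited -> block
        fw.filter(Packet("out", LOCAL_IP, 52000, OTHER_IP, 4444)),  # not allowed out
        fw.filter(Packet("in", OTHER_IP, 4444, LOCAL_IP, 52000)),   # no state -> block
    ]
```

The last two verdicts are Kicker's point: because the outbound datagram never matched an allow rule, the firewall recorded nothing, and the inbound datagram that pretends to be its answer is dropped like any other unsolicited UDP.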

voessliTopic starter

  • Full Member
  • **
  • Offline
  • Posts: 23
Re: System Internet Zone - UDP
« Reply #3 on: May 13, 2009, 12:30:30 PM »
Thanks Tommy! Is there a way to monitor what UDP or TCP requests are made from the local PC? Because I guess stateful inspection is no protection against trojans.

Another issue, BTW: what do these checkboxes mean (to the left of a policy)? Some of my policies are unchecked and with an exclamation mark - in the redirector to Application Blocked Zone and System Blocked Zone.



Tommy

  • Jetico Forums Team Leader
  • Administrator
  • *
  • Offline
  • location: Buenos Aires - München
  • Posts: 1062
Re: System Internet Zone - UDP
« Reply #2 on: May 12, 2009, 02:02:01 AM »
The first rule explicitly allows incoming UDP traffic from DNS servers on local port 53.
The second one allows any incoming UDP traffic, but only when it was requested from your computer. This is called 'stateful inspection'.

voessliTopic starter

  • Full Member
  • **
  • Offline
  • Posts: 23
System Internet Zone - UDP
« Reply #1 on: May 11, 2009, 06:42:22 PM »
Hello to all!

Here is a quite technical question. I am configuring my DNS settings and there are 2 confusing policies:

Code:
Allow incoming DNS: UDP - incoming packet - DNS IP (Source) - Local Address - Port 53

I think this entry restricts UDP connections to a DNS server on port 53.


Code:
Stateful UDP Inspection: - UDP - any (Event) - any (Source) - any (Destination) - and no port override

I don't understand what that is for; it completely overrides the first entry since no event or addresses are specified. That is, all events and addresses are allowed?

Can someone please explain the difference between both of these policies?

Thanks in advance!

Except where otherwise stated, all content Copyright © 2006 - 2010 Smokey Services™ -- All rights reserved