what firewall rule is THIS?
Updated: 09 Jun 2010 | 8 comments
This issue has been solved. See solution.
The logs this AM are filled with entries regarding a test notebook I'm messing with. I set up a group where the firewall would be off...... and instead, I get this!
Check out that rule name!
| Field | Value |
|---|---|
| Event Type | UDP datagram |
| Event Time | 10/16/2009 07:29:54 |
| Domain Name | IVRS-SEP1 |
| Site Name | IVRS-SEP01 |
| Server Name | VRDSMSEP2 |
| Group Name | My Company\testing-2-nofirewall |
| Computer Name (current) | VR999 |
| Computer Name (when event occurred) | VR99 |
| IP Address (current) | 111.222.180.120 |
| IP Address (when event occurred) | 122.222.180.255 |
| Severity | Minor |
| Remote Host Name | |
| Remote Host IP | 111.222.180.100 |
| Network Protocol | UDP |
| Local Port | 138 |
| Remote Port | 138 |
| Traffic Direction | Inbound |
| Occurrence | 1 |
| Begin Time | 10/16/2009 07:28:52 |
| End Time | 10/16/2009 07:28:52 |
| Application Name | C:/WINDOWS/system32/ntoskrnl.exe |
| Blocked | Not blocked |
| Rule Name | GUI%GUICONFIG#SRULE@NBENABLEYOU#ALLOW-UDP |
| Alert | 0 |
| Location Name | Default |
| User Name | Bill. |
| Domain Name | IVRS-SEP1 |
Comments
Hi
The rule is to allow UDP.
As far as I know which I read from the Help file.
For stateful UDP traffic, when a UDP connection is made, the inbound UDP communication is allowed (same as in your log) even if the firewall rule blocks it. For example, if a rule blocks inbound UDP communications for a specific application, but you choose to allow an outbound UDP datagram, all inbound UDP communications are allowed for the current application session. For stateless UDP, you must create a firewall rule to allow the inbound UDP communication response.
A UDP session times out after 40 seconds if the application closes the port.
Please don't forget to mark your thread solved with whatever answer helped you : ) Rafeeq
HI,
As you mentioned, the client installed on the machine should not have NTP installed. So, just confirm that the driver teefer2 does not appear in the properties of the network card. Also, if a rule is being applied, it could be the "Allow All other IP traffic".
You can check if you can find the rule no. in the logs, as that would be a self-explanatory way to determine the exact conditions being applied to the traffic.
If possible, you can withdraw the firewall policy from that group. You can do so by going to Clients->Policy-> Click on Tasks at extreme right in front of firewall policy-> click on withdraw policy.
Best,
Aniket
I do not see this on any other computer, however, and my main work notebook is in the same group, using the same policies and rules.
This is the line that REALLY has me - look closely at the name of the rule.....
GUI ?
NBENABLEYOU ?
GUICONFIG ?
Actually, NTP is installed, the config just allows it to be "turned off" or disabled by the client, or end user, and the rules are lax when it's enabled.
My sites - http://theamcpages.com & http://antique-engines.com
This rule is client-side.
On unmanaged clients (or clients in mixed mode or client control), in Network Threat Protection, click Options, then Change Settings.
In Settings, click Microsoft Windows Networking.
Here, if you check the box for Browse files and printers on the network, the GUI rule you're seeing is enabled, thus allowing this traffic.
On managed clients this is enabled by default, with the understanding that Administrators can create a rule that will block this access in the firewall policy, if so desired.
Hi
The ones which are created automatically during installation have that format; these are the filenames allowed by default.
It can be broken down into
GUI-
GUI Configuration
Source Rule
Enabled
You are allowing UDP on port number 138 ( ntoskrnl.exe)
Please don't forget to mark your thread solved with whatever answer helped you : ) Rafeeq
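As an added example, not code from this thread or from Symantec: a small Python triage script that reads event records in the key/value layout posted above, flags inbound traffic on the NetBIOS ports that was "Not blocked" by a client-side `GUI%` rule (the kind Shadow describes as enabled by the client's own Windows Networking setting), and splits the rule name on its `%`, `#` and `@` separators as Rafeeq's breakdown does. The sample records and the `---` record separator are constructed for the example.

```python
import re

# Constructed sample records in the key/value layout of the posted log entry.
# The first mirrors the thread's event; the second is a contrasting blocked one.
SAMPLE_EVENTS = r"""
Group Name: My Company\testing-2-nofirewall
Network Protocol: UDP
Local Port: 138
Traffic Direction: Inbound
Blocked: Not blocked
Rule Name: GUI%GUICONFIG#SRULE@NBENABLEYOU#ALLOW-UDP
---
Group Name: My Company\testing-2-nofirewall
Network Protocol: TCP
Local Port: 445
Traffic Direction: Inbound
Blocked: Blocked
Rule Name: Block all other IP traffic
"""

NETBIOS_PORTS = {137, 138, 139}  # name, datagram and session services


def parse_events(text):
    """Split records on '---' and turn each 'Key: value' line into a dict entry."""
    events = []
    for chunk in text.split("---"):
        fields = {}
        for line in chunk.strip().splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        if fields:
            events.append(fields)
    return events


def split_rule_name(name):
    """Break an auto-generated rule name into its %/#/@-delimited segments."""
    return [part for part in re.split(r"[%#@]", name) if part]


def client_side_allows(events):
    """Return inbound NetBIOS events that a client-generated (GUI%) rule let through."""
    hits = []
    for ev in events:
        if ev.get("Blocked") != "Not blocked" or ev.get("Traffic Direction") != "Inbound":
            continue
        if not ev.get("Rule Name", "").startswith("GUI%"):
            continue  # allowed by an admin policy rule, not a client-side one
        if int(ev.get("Local Port", 0)) in NETBIOS_PORTS:
            hits.append(ev)
    return hits
```

Running `client_side_allows(parse_events(SAMPLE_EVENTS))` returns only the port 138 record, which is the case to review against the group's intended policy.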
Ah, so the NB is network browsing, then ENABLE Not sure what the YOU is.......
That explains it mostly - not sure why I don't see this on the other computer in the same group........... but at least now I know it's nothing that is from a source outside of the known world.
Thanks.
Names are somewhat deceptive
I agree, it seems like NB would stand for network browsing...and maybe in this case it does. However, as an example, there's a default block called @NBBLOCK, where NB stands for NetBIOS. So, I wouldn't automatically attach NB to mean network browsing.
...although, in my personal opinion...you'd think we'd make the names of the rules a little more obvious or understandable.
Hi
Maybe it's NetBIOS
Indicating that YOU are allowing NetBIOS UDP in and OUT on port 138?
Please don't forget to mark your thread solved with whatever answer helped you : ) Rafeeq