ChrisCranie
asked on
What traffic should I block/allow on a networked laptop?
Morning,
I'm currently looking at Sophos Client Firewall for our laptop users, but my question is more related to networking in general I think. I'm running it in default mode for now to analyse the type of traffic coming in/out of the client. Our LAN is on 192.168.0.x, 255.255.255.0.
The following entries have been blocked; I'm ideally looking for a brief explanation of what they might be and whether I should be allowing them. The time period (9.03 to 9.10am) included powering on, logging on, and loading up Outlook. I've got VMWare installed on the laptop, but no VMs running at powerup.
09:09:57 netbios IN REFUSED UDP 172.50.10.1 NETBIOS_DGM Block NetBIOS Traffic
09:09:57 netbios IN REFUSED UDP 172.50.10.3 NETBIOS_DGM Block NetBIOS Traffic
09:09:57 netbios IN REFUSED UDP 172.50.10.5 NETBIOS_DGM Block NetBIOS Traffic
09:09:57 netbios IN REFUSED UDP 172.50.10.4 NETBIOS_DGM Block NetBIOS Traffic
09:09:57 netbios IN REFUSED UDP 172.50.10.2 NETBIOS_DGM Block NetBIOS Traffic
09:08:40 svchost.exe IN REFUSED UDP 192.168.1.254 1900 Block All Activity
09:07:23 system IN REFUSED UDP localhost(any) BOOTPC Block All Activity
09:06:54 netbios IN REFUSED UDP 172.50.10.4 NETBIOS_DGM Block NetBIOS Traffic
09:05:42 system IN REFUSED UDP localhost(any) BOOTPC Block All Activity
09:04:32 netbios OUT REFUSED UDP 192.168.234.255 NETBIOS_NS Block NetBIOS Traffic
09:04:29 netbios OUT REFUSED UDP 192.168.198.255 NETBIOS_NS Block NetBIOS Traffic
09:04:27 system IN REFUSED UDP 192.168.198.1 1119 Block All Activity
09:04:27 system IN REFUSED UDP 192.168.234.1 1120 Block All Activity
09:04:18 svchost.exe IN REFUSED UDP 192.168.198.1 1119 Block All Activity
09:04:18 system IN REFUSED UDP localhost 1122 Block Transit Packets
09:04:18 svchost.exe IN REFUSED UDP 192.168.234.1 1120 Block All Activity
09:04:09 system IN REFUSED UDP localhost 1099 Block Transit Packets
09:04:08 system OUT REFUSED IGMP 224.0.0.22 0 Learning Mode
09:04:08 system OUT REFUSED IGMP 224.0.0.22 0 Learning Mode
09:04:08 system OUT REFUSED IGMP 224.0.0.22 0 Learning Mode
09:03:44 netbios OUT REFUSED UDP 192.168.198.1 NETBIOS_NS Block NetBIOS Traffic
09:03:44 netbios OUT REFUSED UDP 192.168.198.1 NETBIOS_NS Block NetBIOS Traffic
09:03:44 netbios OUT REFUSED UDP 192.168.198.1 NETBIOS_NS Block NetBIOS Traffic
09:03:39 netbios OUT REFUSED UDP 192.168.234.1 NETBIOS_NS Block NetBIOS Traffic
09:03:39 netbios OUT REFUSED UDP 192.168.234.1 NETBIOS_NS Block NetBIOS Traffic
09:03:39 netbios OUT REFUSED UDP 192.168.234.1 NETBIOS_NS Block NetBIOS Traffic
09:03:33 netbios OUT REFUSED UDP 192.168.234.255 NETBIOS_DGM Block NetBIOS Traffic
09:03:33 netbios OUT REFUSED UDP 192.168.198.255 NETBIOS_DGM Block NetBIOS Traffic
09:03:09 netbios OUT REFUSED UDP 192.168.234.255 NETBIOS_NS Block NetBIOS Traffic
09:03:06 netbios OUT REFUSED UDP 192.168.198.255 NETBIOS_NS Block NetBIOS Traffic
Regards,
Chris.
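As an added example (not part of the question and not Sophos code), here is a small parser for log lines in the format above that sorts each blocked entry the way a defender would triage it: known service, own LAN, a local virtual-adapter subnet, or something to look into. The sample lines are constructed from the log format, and treating 192.168.198.0/24 and 192.168.234.0/24 as VMware virtual adapter subnets is an assumption drawn from the off-LAN addresses in the log (VMware's NAT and host-only adapters do default to 192.168.x.0/24 ranges).

```python
import ipaddress
import re

# Constructed sample lines in the Sophos Client Firewall log format shown in the question.
SAMPLE_LOG = """\
09:09:57 netbios IN REFUSED UDP 172.50.10.1 NETBIOS_DGM Block NetBIOS Traffic
09:08:40 svchost.exe IN REFUSED UDP 192.168.1.254 1900 Block All Activity
09:07:23 system IN REFUSED UDP localhost(any) BOOTPC Block All Activity
09:04:32 netbios OUT REFUSED UDP 192.168.234.255 NETBIOS_NS Block NetBIOS Traffic
09:04:27 system IN REFUSED UDP 192.168.198.1 1119 Block All Activity
09:04:08 system OUT REFUSED IGMP 224.0.0.22 0 Learning Mode
"""

LAN = ipaddress.ip_network("192.168.0.0/24")  # the LAN stated in the question
# Assumed VMware virtual adapter subnets; check ipconfig on the real laptop instead of guessing.
VMNET = [ipaddress.ip_network("192.168.198.0/24"), ipaddress.ip_network("192.168.234.0/24")]

SERVICES = {  # well-known service names/ports that appear in the log
    "NETBIOS_NS": "NetBIOS name service, UDP 137 (Windows name lookups/broadcasts)",
    "NETBIOS_DGM": "NetBIOS datagram service, UDP 138 (workgroup/browser announcements)",
    "BOOTPC": "DHCP client, UDP 68 (lease traffic from a DHCP server)",
    "1900": "SSDP/UPnP discovery, UDP 1900 (routers and media devices advertising)",
}

LINE_RE = re.compile(r"^(\S+) (\S+) (IN|OUT) (\S+) (\S+) (\S+) (\S+) (.+)$")

def classify(line):
    """Return (direction, source, service, verdict) for one log line, or None if unparsable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    _, _, direction, _, proto, addr, port, _ = m.groups()
    if proto == "IGMP":
        return direction, addr, "IGMP membership report to 224.0.0.22", "benign: multicast housekeeping"
    service = SERVICES.get(port, f"port {port} (look it up in the IANA registry)")
    if addr.startswith("localhost"):
        return direction, addr, service, "benign: loopback / DHCP on the local stack"
    ip = ipaddress.ip_address(addr)
    if ip in LAN:
        return direction, addr, service, "expected: own LAN"
    if any(ip in net for net in VMNET):
        return direction, addr, service, "likely VMware virtual adapter (NAT/host-only), not the physical LAN"
    if not ip.is_private:
        return direction, addr, service, "investigate: non-RFC1918 source reaching the client"
    return direction, addr, service, "investigate: other private subnet (router or another VLAN?)"

def summarize(log=SAMPLE_LOG):
    rows = [classify(l) for l in log.splitlines()]
    return [r for r in rows if r]
```

Run `summarize()` over a pasted log to get one verdict per line; the "investigate" rows are the ones worth a `tracert` or a look at the network adapters before deciding on an allow rule.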
ASKER
Am looking for a little more detail, cdesigner, for example:
1. OUT REFUSED netbios calls from Netbios from an IP which isn't my laptop (e.g. 192.168.198.x). Where could this originate from?
2. IN REFUSED system calls from local IP addresses, but still not on the lan (e.g. 192.168.198.x), similarly where might these originate from?
3. What might OUT REFUSED IGMP traffic be?
Regards,
Chris.
do this in the command line:
tracert 192.168.198.1
and you will see where this address is.
ASKER
Darr247 - thanks for the detailed response and links, this was helpful and has got the ball rolling on how I can investigate links such as this.
Regards,
Chris.
The Internet Assigned Numbers Authority (IANA) has changed the link to the list of well-known/assigned ports...
here are the new URLs:
XML version - http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xml
Text version - http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.txt
The new versions have fields that note when the assignment was made and/or modified, along with a glossary of the acronyms used and a list of contact emails after the ports list.