Re: pf.conf + Norton Antivirus -question

From: Pekka Niiranen (pekka.niiranen_at_wlanmail.com)
Date: 10/26/03


Date: Sun, 26 Oct 2003 10:23:47 +0200
To:  erik@geenspam.vanwesten.net

Well,

I have to wait for the next weekly update.

I have tried to update from my client manually,
so could it be possible, that manual update
(that failed) created a state in my firewall that
server-push used later on to access my harddisk?
I will try to flush states before the next virus update.

I will probably need a separate line in my pf.conf
for logging purposes because our network is filled
with UDP messages. I will report further results.

-pekka-

erik wrote:
> pekka.niiranen wrote:
>
>
>>My current pf.conf is as follows:
>>-----------
>>EXT = "xl0"
>>INT = "xl1"
>>PRIVNETS = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
>>
>># Options
>>set block-policy drop
>>set loginterface $EXT
>>
>># clean fragmented and abnormal packets
>>scrub in all
>>
>># Nat
>>nat on $EXT inet from $INT:network to any -> ($EXT)
>>
>># Default block
>>block all
>>
>># Allow loopbacks
>>pass quick on lo0 all
>>
>># Block access to certain networks
>>block drop in quick on $EXT from $PRIVNETS to any
>>block drop out quick on $EXT from any to $PRIVNETS
>>
>>pass in on $INT from $INT:network to any keep state
>>pass out on $INT from any to $INT:network keep state
>>
>>pass out on $EXT inet proto tcp all modulate state flags S/SA
>>pass out on $EXT inet proto { udp, icmp } all keep state
>>--------
>>
>>However, the Norton Antivirus Corporate Edition 4.1
>>running in my PC (192.168.x.x) connected to INT gets its virus updates
>>automatically from Virus server! The server uses "push" method to
>>write new virus definitions to my harddisk. The ports it uses are:
>>
>>38292 (TCP/UDP) Virus alarms
>>38293 (UDP) Virus updated at server end
>>38037 (TCP/UDP) Virus alarms
>>2967 (UDP) Virus updates at client end
>>
>>What am I missing in my pf.conf? Some port range default
>>setting or what? I would like to stop that "push" coming thru
>>and update manually by myself.
>>
>>-pekka-
>
>
> Are you really 100% sure that your virusscanner is not getting the
> updates itself? Check your firewall logs.
>
> EJ
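
One way to write the separate logging line mentioned above, so that only the antivirus ports are logged rather than all UDP traffic. This is an added example, not part of the original thread; the macro name NAV_PORTS is made up here, the port numbers are the ones listed in the quoted message, and the rules match on destination port only.

```conf
# --- with the other macros at the top of pf.conf ---
# NAV_PORTS is a name made up for this example; the ports are those listed in the thread.
NAV_PORTS = "{ 2967, 38037, 38292, 38293 }"

# --- at the end of the filter rules, after the existing "pass out on $EXT" lines ---
# Drop and log unsolicited packets for the antivirus ports arriving from outside.
block in log quick on $EXT proto { tcp, udp } from any to any port $NAV_PORTS

# Log each new outbound connection to those ports. pf applies the last matching
# rule, so for these ports the two rules below take the place of the general
# "pass out on $EXT" rules and add logging; all other traffic is unaffected.
pass out log on $EXT inet proto tcp from any to any port $NAV_PORTS modulate state flags S/SA
pass out log on $EXT inet proto udp from any to any port $NAV_PORTS keep state
```

Logged packets can be read from the pflog0 interface with `tcpdump -n -e -ttt -i pflog0`. Packets that match an existing state entry are passed without consulting the ruleset, so only the packet that creates a state is logged, and states left over from earlier attempts need to be flushed for the log to show what opens the path.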


