Old 02-27-2004, 05:44 PM   #1 (permalink)
Registered User
 
Join Date: Feb 2004
Posts: 5
sctw98a260 is on a distinguished road
Systems BEFSX41 Firewall Problem (?)

I have 2 home PCs connected to a Linksys BEFSX41 connected to a cable modem. I had no problems getting access to everything I had before the router was installed. However, I have not been able to get the firewall to block all the incoming traffic using the 'Block Incoming Traffic' selection on the Firewall web page/log. Some traffic does get blocked (red lines in the Firewall log page) but most of it (green lines in the Access log page) still gets through the firewall. The traffic that gets through the firewall does not seem to be dependent on the day/time set on the Firewall page Time Filter. It looks as though my computer’s IP address is still visible to the outside world.
I have the following settings:
Advanced Firewall Protection enabled
Block Incoming Traffic set for all 7 days of the week
Block WAN request is enabled.
Connection using DHCP.
No filters or port forwarding set.
DMZ port disabled.
DDNS disabled.
Firmware version 1.44.3, Dec 24 2002.

Any ideas on what I can do to stop traffic from getting through the firewall? I have emailed Linksys twice for help but they can't/won't respond.

Old 02-29-2004, 09:20 AM   #2 (permalink)
Registered User
 
 
Join Date: Oct 2002
Location: Bottom left of U.S.
Posts: 4,714
Bill in SD, CA is on a distinguished road
Welcome to TechIMO!!

Have you done an on-line port scan?

Bill
Old 03-01-2004, 03:28 PM   #3 (permalink)
Registered User
 
Join Date: Feb 2004
Posts: 5
sctw98a260 is on a distinguished road
Yes, I ran the port scan from your URL and it 'failed':
TCP default : CLOSED We received a response packet that no service is available.
All other TCP ports showed as FILTERED.
Does not respond to ICMP ping, TCP ping, or UDP ping.

I then ran the port scan utility from ShieldsUp! and it also failed as many ports appeared as CLOSED, not STEALTHED.

What's really weird is that the results now are much worse than the results I obtained before I installed the router. When I ran ShieldsUp! before repeatedly on the first 1056 ports, only a few ports above port 1000 appeared as CLOSED and this looked like it could have been a testing issue as I received a buffer overrun message. I wasn't too worried about this since I knew I was installing a router.

Have you ever heard of anything like this?
Thanks for your help.
Old 03-01-2004, 05:27 PM   #4 (permalink)
Registered User
 
 
Join Date: Jun 2003
Location: NJ
Posts: 1,096
meese is on a distinguished road
The only traffic coming through the firewall is traffic you initiate. That is, if you access a webpage first, it will send data back to your PC. The object of the firewall is to block un-initiated traffic. Are you sure you're not just seeing traffic you initiated?
Old 03-02-2004, 10:41 AM   #5 (permalink)
Registered User
 
 
Join Date: Oct 2001
Location: Urbana, Illinois
Posts: 1,845
M_Six is on a distinguished road
I think meese is right. Green lines usually indicate outgoing initiated traffic.
__________________
Mark}--->8-8->
If you're not the lead dog, the scenery never changes.
Old 03-02-2004, 11:30 AM   #6 (permalink)
Registered User
 
Join Date: Feb 2004
Posts: 5
sctw98a260 is on a distinguished road
Here are some sample green lines from the log file:
00:01:37 TCP from 212.55.179.166:4212 to XX.XXX.XXX.XXX:3127
00:01:41 UDP from 221.232.160.103:777 to XX.XXX.XXX.XXX:1026
00:05:25 TCP from 4.12.193.243:3608 to XX.XXX.XXX.XXX:20168
00:23:06 UDP from 204.209.71.164:24419 to XX.XXX.XXX.XXX:1029
01:07:11 TCP from 200.66.99.5:1750 to XX.XXX.XXX.XXX:3127
01:13:28 UDP from 207.36.181.131:3456 to XX.XXX.XXX.XXX:1026
01:17:39 TCP from 80.128.129.72:3695 to XX.XXX.XXX.XXX:6129
01:20:25 TCP from 64.1.43.66:220 to XX.XXX.XXX.XXX:6129
01:26:05 TCP from 218.26.187.22:3079 to XX.XXX.XXX.XXX:4899
01:42:08 UDP from 209.123.112.111:13798 to XX.XXX.XXX.XXX:1026
01:42:08 UDP from 209.122.157.209:9599 to XX.XXX.XXX.XXX:1027
02:15:36 UDP from 61.17.107.71:777 to XX.XXX.XXX.XXX:1026
02:16:51 UDP from 204.78.8.141:21562 to XX.XXX.XXX.XXX:1028
02:19:26 UDP from 195.22.22.36:3235 to XX.XXX.XXX.XXX:1434
02:27:24 UDP from 221.232.160.103:777 to XX.XXX.XXX.XXX:1026
02:30:21 TCP from 82.64.66.86:1969 to XX.XXX.XXX.XXX:901
02:32:21 UDP from 64.253.170.82:16819 to XX.XXX.XXX.XXX:1026
02:43:51 TCP from 4.33.202.34:3481 to XX.XXX.XXX.XXX:6129

The XX.XXX.XXX.XXX is my WAN ip address. To me this looks like incoming traffic? These green messages are appearing mainly while I'm not on the computer. To my knowledge I'm not actively soliciting anything from the web (I turned off the Norton Live Update to be sure) while I'm not on the computer, but there could be requests being made that I'm not aware of.

Outgoing requests (say, to look at the weather as an example) look like the following:
02:50:21 TCP from 192.168.1.100:4146 to www.w3.weather.com(63.111.66.24):80
02:50:26 TCP from 192.168.1.100:4148 to www.weather.com(63.111.24.20):80
02:50:26 TCP from 192.168.1.100:4150 to www.w2.weather.com(63.111.24.22):80
02:50:28 TCP from 192.168.1.100:4152 to www.w3.weather.com(63.111.66.24):80

I generally don't see any additional incoming traffic while I'm on the web.

A typical red line of traffic which shows up as being blocked by the firewall looks as follows:
03:42:31 4459/TCP from 64.236.16.138:80 to 192.168.1.100:4459 Invalid TCP packet received, dropping packet
Old 03-02-2004, 01:37 PM   #7 (permalink)
Registered User
 
 
Join Date: Jun 2003
Location: NJ
Posts: 1,096
meese is on a distinguished road
I always have some activity hitting my router on the WAN side. As long as it doesn't get through to the LAN side. You're seeing traffic on the WAN side of your router. This is normal. That stuff is not getting through your router's firewall.
meese is offline   Reply With Quote
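
Added example, not part of any post in this thread: a small Python parser for router log lines in the three shapes quoted in post #6, sorting them by direction and tallying which WAN-side ports were targeted. The sample lines are constructed (documentation-range source addresses and a placeholder hostname, with the WAN address kept masked as in the thread), and the direction labels are this example's own naming.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the three line shapes quoted in the thread; addresses are
# documentation-range placeholders and the WAN address stays masked.
SAMPLE_LOG = """\
00:01:37 TCP from 203.0.113.10:4212 to XX.XXX.XXX.XXX:3127
00:01:41 UDP from 198.51.100.7:777 to XX.XXX.XXX.XXX:1026
01:17:39 TCP from 203.0.113.44:3695 to XX.XXX.XXX.XXX:6129
02:15:36 UDP from 198.51.100.7:777 to XX.XXX.XXX.XXX:1026
02:50:21 TCP from 192.168.1.100:4146 to www.example.com(192.0.2.24):80
03:42:31 4459/TCP from 192.0.2.80:80 to 192.168.1.100:4459 Invalid TCP packet received, dropping packet
"""
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) (?:\d+/)?(?P<proto>TCP|UDP) from "
    r"(?P<src>\S+?):(?P<sport>\d+) to (?P<dst>\S+?):(?P<dport>\d+)(?: (?P<note>.+))?$"
)

def host_ip(field):
    # Accepts 'a.b.c.d' or 'name(a.b.c.d)'; anything else is returned unchanged.
    m = re.search(r"\(([^)]+)\)$", field)
    return m.group(1) if m else field

def is_lan(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:  # the masked "XX.XXX.XXX.XXX" WAN address lands here
        return False
    return any(ip in net for net in RFC1918)

def classify(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, dst = host_ip(m["src"]), host_ip(m["dst"])
    # LAN source: a LAN host sent it. LAN destination: addressed to a host behind NAT.
    direction = "outbound" if is_lan(src) else "inbound-to-lan" if is_lan(dst) else "inbound-to-wan"
    return {"direction": direction, "proto": m["proto"], "dport": int(m["dport"]),
            "dropped": "dropping" in (m["note"] or "")}

def summarize(log):
    # Count lines per direction and the (protocol, port) pairs aimed at the WAN side.
    rows = [r for r in map(classify, log.splitlines()) if r]
    by_dir = Counter(r["direction"] for r in rows)
    wan_ports = Counter((r["proto"], r["dport"]) for r in rows
                        if r["direction"] == "inbound-to-wan")
    return by_dir, wan_ports
```

Direction here comes only from the addresses in each line; a line by itself does not say whether the router forwarded the packet to a LAN host.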
Old 03-02-2004, 01:54 PM   #8 (permalink)
Registered User
 
Join Date: Feb 2004
Posts: 5
sctw98a260 is on a distinguished road
But I am seeing lots of stuff being stopped by my software firewall (Norton) at the same time stuff seems to be at the WAN side of my router ... so I'm assuming this stuff is being passed through the router into the LAN side.
If it is hitting the WAN side of the router and NOT ending up in the router Firewall log then doesn't it have to be passing through the router?
Old 03-02-2004, 02:00 PM   #9 (permalink)
Registered User
 
Join Date: Feb 2004
Posts: 5
sctw98a260 is on a distinguished road
Sorry, forgot to add a sample of what I'm seeing in Norton firewall log:

TCP non-syn/non-ack packet on invalid connection. Packet has been dropped.

Thanks for your help.
Old 03-02-2004, 02:18 PM   #10 (permalink)
Registered User
 
 
Join Date: Oct 2001
Location: Urbana, Illinois
Posts: 1,845
M_Six is on a distinguished road
The 1026 port traffic is pop-up spam.

From Linklogger:

UDP Port 1026
Common Use
UDP port 1026 is registered as Calendar Access Protocol port.

Inbound Scan
Typically inbound traffic to this port is Messenger Spam which is more annoying than anything else, and hence not really worthy of a Link Logger alert, but still there is enough of this traffic that an explanation would be helpful.


Try using Active Ports on your PC with your Norton firewall turned off. See if you get any incoming connections you don't want.
__________________
Mark}--->8-8->
If you're not the lead dog, the scenery never changes.
All times are GMT -6.