Are packets addressed to specific programs?

Infohawk

Lifer
Jan 12, 2002
17,844
1
0
I ask this because my sygate firewall is blocking a lot of traffic. When I
look at the logs, I notice that half of the traffic from benign websites
does not have a program designated with it. Those packets are always
rejected. The other packets do have a program listed in the sygate log and
they are accepted. What is happening here? Do certain packets list a
program to be used with? Or is Sygate not detecting which programs go with
the packets. It seems silly to have so many benign packets being blocked
from sites I want to visit.
 

ScottMac

Moderator, Networking, Elite member
Mar 19, 2001
5,471
2
0
It goes something like this (very abbreviated):

The Ethernet frame has a protocol designator (IP, IPX, Appletalk, etc). Frames get passed "up the stack" to Layer 3 (in this case, IP), IP looks for a designator that describes the Layer 4 protocol (TCP, UDP, ICMP: TCP would be for FTP, for example, UDP might be a video or music multicast, ICMP might be a PING...).

Once TCP, UDP, or ICMP process gets the packet, it looks for a "port ID," like 20, 21 for FTP, 23 for Telnet, 22 for SSH, etc, then passes the packet to that process, who looks for a session number...who passes it up the stack some more until it eventually gets to the originating (or destination) application.

Much of the unsolicited traffic you're seeing is people probing your firewall for an open port (like 137,138,139, 23, 20, 21, 80...etc). If the firewall is set to pass that port inbound (regardless of source), then you can be attacked on that port. The nature of the attack depends on what ports are exposed.

This is the basic premise for only opening ports that are being used, and if open, to use some secondary protection (maybe a software firewall) to keep out unwanted traffic.

Like I said, this is fairly abbreviated. There's a jillion details omitted or slightly modified to keep it short.

FWIW

Scott
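The layered hand-off Scott describes, written out as a small demultiplexer, is easier to see in code. This is an added example, not code from the thread or from Sygate or Kerio: it peels an Ethernet II frame down to the IPv4 protocol number and the TCP/UDP ports, then models what a host-based firewall does next, looking the packet's addresses and ports up in a table of the machine's open sockets to find the owning program. The socket table, the 203.0.113.5 / 192.168.1.10 addresses, the ports and the program names are all constructed for the example; a packet that matches no open socket comes back with no program, which is the "No owner" case in the poster's log.

```python
import struct
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_IPV4 = 0x0800
IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17
PROTO_NAMES = {IPPROTO_ICMP: "ICMP", IPPROTO_TCP: "TCP", IPPROTO_UDP: "UDP"}


@dataclass
class Demux:
    """The fields each layer peeled off: what a host firewall keys its rules on."""
    l4_name: str
    src_ip: str
    dst_ip: str
    src_port: Optional[int]   # None for ICMP, which has no ports
    dst_port: Optional[int]


def parse_frame(frame: bytes) -> Demux:
    """Walk an Ethernet II / IPv4 / (TCP|UDP|ICMP) frame 'up the stack'."""
    # Layer 2: dst MAC (6) | src MAC (6) | EtherType (2). EtherType says which
    # Layer 3 protocol gets the payload (0x0800 = IPv4).
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"not IPv4: EtherType 0x{ethertype:04x}")
    ip = frame[14:]
    # Layer 3: low nibble of byte 0 is the header length in 32-bit words, byte 9
    # is the Layer 4 protocol number, bytes 12..19 are source and destination.
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    src_ip = ".".join(str(b) for b in ip[12:16])
    dst_ip = ".".join(str(b) for b in ip[16:20])
    l4 = ip[ihl:]
    # Layer 4: TCP and UDP headers both begin with 16-bit source and destination ports.
    if proto in (IPPROTO_TCP, IPPROTO_UDP):
        src_port, dst_port = struct.unpack("!HH", l4[:4])
    else:
        src_port = dst_port = None
    return Demux(PROTO_NAMES.get(proto, str(proto)), src_ip, dst_ip, src_port, dst_port)


# Constructed stand-in for the host's socket table: which program owns which
# (protocol, local ip, local port, remote ip, remote port) tuple.
LOCAL_IP = "192.168.1.10"
SOCKET_TABLE = {
    ("TCP", LOCAL_IP, 3421, "203.0.113.5", 80): "iexplore.exe",
    ("TCP", LOCAL_IP, 3422, "203.0.113.5", 80): "iexplore.exe",
    ("UDP", LOCAL_IP, 1025, "192.168.1.1", 53): "svchost.exe",
}


def owner_of(d: Demux) -> Optional[str]:
    """Program owning the socket an inbound packet belongs to, or None ('No owner')."""
    return SOCKET_TABLE.get((d.l4_name, d.dst_ip, d.dst_port, d.src_ip, d.src_port))


def log_line(frame: bytes) -> str:
    """Render a verdict the way an application-aware firewall log would."""
    d = parse_frame(frame)
    owner = owner_of(d)
    verdict = "ACCEPT" if owner else "REJECT"
    return (f"{verdict} {d.l4_name} {d.src_ip}:{d.src_port} -> "
            f"{d.dst_ip}:{d.dst_port} owner={owner or 'No owner'}")


def build_frame(src_ip: str, src_port: int, dst_ip: str, dst_port: int,
                proto: int = IPPROTO_TCP, payload: bytes = b"") -> bytes:
    """Construct a minimal test frame (checksums left zero; the parser ignores them)."""
    if proto == IPPROTO_TCP:      # ports, seq, ack, data offset 5 words, ACK flag, window
        l4 = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x10, 8192, 0, 0)
    elif proto == IPPROTO_UDP:    # ports, length, checksum
        l4 = struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0)
    else:                         # ICMP echo reply: type 0, code 0, checksum, id, seq
        l4 = struct.pack("!BBHHH", 0, 0, 0, 0, 0)
    l4 += payload
    ip_src = bytes(int(o) for o in src_ip.split("."))
    ip_dst = bytes(int(o) for o in dst_ip.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0, ip_src, ip_dst)
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + l4


if __name__ == "__main__":
    print(log_line(build_frame("203.0.113.5", 80, LOCAL_IP, 3421)))               # matches a socket
    print(log_line(build_frame("203.0.113.5", 80, LOCAL_IP, 3429)))               # same host and port, no socket
    print(log_line(build_frame("192.168.1.1", 53, LOCAL_IP, 1025, IPPROTO_UDP)))  # DNS reply to svchost
    print(log_line(build_frame("203.0.113.5", 0, LOCAL_IP, 0, IPPROTO_ICMP)))     # ICMP has no ports
```

The point of the lookup is that an application-aware firewall never sees a program name inside the packet; it derives the name by matching the packet's addresses and ports against sockets the operating system currently has open. Two packets from the same remote address and port can therefore be attributed differently if only one of them matches a socket that still exists at the moment it arrives. The log alone does not say why a given packet failed that match, which is the question left open in this thread.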
 

Infohawk

Lifer
Jan 12, 2002
17,844
1
0
Thanks for your explanation.

I still don't understand what's happening with my firewall logs though.

I understand what port scans and your average unsolicited traffic looks like, but what I'm seeing is different.

My firewalls (I've tried with Kerio and Sygate) are rejecting about half the packets that are coming from sites I want to visit. For example, with internet explorer, if I visit yahoo, the page will load up fine. If I look at the packet log however, I see that half of the packets from the yahoo site have been rejected, which doesn't make sense to me because I've allowed explorer to accept traffic from port 80 and because the sites are loading up fine. The packets that are being accepted have iexplore.exe listed next to them; the packets that are not being accepted do not have any program next to them. In Kerio, the log says that the rejected packets have "No owner."

Where is the problem here? It seems like these packets (again in large quantities from sites I'm trying to visit [not your average random port scan]) should be accepted, but they are not. Just curious, cause my browsing / internet activity is working fine, I just want to understand what's happening under the hood. Why are some packets not being delivered to iexplore.exe properly? Why do some packets get associated with internet explorer on my system while others (that presumably should be, since they come from the exact same ip as the accepted packets and are on the exact same port) are not associated with internet explorer? This is happening with all my programs too, not just internet explorer packets.

Any ideas?

Thanks.