
Posted

Long story made short,

 

Over the last months I have spotted several IP numbers that should not be there while all apps are closed on laptop and desktop machines. I also use the web blocking functions to block an entire domain and an IP range. However, today I ran another packet traffic check and I saw those IPs are back and alive.

 

Firewall setup is simple

- Deny

- In-out all blocked

- Local and Remote.

- Warning

They're still there

What worries me is what seems a parallel connection, separated from the tree of connections I see departing from my router, connecting between two hex IP numbers which I have converted and blocked. They disappeared for a while and they're back.

Am I doing something wrong?

  • Administrators
Posted

Please provide:
- logs collected with ESET Log Collector
- a couple of screenshots with comments that would clarify your concerns

Posted (edited)
8 hours ago, PassingBy said:

What worries me is what seems a parallel connection separated from the tree of connections i see departing from my router and connecting between two hex IP numbers which i have converted and blocked.

I have never seen an IPv4 address shown in hexadecimal format; they are always numeric formatted. However, IPv6 addresses do use hexadecimal format: https://en.wikipedia.org/wiki/IPv6_address .

Edited by itman
Posted
5 hours ago, itman said:

I have never seen an IPv4 address shown in hexadecimal format; they are always numeric formatted. However, IPv6 addresses do use hexadecimal format: https://en.wikipedia.org/wiki/IPv6_address .

I never said they were IPv4. I said I had, on a tree of connections departing from my router, a SEPARATE connection with an initial HEX IP which, converted, was something like 245.8.X.X, towards 1 or in one case 2 shorter HEX addresses, which converted gave the same sort of result. So, once I verified that EIS doesn't take HEX addresses, I created a rule with the decimal version and blocked everything. They showed up again. The same happened when I went to block a domain (www.blablablablah.xx). It was still there a few weeks later. In the case of the web domain, I also made sure to investigate their IP range and make an ad hoc rule in the firewall for the whole IP range.

They're still there, showing on a sniffer similar to Wireshark that I use.

Posted

 

10 hours ago, Marcos said:

Please provide:
- logs collected with ESET Log Collector
- a couple of screenshots with comments that would clarify your concerns

Will try to do it today if I have the time... I might have some screenshots somewhere...

Posted (edited)
10 hours ago, Marcos said:

Please provide:
- logs collected with ESET Log Collector
- a couple of screenshots with comments that would clarify your concerns

Here is a screenshot of what I see. On the right (redacted IPs) you have the normal IPs... they're mostly fine and link directly to my router's IP.

On the left you see the others. That's today's. I have others for other days.

I will try to drop a log later on but i think the screenshot is eloquent enough.

[screenshot attachment: ips.jpg]

Edited by PassingBy
Posted
23 hours ago, Marcos said:

Please provide:
- logs collected with ESET Log Collector
- a couple of screenshots with comments that would clarify your concerns

Hi Marcos

Apparently the log is too big and won't let me upload it. Can you kindly clarify what part you need?

Thanks

  • Administrators
Posted

Please provide complete logs. If necessary, upload the generated archive to a file sharing service and drop me a pm with a download link.

Still it's not clear to me if you are concerned that ESET (ekrn) is communicating with unknown IPv6 addresses or that something else is communicating. Note that in automatic mode all outbound communication is allowed.

Posted

As far as the Eset IP address shown, Robtex lookup shows:

[screenshot attachment: Eset_um05.png (Robtex lookup)]

Of note is Eset server connections are all IPv4 as far as I am aware of.

Are you connecting exclusively via IPv6, since your screenshot only shows a link-local IPv6 address? If so, your router is converting IPv4 addresses to IPv6 ones via the 4to6 tunneling method. This might account for the strange activity you referenced.

Posted
11 hours ago, Marcos said:

Please provide complete logs. If necessary, upload the generated archive to a file sharing service and drop me a pm with a download link.

Still it's not clear to me if you are concerned that ESET (ekrn) is communicating with unknown IPv6 addresses or that something else is communicating. Note that in automatic mode all outbound communication is allowed.

The question is: why, despite my setting rules for the IPs and domains I want to block, do they still show among my connections? Is the firewall blocking, or are those rules inefficient? Am I doing something wrong? If so, what? Bottom line: how can I actually block IPs and domains from EIS?

Posted
3 hours ago, itman said:

As far as the Eset IP address shown, Robtex lookup shows:

[screenshot attachment: Eset_um05.png (Robtex lookup)]

Of note is Eset server connections are all IPv4 as far as I am aware of.

Are you connecting exclusively via IPv6, since your screenshot only shows a link-local IPv6 address? If so, your router is converting IPv4 addresses to IPv6 ones via the 4to6 tunneling method. This might account for the strange activity you referenced.

I am not worried about ESET connections. I am investigating the IPv6 addresses in the screenshot below (often it is just one associated). Since they are set as private and no information is provided, I think it's normal to express a degree of doubt about what they are doing on my machine. The second doubt is why EIS is not blocking them as instructed.

[screenshot attachment: TlLnTnD4J6.jpg]

  • Administrators
Posted

In order to block a communication allowed by the default rules, make sure to put a blocking rule on top of the built-in rules. I would not recommend doing that, or you could easily end up blocking some vital communication needed for the OS or ESET to work.

[screenshot attachment: image.png]

Posted (edited)
20 hours ago, PassingBy said:

I am investigating the IPv6 addresses in the screenshot below (often it is just one associated)

IPv6 addresses in the fe80::/64 range are local link addresses used for connectivity purposes on your device's local subnet. These addresses are not routable beyond the local subnet. Here's a good article that explains this in more detail: https://zivaro.com/what-you-need-to-know-about-ipv6-link-local-addresses/ .

Also note that if your network connection in Eset is set up as trusted, all fe80::/64 addresses are automatically trusted.

-EDIT-

I guess I should also explain the ff02:: connections so you don't bork that processing.

Open a command prompt window and enter the following command:

netsh int ipv6 show neigh

The output displayed will be similar to the following. Note that I have redacted my addresses. Also if you use a Wi-Fi connection, the Interface will be shown as such:

[screenshot attachment: Eset_Netsh.png (redacted netsh output)]

What you observe is the result of DHCPv6 processing assigning via neighborhood discovery local link ff02:: equivalent broadcast addresses for your device and devices on your subnet allocated IPv6 addresses. The only IPv6 addresses not converted are my DHCPv6 DNS server and the fe80:: address assigned to my router/gateway.

 

Edited by itman
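To make the scope distinctions in the post above concrete, here is an added Python example (not from this thread, and not ESET code) that scans a pasted neighbor table or capture for IPv6 addresses and sorts them by scope: fe80::/10 link-local, ff02:: link-local multicast groups (including the solicited-node groups that neighbor discovery uses), unique-local, and everything else. It goes a little beyond the post by also naming the well-known multicast groups and by separating out the addresses that a blocking rule or a lookup could actually apply to. Only the standard-library `ipaddress` module is used; the sample table is constructed for the demonstration and its addresses are placeholders (2001:db8::/32 is the documentation prefix).

```python
"""Classify IPv6 addresses from a neighbor table or capture by scope.

Added example, not code from the thread.  Uses only the standard library.
"""
import ipaddress

# Well-known link-local multicast groups (RFC 4291, RFC 4861, RFC 8415, RFC 6762).
KNOWN_GROUPS = {
    "ff02::1": "all-nodes",
    "ff02::2": "all-routers",
    "ff02::1:2": "all-DHCPv6-relay-agents-and-servers",
    "ff02::fb": "mDNS",
}
SOLICITED_NODE = ipaddress.ip_network("ff02::1:ff00:0/104")  # neighbor discovery
ULA = ipaddress.ip_network("fc00::/7")                       # unique-local
MCAST_SCOPE = {1: "interface-local", 2: "link-local", 5: "site-local",
               8: "organization-local", 0xE: "global"}


def classify(text):
    """Return (category, note) for one IPv6 address string."""
    addr = ipaddress.ip_address(text.strip())
    if addr.version != 6:
        raise ValueError(f"not an IPv6 address: {text}")
    if addr.is_loopback:
        return ("loopback", "::1, never leaves the host")
    if addr.is_link_local:
        return ("link-local", "fe80::/10, not routable beyond the local subnet")
    if addr.is_multicast:
        # The low nibble of the second byte (ff0X::) is the multicast scope.
        scope = MCAST_SCOPE.get(addr.packed[1] & 0x0F, "unknown-scope")
        if addr in SOLICITED_NODE:
            return ("multicast", f"{scope} solicited-node group (neighbor discovery)")
        name = KNOWN_GROUPS.get(addr.compressed)
        return ("multicast", f"{scope} {name} group" if name else f"{scope} group")
    if addr in ULA:
        return ("unique-local", "fc00::/7, private addressing, not routed on the Internet")
    return ("unicast", "reachable beyond the link; worth a lookup if unexpected")


def classify_table(text):
    """Scan free-form text (e.g. a pasted neighbor table) and classify every
    IPv6 address in it.  Tokens that are not IPv6 addresses are skipped, so
    the exact column layout of the tool does not matter."""
    results = {}
    for token in text.split():
        try:
            addr = ipaddress.ip_address(token)
        except ValueError:
            continue
        if addr.version == 6:
            results[addr.compressed] = classify(token)
    return results


def needs_investigation(text):
    """Addresses that are neither link-local, multicast nor loopback: the
    only ones a firewall rule or a reputation lookup would meaningfully apply to."""
    return sorted(addr for addr, (cat, _) in classify_table(text).items()
                  if cat in ("unicast", "unique-local"))


# Constructed sample, loosely modelled on a neighbor table; the addresses are
# placeholders and are not taken from the thread.
SAMPLE = """\
fe80::1                     00-11-22-33-44-55  Reachable (Router)
fe80::aaaa:bbbb:cccc:dddd   66-77-88-99-aa-bb  Stale
ff02::1                     33-33-00-00-00-01  Permanent
ff02::2                     33-33-00-00-00-02  Permanent
ff02::1:2                   33-33-00-01-00-02  Permanent
ff02::1:ff00:1              33-33-ff-00-00-01  Permanent
2001:db8:1::53              00-aa-bb-cc-dd-ee  Reachable
"""

if __name__ == "__main__":
    for addr, (cat, note) in classify_table(SAMPLE).items():
        print(f"{addr:28} {cat:13} {note}")
    print("to investigate:", needs_investigation(SAMPLE))
```

Pasting the real output of `netsh int ipv6 show neigh` into `SAMPLE` works unchanged, because the scanner only looks at whitespace-separated tokens that parse as IPv6 addresses. In the constructed sample only the 2001:db8:1::53 entry survives `needs_investigation`; everything else is link-local or link-scoped multicast and never crosses the subnet boundary.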
  • 2 weeks later...
Posted
On 3/14/2023 at 9:49 PM, itman said:

IPv6 addresses in the fe80::/64 range are local link addresses used for connectivity purposes on your device's local subnet. These addresses are not routable beyond the local subnet. Here's a good article that explains this in more detail: https://zivaro.com/what-you-need-to-know-about-ipv6-link-local-addresses/ .

Also note that if your network connection in Eset is set up as trusted, all fe80::/64 addresses are automatically trusted.

-EDIT-

I guess I should also explain the ff02:: connections so you don't bork that processing.

Open a command prompt window and enter the following command:

netsh int ipv6 show neigh

The output displayed will be similar to the following. Note that I have redacted my addresses. Also if you use a Wi-Fi connection, the Interface will be shown as such:

[screenshot attachment: Eset_Netsh.png (redacted netsh output)]

What you observe is the result of DHCPv6 processing assigning via neighborhood discovery local link ff02:: equivalent broadcast addresses for your device and devices on your subnet allocated IPv6 addresses. The only IPv6 addresses not converted are my DHCPv6 DNS server and the fe80:: address assigned to my router/gateway.

 

Dear Itman, thanks for the kind explanation and for the time you devoted to this.

Understood.

Thanks a million.

R.

 
