August 28th, 2001, 08:51 PM
Unwarranted Incoming Connection Alert
Hi everyone. Can anyone explain to me the warning message I am getting from the Tiny Personal Firewall I have installed on my PC?
First of all some background information:
I am running a Win95 machine, with a recently installed cable modem connection. Due to a change in my working conditions I will be spending most of my online time at home. So, the PC that I used only for my private email in a regular dial-up connection has now been upgraded to become my regular online tool along with it's connection.
This is a sample of the warnings I am getting:
- Incoming Connection Alert !
Remote: dns1.rjo.virtua.com.br [126.96.36.199], port 67 - UDP
Details: Someone from dns1.rjo.virtua.com.br [188.8.131.52], port 67 wants to send UDP datagram to port 68 owned by 'Componente de núcleo Kernel do Windows' on your computer
Details about your application: c:\windows\system\krnl386.exe
The DNS server responsible for this warning is my from my cable connection company. These messages usually appear aproximately 30 minutes after I connect.
I can deny responses three times before their DHCP server kicks me out of my connection explaining that my lease on the IP address has timed out
Can anyone explain to me if this is a normal procedure and if so why is it necessary? And also, why is it that it needs to contact the kernel file of my OS?
August 28th, 2001, 09:26 PM
Good for you. You have found something that is very common amongst users of cable modems. I found a similar problem with an internet provider. They had some sort of sniffing tool that checked to see who was online and using badwidth along with some other features invading my privacy. They were extremely mad when I hooked up a linux system to their connection for some reason they would not mention.
I would like to know what your provider mentions about this undocumented feature. Call them and find out. I am sure that will also be interesting and do tell us all about it.
A little tidbit:
The most interesting call with a cable internet provider I have had is "It is not required to have a firewall on cable internet, your connection is safe. Please remove the software and your problems will end." Why they would say this I don't know. But I do know that if you have cable modems then you better have a firewall of some sort.
August 28th, 2001, 11:05 PM
1st reply from cable company
- The support person I spoke to wouldn't tell me why is it necessary for them to "contact" my OS but he tried to convince me to configure a trust relationship rule between my firewall and his server.
Someone is gonna have to come up with a better reason than that to convince me !
Thanks for your prompt reply Neophyte !
Please keep the comments coming.
Can anyone explain why is this a necessary practice? Can anyone offer a plausible technical reason as to why should I do what the support person suggested?
August 28th, 2001, 11:57 PM
You're on cable.
The incoming connection came from your provider, sending an UDP package (port 67) to your 68 port.
The plausible technical reason:
When you connect to your ISP, you're assigned an IP-adress. This adress is assigned for a certain duration of time (unlike DSL, where you get a new IP each time you connect, and you keep that IP untill you disconnect).
The 67 and 68 ports are the Bootstrap Protocol Server (port 67, your provider) and the Bootstrap Protocol Client (port 68, your machine).
The BOOTP SERVER (managed by your ISP) automatically assigns an IP-adress from a pool of adresses for a certain duration of time. Your machine asks for an IP, your ISP sends one.
The Conclusion: don't let your firewall block this incoming packets!
The Objection: your firewall!!! It blocks the incoming packets (your ISP wanting to send you an IP), but NOT the outgoing ones (the requests for an IP)?
As for your problem ('These messages usually appear aproximately 30 minutes after I connect. I can deny responses three times before their DHCP server kicks me out of my connection explaining that my lease on the IP address has timed out '): your ISP wants to reassign the IP's (for your own security, amongst other reasons...). You deny response? You'll get kicked!