Firewall Configuration

LisaAJohnson
edited February 2012 in General talk

I have been unsuccessful, in properly configuring my Firewall to block individual IP addresses.


I am running Bit Defender Internet Security v10.


I tested this failure, by intentionally blocking a static IP address on my local network.


To attempt to configure the block of this static IP address ..I did the following:


SELECT FIREWALL TAB


SELECT ADD RULE


APPLICATION INFO, elected the default setting of "ANY"


ACTION INFO, selected DENY


NETWORK EVENTS, elected the default of "ALL"


ADDRESSES INFO


DIRECTION = BOTH


PROTOCOL = ANY


SOURCE ADDRESS = The IP address that I want to block


TYPE = HOST


What am I configuring wrong?


In the above configuration, I intentionally DID NOT INCLUDE information relating to the "DESTINATION ADDRESS" because I already have DENY MULTICAST TRAFFIC enabled.


This is extremely maddening ..and any response to this forum post, would be greatly appreciated!

Comments

  • Apache2k
    edited February 2012


    Hi,


    I'm very new in this forum but I try to help u if I can :) others, please join. :)


    Please check if your ip (the one u want to ban) turned zero. Example ip is 192.168.2.123 turns to 192.168.2.0


    As far as I know, if the last number is zero ( 0 ) this means the whole network? Do u have any other rules where u gave full rights to another ip? That one might make a conflict and the last rule is maybe not taking any action..


    Did you also select Class C Network?

  • alexcrist
    alexcrist
    edited July 2007

    Hi LisaAJohnson,


    What you did wrong is that the IP you want to block should be written in the Destination field. When you click Add new rule, you'll define a rule for Outbound. That means those settings apply for applications that want to access the network.


    In other words: to ban a single IP, try this:


    Application: Any


    Action: Deny


    Network Events: All


    Direction: Both


    Protocol: Any


    Source: <you can select Local>


    Destination: <the IP you want to block>


    When you click OK, BitDefender will automatically create another rule, for Inbound, in which the IP you want to ban is written in the Source field. To check this, just click Edit Profile (it is under the Traffic list) and check the two lists.


    Also, to fully block that IP, you have to move the two rules (for Inbound and Outbound) on the top of the lists in the Edit Profile window. To do this, select the rules and click the Move to Top button in each list.


    Please post if this worked.


    Cris.


    Edit: Please try to write with a normal size text. Writing with such big letters is very inaesthetic and tiresome.

  • LisaAJohnson
    edited February 2012

    Thank You for reviewing my concerns, and providing valuable feedback.


    HOWEVER! I did make a full attempt to try each of the above suggestions (from Cris and Apache2k) ..and NEITHER OF THE SUGGESTIONS WORKED.


    I was still able to gain access to the machine that was running BitDefender Internet Security v10.


    This should really be a "no brainer"


    And to be honest with you, I would have always assumed that the SPECIAL RULES that I had created were working properly, until a few days ago ..when I noticed that someone was attempting to flood my machine with "Administrator" login requests, so I snagged their IP address and added them to the BitDefender "DENY" rule.


    With that said, I noticed 30 seconds later ..that they were still connected to my machine (and the second clue was the absence of NO POP UP NOTIFICATIONS from BitDefender)


    To test the BitDefender Internet Security v10 console, I decided to block one of my own IP addresses, and when this failed ..I began to wonder.


    Each machine on my network is configured with its own permissions and levels of security. So, just because I am the administrator ..does not mean that all actions are granted access. (so this isn't the problem)


    YES, YES, the "firewall is enabled" ..so what other setting could I possibly be missing here?


    I appreciate your feedback.

  • Hi LisaAJohnson,


    I have no way of testing this, because I have a direct connection to Internet (I don't have a network with multiple PC that I can use to test this issue). However, in theory, what I said above should work.


    Could you send me your BD Firewall Profile files, so I can take a look at them? The files are placed in C:\Program Files\Softwin\BitDefender10\Firewall\Profiles\ (this is the default installation folder. If you installed BD somewhere else, then look for them where you installed it). Put all the files from that folder in a zip file and attach it to your next post (or send me a PM with those files).


    I'll see if anything is wrong in those files.


    Cris.

  • LisaAJohnson
    edited February 2012

    Dear Cris;


    Thank you in advance for your response.


    I have included the .zip file that you requested to review .


    Please let me know what you conclude ..I sincerely appreciate your efforts.


    Attachment: BITDEFENDER15JULY2007.zip

  • Hi LisaAJohnson,


    As far as I can see, those files don't contain any information about any blocked IPs. All rules are defined for all IPs (Source and Destination: Any), except for two svchost.exe rules, which are limited to IP 192.168.0.1


    Are you sure this is your current profile?


    The only rules that these files contain are about inetinfo.exe and IEXPLORE.EXE, but they are also defined for Any IP.


    Cris.

  • LisaAJohnson
    edited February 2012

    Hi Cris;


    Once I determined that the IP addresses that I had blocked ..weren't really blocked at all, I DELETED them from the profile.


    I have attached a new profile for your review.


    I have created an IP address that I would like to have BLOCKED from access to my machine, as ..they repeatedly attempt to wear down the Microsoft OS cache by flooding it with an "Administrator" login.


    For what it is worth, here are the credentials of the IP address that I would like to successfully block:


    IP ADDRESS: 61.145.62.84

    inetnum: 61.145.0.0 - 61.145.255.255
    netname: CHINANET-GD
    country: CN
    descr: CHINANET Guangdong Province Network
    admin-c: CH93-AP
    tech-c: IC83-AP
    status: ALLOCATED NON-PORTABLE
    changed: dingsy@cndata.com 20070711
    mnt-by: MAINT-CHINANET
    mnt-lower: MAINT-CHINANET-GD
    source: APNIC

    person: Chinanet Hostmaster
    nic-hdl: CH93-AP
    e-mail: anti-spam@ns.chinanet.cn.net
    address: No.31 ,jingrong street,beijing
    address: 100032
    phone: +86-10-58501724
    fax-no: +86-10-58501724
    country: CN
    changed: dingsy@cndata.com 20070416
    mnt-by: MAINT-CHINANET
    source: APNIC

    person: IPMASTER CHINANET-GD
    nic-hdl: IC83-AP
    e-mail: ipadm@gddc.com.cn
    address: NO.1,RO.DONGYUANHENG,YUEXIUNAN,GUANGZHOU
    phone: +86-20-83877223
    fax-no: +86-20-83877223
    country: CN
    changed: ipadm@gddc.com.cn 20040902
    mnt-by: MAINT-CHINANET-GD
    remarks: IPMASTER is not for spam complaint,please send spam complaint to abuse@gddc.com.cn
    source: APNIC


    IP Addresses coming from this country are a "chronic" issue for me! :(


    I appreciate your review ..and look forward to your additional feedback regarding this matter.


    Attachment: BITDEFENDER_VERSION_O2.zip

  • Hi LisaAJohnson,


    The files look OK. In theory, those rules should completely block that IP from accessing anything in your PC.


    However, I saw in your post that the something that is trying to flood your PC doesn't have a single IP ( inetnum: 61.145.0.0 - 61.145.255.255 ). The only thing that comes to my mind right now is that, when an IP fails to connect, the someone on the other end uses another IP.


    So, I could recommend you to try to block the whole subnet. Open BD Management Console -> Firewall -> Edit Profile, open both rules (with the IP) and select (at Destination or Source, whatever the case) Class B network and click OK. I hope this works.


    Sadly, this is the most I can do. I don't work for BitDefender, so I can only give you some advice. If this doesn't work, it means that there is something wrong in BitDefender and you should report this on LiveAssistance ( www.bitdefender.com/Live-Assistance).


    I hope you find a solution.


    Cris.
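    To make the rule semantics discussed in this thread concrete, here is an added Python model (not BitDefender's own code) of a first-match, direction-aware rule list: it follows Cris's explanation that Add Rule defines an Outbound rule (so the original post's Source-only entry never matches), the paired Inbound/Outbound deny rules moved to the top, and the Class B (/16) expansion suggested above. The local address 192.168.2.123, the rule dictionary layout and the "allow" default are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed model of a first-match rule list; not BitDefender's engine.
BLOCKED = "61.145.62.84"   # host named in the thread's whois excerpt
LOCAL = "192.168.2.123"    # constructed address of the protected machine


def matches(pattern, addr):
    """'any' matches everything; otherwise a single host or CIDR match."""
    return pattern == "any" or ip_address(addr) in ip_network(pattern, strict=False)


def evaluate(rules, direction, src, dst, default="allow"):
    """Return the action of the first rule whose direction and addresses match."""
    for rule in rules:
        if (rule["dir"] in ("both", direction)
                and matches(rule["src"], src) and matches(rule["dst"], dst)):
            return rule["action"]
    return default  # assumption: no matching rule means the packet passes


# The original post: blocked IP in Source, entered through Add Rule, which
# (per Cris) creates an Outbound rule. Outbound packets have the local
# machine as Source, so this rule never fires in either direction.
original = [{"action": "deny", "dir": "outbound", "src": BLOCKED, "dst": "any"}]


def paired_rules(target):
    """Cris's fix: Outbound rule with the IP as Destination plus the
    mirrored Inbound rule with it as Source, both at the top of the list."""
    return [
        {"action": "deny", "dir": "outbound", "src": "any", "dst": target},
        {"action": "deny", "dir": "inbound", "src": target, "dst": "any"},
    ]


def class_b(addr):
    """Expand a host address to its /16 ('Class B') network."""
    return str(ip_network(f"{addr}/16", strict=False))


def demo():
    # Apache2k's conflict: a permissive rule ordered above the deny wins.
    shadowed = [{"action": "allow", "dir": "both", "src": "any", "dst": "any"}]
    shadowed += paired_rules(BLOCKED)
    return {
        "orig_inbound": evaluate(original, "inbound", BLOCKED, LOCAL),
        "orig_outbound": evaluate(original, "outbound", LOCAL, BLOCKED),
        "paired_inbound": evaluate(paired_rules(BLOCKED), "inbound", BLOCKED, LOCAL),
        "paired_outbound": evaluate(paired_rules(BLOCKED), "outbound", LOCAL, BLOCKED),
        "shadowed_inbound": evaluate(shadowed, "inbound", BLOCKED, LOCAL),
        "subnet_inbound": evaluate(paired_rules(class_b(BLOCKED)), "inbound", "61.145.9.1", LOCAL),
    }
```

    Running demo() shows the Source-only rule allowing traffic both ways, the paired rules denying it, the shadowed pair never firing, and the /16 rule catching a different host in the same inetnum.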

  • LisaAJohnson
    edited February 2012

    Hi Cris!


    WOW! I had no idea that you weren't on the BitDefender payroll. In my opinion, you should be. Your feedback has been generous and informative.


    I did take your advice, and I contacted a BitDefender representative regarding this matter. Additionally, I asked them to take a moment to read the posts that have been made in this forum, especially this discussion, to discern a further course of action.


    Aside from a personal use of BitDefender, I am extremely familiar with the BitDefender Client Professional Plus flavor, which is perhaps ..what I should have purchased instead of BitDefender Internet Security v10.


    The functionality in the upgraded flavor seems more reasonable and accommodating for the security spet ..who may have advanced requirements from their 3rd party firewall application(s).


    That may be the route that I will have to take.


    Later this evening, I fully intend to terminate the "WHITELISTED" object, because I am suspicious that programmatically, something is mis-configured in that portion of the application, and this may be the root cause of my immediate dilemma.


    Again, Cris ..thank you for your insight, as I certainly have appreciated it!

  • LisaAJohnson
    edited February 2012

    To whom it may concern;


    I have certainly appreciated the efforts by the moderators of this online forum.


    With that said, I would like to offer the following comments to take an "ad-hoc" approach to actually getting the BitDefender Firewall to configure and DENY IP addresses, on an individual basis.


    OPEN YOUR BITDEFENDER CONSOLE


    SELECT FIREWALL


    IN THE "PROTECTION LEVEL" AREA


    DISABLE ALLOW WHITELIST


    "BY"


    SELECTING ALLOW ALL


    FINALLY, SELECT THE TRAFFIC TAB IN THE FIREWALL


    MANUALLY ADD THE IP ADDRESS THAT YOU WISH TO DENY


    This is the only possible combination of events, that yielded the actual ..expected result. Sadly enough.


    THAT IS STRIKE ONE!


    If you are lucky enough to have more than one local machine on your network ..and you can test the above recommendation, you will additionally be "hard pressed" to receive a "pop-up" notification that unauthorized traffic may be attempting to make a connection, EVEN IF you have ENABLED the "pop-up notification feature"


    THAT IS STRIKE TWO!


    And additionally, your event logs WILL NOT REFLECT the DENIED IP ADDRESS. You will have to rely on other reporting mechanisms for that information.


    THAT IS STRIKE THREE!


    Call me cynical, but doesn't this entire process seem a tad bit backwards to most of you?


    Disappointing ..at best. :(

  • Hi LisaAJohnson,


    With that said, I would like to offer the following comments to take an "ad-hoc" approach to actually getting the BitDefender Firewall to configure and DENY IP addresses, on an individual basis.


    BD v11 will have this feature.


    DISABLE ALLOW WHITELIST


    "BY"


    SELECTING ALLOW ALL


    I would suggest to select Ask. It's a lot safer, because Allow all practically disables the Outbound control (except for the rules that already exist in the Firewall).


    If you are lucky enough to have more than one local machine on your network ..and you can test the above recommendation, you will additionally be "hard pressed" to receive a "pop-up" notification that unauthorized traffic may be attempting to make a connection, EVEN IF you have ENABLED the "pop-up notification feature"


    I might be able to help here. Try to set the Firewall to Ask, not to Allow all. This way, you will always be asked when someone tries to connect (Inbound and Outbound). Of course, if there is an application that already has a rule in the Firewall, you won't receive a pop-up. But with this setting, BitDefender will not make anything without knowing your opinion.


    I have this setting enabled, and I always get a pop-up when *something* wants to access my PC from outside and I don't have a rule to allow/block it.


    And additionally, your event logs WILL NOT REFLECT the DENIED IP ADDRESS. You will have to rely on other reporting mechanisms for that information.


    The current logs don't show the firewall's activity. This feature will be available in BD v11.


    However, you can see the activity in the past few minutes by doing this: open BitDefender Management Console and go to Firewall -> Activity. Then click Show log. You'll see absolutely everything that the firewall has blocked/allowed in the past few minutes.


    Cris.

  • LisaAJohnson
    edited February 2012

    Hi Cris!


    Again, thank you for your resourceful feedback.


    I have come to the conclusion that this version of BitDefender needed an enormous amount of testing before its release ..and frankly, I am a little too busy to baby-sit the essentials that this product lacks.


    I have elected to uninstall it, and stick with the Enterprise Edition.

  • Apache2k
    edited July 2007

    @LisaAJohnson


    I'm in the same position as you and I feel exactly as u wrote:


    ""Call me cynical, but doesn't this entire process seems a tad bit backwards to most of you?""


    @Cris


    I get the feeling that u are the only person working for bitdefender. ( i know u are not)


    looks like this version 10 is a beta and all the needed stuff will be in version 11,, ummm i bought this with 2 years license hmm does this mean i have to buy version 11. I hope it will be free for us who have a beta version and did pay for it for 2 years.


    @liveAssistance???


    I think this should be turned down cos it's empty as the Sahara in mid day. 24/7 must be the date :)


    A lot of features need to be fixed but I'm reading all the time some updates like "now we have fixed the fonts in the windows style stuff"


    BD IS10 was selected as the best suite in a very big IT magazine, I wonder how they did the testing.


    I'm nothing against nobody but this software is turning me crazy. huhhh

  • alexcrist
    alexcrist
    edited August 2007

    Hi Apache2k,


    looks like this version 10 is a beta and all the needed stuff will be in version 11,, ummm i bought this with 2 years license hmm does this mean i have to buy version 11. I hope it will be free for us who have a beta version and did pay for it for 2 years.


    Of course upgrading to BD v11 will be free. I don't know yet how exactly the upgrading process will take place (because BD AV Plus will not exist anymore and a new version, BD Total Security, will appear), but upgrading will be possible with the same licenses that you already have. :)


    BD IS10 was selected as the best suite in a very big IT magazine , i wonder how did they made the testing.


    Well, it depends on the user. For a home user this product is fine. I'm using BD since v7, and BD IS since v10. It never gave me headaches.


    As far as I see on this forum, the most ugly problems are:


    - BD AV Plus interface crashing: this doesn't happen on all PCs, which makes it very hard to fix because the exact cause is unknown


    - problems with networks: home users, like myself, don't deal with such problems because I don't share any files on my network. For networks, you could try the Enterprise version, but I cannot say anything about how well it works, because I've never tried it. LisaAJohnson says it works a lot better on networks than BD IS.


    Cris.