Block Transit Packets
I have found many "Block Transit Packets" in my log.
What exactly does it mean?
Thank you :)
The very first time I installed OPv2, everything seemed to work fine (PCs on my LAN were able to share internet), even with policy mode 'block most'. As time went by, I recently re-installed XP and noticed that other PCs are no longer able to go through my XP for internet. The OP monitor shows 'Blocked transit packet'; file/folder sharing between PCs is fine. I have double-checked the system network option; it is '192.160.0.0/255.255.255.0' with trusted zone OFF, so I then added one of the PC's IPs to it, i.e. 192.168.0.98/255.255.255.255 with trusted zone ON. It is still blocking any requests from that PC unless I turn the policy mode to 'allow most', then everything works again.
What can be wrong here, and how do I resolve my problem, please?
Here is my network layout.
Modem -> router -> wireless XP with bridging -> wired router -> PC
Thanks for your reply. :)
And, thanks for the explanation of your network configuration. I do hope that one of the threads that I have linked can help you. Please keep us advised of your progress.
Have a nice day. :)
I will check the reference link you provided and see if I can understand a bit more.
a lot of your questions..;)
http://www.outpostfirewall.com/forum/showthread.php?s=&threadid=8394&highlight=transit+packets
Thanks for the complete description. Still, the problem seems a mystery. However, as I said before, I asked Agnitum specifically to include ICS in their test plan for upcoming releases. Maybe we can fix this, I am not sure. Unfortunately, I have some more questions. Thanks very much for the patience you have shown so far. I appreciate it.
1. What kind of modem are you using? Brand? Model? Cable, external phone modem, DSL, other?
2. What is the model of your NetGear router?
3. What is the model of your SMC router?
4. Are you using any features like DMZ, IP Filtering, or Port forwarding with your NetGear router? If so, please explain.
5. Are you using any features like DMZ, IP Filtering, or Port forwarding with your SMC router? If so, please explain.
6. Can you provide some of the logs for us to examine? Please make sure that both the local and remote port and the local and remote port are listed. These items can be selected by right clicking on an area of the log and selecting Columns.
7. Finally, please open the Outpost GUI and look in the title bar at the top of the GUI. There 'Agnitum Outpost Firewall - SomeConfiguration.cfg'. Please note the specific name of your 'cfg' file and open Windows Explorer. Go to the directory where Outpost is installed and find that file. Please attach it to your next post.
Again, thanks for the efforts so far and I sincerely hope that the information that I have requested in this post can help us solve this issue for you or at least keep us moving forward. We will do our best. If nothing else works, I will refer this specific thread to Agnitum.
Have a good day. :)
1. Set up your OP with specific addresses whenever you are setting up Trusted LAN or NetBIOS. And, DISABLE network auto-detection in the LAN settings also.
2. If I remember correctly, OP may need Global Rules to allow traffic to the appropriate IP when Transit Packets are blocked. I will do some checking though.
3. What kind of network setup is that? Considering the number of PCs in your network, I see ZERO need for two routers or using ICS. Both PCs can simply be connected directly to the first router. I can see no significant benefits with your configuration.
Here is a thread that you can reference that may help:
Transit Packet Hell (http://www.outpostfirewall.com/forum/showthread.php?s=&threadid=8612)
ICS give up (http://www.outpostfirewall.com/forum/showthread.php?s=&threadid=8258)
Have a good day. :)
Is this caused by the incorrect DOMAIN and DNS in OPv2? Because the domain range of my Netgear router is 1~5, and the other clients and the SMC router are totally out of the scope (yes, they are all still within the same subnet 255.255.255.0, but the gateway and DNS is the Netgear router 192.168.0.1), therefore the 192.168.0.0 default did not consider anything outside of 1~5 as its coverage?
I use Cisco VPN from time to time with my company's laptop by hooking it up to the SMC router. I have no idea how/why it works though, since there is no 'special' setup configuration for this particular laptop. However, I just can NOT make my XP machine work with this VPN. I have tried many ways as people suggested, but just no luck.
I see "System, Remote address/port, Blocked transit packet" when a request comes from the PC; however, if I turn the policy to 'allow most', it works.
Some posts mentioned that this is typical of a global rules issue, but which rule(s) should I pay attention to? I.e., is it related to the ALLOW rules or the BLOCK rules?
Also, another post mentioned that this is related to an XP bridging and Win98SE problem, and my setup is exactly as it claimed. I will set up another W2K PC for this case tonight.
Nice4, my first suggestion is to check that you have all the IP addresses involved listed in your LAN settings (specifically, your XP bridging PC will have 2 IP addresses since it is using 2 interfaces - both may need to be included). A list of the IP addresses you have chosen for your components would be useful here.
Second, check the source/destination IP addresses for those packets that are being blocked with the Transit Packets rule (the log does not show source IP addresses by default - to see them, right-click in the log window, select Columns... and ensure that "Local Address" is checked; you may as well do "Local Port" also, since it is needed when diagnosing problems with inbound traffic, although it should not be needed in this case). If you can identify a common IP address, add it to your LAN settings (as long as it is an address on your network).
You did mention that you had a trusted network of 192.160.0.0/255.255.255.0 - are you sure that this was not 192.168.0.0/255.255.255.0? The 192.168.x.x range is what you should be using, since this has been reserved for private networks. Using 192.160.x.x instead means that you will be using addresses allocated for use on the Internet which will cause problems (inability to access websites in that address range being the most likely).
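The two checks suggested in the post above, as an added example that is not part of the original thread and is not Outpost's own code. It assumes a transit packet is one where neither endpoint is the firewall host itself; the tuples stand in for the log's "Local Address" and "Remote Address" columns and are constructed sample data based on addresses mentioned in the thread.

```python
import ipaddress

# Constructed inputs modelled on the thread's layout; not real Outpost output.
HOST_ADDRS = {ipaddress.ip_address("192.168.0.4")}  # the XP bridging PC
LAN_SETTINGS = ["192.160.0.0/255.255.255.0", "192.168.0.98/255.255.255.255"]
BLOCKED = [  # (Local Address = source, Remote Address = destination)
    ("192.168.0.98", "216.74.132.10"),
    ("192.168.0.99", "192.168.0.1"),
    ("192.168.0.4", "192.168.0.1"),
]


def parse_lan(entries):
    """Turn 'address/netmask' strings into network objects."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def suspicious_lan_entries(entries):
    """LAN entries outside private address space, e.g. a 192.160.x.x typo."""
    return [str(n) for n in parse_lan(entries) if not n.is_private]


def is_transit(src, dst, host_addrs=HOST_ADDRS):
    """Assumption: transit means neither endpoint is the firewall host."""
    return (ipaddress.ip_address(src) not in host_addrs
            and ipaddress.ip_address(dst) not in host_addrs)


def uncovered_transit_sources(blocked, lan_entries, host_addrs=HOST_ADDRS):
    """Private source addresses of transit packets missing from LAN settings."""
    nets = parse_lan(lan_entries)
    missing = set()
    for src, dst in blocked:
        if not is_transit(src, dst, host_addrs):
            continue
        addr = ipaddress.ip_address(src)
        # Only suggest addresses that can belong to the local network.
        if addr.is_private and not any(addr in n for n in nets):
            missing.add(src)
    return sorted(missing)


if __name__ == "__main__":
    print("Non-private LAN entries:", suspicious_lan_entries(LAN_SETTINGS))
    print("Add to LAN settings:", uncovered_transit_sources(BLOCKED, LAN_SETTINGS))
```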
What is UDP 520 anyway ????
Problem resolved, but what is my SCOPE under OPv2?
The default setting does not seem to help with my setup - still not sure why, though! I have finally resolved it by defining two new global rules.
1) Copy from Allow DNS (TCP), changed DOMAIN to local host 192.168.0.98/99/100, allow these IP hosts to go through. This will enable all PCs to access the internet.
2) Copy from Allow DNS (UDP), changed its remote port to remote host to 192.168.0.98,99,100,4. These will help all file sharing between all PCs and also Cisco VPN.
With the rules added to the very top spot in the global rules screen, it works exactly as I expected it to.
More tests here...
- move the new rules down to the spot just before all BLOCK rules: it works fine.
- move them down further to the last spot: it still works.
- then disable the newly added rules: ohhh, it does NOT function any more. Clearly the default global rules do not take care of other clients' requests, and I have proved that from the monitor log. When it works, I see my newly added rules kick in, but why should it all be looked after by these global rules?
I think the first two global rules do not really do their work because OP was not able to obtain the DOMAIN and DNS scope correctly, therefore all requests from other clients are ignored.
At this point, what is my security scope under OPv2? All clients are wide open; that is fine because I assumed that each PC should have its own copy of OP installed, but what about the communications between my XP PC and all other client PC(s) on the LAN, which are sharing files/printing/reference...
Log file snap...you rules defined by Nice
Allows
8:49:59 PM SYSTEM TCP spd.atdmt.com HTTP New rule #1 - User Nice
8:49:59 PM SYSTEM TCP 192.168.0.98 1129 Trusted Zone
8:49:41 PM SYSTEM TCP spd.atdmt.com HTTP New rule #1 - User Nice
8:49:41 PM SYSTEM TCP 192.168.0.98 1129 Trusted Zone
8:49:41 PM SYSTEM UDP 192.168.0.1 DNS Allow DNS Resolving (UDP)#1 - Nice for VPN
8:49:41 PM SYSTEM UDP 192.168.0.98 1128 Trusted Zone
8:49:41 PM SYSTEM TCP 216.74.132.10 HTTP New rule #1 - User Nice
8:49:41 PM SYSTEM TCP 192.168.0.98 1127 Trusted Zone
8:49:40 PM SYSTEM TCP sc.msn.com HTTP New rule #1 - User Nice
8:49:40 PM SYSTEM TCP 192.168.0.98 1124 Trusted Zone
8:49:40 PM SYSTEM TCP sc.msn.com HTTP New rule #1 - User Nice
8:49:40 PM SYSTEM UDP 192.168.0.98 1125 Trusted Zone
8:49:40 PM SYSTEM TCP 192.168.0.98 1126 Trusted Zone
8:49:40 PM SYSTEM UDP 192.168.0.1 DNS Allow DNS Resolving (UDP)#1 - Nice for VPN
8:49:40 PM SYSTEM TCP c.msn.com HTTP New rule #1 - User Nice
8:49:40 PM SYSTEM TCP 192.168.0.98 1123 Trusted Zone
8:49:40 PM SYSTEM UDP 192.168.0.98 1122 Trusted Zone
8:49:40 PM SYSTEM UDP 192.168.0.1 DNS Allow DNS Resolving (UDP)#1 - Nice for VPN
8:49:40 PM SYSTEM UDP 192.168.0.98 1121 Trusted Zone
8:49:40 PM SYSTEM UDP 192.168.0.1 DNS Allow DNS Resolving (UDP)#1 - Nice for VPN
8:49:39 PM SYSTEM TCP cb.msn.com HTTP New rule #1 - User Nice
8:49:39 PM SYSTEM TCP 192.168.0.98 1120 Trusted Zone
8:49:38 PM SYSTEM TCP cb.msn.com HTTP New rule #1 - User Nice
8:49:38 PM SYSTEM TCP 192.168.0.98 1119 Trusted Zone
8:49:37 PM SYSTEM UDP 192.168.0.1 520 Allow DNS Resolving (UDP)#1 - Nice for VPN
8:49:37 PM SYSTEM UDP 192.168.0.98 1118 Trusted Zone
8:49:37 PM SYSTEM UDP 192.168.0.1 DNS Allow DNS Resolving (UDP)#1 - Nice for VPN
8:49:37 PM SYSTEM TCP login.passport.net HTTP New rule #1 - User Nice
8:49:37 PM SYSTEM TCP 192.168.0.98 1117 Trusted Zone
8:49:36 PM SYSTEM TCP login.passport.net HTTP New rule #1 - User Nice
Block log
8:43:04 PM SYSTEM UDP 192.168.0.255 520 Block All Activity
8:42:32 PM SYSTEM UDP 192.168.0.255 520 Block All Activity
8:42:00 PM SYSTEM UDP 192.168.0.255 520 Block All Activity
8:41:28 PM SYSTEM UDP 192.168.0.255 520 Block All Activity
Here is my network layout, I try the best as I can.
modem -> netgear router 192.168.0.1 acting as DHCP range 0-5
-> PC with XP and bridging with IP 192.168.0.4; here is where OPv2 is installed and so is Norton. The bridging has 3 interfaces, namely the wireless card, the LAN interface, then the virtual bridging interface (the 1394 interface is not in the bridging group since it isn't required). There is one and only one IP here, which is 192.168.0.4; it is within the scope of the Netgear router's DHCP range.
-> SMC router with 192.168.0.100 acting as a switch with DHCP off.
-> PC with Win98SE installed, as 192.168.0.98, norton installed. This is hooked to the SMC router.
------ everything works as expected before, until I have to reinstall the XP again, and certainly OPv2 again -----
OPV2 related....system network
- by default, it has 192.168.0.0/255.255.255.0, without trusted, then with trusted again, it does not help.
- add 192.168.0.1/4/100/98 all with trusted check, no luck.
- removed the default 192.168.0.0....no help either.
OPV2 related...Global rules
- everything default, does not work;
- choose 'report' with each Block rules (about 4 of them), I expect if any of these rule kicks in, I should see the prompt, but nothing pops up, just does work again;
- add a new ALLOW rule on the very first spot, specify TCP, and remote/local 192.168.0.98 (one each try), no direction. Still does not work !
OPV2 related....add another w2k PC as 192.168.0.99, there is nothing changed on this PC since last used with the previous XP installation, purely works before. I have received same 'Blocked Transit Packet'.
Noticed: The blocking seems only on the inbound since I can see the outbound request shows 'Trusted Zone' then goes through, the monitor shows
'system wwww.examplesss.comm HTTP port# Blocked transit Packet'
Does anyone know whether some XP security updates are missing, or maybe there is some sort of conflict somewhere? I have no idea what I did last time when we are talking about XP updates.
Well, it is long enough...hope these info can help to resolve my problems.
Your new rules should have only had an impact if you had disabled the default global "Allow DNS" rule or amended it to include your ISP's DNS servers. Can you please confirm if this is the case?
I should look at FAQ first.
Thank you for the information.
Do you use a VPN?
And, what about the configuration file that was requested? Can you post it?
You seemed to indicate that you have got things working. Is that true?
I am a bit confused. I have seen the suggestion that special Global Rules may help eliminate the Transit Packet issue. But, since you have made your clients Trusted, I would expect things should work. It may likely be because things are as Paranoid2000 has often said and the source and destination IP are to blame. I'm not sure. I do believe that you have done a good thing in stating each client IP specifically in the LAN Settings. I do have some questions that may shed light on this issue.
1. On which PCs is Outpost installed?
2. Please restate your network configuration the same way as you described below. Except this time list the OS on each PC and state whether Outpost is installed or not.
3. For each PC that Outpost is installed, please list completely the ruleset for the following applications, svchost.exe and services.exe. You can use a simple shorthand to state each rule. For example one rule for svchost.exe might look like this: TCP, Outbound, remote port 80, Allow It. Please list all rules in this format.
Hopefully we can help you out. I have also notified Agnitum of these occasional ICS problems and asked them to again verify the functionality of ICS with Outpost.
Keep us advised of your progress and I look forward to your reply. :)
Posting your configuration would really help us understand your setup and how it will function as far as security is concerned. By the way, if you are speaking of DOMAIN as TCP 53, then that is not handled by the Global Rule for DNS which is DNS 53. Honestly, I have never found it necessary to have a functioning rule for DOMAIN.
If you can, please post your configuration and we can take a close look at it.

