Firewall close TCP port without explanation (during browsing web) under Windows

Post by cedM1 » Wed, 06 Feb 2008 23:16:42


Hello,

I have a problem with the Windows XP firewall (SP2), when I browse our
web server with Internet Explorer or Firefox.

* With the Windows Firewall disabled, Wireshark can see Internet
Explorer or Firefox is sending a number of SYN packets in quick
succession to our web server, which we acknowledge with SYN-ACK packets.
I can also see that the Windows client sometimes sends a RST packet. But
the browsing of our web server is always OK.

* If I then enable the Windows XP firewall and do the same, browsing
the web server sometimes makes our web server inaccessible (for
35 seconds minimum).
I can see this pattern with Wireshark:
PC : --> SYN
WEB server : --> SYN, ACK
WEB server : --> SYN, ACK after 5 seconds
WEB server : --> SYN, ACK after 10 seconds
WEB server : --> SYN, ACK after 20 seconds

I can then see (with Wireshark) that the Windows firewall dropped some
SYN-ACK packets. Moreover, the Windows client closed the TCP port of
this connection in progress before receiving the SYN-ACK packet.

In the Windows XP firewall log (pfirewall.log), I can see that the firewall
dropped the connection of our web server (10.12.1.2) with number 1064 TCP
port (because the Windows client closed this port before receiving the
SYN-ACK packet):

16:12:55 OPEN TCP 192.168.1.71 10.12.1.2 1329 80 - - - - - - - - -
16:12:55 CLOSE TCP 192.168.1.71 10.12.1.2 1329 80 - - - - - - - - -
16:12:55 DROP TCP 10.12.1.2 192.168.1.71 80 1329 44 SA 550383384 1616135431 4096 - - - RECEIVE
16:13:00 DROP TCP 10.12.1.2 192.168.1.71 80 1329 44 SA 550383384 1616135431 4096 - - - RECEIVE
16:13:10 DROP TCP 10.12.1.2 192.168.1.71 80 1329 44 SA 550383384 1616135431 4096 - - - RECEIVE


Why did the firewall close the TCP port in this example? What are the
conditions for closing a TCP port? Do you have an idea that explains this
fault, please?

I searched the newsgroups and googled around, but found no hint to explain it.

I had the same fault with the Kerio firewall.
I tried to understand how a firewall works under Windows. But it's not
easy. I understand that there are 2 zones of control ("hooks"): one
between NDIS and the IP layer and another between TDI (Transport Driver
Interface) and Winsock. But I don't see any applied rules which concern my
problem.
Is there a web link I should look at?


Thanks

Cedric
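
The pattern in the log above (OPEN, then CLOSE, then repeated DROPs of SYN-ACK on the reversed tuple) can be picked out of a larger pfirewall.log automatically. The following is an added example, not part of the original post; the function names are hypothetical, and the column layout is assumed to match the lines as quoted in the post, which carry no date column.

```python
from datetime import datetime

# Log lines as quoted in the post (wrapped lines rejoined; no date column there).
SAMPLE_LOG = """\
16:12:55 OPEN TCP 192.168.1.71 10.12.1.2 1329 80 - - - - - - - - -
16:12:55 CLOSE TCP 192.168.1.71 10.12.1.2 1329 80 - - - - - - - - -
16:12:55 DROP TCP 10.12.1.2 192.168.1.71 80 1329 44 SA 550383384 1616135431 4096 - - - RECEIVE
16:13:00 DROP TCP 10.12.1.2 192.168.1.71 80 1329 44 SA 550383384 1616135431 4096 - - - RECEIVE
16:13:10 DROP TCP 10.12.1.2 192.168.1.71 80 1329 44 SA 550383384 1616135431 4096 - - - RECEIVE
"""

FIELDS = ("time action protocol src_ip dst_ip src_port dst_port size tcpflags "
          "tcpsyn tcpack tcpwin icmptype icmpcode info path").split()


def parse_line(line):
    """Return a dict for one log record, or None for headers/blank/short lines."""
    parts = line.split()
    if not parts or parts[0].startswith("#") or len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    rec["time"] = datetime.strptime(rec["time"], "%H:%M:%S")
    return rec


def find_orphaned_synacks(log_text):
    """Find inbound SYN-ACKs dropped after the local side closed the same flow."""
    closed = {}    # (local_ip, remote_ip, local_port, remote_port) -> CLOSE time
    findings = []
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        flow = (rec["src_ip"], rec["dst_ip"], rec["src_port"], rec["dst_port"])
        if rec["action"] == "OPEN":
            closed.pop(flow, None)          # port reused: flow is live again
        elif rec["action"] == "CLOSE":
            closed[flow] = rec["time"]
        elif (rec["action"] == "DROP" and rec["protocol"] == "TCP"
              and rec["tcpflags"] == "SA" and rec["path"] == "RECEIVE"):
            # The drop is logged from the server's side, so reverse the tuple.
            local = (rec["dst_ip"], rec["src_ip"], rec["dst_port"], rec["src_port"])
            if local in closed:
                delay = int((rec["time"] - closed[local]).total_seconds())
                findings.append((local, rec["tcpsyn"], delay))
    return findings


if __name__ == "__main__":
    for flow, seq, delay in find_orphaned_synacks(SAMPLE_LOG):
        print(f"{flow}: SYN-ACK seq={seq} dropped {delay}s after local CLOSE")
```

On the lines from the post this reports three dropped SYN-ACKs for the same flow, all with the same sequence number, which marks them as retransmissions of one handshake reply rather than separate connection attempts.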
 
 
 

Post by julio_9 » Fri, 05 Jun 2009 17:52:44


It would be great if someone would help. Waiting for good answers, thanks.


--
julio_90