Can't access Internet unless I turn off OneCare firewall after Vista upgrade

Discussion in 'Windows Vista General Discussion' started by EJR, Feb 2, 2007.

  1. EJR

    EJR Guest

    I upgraded XP pro yesterday to Vista Ultimate. I had already upgraded
    OneCare to 1.5. Since I upgraded I can't get to the internet unless I turn
    the OneCare firewall off. If I turn the Windows firewall on I can still get
    to the internet.

    I read another post that said to add Ports 6 and 17 to the exception list in
    OneCare. I did this and I now can access the internet but I also read that
    turning on these ports is the same as turning off the OneCare firewall.

    Any suggestions?

    EJR, Feb 2, 2007

  2. EJR,

    Un-install OneCare, and then, if you desire, return to OneCare for
    Jonathan Schwartz 2, Feb 2, 2007

  3. EJR

    Dale Guest

    Or take an old junker PC and create a Linux proxy/firewall server.

    Dale, Feb 3, 2007
  4. EJR

    StephenB Guest

    The OneCare team is investigating the cause of this problem that has affected
    some users of 1.5 that upgraded from XP to Vista with 1.5 in place. The
    workaround at this time is to turn off the OneCare firewall and enable the Vista
    firewall. When the cause and solution are found, either a OneCare update will be
    pushed or instructions for how to resolve will be provided via support and on
    the OneCare forums. You are correct, if you open up protocols 6 and 17
    bidirectionally you are indeed allowing most Internet traffic through the
    firewall, effectively rendering the firewall useless, while OneCare will happily
    report that you are protected and will be in a green status. If an update is
    pushed to resolve the problem, you will remain unprotected until you manually
    remove the rules you added for those protocols.
    StephenB, Feb 3, 2007
  5. EJR

    Dale Guest

    Just curious. How do ports 6 and 17 allow most Internet traffic through
    your system? How does Windows respond to traffic on those ports?

    Dale, Feb 3, 2007
  6. EJR

    StephenB Guest

    Not "ports" - "protocols."
    (6 for TCP, 17 for UDP, 1 for ICMP, and so on)
    If you create a rule to unconditionally allow bidirectional traffic for
    protocols 6 and 17, you're apparently allowing all TCP and UDP traffic in and out
    without regard for source.
    StephenB, Feb 4, 2007
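The point StephenB makes in posts 4 and 6, that an unconditional bidirectional allow for protocols 6 and 17 lets any TCP or UDP packet through while the product still reports green, can be shown with a small rule evaluator. This is an added example, not OneCare or Vista code; the Rule and Packet types, the rule sets and the audit check are all constructed here for the demonstration.

```python
"""Audit simple firewall rules for protocol-wide allows (added example, not
OneCare or Vista code). Rules and packets below are constructed for the demo."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

TCP, UDP, ICMP = 6, 17, 1  # IANA IP protocol numbers cited in the thread

@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "block"
    protocol: int                   # IP protocol number; 0 means any
    direction: str                  # "in", "out" or "both"
    source: str                     # "any" or a CIDR such as "192.168.1.0/24"
    dst_port: Optional[int] = None  # None means all destination ports

@dataclass(frozen=True)
class Packet:
    protocol: int
    direction: str
    source: str                     # source IP address
    dst_port: Optional[int]

def _source_matches(rule_src: str, addr: str) -> bool:
    if rule_src == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(rule_src, strict=False)

def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.protocol in (0, pkt.protocol)
            and rule.direction in ("both", pkt.direction)
            and _source_matches(rule.source, pkt.source)
            and rule.dst_port in (None, pkt.dst_port))

def decide(rules: List[Rule], pkt: Packet, default: str = "block") -> str:
    """First matching rule wins; unmatched traffic gets the default action."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default

def audit(rules: List[Rule]) -> List[str]:
    """Flag allow rules admitting inbound TCP/UDP from anywhere on every port."""
    return [f"protocol {r.protocol} open inbound from any source: {r}" for r in rules
            if r.action == "allow" and r.protocol in (0, TCP, UDP)
            and r.direction in ("in", "both") and r.source == "any" and r.dst_port is None]

# The thread's workaround (allow 6 and 17 both ways) versus an outbound-only set.
WORKAROUND_RULES = [Rule("allow", TCP, "both", "any"), Rule("allow", UDP, "both", "any")]
OUTBOUND_ONLY_RULES = [Rule("allow", TCP, "out", "any"), Rule("allow", UDP, "out", "any")]
```

Running `decide` on a constructed unsolicited inbound TCP packet shows the workaround set allowing it and the outbound-only set falling through to the default block, and `audit` reports both workaround rules as wide open.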
  7. EJR

    Dale Guest

    What's the source of the protocol numbers 1, 6, 17, etc? While I haven't
    done network admin for a while, I'm not completely unknowledgeable in the
    subject but I have never come across that.

    Dale, Feb 4, 2007
  8. EJR

    StephenB Guest

    I did a search last night on Live Search and got that snip from a Cisco page.

    The full quote is from the entry for - author_service:

    "The services which require authorization. Use any, ftp, http, telnet, or
    protocol/port. Use any to provide authorization for all TCP services. To provide
    authorization for UDP services, use the protocol/port form.

    Services not specified are authorized implicitly. Services specified in the aaa
    authentication command do not affect the services which require authorization.

    For protocol/port:

    protocol—the protocol (6 for TCP, 17 for UDP, 1 for ICMP, and so on).
    port—the TCP or UDP destination port, or port range. The port can also be the
    ICMP type; that is, 8 for ICMP echo or ping. A port value of 0 (zero) means all
    ports. Port ranges only apply to the TCP and UDP protocols, not to ICMP. For
    protocols other than TCP, UDP, and ICMP the port is not applicable and should
    not be used. An example port specification follows.
    aaa authorization include udp/53-1024 inside 0 0 0 0

    This example enables authorization for DNS lookups to the inside interface for
    all clients, and authorizes access to any other services that have ports in the
    range of 53 to 1024.

    Note Specifying a port range may produce unexpected results at the authorization
    server. PIX Firewall sends the port range to the server as a string with the
    expectation that the server will parse it out into specific ports. Not all
    servers do this. In addition, you may want users to be authorized on specific
    services, which will not occur if a range is accepted."

    StephenB, Feb 4, 2007