Windows Firewall and OSSEC


Michael Starks

Apr 25, 2007, 11:00:25 PM
to ossec...@googlegroups.com
I'm not sure if this was expected, but when I installed OSSEC on a
machine with the Windows firewall enabled, I did not have to make an
exception in the firewall for port 1514. Given that it uses UDP, I
expected to have to open the port to allow the reply back in from the
server. I also did not make an exception for the application so that
Windows could open it dynamically. So it would seem that it's not
necessary, at least on Windows 2003 Server. Have others had the same
experience?

List Subscriptions

Apr 26, 2007, 9:43:28 AM
to ossec...@googlegroups.com
The Windows firewall is a one-way firewall that only blocks incoming
traffic. Since the agent is using UDP to forward to the server, no
exception is needed. Firewall issues with OSSEC usually arise when
you're running a firewall on the server, *nix agents, or a third-party
firewall on Windows.

Cheers,
Dale

Michael Starks

Apr 27, 2007, 10:33:18 PM
to ossec...@googlegroups.com
List Subscriptions wrote:
>
> The Windows firewall is a one-way firewall that only blocks incoming
> traffic. Since the agent is using UDP to forward to the server, no
> exception is needed. Firewall issues with OSSEC usually arise when
> you're running a firewall on the server, *nix agents, or a third-party
> firewall on Windows.
>
> Cheers,
> Dale

I thought the server also sent packets to the client to maintain state,
but I suppose that's not necessary.

Daniel Cid

Apr 28, 2007, 6:03:52 PM
to ossec...@googlegroups.com, Michael Starks
Hi Michael,

The server sends packets to the agent on the same connection that the
agent started, so we have no port open on the agent (connected UDP).

To illustrate with tcpdump output:

agent.ossec.net.24345 > server.ossec.net.1514: udp 257
server.ossec.net.1514 > agent.ossec.net.24345: udp 112

agent2.ossec.net.4987 > server.ossec.net.1514: udp 321
server.ossec.net.1514 > agent2.ossec.net.4987: udp 106

It basically works the same way as DNS and other UDP protocols, where the server
replies to the client using the same socket. See this dump of DNS AAAA/MX requests:

18:54:05.578817 enigma.ossec.net.16142 > dns.ossec.net.53: 12663+ AAAA? www.uol.com.br. (32)
18:54:05.758295 dns.ossec.net.53 > enigma.ossec.net.16142: 12663* 0/1/0 (79)
18:54:05.758958 enigma.ossec.net.12453 > dns.ossec.net.53: 11816+ MX? www.uol.com.br. (32)
18:54:05.932896 dns.ossec.net.53 > enigma.ossec.net.12453: 11816* 0/1/0 (79)

Hope it helps,

--
Daniel B. Cid
dcid ( at ) ossec.net
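The mechanism Dale and Daniel describe above, as an added example that is not part of the thread and not OSSEC's own code: a stand-in "server" binds a UDP port and answers whatever arrives, and a stand-in "agent" opens a connected UDP socket, sends once and reads the reply on that same socket. The returned dictionary shows the server's reply going to the exact ephemeral source port the agent chose (the pairing seen in the tcpdump lines), which is why a stateful host firewall that saw the outbound datagram admits the reply without an inbound rule for 1514. It also checks the caveat a connected socket gives for free: a datagram from any peer other than the one the agent connected to is not delivered to the agent's socket. Port 1514 is replaced by an OS-chosen port so it runs unprivileged, and the payloads are constructed; everything runs on 127.0.0.1.

```python
"""Connected-UDP agent/server exchange on localhost (constructed example).

Shows that the server's reply is addressed to the agent's own ephemeral
source port on the socket the agent already opened, and that a datagram
from a different peer is not delivered to that connected socket.
"""
import socket
import threading

HOST = "127.0.0.1"
TIMEOUT = 5


def server_once(server_sock, seen):
    """Stand-in for the OSSEC server: receive one datagram on the bound
    socket, record where it came from, and answer to that same (ip, port)."""
    server_sock.settimeout(TIMEOUT)
    try:
        data, agent_addr = server_sock.recvfrom(4096)
    except socket.timeout:
        return
    seen["agent_addr"] = agent_addr           # (ip, agent's ephemeral source port)
    server_sock.sendto(b"ACK:" + data, agent_addr)


def connected_udp_exchange(payload=b"constructed agent event"):
    """Run one agent -> server -> agent round trip and a rogue-peer probe.

    Returns a dict with the ports involved, the reply, and whether a datagram
    from an unrelated peer reached the agent's connected socket."""
    server_sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    server_sock.bind((HOST, 0))               # port 0: OS picks one; stands in for 1514
    server_port = server_sock.getsockname()[1]
    seen = {}
    t = threading.Thread(target=server_once, args=(server_sock, seen))
    t.start()

    # Agent side. connect() on a UDP socket assigns a local ephemeral port,
    # fixes the peer, and makes the kernel hand this socket only datagrams
    # that come from that peer. No listening port is opened on the agent.
    agent_sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    agent_sock.connect((HOST, server_port))
    agent_sock.settimeout(TIMEOUT)
    agent_port = agent_sock.getsockname()[1]
    agent_sock.send(payload)                  # agent.<ephemeral> -> server.<port>
    reply = agent_sock.recv(4096)             # server.<port> -> agent.<ephemeral>
    t.join()

    # Rogue peer: a third socket sends to the agent's port. It is not the
    # connected peer, so the agent socket never sees it. (server_sock is still
    # bound, so the rogue cannot accidentally be assigned server_port.)
    rogue = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        rogue.sendto(b"unsolicited", (HOST, agent_port))
        agent_sock.settimeout(0.5)
        try:
            agent_sock.recv(4096)
            rogue_delivered = True
        except socket.timeout:
            rogue_delivered = False
    finally:
        rogue.close()
        agent_sock.close()
        server_sock.close()

    return {
        "server_port": server_port,
        "agent_port": agent_port,
        "reply_sent_to_port": seen["agent_addr"][1],   # port the server replied to
        "reply": reply,
        "rogue_delivered": rogue_delivered,
    }


if __name__ == "__main__":
    r = connected_udp_exchange()
    print("agent %d -> server %d, server replied to port %d, rogue delivered: %s"
          % (r["agent_port"], r["server_port"], r["reply_sent_to_port"], r["rogue_delivered"]))
```

The firewall consequence follows from the ports in the result: the only inbound datagram the agent accepts is the one addressed to the source port of a datagram it already sent, which is exactly the state a one-way host firewall keys on. A firewall in front of the server, by contrast, must allow unsolicited inbound UDP to 1514, which matches Dale's list of where OSSEC firewall problems actually turn up.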
