A Windows XP help forum. PCbanter

How do you block an IP address on Windows?



 
 
  #31  
Old August 23rd 17, 12:38 AM posted to alt.comp.os.windows-10
Paul[_32_]
external usenet poster
 
Posts: 11,873
Default How do you block an IP address on Windows?

Bram van den Heuvel wrote:
Given news wrote:

Which means they're *starting* from my machine!

Why is your machine communicating with 1e100.net ?

I thought that was for crawling web sites.
Do you run a web site ?

I don't think I've ever casually seen one of my machines
communicating with an address like that. I don't run Wireshark
all that often, so it's not like I collect daily logs
of every packet sent/received.


All good questions. Here is a Wireshark screenshot from when I first
noticed the *outgoing* IP address 104.28.17.56 from my desktop 192.168.1.99
via my router 192.168.1.1 as shown in this screenshot
http://img4.imagetitan.com/img.php?i...nshot(603).jpg

I don't know how to decipher which process did that since Wireshark just
says Info=80-60589 [FIN, ACK] Seq=1 Ack=1 Win=30 Len=0

Here's another screenshot taken at the same time showing an *outgoing* call
to 64.4.54.50 from the same other IP addresses, but where the communication
goes on for quite a while (and it may have something to do with
displaycatalog.mp.microsoft.com which came just before it).
http://img4.imagetitan.com/img.php?i...nshot(617).jpg

Here is a call to 204.79.197.200 made from my machine.
http://img4.imagetitan.com/img.php?i...nshot(614).jpg

The only way I know the domains is that I did a "whois" lookup afterward
but I was very clear to run nothing when these screenshots were snapped
with Windows+PrintScreen.

Other than providing the screenshots, I can't answer any of your questions
other than to say I'm probably as normal as anyone is, in that I have a
Windows 10 desktop configured probably about as normally as anyone is
configured (e.g., no servers).

I don't even know what 1e100.net means when you ask me.
Is that one of the domains of one of the IP addresses I found going out?


My advice, your next Windows tool would be TCPView.
The program name, is on the left.

https://docs.microsoft.com/en-us/sys...nloads/tcpview

Paul
  #32  
Old August 23rd 17, 02:43 AM posted to alt.comp.os.windows-10
Mayayana
external usenet poster
 
Posts: 6,438
Default How do you block an IP address on Windows?


"Bram van den Heuvel" wrote
| All good questions. Here is a Wireshark screenshot from when I first
| noticed the *outgoing* IP address 104.28.17.56 from my desktop 192.168.1.99
| via my router 192.168.1.1 as shown in this screenshot
| http://img4.imagetitan.com/img.php?i...nshot(603).jpg

I was thinking the same thing as Paul. TCPView will
show what program is going out. You may have programs
or services running that you've allowed to call home,
or that you haven't specifically set not to call home.

You really should look into getting a firewall that allows
you to control outbound traffic.


  #33  
Old August 23rd 17, 03:11 AM posted to alt.comp.os.windows-10
Char Jackson
external usenet poster
 
Posts: 10,449
Default How do you block an IP address on Windows?

On Tue, 22 Aug 2017 20:10:39 +0000 (UTC), Bram van den Heuvel
wrote:

All good questions. Here is a Wireshark screenshot from when I first
noticed the *outgoing* IP address 104.28.17.56 from my desktop 192.168.1.99
via my router 192.168.1.1 as shown in this screenshot


I didn't stare long at your packet captures, but from what I saw, I
couldn't tell which end initiated the connection. Since it's a TCP
connection, it'll start with a SYN, then a SYN,ACK in return, and a
final ACK. Once the three-way-handshake is successful and complete, the
actual data transfer can start. The first SYN comes from the side that
wants to initiate the connection.

You can use the filter capability above Wireshark's display area to
enter filter terms, or just right click on something interesting and
tell it to "Apply as Filter". That really cleans up the display.

http://img4.imagetitan.com/img.php?i...nshot(603).jpg


My ancient newsreader initially wanted to render that link as
http://img4.imagetitan.com/img.php?image=16_screenshot
and I was going to ask "What language is that??"

  #34  
Old August 23rd 17, 03:17 AM posted to alt.comp.os.windows-10
Bram van den Heuvel
external usenet poster
 
Posts: 28
Default How do you block an IP address on Windows?

Given news wrote:

My advice, your next Windows tool would be TCPView.
https://docs.microsoft.com/en-us/sys...nloads/tcpview


Thanks for that sniffer suggestion.
I am running tcpview now.

There sure are a lot of svchost.exe and mqsvc.exe processes!
http://img4.imagetitan.com/img.php?image=16_tcpview.jpg

I see there is a column for "remote address" and one for "process" (on the
left) so I will see what that tells me over time.

Thanks for the debugging hints.
  #35  
Old August 23rd 17, 04:00 AM posted to alt.comp.os.windows-10
B00ze
external usenet poster
 
Posts: 472
Default How do you block an IP address on Windows?

On 2017-08-22 21:43, Mayayana wrote:

"Bram van den Heuvel" wrote
| All good questions. Here is a Wireshark screenshot from when I first
| noticed the *outgoing* IP address 104.28.17.56 from my desktop 192.168.1.99
| via my router 192.168.1.1 as shown in this screenshot
| http://img4.imagetitan.com/img.php?i...nshot(603).jpg

I was thinking the same thing as Paul. TCPView will
show what program is going out. You may have programs
or services running that you've allowed to call home,
or that you haven't specifically set not to call home.

You really should look into getting a firewall that allows
you to control outbound traffic.


I use the built-in Windows firewall for that, all you need is an extra
tool called Windows Firewall Notifier, so that you get some notice when
something gets blocked. If I recall, Mayayana, you use Private Firewall?
Is that not just a front end to the Windows built-in Filtering API? i.e.
Same as built-in firewall? Windows Firewall is a bit lame when it comes
to process names (if the process is a 8N3 name, it cannot identify it,
which is the case with Office 2016) and also pretty lame with services
hosted in svchost, but I'm not sure if Private Firewall can do better -
Plus I'd have to migrate all my rules, a real pain...

Best Regards,

--
! _\|/_ Sylvain /
! (o o) Member:David-Suzuki-Fdn/EFF/Red+Cross/SPCA/Planetary-Society
oO-( )-Oo Pentium of Borg: Division futile; You will be approximated.

  #36  
Old August 23rd 17, 05:54 AM posted to alt.comp.os.windows-10
Paul[_32_]
external usenet poster
 
Posts: 11,873
Default How do you block an IP address on Windows?

Bram van den Heuvel wrote:
Given news wrote:

My advice, your next Windows tool would be TCPView.
https://docs.microsoft.com/en-us/sys...nloads/tcpview


Thanks for that sniffer suggestion.
I am running tcpview now.

There sure are a lot of svchost.exe and mqsvc.exe processes!
http://img4.imagetitan.com/img.php?image=16_tcpview.jpg

I see there is a column for "remote address" and one for "process" (on the
left) so I will see what that tells me over time.

Thanks for the debugging hints.


You can use sysinternals.com "Process Explorer" on SVCHOSTs.

The current version doesn't seem to give details in the same
way as some older versions.

Basically, you right-click "procexp.exe" and select Run
as Administrator. With Admin, it is able to peer inside
SVCHosts and get service names and even execution cycles.

Maybe I'm confused, but when I tried the most recent version,
I wasn't seeing the usual info I'm used to getting.

*******

In Command Prompt, on WinXP Pro, you could do

tasklist /svc

and that gives the service names inside a SVCHOST.
But that may not be enough info. And Process Explorer,
if it works for you, can give a bit more info.

Paul
  #37  
Old August 23rd 17, 06:01 AM posted to alt.comp.os.windows-10
Paul[_32_]
external usenet poster
 
Posts: 11,873
Default How do you block an IP address on Windows?

Char Jackson wrote:
On Tue, 22 Aug 2017 20:10:39 +0000 (UTC), Bram van den Heuvel
wrote:

All good questions. Here is a Wireshark screenshot from when I first
noticed the *outgoing* IP address 104.28.17.56 from my desktop 192.168.1.99
via my router 192.168.1.1 as shown in this screenshot


I didn't stare long at your packet captures, but from what I saw, I
couldn't tell which end initiated the connection. Since it's a TCP
connection, it'll start with a SYN, then a SYN,ACK in return, and a
final ACK. Once the three-way-handshake is successful and complete, the
actual data transfer can start. The first SYN comes from the side that
wants to initiate the connection.

You can use the filter capability above Wireshark's display area to
enter filter terms, or just right click on something interesting and
tell it to "Apply as Filter". That really cleans up the display.

http://img4.imagetitan.com/img.php?i...nshot(603).jpg


My ancient newsreader initially wanted to render that link as
http://img4.imagetitan.com/img.php?image=16_screenshot
and I was going to ask "What language is that??"


In Wireshark, under the "View : Name Resolution" menu, is an option
to turn on DNS translation for as many as three different levels in the
trace. That makes the trace easier to read. That's one of the first
things I have to turn on, after installing it. I've had copies of
Wireshark before, which refused to save those settings, so they
had to be turned on each time Wireshark was used.

Paul
  #38  
Old August 23rd 17, 09:20 AM posted to alt.comp.os.windows-10
Andy Burns[_6_]
external usenet poster
 
Posts: 1,318
Default How do you block an IP address on Windows?

Paul wrote:

In Command Prompt, on WinXP Pro, you could do
tasklist /svc
and that gives the service names inside a SVCHOST.


You can also right-click the svchost in the details tab of task manager,
then use "go to service(s)"
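
What TCPView and `tasklist /svc` report in the posts above, combined into one PowerShell report (an added example, not part of any poster's reply). `Get-ConnectionOwner` is a hypothetical function name, and the Direction column is a heuristic based on listening ports, not the SYN order seen in a capture.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on Windows 8/10 or later.
# Direction is inferred, not captured: a connection whose local port is also a
# listening port on this machine is treated as inbound, anything else as outbound.

function Get-ConnectionOwner {
    [CmdletBinding()]
    param(
        # Optional remote addresses to narrow the report, e.g. ones seen in Wireshark.
        [string[]]$RemoteAddress
    )

    # Local ports this machine listens on (the server side of any handshake).
    $listening = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty LocalPort -Unique

    # Service names grouped by hosting process id, the same data "tasklist /svc" prints.
    $servicesByPid = @{}
    Get-CimInstance -ClassName Win32_Service -Filter 'ProcessId <> 0' | ForEach-Object {
        $servicesByPid[[int]$_.ProcessId] += @($_.Name)
    }

    $connections = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $_.RemoteAddress -notin '127.0.0.1', '::1' }
    if ($RemoteAddress) {
        $connections = $connections | Where-Object { $_.RemoteAddress -in $RemoteAddress }
    }

    foreach ($c in $connections) {
        $procId = [int]$c.OwningProcess
        $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Direction = if ($c.LocalPort -in $listening) { 'inbound' } else { 'outbound' }
            Remote    = '{0}:{1}' -f $c.RemoteAddress, $c.RemotePort
            LocalPort = $c.LocalPort
            PID       = $procId
            Process   = if ($proc) { $proc.ProcessName } else { '(exited)' }
            # Empty for ordinary programs; for svchost this names the hosted services.
            Services  = ($servicesByPid[$procId] -join ', ')
        }
    }
}

Get-ConnectionOwner | Sort-Object Process, Remote | Format-Table -AutoSize
```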
  #39  
Old August 23rd 17, 09:22 AM posted to alt.comp.os.windows-10
Andy Burns[_6_]
external usenet poster
 
Posts: 1,318
Default How do you block an IP address on Windows?

Char Jackson wrote:

My ancient newsreader initially wanted to render that link as
http://img4.imagetitan.com/img.php?image=16_screenshot
and I was going to ask "What language is that??"


It's all Greek to me ;-)



  #40  
Old August 23rd 17, 02:04 PM posted to alt.comp.os.windows-10
Mayayana
external usenet poster
 
Posts: 6,438
Default How do you block an IP address on Windows?

"B00ze" wrote

| If I recall, Mayayana, you use Private Firewall?

I use Online Armor on XP and Private Firewall on
7. (You have a good memory! If you hadn't mentioned
the name I would have had to have checked.)

I've been waiting to see what else people recommend
for Win10. So far Comodo looks like a possibility. OA got
sold and changed after the XP version, and I've never
been more than generally satisfied with PF. The UI and
controls are not as easy to use. The trouble, as you
probably know, is that the products keep changing, being
sold, changing their license arrangement, etc. There
was a time on 9x when Zone Alarm was all that anyone
used. Then they got a bad reputation over something
or other. I think they're still around. Are they any good
now? Goodness knows! And the Matousec site that reviews
these things seems to have been all but abandoned.

| Is that not just a front end to the Windows built-in Filtering API?

Not that I know of. There've been firewalls far longer
than there's been the Windows firewall. But I don't know
for sure. I've only looked at the Windows version a
bit and found the customizing controls seemed to be
almost impossible to use. But I have to say that I didn't
try very hard. I don't particularly want to use the fox
to guard the henhouse. I block all svchost from going
out, for instance. I doubt Windows would allow that,
especially in Win10. Or more likely it would tell me svchost
was blocked and then call home anyway.


  #41  
Old August 24th 17, 01:54 AM posted to alt.comp.os.windows-10
B00ze
external usenet poster
 
Posts: 472
Default How do you block an IP address on Windows?

On 2017-08-23 09:04, Mayayana wrote:

"B00ze" wrote

| If I recall, Mayayana, you use Private Firewall?

I use Online Armor on XP and Private Firewall on
7. (You have a good memory! If you hadn't mentioned
the name I would have had to have checked.)


I remembered only because I had had my eye on PV already, and when you
told us one day that that's the one you were using I figured it
amplified my interest in it. The Windows Firewall has annoying
shortcomings, the most annoying being that it does not open a pop-up
window when it blocks an outgoing connection.

I've been waiting to see what else people recommend
for Win10. So far Comodo looks like a possibility. OA got


I tried Comodo once, but it was the entire security suite, and it was
just too much: You have rules, based on templates, based on something
else; like 3 levels deep. It also does HIPS, so it wants to control what
processes are allowed to do. Configuring the whole thing is a full time
job...

sold and changed after the XP version, and I've never
been more than generally satisfied with PF. The UI and
controls are not as easy to use. The trouble, as you
probably know, is that the products keep changing, being
sold, changing their license arrangement, etc. There


The product has not been updated since 2014. Waiting to see if someone
will pick-up...

was a time on 9x when Zone Alarm was all that anyone
used. Then they got a bad reputation over something
or other. I think they're still around. Are they any good
now? Goodness knows! And the Matousec site that reviews
these things seems to have been all but abandoned.


Hehehe, I had ZoneAlarm on my 9x box. But they insisted on "simplifying"
the program and it was less and less configurable. Haven't tried it in
years.

| Is that not just a front end to the Windows built-in Filtering API?

Not that I know of. There've been firewalls far longer
than there's been the Windows firewall. But I don't know
for sure. I've only looked at the Windows version a
bit and found the customizing controls seemed to be
almost impossible to use. But I have to say that I didn't
try very hard. I don't particularly want to use the fox


Agreed, Firewalls were around before the Microsoft Filtering API. But
I'm used to the Windows Firewall by now, so I've kinda given-up on
looking at alternatives. However, I still remember that one of the ones
I should look at, if someone ever buys them and continues development,
is PF.

to guard the henhouse. I block all svchost from going
out, for instance. I doubt Windows would allow that,
especially in Win10. Or more likely it would tell me svchost
was blocked and then call home anyway.


There are some services that should be allowed, like the one that
downloads CRLs. If you block all SVCHOSTS you will not have the latest
revocation lists. Since the Windows Firewall is very poor when it comes
to SVCHOSTS, I have a rule that allows svchosts only to specific IP
ranges (all Akamai.net). Bit of a pain to keep updated, but it's safer
than to allow svchost access to everything.

Best Regards,

--
! _\|/_ Sylvain /
! (o o) Member:David-Suzuki-Fdn/EFF/Red+Cross/SPCA/Planetary-Society
oO-( )-Oo Bits of ice striking hull - "Captain, we're being hailed."

  #42  
Old August 24th 17, 02:31 AM posted to alt.comp.os.windows-10
Mayayana
external usenet poster
 
Posts: 6,438
Default How do you block an IP address on Windows?

"B00ze" wrote

| I block all svchost from going
| out, for instance. I doubt Windows would allow that,
| especially in Win10. Or more likely it would tell me svchost
| was blocked and then call home anyway.
|
| There are some services that should be allowed, like the one that
| downloads CRLs. If you block all SVCHOSTS you will not have the latest
| revocation lists. Since the Windows Firewall is very poor when it comes
| to SVCHOSTS, I have a rule that allows svchosts only to specific IP
| ranges (all Akamai.net). Bit of a pain to keep updated, but it's safer
| than to allow svchost access to everything.
|

I didn't know you could do that. I can control
processes and ports, but not IPs-per-process.
Though I can't say that I care very much about
certificates. If I shopped online, and if half of
them weren't expired anyway, then I might be
interested.

There's nothing I want that needs to allow
svchost. I don't enable Windows update or
any extras like Windows Time. I would need
DHCP but I use fixed local IPs in order to avoid
that. But I wouldn't be surprised if it's impossible
to block svchost entirely on Win10.


  #43  
Old August 24th 17, 11:04 PM posted to alt.comp.os.windows-10
Brian Gregory
external usenet poster
 
Posts: 648
Default How do you block an IP address on Windows?

On 22/08/2017 20:04, Paul wrote:
Bram van den Heuvel wrote:


Also Char Jackson was wondering if any of these connections were
*incoming* but they're not. All of them are outgoing connections first.

Which means they're *starting* from my machine!


Why is your machine communicating with 1e100.net ?

I thought that was for crawling web sites.
Do you run a web site ?

I don't think I've ever casually seen one of my machines
communicating with an address like that. I don't run Wireshark
all that often, so it's not like I collect daily logs
of every packet sent/received.

   Paul


The 1e100.net domain (and all its sub-domains, obviously) belongs to Google.

See: https://support.google.com/faqs/answer/174717?hl=en

--

Brian Gregory (in the UK).
To email me please remove all the letter vee from my email address.
  #44  
Old August 24th 17, 11:14 PM posted to alt.comp.os.windows-10
Brian Gregory
external usenet poster
 
Posts: 648
Default How do you block an IP address on Windows?

On 21/08/2017 06:30, Bram van den Heuvel wrote:
I'm just learning Wireshark where all I'm doing at the moment is going line
by line to see what IP addresses are accessed by my computer when I am
doing nothing and the computer is just on.

In Wireshark I see connections to IP addresses which I look up and find out
who they are but I have no idea why my computer is connecting to them.

I tried putting them in the HOSTS file but HOSTS doesn't work this way.
# 127.0.0.1 104.28.17.56 # Wireshark - Cloudflare
# 127.0.0.1 172.217.5.206 # Wireshark - Google Search Engine Spider
# 127.0.0.1 152.195.54.20 # Wireshark - ANS Communication Verizon Busines
# 127.0.0.1 224.0.0.252 # Wireshark - MCAST-NET IANA Special Use (probably ok)


You are correct, that can't and won't work.
The hosts file can only be used to set the IP that will be returned when
a DNS lookup is done on a domain name using Windows.

--

Brian Gregory (in the UK).
To email me please remove all the letter vee from my email address.
  #45  
Old August 25th 17, 06:06 PM posted to alt.comp.os.windows-10
Mark Lloyd[_2_]
external usenet poster
 
Posts: 1,756
Default How do you block an IP address on Windows?

[snip]


You are correct, that can't and won't work.
The hosts file can only be used to set the IP that will be returned when
a DNS lookup is done on a domain name using Windows.


That's what I thought. HOSTS works only for domain names, not IPs. Some
routers can block IPs.

--
Mark Lloyd
http://notstupid.us/

"The memory of my own suffering has prevented me from ever shadowing one
young soul with the superstitions of the Christian religion." --
Elizabeth Cady Stanton
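
The thread's conclusion that HOSTS cannot block an IP, and B00ze's svchost rule limited to specific ranges, expressed as Windows Firewall rules in PowerShell (an added example, not part of any poster's reply). The function and rule names are hypothetical, the two blocked addresses are ones the original poster listed, and the ranges in the last line are documentation placeholders, not Akamai ranges.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on Windows 8/10 or later.

function Block-RemoteAddress {
    param([Parameter(Mandatory)][string[]]$Address)
    foreach ($ip in $Address) {
        $name = "Block outbound to $ip"   # constructed rule name
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            # HOSTS only changes name lookups; this filters on the address itself.
            # Explicit block rules take precedence over allow rules.
            New-NetFirewallRule -DisplayName $name -Direction Outbound -Action Block `
                -RemoteAddress $ip -Profile Any | Out-Null
        }
    }
}

function Limit-SvchostOutbound {
    param([Parameter(Mandatory)][string[]]$AllowedRange)
    # An allow rule restricts nothing until unmatched outbound traffic is denied.
    # This changes the default for every program, not only svchost, and the
    # predefined allow rules (DNS, DHCP and so on) continue to apply.
    Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultOutboundAction Block
    New-NetFirewallRule -DisplayName 'Allow svchost to listed ranges' `
        -Direction Outbound -Action Allow `
        -Program "$env:SystemRoot\System32\svchost.exe" `
        -RemoteAddress $AllowedRange -Profile Any | Out-Null
}

Block-RemoteAddress -Address '104.28.17.56', '64.4.54.50'

# Show what was created, with the address filter attached to each rule.
Get-NetFirewallRule -DisplayName 'Block outbound to *' | ForEach-Object {
    $filter = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule   = $_.DisplayName
        Action = $_.Action
        Remote = $filter.RemoteAddress
    }
}

# Placeholder ranges (RFC 5737 documentation blocks); substitute the ranges you trust.
# Limit-SvchostOutbound -AllowedRange '192.0.2.0/24', '198.51.100.0/24'
```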
 



