Firewall software can help protect against remote intrusion attempts, as well as outgoing attempts. 192.168 addresses give a clue as to the source.
I have a software firewall on trial. One penetration attempt the program consistently blocks is from IP 192.168.0.105. This attempt is incessant and for the moment I've turned off the reports. However, if it's a legitimate probe, I need to let it through. Our router IP is 192.168.0.101, so that's close to the "culprit". So, how do I determine whence cometh the IP address the firewall doesn't like?
One of the common annoyances with software firewalls is exactly this: that you may get repeated notification of access attempts, with no real sense of where they're really coming from, and whether or not they're legitimate.
In this case, I can't really say whether it's legitimate.
But I can say that the IP address is closer than you think.
The IP address range 192.168.x.x is never seen on the internet. By definition that range and a couple of others are reserved specifically for local area networks.
Your router's internet-facing connection has a real internet address. But the inward-facing connection on which your computer and perhaps others are connected will have an IP address like you've seen: 192.168.0.101 is one common default configuration for routers.
The router also assigns the IP addresses for the machines on your local network from that same range. It then also takes care of translating between the "real" internet IP address and the local network IP addresses as data flows to and from the internet.
What that implies is that 192.168.0.105 is a machine on your local network.
So the next step is pretty easy: check the IP addresses assigned to the machines on your network and you'll quickly find out which machine is the culprit. My favorite way to get the IP address is to open a Windows Command Shell and type in "ipconfig" followed by Enter; you should get something much like this:
Windows IP Configuration

Ethernet adapter Local Area Connection:

    Connection-specific DNS Suffix  . :
    IP Address. . . . . . . . . . . . : 192.168.1.2
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 192.168.1.1
Here you can see my router is assigning from the "192.168.1.*" range, but it's the "192.168" part that shows that I'm behind a router performing this network address translation or "NAT".
Now, there's an interesting scenario you might run into, and that's this: you might find that the IP address is that of the very machine you have your firewall installed on. There are a couple of reasons that might be:
What you're seeing could be a warning relating to an outgoing connection attempt. Your machine is attempting to connect to some remote machine in a way that your firewall has been configured to block. Without knowing more about the connection attempt details it's almost impossible to say whether this is good or bad.
Sometimes software will attempt to "connect to itself" using the network - so even though my machine might be at IP 192.168.1.2, it's possible that software running on that machine might try to make an outbound connection to ... 192.168.1.2, which is, of course, itself. That's totally valid, but it might be seen as either an incoming or outgoing connection attempt that your firewall doesn't like.
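The check described above, as an added example that is not part of the original article: it reads ipconfig output in the layout shown earlier and reports where a firewall alert's source address sits relative to this machine, including the case where the address is the machine itself. The sample text, function names and category labels are assumptions made for the illustration.

```python
import ipaddress
import re

# Constructed sample: ipconfig output in the layout shown in the article.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   IP Address. . . . . . . . . . . . : 192.168.1.2
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
"""

# Ranges reserved for local networks (RFC 1918); 192.168.x.x is one of them.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LABELS = re.compile(r"\s*(IP(?:v4)? Address|Subnet Mask|Default Gateway)[ .]*:\s*([\d.]+)")


def parse_ipconfig(text):
    """Return (interface, gateway) for the first adapter in ipconfig text."""
    fields = {}
    for line in text.splitlines():
        m = LABELS.match(line)
        if m:  # keep the first value seen for each label
            fields.setdefault(m.group(1).replace("IPv4", "IP"), m.group(2))
    iface = ipaddress.ip_interface(f"{fields['IP Address']}/{fields['Subnet Mask']}")
    return iface, ipaddress.ip_address(fields["Default Gateway"])


def classify(source, iface, gateway):
    """Say where an alert's source address sits relative to this machine."""
    addr = ipaddress.ip_address(source)
    if addr.is_loopback or addr == iface.ip:
        return "this machine (outgoing or self-connection)"
    if addr == gateway:
        return "the router"
    if addr in iface.network:
        return "another machine on the local network"
    if any(addr in net for net in PRIVATE_NETS):
        return "private address on a different local subnet"
    return "internet address"
```
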
Regardless of the reasons, and be it from your own machine or another machine on your local network, understanding the alert is the first step. Hopefully the firewall will include additional information like the "port" the attempt is being made on, which will often tell you what it's trying to do. For outgoing alerts, the firewall should also be able to tell you what software or service on your machine is requesting the connection. If the firewall's not giving you that information in the alert, then check any logs that the firewall might be creating.
Using that information you can make a call as to whether or not the alert is legitimate. If it is, and it's just an annoyance, then it's time to reconfigure the software firewall to stop bugging you about it.
And if it's not legitimate, then of course, you'll want to address the underlying cause.