alhaawi
Level 9

HIPS firewall blocks incoming UDP 53, and 389 on windows 8.1

I have strange blocking on my Windows 8.1; I do not know if it is a false positive or not. The McAfee firewall installed on Windows 8.1 blocks incoming UDP 53 and 389. The source is Windows 8.1 and the destination is the domain controller (no firewall on the DC). Windows seems to be working fine, I can run Outlook and change my password, but this blocked traffic is scary. I would like to know if it is a bug?

Description: Host Process for Windows Services (svchost)
Path: C:\Windows\System32\svchost.exe
Message: Blocked Incoming UDP -  Source 192.168.20.212 :  (56006)  Destination 192.168.20.251 : dns (53)
Matched Rule: Block All Traffic

Description: Host Process for Windows Services (svchost)
Message: Blocked Incoming UDP -  Source 192.168.20.212 :  (52778)  Destination 192.168.20.251 : ldap (389)
Matched Rule: Block All Traffic

0 Kudos
12 Replies
fitchsoccer342
Level 13

Re: HIPS firewall blocks incoming UDP 53, and 389 on windows 8.1

The HIPS firewall is a stateful firewall, meaning it's a table, and when filtering traffic it starts top to bottom; if it cannot match your traffic to a certain rule within the table, it will default to the "Block All Traffic" rule, which is what it's hitting in your situation.

It looks like the traffic that is being blocked is internal. I would look at setting up a connection aware group as a firewall rule; it can greatly help out for internal traffic without having to create tons of rules. More info: https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/20000/PD20747/en_US/...

creese36
Level 9

Re: HIPS firewall blocks incoming UDP 53, and 389 on windows 8.1

Are you able to resolve any internal DNS from this machine? Port 53 is a DNS port.

0 Kudos
alhaawi
Level 9

Re: HIPS firewall blocks incoming UDP 53, and 389 on windows 8.1

Dear all,

If anyone would like to see the blocked traffic, you may use a VM or a real Windows 8.1 machine with the HIPS firewall enabled, a member of a domain, and DHCP must be enabled; then wait for one or two hours and the blocked traffic will appear in the activity log. If you do not want to wait, just configure the TCP settings of Windows 8.1 to use a static IP (with your DNS), then change it back to DHCP and you will get the red traffic; if not, just log off and log in again. The HIPS version is 8 with p4 and the latest hotfixes.

I am sure that the HIPS firewall does not block 53 or 389, because if you enable logging of allowed traffic you will see 53 as green traffic, but I do not know why it is showing us both colors!

McAfee Employee

Re: HIPS firewall blocks incoming UDP 53, and 389 on windows 8.1

There are no default Firewall rules to allow INBOUND port 53 and port 389 traffic. You will need to create firewall rules to allow this traffic in, if the operating system requires it.
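
Added example, not part of any post in this thread and not McAfee's code: a simplified Python model of the top-to-bottom, first-match evaluation described in the replies above, run over the two log messages from the first post. The `Rule` class, the `Outgoing` direction value and the rule table are constructed for illustration and are not the HIPS policy schema.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Activity-log messages copied from the first post in this thread.
LOG = [
    "Blocked Incoming UDP -  Source 192.168.20.212 :  (56006)  Destination 192.168.20.251 : dns (53)",
    "Blocked Incoming UDP -  Source 192.168.20.212 :  (52778)  Destination 192.168.20.251 : ldap (389)",
]
MSG = re.compile(
    r"(?P<action>\w+)\s+(?P<direction>\w+)\s+(?P<proto>\w+)\s+-\s+"
    r"Source\s+(?P<src>[\d.]+)\s*:\s*\w*\s*\((?P<sport>\d+)\)\s+"
    r"Destination\s+(?P<dst>[\d.]+)\s*:\s*\w*\s*\((?P<dport>\d+)\)"
)

def parse(message: str) -> dict:
    """Split one log message into action, direction, protocol and endpoints."""
    m = MSG.search(message)
    if m is None:
        raise ValueError("unrecognised log message: " + message)
    event = m.groupdict()
    event["sport"], event["dport"] = int(event["sport"]), int(event["dport"])
    return event

@dataclass
class Rule:  # hypothetical model, not the HIPS policy schema
    name: str
    action: str
    direction: str
    proto: str
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, ev: dict) -> bool:
        return (self.direction == ev["direction"] and self.proto == ev["proto"]
                and self.dport in (None, ev["dport"]))

def first_match(rules: list, ev: dict) -> Rule:
    # Top-to-bottom evaluation; anything unmatched hits the final catch-all.
    for rule in rules:
        if rule.matches(ev):
            return rule
    return Rule("Block All Traffic", "Block", ev["direction"], ev["proto"])

# Constructed rule table: outgoing DNS/LDAP allowed, nothing incoming for 53/389.
RULES = [
    Rule("Allow outgoing DNS", "Allow", "Outgoing", "UDP", 53),
    Rule("Allow outgoing LDAP", "Allow", "Outgoing", "UDP", 389),
]

def matched_rules(rules: list) -> list:
    """Name of the rule each logged message ends up matching."""
    return [first_match(rules, parse(line)).name for line in LOG]
```

With the constructed table both messages fall through to "Block All Traffic", because they are logged as Incoming and no rule in the table covers that direction.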

alhaawi
Level 9

Re: HIPS firewall blocks incoming UDP 53, and 389 on windows 8.1

I understand that 53 and 389 are DC ports! Do we need a local rule for these ports?

McAfee Employee

Re: HIPS firewall blocks incoming UDP 53, and 389 on windows 8.1

Yes.

alhaawi
Level 9

Re: HIPS firewall blocks incoming UDP 53, and 389 on windows 8.1

Again, I understand that these ports, 53 and 389, are remote ports for DNS and DC. I would like to know the reason why I should create a rule for these ports locally for Windows 8.1?

0 Kudos
McAfee Employee

Re: HIPS firewall blocks incoming UDP 53, and 389 on windows 8.1

You'll need to ask Microsoft that question to determine why exactly this traffic is needed.  If you wish to continue blocking the traffic, and lose whatever functionality is provided with this traffic, you can do so.  If the network traffic is necessary for some functionality that you need, then you will need to allow the traffic in.

0 Kudos
alhaawi
Level 9

Re: HIPS firewall blocks incoming UDP 53, and 389 on windows 8.1

It is allowed by default.