Bugtraq mailing list archives

blackice ignoring port 113


From: vali () INAME COM (vali)
Date: Sat, 22 Jul 2000 19:27:06 +0300


It's as simple as that: BlackICE (a somewhat popular Windows firewall) is
ignoring TCP traffic with destination port 113 (even with the "paranoid" setting).
The simplest way to try this is

nmap -sS -p 113 -P0 victim (victim's blackice is silent)
nmap -sS -p any_other_port -P0 victim (blackice says "tcp port probe").

Tried with BlackICE 2.1.x (blackice.exe & vxd = 2.1.25, blackicd and
blackdll.dll = 2.1.22) on both Win95 OSR 2 and Win98 SE.

This is not much, but it is a simple way to flood a computer without BlackICE
reacting in any way. Also, if somebody is using a buggy ident server this is
fatal (IRC clients sometimes install ident servers without the user's knowledge).

Other comments regarding BlackICE:

BlackICE does a good job of stopping malformed packets that are "bad" for Microsoft
IP stacks (including IGMP, fragmented ICMP aka teardrop, etc.). It can detect an
nmap stealth scan, but there is no simple way to tell from the interface which
port was scanned (if the port is not a "standard" port). Anyway, it has
extensive logging capabilities. In fact, with "logging" and "evidence logging"
enabled, sniffed sessions can linger in the BlackICE folder, alongside
sensitive information like passwords.
BlackICE can do an (automatic) DNS reverse lookup and a NetBIOS scan of the
attackers (which can be a *very* bad thing). I think this feature is enabled by
default.

BlackICE seems to have some limits on the number of packets logged and on the
alerts displayed. This is a good thing and a bad thing. It limits the memory
used, but some packets can go unnoticed (and if someone sends a lot of spoofed
packets the real attack will go unnoticed).
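The post's worry is that an ident daemon (RFC 1413, TCP/113) quietly installed by an IRC client is reachable through a blind spot the firewall never logs, so the daemon's own input handling is the only line of defence. The following is an added example, not code from the original post or from BlackICE: a strictly parsing ident request handler that enforces the RFC's 1000-character request limit, rejects anything that is not exactly two in-range port numbers, and answers with the RFC's ERROR types instead of crashing or echoing garbage. The CONNECTIONS table is constructed sample data standing in for a lookup of the kernel's socket table, the listening port 1130 is an assumption so the demo runs unprivileged, and the choice to answer unparsable lines with "0,0" is this example's convention rather than something the RFC mandates.

```python
"""Minimal RFC 1413 (ident, TCP/113) request handling with strict parsing.

Added example, not from the original post. CONNECTIONS is constructed sample
data; a real daemon would look the two ports up in the kernel's socket table.
"""
import socketserver

MAX_REQUEST_LEN = 1000  # RFC 1413: a request line must not exceed 1000 characters

# Constructed sample: (server_port, client_port) -> local username
CONNECTIONS = {
    (6667, 40123): "alice",  # an IRC connection, the usual reason an ident daemon exists
    (22, 51000): "root",
}


def parse_ident_request(line: bytes):
    """Parse '<server-port>,<client-port>' per RFC 1413.

    Returns (server_port, client_port), or None if the line is malformed:
    too long, non-ASCII, not exactly one comma, non-numeric, or out of range.
    Whitespace around the numbers is tolerated, as the RFC allows.
    """
    if len(line) > MAX_REQUEST_LEN:
        return None
    try:
        text = line.decode("ascii")
    except UnicodeDecodeError:
        return None
    text = text.rstrip("\r\n")
    if text.count(",") != 1:
        return None
    left, right = (part.strip() for part in text.split(","))
    if not (left.isdigit() and right.isdigit()):
        return None
    sport, cport = int(left), int(right)
    if not (1 <= sport <= 65535 and 1 <= cport <= 65535):
        return None
    return sport, cport


def ident_response(line: bytes, table=CONNECTIONS, hide_users=False) -> bytes:
    """Build the RFC 1413 reply for one request line.

    ERROR:INVALID-PORT for unparsable or out-of-range ports (ports echoed as
    "0,0" by this example's convention), ERROR:HIDDEN-USER when the operator
    declines to disclose usernames, ERROR:NO-USER for an unknown connection,
    otherwise USERID:UNIX:<name>.
    """
    parsed = parse_ident_request(line)
    if parsed is None:
        return b"0,0:ERROR:INVALID-PORT\r\n"
    sport, cport = parsed
    prefix = f"{sport},{cport}:".encode("ascii")
    if hide_users:
        return prefix + b"ERROR:HIDDEN-USER\r\n"
    user = table.get((sport, cport))
    if user is None:
        return prefix + b"ERROR:NO-USER\r\n"
    return prefix + b"USERID:UNIX:" + user.encode("ascii") + b"\r\n"


class IdentHandler(socketserver.StreamRequestHandler):
    """One request per connection; the read is bounded so a client cannot
    feed an unterminated line forever."""

    def handle(self):
        line = self.rfile.readline(MAX_REQUEST_LEN + 2)  # +2 for CRLF
        self.wfile.write(ident_response(line))


if __name__ == "__main__":
    # Assumed unprivileged demo port; a real ident daemon listens on TCP/113.
    with socketserver.TCPServer(("127.0.0.1", 1130), IdentHandler) as srv:
        srv.serve_forever()
```

Exercise it with `printf '6667,40123\r\n' | nc 127.0.0.1 1130` against the demo port; the bounded `readline` is what turns the "long request" case into a clean INVALID-PORT reply rather than unbounded buffering.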

