continual blocking of ip

[Guest]

[worldwidewiretap]

hello all...I am having a few issues I need help with..

I am using the version 4.0138377.779 CIS

my firewall continues every few seconds to block an ip on a network in the house here...

the event shown reads like this

Application = windows operating system

Action = Blocked

Direction = In

Protocal = ICMP

Source Ip = the router being used in the house (192.168.2.1)

Source = Type 3

Destination IP = An IP that is hardwired through the router that is listed above (192.168.2.1) (which leads to my second issue..I am trying to go to ipconfig in order to verify the ip on a pc..and the window disappears as soon as it pops up)

Destination = Code 4

there are times when 5 minutes or so will go by...and the blocking will cease...then, back to blocking every minute or so.  I tried to get live support twice..first time i was given advice to make a specific global rule, the blocking ceased for about an hour.....then only to return to the same behavior...

the second attempt of live help lead to being advised to run training mode...did nothing.

thanks for any advice.

[Ronny]

Did you happen to upgrade from the previous V4.0.x.742 ?

Please verify your Firewall's Application rules and see if the "All applications" rule still has a "Block" rule present, if so please remove that.

[worldwidewiretap]

this was a fresh install after a format Ronnie....

one thing I recall...recently I was looking in the CIS forums in which a member posted tweaking rules...one rule in particular was check the block all  option in the stealth ports wizard....after I checked this option, my system would not allow certain programs to open or websites, etc...so, in thinking a tweak of the stealth ports wizard was this was the problem, I went to switch back to the default option in the stealth ports wizard (define a new trusted network & make my ports stealth for everyone else)....

there are two network zones listed in my advanced firewall settings...one the loopback zone ip adress which I believe to be the adress of the modem provided by the isp.....the other zone being the one I set up after the install of comodo CIS..which I named and believe to be the ip being blocked continuously..(the ip of the pc wired through the router connected to the modem..)

Another note...after the first online help conversation as listed in the first post in this thread...the helper advised me to make a rule...allow, ip, direction out, source any, destination zone / which is the one named and being blocked, ip any   /////////  and allow ip, direction in, source zone, destination any, ip any..

this is curious to me, as the ip actions being blocked show the protocol being blocked is ICMP....

[Ronny]

Before we find the solution it's good to know something about the messages send:

ICMP Type 3 - Code 4 means the router is telling your PC

3     Destination Unreachable  4  Fragmentation Needed and Don't Fragment was Set
Source = http://www.iana.org/assignments/icmp-parameters

Basically the packet the PC send was to large for the Router to transport to it's destination.
This blocking of these packets was on v4.0.x.472 related to a bug caused by the "All Applications" block rule blocking this while the global rule allowed it.

So if you are still experiencing these blocks and you don't have the "All applications" rule or at least not the block rule under it present it's probably caused by the Global Rules.

Can you please verify if you have an ALLOW ICMP IN ANY ANY Fragmentation Needed present there?

Can you also maybe provide a screenshot of your global rules?

For the IP rule support suggested, IP is a group of protocol's like ICMP/UDP/TCP etc so IP will cover all those, and that rule could be valid.

[worldwidewiretap]

sorry for delay..I've attempted unsuccessfully to implement a snapshot of my global rules and such, but I cannot get the photo service sites to work properly...maybe due to the firewall.....

in the global rules..the allow icmp in / any / any / fragmentation needed is present..

also...icmp in / any / any / time exceeded is present..

as for the "all applications rule bug" explained above...I'm not real sure what you mean..but If you are referring to a global rule...block ip in / any / any / where protocol is any...this rule is present also..

and yes..the blocking is still occurring as described initially..

ps...under the advanced tab in the firewall behavior settings..the block fragmented IP datagrams box is checked..

[EricJH]

You can try uploading images to the Comodo forums as you can attach images to posts. Follows is a little tutorial about it.

How to post a screenshot?

To copy a screenshot of the active window push alt+print screen to copy the active window to the clipboard (pushing print screen will copy the complete window to the clipboard not just the active window). The window is now copied to the clipboard.  Paste the image in any image editing program, Paint, Paint.net, the Gimp etc. Use the "crop" function to resize the canvas to size of the image. Now save the file as 32 bits png image.

At the forum push the reply button. Or when using the Quick reply type some text and push the preview button.

Underneath the text box click on Additional options. Push the Choose button and navigate to the file and select it. When you want to post more images click on the more attachments link.

When done typing push the Post or Preview button.

[worldwidewiretap]

attempting to post image per guideline..

Great..it worked..thanks for imput..and the image attached IS the current settings...

I did however delete the named network zone with the ip being blocked as described in first post..and the same ip address continues to be blocked with the same codes as said...

[Ronny]

Can you please open the Network Security Policy, and verify your on the Application rules tab.
Now try to find the rules for "All Applications" and verify if there is a block rule beneath it, if so please remove the block rule that belongs to the "All Applications" group.
Then apply and the problem should be gone.

[worldwidewiretap]

thanks for detailed instructions to all responders...

[at] Ronnie...I did verify under the "network security policy" tab ..then "all applications" custom.. there was a "block and log all unmatching requests" (in bold print).. So I removed that rule...I will restart and watch the Firewall log..

Also..just below the "all applications" line..there is a line for "comodo internet security" Outgoing Only....below it are two rules similar to the "all applications" custom line...(they are allow all outgoing request)&(block and log all unmatching requests), however..these are not in bold print..kinda light gray...Should I also remove the "block and log all unmatching requests" there???

[Ronny]

Also..just below the "all applications" line..there is a line for "comodo internet security" Outgoing Only....below it are two rules similar to the "all applications" custom line...(they are allow all outgoing request)&(block and log all unmatching requests), however..these are not in bold print..kinda light gray...Should I also remove the "block and log all unmatching requests" there???

Hi,

No please leave those, they belong to Comodo Internet Security not to "All Applications".
This should do the trick you should be no longer seeing those ICMP packets logged/dropped.

[joeythekangaroo]

Same thing happens to me sometimes Ronny, I did a fresh install too like him, and now after a days work it says 5000 threats blocked(By the firewall) and it's always 192.168.0.1 and my ISP but idk how to fix it, please help

[Ronny]

Please remove the indicated rule from the Network Security Policy.

[worldwidewiretap]

After 30 some hours of intermittent checking, the suggestions by Ronny have currently stopped the issue I was experiencing initially in the thread... Thanks for the help..I found the setting in "all applications" set to "block and log all..etc" was causing the firewall to block signal FROM the router being used in the network TO the pc I was experiencing this issue (ie..when using router..all pc's are assigned ip addresses unless you do otherwise).   Since I have changed the setting..I have noticed certain things working better and particularly windows updates seem to giving me a higher influx of update notifications that I did not experience before (which I'm glad for...I'm just not totally sure this coincedence or not)  

Another Note..after resolving my "continual blocking of ip" issue...I went around to all computers sharing the network (all using the same versions of CIS), and I noticed silmilar blocking of IP logs on those PC's too, but these PC's also have different events listed (ie..different source ip's..different source ports and different destination ports etc..) I even noticed the firewall on one PC connected on the network was actually blocking the ip of the PC I started this thread about...weird, because I do not have sharing events enabled on any of the PC's on the network..(no one shares printers or anything like that)...

FIRST OF ALL I will go to all PC's sharing the SAME network using the same version of CIS and go to "all appllications" tab under "network security policy" and make sure the block all...request is removed..then I will continue to check firewall logs on all the PC's using CIS sharing the network and I'll touch base in a bit..

[Ronny]

Maybe good to know that Comodo dropped this rule in a clean install of version 4.0.x.779 already so it's only present on "migrated" from previous versions systems.

[worldwidewiretap]

noted Ronny thanks...however I think I was modifying my previous post when you read it...

[Tags:]