Author Topic: ICMP = UNREACHABLE and PORT UNREACHABLE to DNS  (Read 6844 times)

Offline a_hombach

  • Newbie
  • *
  • Posts: 9
ICMP = UNREACHABLE and PORT UNREACHABLE to DNS
« on: May 01, 2007, 08:46:08 PM »
Hello,

1.) I'm constantly getting the inbound policy violation

Access denied, icmp = unreachable

Before, I was also getting messages for "host unreachable" or
"protocol unreachable". After making matching rules, these no longer occur.

Now my problem:

Where can I make such a rule for the above?

Under ICMP Details there is no option for it. There's only
port/host/net/protocol unreachable,
but not an "unreachable" without host/...

OK, I could use "any", but that's not what I want!

Is there a possibility in comodo or will it be in the next version?

2.) I'm regularly getting an "Access denied, ICMP = PORT UNREACHABLE" as an
outbound policy violation.

This occurs to the trusted DNS of my provider. Should I allow it? Why does
the DNS of my provider want to know about my ports? Is this normal behavior?

Thx
Achim

soyabeaner

  • Guest
Re: ICMP = UNREACHABLE and PORT UNREACHABLE to DNS
« Reply #1 on: May 02, 2007, 08:48:59 AM »
Hi, Achim.

I also have trouble finding the specific Network rule for this generic ICMP = Unreachable.  The only way I know is to allow all ICMP (which is what I have right now, but I'm confident enough in my own setup to lose some "stealth" capabilities).  I have a support ticket that's been open for months, but the team will get back to it after v3 is released.

Here's the thread: http://forums.comodo.com/index.php/topic,2543.0.html
« Last Edit: May 02, 2007, 08:56:04 AM by Soya »

Offline kail

  • Mostly Benevolent
  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 11277
  • The future is much like the present, only longer.
    • COMODO's free software!
Re: ICMP = UNREACHABLE and PORT UNREACHABLE to DNS
« Reply #2 on: May 02, 2007, 08:53:18 AM »
Hi Achim

You could always use "Custom..", specifying any Type 3 Code combination you want/need. You can find a rather good list of Type 3 Codes here.

Where would you make such a rule? In the Network Monitor, before the final Block & Log rule.

ICMP Port Unreachable messages from your DNS. I believe that is a redundant reply sent by the DNS. If you allow your system to respond with an acknowledgment, the DNS will ignore it anyway. So, it is not needed & you can safely block it. Some users hardly get any of these messages, whereas other users receive loads. I'm in the latter group; I get so many that I created a silent Block (no Log) in the Network Monitor just above the final Block & Log rule so that my Log didn't get filled up with Port Unreachable messages.

Hope that helps.
My System Details: W8Px64 with CIS 6, Firefox 26 & Becky! 2.65
Forum Policy.
____
The problem is not the problems, the problem is people's attitude towards those problems.
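The following is an added example, not code from the thread or from Comodo. It shows what the two replies above are manipulating: an ICMP Type 3 (Destination Unreachable) message, whose code field distinguishes net/host/protocol/port unreachable (codes 0-3) from the other codes a "Custom" rule can name individually instead of "any", and the first-match rule order kail describes (a silent Block for outbound Port Unreachable to the DNS placed above a final Block & Log). It also decodes the part of the message the firewall log does not show: per RFC 792 an ICMP error quotes the IP header and first 8 bytes of the datagram that triggered it, so an outbound Port Unreachable sent by your own host to the DNS server quotes a UDP datagram with source port 53, i.e. the DNS reply that arrived for a port nothing was listening on. The addresses (192.168.1.10, 192.0.2.53 and the other documentation-range hosts), the rule list, and the sample packets are all constructed for the example; which Type 3 code produced the OP's generic "unreachable" entry is not stated in the thread, so the example just treats each code number explicitly.

```python
"""Added example: parse ICMP Type 3 (Destination Unreachable) packets and run
them through a first-match rule list ordered like the Network Monitor rules
discussed in the thread. All addresses and packets are constructed."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

ICMP_DEST_UNREACH = 3
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17
# Type 3 code values from RFC 792 / RFC 1122. The firewall's named entries
# (net/host/protocol/port) are codes 0-3; a Custom rule can name the rest.
TYPE3_CODE_NAMES = {
    0: "net unreachable", 1: "host unreachable", 2: "protocol unreachable",
    3: "port unreachable", 4: "fragmentation needed", 5: "source route failed",
    9: "network administratively prohibited", 10: "host administratively prohibited",
    13: "communication administratively prohibited",
}


def inet_checksum(data: bytes) -> int:
    """One's-complement checksum used by IPv4 and ICMP headers (0 when verifying a valid one)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_dest_unreach(src, dst, code, q_src, q_dst, q_proto, q_sport, q_dport) -> bytes:
    """Constructed IPv4 + ICMP Type 3 packet. RFC 792: the error quotes the IP header
    and first 8 bytes of the offending datagram (for UDP that is the whole UDP header)."""
    quoted_l4 = struct.pack("!HHHH", q_sport, q_dport, 8, 0)
    quoted_ip = ipv4_header(q_src, q_dst, q_proto, len(quoted_l4))
    body = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + quoted_ip + quoted_l4
    icmp = body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]
    return ipv4_header(src, dst, PROTO_ICMP, len(icmp)) + icmp


@dataclass
class Unreachable:
    src: str
    dst: str
    code: int
    inner_proto: int
    inner_src: str
    inner_dst: str
    inner_sport: Optional[int]
    inner_dport: Optional[int]

    @property
    def code_name(self) -> str:
        return TYPE3_CODE_NAMES.get(self.code, "code %d" % self.code)


def parse_ipv4(data: bytes) -> Tuple[str, str, int, bytes]:
    """Return (src, dst, protocol, payload) of an IPv4 packet, honouring IHL."""
    if len(data) < 20 or data[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (data[0] & 0x0F) * 4
    if ihl < 20 or len(data) < ihl:
        raise ValueError("truncated IPv4 header")
    return (str(ipaddress.IPv4Address(data[12:16])), str(ipaddress.IPv4Address(data[16:20])),
            data[9], data[ihl:])


def parse_dest_unreach(packet: bytes) -> Optional[Unreachable]:
    """Decode an ICMP Type 3 message, or return None if the packet is something else."""
    src, dst, proto, payload = parse_ipv4(packet)
    if proto != PROTO_ICMP or len(payload) < 8 or payload[0] != ICMP_DEST_UNREACH:
        return None
    if inet_checksum(payload) != 0:
        raise ValueError("bad ICMP checksum")
    code = payload[1]
    q_src, q_dst, q_proto, q_l4 = parse_ipv4(payload[8:])  # the quoted original datagram
    sport = dport = None
    if q_proto in (PROTO_TCP, PROTO_UDP) and len(q_l4) >= 4:
        sport, dport = struct.unpack("!HH", q_l4[:4])  # ports are the first 4 bytes of both
    return Unreachable(src, dst, code, q_proto, q_src, q_dst, sport, dport)


@dataclass
class Rule:
    direction: str                 # "in" or "out"
    action: str                    # "allow" or "block"
    log: bool
    codes: Optional[Set[int]] = None   # None = any Type 3 code (the "any" the OP wanted to avoid)
    remote: Optional[str] = None       # None = any remote host


@dataclass
class Decision:
    action: str
    rule_index: int
    logged: bool


def evaluate(packet: bytes, direction: str, rules: List[Rule], log: List[str]) -> Decision:
    """First matching rule wins, like the Network Monitor list; append a log entry if it says so."""
    msg = parse_dest_unreach(packet)
    if msg is None:
        raise ValueError("not an ICMP destination-unreachable packet")
    remote = msg.src if direction == "in" else msg.dst
    for idx, rule in enumerate(rules):
        if rule.direction != direction or (rule.codes is not None and msg.code not in rule.codes):
            continue
        if rule.remote is not None and rule.remote != remote:
            continue
        if rule.log:
            verb = "denied" if rule.action == "block" else "allowed"
            log.append(f"Access {verb}, ICMP = {msg.code_name.upper()} ({direction}bound, remote {remote}, "
                       f"quoted {msg.inner_src}:{msg.inner_sport} -> {msg.inner_dst}:{msg.inner_dport})")
        return Decision(rule.action, idx, rule.log)
    raise RuntimeError("rule list must end with a catch-all Block & Log rule")


MY_IP, ISP_DNS = "192.168.1.10", "192.0.2.53"   # assumed addresses (ISP_DNS is a TEST-NET placeholder)
RULES: List[Rule] = [
    Rule("in", "allow", log=False, codes={1, 2, 3}),               # Custom Type 3 rule: only chosen codes
    Rule("out", "block", log=False, codes={3}, remote=ISP_DNS),    # silent Block, above the final rule
    Rule("in", "block", log=True),                                  # final Block & Log (inbound)
    Rule("out", "block", log=True),                                 # final Block & Log (outbound)
]


def run_demo() -> Tuple[List[Decision], List[str]]:
    """Run four constructed packets through RULES and return the decisions and the log."""
    log: List[str] = []
    samples = [
        ("in", build_dest_unreach("198.51.100.7", MY_IP, 3, MY_IP, "198.51.100.7", PROTO_UDP, 40000, 5060)),
        # our own stack answering a DNS reply (src port 53) that arrived after the resolver's socket closed
        ("out", build_dest_unreach(MY_IP, ISP_DNS, 3, ISP_DNS, MY_IP, PROTO_UDP, 53, 51234)),
        ("in", build_dest_unreach("203.0.113.1", MY_IP, 13, MY_IP, "203.0.113.9", PROTO_UDP, 40001, 161)),
        ("out", build_dest_unreach(MY_IP, "198.51.100.7", 3, "198.51.100.7", MY_IP, PROTO_UDP, 5060, 40000)),
    ]
    return [evaluate(pkt, d, RULES, log) for d, pkt in samples], log
```

Running `run_demo()` gives allow / silent block / block+log / block+log for the four packets, in rule order 0, 1, 2, 3: only the code 13 message and the Port Unreachable to a host other than the DNS reach the final Block & Log rules, which is the log-noise reduction the silent rule is for. The quoted ports in the second packet (53 -> 51234) are what the firewall log omits but what tells you the message was triggered by a late DNS reply rather than by anything the server did.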

Offline a_hombach

Re: ICMP = UNREACHABLE and PORT UNREACHABLE to DNS
« Reply #3 on: May 02, 2007, 04:52:16 PM »
Yeaah, custom types are the right thing. I didn't see it myself.

For outbound ICMP Port Unreachable I also created a silent block rule as you recommended.
Now the logs are much better arranged.

Thx for help.

Offline kail

Re: ICMP = UNREACHABLE and PORT UNREACHABLE to DNS
« Reply #4 on: May 02, 2007, 05:12:56 PM »
No problem, glad it helped.
