Author Topic: Internet connection going out [Resolved]  (Read 6875 times)
gamekid
Comodo Family Member
Posts: 53
« Reply #15 on: July 07, 2008, 05:29:13 PM »

I added the blocking rule. My network monitor rules are posted below.
Screenshot of network monitor rules
http://img401.imageshack.us/my.php?image=networkmonitorrulesforcgs4.png
grue155
Global Moderator
Comodo's Hero
Posts: 1172
« Reply #16 on: July 08, 2008, 01:35:05 PM »

Having had the chance to go thru your logs in detail, I found myself pleasantly surprised. Your logs are actually quite clean, after all that port 1026-1028 stuff gets out of the way. In fact, there is traffic missing that I was expecting to see, which tells me that your ISP is filtering it. That makes your ISP one of the few really good guys on the Internet.

What your ISP seems to be doing, is blocking all Netbios traffic (ports 135-139). Windows in all of its versions, is a very chatty system, and tries to broadcast its LAN file sharing to one and all. The malware folks take advantage of that "broken by design" feature, and try to attack the Netbios ports. There's not one entry in your entire log showing any probes. That means your ISP is blocking the ports.

Since you're running the CFP default rules, for the most part, that means that your machine is trying to broadcast any Netbios traffic it has outbound to the Internet. If you were on a LAN with a NAT/router box, that wouldn't be a problem. But since you have the one machine, and are directly connected to the modem, that means the traffic is going out to the ISP routers. Then the ISP routers just drop the traffic. So you're safe.

I'll suggest adding these two rules, to serve as a backup to make sure that LAN networking traffic doesn't accidentally leak out to the Internet. If you ever get a NAT/router box, or a second PC, these new rules will block any sharing or contact with that box or other PC. Just be aware of that for the future.

Your existing rule 2 (Allow TCP/UDP Out  Any Any) is the rule that lets your machine talk to the Internet. These two new rules have to go just ahead of your existing rule 2.

The first new rule, which will block Netbios traffic:

Action: Block (do not check the box for alerts)
Protocol: "TCP or UDP"
Direction: In/Out
Source IP: Any
Destination IP: Any
Source Port: Any
Destination Port: a set of ports: 135,137,138,139,445

The second new rule, which will block "multicast" traffic used by NAT/routers and Windows UPnP:

Action: Block (do not check the box for alerts)
Protocol: IP
Direction: In/Out
Source IP: Any
Destination IP: IP mask: IP 224.0.0.0  mask 240.0.0.0

With these two rules, your machine is much less likely to leak anything out to the Internet. Your ISP is already blocking this traffic, so these rules are just a backup.

Something that did show up in your log in a few instances were some blocked ICMP messages. ICMP is one of those background things that keep traffic flowing reasonably efficiently, in particular the ICMP error messages. The Internet equivalent of a telephone busy signal, or an answering machine that says "sorry, nobody home and voicemail is full". There are about a dozen or so ICMP error messages. The default rules that you have in place are letting in two of those dozen messages. You need to add a few more.

Since all of the ICMP rules are the same, except for the ICMP details, here's the template:

Action: Allow
Protocol: ICMP
Direction: In
Source IP: Any
Destination IP: Any
ICMP Details: <the following list, one new rule for each>

The ICMP rules you need to add are for "ICMP Net Unreachable", "ICMP Host Unreachable", and "ICMP Port Unreachable".

Your existing rule 5 is the "allow ICMP In --- Time Exceeded". These three new ICMP rules go after your existing rule 5.

After all those rule changes, you can clear your CFP log. And you should be good to go at this point. Watch your logs for a day or so. You'll still see stuff in your log. That's just the normal variety of junk on the Internet these days. And it means that CFP is doing its job. If you see anything in the log that you're not sure about, you can post it here.
gamekid
Comodo Family Member
Posts: 53
« Reply #17 on: July 08, 2008, 08:03:41 PM »

You're one of the few people that I meet online that actually says something nice about AOL, since that is my ISP. In the past, when I had issues, I would always hear "Get rid of AOL". Not very nice to say since it's my choice to begin with. Here is a list of the new rules that I added. Does the order matter?
Rule #1
http://img59.imageshack.us/my.php?image=newnetworkmonitorrule1fpe4.png
Rule #2
http://img59.imageshack.us/my.php?image=newnetworkmonitorrule2fuu8.png
Rule #3
http://img99.imageshack.us/my.php?image=newnetworkmonitorrule3ffz2.png
Rule #4
http://img99.imageshack.us/my.php?image=newnetworkmonitorrule4fdm4.png

Where you give me the template, I'm confused because I don't know where I add the ICMP details.
grue155
Global Moderator
Comodo's Hero
Posts: 1172
« Reply #18 on: July 08, 2008, 08:40:08 PM »

Looks like you need to move rule 8 and rule 9 up, so they are after rule 1.

You should wind up with a rule order that is like this (abbreviating the rules for ease of writing here):

0. Allow TCP/UDP ----- 255.255.255.255
1. Allow TCP/UDP  Mask 10.0.0.0/255.0.0.0
2. Block TCP/UDP ---  Mask 224.0.0.0/240.0.0.0    # your current rule 8
3. Block TCP/UDP --------- Ports 135,137,...    # your current rule 9
4. Allow TCP/UDP Out Any Any  Any Any

And, yes, order does matter. CFP reads the rule from the top down. The first matching rule is the one that gets applied. If your machine is sending something out, the first matching outbound rule will let the stuff out. That's going to be, in my list of what should be, rule 4. So anything that is going out, has to come before that rule.

The ICMP detail is on the ICMP Details tab. When you select ICMP as the Protocol from the pulldown list, you'll see the tabs change, and you'll see an ICMP Details tab. The pulldown list for the ICMP message type has the three message types. Use one per rule.

Way back when, 10 to 15 years ago, AOL had some problems. They've done a lot, and gotten their act together over that time. Today, they're one of the better ISPs out there. In this case, they're doing the right thing with their filtering, and I commend them.
gamekid
Comodo Family Member
Posts: 53
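The top-down, first-match evaluation described in Reply #18, applied to the rules from Reply #16 in the final order the moderator lays out, as an added example that is not part of the original thread. It is a constructed model, not CFP's own code; it assumes the fields the thread abbreviates with dashes are Any / In/Out, that rule 2 uses Protocol IP (per Reply #20), and that traffic matching no rule is dropped.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str            # "Allow" or "Block"
    proto: str             # "TCP/UDP", "ICMP" or "IP" (IP = any protocol)
    direction: str         # "In", "Out" or "In/Out"
    dst_net: str = "0.0.0.0/0"          # destination IP mask; default = Any
    dst_ports: frozenset = frozenset()  # empty = Any port
    icmp: str = ""                      # ICMP Details; "" = any message

    def matches(self, pkt: dict) -> bool:
        if self.proto == "TCP/UDP" and pkt["proto"] not in ("TCP", "UDP"):
            return False
        if self.proto == "ICMP" and pkt["proto"] != "ICMP":
            return False
        if self.direction != "In/Out" and self.direction != pkt["direction"]:
            return False
        if ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(self.dst_net):
            return False
        if self.dst_ports and pkt.get("dport") not in self.dst_ports:
            return False
        return not self.icmp or self.icmp == pkt.get("icmp")

NETBIOS = frozenset({135, 137, 138, 139, 445})
# Final order from the thread: rules 0-4 as listed in Reply #18 (rule 2 with
# Protocol IP per Reply #20), then the ICMP In rules from Reply #16.
RULES = [
    Rule("Allow", "TCP/UDP", "In/Out", "255.255.255.255/32"),  # 0 broadcast
    Rule("Allow", "TCP/UDP", "In/Out", "10.0.0.0/8"),          # 1 LAN
    Rule("Block", "IP", "In/Out", "224.0.0.0/4"),              # 2 multicast
    Rule("Block", "TCP/UDP", "In/Out", dst_ports=NETBIOS),     # 3 Netbios
    Rule("Allow", "TCP/UDP", "Out"),                           # 4 Out Any Any
    Rule("Allow", "ICMP", "In", icmp="Time Exceeded"),         # 5
    Rule("Allow", "ICMP", "In", icmp="Net Unreachable"),       # 6
    Rule("Allow", "ICMP", "In", icmp="Host Unreachable"),      # 7
    Rule("Allow", "ICMP", "In", icmp="Port Unreachable"),      # 8
]

def evaluate(rules, pkt):
    """First matching rule wins; returns (action, rule index).
    Assumption: traffic matching no rule is blocked -> ("Block", None)."""
    for i, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, i
    return "Block", None

def pkt(proto, direction, dst, dport=None, icmp=None):
    """Constructed sample packet for the evaluator (not real log data)."""
    return {"proto": proto, "direction": direction, "dst": dst,
            "dport": dport, "icmp": icmp}
```

Moving the two Block rules below rule 4 makes an outbound UDP/137 packet hit "Allow TCP/UDP Out Any Any" first, which is why the order matters.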
« Reply #19 on: July 09, 2008, 09:50:53 AM »

Adding all the rules, this is the order that I have.
Network monitor rules for comodo firewall
http://img514.imageshack.us/my.php?image=newnetworkmonitorrulesflk6.png
grue155
Global Moderator
Comodo's Hero
Posts: 1172
« Reply #20 on: July 09, 2008, 10:57:26 AM »

The rule order looks good. There's just a little bit of tweaking that needs to be done.

On the three new ICMP rules, the direction needs to be In, rather than the default In/Out. There is a pulldown list for Direction like there is for the Protocol.

And, on rule 2 (block --- 224.0.0.0, that one), the Protocol needs to be IP rather than just TCP/UDP. There is a lot of stuff that can move over the multicast addresses beyond just TCP and UDP. Selecting Protocol as IP will catch all of it.

How does your CFP log look? If you post a screenshot, just the first screen will be enough to give me a sense for traffic volume. I'm expecting that the amount of stuff in the log will be way down from what you had at the beginning of this topic.
gamekid
Comodo Family Member
Posts: 53
« Reply #21 on: July 09, 2008, 11:08:43 AM »

When you mention the three ICMP rules, which numbers are you referring to?

Here is a screenshot of the CFP log
http://img230.imageshack.us/my.php?image=cfplogqr0.png
grue155
Global Moderator
Comodo's Hero
Posts: 1172
« Reply #22 on: July 09, 2008, 11:28:06 AM »

Sorry, I should have given you the rule numbers.

It's rules 6, 7, and 8. The ones that say "Allow ICMP In/Out", should say "Allow ICMP In".

For an hour and a half, that's a decently busy CFP log. It's "normal" junk on the Internet these days, and is showing that CFP is doing its job. If stuff starts piling up in the log, then there's some kind of problem. Either a CFP rule needs changing, or somebody out on the Internet is throwing a lot of probes or such at your machine. Your screenshot isn't showing anything piling up. That's good.

Everything looks good. I'd say you're all set.
gamekid
Comodo Family Member
Posts: 53
« Reply #23 on: July 09, 2008, 11:51:59 AM »

I changed the rules to what they should be. I'd say that I'm all done. I really want to thank you for all of your help. I'm no expert in firewalls. I can download and install one, but that's about it.
grue155
Global Moderator
Comodo's Hero
Posts: 1172
« Reply #24 on: July 09, 2008, 12:44:51 PM »

Glad to have been of help. You can watch the CFP log for the next couple of days to see if anything strange shows up in the log. If it does, you can post your questions here.

I'll hold this topic open for the next couple of days, and then lock it for reference. If it needs to be reopened, just PM any of the moderators.
gamekid
Comodo Family Member
Posts: 53
« Reply #25 on: July 09, 2008, 01:01:07 PM »

Fair enough