Author Topic: Internet connection going out [Resolved]  (Read 5950 times)
gamekid
Comodo Family Member
***
Offline Offline

Posts: 53


« on: July 05, 2008, 12:18:31 PM »

My internet connection has been going out, just like that, out of the blue for the last two weeks. I would like to eliminate the possibility that my firewall is causing the problem. I don't get any firewall prompts, what happens is that my modem tries to renew my IP address which it doesn't and then I have to either reboot or disconnect the power cord from my modem, shut down my computer, reconnect the power cord to my modem, wait for my modem to reacquire service and then turn my computer back on in order to get online. I connect to the internet with a cable modem via an ethernet connection. I have an onboard ethernet connection. I have windows xp home edition with service pack 3. If I go to the command prompt, and then use the ipconfig command, the connection-specific dns suffix and the default gateway field is blank while the autoconfiguration ip address and the subnet mask field is not blank. When my internet connection is working, the autoconfiguration ip address is changed to just ip address. Going to the event viewer, I have this:

date: 7/5/2008
time: 7:41:43 AM
type: error
user: n/a
computer: HOME-1JB298VQN8
source: dhcp
category: none
event ID: 1000

description:
your computer has lost the lease to its IP address 76.168.59.200 on the network card with network address 001060168E43

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp
« Last Edit: July 11, 2008, 11:49:26 AM by grue155 » Logged
gamekid
Comodo Family Member
***
Offline Offline

Posts: 53


« Reply #1 on: July 05, 2008, 01:34:03 PM »

According to my event viewer, my internet connection has gone out at the following times.
12:08 AM
5:34 AM
6:36 AM
7:41 AM
8:47 AM
9:57 AM
11:00 AM
Logged
grue155
Global Moderator
Comodo's Hero
*****
Offline Offline

Posts: 1172



« Reply #2 on: July 05, 2008, 02:16:45 PM »

The Event Log entry is telling us that the DHCP address renewal is being blocked. Is there anything in your CFP log?
In v2.4, you click Activity -> Logs. If you right click anywhere in the log, you'll get a menu that will let you export the log to html, which you can post here.

Your first post mentioned a modem. What kind of connection do you have? Is this a modem, or a modem/router combination?
Logged
gamekid
Comodo Family Member
***
Offline Offline

Posts: 53


« Reply #3 on: July 05, 2008, 02:50:11 PM »

I called into Time Warner and I found out that my firewall may be causing my internet connection to go out so I have my firewall turned off right now to confirm whether or not that is the problem. The log file is too big to post here so here is the link for it.
C:\Documents and Settings\Owner\Desktop\Misc\log file for comodo firewall.html
Logged
grue155
Global Moderator
Comodo's Hero
*****
Offline Offline

Posts: 1172



« Reply #4 on: July 05, 2008, 03:10:59 PM »

Since that link is on your computer, I can't get to it to see what is in the log.

So, let's try a different approach, with a screen shot.

Bring up the CFP log (Activity -> Logs), and take a "snapshot" by pressing Alt-Prntscrn. This will copy the window onto the system clipboard.

Now, open Notepad (or Wordpad, or Paint), and do a Ctrl-V for a normal paste operation. You should have the image of your window. Save that image as a file. Then you can post that file here.

To post the file, there is the "Additional Options" in the Comodo forum post page. You want to Attach the file, so when you Post, that file will show up here.
Logged
gamekid
Comodo Family Member
***
Offline Offline

Posts: 53


« Reply #5 on: July 05, 2008, 10:41:48 PM »

One problem. I took screenshots of the log, pasted the screenshot into Paint and then saved that as a file. The file size is at least 3.75 MB which is way more than what I can post here.

I have another method, I'll use image shack to get links which I'll post here. It'll be one link per image.
Screenshot #1
http://img396.imageshack.us/my.php?image=comodofirewalllog1cr6.png
Screenshot #2
http://img396.imageshack.us/my.php?image=comodofirewalllog2ga3.png
Screenshot #3
http://img396.imageshack.us/my.php?image=comodofirewalllog3qd3.png
Screenshot #4
http://img157.imageshack.us/my.php?image=comodofirewalllog4gd8.png
Screenshot #5
http://img157.imageshack.us/my.php?image=comodofirewalllog5ik8.png
« Last Edit: July 06, 2008, 10:36:59 AM by gamekid » Logged
grue155
Global Moderator
Comodo's Hero
*****
Offline Offline

Posts: 1172



« Reply #6 on: July 06, 2008, 12:29:19 PM »

Thank you. As you likely noticed, you have a lot of entries complaining about svchost.exe and IP address 255.255.255.255. That's the problem.

svchost.exe is the Windows system component that renews your IP address automatically (among other things that svchost.exe does). CFP is blocking it.

To remove the block, open CFP and click Security -> Application Monitor. Find the line (or lines) that have svchost.exe and permission as "blocked". Click on each line to highlight it, then click Remove (in the upper right corner). That should get rid of the block, and all those "Application Access Denied" messages in the log.

You probably should add these rules to make sure that the DHCP address assignment gets thru in the future. Click Security -> Network Monitor, and then Add

Action: Allow
Protocol: UDP
Direction: In/Out
Source IP: Any
Destination IP: Single IP: 255.255.255.255
Source Port: Any
Destination Port: a port range: Start 67 End 68

Then click OK. You'll have a new rule as the very last rule. You need to move it up to the top of the rule list, so it is first. Click the line to highlight it, and Move Up as needed.

Another new rule to put into place. Your log is showing some DHCP replies being blocked, and this new rule should keep that from happening.

Action: Allow
Protocol: UDP
Direction: In/Out
Source IP: IP Mask: IP 10.0.0.0  Mask 255.0.0.0
Destination IP: Any
Source Port: Any
Destination Port: a port range: Start 67 End 68

Click OK, and then move this new rule up to be your second rule.

Then clear your logs, so we can see what is happening with these new rules. Click Activity -> Logs, right click in the log, and select Clear All Logs. Then exit CFP.

To test things out real quick, you can do a reboot. Then look at the CFP logs again. You should be okay. But watch things for a little while.

Your logs are showing some other traffic that needs to be looked at, but first we need to get you a good working connection.
Logged
gamekid
Comodo Family Member
***
Offline Offline

Posts: 53


« Reply #7 on: July 06, 2008, 12:49:14 PM »

I followed your instructions so I'll monitor everything for a bit and see what happens.
Logged
gamekid
Comodo Family Member
***
Offline Offline

Posts: 53


« Reply #8 on: July 06, 2008, 10:46:29 PM »

I wanted to provide you with an update. So far, my internet connection has been good. I am getting warnings in my event viewer, but those aren't as bad as red X's. They may have to do with the other things, I really don't know. I'll continue to monitor everything in the next few days.
Logged
gamekid
Comodo Family Member
***
Offline Offline

Posts: 53


« Reply #9 on: July 07, 2008, 09:36:21 AM »

Unless you feel that it's too early, I'd like to go on ahead and take care of the other traffic that's being blocked. My internet connection has not gone out so far which is good.
Logged
grue155
Global Moderator
Comodo's Hero
*****
Offline Offline

Posts: 1172



« Reply #10 on: July 07, 2008, 11:34:51 AM »

Good to hear that your connection is working now. And, no, it is not too soon to look at the other stuff.

Your earlier logs were showing what look like a bunch of probes, and some likely misconfigured network "neighbors". But with all those svchost.exe blocked messages filling the log, it was hard to tell. Now that the svchost thing is cleared up, the log should be able to properly show what's going on.

So, if you could post your CFP log, we can see what's what. With a smaller log this time, you should be able to export it to a file. Or you can make screen snapshots as you did before. Your choice.

The other thing I'd like to see, is what your firewall rules are. It may be that rearranging the rules, or adding some additional rules, can help to keep your machine safe. There's no means to export the rules, so you'll have to do it as a screen snapshot. Open CFP, maximize the screen, click Security -> Network Monitor, and then capture the screen image.

And, I want to confirm what I guessed at from your earlier logs. That you are connecting thru a cable modem, like this:

     Internet ------- modem -------- PC

and not like this, with a router or some other box in the middle:

     Internet ----- modem ------- router/box --------- PC

Thanks.
Logged
gamekid
Comodo Family Member
***
Offline Offline

Posts: 53


« Reply #11 on: July 07, 2008, 01:00:58 PM »

My log is not quite as long this time, but you'll have to bear with me. Same setup as before and to answer your last question, the first diagram would be correct. I don't have a router or box of any kind.
Screenshot #1
http://img375.imageshack.us/my.php?image=newcomodofirewalllog1gj0.png
Screenshot #2
http://img137.imageshack.us/my.php?image=newcomodofirewalllog2oz7.png
Screenshot #3
http://img375.imageshack.us/my.php?image=newcomodofirewalllog3rb1.png
Screenshot #4
http://img375.imageshack.us/my.php?image=newcomodofirewalllog4th5.png
Screenshot #5
http://img60.imageshack.us/my.php?image=newcomodofirewalllog5ot3.png
Screenshot #6
http://img60.imageshack.us/my.php?image=newcomodofirewalllog6bj3.png
Screenshot #7
http://img375.imageshack.us/my.php?image=newcomodofirewalllog7ju2.png
Screenshot #8
http://img375.imageshack.us/my.php?image=newcomodofirewalllog8yu1.png
Screenshot #9
http://img137.imageshack.us/my.php?image=newcomodofirewalllog9sm1.png
Screenshot #10
http://img60.imageshack.us/my.php?image=newcomodofirewalllog10mb0.png
Screenshot #11
http://img137.imageshack.us/my.php?image=newcomodofirewalllog11oc5.png
Screenshot #12
http://img60.imageshack.us/my.php?image=newcomodofirewalllog12ez5.png
Screenshot #13
http://img60.imageshack.us/my.php?image=newcomodofirewalllog13uq5.png
Screenshot #14
http://img375.imageshack.us/my.php?image=newcomodofirewalllog14lk5.png
Screenshot #15
http://img60.imageshack.us/my.php?image=newcomodofirewalllog15bg6.png
Screenshot #16
http://img375.imageshack.us/my.php?image=newcomodofirewalllog16af7.png
Screenshot #17
http://img375.imageshack.us/my.php?image=newcomodofirewalllog17xy8.png
Screenshot #18
http://img60.imageshack.us/my.php?image=newcomodofirewalllog18ea1.png
Screenshot #19
http://img137.imageshack.us/my.php?image=newcomodofirewalllog19of3.png
Screenshot #20
http://img137.imageshack.us/my.php?image=newcomodofirewalllog20lm5.png
Logged
grue155
Global Moderator
Comodo's Hero
*****
Offline Offline

Posts: 1172



« Reply #12 on: July 07, 2008, 01:17:28 PM »

Got it. Thank you. It's going to take me a little while to work thru the logs. I'll have some rule change suggestions for you later that should help clean up the logs a bit. Today's dayjob schedule is a bit busy, so it may be tomorrow before I can get it all worked out.
« Last Edit: July 07, 2008, 01:23:19 PM by grue155 » Logged
gamekid
Comodo Family Member
***
Offline Offline

Posts: 53


« Reply #13 on: July 07, 2008, 01:39:45 PM »

By all means, take your time. I'm in no rush.
Logged
grue155
Global Moderator
Comodo's Hero
*****
Offline Offline

Posts: 1172



« Reply #14 on: July 07, 2008, 03:45:11 PM »

Here's a rule for you to add, just based on the sheer volume of entries in your log. All that "inbound policy violation" on ports 1026, 1027, and 1028 is very very typical for what is often referred to as "net send" spam. This is the stuff that causes a popup message box that says something like this "Warning. Your machine is infected. Visit <evilsite> and download <malware> immediately". You're right to have that blocked. But it is filling up the log to no effect.

So, here is a blocking rule, without the logging. Click Security -> Network Monitor, then Add

Action: Block (do not check the alert box, that will produce a log entry)
Protocol: UDP
Direction: In/Out
Source IP: Any
Destination IP: Any
Source port: Any
Destination Port: a port range: start 1026 end 1028

Click Ok, and you have a new rule. Use "Move Up" to move this new rule up just one position, so it comes just before that last "block&log all from any to any" rule that is giving all the log entries.

And, can you give me a screen snapshot of your Network Monitor rules?

I'm still going thru your logs as I get the time. I'll likely have some additional rules for you to add.



Logged
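The rule placement advice in Reply #6 and Reply #14 can be checked with a small model. This is an added example, not part of the thread and not Comodo's code: it assumes the Network Monitor list is evaluated top-down with the first matching rule winning (which the ordering advice implies), ignores the In/Out direction field, and uses constructed rule names and sample packets.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# name, action, protocol, source CIDR, destination CIDR, destination port range, log flag
Rule = namedtuple("Rule", "name action protocol src dst dports log")
ANY, ALL_PORTS = "0.0.0.0/0", (0, 65535)

# The three rules suggested in the thread, plus the existing catch-all.
DHCP_BCAST = Rule("dhcp-broadcast", "allow", "udp", ANY, "255.255.255.255/32", (67, 68), False)
DHCP_REPLY = Rule("dhcp-from-10/8", "allow", "udp", "10.0.0.0/8", ANY, (67, 68), False)
QUIET_DROP = Rule("popup-spam-no-log", "block", "udp", ANY, ANY, (1026, 1028), False)
CATCH_ALL = Rule("block-and-log-all", "block", "any", ANY, ANY, ALL_PORTS, True)

def matches(rule, pkt):
    proto, src, dst, dport = pkt
    lo, hi = rule.dports
    return (rule.protocol in ("any", proto)
            and ip_address(src) in ip_network(rule.src)
            and ip_address(dst) in ip_network(rule.dst)
            and lo <= dport <= hi)

def evaluate(rules, pkt):
    """Return (rule name, action, logged) for the first rule that matches."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.name, rule.action, rule.log
    return "implicit", "block", True  # assumption: unmatched traffic is dropped and logged

def log_entries(rules, packets):
    """Count how many packets would produce a firewall log line."""
    return sum(1 for pkt in packets if evaluate(rules, pkt)[2])

# Constructed traffic: (protocol, source IP, destination IP, destination port)
PACKETS = [
    ("udp", "0.0.0.0", "255.255.255.255", 67),     # DHCP request broadcast
    ("udp", "10.20.0.1", "203.0.113.5", 68),       # DHCP reply from a 10.x server
    ("udp", "198.51.100.7", "203.0.113.5", 1026),  # pop-up spam
    ("udp", "198.51.100.7", "203.0.113.5", 1027),  # pop-up spam
    ("tcp", "198.51.100.9", "203.0.113.5", 445),   # unrelated probe
]

# Rules moved into the positions the thread describes.
GOOD_ORDER = [DHCP_BCAST, DHCP_REPLY, QUIET_DROP, CATCH_ALL]
# New rules left where Add puts them: below the catch-all, so they never fire.
BAD_ORDER = [CATCH_ALL, DHCP_BCAST, DHCP_REPLY, QUIET_DROP]

if __name__ == "__main__":
    for label, rules in (("good", GOOD_ORDER), ("bad", BAD_ORDER)):
        print(label, "order:", log_entries(rules, PACKETS), "log entries")
        for pkt in PACKETS:
            print("  ", pkt, "->", evaluate(rules, pkt))
```

With the rules left at the bottom, every packet (DHCP included) hits the block-and-log rule; in the recommended order only the unrelated probe is logged.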