Block single IP address

I have a nasty user on Emule and I would like to block them from uploading from me. I have tried several settings by adding a rule in the Network Monitor section of the firewall, but nothing happens on Emule and all traffic seems to be allowed to him.

I’ve done this as:

Block IP out from IP (my IP address) to IP (Emule user’s IP address) where IPPROTO is any

Am I doing something wrong here? And in what order do I put this rule? Before the Allow rules?

Many thanks - I think this firewall is excellent

For blocking someone (even if I don’t get why you want such a feature, unless the other party is a leecher), you should use:
Security → Network Monitor → add rule (I’m writing this so others can understand where to find these options)
Action = Block
Protocol = IP
Direction = Out
Source IP = Your IP (pay attention if you are behind a router to use your computer’s internal IP and not the Internet IP of the router); I’m not sure but maybe you can also leave it blank [ → I mean Any (comment added on May 20 2006)]
Remote IP = The IP of the nasty user :stuck_out_tongue:
IP Protocol = Any

Then move the rule up (over the default rule “Allow /IP Out/ Any/ Any”)

Hope it Helped :smiley:

Thanks pandlouk - perfect answer!!

Cheers mate!

Just tried this and it doesn’t appear to be working - the leecher is still downloading from me quite freely. Have done exactly what you have said and moved the rule to the top (above the default ‘Allow’ rule). Very odd. I have tried it using my IP address as the source, and also changing the source to ‘Any’. Nothing seems to stop this guy. I will keep an eye on Emule for the next hour or so and just see what happens. Should I perhaps restart Comodo?

If your router has a firewall, try blocking his IP on the router’s firewall. Pretty much the same steps as outlined below are involved.

ewen :slight_smile:

After watching Emule for a while, I think Comodo is blocking the leechers, but when I used to use Sygate to block a leecher, as soon as I entered the IP address of the leecher, I would see their names disappear from my upload queue and never see them again. With Comodo, the leechers still appear, but don’t seem to download much from me - however, they DO download a little, so something is still getting to the leechers I am trying to block. Very confusing as I would have thought that if they were blocked in Comodo, then they shouldn’t even appear in my upload queue?

I am very new to Comodo and like it very much (having spent the last few weeks testing every available firewall Comodo is the only one that doesn’t suddenly shut down my PC at random intervals, that I don’t need a degree in astrophysics to work out, and that seems to actually function how I tell it to) - it seems to do an excellent job and I feel safe with it. I just find adding some of these rules a little confusing with the source IP and remote IP, but I am determined to get there.

And thanks for the advice and help :wink:

The rule I described is only for blocking the leecher from downloading from you. But you still connect to them (so that you can gain some download from them). If you want to ban them completely change the rule:
Direction = Out
to Direction = In/Out
Also you can try Emule Xtreme which is pretty fast and bans most of the leechers

Hey pandlouk

I’ve checked my Comodo settings and have applied the rules as stated, but still today I have seen several of the leechers download from me quite freely (using ‘bad’ mods). I have checked the IP addresses to make sure that they are entered correctly in Comodo, and they are ok. The rules are placed above the general ‘Allow any’ rule. This is very puzzling.

Perhaps blocking a single IP address does not work very well with Comodo? Strange that it seems to work for you pandlouk. I’m definitely doing exactly what you suggested. Weird. Must be something I’m missing here.

I use a mod that has a similar punishing feature to Xtreme (Sion mod), but it doesn’t stop leechers >:(, it just punishes them.

Have actually just restarted Windows and relaunched Emule and immediately three leechers appeared and started downloading, none of them blocked.

Try to change also:
Source IP = your IP
to Source IP = Any
Does it work? If not, try to also make an opposite rule with
Source IP = The IP address of the leecher
Remote IP = Any

ps. Emule Xtreme gives you also the ability to ban them and not only to reduce score.

Ok, this is really confusing me now - I’ve managed to get the settings right - your first rules, pandlouk, seemed to work. I have even seen logs for the intrusions in the Activity->Logs window.

BUT, I have three entries of a certain IP address saying ‘Outbound Policy Violation (Access Denied, IP = 123.456.78.90)’ and the times of the violations. This is good, surely! :slight_smile:

However, 5 minutes later, there is the very same leecher downloading from me with the same address, leeching freely >:(! No log in the Activity->Logs either, yet I have not adjusted anything.

I am wondering if this is a fault with Comodo? It seems to work for a while, then not at all. Now I have seen the Logs, I am convinced that Comodo IS blocking the traffic to the right IP address, yet it somehow seems to allow traffic to the very same user minutes later?? And it’s not just a few kilobytes - this guy downloaded megabytes before I realised that he was the same user that Comodo had told me it had blocked! Weird.

I wonder if I could make an application rule for Emule - Blocking TCP or UDP out to the specified IP address? Or does it have to be a network control rule?

Maybe it has something to do with the bug that the development group has found in CPF. I think that the update will be available next Thursday.

ps. the best way for blocking IPs is “Protowall” (with the help of “Blocklist manager”); or peerguardian2. You can find protowall at http://www.bluetack.co.uk/ and peerguardian2 at http://phoenixlabs.org/ :wink:

Cheers pandlouk

I can easily use Peerguardian, I just thought that a firewall should be able to block an IP address quite easily, yet it seems Comodo is still having teething troubles. I still like the firewall though and intend to stick with it for sure. Thanks for your help on this matter. Happy Emule-ing! :slight_smile:

Had another look at this and I have attached some images that might help:

Every time a leecher or bad IP is blocked, I get three alerts, 5 seconds apart, and then nothing else. However, minutes later, the leecher appears on Emule and no further alerts in Comodo.

[attachment deleted by admin]

And here you can see that I have created a rule to block an IP address, and here is the leecher in my upload queue:

[attachment deleted by admin]

What size of upload leeching are we talking about?
Some kbytes may be transferred by the ICMP protocol, which serves for communicating between IPs and adjusting the connection speed between them and for replying to IP In connections. If you want to permanently ban them you should also make a blocking rule for IP In connections. :wink:

Fair point. I guess the best way is a two-way ban anyway, so I will change the rule to in/out and see what that does instead. The confusion with Comodo, for me, is if it is an Out rule, then my IP is the source IP; if it is an In rule, then I am the Remote IP; but what if the rule is In/Out?

I’m going to master this if it kills me ;D

I think I will suggest a feature in future version - a simple IP block - enter an IP into a space, press ‘Ok’ and it’s done. :wink:

Yes, you are right. People are getting confused about how it works. So we should add a single option to BAN certain IP addresses/ports etc.

According to your rules, you block connection initiation from your PC to the leecher. This means you are blocking your access to the leecher’s PC. But the leecher can connect to your PC. To ban the IP, you need to change the direction to IP IN from the leecher to your PC.
i.e. : BLOCK and LOG IP IN FROM IP 83.117.175.X TO IP ANY WHERE IPPROTO IS ANY

This means you can download from the leecher but he cannot download/upload from/to you.

Hope this helps,
Egemen

Hi, Egemen
I don’t get it. You mean a rule like

  1. Source IP = 83.117.175.X
    Remote IP = Any

Or you mean the opposite

  2. Source IP = Any
    Remote IP = 83.117.175.X

I guess that #1 is correct;
But in this case isn’t it the same as the following rule that I had described at https://forums.comodo.com/index.php/topic,193.msg1166.html#msg1166
It is the exact opposite
Block IP Out from IP ANY to IP 83.117.175.X ; shouldn’t it have the same effect with yours ?
Block IP In from IP 83.117.175.X to IP Any
I am confused ???

Hi pandlouk,

Yes the number 1 is the correct one. Actually they would be the same if we had a static filtering firewall. But stateful inspection makes them different.
Let me clarify the case a bit :

TCP connections use an algorithm known as the 3-way handshake while establishing connections.

Let’s say 83.117.175.X tries to connect to US. Below are the 3 steps of TCP connection establishment.

1- 83.117.175.X ------SYN-----> US
2- 83.117.175.X <----SYN/ACK---- US
3- 83.117.175.X ------ACK-----> US

Assume CPF is installed in US and let 83.117.175.X be our leecher.

CASE 1 : The only rule is “Block IP Out from IP ANY to IP 83.117.175.X”

1- 83.117.175.X------SYN-----> US This packet is going to be accepted because it does not match the rule

2- US -----SYN/ACK----> 83.117.175.X Although this packet matches the rule and makes us think CPF should block it, since it is a reply to a valid connection attempt, stateful inspection will allow it and thus the leecher will receive a reply

3- 83.117.175.X------ACK-----> US This will be accepted because it does not match the rule

As seen above, although we had a blocking rule for outgoing packets, stateful inspection did allow some outgoing packets.

CASE 2 : The only rule is Block IP In from IP 83.117.175.X to IP Any

1- 83.117.175.X------SYN-----> US This packet is going to be dropped because it matches our blocking rule thus the leecher will be blocked.

Since step 1 is not completed, steps 2 and 3 won’t take place.

Could you see the difference?

When a rule has a direction OUT attribute, “Source” fields represent our host and “Remote” fields represent the leecher.
When a rule has a direction IN attribute, “Source” fields represent the leecher and “Remote” fields represent us. Once you visualize the picture, these names become clear.

Please do not hesitate to ask about any points you need made clear.

Egemen
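
The two cases from the post above, replayed against a toy stateful filter. This is an added example, not part of the original thread and not CPF's code; the class, the function names and the simplified "tracked connections bypass block rules" model are assumptions made for illustration.

```python
from collections import namedtuple

LEECHER = "83.117.175.X"   # written as in the thread; last octet is elided there
US = "US"                  # the host running the firewall

Packet = namedtuple("Packet", "direction src dst flags")   # direction relative to US
BlockRule = namedtuple("BlockRule", "direction src dst")   # "ANY" is a wildcard

def rule_matches(rule, pkt):
    return (rule.direction == pkt.direction
            and rule.src in ("ANY", pkt.src)
            and rule.dst in ("ANY", pkt.dst))

class ToyStatefulFilter:
    """Simplified model (an assumption, not CPF internals): block rules are
    consulted only for packets that are not part of a tracked connection."""
    def __init__(self, rules):
        self.rules = rules
        self.tracked = set()          # one frozenset({a, b}) per accepted connection

    def handle(self, pkt):
        conn = frozenset((pkt.src, pkt.dst))
        if conn in self.tracked:
            return "allow (state)"    # reply or continuation of an accepted attempt
        if any(rule_matches(r, pkt) for r in self.rules):
            return "block (rule)"
        if pkt.flags == "SYN":
            self.tracked.add(conn)    # an accepted connection attempt creates state
        return "allow (default)"

def replay(rules, packets):
    """Feed packets in order; stop at the first drop, as the handshake would."""
    fw, verdicts = ToyStatefulFilter(rules), []
    for pkt in packets:
        verdicts.append((pkt.flags, fw.handle(pkt)))
        if verdicts[-1][1] == "block (rule)":
            break
    return verdicts

INBOUND_HANDSHAKE = [Packet("in", LEECHER, US, "SYN"),
                     Packet("out", US, LEECHER, "SYN/ACK"),
                     Packet("in", LEECHER, US, "ACK")]
OUT_RULE = [BlockRule("out", "ANY", LEECHER)]   # CASE 1
IN_RULE = [BlockRule("in", LEECHER, "ANY")]     # CASE 2

if __name__ == "__main__":
    for name, rules in (("CASE 1", OUT_RULE), ("CASE 2", IN_RULE)):
        print(name, replay(rules, INBOUND_HANDSHAKE))
    # A connection that US initiates is what the OUT rule actually stops.
    print("US -> leecher", replay(OUT_RULE, [Packet("out", US, LEECHER, "SYN")]))
```

With the OUT rule the leecher's handshake completes and only connections initiated from US are dropped; with the IN rule the first SYN is dropped and no state is ever created.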

Thanks egemen and pandlouk - between you both it seems to look sorted - I will try this out this morning and fire up Emule in a minute and see what happens.

You are both right - this is very difficult and confusing for a new (and slightly experienced) user to understand. A basic function of any firewall, in my opinion, is to be able to block a single IP address, or range of addresses, in the simplest way possible. With Sygate it was the simplest thing to do - enter the IP, give the rule a name and you never saw the guy (leecher, in my case) ever again. With Outpost there is a simple plugin to add - simple. With Look 'n Stop, it’s a simple rule you can download.

As I’ve said, Comodo has potential to be one of the best out there (and I think it’s getting there fast), and that is why I am sticking with it. Also, you guys here at the forum know your stuff and seem intent on improving it in every way - that makes me feel comfortable.

Once again, thanks for all your help on this. I’m off to try out your rules egemen - what you say makes sense. :slight_smile: