Can't ublock UDP scan autoblock

I have a computer in my network that was trying to join a game I was hosting (Civilization 4). Comodo blocked the IP because that computer did a UDP scan for the right ports to connect in the game. After trying continuously to connect in the game, the firewall went into “emergency mode”. I tried reducing the amount of time that an IP gets autoblocked, and increasing the threshold that a UDP scan blocks an IP, but the computers IP was still being blocked into my machine. I also Turned on all permissions for Civ4, as well as putting the internal network as a “safe zone”. I tried looking for a way to remove his IP in comodo, but I can’t find anywhere that has a list of currently blocked IP’s due to UDP scans/floods/DDOS. The only way that his machine could connect to mine was by turning off “Network Monitor”. But as you can imagine, that’s not a very good permanently solution. What do to?

Allright, the server that’s running comodo is now stuck in some strange “emergency mode” and won’t allow communication through the internet or access network shares from other machines who are in the same subnet at the one that caused the UDP flood. The server CAN be pinged, and so can the machine though. The internet works on the server though. It’s not a problem with the network, since as soon as I disable comodo, everything is peachy again. I’m seriously considering switching to a more transparent firewall…

Rereading my posts, I realized I posted in a bit of a fit and panic, so I’m reposting the details in a more clear and organized manner:

I allowed ALL IP communication from the subnet that’s behind the nat, IP 192.168.1.0-192.168.1.255. This allows computers behind the nat to pass through and connect to the internet.

This worked fine until on computer behind the nat did a UDP scan to look for a UDP port to use in the game Civilization 4. This caused the IP to be flagged and temporarily blocked. Repeated attempts to do this causesed a DDOS event to be registered, and sent the firewally into “emergency mode” according to the log. (whatever that is. Nowhere else is it specified that it’s still in emergency mode or how to turn it off). Raising the theshold for DDOS and UDP scans had no effect.

Now whenever a computer in the subnet tries to either browse the internet, browse the windows network, NOTHING happens. no data gets transfered. You would think that the log in Comodo would report that a blocked IP was attempting to do stuff but NOTHING is in the log.

If you go into SECURITY - APPLICATION MONITOR and add an application rule for Civ4, telling the rule to allow all activity for this app and skip parent, Civ 4 shoudl have unrestrained access across your LAN even with CPF set to CUSTOM.

Try this and let us know how it goes.

Hope this helps,
Ewen :slight_smile:

Oh, you let him play Civ4 BEFORE he could answer? Big misstake :smiley:

After the UDP flood happened, I set Civ4 to allow all. However, the problem isn’t with Civ4, it’s with ANY TCP/UDP on the subnet of the machine who started the UDP flood (192.168.1.*). The only different in user settings for the firewall before and after the “emergency mode” happened was the addition of Civ4. The firewall worked perfectly before a UDP scan and flood attack were detected. Therefore there is some hidden setting or some hidden list of blocked IPs that I don’t have access to. Any traffic that is blocked is not logged. This is a serious bug of some kind, or an “unintended feature”.

Now that you’ve got the rule for Civ4, try rebooting the computer that CPF’s on…

See if that resets the emergency block.

No guarantees, just a thought…

LM

Thanks, rebooting worked. I hadn’t thought of it, because standard practice says you shouldn’t reboot servers unless you need to. This is one of those “need to” situations :smiley: Thanks.

Yata! I’m glad that worked. CPF has a “memory” that needs to be cleared, once it blocks all internet connection. Some people say that it clears when you stop/restart CPF, but I have found it to be more effective to reboot.

When you make any rule/settings changes, it’s a good idea to stop/restart CPF to set the rule/change, but you shouldn’t have to reboot at that point.

Are you able to play Civ4 now, without problem? No Flood issues?

LM

Best practice says to do what you have to do to get things working. LOL. Remember the words of Mark Twain (I think it was him, anyway) “■■■■ the theory if the machinery works!”. :wink:

Ewen :slight_smile: