Constant Firewall Alerts

I’m completely new to Comodo Firewall and I tried reading through the FAQs and Guides but couldn’t find anything to help me with my problem.

I’m constantly getting the orange firewall alerts of the following nature:

Application: system
Remote: 192.168.1.1 - tcp
Port: upnp/ssdp(2869)

system
192.168.1.2 - tcp
nbsess(129)

svchost.exe
192.168.1.1 - udp
64806

system
192.168.1.2 - udp
nbname(137)

system
192.168.1.2 - udp
nbdgram(138)

system
192.168.1.2 - tcp
5357

svchost.exe
192.168.1.1 - udp
64264

svchost.exe
192.168.1.1 - udp
54666

svchost.exe
192.168.1.1 - udp
57757

...

and many others like these. I don’t know whether to allow or block these so I never take any action, so they keep popping up a million times a day. I’m using a router for my cable internet, with 2 computers connected to it. Can someone please help me understand what to do in these situations?

We would need further details, as the ports used depend, inter alia, on the OS and software you are using, and as we don’t know, except for your first example, what the remote and local IPs and ports are, and whether the protocol asks for in or out.

However, you seem to have a LAN with static LAN IP 192.168.1.n.

Inside this LAN, unless you want to keep one of the LAN computers from accessing another, everything must be allowed (i.e. any IP communication as long as both source and destination are 192.168.1.n).

This can be achieved by either defining a LAN trusted zone (192.168.1.1-192.168.1.255), or defining a rule for each application to allow the communications inside this same LAN zone.

Remembering that NetBIOS communication (137-139) is normal in the LAN and that rules are read from top to bottom, you would, e.g., write a rule in svchost and system saying that 137-139 are allowed if between 192.168.1.n, immediately followed by a rule denying them outside this range.

The same goes for 5357 (web printing on LAN) and SSDP if you allow it (not a good idea, although I have been told that Windows 7 LAN wouldn’t work without it); I don’t know what uses the higher ports you are referring to in your system but, again, it does not matter if both source and destination are LAN.

The rest of the entries in the list was following the same setup as the first item, I just didn’t want to keep writing application, remote, and port before each line. Is this what you mean?

However, you seem to have a LAN with static LAN IP 192.168.1.n.

Inside this LAN, unless you want to keep one of the LAN computers from accessing another, everything must be allowed (i.e. any IP communication as long as both source and destination are 192.168.1.n).

I’ll try to list as many details as I can to make my setup clearer.

  • Cable internet connected to a Netgear router
  • 2 desktops attached to the router via ethernet cable, 1 laptop wirelessly connecting
  • Both desktops running Windows 7, laptop is XP

According to the router’s webpage (192.168.1.1):

  • Under attached devices category, first computer’s IP address is 192.168.1.2, second attached is 192.168.1.3, and laptop’s is 192.168.1.4.
  • Router is being used as DHCP server, starting with 192.168.1.2 and ending at 192.168.1.254

This can be achieved by either defining a LAN trusted zone (192.168.1.1-192.168.1.255), or defining a rule for each application to allow the communications inside this same LAN zone.

Remembering that NetBIOS communication (137-139) is normal in the LAN and that rules are read from top to bottom, you would, e.g., write a rule in svchost and system saying that 137-139 are allowed if between 192.168.1.n, immediately followed by a rule denying them outside this range.

The same goes for 5357 (web printing on LAN) and SSDP if you allow it (not a good idea, although I have been told that Windows 7 LAN wouldn’t work without it); I don’t know what uses the higher ports you are referring to in your system but, again, it does not matter if both source and destination are LAN.

Sorry, I don’t understand any of this.

In between the time of me creating this thread and you replying, I thought I would try using the guide to maximize firewall security posted in comodo’s forum https://forums.comodo.com/firewall-guides/setting-up-firewall-for-maximum-security-t30535.0.html. I noticed that I’m not getting any more alerts, and when I looked up firewall events, I noticed many actions are now being blocked. I’m not sure if they’re the same thing or not as the alerts I saw previously. 3 examples of blocked items are:

Application: Windows Operating System
Protocol: UDP
Source IP: 192.168.1.2
Source Port: 6233
Destination IP: 239.255.255.250
Destination Port: 1900

Application: System
Protocol: TCP
Source IP: 192.168.1.1
Source Port: 60277
Destination IP: 192.168.1.3
Destination Port: 2869

Application: svchost.exe
Protocol: UDP
Source IP: 192.168.1.1
Source Port: 51719
Destination IP: 192.168.1.3
Destination Port: 2869

Your router has both a LAN IP (192.168.1.1) and a WAN IP.
You don’t want to forbid any traffic inside of your own LAN, but to forbid it between the WAN side of your router and your LAN, and I suppose your router itself has a firewall.

In Comodo’s firewall, common tasks, my network zone, add a LAN zone, and say it is the 192.168.1.1-192.168.1.255 range.

Now, go to advanced tasks, network strategy, global rules: allow IP, in and out, all IP details, as long as both the source and destination are LAN.

Is this something I can do on top of the maximum security procedure I followed in the guide I mentioned above, or do I need to undo everything from that guide first? Here’s the link to the guide again https://forums.comodo.com/firewall-guides/setting-up-firewall-for-maximum-security-t30535.0.html. If I can keep the changes, is this basically setting up my firewall for maximum security with the exceptions that you’re telling me to create?

What did you mean by “but to forbid it between the WAN side of your router and your LAN”? And yes, my router has a firewall.

In peculiar situations (LAN is one) I wouldn’t rely on pre-written Comodo rules, but set both firewall and Defense+ to the second highest security level, and wait for Comodo to ask me what to do.

The existence of a router makes the situation somewhat more complex, as it assumes that Comodo is installed on each of your computers.

You do not seem to understand how a home router works, actually being both a modem and a router.

As a modem, it connects to the internet with your public internet IP, called the WAN IP; it can be static or dynamic, and it can look like (purely fictitious) 80.26.123.145.

As a router, it has its own private IP, called the LAN IP, 192.168.1.1, while each of your computers has a similar LAN address 192.168.1.n: these addresses are called non-routable, which means they are impossible to reach from the internet.

In order to do so, the router has NAT rules, first redirecting 80.26.123.145 to 192.168.1.1, next redirecting 192.168.1.1 to the 192.168.1.n computer that asked.

It is very difficult to protect such a system, the most secure ways being either only one computer connected to the modem, with the others sharing the connection with the first (ICS), or professional hardware firewalls.

If not, the security requests and tests shall hit not one of your LAN computers, but directly the router, and shall subsequently fail; the first measure is hence to secure the router, and you must make use of most of the protection measures it allows: if not needed, deny DMZ and NAT forwarding to a specific LAN computer, deny ping…

Deny, if you don’t need it, each of your LAN computers access to the others by disabling the corresponding Windows services and shares: now, the requests you have to decide on shall depend on the traffic from the internet (whatever remote IP excluding 192.168.1.n) and not on your internal traffic anymore.
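To make the NAT explanation above concrete, here is a toy model of what the router does with packets in each direction. This is an added example written for this thread, not the Netgear firmware or anything from Comodo: it assumes a reply is accepted only from the remote endpoint a LAN host actually talked to, that WAN ports are handed out from 40000 upwards, and it uses the post’s fictitious 80.26.123.145 plus RFC 5737 test addresses for the internet side. It shows why an unsolicited probe from the internet stops at the router, and how DMZ or a port forward is exactly the thing that lets it through to a LAN computer.

```python
# Added example: a toy home-router NAT table (not the router's real firmware).
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

WAN_IP = "80.26.123.145"     # the fictitious public address used in the post


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class HomeRouter:
    def __init__(self, wan_ip: str, dmz_host: Optional[str] = None,
                 forwards: Optional[Dict[Tuple[str, int], Tuple[str, int]]] = None):
        self.wan_ip = wan_ip
        self.dmz_host = dmz_host            # LAN host that receives everything unmatched
        self.forwards = forwards or {}      # (proto, wan_port) -> (lan_ip, lan_port)
        # (proto, wan_port) -> (lan_ip, lan_port, remote_ip, remote_port)
        self.table: Dict[Tuple[str, int], Tuple[str, int, str, int]] = {}
        self.next_port = 40000              # assumption: where this toy allocates WAN ports

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> internet: rewrite the source to the WAN address and remember the mapping."""
        entry = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        for (proto, wan_port), mapped in self.table.items():
            if proto == pkt.proto and mapped == entry:
                return Packet(pkt.proto, self.wan_ip, wan_port, pkt.dst, pkt.dport)
        wan_port = self.next_port
        self.next_port += 1
        self.table[(pkt.proto, wan_port)] = entry
        return Packet(pkt.proto, self.wan_ip, wan_port, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """internet -> WAN side. Returns the packet delivered on the LAN, or None if dropped."""
        if pkt.dst != self.wan_ip:
            return None
        mapped = self.table.get((pkt.proto, pkt.dport))
        # 1. A reply to something a LAN host started, from that same remote endpoint.
        if mapped and (pkt.src, pkt.sport) == (mapped[2], mapped[3]):
            return Packet(pkt.proto, pkt.src, pkt.sport, mapped[0], mapped[1])
        # 2. An explicit port forward configured on the router.
        if (pkt.proto, pkt.dport) in self.forwards:
            lan_ip, lan_port = self.forwards[(pkt.proto, pkt.dport)]
            return Packet(pkt.proto, pkt.src, pkt.sport, lan_ip, lan_port)
        # 3. DMZ host: everything unmatched is handed to one LAN computer.
        if self.dmz_host:
            return Packet(pkt.proto, pkt.src, pkt.sport, self.dmz_host, pkt.dport)
        # 4. Otherwise the probe dies at the router; no LAN host (and no Comodo) ever sees it.
        return None


def demo() -> Dict[str, Optional[Packet]]:
    """Constructed traffic: one web request from 192.168.1.2 and a NetBIOS probe from outside."""
    plain = HomeRouter(WAN_IP)
    request = plain.outbound(Packet("tcp", "192.168.1.2", 51000, "203.0.113.10", 80))
    reply = plain.inbound(Packet("tcp", "203.0.113.10", 80, WAN_IP, request.sport))
    probe = Packet("tcp", "198.51.100.9", 4444, WAN_IP, 139)            # NetBIOS scan from the internet
    stray = Packet("tcp", "198.51.100.9", 4444, WAN_IP, request.sport)  # wrong remote on a mapped port
    dmz = HomeRouter(WAN_IP, dmz_host="192.168.1.2")
    fwd = HomeRouter(WAN_IP, forwards={("tcp", 8080): ("192.168.1.3", 80)})
    return {
        "request_on_wan": request,
        "reply_delivered": reply,
        "probe_plain": plain.inbound(probe),
        "stray_plain": plain.inbound(stray),
        "probe_dmz": dmz.inbound(probe),
        "forward_8080": fwd.inbound(Packet("tcp", "198.51.100.9", 4444, WAN_IP, 8080)),
    }


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:16s} {pkt if pkt else 'dropped at the router'}")
```

The two "dropped" results are the point: with DMZ off and no forwards, the NetBIOS probe never reaches 192.168.1.2, so Comodo on that machine has nothing to alert on and an online port scan is really testing the router. Enabling DMZ for one host is what moves that probe onto the host, which is why the thread says to leave DMZ and forwarding off unless needed.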

Thanks for the explanation, it’s much clearer now. Sorry if I’m not generally familiar with most of what you say since like you guessed, I’m not learned regarding this topic. But I’ll try my best and hope you don’t mind me asking for further clarification if needed.

It is very difficult to protect such a system, the most secure ways being either only one computer connected to the modem, with the others sharing the connection with the first (ICS), or professional hardware firewalls.

I’m assuming professional hardware firewalls aren’t common for home use, so in the ICS method, I have 1 pc connected to the router connected to the cable modem, then have the rest of the computers connected to the host pc using a wired hub?

If I choose to remain with my current setup instead, when you said it’s very difficult to protect, are you saying that I’m not secure enough even with my router’s firewall, Comodo firewall, and antivirus?

If not, the security requests and tests shall hit not one of your LAN computers, but directly the router, and shall subsequently fail; the first measure is hence to secure the router, and you must make use of most of the protection measures it allows: if not needed, deny DMZ and NAT forwarding to a specific LAN computer, deny ping...

By “if not”, you mean that if I don’t do either the ICS or professional hardware firewall, correct?

What are security requests and tests?
Looking at my router’s settings, it looks like by default DMZ is disabled, NAT filtering is secured (while SIP ALG is not disabled), and it doesn’t respond to ping on internet port. With these default settings, is the router still going to fail?

Deny, if you don't need it, each of your LAN computers access to the others by disabling the corresponding Windows services and shares:

What are windows services and shares?

And I thought the goal was to allow the LAN computers (the ones of the form 192.168.1.n) to access each other internally? Why deny?

now, the requests you have to decide on shall depend on the traffic from the internet (whatever remote IP excluding 192.168.1.n) and not on your internal traffic anymore.

So you’re saying that Comodo will now allow every connection whose source and destination IPs are both of the form 192.168.1.n, but block connections whose source or destination is not of this form? (like 239.255.255.250, for example)

I'm assuming professional hardware firewalls aren't common for home use, so in the ICS method, I have 1 pc connected to the router connected to the cable modem, then have the rest of the computers connected to the host pc using a wired hub?

Proponents of this method use an old computer, the “head of network”, whose only function is to be the host.
If using this particular computer for common use, you expose it itself to the same LAN turnabouts.
If using such a method, you should not use a hub (which passively dispatches all the data over the whole network) but a switch (which actively forwards the data to the computer asking for it); an old modem-router, if you have one from a former ISP, also does the job.

If I choose to remain with my current setup instead, when you said it's very difficult to protect, are you saying that I'm not secure enough even with my router's firewall, Comodo firewall, and antivirus?

No, one must not be paranoid: it shall only mean that you probably won't be able to totally keep "internet" from accessing, not your LAN computers themselves, but the WAN side of your router, and that you must edit redundant Comodo rules for each LAN computer. I don't know how to do it with Comodo, I came back to it recently, but to avoid tedious rewriting, the best way is to make the rules for one LAN computer, then export them and import them to the next, only having then to change, say, specific rules for 192.168.1.2 to 192.168.1.3.

By "if not", you mean that if I don't do either the ICS or professional hardware firewall, correct?

Yes

What are security requests and tests?

You might fail when making online security tests (grc, sdv, pcflank, comodo...), because these tests shall evaluate not your LAN computers, but the WAN side of your router. The same goes of course not only with security tests, but with real internet requests, legit or not. One way to temporarily overcome this behavior is to set the router's DMZ to one of your LAN computers, say 192.168.1.2, then test the said computer protected by Comodo, and not the router itself.

What are windows services and shares?

Somewhat long to write on a forum. Take a look, e.g., at http://www.blackviper.com/ to see which Windows services, automatically enabled by Windows behind your back, should or should not be allowed. Take care also, if XP and later, to disable Remote Assistance.

And I thought the goal was to allow the LAN computers (the ones of the form 192.168.1.n) to access each other internally? Why deny?

It depends whether you wish each LAN computer to access the others, or only the router; in whatever eventuality, you generally don't want to be alerted, and either need to write a deny or an allow LAN rule, but in every circumstance without logging.

So you're saying that Comodo will now allow every connection whose source and destination IPs are both of the form 192.168.1.n, but block connections whose source or destination is not of this form? (like 239.255.255.250, for example)

If you make a LAN rule allowing 192.168.1.n, any request to a LAN IP coming from outside of the LAN, including 239.255.255.250, shall either be asked about or denied depending on how you answer this request. But 239.255.255.250 is not the best example, as this virtual IP is related (port 1900) to Windows network discovery via UPnP/SSDP: you might need this authorization to fully access your hardware (printers...) inside your LAN, while you can deny it for WAN. In the same way, you could throw yourself off the internet if not allowing svchost for bootstrap (UDP out, 255.255.255.255, ports 67 and 68).
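The rule advice in this thread (a LAN zone allow rule, a NetBIOS block placed below it, rules read top to bottom, and the warning just above that a LAN-only rule covers neither the DHCP broadcast nor the SSDP multicast address) can be checked with a small first-match evaluator. This is an added example written for this thread, not Comodo’s code or its rule format: the LAN zone is taken as 192.168.1.0/24, "direction" is as seen by the host running the firewall, and the sample flows are constructed from the alerts and blocked events quoted above, with the ports, the DHCP exchange and the 203.0.113.x internet address (RFC 5737 test range) being assumptions.

```python
# Added example (not Comodo's code): a toy top-to-bottom, first-match rule evaluator.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

NET = ipaddress.ip_network
LAN = NET("192.168.1.0/24")   # the thread's LAN zone, 192.168.1.1-192.168.1.255
ANY = NET("0.0.0.0/0")


@dataclass(frozen=True)
class Flow:
    app: str
    proto: str       # "tcp" or "udp"
    direction: str   # "in" or "out", as seen by the host running the firewall
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                              # "allow" or "block"
    proto: str = "any"
    direction: str = "any"
    src: ipaddress.IPv4Network = ANY
    dst: ipaddress.IPv4Network = ANY
    dports: Tuple[int, int] = (1, 65535)     # inclusive destination port range
    log: bool = False                        # the thread advises no logging for LAN noise
    note: str = ""


def matches(rule: Rule, flow: Flow) -> bool:
    return (
        rule.proto in ("any", flow.proto)
        and rule.direction in ("any", flow.direction)
        and ipaddress.ip_address(flow.src) in rule.src
        and ipaddress.ip_address(flow.dst) in rule.dst
        and rule.dports[0] <= flow.dport <= rule.dports[1]
    )


def evaluate(rules: List[Rule], flow: Flow) -> Tuple[str, Optional[int]]:
    """Rules are read top to bottom and the first match wins.
    No match means "ask": the orange alert the original poster keeps seeing."""
    for i, rule in enumerate(rules):
        if matches(rule, flow):
            return rule.action, i
    return "ask", None


def report(rules: List[Rule], flows: Dict[str, Flow]) -> Dict[str, Tuple[str, Optional[int]]]:
    return {name: evaluate(rules, flow) for name, flow in flows.items()}


# Rule set in the order the thread recommends: LAN allow first, NetBIOS block below it.
LAN_FIRST = [
    Rule("allow", src=LAN, dst=LAN, note="anything between LAN hosts, not logged"),
    Rule("block", dports=(137, 139), log=True, note="NetBIOS with anything outside the LAN"),
    Rule("allow", "udp", "out", dst=NET("255.255.255.255/32"), dports=(67, 68),
         note="DHCP bootstrap; without it the host loses its lease"),
]
# Same rules with the block above the LAN allow: for ports 137-139 the allow
# rule is never reached, so LAN file sharing breaks.
BLOCK_FIRST = [LAN_FIRST[1], LAN_FIRST[0], LAN_FIRST[2]]
# Optional: the SSDP discovery rule you may need for printers, LAN segment only.
WITH_SSDP = LAN_FIRST + [
    Rule("allow", "udp", "out", dst=NET("239.255.255.250/32"), dports=(1900, 1900),
         note="UPnP/SSDP discovery multicast"),
]

# Constructed flows modelled on the alerts and blocked events quoted in the thread.
FLOWS = {
    "lan_netbios": Flow("system", "tcp", "in", "192.168.1.2", 49152, "192.168.1.3", 139),
    "lan_upnp":    Flow("system", "tcp", "in", "192.168.1.1", 60277, "192.168.1.3", 2869),
    "wan_netbios": Flow("system", "tcp", "in", "203.0.113.7", 4444, "192.168.1.3", 139),
    "ssdp":        Flow("svchost.exe", "udp", "out", "192.168.1.2", 6233, "239.255.255.250", 1900),
    "dhcp":        Flow("svchost.exe", "udp", "out", "0.0.0.0", 68, "255.255.255.255", 67),
}

if __name__ == "__main__":
    for name, rules in (("LAN_FIRST", LAN_FIRST), ("BLOCK_FIRST", BLOCK_FIRST), ("WITH_SSDP", WITH_SSDP)):
        print(name)
        for flow_name, (verdict, idx) in report(rules, FLOWS).items():
            why = rules[idx].note if idx is not None else "no rule matched, Comodo alerts"
            print(f"  {flow_name:12s} {verdict:5s} {why}")
```

Two things to notice when running it: the DHCP flow has source 0.0.0.0 and destination 255.255.255.255, so the LAN zone rule does not cover it and only the explicit bootstrap rule keeps the machine on the network; and swapping the first two rules turns the LAN NetBIOS session from "allow" into a logged "block" without any rule text changing, which is the ordering point made earlier in the thread.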