eMule -- a lot of TCP OUT connections

Hi all,

I have Comodo Internet Security 3.5. After connecting eMule KAD service, a lot of TCP OUT connections appear in the Outbound Active Connections window. I counted about 1 new TCP OUT connection per second… after a few minutes more than 150 outbound connections are open, each one having a different source port.
I don’t think this is normal, is there any way from Comodo interfaces to limit the source ports?

I tried going to the Firewall tab → Advanced → Network Security Policy → selected emule.exe: I see everything is allowed (Allow IP Out From IP Any To IP Any Where Protocol Is Any).
I’ve tried to add a rule by selecting a specific Source Port (e.g. Allow TCP Out From IP Any To IP Any Where Source Port Is 52000 And Destination Port Is Any). If I understood correctly, this rule should allow only 1 source port to be used for outgoing TCP packets. But this rule is simply ignored; I’m still getting lots of outgoing TCP connections, each one with a different port open…

Even after removing emule.exe from the list, Comodo restores the allow everything rule the next time eMule connects to the Internet.

Do you know if there is any way to limit the outgoing traffic?
I’d like to limit open ports for outgoing traffic and know which ones.

Thanks!
MMax

eMule actually uses 3 ports. One is for IP, 2 are for UDP.
The IP and one of the UDP ports are randomly selected unless you select specific ports to be used. The second UDP port I am unsure of. I didn’t notice it until I had set up my wireless router. (My thought is since it has UPnP capability to set up the router, this port may have something to do with that.) The two ports you select in eMule (1 IP and 1 UDP) would be the only ports you need to open in your firewall.

I allow most (trusted) connections from my computer out to my network, and use the router’s hardware firewall to allow only specific traffic in from and out to the Internet (only the 2 user selected ports in eMule see the outside world. All others are blocked.)

CIS shows numerous active IP/UDP connections for eMule (as I would expect) but does not show any port information.

Since eMule is probably listed in D+ as one of your trusted applications, allowing it the firewalled ports (assuming you block everything else not governed by your rules) it desires each time it restores the rule would be normal.

Does this help you any?

Thanks John for your feedback.
I checked my eMule, I see 1 TCP port (21336) and 1 UDP port (21382) allowed.
I’ve attached a screenshot of my Network Security Policy window: as you can see, I’ve highlighted the 2 ports above in red. However, there are many others, listed as “TCP OUT”, that are different from the 2 above. It seems like every free port is used when a new connection is needed.
Is there any way to restrict the usage of ports for outgoing connections?

> I allow most (trusted) connections from my computer out to my network, and use the router's hardware firewall to allow only specific traffic in from and out to the Internet (only the 2 user selected ports in eMule see the outside world. All others are blocked.)

I do not currently own an external router, any other way to control the traffic thru software?

> Since eMule is probably listed in D+ as one of your trusted applications, allowing it the firewalled ports (assuming you block everything else not governed by your rules) it desires each time it restores the rule would be normal.

I've tried doing the following steps:

- Removed emule.exe from Defense+ (Computer Security Policy) window
- Modified rules in Firewall (Network Security Policy) window as follows:
  a) Allow TCP Out From IP Any To IP Any Where Source Port Is 21336 And Destination Port Is Any
  b) Allow UDP Out From IP Any To IP Any Where Source Port Is 21382 And Destination Port Is Any
- Launched eMule and connected KAD --> same issue, a lot of TCP ports open
- Checked rules in Firewall (Network Security Policy) window --> 2 new rules got automatically added on top:
  *) Allow TCP Out From IP Any To IP Any Where Source Port Is Any And Destination Port Is Any
  *) Allow UDP Out From IP Any To IP Any Where Source Port Is Any And Destination Port Is Any
  a) Allow TCP Out From IP Any To IP Any Where Source Port Is 21336 And Destination Port Is Any
  b) Allow UDP Out From IP Any To IP Any Where Source Port Is 21382 And Destination Port Is Any
- Basically my 2 rules (a and b) are now useless and every port is again allowed.
- How to avoid rules being restored?

[attachment deleted by admin]

Check out this tutorial for E Mule: https://forums.comodo.com/frequently_asked_questions_faq_for_comodo_firewall/tutorial_for_emule_with_comodo_firewall_3-t14735.0.html. This will make a tailor-made rule for E Mule.

In addition you need to make a general rule for the incoming traffic TCP and UDP ports as well.

Thanks EricJH for the link. I’ve tried the suggested rule, it also restricts the outgoing TCP/UDP ports to [1025-65535]: this is causing a few outgoing connections to be firewalled because they are in the [0-1024] portion, but they are just a few. Do you see a problem with it?

About outgoing TCP connections, I observed the behavior of eMule for some minutes: it seems that at the beginning a lot of connections are created (200+), then the number gradually decreases to 5-10, then increases again to 70+ and so on…

I’ve tried to edit the rule to limit outgoing traffic to 5 ports only, but this causes eMule to be firewalled as outgoing ports seem to be randomly chosen by the application…
Do you see any risk in letting eMule choose by itself which source ports to open for outgoing TCP connections?

> In addition you need to make a general rule for the incoming traffic TCP and UDP ports as well.

Can you please clarify how to?

From what site did you download eMule?
Are you sure you downloaded a “regular” and not infected copy of emule?

Remember that the Official eMule Forum is this one
h**p://forum.emule-project.net
and only from here you are sure you are “downloading” eMule and not a different thing

Yes hullboy, that’s the link, thx for checking.

I think this topic goes in the wrong direction.

> after a few minutes more than 150 outbound connections are open, each one having a different source port.
> I don’t think this is normal, is there any way from Comodo interfaces to limit the source ports?

That behaviour is normal. The mentioned allow rules for outgoing UDP and TCP traffic reflect this. You cannot limit that behaviour with E Mule and I guess you can make block rules to limit outgoing traffic for E Mule for a limited set of ports. But the latter makes no sense to me.

I don’t think there is a problem with E Mule making outgoing connections on random ports. That’s the nature of the p2p beast.

What I am curious about is why you think there is a problem. Do you think your security is compromised by the sheer fact of E Mule connecting out on a big amount of random port numbers?
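An added example, not part of any post in this thread, showing why the outbound list holds a different source port for every connection and why an outbound rule pinned to one source port breaks the application. It assumes a loopback listener as a stand-in for a remote peer; the function names are made up for this illustration.

```python
import socket

def make_listener():
    """Constructed stand-in for a remote peer: one fixed listening port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))      # loopback only; OS picks a free port
    srv.listen(64)                  # kernel completes handshakes up to the backlog
    return srv

def outbound_source_ports(n=10):
    """Open n concurrent outbound connections; return (dest_port, source_ports)."""
    srv = make_listener()
    dest = srv.getsockname()
    clients = [socket.create_connection(dest, timeout=5) for _ in range(n)]
    try:
        # Each client socket was given its own ephemeral source port by the OS.
        return dest[1], [c.getsockname()[1] for c in clients]
    finally:
        for c in clients:
            c.close()
        srv.close()

def second_connection_with_pinned_source_port():
    """Pin the source port, then try a second concurrent connection from it.

    Returns True if the second connection succeeds, False if the OS refuses it.
    """
    srv = make_listener()
    dest = srv.getsockname()
    first = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    second = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        first.bind(("127.0.0.1", 0))
        first.connect(dest)
        pinned = first.getsockname()      # (ip, port) the first connection uses
        try:
            second.bind(pinned)           # same source address and port
            second.connect(dest)
            return True
        except OSError:
            return False                  # address already in use
    finally:
        first.close()
        second.close()
        srv.close()

if __name__ == "__main__":
    dport, sports = outbound_source_ports()
    print(f"destination port {dport}, source ports {sorted(sports)}")
    print("second connection from pinned port:",
          second_connection_with_pinned_source_port())
```

The destination port stays fixed while every concurrent connection carries its own OS-assigned source port, so an outbound rule restricted to a few source ports ends up blocking the application, as observed in the thread.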

Hi EricJH, Thanks for your feedback, you got my point. I just wanted to get a confirmation that this behavior is normal and is not going to cause any security issue. I thought having applications connecting to a small and controlled set of ports (even for outgoing traffic) would have been more secure, also in terms of having the firewall resources focused to control a small set of ports and not overloading the firewall engine. If this is normal I’m fine with it :)
Thanks