Firewall alert shows 127.0.0.1 for remote address

Hi,

I’m using CIS 5.8.213334.2131 with the FW in custom mode and disabled D+ and Sandbox.
For some apps (e.g. Speccy, VidCoder, Launchy) if they want to connect to the Internet the firewall alert shows 127.0.0.1 for the remote address.

Can anyone cofirm this?
Shouldn’t the alerts show the correct external IP address?

Thank you

Edit:
Im using Win7 x64.

Alright, I’ve found out why this is happening.
I’m also using Avast and when I disable the Web-Shield module the IP’s display correctly.
But that doesn’t explain why this behaviour happens only with some apps.

Anyone knows how I can make the firewall alerts show the correct external address without disabling Web-Shield?

From what I understand, the way Web Shield works is all your HTTP traffic will be proxied through it so that it can scan it. The traffic is then relayed to your browser and vice versa. So, you are truly connecting to your local computer via Web Shield and it then goes and gets any web pages you request. Comodo should still show the traffic generated from Web Shield to the Internet though. Is this not the case? As far as what your asking for, there would have to be an interface Web Shield to pass that information on and and interface for Comodo to receive that information. I dont see that happening on either parts as they are competitors.

But why do some alerts show the remote address and some 127.0.0.1?

Any traffic that is proxied through Avast is going to show your localhost as the remote connection. Any connection that goes directly to the Internet (Avast going out to retrieve the web pages or a connection that does not go through Avast) should be showing the remote address.

Thanks for your reply!

Alright, it seems that the Web-Shield only catches outgoing connections on port 80.
So all firewall alerts for apps with an outgoing connection on port 80 show the address 127.0.0.1:12080.
You can also check the active connections in CIS and see that AvastSvc.exe apparently is responsible for the proxy part. All connections on port 80 are associated with it.

Avast has an option to scan traffic only from know browser processes only. I’ll probably enable that option.

Hello,
I know this is an old thread, but I would have the same question: Why is the firewall reporting a an application that tries to connect to the internet with 127.0.0.1 ?
I have also Avast installed, but even when disabling the web-shield I do get this message.
a similar picture is even given with the help, so it seems to be normal …

So I’m not sure how to deal with this message. I don’t like any software to connect to the net if I do not know why and where it connects too, but in this case it seems to be a local connection …
But why is Comodo firewall reporting this connection as a connect to the internet ?

thanks for any information

Hermann

The 127.0.0.1 address is the loopback/localhost address and is used for communication between components of an individual process or between processes on the same machine. In the case of Avast, the web-shield creates a local transparent proxy. This results in relaying all HTTP requests through the proxy via 127.0.0.1. Avast then makes the ‘real’ connection to the Internet.

Application → 127.0.0.1 → Web-Shield → Internet

A lot of applications make use of this address range for internal communication and the address is catered for by some of the pre-defined rules, such as web browser. If you’re creating your own rules, you should consider allowing these requests.

Hello Radaghast,

thanks for the feedback!
As I have disabled the Web-Shield already i guess I do have another software that is doing the same …

Do you have any idea how I can figure out which one it is?
As in the help there is the example of the Teamviewer I guess this is a similar case. So a potential candidate is Ultra VNC ?

The firewall states that the application is trying to connect to the internet. How does the firewall knows, that a connection to 127.0.0.1 is not targetted to the local PC ?
When the firewall knows that this request is targetted to the internet it should know where the real target is, and wich application did re-direct it to 127.0.0.1, doesn’t it ?

Thanks for any help !

Hermann

The firewall alert should tell you which application is requesting access.

The firewall states that the application is trying to connect to the internet. How does the firewall knows, that a connection to 127.0.0.1 is not targetted to the local PC ? When the firewall knows that this request is targetted to the internet it should know where the real target is, and wich application did re-direct it to 127.0.0.1, doesn't it ?

The localhost address - 127.0.0.1 - is invalid on the Internet, it’s only used for inter/intra-process communication on a local device. The firewall alert just uses generic language, so it sees a connection and produces an alert.

The proxy settings I referred to above only apply to Avast/Avira and other similar local proxy applications. When an application, such as firefox makes a loopback connection it’s talking to itself and the destination address is 127.0.0.1.

Hello Radaghast,

thanks for your fast response!
Yes, of course you are right, and the Firewall tells which application it is requesting the access … I wanted to ask for the application that makes the local proxy.

Regarding the localhost address I still do not understand some things:
The message from the firewall is stating two different things: The localhost address would indicate that this is a local access, but the message says the application would like connect to the internet. Which information is correct now ?

I have installed an additional firewall, because it is not easy to configure Win7 Firewall to control outgoing traffic. So target for me is to find out if this connection is now going to the internet or not.
And it seems to me, that any local proxy (e. g. from Avast Web Shield) makes it impossible to control the outgoing trafic, if it makes the firewall believe that the connection goes to an internal target and sends the request afterwards to the internet, as AVAST is a trusted software that needs to connect to the internet.

it seems, that I can have either Web-Shield or outgoing trafic filtered (easily), but to get both it requires much more effort in configuring firewall and Web-Shield.

And as mentioned: I had disabled the webshield and I still got the warning … so if any local proxy is involved it seems not to be Avast web-shield.

Sorry if I’m asking stupid questions here …

Hermann

Apologies, I’m not sure I understand the question?

Regarding the localhost address I still do not understand some things: The message from the firewall is stating two different things: The localhost address would indicate that this is a local access, but the message says the application would like connect to the internet. Which information is correct now ?

As mentioned above, the language is generic. The firewall sees a connection and presents an alert, it doesn’t discriminate between a local connection and a remote connection in the alert title.

I have installed an additional firewall, because it is not easy to configure Win7 Firewall to control outgoing traffic. So target for me is to find out if this connection is now going to the internet or not.

loopbacl/localhost addresses - 127.0.0.1 - cannot be used on the Internet. These addresses exist solely for the purpose of communicating between processes on a local PC.

And it seems to me, that any local proxy (e. g. from Avast Web Shield) makes it impossible to control the outgoing trafic, if it makes the firewall believe that the connection goes to an internal target and sends the request afterwards to the internet, as AVAST is a trusted software that needs to connect to the internet.

it seems, that I can have either Web-Shield or outgoing trafic filtered (easily), but to get both it requires much more effort in configuring firewall and Web-Shield.

As you’re using Avast you should read Comodo Firewall and Avast 7

And as mentioned: I had disabled the webshield and I still got the warning .. so if any local proxy is involved it seems not to be Avast web-shield.

Applications use loopback for their own communication, as mentioned, it may have nothing to do with Avast.

Sorry if I'm asking stupid questions here ..

The only stupid questions are the ones you don’t ask.

Take a look at the image, this is firefox communicating with itself.

[attachment deleted by admin]

H.

I have a very similar (if not the same) issue, but have never had an Avast product installed on my machine - so the “web shield” being the cause for me is ruled out.

What I did do recently, is migrate from an AMD platform (ASUS Crosshair II Formula + 1090T) to an Intel platform (MSI Z77A-GD55 + i5-2500k). I thought since the migration that the firewall was still working fine, but maybe I hadn’t yet noticed. Not too sure then if the hardware change has caused the trouble.

So I uninstalled, rebooted, and re-installed CIS. The firewall driver is active in my network adapter properties, but for whatever reason doesn’t work. I’m using “Custom Policy” mode for it, and it can only see loopback connections, and no internet connections at all. I have even tried “Block All” internet activity, but everything can see the internet as if there’s no firewall whatsoever.

Gonna give an alternative firewall app a bash and see if that works.

Just thought I’d post on where I’m currently at with my troubleshooting.

I’m using Win7 x64 and CIS v5.10.2282572253

Update 1: with a different firewall app; I’m seeing similar fishy behavior, but I can at least block all internet activity - which works, where CIS’s “block all” doesn’t. Very odd…

Update 2: Woohoo! ;D It was caused by VMWare’s bridged network protocol. I removed it to see CIS take flight. Never had the issue before migrating to the Intel platform, and I’ve been using CIS and VMWare together for many months already. All in all; I’m just glad it’s working now.