Firewall Leak Through RTSP Port 554

Hi all. Comodo Firewall isn’t detecting and also allows outgoing connections to RTSP (Real Time Streaming Protocol) Port 554. Nothing on my PC has Port 554 allowed for outgoing connections, but I noticed that Comodo Firewall allows connections to this port without any intervention.

If you look at the screenshots below, you can see that when using VLC Player to stream mobile video from, Comodo just allows the traffic unhindered.

For reference, in the below rules HTTP ports = Ports 80 and 443, and Non-Privileged Ports = Ports 1024-65535. With how it’s set at the moment, the only traffic that should be automatically allowed is to ports 80 and 443. Any ideas how/why it’s getting past the Firewall un-noticed?

Windows 8 Pro 64-bit
Comodo Firewall 5.12.252301.2551
VLC Player 2.0.5

The rule say Block UDP out and the connection is TCP.

Just ignore the UDP block rule, as it’s unrelated to the particular problem.

The problem is that the only connections allowed in the rules are TCP outgoing to ports 80 and 443, however there’s an outgoing TCP connection to port 554, even though there are no rules to allow it and Comodo doesn’t ask to allow it either.

The only thing I can thing of is that Comodo isn’t filtering rtsp:// protocols.

Rules are enumerated from the top down, so even though you have a rule that says only connect to ports 80 and 443, there’s nothing to stop the firewall searching beyond this rule. Hence the connection.

If you want to limit connectivity, you’ll need to create the allowed part or the rule and follow that with a block on everything you don’t want connections for. However, you should, depending on settings, receive an alert for anything not previously allowed.

If you can post a link to the stream we can see what’s happening…

Although it runs top down, I haven’t allowed it to connect to port 554, therefore it should ask me but it doesn’t.

If you look at the next screenshot, I have just created a block all rule at the bottom, but even with this rule in place, it still streams from Port 554.

Here’s an example URL:

Unfortunately, I’m unable to reproduce using the settings provided. It might be worth adding logging to your VLC rules.

[attachment deleted by admin]

Typical, the link was down. Try it again now as it’s back up.

I just turned on logging, but the Firewall Event logs only show one allowed connection and that’s to Loopback Zone (I have Loopback alerts switched on, so the firewall should have asked for permission about that as well, but it didn’t).

EDIT: Thinking about it, instead of asking, Loopback should be blocked with those rules.

I did try the connection, to make sure it was working, before I blocked it. Without a block rule I get alerts (image) as soon as the connection is attempted. With a block rule, it’s just logged.

[attachment deleted by admin]

OK, I think I’ve sorted it. I deleted the HTTP Port Set and re-created it again, and so far it seems to be working as it should now. I’ve no idea why, as I just used the exact same ports as I had before, so it’s got me completely baffled.

The only thing I can think of is something didn’t go right when I imported the Firewall Configuration last time I re-installed Windows. I think tomorrow I’ll re-do the other port sets too, as a precautionary measure. Very strange.

I’m glad you found a solution and thanks for letting us know. Any more issues, don’t hesitate to post.

OK, forget my last comment. I’ve been doing some more experimenting and have found the problem occurs when using ‘Exclude’ in the port sets. When I add an excluded port to the port set, that’s when the problem occurs.

In the first screenshot, you can see the Firewall working as it should and has blocked outgoing connections to port 554.

In the second screenshot, you can see the Firewall is not working as it should and is allowing outgoing connections to port 554, even though they should be blocked. The only difference between this screenshot and the first screenshot is the addition of the ‘NOT 82’ rule in the Port Set.

It doesn’t appear as though the port numbers are the actual problem here, the problem seems to be caused just by adding an excluded port. For example, if I excluded port 81 instead of port 82, it would have the same results.

As a test, I tried it with a port 8080 stream as well, and the results were the same.

URL: rtsp://

With just ports 80 & 443 allowed - Blocks stream from port 8080, as per the rules
When adding ‘Not Port 82’ - Allows stream from port 8080, thereby ignoring the rules

Definitely looks like there might be an issue there, as such, it’s probably worth filing a Bug Report Just make sure you use the appropriate format I’ll take a closer look at this later today.

Thanks for the reply. I’ve just looked at your links about filing a bug report, however is says to only report bugs/issues for the latest major version of CIS.

So, if there are any Devs reading here, although the original post was about RTSP Port 554, it appears that this issue is actually due to the exclude rule in port sets and is not specific to any particular protocol or port. Therefore, in order to reproduce the problem, instead of connecting to rtsp streams using VLC player, it’s probably easier to just use HTTP from a normal web browser. For example, if you visit the homepage from a web browser, it will try to connect to Flash ports 1935/843, and so you can reproduce the problem just as easy there, as you can see from the following screenshots:

Without exclude rule in port set (working correctly):

With exclude rule in port set (working incorrectly):

That’s an unfortunate consequence of using an older version - I still use 5.10. I’ll check v6 later today and if it displays the same behaviour, I’ll file a bug. However, that won’t help anyone using older versions, so you’ll probably need to fins a workaround. Basically, don’t combine allowed and disallowed ports in the same set…