Firewall logging

Hello

The firewall does not log all blocked requests. I ran an “All Service Ports” test at grc.com (scanned port range is 0-1055), but the firewall log viewer does not show all blocked port scan requests. The scanning was successful, all my ports were stealth. I have 2 global blocking rules:
-block and log icmp in from ip any to ip any where icmp message is echo request
-block and log ip in from ip any to ip any where protocol is any

So where are the missing blocked events?
Anyway it doesn’t matter which port scanner I use, the result is the same.

(And what if the logging misses important blocked request that needed to build up a connection. How do I know what to allow, if the log can’t tell me?)

I’ve attached a screenshot of what the firewall has logged during the port scanning (grc.com).

Cheers
Zvara


Any idea? Melih? Egemen? Umesh? Comodo staff? Anybody? :)

If you are behind a router or a modem with a built in firewall your GRC tests will be inaccurate.

I don’t have a dedicated firewall.

Any idea? Melih? Egemen? Umesh? Comodo staff? Anybody?

How about a guess? At some point the port scan was detected by Comodo, and the scanning host (4.79.142.206) was blocked for whatever period you have specified in Firewall - Advanced - Attack Detection Settings - Intrusion Detection. It may be that the connection attempts from the temporary blocked suspicious hosts don’t make it to the logs at all.

Do you have another PC at your disposal to test that theory? You could launch a port scan from it and ping your host at the same time, to see if Comodo will block the scanning host out (ping replies should stop at that moment) and whether it will log the blocked connection attempts from the scanning host after that.

Well, how are you connected? I have a 2Wire Gateway DSL modem and it has a built-in hardware firewall, but I still use a software firewall. Shields Up will tell you this also.

Is your computer connected directly to the internet, or do you have a router? A NAT router will not pass most incoming connection requests, even without a firewall.

I’m connected to the internet directly. I have a cable modem. It doesn’t have a firewall in it.

It may be that the connection attempts from the temporary blocked suspicious hosts don't make it to the logs at all.

A suspicious host is blocked for 5 minutes (default setting). But the time difference between two logged events is just a few seconds. And the source host is the same.

Do you have another PC at your disposal to test that theory?
Unfortunately no.

Maybe my ISP blocks those “missing” port scans, so they can’t reach my PC?

If you have a cable modem it probably has a built-in firewall. Most do. You can check the modem settings if you know what modem you have. All I do is type in my IP address and it gives me my modem settings. What kind of modem is it? Have you seen all the settings it offers?

What kind of modem is it?
It's a Motorola SBV5120E SURFboard Cable Modem. But it doesn't have a built-in firewall.

I’ve been waiting a long time for someone else to notice that; thank you, zvaragabor.

“Temporary blocked suspicious hosts” shall make it to the logs in the first place, regardless of whether logging is enabled or not, in the same way they did in the old times of CPF 2.4.

Most people rely on hardware FWs built into routers/switches, so they are only concerned with what data comes out from their PCs.
I’m directly connected – not even a cable modem, so I can confirm I’ve never had any warning or log entry, regardless of what port scans I’ve bombarded my FW with.
(ver. 3.0.16.295x32)

Yes, my guess was wrong, I’ve just run the same ShieldsUp! test and observed the same Comodo behavior. It’s funny how there’s that almost stable “+1 +33 +33 +33” pattern in both zvaragabor’s and my logs, like:

Action … Destination Port

Blocked 296
Blocked 297 (+1)
Blocked 330 (+33)
Blocked 363 (+33)
Blocked 396 (+33)
Blocked 397 (+1)
Blocked 430 (+33)
Blocked 463 (+33)
Blocked 496 (+33)
Blocked 497 (+1)
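To put a number on the gap the poster describes (how many of a scan's blocked probes actually reached the log), here is an added Python example that is not from the thread or from Comodo. It parses the quoted “Blocked <port>” lines (a constructed sample copied from the excerpt above), reports the inter-event stride, and computes log coverage over a port window; the window 296-497 used here is the span of the excerpt, not the full 0-1055 GRC range, and the flagging threshold is an assumption.

```python
"""Check how completely a firewall logged the probes of a port scan.

Constructed sample: the ten "Blocked <port>" entries quoted in the thread.
A 'block and log ... protocol any' rule should produce one entry per probed
port, so any stride larger than 1 between consecutive entries is a logging gap.
"""
import re
from collections import Counter
from typing import Dict, List

# Constructed from the log excerpt in the thread (not a real log export).
SAMPLE_LOG = """\
Blocked 296
Blocked 297
Blocked 330
Blocked 363
Blocked 396
Blocked 397
Blocked 430
Blocked 463
Blocked 496
Blocked 497
"""

LINE_RE = re.compile(r"^Blocked\s+(\d+)$")


def parse_logged_ports(text: str) -> List[int]:
    """Return the destination ports of 'Blocked <port>' lines, in log order."""
    return [int(m.group(1)) for line in text.splitlines()
            if (m := LINE_RE.match(line.strip()))]


def port_strides(ports: List[int]) -> List[int]:
    """Differences between consecutive logged ports (the '+1 +33 +33' pattern)."""
    return [b - a for a, b in zip(ports, ports[1:])]


def coverage_report(ports: List[int], scan_lo: int, scan_hi: int) -> Dict:
    """Compare logged ports against the window [scan_lo, scan_hi] that was probed."""
    scanned = set(range(scan_lo, scan_hi + 1))
    logged = set(ports)
    missing = sorted(scanned - logged)
    strides = port_strides(ports)
    common = Counter(strides).most_common(1)[0][0] if strides else None
    return {
        "scanned": len(scanned),
        "logged": len(logged),
        "missing": len(missing),
        "coverage_pct": round(100 * len(logged) / len(scanned), 2),
        "common_stride": common,
        "first_missing": missing[:5],
        # Assumed threshold: any stride above 1 means probes went unlogged.
        "gaps_detected": any(s > 1 for s in strides),
    }
```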

Your guess was not necessarily wrong; maybe the FW blocks that host at some point, but it doesn’t warn the user about it. Logs in 2.4 are also stepping n(33) ports.
I’ve even lowered UDP and ICMP floods to 15 packets/sec, in an attempt to get a log entry.

It's funny how there's that almost stable "+1 +33 +33 +33" pattern in both zvaragabor's and my logs, like:

Maybe it’s a feature to cut down the log size.

Still have no explanation about this? Anyway who else notices the same behavior?

I have the same problems with the log.

PS: both 2.4 and 3.0… give me the same results.

I’ve also noticed that logging seems to have a life of its own ;D
I would not bet any money on it. :)

Al

Good to hear that I’m not the only one who noticed that. :)
I really hope that Comodo will fix this “feature”. :-La