Firewall + Netgear SC101 san problems

tinybilbo · February 9, 2007, 10:34pm

Hi
I have just installed comodo firewall (and updated it) and every works very well.
But ( there’s always a but…) I do have one problem.
I have a netgear SC101 - this is a san device that works on DHCP and takes up 2 IPs.
It requires a driver to be installed onto each PC that accesses it as well as a background service to be running at all times.

I have allowed full access to the background service (in Application Monitor).
Both Ip’s Have been fixed (in the router) despite being DHCP and they have been fully allowed (in Network Monitor) and both rules appear above the “block” rules.

I have 3 problems… that appear in my logs.

1)Severity :High
Reporter :Network Monitor
Description: Blocked by Protocol Analysis (Fake or Malformed UDP Packet)
Direction: UDP Incoming Source: 192.168.1.4:20001
Destination: 192.168.1.2:1038
Reason: UDP packet length and the size on the wire(8226 bytes) do not match

2)Severity :High
Reporter :Network Monitor
Description: Blocked by Protocol Analysis (Fragmented IP Packet)
Direction: IP Incoming Source: 192.168.1.4
Destination: 192.168.1.2 Protocol : UDP
Reason: Fragmented IP packets are not allowed

3)Severity :High
Reporter :Network Monitor
Description: UDP Port Scan
Attacker: 192.168.1.4
Ports: 9483, 3339, 3595, 3851, 4107, 4363, 4619, 4875, 5131, 5387, 5643, 5899, 6155, 6411, 6667, 6923, 7179, 7435, 7691, 7947, 8203, 8459, 8715, 8971, 9227, 0, 0, 4, 0, 0, 0, 36864, 0,
The attacker has been temporarily blocked

For the time being I have disabled “do protocol analysis” and “block fragmented IP datagrams” in Security/Advanced/Advanced Attack Detection And Prevention/Miscellaneous
and then the Device works properly.
I have not found a solution to the 3rd problem - the port scan (nor do I know why the device makes a port scan) although despite blocking it’s IP, I never seem to lose access to the device (data transfer must be be thru the other IP).

As stated everything works so I am on the whole happy - but I would really like to re-enable the “do protocol analysis” and “block fragmented IP datagrams” as well exempt the device being blocked for port scanning.

Has anyone got any ideas on howto to do this?

Many thanks (for a great product - It’s a keeper )

syhc · July 20, 2007, 10:34pm

tinybilbo,

Great post (:CLP). I have had problems with firewalls with the Netgear SC101 before, and your detailed analysis has pointed me to the right direction, since I have just installed Comodo Firewall Pro.

I agree - great program (R).

One thing I’ve found is that I needed only to disable the “Do protocol analysis” in Security > Advanced > Advanced Attack Detection and Prevention > Miscellaneous. Keeping “Block fragmented IP datagrams” checked appear to still work with Netgear SC101.

I agree also that a good enhancement for Comodo Firewall Pro is to enable selective disabling of the “Do protocol analysis” for certain trusted source/destination IPs, while allowing this to be enabled globally.

wavemaster · August 7, 2007, 1:04pm

Thank you for this solution

I run multiple SC101 SAN and needed to adjust both of the above mentioned parameters to enable all devices/drives to be accessible

running latest drivers/utility

colirv · October 30, 2007, 9:04am

That worked for me too - it’s all I had to do but I needed to do both.