Firewall rule help needed

I am getting loads of these Windows Operating System being blocked; the Destination IP is always 255.255.255.255. There are others as well but the vast majority are to the IP mentioned. I haven’t a clue as to what they mean but would like someone to explain how to set a rule so that I don’t get them anymore. Bear in mind that I am old and not very PC technical.

I followed the advice given on setting some rules regarding HTTP I got on another thread a few days ago and this reduced it greatly for a time, but now today it is up to approx 3000 alerts since this afternoon (approx one every 5 seconds). I would appreciate if someone could give me a walkthrough on a rule to stop this.

Thanks in advance.

Could you post a sample of your log files, please?

Hi

255.255.255.255 sounds like some sort of broadcast (by your system). Wild guess would be that it’s being caused by the Windows Services SSDP Discovery Service and/or Universal Plug and Play Device Host… is SVCHOST the application responsible? Does it mention a port (eg. upnp-mcast(1900))? Do you have a router?

First off thanks for the replies guys.

Toggie, I am afraid I don’t know how to post a log copy.

Kail, I don’t have a router; I have an ethernet broadband connection to a single PC.
The way it is written in the logs is as follows.

Application—Action—Proto—Source IP—Source—Dest IP----------Destination.
WOSystem–Blocked–UDP–10.133.88.1—67----255.255.255.255----68------.

They seem to come in blocks of 7-8 every 5 seconds. There are other WOS events logged as well but by far the most of them are the one mentioned above. I hope this is of help.

bluesjunior, please see this post for details on how to post:

IMPORTANT: HOW TO WRITE HELP REQUESTS

Are you on a cable network?

The detail you provided is for DHCP. The 10… address is a reserved address, that is, not usable on the Internet, only private networks.

Please post your logs.

Toggie,
I am with Virgin Media on a cable network here in UK. I will read the link you gave and see if I can figure something out. What exactly do you mean by

"the detail you provided is for DHCP. The 10… address is a reserved address, that is, not usable on the Internet, only private networks"

This is the only PC connected to the internet from my home.

I have tried to follow the instructions given in sending log files and hope this works.

[attachment deleted by admin]

Toggie,

I opened it ok and it seems to have worked. I followed the step by step instructions in the link you gave and this told me to delete the logs and reboot. The logs in the zipfile are from the first minutes signing in after reboot. I have deleted my home address as advised. Hope this helps.

Hi bluesjunior.

The log was fine, thank you. It’s as I said above: it’s DHCP traffic. If, as I believe, you are on a cable LAN, then this seems to be a feature of those environments; we’ve seen it before.

If your system is working correctly, then you can simply create a rule to block and not log these packets.
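As an added illustration (not part of the original thread and not Comodo's own code), the sketch below parses log rows in the dash-separated layout bluesjunior typed above and separates DHCP server broadcasts (UDP source port 67 to port 68, destination 255.255.255.255) from other blocked traffic, which is the set a narrowly scoped "block and do not log" rule would silence. The label names are illustrative, and every row except the first is a constructed sample.

```python
import re
from collections import Counter
from ipaddress import IPv4Address

# Row 1 is the log line quoted in the thread; rows 2-4 are constructed samples.
SAMPLE_ROWS = [
    "WOSystem–Blocked–UDP–10.133.88.1—67----255.255.255.255----68------.",
    "WOSystem--Blocked--UDP--10.133.88.1--67--255.255.255.255--68",
    "WOSystem--Blocked--UDP--192.168.100.10--1900--239.255.255.250--1900",
    "WOSystem--Blocked--TCP--203.0.113.7--80--192.168.100.10--49152",
]
FIELDS = ("app", "action", "proto", "src_ip", "src_port", "dst_ip", "dst_port")
BROADCAST = IPv4Address("255.255.255.255")
DHCP_SERVER_PORT, DHCP_CLIENT_PORT = 67, 68


def parse_row(row):
    """Split one row on runs of hyphens/en/em dashes into typed fields."""
    parts = [p for p in re.split(r"[-\u2013\u2014]+", row.strip(" .")) if p]
    if len(parts) != len(FIELDS):
        raise ValueError(f"unexpected field count in {row!r}")
    rec = dict(zip(FIELDS, parts))
    for key in ("src_ip", "dst_ip"):
        rec[key] = IPv4Address(rec[key])
    for key in ("src_port", "dst_port"):
        rec[key] = int(rec[key])
    return rec


def classify(rec):
    """Label DHCP server-to-client broadcasts apart from everything else."""
    if rec["proto"].upper() != "UDP":
        return "other"
    ports = {rec["src_port"], rec["dst_port"]}
    if (rec["src_port"], rec["dst_port"]) == (DHCP_SERVER_PORT, DHCP_CLIENT_PORT):
        return "dhcp-broadcast" if rec["dst_ip"] == BROADCAST else "dhcp-unicast"
    if ports & {DHCP_SERVER_PORT, DHCP_CLIENT_PORT}:
        return "dhcp-port-other"  # e.g. client-to-server, worth a look
    return "other"


def summarise(rows):
    """Count rows per label; only 'dhcp-broadcast' matches the quiet rule."""
    return Counter(classify(parse_row(row)) for row in rows)


if __name__ == "__main__":
    for label, count in summarise(SAMPLE_ROWS).items():
        print(f"{label}: {count}")
```

Rows labelled anything other than `dhcp-broadcast` stay in the log, so suppressing the DHCP noise does not hide unrelated blocked traffic.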

Thanks for your reply Toggie.
Excuse my ignorance but could you give me a walkthrough of how I do that?

IP 255.255.255.255 as well as IP 0.0.0.0 should be defined as part of your Local Network; they are special addresses.

Firewall → My Network Zones
Highlight an address in your already defined Local Network (whatever you named it)
Click “Add”
Select “A New address”
Select “A single IP address”
Enter one of the above addresses
Click “Apply”

Repeat to add the second address.

Hi Zortag,

When I opened up Network Zones there were two entries as follows.

Loopback Zone: IP in 127.0.0.1 / 255.0.0.0

and the second one was.

VIA VT6102 Rhine II fast Ethernet Adapter - Packet scheduler miniport.
IP in 192.168.100.10 / 255.255.255.0

I followed the instructions you gave me and added the 255.255.255.255 rule to the VIA listing and the 0.0.0.0 one to the Loopback listing. I followed your instructions above but am still getting loads of 255.255.255.255 blocked intrusion attempts even after rebooting. Have I done this correctly or not? You mentioned a Local Network but there was no mention of this. Do I need to create one and if so how?

255.255.255.255 is a Network broadcast address and is used by, amongst other things, a DHCP client to locate a DHCP server. 0.0.0.0 is a reserved address which generally relates to routing and is specifically used to indicate the default route in the absence of any better route.

bluesjunior.

Are you on a cable Internet connection?

Toggie, Yes I am.

ooh virgin media, same as me ;D

I can’t be certain since Virgin Media must have customers with a lot of old connections from the older cable companies Virgin Media swallowed up lol,

but when you first installed CFP 3, did you get any logs for your 192.168.*.* IP trying to connect to 192.168.*.* on a NetBIOS port, say 137? If so, then you should have allowed that and set it as remember me, because it is your ISP just querying you at regular intervals. Well, your router querying your PC. Just something to check in case your connection and cable modem is the same as mine. If you can, let us know when you joined Virgin Media, whether it is Virgin Media your broadband is from or if your broadband was set up with Telewest or NTL cable. Which other ones there are I don’t know. Virgin Media is made up of a lot of connections, from its own to all the other cable companies it acquired and that customers are still running on :smiley:

bluesjunior - During the later stages of the Comodo installation process, a query-box popped up announcing that it had “found a new network”, asking if you wanted to trust it, name it, etc, etc. This is your Local Network! By default, Comodo chose to name the network by using the name of the Ethernet card; this is unfortunate, as they could just as easily (this first time only) have defaulted to calling it something like “Local Area Network”. First I would suggest renaming the network; it makes no real difference to Comodo, but you get the “thing” named to what is a common reference.

Firewall → My Network Zones
Highlight “VIA VT6102 Rhine II fast Ethernet Adapter - Packet scheduler miniport.”
Click Edit
Enter “Local Area Network” (without the quotes)
Click Apply, Apply, etc (however many times it takes to get back to main “Comodo” app)

Then go back in and fix the addresses, by adding/removing (see instructions in my previous post) so that the two zones “Loopback Zone” (automatically created by Comodo), and “Local Area Network” look like:

Loopback Zone
IP IN [127.0.0.1 / 255.0.0.0]

Local Area Network
IP in 192.168.100.10 / 255.255.255.0 (no change)
IP 0.0.0.0
IP 255.255.255.255

You should NOT be seeing any traffic blocked that is within this Local Area Network, that is, if the Source Address and Destination Address (look in the log) are BOTH in the Local Area Network (i.e. 192.168.0.x, where x is any number 0-255, OR 0.0.0.0 OR 255.255.255.255). If you are still getting blocked messages for local traffic, then you’ve got a rule issue.
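The both-ends condition from the post above, applied to the addresses that appear in this thread. This is an added example, not part of the original posts and not Comodo's code; it assumes traffic counts as local only when both source and destination match a zone entry, as the post describes, and the function names are hypothetical.

```python
from ipaddress import IPv4Address, IPv4Interface, IPv4Network

# Zone entries exactly as listed in the post above.
LOCAL_AREA_NETWORK = [
    "192.168.100.10 / 255.255.255.0",
    "0.0.0.0",
    "255.255.255.255",
]


def build_zone(entries):
    """Convert 'address / mask' and single-address entries to networks."""
    nets = []
    for entry in entries:
        if "/" in entry:
            addr, mask = (part.strip() for part in entry.split("/"))
            # IPv4Interface masks off the host bits: .10/24 -> .0/24
            nets.append(IPv4Interface(f"{addr}/{mask}").network)
        else:
            nets.append(IPv4Network(f"{entry.strip()}/32"))
    return nets


def ends_outside_zone(src, dst, zone):
    """Return which ends ('source', 'destination') match no zone entry."""
    outside = []
    for label, ip in (("source", src), ("destination", dst)):
        if not any(IPv4Address(ip) in net for net in zone):
            outside.append(label)
    return outside


def is_zone_local(src, dst, zone):
    """Hypothetical helper: local only if BOTH ends are inside the zone."""
    return not ends_outside_zone(src, dst, zone)


if __name__ == "__main__":
    zone = build_zone(LOCAL_AREA_NETWORK)
    # Packet from the log earlier in the thread, then two constructed ones.
    for src, dst in [("10.133.88.1", "255.255.255.255"),
                     ("192.168.100.10", "255.255.255.255"),
                     ("0.0.0.0", "255.255.255.255")]:
        print(src, "->", dst, "outside:", ends_outside_zone(src, dst, zone))
```

With the zone as listed, the logged packet's source 10.133.88.1 matches no entry, so the both-ends test does not classify that packet as local.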

Ron_75,
I was originally with NTL for years until it was taken over by Virgin Media who I am with now.

Zortag,
I followed your instructions to the letter and now have My Network Zones set up as you advised. Nonetheless I am still getting the same Blocked messages in the log for 255.255.255.255.

As you mentioned it must then be a Rules problem so I opened the Network Security Policy and under Application Rules > System, I have two rules with the designation “Block”. The first states:

Block TCP In from IP Any to IP any Where source port is in (HTTP Ports) and destination port is any.

The second is under Windows Operating System and states:

Block IP In / Out From IP Any to IP Any where protocol is Any.

Under Global Rules the only “Block” designation is as follows:

Block and Log IP In from IP Any to IP Any where protocol is Any.

I hope this is of use and I really appreciate your help.

Ah OK, well it’s different from mine then; mine was with Telewest. I’m still using the original modem that came with my connection with them; you might be too, but the local network stuff must be different. Like Zortag said, I would think that too. When you first install CFP, the first alert you get is from your local area network. I have a router, so for me it showed 192.168.*.* trying to connect to my PC’s internet IP 192.168.*.*. Selecting block would just make it keep doing that; it’s safe to accept though, since it’s just one’s ISP doing checks. Once I allowed it I ain’t ever had any more entries for that. As for 255.255.255.*, that’s a subnet mask IP; not sure if that’s one’s Local Network zone/IP, but it looks like Zortag would know.

Ron_75,
Telewest became NTL or vice versa before becoming Virgin Media. I had an old black box modem before but after having connection problems with it they gave me one of the new blue Ethernet ones as a replacement.

hi bluesjunior,

Yeah, I remember that Telewest bought out NTL or NTL bought Telewest out; I can’t remember which one bought out who, then Virgin Media bought them out lol. My box is different; it’s a Motorola white box. I think it’s the original Telewest cable box, which is ■■■■ good. I would never let Virgin replace it lol. But they’ve never been round to do so anyway.

So I’m sure yours and mine connect differently; for instance, mine uses one of the NetBIOS ports for listening for incoming connections from my ISP, and most connections don’t use NetBIOS anymore.

What you can do is go to firewall/view active connections when you first load up your PC, if your box is always on like mine, then click on active connections to see what is listening from the list of connections. Then if you post it, someone should be able to make out if one is your ISP making a connection.
Not sure what IP or service it would show; for me it shows my router’s IP, which makes it easy for me to recognise that my router is querying my PC.