Firewall Rules Not acting as expected -

Hi -
Trying to use Comodo Firewall to force a program (uTorrent) to only be able to send traffic FROM a specific adapter (my VPN adapter) on IP address range 10.4.x.x to 10.9.x.x - Set up the following test to verify it's working.

Using - Version 5.10.228257.2235

Basically, Step one - Launch uTorrent with VPN disconnected (this means the allowable address range doesn't exist, and hence uTorrent should be able to send NO traffic).
Yet - uTorrent is sending out a packet from 192.168.1.2 - Why can it do this?

Step two - connect VPN, uTorrent runs / works as expected - Only thing odd is Comodo is still asking me what I want to do with packets - even though I have a policy defined.

Step 3 - drop VPN, expect uTorrent to halt traffic, yet instead, the torrent continues to run with even more traffic being sent from 192.168.1.2 - I don't understand how this is possible.

3 screenshots attached; you can see the rules, connections using CurrPorts etc.

Can anyone explain this?

Thanks

[attachment deleted by admin]

Your rules tell utorrent the following:

  1. It can receive connections from any address in 10.4.0.0 - 10.9.255.255
  2. It can’t receive connections from any address in 10.4.0.0 - 10.9.255.255
  3. It can’t connect to any address in 10.4.0.0 - 10.9.255.255
  4. It can’t connect to any address in 192.168.1.0 - 192.168.1.255

These rules don't prevent utorrent from connecting/receiving from any other IP address.

Thanks for the reply,

I'm sorry, perhaps I don't understand how the rules work.

Doesn't, for example, rule 3, which says:
Block and log IP out from not in (range) to MAC any where protocol is any

mean I shouldn't be able to send traffic OUT from any IP other than the range specified? The From should dictate source address - How does that evaluate to

  1. It can’t connect to any address in 10.4.0.0 - 10.9.255.255

Please Clarify,

Thanks -

My bad, I obviously need new glasses, as I missed that :-[ That rule should indeed prevent connections not specified in the range.

I seem to remember from past questions regarding utorrent and VPN connections, that it's better to use the MAC address of the OpenVPN TAP adapter rather than the IP address block. As I understand, this helps prevent utorrent from 'leaking'. Maybe worth a try.

Thanks for the suggestion, I tried it with the MAC also… same rule as rule 3, but with the MAC of the vpn adapter in there - when the VPN drops off, uTorrent still happily runs on the 192 subnet… Very odd.

I'm at a loss!

Bump… Anyone have any other ideas on this?

I was playing around with this today, can you try the following rule change:

Action - Allow
Protocol - TCP or UDP
Direction - In
Source Address - VPN
Destination Address - Any
Source Port - Any
Destination Port - Any

Action - Allow
Protocol - TCP or UDP
Direction - Out
Source Address - VPN
Destination Address - Any
Source Port - Any
Destination Port - Any

Action - Block
Protocol - TCP or UDP
Direction - In/Out
Source Address - Any
Destination Address - Any
Source Port - Any
Destination Port - Any

Thanks - I will try it…

Any reason why you specifically block TCP / UDP, instead of just all IP Traffic?

OK - Tested it out - Never even got a chance to test the VPN out - With those rules, utorrent is still sneaking through packets on the 192 subnet… (TCP)

Log entries: (I x'ed out the IPs)

4/3/2012 11:01:22 AM Added uTorrent.exe TCP 192.168.1.2:44275 x.241.99.41:2710
4/3/2012 11:01:22 AM Removed uTorrent.exe TCP 192.168.1.2:44274 x.211.88.54:80
4/3/2012 11:01:23 AM Removed uTorrent.exe TCP 192.168.1.2:44275 x.241.99.41:2710

Is there anything else I can do on my end to help this? Happy to run more tests if you can think of anything -

Thanks -
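An added example (not from this thread, and not Comodo's own code) that models the two policies discussed above: the poster's rule 3 ("block IP out from NOT in range") and the three-rule allow/allow/block set suggested later. It evaluates them first-match, top to bottom, and then audits CurrPorts-style log lines in the format quoted above to flag any new connection the policy says should have been blocked. The log lines are constructed: the x'ed-out remote addresses are replaced with 203.0.113.x documentation addresses, one 10.5.0.2 line is added to show a VPN-sourced connection, every "Added" line is assumed to be outbound from the local address, and first-match semantics are an assumption, not a statement about how Comodo actually orders its checks.

```python
import re
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple, FrozenSet, List, Dict

IPv4 = ipaddress.IPv4Address
Range = Tuple[IPv4, IPv4]

# The block the poster wants uTorrent pinned to: 10.4.0.0 - 10.9.255.255 (the VPN adapter).
VPN_RANGE: Range = (IPv4("10.4.0.0"), IPv4("10.9.255.255"))


def in_range(addr: IPv4, rng: Range) -> bool:
    lo, hi = rng
    return lo <= addr <= hi


@dataclass(frozen=True)
class Rule:
    action: str                                 # "allow" or "block"
    direction: str                              # "in", "out" or "in/out"
    src: Optional[Range] = None                 # None means "Any"
    dst: Optional[Range] = None                 # None means "Any"
    protocols: Optional[FrozenSet[str]] = None  # None means all IP traffic
    src_negated: bool = False                   # True models "from NOT in range"


@dataclass(frozen=True)
class Conn:
    proto: str
    direction: str
    src: IPv4
    dst: IPv4


def matches(rule: Rule, conn: Conn) -> bool:
    if rule.direction != "in/out" and rule.direction != conn.direction:
        return False
    if rule.protocols is not None and conn.proto not in rule.protocols:
        return False
    if rule.src is not None:
        hit = in_range(conn.src, rule.src)
        if hit == rule.src_negated:  # a negated rule matches only when the source is outside the range
            return False
    if rule.dst is not None and not in_range(conn.dst, rule.dst):
        return False
    return True


def evaluate(rules: List[Rule], conn: Conn, default: str = "ask") -> str:
    """Assumed first-match semantics: the first matching rule decides; no match falls through to the prompt."""
    for rule in rules:
        if matches(rule, conn):
            return rule.action
    return default


# The poster's rule 3 as quoted: block IP out from any source NOT in the VPN range, any protocol.
POSTER_RULES = [Rule("block", "out", src=VPN_RANGE, src_negated=True)]

# The allow/allow/block set suggested in the thread (TCP or UDP only).
TCP_UDP = frozenset({"TCP", "UDP"})
SUGGESTED_RULES = [
    Rule("allow", "in", src=VPN_RANGE, protocols=TCP_UDP),
    Rule("allow", "out", src=VPN_RANGE, protocols=TCP_UDP),
    Rule("block", "in/out", protocols=TCP_UDP),
]

LOG_RE = re.compile(
    r"^(?P<ts>\d+/\d+/\d+ \d+:\d+:\d+ [AP]M) (?P<event>Added|Removed) (?P<proc>\S+) "
    r"(?P<proto>TCP|UDP) (?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample in the CurrPorts format quoted in the thread; remote addresses are placeholders.
SAMPLE_LOG = """\
4/3/2012 11:01:22 AM Added uTorrent.exe TCP 192.168.1.2:44275 203.0.113.41:2710
4/3/2012 11:01:22 AM Removed uTorrent.exe TCP 192.168.1.2:44274 203.0.113.54:80
4/3/2012 11:01:23 AM Removed uTorrent.exe TCP 192.168.1.2:44275 203.0.113.41:2710
4/3/2012 11:02:05 AM Added uTorrent.exe UDP 10.5.0.2:44276 203.0.113.77:6881
"""


def parse_connection(line: str) -> Optional[Conn]:
    """Return the new connection an 'Added' line describes, or None for 'Removed' / unparsable lines."""
    m = LOG_RE.match(line.strip())
    if not m or m.group("event") != "Added":
        return None
    # Assumption: the first address pair is the local side, so the connection is outbound.
    return Conn(m.group("proto"), "out", IPv4(m.group("src")), IPv4(m.group("dst")))


def audit(log: str, rules: List[Rule]) -> List[Dict[str, str]]:
    """Flag every observed new connection that the policy would not have allowed."""
    findings = []
    for line in log.splitlines():
        conn = parse_connection(line)
        if conn is None:
            continue
        verdict = evaluate(rules, conn)
        if verdict != "allow":
            findings.append({"src": str(conn.src), "dst": str(conn.dst),
                             "proto": conn.proto, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG, SUGGESTED_RULES):
        print("policy says", f["verdict"], "but connection was observed:", f)
    # Answering the "why only TCP/UDP?" question: a non-TCP/UDP packet matches none of the
    # suggested rules and falls through to the prompt instead of the block rule.
    icmp = Conn("ICMP", "out", IPv4("192.168.1.2"), IPv4("203.0.113.41"))
    print("ICMP under suggested rules:", evaluate(SUGGESTED_RULES, icmp))
```

Under both policies the logged TCP connection from 192.168.1.2 evaluates to "block", which is what makes the CurrPorts entries a policy violation worth investigating rather than expected behaviour; the audit function is the check to re-run after any rule change. The ICMP case shows the gap the "why not all IP traffic?" question points at: with a protocol-restricted final block rule, anything other than TCP/UDP is never matched and ends up at the prompt.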

Have you turned off "allow connection" from the firewall options page and set "stealth all ports on a per-case basis and ask me for connection"? Or something like that.

  • Firewall Security level is set to custom, as that says in the description only allow traffic that adheres to security policy. (with the rules provided in this thread in place) -

I didn't play with the stealth port because the goal here is to block only uTorrent…

Thanks -

Curiously, I’m not seeing any ‘leaking’ with these rules, did you add them exactly as listed?

Yes, and I took the utorrent rule set and moved it to the top of the list -

Could it be OS specific? I'm running Windows 7 Ultimate 64 -

Another thing I was thinking is, perhaps it's an issue with CurrPorts (the program I'm looking at the traffic with). I assumed the firewall would have to get the packet first because it looks like it's at the driver level; is this a bad assumption?

I ran the test on x64 and I also use CurrPorts, so the problem lies elsewhere. What settings are you using in utorrent?

OK - I'll do my best to give you what I think is relevant… if I left out a specific setting you need to know, just let me know:

Connection -
Port used for incoming connections: 5xxxx
UPnP Port Forwarding - enabled
NAT-PMP port mapping - enabled
Add Windows Firewall exception - Enabled ( windows firewall is turned off on my machine)

BitTorrent -
Enable DHT - Enabled
Enable DHT for new torrents - Enabled
Enable Local Peer Discovery - Enabled
Enable Bandwidth Management - Enabled
UDP Tracker - Enabled
Ask Tracker to Scrape Info - Enabled
Enable Peer Exchange
Protocol Encryption - Enabled, Allow incoming Legacy Connections - Enabled

Advanced -
isp peer policy override - false
net.bindip - blank
net.disable incoming ipv6 true
net.discoverable true
net.outgoingip - blank

Thanks Again!

I configured utorrent with the settings you provided but I’m still not getting any ‘leaks’. One thing I would recommend is disabling port forwarding/mapping. It’s also worth playing around with DHT/PEX on and off.

Well Today I tried a few things -

Went to the connection / BitTorrent options, disabled EVERYTHING (including DHT / PEX) - still leaks.
Uninstalled Comodo and reinstalled - no dice…

I fear I am at a loss…