fw blocks Cloud (Windows operating system)

bump

bump

It looks like you are blocking CIS from functioning. Can you see what rule is made for Comodo Internet Security in Network Security Policy → Application Rules?

for me it says:

allow all outgoing
block & report all incoming

I guess I also have to allow all incoming?
@edit: when I try to edit the rule it says “you have to edit it in the “premade rules””… so I can't really edit it? :S

The outgoing only rule is fine. No need to change it.

Well, I changed it now to allow all and still got 926 blocked connections today (~9 hours).

@edit: could it be that Comodo changed its rule back to only allow outgoing? Because it's set to that again without me resetting the rule… and I feel like while allowing all incoming & outgoing of CIS, I didn't have any blocked connections… but now it's normal again (block all incoming) and I have 926 blocked ones?

Incoming traffic first sees Global Rules. And since you set the firewall to stealth it will block things. Changing a program rule does not change this.

There is no reason to worry. The firewall is doing its work.

The firewall is blocking 2200 connections which also contain IPs which are from the Comodo cloud (read that in some other thread where some guy had the same IP as me getting blocked and a moderator said that this is an IP from the Comodo cloud service). I sometimes even have to restart my PC because Comodo is freezing due to the massive blocking :S

And I used KIS before (where I also got all blocks reported) and there I didn't even have 10 blocks in a whole month… so something is wrong here? :confused:

bump

3082 times blocked today :S

Having lots of things blocked doesn’t mean you are in the danger zone. Are the alerts from Comodo only coming in at UDP port 4447? Or are there also instances blocked at port TCP 4446?

No, they are all random ports… here is a list which I made when I created this thread:

http://beasty.wippiespace.com/stuff/fw.htm

Never said it is dangerous but it is really annoying… especially when Comodo crashes (or slows down the internet) due to the amount of blocks (as posted in the video… sometimes it is blocking like 1 connection per second… the number is increasing with each second until Comodo crashes :S)

You need to close port 35272 on your router.

This port isn't and never was opened on my router :confused:

Sounds like you have a global rule that’s logging inbound blocks. Who cares?

My global rules:

Allow ICMP in from in [modem] to in [NIC] where ICMP message is ECHO REQUEST
Allow ICMP in from IP any to in [NIC] where ICMP message is FRAG NEEDED
Block ICMP in from Not in [modem] from IP any where IP message is any
Allow ICMP out from in [NIC] to in [modem] where ICMP message is PORT UNREACHABLE
Allow ICMP out from in [NIC] to in [CIS agent - TCP/UDP] where ICMP message is PORT UNREACHABLE
Allow ICMP out from in [NIC] to in [modem] where ICMP message is ECHO REPLY
Allow ICMP out from in [NIC] to in [modem] where ICMP message is FRAG NEEDED
Block and Log ICMP out from IP any to IP any where IP message is any

CIS will drop any unsolicited incoming IP traffic automatically w/out log entry. All my logs will show are unhandled host IP connection attempts per app. That’s all I care about.

My global rules are:

Allow outgoing requests which go to [Home-Wlan]
Allow all incoming requests which come from [Home-Wlan]
Allow outgoing requests which go to [VMWARE2]
Allow all incoming requests which come from [VMWARE2]
Allow outgoing requests which go to [VMWARE]
Allow all incoming requests which come from [VMWARE]
Allow outgoing requests which go to [Home-Network]
Allow all incoming requests which come from [Home-Network]
Block ICMP out of MAC any to MAC any for ICMP message PROTOCOL UNREACHABLE
Block ICMP in of MAC any to MAC any for ICMP message 17.0
Block ICMP in of MAC any to MAC any for ICMP message 15.0
Block ICMP in of MAC any to MAC any for ICMP message 13.0
Block ICMP in of MAC any to MAC any for ICMP message ECHO REQUEST

Is there anything wrong with it? :S
I also had KIS 2010 configured to log everything (in and out) and never had so many blocks (not even 1% of the amount which I have now). So I believe that Comodo is blocking something which it shouldn't… and from what I read in some other topic, Comodo blocks its own cloud system.

But maybe I'm wrong :stuck_out_tongue: I just want to figure out what is going on

:-[

No logging rules for global, eh? Well, the culprit can only be a block/log in/out for ‘system’. You probably have a predefined policy for system (block and log all unmatching). Change it to custom. Establish the following rules:

allow UDP in from in [modem] to in [NIC] where src 137 dest 137
ask and log IP IN/OUT from IP any to IP any where protocol any

The first rule may not even be necessary if your gateway isn’t periodically submitting NetBIOS name query packets to you (and that can’t be disabled on the gateway).

The only unsolicited traffic coming into your PC should be source IP: gateway. If you are on a LAN and you’re doing file sharing, then the nodes on your LAN will access ‘system’ in an unsolicited manner. In that case the IP addresses of permissible inbound src addresses will need to be established and the appropriate rule for ‘system’ will need to be created. All outbound connection attempts to any IP address should be allowed per app. Anything inbound that isn’t initiated on the host gets blocked by ‘system’. ALL outbound app-initiated IP connection attempts without a specific rule for the IP connection should generate an alert and log entry.

As far as global rules, ALL I care about is blocking inbound / outbound ICMP. Unsolicited traffic to the host gets dropped automatically by ‘system’ if an app hasn’t initiated a connection to the inbound IP address. That’s the whole point of a stateful firewall. Who cares what’s being dropped. What I want to know about is when apps start phoning home by themselves. That’s a sure sign of a hijack.

I’d associate all your LAN & VMWare rules w/ host ‘system’ (not host global) as allowable source IP for each appropriate node on your LAN.

Hm, I already have a custom rule for system:

Allow System to send requests to [Home-Wlan]
Allow System to receive requests from [Home-Wlan]
Allow System to send requests to [VMWARE2]
Allow System to receive requests from [VMWARE2]
Allow System to send requests to [VMWARE]
Allow System to receive requests from [VMWARE]
Allow System to send requests to [Home-Network]
Allow System to receive requests from [Home-Network]
Allow UDP in from IP [192.168.178.56 / 255.255.255.0] to MAC any if Sourceport is random and Destinationport is random
Allow TCP in from IP [192.168.178.58 / 255.255.255.0] to MAC any if Sourceport is random and Destinationport is random

Comodo Internet Security:
Allow all in and out

Windows-App for Updates:
Allow IP Out from MAC Any to Mac Any over Protocol Any

Windows-System-App
Allow IP Out from MAC Any to Mac Any over Protocol Any

All rules are translated from German to English… hope you understand what I tried to translate :smiley:

So those are my rules… now I wonder if they are wrong… a rule with [NIC] (like you described above) isn't here… should I change something?

Also:
Allow UDP in from IP [192.168.178.56 / 255.255.255.0] to MAC any if Sourceport is random and Destinationport is random
Allow TCP in from IP [192.168.178.58 / 255.255.255.0] to MAC any if Sourceport is random and Destinationport is random

192.168.178.58 = Homeserver
192.168.178.56 = not sure yet… I guess someone else's computer… but why is it once UDP and then TCP?

thanks :stuck_out_tongue:

I removed from network security the rule-set for Windows-System-Applications. It is a file group composed of:

%windir%\system32\smss.exe
%windir%\system32\csrss.exe
%windir%\system32\winlogon.exe
%windir%\system32\spoolsv.exe
%windir%\system32\lsass.exe
%windir%\system32\wbem\WMIAdap.exe
%windir%\system32\wbem\WMIPrvSE.exe
C:\Program Files\COMODO\COMODO Internet Security\cavscan.exe

No rule for any of the above applications has ever been necessary.

I’ve also removed the Windows-updater Applications ruleset. It is a filegroup composed of:

%windir%\system32\svchost.exe
%windir%\system32\msiexec.exe
%windir%\system32\wuauclt.exe
%windir%\SoftwareDistribution*
%windir%\system32\wupdmgr.exe
C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe

I have a rule explicitly for svchost.exe and msiexec each. The latter is only used when installing applications. The former for all Windows updating. You can leave your rule as is since SVCHost is quite complicated. You can search for my posts using keyword ‘SVCHost’ and my user name.

Instead of separate rules for TCP & UDP in ‘system’, you can have one rule, e.g.,
Allow UDP or TCP in from IP [192.168.178.0 / 255.255.255.0] to MAC any if Sourceport is random and Destinationport is random

I.e., given the mask 255.255.255.0, both 192.168.178.56 & 192.168.178.58 are on the same subnet. Your gateway should have IP address 192.168.178.1 (it’ll be on the same subnet also).

NIC is a zone I made. It is my NIC, i.e., 192.168.0.64 (I use static IP). If you’re using DHCP or APIPA a zone with an IP mask will accommodate that. It's easier to select a zone than type in IP addresses all the time when maintaining and updating firewall rules. The last rule for any network security policy should always be ask & log IP in/out from any to any where protocol is any. This will alert you - and make a log entry - when an app wants to make a connection to a new IP address.

If a new app wants to make an IP connection, it's OK to allow and ‘remember this’ the first time only. That will make a new rule for that app: Allow all from any to any src port any dest any. I hate allow any any rules. Who needs a firewall for that? Change the rule so that it is for specific source and destination IP. Add the ‘ask and log’ rule to the end. If you add a new rule, you’ll have to drag the ‘ask & log’ rule to the bottom. You can drag the app rule in entirety. Sort your rules such that the most common is at the top. I have ‘system’ as first app, then DNS, then SVCHost, then other stuff in order of less frequent IP access.

DNS is a filegroup of all apps that need to connect to the internet and ask for DNS, i.e., UDP on port 53. Only one rule here: Allow UDP out from in [NIC] to in [DNS] where src port any dest port 53. Here DNS is a zone of DNS servers. Notice: no ‘ask & log’ rule. Why? Because any app that wants DNS resolution will hit on the app-specific ‘ask & log’ rule. Then I simply add the app to the DNS filegroup and no additional changes to the firewall need to be made.

SO. If there is no rule ‘block and log all mismatched’ in network security, either per app or in global rule, you should not have thousands of blocks in your log. The only log entries will be for apps trying to get out and no rule exists for the app to do that.

My family comes from Konstanz (but Dad from Berlin and Mom comes from Graz). Grüß Gott.

There is no rule with “block and log all mismatched” for an app or as a global rule (I posted my whole global rule list)… so what could cause the problem?

Well, actually there are some apps which I block but those aren't running. Also they aren't checked for making a protocol entry.

So I could delete the ruleset for Comodo Internet Security, Windows System Application and Windows Update Application… but leaving them as they are is no problem either?

Will check for your topic about svchost.exe :slight_smile:

Hmm, rules with specific destination and source IP… that could make a lot of popups for programs which make connections to different IPs? Like torrent, downloaders, browser, MSN, chats,… even games and other random programs?

What I was wondering: why do I have once UDP allowed for a specific IP and then TCP… both are servers in my local network and I use them both the same way :o

@edit: nice German btw :D:D

You HAVE to be logging blocked IP traffic somewhere. That doesn't come from the Heinzelmännchen. If not ‘block and log all mismatched’ it's some other variation. Look at apps that have ‘outgoing only’ as predefined policy.

I fail to see a purpose for the Windows-System-Application ruleset. NONE of the associated components of that filegroup have ever asked for internet access on my system. Won’t hurt to leave it, but whatever for, a security hole? IF any of the components need an IP connection, they’ll ask and if you allow, ‘remember this’, a rule for that app will get created. Worst case: you’ll eventually have a rule for each component anyways, and then why not just recreate a ruleset using the filegroup? Easy enough to do, just add the rules for each component to the file group.

Actually I neglected to mention that the first component of that filegroup is System; it is a process executing as PID 4. The process called Windows Operating System is PID 0 and is the System Idle Process. So if you delete Windows-System-Application, you will need a rule for the System process itself. That’s what I mean by ‘System’.

You state you have rules like this:

Allow System to send request to [Home-Wlan]

For which application is that rule? And just what is ‘System’ in that rule? Is that a zone? How does the rule actually read? ’Cause I’m confused: ‘send request to’ ???

IF you delete the Windows-Updater Applications ruleset, SVCHost WILL complain it wants internet access. You can leave it as is, or merely allow & ‘remember this’ when SVCHost does knock on the door. IF you’re interested in establishing the least privilege security policy necessary, it’ll behoove you to investigate what SVCHost is all about. You’ll need a sparse log to get a grip on what it's doing. So the first issue is paramount. You have to figure out what’s logging your blocked traffic. I’m telling you: it's a rule that does that: if not in global, then some app rule is doing that in network security policy.

I wouldn’t mess with Comodo Internet Security until after you get a handle on SVCHost; that’ll train you on how to address CIS firewall rule.

As far as IP alerts, you will at first get a lot of alerts. But as you sort the various IPs into specific zones by app, the alerts diminish. Eventually you only see one per month or so. Every time you see a new IP address for some app, you put it into the proper zone (by domain name by app), and you don’t have to change the firewall rules at all. You may have to create a new rule if a new domain name shows up, but that’s about it.

You’ll need to find a reverse DNS web-site and bookmark that. You’ll use it a lot.

As far as your servers, you’re using a mask, as such the last octet of the IP address is irrelevant. ALL 254 nodes on the subnet are allowed in. To make least privilege firewall rules make them like this:

Allow UDP in from IP 192.168.178.56 to MAC any if Sourceport is random and Destinationport is random
Allow TCP in from IP 192.168.178.58 to MAC any if Sourceport is random and Destinationport is random

If the last rule for ‘system’ is:

Ask and log IP in/out from IP any to IP any where protocol is any

You’ll be made aware of a TCP connection attempt by 192.168.178.56 and UDP by 192.168.178.58 (if so, just change the rule to allow ‘TCP or UDP’ in from those IP addresses). Possibly that has something to do with ‘automatically detect new private networks’ (‘more’ tab, preferences). I have that unticked.
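Two points in this thread are easy to check with a small model: the reply above that a host address written with a 255.255.255.0 mask admits every node on the subnet rather than the one server, and the earlier reply that unmatched inbound traffic is dropped silently, so thousands of logged blocks imply a rule with logging turned on. The Python below is an added example written for this thread, not Comodo's code; it assumes CIS evaluates a rule list top to bottom with first match winning and drops unmatched traffic without a log entry, and the rule names, the sample rule sets and the 203.0.113.x traffic are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    action: str        # "allow", "block" or "ask"
    direction: str     # "in", "out" or "in/out"
    protocol: str      # "tcp", "udp", "icmp" or "any"
    source: str        # "any", a single host, or host/mask as typed into CIS
    log: bool = False  # whether a match writes a firewall log entry
    name: str = ""     # label for the result (constructed, not a CIS field)


@dataclass(frozen=True)
class Packet:
    direction: str
    protocol: str
    src: str


def source_matches(rule_source: str, src: str) -> bool:
    """True when src falls inside the rule's source spec.

    strict=False is what makes "192.168.178.56/255.255.255.0" stand for the
    whole /24: the host bits are ignored, so any node on the subnet matches.
    """
    if rule_source == "any":
        return True
    net = ipaddress.ip_network(rule_source, strict=False)
    return ipaddress.ip_address(src) in net


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction in ("in/out", pkt.direction)
            and rule.protocol in ("any", pkt.protocol)
            and source_matches(rule.source, pkt.src))


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, bool, str]:
    """First matching rule wins (assumed top-to-bottom evaluation).

    A packet that matches nothing is dropped silently: blocked, but not
    logged, which is why a log full of blocks implies a logging rule.
    """
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.log, rule.name
    return "block", False, "implicit-default"


def hosts_admitted(rule_source: str) -> int:
    """Number of distinct source hosts a non-'any' source spec lets through."""
    net = ipaddress.ip_network(rule_source, strict=False)
    if net.prefixlen >= 31:           # /31 and /32 have no network/broadcast
        return net.num_addresses
    return net.num_addresses - 2      # drop network and broadcast addresses


def log_count(rules: List[Rule], packets: List[Packet]) -> int:
    """How many of the packets would produce a log entry under these rules."""
    return sum(1 for p in packets if evaluate(rules, p)[1])


# --- constructed rule sets (labels and order are ours) --------------------
ASK_AND_LOG = Rule("ask", "in/out", "any", "any", log=True, name="ask-and-log")

# the poster's 'system' rules as written: host address plus a /24 mask
MASKED_RULES = [
    Rule("allow", "in", "udp", "192.168.178.56/255.255.255.0", name="udp-.56-masked"),
    Rule("allow", "in", "tcp", "192.168.178.58/255.255.255.0", name="tcp-.58-masked"),
    ASK_AND_LOG,
]

# the tightened form from the reply: one host each, ask-and-log last
HOST_RULES = [
    Rule("allow", "in", "udp", "192.168.178.56", name="udp-.56"),
    Rule("allow", "in", "tcp", "192.168.178.58", name="tcp-.58"),
    ASK_AND_LOG,
]

# a policy that ends in 'block and log all unmatched'
BLOCK_AND_LOG_RULES = [
    Rule("allow", "out", "any", "any", name="allow-out"),
    Rule("block", "in/out", "any", "any", log=True, name="block-and-log-unmatched"),
]

# the same policy without the logging rule: unmatched traffic is dropped silently
SILENT_RULES = [Rule("allow", "out", "any", "any", name="allow-out")]

# constructed sample of unsolicited inbound UDP from 20 internet hosts
UNSOLICITED_INBOUND = [Packet("in", "udp", f"203.0.113.{i}") for i in range(1, 21)]


if __name__ == "__main__":
    stray = Packet("in", "udp", "192.168.178.99")   # a LAN node with no rule of its own
    print("masked rule admits", hosts_admitted("192.168.178.56/255.255.255.0"), "hosts")
    print("stray LAN host under masked rules:", evaluate(MASKED_RULES, stray))
    print("stray LAN host under host rules:  ", evaluate(HOST_RULES, stray))
    print("logged with block-and-log:", log_count(BLOCK_AND_LOG_RULES, UNSOLICITED_INBOUND))
    print("logged without it:        ", log_count(SILENT_RULES, UNSOLICITED_INBOUND))
```

Under the masked rules a stray LAN host is allowed in by the .56 rule; under the host-only rules it falls through to ‘ask and log’, as does TCP from .56 itself, which is the behaviour the reply describes. The last two lines show the logging point: the same twenty unsolicited packets produce twenty log entries when a ‘block and log’ rule is present and none when they reach the silent default.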