Help - Outbound Connections

Hi folks, hope you can help

I want to start understanding what all the Outbound Connections are that suddenly appear when I visit websites. If I can understand them then I want to look at blocking those I don’t want.

The problem is . . . how can I understand what those connections are?

When I look at the active connections window in Comodo Firewall I can see the destination IP Address, but that means nothing to me. How do I go about determining what each IP Address is and thus where the data is going to?

Thx in advance

In general the browser needs to be able to connect to web servers on two ports, 80 and 443. The latter is used for secure connections.

Most web-sites have a URL-friendly name, but computers work with bits and bytes, not friendly names. So when you go to www.some-web-site.com your computer issues a domain name service name resolution request to a DNS server. All DNS servers have IP addresses, and those are provided by the ISP and live either in your modem / router / gateway or are manually configured on your PC in the network connection TCP / IP properties.

The DNS server will return an IP address with 4 octets, i.e., numbers from 0-255 separated by dots. Both the DNS request and reply are transmitted using IP protocol UDP on port 53. Once the PC knows what the IP address is, it sends out TCP packets on port 80. The destination server may say, hey, what’s up, call me back on port 443. The PC does that and then the server may say, o.k., we can talk now on port 80.

But that’s in general. More specifically, a browser will need to be able to communicate on well-known HTTP ports. These include: 80, 81, 443, 8080. But certain content on these web-sites may require additional ports, e.g., Adobe RTMP: 843, 1935. Moreover, if you use web-mail, e.g., Yahoo Mail, then it will be necessary to allow TCP transmission on ports 5050 & 843.

Other web-sites may require different ports, e.g., Amazon wants to talk on port 6667.

So there you have it. You allow

UDP out from your PC, i.e., NIC IP address, to all DNS server IP addresses on port 53
TCP out from your PC, i.e., NIC IP address, to Any IP address on ports in [HTTP ports]
TCP out from your PC, i.e., NIC IP address, to Any IP address on ports in [Adobe RTMP ports]
TCP out from your PC, i.e., NIC IP address, to IP in [web-mail] on ports in [web-mail server ports]
TCP out from your PC, i.e., NIC IP address, to IP in [Amazon] on port 6667

You don’t really need the last rule unless you go there a lot and hate always answering allow for that IP address on port 6667

And that’s it. When the browser asks to access an IP address on port 1234, or any other port not defined above, you can allow it, but don’t tick ‘remember’; you may never go back to that site again. 99% of the time the browser is fat, dumb and happy with the above rules.

All DNS is done by UDP to destination port 53, except in one case: TCP protocol DNS on port 53 (it’s because the packet is too big for UDP). But only one application does that as far as I know: SVCHost. If you’re in standard configuration, then SVCHost is something you don’t have to worry about for a while. But if you ever try to figure out what it does, that issue will come up.

Furthermore, you never have to worry about inbound rules for anything; CIS blocks all unsolicited connections automagically. When you send UDP out to DNS, DNS comes back in, but CIS knows you sent that out. If UDP comes in from someplace and you didn’t ask for it, it gets blocked. Same with all the other TCP packets coming back from the web sites on 80, 81, 443, 8080, etc. You asked for them.

Any packets coming in that you didn’t ask for get blocked without an alert.

Oh, and one last thing: local loop-back. The browser may ask for access from 0.0.0.0 to 127.0.0.1 (or vice versa). It doesn’t matter what ports that’s on, but that’s the browser talking to your PC and the PC talking to the browser. To make that easy, set up network zones called local_0 and local_127. Then just use those zones as necessary in whatever rules you need, wherever. Other applications will need access rules for that too, but not many. Harmless. Give it what it needs and CIS stops bothering you.

It’s so much easier working with network zones than typing the stinkin’ numbers in all the time.
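The rule scheme in the post above, as an added worked example that is not part of the thread and not Comodo’s code: a small model of the allow rules (port sets, network zones, ‘Any’), with a connection table so that replies to traffic the PC sent out are accepted while unsolicited inbound packets are dropped, and an ‘ask’ result standing in for a CIS alert. The zone contents and the DNS server address are assumed illustrative values.

```python
"""Model of the outbound-rule scheme from the post (constructed example,
not Comodo's code).  Rules are (protocol, destination zone, port set);
outbound matches are recorded so that the matching reply is accepted."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Port sets from the post.
PORT_SETS = {
    "HTTP ports": {80, 81, 443, 8080},
    "Adobe RTMP ports": {843, 1935},
    "web-mail server ports": {5050, 843},
}

# Network zones.  'Any' matches every address; the other blocks are
# assumed, illustrative contents (the post does not list them).
ZONES = {
    "Any": [ip_network("0.0.0.0/0")],
    "local_0": [ip_network("0.0.0.0/32")],
    "local_127": [ip_network("127.0.0.0/8")],
    "DNS": [ip_network("192.168.1.1/32")],          # assumed router/DNS address
    "web-mail": [ip_network("67.195.186.0/24")],    # assumed zone contents
}


@dataclass(frozen=True)
class Rule:
    proto: str          # "tcp" or "udp"
    dst_zone: str       # key into ZONES
    ports: frozenset    # allowed destination ports


# The rule list from the post, minus the site-specific Amazon rule.
RULES = [
    Rule("udp", "DNS", frozenset({53})),
    Rule("tcp", "Any", frozenset(PORT_SETS["HTTP ports"])),
    Rule("tcp", "Any", frozenset(PORT_SETS["Adobe RTMP ports"])),
    Rule("tcp", "web-mail", frozenset(PORT_SETS["web-mail server ports"])),
]


@dataclass
class Firewall:
    rules: list
    # Tracked outbound flows: (proto, remote_ip, remote_port, local_port).
    flows: set = field(default_factory=set)

    def outbound(self, proto, dst_ip, dst_port, src_port):
        """'allow' if a rule matches (and the flow is remembered for the
        reply); 'ask' otherwise, which is where CIS would raise an alert."""
        addr = ip_address(dst_ip)
        for r in self.rules:
            if (r.proto == proto and dst_port in r.ports
                    and any(addr in net for net in ZONES[r.dst_zone])):
                self.flows.add((proto, dst_ip, dst_port, src_port))
                return "allow"
        return "ask"

    def inbound(self, proto, src_ip, src_port, dst_port):
        """Replies to a tracked outbound flow are accepted; anything else
        is an unsolicited connection and is blocked silently."""
        if (proto, src_ip, src_port, dst_port) in self.flows:
            return "allow"
        return "block"


if __name__ == "__main__":
    fw = Firewall(RULES)
    print(fw.outbound("udp", "192.168.1.1", 53, 40000))       # allow (DNS)
    print(fw.inbound("udp", "192.168.1.1", 53, 40000))        # allow (reply)
    print(fw.inbound("udp", "8.8.8.8", 53, 40000))            # block (unsolicited)
    print(fw.outbound("tcp", "93.184.216.34", 6667, 50001))   # ask (not in a port set)
```

The ‘ask’ result is the point of the design: a destination port outside the defined sets is the only case that reaches the user, and the destination address never matters for the ‘Any’ rules.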

Hi

I appreciate the comprehensive background info . . . but that’s not answering my original question as far as I can tell.

Let me rephrase

In my list of Outbound Connections there are hundreds of outbound TCP entries with destination IP addresses. Some of those will be normal required things, but many will be marketing spy info, spam and other ■■■■.

Thus on an IP-by-IP basis, I want to know what those destination IPs are, i.e., which company they belong to and what info is being sent. I then intend to block those connections which I deem to be unnecessary.

With a bit of basic surfing I have discovered websites like IPINFO and INFOGEEK and DPIP which let you enter an IP address and then tell you the company it is associated with. For example, just about any IP address beginning with 74 looks to belong to Google.

Are there any good established lists of IP addresses to block to avoid being spied on all of the time?

Does this now make sense?

Comodo Firewall has an option to block all outbound connections.
Under the Firewall tab there is an option, Stealth Ports.
Click on the first, ‘Block all incoming connections’.

Networks are arcane and enigmatic, and IP addressing is central to their use, until one has an epiphany and the light goes on: OH! It’s that simple! Yes it is.

For the browser, these are the only rules you need (get rid of all the IP address specific rules):

allow UDP out from your PC, i.e., NIC IP address, to all DNS server IP addresses on port 53
allow TCP out from your PC, i.e., NIC IP address, to Any IP address on ports in [HTTP ports]
allow TCP out from your PC, i.e., NIC IP address, to Any IP address on ports in [Adobe RTMP ports]

ports in [HTTP ports] is a port set created manually; it has ports 80, 81, 443 & 8080
ports in [Adobe RTMP ports] is a port set created manually; it has ports 843, 1935

Any port not in those two port sets is special and is addressed on an ad hoc basis. It doesn’t matter what the destination IP addresses are; it’s the browser, and it goes where you send it.

If you’re using DHCP to assign the IP for your NIC, then the source IP address will be ‘MAC Any’, because your host IP address is dynamic; it could be any one of 65,000 IP addresses. The destination will always be ‘MAC Any’ for the standard HTTP ports; you don’t know where you’ll surf to. ‘MAC Any’ is how CIS makes the rule to address any IP address. The same with DNS servers: if you don’t know what they are, you use ‘MAC Any’ as the destination and assume ALL UDP on port 53 is DNS look-up.

The only time the browser will alert is if any IP wants to connect to any port not specified in the aforementioned port sets. These alerts can be allowed, but don’t create the rule for them unless you go to that web-site often. Then create a rule for that IP address specifically, to the special destination port.

For example, my previous post listed: allow TCP out from your PC, i.e., NIC IP address, to IP in [Amazon] on port 6667

[Amazon] is a network zone that contains Amazon IP address(es). If I go there, the active connections might show 5 connections to that IP address, e.g., one to port 80, one to port 443 and one to port 6667. No other website needs port 6667, so no special rule is specified for that.

I can go anywhere on the web and the three rules will work without alerts. But if I click on the eMail button on my Yahoo home-page, then I need the following rule (or I’ll get an alert):

allow TCP out from your PC, i.e., NIC IP address, to IP in [web-mail] on ports in [web-mail server ports].

[web-mail] is a network zone that contains the servers for Yahoo Mail, and [web-mail server ports] is a port set that contains 5050 & 843.

This one rule allows access to any one of 66,045 IP addresses, each able to connect to one of two different ports, i.e., 5050 or 843.

If I look at active connections while at the browser Mail web-page, I may see several connections to any IP in [webcs.Yahoo], containing the following netmasks:

67.195.186.0 / 255.255.255.0 - 255 IP allowed
69.147.84.0 / 255.255.255.0 - 255 IP allowed
198.136.0.0 / 255.255.0.0 - 255 * 255 IP allowed
98.139.60.0 / 255.255.255.0 - 255 IP allowed
216.215.121.0 / 255.255.255.0 - 255 IP allowed

In addition to the Yahoo home page, there may be Yahoo home-page IP addresses that can connect to any one port in the set 80, 81, 443, 8080 and 843 & 1935.

But one rule addresses the additional requirement of the browser to do web-mail, and I don’t care which IP it connects to now, two hours from now, today, tomorrow or next week. The Yahoo Mail load balancing server determines which IP address to provide to my browser’s DNS query when it looks up www.YahooMail.com. And any IP address that’s related to Yahoo Mail, for me, is implicitly trusted. But no other web-site needs to hit ports 5050, 843 or 6667, so that’s why I have explicit rules for those ports, exclusive to those particular IP addresses, exclusively for Yahoo Mail & Amazon.

The reason you have all those rules is because CIS is creating rules for each web-site you visit (or you’re allowing them with ‘remember’ ticked for each alert).

If you don’t want to be bothered to set up the rules manually, then just implement the pre-defined policy [web-browser] and be done with it.

[at]Antonio

If I block ALL outbound connections won’t that result in websites not running? I already know if I block certain IP addresses then certain websites won’t work. For example the IP blocks 74.125.133.0-255 and 74.125.230.0-255 seem to belong to Google, and blocking them prevents Google and associated things like Gmail from working.

I’m trying to block ONLY the specific IP addresses that outbound connections appear to be created for, where the destination IP is some marketing company which is “scraping” my machine for info. The only way I can see of doing this is to painstakingly monitor what connections are opened when I visit any given website, then go and find out what company is behind the associated destination IP address and then block that IP in the firewall. This is tiresome work. You would think someone would have done this already with all the major spam and marketing IPs.

Does this make sense because I’m not sensing people are understanding what I am trying to do?
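The two zone notations used in this thread, the ‘network / netmask’ lines in the [webcs.Yahoo] list above and the ‘74.125.133.0-255’ style in the post just before this, as an added example that is not part of the thread and not Comodo’s code. It normalises either form to CIDR with the standard-library ipaddress module, reports how many addresses each block actually covers, merges overlapping blocks, and tells you which zone an address seen in the active connections list falls into. The zone names and the ‘google-blocks’ contents are taken from the posts only as illustration; nothing here looks up who owns an address.

```python
"""Zone-notation helpers (constructed example, not Comodo's code)."""
from ipaddress import (ip_address, ip_network, collapse_addresses,
                       summarize_address_range)


def parse_zone_entry(text):
    """Accept '67.195.186.0 / 255.255.255.0', '74.125.133.0-255' (last
    octet range) or plain CIDR, and return an IPv4Network."""
    text = text.strip()
    if "/" in text:
        net, mask = (p.strip() for p in text.split("/", 1))
        # strict=False tolerates host bits set in the network part
        return ip_network(f"{net}/{mask}", strict=False)
    if "-" in text:
        base, last = text.rsplit("-", 1)
        first = ip_address(base)
        last_addr = ip_address(base.rsplit(".", 1)[0] + "." + last)
        nets = list(summarize_address_range(first, last_addr))
        if len(nets) != 1:
            raise ValueError(f"{text!r} is not a single CIDR block")
        return nets[0]
    return ip_network(text)


def zone_size(entry):
    """Number of addresses a zone entry really covers (a /24 is 256)."""
    return parse_zone_entry(entry).num_addresses


def build_zones(spec):
    """{name: [entries]} -> {name: [IPv4Network]}, overlapping blocks merged."""
    return {name: list(collapse_addresses(parse_zone_entry(e) for e in entries))
            for name, entries in spec.items()}


def classify(addr_text, zones):
    """Names of the zones a destination address falls into ([] if none)."""
    addr = ip_address(addr_text)
    return [name for name, nets in zones.items() if any(addr in n for n in nets)]


# Zone contents copied from the posts, used only as illustration.
ZONE_SPEC = {
    "webcs.Yahoo": [
        "67.195.186.0 / 255.255.255.0",
        "69.147.84.0 / 255.255.255.0",
        "198.136.0.0 / 255.255.0.0",
        "98.139.60.0 / 255.255.255.0",
        "216.215.121.0 / 255.255.255.0",
    ],
    "google-blocks": ["74.125.133.0-255", "74.125.230.0-255"],
}

if __name__ == "__main__":
    zones = build_zones(ZONE_SPEC)
    for entry in ZONE_SPEC["webcs.Yahoo"]:
        print(f"{entry:32} -> {parse_zone_entry(entry)} ({zone_size(entry)} addresses)")
    for dst in ("74.125.230.7", "198.136.44.9", "8.8.8.8"):
        print(dst, classify(dst, zones) or "no zone; look it up before blocking")
```

A destination that classifies into no zone is exactly the case the original question is about: the address has to be attributed first, and a hosts file or ad-blocker works on names, not on these numeric ranges.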

@WxMan1

I’m not understanding all the tech stuff you are posting.

Do you understand what I am trying to achieve?

I want to be able to visit and use my favourite websites but at the same time I want to block all the spam marketing and data scraping activities that normally go on when I visit the sites.

I never understood that you were referring to the entries in the active connections list. I thought you were talking about your firewall rules.

You don’t block ads with CIS. Third party ad-blockers do that.

E.g., Blocking Unwanted Connections with a Hosts File

If you implement that, I’d recommend utilizing Spybot’s immunize feature; the immunize feature adds its own entries into HOSTS and puts those into the Internet Restricted Zone.

Another suggestion is to use PrivDog, and if you’re using Firefox as your browser, I heartily endorse NoScript.
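The hosts-file blocking suggested in the reply above, as an added example that is not part of the thread and not taken from the linked guide, Spybot or PrivDog. A hosts file maps a name to an address before DNS is consulted, so pointing a tracking hostname at 0.0.0.0 makes the browser’s connection fail before any packet leaves. The code parses hosts-file text, merges a blocklist into it without duplicating names, and shows the caveat a practitioner should know: matching is by exact name, so blocking ‘ads.example.net’ does not block ‘cdn.ads.example.net’. The hostnames are constructed placeholders.

```python
"""Hosts-file blocklist helpers (constructed example; made-up hostnames)."""

SINK_ADDRESSES = ("0.0.0.0", "127.0.0.1")   # either one makes the name unreachable


def parse_hosts(text):
    """Return {hostname: address} from hosts-file text; comments and blank
    lines are ignored and, like the resolver, the first entry for a name wins."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            table.setdefault(name.lower(), addr)
    return table


def merge_blocklist(existing_text, blocked_names, sink="0.0.0.0"):
    """Append a sink entry for each name not already in the file; the
    original text is kept byte-for-byte so nothing already there is lost."""
    present = parse_hosts(existing_text)
    seen = set()
    new_lines = []
    for name in blocked_names:
        name = name.lower()
        if name in present or name in seen:
            continue
        seen.add(name)
        new_lines.append(f"{sink} {name}")
    out = existing_text.rstrip("\n") + "\n"
    if new_lines:
        out += "# --- added blocklist ---\n" + "\n".join(new_lines) + "\n"
    return out


def lookup(name, hosts_table):
    """Hosts-file semantics: exact, case-insensitive name match only.
    None means the name is not in the file and DNS would be asked."""
    return hosts_table.get(name.lower())


def is_blocked(name, hosts_table):
    """True when the name resolves, via the hosts file, to a sink address."""
    return lookup(name, hosts_table) in SINK_ADDRESSES


# Constructed starting hosts file and blocklist (not real tracking domains).
EXISTING_HOSTS = """127.0.0.1 localhost
# a line the user added earlier
0.0.0.0 tracker.example
"""
BLOCKLIST = ["tracker.example", "ads.example.net", "Beacon.Example.org"]

if __name__ == "__main__":
    merged = merge_blocklist(EXISTING_HOSTS, BLOCKLIST)
    table = parse_hosts(merged)
    print(merged)
    for host in ("ads.example.net", "cdn.ads.example.net", "localhost"):
        print(f"{host:24} blocked={is_blocked(host, table)} -> {lookup(host, table)}")
```

Because the file works on names, the IP addresses from the active connections list have to be mapped back to hostnames first; a connection a page opens directly by IP, or from a subdomain the list does not name, will not be caught by this method.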