How to identify blocking FW rule which is permanently firing? AirTunes again

Hi,

firewall is blocking and logging intrusions every 5…6 seconds, from “Windows Operating System” to my Airport Express port 14013, which is used for AirTunes remote speaker playing.

How can I identify which rule is causing the block?

Any help greatly appreciated,
thanks,
Peter.

Please, attach the screenshot of that logging. Without that, we cannot tell you anything specific.

… sorry, sure: attached the screenshot. Thanks for the prompt reaction!

If you go to CIS > firewall > network security policy > network zones > add > New network zone > “Airtunes” > Apply > Highlight “Airtunes” > Add > Address > IPv4 Single Address > Choose the IP of Airtunes > Ok > apply > apply >

then Open Stealth Port Wizard > Define a new trusted network > “AirTunes”

Ok

did this help?

What he said.

Although, I’d set up a rule for ‘Windows Operating System’ to allow:

TCP in from [gateway] to [NIC] dest port 14013

Why complicate the matter when you know incoming TCP from the [gateway] to the [NIC] on port 14013 is attributable to the ‘Airtunes’ app?

Thanks to both of you.

Good news: could not confirm this is related to AirTunes, since this is traffic between gateway and ethernet card.

Bad news: tried both rules, both did not work, firewall blocking continues. Seems to be something different.

Why did I think this is AirTunes: because disabling firewall makes iTunes recognize remote speakers, reproducibly … and this was the only active blocking …

Hmm … strange.

I don’t imagine those ports relate to Airtunes, as Airtunes uses quite different ports. Take a look here:

If you can’t see your speakers, take a look at creating rules for UDP port 5353.

With regard to the WOS blocks, one important thing to remember: WOS doesn’t actually exist. There’s no process or application called Windows Operating System. It’s basically a catch-all pseudo process that steps in to handle connections when no other process or application is available.

As these packets seem to be originating from your router, I’d take a look at the logs on that device and see if you can see what they make of traffic running over the originating ports.

One question. Are you running any P2P applications, if so, what ports have you assigned?

For the record. What IP address belongs to who?
192.168.178.1 belongs to …
192.168.178.24 belongs to …

Why not make 192.168.178.x a network zone, and allow everything in the firewall application as long as BOTH source and dest are in the said network zone?

If WOS is the culprit, the only way to identify what WOS refers to is to “kill” it, i.e. to delete its rule, but the risk, as I experienced it myself, is hanging CIS and the Windows GUI itself from the resulting simultaneous “assault” of system rules requests: the only safe way is thus to create, prior to this operation, an asking rule for each system executable.

An intermediate way that could work is to set WOS to custom and ask, and the firewall itself to custom, highest alert level.

Thanks to all of you for your support! After having tried all the proposals without success, I got tired and tried one final option: uninstalling CIS and installing ZoneAlarm free, on comparable security level (ask for everything). Now everything works, including iTunes with remote speakers - which is consistent with current threads on iTunes issues with CIS.

CIS team, hope you’re not offended: there appear to be some things to be fixed.

Best - Peter.

It’s alright;

you can come back later in the future if you wish :)

Best wishes on your travels Peter!

Jake

Please vote for this feature:

Log which rule was triggered