ICMP = PORT UNREACHABLE, every 5 seconds

Hi all,

Maybe someone can help me sort out what happened, and clear a few things up for me.

I’m a new user of CPF, using the version I downloaded yesterday from Comodo. Everything was going fine until I ran a file that turned out to be suspicious, likely a trojan. (I know, me bad) My anti-virus and anti-spyware stopped it for the most part, but then this was the remaining fallout, firewall side:

  • I noticed in CPF a large number of high severity events (on Summary page)
  • I checked out the logs, and there was indeed an ICMP outbound event almost exactly EVERY 5 seconds
  • weird thing is, after I rebooted, I check the logs and the events from that period are missing!!! How is this possible ??? ?
  • luckily, at the time I exported the events to HTML; I provide a sample entry below
  • I created a quick rule (“BLOCK and LOG ICMP OUT from any ip to any ip where icmp message is any”), moved it to top of rule list, and checked “Alert me…”, but I was not getting any alerts! ??? What gives?

Here is a sample event from HTML:

Date/Time :2006-10-16 12:59:31
Severity :Medium
Reporter :Network Monitor
Description:Outbound Policy Violation (Access Denied, ICMP = PORT UNREACHABLE)
Protocol:ICMP Outgoing
Message: PORT UNREACHABLE Reason: Network Control Rule ID = 7

Each event was to a different remote IP, fairly random looking…

Hmm, this “Rule ID = 7” must refer to the default rule “BLOCK and LOG IP IN or OUT from any to any where iproto is any”… (I had one new rule of my own at the top of list at the time, hence why 7). Hmm, but that rule also has checked “Alert me…” checkbox, yet I was not getting any alerts on this, but simply happened to spot a high “high severity event” count on Summary page… Weird…

Any light shed on any of the points above would be most helpful.

Other than that, (L)

That ICMP message is very common when you use a torrent program or something like that.
You can adjust your rules to get rid of the messages if you want that.
First you must be sure that you don’t have a trojan or anything. Scan your computer with a couple of antispyware programs and a antivirus program. Maybe an onlinescanner too, just to be sure. Use HiJackThis to make a log and see if you find anything suspicious. If you are unsure, just post it here and someone can probably help you.
About not getting a log even if you have specified that you want one, i really don’t know… hmmm…
And yes, the rule id7 is the default block rule that has stopped that ICMP going out.
It would be nice if you could post a screenshot of your networkrules, and a log from HJT.

OK, here goes:

(screenshot, hjt log attached)


  • rule IDs 0,1 are mine
  • I occasionally run an FTP server on my LAN, hence rule ID2
  • rule ID3 is for emule
  • yes, I really need to run a registry cleaner to clean up stuff after uninstalled apps… ;D

[attachment deleted by admin]

That’s because the logs aren’t saved after a reboot.

This will change in later versions.

:o Yikes!

No… wait… ??? That doesn’t seem right… I just brought up CFP, went to logs, and the oldest entry is from yesterday 9PM (when I installed CFP, I think). I most definitely rebooted at least once since then…

I’m using CFP

It looks good to me, but i hope that a more knowledged person will have a look at it…

Only thing i could find was.
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
This belongs to FlashGet download manager - the trial bundles Cydoor adware, but when you register the ads disappear

I experience the same with the “port unreachable” messages all the time, - but only when I run emule (i did the p2p/emule-settings suggested elsewhere on this board). I guess that’s normal from what I can understand from this thread.

But does it in ANY way limit my connection with emule/p2p ?

I mean, are certain people that i would normally be able to share/download from locked out or something?
I wouldn’t think so, since emule doesn’t in any way say that it should be blocked or anything, but is it for sure?
Do i have nothing to worry about? does emule work as good as if i didn’t use comodo at all, now that i get these “port unreachable” messages?

Thank you in advance.