ICMP = UNREACHABLE and PORT UNREACHABLE to DNS

Hello,

1.) I’m constantly getting the inbound policy violation

Access denied, icmp = unreachable

Before, I was also getting messages for “host unreachable” or
“protocol unreachable”. After making matching rules, this no longer occurs.

Now my problem:

Where can I make such a rule for the above?

Under ICMP Details there is no possibility for it. There’s only
port/host/net/protocol unreachable,
but not an “unreachable” without host/…

OK, it could use “any”, but that’s not what I want!

Is there a possibility in Comodo, or will it be in the next version?

2.) I’m regularly getting an “Access denied, ICMP = PORT UNREACHABLE” as an
outbound policy violation.

This occurs to the trusted DNS of my provider. Should I allow it? Why does
the DNS of my provider want to know about my ports? Is this normal behavior?

Thx
Achim

Hi, Achim.

I also have trouble finding the specific Network rule for this generic ICMP = Unreachable. The only way I know is to allow all ICMP (which is what I have right now, but I’m confident enough in my own setup to lose some “stealth” capabilities). I have a pending support ticket that’s been open for months, but the team will get back to it after v3 is released.

Here’s the thread: https://forums.comodo.com/index.php/topic,2543.0.html

Hi Achim

You could always use “Custom…”, specifying any Type 3 Code combination you want/need. You can find a rather good list of Type 3 Codes here.

Where would you make such a rule? In the Network Monitor, before the final Block & Log rule.

ICMP Port Unreachable messages from your DNS: I believe that is a redundant reply sent by the DNS. If you allow your system to respond with an acknowledgment, the DNS will ignore it anyway. So it is not needed & you can safely block it. Some users hardly get any of these messages, whereas other users receive loads. I’m in the latter group; I get so many that I created a silent Block (no Log) in the Network Monitor just above the final Block & Log rule so that my Log didn’t get filled up with Port Unreachable messages.

Hope that helps.
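To make the Type 3 Code discussion concrete, here is an added example (not code from the thread or from Comodo) that builds and decodes an ICMP Destination Unreachable message and applies the rule layout described above: a silent block for the chosen codes, block-and-log for the rest. The sample packet, addresses (documentation ranges) and the `log_action` helper are constructed for illustration; a Port Unreachable carries the header of the datagram that triggered it, which is how you can confirm the message really answers a late reply from your DNS server's port 53.

```python
import struct

# RFC 792 Destination Unreachable (Type 3) codes the firewall UI lists individually
UNREACHABLE_CODES = {0: "net unreachable", 1: "host unreachable",
                     2: "protocol unreachable", 3: "port unreachable"}

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; a valid received message sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_dest_unreachable(code: int, orig_ip_header: bytes, orig_l4_head: bytes) -> bytes:
    """Type 3 message carrying the offending datagram's IP header + first 8 payload bytes."""
    body = orig_ip_header + orig_l4_head[:8]
    csum = icmp_checksum(struct.pack("!BBHI", 3, code, 0, 0) + body)
    return struct.pack("!BBHI", 3, code, csum, 0) + body

def parse_dest_unreachable(icmp: bytes) -> dict:
    """Decode type/code and, for Type 3, the embedded original addresses and L4 ports."""
    if len(icmp) < 8:
        raise ValueError("ICMP header too short")
    icmp_type, code = icmp[0], icmp[1]
    info = {"type": icmp_type, "code": code, "checksum_ok": icmp_checksum(icmp) == 0,
            "name": UNREACHABLE_CODES.get(code, "code %d" % code) if icmp_type == 3 else None}
    inner = icmp[8:]  # quoted original datagram (IP header + 8 bytes of its payload)
    if icmp_type == 3 and len(inner) >= 20:
        ihl = (inner[0] & 0x0F) * 4
        info["orig_proto"] = inner[9]
        info["orig_src"] = ".".join(map(str, inner[12:16]))
        info["orig_dst"] = ".".join(map(str, inner[16:20]))
        if inner[9] in (6, 17) and len(inner) >= ihl + 4:  # TCP or UDP: ports follow the IP header
            info["orig_sport"], info["orig_dport"] = struct.unpack("!HH", inner[ihl:ihl + 4])
    return info

def log_action(info: dict, silent_codes=(3,)) -> str:
    """Hypothetical rule set: silent Block for chosen Type 3 codes, final rule is Block & Log."""
    if info["type"] == 3 and info["code"] in silent_codes:
        return "block"
    return "block+log"

# Constructed sample: our host answers a late DNS reply (UDP 203.0.113.53:53 -> 192.0.2.10:54321)
# with Port Unreachable. Addresses are documentation ranges, not a real provider.
ORIG_IP = bytes([0x45, 0, 0, 60, 0, 0, 0x40, 0, 64, 17, 0, 0, 203, 0, 113, 53, 192, 0, 2, 10])
ORIG_UDP = struct.pack("!HHHH", 53, 54321, 40, 0)
SAMPLE = build_dest_unreachable(3, ORIG_IP, ORIG_UDP)
```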

Yeah, custom types is the right thing. I didn’t see it myself.

For outbound ICMP port unreachable I also created a silent block rule, as you recommended.
Now the logs are much better arranged.

Thx for the help.

No problem, glad it helped.