IGMP Outbound Violations

Hello
A couple times every day CPF logs an IGMP outbound violation, blocked by my rule 7 (which is everybody’s last default rule, I believe). Of course, there’s no indication of what’s causing this. How can I find out what application is doing this and is it a concern? Why is it happening?

Thank you!

Hi

If the destination address is your Domain Name Server (DNS) & it was an IGMP Port Unreachable, then this is OK. Somebody did post an explanation of why it was being rejected… I believe our systems are doing this out of correctness & apparently the DNS will ignore the response anyway.

In fact, I was getting so many of these violations, that I ended up creating a rule (immediately before the last default blocking rule) that blocked all outbound IGMP Port Unreachable requests silently.

Hi Krail,

I am new to Comodo!! Love it!!

I too have a medium severity log everyday. It says: Outbound Policy Violation (Access denied, Protocol=IGMP)

Protocol is Outgoing
Source is my IP
Destination is 224.0.0.22
Reason is Network Control ID#7

I have read every question in the Comodo forums pertaining to this. I understand it. My goal is to create a rule to prevent Comodo from posting this log and not lose any security. I have been unsuccessful to this point.

I am behind a Belkin PreN router. The only thing I have modified after installing Comodo 2.3.6.81 is adding a trusted zone for my router. I also have a laptop connected wireless to my router and it posts the same log with its own IP address. My zone is my Intel ethernet card with an IP range in rule 0 IP out and 1 IP in.

Can you please create a rule for this and show me how to implement it??

PCBill

If you want to stop it, do like Kail and create a rule to stop it, without log right above the default stop rule.
I did the opposite… ;D First I created a rule that allowed it, and now I have made another zone for IGMP that allows it and it is before the other zone at the top of the list.
If you want to be able to play streaming media on your network you might need it.
Sending IGMP was off by default on my router, and I have turned it on just to test streaming audio/video on my network.
You can go into your router’s settings and check if you have an option to enable or disable it.

EDIT:
Kail meant ICMP port unreachable in his post above, and I meant IGMP… Sorry.

224.0.0.22? 224.0.0.0-239.255.255.255 is reserved for IPv4 Multicast (RFC 3171) and I already know that Cisco’s IOS uses this. So, it could either be your router or something else on your system (like UPnP, File Sharing, etc…) is trying to use IPv4 Multicast. If it is UPnP, then I think you should get additional messages relating to UPnP.

I think my router said 239.255.255.255 for IGMP.
My IGMP zone for that was 239.255.255.255-255.255.255.255
I don’t know if it works yet, but I will try it tomorrow.

Kail,

I have not received any other listings at all in my log, especially pertaining to UPnP.

In the process of trying to figure this out:

I turned off file sharing and I’m still getting the log.

I turned off my router and when I reboot I don’t get anything in my log but then I was not connected to the internet.

So I removed my router and connected directly to my AirBridge, which gives me my access to the internet, which now gives me 2 items in my log instead of 1.

Now I get an incoming policy violation (echo request) from an IP address belonging to my ISP provider to my IP address and an outgoing from my IP to 224.0.0.22. Both denied by Comodo.

Do you think my incoming echo request is related to my outgoing or is 224.0.0.22 something else on my computer trying to communicate out?

PCBill ???

Kail,

May I ask, that rule you created, can you describe step by step how to create it?

Your help would be appreciated

PCBill

I will try to guess his rule.

Action : Block
Protocol : IP
Direction : Out
Source IP : Any (zone)
Destination IP : Any
IP Details : IGMP

You might be able to disable sending IGMP in your router.

You need it if you are going to use multi cast, streaming audio/video on your network.
You can then make an allow rule that looks like this.
Action : Allow
Protocol : IP
Direction : In
Source IP : Any
Destination IP : Any (zone if you have one)
IP Details : IGMP

Hope it helps

EDIT:
Kail meant ICMP in his post, so it will look like this.

Action : Block
Protocol : ICMP
Direction : Out
Source IP : Any (zone)
Destination IP : Any
ICMP Details : ICMP port unreachable

Thanks AOwl,

The first rule you described works for me, I don’t get that violation after bootup listed in my log. I can go on the internet and view streaming video without adding the 2nd rule. So what would be the advantage of adding the 2nd rule? I don’t understand what you meant by using streaming video on my network!

Question: What am I giving up as far as security with these 2 rules added in?

I am limited in knowledge when it comes to networking and firewalls, I appreciate your help!

Thanks

PCBill

With the first rule you don’t give up anything in security. (to my knowledge)
The second rule is only if you don’t make the first one, and have problems sending streaming audio/video on your network.
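
Added example (not written by any poster in this thread and not part of Comodo's tooling): a small Python triage helper that classifies the destination of a blocked outbound IGMP log entry against the multicast range quoted above, and checks whether a firewall zone written as start-end actually covers that destination. The log tuples, the source address and the function names are constructed for illustration; the group table lists standard IANA assignments.

```python
import ipaddress

# Well-known IPv4 multicast groups (IANA assignments).
KNOWN_GROUPS = {
    "224.0.0.1": "all hosts on this subnet",
    "224.0.0.2": "all routers on this subnet",
    "224.0.0.22": "IGMPv3 membership reports (RFC 3376)",
    "224.0.0.251": "mDNS",
    "224.0.0.252": "LLMNR",
    "239.255.255.250": "SSDP (UPnP discovery)",
}
MULTICAST = ipaddress.ip_network("224.0.0.0/4")      # 224.0.0.0-239.255.255.255
LINK_LOCAL = ipaddress.ip_network("224.0.0.0/24")    # not forwarded by routers
ADMIN_SCOPED = ipaddress.ip_network("239.0.0.0/8")   # administratively scoped

def classify_destination(dst):
    """Return (scope, known group description or None) for a destination."""
    ip = ipaddress.ip_address(dst)
    if ip not in MULTICAST:
        return ("not multicast", None)
    if ip in LINK_LOCAL:
        scope = "link-local multicast"
    elif ip in ADMIN_SCOPED:
        scope = "admin-scoped multicast"
    else:
        scope = "wider-scope multicast"
    return (scope, KNOWN_GROUPS.get(str(ip)))

def zone_contains(start, end, dst):
    """True if dst lies inside a firewall zone defined as start-end."""
    lo, hi, ip = (int(ipaddress.ip_address(x)) for x in (start, end, dst))
    return lo <= ip <= hi

def triage(entries):
    """Label each (protocol, source, destination) entry 'expected' or 'review'."""
    rows = []
    for proto, _src, dst in entries:
        scope, group = classify_destination(dst)
        # IGMP towards a recognised multicast group is routine membership traffic.
        verdict = "expected" if proto == "IGMP" and group else "review"
        rows.append((dst, scope, group, verdict))
    return rows

# Constructed sample entries, shaped like the log fields quoted in the thread.
SAMPLE = [
    ("IGMP", "192.168.2.3", "224.0.0.22"),
    ("IGMP", "192.168.2.3", "239.255.255.250"),
    ("IGMP", "192.168.2.3", "232.1.2.3"),     # unrecognised group
    ("IGMP", "192.168.2.3", "203.0.113.9"),   # unicast destination
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

An entry marked "review" is a prompt to identify which application joined that group, not a finding in itself.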