Inbound Policy Violation

Hi,

I’ve checked my Comodo firewall log, and I saw that it was logging different messages with the same description, Inbound Policy Violation. And the difference in time between every message is about 20-30 seconds. Why is this happening?

I attached the log.

[attachment deleted by admin]

I searched some topics and I managed to find out what’s happening. ;D
I’ve created three rules to block incoming ICMP IN/Any/Any/ where the ICMP message was HOST/NET/PORT UNREACHABLE.
I’m using uTorrent. Is there any chance that the rules above could affect my up/down speed?

It might affect it. I have allowed those (host, port), but you are welcome to report if you think uTorrent is getting slower with your block.

It seems that those rules don’t block traffic. :slight_smile: And there aren’t so many messages logged.

Now I receive these:

Date/Time :2006-11-29 13:20:41
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 86.107.126.xxx, Port = ms-rpc(135))
Protocol: TCP Incoming
Source: 86.107.121.5:4026
Destination: 86.107.126.xxx:ms-rpc(135)
TCP Flags: SYN
Reason: Network Control Rule ID = 9

What is ms-rpc?

Date/Time :2006-11-29 13:20:51
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 86.107.126.170, Port = 52276)
Protocol: TCP Incoming
Source: 89.36.244.72:2810
Destination: 86.107.126.xxx:52276
TCP Flags: SYN
Reason: Network Control Rule ID = 9

There are a lot of incoming requests for port 52276, 1936, 2885, 2771.

And also this:

Date/Time :2006-11-29 13:22:41
Severity :High
Reporter :Network Monitor
Description: Blocked by Protocol Analysis (Invalid Flag Combination)
Direction: TCP Incoming
Source: 125.236.179.151:54572
Destination: 86.107.126.xxx:1101
Reason: ACK FIN RST is an invalid TCP flag combination

I’ve received five or six in a row.

ms-rpc is Microsoft Remote Procedure Call

The last one in your post looks like someone was trying to get in from New Zealand to Canada?, Romania?.. :o :wink: ;D

I’m from Romania (:WAV)
The IP was from New Zealand. I’ve traced the IP.

But what about the connections coming from 52276? They’re a lot. Are they in connection with uTorrent?

Thanks for the help!:d

What port have you set up uTorrent to use? You can’t use random.

For uTorrent it’s 24211.

Does the 52276 appear when you use uTorrent?

Have you made a rule in network monitor for port 24221?
You should also uncheck UPnP and random in uTorrent.

Yes, I’ve made a rule for 24211.
I haven’t checked if it appears when uTorrent isn’t active, but I will.
Random is unchecked, but UPnP is checked. I’ll try and see what happens.

Thanks!

I changed my uTorrent port, now it’s 55000, but now a lot of connections coming from 24211 are being blocked and locked. Shouldn’t the tracker update with my new port?
I’ve unchecked UPnP, and the messages with port 52267 being blocked keep appearing. :-\

Try to reboot your PC.
I think uTorrent should update to the new port, but it will take some time maybe…

Done that. Doesn’t work.
And I’m also sending a large number of fragmented/fake or malformed IP packets through UDP. Some of them are through port 55000, some have no port.
Probably generated by uTorrent? Is it normal?

Yes it can be normal.

Have you tried to just turn off network monitor and see if it works?

Have you tried to go to security/advanced/advanced attack detection and prevention, and turn off some things in there? or any other things in advanced?
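
A small triage helper for log entries in the layout quoted in this thread, added here as an example and not part of any post: it tallies blocked entries by description and destination port so repeated hits on one port stand out. The sample records are constructed (documentation IP addresses, trimmed to the fields used), and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the layout quoted in the thread (documentation IPs).
SAMPLE_LOG = """\
Date/Time :2006-11-29 13:20:41
Description: Inbound Policy Violation (Access Denied, IP = 192.0.2.10, Port = ms-rpc(135))
Destination: 192.0.2.10:ms-rpc(135)
Reason: Network Control Rule ID = 9

Date/Time :2006-11-29 13:20:51
Description: Inbound Policy Violation (Access Denied, IP = 192.0.2.10, Port = 52276)
Destination: 192.0.2.10:52276
Reason: Network Control Rule ID = 9

Date/Time :2006-11-29 13:21:12
Description: Inbound Policy Violation (Access Denied, IP = 192.0.2.10, Port = 52276)
Destination: 192.0.2.10:52276
Reason: Network Control Rule ID = 9

Date/Time :2006-11-29 13:22:41
Description: Blocked by Protocol Analysis (Invalid Flag Combination)
Destination: 192.0.2.10:1101
Reason: ACK FIN RST is an invalid TCP flag combination
"""


def parse_entries(text):
    """Split on blank lines; each record is a run of 'Key: value' lines."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = (line.partition(":") for line in block.splitlines())
        entries.append({k.strip(): v.strip() for k, sep, v in pairs if sep})
    return entries


def dest_port(entry):
    """Numeric destination port from 'ip:1101' or 'ip:ms-rpc(135)'."""
    port = entry.get("Destination", "").rpartition(":")[2]
    m = re.search(r"\((\d+)\)$", port) or re.fullmatch(r"(\d+)", port)
    return int(m.group(1)) if m else None


def summarize(text):
    """Count entries per (description kind, destination port)."""
    return Counter((e.get("Description", "").split("(")[0].strip(), dest_port(e))
                   for e in parse_entries(text))
```

Calling `summarize(log_text).most_common()` on an exported log lists the most frequently hit ports first, which makes it easier to compare against the port configured in uTorrent.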