Internet Connection Sharing Problems PS3

BTW I'm getting these outbound requests a long time after I've closed utorrent.
The outbound ICMP 3.x will be in reply to an inbound connection attempt from a remote p2p machine. Sending back the ICMP 3.x is telling that remote machine that utorrent isn't running on your machine.

However, your machine sending back a “sorry, we’re closed” notice doesn’t mean the remote machine will get the notice. They may have a firewall which is blocking ICMP traffic inbound to them. Or they could just have a ■■■■■■ p2p client that doesn’t care. In which case, the remote p2p client will keep trying until it times out. That can be hours, or that can be days.

So, yes you do make the ICMP 3.x stuff outbound. And you should also allow it inbound, so that your p2p client will know when a remote server has gone offline. Else your client is going to try their machine for hours, or days, until it times out. It works both ways.

As when people try to connect to me when on the PS3 it shows the destination address as my IP and not 192.168.0.25 or My IP / 192.168.0.25 then the rules that are created for Windows Operating System appear to have to be the same, like you are saying causing the ICS host to be insecure. It would be good if Comodo Firewall Pro could detect what was aimed at the host computer and what was aimed at the PS3 / other PC's. Then we could set rules for just the PS3 and not the PS3 and the ICS host PC. Note to Comodo- if you can differentiate between where traffic is aimed give users the option to create custom rules depending on where the traffic is aimed, e.g. which internet device in the ICS set-up. Hopefully this can be added in an update.
That's an ICS limitation, and a CFP limitation. ICS doesn't provide the proper kind of redirection, and CFP doesn't have explicit interface rules. CFP can kind of fake it using Network Zones, but that doesn't work when trying to distinguish specifically between interfaces. It's been a known problem for a while.

Something just occurred to me, that might clarify or confuse some things.

Your LAN setup is like this:

Internet – bridge – ICS host

I’m suspecting that your bridge is already taking PPPoE on the Internet side, and just plain standard Ethernet on the ICS side. That means your router/NAT box doesn’t need to talk PPPoE, as the bridge is already doing that for you (which is likely why the ISP keeps control of it). Configure your router for just a normal dynamic address, and it should work in place. Easy test is to set up like this:

Internet – bridge – router – ICS host

You should still be able to get to the internet. If not, post what kind of router you have, and I can dig into the configuration details thru the vendor web site.

Since it’s now set as a bridge the router isn’t doing anything. When I turn the PC on, the internet wouldn’t automatically be on. I have set up a PPPoE connection via the Windows wizard and set that to allow an unsecured password and put it in the startup folder so during boot-up the internet will connect without me having to go to Start > Connect To etc.
The router could only work via setting up a PPPoE connection or possibly a PPPoA connection. I’ll have a go with the router tomorrow and post print screens of the options available to me (it’s 10.33PM here in England ATM).
The Router is a BT 2700HGV; it is made by 2Wire (www.2Wire.com is written on the bottom of the router). It should still work with non-BT connections as I looked at a guide of how to do it and that guide said you can use non-BT connections as long as you connect to the internet via PPPoE / PPPoA - just how I currently connect to the internet.

As for the PS3 via ICS I am currently trying ask rules at the top of the list for windows applications - Windows Operating System, System and svchost. Rather than just using ask for all ports I have set it specifically for a “Euro 2008” port range I made; then I can allow requests on those ports when expecting it - e.g. at the team select screen where I can’t normally connect with other players. The ask rule of TCP/UDP, in/out, destination ports Euro 2008 port range didn’t work so I am going to try changing it from UDP to TCP. Unfortunately Global Rules can’t be set to ask. Things are still being logged and automatically blocked - even though the only automatic block rule is ICMP in where message is ECHO request - :S.

I fixed it; here are my rules:

[attachment deleted by admin]

Well it still works if I delete the global rule and I am going to try deleting the rules for system/windows operating system/svchost to narrow down which applications the ports are open with. For some reason when I am playing Euro 2008 the TCP ports don’t get used so I didn’t need to forward those. I will probably get the router out later as there seemed to be a lot of lag in all of the games I have played via ICS so far - this could just be bad luck and me getting connected to people with bad internet or it could be that the ICS is slowing down the connection between me and the other player.
I think that ask rules don’t work properly as all I did was change the “Ask where destination ports are Euro 2008 port zone” to Allow.

ICS will slow things down compared to using a “direct” connection via a router. You’ll probably find that Euro 2008 uses UDP, as opposed to TCP. Most games use this as it doesn’t require a return confirmation of received packets, which speeds things up.

Ewen :)

It’s a shame it will slow things down :(. Euro 2008 is actually supposed to use some TCP ports according to the manual (see post 2).
TCP: 21250-21259, 9980-9989, 443, 80
UDP: 3659, 6000 and possibly 3658

But I actually only needed to forward ports 3659 & 6000 - it’s strange.
I’ll let you know how I get on with the router.
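
Added example (not from any poster in this thread): the ICMP 3.x replies discussed near the top of the thread quote the IP header and first 8 bytes of the packet that triggered them, so a captured reply can be decoded to confirm it answers an inbound attempt to a closed port. The addresses, ports and sample packet below are constructed for illustration, and checksums are left at zero and not validated.

```python
import socket
import struct

# ICMP type 3 (Destination Unreachable) codes most often seen in firewall logs.
CODES = {0: "net unreachable", 1: "host unreachable", 2: "protocol unreachable",
         3: "port unreachable", 13: "administratively prohibited"}

def explain_icmp_unreachable(icmp: bytes) -> dict:
    """Decode an ICMP type 3 message and the datagram it quotes (RFC 792)."""
    if len(icmp) < 8 + 20 + 8:
        raise ValueError("too short to hold a quoted IP header plus 8 bytes")
    icmp_type, code = icmp[0], icmp[1]
    if icmp_type != 3:
        raise ValueError("not a Destination Unreachable message")
    quoted = icmp[8:]                      # original IP header + first 8 payload bytes
    ihl = (quoted[0] & 0x0F) * 4           # quoted header length in bytes
    if quoted[0] >> 4 != 4 or ihl < 20 or len(quoted) < ihl + 4:
        raise ValueError("quoted datagram is not a usable IPv4 header")
    proto = quoted[9]
    # In an outbound reply, the quoted source is the remote peer that knocked.
    src = socket.inet_ntoa(quoted[12:16])
    dst = socket.inet_ntoa(quoted[16:20])
    sport = dport = None
    if proto in (6, 17):                   # TCP and UDP both start with the two ports
        sport, dport = struct.unpack("!HH", quoted[ihl:ihl + 4])
    return {"code": CODES.get(code, f"code {code}"),
            "proto": {6: "tcp", 17: "udp"}.get(proto, str(proto)),
            "remote": src, "remote_port": sport,
            "local": dst, "local_port": dport}

def build_sample() -> bytes:
    """Constructed sample: our host answering a UDP probe to a closed port."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                     socket.inet_aton("203.0.113.7"), socket.inet_aton("192.0.2.10"))
    udp = struct.pack("!HHHH", 51413, 6881, 8, 0)   # constructed ports
    return struct.pack("!BBHI", 3, 3, 0, 0) + ip + udp

if __name__ == "__main__":
    print(explain_icmp_unreachable(build_sample()))
```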