limited connectivity [Resolved]

Ever since I’ve installed Comodo firewall I get a “limited connectivity” message after some time on my LAN network icon in the systray. All open network connections are closed and the network is not available anymore, but until then all works perfectly. If Comodo application monitoring is disabled the message does not appear.

I assume I blocked something I shouldn’t have, but what? I removed all blocks that might cause this.

I have a similar (the same?) problem, without a LAN. After a while (a few hours) the connection is killed. After rebooting everything is back to normal. For the moment I uninstalled Comodo because of this problem.

I seem to remember someone commenting on an emergency mode… where CPF feels there have been major enough problems that its monitors block everything for a period.

Sorry I don’t have a lot of details, but it sure sounds like this could cause your symptom.

Most likely that you are being attacked and CPF is trying to protect you!

Read this:

TCP Flood / UDP Flood / ICMP Flood
Flood attacks happen when many packets of data are sent either via TCP, UDP or ICMP with a spoofed IP source address which will never send back a response to the destination server. This results in a backlog of responses. When this is done multiple times from multiple sources it floods the destination server, which has a limit of unacknowledged responses it can handle. This will ultimately bring down the server. By default, Comodo Personal Firewall is configured to accept limited traffic for a set duration, for example, 30 packets per second so that if the packets threshold is exceeded, a DOS attack is detected and the Firewall goes into emergency mode. The firewall will stay in emergency mode for the duration set by user i.e time to stay in emergency mode, by default, the duration is set to 120 seconds. In the emergency mode, all inbound traffic is blocked except those previously established and active connections. However, all outbound traffic is still allowed.

Please check this to see whether you are being attacked or not, if not then please let us know so that we can investigate this further to find the real cause.

Your help is greatly appreciated.

Melih
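The emergency-mode behaviour described in the quoted help text, as an added illustration (this is not Comodo's code): a sliding-window rate detector that, once more than 30 inbound packets arrive within one second, enters emergency mode for 120 seconds, during which new inbound traffic is blocked while previously established connections and all outbound traffic still pass. The one-second sliding window, the connection keys and the packet timeline are assumptions made for the example; how the product itself counts packets is not documented here.

```python
from collections import deque


class FloodGuard:
    """Threshold detector with an emergency mode, modelled on the behaviour
    described in the Comodo help text quoted above.  Assumed simplification:
    the packet rate is measured over a sliding one-second window of inbound
    packets; the real product's counting method is not documented here."""

    def __init__(self, packets_per_second=30, emergency_seconds=120):
        self.threshold = packets_per_second
        self.emergency_seconds = emergency_seconds
        self.window = deque()        # timestamps of inbound packets in the last second
        self.emergency_until = None  # time at which emergency mode ends, if active
        self.established = set()     # connection keys already established

    def in_emergency(self, now):
        return self.emergency_until is not None and now < self.emergency_until

    def observe(self, now, direction, conn, established=False):
        """Decide 'allow' or 'block' for one packet seen at time `now` (seconds).
        `conn` is any hashable connection key, e.g. (remote_ip, remote_port)."""
        if established:
            self.established.add(conn)
        if direction == "out":
            return "allow"              # outbound is still allowed in emergency mode
        # Inbound: slide the window forward and count this packet.
        self.window.append(now)
        while now - self.window[0] >= 1.0:
            self.window.popleft()
        if len(self.window) > self.threshold and not self.in_emergency(now):
            self.emergency_until = now + self.emergency_seconds   # enter emergency mode
        if self.in_emergency(now):
            # Only previously established connections get through.
            return "allow" if conn in self.established else "block"
        return "allow"


def run_scenario():
    """Constructed packet timeline exercising each branch; returns the decisions."""
    guard = FloodGuard()
    # A connection established before the flood (e.g. an open TCP session).
    guard.observe(0.0, "in", ("10.0.0.5", 443), established=True)
    # Constructed flood: 31 inbound packets from distinct sources within 0.3 s.
    for i in range(31):
        guard.observe(0.5 + i * 0.01, "in", ("198.51.100.%d" % (i + 1), 1024 + i))
    results = {
        "emergency_triggered": guard.in_emergency(1.0),
        "new_inbound_during": guard.observe(2.0, "in", ("203.0.113.9", 80)),
        "established_inbound_during": guard.observe(2.0, "in", ("10.0.0.5", 443)),
        "outbound_during": guard.observe(2.0, "out", ("10.0.0.5", 443)),
        # More than 120 s after entering emergency mode, normal filtering resumes.
        "new_inbound_after": guard.observe(125.0, "in", ("203.0.113.9", 80)),
    }
    return results


if __name__ == "__main__":
    for name, decision in run_scenario().items():
        print(name, decision)
```

Note what the example makes visible about the symptom in this thread: under this model an emergency mode never blocks outbound traffic and lifts after 120 seconds on its own, so a connection that stays dead, including outbound, until the application monitor is switched off does not fit the flood-protection explanation.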

In my case outbound connections didn’t work either.
Which is the recommended version if I want to try again, the latest stable or the beta?

Please try the beta. There is a link in the Beta forum section.

Can you please tell us if this happens again with that Beta (fairly stable) and we’ll try to explore the issue.

thanks
melih

I have installed CPF today and I have the same problem.

When I click on repair it gets as far as ‘Acquiring network address’ and just sits there for a while before saying there is limited or no connectivity. The only way I can get it to connect is to click on “Allow all” on the CPF right click menu and then on repair. Once I have connection then I can restore CPF.

As far as I can tell I am not under attack, I can see no logs reporting this, plus I have had the problem for the last couple of hours.

I will also try the beta

OK, tried the beta and I get the same problem. As far as I can tell the responses are identical.

TCP Flood / UDP Flood / ICMP Flood
In the emergency mode, all inbound traffic is blocked except those previously established and active connections. However, all outbound traffic is still allowed.

All existing connections are closed and outbound is not allowed anymore. I am not under attack, since I also have a hardware firewall in my office and there the same behaviour is shown.

I narrowed the problem down to the application monitor: when it is on, this behaviour occurs. When off there are no problems. I noticed that Application Behaviour Analysis switches on and off with application monitoring, so I’ll run with AM on and ABA off for a while.

I installed the beta this morning and after about three hours the connection was killed.

Posting the entire log would probably be a bit too much. I’ll try to summarize:
I simply allowed everything (and applied “remember” where appropriate), except for one thing:

Date/Time :2006-07-09 09:15:10
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (svchost.exe)
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: UDP InRemote: 0.0.0.0:dhcp(68)
Details: D:\NIEUW\subtitleworkshop251\SubtitleWorkshop251\SubtitleWorkshop.exe has tried to use C:\WINDOWS\system32\svchost.exe through OLE Automation, which can be used to hijack other applications.
Date/Time :2006-07-09 09:14:23

I did not allow this (but did not use “remember”), because SubtitleWorkshop.exe was closed quite some time earlier (btw, that happens from time to time, programs that are not running anymore are supposed to be using…etc. This even happens with harmless, normal programs).

In the hour after that, there were 14 messages like the one below (this is the last one before the connection was killed):

Date/Time :2006-07-09 10:16:20
Severity :High
Reporter :Application Monitor
Description: Application Access Denied (svchost.exe:0.0.0.0:dhcp(68))
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: UDP In
Remote: 0.0.0.0:dhcp(68)
The last two of these messages were only 5 seconds apart, the rest was “spread out”:
10:16:20
10:16:15
10:15:06
10:14:38
10:13:39
10:11:41
10:07:45
09:59:55
09:59:13
09:57:52
09:55:07
09:49:37
09:38:38
09:16:40

Apart from that there seems to be nothing strange in the log. Perhaps apart from this (but this was about 50 minutes before the connection was killed):
Date/Time :2006-07-09 09:25:23
Severity :High
Reporter :Network Monitor
Description: UDP Port Scan
Attacker: 10.0.0.138
Ports: 2823, 58886, 59142, 59398, 59910, 60166, 60422, 60678, 60934, 61190, 61446, 61958, 63238, 63750, 64006, 65030, 65286, 263, 519, 775, 1031, 1287, 1543, 2055, 2567, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
The attacker has been temporarily blocked

The same attack(er) appeared in the log after a reboot at 10:28:34.

So far so good. Things are starting to look like at least my problem might be caused by the ABA. I’ll leave it like this for now, see what happens.
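An added example, not part of the thread: a small parser for the log format quoted in this post that splits the text into entries and flags repeated “Application Access Denied” events for inbound UDP to dhcp(68) on svchost.exe. DHCP offers and acknowledgements reach the client on UDP port 68, so if the firewall denies them the lease cannot be renewed, which is consistent with Windows repair stalling at “Acquiring network address” as reported earlier in the thread. The sample text is constructed from the entries shown above (not a real capture), and the field regex assumes the “Key :value” / “Key: value” layout seen here.

```python
import re
from datetime import datetime

# Constructed sample modelled on the entries quoted in this thread (not a real capture).
SAMPLE_LOG = r"""Date/Time :2006-07-09 09:15:10
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (svchost.exe)
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: UDP In
Remote: 0.0.0.0:dhcp(68)
Date/Time :2006-07-09 09:16:40
Severity :High
Reporter :Application Monitor
Description: Application Access Denied (svchost.exe:0.0.0.0:dhcp(68))
Application: C:\WINDOWS\system32\svchost.exe
Protocol: UDP In
Remote: 0.0.0.0:dhcp(68)
Date/Time :2006-07-09 09:25:23
Severity :High
Reporter :Network Monitor
Description: UDP Port Scan
Attacker: 10.0.0.138
Ports: 2823, 58886, 59142
Date/Time :2006-07-09 09:38:38
Severity :High
Reporter :Application Monitor
Description: Application Access Denied (svchost.exe:0.0.0.0:dhcp(68))
Application: C:\WINDOWS\system32\svchost.exe
Protocol: UDP In
Remote: 0.0.0.0:dhcp(68)
Date/Time :2006-07-09 10:16:20
Severity :High
Reporter :Application Monitor
Description: Application Access Denied (svchost.exe:0.0.0.0:dhcp(68))
Application: C:\WINDOWS\system32\svchost.exe
Protocol: UDP In
Remote: 0.0.0.0:dhcp(68)
"""

# "Key :value" and "Key: value" both occur in the quoted log; the non-greedy key
# stops at the first colon, so Windows paths and host:port values stay intact.
FIELD_RE = re.compile(r"^([A-Za-z/ ]+?)\s*:\s*(.*)$")


def parse_cpf_log(text):
    """Split the log into entries; a new entry starts at every 'Date/Time' line."""
    entries, current = [], None
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Date/Time":
            current = {"Date/Time": datetime.strptime(value, "%Y-%m-%d %H:%M:%S")}
            entries.append(current)
        elif current is not None:
            current[key] = value
    return entries


def blocked_dhcp_replies(entries):
    """Timestamps of Application Monitor denials of inbound UDP to the DHCP
    client port (68): the server's offers/acks to svchost.exe being dropped."""
    return [e["Date/Time"] for e in entries
            if e.get("Reporter") == "Application Monitor"
            and e.get("Description", "").startswith("Application Access Denied")
            and e.get("Protocol", "").startswith("UDP In")
            and "dhcp(68)" in e.get("Remote", "")]


def diagnose(text):
    """Summarise how many DHCP replies were denied and over what period."""
    entries = parse_cpf_log(text)
    hits = blocked_dhcp_replies(entries)
    if not hits:
        return {"entries": len(entries), "dhcp_denials": 0,
                "verdict": "no DHCP denials found"}
    span_minutes = (hits[-1] - hits[0]).total_seconds() / 60
    return {"entries": len(entries), "dhcp_denials": len(hits),
            "span_minutes": round(span_minutes, 1),
            "verdict": "inbound DHCP replies to svchost.exe are being denied; "
                       "lease renewal will fail"}


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```

The port-scan entry is parsed too but deliberately not counted: it comes from the Network Monitor, is handled by a temporary block of one address, and does not touch the DHCP exchange, so it is a separate observation from the denials that line up with the connection dying.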

I think you’re right. After the connection was killed, Windows could not repair it until the application monitor was turned off.

Try turning the AM (1st option) on but the ABA (4th option) off. See if it then also occurs.

Nope, no good. I still get the same problem. Looks like I will have to find another firewall

Please disable the following options:

1 - “Security->Advanced->Monitor DNS Requests”
2 - “Security->Advanced->Secure the host while booting”
3 - “Security->Advanced->Secure against trojan protocols”

If you still have problems, you must send your logs so that we can see what happens.

Egemen

Since 2 & 3 were off by default, it seems 1 is the culprit; “monitoring DNS queries” off and I have no problems.

I tried to install Comodo Personal Firewall 2.2.0.11 for the first time tonight. When the product is installed, even if set to Allow All, I cannot acquire a network address; just what this thread appears to be addressing. The only way to get an IP is to uninstall CPF.

Back on-line I found this thread and this suggestion:

1 - "Security->Advanced->Monitor DNS Requests"
2 - "Security->Advanced->Secure the host while booting"
3 - "Security->Advanced->Secure against trojan protocols"

I re-installed; it had no effect (not surprising since Allow All also fails) and I uninstalled again to get back online.

I now just noticed this part of the message:

If you still have problems, you must send your logs so that we can see what happens.

Before I reinstall again just to harvest the logs, will the logs be obvious to me? Are they some sort of *.log file in the application dir?

Also, do you want them attached here or emailed somewhere?

Thanks,
Gene

Ok, I gave this one more try for tonight. I installed 2.3.2.21_BETA - same issue: even with “Allow All” I couldn’t get an IP and had to uninstall to get back on-line here.

I did capture the log:

Comodo Personal Firewall Logs
Date Created: 21:21:28 30-07-2006
Log Scope: Last 30 days
Date/Time :2006-07-30 21:17:46
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.0.2, Port = 5353)
Protocol: UDP Incoming
Source: 192.168.0.3:listen(1025)
Remote: 192.168.0.2:5353
Reason: Network Control Rule ID = 3
End of The Report

My PC should be issued IP address 192.168.0.2 from the router (this is the IP assigned to my MAC address). 192.168.0.3 is my Tivo box.

Hope this helps.
Gene

Two things I would recommend checking:

  • Go through the Add a Trusted Zone wizard, which will also add some Network Rules
  • And ensure the Block All IP Rule is on the bottom

In the end, you should have a set of rules like I have (in the image attached, except for Rule ID 3 that I added manually) but may need to move them around so that they are in the same order as mine.

[attachment deleted by admin]
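A worked illustration of why the Block All rule belongs at the bottom, added here as an example; the poster's attached rule list is not available, so the rule set below is constructed, with the Block All rule given ID 3 only to mirror the “Network Control Rule ID = 3” denial in Gene's log. The recommendation implies that network rules are matched top to bottom with the first match deciding (assumed here), so a catch-all block placed above the trusted-zone allow rule denies exactly the kind of LAN packet (192.168.0.3 to 192.168.0.2) that the zone wizard's rule was meant to permit.

```python
from ipaddress import ip_address, ip_network

# Constructed rule set standing in for the attachment (not the poster's actual rules).
# Assumed semantics: rules are evaluated top to bottom and the first match decides.
TRUSTED_ZONE = "192.168.0.0/24"   # the LAN the Add a Trusted Zone wizard would cover


def make_rules(block_all_last=True):
    rules = [
        {"id": 1, "action": "allow", "dir": "in",  "src": TRUSTED_ZONE, "dst": TRUSTED_ZONE},  # zone rule
        {"id": 2, "action": "allow", "dir": "out", "src": "0.0.0.0/0",  "dst": "0.0.0.0/0"},
        {"id": 3, "action": "block", "dir": "in",  "src": "0.0.0.0/0",  "dst": "0.0.0.0/0"},   # Block All IP
    ]
    if not block_all_last:
        rules.insert(0, rules.pop())   # misordered: Block All moved above the zone rule
    return rules


def evaluate(rules, direction, src, dst):
    """First-match evaluation; returns (action, rule_id).  Assumed default: deny."""
    for rule in rules:
        if rule["dir"] != direction:
            continue
        if (ip_address(src) in ip_network(rule["src"])
                and ip_address(dst) in ip_network(rule["dst"])):
            return rule["action"], rule["id"]
    return "block", None


def compare_orderings(src="192.168.0.3", dst="192.168.0.2"):
    """The inbound LAN packet from the quoted log under both orderings, plus an
    inbound packet from a non-LAN address, which both orderings should block."""
    return {
        "block_all_last": evaluate(make_rules(True), "in", src, dst),
        "block_all_first": evaluate(make_rules(False), "in", src, dst),
        "internet_inbound": evaluate(make_rules(True), "in", "203.0.113.7", dst),
    }


if __name__ == "__main__":
    for case, decision in compare_orderings().items():
        print(case, decision)
```

The point of the third case is that moving the catch-all to the bottom loses nothing: traffic from outside the trusted zone still falls through to it and is blocked, so rule order changes what the LAN is allowed to do, not what the internet is.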

Thank you, but this still did not work. I also would have expected that by enabling ‘Allow All’, stuff like this shouldn’t matter.

The only variable I can’t affect is that I have SyGate firewall installed, but it is disabled and the service is disabled so it doesn’t start. I need it ‘present’ for a VPN package to run, but it just needs to be present, not running.

With it in this present-but-disabled state, ZoneAlarm works fine; I’m not sure if CPF is as forgiving.

I think I’ve reached my limit on this one, but thank you for your help.