Log - ICMP=PORT UNREACHABLE

Hi all

These days all my logs seem to contain is endless Medium Severity, Network Monitor logs:
(Any chance of making the details window in the Logs report copyable to clipboard?)

Description: Outbound Policy Violation (Access Denied, ICMP=PORT UNREACHABLE)
Protocol: ICMP Outgoing
Source: my computer LAN IP
Destination: my first DNS server IP
Message: PORT UNREACHABLE
Reason: the last default network rule to block all

It’s probably caused by Spamihilator regularly checking my mail and that’s OK, not a problem.
But just wondered if this particular ICMP event should actually be allowed. Everything seems to be working OK, but I’m a natural worrier ;D

Mark

I see that warning a lot too in the logs, was wondering the same thing. Is it blocking something useful? (R)

Same here!

I was receiving occasional alerts like that also. It seems that it was just my pc contacting my ISP’s DNS server. I created a rule to allow a single local IP (my pc) to contact a single destination IP (my ISP’s DNS server) via ICMP. I placed this rule before the last “Block & Log” rule.

DR

Just checked my logs and noticed it as well, wonder what it is.

Hey everyone, See if this thread helps:

https://forums.comodo.com/index.php/topic,1904.msg14047.html#msg14047

Thanks :smiley:

No problem justin.

If you get a bunch of these in your log then do what I did.

Create a new rule that states: block ICMP out, from any, to any where ICMP message is port unreachable. Put this right above the “block all” rule and this will keep your logs clean.

I wasn’t so much wanting to keep my logs clean, but was wondering (as a few others here were) if something was being blocked that shouldn’t be. It is only my computer connecting to one of my ISP’s DNS servers. I allow these to happen when an application wants to but wondered what was happening here and if something useful was being interfered with.

Mark

I was wondering if I should do that. But I don’t know what is causing the log entry and whether the process is benign or not.

Mark

Not really to be honest. I’m not sure I understand egemen’s reply.

Mark

I am also wondering what is being blocked and Egemen’s reply doesn’t explain it (for me anyway). ???
Sooooooo…I created a rule that will allow and log the attempt to contact my DNS servers so maybe I can see who is calling. I don’t know if it will work since I’m new to firewall config and would appreciate it if someone would let me know if I’m barkin’ up the wrong tree!

Thanks and…

               (V)

When a UDP port is closed, a host sends back an “ICMP Port Unreachable” to reveal the status of a port.

That rule is usable when you allow some incoming connections in the network monitor. If you allow some incoming UDP connections, when no application is listening, your host will send this message. We put this rule in to provide stealth even if there is a network rule that allows incoming UDP connections.

In short, it is there to prevent somebody probing your UDP ports from receiving any reply if they are closed.

When you initiate a DNS request, incoming replies are statefully allowed. But somehow the host needs to send a port closed message after these replies. I am sure it is something specific to the DNS protocol.

If you do not plan to add some ALLOW rules for incoming UDP ports in network monitor, you can safely add an ICMP out rule for such a message.

Hope this helps,
Egemen

Thank you Egemen for a speedy reply and for clarifying!

Some of the emoticons should read:
Comodo Forums Rock!, Comodo Moderators Rock!, etc., etc., etc.!

                                                            (:CLP)

Brilliant, thanks egemen. I understand now.

I have been in many software discussion forums since my Prestel days in the 80s (some oldies from the UK may remember) and I have never come across the support, understanding and professionalism I have here from all the Comodo staff. In dealing with us here, never once have I ever sensed dismay, annoyance, aggression - how many programmers and developers can we say that about?! OK you may have a good moan in the coffee room ;D but here you maintain professionalism that is a credit to your company.

I’ve been meaning to say this for a short while now. CPF has faults (I currently have a serious one in a support ticket) and it could be improved, but you guys just prove yourselves in so many ways that our trust for you and your products grows by the day.
(:CLP)

Mark

Hi all,

Just to add a little to egemen’s excellent explanation, this is what I think might be happening:

Sometimes a DNS request may take too long to resolve by the DNS server, so the request times out in the application that made the request and another one is sent (and so on). Eventually, a reply to the first request arrives from the DNS server. The application accepts it and closes the UDP port assigned to receive the reply. But then the replies to the other requests arrive as well. Since the UDP port is already closed by the application, the “ICMP Port Unreachable” message is sent.

Something similar happens when the firewall is blocking the DNS request with a popup. When you click “allow”, it seems several accumulated requests may get sent out. The DNS server will send replies for all these requests, but the application only expects one reply.

I hope this makes sense.

effel
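An added example (my own code, not from this thread or from Comodo) that applies egemen’s and effel’s reasoning to a constructed sample of Network Monitor entries: an outbound ICMP Port Unreachable from this host to one of its configured DNS servers is classed as the expected late-reply noise, while any other Port Unreachable entry is flagged for a closer look. The host and DNS server addresses are assumed placeholders.

```python
import re
from collections import Counter

# Constructed sample log (not real data), in the field layout quoted in the thread.
SAMPLE_LOG = """\
Description: Outbound Policy Violation (Access Denied, ICMP=PORT UNREACHABLE)
Protocol: ICMP Outgoing
Source: 192.168.1.10
Destination: 192.168.1.1
Message: PORT UNREACHABLE

Description: Outbound Policy Violation (Access Denied, ICMP=PORT UNREACHABLE)
Protocol: ICMP Outgoing
Source: 192.168.1.10
Destination: 203.0.113.7
Message: PORT UNREACHABLE

Description: Inbound Policy Violation (Access Denied, ICMP=PORT UNREACHABLE)
Protocol: ICMP Incoming
Source: 198.51.100.5
Destination: 192.168.1.10
Message: PORT UNREACHABLE
"""

MY_HOST = "192.168.1.10"                       # assumed LAN address of this PC
DNS_SERVERS = {"192.168.1.1", "198.51.100.53"}  # assumed configured resolvers


def parse_entries(text):
    """Split the log into blank-line separated entries of 'Field: value' lines."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        entries.append(fields)
    return entries


def classify(entry):
    """Label one entry using the thread's explanation of late DNS replies."""
    if entry.get("Message") != "PORT UNREACHABLE":
        return "other"
    outbound = entry.get("Protocol") == "ICMP Outgoing"
    # Our host telling our own resolver "port closed": a retried query's late reply.
    if outbound and entry.get("Source") == MY_HOST and entry.get("Destination") in DNS_SERVERS:
        return "expected-dns-noise"
    if outbound:
        return "review-unexpected-destination"
    return "review-inbound"   # someone else's host answering a probe of ours, or noise


def triage(text):
    """Count entries per label so the log can be summarised instead of read line by line."""
    return Counter(classify(e) for e in parse_entries(text))
```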

That is an excellent explanation. I’ve just one question… in your opinion, should this outbound ICMP communication be allowed to a DNS or would it be better to block it?

Thanks, in advance…

Another excellent suggestion effel, makes sense to me.

Thanks.

I suppose we could write a rule to block it but as CPF is catching it anyway it’s not causing any harm except filling up the log.

kail,

I don’t think DNS servers pay any attention to the ICMP Port Unreachable messages when they are replying to requests. They will just send their reply and forget about it.

Allowing outbound ICMP Port Unreachable messages is only useful if you are running a public DNS server yourself. Then other DNS servers and clients querying your server will be able to more quickly determine if your DNS server for some reason is unavailable (i.e. the DNS server service is not running).

But for normal clients, there is no need for these messages to be sent to the DNS server, since the server isn’t expecting any acknowledgements to its replies (unlike TCP, UDP is sort of like a simple “send and forget” protocol). So, in my opinion, blocking these outbound ICMP Port Unreachable messages isn’t doing any harm.

effel