Hello fellow Comodians. I am using uTorrent sometimes and I've created a rule to allow traffic on the dedicated port I have for it. It works fine, but I get a lot of alerts in the log; they look like this:
Network control rule ID = 11, in this case the built-in Block & Log IP In/Out rule that I have as the last rule in the set.
Does anyone know why I get these constant alarms when running uTorrent? They only appear when that program is active. Is it some kind of ICMP flood, or? Can I leave it as is, or should I create a rule for it?
Torrent programs tend to create a lot of ICMP logs…
It’s safe to just ignore them, but you could create rules to get rid of them…
Do you have
ICMP IN or OUT/Any/Any/Echo Reply
ICMP OUT/Any/Any/Echo Request
If you have those and still get the logs, you can try this.
ICMP IN or OUT/Any/Any/Any
If you have a rule like this they should go away…
You can move it below the block rule when you’re not using torrent.
An expert user can tell you if it’s safe to use the last rule. I use it… ;D
Since the rule number that blocked it is 11, it is safe to assume that rule 11 is your final blocking rule (or it should be; any rule after this one will be ignored). You're getting the message since that rule is a block & log rule. If blocking this “ICMP = UNREACHABLE” doesn't harm uTorrent, then there is no reason to dent your stealth status. Create a rule before rule 11 to block (but not log) the ICMP = UNREACHABLE packet. A silent block.
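To make the ordering point in the post above concrete, here is an added example (not from this thread and not Comodo's own code) that simulates first-match evaluation of a firewall rule set: a silent block placed before the final Block & Log rule suppresses the log entries, while the same rule placed after it is never reached. Rule names, packet fields and the traffic sample are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # "allow" or "block"
    log: bool                        # whether a match writes a log entry
    protocol: str = "ANY"            # "ICMP", "TCP", "UDP" or "ANY"
    icmp_type: Optional[str] = None  # e.g. "Echo Reply", "Unreachable"; None = any type

    def matches(self, packet: dict) -> bool:
        if self.protocol != "ANY" and self.protocol != packet["protocol"]:
            return False
        if self.icmp_type is not None and packet.get("icmp_type") != self.icmp_type:
            return False
        return True

def evaluate(rules, packet):
    """First matching rule wins; anything listed after it is never consulted."""
    for rule in rules:
        if rule.matches(packet):
            return rule.name, rule.action, rule.log
    return None, "block", False      # implicit default when nothing matches

def logged_names(rules, packets):
    """Names of the rules that produced log entries for this traffic sample."""
    return [name for name, _, logged in (evaluate(rules, p) for p in packets) if logged]

# Constructed rules. BLOCK_AND_LOG stands in for the built-in rule 11 from the thread.
ALLOW_TORRENT = Rule("Allow uTorrent TCP", "allow", False, protocol="TCP")
BLOCK_AND_LOG = Rule("Block & Log IP In/Out", "block", True)
SILENT_UNREACHABLE = Rule("Block ICMP Unreachable (no log)", "block", False,
                          protocol="ICMP", icmp_type="Unreachable")

ORIGINAL = [ALLOW_TORRENT, BLOCK_AND_LOG]
SILENT_FIRST = [ALLOW_TORRENT, SILENT_UNREACHABLE, BLOCK_AND_LOG]  # the suggested placement
SILENT_LAST = [ALLOW_TORRENT, BLOCK_AND_LOG, SILENT_UNREACHABLE]   # same rule, after rule 11

# Constructed traffic sample: uTorrent data plus the ICMP noise described in the thread.
SAMPLE = [
    {"protocol": "TCP"},
    {"protocol": "ICMP", "icmp_type": "Unreachable"},
    {"protocol": "ICMP", "icmp_type": "Unreachable"},
    {"protocol": "ICMP", "icmp_type": "Echo Reply"},
]

if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL), ("silent first", SILENT_FIRST),
                         ("silent last", SILENT_LAST)):
        print(f"{label:13s} log entries: {len(logged_names(rules, SAMPLE))}")
```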
Thanks for the answers, that explains the alerts. The thing is that I suspect this blocking has a negative impact on uTorrent's download speed. Is it a major security hazard to make a rule like the one AoWL suggests in his post? From what I understand, that rule permits this kind of traffic through the firewall? I'm also behind a Linksys router (cabled) with an SPI firewall enabled, so I kinda feel pretty secure as it is already, but I don't want to put my box at risk.
I pass the advanced port scanner test, stealth test and exploit test on Pcflank. That was with the router in DMZ. The router itself stealths you from the internet if it's on, so I think that you are safe with both on. Look at the image to see my network rules.
Try first with this, and if it doesn’t work, just try the “All” rule.
Allow ICMP In or Out / Any / Any / Where ICMP Message is Echo Reply.
The rule sounds like you wouldn't be stealthed, but at least I am… even with the “all” rule…