massive number of logged high severity events

I set up the firewall with a rule for azureus (bittorrent client) according to what I found on this forum i.e.
“Allow TCP or UDP IN from IP [ANY] to IP [ANY] Where source port is [ANY] and destination port is xxx(the port I specified)”
the only other rules I have beside the default ones are 2 set up by the wizard for a local network/zone.
All was working fine until the last day or so, when I had 240+ high severity alerts. All were blocked by protocol analysis. Almost all are outgoing and say “fragmented IP packet” or “Fake or Malformed UDP packet”. Some were incoming and say something about invalid flags. I wanted to comment in more detail, but my log seems to have reset and I can no longer see them all. I have the log set to 100MB. The incoming ones seemed to be for a port other than the one I specified for azureus. The outgoing all seemed to be from the port I specified, so I was wondering why they are “fragmented” or “fake or malformed”. Keep in mind that with the large number I was unable to read them all, and now I am unable to look at any of them further since it seems my log has reset. I also have some high and medium severity that are either incoming or outgoing and they contain the IP of the DNS servers for my ISP. I also have an uncountable number of medium severity that are all “outbound policy violation (access denied, ICMP port = unreachable)” with various outgoing IPs. These medium severity cases seem to happen constantly no matter what I am doing. I am not sure what program I have running that is sending these out. I am running version 2.4x (the most recent non-beta version) of the firewall. I have a Linksys router with NAT and firewall, and a laptop inside the local network. I thought maybe the ICMP were part of local network traffic, but I have a trusted zone rule covering that local range, and the IPs listed in the log are clearly not part of that range (192.168.x.x or whatever the default local IP range and subnet is). The high severity all seemed to be while running azureus, minus two that were incoming and had “invalid flags” or whatever listed as the reason. Sorry for the length.
I seem to have three distinct problems: 1) a large number of high severity events while running the bittorrent client, 2) perpetual medium ICMP errors when no browser or azureus is running, and 3) a few high severity incoming invalid flags (unknown at the moment whether azureus was running at the time or not).

Any help at all would be appreciated. I can list the few programs I have running in my tray, along with the services etc. that run and connect for various other programs, in further detail as requested. I am somewhat boggled, as I have been employed over the last 15 years at several companies where I was working on mixed unix/dos/windows/netware networks as a user and administered a mixed netware/windows set of local networks for about 8 years, so I consider myself rather experienced. Again, any help would be appreciated. If anyone knows how to look at the log that seems to have reset, or to export the log to text, .csv or something similar, that would also help. If this is not possible with the firewall I would offer a suggestion to the developers to include some kind of feature in the future to allow exporting a text file log on a user-set basis (scheduled or on demand) so the user can look over past logs in further detail when needed for troubleshooting. The fact that I cannot now seem to look at the log entries I had open when I started writing this post is quite frustrating. Again, sorry for the length of my post. Also, if I need to ask tech support by email or ticket or whatever regarding this, someone please let me know. Thanks. Edit: After I posted this I found the option to right-click on a log entry and export to html, but as I went to do this and changed the log size to the last 30 days from today, my firewall froze up and task manager won't let me kill it because the system locks it.

Ok, I have logged for several days and most of the high severity events seem to be from a few IPs. To the developers: I do not understand the technical aspects of the torrent protocol; is it possible that protocol analysis will log some legitimate torrent traffic as suspect since they are fragments of files by definition? I use azureus, which is set to automatically block IPs that repeatedly send bad packets, from what I understand. Some of what the firewall is blocking is clearly correct because it is going to a port other than the one I have designated for the torrent client, but some seems to be going to the correct port and so forth. My question is, does the protocol analysis portion of the firewall handle the torrent protocol correctly? Is there a possibility that needs some tweaking? These IPs are not being banned by azureus automatically, so is this something on their end possibly and I should contact them? In the meantime I have gone through my firewall logs and then listed each IP that causes a high severity alert in the firewall in the azureus list of banned IPs manually. As for the medium severity ICMP events in the log, those are obviously a different issue and should maybe be another thread. I have been exporting my log to html every day or so if anyone would like to see portions of the log. It does impress me with the power and depth of this firewall, though, as these are things that no windows firewall I have used has blocked, although I have used Firestarter in linux and that seems to block and log a lot of events when using azureus. Thanks for a fantastic product and keep it up; I am recommending everyone I know start using this software and ditch whatever lousy firewall they have.

It is possible that you are receiving fragmented IP packets. You can modify this at: Security->Advanced->Advanced attack detection and protection->Miscellaneous section, and modify the “Do protocol analysis” and “Block Fragmented IP Datagrams” options to stop such alerts temporarily.

Egemen

Thanks for the reply. You are saying uncheck those two options? I am not worried about all of the alerts if it is blocking things it should be. Some of the events show packets going to a port other than the one I specified for torrents. I would assume that should not be happening as a part of legitimate communication? If it blocks some legitimate torrent packets right now I am not too concerned; my torrents will just go a bit slower, and I would rather not risk it. I am contacting azureus through the forum they have at sourceforge in regards to this. I thought azureus was supposed to block an IP after so many bad packets, but maybe because the firewall is blocking it the azureus client is not aware and therefore maintains a connection with these IPs? As for the ICMP medium alert events, I am not at all worried about those; I would just like to know what is causing it because it seems to be perpetual. If I have some service or application running that is attempting these connections I would like to figure it out; nothing I am running seems to be having any errors because of this. Is anyone aware of a utility similar to sysinternals tcpview that would show ICMP traffic and what program is making/attempting connections, since the firewall log doesn’t show that? Thanks again for the reply.

egemen, the azureus forum was very helpful in regards to the high severity events. It seems some bittorrent clients cache connections or sessions for a while and keep trying to connect for days now, even though I have not had it running. I turned that pc off and used Wireshark (Ethereal) to watch the traffic, and it varied. Mostly it was about 1 connection attempt per minute, but sometimes a lot, like about 40 in 3 minutes while I was watching. So the firewall was doing its job nicely; now I just need to figure out why I get the few invalid flag attempts (which are not to the azureus port, but various ports). For the ICMP I looked and about 99% are outgoing to my ISP's DNS servers. I made a rule to block and not alert for those events, but I can also allow and not alert; is there any reason to have ICMP traffic with the DNS server? Is it something I need to allow? It doesn’t seem to hinder anything with it blocked. It may be because I have a LAN set up to share files, and possibly my pcs are broadcasting ICMP or something to each other and also DNS maybe, since they see that as a part of the network in a way? Anyhow, thanks for the help; it seems the issue is not the firewall or azureus but some other crappy bittorrent clients that keep attempting connections that are long dead. I am just going to change the port I use every so often to keep most of that traffic from hitting my pcs. Excellent firewall, I get more and more impressed with it each day.

Good to hear that. Can you export your logs to HTML and post here for future reference pls? It may be helpful for other users having the same issues.

Thx,
Egemen

egemen: bit of a follow-up. After my last post I learned a bit more on the azureus forum. The previous thing I said about some torrent clients caching long after and attempting connects is true. I changed my port and am still getting hit with these attempts, but my hardware firewall is dropping them since that old port is no longer open. On switching ports I did notice your suggestion was correct: shutting off fragmented packets and protocol analysis sped up my torrents quite a bit. I was told on the azureus forum that CPF is blocking fragments that are used in torrents, and some of the invalid flags are actually used by the torrent clients and are more than likely not malicious activity. I will post parts of my logs so people can see the alerts I got, and suggest people with torrent problems turn off those two options as you described above to clear up issues while running torrents. When I am not running torrents I am keeping those options enabled. It might be helpful in a future version to allow a feature where an application or port would be exempt from those options while allowing the user to keep them on, if this is possible. In other words, keep the fragment packet blocking and protocol analysis ON except for certain applications or ports specified by the user. I am not sure what way would be easiest/safest/technically feasible to implement since I am not a programmer. Here are portions of my logs with the IPs xxxx'd out by me. These are a few examples; the Invalid flag events vary in what the flags are.

Date/Time :2007-02-08 22:19:13
Severity :High
Reporter :Network Monitor
Description: Blocked by Protocol Analysis (Invalid Flag Combination)
Direction: TCP Incoming
Source: xxxx
Destination: xxxx
Reason: FIN RST is an invalid TCP flag combination

Date/Time :2007-02-08 20:18:00
Severity :High
Reporter :Network Monitor
Description: Blocked by Protocol Analysis (Fragmented IP Packet)
Direction: IP Outgoing
Source: xxx
Destination: xxx
Protocol : UDP
Reason: Fragmented IP packets are not allowed

Date/Time :2007-02-08 20:18:00
Severity :High
Reporter :Network Monitor
Description: Blocked by Protocol Analysis (Fake or Malformed UDP Packet)
Direction: UDP Outgoing
Source: xxx
Destination: xxx
Reason: UDP packet length and the size on the wire(1508 bytes) do not match

As you can see, some are incoming and some are outgoing. The ICMP medium (yellow) alerts I still have not resolved, but they are almost all to my ISP DNS server. I have not yet figured out which application is responsible or if it is a system process. This is unrelated to azureus and occurs on both my computers which run CPF. I am not very concerned about it but would like to figure out if this is traffic I should allow or not.

Date/Time :2007-02-08 20:03:40
Severity :Medium
Reporter :Network Monitor
Description:Outbound Policy Violation (Access Denied, ICMP = PORT UNREACHABLE)
Protocol:ICMP Outgoing
Source: 192.168.1.10
Destination: xxx (ISP DNS)
Message: PORT UNREACHABLE
Reason: Network Control Rule ID = 8

thanks
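The exported records quoted in this post are easy to work with once parsed. As an added example that is not part of this thread or of Comodo's software, the Python below parses records in that export format and splits the High protocol-analysis blocks by direction, reason and whether the local end of the flow is the port opened for the torrent client, which is the distinction the poster was making by hand. The sample records, addresses and ports are constructed, and the `ip:port` form of the Source/Destination fields is an assumption.

```python
from collections import Counter
# Constructed sample in the export format quoted above (addresses and ports are made up).
SAMPLE_LOG = """\
Date/Time :2007-02-08 22:19:13
Severity :High
Description: Blocked by Protocol Analysis (Invalid Flag Combination)
Direction: TCP Incoming
Source: 198.51.100.7:41123
Destination: 192.168.1.10:1433
Reason: FIN RST is an invalid TCP flag combination
Date/Time :2007-02-08 20:18:00
Severity :High
Description: Blocked by Protocol Analysis (Fake or Malformed UDP Packet)
Direction: UDP Outgoing
Source: 192.168.1.10:49152
Destination: 203.0.113.5:6881
Reason: UDP packet length and the size on the wire(1508 bytes) do not match
Date/Time :2007-02-08 20:03:40
Severity :Medium
Description:Outbound Policy Violation (Access Denied, ICMP = PORT UNREACHABLE)
Protocol:ICMP Outgoing
Source: 192.168.1.10
Destination: 203.0.113.53
Reason: Network Control Rule ID = 8
"""

def parse_records(text):
    """Every 'Date/Time' line starts a new record; other 'Key: value' lines join it."""
    records = []
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep: continue  # blank separator lines in a real export are skipped
        key, value = key.strip(), value.strip()
        if key == "Date/Time":
            records.append({})
        records[-1][key] = value
    return records

def triage(records, torrent_port):
    """Count High protocol-analysis blocks by direction, local-port bucket and reason."""
    summary = Counter()
    for r in records:
        if r.get("Severity") != "High" or "Protocol Analysis" not in r.get("Description", ""):
            continue
        direction = r.get("Direction") or r.get("Protocol", "")
        # The local end is the Destination for incoming traffic and the Source for outgoing.
        local = r["Destination"] if "Incoming" in direction else r["Source"]
        port = local.rsplit(":", 1)[1] if ":" in local else None
        bucket = "torrent-port" if port == str(torrent_port) else "other-port"
        summary[(direction, bucket, r["Reason"])] += 1
    return summary
```

Anything landing in an "other-port" bucket is traffic the torrent rule never allowed, so it is the part worth reading first; the "torrent-port" entries are the fragment and length-mismatch blocks discussed in this thread.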

Just thought I’d bump this with some info for you, in case you’re still wondering…

Apparently this:

Date/Time :2007-02-08 20:03:40
Severity :Medium
Reporter :Network Monitor
Description:Outbound Policy Violation (Access Denied, ICMP = PORT UNREACHABLE)
Protocol:ICMP Outgoing
Source: 192.168.1.10
Destination: xxx (ISP DNS)
Message: PORT UNREACHABLE
Reason: Network Control Rule ID = 8

Is caused by those continued cached connection attempts you see after you close the p2p app. If you create a rule to Allow Out ICMP Port Unreachable, it will give the response to the torrent that you’re no longer there, and stop the flood sooner. This should get rid of a lot (if not all) of those High Severity events.

BTW, have you added your suggestion of turning off Protocol Analysis etc for specific applications and/or network rules to the Wishlist? If not, please do so…https://forums.comodo.com/index.php/topic,4612.0.html

Hope that helps,

LM

Hi, I’m getting the same problem with azureus. I put in the suggested rule and that prevents the ICMP errors, but I’m still getting the “udp packet length and the size on the wire” problem. The only advanced attack detection feature I have turned on is “Do protocol analysis”. Should I turn off that as well?

No! Those alerts are normal. I get them quite often when p2p’ing. That’s one of the great benefits that CFP has over other firewalls (like the XP one) in terms of restricting network traffic. As per its description, it blocks all suspicious packets in & out.

What’s also concerning is that you have the Block fragmented IP datagrams option disabled. That’s another great feature.

Well, I have to turn both those options off, as the errors are reporting during standard Azureus traffic. Also, every single time one of those errors is triggered, my hard drive spins like crazy. I’d rather not burn out my hard drive for having too many false-positives. I’ll just have to turn those options back on when not using azureus.

cnadolski, I know the reason why your hard drive is spinning like that. Yep. I have super acute hearing. 8) That is a different issue with logging & cpu usage:

** FAQs/Threads - Read Me First **

Version 2.4 - cpf.exe and high CPU https://forums.comodo.com/index.php/topic,6819.0.html https://forums.comodo.com/index.php/topic,6933.0.html https://forums.comodo.com/index.php/topic,6943.0.html

Thanks for the advice, but I’m kinda stuck in this instance, since I’m running a webserver on that machine, so I need to keep the logs on in case of a DDOS or other such problem. I’m aware that “Do Protocol Analysis” and “Do Checksum Verification” help protect from DDOS, but I’ve compensated by lowering the thresholds for DDOS attacks. Is there any way that I can turn these two options on from the command line so that I can run a script to turn them off/on as soon as azureus starts/exits?