Note to moderator: I wasn’t sure where to post the following questions (contained in the attached Word document). Feel free to move this post to the appropriate forum. I’m simply posting it here because the questions I raise may be typical to new users.
I told you I would be back after the holidays with more crafted questions! I’ve uploaded a Word document with some questions along with screenshots. It would be appreciated if someone could review and answer if possible.
Please post these questions into this topic. It will not help new users if they cannot search for the questions & seeing the answers without seeing the questions might cause confusion. Thanks.
Here are the questions from the attached Word document. The screenshots are still referred to, but the questions have been extracted to this post:
What exactly is the screenshot of the Application traffic and Connections (in the attachment) telling me?
a. Is there multiple threads of Firefox looping back to my machine? In other words, this is internal traffic that is staying inside my machine, right?
b. How about iTunes, this ■■■■■■ is connecting out to the iTunes music store most of the time when running – is that what I’m seeing here? I know IP 192.168.1.105 thru 192.168.1.255 is still in my machine (i.e. – the “System” entry), but why is iTunes showing a range from 192.168.1.105 – 224.0.0.251? Isn’t that outside my machine?
I understand that the Network traffic (in the attached screenshot) shows what protocol is being used on the network, but why should I care whether TCP, UDP, ICMP, or “others” are being used? Is it just a nice picture, or does it add value of some sort? After all, its just the protocol that an application is choosing to send packets over, right? What value is this information? How could it indicate “suspicious” activity?
An attached screenshot shows the Network Control Rules as they stand now after taking some advice from Monogod. While I understand some of this, can anyone interpret rules 3,4,5,6? I thought ICMP should be blocked? No? And in rule #6, what is the GRE protocol for? Shouldn’t pretty much all protocols except TCP and UDP be blocked? Probably my misunderstanding, I’m sure. An explanation would go a long way towards educating me.
Also, what is the difference between blocking & logging just “in” as opposed to “in/out”?
4. Can someone explain the Component Control Rules a bit? How do they get there? Perhaps when I “allow” applications? For example, did the attached screenshot component rule get created when I allowed Adobe Photoshop Elements to do something? Is there something to be gained from reviewing these “rules” every now and again? What can it tell me and what should I be looking for here?
The Traffic-Application screen shows the distribution of the network traffic over applications & the Connections screen shows all the current connections.
1a. This is merely the way Firefox works. Multiple tabs all loop-back into one external connection.
1b. Yes, 192 IPs are local IPs. 224.0.0.251 is a multicast broadcast address & could will be external to your system. But, I don’t know how iTunes works. There is no way to tell if the System entry is related to iTunes.
High amounts of UDP/ICMP/Other traffic on the Traffic-Network screen might indicate a DoS-type attack. Other traffic alone would be suspicious. See Advanced Attack Detection and Prevention (Security - Advanced). Under the Miscellaneous tab CFP has the option to Monitor other NDIS protocols than TCP/IP. CFPs help says…
[b]Monitor other NDIS protocols than TCP/IP[/b]
This will force Comodo Firewall Pro to capture the packets belonging to any other protocol diver than TCP/IP. Trojans can use their own protocol driver to send/receive packets. This option is useful to catch such attempts. This option is disabled by default: because it can reduce system performance and may be incompatible with some protocol drivers.
… so, it is possible to get “strange” protocols & the Traffic-Network screen might be your first indication of this. If you started getting non-TCP/IP traffic then you would turn the above option on to allow CFP to inspect them.
No, not all ICMP should be blocked, some are required in order that your system works normally.
Rule 3: This allows an outbound ICMP Echo Request, without this rule your pings will not work.
Rule 4: This allows an inbound ICMP Fragmentation Needed. Without this rule some commands will fail (eg. TRACERT) & you might experience connections and/or speed issues with some web sites.
Rule 5: This allows an inbound ICMP Time Exceeded. As rule 4.
Rule 6: GRE stands for Generic Routing Encapsulation. You can read more this here (Wikipedia Link). You need it.
In/Out blocking? Blocking IN prevents inbound communications, where as blocking IN/OUT prevents both inbound and outbound communications. Inbound stuff your system receives & Outbound stuff is sent by your system.
Component Monitor is for those programs & libraries that do not interact with the user directly, where as the Application Monitor is for those program that do interact with the user. So, when you allow an application, such as photoshop.exe, then all the libraries (EXEs, DLLS, OCXs, etc…) that photoshop.exe uses will be added to the Component Monitor & photoshop.exe will be added to the Application Monitor.
If you accidentally block something, then you would need to review the blocks listed in both the Application Monitor & the Component Monitor to resolve it. Other than being interested, there is no specific need to periodically review the contents of these Monitors.