Need to know how to create a proper Network Monitor rule

So, at around 9:40 today (it’s now two hours later), someone started sending me TCP packets with malicious/invalid flags. It seems he found me through the p2p client Soulseek, as he’s trying to get in through the port I use for it. So far, Comodo’s blocked everything, but I’ve gotten probably around 250-300 malicious packets from him. I recognize most of the flags, except CWR and ECE, but he’s sending stuff like SYN FIN RST, which I’m pretty sure is malicious. He’s also sending me fake or malformed TCP packets that have lengths that do not match the size of the wire (I have no idea what that last sentence means, actually, but Comodo’s logging it).

My question is how do I effectively block this guy’s IP? I created a rule under the Network Monitor to block everything, but I remember reading that the placement on the list matters, so I’m not sure if it’s working. Do I need to put it above or below the “BLOCK and LOG IP IN or OUT FROM IP [Any] TO IP [Any] WHERE IPPROTO IS ANY” rule? I created it below, and was still getting attempts from this guy, so I have no idea if it’s working or not. Actually, I was even getting them after I changed my dynamic IP, though I admittedly reconnected to Soulseek.

Also, would changing the port I use for Soulseek help at all? I guess I should mention that I also have that port forwarded.

Also, a minor question: is the flag combination ACK FIN RST malicious? I get them all the time from various IPs.
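As an added example (not part of the original post, and not Comodo's own logic), here is a small Python classifier for the TCP flag combinations mentioned in the question. The log format it parses is constructed for illustration, with one entry per line and the flag names comma-separated; the verdict policy is an assumption based on RFC 793 semantics (a segment cannot carry SYN together with FIN or RST, a non-SYN non-RST segment must carry ACK, and a segment with no flags at all is never legitimate). CWR and ECE are the ECN bits from RFC 3168 and are legitimate on their own, which the classifier reflects. ACK FIN RST is treated as suspicious rather than invalid, since no normal close sequence sends FIN and RST in one segment but some stacks do emit it. The `offenders` helper counts invalid packets per source so that a source can be picked out for a block rule; the threshold and addresses are made up.

```python
"""Classify TCP flag combinations from firewall log entries.

Added example; not from the original thread or from Comodo. The log format
below is constructed for illustration.
"""
import re
from collections import Counter

# Six classic flag bits plus the two ECN bits (CWR, ECE) from RFC 3168.
KNOWN_FLAGS = {"FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"}

# Constructed sample log: 203.0.113.5 is the hypothetical attacker, port 2234
# stands in for whatever port the P2P client listens on.
SAMPLE_LOG = """\
src=203.0.113.5 dst=192.0.2.10 dport=2234 flags=SYN,FIN,RST
src=203.0.113.5 dst=192.0.2.10 dport=2234 flags=CWR,ECE,SYN
src=203.0.113.5 dst=192.0.2.10 dport=2234 flags=
src=203.0.113.5 dst=192.0.2.10 dport=2234 flags=FIN,SYN,RST,PSH,ACK,URG
src=198.51.100.7 dst=192.0.2.10 dport=2234 flags=ACK,FIN,RST
src=198.51.100.9 dst=192.0.2.10 dport=2234 flags=SYN
src=198.51.100.9 dst=192.0.2.10 dport=2234 flags=PSH,ACK
"""

LINE_RE = re.compile(r"src=(?P<src>\S+) .*?flags=(?P<flags>[A-Z,]*)$")


def parse_line(line):
    """Return (source IP, set of flag names) or None for an unparsable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    flags = {x for x in m.group("flags").split(",") if x}
    return m.group("src"), flags


def classify(flags):
    """Return (verdict, reason) for a set of flag names.

    Verdicts: 'invalid' (no conforming TCP stack emits this),
    'suspicious' (unusual, worth watching), 'ok'.
    Policy is an assumption based on RFC 793, not Comodo's rules.
    """
    f = {x.upper() for x in flags}
    unknown = f - KNOWN_FLAGS
    if unknown:
        return "invalid", "unknown flag name(s): " + ", ".join(sorted(unknown))
    core = f - {"ECE", "CWR"}          # ECN bits alone carry no TCP semantics
    if not core:
        return "invalid", "no flags set (null packet)"
    if {"FIN", "SYN", "RST", "PSH", "ACK", "URG"} <= f:
        return "invalid", "all flags set (xmas packet)"
    if "SYN" in f and "FIN" in f:
        return "invalid", "SYN and FIN together: cannot open and close in one segment"
    if "SYN" in f and "RST" in f:
        return "invalid", "SYN and RST together"
    if "FIN" in f and "RST" in f:
        return "suspicious", "FIN and RST together: no normal close sends both"
    if "ACK" not in f and "SYN" not in f and "RST" not in f:
        return "invalid", "no ACK on a segment that is neither SYN nor RST"
    return "ok", "normal combination"


def offenders(log_text, threshold=2):
    """Map source IP -> count of invalid packets, for sources at or above threshold."""
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, flags = parsed
        if classify(flags)[0] == "invalid":
            counts[src] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        src, flags = parse_line(line)
        print(src, sorted(flags) or "(none)", "->", classify(flags))
    print("candidates for a block rule:", offenders(SAMPLE_LOG))
```

Run on the sample, the SYN FIN RST, null and xmas entries from 203.0.113.5 come out as invalid, the CWR ECE SYN entry as a normal ECN-capable SYN, and the ACK FIN RST entry as suspicious only, so only 203.0.113.5 is reported as a block candidate.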

Good day,

Go to My Blocked Network Zones and add the IP of the guy to your blocked network zones. Now he can say goodbye to sending you malware files…

Where is “My Blocked Network Zones”? Is it part of Comodo?

My version’s probably old, it’s 2.4.18.184. I’m running on Windows 2000.

EDIT: Man, I just had my first DDoS attack ever, to my knowledge. Today is not a good day. Also, my log seems to have been erased. Maybe it exceeded the 10 MB limit, sheesh.

Ooh, sorry man, I thought you were using version 3.0 or higher… hmmm… I am wondering if version 2.4 of the firewall has a feature similar to “My Blocked Network Zones” in version 3.0… But it is such a loooong time ago that I used that version! I'll report back to you when I know the answer!

Thought so, based on what you reported as being logged; that has long been missing from the logging in version 3.x.
Off the top of my head, ACK FIN RST is no good, but I'll have to look that up.

The blocking rule “Block IP From/To ANY, ports Any” should be on top of all others; that way it will be the first rule that matches. If you need more details, I can check tomorrow on a host running 2.4.x.
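As an added example (not from the thread and not Comodo's code), the following Python model shows why rule position matters in a first-match rule list. The rule fields are a simplified stand-in for the “BLOCK and LOG IP IN or OUT FROM IP [Any] TO IP [Any]” style entries quoted above; the attacker address, the peer address and the forwarded port number are made up. A forwarded P2P port normally has an allow rule sitting above the catch-all block, so a block rule for one IP that is placed below the catch-all can never fire: the packet is either allowed by the port rule or blocked by the catch-all before it is reached. The `shadowed` helper is a check a practitioner would run on a rule list to find rules that can never match.

```python
"""First-match evaluation of a simplified firewall rule list.

Added example; not Comodo code. Addresses and ports are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str      # "ALLOW" or "BLOCK"
    direction: str   # "IN", "OUT" or "IN/OUT"
    src: str         # source IP or "ANY"
    proto: str       # "TCP", "UDP" or "ANY"
    dport: object    # destination port number or "ANY"
    name: str        # label reported in the decision


@dataclass(frozen=True)
class Packet:
    direction: str
    src: str
    proto: str
    dport: int


def matches(rule, pkt):
    """True if the packet falls within the rule's scope."""
    return (rule.direction in ("IN/OUT", pkt.direction)
            and rule.src in ("ANY", pkt.src)
            and rule.proto in ("ANY", pkt.proto)
            and rule.dport in ("ANY", pkt.dport))


def evaluate(rules, pkt):
    """Return (action, rule name) of the FIRST matching rule.

    Later rules are never consulted; that is why position matters.
    """
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.name
    return "BLOCK", "implicit default"


def covers(a, b):
    """True if every packet matching rule b also matches rule a."""
    return ((a.direction == "IN/OUT" or a.direction == b.direction)
            and a.src in ("ANY", b.src)
            and a.proto in ("ANY", b.proto)
            and a.dport in ("ANY", b.dport))


def shadowed(rules):
    """Names of rules that can never fire because an earlier rule covers them."""
    return [r.name for i, r in enumerate(rules)
            if any(covers(prev, r) for prev in rules[:i])]


# Constructed values: documentation addresses and an arbitrary forwarded port.
SOULSEEK_PORT = 2234
ATTACKER = "203.0.113.5"
PEER = "198.51.100.9"

allow_soulseek = Rule("ALLOW", "IN", "ANY", "TCP", SOULSEEK_PORT, "allow forwarded P2P port")
block_all = Rule("BLOCK", "IN/OUT", "ANY", "ANY", "ANY", "BLOCK and LOG IP any->any")
block_attacker = Rule("BLOCK", "IN/OUT", ATTACKER, "ANY", "ANY", "block attacker")

# The layout the poster described: the new block rule BELOW the catch-all.
rules_below = [allow_soulseek, block_all, block_attacker]
# The layout the reply recommends: the specific block rule at the very top.
rules_top = [block_attacker, allow_soulseek, block_all]

attacker_pkt = Packet("IN", ATTACKER, "TCP", SOULSEEK_PORT)
peer_pkt = Packet("IN", PEER, "TCP", SOULSEEK_PORT)

if __name__ == "__main__":
    for label, rules in (("block rule below catch-all", rules_below),
                         ("block rule on top", rules_top)):
        print(label)
        print("  attacker on P2P port ->", evaluate(rules, attacker_pkt))
        print("  peer on P2P port     ->", evaluate(rules, peer_pkt))
        print("  rules that never fire:", shadowed(rules))
```

With the block rule below the catch-all, the attacker's packets to the forwarded port are allowed by the port rule and the block rule is reported as shadowed; moved to the top it is the first match for that source while the legitimate peer is still allowed.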