My activity log is filling up with inbound policy violations for which access is denied. I assume this is taking up resources and slowing down my internet speed. How do I correct for these violations?
R
If there’s anything I can assume, it’s that CFP is protecting your system by blocking unsolicited incoming connections. The only resource being expended is CPU and the logging in relation to this.
You can upload an edited sample of your log if you want us to examine what they are.
I would like to upload a sample of the log. How do I do it?
Right-click in the Logs window and export to html. You can then edit it by copying and pasting to a file editor like Notepad and blank out your private IP addresses. Most members like to save it as a .txt file. To upload files in this forum, when replying to a post, click on the Additional Options… at the bottom left corner and Attach the chosen file.
Here is a sample of my log file:
[attachment deleted by admin]
I edited your log file to mask your IP. Here’s an overview of what each alert type means:
Severity :Medium
Reporter :Network Monitor
Description:Outbound Policy Violation (Access Denied, ICMP = PORT UNREACHABLE)
Protocol:ICMP Outgoing
Source: x.x.x.164
Destination: 85.178.247.18
Message: PORT UNREACHABLE
Reason: Network Control Rule ID = 6
The ICMP Destination Unreachable (message type 3) is sent back to the originator when an IP packet could not be delivered to the destination address because it couldn’t reach the port from your system to the internet. I get these all the time when I’m p2p’ing, which is normal. You don’t have to, but you can add a NetMon rule to allow these. (Users have noticed a slight speed increase in downloads if they add such rule :))
Severity :Medium
Reporter :Network Monitor
Description:Inbound Policy Violation (Access Denied, ICMP = PORT UNREACHABLE)
Protocol:ICMP Incoming
Source: 87.78.91.228
Destination: x.x.x.164
Message: PORT UNREACHABLE
Reason: Network Control Rule ID = 6
Same as above, only this time the direction is incoming so the other party (think of it as the internet) failed to reach your system’s ports.
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 64.180.29.214, Port = 1755)
Protocol: UDP Incoming
Source: 64.180.29.214:25423
Destination: x.x.x.164:1755
Reason: Network Control Rule ID = 6
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 220.115.132.14, Port = 46956)
Protocol: UDP Incoming
Source: 220.115.132.14:8534
Destination: x.x.x.164:46956
Reason: Network Control Rule ID = 6
These are normal. CFP is protecting your system from incoming connections, which don’t look like they are wanted.
Severity :High
Reporter :Network Monitor
Description: Blocked by Protocol Analysis (Fake or Malformed UDP Packet)
Direction: UDP Incoming
Source: 75.17.15.123:36233
Destination: x.x.x.164:54983
Reason: UDP packet length and the size on the wire(1397 bytes) do not match
Date/Time :2007-03-13 22:47:26
Also normal. I get these quite often for p2p.
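As an added example (not code from the thread or from Comodo), a small Python script that tallies CFP log entries exported as text by alert kind, direction and blocking rule id, which is what the reply above did by hand. The sample entries are constructed in the layout shown above, using documentation-range addresses.

```python
"""Added example (not from the thread): tally Comodo Firewall Pro 2.x Network Monitor
log entries, in the text layout shown above, by alert kind, direction and rule id."""
import re
from collections import Counter

# Constructed sample entries (documentation address ranges), same layout as the thread.
SAMPLE_LOG = """\
Severity :Medium
Description:Inbound Policy Violation (Access Denied, ICMP = PORT UNREACHABLE)
Protocol:ICMP Incoming
Source: 198.51.100.7
Destination: x.x.x.164
Reason: Network Control Rule ID = 6
Severity :High
Description: Blocked by Protocol Analysis (Fake or Malformed UDP Packet)
Direction: UDP Incoming
Source: 192.0.2.55:36233
Destination: x.x.x.164:54983
Reason: UDP packet length and the size on the wire(1397 bytes) do not match
"""

FIELD = re.compile(r"^\s*([\w/ ]+?)\s*:\s*(.*)$")  # matches "Key :value" and "Key: value"
RULE_ID = re.compile(r"Rule ID = (\d+)")

def parse_entries(text):
    """One dict per alert; CFP starts every entry with a Severity line."""
    entries, current = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Severity":
            current = {}
            entries.append(current)
        if current is not None:
            current[key] = value
    return entries

def summarize(entries):
    """Count alerts by (alert kind, direction, Network Control rule id or None)."""
    tally = Counter()
    for e in entries:
        kind = e.get("Description", "").split("(", 1)[0].strip()
        direction = e.get("Protocol") or e.get("Direction", "")  # CFP uses either label
        m = RULE_ID.search(e.get("Reason", ""))
        tally[(kind, direction, int(m.group(1)) if m else None)] += 1
    return tally
```

Run it over a real export (with private addresses masked first) and the most frequent key tells you which rule is doing the blocking and in which direction.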
After your very full reply I apologise for asking for more support. This is a screen print of my Netmon rules.
[attachment deleted by admin]
My post went off before I could comment. I hit return in order to confirm the file to attach. I hope you received the correct attachment showing the netmon rules. I initially chose the file I had previously sent, I then tried to change the attachment and I do not know if I failed.
I wanted to ask:
As I have previously added a rule to allow port 54983, which is the port that Azureus uses, I am wondering what extra rule I should put in, and how to do it.
My PC doesn’t have any text/document graphics filter (only the cheap notepad and wordpad), so I’ll have to check out your attached document file on another machine tomorrow - unless someone else can see it then feel free to comment here. Also, you can modify any of your posts to change what you typed, including your attached files - they can be removed/re-uploaded.
I assume you mean to allow incoming connections to the listening port that you assigned in Azur as 54983? You need to define this in both AppMon and NetMon. The basic template (that I use for uTorrent, but should apply to Azur as well) is:
Action: Allow
Protocol: TCP/UDP
Direction: In
Source IP: Any (other Azu users’ IP addresses)
Destination IP: Any or Your Trusted Network/Zone, whichever applies (your system)
Source Port: Any (other Azu users can use any port, but we don’t need to know and care)
Destination Port: Listening Port you assigned for Azu (i.e. 54983)
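As an added illustration (not code from the thread or from Comodo), a Python model of how an ordered NetMon list is evaluated top-down with the first matching rule winning. The Packet and Rule classes, the rule ids and the listening-port value are assumptions; the list mirrors the template above plus an ICMP allow and a trailing Block IP In/Out rule.

```python
"""Added example (not from the thread): first-match evaluation of an ordered
CFP-style Network Monitor rule list, showing why the default block rule must
stay at the bottom."""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str                      # "TCP", "UDP" or "ICMP"
    direction: str                  # "In" or "Out"
    dst_port: Optional[int] = None  # None for ICMP
    icmp: Optional[str] = None      # ICMP message, e.g. "PORT UNREACHABLE"

@dataclass(frozen=True)
class Rule:
    rule_id: int                    # assumed position-style id, as CFP logs "Rule ID = n"
    action: str                     # "Allow" or "Block"
    protos: tuple                   # e.g. ("TCP", "UDP"); ("IP",) means any protocol
    direction: str                  # "In", "Out" or "In/Out"
    dst_port: Optional[int] = None  # None means any destination port
    icmp: Optional[str] = None      # None means any ICMP message

    def matches(self, p: Packet) -> bool:
        if "IP" not in self.protos and p.proto not in self.protos:
            return False
        if self.direction != "In/Out" and self.direction != p.direction:
            return False
        if self.dst_port is not None and p.dst_port != self.dst_port:
            return False
        return self.icmp is None or self.icmp == p.icmp

LISTEN_PORT = 54983  # the Azureus listening port mentioned in the thread

# Constructed rule list: the template above, an ICMP allow, then the default block.
RULES = [
    Rule(0, "Allow", ("TCP", "UDP"), "In", dst_port=LISTEN_PORT),
    Rule(1, "Allow", ("ICMP",), "In", icmp="PORT UNREACHABLE"),
    Rule(2, "Block", ("IP",), "In/Out"),   # Block IP In/Out: keep this last
]

def evaluate(packet: Packet, rules=RULES):
    """Return (action, rule_id) of the first rule that matches, top-down."""
    for r in rules:
        if r.matches(packet):
            return r.action, r.rule_id
    return "Block", None  # assumption: nothing matched, treat as blocked
```

Moving the block rule to the top makes every packet hit it first, which is the mistake the "keep the default rule at the bottom" advice guards against.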
I think you have guessed correctly. I cannot send you the file as text because I took a screen print of the netmon and pasted it into a file capable of showing graphics.
I already had a rule in my netmon that does as you suggested. However, as soon as I start up Azureus the log fills up mainly with
Inbound Policy Violation (Access Denied, ICMP = PORT UNREACHABLE)
It does not show in the log which port it is trying to reach.
Looking in the connection log, it is showing the port 54983 as being the source port, and seems to be stating that the connection worked.
Azureus also has a number of entries in the Application control rules allowing any destination / port for TCP/UDP in as well as out.
I prefer screenshots as jpg,png,gif,etc. rather than as doc.
You don’t have to allow ICMP port unreachable, but I do in order to increase net traffic speed a bit. The reason why CFP default NetMon rules don’t allow it is probably to keep the “stealth” status, but this is a debatable subject.
You should, if not done already, further restrict your AppMon rules to allow TCP/UDP In only for destination port 54983.
I’ve attached a part of my AppMon and NetMon rules. Notice how there are lots of ICMP. These are specifically to basically speed up my downloads. As always, remember to keep the default rule (Block IP In/Out) at the bottom of your list to block everything else.
[attachment deleted by admin]
I appreciate your help. Thank you.
In your sample netmon you blanked out a port. I assume that in my case it would be my Azureus listening port. Have I guessed correctly?
I attach my revised netmon rules. Please look them over in case I have accidentally undressed my machine.
Since adding the new rules into the netmon as suggested I have only a few violations but I do not know why as they should be covered by the rules. I attach the log.
[attachment deleted by admin]
Firstly, I still can’t see anything in your .doc file even with my other machine today. It’s blank :D.
Wow! Your netmon looks like mine except maybe the port # for my uTorrent vs yours for Azu ;D.
Ok. I see what you mean in your log (the last screenshot). Congrats (:CLP) you’ve reached my level because to this date I still can’t figure out the rule to get rid of ICMP=Unreachable (aside from allowing all ICMP In). There’s no net/port/host unreachable. Just plain generic unreachable. I filed a ticket on Jan 24, but official support hasn’t responded and it’s still on hold (probably still focused on version 3).
Great. At least I have it working at its best. Your help is greatly appreciated.
R
Ok. I deem this “case closed”.(:KWL)
Have you tried this one again, just in case?
https://forums.comodo.com/index.php/topic,2543.msg42268.html#msg42268
Just in case… (after all, sometimes we think things are one way, but they’re actually not… )
LM
What did I just say?
We don’t need to pester PnvUKVtm again. (:TNG)
ICMP Protocol is just one of the 55 codes from ICMP (type 3) that I already tested :o
Wasn’t aimed at PnvUKVtm; was aimed at you.
As I read through the thread you linked, I saw you did not specifically mention that; when Triplejolt did, your response was
Yes. I recall seeing a specific log entry for that, but haven't in a long time. If there's a log entry for ICMP protocol unreachable, then it can't be that rule. Like I stated, I've tried all the Type 3 (unreachables) from 1 to 55.
If you haven’t seen it in a long time, isn’t it even remotely possible that it is related? Isn’t it worth the 42 seconds (+/-) it would take to create & implement that rule? If it doesn’t work, it only takes 2 seconds to remove the rule; if it does, voila!
Here’s a question for you… if you change to Allow All, do you still get that log entry? 'Cause if you don’t, you know what that means…
LM
Ahem.
Yes. ... I've tried all the Type 3 (unreachables) from 1 to 55.
Yes was my answer to Triple’s question about the icmp protocol :P.
Don’t even need to change it to allow all. The Allow ICMP All for Incoming NM rule will do because I logged it before. But taking your old advice into consideration, it’s not “safe” to allow all.