New uPNP Router

This newbie (well, non-IT guy) needs some detailed help.

Old router died. Replaced it with Linksys WRT 54G Wireless. My machine is connected via ethernet cable to router. Now I see several odd behaviors. Live Chat with Linksys rep was unsat in resolving. Basically he told me first of all to get rid of Comodo. Quoting:
“Dionalyn E. (10686): Actually, here’s the thing. The router alone is acting as a firewall. If you will enable another third party firewall on computers, it will only cause conflict and would hamper the connection. Router’s firewall is very strong because this type of firewall is a hardware one. That is why, we don’t recommend using another third party firewall when your devices are network behind the router.” End of quote.

When I told him that Comodo was not CAUSING the issues, only REPORTING them, he blamed Comodo for giving false reports.

In any event, he was not able/willing to even try to resolve the issues.

Here are the 2 problems I am seeing:

  1. Several times a day (typically 4 or 5), my firewall log (Ver 3, build 276, by the way) reports the following event:

"Blocked Windows Operation System UDP from 0.0.0.0 port 68 to 255.255.255.255 port 67"

It seems, from searching the web, that my computer is trying to establish an IP address (even though it already has one). Apparently, since my machine does not know its own IP, it is using 0.0.0.0, and since it does not know the router's addy, it is using 255.255.255.255 (shotgunning). How do I deal with this? Is this a communication that should be blocked? Or should I somehow write a global rule to allow it? If I write a global rule to allow it, am I opening my system up to attack from outside?

  2. I always see (in Firewall/View Active Connections) 12 or more svchost.exe connections as follows:
    TCP Out from 192.168.1.100 (my machine) varying ports (right now 2811 thru 2824) to IP 192.168.1 (my router) port (always) 2869. My research indicates this MIGHT be uPNP on the router, although that makes no sense to me since it is the machine talking to the router, not the other way around. In any event, it is taking system resources and cpu time to keep these connections open. The suggestion has been made to turn off uPNP at the router, which I can do if I have to, but I prefer not to (seems like gelding a stallion). My taskbar CFW icon is a flood of red and green arrows.

(I have already turned off showing uPNP devices on the task bar as recommended somewhere in this forum to ensure that the CFW icon appears in the task bar. Having done that seems to have worked, although I know it may be only coincidental.)

I suppose I could write a global rule to prevent all Outbound TCP connections to router port 2869, but I worry that doing so might cripple the system somehow. I’d prefer to allow standard connections, but I don’t see that I need 10 to 15 of them constantly.

Any advice / solutions will be appreciated. Please bear in mind I am not savvy with firewall rules, so be specific and complete in replies, please.

Thanks in advance

I can’t comment on all but here are my ideas.

Even though you are behind a router with a firewall, a software firewall on your computer is still mandatory for two reasons. A decent firewall, not the XP and Vista firewall, will also monitor outgoing traffic (this may help to detect a nasty on your system), and you may want protection from the other computers in your local network.

The 255.255.255.255 address is, I think, a so-called broadcast address. Nothing to be worried about.

SVHost is the process of Windows that lets you contact networks; when you block svhost in the firewall you will have no internet or network access at all. (:AGY) It will communicate with your router to get DNS server addresses as well as a local IP address, for example. Perfectly normal traffic. The uPnP may add some extra as well.

I don’t mean to hijack the thread, but just yesterday I was looking at the configuration of my WRT54G router. It’s used with an ADSL modem, a hard-wired desktop and my wireless laptop. The computers do not share files, only an internet connection. I’ve set up static IP’s and port forwarded to use µTorrent. I also use Skype from time to time, and am thinking about installing Yamcam Yawcam - Help which also needs open ports and suggested enabling upnp. (I’ll address setting up a Yamcam rule in another thread.)

All said, looking at the router's configuration I disabled upnp. Is this OK? Is it going to affect any of the above?

uPnP is not mandatory if the port forwarding is set up right and you have fixed IP’s set (you already did that). uPnP is there for convenience.

Oh OK, Thanks Eric

Hi tn_yank - Your question about the 0.0.0.0 to 255.255.255.255 connection: it is not necessary since you have a router. The router is almost certainly pre-configured to handle the DHCP and DNS requests that allow it to connect to the internet. You have not had any problems with the connection blocked, so evidently it is not necessary. Your computer does not have the DHCP records to refer to, and so as far as it is concerned, it needs to acquire an IP address. Since the router handles the DHCP details, the connection is unnecessary. This is just my understanding and is a bit foggy on details. I would just ignore the connection attempt.
BTW, you seem to think that you have a static address? Your home network usually has an address range like 192.168.0.0 - 192.168.0.255. This is common to many local networks, and to use the internet you need to acquire a dynamically assigned address, which is what DHCP does.
About the uPNP - you usually don’t need it once your system has been set up. However, if you are adding devices to your network - printers, network attached storage, and so on - it is much simpler to let the UPnP protocol sort out the setup. If you disable it, you may find that you need to re-enable it to use the automatic installation program that comes with any new device that you add later.

Hi tn_yank

if you have the upnp services SSDP Discovery Service and Universal Plug and Play Device Host enabled and set to automatic, then upnp is enabled in WinXP, which is needed if you want to use upnp in your router. 2869 connects when you boot up Windows, but it just listens for any connections. When you launch an app that uses upnp or has upnp enabled in its settings, that's when svchost.exe 1900/2869 establishes a connection.

since you are using CFP 3.0 it will ask you every time if you want to allow the connection if you tick allow without remember me ticked. if you intend on using Upnp then it's best never ticking remember me.

you might want to check Linksys's site; there was a security flaw in their router/s when upnp is enabled, i don’t recall which model router it was. but it would be best checking their site to see if your router is one that's affected and if you have the latest firmware they released already that addresses and fixes that issue.

Regards

Ron

I’m behind a router too.
I have deleted SVHost from network security policy and don’t experience any problems with internet connection (of course firewall is in custom policy mode). So this statement is not always correct.

Thank you, everyone, for your reply and advice.

I have turned “uPnP” off at the router and that has stopped the many open connections between my machine and the router at 192.168.1.1 port 2869. I sorta hated to do that but couldn’t find a way to stop it otherwise (other than a global rule, and that's a whole 'nuther bag 'o worms). The blocked connections in the “Events Log” between 0.0.0.0 and 255.255.255.255 remain.

“Another_One”, I don’t have a static IP addy. I suppose I could make one but haven’t had a lot of luck with LAN connectivity in the past with static addys. As far as uPnP is concerned, I just want guests in my house to be able to log into the router for internet access with their laptops. I don’t have a printer server or storage device. Dunno if uPnP is required to allow whomever (with proper password) to log into the router.

Ron_75, I do (and have had) the 2 services you mentioned running. Re: not ticking “remember me”, would not that result in a flood of “Alert Boxes”? Re: security flaws, you are correct. But (they say) that has been resolved in recent firmware upgrades.

Thanks again all, for replies. BTW, to anyone reading this thread, it is not a problem with Comodo, but with the way Microsoft (and other vendors) write communication code in software.

uPnP allows applications to open and close ports on firewalls and routers. For example MSN Messenger is using it. Part of the p2p clients are capable of using it.

Hi tn_yank

if you have just this block rule (below) in your Global rules then it won’t flood you with alerts if you tick allow without remember me ticked; it will only ask permission to connect whenever you launch an app that requires the upnp service. the other block rule i can’t confirm on since i’ve not been able to get my p2p upnp apps to work correctly with it yet. hope that helps
Block | ICMP | In | From Any IP Address | To Any IP Address | Where Message is ECHO REQUEST

Thanks, Ron_75.

I have written the rule you suggested. Should it be the first or last rule?

I’m still confused though (I did say I’m firewall uneducated). There were 2 separate issues, originally.

One was Firewall Events reporting Blocking UDP 0.0.0.0 port 68 to 255.255.255.255 port 67. It never gave an “alert”; the only way I knew it was happening was by chance looking in Firewall Events. This “Event” continues. Happens about 3-4 times a day.

The second was numerous svchost TCP connections from 192.168.1.1 (various ports) to the router, always to port 2869. This, too, never gave any alerts. Just slowed the system way down from all the open connections. I turned uPnP off in the router setup and all the spurious connections went away. I’d prefer, though, to find a way to stop needless connections (while maintaining needed ones) and keep uPnP active. (In other words, write a rule prohibiting outbound connections to router port 2869, but I suspect I NEED that connection at some times.)

So, in short, I am asking if this new rule you provided will solve either of the 2 mentioned problems. Can I turn uPnP back on with it? And, I’m not sure for which rule I should untick “remember me”.

I tried uploading an image of my rules, but I have not progressed to the ability to do that yet.

Thank you for your patience.

Hi tn_yank,

If Block | ICMP | In | From Any IP Address | To Any IP Address | Where Message is ECHO REQUEST is the only rule you have in Global Rules then you won’t get any needless alerts, and you shouldn’t for within your network either as you can choose to allow them. alerts within your network should generally be safe, unless you're using wireless, then i would suggest it be best setting up WPA or WPA2 encryption in your router.

if you have this block rule Block And Log | IP | In | From Any IP Address | To Any IP Address | Where Protocol is Any within global rules then that is why you are seeing a lot of blocked connections or connection alerts

could you list which block rules you have in your global rules?
and yes, any block rule in global rules has to be last if there are any other rules in there

to set up that rule is quite easy: you can go to Firewall/common task/stealth my ports and choose the second option - Alert me to incoming connections - stealth my ports on a per-case basis -
it will automatically add that rule and remove this block rule Block And Log | IP | In | From Any IP Address | To Any IP Address | Where Protocol is Any if you have it

P.S. yes, when you have that one block rule in global rules that i suggested and have upnp enabled in your router, then whenever you load up Windows svchost.exe on port 2689 will ask to connect. it's safe to click allow without remember me ticked; it will just be one instance of it in the view active connections then, it will show it in listening mode, and the only time you should then get any alert for it is when you run an application that uses upnp to connect, like a peer2peer upnp enabled app or msn messenger, which you can select allow without remember me ticked.
the only reason i choose to select allow with remember me unticked is so that it has to ask me whenever it has to connect and that i can be safe knowing that it cannot connect to anything without having to ask me, you shouldn’t be getting any needless alerts though for not ticking remember me

If you have this global rule:

it’s better when it comes first in the list of your global rules.

BTW, when you choose “alert me to incoming connections” in stealth ports wizard, it places this rule at the top of the list, too.

Hi Ron_75

Here are the global rules:

Allow All Incoming Requests if the Sender Is In [Network]
Allow All Outgoing Requests if the Target Is In [Network]
Allow All Outgoing Requests if The Target is IP In [192.189.1.1 -192.168.1.200]
Allow All Incoming Requests if The Sender is IP In [192.189.1.1 - 192.168.1.200]
Allow IP Out From IP To IP Any Where Protocol Is Any
Allow ICMP In From IP Any To IP Any Where ICMP Message Is FRAGMENTATION NEEDED
Allow ICMP In From IP Any To IP Any Where ICMP Message Is TIME EXCEEDED
Block ICMP In From IP Any To IP Any Where ICMP Message Is ECHO REQUEST
Block and Log IP In From IP Any To IP Any Where Protocol Is Any

Notes:

  1. “Network” of rule 1 and 2 is defined in Firewall/Network Zones as IP In [192.168.1.100 - 192.168.1.150]

  2. The second and 3rd rules (specifying IP addys) are probably redundant. I had made them in order to get my LAN working before I learned to configure the LAN in Stealth Ports Wizard.

  3. Stealth Ports Wizard set to Allow “Network”

And again, the issue is not so much needless (or even needed) alerts, but 15 or so svchost connections out when uPnP is enabled in the router. All those connections had a very noticeable drain on system performance.

My hope is to be able to enable uPnP at the router without the many connections. In the meantime, uPnP remains disabled and the connections are gone. All programs which may need uPnP (such as Windows Live Messenger) seem to function properly, although it may be because they were set up and functioning before I disabled uPnP at the router. I will await your advice and expertise before I change anything.

I do have Wireless set up and am using WPA Personal.
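An added example, not part of this thread and not Comodo's code: a first-match model of tn_yank's global rule list, run against constructed connections matching the two discussed above (the DHCP broadcast from 0.0.0.0:68 to 255.255.255.255:67 and the svchost connection to the router on 2869), to show why the catch-all "Block and Log IP In" rule must stay last. The rule semantics, the sample addresses and the ordering of the abridged list are assumptions for illustration; the real engine may treat special addresses such as 0.0.0.0 differently.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address

@dataclass(frozen=True)
class Conn:                # one connection attempt as the firewall sees it
    direction: str         # "in" or "out"
    proto: str             # "tcp", "udp" or "icmp"
    src: str
    dst: str
    icmp_msg: str = ""     # e.g. "ECHO REQUEST"

@dataclass(frozen=True)
class Rule:                # simplified Comodo-style global rule (assumed semantics)
    action: str            # "allow", "block" or "block+log"
    direction: str = "any"
    proto: str = "any"
    peer: tuple = ("0.0.0.0", "255.255.255.255")  # remote-side address range
    icmp_msg: str = "any"

def matches(rule, c):
    peer = IPv4Address(c.src if c.direction == "in" else c.dst)  # non-local side
    lo, hi = (IPv4Address(x) for x in rule.peer)
    return (rule.direction in ("any", c.direction) and rule.proto in ("any", c.proto)
            and lo <= peer <= hi and rule.icmp_msg in ("any", c.icmp_msg))

def decide(rules, c):
    """First matching rule wins; returns (action, rule index), or ("no-match", -1)."""
    for i, r in enumerate(rules):
        if matches(r, c):
            return r.action, i
    return "no-match", -1

LAN = ("192.168.1.100", "192.168.1.150")  # the "Network" zone defined in the thread
POSTED_RULES = [                           # tn_yank's list, abridged (redundant IP rules dropped)
    Rule("allow", "in", peer=LAN),
    Rule("allow", "out", peer=LAN),
    Rule("allow", "out"),
    Rule("allow", "in", "icmp", icmp_msg="FRAGMENTATION NEEDED"),
    Rule("block", "in", "icmp", icmp_msg="ECHO REQUEST"),
    Rule("block+log", "in"),
]
MISORDERED = [POSTED_RULES[-1]] + POSTED_RULES[:-1]  # catch-all block moved to the top
SAMPLES = {  # constructed connections modelled on the ones described in the thread
    "dhcp_discover_68_to_67": Conn("out", "udp", "0.0.0.0", "255.255.255.255"),
    "upnp_to_router_2869": Conn("out", "tcp", "192.168.1.100", "192.168.1.1"),
    "lan_peer_in": Conn("in", "tcp", "192.168.1.105", "192.168.1.100"),
    "ping_from_wan": Conn("in", "icmp", "203.0.113.9", "192.168.1.100", "ECHO REQUEST"),
}
def classify_all(rules):
    return {name: decide(rules, c)[0] for name, c in SAMPLES.items()}
```

With the posted order, the LAN peer is allowed by rule 1 and only the WAN ping reaches the ICMP block; with the catch-all block first, inbound LAN traffic is logged and blocked before any allow rule is consulted.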