Opening a port for inbound

I have a program called Bonjour that allows me to connect to an airport extreme (Apple wireless router) that acts as a print server.

Essentially, port 5353 needs to be open inbound for Bonjour to see my printer, and I did this before (about a year ago) when I had Comodo firewall.

I ditched Comodo for a while and have gone back to it, and now, without making a rule for that port to be open, Comodo is not blocking it and Bonjour works perfectly.

My question is, why is Comodo allowing this to happen? It SHOULD have port 5353 closed, but obviously it is open (without me allowing it), and it’s not giving me the warm fuzzies!

Thanks for any insight into this.

If the Airport is on the same LAN, and you set up a trusted zone, then all ports are open to it.
It all depends on what Network Monitor rules you have set up.

Thanks for the reply.

The airport is in fact on the same LAN, but I didn’t configure anything in Comodo for the LAN. Does it do it automatically now with Comodo Pro or something? I see in the “add/remove/modify a zone” area that local area network is present. Is that why it’s open?

Drew99GT,

Please look at CFP’s Network Monitor. I’m thinking you will see two rules… One will Allow IP Out from Any to Zone (said Zone will encompass the IP addresses of your LAN) where IP Details are Any. The other will Allow IP In from Zone to Any where IP Details are Any.

This will be why your networked printer is able to connect. At some point, you must have used CFP to define a Trusted Zone/Network; this will add the aforementioned rules to NetMon to allow the network to communicate.

LM

Actually, there is only IP out, no IP in. I never created a trusted zone; the network monitor rules are the default Comodo rules. Plus, the port for Bonjour is TCP/UDP, not IP.

Any other reason why it could be open without me allowing it???

The only other option is that the printer does not actually require an inbound connection (although that would be odd). In that scenario its inbound connection is in response to the outbound request.

I say that is odd because normally (for whatever reason), networked printers seem to constantly scan & ping everybody on the network. Perhaps your interface is a little more sophisticated than the average bear…

LM

IP is a superset of TCP/UDP, i.e., if you are allowing IP then TCP/UDP are allowed as well.

Now, quickly googling Bonjour, it turns out it is actually the Multicast DNS protocol, and it needs (as you stated above) port UDP 5353 open. The twist here is that it needs the port open to multicast address 224.0.0.51. Even if you set up a trusted zone, it should not work.

This leads me to believe that you have CFP set to “Allow all”!!!

If this is the case, then please do the following:

  • Set CFP back to “Custom”
  • Add a trusted zone for the LAN
  • Add a Network Monitor rule:
    ALLOW UDP IN FROM IP 224.0.0.51 TO IP [Any] WHERE SOURCE PORT IS [Any] AND DESTINATION PORT IS 5353
  • Post the Network Monitor rules here …

An Application Monitor rule is probably needed as well, but I am not sure what the “exe” of the Bonjour service is. (It should be listed in Windows services.)
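An added example, written for this thread and not Comodo's code or anything the posters ran, that puts two points from the replies above into runnable form: LM's description of the trusted-zone rules (Allow IP Out to Zone, Allow IP In from Zone) and the point that an "IP" rule is a superset covering TCP and UDP. It is a small first-match evaluator over Network Monitor style rules. The rule sets, the zone 192.168.1.0/24 and the packets are constructed; the default rule set is assumed to be an "allow IP out, block IP in" pair rather than a dump of a real install. The multicast address is the one quoted above (the IANA-registered mDNS group is 224.0.0.251), and the model treats that group as the packet's destination, which is how mDNS queries arrive on the wire.

```python
# Added example for this thread (not Comodo's code): a first-match model of
# Network Monitor rules, used to show why inbound mDNS is dropped by default
# rules, what a permitting UDP rule looks like, and how "IP" covers TCP/UDP.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = None  # wildcard for addresses and ports

# Address as quoted in the thread; the IANA-registered mDNS group is 224.0.0.251.
MDNS_GROUP = "224.0.0.51"
MDNS_PORT = 5353


@dataclass(frozen=True)
class Packet:
    direction: str            # "IN" or "OUT" relative to this host
    protocol: str             # "TCP", "UDP", "ICMP", ...
    src_ip: str
    dst_ip: str
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str               # "ALLOW" or "BLOCK"
    protocol: str             # "IP" (any transport), "TCP", "UDP", "TCP/UDP"
    direction: str            # "IN" or "OUT"
    src: Optional[str] = ANY  # single IP, CIDR zone, or ANY
    dst: Optional[str] = ANY
    src_port: Optional[int] = ANY
    dst_port: Optional[int] = ANY


def _ip_matches(pattern: Optional[str], ip: str) -> bool:
    if pattern is ANY:
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)


def _proto_matches(rule_proto: str, pkt_proto: str) -> bool:
    # "IP" is the superset: it matches every transport protocol carried over IP.
    if rule_proto == "IP":
        return True
    return pkt_proto in rule_proto.split("/")


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and _proto_matches(rule.protocol, pkt.protocol)
            and _ip_matches(rule.src, pkt.src_ip)
            and _ip_matches(rule.dst, pkt.dst_ip)
            and (rule.src_port is ANY or rule.src_port == pkt.src_port)
            and (rule.dst_port is ANY or rule.dst_port == pkt.dst_port))


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Top-down, first matching rule decides; no match means the packet is blocked."""
    for index, rule in enumerate(rules):
        if rule_matches(rule, pkt):
            return rule.action, index
    return "BLOCK", None


# Constructed rule sets (assumed shapes, not a dump of a real CFP install).
DEFAULT_RULES = [
    Rule("ALLOW", "IP", "OUT"),   # Allow IP Out from Any to Any
    Rule("BLOCK", "IP", "IN"),    # Block & Log IP In from Any to Any
]
LAN_ZONE = "192.168.1.0/24"       # assumed trusted zone
TRUSTED_ZONE_RULES = [
    Rule("ALLOW", "IP", "OUT", dst=LAN_ZONE),  # Allow IP Out from Any to Zone
    Rule("ALLOW", "IP", "IN", src=LAN_ZONE),   # Allow IP In from Zone to Any
] + DEFAULT_RULES
# Allow UDP in to the multicast group on the mDNS port, from any source.
MDNS_RULE = Rule("ALLOW", "UDP", "IN", dst=MDNS_GROUP, dst_port=MDNS_PORT)
MDNS_RULES = [MDNS_RULE] + DEFAULT_RULES

# Constructed packets: an mDNS query from a LAN host, a TCP connection from
# a LAN host, and a TCP connection from outside the zone.
MDNS_QUERY = Packet("IN", "UDP", "192.168.1.20", MDNS_GROUP, 5353, 5353)
LAN_TCP = Packet("IN", "TCP", "192.168.1.20", "192.168.1.10", 51234, 445)
OUTSIDE_TCP = Packet("IN", "TCP", "203.0.113.7", "192.168.1.10", 40000, 445)


def scenarios() -> dict:
    return {
        "mdns_default_rules": evaluate(DEFAULT_RULES, MDNS_QUERY)[0],
        "mdns_with_udp_rule": evaluate(MDNS_RULES, MDNS_QUERY)[0],
        "lan_tcp_trusted_zone": evaluate(TRUSTED_ZONE_RULES, LAN_TCP)[0],
        "outside_tcp_trusted_zone": evaluate(TRUSTED_ZONE_RULES, OUTSIDE_TCP)[0],
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:26} -> {verdict}")
```

Running it shows the mDNS query blocked by the default pair (it falls through to the "Block IP In" rule), allowed once the UDP rule sits above that block, and shows the "Allow IP In from Zone" rule admitting a TCP connection from a zone host while the same connection from an address outside the zone is blocked, which is the superset behaviour described above. Because matching is top-down, the permitting rule has to be placed above the blanket "Block IP In" rule to have any effect.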

Nope, it’s always been on custom, and the network monitor rules are exactly the defaults that come with Comodo.

You say you’ve recently reinstalled CFP; what version do you have?

LM