Outbound Policy Violation (Access Denied, ICMP = PORT UNREACHABLE)

Hello,

Is the following normal? It happens every 5 seconds. I tried, from reading another post which referred to Spirit Airlines, to create 2 new rules set to allow ICMP out. The codes added were 37, 38. However, I am still getting the same logged messages every 5 seconds.

Date/Time :2007-01-17 05:23:04
Severity :Medium
Reporter :Network Monitor
Description:Outbound Policy Violation (Access Denied, ICMP = PORT UNREACHABLE)
Protocol:ICMP Outgoing
Source: 220.41.60.70
Destination: 86.106.202.122
Message: PORT UNREACHABLE
Reason: Network Control Rule ID = 9

Date/Time :2007-01-17 05:22:53
Severity :Medium
Reporter :Network Monitor
Description:Outbound Policy Violation (Access Denied, ICMP = PORT UNREACHABLE)
Protocol:ICMP Outgoing
Source: 220.41.60.70
Destination: 218.216.240.130
Message: PORT UNREACHABLE
Reason: Network Control Rule ID = 9

Date/Time :2007-01-17 05:22:53
Severity :Medium
Reporter :Network Monitor
Description:Outbound Policy Violation (Access Denied, ICMP = PORT UNREACHABLE)
Protocol:ICMP Outgoing
Source: 220.41.60.70
Destination: 200.206.179.161
Message: PORT UNREACHABLE
Reason: Network Control Rule ID = 9

Date/Time :2007-01-17 05:22:48
Severity :Medium
Reporter :Network Monitor
Description:Outbound Policy Violation (Access Denied, ICMP = PORT UNREACHABLE)
Protocol:ICMP Outgoing
Source: 220.41.60.70
Destination: 216.36.154.250
Message: PORT UNREACHABLE
Reason: Network Control Rule ID = 9
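
A small triage script for entries in the log format quoted above, added here as an example and not part of the original thread: it parses the entries and counts blocked outbound ICMP events per destination and per rule, with the mean interval between them. The log text is constructed (documentation-range IP addresses), and the function names are this example's own.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample entries in the same field layout as the log above.
TEMPLATE = (
    "Date/Time :{ts}\nSeverity :Medium\nReporter :Network Monitor\n"
    "Description:Outbound Policy Violation (Access Denied, ICMP = PORT UNREACHABLE)\n"
    "Protocol:ICMP Outgoing\nSource: 192.0.2.10\nDestination: {dst}\n"
    "Message: PORT UNREACHABLE\nReason: Network Control Rule ID = 9\n"
)
SAMPLE_LOG = "\n".join(TEMPLATE.format(ts=t, dst=d) for t, d in [
    ("2007-01-17 05:23:04", "198.51.100.7"),
    ("2007-01-17 05:22:53", "203.0.113.20"),
    ("2007-01-17 05:22:53", "198.51.100.7"),
    ("2007-01-17 05:22:48", "203.0.113.99"),
])

def parse_entries(text):
    """Split the log on blank lines; each 'Key :value' line becomes a dict item."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            # Split on the first colon only, so the time of day stays intact.
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if fields:
            entries.append(fields)
    return entries

def summarize(entries):
    """Count denied outbound ICMP events per destination and rule, with timing."""
    blocked = [e for e in entries if e.get("Protocol") == "ICMP Outgoing"
               and "Access Denied" in e.get("Description", "")]
    times = sorted(datetime.strptime(e["Date/Time"], "%Y-%m-%d %H:%M:%S")
                   for e in blocked)
    span = (times[-1] - times[0]).total_seconds() if times else 0.0
    return {
        "events": len(blocked),
        "by_destination": Counter(e["Destination"] for e in blocked),
        "by_rule": Counter(e["Reason"] for e in blocked),
        "span_seconds": span,
        "mean_interval": span / (len(blocked) - 1) if len(blocked) > 1 else None,
    }

if __name__ == "__main__":
    print(summarize(parse_entries(SAMPLE_LOG)))
```
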

I get a few of these types in my log files. But mine resolve to Microsoft domains.

I took the liberty of running a RevDNS on 220.41.60.70. The PTR record returned the domain softbank220041060070.bbtec.net which is based in Tokyo.

I also did the same on the destination 86.106.202.122. There was no DNS A record to be found, so all I can say is this IP is located in Romania. It's either a host in Romania, or it's an open relay.

The next log entry resolves to domain kctv17130.ccnw.ne.jp in the Philippines.

My conclusion is that this is not normal. Also bear in mind that IP spoofing may well be confusing matters. However, the main thing is that the communication is being blocked. I’d have more cause for concern if it wasn’t :wink: As for a solution - run whatever anti-spyware you have (maybe SpyBots or Ad-Aware) and see if that cures the problem.

You get a lot of those if you use a torrent program or similar.

I read your post again, and it sounded like you wanted to allow port unreachable.
The rules in network monitor should look like this in that case.
Remember to move them above the default block rule.

Action : Allow
Protocol : ICMP
Direction : In
Source IP : Any
Destination IP : Zone (your static IP or Any)
ICMP Details : Port Unreachable

Action : Allow
Protocol : ICMP
Direction : Out
Source IP : Zone (your static IP or Any)
Destination IP : Any
ICMP Details : Port Unreachable

This has all happened without any torrent program running. I am in Japan, so the first one doesn’t raise any alarms, but Romania? Philippines? That’s when I started questioning.

They can continue to come until you get a new IP (if you have dynamic IP)…
Even if you have closed your torrent app, if you use one.
It can be something else as well…

I had the same problem with OpenDNS servers 208.67.222.222 and 208.67.220.220. Thanks AOwl for instructions on how to set up the rules to allow them. (:CLP)