Outbound Policy violation

Just installed CPF 2.4.18.184 today using automatic setup. Only change I made was changing the “alert frequency” to “very low”. This is on a Win XP Home SP2 system. It’s a stand alone PC.

I’m seeing an entry in the logs like this:

medium severity from network monitor

desc: outbound policy violation (access denied, ICMP port unreachable
protocol: ICMP outgoing
source: 192.168.1.97
destination: 192.168.1.254
message: port unreachable

I use a DSL connection from Bellsouth.net. I know the destination listed above is Bellsouth. However, I am by no means very knowledgeable about network connections, etc.

Is this something I should be concerned about?

I also am showing a network monitor medium error with “net unreachable” as the message and the source and destination reversed from above.

Ed, my ISP is the same as yours, bellsouth.net. Same thing happens here. I always thought it was my computer talking to my Westell modem. I may be wrong. It happens both in and out, reversing the IPs. I have in the past typed in the IP ending in 254 (don't have it in front of me) in the address bar and a page would come up showing modem info plus various tests you can perform to test your connection etc. Hope this info will be useful. At any rate Comodo logs it; never had any problems in this regard. darth

Hey Ed,

This entry is in the logs because Network Monitor does not by default allow this type of traffic. Any IP address 192.168.x.x is an internal, non-routable address. The last octet being .254 just shows that it is part of the subnet mask, and is likely related to a “keep-alive” ping between computer and router (your modem may have routing capabilities), to ensure, as Opus Dei pointed out, that the client (your computer) is still active on the connection. So that’s some of the techno mumbo-jumbo…

On the real-language side, it is probably not anything to be concerned about.

If you find that after a period of time you’re losing your internet connection without any obvious reason, but a quick “Repair” or a reboot fixes it, you may want to add a simple Network Rule to allow the traffic. To do so, you would simply open Network Monitor, right-click on the very bottom “Block & Log All” rule, select Add/Add Before. Build the rule like this:

Action: Allow
Protocol: ICMP
Direction: Out
Source IP: Any
Destination IP: Any
ICMP Details: Any

If you have no connection issue but the log entries keep coming, you can always add a Network Monitor rule to Block without Logging. You would do it exactly as above, but set it to Block instead of Allow. The position of the rule should be right above that bottom Block & Log All rule.

Some folks are concerned about allowing ICMP traffic for security reasons. Based on reading some technical security info, this really isn’t that big of a risk.

Hope that helps,

LM
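As an added illustration (not part of the thread and not Comodo's own code), the following Python script parses a log entry in the layout quoted above, checks that both addresses are private (RFC 1918) and maps the message text to its ICMP destination-unreachable code, then evaluates the entry against a first-match rule list in the order LM describes: the bottom "Block & Log All" rule alone, the "Allow ICMP Out" rule placed before it, and the "Block without logging" variant. The rule and field names, and the second sample entry with source and destination reversed, are constructed here; it also shows that an outbound-only rule does not match that reversed inbound entry, which the original poster mentions separately.

```python
import ipaddress
from dataclasses import dataclass

# Constructed samples in the same layout as the entries quoted in the thread.
SAMPLE_OUT = """medium severity from network monitor
desc: outbound policy violation (access denied, ICMP port unreachable)
protocol: ICMP outgoing
source: 192.168.1.97
destination: 192.168.1.254
message: port unreachable
"""
SAMPLE_IN = """medium severity from network monitor
desc: inbound policy violation (access denied, ICMP net unreachable)
protocol: ICMP incoming
source: 192.168.1.254
destination: 192.168.1.97
message: net unreachable
"""

# ICMP "Destination Unreachable" is type 3; these code values are from RFC 792.
UNREACHABLE_CODES = {"net unreachable": 0, "host unreachable": 1,
                     "protocol unreachable": 2, "port unreachable": 3}


@dataclass
class Event:
    protocol: str      # e.g. "ICMP"
    direction: str     # "in" or "out"
    source: str
    destination: str
    message: str


def parse_event(text):
    """Turn the 'key: value' lines of one log entry into an Event."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip().lower()] = value.strip()
    proto, _, direction = fields["protocol"].partition(" ")
    direction = {"outgoing": "out", "incoming": "in"}[direction.lower()]
    return Event(proto.upper(), direction, fields["source"],
                 fields["destination"], fields["message"].lower())


def is_private(addr):
    """True for RFC 1918 and other non-routable addresses such as 192.168.x.x."""
    return ipaddress.ip_address(addr).is_private


def icmp_code(event):
    """ICMP type-3 code for the message text, or None if it is not an unreachable."""
    return UNREACHABLE_CODES.get(event.message)


@dataclass
class Rule:
    action: str        # "allow" or "block"
    log: bool          # whether a match is written to the log
    protocol: str = "any"
    direction: str = "any"
    src: str = "any"   # "any" or a CIDR network
    dst: str = "any"

    def matches(self, ev):
        def same(pattern, value):
            return pattern == "any" or pattern.lower() == value.lower()

        def in_net(pattern, addr):
            return pattern == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(pattern)

        return (same(self.protocol, ev.protocol) and same(self.direction, ev.direction)
                and in_net(self.src, ev.source) and in_net(self.dst, ev.destination))


def evaluate(rules, event):
    """First matching rule wins, like the ordered Network Monitor list."""
    for rule in rules:
        if rule.matches(event):
            return rule.action, rule.log
    return "block", True  # no rule matched: treat as blocked and logged


# Constructed rule objects mirroring the rules discussed in the thread.
BLOCK_AND_LOG_ALL = Rule("block", log=True)
ALLOW_ICMP_OUT = Rule("allow", log=False, protocol="ICMP", direction="out")
BLOCK_ICMP_OUT_QUIET = Rule("block", log=False, protocol="ICMP", direction="out")

if __name__ == "__main__":
    for text in (SAMPLE_OUT, SAMPLE_IN):
        ev = parse_event(text)
        print(ev.direction, ev.source, "->", ev.destination,
              "private:", is_private(ev.source) and is_private(ev.destination),
              "icmp type 3 code:", icmp_code(ev))
        print("  default       :", evaluate([BLOCK_AND_LOG_ALL], ev))
        print("  allow before  :", evaluate([ALLOW_ICMP_OUT, BLOCK_AND_LOG_ALL], ev))
        print("  quiet block   :", evaluate([BLOCK_ICMP_OUT_QUIET, BLOCK_AND_LOG_ALL], ev))
```

Running it shows the outbound "port unreachable" entry stop being logged once either added rule sits above "Block & Log All", while the inbound "net unreachable" entry still hits the bottom rule, since both added rules are outbound-only; a rule with Direction set to In (or both) would be needed to cover it.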

Thanks to all for the info. I haven’t had any connectivity problems at all (yet) but may go ahead and take it out of the log. It just clutters things up.

They do tend to clutter things up… If you don’t have any connection issues within a 24-hour period, you’re probably good to go to block w/o logging.

LM