Port madness!

Today, my speeds were starting to slow down considerably.
I closed Azureus and on restarting it, Comodo was asking me if I wanted to allow Azureus on port 6880. (Later on when reloading Azureus, it requested 6880 plus another port number as well.)


http://img522.imageshack.us/img522/2458/screenshot345ju6.th.jpg

I denied it twice and Comodo then made 2 entries into my application monitor, blocking that port.


http://img73.imageshack.us/img73/2006/screenshot346zj5.th.jpg

Consequently, Azureus won’t work until it’s fixed.


http://img408.imageshack.us/img408/3811/screenshot349sb6.th.jpg

I don’t understand. Comodo is configured in app monitor and network monitor for port 52163. Azureus is configured for port 52163. Where did this port 6880 come from?
I deleted all my Azureus rules in Comodo and started over, but the same thing happened when I tried to load Azureus.
Btw, I have made one entry in application monitor to take care of TCP/UDP for both in and out, and one entry in network rules for TCP/UDP for both in and out. Is it important to have one for in and one for out, or is one entry per monitor ok?

At another point (and I can’t remember what I did to get it going), I looked at the activity/connections screen, and amongst multiple entries of port 52163 scrolling down were occasional different ports for Azureus. Should only have been port 52163 showing.

If I accept Comodo’s request for port 6880 and the other port, Azureus loads up fine, but it changes my entries in application monitor by adding a second entry, and changing the port number to ‘any’.

Just to update and clarify a little. I’ve also now got uTorrent installed. It’s working very well with Comodo and doesn’t give me any alerts from Comodo. Here is the way I have it set up and I’ve got Azureus set up the same way. Azureus now uses port 47537 (I changed it but it made no difference).

Application Monitor

C:\Program Files\uTorrent\utorrent.exe

Action:Allow
Protocol: TCP/UDP
Direction: In
Destination IP : Any
Destination Port :59478

Action:Allow
Protocol: TCP/UDP
Direction: Out
Destination IP : Any
Destination Port : Any

Network Monitor:

Action:Allow
Protocol: TCP/UDP
Direction: In/Out
Source IP: Any
Destination IP : Any
Source Port: Any
Destination Port :59478

Ditto everything for Azureus, except Comodo still alerts me to Remote IP 127.0.0.1 Port: 6880 -TCP and then changes my destination port from 47537 to ‘Any’ if I accept.

Anyone?

Azureus needs to be able to connect to any outbound port, but it needs only one inbound port open.

The alert you get when Azureus tries to connect outbound to 127.0.0.1 (loopback address).

I think you should just go ahead and let it connect, or change the TCP/UDP Out from Block to Allow.

"The alert you get when Azureus tries to connect outbound to 127.0.0.1 (loopback address). "
Ah right, it’s an outbound port.

"Azureus needs to be able to connect to any outbound port, but it needs only one inbound port open. "
I believe my setup is already allowing any outbound port and is also set for one inbound port with the destination port number I entered, as per the rules I posted above.

“I think you should just go ahead and let it connect, or change the TCP/UDP Out from Block to Allow.”
I don’t have any TCP/UDP blocked, everything is on allow.

I do accept the 127.0.0.1 but it changes my destination port number in application monitor to ‘Any’. It doesn’t change anything in network rules. Why would an outbound request change my inbound destination port to any?

I’ve also got uTorrent installed now. It did the same thing once and changed my destination port. But now when I load uTorrent, it doesn’t alert me anymore. And once when it alerted me to an IP request, I accepted it and it DIDN’T change the destination port. I’m confused!

For P2P type applications the problems are usually centered around the incoming connections, since these are considered unsolicited & refused unless there is either a matching Network Monitor rule or there is an application actively “listening” on the port in question.

Network Monitor rules are not created or modified by the response to alerts, it is the Application Monitor & Component Monitor rules that are created/modified by alert responses. Network Monitor rules are created manually with the exception of Trusted Zone rules that are created by the Trusted Zone task.

The other thing to realise is that inbound communications pass through the Network Monitor first, whereas outbound communications pass through the Application/Component Monitors first & then fleetingly through the Network Monitor hitting the standard Allow Out Any Any rule (usually the first NM rule), since this is dealt with by the Application/Component Monitor.

Also remember to check CFP’s Log (Activity tab). The log provides a useful diagnostic aid as to what rules are needed & where they are needed, based on the blocks detailed in the log.

Thanks for the reply and explanation. Shall I just leave it as it is with the destination port set in network monitor and leave it as any in application monitor then? It keeps changing my destination port in application monitor to any so I may as well just leave it like that.

Yes, that is probably the best way to handle it… I only say probably since I don’t use these types of apps myself & that is why I didn’t post sooner.

More port madness. Sorry but Comodo is starting to annoy me now. Again, no problems with Windows Firewall.
I cannot get ActiveSync to work with Comodo. I’ve read the Microsoft ActiveSync page and tried to configure Comodo but can’t get it to work. Can someone please tell me exactly how to set up Comodo? I’ve added 2 entries for Wcesmgr.exe (TCP/UDP in, TCP/UDP out), same for Wcescomm.exe, and Rapimgr.exe already had 2 entries there. I’ve added TCP/UDP in/out in network rules, with destination port as 5721 and source port 5679. Obviously this is wrong because it doesn’t connect.

http://www.microsoft.com/windowsmobile/help/activesync/default.mspx

What has been reported in CFP’s Log with regard to ActiveSync?

BTW You don’t have any problems with Windows Firewall because it is completely and utterly useless (and that is being very kind).

Lol, you’re right actually. Windows is only one directional too. I shouldn’t keep mentioning Windows Firewall. I want to keep using Comodo because everywhere I read on the net, Comodo is the numero uno free firewall. It’s just a bit tedious and annoying to get programs blocked that never used to. Then again, I guess I never had such a relentless and meticulous firewall! I need to get past these teething problems. I’ve uploaded an html log (I think that’s what you want?) and a screenshot of the connections screen. Thanks for your time.

LOG:
http://www.uploading.com/en/files/GPJ80INI/comodo.html.html
or
http://f55.uploading.com/c103d0516714544747f2404cce87c00c/46acd8b9/3/47/521/comodo.html


http://img47.imageshack.us/img47/5438/screenshot351nw8.th.jpg

Is the way I set this in network rules correct? Did I do the source and destination ports correctly based on the Microsoft instructions on that page I linked?


http://img50.imageshack.us/img50/2035/screenshot352ug4.th.jpg

I’m still downloading your log as it’s +2MB & I have a slow connection. Since it is very large (everything I assume), then it will take me some time to decipher it & find the relevant ActiveSync entries. I posted a detailed way of posting specific log examples here if you want to speed things up.

Looking at the Network Monitor screen shot you posted (it’s always best to maximize the screen before taking the screen shot btw) & the rule you’ve highlighted (rule 8 )… I’m afraid that it might not work… this is because both the source & destination ports have been specified (src: 5679 & dst: 5721), but the rule is for both IN & OUT. This means that the ports must always be what you stated in both directions at the same time. Usually, that does not happen. You normally need 2 rules (1 for IN & 1 for OUT) so that you can specify the correct port in the correct direction with the opposite port setting set to ANY. Does that make sense?

edit: sorted out the (rule 8) - (rule 8 ) thing + other typos
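A simplified first-match model of the rule problem described in the post above, as an added example that is not part of the original thread and is not Comodo's actual rule engine. The port-to-direction assignment (TCP in to 5721, UDP out from 5679) and the sample packets are assumptions constructed for illustration.

```python
# Simplified first-match packet filter; NOT Comodo's engine, only a model of it.
from dataclasses import dataclass

ANY = None  # wildcard for a port field
TCP_UDP = frozenset({"tcp", "udp"})
IN_OUT = frozenset({"in", "out"})

@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "block"
    protos: frozenset        # protocols the rule covers
    directions: frozenset    # subset of {"in", "out"}
    src_port: object = ANY
    dst_port: object = ANY

    def matches(self, pkt):
        # Every specified field must match at once; ANY matches everything.
        return (pkt["proto"] in self.protos
                and pkt["dir"] in self.directions
                and self.src_port in (ANY, pkt["sport"])
                and self.dst_port in (ANY, pkt["dport"]))

DEFAULT_BLOCK = Rule("block", TCP_UDP, IN_OUT)  # final block-everything rule

def evaluate(rules, pkt):
    """Return the action of the first rule that matches the packet."""
    for rule in rules + [DEFAULT_BLOCK]:
        if rule.matches(pkt):
            return rule.action

# Single IN/OUT rule with both ports pinned (src 5679 and dst 5721).
combined = [Rule("allow", TCP_UDP, IN_OUT, 5679, 5721)]
# Two directional rules, opposite port left as ANY (assumed assignment).
split = [Rule("allow", frozenset({"tcp"}), frozenset({"in"}), ANY, 5721),
         Rule("allow", frozenset({"udp"}), frozenset({"out"}), 5679, ANY)]

# Constructed sample traffic; the ephemeral port numbers are made up.
inbound_sync = {"proto": "tcp", "dir": "in", "sport": 1046, "dport": 5721}
outbound_sync = {"proto": "udp", "dir": "out", "sport": 5679, "dport": 40000}
stray_inbound = {"proto": "tcp", "dir": "in", "sport": 27091, "dport": 6881}

def verdicts(rules):
    """Verdict for each sample packet, in the order defined above."""
    return [evaluate(rules, p)
            for p in (inbound_sync, outbound_sync, stray_inbound)]

if __name__ == "__main__":
    print("combined:", verdicts(combined))
    print("split:   ", verdicts(split))
```

In this model the combined rule never matches either sync packet, because the inbound connection arrives from an ephemeral source port and the outbound datagram goes to an arbitrary destination port, so both fall through to the default block.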

What is the reason for “Azureus.exe” appearing three times in the “Application Rules Control” table?

If only one “Azureus.exe” entry is kept in the “Application Rules Control” table, with the rule “TCP/UDP In/Out”, does it not function?

OK, speed reading your log (I could have easily missed some things… a detailed examination will take a long time) I found these unique log entries (ignoring all the duplicates)…

Date/Time :2007-07-29 19:01:11
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 169.254.2.1, Port = ftp-ssl(990))
Protocol: TCP Incoming
Source: 169.254.2.1:1046
Destination: 169.254.2.2:ftp-ssl(990)
TCP Flags: SYN
Reason: Network Control Rule ID = 9

Date/Time :2007-07-29 18:42:18
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 10.101.48.1, Port = dhcp(68))
Protocol: UDP Incoming
Source: 10.101.48.1:bootp(67)
Destination: 255.255.255.255:dhcp(68)
Reason: Network Control Rule ID = 9

Date/Time :2007-07-29 18:43:15
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 62.65.31.1, Port = 6881)
Protocol: TCP Incoming
Source: 62.65.31.1:27091
Destination: 81.97.219.41:6881
TCP Flags: SYN
Reason: Network Control Rule ID = 9

Date/Time :2007-07-29 18:43:42
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 83.208.232.58, Port = 52163)
Protocol: TCP Incoming
Source: 83.208.232.58:11490
Destination: 81.97.219.41:52163
TCP Flags: SYN
Reason: Network Control Rule ID = 9

Now CFP is blocking all these as unsolicited… they’re all hitting the default block & log rule (rule 9 in your case).

I suspect that we’ll have to do something about the 1000s of ICMP = PORT UNREACHABLE blocks… I suspect these are related to Azureus and/or uTorrent… and they might be breaking them or, at the least, preventing people from either downloading from you or listing what you’re offering.

But, I cannot find anything relating to ports 5721 or 5679… which I assumed were ActiveSync related (not had time to follow the MS link you posted).

Allan, sorry your post confuses me a bit… is it directed at me?

Yeah, makes sense. I just changed my network rules according to your instructions with source port set to 5679 with destination set to ‘any’ on UDP out,
and destination port set to 5721 with source port to ‘any’ on TCP in. Is that right? Here’s the screenshots.


http://img502.imageshack.us/img502/1967/screenshot353fo8.th.jpg


http://img502.imageshack.us/img502/9128/screenshot354pj3.th.jpg

Am I using the right port numbers as mentioned below? I assume I can choose any one of those port numbers as a destination/TCP/In port number, yes? And I assume Outbound UDP is the number to enter for source port?

"ActiveSync also uses the following ports for communication to/from these processes:

Inbound TCP:

990
999
5678
5721 *as a destination port, correct?
26675

Outbound UDP:

5679 * as source port, correct?

edit: forgot to mention, that didn’t work either. Do the rules I entered in application monitor require a destination port number? They’re all set to any. They are all TCP/UDP In. TCP/TCP/Out. Now that I’ve altered the network rules, do you want another html log?

Here is a screenshot of my application monitor. All the rules for ActiveSync can be seen for Wcesmgr.exe, Wcescomm.exe and Rapimgr.exe. I think that covers everything I can think of to show you for now.


http://img165.imageshack.us/img165/189/screenshot355ot6.th.jpg

I am not using Azureus, but I read the post and I had this doubt.

Yes, that looks a lot better… for ActiveSync (AS) at least. But, you might need to create rules for all the AS IN ports… the MS page doesn’t clearly state if they are optional or mandatory. However, let us clear the board (so to speak) & resolve the problem. Firstly clear CFP’s log & do not try to use anything other than AS… avoid the torrents for the time being. This is to give us a clear picture of what happens. Test AS & check the log. Post any unique log entries that you find & let us see what we have.

We will address the other issues (torrents, DHCP, etc…) after we’ve got AS working.

edit: changed OUT to IN. Oops. ;D

Allan

Understood. Yes, those Azureus Application Monitor entries do look odd. We shall check those later after we’ve sorted out AS. Of course, resolving AS might give Roman5 all that he needs (in terms of method) to resolve this himself or to spot what is wrong.