Port Unreachable

Every few minutes I’m getting a ‘port unreachable’ message in the log. Most seem to be coming from the router, but some also from other machines in the local network. All ports are allowed in/out on my local network.

Should I be concerned? Is there a way of tracing what is causing this?

Can you please post a transcript of the logs so we can see exactly what CFP is reporting.

TAI
Ewen :slight_smile:

Here’s an example:

Inbound Policy Violation (Access Denied, IP = 192.168.24.240, Port = 8611)
Description: Inbound Policy Violation (Access Denied, IP = 192.168.24.240, Port = 8611)

Protocol: UDP Incoming
Source: 192.168.24.240:3929

Destination: 255.255.255.255:8611

Reason: Network Control Rule ID = 6

192.168.24.240 is one of the machines on my network.

Inbound Policy Violation (Access Denied, IP = 192.168.136.1, Port = 8611)
Description: Inbound Policy Violation (Access Denied, IP = 192.168.136.1, Port = 8611)

Protocol: UDP Incoming

Source: 192.168.136.1:3933

Destination: 255.255.255.255:8611

Reason: Network Control Rule ID = 6

192.168.24.1 is the router.

Regards
Animal

Ports 8611-8614 TCP/UDP are used by Canon (Printers/Cameras) I believe. With the IP Destination of 255.255.255.255, this is some sort of broadcast coming from 192.168.24.240 going to all systems on the LAN. The question is does your system need/use it? If not, it can be blocked silently to stop it filling up your Log.

My Apologies…

Here is the correct sample!:

Inbound Policy Violation (Access Denied, ICMP = PORT UNREACHABLE)
Description:Inbound Policy Violation (Access Denied, ICMP = PORT UNREACHABLE)
Protocol:ICMP Incoming
Source: 192.168.24.1
Destination: 192.168.24.2
Message: PORT UNREACHABLE
Reason: Network Control Rule ID = 13

So, it’s coming from the router (192.168.24.1) to you (192.168.24.2) & it is unsolicited. I assume that your router is fully functional? Is the router shared? How many other LAN PCs are there? Have you defined a “Trusted Zone” in CFP (Security - Tasks) that includes your (the system with CFP) LAN IP, the router’s LAN IP and any other “trusted” LAN IPs (i.e. systems that have unfettered access to your system)?

Sorry for the barrage of questions. The message is probably nothing to worry about. :slight_smile:

I believe the router is fully functional - not known any problems or issues to date. Been installed for a couple of years.

Yes, the router is shared (5 machines plugged into it).

The other PCs on the LAN vary, but there are usually 5 real machines plus a couple of virtual machines (VMWare).

Yes, there is a trusted zone which covers 192.168.24.0 - 255.

The message is occurring every couple of minutes or so and occasionally one comes from one of the other machines on the LAN.

Regards
-Terry

I may have a clue - I found a similar message to one of the DNS servers…

I think that could be an Outbound Violation, rather than an Inbound. It is usually an ICMP Unreachable going to the DNS. It is a superfluous message that is not needed & the DNS will ignore it anyway. It can be blocked silently to remove its presence from the Log.

So, you think the router is being provoked into sending you this message by another LAN system? I’m not sure why the router would send it to you though… I mean to it you’re an arbitrary IP on a LAN (or does the router know otherwise?). I don’t think it can have come from the Internet, since routers… erm… route Internet traffic to you & the router’s part in it is transparent at this level. Some routers can be updated/controlled on certain ports. I would suspect the router would only talk to your system if your system is talking to it. If a router isn’t doing DHCP or something, they don’t usually volunteer much info… except to route of course. Mind you, that sort of thing is specific to the router & how it’s configured really.

Thanks Kail,

Yes, it’s outbound - here’s a log entry:

Date/Time :2007-06-28 07:19:44
Severity :Medium
Reporter :Network Monitor
Description:Outbound Policy Violation (Access Denied, ICMP = PORT UNREACHABLE)
Protocol:ICMP Outgoing
Source: 192.168.24.2
Destination: 208.67.220.220
Message: PORT UNREACHABLE
Reason: Network Control Rule ID = 13

(I’ve discovered the export as HTML feature :-)).

Happens irregularly, i.e. last night at around 22:00, then twice this morning at 07:10 & 07:20, so not so frequent.

Router does DHCP, though all current machines are hard coded to IP addresses and there is a range of IPs defined for DHCP. It also acts as DNS forwarding any requests to the proper DNS servers. Some of the machines (incl mine) have 208.67.220.220 and 208.67.222.222 as secondary DNS configured.

The messages I’m most concerned about are these:

Date/Time :2007-06-28 07:25:54
Severity :Medium
Reporter :Network Monitor
Description:Inbound Policy Violation (Access Denied, ICMP = PORT UNREACHABLE)
Protocol:ICMP Incoming
Source: 192.168.24.1
Destination: 192.168.24.2
Message: PORT UNREACHABLE
Reason: Network Control Rule ID = 13

As they seem to originate from the router and occur every minute or so.

In the Network Control, I have a rule that allows any TCP/UDP in or out for any machine on the LAN, i.e. 192.168.24.0 to 192.168.24.255.
I have also allowed pings (ICMP in/out Echo Request) between LAN machines.

Unfortunately I am working blind as I have no idea what the difference is between TCP, UDP and ICMP, nor do I know what ports are for what (well, I know a little - very dangerous :-)).

I’m perhaps being a little paranoid as the router has a decent firewall with all ports blocked and ignores pings from the outside world. Seems to pass security tests pretty well.

Would like to know what this traffic is though…

Regards
Animal

OK, on the Outbound violation to the DNS. Usually, from other cases, they are frequent & don’t appear to be to any specific schedule. I mention this only because yours seem to be a little different. Not so frequent & appear to run to a rough schedule. Could be something on your system… Windows Updates, Time-Sync,… etc… that is provoking it. Wild guess, not certain. They could be nothing as I first said.

:slight_smile: Yes, HTML export Log… is much easier.

Now, what concerns you…

TCP, UDP, ICMP, etc… are all different Communication Protocols that your system/LAN uses. You don’t really need to worry about them too much, other than that they exist & are methods of communicating. CFP will always say which protocol it is talking about if it is relevant.

All the LAN IPs in the message are in your Trusted Zone & yet the Log entry clearly states that rule 13 is the trigger. Based on your previous postings, rule 13 must be your Final Block & Log rule. It stops any unsolicited (not asked for) traffic. But, to get to Rule 13 it would have had to drop through your Trusted Zone rules first & not trigger them. Can you post a screen shot of your Network Monitor rules with the screen maximized & the Inbound Trusted Zone rule selected. Thanks.
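As an added example (not code from the thread, from CFP or from Comodo), the following Python script parses log entries in the format quoted in this thread and sorts them into the three kinds discussed: the UDP broadcast to 255.255.255.255, the outbound ICMP Port Unreachable to a DNS server, and the inbound one from the router. It also models the two LAN rules Terry described (any TCP/UDP, and ICMP Echo Request, between 192.168.24.x hosts) to show why an ICMP Port Unreachable between two trusted addresses is not matched by them and so reaches the final block-and-log rule. The sample entries are copied from the thread; the label names, the helper names and the /24 mask used for the Trusted Zone are assumptions of the example. One protocol fact the triage rests on: a Port Unreachable is emitted by the host that received a UDP datagram on a port where nothing is listening, so an inbound one from 192.168.24.1 means this PC sent UDP to the router, and an outbound one to 208.67.220.220 means a datagram from that server (typically a DNS reply arriving after the resolver had already closed its port) reached this PC.

```python
"""Triage of CFP "Policy Violation" log entries. Added example, not code from the
thread or from Comodo; the sample entries are copied from the thread, while the
labels, helper names and the /24 for the poster's Trusted Zone are assumptions."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional
TRUSTED_ZONE = ipaddress.ip_network("192.168.24.0/24")  # poster: "192.168.24.0 - 255"

# Entries as exported from the CFP log (copied from the thread); a blank line ends an entry.
SAMPLE_LOG = """\
Description: Inbound Policy Violation (Access Denied, IP = 192.168.24.240, Port = 8611)
Protocol: UDP Incoming
Source: 192.168.24.240:3929
Destination: 255.255.255.255:8611
Reason: Network Control Rule ID = 6

Date/Time :2007-06-28 07:19:44
Severity :Medium
Description:Outbound Policy Violation (Access Denied, ICMP = PORT UNREACHABLE)
Protocol:ICMP Outgoing
Source: 192.168.24.2
Destination: 208.67.220.220
Message: PORT UNREACHABLE
Reason: Network Control Rule ID = 13

Date/Time :2007-06-28 07:25:54
Description:Inbound Policy Violation (Access Denied, ICMP = PORT UNREACHABLE)
Protocol:ICMP Incoming
Source: 192.168.24.1
Destination: 192.168.24.2
Message: PORT UNREACHABLE
Reason: Network Control Rule ID = 13
"""

FIELD_RE = re.compile(r"^([A-Za-z/ ]+?)\s*:\s*(.*)$")  # "Key: v", "Key:v" and "Key :v" all occur
TEXT_FIELDS = {"date/time": "timestamp", "description": "description", "protocol": "protocol", "message": "message"}

@dataclass
class Entry:
    timestamp: str = ""
    description: str = ""
    protocol: str = ""            # e.g. "UDP Incoming", "ICMP Outgoing"
    source_ip: str = ""
    source_port: Optional[int] = None
    dest_ip: str = ""
    dest_port: Optional[int] = None
    message: str = ""             # ICMP message text, e.g. "PORT UNREACHABLE"
    rule_id: Optional[int] = None

def parse_entry(block: str) -> Entry:
    e = Entry()
    for line in block.splitlines():
        m = FIELD_RE.match(line.strip())
        if not m:                 # repeated header line or unknown layout: skip it
            continue
        key, value = m.group(1).strip().lower(), m.group(2).strip()
        if key in TEXT_FIELDS:
            setattr(e, TEXT_FIELDS[key], value)
        elif key in ("source", "destination"):   # "ip" or "ip:port" (IPv4, as in the export)
            ip, _, port = value.partition(":")
            prefix = "source" if key == "source" else "dest"
            setattr(e, prefix + "_ip", ip.strip())
            setattr(e, prefix + "_port", int(port) if port.strip().isdigit() else None)
        elif key == "reason":
            rm = re.search(r"Rule ID\s*=\s*(\d+)", value)
            e.rule_id = int(rm.group(1)) if rm else None
    return e

def parse_entries(text: str):
    return [parse_entry(b) for b in re.split(r"\n\s*\n", text.strip()) if b.strip()]

def in_zone(ip: str) -> bool:
    return bool(ip) and ipaddress.ip_address(ip) in TRUSTED_ZONE

def classify(e: Entry) -> str:
    """Assumed labels. A Port Unreachable comes from the host that received a UDP
    datagram on a closed port, so its direction says who sent the datagram."""
    proto = e.protocol.upper()
    inbound = "INCOMING" in proto
    if proto.startswith("UDP") and e.dest_ip == "255.255.255.255":
        return "lan-broadcast"                  # announcement to every host; noise if unused
    if proto.startswith("ICMP") and e.message.upper() == "PORT UNREACHABLE":
        if not inbound and not in_zone(e.dest_ip):
            return "late-reply-to-remote"       # this PC rejected a stray datagram (e.g. a late DNS answer)
        if inbound and in_zone(e.source_ip):
            return "lan-host-rejected-our-udp"  # that LAN host got UDP from this PC on a closed port
        return "icmp-unreachable-other"
    return "other"

def allowed_by_posted_rules(e: Entry) -> bool:
    """Model of the poster's LAN allow rules: any TCP/UDP between zone hosts, and ICMP
    Echo Request between them. Anything else drops through to the final block-and-log rule."""
    proto = e.protocol.upper().split()[0] if e.protocol else ""
    lan = in_zone(e.source_ip) and in_zone(e.dest_ip)
    if proto in ("TCP", "UDP"):
        return lan
    return proto == "ICMP" and lan and e.message.upper() == "ECHO REQUEST"

if __name__ == "__main__":
    for e in parse_entries(SAMPLE_LOG):
        print(f"{e.timestamp or '-':19} {e.protocol:14} {e.source_ip:>15} -> {e.dest_ip:<15} "
              f"rule={e.rule_id} {classify(e):26} allowed_by_lan_rules={allowed_by_posted_rules(e)}")
```

Run as a script it prints one line per entry; the text of an exported log can be pasted in place of SAMPLE_LOG. The `allowed_by_lan_rules=False` on the last entry is the point Kail raises: a TCP/UDP rule and an Echo Request rule do not cover an ICMP Port Unreachable, so it falls to rule 13 even though both addresses are in the Trusted Zone.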