sites blocked, need a little help.

techdunce · July 3, 2009, 12:37am

Hello, Im having ongoing trouble accessing some sites, and am all out of ideas, dont mind saying (and not for the first time ) Firewall’s defeat me. Am posting screenshots, the first one is the “Events” which all relate to being blocked from “rapidshare.com”, and the next two are “all” my rules. Im hoping someone can spot what or where the “Block” is originating from, or failing that, maybe even eliminate the Firewall from the equation.Thanks again, Techdunce

[attachment deleted by admin]

kail · July 3, 2009, 12:49am

The IGMP blocks on 224.0.0.1 will not be the cause of this. Are there any other types of block messages in the event logs? Make the window bigger before you take a picture. thanks. Also what happens when you try to access the site? What message do you get?

techdunce · July 3, 2009, 12:57am

Hello Kail, and thanks for the quick reply. The times in event log match exactly the time I hit the enter button to browse to the site, or sites, could something else be blocking me, and Comodo is just logging it, or am I way off the mark. Here’s another screenshot, slightly larger ;D and thanks again, Techdunce Oops, forgot to tell error messages. “Message contains no data” is just one, Firefox couldnt find server, Timed out etc etc, Ive seen them all at this stage, but nothing consistent, different messages all the time, thanks again, Techdunce

[attachment deleted by admin]

system · July 3, 2009, 1:15am

H, I merged the topics as they are about the same issue.

I assume your router is at 192.168.1.1 and your IP address is 192.168.1.33?

The 224.0.0.1 are simple anouncements from your router and likely nothing to do with your problem.

Did you create the rule for svchost. exe that I suggested?

techdunce · July 3, 2009, 1:23am

Hello again Toggie, your assumptions about my IP address (and router) are correct. I did create the rule you mentioned, but in an effort to solve this issue, I just backed up to a week old Ghost image, recreated rules,(didnt back them up before hand >:( ) and now that you remind me, will recreate the svchost rule. But the rule did exist when I reverted to Ghost, so that not the prime cause, but apologies for confusion, and no problem with the merged post. Thanks again for help, Techdunce

EDIT: Rule created, still having trouble, but at least all rules are back in order. Thanks again, Techdunce

system · July 3, 2009, 1:36am

One thing I do notice is hat firefox is trying to query DNS using TCP, which, while valid in some rare circumstances, is a potential problem.

Make sure your svchost rules and your rule for firefox are correct. In most normal situations DNS queries are performed via UDP on port 53.

techdunce · July 3, 2009, 1:41am

Hello again, the rule for Firefox is “custom, Browser” and svchost is “custom, outgoing”, not sure how to modify after that, how would I correct this behaviour, thanks again for assistance, Techdunce

P.S. Should mention, Im not completely blocked, its intermittent, but the majority of attempts do get blocked, just worth mentioning. Can reboot to get site open, but this doesnt always work, really annoying, also, could that behaviour from Firefox be the cause of this issue, or is it something else in your opinion.

EDIT: Its 3AM here Toggie, so am gonna get some sleep, maybe “defrag” my head will definitely check back here ASAP, in the meantime, thanks for sticking with it, Techdunce

system · July 3, 2009, 8:52am

What we really need to see are the ‘real’ block logs. The Windows Operating System 224.0.0.1 items are not a real problem.

techdunce · July 3, 2009, 9:06am

Morning Toggie, Im not sure what you mean, but in order to get to the bottom of this, I’ll post any logs you can think to ask for. When you say “real logs”, what am I missing. Thanks again, Techdunce

system · July 3, 2009, 9:23am

Hi, sorry that was a bit vague. What I meant to say was, we need to try and identify what is causing these seizures, to do that we need information. I’m hoping we may be able to get that from the logs.

Try this for me, create a global rule

Block and DON’T LOG IP In
Source = ANY
Destination = ANY
IP Details = IGMP

This should stop all the extraneous stuff we don’t need to see.

techdunce · July 3, 2009, 9:57am

Hello again, here’s a screenshot of the new rule, I also took a look at logs in Router Firewall, but it wasnt set up to log much, as you’ll see, logs refer to 2000, long before my ineterest in computers. Thanks again.
P.S. Ive been on to my ISP and they had some reports of issues trying to access"Ebay" but nothing else (they’re looking into it) however nothing about sites Im having trouble with, and I can access ebay no problem. Help is great, thanks again, Techdunce

[attachment deleted by admin]

techdunce · July 3, 2009, 10:04am

Ok, after making new rule, tried to access rapidshare to see events, funnily enough, I accessed it this time, like busses isnt it, never when you need em ;D but tried another site Im having lots of trouble with, couldnt access it, and event logs didnt change, so the new rule (I think) is having the desired effect. Thanks again, Techdunce

system · July 3, 2009, 10:12am

but tried another site Im having lots of trouble with, couldnt access it, and event logs didnt change, so the new rule (I think) is having the desired effect. Thanks again, Techdunce Smiley

Does that mean it’s filtering out all the 224 entries but not logging anything else?

techdunce · July 3, 2009, 10:21am

Here’s a new screenshot, it does seem to logging some events, the two topmost are new, the third event from the top was created just before new rule. So, I think it is filtering out “224” and still logging other events

[attachment deleted by admin]

system · July 3, 2009, 10:48am

Well one thing that’s immediately apparent from that screen shot, is the destination port firefox is trying to connect to, 843?

The standard browser rule only allows connections to 80, 443 and 8080. If you wish to connect to non standard ports you will have to add them to your ‘My Port Sets’ under HTTP ports.

techdunce · July 3, 2009, 10:58am

Hello, Im not sure what you mean by “non standard ports”, am I right in thinking the site Im trying to access is non standard, and if I make that rule the problem might go away, would this explain why I can sometimes gain access, also, is it safe to make this rule. Hope you’ll forgive my lack of knowledge in this area,thanks again,Techdunce

EDIT: Just created a rule for port 843, still no access, worth a try though, Techdunce

system · July 3, 2009, 11:25am

Web browsers typically use (HTTP) TCP port 80 and (HTTPS) TCP port 443 for connectivity. Some local proxies use port 8080. Anything other that that is considered non standard. Typically if a site uses a non standard port, they have good reason for doing so, and those reasons may not always be good.

I just tried to connect to that site and it failed, even though it responds to a ping. I’d suggest it’s a problem with the site.

techdunce · July 3, 2009, 11:57am

Well Toggie, if you too are having trouble accessing it, then that makes me feel a little better (if you know what I mean )As far as rapidshare goes, Im able to access it at the moment, but thats fairly normal with this issue, I can gain access at first, then nothing. Will keep you posted if connection fails again. Thanks once again, really appreciate your efforts with this, Techdunce

EDIT: Yep, blocked again, rapidshare, giveawayoftheday.com, nothing in logs, really annoying
Error message is “document contains no data”. Is the new rule stopping this event being logged, Ive had a look windows “event viewer” and can find nothing related, at least as far as I can tell, Techdunce

Citizen_K · July 3, 2009, 1:47pm

How did you make the rule for port 843?

My suggestion would be to add a rule to the FF rule to allow TCP outgoing traffic om port 843.

Here is the drill. Double click on the FF rule and change to Custom. Choose use custom olicy → Copy from → Copy from predefine security policies → web brower → Add → now fill in the following:
Action: Allow
Direction: In
Protocol: TCP
Description: Allow outgoing on TCP 843
Source Address: Any
Destination Address: Any
Source Port: Any
Destination Port: 843

Then push Apply to add the rule. The rule will be added under the basic block rule (with the red icon). Drag the rule somewhere above the block rule. Now ok and apply your way back to the main screen.

Now try accessing the site again. When the problems persists. Look at the time the problem occurs and show us the Firewall log of around the time you are accessing the site.

Also give us the url of the site that is giving problems. Does the same thing happen when using another browser?

techdunce · July 3, 2009, 4:08pm

Hello ErichJH, 1) I originally made the rule in “My port sets”, (didnt know any better) but have just now followed your lead, and created rule accordingly.
2)Tried accessing site, with no luck, nor has Firewall event logs changed since I made the new global rule earlier.
3) The URL of the sites Im having trouble are numerous, but “rapidshare.com” is one, and “booktraining.net” is another. Have tried typing URL’s in address bar, have tried from links and bookmarks, all with no luck. This problem started a while back, and at first was just an odd glitch, but has progressed into something much worse now. Had trouble accessing yahoo mail earlier, just another example. Posting new screenshots of new global rule, Firefox error message, although in FF case, its just one of many(document contains no data etc) and the rule you advised. Thanks again for help, much appreciated, Techdunce

[attachment deleted by admin]