[SOLVED!] What is wrong with my firewall?

Hi again,

https://forums.comodo.com/firewall-help/firewall-blocks-several-times-about-600-t50247.0.html

In this topic, I blocked some attacks or whatever like this from an IP in my country. Following the advice, I set the Network Security Policy for svchost.exe to Outgoing Only. But nothing happened. I saw some IPs from the same area in my Active Connections as UDP OUT. It is from my router to the stated IP. (1-2 bytes Out and 2-3 bytes In).

I did some settings and set svchost.exe as Outgoing Only. But how is this still able to connect to my computer? Did I do something wrong? My Defense and Firewall settings are like this:

https://forums.comodo.com/defense-guides/setting-up-defense-for-maximum-security-t30473.0.html
https://forums.comodo.com/firewall-guides/setting-up-firewall-for-maximum-security-t30535.0.html

I don’t want to share anything else with strangers! What should I do right now?

How have you set System and WOS?

What kind of incoming traffic is it?
Can you post your global rules and rules for System and WOS?

How have you set System and WOS?

  • It is like default. I didn’t touch anything except svchost.exe (I set it as Outgoing Only).

What kind of incoming traffic is it?

  • Okay, I'll try to explain it. I looked at my firewall block log and saw there is an IP starting with 78.172.X.X. The firewall blocked this IP about 10 times. (Type UDP, destination is 192.168.X.X; I think it is my local area.)
    After that I looked at the outbound connection(s) and saw the same IP there, like this:
Protocol: svchost.exe - UDP OUT
Source: 192.168.X.X:Port
Destination: 78.172.X.X:Port (it is 78.172.239.63 when I looked.)
Bytes In: 2-3 KB
Bytes Out: 4-5 KB

I can’t remember what the ports are, but they may be like 53962 for mine, 61309 for this IP/stranger.

Can you post your global rules and rules for System and WOS?

  • Of course I can, here they are:

For System:

Allow IP Out From IP Any To IP Any Where Protocol Is IGMP
Allow UDP Out From IP Any To IP Any Where Source Port Is Any And Destination Port Is Any

I can’t find Windows Operating System.

Any other questions you want to know?

I would recommend setting svchost.exe to TCP Out Port 80 and 443, UDP Out Port 53, and LAN if you want.
Make a block-all rule with logging, and then this will be blocked.

You can add System and WOS in network security policies and block them both, or use the Stealth port wizard.

I would recommend blocking the IGMP protocol; normally this is not necessary for the Internet. I would also remove the UDP out rule. Make your rules more specific to what the apps really need to get to the internet.

It doesn’t seem that there is any inbound traffic.

You can check your Ports here: pcflank.com , http://port-scan.de/index2.php , http://nmap-online.com/ (make a custom scan, and let all ports scan, take a look at the options).
I think that all ports of your PC are closed.

The IP address 78.187.125.241 is part of Turk Telecom:

inetnum: 78.187.120.0 - 78.187.127.255
netname: TurkTelekom
descr: TT ADSL-TTnet-meteksan static_ulus
country: tr
Is that your provider?

The IP address 81.6.95.136 is part of Vodafone Turkey

inetnum: 78.187.120.0 - 78.187.127.255
netname: TurkTelekom
descr: TT ADSL-TTnet-meteksan static_ulus
country: tr
Does that ring a bell?

The IP address 65.55.158.80 is from Microsoft. It is most likely related to Windows Update.

What type of connection are you on?

Thanks for your interest. Let me understand this. What are these ports and why only these ones?
After that, what do you suggest for the System or WOS rules? Could you write it clearly? How do I block the IGMP protocol, and why? How can I make UDP out specific?
Thanks again adioz86. I’m not very professional at these things.

And one more thing, you said: "It doesn’t seem that there is any inbound traffic."
Does that mean there are no strangers on my system and never will be? (Because I don’t have any inbound traffic.)

Sorry for the writing errors.

Hi EricJH, yeah it is my provider, Turk Telecom. But I live in Istanbul, this IP address is coming from Ankara and the last ones from Izmir. The other part of my country?

I know about 65.55.158.80, it is from Microsoft. I never use any Vodafone product, so it doesn’t bother me? If you wish, I can list all of the other IP addresses here. Do you want them?

And my connection type is… ADSL, provider is Turk Telecom.

What are the DNS servers for your provider? Go to Start → Run → type in cmd → enter → type ipconfig /all → enter. What DNS servers does it state?

Regarding the Vodafone IP address. Do you have software installed for a cell phone that is on the Vodafone network?

No, I don’t use any Vodafone products.

The other question you have asked, it is in my language, how can I translate it? :frowning:
And there is nothing with DNS except 192.168.1.2.

What should I do? Following adioz86’s opinion, should I set System as Outgoing Only too?

You should set System and WOS as blocked in network security policies. Go to Firewall → advanced → network security policies → add → choose active process → on the top are WOS and System.
In network security policies you can also change the port ruleset for every app.
You can change the sensitivity of your firewall here: Firewall → advanced → Firewall behavior settings → alert settings. I have set it to high and checked all boxes except ICS, because then you will get an alert for every port for every app and every protocol. Most apps just need TCP Out Port 80/443.

You should remove the UDP Out rule in global rules and set the IGMP rule just to block.
Normally just svchost.exe at Port 53 needs UDP for name resolution. Some games also need UDP; these rules you will find while searching in Google. I would not recommend setting all apps to use UDP out.
I think that there is no one on your system.
Have you tested port scanning? This should tell you which ports are open.

Hi again,

As you said, I did it like this:

Network Security Policies → System, as Blocked Application "Block All Incoming and Outgoing Requests"

Network Security Policies → WOS, as Blocked Application "Block All Incoming and Outgoing Requests"

Network Security Policies → svchost.exe, as Custom "Block and Log All Unmatching Requests", "Allow UDP Out From IP Any to IP Any Where Source Port Is 53 and Destination Port Is 53", "Allow TCP Out From IP Any to IP Any Where Source Port is 80 and 443 and Destination Port Is 80 and 443"

Firewall Behaviour Settings → Alert Settings, as High. I checked all the boxes except "This computer is an internet connection gateway (i.e. an ICS Server)".

Any other things I have to do?

Your settings are wrong. I meant:
UDP Out IP any to IP any Source: any Remote: 53
TCP Out IP any to IP any Source: any Destination: 443
TCP Out IP any to IP any Source: any Destination: 80
The block and log rule must be moved under all other rules, else everything will be blocked.

Okay, I edited the rules for svchost.exe as:

Block and Log All Unmatching Rules
Allow and Log UDP Out From IP Any to IP Any Where Source Port Is Any And Destination Port Is 53
Allow and Log TCP Out From IP Any to IP Any Where Source Port Is Any And Destination Port Is 80
Allow and Log TCP Out From IP Any to IP Any Where Source Port Is Any And Destination Port Is 443

And for the port scan, I did it and the result is: all ports are stealthed. No open ports. Should I add anything else? What do you think about other applications and rules?

Oh, sorry for the second post, but after doing as you said adioz86, I can’t connect to the internet…
So I switched back to Outgoing Only mode.
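
The rule-order problem from the posts above, as an added example that is not part of the original thread and is not Comodo's code: a simplified first-match evaluator run over the svchost.exe rule list as posted and with the block rule moved to the bottom. It assumes rules are checked top to bottom, the first match decides, and unmatched traffic is denied; the sample traffic is constructed.

```python
# Added example: simplified first-match rule model (an assumption, not Comodo's engine).
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "block"
    proto: Optional[str] = None      # None matches any protocol
    dst_port: Optional[int] = None   # None matches any destination port

    def matches(self, proto, dst_port):
        return (self.proto in (None, proto)
                and self.dst_port in (None, dst_port))


def evaluate(rules, proto, dst_port):
    """Return (action, index of deciding rule); rules are checked top to bottom."""
    for i, rule in enumerate(rules):
        if rule.matches(proto, dst_port):
            return rule.action, i
    return "block", None  # nothing matched: default deny (assumption)


def shadowed(rules):
    """Indexes of rules that can never fire because a match-all rule sits above them."""
    for i, rule in enumerate(rules):
        if rule.proto is None and rule.dst_port is None:
            return list(range(i + 1, len(rules)))
    return []


BLOCK_ALL = Rule("block")
ALLOWS = [Rule("allow", "UDP", 53), Rule("allow", "TCP", 80), Rule("allow", "TCP", 443)]
AS_POSTED = [BLOCK_ALL] + ALLOWS   # order listed in the post above
REORDERED = ALLOWS + [BLOCK_ALL]   # block rule moved under all other rules

# Constructed outbound svchost.exe traffic: (label, protocol, destination port)
SAMPLES = [("DNS", "UDP", 53), ("HTTP", "TCP", 80), ("HTTPS", "TCP", 443),
           ("UDP to peer high port", "UDP", 61309)]


def report(rules):
    return {label: evaluate(rules, proto, port)[0] for label, proto, port in SAMPLES}


if __name__ == "__main__":
    for name, rules in (("as posted", AS_POSTED), ("reordered", REORDERED)):
        print(name, report(rules), "shadowed rules:", shadowed(rules))
```
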

Hi again, thanks to everyone who helped me so far. I tracked the IP addresses. And now I see they are coming from Live Messenger.

In Live Messenger, if I talk with someone, their IP comes to me in svchost.exe as UDP Out, in msnmsgr.exe as TCP Out. I saw this today (nearly 5-10 minutes ago). I had talked to only one person, and told her/him, please go there and write your IP number. And the IP addresses match each other. I think this is not an IP attack or something like this? Am I wrong?

Thanks to Comodo for everything. :slight_smile:

Do you use a router?
If it is like this, then you need an additional outgoing rule for svchost.exe: UDP Out IP any Dest. Port: 67

No, I do not use any router. Thanks adioz86 for your nice helping interest. :wink: