I noticed a single Firewall Event blocked in CIS v5.12.256249.2599: Windows Operating System ICMP type 3 code 3 - Port Unreachable - from NIC zone to DNS IP address. The IP address is an item in [DNS] network zone. This has me puzzled: not only why the foregoing was trapped - per the below defined rules - but what actually precipitated this in the first place.
Windows Operating System is permitted ICMP out from in [NIC] to in [DNS] where ICMP message is PORT UNREACHABLE
Global Rules perimeter allows ICMP out from in [NIC] to in [DNS] where ICMP message is PORT UNREACHABLE
I allow the following ICMP inbound from MAC any to in [NIC] ICMP messages: TIME EXCEEDED, 11.1, FRAGMENTATION NEEDED, HOST UNREACHABLE; ICMP in from in [modem] to in [NIC] ICMP message NET UNREACHABLE & ICMP in from in [CIS] to in [NIC] ICMP message 3.10 are also allowed.
All ICMP out is restricted to specifically to PORT UNREACHABLE to 4 specific network zones (three CIS determinant server IP addresses and DNS IP).
All other ICMP inbound is blocked & logged. No undefined ICMP traffic was logged either in / outbound.
Aforementioned rules are parallelized betwixt Windows Operating System & Global Rules.
Explicit defined file-group, i.e. DNS, is allowed UDP out from in [NIC] to in [DNS] source port Any destination port 53. No undefined UDP traffic was logged.
Except for a web-page open - stateless condition - no application would’ve solicited DNS resolution at that time; web-browser obviously is an item in the DNS file-group, but its traffic is restricted to only well known http ports, i.e., 80, 81, 443, 8080; also Adobe RTMP, i.e., 834, 1945; also Yahoo web-mail specific ports, i.e., 5050, 843. However, that notwithstanding, nevertheless, and whatnot, the stateless condition of the web-page open at the time required no DNS resolution whatsoever. IOW, the browser was open, but no script driven-refresh present, neither advertisments nor was any user activity occuring, i.e., the session was in all actuality idle for several hours prior and after the blocked ICMP at issue.
The only wrinkle in the oinkment is TCP out from in [NIC] to in [DNS] source port Any destination port 53; SVCHost is the only app allowed that latitude.
I’m perplexed.
EDIT: thread title changed to reflect additional info glommed from inter-webs.