Something interesting in firewall logs, ICMP blocks.

Hello, in the last few days I checked my firewall logs and saw there is something blocked by CFP; the protocol is ICMP. I checked all the forum topics about ICMP and its types, but couldn’t find the same problem, so I want to open a topic.

My Comodo settings are like Kyle’s suggestions in the Guides section. I didn’t touch any global rules. I made some application rules as Outgoing Only, like System and Svchost. I don’t use a wireless router/modem and I use my ISP’s DNS. I don’t use any P2P programs like torrents.

I checked my firewall logs and saw there is an IP that is blocked several times over several days. Not every day; on some days, and only sometimes.

Application: Windows Operating System
Action: Blocked
Protocol: ICMP
Source IP: An IP the same ISP as me.
Source Port: Type(3)
Destination IP: My localhost
Destination Port: Type(0)

I want to know what ICMP is, and what these types do. Is something strange going on on my computer, or what are they?

Thanks.

On Wikipedia there is a list of ICMP messages

The one you are receiving means that the other IP address’s destination network is unreachable.

Maybe it is NETBIOS that gets bounced back by the IP address. If I understand your network setup correctly, your computer is connected to a modem with no router present. That sounds like cable internet. Is that correct?

Does your IP address happen to be in the 10.x.y.x range?

Hi EricJH, thanks for your reply.

Yes, you are right, I am connected to a modem with no router; I use cable internet. But my IP address is not in the 10.x.y.x range. NETBIOS? Could you explain it more?

Why is that happening? I want to understand that. Did someone try to connect to my computer or whatever?

You are so helpful, thanks again.

Is the IP address in the 192 or 172 range by any chance?

The traffic is coming from another computer to yours, telling it the network is unavailable. Since the logs report that WOS catches the event, that means that no program is listening. But it is also an answer to a request from your computer. That means that the program which made the request was closed immediately after it made that request, and when the ICMP message came back it got caught by WOS.

Do you use a P2P program like uTorrent or similar programs?

EricJH, thanks again; no, that IP address is not in this range. Our ISP’s IP range is not in those ranges, 192 or 172. It is just an IP address from my provider.

Also an answer to a request from my computer? That means there is a program that causes this?

I didn’t make any rules for WOS. I don’t use any P2P program. My programs, apart from security applications and browsers, are just Live Messenger and my ISP’s setup program.

I scan my computer weekly with several other programs. They always say there is no problem or infection.

Do you need anything more? And I want to ask something again: can ICMP messages come from any website I visited? I ask this because it is always the same IP; maybe an advertisement causes this. It doesn’t come daily, not every day; some days, and only sometimes. If you want I can send you a HijackThis log.

The question about the 192, 172, and 10 ranges was asked because these IPs are LAN non-routable IPs: no one can make an intrusion to you with these addresses except yourself (i.e., your own LAN).

You can’t keep anyone on the web from addressing ICMP requests to your computer, notably ping echo and router solicitations; but you should definitely forbid all of them from outside your LAN and ISP.

About denying ICMP in the Kerio firewall, rules 5 to 9 listed here should be enforced in your Comodo settings:
http://websecurite.free.fr/kerioPF.htm

Hi brucine, thanks for your reply.

I can say my LAN (the Destination thing in my first post) is in the 192 range. But the source thing is not in this range; it is an IP from my provider like 80.x.y.z, 85.x.y.z, 88.x.y.z. Is everything clear now?

I don’t want anyone on my computer, of course. So I opened this thread to learn what this request or ICMP or these protocols are. I understand a bit, not very much. I’ve just followed your comments and help.

So that is up to you. If you want a screenshot I can send one.

Thanks again.

I am not a tech, Silver Wolf, and internet information is most certainly more valuable than mine.

Let us however make some things clear.

-You have a way to determine what is coming from your ISP and what is not.
The documentation provided by your ISP, offline or online, will tell you about your ISP’s DNS, and they are always fixed (a primary one and a secondary one if the first fails), whereas your own WAN IP might not be static.
If not, google for “ISP DNS” or similar to learn about them.

-ICMP is not an application, but a regular protocol like HTTP or FTP: this means that no one is connecting to a computer by typing “icmp something”, but that any regular software or malware creates ICMP packets as soon as it travels on the Internet.
Also note that you and I are not interesting targets for a particular hacker: these packets are not sent specifically to you and me, but by robots scanning the web and searching for a security hole.
As you can see, the ICMP control codes are very numerous:

and the catch is that Comodo does not, like some other firewalls, clearly state the numerical code of the control message.
In an optimal situation, your computer should not answer any unwanted WAN solicitation, and should not even show it exists.
As a consequence:
-the forbidding rules 7 to 9 linked in my Kerio link should be applied
-and you should also forbid the main flaws: any NetBIOS connection should be forbidden outside of your LAN (no connection allowed to and from ports 137 to 139; I even forbid 135 and 445); forbid ping, UPnP, etc., from your firewall and/or the appropriate OS services, including this capacity in your router if you have one.
In this regard, Black Viper provides very valuable advice for Windows:

In short, from a global point of view you have no reason to allow anything other than your ISP’s echo requests and DNS port 53: make a rule allowing ICMP for your ISP addresses, followed by one forbidding all ICMP requests.

Thanks brucine. I understand many more things now.

Mainly, I’m not a professional on those things, making firewall options or something like that. ICMP is not an application, I know this. I read about ICMP and the codes. I don’t have many things on my computer. So I was surprised when I saw those things in my log, and I quickly came here. EricJH and you have tried to help me as much as you can. Thanks for this.

I want to clear something up again. I don’t have any router. Just a modem; I use a cable connection. The modem was a gift from my ISP. But I know that the modem I use is not a good choice. I should try to change this thing for my confidence. Anyway, I can say that my modem doesn’t handle many options inside of it.

I said before that I don’t know much about Comodo’s options and configuration. How can I do the things you’ve said, add block rules for codes 7 and 9?

I am trying to learn about NETBIOS, thanks for this advice. One more thing came up right now: how can I know that my computer is clean?

Remember, this is quite a theoretical discussion: you and I have nothing to steal, and only an ethical point of view leads us to keep robots from accessing our computers; moreover, the firewall alert is a normal situation, no one can be connected for longer than 3 or 4 minutes on the Internet without any connection attempt; the question is not to limit these alerts, but to deny whatever intrusion they could be responsible for.

The virus/trojan aspect is very different, as we must keep our computers from being crashed and/or from communicating information behind our backs, but still here we must remember that most of these problems are due to the user’s behavior and come from “the dark side” (porn sites, warez, but also instant messaging, opening a wide range of ports).

  1. My own firewall options are, in the advanced menu, firewall settings, personal strategy, maximum alert level, everything checked except ICS.

Detection settings are default (Block fragmented packets); denial of service attacks can be monitored by protocol analysis.

You can modify the per-protocol used ports in the common tasks, ports item:
-HTTP: 80 and 443 are enough.
-POP/SMTP: only 25 and 110 have to be allowed in a general situation.
-You can add whatever you like, e.g.:
NetBIOS:
ports 135 to 139
port 445
(I know, 135 and 445 are not NetBIOS, but it makes one rule instead of two; anyhow, this rule does not seem to work).

Still in the common tasks, you can add your LAN zone, e.g.
LAN
169.254.0.0 to 169.254.255.255 if dynamic IP
192.168.0.1 to 192.168.0.255 if static
You can choose to hide your ports in the stealth ports, defining the zone as the preceding one.

Let’s go back to the advanced tasks, network security strategy.
You will note that the global rules menu provides predefined IP and ICMP rules, but you can still modify that:
e.g., you could add a rule forbidding every ICMP in: as the firewall reads the rules top to bottom (very important to remember when you write rules), it will allow the 2 default ICMP rules and forbid everything else.
Also remember the first and most important rule: to keep track of where you are going, change only one rule at a time, and immediately check if your internet/mail still works.

Let’s now go to the applications menu, where you will allow or deny a rule when asked: beware, the firewall is very dumb here; when prompted to create a rule, it will be set only for the port used or for every port, so modify the rule to your needs immediately afterwards.

As an example, my svchost.exe rules:

UDP OUT
Source address: any
Dest address: 255.255.255.255
Source port: 68
Dest port: 67
Allow

UDP OUT
Source address: any
Dest address: 212.27.40.240-217.27.40.241 (replace by the DNS of your ISP)
Source port: any
Dest port: 53
Allow

NetBIOS rule (beware, denies your LAN if any):
UDP/TCP IN/OUT
Source address: any
Dest address: any
Source port: any
Dest port: 135-139
Deny, Log

UDP OUT
Source address: any
Dest address: any
Source port: any
Dest port: any
Deny, Log
Comment: only the upper sets of UDP rules are allowed.

Controlling TCP/UDP requests:
TCP/UDP IN/OUT
Every source and destination
Ask

Controlling ICMP:
Say you want to allow your ISP:
ICMP, IN
Source address: any
Dest address: 212.27.40.240-212.27.40.241
ICMP details: any
Allow

And forbid any other request:
ICMP, IN/OUT
Source address, Dest address, ICMP details: any
Block and Log

Control IP requests:
IP, IN/OUT
Source address, Dest address, IP details: any
Ask.

Concerning Kerio rules (Kerio PF - Firewalls), they tell you which ICMP packets should be allowed or denied.
According to Kerio, you should:

ICMP IN: Echo Reply, Destination Unreachable, Time Exceeded
Allow

ICMP IN: Echo
Deny

ICMP OUT: Echo Reply, Destination Unreachable, Time Exceeded
Deny

ICMP IN/OUT: Echo Reply, Destination Unreachable, Source Quench, Redirect,
Echo, Time Exceeded, Parameter Problem, Time Stamp, Time Stamp Reply, Info Request,
Info Reply, Address, Address Reply, Router Advertisement, Router Solicitation (ALL)
Deny.

These settings do not have to be made (as I did) for each asking application, but can be globalized in Advanced Tasks, Network security strategy, global rules.
Note that Comodo is by default very permissive, allowing Time Exceeded IN and everything OUT.
The Kerio ICMP policy is much more secure.

  1. Windows services
    Refer, as said and if using Windows, to: http://www.blackviper.com/

  2. Testing

  3. Ports
    The most commonly used tests are:
    check sdv: http://check.sdv.fr/
    grc shields up: GRC | ShieldsUP! — Internet Vulnerability Profiling
    pc flank: http://www.pcflank.com/ overlaps with what follows, because it also provides intrusion tests

  4. Exploits/intrusion tests
    pc flank: cf. supra
    matousec: http://www.matousec.com/downloads/#ssts
    foundstone: Antivirus, VPN, Identity & Privacy Protection | McAfee
    comodo…: Test My PC Security
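As an added illustration, not code from any post in this thread: the Python below models the top-to-bottom, first-match evaluation brucine describes, encodes his “allow ISP ICMP, then block all ICMP” rules and the Kerio ICMP list, decodes the Type(3)/Type(0) pair from the first post, and replays that entry through both policies. The ISP DNS range (203.0.113.0/31), the source address (198.51.100.7) and the “Ask” fallback for an unmatched packet are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# ICMP type and code names (RFC 792) for the messages discussed in the thread.
ICMP_TYPES = {0: "Echo Reply", 3: "Destination Unreachable", 4: "Source Quench", 5: "Redirect",
              8: "Echo", 11: "Time Exceeded", 12: "Parameter Problem", 13: "Timestamp"}
UNREACHABLE_CODES = {0: "Network Unreachable", 1: "Host Unreachable",
                     2: "Protocol Unreachable", 3: "Port Unreachable"}

def describe(icmp_type, code):
    """Meaning of a Comodo log pair shown as 'Source Port: Type(t)' / 'Destination Port: Type(c)'."""
    name = ICMP_TYPES.get(icmp_type, f"type {icmp_type}")
    if icmp_type == 3:
        name += ": " + UNREACHABLE_CODES.get(code, f"code {code}")
    return name

@dataclass(frozen=True)
class Rule:
    direction: str             # "IN", "OUT" or "IN/OUT"
    src: str                   # CIDR the packet's source must fall in, or "any"
    types: "frozenset | None"  # ICMP types covered by the rule, None = any
    action: str                # "Allow", "Block" or "Ask"

def first_match(rules, direction, src_ip, icmp_type):
    """Evaluate top to bottom, as brucine notes Comodo does: the first matching rule decides."""
    for r in rules:
        if (r.direction in ("IN/OUT", direction)
                and (r.src == "any" or ip_address(src_ip) in ip_network(r.src))
                and (r.types is None or icmp_type in r.types)):
            return r.action
    return "Ask"  # no rule matched: assume the firewall would prompt the user

# brucine's policy: allow ICMP from the ISP's DNS servers, then block all other ICMP.
# 203.0.113.0/31 is a constructed stand-in for the two real ISP DNS addresses.
ISP_POLICY = [
    Rule("IN", "203.0.113.0/31", None, "Allow"),
    Rule("IN/OUT", "any", None, "Block"),
]
# The Kerio ICMP policy quoted in the thread, as first-match rules.
KERIO_POLICY = [
    Rule("IN", "any", frozenset({0, 3, 11}), "Allow"),  # Echo Reply, Dest Unreachable, Time Exceeded
    Rule("IN", "any", frozenset({8}), "Block"),         # inbound Echo (ping)
    Rule("OUT", "any", frozenset({0, 3, 11}), "Block"),
    Rule("IN/OUT", "any", None, "Block"),               # everything else
]

# Constructed replay of the original poster's entry: Type(3)/Type(0) from a non-DNS ISP host.
LOGGED = {"direction": "IN", "src_ip": "198.51.100.7", "icmp_type": 3}
def replay(rules, event=LOGGED):
    return first_match(rules, **event)
```

Under brucine's policy the logged Destination Unreachable is blocked because its source is not the ISP's DNS, while the Kerio list lets it in and blocks inbound Echo instead; which one you want depends on whether you need unreachable notices for your own outbound connections.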

Thanks brucine, I should do some searching, then maybe I can add these things to my firewall. They confuse me a lot. How can I say it, I’m not sure I can do the correct things. So I may skip these settings.

Thanks for your help and thanks for spending some time on my problem.