Hi guys,
Maybe only I can’t understand the issue, but please explain it to me:
My local net is 192.168.2.*, the router is 192.168.2.1. Actually my IP is 192.168.2.33.
The usual block all is the last rule #9 in my list.
I have got the following line in the activity log:
Date/Time :2007-09-30 15:46:56
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.2.13, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.2.13:1044
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 9
The source is another host on the local net; the destination is unknown to me. The questions are: why did it occur at all, and why is it logged?
“upnp-mcast” means Universal Plug & Play Multicast which broadcasts on UDP port 1900. It’s just a normal part of the Windows networking package which you can read about here
I’m really sorry, maybe I’m not familiar with this thing, but what does this IP (239.255.255.250) mean?
Is this the local host again?
And finally, should I allow this, or is it preferable to block it?
Thanks
That is an internal (Intranet/LAN) Multicast IP address; it’s not an assigned IP address, such as for your computer - it could/can/will be used for different resources on the LAN at different times. The traffic itself is coming from another resource on your network. It’s already being blocked, as you can see in your logs.
A Multicast (typically, Protocol = IGMP) is basically a “shout out” to the network from a network resource (router, printer, etc) to see if anybody’s home (for some particular purpose). This seems to happen a lot more when a different method of communication is unsuccessful.
As to whether or not you should block it, I will say that’s ultimately up to you (and your level of paranoia). I will give you some guidelines that I use…
Is my connection working; am I able to do everything I need to?
Is the traffic already blocked?
If the answer is yes to both, I figure I don’t need to allow the incoming connection. Thus, I will create a rule to specifically block it without logging (so I don’t have to see it again). That is done this way…
Open Network Monitor. Go to the very last (Block & Log All) rule.
Right-click and select “Add/Add Before.” Build the new rule this way:
Action: Block
Protocol: UDP (as per your log entry)
Direction: In
Source IP: Any
Destination IP: 239.255.255.250
Source Port: Any
Destination Port: 1900
OK, and reboot.
It can be a bit confusing and overwhelming. Most of it’s outside my paygrade, I’m afraid. You may find Wikipedia helpful to research things you come across; they usually have relatively easy-to-understand explanations. If all you have is that IP address, here’s how you can find out more info… search it on Google; one of the results is the ARIN page (you can also go straight to ARIN and look it up) http://ws.arin.net/whois/?queryinput=239.255.255.250 This shows the entire IP range associated… 224.0.0.0 - 239.255.255.255
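
The triage discussed in this thread, as an added example that is not part of any post above: it parses a log entry in the format quoted in the first post and reports whether the blocked packet is UPnP/SSDP discovery, some other multicast in the 224.0.0.0 - 239.255.255.255 range, or unicast. The function names are hypothetical, and the /24 LAN is an assumption taken from the poster's description of the network as 192.168.2.*.

```python
import ipaddress
import re

# Constructed sample: the log entry quoted in the first post of this thread.
SAMPLE_LOG = """\
Date/Time :2007-09-30 15:46:56
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.2.13, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.2.13:1044
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 9
"""

LOCAL_NET = ipaddress.ip_network("192.168.2.0/24")    # assumed: the poster's LAN
SSDP_GROUP = ipaddress.ip_address("239.255.255.250")  # UPnP discovery group


def parse_entry(text):
    """Split 'Key: value' lines into a dict; keys are lower-cased."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip()
    return fields


def endpoint(value):
    """Parse '192.168.2.13:1044' or '239.255.255.250:upnp-mcast(1900)'."""
    m = re.fullmatch(r"(\d+\.\d+\.\d+\.\d+):(?:[\w-]+\((\d+)\)|(\d+))", value)
    if not m:
        raise ValueError(f"unrecognised endpoint: {value!r}")
    return ipaddress.ip_address(m.group(1)), int(m.group(2) or m.group(3))


def classify(text):
    """Return a short verdict for one blocked-packet entry."""
    f = parse_entry(text)
    src, _ = endpoint(f["source"])
    dst, dport = endpoint(f["destination"])
    proto = f["protocol"].split()[0].upper()
    origin = "LAN host" if src in LOCAL_NET else "non-LAN host"
    if dst == SSDP_GROUP and dport == 1900 and proto == "UDP":
        return f"UPnP/SSDP discovery multicast from {origin} {src}"
    if dst.is_multicast:  # 224.0.0.0 - 239.255.255.255
        return f"other multicast to {dst} from {origin} {src}"
    return f"unicast to {dst}:{dport} from {origin} {src}"
```

Calling `classify(SAMPLE_LOG)` on the entry from the first post reports SSDP discovery from a LAN host, which matches the explanation given in the replies.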