svchost UDP 127.0.0.1 rule question

Hello

I allowed svchost.exe only the essential connections outwards; the rest is on ask, so to say.

However, I tried to make one rule that allows svchost.exe to connect to my localhost on ports 40000-65000 by UDP. The problem is that it does not work. CFW asks me again and again and enters new rules, as you can see here:

http://i56.tinypic.com/28j9tfa_th.png

Text is German but should not matter.

Can you tell me what the problem is or how I can solve it by one rule?

Make a rule using the following:

Action: Allow
Protocol: UDP
Direction: Out
Description: allow localhost to 40000-65000

Source address: 127.0.0.1
Destination Address: Any
Source Port: Any
Destination Port: choose port range 40000-65000

Eric

Sorry that I didn't clear everything up. The issue is that CFW does not remember/save or make use of the rule you suggested. I know that because I tried exactly the same rule myself…
Only the singular rules as in the screenshot seem to work.

You can’t constrain ports for loopback. Because it’s an internal connection within the process, it will use whichever port is available. The rule should be:

Action - Allow
Protocol - UDP (you’ll need TCP also)
Direction - Outbound
Source Address - Any
Destination address - 127.0.0.1
Source port - ANY
Destination port - ANY

Thank you, I got it.

Now I wonder why I should filter local traffic at all. Maybe that is the reason why we can configure it per switch…

Apologies, I'm not sure I understand the question. Would you mind providing a little more detail about what you're trying to achieve?

What I meant is that we can configure under firewall settings when CFW shall give us an alarm for loopback calls.
I think I mixed things up. Having a rule and getting alarms are two different things.

The solution for my issue is yours. Make this rule:
Action - Allow
Protocol - UDP (you’ll need TCP also)
Direction - Outbound
Source Address - Any
Destination address - 127.0.0.1
Source port - ANY
Destination port - ANY

and I won't be bothered anymore by being asked to allow/block all these localhost connections and then having to make the rules (see my screenshot). The rest is trust. What I mean is, if I have a proxy tool (or some) running that may have allowed outbound rules, like a web proxy, any malicious exe could gain outward access to the net by just connecting to some localhost port in the hope that there is a proxy running on a common port, couldn't it?

I understand now. If you're using a local proxy such as Proxomitron or Privoxy, you must make sure you have the check-box for loopback alerts enabled, which it is by default (see image), and you will need to make sure your firewall rules are locked down and you receive alerts.

What you could try doing is modifying the rule above to something like:

Action - Allow
Protocol - UDP and TCP
Source Address - Any
Destination address - 127.0.0.1
Source port - ANY
Destination port - Enter a port range here, for example 49152–65535

Once you've done this, create another rule for svchost and place it as the last rule for svchost:

Action - Block and log
Protocol - UDP (you’ll need TCP also)
Direction - Outbound
Source Address - Any
Destination address - 127.0.0.1
Source port - ANY
Destination port - ANY

It’s a bit of a double edged sword and by no means perfect, but using local proxies that use loopback is a potential problem.

[attachment deleted by admin]
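Radaghast's ordered rule layout above, as an added example that is not part of the original thread: a small Python model of first-match-wins evaluation over the allow/allow/block+log rules, run over a few constructed connection tuples, plus a check that an unbound UDP socket to loopback gets an OS-chosen source port from the dynamic range (which is why the rules constrain the destination port only and leave the source port as ANY). The Rule class, the rule notes and the sample tuples are assumptions for illustration; the dynamic range is read from the Linux sysctl and falls back to the IANA default 49152-65535 elsewhere.

```python
import socket
from dataclasses import dataclass
from typing import List, Optional, Tuple

ALLOW, BLOCK_LOG, ASK = "allow", "block+log", "ask"


@dataclass(frozen=True)
class Rule:
    """One application rule, modelled on a per-application firewall rule list (assumption).

    None for dports means "any destination port".
    """
    action: str
    proto: str                          # "tcp", "udp" or "any"
    direction: str                      # "out" or "in"
    dst: str                            # "any" or an IP literal
    dports: Optional[Tuple[int, int]]   # inclusive destination port range, None = any
    note: str = ""

    def matches(self, proto: str, direction: str, dst: str, dport: int) -> bool:
        if self.proto != "any" and self.proto != proto:
            return False
        if self.direction != direction:
            return False
        if self.dst != "any" and self.dst != dst:
            return False
        if self.dports is not None and not (self.dports[0] <= dport <= self.dports[1]):
            return False
        return True


def evaluate(rules: List[Rule], proto: str, direction: str, dst: str, dport: int) -> Tuple[str, str]:
    """First matching rule wins; a connection that matches nothing raises an alert ("ask")."""
    for rule in rules:
        if rule.matches(proto, direction, dst, dport):
            return rule.action, rule.note
    return ASK, "no rule matched"


# IANA dynamic/private port range; used when the Linux sysctl is unavailable
# (assumption: the host follows the IANA default, as Windows Vista and later do).
IANA_EPHEMERAL = (49152, 65535)


def ephemeral_range() -> Tuple[int, int]:
    """Return the OS dynamic source-port range (Linux sysctl), else the IANA default."""
    try:
        with open("/proc/sys/net/ipv4/ip_local_port_range") as f:
            lo, hi = (int(x) for x in f.read().split())
            return lo, hi
    except (OSError, ValueError):
        return IANA_EPHEMERAL


def svchost_loopback_rules(port_range: Tuple[int, int]) -> List[Rule]:
    """The three-rule layout from the thread: allow the local-proxy port range on loopback,
    then block and log every other outbound loopback connection so a stray one is visible."""
    return [
        Rule(ALLOW, "udp", "out", "127.0.0.1", port_range, "local proxies (UDP)"),
        Rule(ALLOW, "tcp", "out", "127.0.0.1", port_range, "local proxies (TCP)"),
        Rule(BLOCK_LOG, "any", "out", "127.0.0.1", None, "catch-all loopback block"),
    ]


def observed_source_port(dport: int = 50000) -> int:
    """Connect an unbound UDP socket to loopback and report the source port the OS picked.
    UDP connect() sends nothing, so no listener is needed on dport."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.connect(("127.0.0.1", dport))
        return s.getsockname()[1]
    finally:
        s.close()


if __name__ == "__main__":
    rules = svchost_loopback_rules((49152, 65535))
    # Constructed sample connections, not real svchost traffic.
    samples = [
        ("udp", "out", "127.0.0.1", 50000),   # inside the proxy range -> allowed
        ("tcp", "out", "127.0.0.1", 8080),    # common proxy port outside the range -> block+log
        ("udp", "out", "10.0.0.53", 53),      # not loopback -> no rule matches, firewall asks
    ]
    for proto, direction, dst, dport in samples:
        print(proto, dst, dport, "->", evaluate(rules, proto, direction, dst, dport))
    lo, hi = ephemeral_range()
    print("OS picked source port", observed_source_port(), "from range", lo, "-", hi)
```

The catch-all block rule is what turns the layout from "silently allow everything on loopback" into something auditable: anything that is not the expected proxy range lands in the log instead of in an endless series of alerts.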

Radaghast

I thank you again for your time and the effort you spent to help me.

It seems to work now. I do not receive any more of these endless warnings to allow/block each port alone.

What bugs me is that I was pretty sure that I had everything set up as you described in your last post. The only difference was and still is - but it works now - that I had set up a custom port group for this issue. A port group called 'Syncplicity', but anyway, I could have called it 'local proxies' (and yes, you are right, I use Proxomitron and …). This port group has only ports 42000-65500 in it.

The rest is set up as you described so nicely in your last post, and Comodo seems to recognize this rule now and remembers it.

If things change I will come back. For now I am happy, and I thank you and bow to this great product by Comodo.

cheers