Hello all.
I am using the new CIS 3.5.53896.424 (Firewall only) but am having trouble getting uPNP to work.
Since uPNP uses multicast (which is more like unsolicited connections), I have to manually create rules that allow such connections.
However, Comodo Firewall doesn’t seem to honor these rules.
Under Network Security Policy → Global Rules - I have created rules that allow incoming as well as outgoing connections on src/dst ports 5431, 2869 and 1900 (TCP and UDP).
Using a sniffer tool (Wireshark and SmartSniff), I was able to confirm that my computer is not receiving these requests even though these rules are in place and match the above criteria. (For some reason, there is no indication in the firewall logs that Comodo really did block these requests.) I have tried putting these rules under the System application as well as the svchost.exe application, to no avail. In fact, the sniffer tool was able to tell me there weren't any other connections originating from my router when I am in Custom Policy mode, but the outgoing connections were okay. (In other words, I can contact the router, but the router cannot contact me back.)
The firewall has to be disabled in order for the computer to receive these multicast requests and be able to forward ports correctly.
Just out of frustration, and to confirm that my rules are not too restrictive, I added a rule under Global Rules that allowed IP In/Out from ANY to ANY. This, however, still fails to work, as my computer is not receiving the multicasts from my router. Any idea how I can fix this? This used to work in the old version of CPF… Curious…
Anyone have any ideas? A bug, perhaps?
Thanks!
You can create a multicast zone and add it as trusted using the stealth port wizard
Zone : [Special & Local Multicast] is defined as
-----------------------------------------------------------------------------------------
[0] IP In [224.0.0.0-224.0.0.255]
[1] IP In [239.0.0.0-239.255.255.255]
Or you can use in custom made policies
Policy [Only allow lan traffic]:
[0] Allow IP Out From IP Any To Zone [Local Area Network] Where Protocol Is Any
[1] Allow IP In From Zone [Local Area Network] To IP Any Where Protocol Is Any
[2] Allow IP Out From IP Any To Zone [Loopback Zone] Where Protocol Is Any
[3] Allow IP Out From IP Any To Zone [Special & Local Multicast] Where Protocol Is Any
[4] Block & Log IP In/Out From IP Any To IP Any Where Protocol Is Any
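The policy above is an ordered, first-match list, and only a rule carrying the "& Log" flag writes a log entry. The following is an added example (not code from the thread or from Comodo) that simulates that evaluation in Python: it encodes the two zones from the reply, walks the five rules in order against constructed sample packets (an outgoing SSDP M-SEARCH, the router's multicast NOTIFY and unicast reply, and an unrelated inbound packet from the Internet), and shows that the same verdicts produce no log entries at all once the final block rule loses its log flag. The LAN subnet 192.168.1.0/24, the host and router addresses, and the "implicit unlogged block when nothing matches" fallback are assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Zones as defined in the reply above. The LAN subnet is an assumption for
# this example; the multicast ranges are the ones the post lists.
ZONES = {
    "Local Area Network": [ip_network("192.168.1.0/24")],
    "Loopback Zone": [ip_network("127.0.0.0/8")],
    "Special & Local Multicast": [ip_network("224.0.0.0/24"),
                                  ip_network("239.0.0.0/8")],
}


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (arriving at this host) or "out"
    src: str
    dst: str
    proto: str       # kept for the log line only; the posted rules say "Protocol Is Any"
    port: int


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "block"
    direction: str           # "in", "out" or "in/out"
    src_zone: Optional[str]  # None means "IP Any"
    dst_zone: Optional[str]
    log: bool = False        # the "& Log" flag


def in_zone(addr: str, zone: Optional[str]) -> bool:
    """True if addr falls inside the named zone (None matches any address)."""
    if zone is None:
        return True
    ip = ip_address(addr)
    return any(ip in net for net in ZONES[zone])


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction not in ("in/out", pkt.direction):
        return False
    return in_zone(pkt.src, rule.src_zone) and in_zone(pkt.dst, rule.dst_zone)


def evaluate(policy: List[Rule], pkt: Packet) -> Tuple[str, Optional[int], bool]:
    """First matching rule wins. Returns (action, rule_index, logged).
    No match falls through to an implicit, unlogged block (an assumption of
    this example, not something the thread states)."""
    for i, rule in enumerate(policy):
        if matches(rule, pkt):
            return rule.action, i, rule.log
    return "block", None, False


def audit(policy: List[Rule], packets: List[Packet]) -> List[str]:
    """Collect log entries. Only a matching rule with the log flag produces
    one, so a block by an unflagged rule leaves the log empty."""
    entries = []
    for pkt in packets:
        action, idx, logged = evaluate(policy, pkt)
        if logged:
            entries.append(f"{action.upper()} rule[{idx}] {pkt.direction} "
                           f"{pkt.src}->{pkt.dst} {pkt.proto}/{pkt.port}")
    return entries


# The five rules from the reply, in the posted order.
POSTED_POLICY = [
    Rule("allow", "out", None, "Local Area Network"),
    Rule("allow", "in", "Local Area Network", None),
    Rule("allow", "out", None, "Loopback Zone"),
    Rule("allow", "out", None, "Special & Local Multicast"),
    Rule("block", "in/out", None, None, log=True),
]
# Same policy with the log flag dropped from the final block rule.
SILENT_POLICY = POSTED_POLICY[:-1] + [Rule("block", "in/out", None, None, log=False)]

# Constructed sample packets (host 192.168.1.10, router 192.168.1.1 are assumptions).
OUT_MSEARCH = Packet("out", "192.168.1.10", "239.255.255.250", "udp", 1900)  # SSDP discovery
IN_NOTIFY   = Packet("in",  "192.168.1.1",  "239.255.255.250", "udp", 1900)  # router multicast
IN_REPLY    = Packet("in",  "192.168.1.1",  "192.168.1.10",    "udp", 1900)  # unicast M-SEARCH reply
IN_WAN      = Packet("in",  "203.0.113.5",  "192.168.1.10",    "tcp", 2869)  # unsolicited Internet
SAMPLE = [OUT_MSEARCH, IN_NOTIFY, IN_REPLY, IN_WAN]

if __name__ == "__main__":
    for pkt in SAMPLE:
        print(pkt.direction, pkt.src, "->", pkt.dst, evaluate(POSTED_POLICY, pkt))
    print("logged:", audit(POSTED_POLICY, SAMPLE))
    print("logged (silent policy):", audit(SILENT_POLICY, SAMPLE))
```

With the posted order, the router's multicast NOTIFY is accepted by rule [1] because its source sits in the LAN zone, and the outgoing M-SEARCH is accepted by rule [3]; only the Internet packet reaches the final block rule. Running the same packets against SILENT_POLICY returns identical verdicts and an empty log, which is the situation the later replies describe: a block with no trace in the firewall log.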
Thanks for the reply.
It is still not working. As I said before, I have tried this in Global Rules:
Allow IP In/Out From IP Any To IP Any Where Protocol Is Any
and that still did not fix the problem.
As of now, the only way for the sniffer to catch the multicast packets is when I switch the firewall mode to “Disabled”. (:SAD)
I used CFP and I use CIS now and I was always able to use multicast services without issues.
Entries in the log are only added if a block rule has a log flag set. So it is possible that a rule is blocking the traffic without logging.
Multicast traffic needs at least application rules, so I guess you can add a logging flag to the svchost and system policies and allow IP In/Out.
What firewall policy is set for Windows Updater Applications ?
Is Windows Updater Applications placed before or after svchost.exe policy?
I have deleted the policy for Windows Updater and System and svchost.exe is already on Allow IP - ANY. Sad. As I said, this only occurred in this version - I have never had this problem before with the old CPF. (The one I am using is part of the bundle of the newly released CIS)
Something you could try, just for testing/logging purposes, memo, is to edit the rule for "Trusted Application" via Pre-defined Firewall Policies so that you have logging ticked, and then give system/svchost the Trusted Application policy.
It should then allow all incoming and outgoing requests, with the little icon on to show logging. This may help to see what needs what, so you can set the appropriate rules.
Yup, did that as well… Did not give anything that my sniffer doesn’t give…
Try going to Firewall → Advanced Tasks → Attack Detection Settings → Miscellaneous and unset "Block fragmented IP datagrams".
Under “View Active Connections”, is anything shown as listening on these ports? Try putting the rules (with log) under Windows Operating System and make sure they are not blocked there. This is where multicast packets are usually checked if there is no specific listener.
Nope, it is not blocked there.
I think I figured it out though, as it seems that Comodo thinks my router is flooding my system and blocked it within the block settings in Advanced Settings. What is interesting, though, is that Comodo does not show any blocked entries should a host be blocked by flood protection.
I have increased the number of packets and it seems that uPNP is working okay now.
Any ideas?
@Gibran: Thank you for the explanation on the Multicast and Network zone. I now have proper uPnP communication with my router.