I’ve recently installed Comodo to replace ZoneAlarm. I’ve been able to get just about everything configured so that it connects correctly to the network. The only problem I’m having is the networked HP All-in-one which apparently does a port scan which Comodo blocks. Today, I needed to totally shut down Comodo just to send a document to the printer.
I’ve got my internal IP addresses mapped as a trusted zone, a network rule for the printer’s ip address set up to allow TCP or UDP, in or out, to any port, and all the HP executables set up as allowed as well.
Under Security/Advanced attack & detection, I’ve got the Port Scan Probing rates set to 500. The Miscellaneous tab has only the Block Fragmented IP Datagrams checked. Everything under Security/Application Behaviour Analysis is checked.
I’ve seen only a couple of posts on the issue, but not any sort of resolution. Is this issue something that can be configured for, either now or in an upcoming version? Because other members of the family use this pc, I can’t expect them to have to disable the firewall each time they want to print.
Unfortunately none of these are relevant to this issue. Here’s what happens…
If the port is not blocked (by Comodo), then I’m able to print ok. All the programs associated with HP are set to allow all connections. Every so often, for whatever reason, the HP All-in-one scans the ports to all computers on the network. There’s some client software on the PCs that requires/expects this. When this happens, Comodo sees it as an attack and shuts down the connection to the printer’s ip.
After the set amount of time in the settings (right now still at 5 minutes), the port is opened again until the printer scans the port again.
Your log pic reminds me of Emergency Mode, which can’t be disabled but can be controlled to a certain extent:
Security > Advanced > Advanced Attack Detection & Prevention > Configure > In the Intrusion Detection tab, these various settings can lower the chances of emergency mode from kicking in. See if that works.
Cross that out. It looks like you have to allow 192.168.1.50 access or define whatever IP range (e.g. 192.168.1.1 - 192.168.1.100) in addition to that IP as a trusted network.
Curiosity question, what model of HP All-in-One is this? It could be something in its settings that could stand some tweaking.
For comparison, a print server that I once had the misfortune of having to work with broadcast itself to any and all in 4 different protocols (TCP/IP, IPX, the original NetBEUI, and AppleTalk), and it couldn’t be configured to not broadcast. The workaround was to put it behind a cheap NAT/router configured to forward the printer ports in TCP. The LAN could then talk to the print server, but the print server was shouting in its own little rubber room.
I eyeballed your screenshot of the CFP log. It could well be that the packets coming from the printer are not IP packets, but are being interpreted as UDP/IP packets.
That’s why I’m asking about the model. If it talks other protocols, that may be what you’re seeing, at least in part.
Thanks for the log and rules snapshots. You’ll need to make a change to your rule 0. Multicast addresses cannot be source addresses. You need the rule to be “allow and log UDP from any to 188.8.131.52/255.255.255.0” (to catch the range, rather than 184.108.40.206 - no particular reason why the range, just my force of habit).
I checked the hp.com/support site for the 2575 printer. Nice printer, and you’re right in that there aren’t a lot of options to set. A couple of things to check, though… In the network settings, turn off mDNS, and turn off “Instant Share” which seems to be some kind of photo sharing service that HP has. These are probably already turned off, but it wouldn’t hurt to make sure. If there isn’t a “turn off” option, then don’t worry about it. The documentation I rather hurriedly read wasn’t all that clear.
The short summary of that page is to open UDP ports 161, 427, and 137, and TCP ports 9220, 9500, and 9290.
Your log is showing a bunch of UDP port 0 scans. Port 0 isn’t really defined, so I’m suspecting these are bad packets or partial packets. It could be that the printer ethernet hardware is bad. That would take a packet sniffer to confirm, and I don’t think things are to that point yet.
Reading back to the beginning, there seems to be a confusion in the Source & Destination, whose roles are reversed depending on the direction of the connection (incoming or outgoing). Since these “attacks” are UDP port scans, we’re dealing with incoming connection problems. This means the Source IP must be your printer’s IP of 192.168.1.50, whereas the Destination IP is your computer’s IP (or ANY or whatever Trusted Zone you have set up), with the Destination Port being anything that’s available (i.e. according to your first screenshot of the log, it seems to range in the 30000 area).
I hope it’s something as simple as just one rule, at a minimum, like:
Source IP: 192.168.1.50
Source Port: ANY?? (this one I’m not sure about)
Destination IP: computer IP (or ANY or whatever Trusted Zone you have set up)
Destination Port: 30000 - 35000 (or the relevant port range the printer potentially uses)
What does your rule #2 Zone for the VIA Compatable Fast Et… cover? Does it include 192.168.1.50?
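To show why a per-host allow rule keeps the printer's probes from being counted as a scan, here is an added Python example (not Comodo's code and not from anyone in this thread) that runs a first-match rule set and a simplified scan threshold over constructed log entries; the threshold, the computer address 192.168.1.20 and the extra host 192.168.1.99 are assumptions, and the heuristic is a stand-in for Comodo's real intrusion detection.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed entries modelled on the thread's description of the CFP log:
# (protocol, source ip, source port, destination ip, destination port).
# The printer at 192.168.1.50 probes a run of ports in the 30000 range.
LOG = [("UDP", "192.168.1.50", 0, "192.168.1.20", 30000 + i) for i in range(6)]
LOG += [("UDP", "192.168.1.50", 427, "192.168.1.20", 427),      # SLP (UDP 427)
        ("TCP", "192.168.1.99", 4455, "192.168.1.20", 9220)]     # hypothetical other host

def make_rule(action, proto, src_net, dport_lo, dport_hi):
    """One firewall rule: source network in CIDR form, inclusive destination port range."""
    return {"action": action, "proto": proto, "src": ip_network(src_net),
            "ports": (dport_lo, dport_hi)}

def rule_matches(rule, proto, src, dport):
    return (rule["proto"] in ("ANY", proto)
            and ip_address(src) in rule["src"]
            and rule["ports"][0] <= dport <= rule["ports"][1])

def evaluate(log, rules, scan_threshold):
    """First-match rule evaluation followed by a crude port-scan heuristic.
    Traffic matched by an allow rule is not counted towards the scan threshold;
    any other source touching scan_threshold or more distinct ports is flagged.
    Returns the allowed entries and the set of sources flagged as scanners."""
    allowed, probed = [], defaultdict(set)
    for proto, src, sport, dst, dport in log:
        verdict = next((r["action"] for r in rules if rule_matches(r, proto, src, dport)), None)
        if verdict == "allow":
            allowed.append((proto, src, sport, dst, dport))
            continue
        probed[src].add(dport)     # unmatched traffic: candidate scan probe
    scanners = {src for src, ports in probed.items() if len(ports) >= scan_threshold}
    return {"allowed": allowed, "scanners": scanners}

# Without a printer rule, the run of UDP probes looks like a scan of the computer.
WITHOUT = [make_rule("allow", "TCP", "192.168.1.0/24", 9220, 9220)]
# With the rule proposed above (source 192.168.1.50, destination ports 30000-35000),
# the probes are allowed before the scan heuristic ever sees them.
WITH = [make_rule("allow", "UDP", "192.168.1.50/32", 30000, 35000)] + WITHOUT

if __name__ == "__main__":
    print(evaluate(LOG, WITHOUT, 5)["scanners"])  # {'192.168.1.50'}
    print(evaluate(LOG, WITH, 5)["scanners"])     # set()
```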