Unblocking IP (used by Utorrent)

Hi, this is my first post in this forum. I have been using CIS 5.5.195786 on Windows 7 for about three months and am slowly coming to understand how it is structured. I still have a lot of basic problems with it that are not well explained (or explained at all) in the user guide. For example:

I get a CIS popup that an external computer is trying to get access to mine. Well, I’m not expecting anyone so my natural impulse is to block the IP address. Then I remember that I’m running UTorrent, so could this be a Torrent server wishing to connect to me? I am also using PeerBlock to keep the undesirables out.

When I check my Log Viewer of Firewall Events, I see that the reason for this blocked request was that C:\Windows\System32\svchost.exe had a UDP In request from a source IP in a European country that matched the IP of one of my peers in UTorrent. Quite possibly this was legit (though why wasn’t CIS asking me about every other peer request?).

My question is: Does CIS add this IP address to a list of blocked IPs, and if so, where the heck is this list kept? I’ve searched everywhere. I haven’t set up a special filter for UTorrent as suggested here (https://forums.comodo.com/guides-cis/firewall-tutorial-for-utorrent-with-comodo-internet-security-t15677.0.html), nor is my problem exactly the same as the one posted here (https://forums.comodo.com/guides-cis/firewall-tutorial-for-utorrent-with-comodo-internet-security-t15677.0.html), since this referred to another home computer that was blocked.

Now if I’ve blocked this IP, will I be notified again when it asks again? I think I should unblock it, so how do I do this? Surely there must be a list of blocked IPs somewhere in Comodo, not simply in the list of firewall events.

Thanks for your help with this.

Welcome.

I get a CIS popup that an external computer is trying to get access to mine. Well, I'm not expecting anyone so my natural impulse is to block the IP address. Then I remember that I'm running UTorrent, so could this be a Torrent server wishing to connect to me? I am also using PeerBlock to keep the undesirables out.

When I check my Log Viewer of Firewall Events, I see that the reason for this blocked request was that C:\Windows\System32\svchost.exe had a UDP In request from a source IP in a European country that matched the IP of one of my peers in UTorrent. Quite possibly this was legit (though why wasn’t CIS asking me about every other peer request?).

The fact that you’re using Windows 7 and the inbound request is against svchost.exe leads me to suspect it’s an IPv6 tunnelled address, either 6to4, or more likely, a Teredo address. This is something that, unless you specifically deny, will happen automatically, as both the OS and uTorrent are designed to use IPv6 tunnelling.

Essentially, this is just another peer connecting to you, to ask for a part of whatever it is you’re sharing, it’s just using a slightly different method.

If you don’t want to use tunnelling, you can easily disable this, by copying and pasting the following into a command prompt:

netsh interface ipv6 set privacy state=disabled
netsh interface ipv6 6to4 set state state=disabled
netsh interface ipv6 isatap set state state=disabled
netsh interface ipv6 set teredo disabled

My question is: Does CIS add this IP address to a list of blocked IPs, and if so, where the heck is this list kept? I've searched everywhere.

CIS won’t add any addresses to a ‘block list’ unless you specifically tell it to do so. This is achieved by using the ‘Blocked Zones’ option, which can be found under Firewall/Network security policy. However, if you block a connection, either outbound or inbound, CIS will, depending on your settings, create a rule in firewall/Application rules.

I haven't set up a special filter for UTorrent as suggested here (https://forums.comodo.com/guides-cis/firewall-tutorial-for-utorrent-with-comodo-internet-security-t15677.0.html), nor is my problem exactly the same as the one posted here (https://forums.comodo.com/guides-cis/firewall-tutorial-for-utorrent-with-comodo-internet-security-t15677.0.html), since this referred to another home computer that was blocked.

It’s a good idea to make sure your firewall is correctly configured for the applications it supports. You should really think about creating specific rules for uTorrent, if you haven’t already done so. This thread has a slightly more up to date tutorial.

Now if I've blocked this IP, will I be notified again when it asks again? I think I should unblock it, so how do I do this? Surely there must be a list of blocked IPs somewhere in Comodo, not simply in the list of firewall events.

Thanks for your help with this.

As I mentioned earlier, if you’ve blocked an inbound connection, it will appear under application rules and will be associated with the application that it was destined for. So, if it was an inbound request for svchost.exe, depending on your firewall configuration, you should find something blocked under that process. It should also turn on logging for that connection.

If you’re unsure, post screen-shots of your firewall Application and Global rules here. Use ‘Additional options’ in the reply box to attach screen-shots.

Thanks Radaghast for your welcome and detailed reply. :)

I attach screenshots of the relevant application rules as requested. It seems that the svchost.exe request is indeed coming from uTorrent.

Could you please give me an example of how such a rule to allow a particular IP might look, or if I let one tunnelled request in, must I let all in? My preference would be to look down my list of uTorrent peers, and if I see one that’s not getting through who has a large percentage of the file pieces that I need, to let just this one through and not any others; then when Torrent has downloaded, I could for safety’s sake withdraw this permission but share this file with others.

In the meantime I am studying your thread https://forums.comodo.com/firewall-help-cis/utorrent-problems-t70329.0.html;msg500592#msg500592

It could well be a Teredo connection that’s been blocked for svchost, but because your firewall settings are likely in safe mode, the rule created is far too generic to say for certain. Would you mind posting a screen shot of an ipconfig /all from a command prompt, please.

The second entry for uTorrent shows you’re not allowing anyone to connect to you for pieces of whatever you’re sharing, you’re simply allowing outbound connections. Have you done this for a reason?

Could you please give me an example of how such a rule to allow a particular IP might look, or if I let one tunnelled request in, must I let all in? My preference would be to look down my list of uTorrent peers, and if I see one that's not getting through who has a large percentage of the file pieces that I need, to let just this one through and not any others; then when Torrent has downloaded, I could for safety's sake withdraw this permission but share this file with others.

In all honesty, my personal recommendation, at this time, would be to disable the tunnelling options, as described above. You’re not going to gain significantly, in terms of more peers or faster transfers and instead, may well be presenting a weakness, in terms of security.

Unfortunately, ISPs have been terribly slow in providing support for IPv6, even though all modern operating systems fully support the protocol. The tunnelling options were/are really meant as a way to transition to IPv6 in situations where the protocol is not fully supported. If you’re really interested in using IPv6, you could check with your ISP regarding their plans for deployment, or you could use a free Tunnel Broker, which I use.

If you really want to use Teredo, you will need to create some Application rules (and maybe some Global rules, depending on your current configuration) for svchost.exe:

Application Name - svchost.exe (This rule is for the iphlpsvc)
Action - Allow
Protocol - UDP
Direction - In and Out
Source Address - ANY
Destination Address - ANY
Source Port - (Port Range) 49152 to 65535
Destination Port - (Port Range) 49152 to 65535

Application Name - svchost.exe (This rule is for Teredo relay)
Action - Allow
Protocol - UDP
Direction - Out
Source Address - ANY
Destination Address - ANY
Source Port - ANY
Destination Port - 3544

Realistically, you’re not going to be able to pick and choose the connections you wish to use, as you won’t necessarily be able to tell who is using a tunnelled connection, even though they may show in the peer list with a Teredo address.
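
Added example (not part of the original thread): a Teredo (2001::/32) or 6to4 (2002::/16) address of the kind discussed above embeds an IPv4 endpoint, and this sketch decodes it and pairs firewall log entries such as the "UDP In" for svchost.exe with peer-list addresses. The function names, sample addresses and log entries are constructed for illustration and use documentation address ranges.

```python
import ipaddress
import struct

TEREDO_NET = ipaddress.IPv6Network("2001::/32")     # Teredo prefix (RFC 4380)
SIXTOFOUR_NET = ipaddress.IPv6Network("2002::/16")  # 6to4 prefix (RFC 3056)

def decode_tunnel_address(text):
    """Describe the IPv4 endpoint embedded in a Teredo or 6to4 address, else None."""
    addr = ipaddress.IPv6Address(text)
    raw = addr.packed
    if addr in TEREDO_NET:
        # Layout: prefix(4) | server IPv4(4) | flags(2) | port(2) | client IPv4(4);
        # the port and client IPv4 are stored with every bit inverted.
        flags, port = struct.unpack("!HH", raw[8:12])
        client = struct.unpack("!I", raw[12:16])[0] ^ 0xFFFFFFFF
        return {"kind": "teredo",
                "server": str(ipaddress.IPv4Address(raw[4:8])),
                "cone_nat": bool(flags & 0x8000),
                "ipv4": str(ipaddress.IPv4Address(client)),
                "udp_port": port ^ 0xFFFF}
    if addr in SIXTOFOUR_NET:
        # 6to4 carries the IPv4 address right after the 16-bit prefix; no port.
        return {"kind": "6to4", "ipv4": str(ipaddress.IPv4Address(raw[2:6])),
                "udp_port": None}
    return None  # native IPv6, nothing embedded

def match_log_to_peers(log_entries, peer_addresses):
    """Map each (src_ipv4, src_port) log entry to the Teredo peer embedding it."""
    by_endpoint = {}
    for peer in peer_addresses:
        info = decode_tunnel_address(peer)
        if info and info["kind"] == "teredo":
            by_endpoint[(info["ipv4"], info["udp_port"])] = peer
    return {entry: by_endpoint.get(entry) for entry in log_entries}

# Constructed sample data (documentation address ranges, not from the thread).
PEERS = ["2001:0:4136:e378:8000:63bf:3fff:fdd2",  # Teredo
         "2002:c633:6407::1",                     # 6to4
         "2001:db8::1"]                           # native IPv6
LOG = [("192.0.2.45", 40000), ("203.0.113.9", 51413)]  # UDP In to svchost.exe

if __name__ == "__main__":
    for peer in PEERS:
        print(peer, "->", decode_tunnel_address(peer))
    print(match_log_to_peers(LOG, PEERS))
```

A log entry that maps to a Teredo peer is tunnelled IPv6 traffic handled by svchost.exe rather than a direct connection to uTorrent's listening port.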

Thanks again Radaghast. Apologies for not replying sooner, I’ve been very busy.

It could well be a Teredo connection that's been blocked for svchost, but because your firewall settings are likely in safe mode, the rule created is far too generic to say for certain. Would you mind posting a screen shot of an ipconfig /all from a command prompt, please.

Here it is, edited for privacy:

C:\Windows\system32>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : [private]
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Atheros AR8131 PCI-E Gigabit Ethernet Controller (NDIS 6.20)
   Physical Address. . . . . . . . . : [xx-xx-xx-xx-xx-xx]
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : [xxxx::xxxx:xxxx:xxxx:xxxx](Preferred)
   IPv4 Address. . . . . . . . . . . : [xxx.xxx.xxx.xxx](Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Tuesday, 9 August 2011 9:38:43 PM
   Lease Expires . . . . . . . . . . : Tuesday, 16 August 2011 9:38:43 PM
   Default Gateway . . . . . . . . . : [yyy.yyy.yyy.yyy]
   DHCP Server . . . . . . . . . . . : [yyy.yyy.yyy.yyy]
   DHCPv6 IAID . . . . . . . . . . . : [xxxxxxxxx]
   DHCPv6 Client DUID. . . . . . . . : [xx-xx-xx-xx-xx-xx-xx-xx-xx-xx-xx-xx-xx-xx]

   DNS Servers . . . . . . . . . . . : [xxx.xxx.xxx.xxx]
                                       [xxx.xxx.xxx.xxx]
   NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wireless Network Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Realtek RTL8191SE Wireless LAN 802.11n PCI-E NIC
   Physical Address. . . . . . . . . : [xx-xx-xx-xx-xx-xx]
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 9:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : [xxxx::xxxx:xxxx:xxxx:xxxx](Preferred)
   Link-local IPv6 Address . . . . . : [xxxx::xxxx:xxxx:xxxx:xxxx](Preferred)
   Default Gateway . . . . . . . . . : ::
   NetBIOS over Tcpip. . . . . . . . : Disabled

C:\Windows\system32>

Would you please take a look at the above and suggest what steps I should take.

The second entry for uTorrent shows you're not allowing anyone to connect to you for pieces of whatever you're sharing, you're simply allowing outbound connections. Have you done this for a reason?

Not quite clear what you mean by this. If I’m allowing outbound connections, doesn’t that imply that people are free to upload what they need from me? Or is there a difference? Certainly I’m not doing this deliberately, although I notice that my download speeds are sometimes very low even with plenty of seeders around. I seem to be missing your point here. What should I now do to help those on uTorrent that I’m not doing now? Thanks again.

As suggested above, you have Windows in its default configuration, which in Windows 7 and Vista, means IPv6 is enabled and in use. Of the tunnel adapters used by the Windows implementation of IPv6, only the Teredo adapter is active, as can be seen by the ‘Media disconnected’ status for ISATAP.

At this point you have a choice, you can use the method I recommended above to disable tunnelling, or you can modify your Application firewall rules to allow Teredo.

Not quite clear what you mean by this. If I'm allowing outbound connections, doesn't that imply that people are free to upload what they need from me? Or is there a difference? Certainly I'm not doing this deliberately, although I notice that my download speeds are sometimes very low even with plenty of seeders around. I seem to be missing your point here. What should I now do to help those on uTorrent that I'm not doing now? Thanks again.

P2p applications are actually client/server applications, so for other members of a swarm to download from you, you have to give your p2p application server rights. This basically means allowing inbound connections to the designated port of your p2p application. You can take a look through this thread for an idea about how to configure uTorrent.