Hello, I can’t understand how this works.
When Comodo Firewall is on Custom Policy; I’ll be using “Internet Download Manager” (“IDM”) as an example.
#1: UDP out to IP 192.168.1.1 over port 53
#2: TCP out to IP 127.0.0.1 over port 443

Details:

#1
Application: IDM
Action: -
Direction: OUT
Protocol: UDP
Source IP: 192.168.1.2
Source Port: -
Destination IP: 192.168.1.1
Destination Port: 53

#2
Application: IDM
Action: -
Direction: OUT
Protocol: TCP
Source IP: 0.0.0.0
Source Port: -
Destination IP: 127.0.0.1
Destination Port: 443 or 80
" - " = changeable value.
Q1: What does #1 mean, and is it better to allow or block it?
Q2: What does #2 mean, and is it better to allow or block it?
Q3: By allowing both, is there a security risk? Can these rules interact with each other to allow the software using them to control the network or have unlimited access?
PS:
When blocking #1, IDM will not work.
When blocking #2, IDM still works.
IDM is just an example, but I can see some other programs using these connection methods.
I have read the following, but it didn’t answer my questions.
#1 is your PC sending a DNS request to your router (192.168.1.1). This is required to resolve a name into an IP address. If you block, it will fail.
#2 is the rule to use IDM as a local proxy to allow multiple simultaneous connections. If you block, IDM should only allow a single download stream at a time. If you allow, IDM will use however many connections (default=4, maximum=16) it is currently configured for.
Q2: After blocking the loopback I am still able to get as many as 16 connections (YouTube tested).
- I get a prompt from Comodo saying IDM wants to access 127.0.0.1 over port 443, during the download or about 15 sec after the download ends.
- It’s doing more 443 to the loopback than 80.
- I want to know why it’s doing this.
Q3: not answered.
EDIT: I looked at the logs and saw something interesting.
The prompt from Comodo about IDM accessing 127.0.0.1 over port 443 comes exactly 1 MIN after launching IDM.
After looking at the logs:
- If I allow IDM access to the loopback, IDM next tries to connect to 184.173.188.107:443.
- If I block IDM access to the loopback, IDM will not do that.
The thing is, the firewall only asks about the loopback (no prompt about the 2nd connection!!).
I see in the logs that the 2nd connection was allowed; Comodo didn’t ask me!!!
And this “184.173.188.107” is so weird, it can bypass Comodo Firewall: even if I add a manual Ask rule under the IDM rules in Comodo Firewall to ask me, this connection bypasses Comodo.
Hmm, if I add a Block rule for “184.173.188.107” under the IDM rules, then after allowing the loopback at the Comodo prompt, Comodo blocks the 2nd connection to “184.173.188.107”.
But when there is no Block rule (or even when an Ask rule is added), Comodo Firewall allows the connection automatically because the parent connection (the loopback) was allowed.
Details:

LOOPBACK CONNECTION (THE FIRST CONNECTION)
Application: IDM
Action: Asked
Direction: OUT
Protocol: TCP
Source IP: 0.0.0.0
Source Port: -
Destination IP: 127.0.0.1
Destination Port: 443
Alert: Related Alert

IDM CALLING HOME (THE SECOND CONNECTION) (5 sec after the 1st in the logs)
Application: IDM
Action: Allowed (WTF!)
Direction: OUT
Protocol: TCP
Source IP: 192.168.1.2
Source Port: -
Destination IP: 184.173.188.107
Destination Port: 443
Alert:
Re. Q2:
I may have misread or misunderstood the IDM documentation I found on the web. Port 80 is used for http (standard web protocol) and port 443 is used for https (secured web protocol). Does the condition you reported (multiple port 443 requests by IDM) occur when you are only downloading from http sites and are not downloading from a https site? I don’t know as I don’t use IDM.
Re. Q3:
127.0.0.1 is a local loopback connection. You can think of this as a network inside your PC where different components are inter-communicating. Whether this is a security risk depends totally on what applications are installed on your PC and which of these are using the connection. Until this is known, anything I or anyone else offers would be, at best, a guess.
Can these rules interact with each other to allow the software using them to control the network or have an unlimited access? They are not rules, they are connections (or attempted connections if you block them). As such, whether they can interact depends on what applications are attempting to use the connections (see answer to Q3 above).
As I mentioned above, according to the Comodo logs this loopback connection occurs exactly 1 min after starting idm.exe (it doesn’t matter whether the sites are http or https).
And I was about to report a vulnerability in Comodo, because the 2nd connection to the IDM homepage is automatically allowed if I allow IDM to access the loopback.
I think IDM is using this to find noobs who use cracked IDM.
It is a 2-step connection (loopback, then IDM calls home 5 sec later).
I will not report the vulnerability, because once I add a Block rule for this “IDM homepage IP” under the IDM rules, Comodo blocks it even after allowing the loopback.
Now:
WHY is the connection to the IDM homepage automatically allowed if I allow IDM to access the loopback???
Forget IDM; my conclusion from this is that once you allow a program to access the loopback, Comodo Firewall will assume that program is safe and allow some connections silently (not all, but some).
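As an added illustration (not from the thread and not Comodo’s code), here is a plain first-match evaluator for per-application rules of the kind quoted above, run over the three connections from the thread. With only the DNS and loopback allow rules present, the connection to 184.173.188.107 matches nothing and falls through to the default instead of inheriting the loopback allow; with the explicit Block rule the poster added, it is blocked. The matching logic is a generic illustration; the IPs and ports are the ones in the thread.

```python
# Added example: generic first-match rule evaluation, not Comodo's implementation.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ANY = None  # stands for the thread's " - " (changeable value)

@dataclass(frozen=True)
class Rule:
    action: str                    # "allow", "block" or "ask"
    direction: str = "out"
    protocol: Optional[str] = ANY
    dst_ip: Optional[str] = ANY    # single IP or CIDR
    dst_port: Optional[int] = ANY

    def matches(self, conn) -> bool:
        if self.direction != conn["direction"]:
            return False
        if self.protocol and self.protocol != conn["protocol"]:
            return False
        if self.dst_ip and ip_address(conn["dst_ip"]) not in ip_network(self.dst_ip):
            return False
        return self.dst_port is None or self.dst_port == conn["dst_port"]

def evaluate(rules, conn, default="ask"):
    """Return the action of the first matching rule, else the default (Ask)."""
    for rule in rules:
        if rule.matches(conn):
            return rule.action
    return default

# Constructed connection records mirroring the log entries quoted in the thread.
DNS = {"direction": "out", "protocol": "udp", "dst_ip": "192.168.1.1", "dst_port": 53}
LOOPBACK = {"direction": "out", "protocol": "tcp", "dst_ip": "127.0.0.1", "dst_port": 443}
CALL_HOME = {"direction": "out", "protocol": "tcp", "dst_ip": "184.173.188.107", "dst_port": 443}

# Per-application rule set: allow DNS to the router, allow the loopback proxy,
# explicit block for the external address; anything else falls to the default.
IDM_RULES = [
    Rule("allow", protocol="udp", dst_ip="192.168.1.1", dst_port=53),
    Rule("allow", protocol="tcp", dst_ip="127.0.0.1", dst_port=443),
    Rule("block", protocol="tcp", dst_ip="184.173.188.107"),
]

if __name__ == "__main__":
    for name, conn in [("dns", DNS), ("loopback", LOOPBACK), ("call-home", CALL_HOME)]:
        print(name, "->", evaluate(IDM_RULES, conn))
```

Dropping the third rule (`IDM_RULES[:2]`) shows the point of the thread’s conclusion: a strict matcher returns the default for the external address rather than allowing it.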