Unknown source IP in firewall log

Hello all, I am new to Comodo and trying to figure out how it works.

I have a weird concern about a strange source IP in my firewall log.

it shows:
windows operating system blocked UDP 169.254.1.??:???(random last digits and port) destination:169.254.1.255:5000

This is happening like every couple seconds!
That is not my internal or internet IP address… nor is it my network or any PC on my network. What’s going on here?

Hi cooloutac,

Those IPs are from Windows’ self-assigned range.
When Windows can’t get an IP from a DHCP server, it gives itself one and then tries to find other Windows machines to work with.
So do you have a connection problem?

Nope, don’t have any connection problem. Why does this happen? So this is normal then? If so… I guess the only problem then would be how to stop these firewall events from bloating up the whole log.

I can’t imagine this being normal though… it looks like I have thousands of these taking up the whole log. I looked in the network security policies for something that says Windows Operating System but I don’t see it.

I only see system… which is also a different item in the firewall event log.

any ideas? tks for your help.

Well it shouldn’t be doing that.

What Operating System, and how are you connected to internet?
Do you have multiple NIC’s?

I have Windows XP Home SP3. I only have one LAN card. I am connected to my router through Ethernet wire.

I had a thought maybe it had something to do with Verizon FiOS… but each cable box has its own IP address in the same range as my PC and my network.

What do you have under Firewall > Common Tasks > My Network Zones

Loopback 127.0.0.1

And ?

Or maybe it does have something to do with that. I noticed when trying out Norton 2009 it listed all the cable boxes in the house on the network. I just recently got refunded from ZoneAlarm after upgrading to their super resource hog and less secure Extreme edition. I won’t even go into that. But maybe it’s Windows or Comodo that doesn’t recognize the cable boxes? I’m clueless so don’t mind me. ZoneAlarm never even detected the cable boxes before.

I do notice the Windows operating system being blocked with another IP address, of my pop’s PC on my home LAN. Prolly ’cause I haven’t added him as trusted yet.

But maybe these other ones are the cable boxes it doesn’t recognize?

Sry, I type too much lol. I have the loopback 127. etc… and I have HOME with my internal IP address and network range. 192.168.1.255.

I just had a Duh

There is something else on your network that is having IP trouble.
Just realized incoming blocks.
So something on your LAN isn’t getting a LAN IP from your router.

I have a feeling now it’s the cable boxes, dang. Comodo knows something is there… which is more than ZoneAlarm does. But it can’t differentiate between non-PC devices maybe.

I could be wrong but that’s my guess. I have to check the log on my pop’s PC too… to see if he has the same issue.

If they get IP from your router then restarting the misbehaving device should fix it.

Oh, that’s an idea… maybe restart the router? I hope I don’t have to pinpoint which cable box it is haha. But that’s a great idea, tks man.

Well, I just went into the router and saw that all the cable boxes in the house are still listed with their IP address. I thought maybe they might have gotten unrecognized, which has happened once before to me… and I have to reset the router.

I will try to reset it anyways though once the network is free and let you know what happened.

Restart the devices to make them request fresh IP.
Restarting router shouldn’t make a diff.
Whatever it is, it was started at some time the router was off, gave itself an IP and has been lookin for a friend ever since.

Oh ok, hmm, interesting… so the router wouldn’t make a difference, it’s one of the connected devices.

Man, we have 6 boxes in the house, that’s gonna be a pain in the rear haha. Also the router lists another PC on my network (grandpop’s) that is off at the moment. He is DHCP. Me and my pops are static. All the cable boxes are coax DHCP. Don’t know if that means anything.

If these blocks are still a steady stream you could go around and shut down one thing at a time and check your firewall logs to see if the blocks stop. When they do, that’s your bad one.

That didn’t work. Is there any way I can just stop these events from being logged?

Also maybe was thinking it had something to do with stealth port?

Also what does Windows Operating System mean… exactly what file is being accessed? What uses port 5000?

after reading this forum with a guy with exact same problem as me (diff firewall it looks like) Strange Router UPNP Activity - Verizon FiOS | DSLReports Forums

I’m under the impression that it has something to do with the Verizon FiOS router and Comodo.

Like I said, when I used the Norton firewall trial yesterday… it showed all six boxes in their “network map” and listed them as non-PC Motorola devices, which they are. I think maybe Verizon FiOS just has weird network activity that some firewalls think is nuts. lol

The solution this guy had was to disable STP on the Ethernet port… so what the heck does that mean and how do I do that hehe.

Nevermind, I was reading on that same forum it’s a bad idea to do that, might cause lots of problems… plus might conflict with my VOD and menu guides on the cable boxes.

So if u can just suggest to me how I can omit this specific event from being logged in the firewall…

tks for your help.

I gotta say though, the Comodo firewall is def more intense than Norton or ZoneAlarm lol

pretty good piece of software here.

OK, yea it looks like UPNP traffic, but the addresses it’s using are just not working for me.

So you unplugged each device one by one and it never stopped the blocks?
Does your router have an active connection window, does it show anything connected with the IP in question?
Do you have any wireless on your network?
I don’t want to alarm you but this is an old yet informative page you should read.
I just believe it is important to solve this, rather than cover it up.

Go to Device Manager → look up the Ethernet network adapter → select it → right-click and choose Properties → go to the Advanced tab and see if STP is there to set → if so, then disable it → OK. Maybe you need to renew/restore the network connection.

STP is a protocol used between devices functioning as a packet bridge, and is used only on a LAN segment. It is not an IP protocol, and so shouldn’t be recognized by CIS, or pretty much any other firewall. It’s in the same protocol set as ARP. It’s one of those things that if you need it, and it doesn’t work, your LAN is dead.

Seeing traffic on 169.254.1.255 is unusual. If it was normal broadcast traffic, it would be using the address 169.254.255.255. And the 169.254.x.x address space is pretty much used only by Windows machines. I don’t know of a CPE router that uses it.

A quick check of your machines, from a command prompt, type “ipconfig /all” and see what machine is configured to use the 169.254.x.x address range.

If no machine is using that address space, and you’re still seeing log entries, then it will be necessary to install a network monitor like Wireshark (www.wireshark.org) on one of your machines to capture packets to find out what is going on.
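Added example, not part of any post in this thread: a short Python script that goes through exported firewall log entries, picks out blocked packets from self-assigned (169.254.x.x) sources whose destination is not the range's usual 169.254.255.255 broadcast, and reports which subnet size the destination would be a broadcast for. The log layout, the sample addresses and the function names are assumptions made for the illustration, not Comodo's real export format.

```python
import ipaddress
import re
from collections import Counter

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")  # self-assigned range named in the thread

# Constructed sample entries; the column layout is an assumption, not Comodo's export format.
SAMPLE_LOG = """\
Windows Operating System | Blocked | UDP | 169.254.1.37:1041 | 169.254.1.255:5000
Windows Operating System | Blocked | UDP | 169.254.1.37:1042 | 169.254.1.255:5000
Windows Operating System | Blocked | UDP | 169.254.1.112:1029 | 169.254.1.255:5000
Windows Operating System | Blocked | UDP | 192.168.1.3:137 | 192.168.1.255:137
System | Blocked | UDP | 169.254.7.9:68 | 169.254.255.255:67
"""

ENTRY = re.compile(r"^(.+?) \| (\w+) \| (\w+) \| ([\d.]+):(\d+) \| ([\d.]+):(\d+)$")


def shortest_broadcast_prefix(dst):
    """Shortest prefix length for which dst is the all-ones (broadcast) address."""
    value = int(ipaddress.ip_address(dst))
    ones = 0
    while ones < 32 and value & 1:  # count trailing 1 bits of the address
        value >>= 1
        ones += 1
    return 32 - ones


def odd_link_local_senders(log_text):
    """Count blocked packets per link-local source whose destination is not
    the range's standard 169.254.255.255 broadcast."""
    hits = Counter()
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed layout
        _app, action, _proto, src, _sport, dst, dport = m.groups()
        if action != "Blocked" or ipaddress.ip_address(src) not in LINK_LOCAL:
            continue
        if ipaddress.ip_address(dst) == LINK_LOCAL.broadcast_address:
            continue  # ordinary /16 link-local broadcast
        hits[(src, dst, int(dport), shortest_broadcast_prefix(dst))] += 1
    return hits


if __name__ == "__main__":
    for (src, dst, dport, prefix), n in odd_link_local_senders(SAMPLE_LOG).most_common():
        print(f"{n:3d}x {src} -> {dst}:{dport}  (broadcast for /{prefix} or longer)")
```

For the destination seen in this thread, 169.254.1.255, the result is /23: the sender is using a narrower subnet mask than the /16 the range normally carries, which helps narrow down which device to look for in a packet capture.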