2 Replies Latest reply on Sep 6, 2013 11:23 AM by damageinc

    How to permit port 1900 UDP traffic in HIPS 8

    damageinc

      I am kind of baffled by a HIPS 8 firewall block I am seeing.  The event details are below and in the attached image.

       

      Event: Traffic

      IP Address/User: 127.0.0.1

      Application: Host Process for Windows Services (svchost.exe)

      Message: Blocked Incoming UDP - 127.0.0.1 : (56006) Destination 239.255.255.250 : (1900)

      Matched Rule: Block All Traffic (default implied block rule at bottom of firewall)

       

      I already have the "allow loopback" rule in my firewall (not in any LAG) as described in KB71230.  I am unsure how to create a firewall rule to allow this traffic.  Can anyone help?

       

      Thanks,

      DamageInc

       


        • 1. Re: How to permit port 1900 UDP traffic in HIPS 8
          Kary Tankink

          For this traffic, you would need to have:

           

          Allow Inbound

          IPv4

          UDP

          Remote IP: 127.0.0.1

           

           

          Source IP = Remote Network, since this is Inbound traffic.  I suspect your Loopback rule allows Local Network 127.0.0.1 (as that's the rule from the HIPS Catalog), which doesn't apply to this blocked traffic.

           

          FYI, the HIPS Catalog rule uses 127.0.0.1 and ::1 only.  I've seen applications use any number of different IPs in the 127.x.x.x range.  You'll need to adjust your Loopback rule according to any blocked network traffic in the 127.x.x.x range, if necessary.

          1 of 1 people found this helpful
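
Added example (not part of the thread and not McAfee code): a simplified Python model of the direction-dependent matching described in reply 1, where inbound traffic is matched with its source as the remote address. The rule shapes, rule names and the `first_match` evaluator are assumptions for illustration; the packet is constructed from the event in the question.

```python
# Simplified model (an assumption, not HIPS internals): "local" and "remote"
# are assigned by traffic direction, not by which address is on this machine.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Packet:
    direction: str  # "in" or "out"
    proto: str
    src: str
    dst: str

@dataclass
class Rule:
    name: str
    direction: str                    # "in", "out" or "either"
    proto: str                        # "udp", "tcp" or "any"
    local_net: Optional[str] = None   # None means any address
    remote_net: Optional[str] = None

def endpoints(pkt):
    """Inbound: source is remote, destination is local. Outbound: the reverse."""
    return (pkt.dst, pkt.src) if pkt.direction == "in" else (pkt.src, pkt.dst)

def matches(rule, pkt):
    local, remote = endpoints(pkt)
    def in_net(addr, net):
        return net is None or ip_address(addr) in ip_network(net)
    return (rule.direction in ("either", pkt.direction)
            and rule.proto in ("any", pkt.proto)
            and in_net(local, rule.local_net)
            and in_net(remote, rule.remote_net))

def first_match(rules, pkt):
    """Return the name of the first matching rule, else the implied block."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.name
    return "Block All Traffic"

# Constructed from the blocked event: inbound UDP 127.0.0.1 -> 239.255.255.250:1900
SSDP_EVENT = Packet("in", "udp", "127.0.0.1", "239.255.255.250")
# Hypothetical rule shapes: catalog-style (Local 127.0.0.1) vs. "reversed" (Remote 127.0.0.1)
CATALOG_LOOPBACK = Rule("Loopback (local)", "either", "any", local_net="127.0.0.1/32")
REVERSED_LOOPBACK = Rule("Loopback (remote)", "in", "udp", remote_net="127.0.0.1/32")
# Wider variant for applications that use other 127.x.x.x addresses
WIDE_LOOPBACK = Rule("Loopback 127/8 (remote)", "in", "udp", remote_net="127.0.0.0/8")
```

In this model the catalog-style rule fails on the blocked event because the local side of an inbound packet is its destination, 239.255.255.250, so evaluation falls through to the implied block.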
          • 2. Re: How to permit port 1900 UDP traffic in HIPS 8
            damageinc

            Hi Kary,

             

            Thanks, this actually seems to work.  I tried this a couple hours ago, and rebooted a few times, and sure enough, I got traffic to pass with a "reversed" loopback rule.

             

            I'm trying to understand why this rule is needed, though.  It seems like the loopback rule from the KB would have sufficed, since the source traffic was still 127.0.0.1.  Wouldn't this have counted as the local network?  Or, is this reversed because the traffic was inbound?

             

            Should the KB be updated to include this caveat?  This seems like it applies to that same situation.

             

            Would HIPS 7 have treated this traffic any differently?  I recall that HIPS 7 had these loopback rules built in by default.

             

            Thanks,

            DamageInc