How To - Understanding & Creating Network Control Rules properly

[Guest]

[Rotty]

With the router i have it told me to make it the DNS server to all of the computers.  I would say this is due to the different ways that the routers work, possibly.

[Little Mac]

Hey Mac,

If we're going to create a zone that covers only those IPs currently in use (e.g. 192.168.1.1 - 3), would we also need to create a second zone covering just 192.168.1.255 to allow for broadcasts?

Ewen :-)

That would make sense, if we want to interact with/allow the broadcast traffic...  If it's only one computer, no file sharing or ICS, etc. why would we need to?

I personally have it set up only for the DNS, Gateway, and DHCP; it has worked so far - at least AFAIK...

LM

[brianwilson]

Little Mac....OK and thanks, but to tell you the truth, I really dont comprehend this firewall that well.  Its a little complicated fore me with all the rules and settings.  Can I just "set it and forget it"  Do I leave it in "Learn" and for how long?
I would like to keep it because its suppose to be the best firewall, but I dont want to have to fool with it...Thanks

[Little Mac]

Brian,

I agree that CFP is not the most "newb-friendly" firewall in the world, due to the level of its complexity; at this point it's a bit of a trade-off (security vs easy).  A number of users have requested more "user-friendly" features, which I think is probably a good thing.  However, I am confident that regardless of your computer skill level, this firewall is not beyond your reach.

If you're on a hard-wired router/modem (which you've said you are), then you don't have much to worry about with those log entries, in my opinion.  There's always a possibility that someone has physically connected to your home's wiring, etc but that's probably not very likely.

That said, you can do one of a couple things:

1.  Ignore the logs as long as everything seems to be working (ie, you can browse, check your email, etc).
2.  Automatically create a Zone that will encompass them (Security/Tasks/Add a Zone) and then set that as "trusted" (Security/Tasks/Define a New Trusted Network).
3.  Manually create two Zones - one to allow the current IP Configuration (as per my earlier post) and set that as a Trusted Network (as per item 1); one to define everything from that point through the end of the IP range, and use that Zone to define a Block and don't Log rule in your Network Monitor.

Item 1 is obviously the easiest; however, you get a lot of "clutter" in your logs.  This is the "ignore" approach.

Item 2 is VERY EASY to do (it's almost fully automated); it will allow the traffic automatically and won't clutter your logs.  Given you're not wireless, this is the "set and forget" option.

Item 3 would the one for the PC junkies...   If you wanted to do so, it's easy enough, and any of the Mods here (as well as any number of other users) can walk you through that.

Hope that helps,

LM

[brianwilson]

Hi Little Mac...OK, I called my ISP DSL provider BellSouth and they said that one of those IPs is my computer and the other IP is BellSouth (or my modem?).  Anyway they said that I should allow those two IP addresses to communicate or its possible I could loose my connection (or something like that...its hard to understand while "chatting" with a tech...you feel somewhat under a constraint) I had been allowing Comodo to block it with no disruptions(?)
Anyway...I went into Network Monitor and created a 5th and 6th ID and moved the Block and Log (previously #5) to the 7th position.  ID 5 and 6 are just those single IP addresses in/out.  Does this sound correct and the right position?  I let them log and now it just says Info instead of block.
ALso....what about the "Learn" in the Component Monitor"....I set it to ON and now every time I turn on my computer it goes back to Learn.....How should it be set??
Thanks

[Little Mac]

Brian,

If you want, we can take a look at your Network Monitor rules setup, to make sure it looks ok.  Open NetMon to full-screen, and capture a screenshot.  Save it as a jpeg (you can cut/mask your IP address if it shows in there, if you like) and attach to your post under "Additional Options." 

For Component Monitor,
1.  I'd leave it set to "Learn" for a week or two, until you've run pretty much all your applications.  Then to "On."
2.  After turning it "On" click the "Apply" button.  Wait a minute, then reboot.

LM

[wavetrip]

hi.

i have a few questions too. i used sygate personal firewall before, and i thougt i will try other firewalls. i have a stupid surecom ep4904sx router, with 3 PC-s on it (and only one external IP address from our fantastic local cabletv company). i use this router in DMZ mode for 192.168.1.2 since this is the only way i can be connectable constantly. so the router lets everything happen between my pc and the net.
i installed your product, and after setting up network control rules for bittorrent and soulseek and emule, i realized that it works good, but if i quit these programs, there are still traffic flowing into my pc (comodo's log says access granted) for more than half an hour. i tried removing these new network control rules, and tried adding trusted applications (skip parent check, allow all activities, skip advanced security checks, allow invisible connection attempts). but as i figured out, network control rules have a higher priority than application control rules. so no matter how much trust i give to an application, a network control rule will still block it. but if set a network control rule, it wont know which application it should trust (and wont know whether the app is running or not), so the problem above arises. so my first question is: how to solve that?
another thing is, that if i disable various icmp traffic, dcc on mirc wont work. so i wanted to enable all icmp traffic between my router 192.168.1.1 and my pc 192.168.1.2 so that if a problem is emerging, the router and the firewall could communicate well. and here is the second (maybe lame) question: is there any difference between an icmp packet coming from the net, forwarded by the router to my pc AND an icmp packet simply coming from the router itself towards my pc?
i would be happy to manage being p2p-connectable and secure with your firewall, so please answer me even if my whole theory is wrong thanks in advance

[panic]

hi.

i have a few questions too. i used sygate personal firewall before, and i thougt i will try other firewalls. i have a stupid surecom ep4904sx router, with 3 PC-s on it (and only one external IP address from our fantastic local cabletv company). i use this router in DMZ mode for 192.168.1.2 since this is the only way i can be connectable constantly. so the router lets everything happen between my pc and the net.
i installed your product, and after setting up network control rules for bittorrent and soulseek and emule, i realized that it works good, but if i quit these programs, there are still traffic flowing into my pc (comodo's log says access granted) for more than half an hour. i tried removing these new network control rules, and tried adding trusted applications (skip parent check, allow all activities, skip advanced security checks, allow invisible connection attempts). but as i figured out, network control rules have a higher priority than application control rules. so no matter how much trust i give to an application, a network control rule will still block it. but if set a network control rule, it wont know which application it should trust (and wont know whether the app is running or not), so the problem above arises. so my first question is: how to solve that?
another thing is, that if i disable various icmp traffic, dcc on mirc wont work. so i wanted to enable all icmp traffic between my router 192.168.1.1 and my pc 192.168.1.2 so that if a problem is emerging, the router and the firewall could communicate well. and here is the second (maybe lame) question: is there any difference between an icmp packet coming from the net, forwarded by the router to my pc AND an icmp packet simply coming from the router itself towards my pc?
i would be happy to manage being p2p-connectable and secure with your firewall, so please answer me even if my whole theory is wrong thanks in advance

You're soooooo close to getting your head around how CFPs rules work.

You're correct in saying that network monitor rules have the final say as to what gets in or out, regardless of what application rules are set up. The bit you're missing is that CFP will only allow traffic in on an allowed port IF there is an application rule that allows an application to listen on that port AND that application is running.

If you have a network monitor rule that allows (for example) a DCC connection inbound and you have an application monitor rule to allow DCC to accept inbound connections, CFP will block inbound connections on the nominated port unless DCC is running. Once DCC is running, CFP will alllow the incoming connections.

Hope this helps,
Ewen :-)

[wavetrip]

hehe. why didnt i think of that.... thanks for the help, it works now as it should.

[jim28277]

Hello everyone. Very interesting read. I am new to CFP. I installed CFP several days ago and everything is going well. All the rules seems to be working and I have not encountered any problems. I have one issue that continues to concern me. My log files indicate that I am blocking pings from my ISP [outbound policy violation/ICMP outgoing/source: 192.169.15.100/dest: 25.25.5.149/Msg: port unreacheable].

I am concerned that if time warner's ping continues to go unanswered that my internet connection will be disconnected. Is there a rule modification that I should consider or can I just ignore the log entries.

Thanks in advance
Jim
Charlotte, NC

[Little Mac]

Jim,

Welcome to the forums (and tnx for the PM).   

A couple points to clarify, with this issue.

My log files indicate that I am blocking pings from my ISP [outbound policy violation/ICMP outgoing/source: 192.169.15.100/dest: 25.25.5.149/Msg: port unreacheable].

You will note that this is an Outbound violation.  Thus, its source is your computer, not an external source.  Also, if it were your ISP pinging you, it would be Inbound, and would not be a "port unreachable" it would be an "echo request."  By default all ICMP is blocked (In or Out) except for a couple specific ones - Echo Request Out, and I think Time Exceeded and Fragmentation Needed (I think).

I am concerned that if time warner's ping continues to go unanswered that my internet connection will be disconnected. Is there a rule modification that I should consider or can I just ignore the log entries.

According to IPNetInfo, the 25.25.5.149 is not your cable provider; it is:

1   25.25.5.149   Succeed   USA - Wisconsin   RSRE-EXP   DINSA, Ministry of Defence    25.0.0.0   25.255.255.255   Yes   DINSA, Ministry of Defence    DINSA, HQ DCSA, H4, Copenacre, Corsham   hostmaster[at]dinsa.mod.uk      +44 (0) 1225 813426      ARIN   

Unless IPNetInfo is smokin' something funny, that is...

At any rate, I have not ever noticed a problem personally keeping my internet connection active, and I block ALL ICMP traffic, whether In or Out.  The "keep alive" packets from your ISP regarding your internet connection, I believe, occur via TCP (and this will only occur over a period of inactivity (such as overnight; over which time it's likely the DHCP lease will expire anyway, and have to be refreshed - which should occur automatically, a factor of svchost.exe).  The DNS and DHCP leases are established with UDP, so that's not an issue either.   

LM   

[gibran]

Hallo,

I have  few questions for the devs...

It is possible to use this mask 192.168.0.0/255.255.0.0 to include a range of ip like this

192.168.10.9-10 (netmask 255.255.255.0)
192.168.111.2-5  (netmask 255.255.255.0)
192.168.200.6  (netmask 255.255.255.0)

or it would be needed to specify a range like 192.168.10.9-192.168.200.6?

which of these two is faster RANGE 192.168.1.0-192.168.1.255 or MASK 192.168.10/255.255.255.0?

and  which of these two is faster NOT RANGE 192.168.1.0-192.168.1.255 or NOT MASK 192.168.10/255.255.255.0?

What is the performance hit of a NOT  rule opposed to the lean and mean one?
ZONE [myzone] is slower than RANGE (ip range of my zone)?
Are hosts resolved only when the rule is created, loaded or on every connection?

TCP or  UDP has the same perpormance hit of two separate rules one for TCP and one for UDP

Is there ane rule-making trick performance-wise?

 

[jim28277]

Jim,

Welcome to the forums (and tnx for the PM).   

A couple points to clarify, with this issue.
You will note that this is an Outbound violation.  Thus, its source is your computer, not an external source.  Also, if it were your ISP pinging you, it would be Inbound, and would not be a "port unreachable" it would be an "echo request."  By default all ICMP is blocked (In or Out) except for a couple specific ones - Echo Request Out, and I think Time Exceeded and Fragmentation Needed (I think).
According to IPNetInfo, the 25.25.5.149 is not your cable provider; it is:Unless IPNetInfo is smokin' something funny, that is...


LM   

Thanks for the prompt response LM. It should have dawned on me that this was outgoing not incoming. BTW, it is Time Warner, I sent the wrong Ip information in my original message. The correct IP is 24.25.5.149/  I was really starting to get paranoid when the dept of defense name showed up in your response  . I'm not sure what I could be sending TW unless it has something to do with my TW login information (I use TW's web page as my home page in Firefox). Thanks again....Jim

[Little Mac]

Gibran,

I don't know the answer to your question.  My suggestion would be that given your interest, try it out and see... and then let us all know! 

LM

[Little Mac]

The correct IP is 24.25.5.149/  I'm not sure what I could be sending TW unless it has something to do with my TW login information (I use TW's web page as my home page in Firefox).

  Okay, that's a little better then!  If I remember correctly, ICMP Port Unreachable indicates that basically the connection was dropped/timed out because the destination was not responsive.  I could be wrong, though.  In the log entry, is there any indication of the application trying to make the connection, or of the specific port being used?

LM

PS:  Personally, I wouldn't be too worried about it, unless you notice problems with your connection being lost, or not being able to connect (ie, no connection available).  It is most likely the result of a Windows service running in the background, or some aspect of TW's installed application (the browser, and whatever else came off their install CD).  You could also contact TW and ask what that IP address is (what function it has on their end), and if they are aware of a need for ICMP traffic with it.

[Tags:]