Topic: How To - Understanding & Creating Network Control Rules properly (Read 84903 times)
Hillbillycj (Newbie, Posts: 4)
Re: How To - Understanding & Creating Network Control Rules properly « Reply #45 on: December 26, 2006, 03:50:02 PM »
I have a newbie question. I was using ZA Pro for years until it became bloated and buggy, so I switched to Sunbelt Kerio, but the latest edition has shown up conflict between itself and Easy CD Creator 5. So I discovered Comodo and thought I'd give it a try.
Computer A <------>\
                    \
                     Switch <-----> NAT Router / DSL Modem <-----> Internet
                    /
Computer B <------>/
This is a simple map of my home network. Being a "newbie" to the Comodo Firewall, I read and re-read the instructions in this thread and wrote my rules for computer A and Computer B accordingly. All applications on both machines that ask for internet access and have it granted are getting out fine.
Now... A sees B and B sees A, in that I can share files between A and B, and between B and A. Computer A is Win XP and Computer B is Win 2K. Computer B cannot "see" my shared printer which is attached to computer A and if I open up "My Network Places" on Computer B only Computer B is listed on the map of my network. I can access Computer A from B by virtue of having mapped the network shares before installing Comodo on both machines. Also both machines are rejecting ICMP requests from the router, the error message in the log says "Port unreachable". My trusted zone is set for IP ranges from 192.168.1.0 to 192.168.1.255.
1. Am I supposed to set up in and out rules for the router as I did for computers A and B? (in other words treat the NAT router as a kind of third Computer, Computer C)
2. The Win XP machine lists the shares on both machines OK including the shared printer attached to the Win 2K machine but the Win2K machine does not. Both machines have their rules set as instructed by this FAQ post, source and destination IP's adjusted accordingly for each machine. Anyone else come across this and resolved the issue? If so what did you do?
3. Is it normal to have so many ICMP rejections listed in the logs of both machines (at least two an hour), with a source IP of the router itself?
Thanks for any help you can give...
Hillbillycj
In training at Malware Removal University
Proverbs 1:7 "The fear of the Lord is the beginning of knowledge; fools despise wisdom and instruction"
AOwL (Comodo SuperHero, Global Moderator, Comodo's Hero, Posts: 2349)
Comodo Firewall Pro - Be safe, use protection...
Re: How To - Understanding & Creating Network Control Rules properly « Reply #46 on: December 26, 2006, 05:03:37 PM »
Welcome to the forum.
1. If you have set up a trusted zone, that should be enough. Is your router's IP in that zone? I don't have any special rules for my router.
2. It works for me, but I had to remake the network in Windows for all computers before I got it to work properly. Check both computers' shared folders so you have full rights to see and change in there.
3. I also had a lot of messages from the router. You can do as you prefer. Block them or allow them. Some people say that you should block them and some say that it doesn't matter... I have allowed port unreachable in my zone.
WinXP SP2 HE - IE7 - FF 2 - TB - CFP 2.4 - NOD32 - BoClean -ST - AMD64x2 - 3Gb Ram - 1.5Tb HD
m0ng0d (Global Moderator, Comodo's Hero, Posts: 787)
I used to be indecisive, but now I'm not so sure.
Re: How To - Understanding & Creating Network Control Rules properly « Reply #47 on: December 26, 2006, 05:07:18 PM »
First off, welcome to the forums.
Quote from: Hillbillycj on December 26, 2006, 03:50:02 PM
1. Am I supposed to set up in and out rules for the router as I did for computers A and B? (in other words treat the NAT router as a kind of third Computer, Computer C)
Is your router not in the same IP range as your 2 PC's? 192.168.1.?
Quote from: Hillbillycj on December 26, 2006, 03:50:02 PM
2. The Win XP machine lists the shares on both machines OK including the shared printer attached to the Win 2K machine but the Win2K machine does not. Both machines have their rules set as instructed by this FAQ post, source and destination IP's adjusted accordingly for each machine. Anyone else come across this and resolved the issue? If so what did you do?
I can recall some possible issues...
Win XP might be using simple sharing mode, which might not be compatible with Win2K
both machines may be trying to be the master network browser and conflicting
you may be using blank passwords
... in any event, it doesn't immediately sound like a CPF issue, but I can't discount it.
.. one far-out thought... are you sure you ran the Define a new trusted network wizard on the WinXP PC?
Quote from: Hillbillycj on December 26, 2006, 03:50:02 PM
3. Is it normal to have so many ICMP rejections listed in the logs of both machines (at least two an hour), with a source IP of the router itself?
I'm not receiving entries like you suggested. I took a look in my log and the only ICMP block was an outbound one from my PC to the internet.
I also do not use a switch between myself and my router, I use the LAN ports on the router itself... so my topology does not exactly pattern yours.
It sounds like you have an excellent start with CPF configuration on both PC's. What I suggest is that you open a new topic in the Help section related to the network shares between Win2K and WinXP; some google whacking may help as well. Hopefully someone will have a fresher memory on that subject than myself, as it has been at least a couple years since I've touched a Win2K system.
OS: WinXP x64
Comodo Security: CIS 3.5 Beta3
Other Security: Mailwasher Pro 5.3 LFE
Wish: x64 iVault for FireFox, x64 Comodo Backup
Hillbillycj (Newbie, Posts: 4)
Re: How To - Understanding & Creating Network Control Rules properly « Reply #48 on: December 27, 2006, 08:14:33 AM »
Thanks for the welcome, and the responses.
Quote
Is your router not in the same IP range as your 2 PC's? 192.168.1.?
Yes it is. In fact both Computer A and B are set up to get their IP addresses automatically. They both get their addresses from the NAT router.
Quote
I can recall some possible issues...
Win XP might be using simple sharing mode, which might not be compatible with Win2K
both machines may be trying to be the master network browser and conflicting
you may be using blank passwords
... in any event, it doesn't immediately sound like a CPF issue, but I can't discount it.
As far as the network shares on both machines are concerned I have the same setup as I had before I installed Comodo, when I was using Kerio. If I exit the Comodo program on both machines, everything is fine and dandy, the problem does not exist.
If I disconnect the mapped network shares and try to connect to the network, I have to supply a password on both machines.
Quote
.. one far-out thought... are you sure you ran the Define a new trusted network wizard on the WinXP PC?
This may be where my understanding of this firewall's set up may be lacking.
I used automatic install on the Win2K machine, but not on the XP machine. Each installation found the respective machine's ethernet cards and defined them accordingly. If I look at the bottom right side of the display on the summary screen, I can see the ip address, subnet mask and mac address of each card. I will recheck all settings on both machines later (at work right now). I am certain that I followed the instructions on both machines to the letter, I did the XP machine first. In fact I had the problem in both machines until I followed your instructions.
Perhaps I should uninstall on the XP machine and re-install using automatic install?
Quote
1. If you have set up a trusted zone, that should be enough. Is your router's IP in that zone? I don't have any special rules for my router.
Yes, the router is within the IP range of the Zone, both computers' networking parameters are set up for dynamic IP addressing.
The router is a Westell 6100 DSL modem, and performs the functions of DNS server, Internet Gateway, NAT router, and firewall. The "home network" side IP address of the router is fixed at 192.168.1.254. The router generally assigns each network card it sees an IP address starting at 192.168.1.97, in descending order depending upon how many machines are connected to the switch. The modem/router only has two connections for the computer, ethernet or USB. I have had as many as four machines connected to it.... 192.168.1.96, 95, 94 etc. through the switch.
@AOwL
I have not as yet set any special rules for the router. I was waiting for some advice first. So thanks for that. As far as the ICMP rejections are concerned, are these genuinely originating from within the router just to see if the two networked computers are still awake, or is the originating source IP masquerading as the IP address of the router/modem? If it is the former, then I see no reason not to allow the ICMP packet through. If it is the latter then, yes, reject it.
I am still very much on the learning curve, so this setting the rules stuff is all new to me, but at least I'm learning something.
Thanks for your help.
Hillbillycj
AOwL (Comodo SuperHero, Global Moderator, Comodo's Hero, Posts: 2349)
Comodo Firewall Pro - Be safe, use protection...
Re: How To - Understanding & Creating Network Control Rules properly « Reply #49 on: December 27, 2006, 05:01:50 PM »
Try to make an auto install on your XP machine, and see if it works.
m0ng0d (Global Moderator, Comodo's Hero, Posts: 787)
I used to be indecisive, but now I'm not so sure.
Re: How To - Understanding & Creating Network Control Rules properly « Reply #50 on: December 27, 2006, 10:08:46 PM »
The end results of running the Define a new trusted network wizard are Rules 0 & 1 in my screen shot... just make sure both installations of CPF have those same rules, and that the zones are identical (same IP range).
Hillbillycj (Newbie, Posts: 4)
Re: How To - Understanding & Creating Network Control Rules properly « Reply #51 on: December 28, 2006, 07:16:39 AM »
Thanks Guys
Well, I'm making progress. Last night I checked both installs. The XP settings were correct. The 2K settings... had not defined a specific zone for Computer A on Computer B.
Did so, made sure both the in and out rules on both machines were at positions 0 and 1. Re-booted both machines, and the same problem existed. Exited CPF on both machines. Exercised the LAN by causing traffic to flow from A to B and from B to A. Opened "My Network Places" on both machines. Icons for Computers A and B appeared on both machines. Opening up the Computer A icon on Computer B showed all shares including the printer. Likewise the Computer B icon from A.
Restarted CPF on both machines. Rechecked My Network Places on both machines. The icons for both machines are present on both machines. Opened Computer A's icon from B (the problem child)...
All appears to be working now with the firewall active. I guess the next step will be to reboot both machines and see if the problem comes back or if I'm in the clear.
I'll keep you posted.
Hillbillycj
Hillbillycj (Newbie, Posts: 4)
Re: How To - Understanding & Creating Network Control Rules properly « Reply #52 on: January 02, 2007, 08:05:41 AM »
Unfortunate....
Rebooting the machines resulted in the problem returning. Uninstalling the firewall and rebooting both machines resulted in the problem going away. Reinstalling Comodo using automatic install on both machines... problem came back. Uninstalling on both machines and reinstalling Kerio, problem stays away. This is obviously a configuration issue, and more than likely my misunderstanding of how to configure this firewall properly.
The "My Network Places" issue is actually being displayed on both machines.
The Comodo setup automatically sets a trusted zone for the LAN with IP ranges from 192.168.1.0 to 192.168.1.255. This includes the NAT router (192.168.1.254). Since this device is the gateway from the LAN to/from the internet, should I not remove the "blanket" trusted zone and set up a zone for each trusted machine in the network and create rules for the router?
So... back to the drawing board.
Hillbillycj
user239 (Newbie, Posts: 1)
Re: How To - Understanding & Creating Network Control Rules properly « Reply #53 on: January 02, 2007, 09:30:52 AM »
I have just installed the Comodo firewall. I wanted to create a new network control rule (clicking on +Add), but after I set the parameters and click OK, the new rule does not show up in the list.
I tried to modify or delete the existing rules as well or move them up or down, but these functions do not work either. What could be the problem?
m0ng0d (Global Moderator, Comodo's Hero, Posts: 787)
I used to be indecisive, but now I'm not so sure.
Re: How To - Understanding & Creating Network Control Rules properly « Reply #54 on: January 03, 2007, 08:39:16 AM »
Quote from: Hillbillycj on January 02, 2007, 08:05:41 AM
Unfortunate....
Rebooting the machines resulted in the problem returning. Uninstalling the firewall and rebooting both machines resulted in the problem going away. Reinstalling Comodo using automatic install on both machines... problem came back. Uninstalling on both machines and reinstalling Kerio, problem stays away. This is obviously a configuration issue, and more than likely my misunderstanding of how to configure this firewall properly.
The "My Network Places" issue is actually being displayed on both machines.
The Comodo setup automatically sets a trusted zone for the LAN with IP ranges from 192.168.1.0 to 192.168.1.255. This includes the NAT router (192.168.1.254). Since this device is the gateway from the LAN to/from the internet, should I not remove the "blanket" trusted zone and set up a zone for each trusted machine in the network and create rules for the router?
So... back to the drawing board.
Hillbillycj
On install, CPF does create the trusted zone, but does not create the Network rules for that zone... you need to run the Define a new Trusted Network wizard... view this install video for the basic install steps.
m0ng0d (Global Moderator, Comodo's Hero, Posts: 787)
I used to be indecisive, but now I'm not so sure.
Re: How To - Understanding & Creating Network Control Rules properly « Reply #55 on: January 03, 2007, 08:42:39 AM »
Quote from: user239 on January 02, 2007, 09:30:52 AM
I have just installed the Comodo firewall. I wanted to create a new network control rule (clicking on +Add), but after I set the parameters and click OK, the new rule does not show up in the list.
I tried to modify or delete the existing rules as well or move them up or down, but these functions do not work either. What could be the problem?
Welcome to the forums.
It seems to me that the issue is you cannot modify your registry, as that is where the rules are recorded.
So the question is, "why can't you modify your registry"?
are you using other security software that protects your registry?
are you using a LUA (limited user account)?
etc...
BullHorn (Comodo's Hero, Posts: 230)
Nexus23
Re: How To - Understanding & Creating Network Control Rules properly « Reply #56 on: January 09, 2007, 06:45:43 AM »
This is a very very good thread.
Thanks!
Windows XP SP2
Comodo Personal Firewall 3.0.7.208
NOD32 2.7
m0ng0d (Global Moderator, Comodo's Hero, Posts: 787)
I used to be indecisive, but now I'm not so sure.
Re: How To - Understanding & Creating Network Control Rules properly « Reply #57 on: January 09, 2007, 07:24:33 AM »
Glad you find it helpful.
wwwdotcom (Guest)
Re: How To - Understanding & Creating Network Control Rules properly « Reply #58 on: January 14, 2007, 02:02:48 PM »
Hello,
Thank you for putting this thread up. I pretty much have the default settings regarding Network Control Rules. I think I added 1 for utorrent to work and then today I saw 2 rules for ICMP In. If they are both supposed to be there can you tell me the settings for both?
Next, I would like to know from the start, how many rules in total are there supposed to be? It appears we need 6. In this thread, I saw 4, and one of them didn't seem to correspond to any of the 6 I had after installing Comodo.
Finally, I would like to know what order these should be in. I know the one that is set to "BLOCK" should be at the bottom, but what about the rest?
« Last Edit: January 14, 2007, 02:07:11 PM by wwwdotcom »
m0ng0d (Global Moderator, Comodo's Hero, Posts: 787)
I used to be indecisive, but now I'm not so sure.
Re: How To - Understanding & Creating Network Control Rules properly « Reply #59 on: January 15, 2007, 05:26:40 PM »
Quote from: wwwdotcom on January 14, 2007, 02:02:48 PM
Hello,
Thank you for putting this thread up. I pretty much have the default settings regarding Network Control Rules. I think I added 1 for utorrent to work and then today I saw 2 rules for ICMP In. If they are both supposed to be there can you tell me the settings for both?
Next, I would like to know from the start, how many rules in total are there supposed to be? It appears we need 6. In this thread, I saw 4, and one of them didn't seem to correspond to any of the 6 I had after installing Comodo.
Finally, I would like to know what order these should be in. I know the one that is set to "BLOCK" should be at the bottom, but what about the rest?
I've attached a pic I assembled that shows the 8 rules and details in the order CPF assembles them. (the bottom 6 are the defaults, the top 2 are the new rules added by the trusted zone wizard {not required if you are not on a network/LAN/Router}). If you've created a custom rule, just make sure it is above the "Block All" rule and you should be OK.
« Last Edit: January 15, 2007, 05:33:28 PM by m0ng0d »
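The ordering advice in the post above (the wizard's two zone rules at positions 0 and 1, custom rules above "Block All"), modelled as an added example that is not part of the thread and is not Comodo's code. It assumes top-down, first-match evaluation and a simplified rule set (two zone rules, one custom rule, Block All; the other defaults are omitted); the custom port 51413, the peer 203.0.113.5 and the two-PC zone PCS_ONLY are constructed values. It also shows what narrowing the zone to the PCs alone would mean for traffic from the router at 192.168.1.254.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

ANY = IPv4Network("0.0.0.0/0")
LAN_ZONE = IPv4Network("192.168.1.0/24")   # 192.168.1.0 - 192.168.1.255 (from the thread)
PCS_ONLY = IPv4Network("192.168.1.96/31")  # constructed: .96 and .97 only, router left out
ROUTER = IPv4Address("192.168.1.254")
PC = IPv4Address("192.168.1.97")


@dataclass(frozen=True)
class Packet:
    direction: str                  # "IN" or "OUT"
    protocol: str                   # "TCP", "UDP" or "ICMP"
    src: IPv4Address
    dst: IPv4Address
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                     # "ALLOW" or "BLOCK"
    direction: str                  # "IN", "OUT" or "ANY"
    protocol: str                   # "IP" stands for any protocol
    src: IPv4Network = ANY
    dst: IPv4Network = ANY
    dst_port: Optional[int] = None  # None stands for any port

    def matches(self, p: Packet) -> bool:
        return (self.direction in ("ANY", p.direction)
                and self.protocol in ("IP", p.protocol)
                and p.src in self.src and p.dst in self.dst
                and self.dst_port in (None, p.dst_port))

    def covers(self, other: "Rule") -> bool:
        """True when every packet `other` can match is already matched by self."""
        return (self.direction in ("ANY", other.direction)
                and self.protocol in ("IP", other.protocol)
                and other.src.subnet_of(self.src)
                and other.dst.subnet_of(self.dst)
                and self.dst_port in (None, other.dst_port))


def ruleset(zone: IPv4Network, custom_above_block: bool = True) -> List[Rule]:
    """Simplified model: zone rules at positions 0 and 1, then custom and Block All."""
    rules = [Rule("Zone out", "ALLOW", "OUT", "IP", dst=zone),
             Rule("Zone in", "ALLOW", "IN", "IP", src=zone),
             Rule("Block All", "BLOCK", "ANY", "IP")]
    custom = Rule("Custom TCP in", "ALLOW", "IN", "TCP", dst_port=51413)  # constructed
    rules.insert(2 if custom_above_block else 3, custom)
    return rules


def evaluate(rules: List[Rule], p: Packet) -> Tuple[Optional[int], str, str]:
    """Return (position, rule name, action) of the first rule that matches."""
    for pos, rule in enumerate(rules):
        if rule.matches(p):
            return pos, rule.name, rule.action
    return None, "no match", "BLOCK"


def shadowed(rules: List[Rule]) -> List[Tuple[str, str]]:
    """List (dead rule, earlier rule that hides it) pairs."""
    dead = []
    for pos, rule in enumerate(rules):
        hider = next((e for e in rules[:pos] if e.covers(rule)), None)
        if hider is not None:
            dead.append((rule.name, hider.name))
    return dead


ROUTER_ICMP = Packet("IN", "ICMP", ROUTER, PC)                             # constructed
INBOUND_TCP = Packet("IN", "TCP", IPv4Address("203.0.113.5"), PC, 51413)   # constructed

if __name__ == "__main__":
    print(evaluate(ruleset(LAN_ZONE), ROUTER_ICMP))
    print(evaluate(ruleset(PCS_ONLY), ROUTER_ICMP))
    print(evaluate(ruleset(LAN_ZONE, False), INBOUND_TCP))
    print(shadowed(ruleset(LAN_ZONE, False)))
```

In this model a custom rule placed below "Block All" is reported by `shadowed` as unreachable, and inbound ICMP from the router is allowed only while the router's address is inside the trusted zone.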