IP Mask and Host Name Options?

[Guest]

[Toggie]

Continuing my endeavours to create a more defined and secure rule set for Comodo, I have a query regarding the use of two options under 'Application control Rules' namely, 'IP Mask' and 'Host Name.'

To better understand my question, let us take an example application, in this case Avast Anti-Virus Home, my AV of choice.

Avast uses a great many servers to deliver updates, each with its own IP address. These servers are configured in CIDER notation, which I assume is a supernet:

66.98.0.0./16
67.15.0.0/16
.
.
75.126.0.0/16

And so on.

Further investigation of the Avast 'setup.ini' file located in the Avast program directory, provides us with the host name for these servers:

Server=download24.avast.com
IP=67.15.196.21

Where the number at the end of 'download' changes based upon IP address.

To confute rules for Avast one could simply use:

avast.setup [ANY] 80 TCP Out Allow

However, to be more precise about which servers Avast is allowed to connect to requires more thought and this is where I need some guidance.

Would it be possible to use the 'IP Mask' or 'Host Name' options within CPF to create more specific rules for applications such as Avast.

For example (and I'm guessing the net mask here) under IP Mask, would this work?

66.98.0.0
255.255.0.0

Alternatively, does the 'Host Name' option support wild cards?

If these options are not possible, can anyone think of any other means by which one might achieve this goal?

Thanks for any help. 

[Toggie]

From what I can see via my tests, the 'Host Name' option is a non-starter. After specifying a host name in the field provided, CPF appends a block of reserved IP addresses, curiously in the format:

NAME : [host name] - 192.168.255.255 - 192.168.255.255

So it would seem this is only useful for something on a LAN.

I'm still working on the IP Mask...

[panic]

From what I can see via my tests, the 'Host Name' option is a non-starter. After specifying a host name in the field provided, CPF appends a block of reserved IP addresses, curiously in the format:

NAME : [host name] - 192.168.255.255 - 192.168.255.255

So it would seem this is only useful for something on a LAN.

I'm still working on the IP Mask...

You can add a routable address (or its non-resolved WWW name) as a host name in a block rule. I'm sending you a PM in more details as to how I use this.

Cheers,
Ewen :-)

[Toggie]

I think I'm being a bit dim

I've just realised I should be able to use the 'IP range' option. Assuming I can identify exactly each CIDR blocks Avast uses. entering something like:

67.15.0.1 - 67.15.255.255

Should work...

[Triplejolt]

NAME : [host name] - 192.168.255.255 - 192.168.255.255

I'm still working on the IP Mask...

You don't need to. This specifies a single host (or a single host broadcastaddress in this case). I believe Comodo already assumes the host subnetmask is 255.255.255.255 (which is standard when specifying hosts).

Instead of working with B-class address range, why not just use the URL? Just insert the download24.avast.com in the host-field and let Comodo do the lookups for you? 

[Toggie]

You don't need to. This specifies a single host (or a single host broadcastaddress in this case). I believe Comodo already assumes the host subnetmask is 255.255.255.255 (which is standard when specifying hosts).

Instead of working with B-class address range, why not just use the URL? Just insert the download24.avast.com in the host-field and let Comodo do the lookups for you? 

Hello Triplejolt

The problem with this approach is that Avast appears to use a great many individual servers, which change, more or less, each time it updates. By entering 'download24.avast.com' in the 'Hoat Name' field, Comodo correctly queries for the IP Address and inserts 67.15.196.21 - 67.15.196.21.

Doing that way would require a significant number of rules, one for each server.

Toggie

[Toggie]

Plan B

It seems that if I am not specific with the host name i.e. download24.avast.com and use just avast.com, CPF will, quite cleverly, append the entire range of IP Addresses assigned to an entity. The same is also true for services such as gmail.

smtp.gmail.com gives a single address
gmail.com gives the entire range

Simple when you know how 

[panic]

Well spotted Toggie. Very clever indeed.

ewen :-)

[Toggie]

LOL  I'll let you know if it doesn't work!

[panic]

LOL  I'll let you know if it doesn't work!

I'd rather you let me know if it did. LOL

[Triplejolt]

By entering 'download24.avast.com' in the 'Hoat Name' field, Comodo correctly queries for the IP Address and inserts 67.15.196.21 - 67.15.196.21.

Doing that way would require a significant number of rules, one for each server.

Well... if avast use different hostnames for every server, then you do. I wasn't aware of this, and I must admit it differs from how other competing companies do this. Usually, it's one hostname used in an "umbrella" fashion (in lack of a better word for it). But if Comodo accepts and can use domain names, then by all means. It's a clever solution indeed. Didn't think of that, lol

Post the results. For the FAQ atleast

[Toggie]

Well... if avast use different hostnames for every server, then you do. I wasn't aware of this, and I must admit it differs from how other competing companies do this. Usually, it's one hostname used in an "umbrella" fashion (in lack of a better word for it). But if Comodo accepts and can use domain names, then by all means. It's a clever solution indeed. Didn't think of that, lol

I agree its a strange way to do things. I would have thought a front end/back end server solution, with a single identifier for the connection i.e. download.avast.com, would have been more sensible, but if you look in the Avast setup.ini file located in the programs install directory, you can see the server that avast last connected to along with its IP.

Post the results. For the FAQ atleast

As soon as I have finished testing I'll put together a guide, perhaps, after its been approved, it may be a useful addition for the FAQ.

Toggie

[Triplejolt]

Excellent idea!
And maybe the devs will update the hostname field to eg. wildcard and include it in the latest helpfile

[Tags:]