My Network Zones, Stealth Ports Wizard not behaving as expected [RESOLVED]

[Guest]

[eBatch]

CFP 3.0.25.378
Broadband (via ADSL modem router)
WinXP SP3 - all latest updates
Logged in as user (with full admin rights)
Also running Avast AV v4.8, SpyBot 1.5.2 (but not Tea Timer - disabled before CFP installed), Ad-Aware 2008
Zone Alarm 7.0.473.000 uninstalled before installing CFP
---------------

Have just installed CFP and having a few issues with network settings.

1. If I add a new network (e.g. with an IP range) under My Network Zones, it is there for the duration until I reboot.

2. Similarly, if I remove the automatically created "Local Area Network #1", it reappears after a reboot even if I disable "Automatically detect new private networks".

3. Can use a network created under My Network Zones to define a new trusted network (using Stealth Ports Wizard). The references to the network name (in Network Security Policy - Global Rules) persist after reboot even though the network definition has been "lost" (see 1. above). As the network definition has been lost, the trusted network is ineffective.

4. In Stealth Ports Wizard, using "Block all incoming connections - stealth my ports to everyone" doesn't remove references to pre-existing network (in Network Security Policy - Global Rules) and network access (in and out) is not disabled.

[Vettetech]

Not sure about your network problem cause I have never needed to use that feature but if you want to apply new global rules you need to delete the old ones first. You also dont need to use the "block all incoming connections" rule cause you have a hardware firewall. Be sure your hardware firewall is configured properly. That is your first line defense.

[gibran]

3.0.25 does not apply network zones changes when CFP GUI is running. Please Close CFP manually using the tray icon Exit menu entry soon after applying your Network Zones changes.

[eBatch]

Thanks gibran, that effectively "solves" my points 1, 2  and 3. However, I find it very surprising that a sophisticated product such as CFP still has what can only be described as such a basic flaw.

WRT to my point 4, I've tried this again using the same approach as you suggested. But no difference and access is still permitted to/from my network. Am I right in my expectation that references to pre-existing network (in Network Security Policy - Global Rules) should be removed when using "Block all incoming connections - stealth my ports to everyone"? If not, how can one see the effect of "Block all incoming connections - stealth my ports to everyone" in the CFP settings?

Vettetech - I appreciate that there is a hardware / firmware firewall in the router (which I have set to maximum security and latest firmware from 3com), although sometimes this does let the odd packet through. In any event, I see no real harm in having additional protection. Plus, on occassion, I have cause to use a 56k dial-up connection (and have also had to resort to a simple broadband modem when the router crapped out).

[gibran]

Thanks gibran, that effectively "solves" my points 1, 2  and 3. However, I find it very surprising that a sophisticated product such as CFP still has what can only be described as such a basic flaw.

WRT to my point 4, I've tried this again using the same approach as you suggested. But no difference and access is still permitted to/from my network. Am I right in my expectation that references to pre-existing network (in Network Security Policy - Global Rules) should be removed when using "Block all incoming connections - stealth my ports to everyone"? If not, how can one see the effect of "Block all incoming connections - stealth my ports to everyone" in the CFP settings?

That issue was reported recently although I don't know when it was introduced. I'm not a developer but I guess the complexity of CFP development was related to such issues. I suppose that there are different devs working on CFP and that there are many code versions and this could lead to issues like this one. I guess that the issue itself fell though the cracks of QA testing since it was a GUI bug. I read somewhere that is possible to setup automated tests for regression bugs but I guess this will not apply to GUIs (This means that all possible GUI interactions should be manually tested).

A likely scenario would be that some dev commented out the code that saved Network Zone setting to test some new functionality and another dev used that code branch to make a other changes and finalize a release.

Explicitly closing CFP from the tray icon forces CFP to save all settings. I guess that the fact your network zones were not saved during a normal windows shutdown/reboot would imply that there is another different section of CFP code to handle that case (although is possible that CFP is terminated before it completely saves your configuration during shutdown) but some additional test would be needed.

As for point 4 the wizard was only meant to create rules I guess a built-in logic to find and remove redundant or unneeded policies goes way above its scope.
A related issue reported before should have been about existing policies that feature removed network zones (invalid rules), IIRC devs coded a solution for that but I don't remember what it was of if it is still there.

It is entirely my speculation but I think that the current CFP GUI could be entirely replaced in future, after all there is a somewhat related ongoing project  Comodo Remote Management meant for enterprise setups with AD. My guess is that CFP GUI and V3 engine are totally independent entities.

[eBatch]

gibran - thanks for such an informative reply.

[3xist]

This thread is now closed.

If you need this thread re-opened, Please PM any online Moderator.

[Tags:]