Author Topic: v3 not allowing a tracert  (Read 6469 times)
john q private
« Reply #15 on: November 24, 2007, 09:04:18 PM »

Funny. I woke up this morning and realized that if I allow all ICMP in and out then I will be visible at least when it comes to ping.

I came back to this thread and noticed my thoughts this morning weren't too far off apparently.

All I can say is that with the previous release, I had no problems running a tracert. Now, saying that I cannot say if I was pingable because I never pinged myself until the issue being kicked around here came up.

I've tried the various options given out here. The results are this: if I make the rules to allow for tracert then I can ping my own IP; if I erase the rules then I cannot ping myself but tracert doesn't work.

Maybe I'm paranoid, but I personally don't like my PC being visible even if it is by tiny little insignificant ping. So I guess the only thing I can do in the meantime is delete all rules for ICMP and tracert and adjust ICMP rules when I need to run a tracert. I'll also be experimenting with the rules and see if I can figure something out.
Logged
VanguardLH
« Reply #16 on: November 25, 2007, 02:23:47 AM »

I am running under Windows XP.  I did NOT have any rules (app or global) defined for ICMP.  I had defined global rules for the Echo Request and Echo Reply (but forgot the Timeout) but decided there was no point.  My NAT router's firewall has an option to block inbound pings and I don't care about any of my intranet hosts pinging each other.  So I deleted those global ICMP rules.

When I run tracert.exe, CFP3 auto-generates an app rule for it because apparently it is a certified application.  The rule it defines lets it connect out to any host.  I even tried changing the connect direction from Out to In/Out but that did not help. 

At this point, the only way I get tracert to work (and without defining gobs of extra global rules which should not be required, especially since app rules are used first for outbound connects so the tracert app rule should be used) is to disable CFP3.  However, after finding out that the HIPS in CFPs is missing the most critical feature of a HIPS - that of regulating what can load into memory (regardless of what access rights it may be given thereafter) - it looks like CFP3 is something of a bastardized HIPS-enabled product.  Every HIPS product that I've used will let me block specified programs from loading but not CFP3; see my other post.  I consider blocking of programs a critical feature of HIPS and without it means I really don't care what else of HIPS is supported in CFP3.

Online Armor is looking more promising as the upgrade from CPF 2.4.  And no problems with tracert, either, with Online Armor.
Logged
Luxor
« Reply #17 on: November 25, 2007, 06:57:17 AM »

Well I still can't get tracert to work and that is on an XP machine and a Vista machine.
I know Comodo 3 is different but I have used many a firewall over my long computing years and never had a situation when tracert wouldn't work as it should.

This could be a bad thing in my view and please bear with me while I explain why.

Let's say that my broadband connection is really poor, you know the one where pages won't load, speed is as slow as being on a 26k modem. What's the first thing a normal user will do ? Get on the phone to their ISP tech line. The conversation could go as follows:-

Hello Tech Support.

(User) My broadband is not working properly.

(tech) Can you do a tracert for me sir/madam.

(user) Yes how do I do that ?

(tech) Run the CMD and type in tracert www.google.co.uk

(user) OK

(tech) can you tell me the result.

(user) Yes it says
          
          Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\User Name>tracert www.google.co.uk

Tracing route to www.l.google.com [64.233.183.147]
over a maximum of 30 hops:

  1     1 ms    <1 ms    <1 ms  www.routerlogin.com [xxx.xxx.x.x]
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
  9     *        *        *     Request timed out.
 10     *        *        *     Request timed out.
 11     *        *        *     Request timed out.
 12     *        *        *     Request timed out.
 13   163 ms   172 ms   184 ms  nf-in-f147.google.com [64.233.183.147]

Trace complete.

(tech) Do you have a firewall ?

(user) Yes I use Comodo v3

(tech) Can you turn off your firewall please and run the tracert again ?

(user) Yes Ok.........     .......... Oh it works now !!!!!! I get this.

C:\Documents and Settings\User Name>tracert www.google.co.uk

Tracing route to www.l.google.com [64.233.183.104]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  www.routerlogin.com [xxx.xxx.x.x]
  2     *        *        *     Request timed out.
  3   184 ms   169 ms   167 ms  popl-t3core-1a-ge-110-0.inet.ntl.com [62.255.81.
81]
  4   146 ms   143 ms   151 ms  pop-bb-a-so-210-0.inet.ntl.com [213.105.174.234]

  5   174 ms   181 ms   185 ms  nth-bb-b-so-010-0.inet.ntl.com [213.105.172.13]

  6   177 ms   179 ms   179 ms  tele-ic-1-as0-0.inet.ntl.com [62.253.184.2]
  7   173 ms   195 ms   204 ms  212.250.14.66
  8   223 ms   222 ms   210 ms  209.85.252.42
  9   232 ms   251 ms   249 ms  209.85.248.80
 10   241 ms   230 ms   258 ms  72.14.232.141
 11   250 ms   202 ms   158 ms  72.14.233.83
 12   206 ms   222 ms   242 ms  216.239.43.34
 13   206 ms   193 ms   190 ms  nf-in-f104.google.com [64.233.183.104]

Trace complete.


(tech) I think it could be your firewall, I would suggest using a different one.

(user) Yes you may be right, I will thank you for your help

(tech) No problem have a nice day.

See what would happen there ?
Lots of a potential user base who try Comodo 3 will uninstall and use something else.

Not something we want really is it.  Shocked
« Last Edit: November 26, 2007, 07:31:59 AM by Luxor » Logged

We say just what we want because we might be right.
Opera, the fastest and most secure web browser
jasper2408
« Reply #18 on: November 25, 2007, 03:58:33 PM »

Please add your suggestions in the Wishlist V6 thread. Comodo does like to see what features the users want and they do listen.


jasper
Logged

CFP 3.0.22.327beta  CMF   Avast Pro  SAS Pro Sandboxie Win XP PRO SP2 (x32)
Luxor
« Reply #19 on: November 26, 2007, 07:20:04 AM »

Quote
Please add your suggestions in the Wishlist V6 thread. Comodo does like to see what features the users want and they do listen.


jasper

Done though I wouldn't call it a wish more a necessity.  Wink
Logged

We say just what we want because we might be right.
Opera, the fastest and most secure web browser
gibran
« Reply #20 on: November 26, 2007, 10:15:10 AM »

Tracert Works correctly with this ruleset:

Useful Firewall rules and policies

Firewall\Common Tasks\My Port Sets
  • Netbios & DCOM
        IN (135-139)
        445
  • Incoming TCP
        Add yours
  • Incoming UDP
        Add yours

Firewall\Common Tasks\My Network Zones
  • Local Area Network
        IP in [your network IP Mask (eg 10.0.0.0/255.0.0.0)]
        IP 0.0.0.0
        IP 255.255.255.255
  • Internet-wide Multicast
        IP in 224.0.1.0-238.255.255.255
  • Special & Local Multicast
        IP in 224.0.0.0-224.0.0.255
        IP in 239.0.0.0-239.255.255.255

Firewall\Advanced\Predefined Firewall Policies
  • LAN
        Allow IP In From In [Local Area Network] To IP Any Where Protocol Is Any
        Allow IP Out From IP Any To In [Local Area Network] Where Protocol Is Any
        Allow IP Out From IP Any To In [Special & Local Multicast] Where Protocol Is Any
        Block and Log All Unmatching Requests
  • LAN & Outgoing
        Allow IP In From In [Local Area Network] To IP Any Where Protocol Is Any
        Allow IP Out From IP Any To In [Local Area Network] Where Protocol Is Any
        Allow IP Out From IP Any To In [Special & Local Multicast] Where Protocol Is Any
        Allow TCP or UDP Outgoing Requests
        Block and Log All Unmatching Requests
  • Web Browsers with FTP capabilities
        Allow Outgoing TCP Requests
        Allow Outgoing DNS Requests
        Block and Log All Unmatching Requests 

Firewall\Advanced\Network Security Policies\Application Rules
  • Svchost - LAN & Outgoing
  • System - LAN or LAN & Outgoing
  • Explorer - LAN + ALLOW TCP OUT to host crl.microsoft.com

Firewall\Advanced\Network Security Policies\Global Rules
  • Allow TCP In From IP Any to IP Any Where Source Port ANY And Destination Port Is In [Incoming TCP]
  • Allow UDP In From IP Any to IP Any Where Source Port ANY And Destination Port Is In [Incoming UDP]
  • Allow TCP In from Any IP to Any IP where Source Port is 20 and Destination Port is ANY  (To enable FTP CLIENT Firewall Policy)
  • Block and Log TCP or UDP Out From IP Any to IP Any Where Source Port is In [Netbios & DCOM] And Destination Port Is ANY
  • Allow and Log TCP or UDP Out From IP Any to IP Any Where Source Port Is In [Privileged Ports] And Destination Port Is Any
  • Allow TCP or UDP Out From IP Any to IP Any Where Source Port Is Not In [Privileged Ports] And Destination Port Is Any
  • Allow IP out from Any IP to Any IP where the protocol is GRE (Needed for PPTP)
  • Allow ICMP Out From IP Any to IP Any Where ICMP Message Is ECHO REQUEST
  • Allow ICMP In From IP Any to IP Any Where ICMP Message Is ECHO REPLY
  • Allow ICMP In From IP Any to IP Any Where ICMP Message Is TIME EXCEEDED
  • Allow ICMP In From IP Any to IP Any Where ICMP Message Is PORT UNREACHABLE
  • Allow ICMP In From IP Any to IP Any Where ICMP Message Is FRAGMENTATION NEEDED
  • Block and Log IP In/Out From IP Any to IP Any

Last Step Should be to use Firewall\Common Tasks\Firewall Stealth Configuration and Choose "Define a New trusted network" and allow [Local Area Network] and [Special & Local Multicast]

NOTE: When you add your private IP range to your [Local Area Network] Zone don't forget to add Your Network Address (usually ending with .0) and Broadcast Address (usually ending with .255) Using IP Masks or IP Ranges

eg: Network Address: 10.0.0.0, Broadcast Address: 10.255.255.255
IP Mask 10.0.0.0/255.0.0.0
IP Range 10.0.0.0-10.255.255.255


« Last Edit: February 05, 2008, 08:47:23 AM by gibran » Logged

"In the beginning the Universe was created. This has made a lot of people very angry and has been widely regarded as a bad move."- Douglas Adams
adric
"Start every day with a smile and get it over with."
« Reply #21 on: November 26, 2007, 11:03:55 AM »

Quote
Tracert Works correctly with this ruleset:


I really don't care if it works with that rule set. Smiley The default policy needs to be enhanced so that
tracert works out of the box. Especially since it is a white listed application. If this is a workaround, ok,
but it should not be up to the user to start adding rules so that standard system components will work with the firewall.

This problem is another one of those works for some and doesn't work for me situations. In my case it does not work correctly on my XP Pro-SP2 system.

Al
« Last Edit: November 26, 2007, 12:06:19 PM by adric » Logged
Luxor
« Reply #22 on: November 26, 2007, 11:04:55 AM »

Quote
Tracert Works correctly with this ruleset:

gibran thanks for posting that.

I am not able to try it out at the moment as I have too many other things to be doing just now but I will try it later on.

But I think this emphasises the point I was trying to make. Just look at all the steps a normal user would have to take just to get tracert to work. If they come to the example scenario I gave, then what normal everyday user who just wants to do a tracert at the request of their ISP is going to want to go through all that ?

I know the answer as I have a lot of friends whose computer expertise is switching it on, browsing the net and then switching it off again.

If I was to suggest that they follow all these instructions just to do a simple tracert, then I can quite confidently say that Comodo Firewall 3 would be off their computer faster than you could say uninstall.

I just find it odd and bizarre that such a basic function takes all these steps to function properly.  Huh
Logged

We say just what we want because we might be right.
Opera, the fastest and most secure web browser
sded
Guest
« Reply #23 on: November 26, 2007, 11:12:16 AM »

[Vista Ultimate] Tracert works out of the box for me, but I still think even programs with default settings need to be added to the Policies when activated for those of us who might want to change the settings.  I presume we can override the default settings with explicit adds to the Policies-is that true, Comodo?
Logged
gibran
« Reply #24 on: November 26, 2007, 11:35:13 AM »

Quote
gibran thanks for posting that.

I am not able to try it out at the moment as I have too many other things to be doing just now but I will try it later on.

But I think this emphasises the point I was trying to make. Just look at all the steps a normal user would have to take just to get tracert to work. If they come to the example scenario I gave, then what normal everyday user who just wants to do a tracert at the request of their ISP is going to want to go through all that ?

I know the answer as I have a lot of friends whose computer expertise is switching it on, browsing the net and then switching it off again.

If I was to suggest that they follow all these instructions just to do a simple tracert, then I can quite confidently say that Comodo Firewall 3 would be off their computer faster than you could say uninstall.

I just find it odd and bizarre that such a basic function takes all these steps to function properly.  Huh

That's only a revamped old 2.4 type ruleset Tongue

Actually ping and tracert are handled by
Allow ICMP Out From IP Any to IP Any Where ICMP Message Is ECHO REQUEST
Allow ICMP In From IP Any to IP Any Where ICMP Message Is ECHO REPLY
Allow ICMP In From IP Any to IP Any Where ICMP Message Is TIME EXCEEDED

But I can only partly agree with you. The fact is we don't have any specifics about different installation-created ruleset.
During installation V3 settings change depending on the answers users chose.
I really cannot tell if another ruleset supports ping or tracert but you have to admit that these are Support related tools.

On a sidenote I'm trying to gather enough consensus for this in order to make troubleshooting and rulesharing easier.

I believe that this forum should be addressed as a feature of comodo products and not as a separate entity. This means that forum related enhancements and tools should be addressed with the same level of efforts/priorities.

As security is a delicate matter it is better to provide a cradle to nurture member training and awareness rather than addressing some aspects in one place. For example another long desired CFP Wish is a way to create rules from log entries. This can make things a lot easier but what about untrained users that will blindly allow everything to remove blocked entries in the log?

There are no tools that can protect users without any intervention so sharing knowledge and experience for me is the only long term solution.


« Last Edit: November 26, 2007, 11:39:20 AM by gibran » Logged

"In the beginning the Universe was created. This has made a lot of people very angry and has been widely regarded as a bad move."- Douglas Adams
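The three ICMP rules named in Reply #24, plus the rest of the ICMP part of the Global Rules from Reply #20, can be checked with a small rule model. This is an added example, not part of any forum post and not Comodo's code: the `Rule` and `Packet` classes, the function names and the top-to-bottom first-match evaluation are assumptions of the sketch, and it models global ICMP rules only (no application rules).

```python
from dataclasses import dataclass
from typing import Optional

# ICMP (type, code) for the message names used in the thread; code None = any code.
ICMP = {
    "ECHO REPLY": (0, None),
    "PORT UNREACHABLE": (3, 3),
    "FRAGMENTATION NEEDED": (3, 4),
    "ECHO REQUEST": (8, None),
    "TIME EXCEEDED": (11, None),
}

@dataclass(frozen=True)
class Rule:
    action: str              # "Allow" or "Block"
    direction: str           # "In", "Out" or "In/Out"
    message: Optional[str]   # key of ICMP, or None for any ICMP message

@dataclass(frozen=True)
class Packet:
    direction: str           # "In" or "Out", relative to the protected host
    icmp_type: int
    icmp_code: int = 0

def matches(rule, pkt):
    if rule.direction != "In/Out" and rule.direction != pkt.direction:
        return False
    if rule.message is None:
        return True
    want_type, want_code = ICMP[rule.message]
    return pkt.icmp_type == want_type and want_code in (None, pkt.icmp_code)

def evaluate(rules, pkt):
    """First matching rule decides (assumed top-to-bottom order); no match = Block."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "Block"

def tracert_works(rules):
    # Windows tracert sends Echo Requests with rising TTL; each hop answers with
    # Time Exceeded and the destination answers with Echo Reply.
    needed = [Packet("Out", 8), Packet("In", 11), Packet("In", 0)]
    return all(evaluate(rules, p) == "Allow" for p in needed)

def pingable(rules):
    # Being pingable needs the request let in AND the reply let out.
    request_in = evaluate(rules, Packet("In", 8)) == "Allow"
    reply_out = evaluate(rules, Packet("Out", 0)) == "Allow"
    return request_in and reply_out

# ICMP part of the Global Rules posted in Reply #20, in the posted order.
THREAD_RULES = [
    Rule("Allow", "Out", "ECHO REQUEST"),
    Rule("Allow", "In", "ECHO REPLY"),
    Rule("Allow", "In", "TIME EXCEEDED"),
    Rule("Allow", "In", "PORT UNREACHABLE"),
    Rule("Allow", "In", "FRAGMENTATION NEEDED"),
    Rule("Block", "In/Out", None),
]
# Constructed comparison cases: all ICMP allowed, and no ICMP allowed.
ALLOW_ALL_ICMP = [Rule("Allow", "In/Out", None)]
BLOCK_ALL_ICMP = [Rule("Block", "In/Out", None)]

if __name__ == "__main__":
    for name, rules in [("thread rules", THREAD_RULES),
                        ("allow all ICMP", ALLOW_ALL_ICMP),
                        ("block all ICMP", BLOCK_ALL_ICMP)]:
        print(f"{name:15} tracert={tracert_works(rules)} pingable={pingable(rules)}")
```

In this model the posted rules let tracert complete while inbound Echo Requests still hit the final block rule, whereas allowing all ICMP in and out (the case raised in Reply #15) makes the host answer pings.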
tech dunce
« Reply #25 on: November 26, 2007, 11:42:45 AM »

Sorry for butting in, but these rule sets are all well and good for all those lucky people who seem to have PHDs in firewalls, but what about the rest of us. I am confused, frustrated, and have lost all confidence, I have no idea if I am protected or not. I'm sure this is a powerful program, and is forging ahead, but it's well and truly left me and, judging by your forum, lots of others behind. USER FRIENDLY IT IS NOT. techdunce Huh
Logged
gibran
« Reply #26 on: November 26, 2007, 12:05:44 PM »

Quote
Sorry for butting in, but these rule sets are all well and good for all those lucky people who seem to have PHDs in firewalls, but what about the rest of us. I am confused, frustrated, and have lost all confidence, I have no idea if I am protected or not. I'm sure this is a powerful program, and is forging ahead, but it's well and truly left me and, judging by your forum, lots of others behind. USER FRIENDLY IT IS NOT. techdunce Huh

That's why I asked this some time ago. This is my latest post.

Hallo,

Comodo has a very active Forum Community and V3 specifically suggests this Forum to ask for Support.

So in order to further improve support requests and troubleshooting V3 should have a Ruleset and Configuration Report.

This way Members don't have to post screenshots and export Logs.

There should be only one place to go to generate a full textual report that lists all the rules in a textual or HTML format.
This will shorten mostly all support Topics and will reduce the need to ask for missing or incomplete info.

Another way to improve support would be the ability to import a textual rule in an application. So if a member doesn't know how to use the configuration dialogs it will be possible to import another member generated ruleset for that app.

I guess that D+ Diagnostic can export its report too or provide a more detailed one in order to troubleshoot certain incompatibilities and issues.

Anyway if you are suggesting that there exists software that allows even inexperienced users to configure it I need an example to look at.
I guess that windows xp firewall could be one of these but it is simply because it doesn't grant any protection at all.
« Last Edit: November 26, 2007, 06:38:26 PM by gibran » Logged

"In the beginning the Universe was created. This has made a lot of people very angry and has been widely regarded as a bad move."- Douglas Adams
tech dunce
« Reply #27 on: November 26, 2007, 12:29:20 PM »

Quote
That's why I asked this some time ago. This is my latest post.

Anyway if you are suggesting that there exists software that allows even inexperienced users to configure it I need an example to look at.
I guess that windows xp firewall could be one of these but it is simple because it doesn't grant any protection at all.

Well, I'm back to ver 2.4 set to custom and all is fine. I'd be the first to admit, I really do need to start investigating the inner workings of firewalls, and their many functions. But this upgrade left me behind. techdunce Smiley
Logged
MikeG
« Reply #28 on: November 26, 2007, 12:30:01 PM »

Hope I don't get flamed for this suggestion but I haven't used tracert since I came across PingPlotter.

There is a free version which does everything tracert does and has a nice GUI, and you can save as many web addresses to ping as you like in the menu. Just double-click the one you want to ping.

It can be found here...
http://www.pingplotter.com/download.html
You need to track down the free version though.
It's the bottom line of the page in that link.

It worked first time with CFPv3 by just 'allowing' it.

Mike.
« Last Edit: November 26, 2007, 12:51:47 PM by MikeG » Logged

ISP: VirginMedia ADSLmax. up to 8Mb.
Firewall: Comodo Firewall Pro v.3.9
Anti Virus: BOClean 4.27, Avast 4.8.
Anti-spyware: SpywareBlaster, Spybot.
For scans when required: SuperAntiSpyware, Malwarebytes
gibran
« Reply #29 on: November 26, 2007, 12:53:49 PM »

Can you post a screenshot of your global rules?
« Last Edit: November 27, 2007, 09:10:55 PM by gibran » Logged

"In the beginning the Universe was created. This has made a lot of people very angry and has been widely regarded as a bad move."- Douglas Adams