Topic: v3 not allowing a tracert (Read 6546 times), page 3
pudelein
« Reply #30 on: November 26, 2007, 01:39:10 PM »

Just a quick FWIW on this tracert issue.  I am using Windows XPSP2 with CFP 3.0.13.268.  I added one small rule at the top of the Global set, namely, "Allow ICMP IN From IP ANY to IP ANY Where ICMP Message is TIME EXCEEDED"; the default rule is used with the Application (tracert).  This works.  The Application rule allows all outbound items, whatever the protocol or addresses.  The Global rule allows the incoming TIME EXCEEDED.  More complicated rule sets add nothing additional for this application.

gibran
« Reply #31 on: November 26, 2007, 06:41:17 PM »

> Just a quick FWIW on this tracert issue.  I am using Windows XPSP2 with CFP 3.0.13.268.  I added one small rule at the top of the Global set, namely, "Allow ICMP IN From IP ANY to IP ANY Where ICMP Message is TIME EXCEEDED"; the default rule is used with the Application (tracert).  This works.  The Application rule allows all outbound items, whatever the protocol or addresses.  The Global rule allows the incoming TIME EXCEEDED.  More complicated rule sets add nothing additional for this application.

Please post a screenshot of your global ruleset. Tracert also needs outbound ICMP echo requests.
"In the beginning the Universe was created. This has made a lot of people very angry and has been widely regarded as a bad move."- Douglas Adams

gibran
« Reply #32 on: November 26, 2007, 06:52:09 PM »

> Well, I'm back to ver 2.4 set to custom and all is fine. I'd be the first to admit, I really do need to start investigating the inner workings of firewalls and their many functions, but this upgrade left me behind. techdunce

Firewall-wise, V3 is pretty much like V2. Maybe the only thing that is different is that you have a few processes that were hidden by that "Allow traffic for applications certified by Comodo" option.
So you can configure the V3 firewall like you did with V2 (this time you get port sets and predefined policies to make your life easier, plus you can log application traffic too).

I guess the noisiest alerts came from file protection and registry protection. But something can be done.

Anyway, if you would like, and you are willing to install V3 on another PC, I can answer your questions about the differences and how to mimic old V2 functionality (if possible).
So you can later write a FAQ about this topic.

tech dunce
« Reply #33 on: November 26, 2007, 07:29:42 PM »

Thanks for that gibran, but if nothing else, this has shown me just how little I know about firewalls. I don't have another PC, but will stick with ver 2.4 for now and brush up my very limited knowledge on the subject. But, genuine thanks, techdunce

sded
« Reply #34 on: November 26, 2007, 07:41:13 PM »

Microsoft actually has a pretty good overview of firewalls at http://www.microsoft.com/technet/security/guidance/networksecurity/firewall.mspx that you might find interesting.  Their website, especially TechNet, seems to have a lot of good reference material on a lot of different topics.

pudelein
« Reply #35 on: November 26, 2007, 07:48:40 PM »

@Gibran:

For tracert, the application rule provides the outbound requirements.  It allows tracert to use any protocol to any external address; that covers the need for ICMP echo requests.  The Global rule allows only ICMP 11 (Time exceeded) to enter for tracert or any other application.  Posting screenshots just doesn't seem necessary.

gibran
« Reply #36 on: November 26, 2007, 09:19:20 PM »

> @Gibran:
>
> For tracert, the application rule provides the outbound requirements.  It allows tracert to use any protocol to any external address; that covers the need for ICMP echo requests.  The Global rule allows only ICMP 11 (Time exceeded) to enter for tracert or any other application.  Posting screenshots just doesn't seem necessary.

I guess so, as I can test that myself. That is just to provide enough information to members reading this topic.
Using no global rules you don't even need to allow ICMP Time Exceeded, so I guess you have at least an inbound IP deny after that rule.

gibran
« Reply #37 on: November 26, 2007, 09:23:15 PM »

> Thanks for that gibran, but if nothing else, this has shown me just how little I know about firewalls. I don't have another PC, but will stick with ver 2.4 for now and brush up my very limited knowledge on the subject. But, genuine thanks, techdunce

Who will write that FAQ then?
Anyway, some members are planning a V3 user guide to cover all the topics any user should know. So you'll update to V3 soon.

adric
« Reply #38 on: November 27, 2007, 06:26:31 AM »

> @Gibran:
>
> For tracert, the application rule provides the outbound requirements.  It allows tracert to use any protocol to any external address; that covers the need for ICMP echo requests.  The Global rule allows only ICMP 11 (Time exceeded) to enter for tracert or any other application.  Posting screenshots just doesn't seem necessary.

I agree and I have verified that adding this single rule gives me a tracert that functions normally. IMHO this rule should be part of the default rules.

Beats me why tracert works out of the box for Vista as reported by some.

Al
« Last Edit: November 27, 2007, 06:30:30 AM by adric »

Luxor
« Reply #39 on: November 27, 2007, 07:53:20 AM »

> That's only a revamped old 2.4-type ruleset.
>
> Actually, ping and tracert are handled by:
> Allow ICMP Out From IP Any to IP Any Where ICMP Message Is ECHO REQUEST
> Allow ICMP In From IP Any to IP Any Where ICMP Message Is ECHO REPLY
> Allow ICMP In From IP Any to IP Any Where ICMP Message Is TIME EXCEEDED
>
> But I can only partly agree with you. The fact is we don't have any specifics about the different installation-created rulesets.
> During installation, V3 settings change depending on the answers users chose.
> I really cannot tell if another ruleset supports ping or tracert, but you have to admit that these are support-related tools.


A revamped old 2.4 ruleset it may be, but it's not something that had to be created or edited by the user who was using Comodo v2.4. It worked straight out of the box without the need to start playing around with any settings.

IMHO that is the way it should be. I may of course be in the minority to have that view, but have that view I do. No problem with your view on this though, as I'm sure you have none with mine.

However, can I give you a story about my brother, who visited me last night.

I asked him if he had installed the new version of Comodo. He had not done so yet (naturally that earned him a thick ear). I showed him this thread and explained to him that to get tracert to work he may have to go through all this just to run this simple task. I won't repeat his answer here as it's a family friendly forum. But needless to say Comodo 3 is not going on his PC.

So that's one potential user lost already. Which is a shame really.

Forgot to add that I got it working by making a rule in Global Rules to allow ICMP in/out as suggested by jasper2408 earlier in the thread.
« Last Edit: November 27, 2007, 08:44:52 AM by Luxor »

We say just what we want because we might be right.
Opera, the fastest and most secure web browser

gibran
« Reply #40 on: November 27, 2007, 09:38:57 AM »

> A revamped old 2.4 ruleset it may be, but it's not something that had to be created or edited by the user who was using Comodo v2.4. It worked straight out of the box without the need to start playing around with any settings.
>
> IMHO that is the way it should be. I may of course be in the minority to have that view, but have that view I do. No problem with your view on this though, as I'm sure you have none with mine.
>
> However, can I give you a story about my brother, who visited me last night.
>
> I asked him if he had installed the new version of Comodo. He had not done so yet (naturally that earned him a thick ear). I showed him this thread and explained to him that to get tracert to work he may have to go through all this just to run this simple task. I won't repeat his answer here as it's a family friendly forum. But needless to say Comodo 3 is not going on his PC.
>
> So that's one potential user lost already. Which is a shame really.
>
> Forgot to add that I got it working by making a rule in Global Rules to allow ICMP in/out as suggested by jasper2408 earlier in the thread.

I cannot really comment on this because I chose the "configure it by yourself" option in the installer.
I'm not against this argument, but we need someone to test the installer options in order to profile the default rules for each option.
I guess one time I tried I got only an ICMP IN echo block, but I don't remember what option I used.
With that single global rule there would be no issue getting tracert working.

As there is not only one default global ruleset I guess things will get a bit more complicated.
« Last Edit: November 27, 2007, 12:17:48 PM by gibran »

pudelein
« Reply #41 on: November 27, 2007, 11:27:16 AM »

@Gibran,

You are correct!  When I installed V3, I chose to block all unsolicited incoming IP, so that rule had to be preceded by the ICMP 11 rule above it.  An alternative, of course, is simply to remove all Global rules altogether!  I suppose I could do this well enough, since I am behind a DSL modem/NAT router that also blocks inbound packets.  Maybe I don't trust that???

gibran
« Reply #42 on: November 27, 2007, 12:30:39 PM »

> @Gibran,
>
> You are correct!  When I installed V3, I chose to block all unsolicited incoming IP, so that rule had to be preceded by the ICMP 11 rule above it.  An alternative, of course, is simply to remove all Global rules altogether!  I suppose I could do this well enough, since I am behind a DSL modem/NAT router that also blocks inbound packets.  Maybe I don't trust that???

Actually, global rules can handle some traffic that network rules cannot. I usually stick with the old way to configure CFP, and I use global rules to define certain criteria all apps must follow. This way, for example, there would be no way for a trusted app to open an inbound connection on undefined ports without my explicit consent.

john q private
« Reply #43 on: November 27, 2007, 09:01:24 PM »

> I apologize for the waste of bandwidth but it seems I literally just fixed the problem.
>
> Your post isn't a waste of bandwidth as you posted a solution that someone else might need to get their tracert working.

Three pages later...


Anyways, without going through all the motions yet, do the rules gibran posted allow tracert to function properly while blocking unsolicited pings?
« Last Edit: November 27, 2007, 09:04:59 PM by john q private »

VanguardLH
« Reply #44 on: November 27, 2007, 11:26:31 PM »

In a virtual machine under VMware Server (free) where I have (or can revert to) a clean install of Windows XP Pro SP-2 (with all current updates) - and which is about as clean an OS as Comodo should expect any user to have - the tracert did not work.  It would still time out.  I added the following global rule:

Allow ICMP In from IP Any to IP Any where ICMP message is TIME EXCEEDED

The app rule that was auto-generated by CFP3 for tracert.exe allowed the outbound connection while the global rule allowed in the inbound UDP packets.  This global rule does not allow ICMP for ECHO REQUEST or ECHO REPLY (either direction) so the host should be stealthed against pings.

So with about as simple as I could get in defining just one global rule that only allowed unsolicited inbound UDP packets of type 11 (see http://www.iana.org/assignments/icmp-parameters) and letting CFP3 handle auto-defining the app rule for the outbound packets, I got tracert working.  This rule should already be included in the set of global rules as an install-time default - or the auto-generation of rules for certified programs should include both the app and global rules needed for a program to work.

Yes, I'll stick a link to this post in the wishlist thread, but this really isn't a request for enhancement.  It is a bug, so maybe I should put the link to this thread over there.
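As an added illustration (not code from this thread, from Comodo, or from CFP3 itself), the following Python models the first-match global rules discussed above: Luxor's three ICMP rules, pudelein's "block all unsolicited inbound IP" rule, and the ordering problem gibran raised. It is a stateless simplification; the assumption that a packet matching no global rule falls through to the application rules and is allowed is taken from gibran's remark that with no global rules nothing needs allowing.

```python
from dataclasses import dataclass
from typing import List, Optional
ECHO_REPLY, ECHO_REQUEST, TIME_EXCEEDED = 0, 8, 11  # IANA ICMP message types

@dataclass(frozen=True)
class Packet:
    direction: str                   # "in" or "out"
    proto: str                       # "icmp", "udp", "tcp", ...
    icmp_type: Optional[int] = None  # only meaningful when proto == "icmp"

@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "block"
    direction: str                   # "in" or "out"
    proto: str                       # "icmp", or "ip" meaning any protocol
    icmp_type: Optional[int] = None  # None means any ICMP message

    def matches(self, p: Packet) -> bool:
        if self.direction != p.direction:
            return False
        if self.proto == "ip":       # an "IP In" rule matches every protocol
            return True
        return self.proto == p.proto and self.icmp_type in (None, p.icmp_type)

def evaluate(rules: List[Rule], p: Packet, default: str = "allow") -> str:
    # First match wins; no match falls through to the app rules (assumed to allow).
    for r in rules:
        if r.matches(p):
            return r.action
    return default

# Luxor's three ICMP rules above pudelein's inbound-IP block; MISORDERED puts the block first.
WORKING = [Rule("allow", "out", "icmp", ECHO_REQUEST),
           Rule("allow", "in", "icmp", ECHO_REPLY),
           Rule("allow", "in", "icmp", TIME_EXCEEDED),
           Rule("block", "in", "ip")]
MISORDERED = [WORKING[3]] + WORKING[:3]

# Constructed sample traffic (not a capture): a tracert run and an unsolicited inbound ping.
TRACERT = [Packet("out", "icmp", ECHO_REQUEST),
           Packet("in", "icmp", TIME_EXCEEDED),   # from each intermediate hop
           Packet("in", "icmp", ECHO_REPLY)]      # from the final destination
UNSOLICITED_PING = Packet("in", "icmp", ECHO_REQUEST)

def tracert_works(rules: List[Rule]) -> bool:
    return all(evaluate(rules, p) == "allow" for p in TRACERT)

def stealthed(rules: List[Rule]) -> bool:
    return evaluate(rules, UNSOLICITED_PING) == "block"
```

With WORKING both tracert_works and stealthed return True; with MISORDERED the catch-all block swallows the Time Exceeded replies and tracert_works returns False, which is the symptom the thread is about.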