Author Topic: How do I configure Comodo Firewall to recognize IPv6 local (fe80) addresses?  (Read 816 times)

Offline Grid

  • Comodo Member
  • **
  • Posts: 34
I have Comodo Firewall set to filter IPv6.

Using "System" as an example (in Application Rules), by default it has "Allow System to Send/Receive Requests if the Target is in Home #1".

Local traffic, however, is to/from fe80:: addresses.


How do I edit Home 1 so that it recognizes those local fe80 addresses?

Offline C.O.M.O.D.O RT

  • Comodo Staff
  • Moderator
  • Comodo's Hero
  • *****
  • Posts: 838
Hi Grid,

Thank you for reporting.
May I know your product name (CFW/CIS) and version?
Also provide the Windows version along with the system bit type.

Thanks
C.O.M.O.D.O RT

Offline Grid

  • Comodo Member
  • **
  • Posts: 34
Thank you.

This is CIS v12.2.2.8012 running on Win 10 x64.

Offline C.O.M.O.D.O RT

  • Comodo Staff
  • Moderator
  • Comodo's Hero
  • *****
  • Posts: 838
> Thank you.
>
> This is CIS v12.2.2.8012 running on Win 10 x64.

Hi Grid,

Thank you for providing the requested information, let me check and update you.

Thanks
C.O.M.O.D.O RT

Offline Eric Cryptid

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 2900
  • Security Saskquatch
> I have Comodo Firewall set to filter IPv6.
>
> Using "System" as an example (in Application Rules), by default it has "Allow System to Send/Receive Requests if the Target is in Home #1".
>
> Local traffic, however, is to/from fe80:: addresses.
>
> How do I edit Home 1 so that it recognizes those local fe80 addresses?

Ensure you have "Filter IPv6 Traffic" enabled under Firewall settings. This is unticked by default. You'll then need to run the Stealth Ports task under firewall tasks and that'll add the blocking rules. If you're running Block Incoming, you'll need to add the ICMP rules for IPv6 to work. See attached.

Eroc

Moderator: Any concerns? PM me and/or review the Forum Policy
System: 64 bit Win 10
Realtime Protection:CIS 12

Offline Grid

  • Comodo Member
  • **
  • Posts: 34
I don't understand why I need to run the Stealth Ports task - I'm not trying to make the machine invisible to other PCs.

I simply want "Allow All Outgoing/Incoming Requests If The Target is in Home #1" to include IPv6 requests (i.e. fe80 local link addresses).

Offline Eric Cryptid

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 2900
  • Security Saskquatch
> I don't understand why I need to run the Stealth Ports task - I'm not trying to make the machine invisible to other PCs.
>
> I simply want "Allow All Outgoing/Incoming Requests If The Target is in Home #1" to include IPv6 requests (i.e. fe80 local link addresses).

Those rules are already generated when you add a trusted network. The block rule generated by Stealth Ports is for blocking exceptions to those rules.

Anyway, enable IPv6 filtering for filtering IPv6 traffic; otherwise it's just allowed or based on Windows Firewall rules.


Offline Grid

  • Comodo Member
  • **
  • Posts: 34
> Those rules are already generated when you add a trusted network. The block rule generated by stealth ports is for blocking exception to those rules.
>
> Anyway, enable IPv6 filtering for filtering IPv6 traffic otherwise it's just allowed or based on Windows Firewall rules


Except that's just it - the rules that were auto-generated are only set up to recognize the Home network on IPv4. There is nothing that tells it that local link IPv6 addresses (fe80::) are also part of that trusted network.

As a result, I'm being asked to approve/block every local communication.  And without the proper filtering, I can't do a Remember Allow without also granting access to internet communications, which I don't want.


So if there isn't a way to set this up automatically, that's fine - how do I create a rule that just targets IPv6 local link addresses?

Offline Eric Cryptid

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 2900
  • Security Saskquatch
You can just add a rule in the Global Rules and add Home #1 as destination address. You can also add a rule with Loopback (Local), as that filter is enabled by default.


Offline Grid

  • Comodo Member
  • **
  • Posts: 34
Filter Loopback Traffic along with Filter IPv6 are already checked, and they clearly aren't addressing this.

And your filter example will not cover this because you are showing only a single, exact address - whereas local-link addresses cover a range of fe80::/64.

I need to know how to specify fe80::/64 in CIS.

Offline CISfan

  • Comodo's Hero
  • *****
  • Posts: 1790
Like this.

Offline Grid

  • Comodo Member
  • **
  • Posts: 34
Thank you!

Adding that to Home #1 fixed the issue completely.


Offline CISfan

  • Comodo's Hero
  • *****
  • Posts: 1790
> Thank you!
>
> Adding that to Home #1 fixed the issue completely.

You're welcome.

I do prefer to add it to network zone "Loopback Zone" as it is related to IPv4 127.0.0.1 loopback.

Offline NinjaUmbra

  • Newbie
  • *
  • Posts: 5
I found the same issue when enabling Filter IPv6 Traffic.
It seems the Comodo firewall global rules do not contain any IPv6 incoming rules, especially for ICMPv6 NDP.
With the default global rules and Filter IPv6 Traffic switched on, the Comodo firewall log shows a block entry as follows:
Protocol:ICMPv6 source ip:fe80::1  des:ff02::1 icmpv6 type: the Chinese version says "邻机请求". It seems to be Neighbor Discovery Protocol, but I don't know which type, 135 or 136.

Neighbor Solicitation (Type 135)
Neighbor solicitations are used by nodes to determine the link layer address of a neighbor, or to verify that a neighbor is still reachable via a cached link layer address.

Neighbor Advertisement (Type 136)
Neighbor advertisements are used by nodes to respond to a Neighbor Solicitation message.

I tried to find the same traffic with the ESET firewall; it has some default rules for IPv6 traffic.
So is it possible for Comodo firewall to add these IPv6 rules as OOBE rules, even if Filter IPv6 Traffic is not chosen?


Offline NinjaUmbra

  • Newbie
  • *
  • Posts: 5
The ESET firewall has default ICMPv6 rules:
allow necessary incoming ICMPv6 types 1, 2, 3, 4, 129, 130, 131, 132, 133, 134, 135, 136.
So I really want CFW to do what the ESET firewall does: fully close Windows Defender Firewall and be totally controlled by CFW.
Lastly, thanks for bringing us the best HIPS and firewall!
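
An added example, not written by any poster in this thread and not Comodo's rule engine: a simplified Python model that checks constructed ICMPv6 log lines against the fe80::/64 zone and the ICMPv6 type list quoted above. It shows that traffic to the ff02::1 all-nodes multicast address lies outside fe80::/64, so a zone holding only that range does not match it; the log format and the rule that both endpoints must be in a zone are assumptions.

```python
import ipaddress
import re

HOME_ZONE_V6 = ipaddress.ip_network("fe80::/64")    # range added to Home #1 in the thread
LINK_MULTICAST = ipaddress.ip_network("ff02::/16")  # link-local scope multicast (ff02::1 = all nodes)
# Inbound ICMPv6 types from the ESET default rule quoted in the thread.
ALLOWED_ICMPV6 = {1, 2, 3, 4, 129, 130, 131, 132, 133, 134, 135, 136}

# Constructed log lines; the key=value format is hypothetical, not Comodo's log format.
SAMPLE_LOG = """\
proto=ICMPv6 src=fe80::1 dst=ff02::1 type=136
proto=ICMPv6 src=fe80::1 dst=fe80::a1b2:c3d4:e5f6:789 type=135
proto=ICMPv6 src=2001:db8::5 dst=fe80::a1b2:c3d4:e5f6:789 type=135
proto=ICMPv6 src=fe80::1 dst=fe80::a1b2:c3d4:e5f6:789 type=128
"""

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) type=(\d+)")


def verdict(line, zones):
    """Assumed rule: match only if source and destination are each inside one
    of `zones`; a matched packet is allowed only if its type is on the list."""
    m = LINE_RE.search(line)
    if m is None:
        raise ValueError(f"unparseable log line: {line!r}")
    src = ipaddress.ip_address(m.group(1))
    dst = ipaddress.ip_address(m.group(2))
    icmp_type = int(m.group(3))

    def in_zone(addr):
        return any(addr in zone for zone in zones)

    if not (in_zone(src) and in_zone(dst)):
        return "no-match"  # falls through to later rules or an alert
    return "allow" if icmp_type in ALLOWED_ICMPV6 else "block"


def run(zones):
    """Return the verdict for every constructed log line, in order."""
    return [verdict(line, zones) for line in SAMPLE_LOG.splitlines()]


if __name__ == "__main__":
    for label, zones in (("fe80::/64 only", [HOME_ZONE_V6]),
                         ("fe80::/64 + ff02::/16", [HOME_ZONE_V6, LINK_MULTICAST])):
        print(f"{label}: {run(zones)}")
```
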

 
