Allow DHCP server service on Windows 2003

Hi all! First of all, I’d like to say I was impressed with the features of this free firewall. But even better, it all works! However, I have a small problem which, despite my best abilities, I have not been able to overcome. I have Comodo Firewall installed on a Windows 2003 server which is connected to both my LAN and to my ISP. A DHCP Server service is running on the Windows 2003 server, but none of my clients are able to obtain an IP address. However, if I “Allow All” in the security level, the clients get their IPs.

After a lot of reading, I ended up adding the following rules in position 0-5:

rule 0:
Allow UDP IN or OUT from IP To IP Where Source Port is IN[67,68] And Destination Port is IN[67,68]

rule 1:
Allow UDP In or OUT from IP Zone:[LAN] - To IP Zone:[LAN] - Where Source Port Is IN[67,68] And Destination Port is IN[67,68]

rule 2:
Allow IP OUT from IP [Any] To IP Zone:[LAN] - Where IPROTO is ANY

rule 3:
Allow IP IN from IP Zone:[LAN] - To IP [Any] Where IPROTO is ANY

rule 4:
Allow IP OUT from IP [Any] To IP Zone:[NoDHCP] - Where IPROTO is ANY

rule 5:
Allow IP IN from IP Zone:[NoDHCP] - To IP [Any] Where IPROTO is ANY

Now rules 2 - 5 were added after I defined Trusted Zones, which is OK. The 169.254 zone is used in case my PPC needs syncing through MS ActiveSync…

One thing I noted, in the Activity window in the Connections tab, I do see the following when my clients are trying to get an IP:
tcpsvcs.exe UDP In/Out In: xxx bytes Out: 0 bytes

Any idea what I’m doing wrong? Thanks for the help

Hi jedimaster, welcome to the forum :slight_smile:

Couple of quick questions:

  1. Are your clients also running CFP?
  2. In the Log files on the Server/Clients, do you have any entries related to DHCP (ports 67/68)?


Sorry for the late reply. Well, nothing is logged in Activity->Logs. But when one of my clients is requesting an IP, in Activity->Connections, I briefly see the following:
tcpsvcs.exe | UDP In | | | xxxkb | 0b

The xxxkb has increasing values. After a while that line disappears. This indicates that my client’s request is reaching my server but the tcpsvcs.exe file is not sending out any packet. Why? In App Monitor, tcpsvcs.exe is defined as Allow UDP Out, Any Destination, Any Port but nothing is selected in the Misc tab.

Any ideas???

Oh, and I just tried it with a clean XP client with no firewalls (disabled the Windows Firewall)…

If you're only running CFP on the server, you will need Network Monitor rules to allow UDP ports 67 and 68 In and Out.

In essence:

Client----->request - from port 68 to port 67------>Server
Server----->response - from port 68 to port 67 ---->Client

So, in Network Monitor:

From = ANY
To = Server IP Address
Source Port = 67
Destination Port = 68

From = Server IP Address
To = ANY
Source Port = 68
Destination Port = 67

It may well be that you will be prompted to allow the DHCP Server Service in Application Monitor too.

Try this and see what happens…


Ok, here’s what I’ve done. I’ve cleared all rules except for the default ones. Now my Network Monitor reads as follows:
Id: 0
Allow UDP In from Any To, src port 67 and des port 68
Id: 1
Allow UDP Out from to Any, src port 68 and des port 67
Id: 2
Allow IP Out from Any to Zone:, IPProto is Any
Id: 3
Allow IP In from Zone: to Any, IPProto is Any
Id: 4
Allow IP Out from Any to Zone:, IPProto is Any
Id: 5
Allow IP In from Zone: to Any, IPProto is Any
Id: 6
Allow TCP In from Zone: to Any, src port Any and des port 990,999,5678,5721,26675
Id: 7
Allow TCP/UDP Out from Any to Any, src port Any and des port Any
Id: 8
Allow ICMP Out from Any to Any, ICMP Message is Echo Request
Id: 9
Allow ICMP In from Any to Any, ICMP Message is Fragmentation Needed
Id: 10
Allow ICMP In from Any to Any, ICMP Message is Time Exceeded
Id: 11
Allow IP Out from Any to Any where IPProto is GRE
Id: 12
Block & Log IP In or Out from Any to Any, IPProto is Any


Well, I still can’t get an IP at the client side. One difference noted: after adding your changes and setting the rules as above, I can’t even see tcpsvcs.exe in Activity->Connections…

Let’s try and break this down:

Strictly speaking, if your Zone/Trusted Network is correctly configured, communication between nodes in the Zone (your LAN) should be allowed, which means you shouldn’t need any additional rules.

I notice you have two Zones and a rule allowing ports on one. The first thing to establish is the IP Address space being used on your LAN. Are you using 192.168… or are you using 169.254…?

Having established which range you wish to use, ensure your server and clients are all correctly configured to use that range. Then remove the Zone rules in NM for the IP Address range you're not using.

Personally, I can’t see why you should need to support the 169.254… address space, as this is used by Microsoft in the absence of a DHCP server. It’s referred to as APIPA or Automatic Private IP Addressing. It basically means that a client will auto-assign itself an IP Address from that range if a DHCP Server cannot be found.

Well, since clients with no IP broadcast over and, having only the LAN in the Trusted Zone would not be enough. I’ve included 169.254 in my trusted network for two reasons: first, just in case my 2nd NIC (the one connected to the ADSL) is down, and second, for my ActiveSync connection.

Something worries me though. According to the Activity->Connections monitor, tcpsvcs.exe does receive the requests as I showed before, but nothing is being sent out, as seen in the bytes out field. Now, is it tcpsvcs.exe which issues the DHCP address, or some other process? And why do I have 0 bytes sent for tcpsvcs.exe?

When I Allow All, I do see the tcpsvcs sending out data and my clients are then given their ip. So my guess is that all my troubles have something to do with this tcpsvcs not sending Out any data…

This little trip in the DHCP has been quite interesting and allowed me to increase my knowledge-base in the very least…

Just a couple of points. The address, is a reserved address, sometimes used to identify the home network, and is also used as the default route in routing tables.

The address is a global network broadcast address and is used by DHCP, initially during the discover phase and possibly later, during the renewal phase.

What I would like you to do is the following:

  1. Open CFP and go to Activity/Logs
  2. Right-click anywhere in the log window
  3. Select “Clear all logs.”
  4. Try to acquire an IP address from a client using ipconfig /release, then ipconfig /renew
  5. Go to Activity/Logs
  6. Right-click anywhere in the log window
  7. Select “Export to HTML”
  8. Save the file
  9. Attach the file to a post here, using ‘Additional Options’ (bottom left on the reply screen)

What is the IP Address of your Server?
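
The two things the rules in this thread have to get right are the port direction of the exchange sketched in the earlier reply (client to server, server back to client) and the addresses just mentioned above, since a client with no lease yet talks from the unspecified address to the limited broadcast. Below is an added example, not code from this thread or from Comodo, that runs a constructed DHCP exchange through a small first-match rule simulator written in the style of the Network Monitor lists quoted above. Per RFC 2131 the client sends from UDP 68 to UDP 67 and the server answers from UDP 67 to UDP 68; the server address 192.168.1.10, the offered client address 192.168.1.50 and the LAN zone 192.168.1.0/24 are assumptions. It evaluates the reply's two UDP rules (inbound source port 67 to destination 68, outbound 68 to 67) next to the same pair written in the RFC 2131 direction, on top of the zone rules and the final block-all, and reports which DHCP message each list allows or blocks.

```python
# Added example, not code from the forum thread or from Comodo. A first-match
# rule simulator in the style of the Network Monitor lists quoted above, run
# over a constructed DHCP exchange. Ports follow RFC 2131: client 68 -> 67,
# server 67 -> 68. Server address, offered address and LAN zone are assumptions.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SERVER_IP = "192.168.1.10"                          # assumed server address
LAN_ZONE = ipaddress.ip_network("192.168.1.0/24")   # assumed trusted zone
Ports = Optional[Tuple[int, ...]]                   # None means "Any" port

@dataclass(frozen=True)
class Packet:
    label: str
    direction: str          # "in" or "out", as seen from the server host
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "udp"

@dataclass(frozen=True)
class Rule:
    name: str
    action: str             # "allow" or "block"
    direction: str          # "in", "out" or "any"
    proto: str              # "udp", "tcp" or "ip" (any protocol)
    src: str                # "any", "server" or "zone:LAN"
    dst: str
    src_ports: Ports = None
    dst_ports: Ports = None

def addr_matches(spec: str, ip: str) -> bool:
    """Resolve the address specifiers used by the rules below."""
    if spec == "any":
        return True
    if spec == "server":
        return ip == SERVER_IP
    if spec == "zone:LAN":
        return ipaddress.ip_address(ip) in LAN_ZONE
    raise ValueError(f"unknown address spec {spec!r}")

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction in ("any", pkt.direction)
            and rule.proto in ("ip", pkt.proto)
            and addr_matches(rule.src, pkt.src_ip)
            and addr_matches(rule.dst, pkt.dst_ip)
            and (rule.src_ports is None or pkt.src_port in rule.src_ports)
            and (rule.dst_ports is None or pkt.dst_port in rule.dst_ports))

def evaluate(rules: List[Rule], packets: List[Packet]) -> Dict[str, str]:
    """First matching rule wins; both lists below end in a block-all, like the thread's."""
    verdicts: Dict[str, str] = {}
    for pkt in packets:
        hit = next((r for r in rules if rule_matches(r, pkt)), None)
        verdicts[pkt.label] = f"{hit.action} ({hit.name})" if hit else "no match"
    return verdicts

# Constructed exchange. A client with no lease sends DISCOVER/REQUEST from
# 0.0.0.0:68 to the limited broadcast 255.255.255.255:67. The server replies
# from SERVER_IP:67 to port 68, unicast to the offered address, or broadcast
# when the client set the BROADCAST flag in its request.
DHCP_EXCHANGE = [
    Packet("DISCOVER", "in", "0.0.0.0", 68, "255.255.255.255", 67),
    Packet("OFFER (unicast)", "out", SERVER_IP, 67, "192.168.1.50", 68),
    Packet("OFFER (broadcast)", "out", SERVER_IP, 67, "255.255.255.255", 68),
    Packet("REQUEST", "in", "0.0.0.0", 68, "255.255.255.255", 67),
    Packet("ACK (unicast)", "out", SERVER_IP, 67, "192.168.1.50", 68),
]

BLOCK_ALL = Rule("block all", "block", "any", "ip", "any", "any")
ZONE_RULES = [
    Rule("IP out to LAN zone", "allow", "out", "ip", "any", "zone:LAN"),
    Rule("IP in from LAN zone", "allow", "in", "ip", "zone:LAN", "any"),
]
# The two UDP rules as given in the reply: in src 67 -> dst 68, out src 68 -> dst 67.
REPLY_RULES = [
    Rule("UDP in 67->68", "allow", "in", "udp", "any", "server", (67,), (68,)),
    Rule("UDP out 68->67", "allow", "out", "udp", "server", "any", (68,), (67,)),
] + ZONE_RULES + [BLOCK_ALL]
# The same pair written in the RFC 2131 port direction.
RFC_RULES = [
    Rule("UDP in 68->67", "allow", "in", "udp", "any", "any", (68,), (67,)),
    Rule("UDP out 67->68", "allow", "out", "udp", "server", "any", (67,), (68,)),
] + ZONE_RULES + [BLOCK_ALL]

if __name__ == "__main__":
    for title, rules in (("reply's rules", REPLY_RULES), ("RFC 2131 rules", RFC_RULES)):
        print(title)
        for label, verdict in evaluate(rules, DHCP_EXCHANGE).items():
            print(f"  {label:18s} {verdict}")
```

Running it prints one verdict table per rule list. With the reply's port numbers the inbound DISCOVER and REQUEST fall through to the block-all, because their source port is 68, and the zone rules never catch them either, since 0.0.0.0 and 255.255.255.255 are not inside the LAN zone; the unicast OFFER/ACK only get through via the outbound zone rule, and a broadcast OFFER is blocked. With the pair written in the RFC direction every message is allowed by an explicit rule. The practical check is the same on the real server: the inbound rule a DHCP server needs is UDP from any address, source port 68, destination port 67, and the trusted-zone rules cannot substitute for it no matter how the zone is defined, because the first packet of the exchange has no in-zone address on either end.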

(:SAD) I had this problem on my server too… I really could not solve it no matter what rules I set, so I just switched firewalls… only on my Server 2003… I kept Comodo FW on the clients…

Sorry to hear you had a problem mindlessmissy, stick around, hopefully we’ll get this fixed and you can put CFP back on your server :slight_smile: