Hi all! First of all, I’d like to say I was impressed with the features of this free firewall. But even better, it all works! However, I have a small problem which, despite my best abilities, I have not been able to overcome. I have Comodo Firewall installed on a Windows 2003 server which is connected to both my LAN and to my ISP. A DHCP Server service is running on the Windows 2003 but none of my clients are able to obtain an IP address. However, if I “Allow All” in the security level, the clients get their IPs.
After a lot of reading, I ended up adding the following rules in position 0-5:
rule 0:
Allow UDP IN or OUT from IP 0.0.0.0 To IP 255.255.255.255 Where Source Port is IN[67,68] And Destination Port is IN[67,68]
rule 1:
Allow UDP In or OUT from IP Zone:[LAN] - 192.168.1.0/192.168.1.255 To IP Zone:[LAN] - 192.168.1.0-192.168.1.255 Where Source Port Is IN[67,68] And Destination Port is IN[67,68]
rule 2:
Allow IP OUT from IP [Any] To IP Zone:[LAN] - 192.168.1.0/192.168.1.255 Where IPROTO is ANY
rule 3:
Allow IP IN from IP Zone:[LAN] - 192.168.1.0/192.168.1.255 To IP [Any] Where IPROTO is ANY
rule 4:
Allow IP OUT from IP [Any] To IP Zone:[NoDHCP] - 169.254.0.0/169.254.255.255 Where IPROTO is ANY
rule 5:
Allow IP IN from IP Zone:[NoDHCP] - 169.254.0.0/169.254.255.255 To IP [Any] Where IPROTO is ANY
Now rules 2 - 5 were added after I defined Trusted Zones, which is OK. The 169.254 zone is used in case my PPC needs syncing through msActiveSync…
One thing I noted, in the Activity window in the Connections tab, I do see the following when my clients are trying to get an IP:
tcpsvcs.exe UDP In/Out 0.0.0.0:68 255.255.255.255:67 In:xxx bytes Out:0 byte
Any idea what I’m doing wrong? Thanks for the help.
Sorry for the late reply. Well, nothing is logged in Activity–>Logs. But when one of my clients is requesting an IP, in Activity–>Connections, I briefly see the following:
tcpsvcs.exe | UDP In | 0.0.0.0:68 | 255.255.255.255:67 | xxxkb | 0b
The xxxkb has increasing values. After a while that line disappears. This indicates that my client’s request is reaching my server but the tcpsvcs.exe file is not sending out any packet. Why? In App Monitor, tcpsvcs.exe is defined as Allow UDP Out, Any Destination, Any Port, but nothing is selected in the Misc tab.
Ok, here’s what I’ve done. I’ve cleared all rules except for the default ones. Now my Network Monitor reads as follows:
Id: 0
Allow UDP In from Any To 192.168.1.1, src port 67 and des port 68
Id: 1
Allow UDP Out from 192.168.1.1 to Any, src port 68 and des port 67
Id: 2
Allow IP Out from Any to Zone: 169.254.0.0/255.255.255.255, IPProto is Any
Id: 3
Allow IP In from Zone: 169.254.0.0/255.255.255.255 to Any, IPProto is Any
Id: 4
Allow IP Out from Any to Zone: 192.168.1.0/192.168.1.255, IPProto is Any
Id: 5
Allow IP In from Zone: 192.168.1.0/192.168.1.255 to Any, IPProto is Any
Id: 6
Allow TCP In from Zone: 169.254.0.0/255.255.255.255 to Any, src port Any and des port 990,999,5678,5721,26675
Id: 7
Allow TCP/UDP Out from Any to Any, src port Any and des port Any
Id: 8
Allow ICMP Out from Any to Any, ICMP Message is Echo Request
Id: 9
Allow ICMP In from Any to Any, ICMP Message is Fragmentation Needed
Id: 10
Allow ICMP In from Any to Any, ICMP Message is Time Exceeded
Id: 11
Allow IP Out from Any to Any where IPProto is GRE
Id: 12
Block & Log IP In or Out from Any to Any, IPProto is Any
whew…
Well, I still can’t get an IP at the client side. One difference noted: after adding your changes and setting the rules as above, I can’t even see tcpsvcs.exe in Activity–>Connections…
Strictly speaking, if your Zone/Trusted Network is correctly configured, communication between nodes in the Zone (your LAN) should be allowed, which means you shouldn’t need any additional rules.
I notice you have two Zones and a rule allowing ports on one. The first thing to establish is the IP address space being used on your LAN. Are you using 192.168… or are you using 169.254…?
Having established which range you wish to use, ensure your server and clients are all correctly configured to use that range. Then remove the Zone rules in NM for the IP address range you’re not using.
Personally, I can’t see why you should need to support the 169.254… address space, as this is used by Microsoft in the absence of a DHCP server. It’s referred to as APIPA or Automatic Private IP Addressing. It basically means that a client will auto-assign itself an IP address from that range if a DHCP server cannot be found.
Well, since clients with no IP broadcast over 0.0.0.0 and 255.255.255.255, having only the LAN in the Trusted Zone would not be enough. I’ve included 169.254 in my trusted network for two reasons: first, just in case my 2nd NIC (the one connected to the ADSL) is down, and second, for my ActiveSync connection.
Something worries me though. According to the Activity–>Connections monitor, tcpsvcs.exe does receive the requests as I showed before, but nothing is being sent out as seen in the bytes out field. Now is it tcpsvcs.exe which issues the DHCP address or some other? And why do I have bytes sent 0 for tcpsvcs.exe?
When I Allow All, I do see the tcpsvcs sending out data and my clients are then given their ip. So my guess is that all my troubles have something to do with this tcpsvcs not sending Out any data…
This little trip in the DHCP has been quite interesting and allowed me to increase my knowledge-base in the very least…
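To make the two rule sets quoted above comparable against the DHCP exchange, here is an added example (written for this thread, not code from the original posts and not Comodo's rule engine). It models the rules as a first-match list ending in a Block, replays the four DHCP messages (DISCOVER, OFFER, REQUEST, ACK; client with no address sends from 0.0.0.0:68 to 255.255.255.255:67, server answers from port 67 to port 68) and reports which rule each message hits. Assumptions: the server address 192.168.1.1 is taken from the second rule set; the server is assumed to broadcast its OFFER and ACK (whether a DHCP server broadcasts or unicasts its replies depends on the client's broadcast flag); and the third rule set, named DHCP_SERVER_RULESET, is the example's own suggestion of a minimal port-67/68 pair, not something anyone in the thread posted.

```python
"""Replay a DHCP exchange against first-match firewall rule lists.

Added example; rule semantics are a simplified reading of the rules quoted
in this thread (first matching rule wins, trailing Block catches the rest),
not the real firewall engine. Broadcast OFFER/ACK is assumed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional, Tuple

ANY_PORTS = None  # stands for "any port" in a rule


@dataclass(frozen=True)
class Packet:
    direction: str          # "in" = arrives at the server, "out" = leaves it
    proto: str              # "udp", "tcp", "icmp"
    src_ip: str
    src_port: Optional[int]
    dst_ip: str
    dst_port: Optional[int]


@dataclass(frozen=True)
class Rule:
    action: str             # "allow" or "block"
    direction: str          # "in", "out" or "in/out"
    proto: str              # "udp", "tcp", "tcp/udp" or "ip" (any protocol)
    src: str                # CIDR (a zone or a single host) or "any"
    dst: str
    src_ports: Optional[Tuple[int, ...]] = ANY_PORTS
    dst_ports: Optional[Tuple[int, ...]] = ANY_PORTS
    name: str = ""


def _ip_matches(spec: str, ip: str) -> bool:
    return spec == "any" or IPv4Address(ip) in IPv4Network(spec, strict=False)


def _proto_matches(spec: str, proto: str) -> bool:
    return spec == "ip" or proto in spec.split("/")


def _port_matches(spec, port) -> bool:
    return spec is ANY_PORTS or port in spec


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction in ("in/out", pkt.direction)
            and _proto_matches(rule.proto, pkt.proto)
            and _ip_matches(rule.src, pkt.src_ip)
            and _ip_matches(rule.dst, pkt.dst_ip)
            and _port_matches(rule.src_ports, pkt.src_port)
            and _port_matches(rule.dst_ports, pkt.dst_port))


def evaluate(rules, pkt: Packet):
    """Return (action, rule name) of the first matching rule; default is block."""
    for r in rules:
        if rule_matches(r, pkt):
            return r.action, r.name
    return "block", "implicit default"


SERVER_IP = "192.168.1.1"  # from the second rule set in the thread

# The four DHCP messages as the server's firewall sees them (broadcast case).
DHCP_EXCHANGE = [
    ("DISCOVER", Packet("in",  "udp", "0.0.0.0", 68, "255.255.255.255", 67)),
    ("OFFER",    Packet("out", "udp", SERVER_IP, 67, "255.255.255.255", 68)),
    ("REQUEST",  Packet("in",  "udp", "0.0.0.0", 68, "255.255.255.255", 67)),
    ("ACK",      Packet("out", "udp", SERVER_IP, 67, "255.255.255.255", 68)),
]

# Rules 0-5 from the first post, plus an assumed trailing block.
FIRST_RULESET = [
    Rule("allow", "in/out", "udp", "0.0.0.0/32", "255.255.255.255/32", (67, 68), (67, 68), "rule 0"),
    Rule("allow", "in/out", "udp", "192.168.1.0/24", "192.168.1.0/24", (67, 68), (67, 68), "rule 1"),
    Rule("allow", "out", "ip", "any", "192.168.1.0/24", name="rule 2"),
    Rule("allow", "in", "ip", "192.168.1.0/24", "any", name="rule 3"),
    Rule("allow", "out", "ip", "any", "169.254.0.0/16", name="rule 4"),
    Rule("allow", "in", "ip", "169.254.0.0/16", "any", name="rule 5"),
    Rule("block", "in/out", "ip", "any", "any", name="default block"),
]

# The UDP/IP rules as typed in the later post (Ids 0-5, 7 and 12).
SECOND_RULESET = [
    Rule("allow", "in", "udp", "any", SERVER_IP + "/32", (67,), (68,), "Id 0"),
    Rule("allow", "out", "udp", SERVER_IP + "/32", "any", (68,), (67,), "Id 1"),
    Rule("allow", "out", "ip", "any", "169.254.0.0/16", name="Id 2"),
    Rule("allow", "in", "ip", "169.254.0.0/16", "any", name="Id 3"),
    Rule("allow", "out", "ip", "any", "192.168.1.0/24", name="Id 4"),
    Rule("allow", "in", "ip", "192.168.1.0/24", "any", name="Id 5"),
    Rule("allow", "out", "tcp/udp", "any", "any", name="Id 7"),
    Rule("block", "in/out", "ip", "any", "any", name="Id 12"),
]

# Example's own minimal DHCP-server pair (assumption, not from the thread):
# client port 68 -> server port 67 inbound, server port 67 -> 68 outbound.
DHCP_SERVER_RULESET = [
    Rule("allow", "in", "udp", "any", "any", (68,), (67,), "DHCP in"),
    Rule("allow", "out", "udp", SERVER_IP + "/32", "any", (67,), (68,), "DHCP out"),
    Rule("block", "in/out", "ip", "any", "any", name="default block"),
]


def trace(rules):
    """Map each DHCP message name to the (action, rule) decision it receives."""
    return {msg: evaluate(rules, pkt) for msg, pkt in DHCP_EXCHANGE}


if __name__ == "__main__":
    for label, rs in (("first", FIRST_RULESET), ("second", SECOND_RULESET),
                      ("dhcp-server", DHCP_SERVER_RULESET)):
        print(label)
        for msg, (action, name) in trace(rs).items():
            print(f"  {msg:8s} {action:5s} ({name})")
```

Under this model the first set lets the DISCOVER in (rule 0) but drops the broadcast OFFER, because rule 0 pins the source to 0.0.0.0 and the zone rules never cover 255.255.255.255; the second set drops the DISCOVER itself, since Id 0 expects the server address as destination and swaps the ports. Both outcomes line up with the symptoms described in the thread, but the real firewall's zone and port semantics may differ, so treat the script as a way to reason about rule order rather than as a diagnosis.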
Just a couple of points. The address 0.0.0.0 is a reserved address, sometimes used to identify the home network, and is also used as the default route in routing tables.
The address 255.255.255.255 is a global network broadcast address and is used by DHCP, initially during the discover phase and possibly later, during the renewal phase.
What I would like you to do is the following:
Open CFP and go to Activity/Logs
Right-click anywhere in the log window
Select “Clear all logs.”
Try to acquire an IP address from a client using ipconfig /release, then ipconfig /renew
Go to Activity/Logs
Right-click anywhere in the log window
Select “Export to HTML”
Save the file
Attach the file to a post here, using ‘Additional Options’ (bottom left on the reply screen)
I had this problem on my server too… I really could not solve it no matter what rules I set, so I just switched firewalls… only on my Server 2003… I kept Comodo FW on the clients…