Anyone good at configuring a difficult program out there?

Hi, I have a program network of 3 computers (one being the "server") that is connected to the internet via a router. The two "workstations" need to connect to the "server" for a program that requires DCOM on port 135. With my current setup, I have 3 routers, one for this network, one for a separate network, and the last one to connect them to the internet (each having its own IP address). I'll label them as:

router#1 = my connection to the internet
router#2 = other network
router#3 = my network

I know this is not the best way to wire this, but re-wiring isn't an option (unfortunately). I need to give the 2 workstations unrestricted access to and from the server for this program, however restrict its access to the internet. They should be able to access the internet through router#1, but not the program. The server and the 2 workstations are on my network (router#3). I also got this in the log file, I believe this is related to it.

Severity: High
Description: Application Access Denied (svchost.exe:(IP of server): ms-rpc(135))
Application: c:\windows\system32\svchost.exe
Parent: c:\windows\system32\services.exe
Protocol: TCP Out
IP: (IP of server)
Port: 135

I have some rules set up, but I think I got it all fouled up. Help please??? (Sorry, I did say it was rather complicated)

I’m pretty sure this is do-able, but we need a few more clues first.

Can you let us know the internal IPs of the three routers and the internal IP addresses of each of the three PCs (and nominate which IP is the server)?

Can’t go forward without these details.

Cheers,
Ewen :slight_smile:

Ok, let see if I can get it all down for you.

router#1 = 192.168.1.1 = my connection to the internet
router#2 = 192.168.1.2 = other network
router#3 = 192.168.1.3 = my network

The computers in question are 192.168.1.20 through 192.168.1.50.

There actually is a 4th computer that needs access due to a network printer. These 4 computers are as follows:

192.168.1.36 <— This is the server
192.168.1.35
192.168.1.44
192.168.1.34

Let me know if you need any other info. I think I got everything you asked for. Thanks for your help, Panic...

Thanks for the additional detail, but the way you have presented it has raised a few more questions.

“The computers in question are 192.168.1.20 through 192.168.1.50.”

Are we dealing with just the three PCs specifically nominated (plus the one that hosts a printer) or do you have a LAN of 30 PCs? If there are thirty PCs, can you outline the entire LAN so we can come up with a solution that suits your entire environment and hopefully reduces future modifications.

Either way, do you have any flexibility in the addresses assigned to each PC? If so, the solution running through my head at the moment would require renumbering some of the PCs to form logical zones within CFP for both the DCOM access and for prohibiting internet access to some PCs.

Cheers,
Ewen :slight_smile:

The way it's set up here, we actually have 2 independent LANs, side by side. Then both LANs connect to the internet router. The other LAN is in the Bar/Grill. I don't have access to any of those computers and they don't need access to mine. I also want Comodo to not show any popup, as some of the people here will click anything, even if they don't understand what it is. :( Their IPs end in .20 through .22. Here is a full breakdown of our setup.

Server: 192.168.1.36
FD2: 192.168.1.35
Bill: 192.168.1.44
Dan: 192.168.1.34
Sales office: 192.168.1.31
Ashley’s computer 192.168.1.33
Pam’s Laptop: 192.168.1.50

This first set of computers is on router#3 IP:192.168.1.3. The first 4 have to be able to connect to each other. The last 3 computers I don’t have access to, but they need to be able to communicate with the computers Server & Dan. Both of those computers have a printer attached.

Main Bar Server: 192.168.1.20
Bar1: 192.168.1.21
Bar1: 192.168.1.22

These 3 computers are on router#2 IP:192.168.1.2. I do not have access to them, but they don’t need access to anything on the other router.

The last router is router#1 IP:192.168.1.1. Both the other routers are connected to this one to give internet access.

Unfortunately the only computers that I can do anything with are Server, FD2, & Bill. I’m not allowed to change IPs, but I can make them more secure. I’ve installed Comodo on all 3, but can’t seem to get the rules to work with the software on all 3 of these machines. Grrrr. Do you have any ideas? Thank you for taking the time to help. I really do appreciate it.

(L) Bill

Hey Bill,

As follows are two groupings of rules. The first grouping of five rules is for what I consider to be your primary LAN (i.e. the one you have control over). The second grouping is to allow the PCs to access the shared printers. In all, eight rules.

Let me know if you have any difficulties with these, or if I’ve stuffed anything up (ALWAYS a possibility ;)).


This set of five rules allows all TCP/UDP communications IN or OUT between 192.168.1.36, 35 and 44. It also allows access to and from the internet router (192.168.1.1) and blocks all TCP/UDP comms from the other LAN (192.168.1.20-22).

These rules need to be created on 192.168.1.35, 36 and 44.


COMMON RULES FOR SERVER (192.168.1.36), FD2 (192.168.1.35), BILL (192.168.1.44)

Action : Allow
Direction : IN/OUT
Protocol : TCP/UDP
Source IP : 192.168.1.36
Destination IP : ANY
Source Port : ANY
Destination Port : ANY

Action : Allow
Direction : IN/OUT
Protocol : TCP/UDP
Source IP : 192.168.1.35
Destination IP : ANY
Source Port : ANY
Destination Port : ANY

Action : Allow
Direction : IN/OUT
Protocol : TCP/UDP
Source IP : 192.168.1.44
Destination IP : ANY
Source Port : ANY
Destination Port : ANY

Action : Allow
Direction : OUT
Protocol : TCP/UDP
Source IP : ANY
Destination IP : 192.168.1.1
Source Port : ANY
Destination Port : ANY

Action : Block
Direction : IN
Protocol : TCP/UDP
Source IP : (IP Range) 192.168.1.20 - 192.168.1.22
Destination IP : ANY
Source Port : ANY
Destination Port : ANY


The following three rules are for Server (192.168.1.36) and Dan (192.168.1.34) to allow shared printer access from 192.168.1.31, 33 and 50.

These rules need to be set up on both Server (192.168.1.36) and Dan (192.168.1.34).

Action : Allow
Direction : IN
Protocol : TCP/UDP
Source IP : 192.168.1.31
Destination IP : ANY
Source Port : ANY
Destination Port : (Range of ports) 137 - 138

Action : Allow
Direction : IN
Protocol : TCP/UDP
Source IP : 192.168.1.33
Destination IP : ANY
Source Port : ANY
Destination Port : (Range of ports) 137 - 138

Action : Allow
Direction : IN
Protocol : TCP/UDP
Source IP : 192.168.1.50
Destination IP : ANY
Source Port : ANY
Destination Port : (Range of ports) 137 - 138


It’s a pity you don’t have any latitude with your IP addressing, as this whole scenario could have been reduced to two ZONE rules and a single additional rule. C’est la vie!

Hope this helps,
Ewen :slight_smile:

Forgive me for asking a couple of questions, if I may. Shouldn’t the above read as follows?

Action : Allow
Direction : IN/OUT
Protocol : TCP/UDP
Source IP : ANY
Destination IP : 192.168.1.1
Source Port : ANY
Destination Port : ANY

Also, why do the rules for the computers with printers attached set for Direction IN only? Doesn’t printing require IN/OUT traffic, or am I wrong there. It wouldn’t be the first time.

Unfortunately, with just the rules you gave me, I can’t access the internet or the server. I double checked my input, but I’ll admit, most of it I understand and sounds like it should work. Comodo is definitely blocking, but I don’t understand why. Any ideas?

Thank you for your time Ewen. :slight_smile:

LOL Bill. Amazing what you discover when you work things out with good old fashioned pen and paper.

I totally missed 192.168.1.3 - the router that connects the PCs you’re concerned with to each other and to the internet router. I’ll give myself an uppercut, OK?

I’ve attached a lan map based on your description of your network for your reference, displaying the three routers and the three “segments” we’re interested in. The segment on the left of the diagram bears no part in the rules. The segment on the right side only needs access to the printers and to the internet. The centre segment is the one we’re creating rules for.

I’ve divided the rules up into four sections - 1) intra-lan communications between the four PCs, 2) internet access for the four PCs under your control, 3) blocking traffic from the other segment and 4) allow shared printer access to the nominated PCs.

This set of fourteen rules allows all TCP/UDP communications IN or OUT between 192.168.1.36, 35 and 44 and 192.168.1.3. It also allows access to and from the internet router (192.168.1.1), allows shared printer access from 192.168.1.31,33 and 50 and blocks all TCP/UDP comms from the other LAN (192.168.1.20-22).


NETWORK MONITOR RULES FOR SERVER (192.168.1.36), FD2 (192.168.1.35), BILL (192.168.1.44) AND DAN (192.168.1.34) TO ALLOW COMMUNICATIONS BETWEEN THE FOUR PCs UNDER YOUR CONTROL

Action : Allow
Direction : IN/OUT
Protocol : TCP/UDP
Source IP : 192.168.1.36
Destination IP : ANY
Source Port : ANY
Destination Port : ANY

Action : Allow
Direction : IN/OUT
Protocol : TCP/UDP
Source IP : 192.168.1.35
Destination IP : ANY
Source Port : ANY
Destination Port : ANY

Action : Allow
Direction : IN/OUT
Protocol : TCP/UDP
Source IP : 192.168.1.44
Destination IP : ANY
Source Port : ANY
Destination Port : ANY

Action : Allow
Direction : IN/OUT
Protocol : TCP/UDP
Source IP : 192.168.1.34
Destination IP : ANY
Source Port : ANY
Destination Port : ANY

Action : Allow
Direction : OUT
Protocol : TCP/UDP
Source IP : ANY
Destination IP : 192.168.1.3
Source Port : ANY
Destination Port : ANY

Action : Allow
Direction : IN
Protocol : TCP/UDP
Source IP : ANY
Destination IP : 192.168.1.3
Source Port : ANY
Destination Port : ANY

NOTES:
And this time, I didn’t forget the gravy. :wink:


NETWORK MONITOR RULES FOR SERVER (192.168.1.36), FD2 (192.168.1.35), BILL (192.168.1.44) AND DAN (192.168.1.34) TO ALLOW INTERNET ACCESS FOR THE FOUR PCs UNDER YOUR CONTROL

Action : Allow
Direction : OUT
Protocol : TCP/UDP
Source IP : ANY
Destination IP : 192.168.1.1
Source Port : ANY
Destination Port : ANY

NOTES:
This rule only requires a direction of “OUT” as the incoming data is seen as a valid response to our outbound request.


NETWORK MONITOR RULES FOR SERVER (192.168.1.36) AND DAN (192.168.1.34) TO ALLOW SHARED PRINTER USAGE FROM 192.168.1.31, 33 AND 50.

Action : Allow
Direction : IN
Protocol : TCP/UDP
Source IP : 192.168.1.31
Destination IP : ANY
Source Port : ANY
Destination Port : (Range of ports) 137 - 138

Action : Allow
Direction : IN
Protocol : TCP/UDP
Source IP : 192.168.1.33
Destination IP : ANY
Source Port : ANY
Destination Port : (Range of ports) 137 - 138

Action : Allow
Direction : IN
Protocol : TCP/UDP
Source IP : 192.168.1.50
Destination IP : ANY
Source Port : ANY
Destination Port : (Range of ports) 137 - 138

NOTES:
This rule requires a direction of “IN” as the response data sent back to the originating PC is seen as a valid response to an authorised inbound request.


NETWORK MONITOR RULES FOR SERVER (192.168.1.36), FD2 (192.168.1.35), BILL (192.168.1.44) AND DAN (192.168.1.34) TO BLOCK TRAFFIC FROM THE 192.168.1.20-22 LAN SEGMENT AND TO BLOCK ALL TRAFFIC (OTHER THAN PRINTER SHARING TRAFFIC) FROM 192.168.1.31, 33 AND 50.

Action : Block
Direction : IN
Protocol : TCP/UDP
Source IP : (IP Range) 192.168.1.20 - 192.168.1.22
Destination IP : ANY
Source Port : ANY
Destination Port : ANY

Action : Block
Direction : IN
Protocol : TCP/UDP
Source IP : 192.168.1.31
Destination IP : ANY
Source Port : ANY
Destination Port : ANY

Action : Block
Direction : IN
Protocol : TCP/UDP
Source IP : 192.168.1.33
Destination IP : ANY
Source Port : ANY
Destination Port : ANY

Action : Block
Direction : IN
Protocol : TCP/UDP
Source IP : 192.168.1.50
Destination IP : ANY
Source Port : ANY
Destination Port : ANY

NOTES:
This set of rules MUST appear below the rule that allows 192.168.1.31,33 and 50 to access the shared printers.


I’d recommend removing the previously defined rules completely and starting again. Don’t remove any of the standard rules automatically created by CFP. Only remove the manually added rules.

I’d start by adding one group of rules first and check whether the rules do what we want them to. If they work, go to the next group. If not, yell for help, but check the firewalls logs and include that info in your next post.

Please bear in mind that the order the rules appear in is critical, as the rules are read from top to bottom. That’s why there is a “catch-all” block rule at the bottom to nab anything that doesn’t match the rules above it in the list. This is why I added the note about the shared printer rule needing to appear ABOVE the rule that blocks comms from the other lan segment.

A word of advice, the rules could have been made much more concise and logical if the IP addresses could be rearranged into “bands” based upon geographic location. For example, the left hand segment on the lan map could be renumbered 192.168.1.100 - 192.168.1.149. The centre segment (the ones under your control) could be renumbered 192.168.1.150 - 192.168.1.174. The right hand segment could be renumbered 192.168.1.175 - 192.168.1.199.

Renumbering them like this allows for future growth within each area, but allows devices in each area to be classified and grouped by address. In doing this, you could create zones within CFP that encompass each area. Off the top of my head, you would only need 4 zones - one for the routers, one for the left segment, one for the middle segment and one for the right hand segment - and then create rules based on the zones.

Grouping your addresses like this also makes it easier to troubleshoot intra-lan communications problems.

It would be appreciated if anyone else could review the diagram and the rules to make sure I haven’t stuffed something up. :wink: TIA

Hope this helps (and I hope I got it right this time)
Ewen :slight_smile:

[attachment deleted by admin]
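As an added illustration (not part of the thread, and not Comodo's code), here is a small Python simulation of Ewen's Network Monitor rule set for SERVER, evaluated the way his note describes: top to bottom, first match wins, and anything unmatched is dropped. Those semantics, and the flows tested, are assumptions drawn from his post; the point is to show why the printer allows must sit above the blocks.

```python
from ipaddress import ip_address
from typing import NamedTuple

# Assumed CFP Network Monitor semantics (taken from Ewen's note on ordering):
# rules are read top to bottom, the first match wins, and anything that
# matches nothing is dropped.  Source/Destination are inclusive IP ranges.
ANY = ("ANY",)

class Rule(NamedTuple):
    action: str     # "Allow" or "Block"
    direction: str  # "IN", "OUT" or "IN/OUT"
    src: tuple      # (first_ip, last_ip) or ANY
    dst: tuple      # (first_ip, last_ip) or ANY
    dport: tuple    # (low_port, high_port) or ANY

def one(ip):
    return (ip, ip)

def in_range(value, rng):
    if rng == ANY:
        return True
    lo, hi = rng
    if isinstance(value, str):          # IP address string
        return ip_address(lo) <= ip_address(value) <= ip_address(hi)
    return lo <= value <= hi            # port number

def evaluate(rules, direction, src, dst, dport):
    """Return (action, index of the matching rule); ("Block", None) if none."""
    for i, r in enumerate(rules):
        if (r.direction in (direction, "IN/OUT") and in_range(src, r.src)
                and in_range(dst, r.dst) and in_range(dport, r.dport)):
            return r.action, i
    return "Block", None

# Ewen's four groups for SERVER (192.168.1.36), transcribed in his order.
INTRA = [Rule("Allow", "IN/OUT", one(f"192.168.1.{h}"), ANY, ANY) for h in (36, 35, 44, 34)]
ROUTER3 = [Rule("Allow", "OUT", ANY, one("192.168.1.3"), ANY),
           Rule("Allow", "IN", ANY, one("192.168.1.3"), ANY)]
INTERNET = [Rule("Allow", "OUT", ANY, one("192.168.1.1"), ANY)]
PRINTER = [Rule("Allow", "IN", one(f"192.168.1.{h}"), ANY, (137, 138)) for h in (31, 33, 50)]
BLOCKS = ([Rule("Block", "IN", ("192.168.1.20", "192.168.1.22"), ANY, ANY)]
          + [Rule("Block", "IN", one(f"192.168.1.{h}"), ANY, ANY) for h in (31, 33, 50)])

CORRECT = INTRA + ROUTER3 + INTERNET + PRINTER + BLOCKS   # printer allows above blocks
WRONG = INTRA + ROUTER3 + INTERNET + BLOCKS + PRINTER     # blocks shadow the printer allows

def check(rules):
    """A few flows from the thread, evaluated against one ordering."""
    return {
        "printer_from_31": evaluate(rules, "IN", "192.168.1.31", "192.168.1.36", 137)[0],
        "web_from_31":     evaluate(rules, "IN", "192.168.1.31", "192.168.1.36", 80)[0],
        "bar_lan_21":      evaluate(rules, "IN", "192.168.1.21", "192.168.1.36", 135)[0],
        "fd2_dcom":        evaluate(rules, "IN", "192.168.1.35", "192.168.1.36", 135)[0],
        "to_internet":     evaluate(rules, "OUT", "192.168.1.36", "192.168.1.1", 80)[0],
    }

if __name__ == "__main__":
    for name, rules in (("correct order", CORRECT), ("blocks first", WRONG)):
        print(name, check(rules))
```

With the blocks moved above the printer group, the only flow that changes is the NetBIOS print traffic from 192.168.1.31, which the .31 block rule now catches first.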

Umm. Stupid question. I can find the log from within Comodo, but where on the hard drive do I find it? I'd rather not have to type the whole thing out. We're closer, before I couldn't load Epic with any of the firewalls turned on. Now it does until I turn on the firewall on server. I'm double checking my rules. I'll post what I find out in about 24 hrs, ok? Peace...

The traditional method of extracting the log is to right-click in the Logs window and export to HTML.

The unorthodox method is to navigate to C:\Documents and Settings\All Users\Application Data\Comodo\Personal Firewall\Logs and open the Logs.log file.

OK. We’re getting closer.

What is Epic and what are its requirements?

Ewen :slight_smile:

Ok, my rules are set correctly. With the firewall turned on for FD2, but off for the server, Epic can connect (before both had to be shut off). Now just when we turn on the server’s firewall can we not connect.

Here is what I know about Epic. It is a Property Management Software. It allows day to day operations in a hotel. We do not have tech support. Unfortunately, that would cost $2400, not an option right now. I have very little info on how to set it up with a firewall, but I'll type out the full directions we have for setting up Epic on a new system. Any other requirements remain unknown to anyone here (This system came with the hotel when it was purchased 2 years ago). Hopefully you'll see something.

Directions for installing Epic on a new Win XP system, (after the “C:\Epic” directory is copied from the server to the new computer).

1.) Click on My Computer
2.) Open up local c: drive, make sure "C:" & “C:\Epic” are both shared
3.) Open up Epic folder
4.) Doubleclick storageserver.exe (it puts itself in the system tray)
5.) Doubleclick storageserver.exe in the system tray to open it up and hit close
6.) Go to start - run - type “dcomcnfg” without the quotes and hit enter
7.) Double click on component services on right side of screen
8.) Double click on computers - double click on my computer - double click on DCOM Config
9.) Scroll down until you find storobj-object - right click on it
10.) Make sure the path to storageserver.exe is “C:\Epic\storageserver.exe”
11.) Under location tab, the top 2 boxes should be checked
12.) Under identity tab, interactive user should be checked
13.) Under security tab, all 3 need to be set to custom
14.) Under each, select advanced, make sure that users anonymous & everyone have everything checked
15.) On the firewall, Epic.exe, Storageserver.exe, & Trainingserver.exe need to be under exceptions.
16.) If there is an advanced button, go there under exceptions to allow FTP server
17.) Also add port 135 to exceptions, port name DCOM

Hopefully I haven’t scared ya away with all that. Pretty much #1 through #14 are to set up access to/from the server (before a firewall is ever introduced to the equation). I’m going to attach log files from both server and FD2. Hopefully this will help. Let me know if you need anything more, ok?

I used rar to compress them as the one for server was almost 500k already. Both are attached. One thing I did notice, on the Log file for FD2 there was this entry:

Date/Time :2007-04-07 00:48:26
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (svchost.exe)
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: TCP Out
Destination: 192.168.1.36::ms-rpc(135)
Details: C:\WINDOWS\system32\mmc.exe has tried to use C:\WINDOWS\system32\svchost.exe through OLE Automation, which can be used to hijack other applications.

This occurred when I used a program called setname.exe, from Epic. It allows us to test the connection to the server. It failed even though I got a popup about the above and approved it. Huh??? I’m thoroughly confused…

[attachment deleted by admin]

Hey Bill,

Try setting an application monitor rule for setname.exe and mmc.exe, allowing all activities and ignoring the parent.

Cheers,
Ewen :slight_smile:

Grrrr. I didn't have permissions set up for mmc.exe on the server, but I did on FD2. Still no go. Any other ideas? We gotta be really close...

Hey Bill,

If Epic is installed on “Server” and FD2 needs DCOM access to it, you could use the brute force method and set up two explicit network monitor rules ( one IN and one OUT) specifically for the ports required and move them to the top of the list (or at least above any block rules). Turn logging on for this rule (this is just a temporary measure).

Prior to adding these and testing, clear your logs, add the rules and then test. You should then just have log entries showing the allowed traffic or entries from a block rule. Export the logs and post them here.

Just think, soon you’ll look back on this as a fun learning exercise. 88) :wink:

Ewen :slight_smile:

That would really be great. :BNC I want to make sure I understand what you want me to do, ok? You want these 2 rules before everything else we’ve added on both the server and FD2. I have the rules as follows:

Action : Allow
Direction : OUT
Protocol : TCP
Source IP : 192.168.1.36
Destination IP : 192.168.1.35
Source Port : 135
Destination Port : 135

Action : Allow
Direction : IN
Protocol : TCP
Source IP : 192.168.1.35
Destination IP : 192.168.1.36
Source Port : 135
Destination Port : 135

Is this correct, or did I butcher it again?

Bill,

These look correct, providing “Server” is 192.168.1.36 and FD2 is 192.168.1.35.

Let us know how you go.

Ewen :slight_smile:

Well, no smileys yet… Attached are the new logs. Rule 22 is my block all. Let me know what you think.

[attachment deleted by admin]

Hang in there. :wink:

In the FD2 logs, the port 67 and 68 log entries are related to auto IP assignment by DHCP from the 192.168.1.3 router. As we seem to be dealing with statically assigned IPs, these can be ignored.

The critical entry is the last one - RPC (135) blocked outbound.

Date/Time :2007-04-07 03:33:43
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (svchost.exe:192.168.1.36: :ms-rpc(135))
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: TCP Out
Destination: 192.168.1.36::ms-rpc(135)

Try adding an application monitor rule for SVCHOST.EXE with SERVICES.EXE as the parent, 192.168.1.36 as the destination, to port 135.

Once we’ve established outbound comms from FD2 we need to check how it is received on SERVER. Then again, it might just work. :wink:

Ewen :slight_smile:
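An added example (not from the thread, and not Comodo's own tooling): a small Python parser for the CFP log entries quoted above that pulls out Application Monitor denials of outbound RPC/DCOM (port 135) and turns each into the application rule Ewen recommends. The sample log is constructed from the two entries Bill quoted (one left in its flattened one-line form) plus one made-up benign entry; the field names and the Destination format are taken from those entries.

```python
import re

# Constructed sample: the two entries Bill quoted in the thread (one in the
# usual one-field-per-line layout, one flattened onto a single line) plus a
# made-up benign entry, so the parser has something to leave alone.
SAMPLE_LOG = r"""
Date/Time :2007-04-07 00:48:26
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (svchost.exe)
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: TCP Out
Destination: 192.168.1.36::ms-rpc(135)
Details: C:\WINDOWS\system32\mmc.exe has tried to use C:\WINDOWS\system32\svchost.exe through OLE Automation, which can be used to hijack other applications.

Date/Time :2007-04-07 03:33:43 Severity :Medium Reporter :Application Monitor Description: Application Access Denied (svchost.exe:192.168.1.36: :ms-rpc(135)) Application: C:\WINDOWS\system32\svchost.exe Parent: C:\WINDOWS\system32\services.exe Protocol: TCP Out Destination: 192.168.1.36::ms-rpc(135)

Date/Time :2007-04-07 03:35:10 Severity :Low Reporter :Application Monitor Description: Application Access Denied (constructed.exe:192.168.1.1: :http(80)) Application: C:\Program Files\constructed\constructed.exe Parent: C:\WINDOWS\explorer.exe Protocol: TCP Out Destination: 192.168.1.1::http(80)
"""

KEYS = ("Date/Time", "Severity", "Reporter", "Description", "Application",
        "Parent", "Protocol", "Destination", "Details")
_FIELD = re.compile(r"\s*(" + "|".join(re.escape(k) for k in KEYS) + r")\s*:\s*")
_DEST = re.compile(r"^(\d+\.\d+\.\d+\.\d+):+(?:[\w-]+\()?(\d+)\)?")

def parse_log(text):
    """Split a CFP log dump into dicts; a new entry starts at every Date/Time.
    Splitting on the known field names makes the flattened one-line form parse
    exactly like the one-field-per-line form."""
    parts = _FIELD.split(text)          # [lead, key, value, key, value, ...]
    entries, cur = [], None
    for key, value in zip(parts[1::2], parts[2::2]):
        if key == "Date/Time":
            cur = {}
            entries.append(cur)
        if cur is not None:
            cur[key] = value.strip()
    return entries

def dest_ip_port(entry):
    """'192.168.1.36::ms-rpc(135)' -> ('192.168.1.36', 135)."""
    m = _DEST.match(entry.get("Destination", ""))
    return (m.group(1), int(m.group(2))) if m else (None, None)

def denied_rpc(entries, port=135):
    """Application Monitor denials of outbound traffic to `port` (RPC/DCOM)."""
    return [e for e in entries
            if e.get("Description", "").startswith("Application Access Denied")
            and e.get("Protocol", "").endswith("Out")
            and dest_ip_port(e)[1] == port]

def suggest_rule(entry):
    """The Application Monitor rule that would allow exactly this denied flow,
    in the layout Bill used when he posted the rule that fixed it."""
    ip, port = dest_ip_port(entry)
    return {"Application": entry["Application"], "Parent": entry["Parent"],
            "Allow": entry["Protocol"].upper(), "Destination IP": ip,
            "Destination Port": port}

if __name__ == "__main__":
    for e in denied_rpc(parse_log(SAMPLE_LOG)):
        print(e["Date/Time"], suggest_rule(e))
```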

My friend. You absolutely rock! I did what you said and added the following to the server:

Application : C:\WINDOWS\system32\svchost.exe
Parent : C:\WINDOWS\system32\services.exe
Allow: TCP OUT
Destination IP : 192.168.1.35
Destination Port : 135

I'm assuming I'll have to do a similar application rule on the other computers that are running Comodo? Thank you very much for your help! Please, have yourself a refreshing drink (alcoholic or non, your preference). You deserve it after this one!

BTW, I finally saw and responded to your message. Peace…