tmas
May 20, 2006, 2:25am
21
Hey egemen and pandlouk!
OK, been trying the rules you suggested egemen and it’s working 100%! No leechers for over an hour now - and they aren’t even appearing in my Emule list as being On Queue! Perfect. Thanks so much to you both - we finally got there
panic
May 20, 2006, 2:52am
22
Hey egemen,
Thanks for your detailed explanation. It will undoubtedly be referenced continually in the future.
Would it be an idea to have a sticky note at the top of the forum containing high level / low level notes on common connection blocking scenarios?
The wording and layout you used is very simple to follow for the average user and still contains enough nuts and bolts to satisfy the dweebs.
Thanks in advance,
Hi pandlouk,
Yes the number 1 is the correct one. Actually they would be the same if we had a static filtering firewall. But stateful inspection makes them different.
TCP connections uses an alogrithm known as 3-way handshake while establishing the connections.
Lets say 83.117.175.X tries to connect to US. Below are the 3 steps of TCP connection establishment.
1 -83.117.175.X------SYN-----> US
Assume CPF is installed in US and let 83.117.175.X be our leecher.
CASE 1 : The only rule is “Block IP Out from IP ANY to IP 83.117.175.X”
1- 83.117.175.X------SYN-----> US This packet is going to be accepted because it does not match the rule
2- US -----SYN/ACK----> 83.117.175.X Although this packet matches the rule and makes us think CPF should block it, since it is a reply to a valid connection attempt, stateful inspection will allow it and thus the leecher will receive a reply
3- 83.117.175.X------ACK-----> US This will be accepted because it does not match the rule
As seen above, although we had a blocking rule for outgoing packets, stateful inspection did allow some outgoing packets.
CASE 2 : The only rule is Block IP In from IP 83.117.175.X to IP Any
1- 83.117.175.X------SYN-----> US This packet is going to be dropped because it matches our blocking rule thus the leecher will be blocked.
Since step 1 is not completed, step 2,3 wont take place.
Could you see the difference?
When a rule has a direction OUT attribute, “Source” fields represent our host and “Remote” fields represent the leecher.
Please do not hesitate to ask any points you need to be made clear.
Egemen
Hey Egemen
pandlouk
egemen
May 20, 2006, 10:51am
24
across during the tests that if someone uses an allow IN rule for TCP or TCP/UDP at a specific port (for p2P programs), then this port is not being stealthed when the program does not run. And this can be a security hole especially when users leave the default ports of those programs.
pandlouk
Hi Pandlouk,
Yes when some ports are allowed incoming traffic, Windows TCP/IP stack sends some sort of port closed message to the remote host that is trying to connect to the port. This “port closed” reply will make port scanners to think that it is “Closed” instead of “Stealth”. But while under attack or something serious, CPF will adaptively secure the host even if you allow the traffic to all ports in the network rules. So currently it does not pose a serious risk.
Nonetheless, we have added this issue to our list and it will be implemented to make better inbound protection.
Thnk you all for the cooperation,
Egemen
EDIT : We have changed this behavior and the fix will be available in the next update which is expected to be in a couple of days - 23/05/2006
panic
May 20, 2006, 6:11pm
25
Is this similar to the way ZoneAlarm adaptively stealths ports dependant upon user activity?
ewen
egemen
May 21, 2006, 11:37am
26
Hi Ewen,
I dont exactly know how ZA does this but CPF stealths the ports according to the attacker behavior. For example if it detects that an attack is in progress, it may temporarily block the attacker’s access or it may block the inbound traffic temporarily(emergency mode).
Egemen
When a rule has a direction OUT attribute, “Source” fields represent our host and “Remote” fields represent the leecher.
Hi, egemen & others -
I appreciated your explanation - this cleared up some confusion for me.
Could I please make a suggestion? Could you consider renaming the “Remote” field to “Destination”? I believe that having a Source / Destination pair makes more sense to the user than having a Source / Remote pair.
Cheers,
dooplex
zorank
July 4, 2006, 7:36am
28
Hi pandlouk,
Yes the number 1 is the correct one. Actually they would be the same if we had a static filtering firewall. But stateful inspection makes them different.
TCP connections uses an alogrithm known as 3-way handshake while establishing the connections.
Lets say 83.117.175.X tries to connect to US. Below are the 3 steps of TCP connection establishment.
1 -83.117.175.X------SYN-----> US
Assume CPF is installed in US and let 83.117.175.X be our leecher.
CASE 1 : The only rule is “Block IP Out from IP ANY to IP 83.117.175.X”
1- 83.117.175.X------SYN-----> US This packet is going to be accepted because it does not match the rule
2- US -----SYN/ACK----> 83.117.175.X Although this packet matches the rule and makes us think CPF should block it, since it is a reply to a valid connection attempt, stateful inspection will allow it and thus the leecher will receive a reply
3- 83.117.175.X------ACK-----> US This will be accepted because it does not match the rule
As seen above, although we had a blocking rule for outgoing packets, stateful inspection did allow some outgoing packets.
CASE 2 : The only rule is Block IP In from IP 83.117.175.X to IP Any
1- 83.117.175.X------SYN-----> US This packet is going to be dropped because it matches our blocking rule thus the leecher will be blocked.
Since step 1 is not completed, step 2,3 wont take place.
Could you see the difference?
When a rule has a direction OUT attribute, “Source” fields represent our host and “Remote” fields represent the leecher.
Please do not hesitate to ask any points you need to be made clear.
Egemen
Egemen,
From what you say, I would conclude that
(1) “Block” in network monitor rules implies “block only unsolicitated attempts to connect”
(2) “solicitated”=connections of SYN/ACK or ACK type
(3) “unsoliciated”=connection of SYN type
Did I get this right?
By the way, this would be perfect example for “library of examples” we discussed on the other post
https://forums.comodo.com/index.php/topic,828.msg5269.html#msg5269
It would be really good idea to have FLOW CHART of how CPF processes information!!!
Zoran
panic
July 4, 2006, 7:48am
29
Egemen,
From what you say, I would conclude that
(1) “Block” in network monitor rules implies “block only unsolicitated attempts to connect”
(2) “solicitated”=connections of SYN/ACK or ACK type
(3) “unsoliciated”=connection of SYN type
Did I get this right?
By the way, this would be perfect example for “library of examples” we discussed on the other post
https://forums.comodo.com/index.php/topic,828.msg5269.html#msg5269
It would be really good idea to have FLOW CHART of how CPF processes information!!!
Zoran
Hey Zoran,
(1) - Correct
(2) - Solicited means the data packet is being received by us as a response toa arequest we sent out.Example:
(3) - Insolicited means a data packet arrived at our PC that was not a response to a request sent by us.Example:
Hope this helps,
zorank
July 4, 2006, 10:08am
30
Okay, to play a devil’s lawyer (just for my own understanding):
A: some server (e.g. local) that sends message to me regulary informing me on updates
B: my computer
(1) A —SYN–> B (“hi there, I want to connect”)
At this stage packet (1) is unsolicitated, I did not ask for it. But, I accept it (e.g. having some network monitor rules that does this).
(2) B —SYN/ACK —> A (“okay, you’ve got my ear”)
(3) A—ACK—>B (“good let’s talk”)
now connection is established
(4) A—(data)–>B (“I have some updates for you, here they are”)
Okay, now at this stage, I haven’t really asked for (data) but it gets in. Is(4) solicitated or unsolicitated package?
Zoran
egemen
July 4, 2006, 12:35pm
31
For Blocking someone (even if I don’t get it, why you want shuch feature; unless the other party is a leecher), you should use:
Then move the rule up (over the default rule “Allow /IP Out/ Any/ Any”)
Hope it Helped
Direction field must be “IN” and SOURCE IP and REMOTE IP must be exchanged. Please have a look at the following message
https://forums.comodo.com/index.php/topic,193.msg1458.html#msg1458 to solve this problem.
Egemen
panic
July 4, 2006, 4:22pm
32
Okay, to play a devil’s lawyer (just for my own understanding):
A: some server (e.g. local) that sends message to me regulary informing me on updates
B: my computer
(1) A —SYN–> B (“hi there, I want to connect”)
At this stage packet (1) is unsolicitated, I did not ask for it. But, I accept it (e.g. having some network monitor rules that does this).
(2) B —SYN/ACK —> A (“okay, you’ve got my ear”)
(3) A—ACK—>B (“good let’s talk”)
now connection is established
(4) A—(data)–>B (“I have some updates for you, here they are”)
Okay, now at this stage, I haven’t really asked for (data) but it gets in. Is(4) solicitated or unsolicitated package?
Zoran
(4) is solicited because (2) said “OK, come on in”. That and the fact that you had an explicit rule that allowed the initial SYN in.
Ewen
A question, Egemen.
*. I use Putty to tunnel my way “in/out” the Net
…am I “special” case here, or do CPF Dev’s forgot about this type of connection?
egemen
July 5, 2006, 11:29am
34
A question, Egemen.
*. I use Putty to tunnel my way “in/out” the Net
…am I “special” case here, or do CPF Dev’s forgot about this type of connection?
If attackers’ IP addresses remain the same, i.e. if your proxy does not change the remote IP addresses no difference.
Ah, I see…
zorank
July 7, 2006, 3:47am
36
Hmmm… I see now. Happily jumping around filled with joy of life and a little extra understanding.
Many thanks!!!
Zoran
panic
July 7, 2006, 5:42am
37
LOL. Doesn’t take much to float your boat, Zoran.
