Blocked Zones blocking unspecified & apparently unrelated site [M276]

The bug/issue

  1. What you did: Added FW Application Rule for all executables. Block Outgoing IP, Source Address Any, Destination Address vkontakte.ru, IP Any
  2. What actually happened or you actually saw: Lost connections to some sites other than vkontakte.ru
  3. What you expected to happen or see: I expected it to block ONLY vkontakte.ru
  4. How you tried to fix it & what happened:
  5. If its an application compatibility problem have you tried the application fixes here?:
  6. Details & exact version of any application (except CIS) involved with download link:
  7. Whether you can make the problem happen again, and if so exact steps to make it happen: Yes, the problem can be repeated.
  • Create FW Rule. Block&log Outgoing IP, Source ANY, Destination vkontakte.ru, IP Any.
  • Open any browser and try to go to https://forum.comodo.com
  • As a result: connection refused and a record in the FW Log
  8. Any other information (eg your guess regarding the cause, with reasons): This behaviour dates from the 3.x version of the Firewall. When we enter a “hostname”, the actual rule in the registry becomes a rule with the IPs discovered at rule-creation time.
    vkontakte.ru has several IPs:
    87.240.188.251
    87.240.188.252
    87.240.188.253
    87.240.188.254
    93.186.224.240
    93.186.224.241
    93.186.224.242
    93.186.224.243
    87.240.188.249
    87.240.188.250

The “lowest” IP becomes AddrStart (REG_SZ) in the rule in the registry (87.240.188.249).
The “highest” IP becomes AddrEnd (REG_SZ) in the rule in the registry (93.186.224.243).

So we will block ANY IP from 87.240.188.249 to 93.186.224.243.
forum.comodo.com has IP 91.199.212.149, so it will also be blocked, no matter that it has no relation to vkontakte.ru.


Files appended. (Please zip unless screenshots).

  1. Screenshots illustrating the bug:
  2. Screenshots of related CIS event logs and the Defense+ Active Processes List:
  3. A CIS config report or file.
  4. Crash or freeze dump file:

Your set-up

  1. CIS version, AV database version & configuration used: CIS version 3.0.x-5.3.181415.1237, Any configuration
  2. a) Have you updated (without uninstall) from CIS 3 or 4: No
    b) if so, have you tried a clean reinstall (without losing settings - if not please do)?:
  3. a) Have you imported a config from a previous version of CIS: No
    b) if so, have U tried a standard config (without losing settings - if not please do)?:
  4. Have you made any other major changes to the default config? (eg ticked ‘block all unknown requests’, other egs here.):
  5. Defense+, Sandbox, Firewall & AV security levels: D+=Any , Sandbox=Any , Firewall =Any, except Disabled , AV = Any
  6. OS version, service pack, number of bits, UAC setting, & account type:
    Seen on:
  • Windows 7, with and w/o SP1, x32 & x64, UAC enabled, Administrator
  • Windows Prof, SP2 and SP3, x32 & x64, Administrator
  7. Other security and utility software installed: No
  8. Virtual machine used (Please do NOT use Virtual box): No

Thank you for your bug report in the required format.

Moved to verified.

Thank you

Dennis

I understand that the current behaviour is “by design”, because it has been present since the 3.0.x version of Comodo Firewall.

Anyway, will there be any comments from developers?
This “bug” is very “not nice”, because it does not matter which hostname exactly we are trying to block. The only condition is more than one record in “nslookup”.

I just want more “bi-directional” feedback :wink:

Thank you.

A. THE BUG/ISSUE (Varies from issue to issue)
- Summary - Give a clear summary in the topic subject, NOT here.
Creating a Blocked Zone for a specific domain name inadvertently causes an apparently unrelated domain to be blocked.

  • Can U reproduce the problem & if so how reliably?:
    Reproducible always.

  • If U can, exact steps to reproduce. If not, exactly what U did & what happened:

  1. Open Blocked Zones
  2. Create a new Blocked Address
  3. Choose Host name
  4. Enter hardmob.com.br
  5. Save and check the website is blocked using any browser
  6. In the same browser try to open globo.com
  7. globo.com is also blocked even though it has a completely different IP address
  • If not obvious, what U expected to happen:
    It would appear hardmob.com.br uses Cloudflare for obfuscation and attack blocking, and it’s the Cloudflare addresses that are being blocked by CIS - this can be seen in the registry:

HKEY_LOCAL_MACHINE\SYSTEM\Software\COMODO\Firewall Pro\Configurations\2\Firewall\Blocked Addresses\0\Address\IPV4

141.101.113.96
190.93.242.96

globo.com is - 186.192.90.5

It’s possible cloudflare is interfering somehow, although I don’t know why. Blocking cloudflare in blocked zones has no effect on globo neither did blocking another site - wikileaks - that also uses cloudflare. I also tried the blocking in Outpost firewall and it worked correctly.

  • If a software compatibility problem have U tried the conflict FAQ?:
    N/A

  • Any software except CIS/OS involved? If so - name, & exact version:
    N/A

  • Any other information, eg your guess at the cause, how U tried to fix it etc:
    See - Can someone explain why I can’t block this properly? (bug confirmed!) for more detail.

  • Always attach - Diagnostics file, Watch Activity process list, (dump if freeze/crash). If complex - CIS logs & config, screenshots, video, zipped program (not m’ware)

I’m using version 5.10 without CCE/Killswitch so nothing to attach. I did try version 6 in a VMWare 9.1 VM and the result was the same. These reports are really irrelevant to this issue

B. YOUR SETUP (Likely the same for each issue, so you can copy forward)
- Exact CIS version & configuration:
CIS 5 or 6 any recent build Configuration is unimportant, use any.

  • Modules enabled & level. D+/HIPS, Autosandbox/BBlocker, Firewall, & AV:
    N/A

  • Have U made any other changes to the default config? (egs here.):
    N/A

  • Have U updated (without uninstall) from a CIS 5?:
    No

  • if so, have U tried a clean reinstall - if not please do?:
N/A

- Have U imported a config from a previous version of CIS:
No

  • if so, have U tried a standard config - if not please do:
N/A

- OS version, SP, 32/64 bit, UAC setting, account type, V.Machine used:
N/A

  • Other security/s’box software a) currently installed b) installed since OS: a= b=

None

Edit: Even more bizarre: having a blocked zone for hardmob.com.br causes Windows Update to fail; actually, it causes connections to Akamai to fail, which is what Windows Update is using.

With the blocked zone:

C:\Windows\system32>ping www.microsoft.com

Pinging lb1.www.ms.akadns.net [65.55.57.27] with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 65.55.57.27:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Removing the zone allows the ping and Windows Update to proceed.

Edit 2:

With the hardmob.com.br blocked zone present:

hardmob.com.br - IP Addresses at Cloudflare: (Blocked)
141.101.113.96
141.101.123.96
190.93.240.96
190.93.241.96
190.93.242.96

nsaneforums.com - IP Addresses at Cloudflare: (Blocked)
141.101.116.192
141.101.117.192

Wikileaks.org - IP addresses at Cloudflare: (Not Blocked)
141.101.112.19
141.101.113.19
141.101.123.19
190.93.240.19
190.93.241.19

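The range collapse that both reports above describe (vkontakte.ru in the first, hardmob.com.br and its Cloudflare addresses in the second) can be modelled offline. The following Python is an added example written for this thread, not code from Comodo or from either reporter. The `RESOLVED` table is a constructed resolver snapshot built only from the addresses quoted in the posts (no live DNS lookup), and the function names are the example's own. It compares the form the reports say CIS stores in the registry (AddrStart = lowest resolved address, AddrEnd = highest) with the exact per-address form a practitioner expects, and lists the collateral destinations the range form catches.

```python
"""Model of a host-name firewall rule collapsing into an address range.

Added example for this thread; not code from Comodo or from the reporters.
The resolver table is constructed from the addresses quoted in the posts
(no live DNS lookup is performed).
"""
import ipaddress

# Constructed resolver snapshot: host name -> addresses quoted in the thread.
RESOLVED = {
    "vkontakte.ru": [
        "87.240.188.251", "87.240.188.252", "87.240.188.253", "87.240.188.254",
        "93.186.224.240", "93.186.224.241", "93.186.224.242", "93.186.224.243",
        "87.240.188.249", "87.240.188.250",
    ],
    "hardmob.com.br": [
        "141.101.113.96", "141.101.123.96", "190.93.240.96",
        "190.93.241.96", "190.93.242.96",
    ],
}


def _addrs(host):
    """Resolved addresses of HOST from the constructed snapshot, as IPv4Address."""
    return [ipaddress.IPv4Address(a) for a in RESOLVED[host]]


def range_rule(host):
    """The rule as the reports say CIS stores it: one AddrStart..AddrEnd span.

    AddrStart is the numerically lowest resolved address, AddrEnd the highest,
    so every address that sorts between them is matched, related or not.
    """
    addrs = sorted(_addrs(host))
    return addrs[0], addrs[-1]


def exact_rule(host):
    """The rule a practitioner expects: the exact set of resolved addresses."""
    return frozenset(_addrs(host))


def blocked_by_range(host, dst):
    """True if DST falls inside the collapsed AddrStart..AddrEnd span for HOST."""
    start, end = range_rule(host)
    return start <= ipaddress.IPv4Address(dst) <= end


def blocked_by_exact(host, dst):
    """True only if DST is one of the addresses HOST actually resolved to."""
    return ipaddress.IPv4Address(dst) in exact_rule(host)


def range_size(host):
    """Number of addresses the collapsed span covers."""
    start, end = range_rule(host)
    return int(end) - int(start) + 1


def collateral(host, candidates):
    """Destinations the range rule blocks although they never resolved from HOST."""
    return [d for d in candidates
            if blocked_by_range(host, d) and not blocked_by_exact(host, d)]


if __name__ == "__main__":
    # Destinations named in the thread; none of them belongs to the blocked host.
    probes = {
        "vkontakte.ru": ["91.199.212.149"],                      # forum.comodo.com
        "hardmob.com.br": ["186.192.90.5", "141.101.116.192",    # globo.com, nsaneforums.com
                           "65.55.57.27", "141.101.112.19"],     # Akamai, wikileaks.org
    }
    for host, dsts in probes.items():
        start, end = range_rule(host)
        print(f"{host}: AddrStart={start} AddrEnd={end} ({range_size(host):,} addresses)")
        print("  collateral:", collateral(host, dsts))
```

For the first report the model reproduces the complaint exactly: 91.199.212.149 (forum.comodo.com) sorts between 87.240.188.249 and 93.186.224.243, so a span of roughly 97 million addresses blocks it, while the exact-set rule does not. For the second report it accounts for globo.com (186.192.90.5) and nsaneforums.com (141.101.116.192), both of which sit between 141.101.113.96 and 190.93.242.96. Two observations in that report are not explained by the min/max model alone: the Akamai address 65.55.57.27 lies below the span, and 141.101.123.19 (one of the wikileaks.org addresses) lies inside it although the reporter found the site reachable; a browser picking one of the other wikileaks.org addresses, which all sort below 141.101.113.96, would account for the latter. A rule compiled per address, the way iptables expands a host name into one rule per resolved address when the rule is inserted, avoids the collateral blocking; both forms are still a snapshot of DNS taken at rule-creation time, which is the separate limitation the moderator raises later in the thread.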

PM to discuss report etc sent.

Thank you very much for your report in standard format, with all information supplied. The care you have taken is much appreciated by Comodo, and will increase the likelihood that this bug can be fixed.

Developers may or may not communicate with you in the forum or by PM/IM, depending on time availability and need. Because you have supplied complete information they may be able to replicate and fix the bug without doing so.

Many thanks again

Mouse

Can you please check and see if this is fixed with the newest version? Please let us know whether it is fixed or you are still experiencing the problem.

Thank you.

PM sent.

Can you please check and see if this is fixed with the newest version (6.2.282872.2847)? Please let us know whether it is fixed or you are still experiencing the problem.

Thank you.

PM sent.

Can you please check and see if this is fixed with the newest version (6.3.294583.2937)? Please let us know whether it is fixed or you are still experiencing the problem.

Thank you.

PM sent.

A. THE BUG/ISSUE (Varies from issue to issue)
- Summary - Give a clear summary in the topic subject, NOT here.

  • Can U reproduce the problem & if so how reliably?:
    Every time.
  • If U can, exact steps to reproduce. If not, exactly what U did & what happened:
    a: Create the first network firewall record by IP address (webmoney IP).
    b: Create the second by domain name (webmoney).
    c: Create firewall rules to allow “webmoney” and to allow “webmoney IP”.
    d: Open Firefox and use the firewall rule for webmoney. Then go to the site “webmoney.ru” and the site “rambler.ru”, and see that rambler.ru does not work, but webmoney does.
    e: Then open Firefox and use the firewall rule for “webmoney”. You will find that both rambler.ru and webmoney.ru work.
    f: The IP addresses in the hosts do not intersect with the domains, thus there is a bug in CIS, as it should work both times.
  • If not obvious, what U expected to happen:
    The firewall should be able to correctly resolve the DNS to the correct IP address.
  • If a software compatibility problem have U tried the conflict FAQ?:
    NA
  • Any software except CIS/OS involved? If so - name, & exact version:
    NA
  • Any other information, eg your guess at the cause, how U tried to fix it etc:
    A related bug report can be found here:
    https://forums.comodo.com/format-verified-issue-reports-cis/blocked-zones-doesnt-work-normally-with-a-certain-host-name-t86614.0.html;msg621656#msg621656

B. YOUR SETUP (Likely the same for each issue, so you can copy forward)
- Exact CIS version & configuration:
CIS 6.3.302093.2976

  • Modules enabled & level. D+/HIPS, Autosandbox/BBlocker, Firewall, & AV:
    AV - scanning on access, Sandbox - disabled, HIPS - safe mode, firewall - user rules mode
  • Have U made any other changes to the default config? (egs here.):
    Yes. The configuration is attached.
  • Have U updated (without uninstall) from a CIS 5?:
    No
    • if so, have U tried a clean reinstall - if not please do?:
    NA
  - Have U imported a config from a previous version of CIS:
    no
    • if so, have U tried a standard config - if not please do:
    impossible
  - OS version, SP, 32/64 bit, UAC setting, account type, V.Machine used:
    “Windows 7 Максимальная” (Windows 7 Ultimate) 64 bit, no SP, UAC 3/4, admin, no Virtual Machine
  • Other security/s’box software a) currently installed b) installed since OS: a=no b=windows 7 firewall (disabled)


Actually, it seems that this is more a limitation of CIS than a bug.

One issue is that blocking one domain by host name may block many other web sites. Also, it seems that when using blocking by host name the firewall will resolve the matching IP address only at the beginning of the Windows session. When the IP address changes during the Windows session blocking will of course fail. Also, blocking by IP address can be an arduous task, finding them all for big sites like those from Google, Microsoft Updates etc. Also, I will be fair and let you know that this information did not come from me, but from EricJH. My personal understanding of how the firewall works is limited.

Thus, in general it is recommended that CIS not be used for this sort of purpose. For that reason I will move this to the HELP section of the forum. Perhaps someone will have advice for how to get CIS working for your specific purposes.

Thank you.

Hello

This is a bug.
The IP addresses do not intersect. Rules by DNS name actually contain IP addresses.

A correctly working firewall cannot have these rules unlock each other. I see similar behaviour on other sites in CIS 5.12;
it’s not a coincidence.

And similar rules in Linux iptables work correctly, although the restrictions there are similar.

Okay, I will move this back and process it further. However, please note for future reference that you should just copy and paste the code. Then put your responses after the colons, so it looks like what is now in the first post. Also, please answer anywhere where I have put question marks.

In addition, please attach a list of the processes running on your computer. This will help the devs to diagnose the issue if it turns out to be dependent on something particular on your system.

Let me know if you have any questions.

Thank you.

Process list in screenshot


Thank you very much for your report in standard format, with all information supplied. The care you have taken is much appreciated by Comodo, and will increase the likelihood that this bug can be fixed.

Developers may or may not communicate with you in the forum or by PM/IM, depending on time availability and need. Because you have supplied complete information they may be able to replicate and fix the bug without doing so.

Many thanks again.

Two small comments:

  1. In the firewall window for Firefox going to “rambler.ru” or many other “*.ru” sites, the rule “Firefox webmoney ip” is not shown, but the rule “Firefox webmoney” is shown (a well-behaving firewall would show neither). In the “webmoney.ru” firewall window both rules are shown (fine).

  2. Uninstalling CIS 6 and reinstalling does not change the firewall behaviour.

I’m afraid I don’t quite understand what you mean by this. Can you please explain in greater detail?

Thank you. I have now updated this in your post.

For 1: an additional comment relating to the GUI behaviour. Not significant.

The concept of the rules is to allow requests to the site “webmoney.ru”, and to ask for requests to other sites.
When the Firefox browser starts, the rules allow some sites. Not “webmoney.ru”, not “rambler.ru” and others.
On access to all sites the firewall asks the user.

In the firewall prompt for a request to “rambler.ru” (and many others) the “FireFox webmoney” rule is shown (see ramblerRuScreem.gif), which allows “www.webmoney.ru” and related sites by DNS (see the network zone in webmoneyNetworkScreenRule.gif). The “FireFox webmoney ip” rule with the manual IPs from DNS for “www.webmoney.ru” is not shown.
In the prompt for “www.webmoney.ru” both the “FireFox webmoney” rule and “FireFox webmoney ip” are shown, allowing “www.webmoney.ru” and related sites by DNS and by the manual IPs from DNS (see webmoneyRuScreen.gif).

I.e. the rule filter in the prompt box at this stage reflects how the firewall works with these rules.


Okay, for now though I believe this report concentrates on the main issue. This will make it easier for the developers to address it. Thus, do you see anything wrong with this particular bug report?

If you see any additional bugs, please create a new topic for them. Only one bug can be processed per topic.

Thanks.