Can I Figure Out Why A Firewall Rule Isn't Working?

I’ve been trying to add profiles for all of the games I play. Now Magic DOTP is a series with unique releases in 2010 and one per year between 2012-2015. All but 2015 work with the same Firewall application settings. But DOTP 2015 does not. I’ve been messing around with it and I just cannot get it to see the other PC on my LAN (also running the game). If I disable the Firewall or these application-specific rules, my local PCs can play together with no problems.

I’ve tried messing around with all sorts of rule configurations, but I just can’t figure out why this game is different from its predecessors. My understanding of Firewalls is very basic. Otherwise, I am very PC literate and generally tech savvy. So I’m curious, is there any way I can figure out why this game won’t connect?

----------------------------------

Desired Firewall Activity: Allow LAN Access & Block Internet Access

Application Rule #1
Description: Allow LAN Access
Action: Allow
Protocol: IP
Direction: In or Out
Source Address [Tab]
  • Type: Network Zones
  • Zone: Home Networks
Destination Address [Tab]
  • Type: Network Zones
  • Zone: Home Networks
IP Details [Tab]
  • IP Protocol: Any

Application Rule #2
Description: Block Internet Access
Action: Block
Protocol: IP
Direction: Out
Source Address [Tab]
  • Type: Any Address
Destination Address [Tab]
  • Type: Any Address
IP Details [Tab]
  • IP Protocol: Any

Network Zone [Defined As]
Description: Home Network
Type: IPv4 Address Range
Start IP: 192.168.000.000
End IP: 192.168.255.255

G’day,

To achieve the desired result (Allow LAN access but exclude internet access for a particular app), you need to have two rules for that application (1 for LAN access and 1 for internet blocking), but the order they appear in the rules list is critical as CIS reads the rules from the top down. If your Rule #2 is above your Rule #1, then it will be blocking ALL traffic (LAN or net) as you have specified “Any” for the source and destination addresses, and this also includes the internal IP address of your router.

Try the following (the significant changes I’ve made are in RED and BOLD);

Application Rule #1
Description: Block Internet Access
Action: Block
Protocol: IP
Direction: Out
Source Address [Tab]
  • Type: Any Address
Destination Address [Tab]
  • Type: YOUR ROUTER’S INTERNAL IP ADDRESS (Probably something like 192.168.0.1)
IP Details [Tab]
  • IP Protocol: Any

Application Rule #2
Description: Allow LAN Access
Action: Allow
Protocol: IP
Direction: In or Out
Source Address [Tab]
  • Type: ANY
Destination Address [Tab]
  • Type: Network Zones
  • Zone: Home Networks
IP Details [Tab]
  • IP Protocol: Any

Network Zone [Defined As]
Description: Home Network
Type: IPv4 Address Range
Start IP: 192.168.000.000
End IP: 192.168.000.255

Enter the two rules shown above IN THE ORDER THEY ARE SHOWN HERE.

The logic behind these two rules is as follows;

  1. Application sends out a packet
  2. CIS checks the destination address to see if it matches your router’s internal IP address
    3a. If it matches, CIS drops the packet, thereby blocking internet access
    3b. If it does not match your router’s internal IP address, it ignores rule #1 and then retests against rule #2
    3c. If the destination address is within the defined zone, the packet is passed out to your internal network
    3d. If the destination address is not within the defined zone, it is blocked by default

Again, the order the rules display in the rules list is critical. If they end up out of order, you can use the “Move Up” and “Move Down” buttons to adjust them accordingly.

Hope this helps,
Ewen :slight_smile:

P.S. Note the small change to your Network Zone definition - 192.168.255.000 changed to 192.168.0.255.

First of all (beyond what panic mentioned) I’d say check the logs (if logging isn’t enabled for Rule #2 then enable it) and see if anything stands out as being relevant to local multiplayer e.g. outgoing multicast packets etc.

Blocking outgoing to the router doesn’t block internet access, because outgoing internet packets going to e.g. google don’t have the destination IP of the router; if they did, that’d mean the packets had the end destination of the router and would never get to google. So if rule #1 matched, it’d drop packets with the end destination of the router but not packets with the end destination beyond that (internet packets).

Holy cow this worked!! I have been working on this for the last four days with absolutely no progress. You have lifted a great weight off of my shoulders. Thank you so much for helping me solve the issue and even more so for explaining to me how the process worked. You are awesome Ewen. Thank You!!! ;D

I have enabled this rule now but cannot find the log. Is this something I would find in the program interface or in an actual log file on my hard drive?

I am using a Steam Emulator to play this particular game, so the normal in-game features like leaderboards and multiplayer with other Steam players don’t work. So when an in-game feature throws out an error, I am not sure if it is because the internet has been successfully blocked or because, as I am using an emulator, these features do not work like normal. I’m trying to follow what you said and it sounds like you’re saying that the configuration Panic provided will not stop internet access by the program? I admit, I am having trouble following your explanation due to a lack of understanding of the subject matter :embarassed:.

What I understood you to be saying is this:

  1. Block Internet Access rule doesn’t work because packets being sent to the destination of 216.58.218.142 (Google.com) would not be stopped by this rule, which only stops packets being sent to the destination of 192.168.0.1 (router’s internal IP address).
  2. If packets are destined for 192.168.0.1 the rule activates and stops them. Then those packets are checked against the Allow LAN Access rule and allowed to access the LAN address they are destined for (192.168.0.2).

Do I understand this correctly? If so, how would you recommend addressing this situation to successfully block internet access?

View CIS Logs, Firewall Software, Log Monitor, Defense+ Filter|Internet Security (btw I also meant the rule from your previous rules, the block all rule)

After looking at the rules Panic gave I now understand them a bit differently. Rule #1 should still not block Internet access; I don’t understand the point of the rule to be honest. Rule #2 should allow Outgoing LAN access (and incoming LAN AND Internet packets as a side effect of changing Source to Any), but it doesn’t allow outgoing Internet packets, and there is no third rule to allow outgoing Internet packets, so those should either be blocked/allowed/alerted for, but it depends on your other settings. I tried those rules for another application on my own system and the result was that it wasn’t allowed to connect to the router directly, but it was allowed LAN access and alerted for Internet access… But if it works for you then we should perhaps just leave it be; besides, why do you want to disable Internet access for it anyway?

Edit: Personally I would revert back to your old rules, enable logging for the second rule (block rule), check the logs and try to see if any kind of multicast address or similar is being blocked.

:o That is the primary point of doing this, so I will stop using it.

I don’t want to allow incoming internet packets either. I’m trying to achieve 100% LAN only traffic being allowed. By alerted do you mean logged?

Even if it works as it is, I’m trying to learn how to do it correctly. Granting LAN only access to an application seems like a useful thing to know. Something I’d like to know when the situation arises in the future. Plus what works for a single application would work as a Global Rule as well :-TU. I’m using Magic DOTP and some of my other games as my testing ground because they are LAN friendly applications I have setup and ready to go that I can test my firewall stuff out with. The real world gain isn’t immediately useful but the underlying knowledge is :azn:.

Concerning why I am doing this currently, I will soon be setting up a multi-computer network in my home. I want the computers to be able to communicate with each other for file sharing and using specific LAN-friendly programs, but I want the ability to block internet traffic when I want to. I have five kids and I’d like to control their access on a PC-by-PC basis for parenting purposes ;D. More generally, I find this interesting and would like to learn more.

Sounds good to me. I went ahead and reverted to my old settings and have used logging to try and identify what is going on. I looked up multicast addresses and read that the full range of multicast addresses is from 224.0.0.0 to 239.255.255.255. None of the IPs showing up blocked fall within that range. From what I can tell, it seems to be blocking anything bound for an internet IP 100% successfully.

There is only one occurrence which stands out. The SmartSteamEmu that I use to play over LAN broadcasts on 255.255.255.255:31313. That is being blocked. From my understanding 255.255.255.255 is a special address which in Internet Protocol standards stands for this network (i.e. the local network). So why is it being blocked? I tried going in and editing “Home Network” in Network Zones to add the single IPv4 Address of 255.255.255.255, but it is still being blocked according to the logs. Any idea how I would allow this address? Perhaps, since it is special it needs to be handled in a special way?

(:CLP) Thank you so very much for your help (:AGL).

UPDATE
I figured out the Alerts thing. I set the rule to Ask instead of Block. When it asked me about connecting to any Internet IPs I said block. When it asked about anything within the network, I said allow. This created two new rules that are not IP specific.

  1. Allow IP In From MAC Any To MAC Any Where Protocol Is Any
  2. Block And Log IP Out From MAC Any To MAC Any Where Protocol Is Any

I’ve set the rule back to Block as the result of that method seemed counterproductive. Let me know if you feel different.

G’day again.

There are several ways to control kids’ internet access (the most effective of which is to duct tape them to a chair and feed them vitamin supplements - only kidding), but in a multi-device network, it does become more difficult the more endpoints there are, the greater variety of OSes there are, and on and on.

The areas you need to examine are;

  1. Do they all connect via the one internet connection (i.e. your router)?
  2. If they are on a Windows device, are they logging on as an administrator or a standard user?
  3. Do their devices have a static IP address or a DHCP assigned one?

If the answer to 1) is “Yes”, then your focus should primarily shift to your router (unless you really want to spend the rest of your days updating 5 devices). Most routers have the ability to display currently connected devices and to block or allow access based on IP address or MAC address.

If the answer to 2) is “Administrator”, you may want to think about making their logins a Standard User. This will prevent them making changes to the device’s configuration.

If the answer to 3) is DHCP, you may want to think about changing it to a static IP. This makes it simpler to track who is or is not connected to your router. It also makes it easier to set up Block/Allow rules in your router. If your router supports it, also look into setting up the Block/Allow entries based on the device’s MAC address, rather than the IP address. If your router does support Allow/Block by MAC, then you don’t really need to change the IP address type from DHCP to static.

If it were me, I would;

  1. Record the MAC addresses of the kids’ devices
  2. Setup a static IP address on each connecting device
  3. Change the user type to Standard rather than Administrator
  4. Setup access tables in the router based on the MAC address

Hope this helps,
Ewen :slight_smile:

I just switched over to FIOS so I have a new router in there. The last one I had was awful concerning options. Maybe I’ll luck out with this one. Thank you very much for all of the feedback ;D. I figured I’d have to go software to control each individual device. Using the MAC address hadn’t occurred to me yet. I need more sleep! Feel like my memory is getting away from me :embarassed:.

I’d say remove it from your “Home Network” network zone and instead create a specific rule for it.

Application Rule #2 (bump the block rule down to #3)
Description: Allow LAN Access
Action: Allow
Protocol: IP
Direction: Out
Source Address
  • Type: Any Address
Destination Address
  • Type: Single IPv4 Address
  • IP: 255.255.255.255
IP Details
  • IP Protocol: Any

Save, restart the game and retry; if it doesn’t work, check the logs again (make sure to sort and check the date and time so you don’t mistake previous blocks for current blocks).

The detail of the rules created from answering alerts are decided by the “Alert Frequency” Firewall Settings, PC Firewall, Firewall Protection | Internet Security (scroll down to Alert Frequency)

(I’ll be gone during the weekend so I’ll reply again on Monday if there are any further questions)
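To make the top-down, first-match evaluation Ewen describes concrete, and to show why the original rule pair blocked the 255.255.255.255 broadcast in the logs while the rule just above lets it through, here is a small simulator. It is an added example, not code from this thread or from Comodo, and it only models the direction and address matching discussed here. The zone (192.168.0.0/24), the local PC address 192.168.0.5 and the rule names are my constructed stand-ins; the router address 192.168.0.1, the peer 192.168.0.2 and the Google address 216.58.218.142 are the values quoted in the thread. The `Rule` class and the `evaluate`/`outbound` functions are assumptions of the example, not CIS internals.

```python
"""First-match simulator for the CIS-style application rules in this thread.

Added example (not from the thread or from Comodo). Each rule is an ordered
entry read top-down, as the thread describes; the simulator reports which
rule a packet hits first. Addresses are constructed stand-ins.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple, Union

IPv4 = ipaddress.IPv4Address
# A selector is "Any Address" (None), a zone (a network) or a single address.
Selector = Optional[Union[ipaddress.IPv4Network, IPv4]]

# Constructed values standing in for the thread's zone and hosts (assumptions).
HOME_ZONE = ipaddress.ip_network("192.168.0.0/24")       # Ewen's corrected zone
ROUTER_IP = ipaddress.ip_address("192.168.0.1")          # "probably something like 192.168.0.1"
BROADCAST = ipaddress.ip_address("255.255.255.255")      # SmartSteamEmu discovery target
LOCAL_PC = ipaddress.ip_address("192.168.0.5")           # this machine (constructed)
LAN_PEER = ipaddress.ip_address("192.168.0.2")           # the other PC in the thread
INTERNET_HOST = ipaddress.ip_address("216.58.218.142")   # Google address quoted in the thread


@dataclass(frozen=True)
class Rule:
    description: str
    action: str      # "Allow" or "Block"
    direction: str   # "In", "Out" or "In or Out"
    src: Selector    # None means "Any Address"
    dst: Selector


def addr_matches(selector: Selector, ip: IPv4) -> bool:
    """None matches anything; a network matches its members; an address matches itself."""
    if selector is None:
        return True
    if isinstance(selector, ipaddress.IPv4Network):
        return ip in selector
    return ip == selector


def evaluate(rules: Sequence[Rule], direction: str, src: IPv4, dst: IPv4) -> Tuple[str, Optional[str]]:
    """Return (action, rule description) of the first rule that matches, top-down.

    ("NoMatch", None) means no application rule matched. What CIS does then
    (block, allow or alert) depends on global rules and alert settings, which is
    the "depends on your other settings" caveat raised in the thread.
    """
    for rule in rules:
        direction_ok = rule.direction == "In or Out" or rule.direction == direction
        if direction_ok and addr_matches(rule.src, src) and addr_matches(rule.dst, dst):
            return rule.action, rule.description
    return "NoMatch", None


def outbound(rules: Sequence[Rule], dst: IPv4) -> Tuple[str, Optional[str]]:
    """A packet this PC sends to dst."""
    return evaluate(rules, "Out", LOCAL_PC, dst)


# The original poster's pair: allow zone-to-zone, then block everything outgoing.
ORIGINAL_RULES = [
    Rule("Allow LAN Access", "Allow", "In or Out", HOME_ZONE, HOME_ZONE),
    Rule("Block Internet Access", "Block", "Out", None, None),
]

# Ewen's suggestion: block traffic to the router first, then allow the zone from Any.
EWEN_RULES = [
    Rule("Block Internet Access", "Block", "Out", None, ROUTER_IP),
    Rule("Allow LAN Access", "Allow", "In or Out", None, HOME_ZONE),
]

# Sanya's final set: a broadcast allow inserted as #2, the block rule bumped to #3.
FINAL_RULES = [
    ORIGINAL_RULES[0],
    Rule("Allow LAN Broadcast", "Allow", "Out", None, BROADCAST),
    ORIGINAL_RULES[1],
]


if __name__ == "__main__":
    cases = [
        ("original, broadcast", ORIGINAL_RULES, BROADCAST),
        ("original reversed, LAN peer", list(reversed(ORIGINAL_RULES)), LAN_PEER),
        ("Ewen, Internet host", EWEN_RULES, INTERNET_HOST),
        ("Ewen, router", EWEN_RULES, ROUTER_IP),
        ("final, broadcast", FINAL_RULES, BROADCAST),
        ("final, Internet host", FINAL_RULES, INTERNET_HOST),
        ("final, LAN peer", FINAL_RULES, LAN_PEER),
    ]
    for label, rules, dst in cases:
        action, hit = outbound(rules, dst)
        print(f"{label:30} -> {action} ({hit or 'no application rule matched'})")
```

Three things fall out of running it: the broadcast to 255.255.255.255 is outside any 192.168.x.x zone, so under the original pair it falls through to the block-all rule (which is exactly the log entry reported above); with the original pair reversed, even a LAN peer is blocked, which is Ewen's ordering point; and under Ewen's set a packet to an Internet host matches neither rule, which is Sanya's point that a block-to-router rule does not by itself block Internet access.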

This rule was the final piece of the puzzle. It works flawlessly! I also appreciate the link teaching me how to gain better control of the rules created by alerts. Thank you so much for your continued support and help Sanya IV Litvyak. You are awesome and have furthered my ability to work with Comodo. Thank You ;D
