CFP and SSH without popups?

Hi,
I’ve been using Comodo Firewall Pro since Sygate went out of commission. I generally find that Comodo works well but in this case, it is working too well (as far as restricting traffic is concerned).

I have Cygwin installed on a desktop computer (OS is Win XP Home) and it’s running SSH. I have a dynamic DNS service as well so that I have a static address to access the desktop. I’m using PuTTY from a laptop to try to access the desktop. SSH is running on port 22.

I thought I had established a rule to allow traffic from the dynamic DNS service through (i.e., without a popup warning). However, when I try to log in, the desktop pops up and asks if I want to allow this traffic. For this to work as I intended, I will not be at the desktop or even in the vicinity of the desktop and therefore not available to tell CFP to allow this traffic.

I was able to get this working in the Defense+ Settings by lowering the General Settings to “Training Mode.” The problem there is that this allows ALL SSH traffic in, and I receive regular requests for SSH access from points unknown. I only want to allow access through my dynamic DNS service and without a popup. I know this might not be an issue since you would need a login and password to get into the computer, but I would prefer to just allow my own traffic.

Looking at the CFP interface, I first went to Firewall>My Network Zones and created a Network Zone using the host name I created from the dynamic DNS service.

Next, I went to Firewall>Advanced>Network Security Policy and created an Application Rule. The box is labeled “Network Control Rule” and is set up to Allow TCP/IP traffic In/Out in the zone that I created. I moved this rule to the top of the rules in case there is some hierarchy that these rules follow.

I have been going around and around with this for a while. I even contemplated learning how to use the TCP Wrappers in Cygwin. The prospect of figuring out how to set up this firewall was starting to seem as difficult as learning about TCP Wrappers. I decided to try this forum. I was not able to find anything related to this problem, and I did read the fine manual (but obviously not well enough, since I am here). I’m willing to read more if I’ve overlooked something. Otherwise, any suggestions are greatly appreciated. Thanks!

Mark

Your issue is a misunderstanding of what is going on with Dynamic DNS. DDNS just provides you with an IP mapping service - that is, it turns foo.ddns.com into 10.1.1.1, for example.

SSH, or any service connections you make, will NOT come from the DDNS IP address - it’s not a proxy. They will come from the IP address you are connecting from. Therefore, you either have to allow all SSH connections if you’re going to be connecting from several different PCs where you don’t know the IP address beforehand (and make sure the SSH server is up to date on patches and you use a STRONG password), or you need to input the IPs of the systems you will be connecting from in Comodo beforehand.
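
An added example to make the point above concrete (this is not code from the thread, Comodo or Cygwin): a small allow-list checker that decides whether an inbound SSH peer address should be accepted. Entries may be literal IPs, CIDR ranges or hostnames; a hostname is resolved at check time, which is what you would need if the *client* laptop had its own DDNS name. The hostnames, addresses and the stub resolver below are all constructed for the demonstration. Note what happens when the only entry is the server's own DDNS name (`desktop.ddns.example`): it resolves to the server's address, so it never matches the laptop's source address and the connection is refused, exactly the behaviour described in the reply.

```python
"""Allow-list check for an inbound peer: literal IPs, CIDRs, or hostnames.

Added illustration, not part of the original thread. All names and
addresses here are constructed (documentation ranges, RFC 5737).
"""
import ipaddress
import socket
from typing import Callable, Iterable, Optional

Resolver = Callable[[str], str]

# Constructed DNS table standing in for the real resolver so the example
# runs offline. "desktop" is the SSH server's own DDNS name; "laptop" is a
# hypothetical DDNS name the client machine updates.
_CONSTRUCTED_DNS = {
    "desktop.ddns.example": "203.0.113.10",   # the server itself
    "laptop.ddns.example": "198.51.100.42",   # the client's current address
}


def constructed_resolver(name: str) -> str:
    """Stub for socket.gethostbyname using the constructed table above."""
    try:
        return _CONSTRUCTED_DNS[name]
    except KeyError:
        raise socket.gaierror(f"constructed resolver: no such host {name!r}")


def resolve_entry(entry: str, resolve: Resolver = socket.gethostbyname) -> Optional[ipaddress._BaseNetwork]:
    """Turn one allow-list entry into a network object.

    "203.0.113.7"         -> 203.0.113.7/32
    "203.0.113.0/24"      -> that network
    "laptop.ddns.example" -> resolved now (DDNS records change, so never cache)
    Returns None when a name cannot be resolved, so that entry fails closed.
    """
    try:
        return ipaddress.ip_network(entry, strict=False)
    except ValueError:
        pass  # not a literal address or CIDR, try it as a hostname
    try:
        return ipaddress.ip_network(resolve(entry), strict=False)
    except (socket.gaierror, ValueError, OSError):
        return None


def is_allowed(peer_ip: str, allow_list: Iterable[str],
               resolve: Resolver = socket.gethostbyname) -> bool:
    """True if the connecting peer's source address matches any entry."""
    peer = ipaddress.ip_address(peer_ip)
    for entry in allow_list:
        net = resolve_entry(entry, resolve)
        if net is not None and peer in net:
            return True
    return False


if __name__ == "__main__":
    laptop_src = "198.51.100.42"  # what the server actually sees as the source
    # Only the server's own DDNS name is listed: this is the poster's setup,
    # and it does not match the laptop's source address.
    print(is_allowed(laptop_src, ["desktop.ddns.example"], constructed_resolver))  # False
    # Listing the client's address (or the client's own DDNS name) is what works.
    print(is_allowed(laptop_src, ["laptop.ddns.example"], constructed_resolver))   # True
    print(is_allowed(laptop_src, ["198.51.100.0/24"], constructed_resolver))       # True
```

Two caveats a practitioner would want: a hostname entry makes the firewall decision depend on DNS answers, so whoever can tamper with DNS for that name can pass the source-address check (the SSH password or key is still the real authentication), and the resolution must happen per connection, since a cached answer goes stale the moment the DDNS record updates.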

jp10558,
Thanks for the info. I have a strong password (>20 chars) and, with the exception of IE7, I have all the MS updates on the SSH server, so hopefully I’m covered there. I understand what you are saying, but I thought I was able to create this rule in the prior version of CFP. I was able to connect before using DDNS, but maybe I had CFP set to “Training.” Can I set up a rule using the MAC address(es) of the computers I will be using to connect to the SSH server? I know the rules can be set up by MAC address, and since these don’t change (whereas IP addresses do from time to time), wouldn’t this work? Thanks.

Mark

Only if the systems are on the same switched network, i.e., not routed. If it’s going over the internet, the MAC addresses are lost, IIRC.