CFW - Incoming TCP always blocked

Hello - hope you can help!

Same notebook computer on two different networks, Home & Work.

On the Work network incoming connections work correctly. If a block all incoming rule is added, blocked connections are logged.

On the Home network all incoming TCP connections are blocked however Ping works. If a block all incoming rule is added, blocked TCP connections are not logged while blocked ICMP connections are logged.

Using XP SP2 all updates installed and CFW 3.0.16.295

Global Rules:

• Allow All Outgoing Requests if the Target is in [Home Network]
• Allow All Incoming Requests if the Sender is in [Home Network]
• Allow All Outgoing Requests if the Target is in [Work Network]
• Allow All Incoming Requests if the Sender is in [Work Network]
• Block and Log IP In From IP Any to IP Any Where Protocol is Any
• Block ICMP In From IP Any to IP Any Where ICMP Message is ECHO REQUEST

Sample Application rule for Telnet Server: ‘C:\WINDOWS\system32\tlntsvr.exe’

• Allow all Incoming and Outgoing Requests (Trusted Application)

Used Wireshark to capture the incoming connection request on both networks.
Note that the Home Network packet has additional TCP flags set.

(Home network uses a Buffalo Tech router with dd-wrt (3rd party linux based) firmware installed.)

Work Network (the one that works):

No. Time Source Destination Protocol Info
10 3.478790 192.168.0.235 192.168.0.79 TCP zion-lm > telnet [SYN] Seq=0 Win=16384 Len=0 MSS=1460

Home Network (the one that does not work):

No. Time Source Destination Protocol Info
15 5.539924 192.168.131.250 192.168.131.10 TCP 4526 > telnet [SYN, ECN, CWR] Seq=0 Win=5840 Len=0 MSS=1460 TSV=253940499 TSER=0 WS=0

Complete Wireshark packet capture for incoming Telent on both networks is attached.

I’d like to be able to use Remote Desktop on the Home computer but this issue effectively prevents that. I hope you can find and resolve this issue. If you need any additional information please let me know!!!

Thanks,
Frank

[attachment deleted by admin]

Hi Frank,

Can you give some more information?
Do TCP packets pass normally throughout your Home Network when firewall is disabled (rightclick on icon in tray->firewall->disabled)?
Can you exit/disable all processes (except TCP packet sender and firewall) and test again?

Try to uncheck all items under firewall->advanced->attack detection settings and test again.

On the Home network all incoming TCP connections are blocked however Ping works. If a block all incoming rule is added, blocked TCP connections are not logged while blocked ICMP connections are logged.

Reading your ruleset I see that you enabled logging only on block all. So the block incominc ICMP is not needed. That rule should also log blocked incoming TCP connections.

In addition to the other mandatory info needed as per goodbrazer post please post a ipconfig output and your configured network zones.
Please check Microsoft Security Center to confirm that windows firewall was disabled (Vista)

goodbrazer & gibran,

I apologize for not following the ‘How to Submit Bug Reports’ in the initial post!

At this point I suspect that there is something the router
(probably the dd-wrt firmware) is doing to TCP packets
that it initiates or forwards that CFW doesn’t like.
That incoming packets are being dropped before the global
rules processing.

Without CFW or when using ZoneAlarm Security Suite incoming connections
work completely.

The info you requested follows:

Thanks!

Frank

• Dell Inspiron 8000 Notebook
• Pentium III 850MHz, 512MB RAM (x32)
• Windows XP Pro SP2, all updates as of 2/12/08
• Running Applications:
  • CFW 3.0.16.295 (x32)
  • Avira AntiVir PersonalEdition Classic - latest version
  • Truecrypt 4.3a (Disk encryption)
  • Acronis True Image 10 (Backup & Disk imaging)
  • OneTouchMon (Visioneer Scanner utility)
  • ATI Desktop Control Panel
  • I8kfanGUI.exe (3rd party fan control utility for notebook)

*** Problem & Symptoms:
All TCP packets appear to be blocked by CFW when notebook is connected to the home network.
Incoming TCP works OK when notebook is connected to work network.
Pinging notebook works at home and at work.

Originally started debugging this issue when trying to use XP Remote Desktop from work.
But testing with Remote Desktop is cumbersome so I started using Telnet to test
this issue.
Only one computer at home but Router with dd-wrt firmware has a linux telnet client.
To test, I connect to router’s Secure Shell server using Putty client.
Start telnet client on the router and attempt to connect back to PC. No response.
Set CFW firewall to ‘Disabled’ and telnet connection from router to PC works.
Ping from router always works, so ICMP packets are passed.
Global rule set up to block and log all incoming packets logs incoming ICMP packets,
but never incoming TCP packets.

*** Steps taken to resolve this issue:
Posted problem on Comodo Firewall V3 forum. Performed steps requested by ‘sded’.
Uninstalled / reinstalled CFW 3 times so far, being very careful of setup selections.
Disabled AntiVir Virus Scanner, later tried uninstalling AntiVir Virus Scanner.
Tried with default settings just after install.
Tried all firewall settings from Disabled to Custom Policy Mode.
Only works when Disabled.
Tried Alert settings of Very Low to Very High, no effect.
Cleared ‘ICS’ check box
Attack Detections Settings: Increased Traffic Rate from 20 to 200 packets/sec for all settings
since complete blocking of incoming packets sounds like firewall is in ‘emergency’ mode, but
I’ve never received any alerts or log messages saying so.
Cleared all options 'Block Fragments, Protocol Analysis, Checksum, and Monitor other protocols.
Tried various allow and block rules in global settings to attempt to determine if packets
are making it past the global rules. Never got log notifications for incoming TCP when a global
rule was set up to block all incoming packets. Always got log notifications when ICMP ping was blocked.
Logging blocked packets did function correctly on work network but not at home.
Tried disabling Defense+, no effect.
Tried removing CFW and installed ZoneAlarm Security Suite.
Incoming connections worked flawlessly.
Preformed ‘clean’ uninstall of ZASS and reinstalled CFW.
(Note: Most of this debugging effort occurred before ZASS was installed so
there is no possibility that left over ZASS components have been interferring with CFW.
I used ZASS with W2K on this computer. XP was a clean install, not an upgrade.)
Captured incoming TCP packets on home and work networks using Wireshark.
Results attached in prior post.

***Defense+ & Firewall+ modes:

Defense+:
Normally ‘Clean PC Mode’, tried ‘Disabled’ also.
Trust Signed Applications checked.
All ‘Monitor’ Settings checked.

Firewall+:
Normally ‘Custom Policy Mode’, also tried ’ Train with Safe’, ‘Training’, & ‘Disabled Modes’
Alert Settings: Tried Low, Very Low & Very High.
ICS box cleared (also tried with box checked), all other Enable boxes checked.

***Reboot / BSOD- Never experienced a reboot or BSOD with this issue.

Do TCP packets pass normally throughout your Home Network when firewall is disabled (rightclick on icon in tray->firewall->disabled)?

YES! Works every time when firewall is disabled.

Can you exit/disable all processes (except TCP packet sender and firewall) and test again?

Disabled Processes, services and drivers:

• AntiVir - Disabled APP startup, disabled 2 services, disabled 3 drivers.
• Truecrypt - Disabled APP startup, disabled driver.
• Acronis True Image - Disabled all autostart Apps, disabled service, disabled driver.
• OneTouchMon - disabled APP startup
• ATI Desktop Control Panel - Disabled APP startup, disabled service.
• I8kfanGUI - disabled APP startup, disabled driver.

Rebooted.

• Checked process list using Sysinternals Process Explorer.
  Only CFW and Process Explorer are running. Exited Process Explorer.

Tested incoming connection using Telnet

• Set Firewall to ‘Training’ Mode.
• Started Telnet Service on PC.
• Started Putty SSH client on PC.
• Connected from PC to Router using SSH.
• Started Router Telnet client
• Tried connection back to PC with ‘telnet 192.168.131.10’
  No response. Timed out.
• Set Firewall to disabled.
• Press up arrow then enter (to ensure I had the same command as before)
• Telnet immediately connected to the PC server.

Try to uncheck all items under firewall->advanced->attack detection settings and test again.

• Cleared Block Fragments check box. All others already clear.
• Set Firewall to ‘Training’ Mode.
• Tried connection back to PC with ‘telnet 192.168.131.10’ on Router.
• No response. Timed out
• Set Firewall to disabled.
• Press up arrow then enter (to ensure I had the same command as before)
• Telnet immediately connected to the PC server.

In addition to the other mandatory info needed as per goodbrazer post please post a ipconfig output and your configured network zones.

ipconfig output:

Windows IP Configuration

    Host Name . . . . . . . . . . . . : dd8xdg01
    Primary Dns Suffix  . . . . . . . :
    Node Type . . . . . . . . . . . . : Hybrid
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

    Connection-specific DNS Suffix  . :
    Description . . . . . . . . . . . : Intel 8255x-based PCI Ethernet Adapter (10/100)
    Physical Address. . . . . . . . . : 00-20-E0-65-31-9E
    Dhcp Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes
    IP Address. . . . . . . . . . . . : 192.168.131.10
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 192.168.131.250
    DHCP Server . . . . . . . . . . . : 192.168.131.250
    DNS Servers . . . . . . . . . . . : 192.168.131.250
    Primary WINS Server . . . . . . . : 192.168.0.2
    Lease Obtained. . . . . . . . . . : Wednesday, February 13, 2008 7:03:20 AM
    Lease Expires . . . . . . . . . . : Monday, January 18, 2038 7:14:07 PM

Configured Network Zones:

• Loopback Zone: IP In[127.0.0.1/255.0.0.0]
• Home Network: IP In[192.168.131.10/255.255.255.0]
• Work Network: IP In[192.168.0.79/255.255.255.0]

Let’s check similar configuration of firewall if you don’t mind.

Export your current firewall’s configuration (Miscellaneous tab).

Delete all global rules. Set firewall to custom policy mode.

Add “Windows Operating System” to application rules: firewall->advanced->network security policy->add->select->running processes

Move it to the top of the list and create rules for it:

allow&log/ip/in-out/Zone:HomeNetwork/Zone:HomeNetwork/any
allow&log/ip/in-out/Zone:WorkNetwork/Zone:WorkNetwork/any
block&log/ip/in-out/any/any/any

What are results?

I’m going to read your post meanwhile ca you confirm tha"Do protocol analisys" is disabled In attack detection settings?

BTW does changing your zones to ip ranges rather than netmask yeld different results?

• Home Network: IP In[192.168.131.10/255.255.255.0]
• Work Network: IP In[192.168.0.79/255.255.255.0]

Found a related resource:

This is a follow-up to some earlier email about problems with some faulty network equipment that either blocks SYN TCP packets which have the CWR and ECE TCP bits set to indicate ECN-Capability, or which respond to such SYN packets with a Reset. Recent studies indicate that such bugs may affect a small but significant fraction of popular web sites. The TBIT web page at "http://www.aciri.org/tbit/" has a pointer to some of these studies.

Looking at Explicit Congestion Notification wikipedia article I got the idea that this could be related so some QOS (quality of service) setting in windows and in the router. I may be wrong but if there is a way to disable trafficshaping and such in your router plelase give it a try.

goodbrazer & gibran,

I didn’t run the tests you requested but instead concentrated on finding a way to disable Explicit Congestion Notification (ECN) on the router.

I found a good article on ECN at: The Cable Guy - October 2006 | Microsoft Learn

Basically when an ECN capable system initiates a TCP connection is sets SYN, ECN, & CWR.
If the target is ECN capable is replies with SYN, ACK, ECN. If not then it just replies with SYN, ACK.

The linux 2.4 kernel, which the router firmware (dd-wrt) uses, supports ECN and has it enabled by default.
Windows prior to Vista does not support ECN. Vista supports it, but it is disabled by default.

In the linux 2.4 kernel, ECN can be disabled with the following command:
echo “0” > /proc/sys/net/ipv4/tcp_ecn
(This is what I used.)

When ECN is enabled, incoming connections are blocked.
When ECN is disabled, incoming connectors work.

If I execute:
echo “1” > /proc/sys/net/ipv4/tcp_ecn on the router and attempt to telnet from the router to the PC, the incoming connection is blocked.

If I then execute:
echo “0” > /proc/sys/net/ipv4/tcp_ecn on the router and attempt to telnet from the router to the PC, the incoming connection succeeds.

I used wireshark to verify that ECN is indeed disabled and here are the results:

With ECN enabled:
6 0.471582 192.168.131.250 192.168.131.10 TCP tdmoip > telnet [SYN, ECN, CWR] Seq=0 Win=5840 Len=0 MSS=1460 TSV=3026427 TSER=0 WS=0
(No reply)

With ECN disabled:
44 17.252799 192.168.131.250 192.168.131.10 TCP lv-jc > telnet [SYN] Seq=0 Win=5840 Len=0 MSS=1460 TSV=3028105 TSER=0 WS=0
45 17.253277 192.168.131.10 192.168.131.250 TCP telnet > lv-jc [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460 WS=0 TSV=0 TSER=0

I also tried Remote Desktop from work and it connects as well!
(I’m using SSH to set up secure work to home connection, then tunneling Remote Desktop through the SSH connection.)

This resolves the issue for me.
I hope that COMODO modifies the firewall so it doesn’t just drop incoming ECN connections, since other linux systems probably have ECN enabled by default as well.

Again, thank you for your help!!!

Frank

Yep I thought so. I found this.

This is a follow-up to some earlier email about problems with some faulty network equipment that either blocks SYN TCP packets which have the CWR and ECE TCP bits set to indicate ECN-Capability, or which respond to such SYN packets with a Reset. Recent studies indicate that such bugs may affect a small but significant fraction of popular web sites. The TBIT web page at "http://www.aciri.org/tbit/" has a pointer to some of these studies.

This issue may be unrelated to CFP. Are incoming connetions blocked even if cfp firewall is disabled?

I’ve only experienced this issue with incoming connections that originate from my router. Incoming connections forwarded through the router are OK. In every case that I tested, when CFW was disabled, or I used a different firewall product (ZoneAlarm), incoming connections from the router always worked!

So, if I hadn’t installed CFW, then I probably would not have experienced this issue.

Frank

Ok, tanks for pointing out this. Just confirm this issye with 3.0.17 and do protocol analisys disabled and we have more than enough info. :-TU

Yes it is with 3.0.17. I updated before running the final tests.