CIS Firewall Questions

I’m testing CIS on Windows 7, and I have read the User Guide, but I have some lingering questions that I hope someone here can answer:

  1. The Filter IPv6 Traffic option under Settings > Firewall > Firewall Settings is unclear (or at least I hope it is). The User Guide indicates that, “if enabled, CIS will filter IPv6 network traffic in addition to IPv4 traffic.” This option seems to imply that unless enabled, IPv6 outbound and inbound communication is completely unfiltered by the firewall, but that just sounds silly, so I hope I’m missing something. What precisely does this mean?

  2. I’m aware that IPv6 can be disabled per network adapter, but I’m specifically trying to determine: can the firewall be configured to block ALL outbound and inbound IPv6 communication?

  3. My firewall log indicates that some application called simply, “Windows Operating System” is being blocked.
    a) What is the file or process associated with this application? In other words, what is this?
    b) How do I determine what firewall configuration or rule is responsible for blocking this (or any) application?

Thank you,

np

1) The Filter IPv6 Traffic option under Settings > Firewall > Firewall Settings is unclear (or at least I hope it is). The User Guide indicates that, "if enabled, CIS will filter IPv6 network traffic in addition to IPv4 traffic." This option seems to imply that unless enabled, IPv6 outbound and inbound communication is completely unfiltered by the firewall, but that just sounds silly, so I hope I'm missing something. What precisely does this mean?
Correct, IPv6 traffic is ignored unless the option is enabled.
2) I'm aware that IPv6 can be disabled per network adapter, but I'm specifically trying to determine: can the firewall be configured to block ALL outbound and inbound IPv6 communication?
Yes, but it is not as easy, due to the fact that you cannot define IPv6 specifically when creating rules, unless it is for encapsulation or tunneling. To block pure native outbound IPv6 packets you would use the source address and the exclude option in the source address window. For incoming packets just set the firewall to stealth ports mode.
3) My firewall log indicates that some application called simply, "Windows Operating System" is being blocked. a) What is the file or process associated with this application? In other words, what is this? b) How do I determine what firewall configuration or rule is responsible for blocking this (or any) application?
It means the packet was blocked from reaching the Windows kernel to be processed by the Windows networking stack. You normally would see this type of logging if either you have a global block rule with logging enabled, or you receive a late UDP response packet destined for an application that had an open UDP socket which has since been closed.

Thank you, futuretech, I appreciate your response! I have some followup questions below:

Hmm… Let me ask the question another way: what happens when your computer receives an inbound communication via IPv6 when this option is disabled?

That’s good to know, but:

a) What is the file or process associated with this application? In other words, what is this?
b) How do I determine what firewall configuration or rule is responsible for blocking this (or any) application? Surely, there must be some way to determine what rule fired, even if a global block rule is responsible.

Thank you,

np

If an application is listening for connections over IPv6 then it will receive the connection request from the remote host, the firewall will not stop or monitor the connection even if you have a block rule in place. Windows will process IPv6 packets as if there is no firewall in place.

a.) tcpip.sys is the Windows networking stack and is the kernel-mode driver responsible for sending/receiving network packets.
b.) It would help to know the details of the blocked event. If the source and destination ports are zero, then it is a blocked fragmented packet due to the Block Fragmented IP Traffic firewall setting. If the protocol is ARP, then the anti-ARP spoofing setting is blocking gratuitous ARP packets; otherwise the block event is being logged due to a global rule that has "Log this event" set.
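To turn those three rules into a quick triage of an exported firewall log, here is an added example (my own code, not Comodo's tooling). The CSV layout, the sample events and the late-UDP-reply heuristic are assumptions; a real CIS export has its own columns and would need its own mapping.

```python
"""Classify blocked "Windows Operating System" (WOS) events from a
firewall log export, using the rules given in the reply above."""
import csv
import io
from collections import Counter

# Constructed sample export (simplified CSV, NOT the real CIS log layout).
SAMPLE_LOG = """\
application,action,protocol,source_ip,source_port,destination_ip,destination_port
Windows Operating System,Blocked,UDP,192.168.10.1,0,192.168.10.131,0
Windows Operating System,Blocked,ARP,192.168.10.55,,192.168.10.131,
Windows Operating System,Blocked,UDP,192.168.10.1,53,192.168.10.131,61234
Windows Operating System,Blocked,TCP,203.0.113.7,443,192.168.10.131,51234
Windows Operating System,Blocked,UDP,192.168.10.131,137,192.168.10.255,137
cmdagent.exe,Blocked,TCP,192.168.10.131,49877,203.0.113.20,80
"""


def classify_wos_event(ev, local_ip):
    """Map one blocked WOS event to its likely cause."""
    proto = ev["protocol"].upper()
    if proto == "ARP":                       # anti-ARP spoofing setting
        return "anti-ARP spoofing (gratuitous ARP dropped)"
    if ev["source_port"] == "0" and ev["destination_port"] == "0":
        return "Block Fragmented IP Traffic setting"
    # Everything else hit a global rule that has "Log this event" set.
    cause = "global block rule with logging"
    # Assumed heuristic: inbound UDP from a service port to an ephemeral port
    # is the classic late reply to a socket the application already closed.
    if (proto == "UDP" and ev["destination_ip"] == local_ip
            and int(ev["source_port"]) < 1024
            and int(ev["destination_port"]) >= 49152):
        cause += " (likely late UDP reply to a closed socket)"
    return cause


def triage(log_text, local_ip):
    """Return [(direction, peer, cause)] for every WOS block event."""
    rows = []
    for ev in csv.DictReader(io.StringIO(log_text)):
        if ev["application"] != "Windows Operating System":
            continue  # application rules already name the process
        outbound = ev["source_ip"] == local_ip
        peer = ev["destination_ip"] if outbound else ev["source_ip"]
        rows.append(("out" if outbound else "in", peer,
                     classify_wos_event(ev, local_ip)))
    return rows


def summarize(rows):
    """Count events per (direction, cause) to see which setting fires most."""
    return Counter((d, c) for d, _, c in rows)


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG, "192.168.10.131"):
        print(*row)
```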

Thank you again for your clarification, futuretech! It is most appreciated!

Wow. :o Honestly, I’m somewhat shocked by this, but it’s definitely important to know! As a future enhancement to the product, I strongly recommend enabling the creation of firewall rules based on IPv6.

I see. I have attached a small snapshot of the Firewall Event log filtered specifically for the application “Windows Operating System”. My local subnet is 192.168.10.1/24, and my host IP is 192.168.10.131. Any insights?

Additionally, I realize that cmdagent.exe and cmdinstall.exe are integral parts of Comodo CIS, but I’m somewhat alarmed that they are trying to access the internet, particularly since I think I have disabled all the options that would seem to justify it, including:

  • All the options under General Settings > Updates
  • The User Statistics option under General Settings > Logging
  • The Enable HIPS option under General Settings > HIPS Settings
  • The Enable Cloud Lookup option under General Settings > File Rating Settings
  • The Enable VirusScope option under General Settings > Advanced Settings > VirusScope
  • The Enable Website Filtering option under General Settings > Advanced Settings > Website Filtering
  • Lastly, I have only installed the firewall portion of Comodo CIS (that is to say, no anti-virus)

Any idea why these components of Comodo CIS are attempting to access the internet? In an effort to provide all the relevant information, I’ve also attached a small snapshot of the Firewall Event log filtered specifically for the applications “cmdagent.exe” and “cmdinstall.exe”. Again, my local subnet is 192.168.10.1/24, and my host IP is 192.168.10.131.

Thank you very much for your help!

np

Yes, a wish report was submitted to have Filter IPv6 enabled by default, but sadly it has not been implemented yet. For your blocked WOS events, do you have any global block rules with logging enabled? Then that will explain the blocked events. For cmdagent accessing the Internet, it is either performing OCSP requests to check the revocation status of digitally signed applications that you execute, or it could be the scheduled tasks that still run even with telemetry and CMC disabled; it will still look for the telemetry config for when you do enable the options. They are supposed to fix it so that the tasks do not get reset, but for now you can disable the tasks, then change the tasks to read-only in C:\Windows\System32\Tasks\Comodo.

Your depth of knowledge and understanding of how Comodo CIS works is very impressive! Thank you, futuretech! :slight_smile:

Yes, as a matter of fact, I do have a catch-all global rule (after all of my Allow rules) that Blocks (and logs) All IP traffic In or Out to/from my LAN and the Internet. Basically, if I have not specifically enabled the communication, I want to block it.

Fantastic! :BNC

Back to cmdagent.exe and cmdinstall.exe for a moment: do you know if it will cause any problems if I were to simply create global block rules to prevent cmdagent.exe and cmdinstall.exe from accessing the internet?

Lastly, this question is a bit off the reservation, so to speak, but I’m at wits’ end trying to figure out and resolve another strange problem that I’ve been encountering, so I’m just asking on the chance that you or someone may know what’s going on and how to resolve it. My topmost application rule is to allow chrome and firefox to be treated as web browsers, as defined in the “Web Browser” ruleset. Yet, for some unknown reason, youtube videos don’t seem to play – upon hitting the play button, they just spin and spin. As far as I know, youtube doesn’t even use flash anymore, so I don’t think flash is the problem. I am utterly confounded… :-\ Does youtube perhaps require additional ports beyond those defined in the “HTTP Ports” portset?

Thank you,

np

Just a brief update to let you know that I figured out what was going on and resolved the problem. I was using an external USB DAC for audio, and there was some kind of incompatibility. The problem resolved itself as soon as I unplugged the USB cable. Weird…

So, anyway, no need to respond to this issue, but I am looking forward to reading your response on my other question:

Thank you,

np

You won’t be able to perform manual updates, submit files for analysis, or do manual file lookups. Just to note, use the Application Rules section to control outgoing connections, as application rules are processed first for outbound connections. Also, if you have logging enabled, you will know which application was blocked from making the outgoing connection, whereas global rules will only identify WOS.

Excellent! All good points, thank you very much for all of your help, futuretech! :slight_smile:

np