The easiest way to change the Global rules to allow tracert, and also to provide a little more security, is to do the following:
Open CIS
Navigate to - Tasks\Firewall Tasks\Stealth Ports\Block Incoming Connections
This will change Global rules to allow the correct ICMP type for tracert, it will also add a final rule that blocks all unspecified connections. In future, if you have an application that specifically needs inbound connections, for example a p2p application, you’ll need to add an appropriate inbound rule above the final block rule.
In addition to the changes to Global rules, depending on your settings, you may need an outbound application rule for tracert.exe. If you’re using ‘Safe’ mode, tracert should work without intervention; if you’re using ‘Custom Policy’ mode, you should get an alert.
As far as ‘SPD.exe’ is concerned, the only rules you should need are those seen in the image. These are application rules.
Indeed, the reason tracert is not working is that the last rule blocks the appropriate return ICMP packets. By making the change I suggested above, you allow ICMP Type 11 Code 0 (Time Exceeded). If you want, you can simply add a Global rule that explicitly allows this ICMP type. If you decide to do this, you may also wish to add another for Fragmentation Needed (Type 3 Code 4).
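Added example (not code from this thread, and not Comodo's rule engine): a small Python model of a top-down, first-match rule list like the Global rules above. It constructs the ICMP replies that tracert depends on (Type 11 Code 0 Time Exceeded, plus Type 3 Code 4 Fragmentation Needed), parses them, and runs them through three rule lists: only the final "block all inbound" rule, the same list with the two ICMP allows placed above the block, and the allows placed below the block. The Rule/Packet model, the checksum helper and the "unmatched packet is blocked" default are assumptions of this toy, not CIS behaviour.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# ICMP (type, code) pairs from the thread.  Windows tracert sends Echo
# Requests with increasing TTL; each hop answers with Time Exceeded.
TIME_EXCEEDED = (11, 0)   # Type 11 Code 0: TTL expired in transit
FRAG_NEEDED = (3, 4)      # Type 3 Code 4: Fragmentation Needed (PMTU discovery)
ECHO_REQUEST = (8, 0)     # Type 8 Code 0: what tracert/ping send outbound


@dataclass(frozen=True)
class Rule:
    action: str                       # "allow" or "block"
    direction: str                    # "in", "out" or "any"
    protocol: str                     # "icmp", "tcp", "udp" or "any"
    icmp_type: Optional[int] = None   # None matches any ICMP type
    icmp_code: Optional[int] = None   # None matches any ICMP code
    name: str = ""

    def matches(self, direction: str, protocol: str,
                icmp_type: Optional[int], icmp_code: Optional[int]) -> bool:
        if self.direction not in ("any", direction):
            return False
        if self.protocol not in ("any", protocol):
            return False
        if self.protocol == "icmp":
            if self.icmp_type is not None and self.icmp_type != icmp_type:
                return False
            if self.icmp_code is not None and self.icmp_code != icmp_code:
                return False
        return True


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, icmp_code: int, rest: bytes = b"\x00" * 4) -> bytes:
    """Constructed 8-byte ICMP header with a valid checksum (sample input)."""
    header = struct.pack("!BBH", icmp_type, icmp_code, 0) + rest
    return struct.pack("!BBH", icmp_type, icmp_code, icmp_checksum(header)) + rest


def parse_icmp(data: bytes):
    """Return (type, code) of a raw ICMP message; a valid message sums to 0."""
    if len(data) < 8:
        raise ValueError("ICMP message too short")
    if icmp_checksum(data) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, icmp_code = struct.unpack("!BB", data[:2])
    return icmp_type, icmp_code


def first_match(rules: List[Rule], direction: str, protocol: str,
                icmp_type: Optional[int] = None,
                icmp_code: Optional[int] = None) -> Optional[Rule]:
    """Rules are read top-down and the first match wins; that is why the
    thread says the ICMP allows must sit ABOVE the final block rule."""
    for rule in rules:
        if rule.matches(direction, protocol, icmp_type, icmp_code):
            return rule
    return None


def verdict(rules: List[Rule], raw_icmp: bytes, direction: str = "in") -> str:
    """Parse an ICMP message and return 'allow' or 'block' under the rule list."""
    icmp_type, icmp_code = parse_icmp(raw_icmp)
    rule = first_match(rules, direction, "icmp", icmp_type, icmp_code)
    return rule.action if rule else "block"   # toy model assumption: unmatched = blocked


ALLOW_OUT = Rule("allow", "out", "any", name="allow all outbound")
BLOCK_IN = Rule("block", "in", "any", name="final rule: block unspecified inbound")
ALLOW_TE = Rule("allow", "in", "icmp", *TIME_EXCEEDED, name="allow ICMP Time Exceeded in")
ALLOW_FN = Rule("allow", "in", "icmp", *FRAG_NEEDED, name="allow ICMP Frag Needed in")

RULES_BROKEN = [ALLOW_OUT, BLOCK_IN]                          # only the final block: replies die
RULES_FIXED = [ALLOW_OUT, ALLOW_TE, ALLOW_FN, BLOCK_IN]        # allows placed above the block
RULES_WRONG_ORDER = [ALLOW_OUT, BLOCK_IN, ALLOW_TE, ALLOW_FN]  # allows below the block: never reached

if __name__ == "__main__":
    reply = build_icmp(*TIME_EXCEEDED)   # constructed hop reply to an expired probe
    for label, rules in (("broken", RULES_BROKEN), ("fixed", RULES_FIXED),
                         ("wrong order", RULES_WRONG_ORDER)):
        print(f"{label:12s} inbound Time Exceeded -> {verdict(rules, reply)}")
    print(f"{'fixed':12s} inbound Echo Request  -> "
          f"{verdict(RULES_FIXED, build_icmp(*ECHO_REQUEST))}")
```

The last line of the demo is the stealth check: with the fixed list an unsolicited inbound Echo Request is still blocked, so allowing the two reply types does not make the host pingable from outside.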
C:\Windows\System32>tracert linx.net
Tracing route to linx.net [195.66.232.53]
over a maximum of 30 hops:
1 * 442 ms 2 ms Ozzy [192.168.1.1]
2 * * * Request timed out.
3 2 ms 1 ms 1 ms hidden
4 2 ms 2 ms 1 ms 10.254.191.4
5 3 ms 3 ms 2 ms hidden
6 181 ms 181 ms 182 ms ge0-0.pr1.linx.net [195.66.225.254]
7 184 ms 183 ms 183 ms ivory.linx.net [195.66.232.53]
Trace complete.
Those rules appear to be correct for supporting tracert and fragmentation needed.
I have these rules for uTorrent and cFosSpeed.
Is it safe to add ‘Allow IP out from Mac any to Mac any where protocol is any’?
In reality, you don’t need a Global rule to allow outbound connections, at least with your configuration.
I just wanted to ask one more question: if I disable Filter Loopback traffic, can I remove the Loopback zone under "network zones" (pic 2)?
Is there some specific reason you have for wanting to remove this zone? As far as disabling loopback filtering goes, it’s really up to you. Basically, if you remove the check from this box, when using something like Custom Policy Mode, you won’t receive alerts from applications, such as your browser, for loopback connections. If you’re using Safe Mode, unless you’re using an application not on the safe list, you probably won’t see an alert.