Comodo Firewall Log not showing some blocked events

Hi guys. Hope someone can shed some light on this.

I installed Comodo Firewall v 3.0.25.378 on Windows XP SP3. Within Comodo Firewall, I set the firewall alert frequency to Very High, so I would get the most number of alerts. I went to grc.com to do the Shields UP test. Shields UP uses the IP 4.79.142.206 to do the probes. I created a Global Rule like this:

Block and log IP IN from 4.79.142.206 to IP any where protocol is any

For the Shields UP test, I used a custom port probe with a range of 2000 thru 2063. Shields Up reported that all the ports were stealthed. So far so good.

But when I checked the Comodo Firewall logs, there were only four entries in the log: for ports 2061, 2029, 2063, 2031.

I repeated the test with a different set of ports: 3000 thru 3063. Again Shields UP reported that all ports were stealthed, but the Comodo Firewall logs showed only entries for four or five ports (and not all the 64 ports as one would expect). Why are there no entries for the other ports? I had asked in the rule I made for all blocks to be logged. Am I missing something obvious here?

First of all, Shields Up will test your hardware firewall first, so if you are behind a hardware modem, that’s why. Did you try running the stealth port wizard and selecting the option to “block all incoming connections”?

Nope, you’re not missing anything. The report function in CFP does not list all the log entries. What you’re getting in the report output is a representation of the log, with duplicates or near-duplicates trimmed out.

Personally, I find that annoying, as I like to read logs in raw form. There are tools available to read the CFP log, and I’m sure that you’d find all the logging data to be complete.
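To illustrate why a trimmed report view can make a 64-port sweep look like four blocked events, here is an added Python example (not code from the thread or from Comodo). It builds a constructed raw log of a sweep from 4.79.142.206 against the LAN card discussed below, applies a hypothetical near-duplicate collapse (one entry per source/destination/protocol per time window, which is an assumption, not Comodo’s undocumented logic), and then checks which probed ports never show up in the collapsed view.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

PROBE_SRC = "4.79.142.206"   # Shields UP probe address quoted in the thread
LOCAL_DST = "192.168.1.2"    # the LAN card facing the router in the thread


@dataclass(frozen=True)
class BlockEvent:
    ts: datetime
    src: str
    dst: str
    proto: str
    dport: int


def make_sweep(ports, start, spacing_ms=50):
    """Constructed raw log: one blocked TCP probe per port, evenly spaced."""
    return [BlockEvent(start + timedelta(milliseconds=i * spacing_ms),
                       PROBE_SRC, LOCAL_DST, "TCP", p)
            for i, p in enumerate(ports)]


def collapse_near_duplicates(events, window_s=1.0):
    """Hypothetical report view: keep the first entry per (src, dst, proto)
    in each window and drop the rest. The destination port is deliberately
    not part of the key, which is what hides most of a port sweep."""
    kept, last_seen = [], {}
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.src, ev.dst, ev.proto)
        prev = last_seen.get(key)
        if prev is None or (ev.ts - prev).total_seconds() >= window_s:
            kept.append(ev)
            last_seen[key] = ev.ts
    return kept


def missing_ports(expected_ports, shown_events):
    """Completeness check: probed ports with no entry in the given view."""
    return sorted(set(expected_ports) - {e.dport for e in shown_events})


if __name__ == "__main__":
    start = datetime(2008, 5, 1, 12, 0, 0)   # constructed timestamp
    probed = range(2000, 2064)
    raw = make_sweep(probed, start)
    shown = collapse_near_duplicates(raw)
    print("raw entries:", len(raw), "shown entries:", len(shown))
    print("ports shown:", [e.dport for e in shown])
    print("ports missing from view:", len(missing_ports(probed, shown)))
```

Comparing the raw log against the collapsed view is the check the original poster did by hand with Wireshark: the full sweep is recorded, but only a handful of rows survive the trimming.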

Thank you for the reply.

I will fill in more details. If I have missed something, please ask.

Setup: My computer has two LAN cards (192.168.0.1, 192.168.1.2). I am behind a Xavi Technologies X8821r+ home broadband modem/router. I believe that the firewall on this router has been turned off, but I can’t say that with 100% guarantee. An ethernet cable runs between the router (192.168.1.1) and one of my LAN cards (192.168.1.2).

Yesterday a friend had come over to look at my problem. He installed some software called Wireshark and took a look at the output while Shields Up at grc.com was doing the port probes. What he told me was that he had turned Wireshark to monitor my LAN card of interest (192.168.1.2). He said that since I use the other LAN card to connect to my laptop, it’s not of any interest in this problem.

He told me that upon looking at the TCP packets sent from Shields Up, there was a packet sent to probe every port in question, 2000 thru 2063, and the second time, 3000 thru 3063. He said he was 100% sure (I think he looked at destination ports for each packet). What he told me was this: 192.168.1.2 is getting all the 64 TCP packets sent by Shields Up. I can ask him for more details if need be.

He said that my modem was passing everything to my LAN card, so my modem was not doing the blocking. He also said it was odd that Comodo Firewall log was showing only four or five of the 64 blocked events. But he didn’t know why, and he uses Zone Alarm Free, and is not familiar with Comodo.

Thanks to you both, Vettetech and grue155 for the reply.

You’re better off turning on your hardware firewall. I can pass the Shields Up with flying colors even without having Comodo installed.

I never changed any of the settings on the modem. A technician from the ISP had installed it and configured it. The attached image shows the firewall settings on my modem.

[attachment deleted by admin]

I looked up the router documentation on the web. That seems to be a quite capable router. The “Firewall” tab seems to be more of an administrative function. The “IP Filter” tab is what the router provides that would be comparable to what CFP provides. Unless you have set some kind of filtering rules, the router is most likely not doing any filtering. According to the documentation that I saw, it does have that capability. Which can be useful in some instances.

I would enable anything that isn’t enabled. You may have to restart your modem also. Then uninstall Comodo and head over to Shields Up and see what happens. Explore the other options also. Here is my 2Wire firewall screen. I love all the options.

[attachment deleted by admin]

CFP3 does not have a true logging capability, and logs only selected ports and blocks. How it selects is a bit of a mystery; there is some undocumented logic defined by the developers to do the selection. But it is not consistent. Example: I unhooked my router and connected directly to the internet to take a series of snapshots. The first shows the stealth results from GRC for the common ports, a scan of all the ports listed in the run. Comodo was first set up with a global rule to block and log all incoming TCP and UDP. The figures gc1t-gc3t are the results of 3 consecutive runs of Shields Up. Note that they are much abbreviated and all slightly different. I then changed the global rule to block all IP in and log, and got the figure gci. Again different, with an ICMP thrown in. The attachments are from the firewall events/more display in CFP3, advertised as the raw log. I haven’t seen specific information on more detailed logs of CFP3 or any tool to access them. You will find a number of help requests and bug reports about logging (https://forums.comodo.com/empty-t22939.0.html is a good example), but CFP3 simply does not provide a complete logging capability.

[attachment deleted by admin]

Thanks guys for all the responses.

OK. So CFP does not provide complete logging. I would not have known that if I hadn’t asked you here.

Before asking, I had checked the most current user guide of CFP. Here is what the guide says in the section VIEW FIREWALL EVENTS under FIREWALL TASK CENTER:

The 'Firewall Events' area contains logs of actions taken by the firewall. A 'Firewall Event' is recorded whenever an application or process makes a connection attempt that contravenes a rule in your Network Security Policy (Note: You must have checked the box 'Log as a firewall event if this rule is fired' for the event to be logged.)

Log Viewer Module
This area contains a full history of logged events for both the Firewall and Defense+ modules.

The language used in the user guide is not clear enough. It gives you the impression that every event for which you made a ‘Block and Log’ rule will be available for you to see when you open the log.

One sentence should have been added stating explicitly that the log report does not record every blocked event, so you may not find some blocked events in the log. That would clear things up.

Some of this discussion is over my head, because this is the first time I am tinkering with low-level control rules. All these years I was a Zone Alarm Free user.

Here are the firewall rules (the IP Filter tab) of my modem. If someone could quickly scan the list and give me any advice, that would be cool. This is the original configuration that was done by the ISP technician.

Image is attached. Please zoom, because it’s big.

[attachment deleted by admin]

Zone Alarm Free is no better than Windows Firewall. It cannot protect you one bit. Zone Alarm Pro is good but still not as good as Comodo. Have you looked at the modem manufacturer’s site for help?

I am using Comodo Firewall now. I meant that I was using Zone Alarm Free for all these years prior to installing Comodo Firewall very recently.

Certainly you could deny some of the allowed ports, since you are probably not using all the possible capabilities like SNMP, DNS zone transfers, … that are opened in your router firewall. But since CFP3 is behind it, that should take care of any extraneous stuff for you. The only standard thing I see missing offhand is allowing port 20 inbound so that you can do active FTP, but it may be buried somewhere not obvious. And you can probably live with only passive FTP. :)

Quoting the modem manual that I found on the web

Security Level: Select None, Medium, Low, or High. This setting determines which IP Filter rules take effect, based on the security level specified in each rule. For example, when High is selected, only those rules that are assigned a security value of High will be in effect. The same is true for the Medium and Low settings. When None is selected, IP Filtering is disabled.

Your screen shot is showing a Security Level of “None”, so your IP filtering is turned off.

The rules presented are an interesting set, as these are for a type of configuration that I wouldn’t expect a home or a small office to use (ever heard of SNMP? It uses port 161, and is used for hardware device control). This is more an office “LAN managed” type of rule set.

If you ever do want to use the modem IP filtering, I’d suggest making notes on what their rules are for example purposes, and then deleting the whole lot. Then you can enter rules that you understand what the rule is supposed to do, and why you need it.

Thank you very much, sded and grue155.

I am new to this, so I will go slow. My confidence level and my knowledge are not high enough to tinker too much.

And thanks to everybody for clearing things up about the limitations of logging in CFP.

You guys were very helpful, so I will come back later when I have questions about CFP. I’ve just about started using it.

I’ve been doing some more reading in the modem manual, and have a few suggestions for making sure things are reasonably secure.

On the Services tab, for Blocked Protocols, I’d check the box for Netbeui. That will make sure that no Windows networking traffic can get by the modem and out on to the Internet. CFP should do this, but setting it here is a backup.

On the Admin tab, under Management Control, clear all the checkboxes for WAN access. You don’t want somebody out in the wild changing your modem settings. These checkboxes should be clear already, but best to make sure.

And also on the Admin tab, under User Config, change the password on the admin account if it is still the factory default.

I have followed your three suggestions, and changed the admin password, blocked Netbeui, and removed WAN access.

Just curious. So far my login/password was the factory default of admin/admin. That’s very easy to guess for anybody. And as you can see from the images I have attached, WAN access was enabled. So suppose I had given you my external IP address, is there an easy, casual way you could have accessed and modified the modem settings?

[attachment deleted by admin]

Quite easily, using the same method that you’re using: a web browser, for HTTP access. It’s a good thing that you turned it off. It can keep you from getting surprised. One of the attack methods going around these days is to get access into the modem/routers and change the DNS nameserver settings to use nameservers that are under control of the bad guys. They set up a transparent proxy and capture all your passwords. And then drain any financial accounts they can find. Default passwords are the main method for getting in.