CPF not Stealth?

Good day everyone!

I’ve been reading posts on the forum regularly, but this is my first post. I’ve tried several IP scanners from other PCs on our network against my PC and I’m stealth. I can’t test on GRC and other similar sites because we are behind a router firewall and, as I’ve read, the results might be incorrect. Today I tested Colasoft MAC Scanner against my PC, and to my surprise my IP and MAC showed up. Is there a rule I can add so that my IP and MAC will be totally stealth from other PCs on our network?

Thanks a lot. This is a great site. More power!

If I understand this correctly, you are scanning from the same subnet as the host with CFP on it?

This could get tricky because you’re going to kill some of the network basics, but you can try to create a global block rule based on the MAC address of the scanning host. I wouldn’t do that if I were you, though.

So only a local user can find you, because the scanner sends ARP requests and waits to see if there is an ARP reply for every IP address it asks for. This is basic network functionality, also used to detect duplicate IP addresses on local subnets. This won’t let the attacker in; it will only give him your MAC address and IP number.
If he/she gains access to the local switch on the network he will also have this information, and you can’t block anything about that! A switch needs to know which MAC address is on which port to function normally.

Thanks for the response. Same subnet, yes. I don’t want to block a specific IP. What I intend to do is to be totally stealth on my own network (both IP and MAC), other than to trusted IPs like my gateway and servers. Is that possible? Can CFP do it?

I would add that when I ping my PC from other PCs or ping the subnet’s broadcast IP, the arp -a command does not show my IP. Doing an IP scan from other PCs doesn’t show my PC either. So I thought I was stealth even to other PCs on my subnet. But using Colasoft MAC Scanner shows otherwise. My IP and MAC are not stealth at all.

Try the following: go to Firewall, Advanced settings, Attack detection settings.

Enable Protect the ARP Cache.
Enable Block Gratuitous ARP Frames.

Reboot to be sure, then try the scan again and see if this helps.

Thanks but both are already enabled. What particular protocol or port is responsible for ARP broadcast?

https://forums.comodo.com/leak_testingattacksvulnerability_research/possible_arp_spoofing_vulnerability-t22729.0.html
http://www.antiarp.com/English/e_index.htm

Thanks firebit. As I read the link you posted, it seems that CFP as of now has no capability in itself to filter ARP traffic and I need other protection like AntiARP or another packet filter like CHX-I 3.0 (WIPFW also?) to do that. Am I correct? If that’s the case, is there any plan from the Comodo dev team to integrate such a feature into CFP v3 to make us more stealth?

What would the problem be then? The only bad thing that could happen to you is an ARP spoof of your default gateway, so someone could do a ‘Man in the Middle’ attack on you. But that is prevented by “Protect The ARP cache”.

The scanner must be on your local LAN, and knows your MAC and IP. As I said before, if he owns the switch on the network he knows ALL MAC/IP pairs; there is nothing you can do about that, not even with CHX or AntiARP.

ARP is a layer 2 protocol, whereas IP is layer 3 and TCP/UDP are layer 4.
See this link for some Q&A on ARP.

I haven’t tried CHX-I yet because I believe its development stopped. If I understand interloper correctly, CHX-I could be configured to allow ARP traffic only from the gateway and deny everything else. WIPFW, from what I’ve read, is also a powerful packet filter like CHX-I. I’m using it right now, no problem with CFP. I just don’t know yet how to make the same rule interloper created. Or if CFP can do the same by creating a certain rule, that would be great.

If everyone on my subnet other than the admin can know my IP and MAC, the possibility of ARP poisoning/spoofing is not remote. Being stealth on my own subnet other than to my trusted IPs will make that very difficult if not impossible, IMHO.

What “local subnet” are you on then? I guess it’s not a home network?
If only PCs reside on this subnet and all your “server” and other traffic goes directly through your default gateway, I don’t see the problem.

I’m behind our company’s router and all the employees’ PCs are on the same subnet. I scanned my PC from another PC using Colasoft MAC Scanner. Both PCs are on the same LAN behind the same router.

Can you tell me again then what you are afraid of?
Are there “servers” on the local subnet like file shares, mail server, web server, FTP server etc.?

I’m not stealth from other PCs on the LAN, which I believe I had better be. We have file and mail servers.

Have you tried to put the scanner host’s MAC address in the global rules and block all requests from it?
See if it can still resolve your MAC/IP. If this works then we could put up a list of “known” hosts and block all others on the local network, but then again I would not go through all this trouble unless you have a “hackers” audience on your local network.

My intention is to block all unsolicited traffic, including ARP requests from within the LAN, but allow traffic that I initiate (not to totally block a specific IP in/out).

I know, I have an idea, but I first have to know if blocking the MAC of the scanner host works…
Otherwise it’s not even worth trying the other thing that popped into my mind.

Mind if I throw in a question from left field?

If you’re on a corporate LAN, do your LAN admins know you’re attempting to hide your presence on their LAN?

Ewen :slight_smile:

I believe there’s no way I can hide from him because he has control over our switch, router and firewall, so he can see all incoming/outgoing connections. I can’t hide from my switch and router because that means no connection at all.

Can anybody help me on this?
1.) I blocked the scanner’s MAC, Direction IN (tried all of TCP/UDP/ICMP/IP), Destination Address ANY, Source Port ANY, Destination Port ANY; it can still see my IP and MAC. Tried Direction Out / In/Out, the result is the same.
2.) I blocked the scanner’s IP, Direction IN (tried all of TCP/UDP/ICMP/IP), Destination Address ANY, Source Port ANY, Destination Port ANY; it can still see my IP and MAC. Tried Direction Out / In/Out, the result is the same.
3.) I blocked the other PC’s MAC/IP and scanned from my PC; I can see its MAC and IP. Tried all protocols and directions.

I’m sure CFP is working because Block All Mode blocked all traffic.

Confirm please. I want to know if the problem is with my PC or with CFP. The scanner is Colasoft MAC Scanner.

That won’t work. All options in the global rules are Layer 3/4, and ARP is layer 2, so there is no rule you can make to block ARP traffic. You can’t do this with CIS/CFP.
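Added example, written for this thread and not code from the forum posters or from Comodo: a small offline frame classifier that demonstrates the two points made above, that the scanner works by sending ARP requests and waiting for replies, and that a firewall rule keyed on source IP or port only ever sees frames that carry an IP header, so ARP frames (EtherType 0x0806, no IP header at all) pass it untouched. On the defender side it shows what can be watched instead: one host asking for many addresses (scan-like behaviour) and an IP whose answering MAC changes (the cache-poisoning symptom that “Protect the ARP Cache” is meant to stop). All frames are constructed sample data built inline, and the MAC/IP values are placeholders; the `ArpMonitor` class and the scan threshold are assumptions of this example, not a Comodo feature.

```python
"""Layer 2 vs Layer 3/4 demo: why an IP-based block rule never matches an ARP
scan, and an ARP-level monitor a defender can run instead.
All addresses and frames below are constructed placeholders (assumption)."""
import struct
from collections import defaultdict

ETHERTYPE_IP = 0x0800
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_str(raw):
    return ':'.join(f'{b:02x}' for b in raw)


def ip_str(raw):
    return '.'.join(str(b) for b in raw)


def parse_frame(frame):
    """Decode an Ethernet frame. Only EtherType 0x0800 carries an IP header;
    an ARP frame has no IP addresses a Layer 3 rule could match on."""
    dst, src, ethertype = struct.unpack('!6s6sH', frame[:14])
    info = {'src_mac': mac_str(src), 'dst_mac': mac_str(dst), 'ethertype': ethertype}
    payload = frame[14:]
    if ethertype == ETHERTYPE_ARP:
        # hw type, proto type, hw len, proto len, opcode, sender MAC/IP, target MAC/IP
        _, _, _, _, op, sha, spa, tha, tpa = struct.unpack('!HHBBH6s4s6s4s', payload[:28])
        info.update(layer='arp', op=op, sender_mac=mac_str(sha),
                    sender_ip=ip_str(spa), target_ip=ip_str(tpa))
    elif ethertype == ETHERTYPE_IP:
        # IPv4 header: protocol at byte 9, source at 12..15, destination at 16..19
        info.update(layer='ip', proto=payload[9],
                    src_ip=ip_str(payload[12:16]), dst_ip=ip_str(payload[16:20]))
    else:
        info['layer'] = 'other'
    return info


def l3_rule_blocks(info, blocked_src_ip):
    """A global 'block this source IP' rule, as a Layer 3 firewall evaluates it:
    it can only match frames that actually have an IP header."""
    return info['layer'] == 'ip' and info['src_ip'] == blocked_src_ip


class ArpMonitor:
    """Passive ARP observer (hypothetical helper): flags sweep-like request
    patterns and IP-to-MAC changes seen in replies."""

    def __init__(self, scan_threshold=3):
        self.requests_by_mac = defaultdict(set)  # requester MAC -> target IPs asked for
        self.ip_to_mac = {}                      # IP -> MAC learned from replies
        self.scan_threshold = scan_threshold
        self.alerts = []

    def observe(self, info):
        if info['layer'] != 'arp':
            return
        if info['op'] == ARP_REQUEST:
            targets = self.requests_by_mac[info['src_mac']]
            targets.add(info['target_ip'])
            if len(targets) == self.scan_threshold:
                self.alerts.append(f"arp-scan: {info['src_mac']} asked for {len(targets)} addresses")
        elif info['op'] == ARP_REPLY:
            known = self.ip_to_mac.get(info['sender_ip'])
            if known and known != info['sender_mac']:
                self.alerts.append(
                    f"arp-conflict: {info['sender_ip']} moved from {known} to {info['sender_mac']}")
            self.ip_to_mac[info['sender_ip']] = info['sender_mac']


def build_arp(op, sha, spa, tha, tpa):
    """Construct an Ethernet+ARP frame (requests go to the broadcast MAC)."""
    dst = b'\xff' * 6 if op == ARP_REQUEST else tha
    return (struct.pack('!6s6sH', dst, sha, ETHERTYPE_ARP)
            + struct.pack('!HHBBH6s4s6s4s', 1, ETHERTYPE_IP, 6, 4, op, sha, spa, tha, tpa))


def build_ipv4(src_mac, dst_mac, src_ip, dst_ip, proto=1):
    """Construct a minimal Ethernet+IPv4 header (protocol 1 = ICMP)."""
    hdr = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20, 0, 0, 64, proto, 0, src_ip, dst_ip)
    return struct.pack('!6s6sH', dst_mac, src_mac, ETHERTYPE_IP) + hdr


def run_demo():
    """Constructed traffic: an ARP sweep of three addresses, the victim's reply,
    an ICMP packet from the same scanner host, and two replies for the gateway
    IP that disagree on its MAC. Returns (per-frame decisions, monitor alerts)."""
    scanner_mac, scanner_ip = bytes.fromhex('020000000001'), bytes([192, 168, 1, 50])
    victim_mac, victim_ip = bytes.fromhex('020000000002'), bytes([192, 168, 1, 10])
    gateway_mac, gateway_ip = bytes.fromhex('020000000004'), bytes([192, 168, 1, 1])
    rogue_mac = bytes.fromhex('020000000003')
    zero_mac = b'\x00' * 6

    frames = [build_arp(ARP_REQUEST, scanner_mac, scanner_ip, zero_mac, bytes([192, 168, 1, t]))
              for t in (10, 11, 12)]
    frames.append(build_arp(ARP_REPLY, victim_mac, victim_ip, scanner_mac, scanner_ip))
    frames.append(build_ipv4(scanner_mac, victim_mac, scanner_ip, victim_ip))
    frames.append(build_arp(ARP_REPLY, gateway_mac, gateway_ip, victim_mac, victim_ip))
    frames.append(build_arp(ARP_REPLY, rogue_mac, gateway_ip, victim_mac, victim_ip))

    monitor = ArpMonitor(scan_threshold=3)
    decisions = []
    for frame in frames:
        info = parse_frame(frame)
        monitor.observe(info)
        # The Layer 3 rule blocks the scanner's IP packet but never sees its ARP frames.
        decisions.append('blocked' if l3_rule_blocks(info, '192.168.1.50') else 'passed-' + info['layer'])
    return decisions, monitor.alerts


if __name__ == '__main__':
    decisions, alerts = run_demo()
    print(decisions)
    print('\n'.join(alerts))
```

Running it shows the IP block rule catching only the one ICMP frame while all six ARP frames pass, which is exactly why the rules tried in the posts above had no effect; the monitor meanwhile reports the sweep and the conflicting gateway MAC, which is the kind of signal a LAN admin (who, as noted above, can see all of this at the switch anyway) would act on rather than trying to hide a host.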