DSL Lease Renewal and Net Connection

I’m looking for a solution to COMODO Firewall blocking DSL lease renewal (and net acquisition on bootup). As my efforts to fix this appear to be failures, I come seeking help! :slight_smile:

EQUIPMENT:

Fujitsu DSL modem, Linksys BEFSX41 Router, Realtek RTL8139 Fast Ethernet with ACPI support.
Running Windows XP Pro, SP2

SYMPTOMS:

  1. When COMODO Firewall starts up (i.e. after a boot/reboot), it apparently prevents establishing a connection to the Internet. My workaround was to switch the Security Level to “Allow All” and reboot the system. The net connection is made and a DSL lease acquired, then I switch the Security Level back to “Custom.”

  2. My DSL lease renewal always fails; according to XP Pro, it’s a failure to get an IP address (from my router/DHCP Server?). My workaround is to move the Security Level slider to “Allow All,” click the “Repair” button on the Local Area Connection Status window to regain the DSL lease, then reset COMODO to “Custom.”

WHAT I’VE TRIED:

  1. I cobbled together a new Network Control Rule:

    1. ALLOW and LOG UDP OUT from IP RANGE: 192.168.1.1 - 192.168.1.100 to IP RANGE: 72.235.80.4 - 72.235.80.12 where source port is 1024-4999 and destination port is 53.

This eliminated the many reported blocked attempts to reach Verizon’s DNS servers, but didn’t resolve anything else.

  2. I added svchost.exe to the Application Control Rules list:

    svchost.exe, Destination: 255.255.255.255 (Port 67) UDP Out, ALLOW <-- not sure what this does
    svchost.exe, Destination: 192.168.1.1 (Port 68) UDP In, ALLOW
    svchost.exe, Destination: 192.168.1.100 (Port 68) UDP In, ALLOW

I originally had the last two rules lumped together in one, with destination set as a range, later tried splitting them into two separate rules with specific destination ip’s. Either way, it didn’t resolve anything. Worse, I still see those svchost functions blocked as reported in the Activity Logs, so these rules apparently had no effect.


So, I still need to find the settings which will allow net connection and lease acquisition to happen transparently (without intervention). Any ideas/suggestions I should try? TIA!

No one wants to take a stab at this? (:SAD)

Since you have a router, you have to make a trusted network/zone. Follow the wizard. (security/tasks)
Do that first, and we can take it from there.

Check the log what’s getting blocked.
If you make rules in network monitor, you have to put them ABOVE the default block rule. Did you choose “auto” at install?

Sorry AOwL your post wasn’t up when I started writing this post. ;D

I’ll give it a shot!! (:TNG)

You might try this.

Set the firewall to custom again.

Clear your Activity log by right-clicking and choosing “Clear logs” then right-click your connection icon in the Taskbar on the lower right and choose Repair. Watch the log to see what events happen to see if something is getting blocked. This should show you what is being called to connect. Doing this with your firewall set to Custom will block anything that doesn’t have a rule to allow it.

On most programs that I have used, if the connection isn’t allowed the first time it tries to connect then it won’t try again without restarting the application again and this makes it hard to find the ports without some effort. By choosing the repair you are forcing everything to try and connect from the beginning again. Then just use the blocked ports entries to guide you on setting up your rules.

On my Linksys wireless router the first thing that happens is a Ping ( Echo Request) Inbound from the router IP to my IP. If this request isn’t allowed then I get no connection.

I only have a Trusted Zone setup that trusts only the router IP and no rules for connections to the router except the Inbound Ping allow in the Network Control Rules section. I also have both Upnp and SSDP Discovery Services disabled.

Worth a shot.

jasper ;D

Thanks for your help Jasper.
It’s like we both say, if he makes a trusted zone, it should work.
And as you say, always check the log for blocked connections, and make a rule for it, at least those you want… :wink:

No problem AOwL. I usually just hang back as you guys do a great job of helping everyone. My replies are too wordy I’m afraid. I’m the guy who you ask for the time and I tell you how to build a clock instead. (:TNG)

I know what I mean but no one else does.

jasper

LOL!;D

Not a problem as long as you try to help. :wink:

Thanks for your help, AOwL and jasper2408!

Sorry for responding late, but the COMODO forums were down yesterday (cannot access database, or somesuch). I have done the following, following your recommendations as best as I could:

  1. Created a new zone for my router:

    Zone Name: Linksys BEFSX41 Router
    Start Range: 192.168.1.1
    End Range: 192.168.1.100

    I noticed that COMODO Firewall had created a zone for my Ethernet Adapter by default.
    I left this alone.

  2. Used the wizard to make that a Trusted Zone. COMODO then added two network control rules:

    ALLOW IP OUT FROM IP [Any] TO IP ZONE: [Linksys BEFSX41 Router] - 192.168.1.1/192.168.1.100 WHERE IPPROTO IS ANY
    ALLOW IP IN FROM IP ZONE: [Linksys BEFSX41 Router] - 192.168.1.1/192.168.1.100 TO IP [Any] WHERE IPPROTO IS ANY

    Meaning (if I’m reading it right):

    Allow my computer to send to devices in the trusted zone.
    Allow my computer to receive from devices in the trusted zone.

  3. Added a Network Control Rule to allow pings from router/gateway to my computer:

    ALLOW ICMP IN FROM IP 192.168.1.1 TO IP 192.168.1.100 WHERE ICMP MESSAGE IS ECHO REQUEST

  4. Cleared the Activity Log

  5. Clicked “Repair” from the Local Area Connection Status window. Repair fails “Renewing your IP Address”.

    The following appeared in the Log:

    Three incidents of this…

     Medium Severity
     Description: Application Access Denied (svchost.exe:192.168.1.1:dhcp(68))
     Application: C:\WINDOWS\system32\svchost.exe
     Parent: C:\WINDOWS\system32\services.exe
     Protocol: UDP In
     Destination: 192.168.1.1:dhcp(68)
    

    …followed by one incident of this:

    High Severity
    Description: Application Access Denied (svchost.exe:255.255.255.255:bootp(67))
    Application: C:\WINDOWS\system32\svchost.exe
    Parent: C:\WINDOWS\system32\services.exe
    Protocol: UDP Out
    Destination: 255.255.255.255:bootp(67)
    

All this is strange since I previously added these Application Control Rules:

Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Action: Allow
Protocol: UDP
Direction: In
Destination IP: 192.168.1.1
Destination Port: 68
Misc:

Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Action: Allow
Protocol: UDP
Direction: Out
Destination IP: 255.255.255.255
Destination Port: 67
Misc:

So, I had to use the “Allow All” workaround to restore access to the Web and return to this forum. What should I try next?
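AOwL’s point about rule order, applied to the zone rules and the blocked DHCP broadcast in the post above, as an added Python model (not COMODO’s code; that CPF evaluates its network monitor list top-down first-match is an assumption): the two trusted-zone rules, the default block rule, and a candidate UDP-out rule for 255.255.255.255:67. The packets are constructed from the two log entries.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Packet:
    proto: str        # "UDP", "ICMP", ...
    direction: str    # "In" or "Out"
    src: str
    dst: str
    dport: int

@dataclass
class Rule:
    action: str       # "ALLOW" or "BLOCK"
    proto: str        # "ANY" or a protocol name
    direction: str    # "ANY", "In" or "Out"
    src: str          # "Any", one address, or a "lo-hi" range
    dst: str
    dport: object     # "Any" or a port number

def ip_in(ip, spec):
    """True if ip falls inside spec ("Any", a single address, or "lo-hi")."""
    if spec == "Any":
        return True
    lo, _, hi = spec.partition("-")
    addr = ipaddress.IPv4Address(ip)
    return ipaddress.IPv4Address(lo) <= addr <= ipaddress.IPv4Address(hi or lo)

def matches(rule, pkt):
    return ((rule.proto == "ANY" or rule.proto == pkt.proto)
            and (rule.direction == "ANY" or rule.direction == pkt.direction)
            and ip_in(pkt.src, rule.src) and ip_in(pkt.dst, rule.dst)
            and (rule.dport == "Any" or rule.dport == pkt.dport))

def evaluate(rules, pkt):
    """First matching rule wins (assumed CPF behaviour); returns (action, 1-based index)."""
    for i, rule in enumerate(rules, 1):
        if matches(rule, pkt):
            return rule.action, i
    return "BLOCK", None   # nothing matched: treat as blocked

ZONE = "192.168.1.1-192.168.1.100"
TRUSTED_OUT = Rule("ALLOW", "ANY", "Out", "Any", ZONE, "Any")   # the two zone rules from the post
TRUSTED_IN = Rule("ALLOW", "ANY", "In", ZONE, "Any", "Any")
DEFAULT_BLOCK = Rule("BLOCK", "ANY", "ANY", "Any", "Any", "Any")
DHCP_OUT = Rule("ALLOW", "UDP", "Out", "Any", "255.255.255.255", 67)  # candidate rule, not from the post
# Constructed packets mirroring the two blocked log entries above
DHCP_REQUEST = Packet("UDP", "Out", "0.0.0.0", "255.255.255.255", 67)
DHCP_REPLY = Packet("UDP", "In", "192.168.1.1", "192.168.1.100", 68)
```

The broadcast to 255.255.255.255 lies outside the 192.168.1.1–192.168.1.100 zone, so neither zone rule covers it; a dedicated allow only takes effect when it sits above the default block rule.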

If I understand you right.
Have you set your router to give you a static IP 192.168.1.100?
Have you set your PC to use a static or auto IP?

Create a (Block & Log, ICMP, In/Out, Any, Any, Any) rule, that you place just above the default block rule. Now you can see in log if you need some more ICMP rules. This might not have to do with your problem, but can be helpful in the future.

Go to security/advanced/misc and uncheck “do not show alerts for apps…”
Raise the alert frequency slider to the top.
If you haven’t done this, reboot your PC.
Now, you allow and remember everything with svchost and see if you can get a connection.

Post any log entries you get, and we will see what they say.

Thanks for hanging in here with me, AOwL!

I believe the router assigns IP dynamically, but it always seems to be 192.168.1.100.

Do rule changes take effect “on the fly,” or is a reboot necessary?

Any ideas as to why the two Application Control Rules I wrote for svchost apparently had no effect?

“Now, you allow and remember everything with svchost…” This worries me a bit since I also have an issue with svchost trying to contact the strangest places. I wish I knew what applications were using services/svchost.

Offhand, I don’t recall any application on my computer with auto-updating other than anti-virus programs (AVG Free, Trend Micro Antivirus), anti-spyware programs (Spybot S&D, Spy Sweeper with Sophos antivirus), Windows Update, and of course, the COMODO Firewall itself. I have an older copy of Ad-Aware (free) on my computer; I should probably remove that. I used Trend Micro’s HouseCall and Kaspersky’s Online scanner, so some of their baggage is on my computer. I don’t believe they auto-update, since they are on-demand services.

When I look at “Security | Advanced | Miscellaneous,” under “Firewall Alerts” I see these items checked: “Enable Alerts” and “Skip loopback UDP connections.” “Do not show any alerts for the applications certified by COMODO” was already unchecked. I presume the default Alert Frequency Level = Low is responsible for no pop-ups showing up?

I’ll try to record what pop-ups I see after resetting the Alert Frequency to High and rebooting. And report back here… ;D

You sometimes need to restart CPF or even reboot your PC before some rules take effect.

Don’t be afraid of allowing svchost, because you can always delete the rules after your tests.
You can do a lookup on the IP’s that are used. http://www.iptools.com/

Change your rule
ALLOW ICMP IN FROM IP 192.168.1.1 TO IP 192.168.1.100 WHERE ICMP MESSAGE IS ECHO REQUEST

Make it ICMP IN, Any, zone, Any
ICMP Out, zone, Any, Any
You can see if allowing all icmp makes it work.

You might consider going in to your router settings and see if you can set up the router to give you a static IP, and then set up your connection in windows to have a static IP.

Typically the Linksys router IP is a static one, since it’s internal (I have one myself) - this is the 192.168.1.xxx (your gateway address). The external IP is assigned by your ISP, and is by default dynamic (unless you’re paying for a static one, and then you’d know…); this will be provided through your DSL modem.

Here’s something to think about… some DSL providers use an application on your computer to connect through to their network to establish that you are who you say you are (so to speak). Mine does that (SBC); they use something called IPInSight or Visual IP or something. I believe it connects using svchost.

The 255.255.255.255 looks like a subnet mask IP, to me, assigned by a network (LAN). Here’s a MS KB article talking about TCP/IP Routing http://support.microsoft.com/kb/140859. Linksys is owned by Cisco; here’s a Cisco link talking about some subnet issues http://www.cisco.com/en/US/products/hw/routers/ps133/products_tech_note09186a00802015c8.shtml
and here’s Linksys’ support site http://www.linksys.com/servlet/Satellite?c=L_Content_C1&childpagename=US%2FLayout&cid=1114037290855&pagename=Linksys%2FCommon%2FVisitorWrapper

Maybe some of this will help shed some light on your problem.

I have a similar router at home (might even be the same one; not sure), and installed CPF; I did not experience any issues like you have. Unfortunately I can’t check on it more right now, as Windows hates me at the moment, and I have to reinstall. :’(

LM

Just assign a static IP at your PC through the Windows interface. It is the simplest workaround :wink:

But will that resolve the problem Gekko is having? I don’t guess I’ve ever seen the “internal” IPs to be anything but static. The lease may be renewed, but the IP stays the same. On a LAN, they might be renewed dynamically (although I’ve not seen it), but on a true network (such as at a business where there’s a server that controls the internet, has networked drives, etc) I think they’re always statically assigned as part of the communication protocol.

Gekko, if you go to Start/Run/cmd and type ipconfig /all. This will show you all this info. If you reboot and it has changed, you know something’s dynamic. This will not show your external IP; only internal.

Here’s a question that I don’t think got answered… What do your CPF logs show when the connection is blocked? When CPF blocks and logs a connection, it should log which Network Rule caused the block (down at the bottom of the details it will say “Reason” and “Network Control Rule x” where x is a number). Then check that rule to see why it’s blocking the access.

Another thought after that is to check the boxes to skip the loopback connections. I know that causes some people problems on a LAN. You can see if that helps.

LM

I need help with this problem as well, though I do not have a router. I do not understand anything about setting network control rules. Basically what occurs is that after a while my svchost.exe will try to renew my IP address for my DSL connection. I have a DSL modem. Comodo does not allow the renewal. I have this application rule set for svchost.exe, set as free as it will possibly allow: “all activities for this application” and “skip advanced activity checks”. I also unchecked the monitor DNS queries that I saw in another forum question similar to this, and my internet connection still fails to renew after a few hours. So basically I have to shut Comodo down, renew my IP connection and then start the firewall back on again. Please explain to me in simple terms what I need to do to correct this. I like this software and would like to continue to use it, but it seems complex in this regard, as I did not have this problem with Zone Alarm. I was looking for an alternative to Zone Alarm because I do not like their new upgrade that is going to be released in January.

Thanks.

jaesha,

Welcome to the CPF forums! On the downside of CPF’s solid security and level of sophistication, is the difference (and thus confusion) the rulemaking creates. Once you’ve got some basics out of the way, you won’t find a better firewall (not at the present, anyway) - that’s not my opinion, independent professional testing shows it.

If you do the following, hopefully this will resolve your issue:

Go to Security/Tasks, and run the Scan for known applications Wizard in the lower right corner. It’s automated and will require nothing from you other than a click or two. Once that’s finished, reboot your computer. You should be good to go now (and you should be able to remove the Application rule for svchost; you shouldn’t need it - I don’t have one on either computer I’m running DSL on).

If you still have trouble, you may need to run the Define a new trusted network Wizard - Security/Tasks/ lower left corner. I don’t think you will, though.

Hope this helps,

LM

PS: Here’s a couple of links to test results for CPF’s security:

http://www.matousec.com/projects/windows-personal-firewall-analysis/leak-tests-results.php

http://www.firewallleaktester.com/termination_overview.php The top part of the page has their explanations about results; towards the bottom is a button to view the results…

Welcome to the forum.
Don’t worry about not knowing anything about this firewall.
It isn’t too complicated. You will learn… :wink:
Just ask questions here in the forum.

When your connection can’t renew your IP,
doesn’t the log in CF say anything?
Try to remember to have a look at it the next time you lose the connection.
Right click in the rules, and export it as html. Attach it here, so we can help you.

Thanks Aowl for such a quick reply. :BNC

I have already done both of those things that you mentioned. When first setting up the firewall, Comodo ran the scan for known applications. Actually, it did not recognize svchost.exe in this scan, which I thought was odd. It didn’t recognize many programs. I’m not certain why. It only recognized the application when it made the outgoing communication. I do have the setting at custom/learning, so that I can monitor the program closely, instead of having everything at a trusted automated state. Could this be the reason?

I have run it twice again, hoping to find and fix this problem. It has also already recognized my Network Adapter and seems to have it in my trusted network. This is why I am so stumped. I cannot figure out why it is blocking this communication. I did not reboot; I only turned off Comodo and turned it on several times when the changes were made. I will try that to see if new settings are recognized.

FYI, I ran the Define a new trusted network Wizard when I was trying to figure out a fix; it basically set up a duplicate of what had been set up by default at installation.

I’ll let you know what happens. Hopefully the reboot will be the simple answer.

Thanks again!