Firewall blocking a trusted application?

Hi,
I have Comodo Firewall 3.8. The firewall is blocking an application I have marked as trusted (Iomega network storage application). I am at my wits' end as to why it should be blocking a trusted application. There are no errors that I can see in the log files, intrusion attempts are 0. The application uses an IP that is already defined as part of a trusted IP range.

Zonealarm is quite happy with the application on my other PC, but Comodo isn’t. How can I find out why Comodo is blocking this app?

Also how can I see a list of my trusted applications and blocked applications?

Cheers

After a bit more investigation on these forums I enabled very verbose error reporting and this is what I get now:

Date/Time Application Action Source IP Source Port Destination IP Destination Port Protocol
09/04/2009 20:37:24 Windows Operating System Blocked 84.31.249.198 4134 192.168.2.2 3724 TCP

(This was classed as an intrusion attempt by Comodo)

It seems that Comodo is seeing this process as a Windows process and not as an Iomega process. The process tree seems to confirm this, where the Iomega process is showing as a sub-process of the Windows process. The IP address 84.31.249.198 doesn't seem to be a valid URL so I am not sure what is going on here. Maybe this is some sort of loopback error.

Still no idea…

Welcome to the Forum, AlienChild.

Click on Firewall/Advanced/Network Security Policy.
Scroll down to find the app you are looking for.
To make changes, select it and click the appropriate button on the right.

Thanks for that info. I have edited the rules; I now have:

  • Allow all requests
  • Allow TCP or UDP from ANY IP or port to ANY IP or port

Alert settings are on very high and all errors are enabled, but 0 errors.

Still does not work. What do I need to add to get this application to work?

Check the Defense+ rules for this program.
You are looking at the Firewall, but maybe it isn't seeing anything because the program itself has been blocked.
Also try removing the program from Defense+ and re-running the program. You should see an alert to allow it to run.

I don't think it has anything to do with Defense+ because it is active the whole time, yet the application only runs if I disable the firewall and is not dependent on whether Defense+ is enabled or disabled.

Nevertheless I did do what you suggested and tried deleting it from Defense+. It didn't actually ask to add the application but popped up with a message that it is "learning" the behaviour of the app.

I would have thought that the 2 rules I have active in firewall should be enough to allow the app to do anything, but I must be missing a rule to get it to work. It seems a bit weird to me that Comodo is obviously stopping the application from running correctly but not generating any errors while doing it!

Still stuck, I am afraid. Anything else you can suggest?

Hi,

Have you tried making a rule for System in application rules?

Use the Stealth Ports Wizard to create and trust the IP of the device and you should get 2 global rules (for the IP) and 2 application rules for System.

Worth a try

Hi Matty,

Thanks for the tip. Unfortunately I haven't got a clue what you are talking about, or how or why it would help :-/

I have no idea what the Stealth Ports Wizard is used for, what you mean by System, why this would create different rules, and where or how I would see these rules.

Obviously I tried running the Stealth Ports Wizard and putting in the IP address as a start and end IP range, but it would not go beyond this point.

Please would you or someone explain in more detail what the Stealth Ports Wizard does and how it might help.

Thanks for all the ideas so far; unfortunately I am still stuck.

Hi AC,

You may have already tried this and I don't know if it will help, but it's worth trying as UPnP may be used by the device, so Windows may need some info.

Anyway, go to Stealth Ports Wizard, click on Next, check "I would like to define and trust a new network".
Put in the IP range of your network (you could try starting off with the full network, i.e. 192.168.0.1 - 192.168.0.255).
If this helps we could trim it down later.
Now click on "Finish".
You should receive the message "Your firewall has been configured accordingly".

Now have a look in Firewall/Advanced/Network Security Policy/Application Rules.
You should see 2 rules for System:
1. Allow System to send requests if the target is IP in (your network)
2. Allow System to receive requests if the sender is IP in (your network)

In Global Rules you should have:
1. Allow all outgoing requests if the target is IP in (your network)
2. Allow all incoming requests if the sender is IP in (your network)

Hi Matty,

Thanks again. I did try this with IP range 192.168.0.1 - 192.168.2.255. Note that this is wider than the range you suggested. I checked in application rules and saw the new rules in System and in Global; just like you said, they were there.

Still not working.

Something is still bothering me and this gives me an idea. It has always bothered me that CF is not generating any error messages even with all alerts enabled and maximum verbosity, yet the application is still being blocked. Perhaps then the application is NOT being blocked by CF directly but by some process that is enabled when CF is enabled and disabled when CF is disabled.

Any thoughts?

Thanks again.

Something you could try for testing purposes is to disable Defence+ permanently. Go to Defence+/Advanced/Defence+ Settings, check the box "Deactivate the D+ permanently" and then re-boot your computer.

This could help ascertain whether D+ is interfering in any way. Re-enable after though.

By the way, are there any related entries in Defence+/View Defence+ Events, or any files in "My Pending Files"?

Matt

Tried disabling Defense+ permanently.

Still doesn’t work.

Thanks again for all the ideas; pity I can't seem to make it work yet!

Hi AC,

Been doing a bit of searching for similar problems but zilch is turning up :-TD

One thing you could try: Firewall/Advanced/Attack Detection Settings/Miscellaneous, uncheck "Block Fragmented IP datagrams"; may require a re-boot.

I know if these are blocked there is no logging for it, and as nothing is being logged... you never know!!

I'll see if any of the other mods have any suggestions, I'm right out, sorry.

Matt

Let me try to wrap my head around it. Can you tell us more about your network setup?

As far as I understand you have a Network Attached Storage device that is connected to your local network. You use an application to connect to the device?

Could you try adding the addresses 0.0.0.0 and 255.255.255.255 to the Global Rules using the Stealth Ports Wizard as described above? These are broadcast addresses.

When looking at the Global Rules make sure all allow rules (green icon) are above the basic block rule (red icon). Otherwise the rules are not being used.
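The ordering point above (allow rules must sit above the basic block rule) comes from first-match evaluation: rules are walked top to bottom and the first one that matches decides. The following is an added illustration of that evaluation order, not Comodo's code; the rule sets, LAN range and addresses are constructed for the example.

```python
"""First-match evaluation of a firewall's global rule list (added example,
not Comodo's implementation). An "allow" rule placed below a "block all"
rule can never fire, which is why the green rules must sit above the red one.
All rules and addresses below are constructed for this illustration."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "block"
    direction: str                   # "in", "out" or "any"
    network: ipaddress.IPv4Network   # remote address range; 0.0.0.0/0 means any

    def matches(self, direction, remote):
        return (self.direction in ("any", direction)
                and ipaddress.IPv4Address(remote) in self.network)


def evaluate(rules, direction, remote, default="block"):
    """Return the action of the first matching rule, or the default."""
    for rule in rules:
        if rule.matches(direction, remote):
            return rule.action
    return default


def shadowed_rules(rules):
    """Indices of rules that can never fire because an earlier rule in the same
    direction already covers their whole address range (simple supernet check)."""
    dead = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier.direction in ("any", rule.direction)
                    and rule.network.subnet_of(earlier.network)):
                dead.append(i)
                break
    return dead


ANY = ipaddress.IPv4Network("0.0.0.0/0")
LAN = ipaddress.IPv4Network("192.168.2.0/24")   # constructed LAN range

# Allow rules (green) above the basic block rule (red): LAN traffic gets through.
ORDERED_CORRECTLY = [
    Rule("allow", "out", LAN),
    Rule("allow", "in", LAN),
    Rule("block", "in", ANY),   # the basic "block all incoming" rule
]

# The same rules with the block rule first: the LAN allow rule is dead.
ORDERED_WRONGLY = [
    Rule("block", "in", ANY),
    Rule("allow", "out", LAN),
    Rule("allow", "in", LAN),
]

if __name__ == "__main__":
    for name, rules in (("correct", ORDERED_CORRECTLY), ("wrong", ORDERED_WRONGLY)):
        verdict = evaluate(rules, "in", "192.168.2.2")
        print(f"{name}: inbound from 192.168.2.2 -> {verdict}; "
              f"shadowed rule indices: {shadowed_rules(rules)}")
```

`shadowed_rules` is the check a practitioner would want when a rule "is there but does nothing": it reports any rule whose address range is already fully covered by an earlier rule in the same direction.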

ooooooooh SUCCESS, it works now!
But how safe is "Block Fragmented IP datagrams" being deactivated?

Ronny can confirm this, but my understanding is if a packet is fragmented, it may or may not be valid.

Thanks for all the help Matt and everyone else, I was beginning to despair that we could solve the problem! :smiley:

I still have a question or two.
Since I had to deactivate "Block Fragmented IP datagrams", how safe is my computer now, and why would this block without logging? It caused no end of trouble by not logging.

Hi AC,

From the help file:

When a connection is opened between two computers, they must agree on a Mass Transmission Unit (MTU). IP Datagram fragmentation occurs when data passes through a router with an MTU less than the MTU you are using i.e when a datagram is larger than the MTU of the network over which it must be sent, it is divided into smaller ‘fragments’ which are each sent separately. Fragmented IP packets can create threats similar to a DOS attack. Moreover, these fragmentations can double the amount of time it takes to send a single packet and slow down your download time.

Comodo Firewall is set by default to block fragmented IP datagrams i.e the option Block Fragmented IP datagrams is checked by default.

Thing is, you should be fine anyway as you're behind a router and have DoS (denial of service) protection configured in "Attack Detection Settings" -> Intrusion Detection.

No idea why it doesn't log anything, it never has, would be helpful too 88)
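To make the help-file text above concrete, here is an added example (not Comodo's code) that builds IPv4 fragments from a datagram larger than the MTU, detects fragments by the MF flag and fragment offset the way a "block fragmented datagrams" filter would, and shows why silently dropping them breaks a transfer: the receiver can never reassemble the original. The addresses, payload and MTU are constructed values, and the header checksum is left at zero for brevity.

```python
"""IPv4 fragmentation, fragment detection and the effect of silently dropping
fragments. Added example, not Comodo's code; addresses, payload and MTU are
constructed, and the IPv4 header checksum is left at zero for brevity."""
import struct

IPV4_HEADER_LEN = 20
FLAG_MF = 0x1   # More Fragments
FLAG_DF = 0x2   # Don't Fragment
HDR_FMT = "!BBHHHBBH4s4s"   # ver/ihl, tos, len, id, flags+off, ttl, proto, csum, src, dst


def build_header(src, dst, total_len, ident, flags, frag_offset, proto=6, ttl=64):
    """Minimal 20-byte IPv4 header; the fragment offset field is in 8-byte units."""
    flags_off = (flags << 13) | (frag_offset // 8)
    return struct.pack(HDR_FMT, (4 << 4) | 5, 0, total_len, ident, flags_off,
                       ttl, proto, 0,
                       bytes(map(int, src.split("."))),
                       bytes(map(int, dst.split("."))))


def fragment(src, dst, ident, payload, mtu):
    """Split payload into datagrams no larger than mtu, RFC 791 style."""
    if IPV4_HEADER_LEN + len(payload) <= mtu:
        return [build_header(src, dst, IPV4_HEADER_LEN + len(payload), ident, 0, 0) + payload]
    max_data = (mtu - IPV4_HEADER_LEN) // 8 * 8   # data per fragment, multiple of 8
    frags = []
    for off in range(0, len(payload), max_data):
        chunk = payload[off:off + max_data]
        more = off + max_data < len(payload)
        hdr = build_header(src, dst, IPV4_HEADER_LEN + len(chunk), ident,
                           FLAG_MF if more else 0, off)
        frags.append(hdr + chunk)
    return frags


def parse_header(datagram):
    f = struct.unpack(HDR_FMT, datagram[:IPV4_HEADER_LEN])
    flags_off = f[4]
    return {"ident": f[3],
            "mf": bool((flags_off >> 13) & FLAG_MF),
            "df": bool((flags_off >> 13) & FLAG_DF),
            "offset": (flags_off & 0x1FFF) * 8,
            "payload": datagram[IPV4_HEADER_LEN:]}


def is_fragment(datagram):
    """A datagram belongs to a fragmented one if MF is set or the offset is non-zero."""
    h = parse_header(datagram)
    return h["mf"] or h["offset"] != 0


def apply_policy(datagrams, block_fragments):
    """Model of the firewall option: fragments are dropped, and nothing is logged."""
    return [d for d in datagrams if not (block_fragments and is_fragment(d))]


def reassemble(datagrams):
    """Rebuild the payload; None if any piece (or the final piece) never arrived."""
    pieces = sorted((parse_header(d) for d in datagrams), key=lambda h: h["offset"])
    if not pieces:
        return None
    data = b""
    for h in pieces:
        if h["offset"] != len(data):   # a gap means a fragment was dropped
            return None
        data += h["payload"]
    return None if pieces[-1]["mf"] else data


if __name__ == "__main__":
    payload = bytes(range(256)) * 12          # constructed 3072-byte payload
    frags = fragment("192.168.2.2", "192.168.2.10", 0x1234, payload, 1500)
    print(f"{len(frags)} fragments; all flagged as fragments: {all(map(is_fragment, frags))}")
    print("blocking fragments, reassembled:", reassemble(apply_policy(frags, True)))
    print("allowing fragments, reassembled OK:", reassemble(apply_policy(frags, False)) == payload)
```

The point for the thread: a datagram that needs more than one piece is entirely made of fragments (even the first piece carries MF), so the filter drops every piece and the application sees a transfer that simply never completes rather than a logged error.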

A great thanks to you all. I had the same problem and was about to uninstall Comodo and go back to trusting Vista's firewall (D'oh). Disabling "Block Fragmented IP datagrams" worked like a charm!

Another satisfied customer! Had no problem accessing the Iomega NAS from a wired desktop running Win7 and Windows Firewall, but was tearing my hair out trying to access it via a wireless laptop running Comodo Firewall. Ascertained it was the firewall blocking access and finally found this thread. As others have said, unchecking "Block fragmented IP datagrams" solved it. However, whilst I'm happy running like this at home, or on known router-firewalled networks, I'm still a little concerned about accessing on unknown networks. Blimey, I sound like Donald Rumsfeld talking about known unknowns, unknown knowns and unknown unknowns!