Firewall log skips many packets. [285]

The bug/issue

  1. What you did: Sent series of ICMP packets to test logging.
  2. What actually happened or you actually saw:

Firewall’s log is missing most packets, even when ordered to log.

I made a test with a set of rules with logging enabled for an ICMP ping test (the rules are explained below). I sent 10 pings, but only 3-4 Echo Requests were recorded as Allowed Out. No Echo Reply was recorded as Allowed In (yes, the destination was up and responding). It did not matter whether I pinged from my workstation or pinged myself from an external shell (except that Blocked In Echo Requests were logged, though only about half of those sent).

Here are the rules I had:

  • A preset called “ICMP Scan”:
    allow & log, ICMP, out, from *, to *, ICMP: Echo Request
    block & log, IP, in/out, from *, to *, IPprot: any
  • This preset was applied to a few test applications: NetLab, WinMTR and ordinary ping.exe
  • Global rules:
    allow & log, ICMP, out, from *, to *, ICMP: Echo Request
    allow & log, ICMP, in, from *, to *, ICMP: Echo Reply
    allow & log, ICMP, in, from *, to *, ICMP: Time Exceeded
    block & log, ICMP, out, from *, to *, ICMP: any
    block & log, IP, in, from *, to *, IPprot: any

What is strange… the preset (and applications) did not need “allow, ICMP, in, Echo Reply” to work… ???

  1. What you expected to happen or see: I expected to see all packets outgoing/incoming in log.
  2. How you tried to fix it & what happened: Unable to fix (all rules had logging enabled).
  3. Details (exact version) of any software involved with download link:
  4. Any other information (eg your guess regarding the cause, with reasons):

Files appended

  1. Screenshots illustrating the bug:
  2. Screenshots of related event logs or the active processes list:
  3. A CIS config report or file.
  4. Crash or freeze dump file:

Your set-up

  1. CIS version, AV database version & configuration used: CIS 5.0.162636.1135 / 6262 / customized “proactive security”.
  2. Whether you imported a configuration, if so from what version:
  3. Defense+ and Sandbox OR Firewall security level: D+: Paranoid / SB: Enabled / FW: Custom Policy.
  4. OS version, service pack, no of bits, UAC setting, & account type: XP SP2
  5. Other security and utility software running: None.
  6. Virtual machine used (Please do NOT use Virtual box): None.

We would very much appreciate it if you would edit your first post to create an issue report in line with the bug forum guidelines and format here. You can copy and paste the format from this topic.

To understand the reasons why we ask you to follow these guidelines please see below.

WHY WE ASK YOU TO FOLLOW THESE GUIDELINES
Bugs/issues can be impossible or very time consuming to fix if developers don’t have enough information to reproduce them. Since CIS is free, development time is limited. So if you want your issue fixed, please use the format below to describe it.

To avoid clutter, issues not described in the format below your post will not be moved to the ‘moderator verified’ issues topic. This means that the developers may not look at it.

Best wishes and many thanks in anticipation

Mouse

That’s not consistent behaviour of CIS; it should log them all.

No Echo Reply was recorded as Allowed In (yes, the destination was up and responding). It did not matter whether I pinged from my workstation or pinged myself from an external shell
That is expected behaviour of a Stateful Inspection Firewall; Stateful will trump a rule:

In computing, a stateful firewall (any firewall that performs stateful packet inspection (SPI) or stateful inspection) is a firewall that keeps track of the state of network connections (such as TCP streams, UDP communication) travelling across it. The firewall is programmed to distinguish legitimate packets for different types of connections. Only packets matching a known connection state will be allowed by the firewall; others will be rejected.
(except that Blocked In Echo Requests were logged, though only about half of those sent).
Blocking of unsolicited packets is what we expect but of course it has to log them all.
Here are the rules I had:
  • A preset called “ICMP Scan”:
    allow & log, ICMP, out, from *, to *, ICMP: Echo Request
    block & log, IP, in/out, from *, to *, IPprot: any
  • This preset was applied to a few test applications: NetLab, WinMTR and ordinary ping.exe
  • Global rules:
    allow & log, ICMP, out, from *, to *, ICMP: Echo Request
    allow & log, ICMP, in, from *, to *, ICMP: Echo Reply
    allow & log, ICMP, in, from *, to *, ICMP: Time Exceeded
    block & log, ICMP, out, from *, to *, ICMP: any
    block & log, IP, in, from *, to *, IPprot: any

What is strange… the preset (and applications) did not need “allow, ICMP, in, Echo Reply” to work… ???

Again Stateful Inspection doing its work.
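The state-table behaviour Eric describes, applied to the rule sets from the first post, as an added Python model. This is illustration code written for this thread, not CIS code, and it assumes a simple two-stage design: an Echo Reply that matches a pending outgoing Echo Request (same endpoints, identifier and sequence) is accepted by the state table before the rule list is consulted, and only rule hits produce log lines. The `Packet`, `Rule` and `StatefulIcmpFilter` names and the log-line format are constructed for the example.

```python
"""Toy stateful ICMP filter (added example, not CIS's implementation).

Shows two things from the thread:
  * a solicited Echo Reply is admitted by the state table, so no
    "allow in, Echo Reply" rule fires and nothing is logged for it;
  * the "ICMP Scan" preset, which has no Echo Reply rule at all,
    still lets ping work for the same reason.
Every rule hit is logged here, which is the behaviour the thread says
CIS should have (the report is that CIS drops some of those entries).
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# ICMP type numbers (RFC 792)
ECHO_REPLY = 0
ECHO_REQUEST = 8
TIME_EXCEEDED = 11


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out" relative to the host
    src: str
    dst: str
    icmp_type: int
    ident: int       # ICMP identifier field
    seq: int         # ICMP sequence number


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "block"
    direction: str              # "in", "out" or "in/out"
    icmp_type: Optional[int]    # None means any ICMP type
    log: bool = True


# Constructed from the thread's rule lists (all rules had logging on).
PRESET_ICMP_SCAN: List[Rule] = [
    Rule("allow", "out", ECHO_REQUEST),
    Rule("block", "in/out", None),
]
GLOBAL_RULES: List[Rule] = [
    Rule("allow", "out", ECHO_REQUEST),
    Rule("allow", "in", ECHO_REPLY),       # only reachable by unsolicited replies
    Rule("allow", "in", TIME_EXCEEDED),
    Rule("block", "out", None),
    Rule("block", "in", None),
]

StateKey = Tuple[str, str, int, int]   # (local, remote, ident, seq)


class StatefulIcmpFilter:
    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.pending: Set[StateKey] = set()   # outstanding Echo Requests
        self.log: List[str] = []

    def _matches_state(self, pkt: Packet) -> bool:
        """Inbound Echo Reply that answers a request we sent earlier."""
        if pkt.direction != "in" or pkt.icmp_type != ECHO_REPLY:
            return False
        key: StateKey = (pkt.dst, pkt.src, pkt.ident, pkt.seq)
        if key in self.pending:
            self.pending.discard(key)     # one reply closes the entry
            return True
        return False

    def process(self, pkt: Packet) -> str:
        # Stage 1: connection state wins and bypasses the rule list.
        if self._matches_state(pkt):
            return "allow (state)"
        # Stage 2: first matching rule decides; only rule hits are logged.
        for rule in self.rules:
            if rule.direction not in (pkt.direction, "in/out"):
                continue
            if rule.icmp_type is not None and rule.icmp_type != pkt.icmp_type:
                continue
            if rule.log:
                self.log.append(
                    f"{rule.action} {pkt.direction} icmp_type={pkt.icmp_type} "
                    f"{pkt.src}->{pkt.dst} id={pkt.ident} seq={pkt.seq}")
            if rule.action == "allow" and pkt.direction == "out" \
                    and pkt.icmp_type == ECHO_REQUEST:
                self.pending.add((pkt.src, pkt.dst, pkt.ident, pkt.seq))
            return rule.action
        return "block"   # implicit default deny


def simulate_ping(rules: List[Rule], count: int = 10) -> dict:
    """Send `count` Echo Requests from a constructed host and answer each."""
    fw = StatefulIcmpFilter(rules)
    local, remote, ident = "192.0.2.10", "192.0.2.1", 0x1234
    request_verdicts, reply_verdicts = [], []
    for seq in range(1, count + 1):
        request_verdicts.append(
            fw.process(Packet("out", local, remote, ECHO_REQUEST, ident, seq)))
        reply_verdicts.append(
            fw.process(Packet("in", remote, local, ECHO_REPLY, ident, seq)))
    # An unsolicited Echo Request from a third host hits the block rule.
    unsolicited = fw.process(Packet("in", "198.51.100.7", local, ECHO_REQUEST, 7, 1))
    return {"requests": request_verdicts, "replies": reply_verdicts,
            "unsolicited": unsolicited, "log": fw.log}


if __name__ == "__main__":
    for name, rules in (("preset", PRESET_ICMP_SCAN), ("global", GLOBAL_RULES)):
        result = simulate_ping(rules)
        print(name, result["replies"][0], result["unsolicited"], len(result["log"]))
```

With either rule set, `simulate_ping` reports every Echo Request as "allow" (and logged), every reply as "allow (state)" (not logged, because no rule was consulted), and the unsolicited inbound request as "block" (logged). That is the expected picture: 10 Allowed Out lines, no Allowed In lines, one Blocked In line. Against this baseline, the thread's 3-4 Allowed Out entries for 10 requests and roughly half of the Blocked In entries are the missing log lines, which is the only part of the report that is a defect.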

So just to confirm - the issue referred to above is the only valid issue, Eric?

Thanks

Mouse


That’s the only valid issue. It does not log all things it should be logging. The other observations are a result of not taking into account the nature of Stateful Inspection.

OK, I agree, but ICMP is not really stateful (however, sessions can be virtualized). Anyway, for a few years I used another stateful fw which logged solicited replies; that’s why I was confused.

BTW. Updated my first post to meet the rules (sorry for a delay).

OK many thanks for putting the report in standard format.

Moving to format verified

Best wishes

Mouse