hamachi + ultravnc = no comodo

llol_slim · April 1, 2007, 10:21am

hi im new and just installed comodo firewall.
i love it, it seems much better than anything ielse i have ever usede.
however, i have my vpn setup (hamachi, www.hamachi.cc) and i use ultravnc to access my home computer via work.
i have tested it with comodo, and from home i can access the work computer (which doesnt have comodo) but work connecting to home doesnt work.

basically
work[no comodo] → home[comodo] works
home[comodo] → work[no comodo] does not work

i understand i can setup a trusted zone but hamachi sets IPs in a massive range so I’m not sure how to do it as I dont want any hamachi user on the server to be able to connect to my ultravnc

i have added ultravnc and hamachi to the allowed list but is still doesnt work.
I can see my attempts to connect in the logs and it says it has blocked it.

Please help
thanks

gibran · April 1, 2007, 12:14pm

yep I’m a bit confused, could you post the log regarding refused connection attempts…

llol_slim · April 1, 2007, 4:19pm

is it safe to upload my log with all the ip addresses?
I guess not so heres a censored version

http://img108.imageshack.us/img108/884/untitledup5.th.jpg
<<Clicky<<
my setup is

“HOME” (comodo installed)

“work” (comodo NOT installed)

I use Hamachi to create a VPN and give me my IP addresses
I want to use UltraVNC to remotely access “HOME” with my “WORK” pc

Sitting at “HOME” I can use UltraVNC to access my “WORK” pc and remotely control it

Sitting at “WORK” I load UltraVNC to access “HOME” but it does not connect and the above shows up in the activity log in Comodo Firewall

I hope this makes is clearer? I’m deserate as I will need access tomorrow in order to do my work

gibran · April 1, 2007, 5:40pm

You should create an inbound rule on port 5900.

Regarding the log you could export to html then save to txt and then search and rename ip adressess making sure the same ip adressess will get the same bogus name…

regarding private side ip add a private tag to the bogus address…

But if you public ip adresses are dynamic there is no serious drawback apart from telling you zone.

llol_slim · April 1, 2007, 5:54pm

i appreciate the help, but (sorry) could you give a little more info please? I created a rule and it hasnt made any difference
i went to “network control rules” clicked “add” then specified the “destination port” to “5900”
it didnt work, I also tried setting the “source port” to “5900” which also didnt work, and I tried both at the same time and that also didnt work.
I AM a n00b when it comes to firewalls

gibran · April 1, 2007, 6:05pm

Well, you could look at the log I cannot see, and see if the destination port is the same or if the source port is the same, the type of packet…

Maybe you could export it and rename the ip?

llol_slim · April 1, 2007, 6:52pm

ok ive replaced the ip with a bogus one

Date/Time :2007-04-01 17:07:43
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.3, Port = nbdgram(138))
Protocol: UDP Incoming
Source: 192.168.1.3:nbdgram(138) 
Destination: 192.168.1.255:nbdgram(138) 
Reason: Network Control Rule ID = 5

Date/Time :2007-04-01 17:07:43
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 1.123.12.12, Port = nbdgram(138))
Protocol: UDP Incoming
Source: 1.123.12.12:nbdgram(138) 
Destination: 5.255.255.255:nbdgram(138) 
Reason: Network Control Rule ID = 5

Date/Time :2007-04-01 17:06:48
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 1.123.12.12, Port = nbname(137))
Protocol: UDP Incoming
Source: 1.123.12.12:nbname(137) 
Destination: 5.255.255.255:nbname(137) 
Reason: Network Control Rule ID = 5

because i cannot get it to work.
thanks again

gibran · April 1, 2007, 6:58pm

these are network file and printer sharing protocol connections…
Not vnc

the longer is the list the better…

look for network monitor rules an application monitor rules

llol_slim · April 1, 2007, 7:04pm

ok

 
Date/Time :2007-04-01 17:07:43
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.3, Port = nbdgram(138))
Protocol: UDP Incoming
Source: 192.168.1.3:nbdgram(138) 
Destination: 192.168.1.255:nbdgram(138) 
Reason: Network Control Rule ID = 5

Date/Time :2007-04-01 17:07:43
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = x.XXX.xx.XX, Port = nbdgram(138))
Protocol: UDP Incoming
Source: x.XXX.xx.XX:nbdgram(138) 
Destination: 5.255.255.255:nbdgram(138) 
Reason: Network Control Rule ID = 5

Date/Time :2007-04-01 17:06:48
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = x.XXX.xx.XX, Port = nbname(137))
Protocol: UDP Incoming
Source: x.XXX.xx.XX:nbname(137) 
Destination: 5.255.255.255:nbname(137) 
Reason: Network Control Rule ID = 5

Date/Time :2007-04-01 17:06:43
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = x.XXX.xx.XX, Port = 5900)
Protocol: TCP Incoming
Source: x.XXX.xx.XX:1065 
Destination: x.XXX.xx.XX:5900 
TCP Flags: SYN 
Reason: Network Control Rule ID = 5
In the attackers' world, this port is usually used by Trojan.Backdoor.Evivinc(5900)

Date/Time :2007-04-01 17:06:43
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = x.XXX.xx.XX, Port = nbname(137))
Protocol: UDP Incoming
Source: x.XXX.xx.XX:nbname(137) 
Destination: 5.255.255.255:nbname(137) 
Reason: Network Control Rule ID = 5

Date/Time :2007-04-01 17:06:43
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = x.XXX.xx.XX, Port = nbdgram(138))
Protocol: UDP Incoming
Source: x.XXX.xx.XX:nbdgram(138) 
Destination: 5.255.255.255:nbdgram(138) 
Reason: Network Control Rule ID = 5

Date/Time :2007-04-01 17:06:38
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = x.XXX.xx.XX, Port = 5900)
Protocol: TCP Incoming
Source: x.XXX.xx.XX:1065 
Destination: x.XXX.xx.XX:5900 
TCP Flags: SYN 
Reason: Network Control Rule ID = 5
In the attackers' world, this port is usually used by Trojan.Backdoor.Evivinc(5900)

Date/Time :2007-04-01 17:06:38
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = x.XXX.xx.XX, Port = nbname(137))
Protocol: UDP Incoming
Source: x.XXX.xx.XX:nbname(137) 
Destination: 5.255.255.255:nbname(137) 
Reason: Network Control Rule ID = 5

Date/Time :2007-04-01 17:06:38
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = x.XXX.xx.XX, Port = nbdgram(138))
Protocol: UDP Incoming
Source: x.XXX.xx.XX:nbdgram(138) 
Destination: 5.255.255.255:nbdgram(138) 
Reason: Network Control Rule ID = 5

Date/Time :2007-04-01 17:06:33
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = x.XXX.xx.XX, Port = 5900)
Protocol: TCP Incoming
Source: x.XXX.xx.XX:1065 
Destination: x.XXX.xx.XX:5900 
TCP Flags: SYN 
Reason: Network Control Rule ID = 5
In the attackers' world, this port is usually used by Trojan.Backdoor.Evivinc(5900)

Date/Time :2007-04-01 17:06:33
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = x.XXX.xx.XX, Port = nbname(137))
Protocol: UDP Incoming
Source: x.XXX.xx.XX:nbname(137) 
Destination: 5.255.255.255:nbname(137) 
Reason: Network Control Rule ID = 5

Date/Time :2007-04-01 17:06:33
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = x.XXX.xx.XX, Port = nbdgram(138))
Protocol: UDP Incoming
Source: x.XXX.xx.XX:nbdgram(138) 
Destination: 5.255.255.255:nbdgram(138) 
Reason: Network Control Rule ID = 5

Date/Time :2007-04-01 17:06:33
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.3, Port = nbname(137))
Protocol: UDP Incoming
Source: 192.168.1.3:nbname(137) 
Destination: 192.168.1.255:nbname(137) 
Reason: Network Control Rule ID = 5

Date/Time :2007-04-01 17:06:28
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.3, Port = nbname(137))
Protocol: UDP Incoming
Source: 192.168.1.3:nbname(137) 
Destination: 192.168.1.255:nbname(137) 
Reason: Network Control Rule ID = 5

Date/Time :2007-04-01 17:06:28
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.3, Port = nbdgram(138))
Protocol: UDP Incoming
Source: 192.168.1.3:nbdgram(138) 
Destination: 192.168.1.255:nbdgram(138) 
Reason: Network Control Rule ID = 5

Date/Time :2007-04-01 17:06:23
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.3, Port = nbname(137))
Protocol: UDP Incoming
Source: 192.168.1.3:nbname(137) 
Destination: 192.168.1.255:nbname(137) 
Reason: Network Control Rule ID = 5

Date/Time :2007-04-01 17:06:23
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.3, Port = nbdgram(138))
Protocol: UDP Incoming
Source: 192.168.1.3:nbdgram(138) 
Destination: 192.168.1.255:nbdgram(138) 
Reason: Network Control Rule ID = 5

Date/Time :2007-04-01 17:06:18
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.3, Port = nbname(137))
Protocol: UDP Incoming
Source: 192.168.1.3:nbname(137) 
Destination: 192.168.1.255:nbname(137) 
Reason: Network Control Rule ID = 5

Date/Time :2007-04-01 17:06:18
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.3, Port = nbdgram(138))
Protocol: UDP Incoming
Source: 192.168.1.3:nbdgram(138) 
Destination: 192.168.1.255:nbdgram(138) 
Reason: Network Control Rule ID = 5

Date/Time :2007-04-01 17:06:08
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.3, Port = nbname(137))
Protocol: UDP Incoming
Source: 192.168.1.3:nbname(137) 
Destination: 192.168.1.255:nbname(137) 
Reason: Network Control Rule ID = 5

Date/Time :2007-04-01 17:06:08
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = x.XXX.xx.XX, Port = nbname(137))
Protocol: UDP Incoming
Source: x.XXX.xx.XX:nbname(137) 
Destination: 5.255.255.255:nbname(137) 
Reason: Network Control Rule ID = 5

Date/Time :2007-04-01 17:05:53
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.3, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.3:1062 
Destination: 239.255.255.250:upnp-mcast(1900) 
Reason: Network Control Rule ID = 5

Date/Time :2007-04-01 17:05:43
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.3, Port = nbname(137))
Protocol: UDP Incoming
Source: 192.168.1.3:nbname(137) 
Destination: 192.168.1.255:nbname(137) 
Reason: Network Control Rule ID = 5

Date/Time :2007-04-01 17:05:28
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.3, Port = nbdgram(138))
Protocol: UDP Incoming
Source: 192.168.1.3:nbdgram(138) 
Destination: 192.168.1.255:nbdgram(138) 
Reason: Network Control Rule ID = 5

Date/Time :2007-04-01 17:05:28
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.3, Port = nbname(137))
Protocol: UDP Incoming
Source: 192.168.1.3:nbname(137) 
Destination: 192.168.1.255:nbname(137) 
Reason: Network Control Rule ID = 5

Date/Time :2007-04-01 17:05:23
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.3, Port = nbname(137))
Protocol: UDP Incoming
Source: 192.168.1.3:nbname(137) 
Destination: 192.168.1.255:nbname(137) 
Reason: Network Control Rule ID = 5

Date/Time :2007-04-01 17:04:38
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.3, Port = nbname(137))
Protocol: UDP Incoming
Source: 192.168.1.3:nbname(137) 
Destination: 192.168.1.255:nbname(137) 
Reason: Network Control Rule ID = 5

Date/Time :2007-04-01 17:04:33
Severity :Medium
Reporter :Network Monitor
Description:Outbound Policy Violation (Access Denied, ICMP = PORT UNREACHABLE)
Protocol:ICMP Outgoing
Source: 192.168.1.4 
Destination: 192.168.1.1 
Message: PORT UNREACHABLE 
Reason: Network Control Rule ID = 5

Date/Time :2007-04-01 17:04:33
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.3, Port = nbname(137))
Protocol: UDP Incoming
Source: 192.168.1.3:nbname(137) 
Destination: 192.168.1.255:nbname(137) 
Reason: Network Control Rule ID = 5

Date/Time :2007-04-01 17:04:28
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.3, Port = nbname(137))
Protocol: UDP Incoming
Source: 192.168.1.3:nbname(137) 
Destination: 192.168.1.255:nbname(137) 
Reason: Network Control Rule ID = 5

Date/Time :2007-04-01 17:03:13
Severity :Medium
Reporter :Network Monitor
Description: Outbound Policy Violation (Access Denied, Protocol =  IGMP)
Protocol:IGMP Outgoing
Source: x.XXX.xx.XX 
Destination: 224.0.0.22 
Reason: Network Control Rule ID = 5

Date/Time :2007-04-01 17:03:13
Severity :Medium
Reporter :Network Monitor
Description: Outbound Policy Violation (Access Denied, Protocol =  IGMP)
Protocol:IGMP Outgoing
Source: 192.168.1.4 
Destination: 224.0.0.22 
Reason: Network Control Rule ID = 5

Date/Time :2007-04-01 17:03:03
Severity :Medium
Reporter :Network Monitor
Description: Outbound Policy Violation (Access Denied, Protocol =  IGMP)
Protocol:IGMP Outgoing
Source: 192.168.1.4 
Destination: 224.0.0.22 
Reason: Network Control Rule ID = 5

Date/Time :2007-04-01 17:03:03
Severity :High
Reporter :Application Monitor
Description: Suspicious Behaviour (CLI.exe)
Application: C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
Parent: 
Protocol: TCP Out
Destination: 127.0.0.1::1038
Details: C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe is an invisible application 

Date/Time :2007-04-01 17:03:03
Severity :High
Reporter :Application Monitor
Description: Suspicious Behaviour (CLI.exe)
Application: C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
Parent: 
Protocol: TCP Out
Destination: 127.0.0.1::1037
Details: C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe is an invisible application 

Date/Time :2007-04-01 17:02:58
Severity :Medium
Reporter :Network Monitor
Description: Outbound Policy Violation (Access Denied, Protocol =  IGMP)
Protocol:IGMP Outgoing
Source: 192.168.1.4 
Destination: 224.0.0.22 
Reason: Network Control Rule ID = 5

thanks again

gibran · April 1, 2007, 7:19pm

Well this should be a multi step process…

Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = x.XXX.xx.XX, Port = 5900)
Protocol: TCP Incoming
Source: x.XXX.xx.XX:1065

Destination: x.XXX.xx.XX:5900
Reason: Network Control Rule ID = 5

the Network Control Rule ID = 5 is the 5th rule in network monitor it is a block all rule every allow rule should be moved before it.

so assuming the destination port is fixed you should create a allow+log rule
TCP In
source ip any
dest ip any
source port any
dest port 5900

the next steps should require the creation of an application rule try this first