Help this newbie with CPF v3

Hi, everyone! (:WAV)

I have Cable internet running through my wireless linksys router and my laptop is the only computer in my network. I’m running Windows XP SP2. I’ve used Sygate Firewall for a few years, but have recently decided to try out Comodo because Sygate is a great firewall, but is no longer in development. I installed Comodo Firewall with Defense+ on. I’ve left it on default settings and used the Predefined Firewall Policies for Firefox, my email client Thunderbird, AVG, and other stuff like that. Everything works great so far, but I’ve decided it’s time I tighten up my rules a bit. OK, so here are pics of the pop up messages I get when I run Firefox, Pidgin, and Thunderbird. I would really appreciate you guys helping me to write rules for these applications and to tighten up the firewall’s rules in general (especially the Global Rules) for my type of connection as well.

Firefox:

http://img266.imageshack.us/img266/5070/ff1ar7.png

http://img514.imageshack.us/img514/7386/ff2mt5.png

http://img266.imageshack.us/img266/3245/ff3kq8.png

Pidgin:

http://img502.imageshack.us/img502/8869/pidgin1cv6.png

http://img521.imageshack.us/img521/4571/pidgin2gd8.png

Thunderbird:

http://img408.imageshack.us/img408/3678/thunderbird1vn2.png

http://img408.imageshack.us/img408/2633/thunderbird2kq2.png

I too am a Comodo firewall newbie. I used v2 for about a month before changing to v3. Ever since I’ve been plagued with popup alerts over and over and over. An example, Firefox just put out a maintenance release today which I let it install automatically. As soon as I did that I must have had 15-20 popup alerts for file after file and who knows what else related to the Firefox upgrade. These popups have gotten so numerous that I’m not even reading them anymore, I’m just hitting Enter over and over to get back to actually using my pc. I realize this isn’t the way I’m supposed to respond but I need to do something other than inspecting all the changed files that Firefox touched.

Am I doing something wrong?
Should I switch to a different firewall?
Help!

Russ

[at] nessa
The easiest way to write tight rules for applications is to change the Alert settings (FIREWALL - ADVANCED - FIREWALL BEHAVIOUR SETTINGS - ALERT SETTINGS). Setting this to VERY HIGH will produce alerts detailing protocol, direction, port and site. Clicking REMEMBER and ALLOW will create a tight rule for that app with these parameters.

[at] rick
Pain in the proverbial? Yep. Necessary? Even more so.

A necessary side-effect of increasing the security on our PCs is the need to increase both our knowledge and our scrutiny of it. The days of just trusting things are unfortunately gone. One of the core principles of CFP is that it will alert you when things have changed, as this can indicate unauthorised activity on your PC. Firefox got upgraded, so components within the app changed and the next time they were run, CFP noticed the change and alerted you. It is only doing what it is supposed to do and if it didn’t, then your security isn’t what it should be.

Hope this helps,
Ewen :slight_smile:

OK, thanks I’ll do that.

But is there a Global rule I can make for the loopback? Sorry, I’m a little confused about that and about multicast. Could someone explain that to me and how to make rules concerning those two? Maybe give me a little insight on what some of my Global rules should be other than the default block that is already there? Sorry, I just want a better understanding of this. I’ve read the FAQ, but I’m still a little lost ???

G’day,

Do you mean a global firewall rule for the loopback? If so, you really don’t want that. You should be notified about anything trying to use the loopback for a connection. The method I outlined in my previous post was to create an application rule not a firewall rule. This rule would only allow access to the internet (using the parameters specified in the application rule) providing there was a firewall rule (also called a global policy) that allowed it.

It can be a bit much to get your head around at the start. The way I taught my mum was, if it’s an outbound connection, the application rule is checked first and then the firewall rule. If it’s inbound, the network rule is checked first and then the application rule.

When you are starting an application on your PC, the Defense+ part of CFP checks whether there are rules for that application that determine what it can do and what its connection parameters are. If the rule exists, it then checks whether there is a firewall rule that can satisfy its outbound requirements. If there is, then it’s allowed out to play.

If someone out there tries to contact your PC, the firewall jumps in first and checks whether there is a rule that would allow this incoming connection on the ports specified in the incoming request. If there is, it then checks whether there is an application rule to cater for the incoming data and whether that application is active at the time. If there is no firewall rule to allow the access, it is blocked before any further checks are done.

Hope this helps,
Ewen :slight_smile:

Thank you, panic. You’ve been a huge help.

Alright, I’ve been searching the forums, trying to learn as much as I can and looking at other people’s rules to come up with ones that work for me. I’ve disabled NetBIOS and have attached pics of what I have so far. How does it look, should I change anything?

[attachment deleted by admin]

Lookin’ good Nessa. The global rules you’ve got are best described as minimalist :wink: but that’s not a bad thing IMHO. I run 8 rules that cover secured connections to three networks, but I’ve read of others that have an obscene amount of rules.

One little tip - stay away from rules that have a direction of IN/OUT. While it simplifies the rules list, separate rules for IN and OUT make trouble shooting a lot easier.

Is this PC on a LAN? If so, you’re going to need a couple of rules to allow inbound LAN traffic from IPs on your LAN.

Cheers,
Ewen :slight_smile:

Well, I have a cable modem connected to my wireless linksys router. My laptop is the only computer I have and it connects through wi-fi to my router and that’s how I connect to the internet. Since a LAN is a network of multiple computers, is what I have still considered a LAN even though I only have one laptop? I would like some help on making global rules for that if I have to.

As for the IN/OUT rules, do you mean I should separate the Block IP In/Out rule that I have in the Global rules?

Also should I tighten up the application rules for Pidgin? Before when I used Sygate Firewall, I had to allow inbound and outbound connections in order for it to work properly. Any suggestions?

Correct, your one laptop and its connection to your router constitute a network. Best definition of a network I’ve read is “a network is a series of devices connected together to enable the sharing of resources and services between those devices”. PC, router, printer, whatever - it’s all the network.

You could replace your current rule 0 (the top one) with two rules (one IN and one OUT) allowing traffic from a zone that you have defined as encompassing all the IP addresses used on your internal LAN (your PC and your router).

Defining a zone is done on the FIREWALL - COMMON TASKS screen and all you have to do is give it a name and enter the range of IP addresses you want to be included. Now you can use this zone reference in any rules and it will apply to all IP within the range assigned to that zone.

As for the IN/OUT rules, do you mean I should separate the Block IP In/Out rule that I have in the Global rules?

You can, but I’d place the BLOCK IN rule above the BLOCK OUT rule. No real reason why, I just always place them in that order.

Also should I tighten up the application rules for Pidgin? Before when I used Sygate Firewall, I had to allow inbound and outbound connections in order for it to work properly. Any suggestions?

If it’s working (and there’s nothing I can see in your rules to prevent it) why touch it?

Cheers,
Ewen :slight_smile:

OK, but how do I find out what are all the IP addresses used on my internal LAN?

Hey nessa,

Click START - RUN and in the RUN dialogue, type in CMD and press ENTER. This will open a DOS-style window. In this DOS window, type IPCONFIG /ALL and press ENTER. This will produce a listing showing the current IP configurations of all currently active network adaptors in your PC. The two critical elements we are looking for are IP ADDRESS and DEFAULT GATEWAY.

IP ADDRESS is the currently assigned IP address of your laptop’s network adaptor.
DEFAULT GATEWAY ADDRESS is the IP address of your router.

These two addresses are the upper and lower limits of the zone you need to create.

There are three possible ranges of addresses that could be in use on your laptop and your router - 192.168.X.X, 172.16.X.X-172.31.X.X and 10.X.X.X. These are the three private, non-routable address ranges for use in private LANs. When creating a range you can either make the range exactly fit the address of your devices (e.g. 192.168.1.1 - 192.168.1.2) or you can make it cover the entire subnet (192.168.1.1 - 192.168.1.255).

Cheers,
Ewen :slight_smile:
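As an added example (not code from the thread and not Comodo's own), the following Python script does the IPCONFIG /ALL reading Ewen describes by hand: it parses the listing, pulls out IP ADDRESS, SUBNET MASK and DEFAULT GATEWAY for each adaptor, checks that both addresses fall in one of the three private ranges he lists, and prints the two zone options (exact laptop-to-router range, or the whole subnet). The ipconfig text below is constructed to look like Windows XP output, not a real capture; the field-name handling for "IPv4 Address" on later Windows versions is an assumption.

```python
"""Added example: derive a CFP zone (start/end address pair) from `ipconfig /all`
output and sanity-check that the addresses are RFC 1918 private ones.
Not Comodo's code; the ipconfig sample below is constructed, not a real capture."""
import ipaddress
import re
from typing import Dict

# Constructed sample in Windows XP `ipconfig /all` layout. Later Windows versions
# label the address "IPv4 Address" and may append "(Preferred)" to the value.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : LAPTOP
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Hybrid

Ethernet adapter Wireless Network Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Wireless-G Notebook Adapter
        Physical Address. . . . . . . . . : 00-11-22-33-44-55
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.100
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.1
"""

# The three private, non-routable ranges from RFC 1918.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ADAPTER_RE = re.compile(r"^\S.* adapter (.+):$")          # "Ethernet adapter <name>:"
FIELD_RE = re.compile(r"^\s+(.+?)[ .]*:\s*(.*)$")         # "   Field . . . : value"
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def parse_ipconfig(text: str) -> Dict[str, Dict[str, str]]:
    """Map adapter name -> {field: value}. Fields before the first adapter go under ''."""
    adapters: Dict[str, Dict[str, str]] = {"": {}}
    current = ""
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = m.group(1)
            adapters[current] = {}
            continue
        m = FIELD_RE.match(line)
        if m:
            adapters[current][m.group(1)] = m.group(2).strip()
    return adapters


def is_private(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_RANGES)


def first_ipv4(value: str) -> str:
    """Extract the dotted quad from a value such as '192.168.1.100(Preferred)'."""
    m = IPV4_RE.search(value)
    if not m:
        raise ValueError(f"no IPv4 address in {value!r}")
    return m.group(0)


def lan_zone(fields: Dict[str, str]) -> Dict[str, object]:
    """Return the zone boundaries for one adapter, refusing non-private addresses."""
    host = ipaddress.ip_address(first_ipv4(fields.get("IPv4 Address") or fields["IP Address"]))
    gateway = ipaddress.ip_address(first_ipv4(fields["Default Gateway"]))
    mask = first_ipv4(fields["Subnet Mask"])
    net = ipaddress.ip_network(f"{host}/{mask}", strict=False)
    if not (is_private(str(host)) and is_private(str(gateway))):
        raise ValueError("adapter is not on a private LAN; do not build a trusted zone for it")
    if gateway not in net:
        raise ValueError("gateway is outside the adapter's subnet; check the ipconfig output")
    lo, hi = sorted((host, gateway))
    return {
        "exact": (str(lo), str(hi)),                 # just the laptop and the router
        "subnet": (str(net[1]), str(net[-2])),       # first and last usable host (.255 is broadcast)
        "network": str(net),
    }


if __name__ == "__main__":
    for name, fields in parse_ipconfig(SAMPLE_IPCONFIG).items():
        if "Default Gateway" in fields:
            print(name, lan_zone(fields))
```

On the constructed sample this yields an exact zone of 192.168.1.1 - 192.168.1.100 and a whole-subnet zone of 192.168.1.1 - 192.168.1.254; the script stops at .254 because .255 is the subnet's broadcast address rather than a host, which is worth knowing when you type a range into the zone dialogue. The private-range check is the practitioner's safeguard: if an adapter turns out to hold a public address (a laptop plugged straight into a cable modem with no router), a "trusted LAN" zone built from it would trust the whole Internet.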

Just so I’m clear on this:

Alright, the Default Gateway is 192.168.1.1 and the IP Address is 192.168.1.100.
So, my range should be (192.168.1.1 - 192.168.1.100) right?

And after adding these LAN rules to the Global rule set, along with the ones I already have, should I add any others? Like rules for DNS, ICMP, and DHCP, do I need those?

Sorry, please excuse my impatience, but I really want to get this finished.
So if anyone, not just panic, can answer my questions, please post a reply. :THNK

OK, this is the last time I’ll bump this thread.
Come on guys, please help me? I’m still confused. (:SAD)

(:WAV) hi nessa
I don’t know much about your problem with the router or anything else, but these are my global rules: (:TNG)

allow all outgoing requests if the target is IP in [192.168.0.1 - 192.168.0.255] <== LAN range
allow all outgoing requests if the sender is IP in [192.168.0.1 - 192.168.0.255]
block&log IP in from IP not in [LAN range] to IP in [LAN range] where protocol is any
block&log IP out from IP in [LAN range] to IP not in [LAN range] where protocol is any
block&log IP in from IP any any any

I don’t know how exactly these rules work or whether I should add something to the rules, but I’ve tried about 10 outbound leak tests & 2 inbound leak tests. CFP3 passed them all.

Ganda
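As an added example (not code from the thread and not Comodo's own), the Python below models the two-layer, top-to-bottom, first-match rule evaluation Ewen described earlier (outbound: application rule first, then global rule; inbound: global rule first, then application rule) and runs ganda's five global rules through it. The semantics are assumptions, not verified against CFP's source: a list is evaluated top-down and stops at the first rule whose direction and addresses match; outbound traffic with an allowing application rule and no matching global rule is allowed; no matching rule at the last layer consulted means an alert (the popup). The Rule and Packet types, the rule names, and the sample addresses are mine.

```python
"""Added example: model of CFP v3 ordered rule matching (first match wins, top to bottom).
Assumed semantics, not Comodo's code. Rule names and sample addresses are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional

IPPred = Callable[[str], bool]


def in_range(lo: str, hi: str) -> IPPred:
    """Predicate for a CFP zone given as an inclusive start/end address pair."""
    lo_i, hi_i = int(ipaddress.ip_address(lo)), int(ipaddress.ip_address(hi))
    return lambda ip: lo_i <= int(ipaddress.ip_address(ip)) <= hi_i


def not_in(pred: IPPred) -> IPPred:
    return lambda ip: not pred(ip)


ANY: IPPred = lambda ip: True


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "block"
    direction: str         # "in", "out" or "in/out"
    src: IPPred = ANY
    dst: IPPred = ANY
    log: bool = False
    name: str = ""


@dataclass(frozen=True)
class Packet:
    direction: str         # "in" (arriving at the laptop) or "out" (leaving it)
    src: str
    dst: str


def first_match(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    """Top-down scan; the first rule whose direction and addresses fit decides."""
    for r in rules:
        if r.direction in (pkt.direction, "in/out") and r.src(pkt.src) and r.dst(pkt.dst):
            return r
    return None


LAN = in_range("192.168.0.1", "192.168.0.255")   # ganda's zone as posted

# ganda's five global rules, in the order posted.
GANDA_GLOBAL = [
    Rule("allow", "out", dst=LAN, name="1 allow out to LAN"),
    Rule("allow", "out", src=LAN, name="2 allow out from LAN"),
    Rule("block", "in", src=not_in(LAN), dst=LAN, log=True, name="3 block&log in !LAN->LAN"),
    Rule("block", "out", src=LAN, dst=not_in(LAN), log=True, name="4 block&log out LAN->!LAN"),
    Rule("block", "in", log=True, name="5 block&log in any"),
]


def decide(pkt: Packet, app_rules: List[Rule], global_rules: List[Rule]) -> str:
    """Ewen's ordering: outbound checks the application rule first, then global;
    inbound checks global first, then the application rule. Returns
    "allow", "block" or "alert" (no rule at the last layer consulted)."""
    if pkt.direction == "out":
        app = first_match(app_rules, pkt)
        if app is None:
            return "alert"                      # unknown program: CFP asks before anything leaves
        if app.action == "block":
            return "block"
        glob = first_match(global_rules, pkt)
        return "block" if glob is not None and glob.action == "block" else "allow"
    glob = first_match(global_rules, pkt)
    if glob is not None and glob.action == "block":
        return "block"                          # dropped before any application rule is looked at
    app = first_match(app_rules, pkt)
    return "alert" if app is None else app.action


if __name__ == "__main__":
    for pkt in (Packet("out", "192.168.0.5", "192.168.0.1"),
                Packet("out", "192.168.0.5", "8.8.8.8"),
                Packet("in", "203.0.113.7", "192.168.0.5"),
                Packet("in", "192.168.0.1", "192.168.0.5")):
        hit = first_match(GANDA_GLOBAL, pkt)
        print(pkt.direction, pkt.src, "->", pkt.dst, ":", hit.name if hit else "no global match")
```

Tracing the rules as listed shows why Ewen's point about rule order matters: rule 2 (allow out where the sender is in the LAN range) matches every packet the laptop itself sends, because the laptop's own address is always inside that range, so rule 4 (block out from LAN to not-LAN) is never reached. In this model an unknown program is stopped earlier anyway, at the application layer, where it has no rule and gets an alert before the global rules are consulted, which is consistent with the leak-test results ganda reports; but that protection comes from the application rules, not from rule 4. A block rule only does work if it sits above the allow that would otherwise swallow its traffic.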

Hi nessa482,
What exactly do you not understand? (I’m tired and I’m not in the mood to read the whole thread. :stuck_out_tongue:)

Hi guys, thanks for replying. I appreciate it.

@ganda: Thanks, but will those rules work for me?

@pandlouk: I’m still unclear about the following:

;D ;D ;D I don’t know :smiley:
I have CFP3 installed on my laptop, and
I have a small cable LAN network in my office (nothing to do with the internet),
I have a piece of software installed on my office server,
I want to access the software on that server from my laptop & prevent leaking, and those rules work perfectly as far as I know (:NRD)
I don’t have any rules for the DNS, ICMP, DHCP you mentioned, but I think I’m safe enough, so maybe you shouldn’t worry about it too much :smiley:

Thanks ganda, I really appreciate you trying to help me. :slight_smile:
But until I can get an answer to those questions above, I’m not going to try out your rules yet.

I’ve read the FAQs concerning them, but I’m still lost. Please I just want to set the correct rules that secure my type of connection and still allow it to function properly. Help me. :frowning:

Sorry for the delay, Nessa. Bastard boss insisted I do HIS stuff first! :smiley:

The addresses you’ve identified are correct for your LAN and for your zones. You can, but don’t have to, add rules using this zone for DNS, DHCP, ICMP etc. If you can surf the web from your laptop with CFP V3 installed and with your current ruleset active, then your DNS requests are being satisfied, likewise your DHCP allocation is working.

It is possible to overload on firewall rules, Nessa. More is not always better.

Cheers,
Ewen :slight_smile: