hmmm... unable to navigate workgroup with CPF

I’ve been running the CPF for a few days now, no issues getting online… but today I went to print something to my workgroup shared printer and it failed instantly… I tried to browse to the PC that the printer is installed on, and couldn’t.

I do have a “home” zone set up for my LAN address range, 192.168.X.1 - 192.168.X.255, and created 3 network control rules:

  • Allow IP in/out, Source: “home”, Dest: “home” (original “wizard” created entry)
  • Allow TCP/UDP in/out, Source: “home”, Dest: “home” (just added to try something)
  • Allow ICMP in/out, Source: “home”, Dest: “home” (just added to try something)

… and figured that should have left the LAN wide open to itself

What else should I be trying?

I even tried setting the Security Level to “Allow All” temporarily on the fly and still couldn’t browse the network.

I noticed in a few spots in the log (about 4 times in the past 3+ days) entries similar to:

Date/Time :2006-06-19 05:52:31
Severity :High
Reporter :Network Monitor
Description: UDP Port Scan
Attacker: 192.168.X.1
Ports: 37384, 30472, 29960, 30728, 30984, 31752, 31240, 32008, 32264, 32520, 33288, 32776, 33544, 33800, 34056, 34312, 35080, 34568, 35336, 35592, 35848, 36104, 36872, 36360, 37128, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
The attacker has been temporarily blocked

… now 192.168.X.1 is my router… is CPF blocking something it shouldn’t?

I should also mention that my router also acts as my DHCP server and doles out static IPs to each PC, and I am able to open a CMD window and ping each PC by IP, but not by name.

Can there be such a thing as a WAN or Internet Zone setup?

G’day,

Have a look at

www.embsolutions.com.au/cpf_rule/index.htm

This is a flash based tutorial on the bare minimum rules required to let your PC 1) talk to your LAN, 2) talk to the internet and 3) shut out unsolicited traffic from the internet. The tutorial goes through how to create these three rules manually and the order they need to be in.

There is no rule for ICMP, but the parameters should be:
Source : YOUR ZONE
Destination : YOUR ZONE
Protocol : ICMP
Source port : ANY
Destination port : ANY

This rule should appear as the second rule on the list, right under the rule that allows all TCP/UDP traffic to/from your LAN.

If this helps you fix the issue, can you please post the results here so others can benefit.

Hope this helps,
Ewen :slight_smile:
(WCF3) (WCF3) (WCF3) OI OI OI!

Ewen,

Thank you for your reply.

There was some good progress I’d say, I still can’t browse the network, but at least I have a log entry now :slight_smile:

Date/Time :2006-06-22 01:02:17
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (svchost.exe:0.0.0.0:ms-rpc(135))
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: TCP In
Remote: 0.0.0.0:ms-rpc(135)

Which is weird, since I have 4 entries (Basic Popup Logic not enabled) in my Application Control rules for svchost with services as the parent, as you can see in my attached screenshot. (I added a foreground image to show the parent/child relationship as well.) And one of them is specifically for TCP In, and it allows 0.0.0.0-255.255.255.255 on ports 0-65535.

It’s a funny log entry, but I’m ready for the next tweak :slight_smile:

Many thanks in advance!
Daniel

[attachment deleted by admin]

Just wanted to mention that I have upgraded to CPF 2.2.0.11, hoping it might resolve my issue, but that was not the case.

So, seeing as I was going to reboot after installing a new application anyway, I thought I’d try to see what disabling “Secure the host while booting” would do… and sure enough, that got me back onto my workgroup. It must be interfering with the Browser service during the boot stages, I guess.

Is there something else I can adjust that will allow me to keep the “Secure the host while booting” option set? I kinda like that feature… well the idea of it anyway.

Just use the wizard to add your network as a trusted zone. It will solve your problems and its the easier way :wink:

pandlouk,

I had used the wizard first; it added 2 IP-based rules to the base rules that CPF installed with. Then, when Ewen pointed me to the Flash tutorial, I dumped all the rules and started from scratch following the guide.

I no longer have any IP-based rules.

[attachment deleted by admin]

Oops, I missed that in panic’s tutorial.
Here it goes:
First, delete the ICMP rule. You don’t need it.
Second, modify the other 3 rules: instead of protocol TCP/UDP, select IP and “IP details = any”.
Third, add another rule above the default IP block rule, like this:

Action = allow
Protocol = IP
Direction =out
Source IP= any
Remote IP =any
IP details = any

PS: panic, you should modify your tutorial; with these rules the NetBIOS requests will be blocked :stuck_out_tongue:

Pandlouk,

OK, I adjusted my rules to be…

Allow, IP In/Out, Zone:Home, Zone:Home, Any
Allow, IP Out, Zone:Home, Any, Any
Allow, IP Out, Any, Any, Any
Block & Log, IP In, Any, Any, Any

But looking at those as my 4 rules… rule 3 looks to make rule 2 redundant. Did I do it right, or do I just need…

Allow, IP In/Out, Zone:Home, Zone:Home, Any
Allow, IP Out, Any, Any, Any
Block & Log, IP In, Any, Any, Any

Thanks in advance :slight_smile:

Well, I decided to give the new rules a try, so I re-enabled “Secure the host while booting” and rebooted… which recreated the workgroup problem… so I disabled it, kept the new rules, rebooted, and the workgroup was fine again…

“Secure the host while booting” seems to be the key. If it is disabled, am I “open” until CPF loads?

Don’t worry about it. Never mind disabling that option: even if the critical processes CPF.exe and cmdagent.exe cannot start for some reason, inbound defense will always remain active as soon as the boot sequence starts.

That option is most useful for non-networked, single-connection PCs that are highly susceptible to infections etc.

I personally do not enable it.

Egemen

You are right; the default and wizard rules are as follows:
Allow, IP Out, Any, Zone:Home, Any
Allow, IP In, Zone:Home, Any, Any
Allow, IP Out, Any, Any, Any
Block, IP In, Any, Any, Any

(The reason for the separate rules is to have more control over them through the logs.)
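The thread turns on first-match rule order: Daniel's question whether rule 3 makes rule 2 redundant in his four-rule list, and pandlouk's wizard list that deliberately keeps an overlapping rule for logging. The following is an added example, not Comodo's code and not something any poster wrote: a small first-match model of the Network Monitor rule lists quoted above, with checks for rules that are redundant (removing them changes no verdict) and rules that are shadowed (an earlier rule already catches everything they would). It assumes the "home" zone is 192.168.1.0/24 (the page only gives 192.168.X.0/24), uses 203.0.113.0/24 as a stand-in for the Internet, and ignores stateful reply handling, the Application Monitor and the "Secure the host while booting" option, none of which this model covers.

```python
"""First-match model of CPF-style network rules (added example, not the product's code).

Assumption: the thread's 192.168.X.0/24 "home" zone is 192.168.1.0/24 here.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

HOME = ipaddress.ip_network("192.168.1.0/24")   # stand-in for 192.168.X.1-192.168.X.255
ANY = None                                        # "Any" in the rule dialog

# What each protocol choice in the rule dialog covers (IP = every IP protocol).
PROTO = {
    "ip": frozenset({"tcp", "udp", "icmp", "igmp"}),
    "tcp/udp": frozenset({"tcp", "udp"}),
    "icmp": frozenset({"icmp"}),
}
DIRS = {"in": frozenset({"in"}), "out": frozenset({"out"}), "in/out": frozenset({"in", "out"})}


@dataclass(frozen=True)
class Rule:
    action: str        # "allow" or "block"
    protocol: str      # key of PROTO
    direction: str     # key of DIRS
    src: Optional[ipaddress.IPv4Network]   # None means Any
    dst: Optional[ipaddress.IPv4Network]


@dataclass(frozen=True)
class Packet:
    protocol: str      # "tcp", "udp", "icmp", ...
    direction: str     # "in" or "out"
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address


def matches(rule: Rule, pkt: Packet) -> bool:
    return (pkt.protocol in PROTO[rule.protocol]
            and pkt.direction in DIRS[rule.direction]
            and (rule.src is None or pkt.src in rule.src)
            and (rule.dst is None or pkt.dst in rule.dst))


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Walk the list top-down; the first matching rule decides. ("none", None) if nothing matched."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, i
    return "none", None


def _net_covers(outer, inner) -> bool:
    return outer is None or (inner is not None and inner.subnet_of(outer))


def _net_overlaps(a, b) -> bool:
    return a is None or b is None or a.overlaps(b)


def covers(outer: Rule, inner: Rule) -> bool:
    """Every packet matched by `inner` is also matched by `outer`."""
    return (PROTO[inner.protocol] <= PROTO[outer.protocol]
            and DIRS[inner.direction] <= DIRS[outer.direction]
            and _net_covers(outer.src, inner.src)
            and _net_covers(outer.dst, inner.dst))


def overlaps(a: Rule, b: Rule) -> bool:
    """Some packet is matched by both rules."""
    return (bool(PROTO[a.protocol] & PROTO[b.protocol])
            and bool(DIRS[a.direction] & DIRS[b.direction])
            and _net_overlaps(a.src, b.src)
            and _net_overlaps(a.dst, b.dst))


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Rules that can never fire: an earlier rule already matches everything they would."""
    return [i for i, r in enumerate(rules) if any(covers(e, r) for e in rules[:i])]


def redundant_rules(rules: List[Rule]) -> List[int]:
    """Rules whose removal changes no verdict: a later rule with the same action covers them
    and no rule in between with a different action overlaps them (only the logging changes)."""
    redundant = []
    for i, r in enumerate(rules):
        for later in rules[i + 1:]:
            if later.action != r.action and overlaps(later, r):
                break                     # a rule in between would intercept some of r's traffic
            if later.action == r.action and covers(later, r):
                redundant.append(i)
                break
    return redundant


# Daniel's four-rule list from the thread, and the three-rule variant he asks about.
DANIEL_FOUR = [
    Rule("allow", "ip", "in/out", HOME, HOME),
    Rule("allow", "ip", "out", HOME, ANY),
    Rule("allow", "ip", "out", ANY, ANY),
    Rule("block", "ip", "in", ANY, ANY),
]
DANIEL_THREE = [DANIEL_FOUR[0], DANIEL_FOUR[2], DANIEL_FOUR[3]]

# The default/wizard list pandlouk quotes.
WIZARD = [
    Rule("allow", "ip", "out", ANY, HOME),
    Rule("allow", "ip", "in", HOME, ANY),
    Rule("allow", "ip", "out", ANY, ANY),
    Rule("block", "ip", "in", ANY, ANY),
]

# Constructed sample traffic (203.0.113.0/24 is documentation space standing in for the Internet).
A = ipaddress.ip_address
SAMPLES = {
    "smb_from_lan_pc": Packet("tcp", "in", A("192.168.1.20"), A("192.168.1.10")),
    "netbios_name_broadcast": Packet("udp", "out", A("192.168.1.10"), A("192.168.1.255")),
    "web_request_out": Packet("tcp", "out", A("192.168.1.10"), A("203.0.113.5")),
    "unsolicited_from_internet": Packet("tcp", "in", A("203.0.113.5"), A("192.168.1.10")),
}

if __name__ == "__main__":
    for name, rules in (("daniel_four", DANIEL_FOUR), ("daniel_three", DANIEL_THREE), ("wizard", WIZARD)):
        print(name, "redundant:", redundant_rules(rules), "shadowed:", shadowed_rules(rules))
        for label, pkt in SAMPLES.items():
            print("  ", label, "->", evaluate(rules, pkt))
```

Run as a script, the model reports rule 2 of Daniel's four-rule list (index 1) as redundant and the three-rule list as having no redundancy, while every sample packet gets the same verdict under both lists. It also flags rule 1 of the wizard list (IP Out, Any to Home) as redundant with rule 3, which is exactly the overlap pandlouk says is kept on purpose so the LAN traffic shows up under its own rule in the logs; a redundancy report is a prompt to check intent, not an instruction to delete.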