I have Comodo Firewall set to filter IPv6.
Using “System” as an example (in Application Rules), by default it has “Allow System to Send/Receive Requests if the Target is in Home #1”.
Local traffic, however, is to/from fe80:: addresses.
How do I edit Home 1 so that it recognizes those local fe80 addresses?
Hi Grid,
Thank you for reporting.
May i know your product name(CFW/CIS) & version ?
Also provide the win version along with system bit type
Thanks
C.O.M.O.D.O RT
Thank you.
This is CIS v12.2.2.8012 running on Win 10 x64.
Hi Grid,
Thank you for providing the requested information, let me check and update you.
Thanks
C.O.M.O.D.O RT
Ensure you have “Filter IPv6 Traffic” enabled under Firewall settings. This is unticked by default. You’ll then need to run the Stealth Ports task under firewall tasks and that’ll add the blocking rules. If your runnin Block Incoming, you’ll need to add the ICMP rules for IPv6 to work. See attached.
Eroc
I don’t understand why I need to run the Stealth Ports task - I’m not trying to make the machine invisible to other PCs.
I simply want “Allow All Outgoing/Incoming Requests If The Target is in Home #1” to include IPv6 requests (i.e. fe80 local link addresses).
Those rules are already generated when you add a trusted network. The block rule generated by stealth ports is for blocking exception to those rules.
Anyway, enable IPv6 filtering for filtering IPv6 traffic otherwise it’s just allowed or based on Windows Firewall rules
Except that’s just it - the rules that were auto-generated are only set up to recognize the Home network on Ipv4. There is nothing that tells it that local link IPv6 addresses (fe80:
are also part of that trusted network.
As a result, I’m being asked to approve/block every local communication. And without the proper filtering, I can’t do a Remember Allow without also granting access to internet communications, which I don’t want.
So if there isn’t a way to set this up automatically, that’s fine - how do I create a rule that just targets IPv6 local link addresses?
You can just add a rule in the Global Rules and add Home #1 as destination address. You can also add a rule with Loopback (Local) as that filter is enabled by default
Filter Loopback Traffic along with Filter IPv6 are already checked, and they clearly aren’t addressing this.
And your filter example will not cover this because you are showing only a single, exact address - whereas local-link addresses cover a range of fe80::/64.
I need to know how to specify fe80::/64 in CIS.
Like this.
Thank you!
Adding that to Home #1 fixed the issue completely.
You’re welcome.
I do prefer to add it to network zone “Loopback Zone” as it is related to IPv4 127.0.0.1 loopback.
Find the same issue when enable filter IPv6 traffic
It seems Comodo firewall global rule dose not contain any IPv6 incoming rules especially icmpv6 ndp
I find default global rules with filter IPv6 traffic switch on, Comodo firewall log will show a block info
as following:
Protocol:ICMPv6 source ip:fe80::1 des:ff02::1 icmpv6 type: Chinese version says:“邻机请求”. It seems Neighbor Discovery Protocol but I dont know which type 135 or 136
Neighbor Solicitation (Type 135)
Neighbor solicitations are used by nodes to determine the link layer address of a neighbor, or to verify that a neighbor is still reachable via a cached link layer address.
Neighbor Advertisement (Type 136)
Neighbor advertisements are used by nodes to respond to a Neighbor Solicitation message.
I try to find the same traffic with eset firewall, they have some default rules for ipv6 traffic.
So is it possible for Comodo firewall add these IPv6 rules become oobe rules even if not choose filter IPv6 traffic.
eset firewall has default icmpv6 rules:
allow necessary incoming icmpv6 type 1,2,3,4,129,130,131,132,133,134,135,136.
So I really want CFW like eset firewall does: fully close Windows defender Firewall and totally controled by CFW
Last,Thx for bring us best hips and firewall!
You just need to allow ICMP for Packet too big, Time Exeeded and then 134,0 & 135,0 & 136,0 if you have Stealth Ports set to Block Incoming. If your still having issue, can you post FW logs.
Yes,it’s enough! Wait next version to automatically add this rules.
Thx for you help!