How To - Understanding & Creating Network Control Rules properly

Hi all. I just installed comodo with its default settings which are said to be robust. But I look at my network control rules and see this:

ID  Permission     Protocol     Source  Destination  Criteria
0   Allow          TCP/UDP Out  Any     Any
1   Allow          ICMP In      Any     Any          Where icmp message is echo request
2   Allow          ICMP In      Any     Any          Where icmp message is fragmentation needed
3   Allow          ICMP In      Any     Any          Where icmp message is time exceeded
4   Allow          IP Out       Any     Any          Where IPPROTO is GRE
5   Allow (+log)   IP In/Out    Any     Any          Where IPPROTO is any

Surely the “allow” rules for IDs 1, 2 and 3 allowing incoming echo requests are not a good thing? I’ve always been told that allowing ping requests to your computer is a security risk. These are the default settings. Should I change them to “block”? Also, what is IPPROTO GRE?

Thanks.

I saw (and thought) the same thing when I saw those rules propagated on CPF when I installed it a few weeks ago. I worked my way through m0ng0d’s Network Rules post and redid it in accordance with that. I didn’t think all the “In” was very good, and a lot of the other stuff just didn’t make sense to my non-computer-genius brain. ??? I had to take some ibuprofen. (:TNG)

I believe the default for rule ID 1 is actually “ICMP Out”, not “ICMP In”. This should allow you to be the “ping-er” but not the “ping-ee”.

Rule IDs 2 and 3 seem to have something to do with determining the appropriate packet size to transmit over a connection, and letting your system know when it needs to re-send data that was lost in transit.

I believe I read that those ICMP lines are needed to resolve some “issues” that people were having seeing some content on certain web-sites.

Please understand that my guide here was written based on an older version of CPF where there were only 3 default rules. My goal was to help people understand how they worked and why they were added as defaults; then I threw my 4th rule in for good measure.

The default rules have evolved over time and are still an excellent starting point. The largest thing that should “separate” users is whether or not they are part of a LAN… because if you’re not on a LAN, the ZONE can be easily replaced by your IP in the rules (for example).

Regarding the In/Out “combo” rules… They are invalid for the most part. There are some valid examples of rules using it, but I always prefer using separate rules; keeps things straight in my mind… and I like being able to set a rule to Log if i want to watch the traffic or troubleshoot. If the rule contains specific traffic, then my log will be small and easy to sort through to find what I am looking for.

Monogod,
What are the current (Nov. 17, 06) default rules?

As of the official build 2.3.6.81…

The default rules are:

ID  Permission     Protocol     Source  Destination  Criteria
0   Allow          TCP/UDP Out  Any     Any
1   Allow          ICMP Out     Any     Any          Where icmp message is echo request
2   Allow          ICMP In      Any     Any          Where icmp message is fragmentation needed
3   Allow          ICMP In      Any     Any          Where icmp message is time exceeded
4   Allow          IP Out       Any     Any          Where IPPROTO is GRE
5   Block (+log)   IP In/Out    Any     Any          Where IPPROTO is ANY

If you run the Add Trusted Network Zone wizard (if you share a LAN with other PC’s), you will also get: (which I promote to be the new ID 0 & 1 rules)

ID  Permission  Protocol  Source  Destination  Criteria
0   Allow       IP Out    Any     ZONE
1   Allow       IP In     ZONE    Any

Monogod,

Thank you very much for taking time to respond. I began a thread: Desktop Security Products/Comodo Firewall/Help/Basic Setup Novice Questions (Nov 14, 06). Several of my initial questions remain unanswered. If you have the time I’d love your input. I need someone technically savvy enough to compare/contrast the automatic configuration with Stem’s setup. I can tell you fit the bill. :slight_smile:

Also in re to a fix for Avast issue--if there isn't one coming could you please let me know. I understand not all Avast/Comodo users are experiencing difficulties. We were told to upgrade to version 2.4 on the Avast forum, however, I see a Chinese version has been released. I can appreciate the challenge of producing multilingual versions. If this is Comodo's focus for the time being, it's understandable & I can make decisions accordingly. 

Perhaps I should have PM’d you. It’s not my intent to double post.

Michele

There is an English version too, not just Chinese,

AOwL,
You must be referring to the beta release with multiple known issues. Is it buffer overflow that causes the 2.3.6 conflicts with Avast? The logic in beta use as a means of “issue-free” resolution escapes me.

Just a quick question. I have these rules set as the above default with the trusted network included. How come I mainly see Outgoing Blocked items (re Rule 7) yet very very few incoming blocked items? Is it just a case that I’m going to relatively safe sites? just asking…

Most likely you are using a router/firewall that is protecting/stealthing you from inbound unsolicited traffic.

We also need to keep in mind that an Outbound rule does contain an InBound side… for the results of your request to come back to you.

Thanks for your reply… Yeah, I’ve got a Linksys WAG354G Gateway with its firewall switched on. Back when I was a ZA user I used to get all sorts of blocked incoming, though I expect CPF filters the stuff better. Anyways, thanks for answering my question.

Eric

CPF would only filter it better if your firewall does not have SPI (A good implementation).

Actually, does anyone know how good the implementation of the most popular brands like billion, dlink, netgear is? I would really like to see some technical papers (-: …

cheers, rotty

Do you mean how good CFP works with routers?

WOW, WOW, WOW…

again…WOW…

I have spent the last 2 - 3 HOURS pouring over every single thread I could find to help me - a newbie to COMODO and network rules - understand if the default network rules the software has defined for me out-of-the-box is something I should add to, modify, or just leave alone…

Be forewarned gurus and those who answer questions on this forum: I am slowly compiling several (no, numerous) questions that will hopefully educate me on different aspects of the firewall in general, but it seems fitting to jump in here for a clarification, and also to introduce myself as a newcomer and someone who will be asking many questions in the future (like a fifth grader in sex ed). Okay, well maybe that’s a stretch.

But a quick question before I go back to compiling even more questions in my quest to understand:

Monogod states in this thread: "If you run the Add Trusted Network Zone wizard (if you share a LAN with other PC’s), you will also get: (which I promote to be the new ID 0 & 1 rules)

ID  Permission  Protocol  Source  Destination  Criteria
0   Allow       IP Out    Any     ZONE
1   Allow       IP In     ZONE    Any"

Monogod, so just to be clear:

  1. if I have a Home Lan, you advocate replacing the default rules 0 and 1 with these. Is that correct?

  2. What does Comodo consider a LAN? Actual computers talking to one another behind the firewall? What if I only have one computer, one printer, a wireless router and an external hard drive? Is that setup considered a LAN? If so, how come I never see any alerts when I connect to my external drive or printer? Note: I have seen Pandlouk’s thread that recommends adding the IP address of the router as trusted (see, I told you I always read first!), but I’m still working through that one because I’m not sure how to find the IP address of my 2WIRE wireless router. PS - if anyone knows how I can do that, please speak up, otherwise I’ll post that question in my “questions to post” thesis coming up. I’m not sure if Pandlouk means put the WAN address or LAN address, or even how to know where to find it for the wireless router. I know how to do an “ipconfig”, but not sure of which address I need, or even if “ipconfig” will give me the address Pandlouk speaks of.

  3. If what I have is not considered by COMODO to be a “LAN”, then do I need to change the COMODO default rules 0 and 1? Indeed, can I DELETE them if I do not have to replace them with the ones you recommend?

Many more questions to come folks, I’m just warming up! But it is nice to see a bunch of really nice down-to-earth people on a forum for a change that don’t talk down to those that don’t have a clue. I’ve read many, many threads on this forum and can tell that most just enjoy talking about these types of things.

Happy Holidays!

imaginos

Welcome, imaginos, bring on the questions! Someone will answer… :wink:

A couple quick points of clarification:

The 2 rules for the LAN/Network which m0ng0d proposes as the “new” rules 0 & 1 do not mean to remove the original rules 0 & 1, if I have understood him correctly in the past. You have six rules created by default with an Automatic installation. When you run the network wizard, you get the two additional rules, which should be in positions 0 & 1, thus giving you a total of eight rules.

If your external HD & printer are USB/FireWire/etc items, you will not see them. They’re not “networked”. If your external HD and printer are connected to some sort of network hub/switch for hardware, and then that hub is connected to your router, then that’s a different story; they are part of the network and should be seen.

LM

First off, welcome to the forums.

I guess my “document” is getting a little outdated. In earlier CPF versions, new rules added through the wizard were placed at the bottom of the list (the current version now puts them up top where they belong)… therefore, you had to promote them to the top (raise them up higher in the list). Rules are handled/followed in the order listed… which is why any rule you create will need to be above the last rule which BLOCKS all in/out traffic.

I was not suggesting replacing any rules… simply reordering them.

Comodo considers nothing to be the LAN. The perspective to CPF is that it is alone in the world and cares only to protect the PC that it is installed on.

But by using the trusted Zone Wizard, we can tell Comodo that some IP (or range of IP’s like a LAN IP Range) is considered friendly/trusted… allowed to talk with your PC. And there is no rule that says you can only have one trusted “zone”.

The bonus of creating a zone is that it allows us to enter a limited number of rules. Imagine if you had a LAN of 10 PC’s… to save you from having to enter 10 rules is why Zones are so handy.

But when the only other network device is your Wireless Router, then you should not have to create a zone at all… but merely a rule (or rules) as Pandlouk’s guide for keeping a wireless network secure suggests. In fact, if you did define a wide zone, and someone did manage to hijack your internet connection (break into your wireless)… they would be on the same LAN as you and could possibly browse your PC and steal information… not a good thing.

External drive and printers are peripherals of your PC… unless they are network devices that use RJ-45 (ethernet) connections and grab network IP’s.

If you currently have wireless connectivity, you should be able to use the “Gateway” defined/listed in ipconfig as your routers address.

You are a LAN of one; 1 PC on a LAN network with no neighbor PC’s. Take away your router, and you are not on a LAN.

You will need to add (not replace) the rule(s) that Pandlouk has outlined in his wireless post, but using your Router’s IP of course.

Hope that helps!

Oh, and make sure you enable WPA security on your Wireless router as well.
(S)
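The point m0ng0d makes above, that rules are matched top-down and anything placed below the final “Block IP In/Out Any Any” rule is dead, is easy to see with a small model. The following Python is an added example, not code from this thread or from Comodo: it transcribes the 2.3.6.81 default table and the two wizard rules quoted earlier and evaluates constructed sample packets against them first-match. The matching semantics are my reading of the rule table (stateless, so the “inbound side” of an outbound request that m0ng0d mentions is not modelled), and the zone subnet 192.168.1.0/24 and packet addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample packet; addresses are made-up (RFC 5737 / private ranges).
@dataclass
class Packet:
    proto: str                        # "TCP", "UDP", "ICMP", "GRE", ...
    direction: str                    # "In" or "Out"
    src: str                          # IPv4 address as a string
    dst: str
    icmp_message: Optional[str] = None  # e.g. "echo request"

@dataclass
class Rule:
    rule_id: int
    permission: str                   # "Allow" or "Block"
    protocols: frozenset              # {"TCP","UDP"}, {"ICMP"}, or {"IP"} = any protocol
    directions: frozenset             # {"In"}, {"Out"} or {"In","Out"}
    src: str = "Any"                  # "Any" or a zone name
    dst: str = "Any"
    icmp_message: Optional[str] = None
    ipproto: Optional[str] = None     # "GRE", "ANY", or None (no IPPROTO criteria)
    log: bool = False

def _addr_matches(spec, addr, zones):
    """'Any' matches everything; a zone name matches its configured networks."""
    if spec == "Any":
        return True
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in zones.get(spec, []))

def rule_matches(rule, pkt, zones):
    if pkt.direction not in rule.directions:
        return False
    if "IP" in rule.protocols:
        # "IP" rules match any protocol unless narrowed by an IPPROTO criterion.
        if rule.ipproto not in (None, "ANY") and rule.ipproto != pkt.proto:
            return False
    elif pkt.proto not in rule.protocols:
        return False
    if rule.icmp_message is not None and pkt.icmp_message != rule.icmp_message:
        return False
    return _addr_matches(rule.src, pkt.src, zones) and _addr_matches(rule.dst, pkt.dst, zones)

def evaluate(rules, pkt, zones=None):
    """First-match evaluation: return (rule_id, permission) or None if nothing matched."""
    zones = zones or {}
    for rule in rules:
        if rule_matches(rule, pkt, zones):
            return rule.rule_id, rule.permission
    return None

def default_rules():
    """The six 2.3.6.81 defaults as listed in the thread."""
    return [
        Rule(0, "Allow", frozenset({"TCP", "UDP"}), frozenset({"Out"})),
        Rule(1, "Allow", frozenset({"ICMP"}), frozenset({"Out"}), icmp_message="echo request"),
        Rule(2, "Allow", frozenset({"ICMP"}), frozenset({"In"}), icmp_message="fragmentation needed"),
        Rule(3, "Allow", frozenset({"ICMP"}), frozenset({"In"}), icmp_message="time exceeded"),
        Rule(4, "Allow", frozenset({"IP"}), frozenset({"Out"}), ipproto="GRE"),
        Rule(5, "Block", frozenset({"IP"}), frozenset({"In", "Out"}), ipproto="ANY", log=True),
    ]

def zone_rules():
    """The two rules the trusted-zone wizard adds."""
    return [
        Rule(0, "Allow", frozenset({"IP"}), frozenset({"Out"}), src="Any", dst="ZONE"),
        Rule(1, "Allow", frozenset({"IP"}), frozenset({"In"}), src="ZONE", dst="Any"),
    ]

def with_zone_rules_promoted():
    """Wizard rules on top, defaults renumbered 2..7 (eight rules, as Little Mac describes)."""
    rules = zone_rules() + default_rules()
    for i, r in enumerate(rules):
        r.rule_id = i
    return rules

def with_zone_rules_at_bottom():
    """Older CPF behaviour: wizard rules appended after the block-all rule."""
    rules = default_rules() + zone_rules()
    for i, r in enumerate(rules):
        r.rule_id = i
    return rules

# Constructed zone: a home LAN subnet (assumption for the example).
ZONES = {"ZONE": [ipaddress.ip_network("192.168.1.0/24")]}

# Constructed sample traffic.
SAMPLE_PACKETS = {
    "web_out":          Packet("TCP",  "Out", "192.168.1.105", "203.0.113.10"),
    "ping_out":         Packet("ICMP", "Out", "192.168.1.105", "203.0.113.10", "echo request"),
    "ping_in":          Packet("ICMP", "In",  "203.0.113.10",  "192.168.1.105", "echo request"),
    "time_exceeded_in": Packet("ICMP", "In",  "203.0.113.10",  "192.168.1.105", "time exceeded"),
    "gre_out":          Packet("GRE",  "Out", "192.168.1.105", "203.0.113.10"),
    "router_in":        Packet("TCP",  "In",  "192.168.1.254", "192.168.1.105"),
}

if __name__ == "__main__":
    for label, rules in (("defaults", default_rules()),
                         ("zone rules promoted", with_zone_rules_promoted()),
                         ("zone rules at bottom", with_zone_rules_at_bottom())):
        print(f"--- {label} ---")
        for name, pkt in SAMPLE_PACKETS.items():
            print(f"{name:18s} -> {evaluate(rules, pkt, ZONES)}")
```

Running it shows the behaviour discussed in the thread: an inbound echo request reaches rule 5 and is blocked (and logged) under the defaults, inbound “time exceeded” is allowed by rule 3, and traffic from the router is allowed only when the zone rules sit above the block-all rule; appended below it they never match.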

Thanks for the welcome. I knew you would be helpful.

All that is understood, actually. Scary.

A couple clarifications though please:

ipconfig returns:

Connection-specific DNS Suffix. : gateway.2wire.net
IP Address: …: 198.168.1.105
Subnet Address:…: 255.255.255.0
Default Gateway…: 192.168.1.254

So in my “trusted zone” I want to add 192.168.1.254, correct? Please confirm. Also, when I define a “trusted zone” for my wireless router do I use the same IP address for the start range and the end range?

  1. So by doing #1 above, I am telling Comodo that the only network device that is allowed to communicate with my laptop is the router, right? And since that is the only “networking” device I have in my setup, I’m good to go? And yes, all the peripherals I mentioned before are all USB/Firewire connected, so they would not be considered networking devices.

  2. To better enhance correspondence here, how does one insert a screenshot into a post? I see the “insert image” option, but it simply gives me the html img tags. Can I not just paste an image from the windows clipboard, or do I have to have a URL to refer to or upload an image?

Thanks again,

imaginos

I’ll let m0ng0d answer the wireless router question, but I’ll take on the 2nd one.

You can attach a screenshot by using the “Additional Options” right below the text box, for a jpg, gif, etc. If you want to paste into your text, you’ll need to use something like imageshack, photobucket, etc to host the picture and generate the html coding for it, to include here.

I personally prefer the attachment to the inline image, but that’s just me… :wink:

LM

It’s a great feeling when all the knowledge starts falling into place (:NRD)

Absolutely correct. Just give the “Zone” the name MyRouter or something meaningful to you.

Remember that it is a 2 step process:

  • Create the new zone as you described using Add/Remove/Modify a Zone, then
  • use the Define a new trusted network wizard to add the 2 new rules for that zone.

This process opens the gate for communication to flow to/from your PC to/from your Router.

As Little Mac suggested, the Additional Options… link in the forum post allows you to attach an image. We’d need to download it to see it, but it is still effective sharing.

Here, I’ve attached a screenshot of my network rules for you to see how that works. As you can see, I called my Network LAN.

Sounds like we are winning! (:CLP)

[attachment deleted by admin]