How To - Understanding & Creating Network Control Rules properly

Thanks a lot panic.
And about my second question, does anybody know how to make a network control rule that allows a PC in a LAN to see and connect with others, while the others can't see and connect to it? 88)

The easiest way to answer this is to look at the Trusted Zone rules that CPF can make. These 2 rules are…

  • ALLOW IP OUT FROM IP [Any] TO IP Zone WHERE IPROTO IS ANY
  • ALLOW IP IN FROM IP Zone TO IP [Any] WHERE IPROTO IS ANY

The 1st one lets your PC go out on the network and talk to devices on it and get a response back.

The 2nd one lets other devices on the network talk to your PC whenever they feel like it (without waiting for your PC to start the “conversation”).

So if you don’t want the “other” PCs to be able to get a response from you… remove the second rule.
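As an added illustration (not code from the thread or from Comodo), here is a small stateful model of the two Trusted Zone rules above. It assumes the Network Monitor behaves as a stateful filter, which is what "get a response back" in rule 1 implies: replies to flows this PC opened are let in even with rule 2 removed, while unsolicited packets from the zone need rule 2. The zone 192.168.1.0/24, the hosts and the "packets" are constructed for the demo.

```python
"""Added example: a minimal stateful filter modelling the two Trusted Zone
rules.  Assumptions: stateful reply matching; constructed zone, hosts and
packets; only these two rules exist (no other allow rules)."""
import ipaddress
from typing import Dict, Set, Tuple


class TrustedZoneFilter:
    def __init__(self, zone: str, rule2_inbound_from_zone: bool):
        self.zone = ipaddress.ip_network(zone)
        # Rule 2: ALLOW IP IN FROM IP Zone TO IP [Any].  False = rule removed.
        self.rule2 = rule2_inbound_from_zone
        # Flows this PC opened itself: (protocol, remote address).
        # A real tracker ages these out; they are kept forever in this model.
        self.opened: Set[Tuple[str, str]] = set()

    def _in_zone(self, ip: str) -> bool:
        return ipaddress.ip_address(ip) in self.zone

    def outbound(self, proto: str, dst: str) -> Tuple[bool, str]:
        """Rule 1: ALLOW IP OUT FROM IP [Any] TO IP Zone, any protocol."""
        if self._in_zone(dst):
            self.opened.add((proto, dst))
            return True, "rule 1: out to zone"
        return False, "no rule covers destinations outside the zone"

    def inbound(self, proto: str, src: str) -> Tuple[bool, str]:
        if (proto, src) in self.opened:
            return True, "reply to a flow this PC opened (state)"
        if self.rule2 and self._in_zone(src):
            return True, "rule 2: unsolicited in from zone"
        return False, "unsolicited inbound, no matching rule"


def demo() -> Dict[str, Dict[str, bool]]:
    """Same traffic against a PC with both rules and one with rule 2 removed."""
    results = {}
    for label, rule2 in (("both rules", True), ("rule 2 removed", False)):
        fw = TrustedZoneFilter("192.168.1.0/24", rule2)
        fw.outbound("icmp", "192.168.1.20")            # this PC pings a neighbour
        results[label] = {
            "neighbour replies": fw.inbound("icmp", "192.168.1.20")[0],
            "neighbour pings us": fw.inbound("icmp", "192.168.1.30")[0],
            "outsider pings us": fw.inbound("icmp", "10.0.0.5")[0],
        }
    return results


if __name__ == "__main__":
    for label, verdicts in demo().items():
        print(label, verdicts)
```

With rule 2 removed the neighbour's reply to our own ping still gets in, but the neighbour's own ping to us does not, which is exactly the "I can see them, they can't see me" behaviour asked about.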

OK…I’m a brand, brand new newbie here to Comodo. (:WAV) I have 1 computer here at home and I am connected to a DSL provider through a Westell 6100 modem.
So…the logs show many, many continuously repeated “access denied” reports of “echo requests” and “port unreachable” between 192.168.x.x and 192.168.x.x. I think that this is my modem or ISP provider address and my computer address. Tell me if I’m right or wrong…Anyway, I think that the two are supposed to communicate with each other. Should I create a network control rule and allow these two addresses to communicate?
Thank you !!

Welcome to the forums, Brian (:WAV)

The 192.x.x.x addresses are internal addresses (such as on a LAN/network). If you look on the bottom right corner of your post here, you’ll see your external IP address; this will match up with your ISP.

Your Westell modem may be functioning as a router (you’d have to check your manual to see if it has that capability), and thus creating an internal “network” with your computer. However, my personal criteria would be: Is your internet connection functioning for all your purposes? If so, then you probably don’t need to allow it.

In other words, if it ain’t broke, don’t fix it… :wink:

Hope that helps,

LM

brian,

A quick search and looking at the online specs from Westell says that the 6100 is a routing modem, with Network Address Translation and a Stateful Packet Inspection hardware firewall.

Is it wireless as well? That I didn’t see…

LM

Hi and Thanks !!!
My Westell 6100 is not wireless…provided by BellSouth. It is wired to my computer and then to the telephone jack.
My previous firewall was ZA Free, and I remember the same exact issue, where the same frequent logs were generated. When I clicked on that log in ZA it sent me to a ZA link which described it as something like…it was likely my ISP provider(?) trying to “ping”(?) my modem(?) to see if everything is OK. So I allowed 192.168.x.x and 192.168.x.x. Otherwise my internet surfing is fine with Comodo, except for all those denied logs it’s generating, and I’m wondering if it is the same “ping” as I had with ZA…It looks like it…Why does the ISP ping the modem all the time?
When I type in the IP address 192.168.x.x in my search browser it brings me right to the BellSouth internet service modem page…I hope you can understand all this…Thanks all.

So in other words, you want me to read 6 pages of what-ifs so that before I can use the software I can call myself a network wiz? ■■■■■ the network. I like things simple, and if it takes six pages to figure this out, that is a waste of my time.

You might check out this page: https://forums.comodo.com/index.php/topic,6167.0.html… It’s a compilation of tutorials/explanations on various aspects of CFP, and common application/network questions. It has been taken from the original topics, and locked to prevent questions/responses. Each section within has an embedded link to the original topic, where you can post additional questions if you need.

That might save you the “six pages”…

LM

Brian,

It is not uncommon for an ISP to ping you, as part of your IP lease ~ their system regularly “checks” the computers to which it has issued an IP address, to make sure they’re still active, and possibly to renew that IP lease (which normally has an expiration time period). But that would typically show from an IP actually belonging to the ISP; it won’t be a 192.x.x.x address.

It sounds like you’re getting your modem setup when you put the IP address in; if it looks like some sort of login page, that’s probably what it is. It’s also not uncommon for your router to “ping” your computer, as part of its role in the whole IP lease scenario.

If you go to Start/Run and type in “cmd”, then at the prompt in the DOS window that opens, type “ipconfig /all”, it will show you IP addresses for things like:

Your computer. Your DNS Server. Your DHCP Server. Your WINS Server. Your Default Gateway. You may see some duplicates. The only one that’s likely not a 192.x.x.x address will be the DNS Server; this one will belong to your ISP.

If you have only the one computer and/or you’re not sharing any files with any other computers (if you have more than one), you can limit that “Trusted Network” to the range of the highest 192.x.x.x IP given. For example, let’s say that your DHCP Server and Default Gateway are both 192.168.1.1, and the WINS Server is 192.168.1.2, and your computer is 192.168.1.3. Your Trusted Network could be created as a range from 192.168.1.1 to 192.168.1.3.

By setting that Zone as a Trusted Network, you allow all traffic across that range, which should clear out those entries. If those entries are coming from IP addresses outside that range, I’d be asking why…

LM
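As an added example (not code from the post, nor a Comodo tool), the procedure above can be checked mechanically: read the addresses out of an "ipconfig /all" listing, take the lowest and highest host address on the LAN as the Trusted Network range, and then sort the addresses seen in the log into "inside the range" and "outside the range, ask why". The ipconfig text is constructed to look like Windows XP output (not a real capture), the DNS server 198.51.100.53 is a documentation address standing in for the ISP's, and the log source addresses are invented. Note that the LAN broadcast address 192.168.1.255 lands outside a range built this way.

```python
"""Added example: derive a Trusted Network range from ipconfig /all output and
classify log sources against it.  The ipconfig text and the log sources are
constructed; 198.51.100.53 is a documentation address standing in for the ISP DNS."""
import ipaddress
import re
from typing import Dict, Iterable, Tuple

SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

        IP Address. . . . . . . . . . . . : 192.168.1.3
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 198.51.100.53
        Primary WINS Server . . . . . . . : 192.168.1.2
"""

# "<label> . . . : <dotted quad>"; the label is the text before the dot leaders.
LINE_RE = re.compile(
    r"^\s*(?P<label>[A-Za-z][A-Za-z ]*?)[ .]*: (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*$",
    re.M,
)


def parse_ipconfig(text: str) -> Dict[str, ipaddress.IPv4Address]:
    """Map each labelled line (IP Address, DHCP Server, ...) to its address."""
    return {m["label"].strip(): ipaddress.ip_address(m["ip"]) for m in LINE_RE.finditer(text)}


def lan_subnet(addrs: Dict[str, ipaddress.IPv4Address]) -> ipaddress.IPv4Network:
    """The LAN this PC sits on, from its own address and subnet mask."""
    return ipaddress.ip_network(f"{addrs['IP Address']}/{addrs['Subnet Mask']}", strict=False)


def trusted_range(addrs) -> Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]:
    """Lowest to highest host address seen on the LAN (mask and ISP DNS excluded)."""
    net = lan_subnet(addrs)
    hosts = [ip for label, ip in addrs.items() if label != "Subnet Mask" and ip in net]
    return min(hosts), max(hosts)


def classify_log_sources(addrs, sources: Iterable[str]) -> Dict[str, str]:
    """Which blocked-traffic sources the Trusted Network would cover."""
    lo, hi = trusted_range(addrs)
    net = lan_subnet(addrs)
    verdicts = {}
    for s in sources:
        ip = ipaddress.ip_address(s)
        if lo <= ip <= hi:
            verdicts[s] = "inside Trusted Network"
        elif ip in net:
            verdicts[s] = "on the LAN but outside the range"   # broadcast .255 ends up here
        else:
            verdicts[s] = "not on the LAN: ask why"
    return verdicts


if __name__ == "__main__":
    addrs = parse_ipconfig(SAMPLE_IPCONFIG)
    print("Trusted Network:", trusted_range(addrs))
    # Constructed log sources: router, LAN broadcast, and something foreign.
    for src, verdict in classify_log_sources(addrs, ["192.168.1.1", "192.168.1.255", "10.0.0.9"]).items():
        print(f"{src:15} {verdict}")
```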

Hey Mac,

If we’re going to create a zone that covers only those IPs currently in use (e.g. 192.168.1.1 - 3), would we also need to create a second zone covering just 192.168.1.255 to allow for broadcasts?

Ewen :slight_smile:

With the router I have, it told me to make it the DNS server for all of the computers. I would say this is due to the different ways that the routers work, possibly.

That would make sense, if we want to interact with/allow the broadcast traffic… If it’s only one computer, no file sharing or ICS, etc. why would we need to?

I personally have it set up only for the DNS, Gateway, and DHCP; it has worked so far - at least AFAIK… ;D

LM

Little Mac…OK and thanks, but to tell you the truth, I really don’t comprehend this firewall that well. It’s a little complicated for me with all the rules and settings. Can I just “set it and forget it”? Do I leave it in “Learn”, and for how long?
I would like to keep it because it’s supposed to be the best firewall, but I don’t want to have to fool with it…Thanks (:WIN)

Brian,

I agree that CFP is not the most “newb-friendly” firewall in the world, due to the level of its complexity; at this point it’s a bit of a trade-off (security vs easy). A number of users have requested more “user-friendly” features, which I think is probably a good thing. However, I am confident that regardless of your computer skill level, this firewall is not beyond your reach.

If you’re on a hard-wired router/modem (which you’ve said you are), then you don’t have much to worry about with those log entries, in my opinion. There’s always a possibility that someone has physically connected to your home’s wiring, etc but that’s probably not very likely.

That said, you can do one of a couple things:

  1. Ignore the logs as long as everything seems to be working (ie, you can browse, check your email, etc).
  2. Automatically create a Zone that will encompass them (Security/Tasks/Add a Zone) and then set that as “trusted” (Security/Tasks/Define a New Trusted Network).
  3. Manually create two Zones - one to allow the current IP Configuration (as per my earlier post) and set that as a Trusted Network (as per item 1); one to define everything from that point through the end of the IP range, and use that Zone to define a Block and don’t Log rule in your Network Monitor.

Item 1 is obviously the easiest; however, you get a lot of “clutter” in your logs. This is the “ignore” approach.

Item 2 is VERY EASY to do (it’s almost fully automated); it will allow the traffic automatically and won’t clutter your logs. Given you’re not wireless, this is the “set and forget” option.

Item 3 would be the one for the PC junkies… ;D If you wanted to do so, it’s easy enough, and any of the Mods here (as well as any number of other users) can walk you through that.

Hope that helps,

LM

Hi Little Mac…OK, I called my ISP DSL provider BellSouth and they said that one of those IPs is my computer and the other IP is BellSouth (or my modem?). Anyway, they said that I should allow those two IP addresses to communicate or it’s possible I could lose my connection (or something like that…it’s hard to understand while “chatting” with a tech…you feel somewhat under a constraint). I had been allowing Comodo to block it with no disruptions(?)
Anyway…I went into Network Monitor and created a 5th and 6th ID and moved the Block and Log (previously #5) to the 7th position. ID 5 and 6 are just those single IP addresses in/out. Does this sound correct and the right position? I let them log and now it just says Info instead of Block.
Also…what about the “Learn” in the Component Monitor…I set it to ON and now every time I turn on my computer it goes back to Learn…How should it be set??
Thanks 8)

Brian,

If you want, we can take a look at your Network Monitor rules setup, to make sure it looks ok. Open NetMon to full-screen, and capture a screenshot. Save it as a jpeg (you can cut/mask your IP address if it shows in there, if you like) and attach to your post under “Additional Options.”

For Component Monitor,

  1. I’d leave it set to “Learn” for a week or two, until you’ve run pretty much all your applications. Then to “On.”
  2. After turning it “On” click the “Apply” button. Wait a minute, then reboot.

LM

Hi.

I have a few questions too. I used Sygate Personal Firewall before, and I thought I would try other firewalls. I have a stupid Surecom EP4904SX router with 3 PCs on it (and only one external IP address from our fantastic local cable TV company). I use this router in DMZ mode for 192.168.1.2, since this is the only way I can be connectable constantly. So the router lets everything happen between my PC and the net.
I installed your product, and after setting up network control rules for BitTorrent and Soulseek and eMule, I realized that it works well, but if I quit these programs, there is still traffic flowing into my PC (Comodo’s log says access granted) for more than half an hour. I tried removing these new network control rules, and tried adding trusted applications (skip parent check, allow all activities, skip advanced security checks, allow invisible connection attempts). But as I figured out, network control rules have a higher priority than application control rules. So no matter how much trust I give to an application, a network control rule will still block it. But if I set a network control rule, it won’t know which application it should trust (and won’t know whether the app is running or not), so the problem above arises. So my first question is: how to solve that?
Another thing is that if I disable various ICMP traffic, DCC on mIRC won’t work. So I wanted to enable all ICMP traffic between my router 192.168.1.1 and my PC 192.168.1.2, so that if a problem is emerging, the router and the firewall could communicate well. And here is the second (maybe lame) question: is there any difference between an ICMP packet coming from the net, forwarded by the router to my PC, AND an ICMP packet simply coming from the router itself towards my PC?
I would be happy to manage being p2p-connectable and secure with your firewall, so please answer me even if my whole theory is wrong :smiley: Thanks in advance

You’re soooooo close to getting your head around how CFPs rules work. :wink:

You’re correct in saying that network monitor rules have the final say as to what gets in or out, regardless of what application rules are set up. The bit you’re missing is that CFP will only allow traffic in on an allowed port IF there is an application rule that allows an application to listen on that port AND that application is running.

If you have a network monitor rule that allows (for example) a DCC connection inbound and you have an application monitor rule to allow DCC to accept inbound connections, CFP will block inbound connections on the nominated port unless DCC is running. Once DCC is running, CFP will allow the incoming connections.

Hope this helps,
Ewen :slight_smile:
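The following is an added example (not code from the thread or from Comodo) that models the two points made across this page: Little Mac's item 3 (a Trusted Network zone allowed, the rest of the LAN range blocked without logging, and the Block & Log rule kept at the bottom, which is why Brian had to move his to the last position), and Ewen's explanation just above that a port the Network Monitor allows is still closed unless a running application has an Application Monitor rule permitting it to listen there. Rule order, the zone ranges, the application name utorrent.exe, port 6881 and the packets are all constructed for the demo.

```python
"""Added example: how CFP's two rule layers combine on one inbound packet.
Modelled from the thread: Network Monitor rules are evaluated top to bottom,
first match wins; an allowed packet then needs a running application with an
Application Monitor rule permitting it to accept connections on that port.
All rules, names, ranges and packets here are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Zone:
    first: str
    last: str

    def __contains__(self, ip: str) -> bool:
        a = ipaddress.ip_address(ip)
        return ipaddress.ip_address(self.first) <= a <= ipaddress.ip_address(self.last)


@dataclass
class NetRule:
    action: str          # "allow" or "block"
    src: Optional[Zone]  # None stands for [Any]
    log: bool            # write a log entry when this rule matches


@dataclass
class AppRule:
    app: str             # process name
    ports: Set[int]
    accept_inbound: bool  # may accept (listen for) inbound connections


Decision = Tuple[str, str, bool]   # (verdict, reason, logged)


def decide_inbound(net_rules: List[NetRule], app_rules: List[AppRule],
                   running: Set[str], src: str, dport: int) -> Decision:
    """Network Monitor first (ordered, first match), then Application Monitor."""
    for n, rule in enumerate(net_rules, start=1):
        if rule.src is not None and src not in rule.src:
            continue
        if rule.action == "block":
            return ("block", f"Network Monitor rule {n}", rule.log)
        net_log = rule.log
        break
    else:
        # Assumption for the model: nothing matched, treat as blocked and logged.
        return ("block", "no Network Monitor rule matched", True)

    for app in app_rules:
        if app.accept_inbound and dport in app.ports and app.app in running:
            return ("allow", f"{app.app} is running and may listen on {dport}", net_log)
    return ("block", "no running application is allowed to listen", False)


# Item 3: trusted hosts allowed, rest of the LAN blocked silently, all else
# blocked and logged.  The Block & Log rule must stay last.
LAN_RULES = [
    NetRule("allow", Zone("192.168.1.1", "192.168.1.3"), log=False),
    NetRule("block", Zone("192.168.1.4", "192.168.1.255"), log=False),
    NetRule("block", None, log=True),
]
APPS = [AppRule("utorrent.exe", {6881}, accept_inbound=True)]


def demo(running: Set[str]) -> Dict[str, Decision]:
    """Three constructed inbound packets to port 6881 with a given set of running apps."""
    return {src: decide_inbound(LAN_RULES, APPS, running, src, 6881)
            for src in ("192.168.1.1", "192.168.1.50", "10.0.0.9")}


def misordered() -> Decision:
    """Block & Log moved to the top: the allow rule below it can never match."""
    rules = [LAN_RULES[2], LAN_RULES[0], LAN_RULES[1]]
    return decide_inbound(rules, APPS, {"utorrent.exe"}, "192.168.1.1", 6881)


if __name__ == "__main__":
    for state in ({"utorrent.exe"}, set()):
        print("running:", state or "{}")
        for src, d in demo(state).items():
            print(f"  {src:14} -> {d}")
    print("misordered:", misordered())
```

Running it shows the trusted host's packet allowed only while utorrent.exe is running, the rest of the LAN blocked with no log line, the foreign address blocked and logged, and, with the Block & Log rule on top, everything blocked by rule 1 regardless of the zones below it.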

Hehe. Why didn’t I think of that… Thanks for the help, it works now as it should.

Hello everyone. Very interesting read. I am new to CFP. I installed CFP several days ago and everything is going well. All the rules seem to be working and I have not encountered any problems. I have one issue that continues to concern me. My log files indicate that I am blocking pings from my ISP [outbound policy violation/ICMP outgoing/source: 192.169.15.100/dest: 25.25.5.149/Msg: port unreachable].

I am concerned that if Time Warner’s ping continues to go unanswered, my internet connection will be disconnected. Is there a rule modification that I should consider, or can I just ignore the log entries?

Thanks in advance
Jim
Charlotte, NC