I need help with configuration regarding CFP 3.0 and my router...

Hi, to all CFP 3.0 fans and users.
I have an Edimax ADSL2+ router and CFP 3.0 on my computer. However, there is one issue that really bothers me with my router and CFP 3.0. What I really want is this:
I want to allow all inbound traffic to my computer so CFP 3.0 can block it. What I’ve discovered is that even though I had NAT enabled with firewall+SPI enabled in my router, CFP 3.0 still blocked some incoming intrusions that the router didn’t.
So, I decided to simply allow all inbound traffic to my computer so CFP 3.0 can block it.
But is there any way to do that?
Basically, I want to make the router useless, so that CFP 3.0 can do its job.
What can I do to disable NAT?
I’ve had no problem disabling firewall+SPI, but when I deactivate NAT all internet traffic is blocked; I can’t surf.
How do I disable NAT completely and make my default IP gateway usable in the same way I had with my previous modem, so CFP 3.0 can continue to block intrusions like it did with my previous modem?
It’s just a matter of trust; I simply trust CFP 3.0 more than any router in this world.
Can anyone please help me with this kind of configuration?
I simply want to disable my router’s protection completely (I want to disable NAT completely), and let CFP 3.0 do all the dirty work of blocking inbound (and outbound) intrusion attempts.
Is this possible in any way?
A big thank you for any help you can give me.

G’day,

Unfortunately, NAT is necessary, but you can achieve what you want. It’s not a one-step solution, but it is do-able. First, though, I’d like to explain why we need to do it this way.

A router, in a nutshell, has two network interfaces - one facing inwards towards your PCs and the other facing outwards towards the internet. The inwards facing router network interface and your PCs will generally have a private IP address. The outwards facing router network interface card will have a public IP address assigned by your ISP connection.

When your PC attempts to fetch a web page from the internet, your request initially goes to the router. The router will then remove the private internal address from the request and replace it with the public IP address assigned by the ISP. The data request, with the public IP address inserted, is then forwarded on through the ISP network to the internet.

The reason the IP addresses get swapped is because private IP addresses are non-routable. If one of your data packets made it onto the internet with the private IP address intact, it would be swallowed at the first public router it encountered, as private addresses cannot go outside the original network they were assigned to (in this case the network that exists between your PC and the inwards side of your router).

Meanwhile, back at the router, the reply to your request has been received. The router then performs the same IP address swapping, but in reverse, swapping the public IP address for the internal one assigned to your PC and then it forwards it to the internal LAN.

If you are behind a router, then you have to have NAT.

Now, on to your problem.

DON’T DO IT!

Simple as that, just don’t do it.

It would be better if you could provide details on the attempted intrusions that apparently bypassed your router, so we can see exactly what the nature of the problem is. Can you let us know what happened, with any and all relevant details?

I would strongly recommend that you leave the router’s firewall enabled, regardless of your opinion of its efficacy. If you only had three intrusions with the firewall enabled, how many do you think you’ll get with it disabled? And how much extra work will these additional intrusions place on CFP, thereby affecting your use of your PC?

If you still want to push ahead …

If you want to use CFP as your only firewall, you will need to do what is known as port forwarding. This is where your router is instructed to receive inbound data and forward it directly to a specified IP address inside the LAN, after NAT’ing the address.

If you want ALL ports forwarded AND you have more than one PC on your LAN, then that PC is going to have to act as a gateway for the other PCs, as ALL inbound data would be directed to a single IP address (your PC). Depending upon the quantity of PCs on your LAN and the data density of their network connections, this could place a significant load on the PC acting as a gateway.

The link below is to a guide on port forwarding for your router (or the Edimax router I assume you have, since you haven’t quoted a model number).

http://www.portforward.com/english/routers/port_forwarding/Edimax/Wi-Fi_ADSL2+/Wi-Fi_ADSL2+index.htm

Sorry this is such a long post, but I felt a greater detail of information may have been better than just a canned solution to the presented problem.

Hope this helps,
Ewen :slight_smile:

Hi, Panic, first of all a big thank you for the very quick response.
So you recommend not disabling NAT, firewall and SPI in my Edimax ADSL2+ router. OK.
Regarding logs, the only thing that was really blocked was the following: my own 192.168.2.1, both incoming and outgoing, and one routed; this I DON’T UNDERSTAND. However, when I enabled my SPI and firewall with NAT, of course the logs were completely empty, since all the traffic was 100% blocked by the router itself (when firewall and SPI were enabled).

Here is my problem with the router: I want outbound control, this is what I really miss. Maybe I should simply uninstall CFP 3.0 (but I’LL LEAVE Comodo’s Safe Surf toolbar in it for buffer overflow protection).
How do I know whether my router controls what application, process or program connects to the internet?
Even though I did a fresh reinstall from scratch and my computer is 100% clean, I’d still be happy if it could ask me whether this program/process/driver is trying to do this or that, or is trying to connect to the internet.
Any solution possible?
After all, why would I need CFP 3.0 or any other software firewall if I have a router now?
Big thank you for your reply, again.

CFP IS your outbound protection, not the router.

Routers can only ever know about incoming. They assume that traffic originating on the internal LAN is trusted traffic and allowed out (with a few exceptions).

CFP IS your means of application control.

Can you provide the IP address, protocol and any other details of the attempted intrusions?

Ewen :slight_smile:

Hi, Panic, here is what my log says:

Protocol: IGMP (type 34) source IP: 192.168.2.10 Destination IP: 224.0.22 Direction: Outgoing Action taken: Blocked

then
Protocol: UDP source IP: 192.168.2.10:137 Destination IP:192.168.2.255:137 Direction: Outgoing Action taken: Blocked

Protocol: UDP source IP: 192.168.2.10:138 Destination IP: 192.168.2.255:138 Direction: Outgoing Action taken: Blocked

So, what does it mean?

It looks like you have a few configuration issues with multicast and broadcast connections.

The port range 135-139 is reserved for DCOM and NetBIOS and can be enforced using svchost application rules and/or global rules.

svchost is now part of Windows Updater Applications group

[Windows Updater Applications] is defined as

[0] D:\WINDOWS\system32\svchost.exe
[1] D:\WINDOWS\system32\msiexec.exe
[2] D:\WINDOWS\system32\wuauclt.exe
[3] D:\WINDOWS\SoftwareDistribution\*
[4] D:\WINDOWS\system32\wupdmgr.exe
[5] D:\Program Files\COMODO\Firewall\cfpconfg.exe

As I don’t know if you provided your router log, here is my current CFP ruleset:

Firewall\Common Tasks\My Port Sets

  • Netbios & DCOM
    IN (135-139)
    445

  • Incoming TCP
    Add yours

  • Incoming UDP
    Add yours

Firewall\Common Tasks\My Network Zones

  • Local Area Network
    IP in [your network IP Mask (eg 10.0.0.0/255.0.0.0)]
    IP 0.0.0.0
    IP 255.255.255.255

  • Internet-wide Multicast
    IP in 224.0.1.0-238.255.255.255

  • Special & Local Multicast
    IP in 224.0.0.0-224.0.0.255
    IP in 239.0.0.0-239.255.255.255

Firewall\Advanced\Predefined Firewall Policies

  • LAN
    Allow IP In From In [Local Area Network] To IP Any Where Protocol Is Any
    Allow IP Out From IP Any To In [Local Area Network] Where Protocol Is Any
    Allow IP Out From IP Any To In [Special & Local Multicast] Where Protocol Is Any
    Block and Log All Unmatching Requests

  • LAN & Outgoing
    Allow IP In From In [Local Area Network] To IP Any Where Protocol Is Any
    Allow IP Out From IP Any To In [Local Area Network] Where Protocol Is Any
    Allow IP Out From IP Any To In [Special & Local Multicast] Where Protocol Is Any
    Allow TCP or UDP Outgoing Requests
    Block and Log All Unmatching Requests

Firewall\Advanced\Network Security Policies\Application Rules

  • System - LAN or LAN & Outgoing
  • Explorer - LAN + ALLOW TCP OUT to host crl.microsoft.com

Firewall\Advanced\Network Security Policies\Global Rules

  • Allow TCP In From IP Any to IP Any Where Source Port ANY And Destination Port Is In [Incoming TCP]
  • Allow UDP In From IP Any to IP Any Where Source Port ANY And Destination Port Is In [Incoming UDP]
  • Allow TCP In from Any IP to Any IP where Source Port is 20 and Destination Port is ANY (To enable Active FTP transfers)
  • Block and Log TCP or UDP Out From IP Any to IP Any Where Source Port is In [Netbios & DCOM] And Destination Port Is ANY
  • Allow and Log TCP or UDP Out From IP Any to IP Any Where Source Port Is In [Privileged Ports] And Destination Port Is Any
  • Allow TCP or UDP Out From IP Any to IP Any Where Source Port Is Not In [Privileged Ports] And Destination Port Is Any
  • Allow IP out from Any IP to Any IP where the protocol is GRE (Needed for PPTP)
  • Allow ICMP Out From From IP Any to IP Any Where ICMP Message Is ECHO REQUEST
  • Allow ICMP In From From IP Any to IP Any Where ICMP Message Is ECHO REPLY
  • Allow ICMP In From From IP Any to IP Any Where ICMP Message Is TIME EXCEEDED
  • Allow ICMP In From From IP Any to IP Any Where ICMP Message Is FRAGMENTATION NEEDED
  • Block and Log IP In/Out From From IP Any to IP Any

The last step should be to use Firewall\Common Tasks\Firewall Stealth Configuration, choose “Define a New trusted network” and allow [Local Area Network] and [Special & Local Multicast].

NOTE: When you add your private IP range to your [Local Area Network] Zone, don’t forget to add your Network Address (usually ending with .0) and Broadcast Address (usually ending with .255) using IP Masks or IP Ranges.

eg: Network Address: 10.0.0.0, Broadcast Address: 10.255.255.255
IP Mask 10.0.0.0/255.0.0.0
IP Range 10.0.0.0-10.255.255.255

You can delete Allow IP In From In [Special & Local Multicast] To IP Any Where Protocol Is Any from your global rules

Protocol: UDP source IP: 192.168.2.10:137 Destination IP:192.168.2.255:137 Direction: Outgoing Action taken: Blocked

Protocol: UDP source IP: 192.168.2.10:138 Destination IP: 192.168.2.255:138 Direction: Outgoing Action taken: Blocked

These 192.168.X.X addresses are from your LAN. Ports 137 and 138 are used in Microsoft networking. They are OK to ALLOW.

The other one I’m not sure about.

Is UPnP disabled on your router? If not, then it is usually recommended to disable it. Turn it off and see if the IGMP alerts vanish.

Please note that IGMP is different to ICMP.

Ewen :slight_smile:
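As an added illustration (not code from the thread or from Comodo), the following Python walks the quoted outgoing log lines through the posted global rules, with and without the two zones that the “Define a New trusted network” step adds, to show which rule decides each line. It assumes a 192.168.2.0/24 LAN, that the trusted-network step prepends “Allow IP Out” rules for [Local Area Network] and [Special & Local Multicast] to the global rules, and an IGMP destination of 224.0.0.22 (the quoted “224.0.22” is not a valid address).

```python
import ipaddress
import re

# Network zones from the ruleset posted above; the LAN range is constructed from the log lines.
ZONES = {
    "Local Area Network": ["192.168.2.0-192.168.2.255", "0.0.0.0", "255.255.255.255"],
    "Special & Local Multicast": ["224.0.0.0-224.0.0.255", "239.0.0.0-239.255.255.255"],
}
NETBIOS_DCOM = set(range(135, 140)) | {445}  # the "Netbios & DCOM" port set
# Outgoing global rules from the post as (action, protocols, source ports, destination zone);
# None means "any". "Define a New trusted network" is assumed to prepend the first two.
TRUSTED_NETWORK_RULES = [
    ("Allow", None, None, "Local Area Network"),
    ("Allow", None, None, "Special & Local Multicast"),
]
GLOBAL_OUT_RULES = [
    ("Block", {"TCP", "UDP"}, NETBIOS_DCOM, None),  # Source Port Is In [Netbios & DCOM]
    ("Allow", {"TCP", "UDP"}, None, None),          # Allow TCP or UDP Out ... Destination Port Is Any
    ("Block", None, None, None),                    # Block and Log IP In/Out From IP Any to IP Any
]
LOG_RE = re.compile(r"Protocol: (\w+).*?[Ss]ource IP: ([\d.]+)(?::(\d+))? +"
                    r"Destination IP:\s*([\d.]+)(?::\d+)? +Direction: (\w+)")

def in_zone(ip, zone):
    # A zone entry is either a single address or an "a-b" range, as written in the post.
    addr = ipaddress.ip_address(ip)
    for entry in ZONES[zone]:
        lo, _, hi = entry.partition("-")
        if ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi or lo):
            return True
    return False

def evaluate(line, trusted_network=True):
    """Return (verdict, matching rule) for one outgoing CFP log line, checking rules in order."""
    proto, src, sport, dst, direction = LOG_RE.search(line).groups()
    sport = int(sport) if sport else None
    rules = (TRUSTED_NETWORK_RULES if trusted_network else []) + GLOBAL_OUT_RULES
    for rule in rules:
        action, protos, sports, zone = rule
        if protos is not None and proto not in protos:
            continue
        if sports is not None and sport not in sports:
            continue
        if zone is not None and not in_zone(dst, zone):
            continue
        return action, rule  # the final global rule matches everything, so this always returns
# Constructed sample lines in the format quoted in the thread; IGMP destination assumed 224.0.0.22.
SAMPLE_LOG = [
    "Protocol: IGMP (type 34) source IP: 192.168.2.10 Destination IP: 224.0.0.22 Direction: Outgoing Action taken: Blocked",
    "Protocol: UDP source IP: 192.168.2.10:137 Destination IP:192.168.2.255:137 Direction: Outgoing Action taken: Blocked",
]
```

Without the trusted-network zones the IGMP line falls through to the final block rule and the NetBIOS broadcast is stopped by the [Netbios & DCOM] block, which matches what the quoted log shows; with them both are allowed, while the same NetBIOS packet to an internet address is still blocked.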