I think I need help to config CFP without blocking too much...

Hello!
For a couple of weeks, my CFP was “forgetting” some things, so I finally decided to reinstall it, and take the chance to add SafeSurf. Now I have to config it again… and I didn’t remember a couple of problems I am facing now.

  I am a student, in the IT area, so I can't just block everything, because that could give me other problems... but I also don't want to have to reinstall Windows the day after having to finish some "homework".

  Currently I am having a port 135 alert every 5 minutes, and I have been unable to find info about whether it is safe to block that port...

I use the following things (mainly):

  • IIS 5: needed to run Visual Studio. Ports 80 and 443 (and maybe some others I am not aware of)

  • SQL Express: for the VS programs, as well as my database classes (I don’t remember the port it uses)
    These things don’t need to be reachable from the Internet. At least, not for now.

  • Apache Webserver: I use it to test things for the forum I admin. It is useful if it can be reached from the Internet (it uses ports 6060 and 6080)

  • MySQL: runs on its standard port… I think it should not be reachable from the Internet; things hosted in Apache should reach it as “localhost”.

  • Hamachi: I use it to play games, and to allow some friends to remotely control my computer, from time to time.

  • logmein: to allow the same friends to remotely control my computer. I also have used it to show some “homeworks” without having to deploy them at university… since I can’t deploy anything there.

  • I also share printers and folders at home, and I also provide Internet access to my mother’s computer, using my computer as gateway.

  • VMWare: I use it to “play” with things, without breaking my windows… if something goes wrong there, there is no problem, since the important stuff is on my “real” machine.

    And I use Windows XP pro SP2, protected by CFP 3, and Avast! Free (maybe I will move to Comodo Antivirus v3, once it is available).

    So, I would like to “trust” my local area network, my Hamachi network, the VMWare virtual network adapters, and at the same time try to be as secure as possible… Last time I think I managed to config it all by myself, but now I am a bit puzzled… Any advice?

Hello Jabbit, look here;
https://www.grc.com/port_135.htm

I had already seen that page (and I am a bit depressed, because last time I scored a perfect stealth… but now I failed). I got a bit confused, and finally ended up blocking incoming connections from any address except my local network, TCP/UDP, from any port, to any address, with destination ports 135, 137, 138 and 139. And I hope that was the right thing to do…

Do you have a router?

No, I use a USB ADSL modem (PPPoE connection), and I use a crossover cable to connect to my mother’s computer, using the network devices. The printers are USB, so there is no need to use a hub or anything like that.

Since I reinstalled CFP, when I click on a link in an email in Mozilla Thunderbird, nothing happens; it should open the URL in a Firefox tab, but… :frowning:

Hmm, that’s odd! It works for me. Have you got the latest versions? And what happens if you open up Firefox and Thunderbird, and then click the email link? You could try going into your Computer Security Policy, deleting them and then turning D+ to training mode.

It happened before (before reinstalling), with a program named dmx.exe; it was supposed to open a browser window and load the index of the Apache server. I solved it by setting it as a trusted app… but I can’t find how to do that with Thunderbird; Defense+ “knows it”, so it didn’t ask anything… I will try with the predefined policies…

Ok, I deleted the computer policies, and Defense+ was already in training mode, and nothing happened… then I tried writing a link in MS Excel, I clicked on it, and got a message saying: “action blocked due to restrictions on your computer. Contact your sysadmin” (it was in Spanish, so I translated it to English).

  I don't know what the problem can be; yesterday night everything was working fine... and the only change I made was to reinstall CFP, this time with SafeSurf…

Comodo → Defence+ → Computer Security Policy → Find Thunderbird and delete its entries

Then run thunderbird again, you should get a pop-up

I did it, but I am still waiting for a pop-up… anyway, I found the problem, it was not CFP… or I think it wasn’t… after uninstalling the firewall, I ran CCleaner, and then I installed the new version. Now I added the removed entries back to the registry (fortunately I saved the removed entries), and now the links work again… after reading that a lot of people run CCleaner to keep their registry clean, I thought it was safe… and it seems I was wrong (I use it to clean files, but I never dared to use it with the registry… I think I won’t do it again).

Anyway, I still need to block IIS from receiving connections from inet… I’d like to be stealth again, except when I start Apache. Maybe I should have saved my firewall config, but I had a lot of rules, and I was not so careful when I made them, so I wanted a “fresh” config.

I think now I need MORE help… with the reinstallation and improper registry clean-up, my system became unstable, so I reinstalled Windows (backing up things = 1 hour, reinstalling from a Ghost image = 6 minutes 32 seconds). I installed CFP, and then the fun started… I had a lot of problems making my ICS (shared Internet connection) work… maybe I made some errors (like disabling the Windows firewall; I used to do that, without consequences, but now I noticed it seems to be linked to ICS… it’s weird). I also found CFP was blocking the client computer’s connection attempts, and I thought I had created a rule to avoid that problem… that is also new for me (I have been using CFP since last year, and it never caused any problem with that connection).

This is just a sample:

30-08-2008 6:40:12 C:\WINDOWS\system32\svchost.exe Blocked 192.168.0.49 1454 192.168.0.1 2869

I will attach the CFP config, extracted with the reporting script… I have the firewall’s log too, but I won’t attach it unless I am asked to do it, since I don’t know if it is polite to do that.

[attachment deleted by admin]

Looking at your config report, you have one of the more heavily used machines that I have encountered. :slight_smile:

A couple of things stand out in your CFP rules.

In your Global Rules, you have these two rules


[0] Allow            IP      Out    From  IP [192.0.0.1] To  Zone [Local Area Network #1]  Where Protocol Is Any
[1] Allow            IP      In     From  Zone [Local Area Network #1]  To  IP [192.0.0.1] Where Protocol Is Any

I think the 192.0.0.1 is some kind of typo error, as that is just a single IP address, and it isn’t on your LAN. The default zone rules usually have these as “any” or “Local Area network #1”. Very very rarely is it ever just a single IP address.

One thing that is missing, is a rule to allow Multicast traffic (IP range 224.0.0.0 thru 239.255.255.255). A lot of things will use multicast address for coordination (routers, UPnP, LAN management, etc), and will act strangely when multicast is blocked off. You would need to add a rule like this:

Allow IP In&Out from any to zone[multicast] where protocol is any

and zone[multicast] is the IP range 224.0.0.0 thru 239.255.255.255.

Your log entry of


30-08-2008 6:40:12     C:\WINDOWS\system32\svchost.exe     Blocked     192.168.0.49     1454     192.168.0.1     2869

is most likely a UPnP status packet. UPnP uses port 2869, among others.

With the number of active IP addresses shown in your CFP config report, have you checked your Windows routing setup (command prompt, and run “netstat -nr”) to see if the packets are going where they’re supposed to?

In reading back over the postings in this topic, I’m understanding your LAN structure to be something like this:

(DSL)------ modem ------ YourPC -----(x/o cable) ------- OtherPC

where YourPC is configured as a Windows ICS host, running IIS and a number of other services (apache, sql).
Do I have that correct?

Indeed, the idea was to define “Local Area Network #1” as any IP from 192.168.0.1 (my computer always has that one, since it is the Internet gateway) to 192.168.255.255 (the IP of my mother’s computer is dynamically assigned… once I tried to assign it a fixed IP, but for some reason it caused problems). I was sure I had set it that way, but I figure it is more likely I made a mistake, than to think CFP changed it… I corrected the zone definition now.

There was an error in the “Mi Hamachi” zone too… the idea was to allow IPs in the range 5.0.0.1 to 5.255.255.255, since I suppose only people in my Hamachi network can connect to my computer… and that network is password protected, and its name is not published, so if I don’t invite somebody, it is unlikely that somebody can connect by himself… I hope.

One thing that is missing, is a rule to allow Multicast traffic (IP range 224.0.0.0 thru 239.255.255.255). A lot of things will use multicast address for coordination (routers, UPnP, LAN management, etc), and will act strangely when multicast is blocked off. You would need to add a rule like this:

Allow IP In&Out from any to zone[multicast] where protocol is any

and zone[multicast] is the IP range 224.0.0.0 thru 239.255.255.255.

But… that range is an external range of IPs… would it be safe to allow anything in that range? I am not sure what multicast means :frowning:

Your log entry of

30-08-2008 6:40:12     C:\WINDOWS\system32\svchost.exe     Blocked     192.168.0.49     1454     192.168.0.1     2869

is most likely a UPnP status packet. UPnP uses port 2869, among others.

Yes, that was my mother’s computer trying to connect to my computer, and I didn’t know why it was blocked… the error in the Local Area Network #1 definition explains it… I hope it won’t happen again, since I redefined it the right way (or what I think is the right way)

With the number of active IP addresses shown in your CFP config report, have you checked your Windows routing setup (command prompt, and run "netstat -nr") to see if the packets are going where they're supposed to?

In reading back over the postings in this topic, I’m understanding your LAN structure to be something like this:

(DSL)------ modem ------ YourPC -----(x/o cable) ------- OtherPC

where YourPC is configured as a Windows ICS host, running IIS and a number of other services (apache, sql).
Do I have that correct?

Yes, but since I just reinstalled Windows, Apache and SQL Server Express are not installed yet… Anyway, of course, I try to activate these services just when I need them… that is the good thing about the XAMPP Apache distribution, it includes a lot of things (Apache, MySQL, FileZilla FTP server, etc…), but they just run when you need them… Unfortunately IIS is not that friendly. I use IIS for developing web things with Visual Studio (I am studying that this semester). SQL Server Express is for that, and also for my database classes this semester… with some luck I won’t need it again after December. Apache and MySQL are used to test (and fix things when something breaks) in a forum which I admin… well, I am one of the admins… the “unskilled troubleshooter”.

A strange thing I noticed is my USB ADSL modem used to have a 192.168.X.X IP (just like my mother’s computer), but now it has 169.254.110.174

Also, now I have a lot more entries when I run “ipconfig” at command prompt… I figure I enabled some windows services I didn’t have before…

Thanks for your help, I really apreciate it :-TU

Multicast is a special purpose broadcast address space. It’s defined as LAN-only traffic. It’s not something to worry about at the moment, but something to consider for a little later.

A strange thing I noticed is my USB ADSL modem used to have a 192.168.X.X IP (just like my mother's computer), but now it has 169.254.110.174

I’m slightly confused now. USB modems usually don’t have IP addresses. A modem is just an electrical signal translator, turning Ethernet packets into DSL waveforms and back again. Modems do often provide an internal web server for configuration, but the address is almost always a factory-set fixed address. What kind of modem do you have, make and model? There may be something in its configuration that needs to be changed.

The modem, according to the Device Manager, is a SpeedTouch™ USB ADSL RFC1483
I was told that, since SP2, WinXP asks USB modems to have an IP, and that causes some problems… for me, usually it means I must wait until Windows is not trying to refresh the modem’s IP, to be able to activate the Internet, otherwise the connection attempt fails. I don’t know if that is the intended behaviour, but it has been working that way for 2 years now… and I have seen forums talking about how to get around the problem…

Doing some google searches based on your description, it sounds like you have a Thomson ST330 (Thomson bought the Speedtouch product line from Alcatel a few years ago). The Thomson web page for the ST330 is here

From what I can find, the device driver is the key to making the modem work. It is very likely creating a network device that gives you the interface to whatever configuration settings it provides. An “ipconfig /all” would likely tell if that guess of mine is anywhere near right.

The RFC1483 is a reference to the Internet standard about network bridging. The context would imply that your modem is working as a network bridge, and not as a router. A check of the device driver properties may confirm that.

So long as it’s working, I wouldn’t want to change anything without very good reason.

Now that I’m getting a better understanding of what your setup is about, I’m going back over your CFP config report. I may have some changes for you tomorrow.

My first quick review shows you need to add a rule, so the ICS address assignments using DHCP can work.

This should be added to your Global Rules:

Action: Allow
Protocol: UDP # select from the pulldown list
Direction: In/Out
Source Address: any
Destination Address: single IP: 255.255.255.255
Source Port: any
Destination Port: a port range: start 67 end 68

Then move this new rule to the very first rule in the list of Global Rules.

This should let DHCP address assignment work properly, so the other machine gets a proper address, and I suspect your modem will also get a proper address.

I’ll probably have more tomorrow.

I’ve done a more complete review of your config report. There are a few things that need to be changed in your Application Rules.

Your report shows this ruleset for svchost.exe


Application 0: C:\WINDOWS\system32\svchost.exe Treat as: [Custom Policy]
----------------------------------------------------------------------------
[0] Allow            UDP     In     From  IP In [192.168.0.49/255.255.255.0] To  IP Any  Where Source Port Is Any And Destination Port Is Any
[1] Block & Log      TCP     In     From  IP Any  To  IP Any  Where Source Port Is Any And Destination Port Is Any

I’m going to propose this as a slightly different ruleset for svchost:


[0] Allow            UDP     In     From  IP Any To IP [255.255.255.255] where Source Port is [67-68] and Destination Port is [67-68]
[1] Allow            IP      Out    From  IP Any To Ip Any where protocol is any

svchost is the DHCP processor, so it has to be able to receive the DHCP requests that come in on IP 255.255.255.255. Otherwise, svchost should have only outbound traffic.

The ruleset for your System, which handles broadcast traffic and other such co-ordination traffic, had these rules:


Application 5: System Treat as: [Custom Policy]
----------------------------------------------------------------------------

[0] Allow            IP      Out    From  IP Any  To  Zone [Local Area Network #1]  Where Protocol Is Any
[1] Allow            IP      In     From  Zone [Local Area Network #1]  To  IP Any  Where Protocol Is Any

[2] Block & Log      IP      In     From  IP Any  To  IP Any  Where Protocol Is Any

[3] Allow            IP      Out    From  IP Any  To  Zone [Mi Hamachi]  Where Protocol Is Any
[4] Allow            IP      In     From  Zone [Mi Hamachi]  To  IP Any  Where Protocol Is Any

[5] Allow            IP      Out    From  IP Any  To  Zone [Red Doméstica]  Where Protocol Is Any
[6] Allow            IP      In     From  Zone [Red Doméstica]  To  IP Any  Where Protocol Is Any

[7] Allow            IP      Out    From  IP Any  To  IP Any  Where Protocol Is Any

I’m going to propose a slightly different set of rules for System:


[0] Allow            IP      Out    From  IP Any  To  Zone [Local Area Network #1]  Where Protocol Is Any
[1] Allow            IP      In     From  Zone [Local Area Network #1]  To  IP Any  Where Protocol Is Any

[2] Allow            IP      Out    From  IP Any  To  Zone [Mi Hamachi]  Where Protocol Is Any
[3] Allow            IP      In     From  Zone [Mi Hamachi]  To  IP Any  Where Protocol Is Any

[4] Allow            IP      Out    From  IP Any  To  Zone [Red Doméstica]  Where Protocol Is Any
[5] Allow            IP      In     From  Zone [Red Doméstica]  To  IP Any  Where Protocol Is Any

[6] Allow            IP      Out    From  IP Any  To  IP Any  where protocol is any

[7] Block & Log      IP      In     From  IP Any  To  IP Any  Where Protocol Is Any


As you can see, the difference is in the ordering, as rules are processed in sequence, first match wins. This moves the universal blocking rule to the very end, so that all the traffic in the network zones is allowed to pass.

I’ll have some Global Rules for you in a little bit.

And now for the Global Rules.

Your machine is running as an Internet facing ICS host, which gives you a different kind of rule structure from the usual Windows setup. You have to provide services and connections for another machine, while keeping that machine safe. You have to provide DHCP address assignments, provide Internet accessible services, and still have a usable machine. Not an easy combination.

I’ll start with the basic structure of rules for an ICS machine, and note places where other rules will be added later on. This will make it easier to understand what the rules are, and so make it easier to change them later, as needed.

This adds one network zone to your existing definitions: Multicast, defined as 224.0.0.0/240.0.0.0. It covers that special purpose LAN-only broadcast address space.

A reminder, that CFP processes Global Rules in sequence, first match wins.

Here’s the proposed ICS ruleset:


[0] Allow            UDP     In/Out From IP Any To  IP [255.255.255.255]  Where Source port is [67-68] and Destination port is [67-68]

[1] Allow            IP      In/Out From Zone [Local Area Network #1] To  Zone [Local Area Network #1] Where protocol is any
[2] Allow            IP      In/Out From Zone [Local Area Network #1] To  Zone [Multicast] where protocol is any

[3] Block        TCP Or UDP  In/Out From IP Any  To  IP Any  Where Source Port Is Any And Destination Port Is In [Problematicos]  

[4] Allow        TCP or UDP  Out    From Zone [Local Area Network #1] To IP Any where Source Port is any and Destination Port is any
[5] Allow           ICMP     Out    From Zone [Local Area Network #1] To IP Any where ICMPmessage is any
[6] Block            IP      Out    From Zone [Local Area Network #1] To IP Any where protocol is any

[7] Hamachi rules go here

[8] Allow           ICMP     In     From IP Any To IP Any where ICMPmessage is PortUnreachable
[9] Allow           ICMP     In     From IP Any To IP Any where ICMPmessage is HostUnreachable
[10] Allow          ICMP     In     From IP Any To IP Any where ICMPmessage is TimeExceeded
[11] Allow          ICMP     In     From IP Any To IP Any where ICMPmessage is FragmentationNeeded
[12] Allow          ICMP     In     From IP Any To IP Any where ICMPmessage is NetUnreachable

[13] inbound Internet accessible port rules go here

[14] Block&Log       IP      In     From IP Any to IP Any where protocol is any


Now, to explain what this proposed ruleset is trying to do:

The rule 0, is a DHCP rule. Because your machine is an ICS host, providing dynamic addresses, you’ve got to make sure that the address request packets get thru the rules. Putting this rule first does that.

Rules 1 and 2, allow your LAN (your machine, and the other machine) to talk to each other, using whatever protocols and addressing they need. And, by restricting to be ‘from your LAN’, the ruleset is tightened up considerably.

Rule 3, is the Netbios/Windows networking blocking rule. Only your LAN should have access to those Netbios ports.

Rules 4,5,6 allow your LAN to talk outbound to the Internet. Note that rule 6 is a blocking rule. There are a lot of other Internet protocols. This blocking rule makes sure than only the allowed TCP, UDP, and ICMP protocols are used.

Rules 8 thru 12, are allowing ICMP error messages to come in from the Internet. These may be coming to your machine, or to the other machine. CFP is limited in how it handles ICMP traffic, in that it doesn’t really have a selective ‘any’ on the ICMP types. So it is necessary to list them, one by one. These 5 rules cover the most common error conditions encountered on the Internet.

Rule 14, is the universal blocking rule. Anything not explicitly allowed is blocked here. You’ll need to watch your CFP log to find out if you need to change the rules.

Note that with this basic ruleset, you are ‘fully stealthed’ to the Internet. Your machine and the other machine on your LAN can get out to the Internet, but nothing from the Internet can contact any machine on your LAN.

Since this proposed basic ruleset doesn’t have any rules allowing Internet accessible servers, some additional rules are needed. I’ve marked the placeholder where the rules should go. In your earlier postings, you had an Apache server running on ports 6060 and 6080. Using that as an example, you would have these two rules:


[13.1] Allow      TCP        In     From IP Any To IP [192.168.0.1] where Source Port is any and Destination Port is 6060
[13.2] Allow      TCP        In     From IP Any To IP [192.168.0.1] where Source Port is any and Destination Port is 6080

Your ICS host machine IP address is always 192.168.0.1, and since that is where the Apache server is running (and nowhere else on your LAN), that is your rule destination address. The destination port is where the server is listening. The direction ‘In’ means that CFP is exposing this IP address and port to the Internet.

I don’t have any experience with Hamachi, so my attempt at workable rules may not be workable. But, here goes:


[7.1] Block        TCP       In     From IP Any to Zone [Mi Hamachi] where Source Port is any and Destination port is 6060
[7.2] Allow        IP        In/Out From Zone [Mi Hamachi] To Zone [Mi Hamachi] where protocol is any
[7.3] Block        IP        In/Out From Zone [Mi Hamachi] To IP Any where protocol is any
[7.4] Block        IP        In/Out From IP Any to Zone [Mi Hamachi] where protocol is any

I’m following the basic rule structure for VPN connections in these Hamachi rules. The intent is to keep Hamachi traffic within the Hamachi address space, and keep non-Hamachi traffic out. This will not keep Hamachi traffic from accessing your machine, as servers on your machine will attach themselves to your machine’s Hamachi address. If, for example, you don’t want your Apache web server accessible in the Hamachi address space, you will need to protect the port, per example of rule 7.1.

When you get all the details worked out, you’ll have a very extensive ruleset. ;D
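The two rule-ordering points made in the posts above (the svchost.exe application rules that explain the blocked UPnP packet in the log line, and the proposed ICS Global Rules with the Hamachi [7.x] and Apache [13.x] rules filled in at their placeholders) can be checked with a small first-match-wins evaluator. This is an added example, not Comodo’s code and not anything posted in the thread: it walks a rule list top to bottom and stops at the first match, the way CFP is described as doing, with the zones defined as the ranges the thread gives. The sample packets, the Internet address 203.0.113.7 and the Hamachi peer addresses 5.1.2.3 and 5.9.8.7 are constructed; the contents of the [Problematicos] port set are assumed to be the 135, 137, 138 and 139 listed earlier in the thread; ICMP message types are not modelled, so rules [8] to [12] are left out; and what CFP does with a packet that matches no rule is simply reported as “no match”.

```python
"""First-match-wins evaluator for CFP-style rules (added example, not Comodo code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY, LAN = "any", "Local Area Network #1"
ZONES = {  # network zones as the thread defines them (constructed from the posts)
    LAN: ip_network("192.168.0.0/16"),        # 192.168.0.1 - 192.168.255.255
    "Mi Hamachi": ip_network("5.0.0.0/8"),    # 5.0.0.1 - 5.255.255.255
    "Multicast": ip_network("224.0.0.0/4"),   # 224.0.0.0 - 239.255.255.255
}
PROBLEMATICOS = frozenset({135, 137, 138, 139})  # assumed contents of the [Problematicos] set
ANY_PORT = range(65536)

@dataclass(frozen=True)
class Packet:
    direction: str  # "In" or "Out", as seen from this machine
    proto: str      # "TCP", "UDP" or "ICMP"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0

@dataclass(frozen=True)
class Rule:
    action: str               # "Allow", "Block" or "Block&Log"
    proto: str                # "IP" (any protocol), "TCP", "UDP", "TCP/UDP" or "ICMP"
    direction: str            # "In", "Out" or "In/Out"
    src: str = ANY            # zone name, CIDR or dotted-netmask network, single IP, or ANY
    dst: str = ANY
    sport: object = ANY_PORT  # any container of ports: a range or a set
    dport: object = ANY_PORT

def addr_matches(selector, addr):
    if selector == ANY:
        return True
    net = ZONES[selector] if selector in ZONES else ip_network(selector, strict=False)
    return ip_address(addr) in net

def rule_matches(rule, pkt):
    if rule.direction != "In/Out" and rule.direction != pkt.direction:
        return False
    if rule.proto != "IP" and pkt.proto not in rule.proto.split("/"):
        return False
    if not (addr_matches(rule.src, pkt.src) and addr_matches(rule.dst, pkt.dst)):
        return False
    if pkt.proto == "ICMP":  # no ports; ICMP message types are not modelled here
        return True
    return pkt.sport in rule.sport and pkt.dport in rule.dport

def evaluate(rules, pkt):
    """Top to bottom, first match wins (CFP semantics); (None, 'no match') if nothing hits."""
    for i, rule in enumerate(rules):
        if rule_matches(rule, pkt):
            return i, rule.action
    return None, "no match"

# svchost.exe application rules from the config report: [0] is UDP-only, so the TCP UPnP
# packet in the log line falls through to [1], which is why it was blocked.
SVCHOST_ORIGINAL = [
    Rule("Allow", "UDP", "In", src="192.168.0.49/255.255.255.0"),
    Rule("Block&Log", "TCP", "In"),
]

# Proposed ICS Global Rules with [7.x] and [13.x] filled in; ICMP rules [8]-[12] left out.
ICS_GLOBAL = [
    Rule("Allow", "UDP", "In/Out", dst="255.255.255.255", sport=range(67, 69), dport=range(67, 69)),  # [0]
    Rule("Allow", "IP", "In/Out", src=LAN, dst=LAN),                    # [1]
    Rule("Allow", "IP", "In/Out", src=LAN, dst="Multicast"),             # [2]
    Rule("Block", "TCP/UDP", "In/Out", dport=PROBLEMATICOS),             # [3] NetBIOS ports
    Rule("Allow", "TCP/UDP", "Out", src=LAN),                            # [4]
    Rule("Allow", "ICMP", "Out", src=LAN),                               # [5]
    Rule("Block", "IP", "Out", src=LAN),                                 # [6]
    Rule("Block", "TCP", "In", dst="Mi Hamachi", dport={6060}),          # [7.1]
    Rule("Allow", "IP", "In/Out", src="Mi Hamachi", dst="Mi Hamachi"),  # [7.2]
    Rule("Block", "IP", "In/Out", src="Mi Hamachi"),                     # [7.3]
    Rule("Block", "IP", "In/Out", dst="Mi Hamachi"),                     # [7.4]
    Rule("Allow", "TCP", "In", dst="192.168.0.1", dport={6060}),         # [13.1]
    Rule("Allow", "TCP", "In", dst="192.168.0.1", dport={6080}),         # [13.2]
    Rule("Block&Log", "IP", "In"),                                       # [14]
]
# Same rules with the NetBIOS block moved above the LAN rule: LAN file sharing now breaks.
NETBIOS_FIRST = [ICS_GLOBAL[3]] + ICS_GLOBAL[:3] + ICS_GLOBAL[4:]

# Constructed sample packets; 203.0.113.7 stands in for an arbitrary Internet host.
SAMPLES = {
    "UPnP from the other PC": Packet("In", "TCP", "192.168.0.49", "192.168.0.1", 1454, 2869),
    "DHCP request": Packet("In", "UDP", "0.0.0.0", "255.255.255.255", 68, 67),
    "LAN NetBIOS": Packet("In", "TCP", "192.168.0.49", "192.168.0.1", 1025, 139),
    "Internet NetBIOS": Packet("In", "TCP", "203.0.113.7", "192.168.0.1", 40000, 139),
    "Internet to Apache": Packet("In", "TCP", "203.0.113.7", "192.168.0.1", 40001, 6060),
    "Internet to MySQL": Packet("In", "TCP", "203.0.113.7", "192.168.0.1", 40002, 3306),
    "Hamachi peer to Apache": Packet("In", "TCP", "5.1.2.3", "5.9.8.7", 5000, 6060),
}

if __name__ == "__main__":
    print("svchost rules, UPnP packet:", evaluate(SVCHOST_ORIGINAL, SAMPLES["UPnP from the other PC"]))
    for name, pkt in SAMPLES.items():
        print(f"{name:24s} -> {evaluate(ICS_GLOBAL, pkt)}")
    print("NetBIOS block first, LAN NetBIOS:", evaluate(NETBIOS_FIRST, SAMPLES["LAN NetBIOS"]))
```

Running the script shows the logged UPnP packet stopping at svchost rule [1] (it is TCP, and [0] only allows UDP), the DHCP broadcast being caught by Global Rule [0] before anything else, NetBIOS from the LAN passing under [1] while the same port from the Internet stops at [3], Apache on 6060 reaching 192.168.0.1 through [13.1] while an unlisted port such as 3306 falls through to the final Block&Log, and a Hamachi peer reaching Apache being refused by [7.1]. Moving rule [3] above rule [1] makes the LAN NetBIOS packet stop at the block, which is the ordering point the posts above make: the LAN-to-LAN allow must sit above the NetBIOS block, and the catch-all block must sit last.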

Thanks for your help, I used to “make rules” without really knowing what I was doing… it used to work, but it is a really bad policy to follow, if we intend to keep things secure.

I implemented most of the rules you have designed for me, except for Hamachi, since I managed it from Application Rules, instead of Global Rules. And I am thinking… what if I manage Apache ports from Application Rules? Would the allowed ports open just when Apache is running, and closed when it is not running?

Sorry for not having replied before, I saw your post, but I didn’t have time to answer or implement the rules, until now.

Implementing the rules consumed some time; I don’t dare to think how much time you needed to make them, but I thank you again for your very valuable help :wink:

By the way, I have a question… in the rules you wrote for me, when you write Zone [Local Area Network #1], do you refer to it as I tried to define it (a range of IPs, from 192.168.0.1 to 192.168.255.255), or as CFP defines it (overwriting it each time I change it) as an IP Address Mask: 192.168.0.1/255.255.255.0)?