Large Rulesets cause unpredictable result [I16]

A. THE BUG/ISSUE (Varies from issue to issue)
  • Summary: CFW7.0, Large Ruleset causes unpredictable result

  • Can U reproduce the problem & if so how reliably?:
    Occasional
  • If U can, exact steps to reproduce. If not, exactly what U did & what happened:
    1: Set up CFW on a web server machine. In this way CFW acts as the firewall against attacks or unwanted accesses to HTTPD/FTPD/CGI programs which run on this machine.
    2: The errors experienced may be specific to my configuration, in which I set 16 network zones, each zone with about 20-40 address ranges, making a total of 480-500 address or address range entries. In Rulesets, I added one new rulename. In this rule I added the above-mentioned 16 zones as actions of block and log, or allow (mostly block). In application rules, I applied this rule to web server programs.
    3: Thus, to replicate this it is probably best to import my config, which I will attach to this post. Note that loading the cfgx will not recreate the problem immediately. It happens after editing configs and/or exporting operations several times. When it happens, it remains persistent.
    4: The results are somewhat variable, but the occasional errors seem to come from the same source, which may be corruption due to the large size of the ruleset. Problems happen after, for example, editing network zones, rulesets, application rules, and/or exporting, several times. When it happens, it remains persistent.
    In one case, the log was not created (when the ruleset exceeded about 470 or so range entries). This “no log created” situation continued even if older sets with fewer range entries were imported. However, these used to work correctly. This was solved by uninstalling CFW, cleaning up the registry, and reinstalling.
    5: In other cases it became impossible for any incoming connections to make it to the computer. Again, the way to solve this was to uninstall CFW, clean up the registry, and reinstall.
    6: In other cases the list of 16 network zone definitions was somehow erased. Sometimes only part of the zones were erased and sometimes they were gone entirely. This wipe-out situation could be recovered by importing an older set. Reinstalling was not necessary.
  • If not obvious, what U expected to happen:
    The firewall should be able to correctly handle these rules, regardless of how many zones and ranges there are. Even if a ruleset gets very large there should not be any corruption, assuming that is what is causing this.
  • If a software compatibility problem have U tried the conflict FAQ?:
    NA
  • Any software except CIS/OS involved? If so - name, & exact version:
    NA
  • Any other information, eg your guess at the cause, how U tried to fix it etc:
    CIS 5.12 did not have this problem.
    My guess is that this may be a buffer overflow problem.
    The problem seems to start when the ruleset starts containing around 470 addresses.
    This happens on two independent machines, that means, this is not a hardware problem.

B. YOUR SETUP
  • Exact CIS version & configuration:
    CFW 7.0.317799.4142

  • Modules enabled & level. D+/HIPS, Autosandbox/BBlocker, Firewall, & AV:
    Default
  • Have U made any other changes to the default config? (egs here.):
    Yes. I will attach my exported config.
  • Have U updated (without uninstall) from CIS 5 or CIS6?:
    No, I uninstalled CIS 5.12 then installed 7.0.
  • If so, have U tried a clean reinstall - if not please do?:
    I cleaned registry before installation.
  • Have U imported a config from a previous version of CIS:
    Yes, but it failed as in the above problem.
  • If so, have U tried a standard config - if not please do:
    Yes I did. It worked while the ruleset size was under 470 or so. But the problem took place when it exceeded 500 or so.
  • OS version, SP, 32/64 bit, UAC setting, account type, V.Machine used:
    Win XP 32bit, SP3 + latest patches. Account is a member of admin. VM not used.
  • Other security/s’box software a) currently installed b) installed since OS, including initial trial security software included with system:
    a=(no other security software installed) b=none

[attachment deleted by admin]

Thank you for reporting this issue. Please edit your first post so that it is in the format provided in this post.

Also, please export your current configuration and attach it to your first post.

Let me know if you have any questions.

Thanks.

Understand. Tried it, but, I am withdrawing this topic for a while since I am not familiar with
" [/li]
[/li]- [b] ? [li][b] "
type of writing. Will come back when I will be able to write.
Thanks for notification anyway. Tak

I understand the confusion. I have done my best to take your information and put what I could in the correct format. Please look over the first post and make sure that what is currently there is correct. Then, please replace the remaining question marks with your responses. We can continue from there.

Let me know if you have any questions.

Thanks.

Thanks Chiron, I edited the first post.
regards
Tak

Thank you for the additional information. Now I have a few questions.

What do you mean when you say that you are using Comodo Firewall as a Web Server? How is this setup?

Also, please attach your configuration as a cfgx file to the first post. If it does not allow it to be attached please put it in a zip file and then attach it.
Also, please create a diagnostics report and attach it to your first post.

Let me know if you have any questions.

Thanks.

Attached the zipped cfgx. I thought I had attached it, but it disappeared there, even though the modify screen does show that it is attached. ??? Strange.

I meant “on a web server machine”, not “as a server program”. CFW acts as the firewall against attacks or unwanted accesses to HTTPD/FTPD/CGI programs which run on the machine.

As to the diagnostic report, I must recreate the environment again on the server to gather it. Please allow me some time.
Tak

Thank you. I have made major modifications to the first post. Please look over it very closely and let me know if I have adequately described the issue you are experiencing.

Also, as for the cfgx file, I again downloaded the zip file. Inside is a txt file, not a cfgx file. When you download it do you see a txt file on your computer?

Thanks.

Very sorry, uploaded the zip file with cfgx in it. (My error. cfgx was once rejected, so made it as txt.)
Note that just loading the cfgx will not immediately recreate the problem. It is intermittent, and I am still not sure the way to recreate. Problem happens after, for example, editing network zones, rulesets, application rules, and/or exporting, several times. When it happens, it remains persistent.
(monologue: Does editing the config make the required memory space expand?)

Question: How can I create a diagnostic report?
Tak

The diagnostic report can be created by opening the main GUI. Then click on the question mark icon. Under this select Support and then Diagnostics. This will run the diagnostics and give you the option to save them. Saving will automatically put it in a zip file, which you can then upload to the first post.

Let me know if you have any questions.

Thanks.

Have you been able to create the diagnostics report yet?

Thanks.

Sorry, not yet. Failing to recreate.
My newly made environment refuses to make it happen. Still trying.
Tak

No problem. If you are not able to recreate this within 2 days I will temporarily move this bug report to the Incomplete Issue Reports section. Then, once you can replicate this and attach the diagnostics report, I can move it back for further processing.

Thanks.

OK. Fair.

Okay, as you have not been able to replicate the environment I will now move this to the Incomplete Issue Reports board.

Topics in this board are not looked at by the devs. The reason is that putting bug reports in the required format, with the required files, ensures that the devs have enough information to understand and identify the bug.

To get your report forwarded to the devs please recreate the environment and attach the diagnostics report to your first post. Then let me know.

If you have any questions please do not hesitate to ask.

Thank you.

Can you please check and see if this is fixed with the newest version (8.0.0.4337)? Please respond to this topic letting us know whether it is fixed or if you are still experiencing the problem.

Also, note that all bug reports in the Non-Format section of the forum, which is where this report currently is, are mainly not looked at by the devs. Thus, if the bug you were experiencing is still not fixed please edit your first post so that it is in the correct format (found here, with all required attachments), so I can forward this to the devs and get this problem fixed.

Thank you.