Newbie here pls be kind.
I am having difficulty getting logs for blocked IPs.
I run a web server at home. COMODO firewall is used in this box. The box is dedicated as a server, and makes no outgoing accesses except windows update.
I moved from ZA to COMODO 5.9.221 about a month ago and assigned blocking for IP ranges that show malicious activity. I specified about 50 ranges. It seems to be working, as accesses from them have stopped.
Now, I cannot see logs for those IPs. I want to confirm that I am blocking right ranges.
Settings follow:
1. Under /firewall/network security policy/network zones/, I added several zones and assigned IP ranges under each zone.
2. Under /blocked zones/, I added the network zones specified in 1.
3. Under /predefined policies/, I added a name "Web server", and added the zones defined in 1 under /use a custom policy/ with "log as a firewall event" checked. Blocked TCP or UDP, inbound, source type is network zone.
4. At the last lines of the /use custom policy/, I added "allow TCP/UDP from any MAC to any MAC" and "allow IP in/out from any MAC to any MAC".
5. Under /application rules/, there are three web service programs: FTPD, HTTPD and a CGI.
6. I assigned "Web server" as the predefined policy for each of the three programs.
7. In /Firewall/Firewall behavior settings/alert settings/, I moved the slider to "very high" and unchecked "UDP request". The reason for unchecking UDP is log flooding from my other PC on the same network. TCP is checked.
There may be redundant assignments in the above process, but it must be working.
I had 5 to 20 blocked IPs a day when I was using ZA. But none appears in the /firewall/view firewall events/ list.
Tried it. The situation changed, but it is very difficult to explain. Anyway, I will try.
1. I blocked all IP In/Out, at the last line of Global Rules, for five minutes.
2. All accesses from outside stopped. I confirmed this with my smartphone.
3. A log appeared as application "Windows Operating system" is blocked. Some other outside IPs appeared as blocked. So access from outside really stopped. Note that the log is not for HTTPD as the application.
Strange thing follows:
4. Blockings of "Windows Operating system" had been recorded before this trial, say, three times a day. They are from outside IPs. (I have more than 300 page views a day.)
5. Those blocked IPs are not in the specified blocking IP ranges, which means they must not be blocked.
6. Moreover, the HTTPD log indicates that those accesses (exact time and IP) to HTTPD were successfully completed. So I assumed that they are not serious problems.
I should have said to make the rule block and log for all IP inbound. Sorry about that.
> 3. A log appeared as application "Windows Operating system" is blocked. Some other outside IPs appeared as blocked. So access from outside really stopped. Note that the log is not for HTTPD as the application.
When CIS does not see a program listening for, for example, unsolicited incoming traffic, or when a block rule is there, it will log it as blocked by Windows Operating System (WOS).
When the logs state blocked by WOS it means no program was listening or a block rule was executed.
Incoming traffic first goes through Global Rules and then through Application Rules. For outgoing traffic it is the reverse order. I hope this helps to give a better understanding.
OK, I narrowed down the problem area. The procedure to recreate the problem follows.
Assume that my smartphone IP on 3G network is 11.22.33.44.
1. Go to /Firewall/NetworkSecurityPolicy/NetworkZones/. Add a new zone named "Smartphone", with "public network" checked. Under "Smartphone", add a new address range. Type is IPv4 address range, start 11.22.0.0, end 11.22.255.255. Hit Apply, hit OK.
2. Under /PredefinedPolicies/, add a new name "WebServer", select "UseCustomPolicy", add a rule with action block, log checked, protocol TCP or UDP, direction In/Out, source address is "Network Zone" (this is important), select the zone "Smartphone". Add a rule to allow any access of IP in/out from any MAC to any MAC, below the Smartphone rule. Hit Apply, hit Apply, hit OK.
3. Under /ApplicationRules/, find the web service software, say HTTPD. Select it, hit Edit. Select "UsePredefinedPolicy", specify "WebServer".
4. Now, try accessing the web server from the smartphone. The access is blocked but NO LOG IS RECORDED. This is the problem.
Then,
5. In the predefined rule of WebServer, remove the Smartphone rule.
6. Add one rule of block, log, TCP/UDP, IN/OUT, source address of range 11.22.0.0 - 11.22.255.255. Move this rule up above the "Allow any access" green icon. Hit Apply, hit Apply, hit OK.
7. Now try accessing the web server. The access is blocked and the LOG IS RECORDED.
So, I think the problem resides in the predefined policy assignment. When the type is Network Zones, the log is not recorded. It seems to be a bug.
Unfortunately, I have so many IP ranges to block that I want to use the "Network Zone" type here.
When working with rules for incoming and outgoing traffic for an application it is best to make two separate rules; one for the incoming traffic and one for the outgoing traffic.
Thanks, Eric,
But it did not make any change. This is probably because the box does not make any outbound requests, with few exceptions. Anyway, I have changed IN/OUT to IN only.
I have finally resolved the problem by myself. I removed the list in "Blocked Zones". All entries were removed. Logs came up after this.
I am not sure about the priority between "Blocked Zones" and "Predefined Policy" + "Application Rules", but this removal resolved the problem.
A question still remains, but I will not chase it, which is "Why did logs not appear when 'Blocked Zones' blocked inbound access?"
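One way to do the check Tak wanted at the start of the thread (confirming that the right ranges are being blocked) without relying on the firewall log: the script below is an added example, not code from the thread or from Comodo. It converts Comodo-style start/end address ranges into networks and flags any HTTPD access-log line whose client IP falls inside a blocked zone, since a completed request from such an IP means the block did not take effect. The zone names, ranges and log lines are constructed for the example.

```python
import ipaddress
import re

# Constructed stand-ins for the zones described in the thread. Comodo
# "IPv4 address range" entries are start/end pairs, not CIDR blocks.
# These are placeholder values, not the poster's real ranges.
BLOCKED_ZONES = {
    "Smartphone": [("11.22.0.0", "11.22.255.255")],
    "ScannerRange": [("203.0.113.0", "203.0.113.255")],
}

# Constructed common-log-format lines as an HTTPD access log would show.
ACCESS_LOG = """\
11.22.33.44 - - [10/Jan/2012:10:15:02 +0900] "GET /index.html HTTP/1.1" 200 512
198.51.100.7 - - [10/Jan/2012:10:16:11 +0900] "GET /cgi-bin/test.cgi HTTP/1.1" 200 88
203.0.113.45 - - [10/Jan/2012:10:17:30 +0900] "GET /admin HTTP/1.1" 404 0
"""

LOG_IP = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s")


def zone_networks(zones):
    """Expand each zone's start/end ranges into a list of CIDR networks."""
    nets = {}
    for name, ranges in zones.items():
        nets[name] = []
        for start, end in ranges:
            nets[name].extend(ipaddress.summarize_address_range(
                ipaddress.ip_address(start), ipaddress.ip_address(end)))
    return nets


def matching_zone(ip, nets):
    """Return the name of the zone containing ip, or None if unlisted."""
    addr = ipaddress.ip_address(ip)
    for name, networks in nets.items():
        if any(addr in n for n in networks):
            return name
    return None


def leaked_requests(log_text, zones):
    """Return (ip, zone) for every log line whose client IP is inside a
    zone that should have been blocked at the firewall."""
    nets = zone_networks(zones)
    hits = []
    for line in log_text.splitlines():
        m = LOG_IP.match(line)
        if m and (zone := matching_zone(m.group(1), nets)):
            hits.append((m.group(1), zone))
    return hits


if __name__ == "__main__":
    for ip, zone in leaked_requests(ACCESS_LOG, BLOCKED_ZONES):
        print(f"{ip} reached HTTPD but is in blocked zone {zone!r}")
```

An empty result from a real access log covering a day means no request from a listed range was served, which is the confirmation the firewall log was supposed to give.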