Need help setting rules for Win7 Homegroup and weird log behavior

Hi,

I’ve been using Comodo on different computers since before it was part of CIS (version 2.x or 3.x I think).
Back then I had found a post (from soyabeaner if my memory serves me right) with detailed instructions on how to set up Comodo to block incoming internet traffic and safely allow LAN communication.
It also incorporated pandlouk’s uTorrent guide.
Anyway, all that to say that I’ve been using those settings since then without a problem.

That was until recently, when I installed CIS on a new Win7 Home Premium HTPC and tried to set up Homegroup.

I have two other computers (a PC and a laptop) on my network connected to a router.
Both are running Win7 Home Premium but I never took the time to set up the Homegroup before I got the HTPC.

Here are my firewall settings:

Ports
=========
HTTP Ports
+ 80
+ 443
+ 8080

POP3/SMTP Ports
+ 110
+ 25
+ 143
+ 993
+ 995
+ 465
+ 587

Privileged Ports
+ In [0 - 1023]

Unprivileged Ports
+ In [1025 - 65535]

Netbios & DCOM
+ In [135 - 139]
+ 445

Incoming TCP
+ 42319

Incoming UDP
+ 42319

Network Zone
==============
Loopback Zone
IP in [127.0.0.1 / 255.0.0.0]

Local Area Network
IP in [192.168.1.0 / 255.255.255.0]

Special & Local Multicast
IP in [224.0.0.0 - 224.0.0.255]
IP in [239.0.0.0 - 239.255.255.255]
IP 0.0.0.0
IP 255.255.255.255

Predefined Firewall Policies
=============================
LAN
Allow UDP In From IN [Local Area Network] To In [Special & Multicast] Where Source Port Is Any And Destination Port Is Any
Allow UDP OUT From IN [Local Area Network] To In [Special & Multicast] Where Source Port Is Any And Destination Port Is Any
Allow IP In From In [Local Area Network] To In [Local Area Network] Where Protocol is Any
Allow IP OUT From In [Local Area Network] To In [Local Area Network] Where Protocol is Any
Block And Log IP In/Out From MAC Any To MAC Any Where Protocol Is Any (Block and Log All Unmatching Requests)

LAN & Outgoing
Allow UDP In From IN [Local Area Network] To In [Special & Multicast] Where Source Port Is Any And Destination Port Is Any
Allow IP In From In [Local Area Network] To In [Local Area Network] Where Protocol is Any
Allow IP OUT From MAC Any To MAC Any Where Protocol is Any
Block And Log IP In/Out From MAC Any To MAC Any Where Protocol Is Any (Block and Log All Unmatching Requests)

uTorrent
Allow TCP OR UDP In From MAC Any To MAC Any Where Source Port Is In [Unprivileged Ports] And Destination Port Is 42319 (Rule for incoming TCP and UDP connections)
Allow TCP OR UDP Out From MAC Any To MAC Any Where Source Port Is In [Unprivileged Ports] And Destination Port Is In [Unprivileged Ports] (Rule for outgoing TCP and UDP connections)
Allow And Log TCP Out From MAC Any to MAC Any Where Source Port Is In [Unprivileged Ports] And Destination Port Is In [HTTP Ports] (Rule for HTTP requests)
Block And Log IP In/Out From MAC Any To MAC Any Where Protocol Is Any (Block and Log All Unmatching Requests)

Global Rules
========================
Allow And Log UDP In From In[Local Area Network] To In [Special & Multicast] Where Source Port Is Any And Destination Port Is Any
Allow And Log UDP Out From In [Local Area Network] To In [Special & Multicast] Where Source Port Is Any And Destination Port Is Any
Allow IP In From In [Local Area Network] To In [Local Area Network] Where Protocol Is Any
Allow And Log TCP OR UDP Out From In [Local Area Network] To In [Local Area Network] Where Source Port Is In [Netbios & DCOM] And Destination Port is Any
Block And Log TCP OR UDP Out From MAC Any To MAC Any Where Source Port Is In [Netbios & DCOM] And Destination Port is Any
Allow And Log TCP OR UDP Out From MAC Any To MAC Any Where Source Port Is In [Privileged Ports] And Destination Port is Any
Allow TCP Or UDP Out From MAC Any To MAC Any Where Source Port Is Not In [Privileged Ports] And Destination Port Is Any
Allow UDP In From MAC Any To MAC Any Where Source Port Is Any And Destination Port is In [Incoming UDP]
Allow TCP In From MAC Any To MAC Any Where Source Port Is Any And Destination Port is In [Incoming TCP]
Allow ICMP Out From MAC Any To MAC Any Where ICMP Message is ECHO REQUEST
Allow ICMP IN From MAC Any To MAC Any Where ICMP Message is ECHO REPLY
Allow ICMP IN From MAC Any To MAC Any Where ICMP Message is TIME EXCEEDED
Allow ICMP IN From MAC Any To MAC Any Where ICMP Message is PORT UNREACHABLE
Allow ICMP IN From MAC Any To MAC Any Where ICMP Message is FRAGMENTATION NEEDED
Allow IP Out From MAC Any To MAC Any Where Protocol Is 47 (GRE)
Block And Log IP In/Out From MAC Any To MAC Any Where Protocol Is Any

Application Rules
========================
Comodo Internet Security        = Outgoing Only
Windows Updater Applications    = Outgoing Only
C:\Windows\System32\svchost.exe = LAN & Outgoing
System                          = LAN & Outgoing
Windows System Applications     = Outgoing Only

Now my questions / problems:

  1. I have created a Homegroup on my main PC, all the computers can see each other and connect to each other (through explorer) but the HTPC and the laptop are unable to join the Homegroup.
    I realise the problem is probably because Comodo is blocking almost all the IPv6 traffic which I think Homegroup is using to do its thing.
    Is it because IPv6 traffic gets blocked?
    If yes, what rules should I define?
    If not, what’s blocking the Homegroup?
    Also, my computers only have link local IPv6 addresses for now (fe80::/10) but my ISP is offering /60 prefixes and I’m planning to activate it once everything is stable.
    How can I configure Comodo to properly filter IPv6 traffic once activated?

  2. I noticed a weird behavior with the firewall log.
    It seems like not every connection that complies with an “And Log” rule gets logged as it should.
    For example, for two similar connections

  • A: svchost.exe [1184] UDP OUT 192.168.1.105:49970 - 239.255.255.250:3702
  • B: svchost.exe [2816] UDP OUT 192.168.1.105:51335 - 239.255.255.250:1900

Only connection A appears in the log although, if I’m not mistaken, both should trigger Global rule #2.
Is this normal?

  3. Do you think my sets of rules are secure or should I restrict more on the multicast IP range and ports?
    Am I over-doing it with the rules just to be able to provide logs on the multicast and NetBios traffic?
    Maybe I should trust my LAN more?

Thanks in advance for your help
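To make the question about connections A and B concrete, here is a small model of the Global Rules listed above as an ordered first-match list. It is an added example, not Comodo’s engine and not part of the original post; it assumes Comodo evaluates global rules top-to-bottom with the first match winning, uses the zones and port sets the post defines, and omits GR10 to GR15 (ICMP message types and GRE) since none of them matches the packets tested here. Besides A and B it evaluates a few constructed probes covering the NetBIOS, incoming-port and ping goals of the rule set.

```python
import ipaddress

# Added model, not Comodo's engine: the Global Rules of the first post, evaluated
# top-to-bottom with first match winning. ICMP message-type rules (GR10-14) and the
# GRE rule (GR15) are omitted since none of them matches the packets tested here.
LAN = ipaddress.ip_network("192.168.1.0/24")
MULTICAST = (ipaddress.ip_network("224.0.0.0/24"), ipaddress.ip_network("239.0.0.0/8"))
NETBIOS_DCOM = set(range(135, 140)) | {445}
PRIVILEGED = set(range(0, 1024))
INCOMING_TCP = INCOMING_UDP = {42319}

def any_(_):
    return True

def lan(ip):
    return ipaddress.ip_address(ip) in LAN

def mcast(ip):  # the post's "Special & Local Multicast" zone
    return ip in ("0.0.0.0", "255.255.255.255") or any(ipaddress.ip_address(ip) in n for n in MULTICAST)

# (label, action, log, protocols or None for "IP Any", direction, src, dst, sport, dport)
GLOBAL_RULES = [
    ("GR1", "allow", True, {"udp"}, "in", lan, mcast, any_, any_),
    ("GR2", "allow", True, {"udp"}, "out", lan, mcast, any_, any_),
    ("GR3", "allow", False, None, "in", lan, lan, any_, any_),
    ("GR4", "allow", True, {"tcp", "udp"}, "out", lan, lan, NETBIOS_DCOM.__contains__, any_),
    ("GR5", "block", True, {"tcp", "udp"}, "out", any_, any_, NETBIOS_DCOM.__contains__, any_),
    ("GR6", "allow", True, {"tcp", "udp"}, "out", any_, any_, PRIVILEGED.__contains__, any_),
    ("GR7", "allow", False, {"tcp", "udp"}, "out", any_, any_, lambda p: p not in PRIVILEGED, any_),
    ("GR8", "allow", False, {"udp"}, "in", any_, any_, any_, INCOMING_UDP.__contains__),
    ("GR9", "allow", False, {"tcp"}, "in", any_, any_, any_, INCOMING_TCP.__contains__),
    ("GR16", "block", True, None, "in/out", any_, any_, any_, any_),
]

def evaluate(proto, direction, src, sport, dst, dport, rules=GLOBAL_RULES):
    """Return (rule label, action, logged) for the first rule that matches the packet."""
    for label, action, log, protos, d, sp, dp, spp, dpp in rules:
        if protos is not None and proto not in protos:
            continue
        if d != "in/out" and d != direction:
            continue
        if sp(src) and dp(dst) and spp(sport) and dpp(dport):
            return label, action, log
    raise AssertionError("unreachable: GR16 is a catch-all")

# Connections A and B from the post, plus constructed ping probes (ICMP has no ports).
CONN_A = ("udp", "out", "192.168.1.105", 49970, "239.255.255.250", 3702)
CONN_B = ("udp", "out", "192.168.1.105", 51335, "239.255.255.250", 1900)
PING_FROM_LAN = ("icmp", "in", "192.168.1.20", None, "192.168.1.105", None)
PING_FROM_WAN = ("icmp", "in", "203.0.113.5", None, "192.168.1.105", None)
```

Under first-match semantics both A and B land on GR2 with logging on, so the missing log entry for B is not explained by rule order; the WAN ping probe falls through to the GR16 catch-all while the LAN ping is allowed by GR3, which is the “pingable only by the LAN” goal.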

A few things before getting started on this. First, Homegroups have IPv6 as a prerequisite, so you need to ensure the stack is enabled on each homegroup participant. A link local address is fine for this purpose.

I’d suggest reading through HomeGroup and Firewall Interaction as a starting point. Although it pertains to the Windows 7 firewall, the requirements set-out within, are also applicable to third-party firewalls.

As far as your existing rules are concerned, I’m afraid I find them a little confusing, as it’s difficult to ascertain which processes they’ve been applied to. For example, you also appear to have application rules for the system process (LAN and Outgoing) and another rule for Windows System Applications (Outgoing Only), which by default contains the system process. Likewise svchost.

Also, your global rules are a little confused. You seem to be mixing allow and block rules in a slightly random hierarchy and placing blocks better suited to application rules (NetBIOS) within this hierarchy.

On the subject of IPv6, CIS does have support, but it seems to still be a ‘work in progress’. However, by checking the box to enable IPv6 filtering, found in the Firewall Behaviour tab, we have a starting point. Also, if you’re behind a router, that will change the way the assigned block from your ISP will be deployed.

With regard to the log not capturing the upnp rule, do you have any upnp devices on your LAN? It should fire if everything is configured correctly. See image.

On a final note regarding homegroups, the easiest way to make sure the participants can communicate is by allowing the system process and svchost.exe full communication between each node. This could be achieved by applying a ‘LAN network zone’ rule pair to each service. This would allow all IP traffic in and out. In addition, you will need to allow traffic over ICMPv6 between each node, IPv6 traffic out on port 3587, and wmpnetwk.exe (media services) needs outbound on IPv6 and IPv4 on port 2869 (SSDP). Depending on other media services you may choose to use, other rules may be necessary.

My advice, when creating your LAN Network Zone, in addition to adding the ipv4 block, also add the ipv6 and link local blocks.

I hope this helps getting you started. Let me know if I can be of further help.

[attachment deleted by admin]

Radaghast, thank you very much for your reply and that great source of info about Homegroup.
You just confirmed what I suspected about Homegroup using IPv6 to do its thing.

Also thank you for your input about my current rules, although I’m a bit surprised that you find them confusing.
I guess I’ve been using them for so long that I see logic and clarity where there’s only randomness and confusion for others!

Let me try to explain in more details the purpose of the rules and the result I’m trying to accomplish.
Maybe you can then confirm if what I’m doing is right or point where my assumptions are flawed.

While going over the rules, keep in mind that I prefer to rely on more global rules than on application rules because I trust CIS blocking unwanted traffic a lot more than my ability (or that of anyone using the computer) to systematically answer every security popup correctly (which often happen in an untimely fashion).

So here I’ll list my goals and point to the rules that I think accomplish them.

  1. I want to authorize LAN traffic in and out while also logging NetBios and multicast communication.
    Global Rule (GR) 1, 2, 3, 4, 6 and 7

  2. I want to block outgoing NetBios traffic to the outside world.
    GR 5

  3. I want to allow outgoing traffic (LAN and Internet) but log the packets using unprivileged ports.
    GR 6 and 7

  4. I want to allow incoming TCP and UDP traffic from the internet only on the ports I authorize.
    GR 8 and 9

  5. I want to be able to ping the LAN and outside world but only be “pingable” by the LAN.
    GR 10, 11, 12, 13 and 14

  6. I want to be able to connect to a VPN.
    GR 15

  7. I want to block and log everything else.
    GR 16

Regarding my application rules

  1. I want to let svchost.exe and system accept incoming traffic from the LAN only and authorize any outgoing traffic. That’s why I set them as [LAN & Outgoing] and leave WOS so the rest of the associated applications are defined as [Outgoing Only].
    That is if the order of the application rules applies like in the global rules (top to bottom).

Now I realize that I don’t need to split the incoming LAN traffic into the multicast and regular rules but I had the log setup at that level at one point in my testing and forgot to simplify them once I moved the log at the global rules level.

They could be simplified to this:

LAN
Allow IP In From In [Local Area Network] To MAC ANY Where Protocol is Any
Allow IP OUT From MAC ANY To In [Local Area Network] Where Protocol is Any
Allow UDP OUT From MAC ANY To In [Special & Multicast] Where Source Port Is Any And Destination Port Is Any
Block And Log IP In/Out From MAC Any To MAC Any Where Protocol Is Any (Block and Log All Unmatching Requests)

LAN & Outgoing
Allow IP In From In [Local Area Network] To MAC ANY Where Protocol is Any
Allow IP OUT From MAC Any To MAC Any Where Protocol is Any
Block And Log IP In/Out From MAC Any To MAC Any Where Protocol Is Any (Block and Log All Unmatching Requests)

I hope it’s now a bit less confusing.

Regarding the log problem I mentioned.

I think my router is a upnp device but I don’t understand how it can be causing the issue I have.
For 2 similar connections (differing only in the port numbers) appearing in the View Active Connections only 1 gets logged.
That’s what I can’t understand.
Maybe you can spot something that I missed.

Once again thank you in advance for your help.

If I understand correctly, you’ve broken the rules down the way you have, primarily so you can capture log information, but I guess you don’t trust traffic that originates on your LAN?

Using Global rules to control the flow of traffic is fine, providing you understand that doing so, gives you no control over which application/process will make use of the rule.

I’m still a bit confused by your application rules. You have:

System = LAN & Outgoing
Windows System Applications = Outgoing Only

In LAN and Outgoing you have:

Allow IP OUT From MAC Any To MAC Any Where Protocol is Any

But the Windows System Applications group already allows this, likewise for svchost and other system processes. (Personally, I always delete all the default rules, they’re far too liberal.)

With regard to the upnp log entry, if you have SSDP and upnp services enabled and running, then if the rule is fired, it should log. Do you use upnp to forward the uTorrent ports in your router or do you do it manually?

You are correct, it’s for the log information but not so much because I don’t trust my network but because I’m trying to understand what’s going on.
Once I do I’ll most likely remove/merge the log rules into simpler ones.

I understand the risk with the use of global rules and the need to have a close look at the application rules that get auto-generated after answering a popup.

I think I know what’s causing the confusion about the WOS, system and svchost rules.
It’s because of the blocking rule I put in the predefined policy.
Back when I first used those rules Comodo didn’t have a WOS file group so the [LAN & Outgoing] needed a “OUT any” and a “block anything else” rule.
Are you suggesting I remove the outgoing and the blocking rule on the [LAN & Outgoing] policy and let the outgoing traffic be managed by the WOS application rules?
Like so:

LAN & Outgoing
Allow IP In From In [Local Area Network] To MAC ANY Where Protocol is Any

Or should I leave them like they are and remove the WOS rules entirely?

Now about the upnp, I don’t use it for uTorrent and I don’t think any other application I have does.
I also don’t see any option in my router to disable upnp and SSDP.
The router is provided by my ISP along with a media box for the TV.
I think the TV box needs the upnp feature to work properly.
Unfortunately that doesn’t explain the missing log for one of the connections.
I guess I should go report it as a bug then.

Just to clarify. In your first post you have:

Application Rules

Comodo Internet Security = Outgoing Only
Windows Updater Applications = Outgoing Only
C:\Windows\System32\svchost.exe = LAN & Outgoing
System = LAN & Outgoing
Windows System Applications = Outgoing Only

These two default rules refer to groups found in D+. They’re included to try and make it easy for novice firewall users to get up and running. Of particular interest (image below) in your situation is the Windows System Applications (this is not WOS - Windows Operating System). Are we talking about the same thing?

With regard to upnp, it’s likely the STB will use this. One easy way to check is to disable the service. Open the start menu and type services.msc in the search box. When the window opens scroll down until you find upnp and, just after, ssdp. You can set these to stopped and, if you want, disabled. A short trial with these disabled will alert you to their need, or not.

[attachment deleted by admin]

I’m sorry, my bad.
I meant Windows System Application.

So should I just remove it and keep the LAN & Outgoing as it is, or make the change like I suggested?

Do you mean to stop/disable the services on the STB or on my computer?
If it’s the STB I don’t think I can turn it off as it uses a custom OS and UI.

For the most part, the System process and svchost are the only two that need Internet access from the WSA group. If your LAN & Outgoing rule fully supports their needs, then I’d say ditch WSA and the Updater rule.

Apologies, I meant disable the services (temporarily) on the PC.