network control rules

Hello everyone. I was just trying to get an application to complete a tst on my comp, and with the firewall off it completed; with it on and giving the program full access it failed. I had a rule in the network control that is no longer there. I didn’t think I deleted anything, nor did I mean to permit something that shouldn’t be. I think it was an IP rule. Possibly there by default, since I never made any specific rule.

Is there a “block” rule that is generated by default? It may have been an “IP in rule”. There used to be a red one here. I never remember making it, it was just always there…

[attachment deleted by admin]

That last rule is not default, and I can’t see exactly what it is (port). Take a complete screenshot so we can see.
The last block rule, which YOU MUST HAVE, is to block everything else:

Action: Block
Protocol: IP
Direction: In/Out
Source and Destination: any
IP Details- IP Protocol: any

And create an alert- ticked, if you want to log the block rule.

You must have it!

Here is the full shot. Please be as specific as possible if I have to create a new rule or modify one. Is that second screenshot the right rule? Sorry, not too good with rules (:NRD)

Protection level is excellent, but it notified me I had to reboot for the config to go into effect.

Thanks

[attachment deleted by admin]

Rockstar, at the very Minimum, this is what you need to do:

Right-click on Rule ID 5, select Add/Add After. This will open a rule editing/creation window. You will fill it in as follows:

Action: Block (and check “Create an alert if this rule is fired” in order to log any blocking action)
Protocol: IP
Direction: In/Out
Source IP: Any
Destination IP: Any
IP Details: IP Protocol: Any

OK.

Then reboot your computer to reset the rules change to the Network Monitor.

Your current Rule ID 5 is not a standard rule, although the rest are; any time I see a rule to Allow Inbound traffic, I am concerned. Please provide the full details of that rule (IP addresses, Ports, Protocols, etc), and explain what you are trying to accomplish with it.

TNX,

LM

Rockstar, you’ve got Rule ID 6 (per your second screenshot) nailed, looks like.

Now let’s just clarify Rule ID 5…

LM

I would delete no. 5. It’s allowing everything in TCP/IP! The last block would be blocking IGMP and not much more!

That’s my thought as well. However, I want to make sure if there’s a specific purpose that needs to be addressed, such as a p2p rule or something; without the details (which aren’t showing completely) it’s hard to say…

LM

Thanks guys, I really appreciate this. See three screenshots for details of rules 5, 6, 7.

I really have no need for any special settings, special meaning loose or not too secure. I don’t need anything so tight as to be intrusive though.

HFS ~ HTTP File Server

It does not work. There is a self test that it fails unless comodo is off.

[attachment deleted by admin]

Tried to modify that last post but session verification failed? Anyway, after right-clicking on rule 5 and doing as suggested it made another rule 7 which is the same as 6?

Those last 2 screenshots look duplicate.

The first screenshot is a rule you should delete. To understand what that rule says:
‘Allow packets come in and out, using protocols TCP or UDP, from any port or IP, to any port on your computer’. As you can see, this is not what a Firewall rule should look like, unless for some specific reason.

Now a Q: what’s tst? Or what exactly is it that you can’t do? I’m sorry if I’m not getting it, LM probably is, but do answer, even if it only serves to educate me :slight_smile:

Rockstar,

Would you please open your Network Monitor to full-screen size, then capture another screenshot of the whole thing (NetMon, we don’t need the surround GUI), and attach that to your post.

Since it looks like you have duplicated some rules, I want to see the whole thing. Don’t make any changes while we’re looking, ok? :wink:

TNX,

LM

The last 2 screenshots were duplicate. There were 2 in the panel; the second one was created when I did what it said in the post from 10:48:08. The current config looks like in the attachment.

The software HFS ~ HTTP File Server

is something I just saw today. I am totally not familiar with it, but what I think happens is [I think] a window opens [I did see that] that looks somewhat like an FTP client, and you can drag and drop a file or whatever onto it, and then you give the IP to someone and they can just grab it or whatever.

Say I have a program that I want to share or a huge file or whatever; I just drag and drop and see what happens. I haven’t tried it because it doesn’t run. I don’t really know what it can do…

There is a self test to see if it works… gets through the firewall/router [I don’t have one] I guess.

You can easily try it. There is no install, just run the .exe (:SAD)

Sorry LM, I deleted the duplicate and edited the other one. Last 2 attachments.

[attachment deleted by admin]

Rockstar,

Ok, the Network Rules look fine now. It appears to be the same as the default rules created at install. Should provide all the security you need, with functionality at the same time. Not too rigid, not too loose. For some applications like torrent/p2p apps, you may need to create specific Network Monitor rules due to port usage, but normally application rules are all you need from here…

Now, as far as HFS goes… Do I understand correctly that you are trying to use this filesharing application, but are unable to get it to connect to the internet?

LM

Hey Rockstar,

Looking at HFS’ website, it looks like you have to do some portforwarding in router, and create a network rule in CFP for Inbound on a specified port.

Here’s the PortForward.com link to the HFS section, where you can choose your router for specific configuration instructions. http://www.portforward.com/english/applications/port_forwarding/Http_File_Server-HFS/Http_File_Server-HFSindex.htm

Once you have the application window open for HFS, you need to click the button to turn it OFF. Then you can set the Port you want to use (you’ll want a high number port, that’s less likely to conflict - something like 47001 - 47556, which are unassigned). You will basically be forwarding that port in your router, and then create/add a new Network Monitor rule. This will only be if you are wanting to use your computer as a fileserver, that others can upload to (what it looks like, anyway). If you’re just using it to upload files to somewhere else, that doesn’t look like it’s necessary; just an application rule to allow HFS to connect outbound.

LM

Don’t use a router (:SAD)

I did have one once and did nothing other than disconnect it. Cut my speed in 1/2. You think that could be the prob? It is not connected now, and I have no problems whatsoever except this.

Attachments out of order: 3 1 2

[attachment deleted by admin]

I also have this in application monitor… Is that ok?? Should run: NO

[attachment deleted by admin]

Well, I can’t complete the selftest as I’m behind a router that is not under my control, and it fails without portforwarding set up.

It does appear to default to port 7000.

When I invoked the selftest, I had three popups from CFP:

  1. Listen Port 80
  2. DNS Port 53 (to my DNS Server)
  3. TCP Out to IP Address 207.x.x.x

I set the FW to create an application rule to allow it (item #3 only), and this is what it gave me:

HFS.exe with parent explorer.exe, Allow TCP Out, Any Source, Any Destination, Any Port (source/destination). In using it, I would probably want two application rules, as follows:

Allow TCP Out Any, Any, Any, Any (as above; just Out only)

Allow TCP In, Any, Any, Any, Single Destination Port (that you have defined in HFS).

You might then need another rule in the Network Monitor (above your bottom Block & Log rule; you can right-click that bottom rule, select Add/Add Before), as follows:

Action: Allow
Protocol: TCP
Direction: In
Source IP: Any
Destination IP: Any (or yours)
Source Port: Any
Destination Port: Single Port: (that you defined in HFS)

OK, and reboot.

That will allow TCP traffic in on that port. The HFS application will have to be actively running, in order to be able to receive the connection, though.

LM
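As an added illustration (not code from the thread, from Comodo, or from HFS): a small first-match model of the Network Monitor rule list, showing why the any-to-any “Allow TCP/UDP In/Out” Rule 5 discussed earlier leaves the bottom Block rule almost nothing to do, and how LM’s single-port inbound allow for HFS sits above the catch-all block. The HFS port 7000 (its default per the post above), the combined “TCP/UDP” protocol value and matching on destination port only are assumptions and simplifications of the real rule editor.

```python
# Added example: a first-match evaluator modelled on the Comodo Network
# Monitor rule list (assumed semantics: top-down, first matching rule wins).
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    action: str                      # "Allow" or "Block"
    protocol: str                    # "IP" = any; otherwise "TCP", "UDP", "TCP/UDP", "IGMP"
    direction: str                   # "In", "Out" or "In/Out"
    dst_port: Optional[int] = None   # None = Any (source port is ignored in this model)

    def matches(self, proto: str, direction: str, dst_port: int) -> bool:
        if self.protocol != "IP" and proto not in self.protocol.split("/"):
            return False
        if self.direction != "In/Out" and self.direction != direction:
            return False
        if self.dst_port is not None and self.dst_port != dst_port:
            return False
        return True


def evaluate(rules: List[Rule], proto: str, direction: str, dst_port: int) -> str:
    """Return the action of the first matching rule; block if nothing matches."""
    for rule in rules:
        if rule.matches(proto, direction, dst_port):
            return rule.action
    return "Block"


# The mandatory bottom rule from the thread: Block, IP, In/Out, any -> any.
BLOCK_ALL = Rule("Block", "IP", "In/Out")

# Rule set as first posted (constructed): Rule 5 allows TCP/UDP both ways,
# so only non-TCP/UDP traffic such as IGMP ever reaches the block rule.
ORIGINAL_RULES = [Rule("Allow", "TCP/UDP", "In/Out"), BLOCK_ALL]

# Corrected set (constructed): outbound allowed, and a single inbound TCP port
# for HFS placed above the block-everything-else rule.
HFS_PORT = 7000  # assumed: HFS default port mentioned in the thread
CORRECTED_RULES = [
    Rule("Allow", "TCP/UDP", "Out"),
    Rule("Allow", "TCP", "In", HFS_PORT),
    BLOCK_ALL,
]


def inbound_tcp_allowed(rules: List[Rule], port: int) -> bool:
    """Would an unsolicited inbound TCP connection to `port` get through?"""
    return evaluate(rules, "TCP", "In", port) == "Allow"
```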

I appreciate the work you put in (:CLP), but I don’t know if I need it that bad :THNK. I tried something. I allowed all traffic in Comodo and turned on Windows FW and ran the test; it just asked me if I wanted to continue blocking that application, I said no, and it passed the test. I don’t know if that is cool, what do you think? If I used it, it would only be with people I knew were “relatively” safe. I would appreciate your opinion on how secure you think the Windows FW is used like that.

Well, here’s the problem I see, as far as security…

When you set CFP to Allow All, you’re disabling all of the protection it provides. So at that point, it’s doing nothing for you. That’s like keeping a shotgun to protect your home, but never buying any ammunition for it. Basically, it does you no good! :wink:

IMO, the Windows FW is about as useful a firewall as spreading cream cheese over your computer. Which is to say, it does nothing. :frowning:

That being said, it’s all well and good to have CFP up the majority of the time and only disable it & use the WinFW when you’re using HFS. But during that time you’re using HFS, you’d have absolutely no protection. Stats on how quickly people on the internet run in to problems when they don’t have an active FW are pretty scary; and that’s not including running a fileserver…

I gather from your comment, that you don’t know if you need it that bad, that you consider the rulemaking to be a difficult task. If that’s what’s stopping you, I can assure you that it’s not really as difficult as it may seem, and I can guarantee you that you’ll learn more about how CFP works and become more confident with it.

We can take it in a series of steps to walk you thru, and really won’t be painful at all. That’s IF you want to do that. That is entirely up to you; I don’t get paid one way or the other! ;D Just let me know; I’m happy to help.

LM

Thanks for the offer :BNC. I probably will create the rules (:NRD). I need to read that last post and maybe print it out; I think it would be good to learn more about Comodo. I never really learned any of the ones I had: Norton PF 2003, eTrust personal firewall supplied free from my ISP, and now Comodo.

I want to look at that program a little further and see what it is really all about. I probably don’t need it, since I can upload files to my test forum and let anyone who I say get them there, which is much safer I would imagine, but to add the rules and learn how to do it may make it worthwhile.

I will look for you to be online when I do it so you can bail me out (V)

Thanks again for your efforts today… (:CLP)