Network rules for common games

G’day all,

As follows is a listing of the settings required for some common games. Please note that I don’t necessarily have all of these games and have not tested these rules - that’s where you guys come in. :wink:

If you have one of these games, can you please manually create the appropriate network rule and test the game. Once tested, please post the results back here.

Once each rule has been tested, the results will be placed into a reference topic on the forums for others to use.

Some games require more than one rule, as they need a mix of protocol, single ports and port ranges. Please set up all rules required for a game.

If you have any suggestions on how to make the rules tighter, please add this info to your test results post.


World of Warcraft (1/2)

Action : Allow
Protocol : TCP
Direction : In/Out
source IP : ANY
Remote IP : ANY
Source Port : ANY
Remote Port : A set of Ports - 3724, 6112

World of Warcraft (2/2)

Action : Allow
Protocol : TCP
Direction : In/Out
source IP : ANY
Remote IP : ANY
Source Port : ANY
Remote Port : A port range - Start port : 6881 - End Port : 6999



Call of Duty 1 and Call of Duty 2

Action : Allow
Protocol : TCP/UDP
Direction : In/Out
source IP : ANY
Remote IP : ANY
Source Port : Any
Remote Port : A set of ports - 20500, 20510, 28960


Call of Duty - United Offensive

Action : Allow
Protocol : TCP/UDP
Direction : In/Out
source IP : ANY
Remote IP : ANY
Source Port : Any
Remote Port : A set of ports - 20500, 20510, 20600, 20610, 28960


Half Life (counterstrike) and Half Life 2 (1/3)

Action : Allow
Protocol : TCP
Direction : In/Out
source IP : ANY
Remote IP : ANY
Source Port : Any
Remote Port : A port range : 27020 - 27039

Half Life (counterstrike) and Half Life 2 (2/3)

Action : Allow
Protocol : UDP
Direction : In/Out
source IP : ANY
Remote IP : ANY
Source Port : Any
Remote Port : 1200

Half Life (counterstrike) and Half Life 2 (3/3)

Action : Allow
Protocol : UDP
Direction : In/Out
source IP : ANY
Remote IP : ANY
Source Port : Any
Remote Port : A port range : 27000 - 27015


Warcraft II

Action : Allow
Protocol : TCP/UDP
Direction : Out
source IP : Any
Remote IP : Any
Source Port : Any
Remote Port : A port range : 6112 - 6119



Warcraft III

Action : Allow
Protocol : TCP
Direction : Out
source IP : Any
Remote IP : Any
Source Port : Any
Remote Port : 6112


Battlefield 1942

Action : Allow
Protocol : UDP
Direction : Out
source IP : Any
Remote IP : Any
Source Port : Any
Remote Port : 14567


Alien V Predator (1/3)

Action : Allow
Protocol : TCP/UDP
Direction : In/out
source IP : Any
Remote IP : Any
Source Port : 80
Remote Port : 80

Alien V Predator (2/3)

Action : Allow
Protocol : TCP/UDP
Direction : In/out
source IP : Any
Remote IP : Any
Source Port : A port range : 8000 - 8999
Remote Port : A port range : 8000 - 8999

Alien V Predator (3/3)

Action : Allow
Protocol : TCP/UDP
Direction : In/out
source IP : Any
Remote IP : Any
Source Port : A port range : 2300 - 2400
Remote Port : A port range : 2300 - 2400


SAP R/3 Rel. 4.6D

Action : Allow
Protocol : TCP
Direction : In/Out
source IP : Any
Remote IP : Any (can be server specific)
Source Port : Any
Remote Port : A port range : 3200 - 3399


Command and Conquer (All variants) (1/3)

Action : Allow
Protocol : TCP
Direction : In/Out
source IP : Any
Remote IP : Any
Source Port : Any
Remote Port : A set of ports : 3840, 4005, 4808, 4810, 4995, 7000, 7001, 7002, 28910, 29900, 29920

Command and Conquer (All variants) (2/3)

Action : Allow
Protocol : UDP
Direction : In/Out
source IP : Any
Remote IP : Any
Source Port : Any
Remote Port : A set of ports : 1234, 1235, 1236, 1237, 4000, 5009, 5400

Command and Conquer (All variants) (3/3)

Action : Allow
Protocol : TCP/UDP
Direction : In/Out
source IP : Any
Remote IP : Any
Source Port : Any
Remote Port : A port range : 1140 - 1234


Diablo II

Action : Allow
Protocol : TCP
Direction : In/Out
source IP : Any
Remote IP : Any
Source Port : Any
Remote Port : A set of ports : 4000, 6112


DOOM 3

Action : Allow
Protocol : TCP/UDP
Direction : In/Out
source IP : Any
Remote IP : Any
Source Port : Any
Remote Port : 27666


Deus Ex

Action : Allow
Protocol : TCP/UDP
Direction : In/Out
source IP : Any
Remote IP : Any
Source Port : Any
Remote Port : A set of ports : 7790, 7791, 7792, 8777, 27900


FEAR

Action : Allow
Protocol : TCP/UDP
Direction : In/Out
source IP : Any
Remote IP : Any
Source Port : Any
Remote Port : 27888


Ghost Recon

Action : Allow
Protocol : TCP/UDP
Direction : In/Out
source IP : Any
Remote IP : Any
Source Port : Any
Remote Port : A port range : 2346 - 2348


Need for Speed 3

Action : Allow
Protocol : TCP/UDP
Direction : In/Out
source IP : Any
Remote IP : Any
Source Port : Any
Remote Port : 1030


Need for Speed Underground (1/2)

Action : Allow
Protocol : UDP
Direction : In/Out
source IP : Any
Remote IP : Any
Source Port : Any
Remote Port : 3658

Need for Speed Underground (2/2)

Action : Allow
Protocol : UDP
Direction : In/Out
source IP : Any
Remote IP : Any
Source Port : Any
Remote Port : A port range : 30900 - 30999



Quake 3

Action : Allow
Protocol : TCP/UDP
Direction : In/Out
source IP : Any
Remote IP : Any
Source Port : Any
Remote Port : 27960


Ventrilo

Action : Allow
Protocol : TCP/UDP
Direction : In/Out
source IP : Any
Remote IP : Any
Source Port : Any
Remote Port : 3784


Thanks in advance,
Ewen :slight_smile:

An excellent work Ewen! You did it again!

Best regards,
Egemen

Great Ewen (:CLP)

I don’t understand why you need a network rule for an application.
Why not just create an application rule for each game and allow it certain ports within that?

]-[

I don’t see any reason to specify selected ranges of ports. Just select any. If it’s legit app i don’t see any reason to limit it. Especially not games. Was there really any rogue game? Haven’t seen any for decades… If it’s a bad app you don’t even allow it to connect (at all).

If i’m sitting behind a router and i have the same internal IP all the time, should i set it in remote IP? Should i do it in all rules in network monitor? Does it matter? Safer or not?

The whole idea of specific ports for specific apps for a specific purpose is to make the perimeter security as tight as possible while still allowing full functionality.

IMHO, one of the core principles of desktop security is to make your desktop … ummm … secure.

Opening all ports is certainly easier though, but totally sidesteps the purpose of having a configurable firewall.

ewen :slight_smile:

If you have a static IP, then by all means, set it. Setting it to ANY for the source accomplishes the same thing though. The source for outbound requests is always the PC that CPF is running on, so it will always allow your IP address, regardless of what it is. Setting it to ANY (or “ZONE”, assuming that you’ve defined one) allows for LANs that DHCP an address to each workstation as they log in, so they may or may not get the same IP each time.

hope this helps,
ewen :slight_smile:

I would appreciate if you could make me an example… on how to set up at network control rule for this scenario…

Let’s say that i have set up my router to give 3 computers the same IP all the time.
192.168.1.100
192.168.1.101
192.168.1.102
I want to both play a LAN game and be able to play a multiplayer game on the internet.
The game uses UDP port 27000
I have made a trusted zone called “comodo”. (is it better to use a trusted zone than int. IP?)
How would YOU set this up?

Action :
Protocol :
Direction :
source IP :
Remote IP :
Source Port :
Remote Port :

Action : Allow
Protocol : UDP
Direction : In/Out
source IP : Zone - comodo
Remote IP : Any
Source Port : Any
Remote Port : 27000

Providing the zone “comodo” has been defined identically on all three PCs, this same rule could be replicated onto all the PCs on your LAN.

Wouldn’t it be great if you could define this zone and this one rule on one PC and “push” it across your LAN to all the other PCs? Hmmmm …? :wink:

ewen :slight_smile:

Sorry, Ewen, I’ll be more specific.
If I’m running, say, World Of Warcraft, the wow.exe file is going to be knocking on CPF’s door asking for free passage. There has to be an entry made for CPF in the Application Monitor list whether or not you open the ports in the Network Monitor or else wow.exe is not getting online. Why not just define the necessary ports in the Application Monitor entry?

]-[

“Wouldn’t it be great if you could define this zone and this one rule on one PC and “push” it across your LAN to all the other PCs? Hmmmm …?”

Yes it would… (:HUG)

Thanks for the rule… (:AGL)

It would be nice to save all the rules you are making for the next time you install CPF…

It would be nice if there were a dropdown above “action” when you set a networkrule, where you could choose the most common games and programs, so it fills in the default ports for them… ::slight_smile:

I really don’t see a reason to complicate where you certainly don’t have to. Limiting IE6 would be reasonable, but limiting games is not. I just don’t see a reason to do this.
Afraid of something hooking the game exe and using it to connect to net? Highly improbable if you ask me.

The problem is wow.exe isn’t the only component of World of Warcraft accessing the net, and by the time the game has entered full screen mode, you can’t see the popups to allow the response.

Comodo are aware that gaming is an issue with the firewall and there are development steps underway. The listing I originally posted was merely meant as a guide for anyone who wanted to try and get their games running until Comodo come up with a better solution.

I agree with you, setting them up through the application monitor would be preferable. Hopefully Comodo will head down this road somehow, possibly by assuming the primary executable (in this case - wow.exe) is the parent for all logically spawned or executed components for that parent and allow them the same permissions as the parent.

Time will tell, but I’m confident that Comodo will get on top of this.

Hope this helps,
ewen :slight_smile:

There are always two philosophies to any one viewpoint and we obviously are looking at this from opposite ends.

My take on a firewall is to assume no trust, block all and then set up the minimum permissions for those applications I want to get out. Setting tight restrictions makes it far, far easier to find out what’s wrong when/if something goes wrong. Setting all ports open for all apps (or most apps) is, IMHO, only a short step up from not bothering to have a firewall at all.

Running a firewall on a “most open” basis is, again IMHO, placing too much trust in elements outside of your control. The internet, by definition, is an untrusted network, after all.

We’ve all got the option to set up the firewall how we see fit, or how it best suits our individual needs. The beauty of CPF is its flexibility in that you can set it up your way, I can set it up mine.

cheers,
ewen :slight_smile:
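As an added example (not Comodo’s code and not from any poster in this thread), here is a small matcher that reads rules in the same “Field : value” form as the listings above, resolves a zone name such as “Zone - comodo”, and evaluates a connection against them with first match deciding and no match meaning block, i.e. the default-deny approach described above. The address range of the “comodo” zone is an assumption, since the thread never gives it.

```python
import re
import ipaddress

# Assumed definition of the thread's trusted zone "comodo" (its range is not given there).
ZONES = {"comodo": ipaddress.ip_network("192.168.1.0/24")}

def parse_ports(spec):
    """'Any' -> None; '27000' / 'A set of ports - 3724, 6112' -> set; 'A port range : 27020 - 27039' -> inclusive range."""
    nums = [int(n) for n in re.findall(r"\d+", spec)]
    if not nums:
        return None
    return set(range(nums[0], nums[1] + 1)) if "range" in spec.lower() else set(nums)

def parse_hosts(spec):
    """'Any' -> None; 'Zone - comodo' -> that zone's network; anything else is a literal."""
    s = spec.strip()
    if s.lower() == "any":
        return None
    if s.lower().startswith("zone"):
        return ZONES[s.split("-", 1)[1].strip()]
    return ipaddress.ip_network(s)

def parse_rule(text):
    """Read one 'Field : value' block in the format the rules are posted in."""
    f = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition(":")
        f[key.strip().lower()] = value.strip()
    return {"action": f["action"].lower(),
            "protocols": set(f["protocol"].upper().split("/")),
            "directions": set(f["direction"].lower().split("/")),
            "src_ip": parse_hosts(f["source ip"]), "dst_ip": parse_hosts(f["remote ip"]),
            "src_port": parse_ports(f["source port"]), "dst_port": parse_ports(f["remote port"])}

def _ok(allowed, value):
    return allowed is None or value in allowed

def evaluate(rules, proto, direction, src_ip, src_port, dst_ip, dst_port):
    """First matching rule decides; a connection that no rule matches is blocked (default deny)."""
    for r in rules:
        if (proto.upper() in r["protocols"] and direction.lower() in r["directions"]
                and _ok(r["src_ip"], ipaddress.ip_address(src_ip))
                and _ok(r["dst_ip"], ipaddress.ip_address(dst_ip))
                and _ok(r["src_port"], src_port) and _ok(r["dst_port"], dst_port)):
            return r["action"]
    return "block"

# The LAN-zone rule from the thread, exactly as posted, parsed with the functions above.
LAN_GAME = parse_rule("Action : Allow\nProtocol : UDP\nDirection : In/Out\nsource IP : Zone - comodo\n"
                      "Remote IP : Any\nSource Port : Any\nRemote Port : 27000")
```

With only LAN_GAME loaded, a UDP packet to port 27000 from another zone member is allowed while the same packet from an address outside the zone falls through to the default block; an “Any/Any/Any” rule makes every connection match, which is the situation the later posts warn about.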

Since installing comodo FW some of my games (BF2, COD2) won’t run. I used process explorer to check the running processes and under the game is macrovision cleanup.exe (the game is shown as running in process exp. but will not start). Also running was comodo agent service and appeared to be corresponding in CPU usage to cleanup.exe. I did some googling on cleanup.exe and apparently it’s some sort of copy protection and one report said it conflicted with some firewalls.

I checked the network control rules and TCP/UDP was at the top and
already set to:

Protocol: TCP/UDP
Direction: In/Out
Source IP: Any
Remote IP: Any
Remote Ports: Any

IP In/Out was set to block so I set it to allow everything, but games
still wouldn’t run. Tech support has been no help. (:AGY)

Macrovision cleanup is a real pain in the bum. IT is conflicting with the firewall not the other way around.

You may have misunderstood how CFP works with its rules. The Network Monitor sets up rules that determine HOW data can get in or out of your PC. The Application Monitor determines WHAT can get out. The two systems work hand in hand. For games, the critical thing, assuming that the default Network monitor rules are in place and haven’t been changed (for whatever reason) is that an Application Monitor rule is created for the game components that require network access.

If you want I will look into cleanup.exe and see if I can work out an App Mon rule for it and the games executable.

I checked the network control rules and TCP/UDP was at the top and already set to:

Protocol: TCP/UDP
Direction: In/Out
Source IP: Any
Remote IP: Any
Remote Ports: Any

IP In/Out was set to block so I set it to allow everything, but games still wouldn’t run.

If you’re going to leave your rules like this you may as well not have a firewall, because you are explicitly setting the firewall to allow ALL traffic IN and ALL traffic OUT, regardless of source or destination. Bad. Very bad!

Hope this helps,
Ewen :slight_smile: