After CIS Firewall installation and after using CIS for a while, CIS automatically created two Network Zones, being “Home #1” and “Home #2”. Both Network Zones contain one IPv4 address and one IPv6 address.
Both the IPv4 addresses (so one IPv4 address in Home #1 and one IPv4 address in Home #2) are normal local / link-local addresses being 192.168.xxx.xxx and 169.254.xxx.xxx. No problem there.
However there is an issue with the assigned IPv6 addresses in the created Network Zones.
Network Zone Home #1 contains an IPv6 address which is a NON local IPv6 address (address not revealed here).
Network Zone Home #2 contains an IPv6 address which IS a local IPv6 address being fe80::/10.
So my question is: What is CIS trying to accomplish by adding a NON local IPv6 address to Network Zone Home #1 and just allowing applications to connect In and Out to the internet without the user knowing?
It doesn’t feel safe when CIS assigns a NON local IPv6 address to a Home Network Zone, so what is happening here?
Try removing the network zones apart from loopback.
Untick the Do not show popup alerts and treat location as…
Ensure IPv6 Firewall Filtering is enabled and run Stealth Ports wizard to have IPv6 rule.
Re-starting should show the pop-up for your network.
Speaking of which, ensure you have the ICMP rules:
Add the following ICMPv6 rules to the global rules section, choose ICMP for protocol and then go to ICMP details tab and use ICMPv6 Type from drop down list.
Packet too big
Custom and use Type 134 code 0
Custom and use Type 135 code 0
Custom and use Type 136 code 0
The custom rules are for neighbour solicitation and router advertisement which are needed for IPv6 to work if you have Stealth Ports - block all enabled.
Meanwhile, as another test, I imported a fresh default Firewall Security configuration file (taken from the C:\Program Files\COMODO\COMODO Internet Security directory) into CIS, then restarted the system and waited a little for the Home Network Zones to be created (playing around with some apps to trigger network connections).
Now the same issue happens again, again a NON local IPv6 address is listed in Home #1 next to a local IPv4 192.168.xxx.xxx address.
Of course one can work around this issue, but the key point here is that CIS, with a default config, assigns a NON local IPv6 address automatically to a Home Network Zone, which it should not do because it causes security issues.
EDIT: Oh, I forgot to mention, with the default config the “Filter IPv6 traffic” setting is disabled and yet an IPv6 address is added to a Home Network Zone?
Nope, not using a VPN (did never install a VPN on my system) or other gateway. Using a normal plain ISP router/modem connection.
When I use a “What’s My IP” tool on the internet I do see that same IPv6 address... creepy.
It still gets added even when IPv6 filtering is off?
How can it be added when IPv6 filtering is off? Is the “Filter IPv6 Traffic” setting not a CIS global on/off IPv6 filter switch?
I would expect this setting to switch IPv6 filtering completely on or off.
It could be that if you're using both ethernet and wifi and/or connecting to another device, that may be the cause.
I thought it detected your IPv6 address no matter what, but I automatically enable it out of habit when I install CIS/CF; I’m not 100% sure or certain.
My router (Sky) acts as a gateway and is my DNS so I can’t replicate at my end but I’ll let someone else jump in who has time to experiment or investigate further. Big week ahead and other things on at the moment.
Import a default Firewall Security configuration file (from C:\Program Files\COMODO\COMODO Internet Security directory)
Activate the imported config file.
Go to “Advanced Settings → Firewall → Network Zones” and untick the setting “Do not show popup alerts and treat location as”.
Click OK button to close the Advanced Settings window.
Leave all other CIS setting at default.
Restart system and log on to desktop.
Leave the desktop idle for a while (do nothing).
After a while the CIS “Network Detected” Alert pops up for IPv4 address 192.168.xxx.xxx
Select “I am at Home” in the “Network Detected” Alert popup.
Go again to “Advanced Settings → Firewall → Network Zones” and unfold “Home #1”. “Home #1” contains the IPv4 address for which the “Network Detected” Alert popup was raised but there is also that IPv6 NON local address again for which there was no “Network Detected” Alert popup raised!!!
I’ve even tried to create multiple Firewall rules for application “System” with
Action : Ask
Protocol : “Created rules for all available options”
Direction : In or Out
Source / Destination Address and Ports : Any.
and removed both Home #1 and Home #2 Firewall rules from “System” and moved the “System” Firewall rule (with all the Ask rules) to the top of the Firewall rules list and then restarted the system.
After restart and desktop logon the Firewall started popping up many Firewall Alerts for application “System” (as expected), but none of these Firewall Alert popups showed that same IPv6 address that is being added to the Home #1 Network Zone. After all “System” Firewall Alert popups were answered I checked the Network Zone Home #1 (I did remove Home #1 and Home #2 before the system restart) and found that the IPv6 address was again added to Home #1 (as said, without any Firewall Alert popping up for that IPv6 address). IPv4 address 192.168.xxx.xxx was also added to Home #1 again, and for that IPv4 address a “System” Firewall Alert did pop up.
So where does this IPv6 address, which is being added each time to Home #1, come from?
Computer IPv6 address is being exposed in the Home #1 Network Zone.
Application “System” (svchost) is able to establish Home #1 local IPv4 connections In or Out and can also establish NON LOCAL connections to the internet In or Out via the exposed IPv6 address.
Firewall Network Zones Detection creates a NON LOCAL IPv6 leak in Home #1; this is a serious matter.
Are you sure you are looking at the filter IPv6 setting correctly? I would think it just means that Comodo would be inspecting IPv6 traffic just as it would IPv4. If you have IPv6 turned on in network settings, then websites would be able to detect your IPv6 address as they would your IPv4 address. To prevent them from detecting your IPv6, you would need to turn off IPv6 in networking or use a proxy/vpn no?
Yes I’m very sure.
Because I couldn’t believe what was happening I even uninstalled CIS and installed old version 22.214.171.12482 and used it with default Firewall Security config settings in which the filter IPv6 setting is disabled out-of-the-box (but I’ve checked it anyway) and also with this old version the IPv6 non local address got added to the Home #1 Network Zone.
Of course when using a browser the computer's IPv4 and/or IPv6 addresses are being exposed. This is normal, as a browser has its own set of Firewall rules in which you allow these connections.
To my belief, Home Network Zones should only contain local IP addresses (IPv4 and/or IPv6) that belong to a LAN and not to a WAN.
Clearly your ISP is providing you a public IPv6 address block which in turn is distributed by your router for each endpoint. Take a look at the manage networks firewall task to get an idea of why this is occurring. CIS will always detect IPv6 addresses assigned to network adapters it can see regardless of the IPv6 filtering firewall setting. You're getting hung up by the name of “detect private networks” when in fact it doesn’t matter the type of address being assigned to your computer, CIS will keep track of it and define it as part of a network zone. You would still get this alert if you were to directly connect to your modem and get an IPv4 public address assigned to a NIC.
I think that I indeed got carried away by the part “Private” which I thought that Home Network Zones would only contain locally assigned IP addresses for computers connected inside a LAN (computers <-> modem/router connections) which addresses are not directly visible on the WAN (modem/router <-> ISP connection).
In the manage networks firewall task I see locally assigned IPv4 addresses (range 192.168.xxx.xxx) for computers, but I don’t see the IPv4 address that is actually being used to connect to the WAN (internet). Therefore I also expected to see only locally assigned IPv6 addresses (range fe80::/10, or whatever else is defined as local on IPv6), but I only saw these IPv6 addresses appearing which are also being used to connect to the WAN.
Locally assigned LAN IPv4 addresses seem to be “isolated” from the IPv4 address which is used on the WAN and maybe for IPv6 this “isolation” is not always applicable.
Maybe it depends on the hardware (NIC/modem/router) how IPv6 addresses are being assigned/handled/treated or distributed between computers and modem/router and whether these IPv6 addresses appear (being used) on LAN connections or on WAN connections as well.
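The thread turns on one question: which of the addresses CIS collects into a “Home” zone are actually LAN-scoped and which are globally routable. The script below is an added example, not code from any post in this thread or from COMODO; it classifies IPv4 and IPv6 addresses by scope using the well-known prefixes (fe80::/10 link-local, fc00::/7 unique-local, RFC 1918 and 169.254.0.0/16 for IPv4) and then reports which addresses in a zone would be reachable from the WAN. The zone contents in `main` are constructed sample data (the IPv6 sample uses the 2001:db8::/32 documentation prefix), since the original poster did not publish the real address.

```python
import ipaddress

# Scope tables, checked in order. Anything that matches no entry is treated as
# "global", i.e. routable on the WAN. These prefixes come from the IPv6 and IPv4
# addressing architecture (RFC 4291, RFC 4193, RFC 1918, RFC 3927).
IPV6_SCOPES = [
    (ipaddress.IPv6Network("::1/128"), "loopback"),
    (ipaddress.IPv6Network("::ffff:0:0/96"), "ipv4-mapped"),
    (ipaddress.IPv6Network("fe80::/10"), "link-local"),
    (ipaddress.IPv6Network("fc00::/7"), "unique-local"),
    (ipaddress.IPv6Network("ff00::/8"), "multicast"),
]
IPV4_SCOPES = [
    (ipaddress.IPv4Network("127.0.0.0/8"), "loopback"),
    (ipaddress.IPv4Network("169.254.0.0/16"), "link-local"),
    (ipaddress.IPv4Network("10.0.0.0/8"), "private"),
    (ipaddress.IPv4Network("172.16.0.0/12"), "private"),
    (ipaddress.IPv4Network("192.168.0.0/16"), "private"),
    (ipaddress.IPv4Network("224.0.0.0/4"), "multicast"),
]


def classify_ip(text):
    """Return a scope label for an IPv4 or IPv6 address given as a string.

    Raises ValueError for text that is not a valid IP address."""
    addr = ipaddress.ip_address(text.strip())
    table = IPV6_SCOPES if addr.version == 6 else IPV4_SCOPES
    for net, label in table:
        if addr in net:
            return label
    return "global"


def audit_zone(addresses):
    """Return the addresses in a zone that are globally routable.

    A firewall rule that allows "Home #1" traffic in and out would let an
    application talk to the WAN through these addresses, which is the
    behaviour the original poster was surprised by."""
    return [a for a in addresses if classify_ip(a) == "global"]


def main():
    # Constructed sample zones resembling the two zones described in the
    # thread; the IPv6 global address uses the documentation prefix.
    zones = {
        "Home #1": ["192.168.1.10", "2001:db8:1234::abcd"],
        "Home #2": ["169.254.10.20", "fe80::1c2d:3e4f:5a6b:7c8d"],
    }
    for name, addrs in zones.items():
        for a in addrs:
            print(f"{name}: {a:40} {classify_ip(a)}")
        leaks = audit_zone(addrs)
        if leaks:
            print(f"{name}: globally routable address(es) in zone: {leaks}")
        else:
            print(f"{name}: only LAN-scoped addresses")


if __name__ == "__main__":
    main()
```

Run against the sample data this flags `2001:db8:1234::abcd` in “Home #1” and nothing in “Home #2”, which matches the pattern in the thread: a router that hands out a prefix from the ISP's block gives every host a global IPv6 address alongside its fe80:: link-local one, and a zone built from “all addresses on the adapter” will include both.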