I’m not sure if httpd spawn several processes. Then we should be able to see that process. If you mean threads, then we should see the process listening on port 80. But the process listening on that port is httpd.exe which is a service.
Although monitor Ndis protocol was not under mentioned path, in fact it was under attack detection, I’ve enabled it, restarted pc, the manually started/stopped/started httpd/mysql. Result was the same.
Then I have uninstalled Usergate and VMware. Result is the same. Usergate is proxy server with NAT funcitonality.
httpd actually spawn other processes in order to handle clkient connections. Using tools like process explorer it’s possible to see them.
Once the server has started and performed a few preliminary activities such as opening its log files, it will launch several child processes which do the work of listening for and answering requests from clients. The main httpd process continues to run as the root user, but the child processes run as a less privileged user.
Anyway the hot issue is that cfp cannot trap the connections. Viev active process/connections is only a side utility IMHO.
Usergate has a firewall option too.
Anyway did you check the network adapter configuration to see if the corresponding drivers were removed?
Did you attempt to connect to those services alter restarting them?
Did you check if there are new cfp entries for these sevices after you attempted a connection?
Please write as much info you can. Even if the result is the same and if this is not helping you there are chances that another user or a developer could find clues about this issue.
Anyway did you check the network adapter configuration to see if the corresponding drivers were removed?
Yes, they are removed. The only one left is Network Monitor Driver, I guess vendor is microsoft.
Did you attempt to connect to those services alter restarting them?
If you mean httpd/mysql services, then yes.
Did you check if there are new cfp entries for these sevices after you attempted a connection?
Still no rules related to these services
It looks like to me that only outgoing connections are being intercepted. All applications that are listening are not being intercepted on incoming connection to them. Out of ideas for now
I tested again using high alert level and latest 3.0.22 beta cfp in custom policy mode.
Looks like cfp can trap outbond connections to mysql but not the inbound one on port 80
I have no av installed too.
I’ll try to bring this to dev attention.
Please test one last time using an inbound connection from the internet with the latest barebone config.
Hello guys,
I’m about to switch to another fw, since my pc is exposed and I don’t have any solution. I would like to have some test version to confirm a bug is fixed or provide whatever information is required to track this issue. However if I switch to another fw I will not be able to do that for some time.
I guess this will require some time.
Take all action you demm necessary an check this topic from time to time. As soon as I’ll get infos I’ll post here.
I attempted to reproduce this ussue using http://www.wampserver.com/
I have no antivirus. CFP version 3.0.22
Firewall in Custom policy mode.
Alert Level set to High.
All alert settings checkbox enabled under firewall behaviour.
staring all Wampserver services (include apache, php and mysql) and attempting
a connection to http://127.0.0.1/ doesn’t trigger any alert.
However if I attempt to load phpmyadmin from the wamp page(http://127.0.0.1/)
Cfp trap the connectipn from httpd to mysql
Developers pointed out this is behaviour is by design as my testcase involved loopback connections.
This mean I needed to test using two pc on the same LAN.
I attempted to reproduce this ussue using http://www.wampserver.com/
I have no antivirus. CFP version 3.0.22
Firewall in Custom policy mode.
Alert Level set to High.
All alert settings checkbox enabled under firewall behaviour.
staring all Wampserver services (include apache, php and mysql) and attempting
a connection to http://ServerLANIP/ trigger an alert.
All subsequent connections will not until the Wampserver services are stopped and started again.
Allowed connections will be listed in view active connections though the one that triggered an alert may not be listed.
View active connections list is refreshed slowly so you need to wait few second to see the actual connection status.
