I’ve used the stealth port wizard to create a set of rules to block incoming connections.
All my ports are stealthed except those two.
I’ve tried to add special block rules; you can’t create a rule for port 0 (invalid port number).
I could create a rule for port 1 but it was still reported as closed unless I ran an application that listened on that port, such as TCP Listener.
If I check ‘Do protocol analysis’ the ports are reported as stealthed!
So this is clearly a bug that needs to be fixed, because it means that the traffic to these ports goes directly to the OS (which is what answers ‘closed’) without being filtered by CIS…
Comodo treats port 0 as invalid, but according to grc:
Description:
"Port Zero" does not officially exist. It is defined as an invalid port number. But valid Internet packets can be formed and sent "over the wire" to and from "port 0" just as with any other ports.
Background and Additional Information:
The designers of the original Berkeley UNIX “Sockets” interface, upon which much of the technology and practice we use today is based, set aside the specification of “port 0” to be used as a sort of “wild card” port. When programming the Sockets interface, the provision of a zero value is generally taken to mean “let the system choose one for me”. Programmers who specify “port 0” know that it is an invalid port. They are asking the operating system to pick and assign whatever non-zero port is available and appropriate for their purpose.
As a result of this programming convention, there has traditionally been no way for Internet Sockets programmers to generate or receive “port 0” Internet traffic. So port zero was set aside and never defined or used. Although times and technology have changed dramatically, port zero has remained something of an unexplored “no man’s land”.
However, with the widespread and growing availability of operating systems offering the “Raw Socket” programming interface — which provides the means for deliberately generating port zero packets — the presence and security of “port zero” is of growing importance.
The “Port Authority” revision to GRC’s ShieldsUP! services and NanoProbe technology offers the generation of port zero probes to enable users to verify, secure, and stealth their system’s handling of these potentially troublesome Internet packets.
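The two behaviours the quoted GRC text and the first post rely on can be seen on a local machine: bind() with port 0 means “let the OS choose”, and a TCP connect to a port with no listener is answered by the stack with a RST (the scanner then says “closed”), while a dropped probe times out (“stealth”). The following is an added example, not code from the thread or from Comodo or GRC; the helper names (os_assigned_port, find_free_port, classify_probe, demo) and the 20000-30000 search range are assumptions chosen for the demonstration.

```python
import socket
from contextlib import closing

def os_assigned_port(host="127.0.0.1"):
    """Bind to "port 0" and return the non-zero port the OS actually picked.

    This is the Sockets convention described in the GRC text: port 0 in bind()
    means "let the system choose", so nothing ever listens on port 0 itself
    and getsockname() reports the real port.
    """
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.bind((host, 0))
        return s.getsockname()[1]

def find_free_port(host="127.0.0.1", low=20000, high=30000):
    """Find a port with no listener. The range is a constructed choice that
    sits below the usual ephemeral range, so a loopback probe to it cannot
    accidentally self-connect."""
    for port in range(low, high):
        with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
            try:
                s.bind((host, port))
                return port
            except OSError:
                continue
    raise RuntimeError("no free port found in range")

def classify_probe(host, port, timeout=1.0):
    """Send one TCP connect probe and classify the answer the way a stealth
    test does: 'open' (handshake completed), 'closed' (the stack sent a RST
    because nothing listens there), or 'stealth' (nothing came back)."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:   # RST received: port is "closed"
            return "closed"
        except socket.timeout:           # no answer at all: port is "stealth"
            return "stealth"

def demo():
    """Probe a real listener and an unlistened port on loopback."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as srv:
        srv.bind(("127.0.0.1", 0))       # port 0: OS assigns the port
        srv.listen(1)
        port = srv.getsockname()[1]
        open_result = classify_probe("127.0.0.1", port)
    closed_result = classify_probe("127.0.0.1", find_free_port())
    return open_result, closed_result

if __name__ == "__main__":
    print("OS-assigned port for bind(0):", os_assigned_port())
    print("listener / no listener ->", demo())
```

On loopback there is no firewall in the path, so the unlistened port always comes back “closed”; the “stealth” branch is what the thread is after for traffic arriving from the Internet, where the filter should drop the probe before the stack ever gets to answer.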
I passed both tests just fine. What is your rule set? You have opened another thread about Global rules which I have answered. On first sight (and I don’t pretend to be an expert) it seems to be a question of proper settings, not a bug.
Did you disable ‘Do protocol analysis’ before taking the test? Have you a direct connection to the internet?
If it was just a configuration issue, modifying the above setting would not influence the test and global blocking rules would work.
In my global rules, I just have a bunch of ICMP block rules (the ones set by the stealth wizard) and on top of that an allow rule for ICMP coming from a zone containing several IP addresses of trusted computers.
Apart from that, in the advanced settings I just have ‘block fragmented IP datagrams’ and protect the ARP cache.
Same configuration, but ARP OFF (maybe useless for 3 PC behind a LAN)
I have opened all ports on the router before taking the test.
Port 0 stealth
Port 1 stealth
Proactive Mode - FW Custom Policy Mode here.
Do you know how to import the default CIS profiles?
You could start anew with a default profile, test, and then compare with your modified profile.
Thank you for this suggestion. I switched to an old configuration (a default one I think) with the same settings but with almost no rules, and it worked.
So I switched back to my current settings and started deleting OS related rules one by one until I deleted the one corresponding to the ‘program’ named “Windows operating system”, where I have the following:
Windows operating system
allow ip out to anything with any protocol
allow ip in from the zone named SafeComputer with any protocol
Block and log everything else
If I remove the line ‘allow ip out to anything with any protocol’ the ports 0 and 1 are reported as stealthed…
It remains strange though. What rules do you have for ‘Windows operating system’?
I’ve removed the rule ‘Windows operating system’. I think it was a leftover of a previous version of CIS; I remember adding it because at that time incoming blocked connections were not logged, so I added this rule just for the ‘block and log everything else’.
Now, even without this rule, incoming blocked connections are logged…
I am still learning here, and the CIS definitions can easily lead to confusion.
You have to differentiate Network Rules from Global Rules. They both interact with each other.
They are read in a different order according to IN/OUT connections.
Shall I assume you are talking about the Global rules window only?
These are my Global rules
This is the “router” in your OS: it receives a packet for port 0, the stack has no application listening for this and responds with a TCP RST (reset) packet to say there’s nothing here.
The WOS Allow out rule allows this traffic to be sent back and therefore GRC reports you as not being stealth.
From the help file I have attached the rule order.
N.B. Global NETWORK rules are read from top to bottom, regardless of direction. If an outbound packet is being tested (and there is no corresponding application rule) and the first rule applies to inbound, it fails the first test and falls through to be tested against the next rule. This is repeated until a rule is either satisfied or it reaches the global BLOCK ALL rule which should be at the bottom of the list.
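The rule-walking described in the help-file note (top to bottom, a rule for the other direction is skipped, the block-all at the bottom catches the rest) and the explanation of why the “allow IP out” rule turns stealth into closed can be modelled in a few lines. This is an added example, not Comodo’s code or rule syntax: it flattens the rules into one ordered list and only looks at the outbound RST the stack emits for an unlistened port; the Rule and Packet classes, the function names and the sample rule sets are assumptions constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    action: str     # "allow" or "block"
    direction: str  # "in", "out" or "any"
    protocol: str   # "tcp", "udp", "icmp" or "any"
    name: str = ""  # free-text label, only used for reporting

@dataclass(frozen=True)
class Packet:
    direction: str
    protocol: str
    flags: str = ""  # e.g. "RST" for the reset the stack sends for a closed port

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """A rule applies when both its direction and its protocol fit the packet."""
    return (rule.direction in ("any", pkt.direction)
            and rule.protocol in ("any", pkt.protocol))

def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Walk the list top to bottom; the first rule that fits decides.

    A rule written for the other direction simply does not match and the
    packet "falls through" to the next one. Returns (action, index of the
    rule that decided). With no match at all the result is ("no match", None);
    the help-file note says a BLOCK ALL rule at the bottom should prevent that.
    """
    for index, rule in enumerate(rules):
        if rule_matches(rule, pkt):
            return rule.action, index
    return "no match", None

def stealth_verdict(rules: List[Rule]) -> str:
    """What a remote scanner sees for a TCP port with no listener.

    The OS stack answers the probe with an outbound RST. If the rule set lets
    that RST out, the scanner reports "closed"; if the RST is dropped, the
    scanner hears nothing and reports "stealth".
    """
    rst = Packet(direction="out", protocol="tcp", flags="RST")
    action, _ = evaluate(rules, rst)
    return "closed" if action == "allow" else "stealth"

# Constructed rule sets modelled on the thread: the stealth wizard's inbound
# ICMP blocks, optionally the "allow IP out to anything" line from the
# "Windows operating system" entry, and a block-all at the bottom.
ICMP_BLOCKS = [Rule("block", "in", "icmp", "stealth wizard: block inbound ICMP")]
WITH_WOS_ALLOW_OUT = ICMP_BLOCKS + [
    Rule("allow", "out", "any", "Windows operating system: allow IP out"),
    Rule("block", "any", "any", "block all"),
]
WITHOUT_WOS_ALLOW_OUT = ICMP_BLOCKS + [Rule("block", "any", "any", "block all")]

if __name__ == "__main__":
    rst = Packet("out", "tcp", "RST")
    for label, rules in (("with allow-out", WITH_WOS_ALLOW_OUT),
                         ("without allow-out", WITHOUT_WOS_ALLOW_OUT)):
        action, idx = evaluate(rules, rst)
        print(f"{label}: RST -> {action} by rule #{idx} "
              f"({rules[idx].name}); scanner sees {stealth_verdict(rules)}")
```

Note that in both rule sets the first rule (inbound ICMP) is skipped for the outbound RST, which is the fall-through the note describes; what differs is whether the walk stops at an allow or at the block-all.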
I think the reason why, when you check ‘Do protocol analysis’, the ports are reported as stealthed is that when you check it, Comodo will check all packets. If one of the packets is considered to be invalid, Comodo will deny it. So the result of grc’s test is stealthed.
> This is the “router” in your OS: it receives a packet for port 0, the stack has no application listening for this and responds with a TCP RST (reset) packet to say there’s nothing here.
> The WOS Allow out rule allows this traffic to be sent back and therefore GRC reports you as not being stealth.
Thanks for the explanations, but it still seems abnormal that ports 0 and 1 were treated differently from other ports (all other ports were stealthed).
> N.B. Global NETWORK rules are read from top to bottom, regardless of direction. If an outbound packet is being tested (and there is no corresponding application rule) and the first rule applies to inbound, it fails the first test and falls through to be tested against the next rule. This is repeated until a rule is either satisfied or it reaches the global BLOCK ALL rule which should be at the bottom of the list.
And if there is no ‘block all’ rule at the end then it’s asked, right?
Is the order important too in the ‘Applications rules’?
> Shall I assume you are talking about the Global rules window only?
> These are my Global rules
No, I was talking about the application rules; I don’t know if having a rule for ‘windows operating system’ is normal or not.
> I think the reason why, when you check ‘Do protocol analysis’, the ports are reported as stealthed is that when you check it, Comodo will check all packets. If one of the packets is considered to be invalid, Comodo will deny it. So the result of grc’s test is stealthed.
Indeed, it seems that those two ports are not considered in some part of the application for invalidity reasons, or some algorithm breaks when the port is 1 or 0 (I am a hobbyist developer myself and these ‘special’ values are often the cause of such bugs).
As I understand it CIS uses the term “Windows Operating System” against any traffic that is not associated with a particular application. Which potentially allows just the sort of unaddressed traffic that is supposed to be blocked.
If you do need such rules they should go in the Global rules section rather than under “Windows Operating System”.