Problems with Call of Duty 4, Quake Live and maybe the stealth ports wizard

Hello

If I want to play Quake Live or CoD4 online the game will get pined while connecting to the game I choose.


http://img208.imageshack.us/img208/8977/zwischenablage02xv.th.jpg

and

http://img521.imageshack.us/img521/6600/zwischenablage03b.th.jpg

This is how far I will get.

I allowed the games everything they like to do (firewall and Defense+), but it didn’t change anything.
Settings are at custom and paranoid and the only way to play the games online is to disable the firewall. Whatever settings I use for Defense+, it won’t change anything.

I compared my settings with another person who uses Comodo too, and we use the same settings. With one difference.

I set Stealth Port to Block all incoming and hide my ports, like I did back in Comodo 3.x.
I tried to set it back to Alert me but it didn’t change anything. There was no question while trying to connect.
I tried to open some ports too, but maybe they were wrong or even that won’t help.

Where is the problem? Is it really the Stealth Port Wizard? And how can I fix it?

Sorry for my bad English. I can read English very well but I should write more :wink:

Don’t open ports for ingoing traffic to use a game!

when you first start a game, switch to training mode of defense+ (short as possible! it’s just the easiest way). when you reached the menu of a game, return to desktop and switch back to safe mode. Don’t forget to switch back!

in firewall every game will run with this rule: “game.exe” allow OUTgoing TCP+UDP any address any port. you will receive requested packets… you don’t need to receive unrequested packets, so you don’t need ingoing rules or open ports!

Don’t use this rule for ingoing!

Use the stealth port wizard to block all ingoing and make you invisible. it’s ok. i play games with the mentioned things :slight_smile:

tell if this does the trick. maybe in the case of quake live, it could be related to firefox rules, as it’s a browser initiated game. then you have to make a compromise, as you would otherwise open firefox itself permanently for things which only the game needs. when i used quake live, i allowed on a per case basis in the running process without “remember my answer”. long ago.

Firewall:
CoDMP.exe
Allow IP In/Out From IP Any to IP Any where protocol is Any
Direction out

Firefox the same.

Defense+ deactivated.
See my first post. It does not work.

And I didn’t write: I can play other online games perfectly. Need for Speed World was the last one I tried.

Another thing I noticed. Why can’t I delete any item from the firewall rules? I press delete, I choose delete by right-clicking. If I open the security policies again it is back.

WHAT?
Firewall:
CoDMP.exe
Allow IP In/Out (???) From IP Any to IP Any where protocol is Any
Direction out (???)

Firefox the same.


treat firefox as “browser”.

how can you make a rule for “allow IN/OUT”, and saying “direction OUT”?
that’s impossible.

ok, your last sentence is the big hint in this case:
you forget to press all the “OK” buttons. a rule is valid AFTER you pressed the OK on the main page where you are at. before, the changes are temporary in wait, and still not valid.

i played cod6 (any games run) with these settings:

allow (game.exe) TCP/UDP OUTGOING. that’s all!

maybe you have made a mistake in defense+. erase all rules you have for that game. and don’t forget to press “OK” on the main pages after all changes are done.
start the game, defense+ SHORT in training mode. switch back. before you start, make the firewall rule.
And Play :slight_smile:

DON’T use “allow ingoing” rules… otherwise every time when you use your firefox (with such a rule), everyone is allowed to come in… you want to use the internet, so you don’t need people to come in themselves. what you request, will come… the rest can be blocked. so use only OUTgoing rules, if you are not a server running (a real server), or using p2p (a real p2p client, not any game).

to use an “allow ingoing any address, any port” rule is the same as if you invite everyone to come into your pc.

@Clockwork
I know. It was just a test.

I think in Comodo 4.0 there was written something like I wrote above.
In Comodo 5.0 this is not written. The out was the direction inside the network control rule.

After the updater didn’t say a word about Comodo v5, I deleted v4 and restarted all network settings.
If it is too complicated to update, why is there no information shown…

Then I tested CoD4
Stealth port at max, Sandbox offline, Defense+ at training, allow all (did not save that). The same as in the first post.
Then CoD4 with a self-created rule. IW3mp.exe (Yeah, they really don’t like Treyarch).

Action: Allow
Direction: Out
Protocol: TCP & UDP
Source address / Destination: Any
Source Port / Destination: Any.

Same as above.

I don’t think you can compare CoD6 and 4. CoD6 still used a server-based system based on the good old Quake 3 Engine code.
CoD6 uses a new matchmaking system. (Maybe with some parts of the old code)
Quake Live is just Quake 3 for the browser.
I haven’t tested other Q3 engine games so far because they were lots of km away. Now I will try them. Maybe just the good old Q3 network engine has some problems with stealth port.

As I said. Other games (newer and older) don’t have any trouble.

This is a CIS BUG. And no configuration will help!

After I installed COMODO Internet Security 5.0.162636.1135, I can’t play Ragnarok Online anymore as it doesn’t allow the game to connect to its server correctly anymore for some reason. Do whatever you want with CIS5 configuration, it will not allow RO to connect. “Faulty internet connection setting” said RO’s server moderator.
MuOnline works fine tho.

Luckily, I still have a backup of CIS4 installation. I will now downgrade and hope, that some year, CIS5 will support online games too.

as an example of how easy q3 engine games run:
urbanterror or enemy territory even run with just UDP(!) outgoing ;).

i don’t see what could cause your problems. my games all run. even steam games… i have NO game that needs more than TCP+UDP OUTgoing.
i played quake live too. and that needed a little “trick” because it’s “in firefox”. and i didn’t want to allow things permanently for firefox when it’s just for a game.

when i should say a “bug”, then it’s the incompatibility which happens sometimes when punkbuster kicks for an unallowed driver… when you have comodo… but it doesn’t happen always (some versions are “fixed” somehow).

Ok, I had a lot to do in the past time.

But now I have tried more games.

Exe of the game
UDP + TCP or IP (tried both)
OUT to any destination

Stealth Port assistant at max.

Works for Black Prophecy (uses IP at the moment), Hearts of Iron 2, STO, Champions Online, Unreal Tournament 2004 (I think, played it a longer time ago).

Won’t work for

Call of Duty (1, 2 and 4), Quake Live, World of Tanks, other ID-Tech 3 games (I’m sure I tried Elite Force. I’m not sure if I tried SoF2).

In World of Tanks the game gets stuck at the table where all players are listed while the map is loaded. No player names are shown. After some time I get a “Connection Interrupted”.
In CoD 4 I get stuck at Synchronizing game settings (after some time: Connection timed out) and in Quake Live at “awaiting gamestat”.

I even created these games as safe applications which are allowed to do everything. Didn’t work. (I deleted that after the test).
The only way to play these games online is to set the firewall to disabled. So it is related to Comodo.

But I don’t see how. Or what I should do.

And no, I don’t forget to press OK.

Maybe it is something where Comodo and my internet connection are playing together. I am in a big home network connected through a VPN (Cisco) to a VPN server which leads my connections to the internet. But I don’t see how this would make a problem together with Comodo.

try what happens if you use the defense+ training mode very short while starting the game. maybe it isn’t the internet what is blocked. don’t forget to switch back to normal mode after first starting the game. don’t use training mode for the firewall!
or maybe better just disable the defense for the test, as it wouldn’t create rules while that, unlike training mode.

and i used the rules UDP+TCP outgoing for any games. i played some of your mentionings.

quake live is a firefox plug in. so it would need a rule in firefox or its container. i would make those rules temporary, as you use the browser for something outside the game. so it should not have many permanent rules for the game.
make a rule in the firefox rule set, UNDER all the rules of it: ask any rest. or better: ask any rest which is in port range of the game. so you don’t get useless questions too often.

Forgot to write.
All tests were made with just the firewall active. Defense+ was disabled.

The problem is related to the firewall. But I don’t see how.

All games have UDP + TCP outgoing all.

I think it has something to do with stealth ports, but I’m not sure. But even if it has to do with it. It can’t be changed back for the current “Zone” as it seems.
And the stealth port can’t be deactivated temporarily without deactivating the whole firewall. And it can’t be deactivated for one program.

the stealth port wizard 3 basically adds a rule in global rules “block ip(=any protocol) ingoing any”.

this rule should not have an impact on playing games. you just don’t get questions for unrequested ingoing traffic. playing a game on the other hand requests packets. so all should be fine with that rule.

what you said about quake live, i got the same message. until i realized, that a rule in firefox is needed. the predefined rule of firefox says as last rule “block the rest”? that’s why you don’t get a question if you play a plug in game. try my suggestion for quake live. see above!
easiest way to test: erase the rule in application firewall rules for firefox and its plug in container. then you get asked again. start the quake, and answer the questions manually. if the screen doesn’t allow you to answer the question, press windows button, or similar for getting to desktop.

after this test went good, use again the predefined policy for browser… and if you know how, change this predefined rule for browser to add as last rule on bottom of this set:
ask outgoing destination any, destination port (usual quake ports)
don’t forget to make the rules for the game per case and temporary. or choose temporary “outgoing only”. you don’t always play the game, but firefox would otherwise always have the permission which only the game would need.

i can’t say anything about vpn. i just know, that games should run with my suggestions usually.

Does not work. I allowed anything for Firefox and the plugincontainer.
I was unable to join a normal match and there was no question.

But I was able to start a local training match but I was able to do this with the old settings.
I was able to start a multiplayer match when I turned off the firewall (disabled).

I really don’t see the problem and I know that all games SHOULD run with the settings UDP and TCP (or IP) out to all destinations.

some possible explanations. maybe there is an existing rule in your set which avoids it to function. what happens if you try for a test a “default given” configuration? save yours before, so you can easily go back to it.

or your connection with vpn is somehow a reason. but why do other games work for you…

just a side note. both games use punkbuster? have you made all rules for these processes too?

Punkbuster A and B are allowed UDP, TCP, ICMP and IP OUT to all destinations. Do they need in?

I don’t see the Option to set the Firewall back.

Also I can’t imagine which configuration should block some games and others not.

The only, let’s say, global settings for global applications are the AnyConnect VPN Client (Just set make it so and save it when they asked the first time → UDP and TCP or IP out)
Eset (antivirus, use just Comodo firewall and Defense+) with IP out from any mac to any mac

And System (Windows I think) UDP and TCP OUT to any destination (should it be trusted to do all?).

And what should be used for svchost?

Global Rules (I don’t set them, they where there from the start)

IP OUT from any mac to any mac with any protocol
ICMP IN from any mac to any mac where ICMP Message is Fragmentation needed
-"- where Message is TIME EXCEEDED
Block IP IN from any MAC to any MAC, any protocol

PS
So many Hits and nobody else has an idea or had such a problem?

As far as Quake Live is concerned, see Comodo + Quake Live. The configuration for games such as this is pretty minimal, especially if you don’t want to manually create rules.

Perhaps you should post a screenshot of your firewall Application rules…

I opened ports 4077 and 5222 for the plugin container and now I get further, to “Awaiting connection” with a counting number. Opening the port range of 27000-27999 also didn’t help.
So I think unopened ports could be one part of the problem.

The funny thing is, after allowing all ports as source I just got “Awaiting Gamestat”.
After deactivating the firewall, all went fine and I was able to join a game.

But for CoD4 my rule is at the moment
Allow UDP and TCP Out from any MAC to any MAC where Source port is Any and Destination port is Any.
I would say, this is allowing CoD4 to use the whole port range for outgoing connections. But it won’t work.

I know I deactivated some ports in Windows (but I don’t know anymore which they were, my Windows is up to 3 years old by now). But because deactivating the firewall helps, the problem should be the firewall and, as it now seems, ports.

Nice that it seems that the ports games needed are never listed.

Which rules do you think of?

Application Rules, Global Rules, Network Zones or Port Sets?

It’s possible the firewall is not the problem. If you’re using Punkbuster, it may well be a problem with D+. It certainly used to be the case that the two were incompatible.

Re: Comodo Firewall 3.8.65951.477 causes PunkBuster kick

Obviously, that is an old post and things may have changed…

Nice that it seems that the ports games needed are never listed.

It’s not really the responsibility of Comodo to list all the ports used by games, besides, there are plenty of places that list these already.

Which rules do you think of?

Application Rules, Global Rules, Network Zones or Port Sets?

The information contained in Network zones and Port sets is meaningless, unless it is used as part of an Application or Global rule. Application rules control processes, whilst Global rules are typically used to control protocols and ports. Unless you’re running a game server, you shouldn’t need to create any specific inbound rules.

As far as I’m aware, the only port COD uses is 28960 over both TCP and UDP and it should be enough to create the rule for this as an outbound Application rule - inbound will be handled by stateful inspection. Punkbuster typically uses the same port as the game, however, you can also specify the port specifically, which is UDP OUT - Port 27666 (I can’t remember specifically, but you may also need to allow UDP out to Ports 24300-24399)
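The rule model discussed in the posts above (an outbound-only Application rule, the default Global rules, and replies admitted by stateful inspection), as an added example that is not part of the original thread and is not Comodo's code. It is a simplified Python model; the class and function names, the sample addresses and the evaluation order (application rules before global rules for outbound traffic) are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str   # "out" or "in", seen from the local PC
    proto: str       # "udp" or "tcp"
    local: tuple     # (ip, port) on the local PC
    remote: tuple    # (ip, port) of the peer
    app: str = ""    # owning process, known for outbound traffic only

# Constructed rule sets modelled on the thread:
# (action, direction, protocols, allowed remote ports or None for any)
APP_RULES = {"iw3mp.exe": [("allow", "out", {"tcp", "udp"}, {28960})]}
GLOBAL_RULES = [("allow", "out", {"tcp", "udp"}, None),  # "IP OUT ... any protocol"
                ("block", "in", {"tcp", "udp"}, None)]   # "Block IP IN ... any protocol"

def first_match(rules, pkt):
    """Return the action of the first rule that matches pkt, or None."""
    for action, direction, protos, ports in rules:
        if (direction == pkt.direction and pkt.proto in protos
                and (ports is None or pkt.remote[1] in ports)):
            return action
    return None

class StatefulFirewall:
    def __init__(self):
        self.flows = set()  # flows opened by permitted outbound packets

    def handle(self, pkt):
        key = (pkt.proto, pkt.local, pkt.remote)
        if pkt.direction == "in":
            if key in self.flows:            # answer to something we sent
                return "allow (reply to tracked flow)"
            return first_match(GLOBAL_RULES, pkt) or "block"
        # Outbound: application rule first, then global rules, default deny.
        if first_match(APP_RULES.get(pkt.app, []), pkt) != "allow":
            return "block (no application rule)"
        if first_match(GLOBAL_RULES, pkt) != "allow":
            return "block (global rule)"
        self.flows.add(key)
        return "allow"

def demo():
    fw = StatefulFirewall()
    pc = ("192.0.2.10", 50000)            # constructed documentation addresses
    server = ("198.51.100.7", 28960)
    stranger = ("203.0.113.9", 28960)
    return [
        fw.handle(Packet("out", "udp", pc, server, "iw3mp.exe")),
        fw.handle(Packet("in", "udp", pc, server)),     # requested reply
        fw.handle(Packet("in", "udp", pc, stranger)),   # unrequested inbound
        fw.handle(Packet("out", "udp", pc, ("198.51.100.7", 27666), "iw3mp.exe")),
    ]
```

The last case shows the cost of restricting the outbound rule to a single destination port: traffic to any other port, such as the separate PunkBuster port mentioned above, needs its own outbound rule.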

i hope you didn’t complain that there are many hits but no solution atm.

in my case, this topic would have given me the needed information. it would work for me. what is difficult is just this:
we don’t know automatically what is the little difference in your case what makes it not the specific solution for you.

about that “ports for games mostly are not told”: in the past you needed to allow ingoing traffic per rule. to make these “holes” as small as possible, you needed to know the important ports to OPEN FOR INGOING. today, you don’t need rules to allow ingoing, as the requested packets are allowed to come in by an outgoing rule. i have NO GAME which would need open ports for ingoing.
punkbuster needs out only too. i would just allow its questions, and if some questions are asked again, try to make it a little more “unspecific”, so it allows similar attempts from the punkbuster in the future (example 127.0.0.1 port any). don’t do more than asked.

the problem in this case, and why i thought about a rule as causing this problem: you don’t get a question, when the game starts. when you use the predefined rule for browser, the last line is: BLOCK THE REST. as long as this rule is part of your firefox rule set, you will not get a question for quake live.
i changed the rule, and i get the question. (firefox+container outgoing only, for test if you get a question. if not, there is something most probably already covering this question with a block).

any parts of windows (system, svchost etc.) should NEVER have permission to allow ingoing (don’t use trusted for them). this is the basic reason why you use a firewall. you maybe trust the program, but you don’t know what will try to come in!

@Radaghast
I can play the games without problems with D+ activated but the firewall deactivated. So punkbuster and D+ are not the problems (together and alone). Same thing for Quake Live and World of Tanks.

And I’m not blaming Comodo for not having such lists but the game developers that there are no such lists. I know in normal cases it is not needed to open ports today (for outgoing) but you can configure some routers this way and as it seems Comodo :smiley:

And the problem is not just Quake Live. I even tried to delete all rules in D+ and the firewall and allow every question without saving it. “Awaiting Gamestat”. My first configuration of the plugin container was not the predefined browser rule but a custom rule allowing new questions. Quake Live didn’t work. Now I’m using the browser rule.

And I don’t use inbound rules. Just outgoing.
I will try the CoD4 ports tomorrow.

@clockwork
That’s my problem. I don’t see the little difference in my configurations making things not work. There were enough hints and things I tried out. And they all should have worked. It should have worked at the beginning. But it didn’t. Even opening the ports for outgoing in Quake Live did not help completely. I was still unable to join the server.

Is it possible I killed a service that is needed for these games while Comodo is activated but not if it is not activated? (I know, silly idea)

But with the rule (Firefox and Plugin) TCP and UDP Out from any to any Mac while port is any, I was not asked again starting Qlive. Is there a Block?

For the system applications I don’t use trusted. But I thought that they could get a more restricted rule.

I’m adding pics of my application and the global rules.

Maybe there is something I did not see.

I’m really at the end of my knowledge.

[attachment deleted by admin]