Problems with incoming connections.

Hi All,

First, sorry for the long detailed post, but I hope I put down enough info for someone to have a good idea!!!

I’m having problems with incoming Remote Desktop and VNC connections when CFW is running.
It almost seems like all incoming connections are blocked.
I disabled CFW and Remote Desktop worked. I haven’t been able to try VNC yet with CFW Off.
Next I tried to uninstall and reinstall CFW, with no improvement.

I’m using XP SP2 with all updates and CFW 3.0.16.295.

I’m using Secure Shell (SSH) to tunnel the connections. My router is the SSH server so basically the TCP packets arriving at the Remote Desktop server (my PC) have the IP source address of the router, with the IP destination address of the PC. (I also used the SSH connection when CFW was disabled and Remote Desktop worked.)

When CFW is running I can see the incoming packets with Wireshark. The source address, destination address and ports all look correct, but there are no replies, and no entries at all in the Firewall Events Log. So if CFW is blocking the incoming packets it’s not generating any log entries. I’ve also tried setting the Alert Settings slider to ‘Very High’ and still no log entries.

Here are the CFW global rules I’m using:

  • Allow IP In from Home Network to any address, any IP protocol.
  • Allow IP Out from any address to Home Network, any IP protocol.
  • Block ICMP In from any address to any address, Icmp Echo Request.

(Home network is defined as the subnet: 192.168.131.0/255.255.255.0)
(Router address is 192.168.131.254)
(PC address is 192.168.131.10)

Application Rules for svchost.exe are:

  • Allow IP Out from any address to any address, any IP protocol.
  • Allow TCP or UDP in from Home Network to any address, any source port,
    destination port 3389.

I read another post from November 07 about problems with Remote Desktop. Some forum members had success moving svchost up in the app rules list, so I tried that as well. I’ve also tried other settings, all ports, everything allowed… No luck!

What I’ve been describing is an attempt to connect to my home computer from work.

I also have CFW installed on the work computer. I connect to the work network over a Cisco VPN, and am able to use Remote Desktop to control the work computer. I tried copying the CFW rules from the work computer (global, services and svchost) to the home computer, so the rules and their order in the list are identical. But even with identical rules the work-to-home connection still doesn’t function.

I’ve tried everything I can think of except installing OpenSSH on the PC, or getting another firewall. I was using ZoneAlarm Internet Security Suite with W2K, but CFW is much lighter on resources. I really like the control it provides with the HIPS component. I’d hate to go back to ZA!

I’m looking forward to your replies.

Thanks in advance!

Frank


An Update…

I just tried enabling the Telnet server on my PC and connecting to it using the Telnet client in the router. Same results as with Remote Desktop. No connection possible, no matter what the Firewall Global or Application rules are set to. Once I disable the firewall by setting the slider to ‘Disable’ the connection goes through immediately.

So it looks like CFW is blocking all incoming connections, with no logs at all.

Frank

Hi.

Hope someone can help!

All incoming connections are blocked. Ping works, but no applications.
Outgoing connections work OK.
If I set the Firewall Security Level slider to ‘disabled’ then incoming connections work.
Any other setting and all incoming connections are blocked.

Using XP with all updates, CFW 3.0.16.295
Didn’t try incoming connections with the earlier release.

Global Rules:

  • Allow IP In from Home Network to Any, Protocol Any.
  • Allow IP Out from Any to Home Network, Protocol Any
  • Block ICMP In from IP Any to IP Any where ICMP message is ECHO REQUEST

Sample Application rule for Telnet (tlntsvr.exe)

  • Allow IP In from Any to Any, Protocol Any.

Nothing shows up in the Firewall Event Log either.

I’ve uninstalled and reinstalled twice and I was very careful to answer the installation question about needing incoming connections with a YES!

This is a new install of XP. No other firewall products have been installed prior to CFW.

Does anyone have any suggestions on what to try, or what I may have overlooked?
I’d be especially interested if there is any debug information that can be obtained.
Should I file a bug report? Unfortunately I don’t know how to reproduce this. I have CFW on a work computer as well and incoming connections work great!

Note: I made a post about this issue last night, but didn’t realize that ALL incoming connections were blocked at the time.

Thanks in advance.

Frank

Add a block and log all in at the end of your global rules to see what is happening there. Are you using a router?

sded,

Thanks for the reply!

I added a block and log rule to the end of the global rules.
There were no log entries for my incoming traffic.

I am using a router, but it shouldn’t affect the tests.
Here is the test set up:

  • Telnet server is running on the PC.
  • I open a telnet connection from the PC to the router, which runs dd-wrt,
    a third-party Linux-based package.
  • The router firmware includes a telnet client which I use to attempt a connection back to the PC.

The connection attempt fails, and no logs are generated.
If I disable the firewall then the router to PC telnet connection succeeds and I get a logon prompt.

Adding logging is a good suggestion!

But the block all rule stops outbound traffic. So I added a rule to allow and log all outbound traffic. I then checked the Log check box on all global rules in an attempt to log everything passing through the FW.
The results are not consistent. Only allowed UDP traffic and blocked traffic is showing up in the logs. Outbound TCP connections never show up. I know the rule is working because if I delete it the outbound connection is blocked. This makes it really difficult to troubleshoot a problem. I noticed the same behavior on CFW at work.

Frank

I actually suggested a “block and log all IN” so we could see if any inbound connection requests were being blocked by CFP. Checking the log in the two allow rules also does not show any inbound connection requests? I know that logging all outbound doesn’t work, so there may be some other logging issues. Under “view active connections”, do you show your telnet server listening on port 23? If not, add the telnet server rule under the “Windows Operating System” application. Do you have a copy of WallWatcher so you can look at the router traffic with the NIC?

sded,

OK, another clean install.
(I reinstalled ZoneAlarm after uninstalling CFW just to make sure that incoming connections work with ZA and they do.)

After the CFW install I added Block and log all incoming IP so the global rules look like:

  • Allow All Outgoing Requests if Target is in [Home Network]
  • Allow All Incoming Requests if Sender is in [Home Network]
  • Block and Log IP from IP Any to IP Any where protocol is Any
  • Block ICMP In from IP Any to IP Any where ICMP Message is Echo Request.

Added Telnet server to the Application Rules and declared it a ‘Trusted Application’.
Telnet server (tlntsvr.exe) is shown listening on port 23 under Active Connections.

I don’t have Wallwatcher, but used Wireshark to capture the packets on the PC.
(Capture of incoming Telnet packet is attached.)
Attempted local network telnet connection to PC. No response. Checked the View Firewall Events and it was empty.
Wireshark showed incoming packet to port 23 but no outgoing reply, so the PC is receiving the packet.
Disabled the Firewall and attempted Telnet Connection and it worked.
Re-enabled the Firewall.
Tried to ping PC and it worked with Firewall enabled. (It always has.)

This may be a little more interesting…
Next I moved the Incoming Requests Global Rule to the bottom of the list, effectively removing incoming permission for [Home Network].
Telnet in still doesn’t work.
Now Ping doesn’t work either.
Looked at firewall log:
Log shows Blocked ICMP 192.168.131.250 to 192.168.131.10 but no record for blocked telnet attempt.

So: incoming ICMP works as desired. It passes through when enabled, and is blocked and logged when disabled. Incoming TCP is never allowed through and never logged when blocked.

I may take the PC (it’s a notebook) to work and try it there to see if there is any difference since incoming TCP works fine with CFW on the work machine.

Thanks for the help!!!

Frank

[attachment deleted by admin]

I took the PC to work. Incoming packets work just fine.
Was able to connect to the PC using Telnet and Remote Desktop.
When Global Rules were adjusted to block and log all incoming packets, TCP packets were logged.

So it appears that there is something about the packets being received on the home network that causes CFW to just drop them.

Wireshark captures of an incoming telnet packet show different TCP flags set.
Note that the packet that fails has the ECN and CWR flags set as well as additional parameters.

From work network - this one works:

No. Time Source Destination Protocol Info
10 3.478790 192.168.0.235 192.168.0.79 TCP zion-lm > telnet [SYN] Seq=0 Win=16384 Len=0 MSS=1460

From home network - this one fails:

No. Time Source Destination Protocol Info
15 5.539924 192.168.131.250 192.168.131.10 TCP 4526 > telnet [SYN, ECN, CWR] Seq=0 Win=5840 Len=0 MSS=1460 TSV=253940499 TSER=0 WS=0

I don’t have any idea how to change what the router sends. Since the router firmware (dd-wrt) is quite popular, and is a Linux derivative, I assume others will eventually have the same problem.

I’m assuming that filing a bug report would be the next best step unless someone has a suggestion.

Thanks,
Frank
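The flag difference Frank points to above, as an added example that is not part of the thread and not Comodo's code: a small TCP header decoder that prints the flag byte the way Wireshark does, beside a strict "flags == SYN" connection-request test and the masked test RFC 3168 calls for. The two segments are constructed to mirror the work and home captures (ports, window and MSS taken from the post; sequence numbers and checksum are zero); whether CFW really uses a strict flag comparison is not established on the page, the example only shows why an ECN-setup SYN is still a valid connection request.

```python
import struct

# TCP flag bits (RFC 793 control bits plus the ECN bits from RFC 3168)
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80
FLAG_NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH",
              ACK: "ACK", URG: "URG", ECE: "ECN", CWR: "CWR"}  # Wireshark prints ECE as "ECN"

def build_syn(src_port, dst_port, flags, window, mss=1460):
    """Constructed 24-byte TCP header: 20-byte base plus an MSS option, checksum left zero."""
    data_offset = 6  # header length in 32-bit words (24 bytes)
    base = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                       data_offset << 4, flags, window, 0, 0)
    return base + struct.pack("!BBH", 2, 4, mss)  # option kind 2 = MSS, length 4

def parse_tcp(segment):
    """Decode the fixed TCP header and name the set flags in Wireshark order."""
    src, dst, _seq, _ack, off, flags, win, _csum, _urg = struct.unpack("!HHIIBBHHH", segment[:20])
    names = [FLAG_NAMES[bit] for bit in sorted(FLAG_NAMES) if flags & bit]
    return {"src": src, "dst": dst, "flags": flags, "names": names,
            "win": win, "hdr_len": (off >> 4) * 4}

def is_connection_request_strict(flags):
    """Buggy check: demands the flag byte equal SYN exactly, so a SYN that also
    carries ECE+CWR (an ECN-setup SYN) is not recognised as a new connection."""
    return flags == SYN

def is_connection_request(flags):
    """Correct check: only the bits that define a SYN matter; ECE/CWR are
    masked out, as RFC 3168 section 6.1.1 requires of middleboxes."""
    return flags & (SYN | ACK | RST | FIN) == SYN

# Constructed samples modelled on the two captures quoted in the post
work_syn = build_syn(1034, 23, SYN, 16384)             # plain SYN, accepted
home_syn = build_syn(4526, 23, SYN | ECE | CWR, 5840)  # ECN-setup SYN, silently dropped

if __name__ == "__main__":
    for label, seg in (("work", work_syn), ("home", home_syn)):
        info = parse_tcp(seg)
        print(label, info["names"],
              "strict:", is_connection_request_strict(info["flags"]),
              "masked:", is_connection_request(info["flags"]))
```

A filter that only accepts the strict form will drop the dd-wrt SYN without ever matching a port-based allow or block rule, which is consistent with the empty event log described above.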