"Stealth Ports Wizard's" Global Network Rules Creation

I have a question regarding the three configuration options in the Stealth Ports Wizard. I understand that each setting type will create its own distinct set of rules in the “Global Rules” section of the Network Security Policy. What I can’t grasp is the accordance of each set of rules with their corresponding configuration.

The third configuration - Block all incoming connections stealth my ports to everyone - will insert a “block all” rule, as it should. I gather that. But, the other two rules should, if I infer correctly, create an “ask” rule for every incoming connection: All incoming connections from outside the trusted network for “Define a trusted network stealth my ports to everyone else”; every single incoming connection for “Alert me to incoming connections stealth my ports on a per-case basis”, which they don’t. Why is that so?

Can anyone explain?

?

Anyone?

I’m not a Network expert, but here is my take on this.
Option 2, Stealth my Ports on a Per case Basis will stealth your ports, but open specific ports when an application requires it open. You are still required to confirm an initial alert to allow the program access through the firewall, though.

If there is no matching block rule, it will result in an alert, so you won’t “see” the ask rule, but it’s built into the software. So it’s there, but you just don’t see it.

What would be the difference between the in-built “ask” rule and a user created “ask” rule? If I have no global rules, would the in-built “ask” work as a default-deny policy?

I guess it is the ICMP rules that stealth my ports, right?

Normally there should not be a difference between a user ask rule and a built-in one. The only exception I know is the “Windows Operating System” entry: for traffic that has no application listening, it’s up to Windows how to handle these packets. As far as I know, those set to ask will be permitted; the rest should prompt.

And no, the stealth ICMP rules only block ICMP protocol packets, so they won’t block TCP or UDP packets.

See them as 3 different languages; you need to understand all 3 to know what they are saying.

ICMP is basically created for troubleshooting/diagnostics reasons.

TCP is a connection-oriented protocol that knows if the packet it sent was received by the other party.

UDP is connectionless and sort of fire-and-forget; it does not care if it was ever received by the other host/party. Thus it has less overhead, making it quicker to send data but also less reliable.

All 3 need their own “stealth”, and as they are part of the IP group, creating a rule with IP in it will handle all 3 protocols.

So if I receive a connection from an IP on the TCP protocol and I choose not to respond to the connection, the sending host would only know of the failed establishment, but not the reason (handled by the ICMP protocol) for it.
I am guessing that the ICMP packet would send a reply with the reason for the failure, thus revealing my presence. If no ICMP reply is sent, it would mean that the host cannot identify the problem and would assume that the PC existing on that particular IP is offline. Am I right?

Am I right in assuming that those are reasons for the “global” ICMP rules to stealth ports?

It works a bit differently.

For TCP connections the host connecting to you will start a so-called 3-way handshake: it will send you a Synchronize request (SYN), and if the firewall blocks this request it won’t respond at all.

  • Normally your system would have responded with a SYN ACK, triggering the remote host to send an ACK and finish the 3-way handshake.

  • On a non-listening port your OS would send a TCP RST (Reset) packet, telling the remote host that there is nothing listening on the chosen port.

So not responding at all is called “stealth” because the remote host does not know if you are alive and blocking or not even there. But to make this guess work you have to be totally stealth: one single packet that gets triggered to respond back to the remote host will tell him that you’re firewalled because of the received traffic.

For a UDP connection, ICMP handles the error messages. If a host tries to connect to your system on a port that is not listening, the ICMP protocol will send a type 3 code 3 message, telling the remote host “destination unreachable, port unreachable”, which also tells the remote host that your system is alive = not stealth.

You can find a complete list of ICMP messages here:
http://www.iana.org/assignments/icmp-parameters
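As an added example (not code from this thread and not COMODO’s own logic), the following Python simulates what a host sends back to an unsolicited probe, first with no firewall and then behind a block-all policy with a few allowed ports. The reply strings follow the behaviour described above: open TCP port gives SYN/ACK, closed TCP port gives RST, closed UDP port gives ICMP type 3 code 3, and a stealthed host sends nothing at all. The listening sockets and port numbers are constructed for the example.

```python
# Added example, not from the forum thread or from COMODO: simulates the
# replies an unsolicited probe gets from a host with and without a stealth
# firewall. Listening sockets and port numbers below are constructed.
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

@dataclass(frozen=True)
class Probe:
    proto: str        # "tcp" or "udp"
    dst_port: int
    flags: str = ""   # TCP flags as letters, "S" for a plain SYN, "A" for a bare ACK

# Constructed set of (protocol, port) sockets the OS has listening.
LISTENING: Set[Tuple[str, int]] = {("tcp", 80), ("udp", 53)}

def host_reply(probe: Probe) -> Optional[str]:
    """What the OS itself answers when no firewall sits in front of it.
    None means the stack stays silent."""
    if probe.proto == "tcp":
        if probe.flags != "S":
            # A bare ACK (or any non-SYN) with no session behind it gets a reset.
            return "RST"
        if ("tcp", probe.dst_port) in LISTENING:
            return "SYN/ACK"   # step 2 of the 3-way handshake: port is open
        return "RST"           # closed port: "nothing listening here"
    if probe.proto == "udp":
        if ("udp", probe.dst_port) in LISTENING:
            # The datagram is handed to the application; the stack itself sends
            # no error, so whether anything comes back is up to that application.
            return None
        return "ICMP type 3 code 3 (destination unreachable, port unreachable)"
    return None

def stealth_reply(probe: Probe, allowed: Set[Tuple[str, int]]) -> Optional[str]:
    """Same host behind a firewall that only admits the (proto, port) pairs in
    `allowed` and silently drops everything else: no RST, no ICMP, no SYN/ACK."""
    if (probe.proto, probe.dst_port) in allowed:
        return host_reply(probe)
    return None   # nothing leaves the host, so the prober cannot tell alive from absent

def reveals_host(reply: Optional[str]) -> bool:
    """Any packet at all sent back proves a machine exists at that address."""
    return reply is not None

def leaked_replies(probes: List[Probe], allowed: Set[Tuple[str, int]]) -> List[Tuple[Probe, str]]:
    """Run probes against the stealthed host and return only the replies that leak."""
    leaks = []
    for p in probes:
        reply = stealth_reply(p, allowed)
        if reveals_host(reply):
            leaks.append((p, reply))
    return leaks

if __name__ == "__main__":
    probes = [Probe("tcp", 80, "S"), Probe("tcp", 8080, "S"),
              Probe("udp", 9), Probe("tcp", 22, "A")]
    for p in probes:
        print(p, "| no firewall:", host_reply(p),
              "| stealthed:", stealth_reply(p, {("tcp", 80)}))
```

Running it shows the point of the post: without a firewall every probe gets some answer (SYN/ACK, RST or an ICMP unreachable), and each of those answers tells the sender that a host is there. Behind the stealth policy only the explicitly allowed port answers; everything else is dropped without any packet leaving the machine.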

Normally, when I receive alerts for new TCP connections, what are they: three-way handshake initiations, or the first packet sent as the beginning of data transfer after the three-way handshake? If it is the second, then, since the three-way handshake would have already taken place, the sending host must know that I am online. In which case, blocking the packet would be of no use because, though the data sent would be blocked, the host will be able to “see” me.


I had read about the ICMP messages on Wikipedia. The article has a list of 17 or 18 messages.

So I probably can assume that those ICMP rules are explicitly for UDP connections. Does it also mean that COMODO firewall is not capable of hiding the system in case of TCP packets? Because, to do that, rules for blocking “acknowledgment” responses (SYN ACK) and “diagnosis” responses (TCP RST) would be required.

The firewall alerts for everything that is not in the state table. If it was a normal connection that would be a normal TCP SYN packet, but if I were to craft a packet it would also alert, because the firewall does not know which session it belongs to. So all TCP requests that are not explicitly handled and put on the state table are alerted. If you wait till the timeout expires for the alert there won’t be any response going back from your host to the attacker; if you block it, the same. So you’re stealth.


The ICMP rules are a combination of real ICMP rules (mask request, timestamp request) and error control (the unreachables). CIS can give you complete stealth for all.

Can you explain what a “state table” is?

Nonetheless, you have cleared my main doubt. Now I have to research some more and gather as much information as I can to gain a clearer understanding of the subject.

Basically, a mechanism that the firewall uses to keep track of existing connections.
It builds a table of src ip, src port, dst ip, dst port to keep track of the state of that specific session.

See also Stateful firewall - Wikipedia

If you like to know more, feel free to ask.
Also playing around with a Packet sniffer like Wireshark can give a good understanding of what’s happening on a network.
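The following is an added example (not the forum’s or COMODO’s code) of the state table described in the two answers above: a minimal stateful filter keyed on (local ip, local port, remote ip, remote port) that passes packets belonging to a tracked session and raises an alert for anything else, so a plain inbound SYN and a crafted ACK with no handshake behind it both end up as alerts. The addresses, ports and the simplified state names are constructed for the example.

```python
# Added example, not from the thread or from COMODO: a toy stateful packet
# filter keeping a src ip / src port / dst ip / dst port table. Addresses,
# ports and the reduced set of TCP states are constructed for illustration.
from dataclasses import dataclass
from typing import Dict, List, Tuple

LOCAL_IP = "192.0.2.10"   # constructed address of the protected host

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str   # TCP flags as letters: "S" SYN, "SA" SYN/ACK, "A" ACK, "R" RST

Key = Tuple[str, int, str, int]

class StateTable:
    """Tracks sessions as (local ip, local port, remote ip, remote port) -> state."""

    def __init__(self) -> None:
        self.sessions: Dict[Key, str] = {}

    @staticmethod
    def key(pkt: Packet) -> Key:
        # Both directions of one session map to the same entry.
        if pkt.src_ip == LOCAL_IP:
            return (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)

    def handle(self, pkt: Packet) -> str:
        """Return 'allow' for packets of a tracked (or locally opened) session,
        'alert' for any inbound packet the table knows nothing about."""
        k = self.key(pkt)
        state = self.sessions.get(k)
        if pkt.src_ip == LOCAL_IP:
            if state is None and pkt.flags == "S":
                self.sessions[k] = "SYN_SENT"   # we opened it: remember it
            return "allow"                      # outbound traffic is not the topic here
        if state is None:
            # Unsolicited: a genuine SYN and a crafted bare ACK look alike to the table.
            return "alert"
        if state == "SYN_SENT" and pkt.flags == "SA":
            self.sessions[k] = "ESTABLISHED"    # our outbound handshake completed
        elif state == "SYN_RECV" and pkt.flags == "A":
            self.sessions[k] = "ESTABLISHED"    # the accepted inbound handshake completed
        elif pkt.flags == "R":
            del self.sessions[k]                # a reset tears the session down
        return "allow"

    def accept_inbound(self, syn: Packet) -> None:
        """What happens when the user answers an alert for an inbound SYN with Allow."""
        self.sessions[self.key(syn)] = "SYN_RECV"

def run_trace(table: StateTable, packets: List[Packet]) -> List[str]:
    """Feed a constructed packet trace through the table and collect the verdicts."""
    return [table.handle(p) for p in packets]

if __name__ == "__main__":
    remote = "198.51.100.7"   # constructed remote address
    t = StateTable()
    trace = [
        Packet(LOCAL_IP, 50000, remote, 443, "S"),    # we connect out
        Packet(remote, 443, LOCAL_IP, 50000, "SA"),   # reply belongs to that session
        Packet(remote, 443, LOCAL_IP, 50001, "A"),    # crafted ACK, no session -> alert
        Packet(remote, 40000, LOCAL_IP, 80, "S"),     # new inbound SYN -> alert
    ]
    for p, verdict in zip(trace, run_trace(t, trace)):
        print(verdict, p)
```

Feeding the constructed trace through `run_trace` gives allow, allow, alert, alert: the outbound connection and its SYN/ACK reply are in the table, while the crafted ACK and the new inbound SYN are not, which is exactly why the earlier answer says both cases produce an alert. If no packet is sent back while the alert waits or after it is blocked, the probing host learns nothing.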

Thanks for the help and the links. I’ll come back with more questions once I am done reading.

This one is also fun to watch:
http://www.warriorsofthe.net/