Trouble firewalling cabled network

Hi

I’m having trouble firewalling a cable networked system - 2 computers, 1 running XP Pro, the other XP Home. XP Pro is the host machine and I have been connecting to the internet through a USB modem connected to that machine using ICS, also printer sharing.

Both machines now have Comodo installed as I understand without a router two firewalls are required.

I have no problem using the host machine and the internet with Comodo running, however, try as I might I cannot seem to get the client machine connected. I have read the FAQs and advice on setting up rules to no avail, just confused now. I note a post dated 14/12/06 by Firemaner with a similar problem but since the poster hasn’t yet replied to you I thought I’d ask.

Thanks

cc

Greetings, c2 and welcome to the forums (:WAV)

Okay, so you know your host machine is working fine with CPF. Just a question, but do you know that your ICS is setup and working fine (firewalls aside)? For testing purposes, if you turn off CPF, or change its mode to “Allow All” can your client machine connect to the internet?

Next, some basic questions (you may have already done this when you’ve gone thru the FAQs, so no offense):

When you installed CPF (both machines), did you choose Automatic (as opposed to Manual/Advanced)?
Have you modified any of the six CPF-created default Network Rules? (both machines)
Have you run the Network Wizard (Security/Tasks/Define a New Trusted Network - lower left)? (both machines) (this will add two more Network rules, which should be in positions #0 and #1).
And finally, have you run the Application Wizard (Security/Tasks/Scan for Known Applications - lower right)? (both machines)

Now, what specifically happens when you try to access the internet on the client? Any error messages, symptoms, etc? (either machine)
In CPF (on both machines) what do you see in the Activity Logs?

That should start us off.

LM

Thanks for the reply. I tried the system with CPF turned off (just the Windows firewall operating on both machines) and everything works fine, access to shared printer and Internet.

On installation in both cases the Automatic option was chosen.

None of the initial rules have been modified they were as follows:-

0=Allow - TCP/UDP out, Any,Any,Source Port Any destination Port Any
1=Allow - ICMP out,Any,Any,ICMP Message is Echo Required
2=Allow - ICMP in,Any,Any,ICMP Message is Fragmentation Needed
3=Allow - ICMP in,Any,Any,ICMP is Time Exceeded
4=Allow - IP out,Any,Any,IPPROTO is GRE
5=Block/Log - IP in/out,Any,Any,IPPROTO

I have run the application wizard on both machines.

Host machine has an IP of 192.168.0.1 Subnet mask of 255.255.255.0 with a note saying Manually Configured.
Client machine has an IP of 169.254.6.78, Subnet mask of 255.255.0.0, with a note saying Automatic private address.
I have run the Network Wizard with the following result:-

The wizard only “sees” its own IP address and has added two rules in position 0 and 1
0 is now Allow - IP out Any,Zone (Host) 192.168.0.0 to 192.168.0.255,IPProto is any
1 is now Allow - IP in and the reverse of the above but with the same IP spread.

The client machine wizard “sees” both IP addresses and I’ve added the host address as the trusted zone with the alteration to rule 0 and 1 as above.

The log of the host machine doesn’t seem to show any activity connected to this network (going by time tried to access) whilst the client machine has various entries relating to the host IP address e.g.
Network Monitor Inbound Policy Violation (Access denied IP (192.168.0.122 Port = nbname(137))
Network Monitor Outbound Policy Violation (Access Denied IP 192.168.0.1 Port 2869
Network Monitor Outbound Policy Violation (Access denied, Protocol =IGMP)

Sorry that’s so long winded, hope it all means something.

Thanks again

cc

If you highlight those alerts (one at a time) and look down at the bottom, to the “detail” box, what’s the network rule that’s associated with this block? It should have the rule ID. Give the complete details on the Inbound and first Outbound Violation (I’m not concerned about the IGMP at this point; I don’t think it’s part of the problem).

It looks like we’ll need to create a new rule, or adjust the current, in order to keep from stopping the communication between the computers.

LM

Hi and thanks

I’ve tried disabling and enabling the network connection, one at a time on each machine and the only activity I now get is the IGMP one. On the host machine, when the network is re-enabled I get:-

Outbound Policy Violation (Access denied, protocol=IGMP)
Details:-

IGMP outgoing
Source 192.168.0.1
Destination 224.0.0.22
Rule ID = 7

On the client machine:-
Outbound Policy Violation (Access denied, protocol=IGMP)
Details:-

IGMP outgoing
Source 169.254.6.78
Destination 224.0.0.22
Rule ID = 7

The activity on the client machine mentioned previously was:-

Inbound Policy Violation (Access denied IP 192.168.0.22 Port nbname(139)
Details:-
Protocol UDP Incoming
Source 192.168.0.1:nbname(137)
Destination 192.168.0.122:nbname(137)
Rule ID = 6

and

Outbound Policy Violation (Access Denied IP 192.168.0.1 Port = 2869
Protocol TCP Outgoing
Source 192.168.0.122:1307
Destination 192.168.0.122:2869
TCP Flags SYN
Rule ID = 5

Thanks again

Hi again

Thanks for your help so far but I’ll be away from my machine now until 28th December so won’t be able to respond to any posts. Wishing you all the best and thanks again.

cc

No problem.

When you return, here are a couple of questions for you.

What are Rule ID 6 & 5, that are blocking the incoming and outgoing, respectively? The IPs there look like they’re router & computer related (internal network IPs, not external); in this case, between your modem and computer. If you go to Start/Run and type in “cmd”, then when the DOS window opens, type “ipconfig /all” at the prompt; does it show you any of those IPs?

The IGMP is multicasting. A number of apps use it, such as Messenger, and I think some audio/video transfer files. If it’s happening without you intending it to, or doesn’t seem in conjunction with a specific program, you can continue to let it be blocked. If you do not use Messenger, it may be the culprit, and you can always disable it, thus stopping the multicast protocol. I do not think that your ICS will be using multicast as part of the connection sharing.

Presuming you’re gone with the holidays, here’s wishing you the absolute greatest!

LM

Hi,

sorry to interfere, but I think I’m experiencing the same problem over here. My setup is as follows:
ISP cable modem, host computer with 2 network adapters (1 for ISP the other for LAN), client computer inside the LAN connects through the host computer to the internet. The host computer is running Windows XP with Internet Connection Sharing enabled and Comodo Firewall; the client computer is running both Windows XP with Sygate Personal Firewall and Ubuntu Linux.

This setup was working without problems before I was running Comodo Firewall on the host computer (I was using Sygate too), but after I switched, I couldn’t access the internet from within the LAN anymore.

I noticed that if I switch the security level in CPF to allow all, when the client computer requests an IP address, the DHCP process works and afterwards if I switch the security level back to custom the internet access will still be available on the client computer, even after reboot.

I turned on logging for TCP/UDP Out and I noticed the same messages as the user above, regarding IGMP: here is how it looks

Date/Time :2006-12-26 07:21:03 Severity :Medium Reporter :Network Monitor Description: Outbound Policy Violation (Access Denied, Protocol = IGMP) Protocol:IGMP Outgoing Source: 192.168.0.1 Destination: 224.0.0.22 Reason: Network Control Rule ID = 13

I also have a similar Outbound Policy Violation log entry involving my public IP address and another Inbound Policy Violation originating from my ISP gateway: all have the same Reason: Network Control Rule ID = 13.

LATER EDIT

It appears I found a fix for my problem! I did a little reading about the whereabouts of IGMP and it turned out it lurks on port 2. So what I did was to add the following rule to Network monitor

ALLOW TCP OUT FROM IP 192.168.0.1 TO IP RANGE: 192.168.255.255 WHERE SOURCE PORT IS 2 AND DESTINATION PORT IS [ Any ]
and packets started to move on my LAN client computer. I noticed that Comodo enacts its rules in a sequential manner and, since the rule was not activating when I placed it above the lowest Block rule in the list, I decided to move it on top of every other rule (do tell if this is not a good decision - I figured it was because these ip ranges only belong to private networks and my contact to the outside world is through a public network). I used only one IP address in the FROM field because the ICS gateway is always 192.168.0.1 - also, an IP range could be used

Okay, so the ICS uses multicasting as part of its connectivity. Good to know. You are correct in placing that new rule above the bottom block rule; otherwise it won’t work. ;D

CPF reads/filters thru the rules from the top downwards; it won’t stop until it hits something that forces it to. That bottom block rule would do just that; it’s there to keep all the bad things out.

LM
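To make the top-down, first-match behaviour LM describes concrete, here is an added example (my own code, not anything from Comodo or from the posters) that walks the rule list quoted earlier in the thread, with the two Network Wizard zone rules at #0 and #1, against the host's logged IGMP packet. It assumes IGMP is matched by IP protocol number (it is protocol 2, not a TCP/UDP port) and uses an "Allow IGMP out to 224.0.0.0/4" rule of my own formulation, not the poster's rule, to show why placement relative to the bottom Block rule decides the outcome.

```python
# Added example: first-match evaluation of CPF-style Network Monitor rules.
# Rule list and packet values come from the posts above; evaluator is my own.
from ipaddress import ip_address, ip_network
from typing import NamedTuple

class Rule(NamedTuple):
    action: str      # "Allow" or "Block"
    direction: str   # "in", "out" or "in/out"
    proto: str       # "TCP/UDP", "ICMP", "IGMP", "GRE" or "IP" (= any protocol)
    src: str         # CIDR the source must fall in; 0.0.0.0/0 means Any
    dst: str         # CIDR the destination must fall in

class Packet(NamedTuple):
    direction: str
    proto: str       # IGMP is IP protocol number 2; it has no port, so match on protocol
    src: str
    dst: str

def matches(rule: Rule, pkt: Packet) -> bool:
    # ICMP message types are not modelled; they do not affect the IGMP case here
    if rule.direction != "in/out" and rule.direction != pkt.direction:
        return False
    if rule.proto != "IP" and pkt.proto not in rule.proto.split("/"):
        return False
    return (ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst))

def first_match(rules, pkt):
    """Walk the list top-down like CPF and stop at the first hit: (rule ID, action)."""
    for rule_id, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule_id, rule.action
    return None

ANY, ZONE = "0.0.0.0/0", "192.168.0.0/24"   # ZONE = the wizard's trusted zone
# Wizard rules at #0/#1 push the six defaults down, so the catch-all Block is #7
RULES = [
    Rule("Allow", "out", "IP", ANY, ZONE),        # 0: IP out to trusted zone
    Rule("Allow", "in", "IP", ZONE, ANY),         # 1: IP in from trusted zone
    Rule("Allow", "out", "TCP/UDP", ANY, ANY),    # 2
    Rule("Allow", "out", "ICMP", ANY, ANY),       # 3: echo request
    Rule("Allow", "in", "ICMP", ANY, ANY),        # 4: fragmentation needed
    Rule("Allow", "in", "ICMP", ANY, ANY),        # 5: time exceeded
    Rule("Allow", "out", "GRE", ANY, ANY),        # 6
    Rule("Block", "in/out", "IP", ANY, ANY),      # 7: bottom catch-all (the Rule ID = 7 in the log)
]
IGMP_REPORT = Packet("out", "IGMP", "192.168.0.1", "224.0.0.22")  # host's logged packet
# Hypothetical fix (my formulation): 224.0.0.22 is outside ZONE, so rule 0 never matches it
IGMP_ALLOW = Rule("Allow", "out", "IGMP", ANY, "224.0.0.0/4")

def with_rule_at(rules, rule, position):
    return rules[:position] + [rule] + rules[position:]
```

Placing `IGMP_ALLOW` at position 7 (above the Block) yields `(7, 'Allow')`; appending it at position 8 leaves `(7, 'Block')`, because the catch-all is hit first and the new rule is never reached.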