Understand Protocols and Communication rules for Beginners

As this is a highly focussed series of questions and answers, I would ask other forum users not to post in this topic yet, until we have reached a logical conclusion. I ask this not to exclude other users, but to hopefully eliminate confusion and remain focussed on the original questions asked. Thanks in advance


To Panic

This is the second and final chapter to comprehend the basic usage of protocols and ports during rule creation in “Application rules” and in “Global Rules” in the CIS Firewall. This topic is Rules and Ports Specific. It should help beginners (and myself) understand the logic behind a rule creation (and communication) and avoid creating generic rules such as: Allow | TCP/UDP | In/Out | Source Address: Any | Destination Address: Any | Source Port: Any | Destination Port: Any


To follow this thread, a good understanding of the CIS user manual is required. So, if you did not read it, do it now; it will help you understand the technical definitions and the CIS setting configurations we will not explain here.


Intro:

There are plenty of web definitions about UDP/TCP/IP and ports. They are linear and technical, and they do not help much when you want to create a rule in the CIS firewall. So basically, the questions I attempt to answer here are: What is What - a service, a software, a zone; What needs What - UDP, TCP, IP; and What does What - send on port/receive on port.

As the title mentions, this topic is generic. There are already many threads explaining rule sets for a given application on this board. Yes, I can read them; yes, I can copy the correct rule set into my firewall Application rules when I follow the threads; but do I understand the rules? No, I do not, or only very imperfectly. So that is what it is all about: to understand what you are going to read elsewhere on the COMODO board, and to understand what rule you are going to create for yourself using the Firewall.


Let’s ask the first question (Applications, Services and Pizza Delivery):

What needs to communicate in my computer? Sure enough, when I use an application, it needs to connect from my PC to its server over the internet, to download an update for example. That’s clear. I can imagine that: if I am hungry, I go out, buy food, get home, eat. I am stuffed.

Where it gets less obvious is when an application communicates INSIDE of my computer? Why? What for? If I use the previous example: I am home, and I call myself to ask myself if I am fine?!? Gee! I never thought the applications inside my PC felt so lonely?

Now, we already know about the applications because most of the time we have to download them over the internet. But, hey, what about my desktop, for example? Is it an application of some sort? Does it have to communicate with another component at any level through the firewall? I guess not, but suddenly I am not too sure (see, we begin to think smart).

And finally, the services. But wait! What is a service in my PC? In real life a service is someone or something I request to do something for me against a fee: pizza delivery - a service that delivers food at my place, etc. So I guess a PC service is something that does something inside my computer - to help it? But hey! Wait again: if I press the keys WINDOWS + R on my keyboard and then type SERVICES.MSC in the small window, I get a huge list of services. That’s odd, their names sound like applications to me??? So is a Service ALSO an Application - like the applications in my Program Files folder? And does a service application communicate in the same manner as the applications I usually download over the internet? Wow! I suddenly feel very confused.

That’s it. This is the first step of our understanding. It is not even about protocols yet, communication direction, or port number. It is just to differentiate what is inside our beloved computer. So the next time you see System or svchost.exe, for example (what are these for?), you could say to yourself: I know who you are and I know what you do.

I took the liberty of using a humorous touch in my questions, but it is not too far from reality. Think of an average person (like me) trying to explain to himself the logic while looking at a firewall window. Even his best IT pal, when trying to help, will speak about IP stacks, datagram headers, etc. It might be way ahead of the target: simply to get the logic.

Now let’s hear an expert:

What is the local loopback and why do I need one?

The local loopback address (a standard reserved address of 127.0.0.1) is used whenever an application needs to access a service running on the same computer as itself.

The loopback address can be used to access local services, such as webservers, that are usually only accessed over a network and have no local interface. Additionally, most modern operating systems that implement TCP/IP regard the name “localhost” as being equivalent to 127.0.0.1.

In a nutshell, the local loopback provides a means of communications for multiple components running on the one PC. In the same way that your PC forms part of a network when you log in to the internet, internally, your PC runs its own little network between the different pieces of software running on it. This little internal network runs over the 127.0.0.1 network interface.

What are Windows services?

A Windows service is an application that is designed to perform specific functions or provide specific capabilities, and it is designed to operate without human intervention or management. As a rule, they will run as long as Windows is running and their operation is entirely transparent to the user.

Windows services do have some degree of user configurability, but this is mostly limited to whether it is loaded automatically with Windows or whether it is started on demand by another application or if the user needs to invoke it manually.

In a DOS sense (and that’s DOS as in Disk Operating System, not Denial Of Service ;)) they are like a TSR (Terminate and Stay Resident) application, which, when loaded into memory, continued to run in the background and can be invoked while other applications are running. There are also similarities, conceptually, to a Unix daemon.

Many services, but not all, show up in the PROCESSES list in TASK MANAGER, most often with a username of SYSTEM, LOCAL SERVICE or NETWORK SERVICE. Note that not all processes with the SYSTEM username are services. Services that do not show up in the PROCESSES list are generally run through svchost.exe as DLLs loaded into memory.

Internal Communication

Let’s go deeper with the loopback before moving on to the services.

In a nutshell, the local loopback provides a means of communications for multiple components running on the one PC.

In the same way that your PC forms part of a network when you log in to the internet, internally, your PC runs its own little network between the different pieces of software running on it.

This little internal network runs over the 127.0.0.1 network interface.

Could you give an example of the bold part in the last sentence? I understand my PC being part of the internet network. I use a Realtek Ethernet card - my network interface. When I connect to the internet I receive an IP address from my provider, e.g. 1234, and I can connect to other IP addresses over the internet, e.g. 2345 or 3456. My IP address is not related to my network interface since I use a dynamic address.

Do I have to understand the 127.0.0.1 network interface as a FIXED IP address? Then, it would be the address of my computer (acting as a server) to which X pieces of software connect using their own internal fixed address and port - as in a CIS application rule?

Edit 1: I won’t modify my posts even if, in the meantime the expert answers, I come to a new conclusion. However I will add any new relevant information as they come.

Edit 2: I have just faced a new alarm while launching an application (see: Pic1) - I currently do not have a Trusted loopback zone set in CIS. I guess that’s the requested example of internal communication :slight_smile:

I have also noted that the Alert setting Very High explains much more about a rule set than Medium:

SMPlayer Allow | TCP | Out | SA: Any | DA: Any | SP: Any | DP: Any - Alert setting Medium
SMPlayer Allow | TCP | Out | SA: Any | DA: Single IP 127.0.0.1 | SP: Any | DP: 2249 - Alert setting Very High

In this example the software, SMPlayer, is the client and contacts 127.0.0.1 (my own PC) on my PC’s port 2249.

Here are some questions:

  1. Do Inbound internal connections exist using 127.0.0.1 (or are they only Outbound)?
  2. Do internal connections always use exclusively the protocol TCP (I will not see a rule with UDP or IP)?
  3. Do Internal connections usually use random ports or fixed ones?

[attachment deleted by admin]

127.0.0.1 is a defined, recognized standard for a loopback address. Every PC has one and every PC uses the same address for its loopback address.

When I said “runs over the 127.0.0.1 network interface” I was not referring to a physical network interface, like the Realtek network card you mentioned. 127.0.0.1 is purely a LOGICAL (as opposed to physical) network interface.

Do I have to understand the 127.0.0.1 network interface as a FIXED IP address?

Yes, 127.0.0.1 is THE address of your local loopback. No other, only that one.

Then, it would be the address of my computer (acting as a server) to which X pieces of software connect using their own internal fixed address and port - as in a CIS application rule?

Firstly, there is only one local loopback address. Pieces of software are not allocated their own internal address and port. There is one address and one only.

It is the address of the internal network within your PC, regardless of whether it is acting as a server or not. PCs outside of your PC CANNOT CONTACT YOUR PC VIA THE 127.0.0.1 ADDRESS. This internal network cannot get out of your PC and contact anything else, nor can any external devices contact the local loopback network on your machine.

It is an internal network purely for internal, intra-applicaton communications. Nothing more, nothing less.

Don’t read too much into it.

On to your questions :

1. Do Inbound internal connections exist using 127.0.0.1 (or are they only Outbound)?

See above. The 127.0.0.1 address is ONLY for internal intra-application communications. It is impossible to receive an inbound request from another PC for that address. Packets with that address in it are dropped if they try to traverse the internet, in the same way that packets with private addresses in them are dropped. They are known as non-routable addresses.

2. Do internal connections always use exclusively the protocol TCP (I will not see a rule with UDP or IP)?

Internal communications, same as for external communications, can use whatever protocol is best suited or mandated by the connection. There is no hard and fast rule on this.

3. Do Internal connections usually use random ports or fixed ones?

They use fixed ports, as they are generally communicating with another, already running application which is listening on a specific port for requests. Example : Service A is running and listening on port 12345. Application B, which needs to send data via service A, must send the data to port 12345, otherwise service A would never hear the request.

Cheers,
Ewen :slight_smile:
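The fixed-port service and ephemeral-port client that Ewen describes (Service A listening on a known port, Application B sending to it) can be watched directly on the loopback interface. The Python script below is an added example, not code from this thread or from Comodo: it starts a throwaway "Service A" bound to 127.0.0.1 on a port the OS picks (a real service, like the one on port 2249 later in the thread, keeps a fixed port), connects an "Application B" to it, and reports the addresses and ports each side saw. The payload and the role names are constructed for the demonstration.

```python
import socket
import threading

LOOPBACK = "127.0.0.1"


def run_loopback_exchange(service_port: int = 0, payload: bytes = b"hello service") -> dict:
    """Run one internal TCP exchange over the loopback interface and return what
    both sides observed.

    service_port=0 asks the OS for any free port so the example runs anywhere;
    a real service (like the one listening on 2249 in the thread) keeps a fixed
    port precisely so that clients know where to send their requests.
    """
    # "Service A": bind to 127.0.0.1 only. A socket bound to the loopback
    # address cannot be reached from another machine: the 127.0.0.0/8 network
    # never leaves this host.
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    server.settimeout(5)
    server.bind((LOOPBACK, service_port))
    server.listen(1)
    bound_port = server.getsockname()[1]

    result = {"service_port": bound_port}

    def service_a():
        conn, peer = server.accept()  # peer = (client address, client SOURCE port)
        with conn:
            data = conn.recv(1024)
            result["service_saw_peer"] = peer
            result["service_received"] = data
            # The reply travels back on the same connection; a firewall treats
            # it as a response to the client's request, not as a new connection.
            conn.sendall(b"ack:" + data)
        server.close()

    worker = threading.Thread(target=service_a)
    worker.start()

    # "Application B": connect outward to the fixed destination port. It does
    # not pick its own source port; the OS assigns an ephemeral one, which is
    # what "S-P: Any" in an application rule leaves room for.
    client = socket.create_connection((LOOPBACK, bound_port), timeout=5)
    with client:
        result["client_source"] = client.getsockname()        # (127.0.0.1, ephemeral)
        result["client_destination"] = client.getpeername()   # (127.0.0.1, bound_port)
        client.sendall(payload)
        result["client_received"] = client.recv(1024)

    worker.join()
    return result


if __name__ == "__main__":
    for key, value in run_loopback_exchange().items():
        print(f"{key:20} {value!r}")
```

Running the script prints the two endpoints: the client's source port changes from run to run while the destination port is the one the service bound, which is exactly the asymmetry in an application rule that leaves the source port as Any and fixes the destination port. Both endpoints are 127.0.0.1, so a rule restricted to a single destination IP of 127.0.0.1 would cover this exchange and nothing leaving the machine.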

Your explanation is very clear. It is quite abstract, but I am almost there.

They are known as non-routable addresses
Can you define what a routable address is?
The 127.0.0.1 address is ONLY for internal intra-application communications. It is impossible to receive an inbound request from another PC for that address. It is the address of the internal network within your PC, regardless of whether it is acting as a server or not ... They use fixed ports, as they are generally communicating with another, already running application which is listening on a specific port for requests. Example : Service A is running and listening on port 12345. Application B, which needs to send data via service A, must send the data to port 12345, otherwise service A would never hear the request.

So my analogy between a local and a basic Internet communication - between a host and server, each of them with a different IP address - is somewhat incorrect. Does that mean (referring to your example) a local communication will always have the Source as the application or the service enabling the communication and 127.0.0.1 as the Destination, no matter if the target is another service or application?

Now, how can I understand* the local rule below, and will the Source Address always be Any?
SMPlayer Rule: Action: Allow | Proto: TCP | Dir: Out | S-A: Any | D-A: Single IP 127.0.0.1 | S-P: Any | D-P: 2249.

*in the sense: what is SMPlayer.exe doing?

A routable address is an IP address that does not fall into the category of non-routable. :wink:

Non-routable addresses are those that have been designated for private (LAN as opposed to internet) use. Examples of non-routable, private address ranges are 192.168.0.0 - 192.168.255.255, 172.16.0.0 - 172.16.31.255 and 10.0.0.0 - 10.255.255.255. If a packet from one of these addresses does manage to leak out onto the internet, the packet would be dropped by the first router it encounters outside its home network.

Does that mean (referring to your example) a local communication will always have the Source as the application or the service enabling the communication and 127.0.0.1 as the Destination,

The application requesting access (in this case “smplayer”) is attempting to send data to a specific port on the local loopback interface. What happens to the data from this point onwards is solely determined by whatever application is listening on that port on the local loopback interface.

no matter if the target is another service or application?

It can’t be anything but a service or application, so there is no “if” about it.

Now, how can I understand* the local rule below, and will the Source Address always be Any? SMPlayer Rule: Action: Allow | Proto: TCP | Dir: Out | S-A: Any | D-A: Single IP 127.0.0.1 | S-P: Any | D-P: 2249.

*in the sense: what is SMPlayer.exe doing?

In the case of an outbound rule, the source is always your PC. ANY, in this instance, isn’t really descriptive, but it actually means “MY PC”, or the PC running CIS.

In plain English and with the corresponding rule segments in RED, the above rule is saying “Let smplayer.exe (Action: Allow) send data outwards (Dir: Out), using TCP protocol (Proto: TCP), from whatever IP address is currently assigned to this PC (S-A: Any) to the address 127.0.0.1 (D-A: Single IP 127.0.0.1), specifically to port 2249 (D-P: 2249). I will choose what port I want to hear a response on (S-P: Any) and will tell 127.0.0.1 when I get in touch with it.”
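To make the difference between the generic rule and the specific loopback rule concrete, and to put the routable/non-routable distinction next to it, here is an added Python example (not code from the thread or from Comodo). It parses rules written in the pipe-separated notation used in this thread, matches them against constructed connection attempts, and classifies addresses as loopback, non-routable or routable using the standard library's `ipaddress` module rather than a hand-written range list. The port field is written `DP` here, since it is the destination port; first-match-wins evaluation with a default of Block is an assumption made for the example, not a statement about how CIS orders its rules.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Connection:
    """One connection attempt as a firewall sees it (constructed sample input)."""
    app: str
    proto: str       # "TCP" or "UDP"
    direction: str   # "In" or "Out"
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Rule:
    app: str
    action: str      # "Allow" or "Block"
    proto: str       # "TCP", "UDP", "TCP/UDP" or "IP"
    direction: str   # "In", "Out" or "In/Out"
    src_addr: str    # "Any", "Single IP x.x.x.x" or a CIDR network
    dst_addr: str
    src_port: str    # "Any", "2249" or a range like "1024-65535"
    dst_port: str


def parse_rule(app: str, text: str) -> Rule:
    """Parse the pipe-separated notation used in the thread, e.g.
    'Allow | TCP | Out | SA: Any | DA: Single IP 127.0.0.1 | SP: Any | DP: 2249'."""
    fields = [f.strip() for f in text.split("|")]
    action, proto, direction = fields[:3]
    kv = {}
    for field in fields[3:]:
        key, value = field.split(":", 1)
        kv[key.strip().upper()] = value.strip()
    return Rule(app, action, proto, direction, kv["SA"], kv["DA"], kv["SP"], kv["DP"])


def classify_address(ip: str) -> str:
    """Loopback, private (non-routable) or routable, as the stdlib classifies it."""
    addr = ipaddress.ip_address(ip)
    if addr.is_loopback:
        return "loopback"
    if addr.is_private:
        return "non-routable"
    return "routable"


def _addr_matches(pattern: str, ip: str) -> bool:
    if pattern.lower() == "any":
        return True
    if pattern.lower().startswith("single ip"):
        return ipaddress.ip_address(pattern.split()[-1]) == ipaddress.ip_address(ip)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)


def _port_matches(pattern: str, port: int) -> bool:
    if pattern.lower() == "any":
        return True
    if "-" in pattern:
        low, high = (int(p) for p in pattern.split("-"))
        return low <= port <= high
    return int(pattern) == port


def rule_matches(rule: Rule, conn: Connection) -> bool:
    # An "IP" rule covers every protocol carried over IP; "TCP/UDP" covers both.
    proto_ok = rule.proto.upper() == "IP" or conn.proto.upper() in rule.proto.upper().split("/")
    dir_ok = conn.direction.lower() in rule.direction.lower().split("/")
    return (rule.app == conn.app and proto_ok and dir_ok
            and _addr_matches(rule.src_addr, conn.src_ip)
            and _addr_matches(rule.dst_addr, conn.dst_ip)
            and _port_matches(rule.src_port, conn.src_port)
            and _port_matches(rule.dst_port, conn.dst_port))


def evaluate(rules, conn: Connection, default: str = "Block") -> str:
    """Assumed semantics: the first matching rule wins; unmatched traffic gets `default`."""
    for rule in rules:
        if rule_matches(rule, conn):
            return rule.action
    return default
```

Feeding the generic `Allow | TCP/UDP | In/Out | SA: Any | DA: Any | SP: Any | DP: Any` rule and the specific `Allow | TCP | Out | SA: Any | DA: Single IP 127.0.0.1 | SP: Any | DP: 2249` rule the same two attempts (one to 127.0.0.1:2249, one to a host on the internet) shows why the generic rule explains nothing: it allows both, while the specific rule allows only the internal one and leaves everything else to the default.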

The application requesting access (in this case "smplayer") is attempting to send data to a specific port on the local loopback interface

I see my error, the source is always the PC

What happens to the data from this point onwards is solely determined by whatever application is listening on that port on the local loopback interface

How would you agree with the following?

A local communication will always be my computer letting an application or service communicate with another application or service (but we don’t know which one) through, or at the destination of, its local network interface 127.0.0.1?

Forgive me for looking stubborn, but in the case of an application connecting to its server over the internet* (out rule) there is my IP, the IP of the receiver, and a straight line to connect both ends - the sender to the receiver. I am somewhat confused about defining the local end, since 127.0.0.1 is not the final receiver, but an application or a service is.

*Unless my definition is incomplete or erroneous

In plain English and with the corresponding rule segments in RED, the above rule is saying "Let smplayer.exe (Action: Allow) send data outwards (Dir: Out), using TCP protocol (Proto: TCP), from whatever IP address is currently assigned to this PC (S-A: Any) to the address 127.0.0.1 (D-A: Single IP 127.0.0.1), specifically to port 2249 (D-P: 2249). I will choose what port I want to hear a response on (S-P: Any) and will tell 127.0.0.1 when I get in touch with it."

This is more than helpful :-TU

This is only true for outbound communications, as we are the ones starting the communications request. If someone is trying to contact our PC, they have started and they are the source in an inbound request to our PC.

How would you agree with the following?

A local communication will always be my computer letting an application or service communicate with another application or service (but we don’t know which one) through, or at the destination of, its local network interface 127.0.0.1?

Forgive me for looking stubborn, but in the case of an application connecting to its server over the internet* (out rule) there is my IP, the IP of the receiver, and a straight line to connect both ends - the sender to the receiver. I am somewhat confused about defining the local end, since 127.0.0.1 is not the final receiver, but an application or a service is.

*Unless my definition is incomplete or erroneous

Not all outbound connections go through the local loopback, only those applications that are coded to do so. A browser doesn’t need to use the local loopback, although I believe that some versions of Firefox do (not 100% sure on this, but pretty sure ;))

Concern: My previous post May 22, 2009, 08:11:15 PM and your answer

I have omitted a piece of information, sorry about it. Could you return to my post of May 22, 2009, 08:11:15 PM and read it as “for LOCAL communications ONLY”, then answer it once again.

On my post of May 22, 2009, 08:11:15 PM, my statement:

I see my error, the source is always the PC (Omission: in the case of a local communication)

On my post of May 22, 2009, 08:11:15 PM, my question:

how would you agree with the following? (Omission: in the case of a local communication)

On my post of May 22, 2009, 08:11:15 PM, my comparison:

Local communication vs. a standard communication over the internet

My comparison intended to clarify the following difference: during a standard communication I can give a name to the destination IP address (e.g. Avira on my computer will update from the Avira server. It will be my IP connecting to the Avira IP to get the update. If I update Comodo, it will be my IP connecting to the Comodo IP to get the Comodo update). I know the connection end since it is always a different IP. What confuses me in my understanding of a local communication is that all services (System/svchost, etc.) and applications (Avira/Comodo, etc.) communicate locally using one single IP, 127.0.0.1, but I don’t know - or I cannot see - the end (i.e. the applications or services they contact). Is this correct/normal and do I understand local communication correctly?

PS: I will introduce the next topic as follows: The topic about loopback - local communication is now closed, let’s now talk about x (services, zones, ports, etc.)

I don’t want to have to know any of this. I want my security software to be intuitive enough to take care of it on its own.

Can I make a suggestion? If we are discussing loopback connections, rather than refer to them as LOCAL (which some could interpret as meaning LOCAL as in LOCAL AREA NETWORK), could we refer to them as INTERNAL?

As a summary:

INTERNAL
Communications that occur between two or more software components within the one PC that do not connect to any external device

EXTERNAL INBOUND
Communications that occur between two or more separate devices (PC, server or router etc.) on a local LAN or over the internet and are initiated by the other device

EXTERNAL OUTBOUND
Communications that occur between two or more separate devices (PC, server or router etc.) on a local LAN or over the internet and are initiated by you

Are we agreed on these definitions?
Ewen :slight_smile:

:-TU ;D Very useful information. Now I’m blocking localhost, because I have a malware version of Windows XP Pro >:-D

We repeat

As this is a highly focussed series of questions and answers, I would ask other forum users not to post in this topic yet, until we have reached a logical conclusion. I ask this not to exclude other users, but to hopefully eliminate confusion and remain focussed on the original questions asked. Thanks in advance

“Me too’s” are also included in the above request. :slight_smile:

Are we agreed on these definitions?

That’s exactly that + you point out an important difference I could not understand before. Do you mind if I quote one of your previous answers? Let’s add these questions to my last post - it is related.

Panic Reply #4 on: May 22, 2009, 04:20:28 PM

[…]The 127.0.0.1 address is ONLY for internal intra-application communications. It is impossible to receive an inbound request from another PC for that address[…]

[…]They use fixed ports, as they are generally communicating with another, already running application which is listening on a specific port for requests. Example : Service A is running and listening on port 12345. Application B, which needs to send data via service A, must send the data to port 12345, otherwise service A would never hear the request[…]

Warning: You better be sitting; it will show you how the reasoning of a novice can be confusing…

During a communication, I only think about the source and the destination to make my “big picture”. If Avira updates from its server over the internet, I say to myself Avira is the source: ah! this is an outbound communication. If x connection arrives at my PC (from any software), I say to myself: ah! this is an inbound connection.

When it comes to internal communications, my reasoning loses ground: In your example above […]Service A is running and listening on port[…] I immediately think: Service is listening, ah! this is an inbound communication. Now reading the sentence above your example […]It is impossible to receive an inbound request from another PC for that address[…], I think “heee!!” (and I stop to say to myself “what a wonderful world” :P)

Could you think about an easy definition to mark the difference between Internal communications and External communications?
I came up with this one: “no matter what service or application listens and no matter what service or application talks, when it is Internal, we cannot refer to them as Inbound or Outbound connections”

Correct! If it is an internal communication, no other device is involved and therefore it cannot be outbound to another device or inbound from another device.

Inbound and outbound only refer to communications to or from another device (PC, server, router etc.).

As an example;

Internal communications : If you put your hand near a stove and can feel that it is hot, your brain tells your hand “Don’t touch that! It is hot!”. No other person is involved. This is internal communication.

Inbound communications : Your wife tells you “Don’t touch the stove - it is hot!”. You have received a communication from an outside source. This is external inbound.

Outbound communications : You tell your children “Don’t touch the stove - it is hot!”. You have sent an outbound communication to an outside destination. This is external outbound. This is also redundant because children rarely listen to their parents. :wink: :slight_smile:

Further to outbound communications : When you tell your children the stove is hot, they may respond to you “OK”. Their reply to your initial outbound communication is not considered an inbound communication. It is considered to be a response to your outbound communication. When you request a web page in your browser you have issued an outbound communication. When the web server responds and sends the data back to you, the data is not considered an inbound communication. It is considered to be a response to your request.

You may have seen the term “unsolicited inbound”. This refers to an outside device attempting to contact your PC without your PC having requested the contact first. Inbound BLOCK rules are designed to prevent this sort of unsolicited inbound communication. In cases like P2P software (Azureus, eMule, Limewire etc.), where your PC can act as a server, you would need to set up inbound ALLOW rules for the P2P port, as other PCs will attempt unsolicited contact with your PC to share files.

Cheers,
Ewen :slight_smile:
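The three categories Ewen defines (internal, external inbound, external outbound), plus the distinction between a response to our own request and an unsolicited inbound attempt, are what a stateful firewall keeps track of. The Python below is an added example, not code from the thread or from Comodo: a small connection tracker that remembers who opened each flow and labels every packet accordingly, with a policy that blocks unsolicited inbound traffic unless the destination port was deliberately opened, the way Ewen describes for P2P software. The LAN address 192.168.1.20, the remote addresses and the P2P port 6881 are constructed values for the demonstration.

```python
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port")

# Assumed: the address our PC currently holds on its LAN (constructed value).
LOCAL_IPS = {"192.168.1.20"}


class ConnectionTracker:
    """Label packets with the thread's categories: INTERNAL, EXTERNAL OUTBOUND,
    RESPONSE TO OUTBOUND, UNSOLICITED INBOUND, EXTERNAL INBOUND (a continuation
    of an inbound flow we accepted) or REPLY TO INBOUND. The tracker remembers
    who opened each flow, so a server's answer is never mistaken for a new
    inbound connection."""

    def __init__(self, local_ips=LOCAL_IPS):
        self.local_ips = set(local_ips)
        self.initiator = {}  # flow id -> "us" or "them"

    @staticmethod
    def flow_id(pkt):
        # Direction-agnostic key: the same pair of endpoints in either order.
        return frozenset({(pkt.src_ip, pkt.src_port), (pkt.dst_ip, pkt.dst_port)})

    def classify(self, pkt):
        src, dst = ipaddress.ip_address(pkt.src_ip), ipaddress.ip_address(pkt.dst_ip)
        if src.is_loopback and dst.is_loopback:
            return "INTERNAL"  # no other device involved: neither inbound nor outbound
        we_sent_it = pkt.src_ip in self.local_ips
        flow = self.flow_id(pkt)
        opener = self.initiator.get(flow)
        if opener is None:  # first packet of a flow decides who initiated it
            self.initiator[flow] = "us" if we_sent_it else "them"
            return "EXTERNAL OUTBOUND" if we_sent_it else "UNSOLICITED INBOUND"
        if opener == "us":
            return "EXTERNAL OUTBOUND" if we_sent_it else "RESPONSE TO OUTBOUND"
        return "REPLY TO INBOUND" if we_sent_it else "EXTERNAL INBOUND"


def decide(tracker, pkt, inbound_allow_ports=frozenset()):
    """Apply the policy from the thread: unsolicited inbound is blocked unless the
    destination port is one we chose to open (a P2P port, say); responses to our
    own requests, our own outbound traffic and internal traffic are allowed."""
    kind = tracker.classify(pkt)
    if kind == "UNSOLICITED INBOUND" and pkt.dst_port not in inbound_allow_ports:
        # Forget a blocked probe so a retry is judged afresh instead of being
        # treated as the continuation of an established flow.
        tracker.initiator.pop(tracker.flow_id(pkt), None)
        return kind, "Block"
    return kind, "Allow"


if __name__ == "__main__":
    tracker = ConnectionTracker()
    sample = [  # constructed packet sequence: a web request and its reply, a probe,
        Packet("192.168.1.20", 49200, "203.0.113.10", 80),    # then a P2P peer
        Packet("203.0.113.10", 80, "192.168.1.20", 49200),
        Packet("198.51.100.7", 4444, "192.168.1.20", 135),
        Packet("198.51.100.9", 51413, "192.168.1.20", 6881),
        Packet("192.168.1.20", 6881, "198.51.100.9", 51413),
        Packet("127.0.0.1", 49300, "127.0.0.1", 2249),
    ]
    for pkt in sample:
        print(pkt, *decide(tracker, pkt, {6881}))
```

The web server's answer on port 80 is allowed only because the tracker saw our PC open that flow first; the same packet arriving with no prior outbound request would be labelled unsolicited and blocked. The P2P peer's first packet is unsolicited too, but its destination port is on the allow list, so the flow is accepted and our later packets on it count as replies rather than as new outbound connections.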

Internal communication has been defined. I will come back to the previous message when we discuss external communications. Before closing the internal communication topic, let’s look at the CIS settings “exclusively related to the Loopback zone ;)”

Internal communication + Loopback zone setting options in CIS

Q1. When I install CIS, is there a trusted loopback zone created automatically (I remember the LAN wizard only)?

a. In the My Network Zone
b. In the > My Network Security Policy > Application rules
c. In the > My Network Security Policy > Global rules

Q2. My Network Zones - General questions

a. My Network Zones Module is only a place to centralize information (and to launch some wizards - which ones please?) in use in different locations in CIS?
b. The entries in My Network Zones do not affect any settings in CIS. For example, if I enter a loopback zone in My Network Zones, no CIS settings in the firewall will be affected, unless I use the Stealth My Ports wizard + select my loopback zone (global rules) or insert a new manual rule “loopback” in my Application rules. Correct?

Thread temporarily in stand-by for a week or so.