I’ve a problem in that Comodo will not allow access to a computer sharing its files and printers if I use the computer name of the laptop requiring access rather than its IP address.
The situation is as follows:
2 desktop PCs and 1 laptop
All run Windows XP Home Edition
They are in an office with 16 computers
I need to allow sharing among these 3 only without other computers gaining access
DHCP on router assigns IP addresses
Comodo is installed on both desktops but not the laptop.
The desktop PCs always have their network cards plugged in to the network and, even though the PCs are powered down at night, their IP addresses never change, so sharing between them always works.
The laptop goes out of the office frequently and when it returns it’s assigned a different IP address which then results in the desktop sharing the printers blocking print jobs from the laptop.
I’d thought using the hostname option, rather than a single IP, would allow Comodo to recognize the laptop by its computer name on the network as safe and grant access. It doesn’t. File and printer sharing is blocked consistently.
I’m an outside tech working for the owner of the 3 computers in question but not the tech for the office as a whole so I don’t have access to the router configuration. Static IPs etc cannot be used.
Has anybody had this problem? Find or know of a solution?
Or am I possibly misunderstanding the hostname option? I’d thought it meant it would allow access to a computer by using its network computer name, which doesn’t change, as opposed to using its IP address, which does change.
Thanks in advance for any help anyone can offer,
I’m guessing that the IP address assigned to the laptop is a private IP address… since it operates & was assigned an IP on the corporate LAN type. If that’s true, then you could create a limited IP range that the laptop operates within or add the range to your Trusted Zone (is a Trusted Zone defined?). But, if the laptop is a corporate one, then there can still be problems. Unfortunately, some companies customise that bit (LAN) of the operating system to meet their specific requirements or have complex configurations and even customised scripts.
The hostnames do work. But, CPF still needs to resolve the name into an address. So, if that works or not is dependent on if you have set-up the name translations correctly (HOSTS file on all hosts) and/or on your system(s) configuration/set-up.
Thinking out loud: I’m beginning to suspect that you might need to emulate what the corporate LAN is doing to get this right & I think that might include DHCP, DNS… something along those lines.
Are you allowed to create a second LAN connection on the laptop? Would this upset the corporate LAN? Can you even do that on XP HE? LOL ;D
To the best of my knowledge there aren’t any customized settings on the LAN. The equipment was installed and configured by a drinking buddy of the business owner - I kid you not! I’ve met him and doubt he has the knowledge to “get fancy” with the LAN because he didn’t seem to understand the problem when I tried to explain it to him. I’m no expert as this either but I’m sure I’m more knowledgeable than he is. Unfortunately, he’s the owner’s buddy and I’m not allowed access to the router configuration.
I don’t have a trusted zone or limited IP range defined because either case can and has allowed other computers access that we want to block. This is because the IP addresses of other computers in the office at large change and sometimes fall within the allowed range, giving them access to confidential files on the 3 computers I’m trying to protect.
The problem seems to be, as you suggest, that CPF is unable to resolve the laptop network name to an IP address so the laptop is blocked. You mentioned using the hosts file to handle this problem. Can you offer some example entries that will allow CPF to resolve the laptop name to whatever the current address is for the laptop?
I see… In this case your system would attempt to resolve the name using the defined DNS. Oops. I bet that didn’t work. I can give you the classic HOSTS file entry & you might even find it in your HOSTS file…
So far, when the laptop’s IP changes, it’s always been in the 192.168.1.102 to 109 range. I think I’ll try using the hosts file to map each of the IPs to the laptop’s network name and see what happens.
But, I don’t think the 192.168.1.102-109 range is very big & you’re unlikely to get an external inbound connection attempt with that IP. CPF would scream, since the header would need to be spoofed (faked). The range is part of a private internal IP range (not for internet use). In addition, if the laptop & the other 2 desktops were correctly set-up within the same Trusted Zone, then there shouldn’t be any trouble at all (without using names). After all, they are all plugged into the same LAN (Right?) & despite the IP changing on the laptop… this is what makes the difference, the definition of the Trusted Zone. I don’t think defining an even larger range would pose a problem either. Mainly, because for an inbound request to be included in the Trusted Zone, whatever the IP number is, it must be physically plugged into your LAN… or is it that you have a wireless LAN?
I don’t think I’ve explained my problem very well.
We’re not concerned about attacks from the Internet, or outside the office LAN in general. CFP and the anti-virus products should provide adequate protection for that situation.
My concern is keeping out other computers within the LAN. I looked at the Trusted Zone setup and it appears to include every computer on the LAN which is what we’re trying to avoid. Trusted Zone does allow me to specify a range of IPs but that doesn’t really solve the problem if a newly connected computer, that is NOT part of the group of 3 I’m trying to protect, gets an IP within the trusted range. Nor does it help if the laptop in question is connected and gets an IP outside the range specified.
Since the IP addresses of the computers on the LAN, and the laptop I’m trying to allow access for, keep changing the only solution I can see is to allow access by the laptop’s network computer name. But CPF can’t seem to resolve the name to the laptop’s IP. I’ve searched all over the net looking for a solution and think your hosts file idea has promise.
I’d considered yet another router within the office containing the 3 computers in question, but that raises another issue in accessing a central network connected printer downstairs, which has its own IP address and would end up on a different subnet.
These are all CAT 5 connections by the way, no wireless involved.
This networking and security stuff gets frustrating sometimes but it does feel great once I’ve found a solution for a particular client’s problem.
Your problem is somewhat different than mine but the background problem seems to be the same. CFP doesn’t always work the way you’d expect it to, especially after reading through every word in the help file and searching the forums then doing what appears to be the right thing.
I’ve never had to reboot the computer but it is usually necessary to shutdown and restart CFP to get a rule to take effect. But sometimes a new rule starts to work immediately without a CFP restart.
I guess the program needs some more fine-tuning by the developers to take care of these problems.
Good luck with your problem if it hasn’t yet been solved. I’m still trying to solve mine.
OK. If the IP address of the 3 unwanted PCs on the office LAN keeps changing, then currently your only option would be using the hostname. However, I don’t think you can use the HOSTS file to correct this one (since the IP addresses change). You will need to use whatever DNS solution the office LAN has implemented. The office PCs, if set-up correctly, should have hostnames that are recognised, resolved & used by other PCs on the LAN.
Failing that, you will need the ability to specify MAC addresses in CPF. CPF cannot currently do this. But, it is on the Wish List with a status of Pending.
There is always scripting. I’m fairly sure that a couple of simple scripts could resolve this. You only need 2 scripts; One to remember the current IP number & then to set the IP number for your home LAN. And a second script to restore the IP number to what was previously stored. Digging around MS’ site will probably reveal some examples of how to do this. You’ll need to check scripting in the admin & networking sections. I’ve not done this personally.
Well, I’ve had absolutely no luck getting this to work. I even tried the free version of ZoneAlarm. It appears to let you use the computer name but what it actually does, when you’re setting up the host name properties, is lookup the CURRENT IP address. When the IP address changes, it blocks the laptop. It doesn’t “autodiscover” the IP address by host name.
I guess I’m going to have to test using a router within the office with the three computers and have it assign a static IP address to the laptop when it connects. Hopefully that will work.
If the two desktop PCs’ IPs don’t change, you could assign a static IP to the laptop (up high, around 192.168.1.210). Use a high address, as this is very, very unlikely to be auto assigned by the DHCP server in your router if there are only 16 PCs on the LAN.
This static address, and the addresses of the two desktops could then be defined as a zone and then set as a trusted zone. Ensure that CPF is installed on the two desktop PCs with the same zones and rules in place.
The only problem I can foresee is in the unlikely event that the DHCP server allocates the IP address assigned statically to the laptop, while it is not connected to the LAN.
Worth a shot,
P.S. Alternatively, you could ask the owner’s drinkin’ buddy LAN guru to restrict DHCP to a range of 192.168.1.0 - 192.168.1.127. That leaves you 128 IPs to play with.
P.P.S. Second alternative, get second NICs added to the desktop and run as a secondary LAN, alongside the original one.
Thanks for stepping in here with your thoughts. This issue is driving me crazy!
I did try to talk to the owner’s drinking buddy LAN guru last week. The conversation lasted all of a minute, maybe two. The glazed look in his eyes told me he had no idea, I may as well have been talking to the owner’s dog.
When I asked him why he couldn’t just configure the router to assign a static IP address to the laptop based on its MAC address I could see he had no idea what I was talking about. His suggestion: buy a second IP address from the local cable ISP!!! Then he said Good Luck and walked away.
The desktop IPs don’t change, even when they’re powered down and restarted the next day, which surprised me. I guess because the NICs remain plugged in they don’t lose their address from the router. At least I don’t have to worry about them.
Your suggestion of assigning a high IP address to the laptop would work except I don’t have access to the router configuration and the “guru” won’t or doesn’t know how to do it. But you gave me a thought, I’d like your opinion.
I can access the TCP/IP properties of the NIC in the laptop and instead of having it “Obtain an IP address automatically” I could select “Use the following address” and enter a high address. Do you think that would work??? I seem to recall I did that somewhere else but can’t remember where or why.
I would then, of course, have to set up the “roaming” feature in XP where the user could select the above setup while in the office or, when away from the office, the normal DHCP settings.
I’d rather not resort to another router or a second NIC in the desktops if at all possible. Running cables in that office would be a real problem due to its layout.
That’s exactly what I mean - assign a static IP address to the notebook somewhere around the 192.168.1.200 area.
DHCP should, all things being equal, start assigning IP address from the bottom of its autoassign range upwards. Some routers don’t even assign all 255 addresses to the autoassign range, some only assign 32, 64 or 128 addresses to the DHCP assign range. This being the case, and given that your LAN only has <20 units on it, DHCP should never get to the 200 mark, so you shouldn’t ever get a duplicated IP error.
To be thorough, on one of the desktops, click START and then RUN. In the RUN box, type CMD and press enter to open a small “DOS” window. In the DOS window, type “ipconfig /all” and press enter. This will produce a listing of the IP parameters current on that machine. Find the section dealing with the LAN card and note the DNS and gateway addresses it’s using. Meanwhile, back on the laptop, manually assign the 192.168.1.200 address with a netmask of 255.255.255.0 and the gateway address and DNS server addresses that match the desktop machine we just ipconfig’d.
You can then set up network monitor rules for the three IPs - two desktops and the laptop.
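The static-address setup described in this post, as an added example that is not from the thread, from Comodo, or from Microsoft: a batch file for the laptop’s wired NIC that switches between the fixed office address and plain DHCP using netsh (the “two scripts” approach floated earlier in the thread, folded into one file). The interface name, the 192.168.1.200 address, and the gateway and DNS values are assumptions; take the real gateway and DNS from “ipconfig /all” on one of the desktops. Before setting the address it pings it once and refuses to continue if something on the LAN already answers, which covers the duplicate-address worry raised above.

```batch
@echo off
rem office_ip.bat -- added example, not code from the thread.
rem Switches the laptop's wired NIC between a fixed office address (so the
rem desktops' firewall rules can match it) and DHCP for use anywhere else.
rem Must be run from an account with administrator rights.
rem
rem Usage:  office_ip.bat office     fixed address for the office LAN
rem         office_ip.bat roaming    back to DHCP before leaving
rem
rem ASSUMED values: adapter name as shown in Network Connections, and the
rem gateway/DNS taken from "ipconfig /all" on a desktop that already works.
set NIC=Local Area Connection
set ADDR=192.168.1.200
set MASK=255.255.255.0
set GW=192.168.1.1
set DNS=192.168.1.1

if /i "%~1"=="office"  goto office
if /i "%~1"=="roaming" goto roaming
echo Usage: %~nx0 office ^| roaming
goto :eof

:office
rem Refuse to take an address that something else already answers on.
rem Only a genuine echo reply contains "TTL="; "Destination host unreachable"
rem lines do not, yet ping on XP still exits 0 for them, so grep for TTL.
ping -n 1 -w 500 %ADDR% | find "TTL=" >nul
if not errorlevel 1 (
    echo %ADDR% is already in use on this LAN - choose a different address.
    goto :eof
)
netsh interface ip set address name="%NIC%" source=static addr=%ADDR% mask=%MASK% gateway=%GW% gwmetric=1
netsh interface ip set dns name="%NIC%" source=static addr=%DNS% register=PRIMARY
goto show

:roaming
rem Hand the adapter back to DHCP for address and DNS.
netsh interface ip set address name="%NIC%" source=dhcp
netsh interface ip set dns name="%NIC%" source=dhcp
goto show

:show
rem Print what the adapter ended up with so the result can be checked.
ipconfig /all | find "IP Address"
ipconfig /all | find "Default Gateway"
ipconfig /all | find "DNS Servers"
```

Run “office_ip.bat roaming” before the laptop leaves the building; otherwise the fixed 192.168.1.200 address is carried to whatever wired network it is plugged into next, which is the conflict risk the following post warns about.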
Using static IPs on your laptop may be a quick-fix in this particular situation, but gets cumbersome in the long run and is something I would advise against. Simply because static values can sometimes conflict with the dynamically provided ones and as a rule-of-thumb are never used on laptops. No offence, Ewen.
To help you on your way to solve the problem, here’s a few quickly thrown together suggestions.
1. Does your laptop register itself successfully with the local DNS server? Does your firewall allow outbound UDP 53 queries?
To verify that your PC’s hostname is correctly mapped in the DNS record you can ping the hostname without the domain, e.g. PING Mylaptop, and see if the reply matches your correct IP address and domain name. The result will look similar to this: Pinging Mylaptop.domain.com [Laptop IP address] with 32 bytes of data
Check that the domain name and IP address match. Another method is to do a hostname lookup: nslookup [insert your IP address] and the result will hopefully look like this:
Address: DNS Server IP address
2. Are you allowing access to the shared resources through your firewall based on IP addresses or hostnames? (Requires inbound access through TCP 445 (Microsoft-DS). Limited to match only those two computers’ hostnames of course)
Try to telnet yourself to your laptop from one of the other computers using port 445. If you get a black DOS-prompt without any text, you’re in. If not… well you’re refused connection
3. What do your logs say? “When in need, 1st consult your logs”. They are there for a very specific reason.
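The three checks in the post above, as an added example that is not from the thread or from Comodo: a batch file that runs the name-resolution check (ping by name, then nslookup), a file-sharing reachability test, and appends every result to a log file for the “consult your logs” step. In place of the interactive telnet-to-445 test it uses net view, which asks the target for its share list over the SMB ports (TCP 445, falling back to 139) and so can be judged from a script: “System error 53” means the host was never reached (firewall rule or a name that did not resolve), while “Access is denied” means the port answered and the problem is permissions. The hostname MYLAPTOP and the log path are assumptions.

```batch
@echo off
rem share_check.bat -- added example, not code from the thread.
rem Runs the diagnostics from the post above against one host and keeps a log.
rem Usage:  share_check.bat MYLAPTOP     hostname (or an IP, for a reverse lookup)
if "%~1"=="" (
    echo Usage: %~nx0 hostname-or-ip
    goto :eof
)
set TARGET=%~1
set LOG=%TEMP%\share_check.log
set OUT=%TEMP%\share_check_last.txt
echo === %DATE% %TIME% target=%TARGET% === >> "%LOG%"

echo [1] Name resolution: the "Pinging name [x.x.x.x]" line shows what the name resolved to
call :run ping -n 1 %TARGET%
rem nslookup asks the DNS server the NIC is configured with (it ignores the
rem HOSTS file), so a mismatch here points at the office DNS, not the firewall.
call :run nslookup %TARGET%

echo [2] File-sharing reachability (SMB over TCP 445, falling back to 139)
call :run net view \\%TARGET%
find "System error 53" "%OUT%" >nul
if not errorlevel 1 (
    echo     BLOCKED: %TARGET% did not answer on the file-sharing ports ^(firewall rule or bad name^)
) else (
    find "System error" "%OUT%" >nul
    if not errorlevel 1 (
        echo     REACHED but refused: the port answered, so look at permissions rather than the firewall
    ) else (
        echo     OK: %TARGET% returned its share list
    )
)

echo [3] Every step's output is in "%LOG%" - compare its timestamps with the firewall's own log
goto :eof

:run
rem Run the command given as arguments, show its output, and append it to the log.
echo --- %* >> "%LOG%"
%* > "%OUT%" 2>&1
type "%OUT%"
type "%OUT%" >> "%LOG%"
goto :eof
```

Run it from one of the desktops against the laptop’s name first and then against its current IP address: if the IP run passes and the name run fails, the firewall is doing its job and the fault lies in name resolution, which is the distinction the thread has been circling.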
My thanks to all of you great people who’ve helped me with this problem.
I tried Comodo using the hostname but that didn’t work. I tried ZoneAlarm and hostname but that didn’t work. Both were really looking for the changed IP address but couldn’t resolve the new one by using hostname (COMPUTER NAME ON THE NETWORK) assigned to the laptop when it reconnected.
Since I had no control over the router in the office I was forced to use Ewen’s and Pandlouk’s advice and assigned a static IP address to each computer in its IP configuration utility, i.e. XXX.XXX.XXX.123 then 124 and 125. I then configured Comodo to accept communications from those addresses only and so far no complaints from the users so all is well. Two days now and counting.
I chose this solution after speaking to the laptop user and finding that she only used the CAT5 connection in the office, never wireless. And only used wireless away from the office, never CAT5 cable.
So, the wired connection has a static IP assigned to it and the wireless uses DHCP. I did warn her that if she tries to use a wired connection away from the office she “could” have problems depending on the location, their hardware, configuration, etc.
I’ve got my fingers crossed here but so far I think it’s going to be OK for this situation.
Thanks again guys, your assistance was greatly appreciated and extremely helpful.