What does this entry in CFP3 Fw events mean?

Can someone kindly explain what this entry in CFP3 Fw events means?

And if it needs fixing, how to do it?

Please see the attached screenshot.

Thanks

Matt

System: WinXpPro SP2

[attachment deleted by admin]

Don’t know anything about your network, but this is a DHCP discover broadcast by your computer looking for a DHCP server to give it an IP address. If you get one anyway through other methods, this is redundant. If you need to allow it, you can make an explicit allow rule and put it under WOS in the network policies.

This is exactly what I am getting thousands of, one every 5 seconds, and although several people tried to help in the "Help needed for Firewall Rules" thread I started regarding this problem, nothing so far has succeeded in stopping it. If anyone knows how to cure this I would be eternally grateful.

Add the rule to WOS block/udp/out/0.0.0.0/255.255.255.255/68/67 if you want to block it. Don’t log it.
I use allow/udp/out/any/any/any/any and let it go, since it is an outgoing broadcast from my computer.
You may need to create a place in the network policies for WOS if it is not there yet.
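
Added example (not part of any post in this thread, and not Comodo's code): a small Python model of the action/protocol/direction/source/destination/source-port/destination-port shorthand used in the post above, checked against constructed events. It shows that the narrow rule covers only the 0.0.0.0 broadcast, while the any/any rule also covers every other outgoing UDP packet. Top-down first-match evaluation, the `no-match` default and the address 192.168.100.1 are assumptions made for the illustration.

```python
from dataclasses import dataclass

ANY = "any"
FIELDS = ("proto", "direction", "src", "dst", "sport", "dport")


@dataclass(frozen=True)
class Event:
    proto: str
    direction: str
    src: str
    dst: str
    sport: int
    dport: int


def parse_rule(text):
    """Split 'action/proto/dir/src/dst/sport/dport' into a dict."""
    parts = text.strip().lower().split("/")
    if len(parts) != 7:
        raise ValueError(f"expected 7 fields, got {len(parts)}: {text!r}")
    return dict(zip(("action",) + FIELDS, parts))


def matches(rule, ev):
    """True when every field of the rule is 'any' or equals the event's field."""
    return all(
        rule[key] == ANY or rule[key] == str(getattr(ev, key)).lower()
        for key in FIELDS
    )


def decide(rule_texts, ev, default="no-match"):
    """Return the action of the first matching rule (assumed ordering)."""
    for text in rule_texts:
        rule = parse_rule(text)
        if matches(rule, ev):
            return rule["action"]
    return default


NARROW = "block/udp/out/0.0.0.0/255.255.255.255/68/67"
BROAD = "allow/udp/out/any/any/any/any"

# Constructed events, not taken from the deleted screenshot.
DISCOVER = Event("udp", "out", "0.0.0.0", "255.255.255.255", 68, 67)
RENEWAL = Event("udp", "out", "192.168.100.10", "192.168.100.1", 68, 67)  # unicast lease renewal
DNS = Event("udp", "out", "192.168.100.10", "192.168.100.1", 1025, 53)
```

A unicast lease renewal from an already assigned address does not match the narrow rule, so blocking the 0.0.0.0 broadcast alone does not decide what happens to renewals.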

If there is no application entry for WOS, shouldn’t the global rule IP OUT any any any allow the broadcast?

Al (Merry Christmas) Adric

Thanks sded,

What is WOS, and how do I create a place for it? I understand all the rest of it.

Thanks again

Matt

WOSystem application needs to be added via Add → Select → Running Processes when creating a rule for it for the first time. Select the top entry (Windows Operating System).

Al (Merry Christmas) Adric

Application rules out are done before the global rules. I think it has to be allowed by an application rule first, at least that is the way it works for me. Should work that way so you don’t have an “allow everything I forgot to block”. :wink:

Hmmm, I don’t know what to make of that. I do not have WOS defined as an application and I have logging set on for the global outgoing rule. IGMP is allowed but UDP is not. I will add WOS and make a rule to log 0.0.0.0 and see what happens.

Al

[attachment deleted by admin]

Must be one of the Comodo default rules. Don’t know otherwise why you would allow IGMP multicast, block UDP (DHCP) broadcast, unless you have a trusted network?

There is a default Loopback Zone in the network zone definitions. Looks like this and the global rule for outgoing is enough and there is no need for a WOS application entry. At least the log seems to indicate this.

Maybe if I Add 0.0.0.0 and 255.255.255.255 to my network zone definitions, that will also be enough and I won’t need an entry for WOS.

Al (getting more and more confused) Adric

Yeah, I don’t see how defining a zone and not saying anything about it in the rules should do anything. I took it as just a convenience for the explicit loopback rules. Is your network trusted? I have no problem with Comodo making default rules (Maybe WOS is a safe application with a ruleset somewhere?) but I have ranted (including to Melih) about Comodo doing it and not telling me what they are. And ah, the mysteries of SPI!! But I try to make everything explicit (left over from Kerio 2 days) and don’t use global rules, partly because they do stuff like you showed in your log and add to the general confusion.

Maybe if I Add 0.0.0.0 and 255.255.255.255 to my network zone definitions, that will also be enough and I won’t need an entry for WOS.

Adric,
I have already done the above from advice I received from Zortag in the thread I started on this same problem (Firewall rule help needed) and it didn’t help. Perhaps one of the moderators could merge the two threads and we maybe could get a solution to this annoyance.

bluesjunior, which rule did you actually add and where? The network zones stuff doesn’t do anything until you make a rule about them, and since WOS is being blocked, that is where the rule goes.

Sded,
I followed the instructions given to me by Zortag on the above mentioned thread started by me. He wrote the following advice but haven’t heard any more from him.

bluesjunior - During the later stages of the Comodo installation process, a query-box popped up announcing that it had “found a new network”, asking if you wanted to trust it, name it, etc, etc. This is your Local Network! By default, Comodo chose to name the network by using the name of the Ethernet card. This is unfortunate, as they could just as easily (this first time only) have defaulted to calling it something like “Local Area Network”. First I would suggest renaming the network; it makes no real difference to Comodo, but you get the “thing” named to what is a common reference.

Firewall → My Network Zones
Highlight “VIA VT6102 Rhine II fast Ethernet Adapter - Packet scheduler miniport.”
Click Edit
Enter “Local Area Network” (without the quotes)
Click Apply, Apply, etc (however many times it takes to get back to main “Comodo” app)

Then go back in and fix the addresses, by adding /removing (see instructions in my previous post) so that the two zones “Loopback Zone” (automatically created by Comodo), and “Local Area Network” look like:

Loopback Zone
IP IN [127.0.0.1 / 255.0.0.0]

Local Area Network
IP in 192.168.100.10 / 255.255.255.0 (no change)
IP 0.0.0.0
IP 255.255.255.255

You should NOT be seeing any traffic blocked that is within this Local Area Network, that is if the Source Address and Destination Address (look in the log) are BOTH in the Local Area Network (ie 192.168.0.x, where x is any number 0-255, OR 0.0.0.0 OR 255.255.255.255). If you still are getting blocked messages for local traffic, then you’ve got a rule issue.

Yes, I defined my network with the Stealth Ports Wizard (a range of IP Addrs 0-255)

Al

bluesjunior,
maybe I missed it but I didn’t see anywhere in the procedure where you made it a trusted zone. Do you have global rules to allow all in and allow all out for that zone? If not, go to stealth port wizard and declare it a trusted zone. Again, a zone does nothing until you make rules about it.

Thank you Sded. Would you mind walking me through the procedure? I am 60 and not very PC technical. I just knew something wasn’t quite right.

To make sure your network is trusted, go to firewall/common tasks/stealth port wizard. Select “Define a New Trusted Network” and Next and select your zone. This will allow your LAN to talk internally with no blockage. Even if you have already got the rules in your global rules, won’t hurt to have them again. See if that helps.

Thank you Sded,
I will try that and see how it goes.