XP Remote Terminal Connection and Comodo PFW [Resolved]

Hi,
I have an unusual problem with Comodo 2.4.18.184 and I haven’t seen it elsewhere in the Forum.

Comodo runs very well on my Dell 9150, XP-SP2. The peculiar behavior comes when I access that machine from my Laptop using XP’s Remote Desktop Connection. If I’m then reading Email and click on a hyperlink, the browser won’t accept the connection. If I then stop and immediately start Comodo, everything goes well for the rest of the session.

Am I missing some sort of configuration?

Thanks,
Tom Ryan

Welcome, tfr1025 (:WAV)

Your logs should hold the key to this… When you click on the link and the connection fails/page won’t open, what entries are generated in the log file? You can post that here by going to Activity/Logs; right-click an entry and select “Export to HTML.” Save & reopen the file; highlight & Copy the entries, then Paste them into the textbox of your next post.

Then we’ll see what we have…
LM

Hi,
I’m attaching the log file from the latest incident as a txt file. Every time I try to paste it into the message box and post it, it looks okay on Preview but says “Message Box Empty” when I post it.
Tom Ryan

[attachment deleted by admin]

Tom,

I tell you what… given the text-pasting difficulty, why don’t you just ZIP the HTML file and upload that. This is doggone hard to read thru: :wink:

TNX,

LM

Good suggestion - here it is.
Tom

Thanks, Tom.

You’ve got roughly 5 hours of logs there; it’s hard to tell what relates exactly to the email link issue. I do see that nearly all (if not 100%) of the block entries are coming from two different IP ranges assigned to Comcast - the 75.x.x.x and 24.x.x.x. Do either of these match the external IP address of the machine you’re logging into? And does the other go for the laptop, at your “remote” location that you’re connecting from?

Also, will you do the following:

Log in to the home computer via remote connection. Open your email client (I presume you’re reading email thru a client like Outlook Express, etc, rather than online, or you wouldn’t need remote access…).

Now go to Activity/Logs in CFP, right-click an entry, and select “Clear all Logs.” NOW click on a link in your email. As soon as the connection fails (page doesn’t open), re-export, save, and upload the logfile. This way we will only be looking at a minute or two of logs, and will relate much more closely to the situation at hand.

TNX,

LM

Hi LM,
A limited log is attached per your note. It’s from tonight.

All of our PCs attach to Comcast through a Linksys router and thus have 192.168 type addresses. The router uses an IP address beginning with 75.69.1… (I can email the exact address if needed).

Thanks for your help.

Tom

Log Scope:: Today

Date/Time :2007-03-23 21:47:52
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 75.x.x.x, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 75.x.x.x:8008
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 11

Date/Time :2007-03-23 21:47:02
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 75.x.x.x, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 75.x.x.x:51493
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 11

Date/Time :2007-03-23 21:46:57
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 75.x.x.x, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 75.x.x.x:51493
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 11

Date/Time :2007-03-23 21:46:52
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 75.x.x.x, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 75.x.x.x:8008
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 11

Date/Time :2007-03-23 21:46:47
Severity :Medium
Reporter :Network Monitor
Description:Outbound Policy Violation (Access Denied, ICMP = PORT UNREACHABLE)
Protocol:ICMP Outgoing
Source: 192.168.1.125
Destination: 208.67.222.222
Message: PORT UNREACHABLE
Reason: Network Control Rule ID = 11

Date/Time :2007-03-23 21:46:47
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 75.x.x.x, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 75.x.x.x:2250
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 11

Date/Time :2007-03-23 21:46:47
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 75.x.x.x, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 75.x.x.x:8008
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 11
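
The export format in the post above can be tallied per protocol, destination and rule ID, which makes it quick to see what a short capture window actually contains. This is an added example, not part of the original thread or of Comodo's tooling; the two sample entries are constructed from the format shown above.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the export format shown in the post above.
SAMPLE = """\
Log Scope:: Today

Date/Time :2007-03-23 21:47:52
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 75.x.x.x, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 75.x.x.x:8008
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 11

Date/Time :2007-03-23 21:46:47
Severity :Medium
Reporter :Network Monitor
Description:Outbound Policy Violation (Access Denied, ICMP = PORT UNREACHABLE)
Protocol:ICMP Outgoing
Source: 192.168.1.125
Destination: 208.67.222.222
Message: PORT UNREACHABLE
Reason: Network Control Rule ID = 11
"""

def parse_entries(text):
    """Return one dict per log entry, keyed by field name, plus a parsed 'when'."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        parts = (line.partition(":") for line in block.splitlines())
        fields = {k.strip(): v.strip() for k, sep, v in parts if sep}
        if "Date/Time" in fields:  # skips headers such as "Log Scope:: Today"
            fields["when"] = datetime.strptime(fields["Date/Time"], "%Y-%m-%d %H:%M:%S")
            entries.append(fields)
    return entries

def summarize(entries, since=None):
    """Count blocks per (protocol, destination, rule ID), optionally from `since` on."""
    counts = Counter()
    for e in entries:
        if since and e["when"] < since:
            continue
        m = re.search(r"Rule ID = (\d+)", e.get("Reason", ""))
        rule = int(m.group(1)) if m else None
        counts[(e.get("Protocol"), e.get("Destination"), rule)] += 1
    return counts
```

Passing the moment the link was clicked as `since` gives the same narrowing as clearing the logs first.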

Tom,

I saw at least one match to your external IP in the log, so I copied/pasted it as text in your post and edited the IPs for privacy, and removed the zip file.

I’ll PM you about the router’s external IP, as that will be needed to see exactly what’s blocked.

LM

Hi,
The system would not let me respond to the PM so I’ll post here:

Hi “LM”,

Yes that is the IP address for the router. I suspect the 24 series address is probably the Comcast Mail server.

Thanks,
Tom

Tom,

Do both computers have Comodo firewall on them?
When you are connecting from the laptop to the home network, is the laptop behind a router, such that it has a “network” IP address also? Is its external IP address always the same, or does it change?

I don’t see anything specific that would say something is being blocked, so I wonder if it’s an issue of timing, or some other allowance…

We’re going to need some rules screenshots, but I want to know first the other questions…

Tnx,

LM

Hi LM,

Both the host and the Laptop are running Comodo.

The laptop is behind the same router as the desktop. Hence it gets a 192.168 address.

The other curious thing: When I close Comodo after seeing a link blocked, the browser doesn’t immediately recover the page. After I then restart Comodo, everything goes normal. (Just happened when I linked to your post)
Tom

Okay, now you’ve gone and confused me, Tom… ??? You said in your first post that you’re connecting via remote desktop connection from the laptop to the desktop. Now you stated they’re behind the same router, thus the 192.x.x.x IP address?

Do you perhaps mean to refer to ICS (Internet Connection Sharing), wherein you have a Host computer that is connected to the internet, and other computers (clients) connect to that Host, rather than directly to the internet themselves?

Just want to clarify, and make sure I understand. At any rate, I think we’re looking at some rules issues to be cleared up.

TNX,

LM

Hi LM,
I guess I wasn’t clear. Let me try again.

There’s no ICS involved.

The desktop and laptop are both part of the same in-home network. IE - they both get DHCP addresses handed out by the Linksys router, which in turn talks to the Cable Modem and the Internet.

Since the desktop (perhaps I shouldn’t have said “host”) has email files and lots of applications I don’t keep on the laptop, I use Remote Access to log onto that environment to have access to “our stuff”.

The laptop can access the Net independently, of course, but it doesn’t have the applications, data, etc that I need from the Desktop environment.

It’s when I logon to the desktop and access the Net that way when the problem occurs.

Hope this helps…
Tom

Okay, now I’m with you. Thanks!

You will want to do the following on both machines, in the Firewall (if you have not already):

Go to Security/Tasks, and Add a Zone. This Zone will encompass a range of IP addresses (the LAN) that will include both computers, the router, etc. The default will give you the entire subnet, which is probably fine for the moment.

Then, in Security/Tasks, Define a New Trusted Network; you will use the Zone you have already created, to define the trusted network. This will add two rules to your Network Monitor, at the top of the list. One will allow IP Out from Any (that computer) to the Zone; the other will allow IP In from the Zone to Any (the computer). After doing so, reboot both computers.

On the desktop, make sure you have the email client listed in the Application Monitor, and that you can utilize the links directly (ie, when physically logged in to the desktop). If this doesn’t work by itself, it’s certainly not going to work thru VPN.

Then let’s see what happens…

LM
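
A simplified model of the two Trusted Network rules described in the post above, comparing the whole-subnet zone with a tighter address range (added example, not from the thread or from Comodo's code). It assumes top-down first-match evaluation, a 192.168.1.x LAN, and a final block-all rule standing in for the rest of the list; the laptop, the third LAN host and the internet address are constructed.

```python
from ipaddress import ip_address

def in_range(addr, zone):
    """zone is an inclusive (first, last) pair of address strings; None means Any."""
    if zone is None:
        return True
    lo, hi = (ip_address(z) for z in zone)
    return lo <= ip_address(addr) <= hi

def trusted_network_rules(zone):
    """The two rules the post describes: IP Out Any -> Zone, IP In Zone -> Any."""
    return [
        {"action": "allow", "dir": "out", "src": None, "dst": zone},
        {"action": "allow", "dir": "in", "src": zone, "dst": None},
    ]

# Assumed stand-in for the remainder of the rule list: block everything else.
BLOCK_ALL = {"action": "block", "dir": None, "src": None, "dst": None}

def decide(rules, direction, src, dst):
    """Return (action, rule index) of the first rule that matches (assumed order)."""
    for i, r in enumerate(rules):
        if (r["dir"] in (None, direction)
                and in_range(src, r["src"]) and in_range(dst, r["dst"])):
            return r["action"], i
    return "block", None

DESKTOP = "192.168.1.125"                        # address seen in the log on this page
LAPTOP, OTHER = "192.168.1.130", "192.168.1.200"  # constructed LAN hosts
INTERNET = "203.0.113.7"                         # constructed non-LAN source
WHOLE_SUBNET = ("192.168.1.0", "192.168.1.255")  # assumed default zone
NARROW = ("192.168.1.125", "192.168.1.130")      # constructed tighter zone

def verdicts(zone):
    """Inbound decisions at the desktop for three sources under the given zone."""
    rules = trusted_network_rules(zone) + [BLOCK_ALL]
    return {
        "laptop->desktop": decide(rules, "in", LAPTOP, DESKTOP)[0],
        "other->desktop": decide(rules, "in", OTHER, DESKTOP)[0],
        "internet->desktop": decide(rules, "in", INTERNET, DESKTOP)[0],
    }
```

With the whole subnet as the zone, every LAN host is allowed in; the tighter range still admits the laptop while the third host falls through to the block rule.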

Works like a charm, LM!

Thanks for your help - it’s nice to find vendors with great support!

Tom

Tom,

Glad that’s working for you now! Glad you think that’s great support, too, since it took me a couple tries to figure out what you were trying to do… ;D

I’ll go ahead and mark the topic resolved for other users’ benefit. If you do experience a problem with this, it starts acting up again, etc, just PM me or another Mod with a link to the topic, and we’ll be glad to reopen it for you.

LM