Win CE firewall unable to use.

  • Question

  • I enabled the firewall in my Platform Builder OS design project, and since then my device is not pingable from any PC.

    Do I need to change the rules to enable this?

    Also, my application uses a range of ports like xx500 to xx511, but that also failed to work even when I created rules for inbound and outbound TCP.

     

    Please help....

    regards

    Aji

    Tuesday, January 25, 2011 11:39 AM

All replies

  • The default rules for the firewall should allow ping replies: check for [HKEY_LOCAL_MACHINE\COMM\Firewall\Rules\AllowICMP_ECHO_REPLY] in the registry

     


    Luca Calligaris lucaDOTcalligarisATeurotechDOTcom www.eurotech.com Check my blog: http://lcalligaris.wordpress.com
    Tuesday, January 25, 2011 12:58 PM
  •  

    Yes, I had only enabled the firewall and I am able to see [HKEY_LOCAL_MACHINE\COMM\Firewall\Rules\AllowICMP_ECHO_REPLY] in the registry,

    i.e. in the common.reg file.

    I don't have persistent storage for the registry; will this affect the firewall working?

    It is like I can ping from the device to other PCs but other PCs cannot ping it.

    Also, when I programmatically disable the firewall then I am able to ping from other PCs.

     

    thanks

    Aji


    Tuesday, January 25, 2011 4:10 PM
  • "ie in the common.reg file." But the question is, do you have this key in the registry on the device? Start by checking your _FLATRELEASEDIR\reginit.ini, or using the Remote Registry Viewer.
    Bruce Eitman (eMVP)
    Senior Engineer
    Bruce.Eitman AT Eurotech DOT com
    My BLOG http://geekswithblogs.net/bruceeitman

    Eurotech Inc.
    www.Eurotech.com
    Tuesday, January 25, 2011 4:33 PM
    Moderator
  • Yes, I am able to find it in the reginit.ini file.

     

    thanks 

    Aji

    Tuesday, January 25, 2011 4:41 PM
  • Can you post all firewall settings inside your registry? Also firewall rules. Regards, Paolo.
    Wednesday, January 26, 2011 8:13 AM
  •  

    My device has 2 Ethernet interfaces; will it make any difference?

    The reginit.ini has these entries:

     

    ; @CESYSGEN IF CE_MODULES_FW6

    ; Firewall
    [HKEY_LOCAL_MACHINE\Drivers\BuiltIn\FW6]
       "Prefix"="FW6"
       "Dll"="fw6.dll"
       "Order"=dword:30
       "Index"=dword:0

    ; @CESYSGEN IF CE_MODULES_IPNAT
    ; @CESYSGEN ENDIF

    ; Allow DHCP unicast response UDP packet to port 68
    [HKEY_LOCAL_MACHINE\COMM\Firewall\Rules\DHCPUnicastResponse]
        "Mask"=dword:24         ; FWM_PROTOCOL | FWM_PORT
        "Flags"=dword:A         ; FWF_ALLOW | FWF_INBOUND
        "PrivateHost"=hex:02,00 ; AF_INET
        "Protocol"=dword:11     ; IP_PROTOCOL_UDP
        "Port"=dword:44         ; 68

    ; Block packets with source address spoofed to be broadcast
    [HKEY_LOCAL_MACHINE\COMM\Firewall\Rules\SourceBroadcast]
        "Mask"=dword:802        ; FWM_PUBLIC_HOST | FWM_PUBLIC_HOST_MASK
        "Flags"=dword:09        ; FWF_BLOCK | FWF_INBOUND
        "PrivateHost"=hex:02,00 ; AF_INET
        "PublicHostMask"=dword:FFFFFFFF
        "PublicHost"=hex:02,00,00,00,FF,FF,FF,FF

    ; Block packets with source address spoofed to be loopback
    [HKEY_LOCAL_MACHINE\COMM\Firewall\Rules\SourceLoopback]
        "Mask"=dword:802        ; FWM_PUBLIC_HOST | FWM_PUBLIC_HOST_MASK
        "Flags"=dword:09        ; FWF_BLOCK | FWF_INBOUND
        "PrivateHost"=hex:02,00 ; AF_INET
        "PublicHostMask"=dword:FFFFFFFF
        "PublicHost"=hex:02,00,00,00,7F,00,00,01

    ; Block outbound ICMP message to make port scanning and fingerprinting more difficult
    [HKEY_LOCAL_MACHINE\COMM\Firewall\Rules\BlockOutboundICMP]
        "Mask"=dword:20         ; FWM_PROTOCOL
        "Flags"=dword:11        ; FWF_BLOCK | FWF_OUTBOUND
        "PrivateHost"=hex:02,00 ; AF_INET
        "Protocol"=dword:1      ; IP_PROTOCOL_ICMPv4

    ; Allow specific outbound ICMP that we want
    ; Below rules allow outbound ICMP_ECHO_REQUEST and ICMP_ECHO_REPLY
    ; If desired, add similar rules for ICMP_ROUTER_REQUEST, ICMP_TIMESTAMP_REQUEST and ICMP_MASK_REQUEST
    ; Note that appropriate inbound ICMP_XXX_RESPONSE messages will be allowed from the host to which
    ; the outbound ICMP_XXX_REQUEST message is sent.
    [HKEY_LOCAL_MACHINE\COMM\Firewall\Rules\AllowICMP_ECHO_REQUEST]
        "Mask"=dword:28         ; FWM_PROTOCOL | FWM_TYPE
        "Flags"=dword:12        ; FWF_ALLOW | FWF_OUTBOUND
        "PrivateHost"=hex:02,00 ; AF_INET
        "Protocol"=dword:1      ; IP_PROTOCOL_ICMPv4
        "Type"=dword:8          ; ICMP_ECHO_REQUEST

    [HKEY_LOCAL_MACHINE\COMM\Firewall\Rules\AllowICMP_ECHO_REPLY]
        "Mask"=dword:28         ; FWM_PROTOCOL | FWM_TYPE
        "Flags"=dword:12        ; FWF_ALLOW | FWF_OUTBOUND
        "PrivateHost"=hex:02,00 ; AF_INET
        "Protocol"=dword:1      ; IP_PROTOCOL_ICMPv4
        "Type"=dword:0          ; ICMP_ECHO_REPLY

    ; @CESYSGEN IF CE_MODULES_IPV6HLP
    ; @CESYSGEN ENDIF

    ; @CESYSGEN IF CE_MODULES_TCPIP6
    ; @CESYSGEN ENDIF

    ; @CESYSGEN ENDIF

     

     

    Thanks 

    Aji

     

    Thursday, January 27, 2011 6:40 AM
  • But I can see the DHCP is working.....
    Thursday, January 27, 2011 11:00 AM
  • ;Lets enable ping
    [HKEY_LOCAL_MACHINE\COMM\Firewall\Rules\EnabledMyPING]
        "Mask"=dword:28   ; FWM_PROTOCOL | FWM_TYPE
        "Description"="{73687012-EF70-4054-A809-6D3EE8ED982E}"  
        "Flags"=dword:A   ;FWF_ALLOW | FWF_INBOUND
        "PrivateHost"=hex:02,00   ; AF_INET
        "Protocol"=dword:1      ; IP_PROTOCOL_ICMPv4
        "Type"=dword:8          ; ICMP_ECHO_REQUEST

    ;enabling inbound ports
    [HKEY_LOCAL_MACHINE\Comm\Firewall\Rules\AllowedTCPInbound]
    "Description"="Allowed inbound TCP ports"
    "Mask"=dword:24 ;FWM_PORT | FWM_PROTOCOL
    "Flags"=dword:A ;FWF_ALLOW | FWF_INBOUND
    "PrivateHost"=hex:02,00 ;Applies to all IPv4 hosts
    "Protocol"=dword:6 ;Applies to TCP Protocol
    "PortMin"=dword:c544 ;50500
    "PortMax"=dword:c54f ;50511
     
    ;enabling outbound ports
    [HKEY_LOCAL_MACHINE\Comm\Firewall\Rules\AllowedTCPOutbound]
    "Description"="Allowed outbound TCP ports"
    "Mask"=dword:24 ;FWM_PORT | FWM_PROTOCOL
    "Flags"=dword:12 ;FWF_ALLOW | FWF_OUTBOUND
    "PrivateHost"=hex:02,00 ;Applies to all IPv4 hosts
    "Protocol"=dword:6 ;Applies to TCP Protocol
    "PortMin"=dword:c544 ;50500
    "PortMax"=dword:c54f ;50511

    After making these entries I am able to ping and communicate on my ports.

    Don't know why I can't make the second and third rules work if I don't make this first rule, i.e. EnabledMyPING.
    Is it that ICMP needs to be enabled for TCP/IP communication to work? Any idea?

    Anyway, thanks a lot
    regards
    Aji Varghese
    Friday, January 28, 2011 2:24 PM
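
Added example, not part of the original thread: a small audit script that decodes the "Mask" and "Flags" dwords of the rules posted above and lists which rules admit a given inbound packet. Both ICMP rules in the default dump carry FWF_OUTBOUND, so nothing in that set matches an inbound echo request until EnabledMyPING is added. The bit values are inferred from the comments in the posted reginit.ini, and the script only looks for a matching allow rule; it does not model rule precedence or the firewall's handling of replies to outbound traffic.

```python
import re
# Bit values inferred from the comments in the thread's reginit.ini dump (assumption).
# ALLOW_IN = FWF_ALLOW (0x02) | FWF_INBOUND (0x08)
ALLOW_IN, FWM_PORT, FWM_TYPE, FWM_PROTOCOL = 0x0A, 0x04, 0x08, 0x20
# Constructed samples: the thread's rules trimmed to the values this check reads.
DEFAULT_RULES = r"""
[HKEY_LOCAL_MACHINE\COMM\Firewall\Rules\DHCPUnicastResponse]
    "Mask"=dword:24
    "Flags"=dword:A
    "Protocol"=dword:11
    "Port"=dword:44
[HKEY_LOCAL_MACHINE\COMM\Firewall\Rules\AllowICMP_ECHO_REPLY]
    "Mask"=dword:28
    "Flags"=dword:12        ; FWF_ALLOW | FWF_OUTBOUND
    "Protocol"=dword:1
    "Type"=dword:0
"""
ADDED_RULES = r"""
[HKEY_LOCAL_MACHINE\COMM\Firewall\Rules\EnabledMyPING]
    "Mask"=dword:28
    "Flags"=dword:A         ; FWF_ALLOW | FWF_INBOUND
    "Protocol"=dword:1
    "Type"=dword:8
[HKEY_LOCAL_MACHINE\Comm\Firewall\Rules\AllowedTCPInbound]
    "Mask"=dword:24
    "Flags"=dword:A
    "Protocol"=dword:6
    "PortMin"=dword:c544    ; 50500
    "PortMax"=dword:c54f    ; 50511
"""

def parse_rules(text):
    """Return {rule name: {value name: int}} for each firewall rule key."""
    rules, cur = {}, {}
    for line in text.splitlines():
        if m := re.match(r"\s*\[.*\\Firewall\\Rules\\([^\]\\]+)\]", line, re.I):
            cur = rules.setdefault(m.group(1), {})
        elif m := re.match(r'\s*"(\w+)"=dword:([0-9a-f]+)', line, re.I):
            cur[m.group(1)] = int(m.group(2), 16)  # dword values are hex
    return rules

def inbound_allow(rules, protocol, icmp_type=None, port=-1):
    """Names of FWF_ALLOW | FWF_INBOUND rules whose masked fields match."""
    def hit(r):
        mask, lo = r.get("Mask", 0), r.get("PortMin", r.get("Port", 0))
        return (r.get("Flags", 0) & ALLOW_IN == ALLOW_IN
                and (not mask & FWM_PROTOCOL or r.get("Protocol") == protocol)
                and (not mask & FWM_TYPE or r.get("Type") == icmp_type)
                and (not mask & FWM_PORT or lo <= port <= r.get("PortMax", lo)))
    return [name for name, r in rules.items() if hit(r)]
```

Running the same check against the full registry dump from the device (for example an export from the Remote Registry Viewer) shows which inbound traffic has an explicit allow rule before any rules are added.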