Firewall Options.

[Guest]

[fell_cbr]

Which options are best for a Home User (i connect trough DSL, there are no other devices on my Network)

i've marked Protect Arp Cache, Block Fragmented IP Dg., Do Protocol Analysis, Monitor NDIS protocol other than TCP/IP

i've read through Comodo Help and its a bit cryptic for me..


how do i treat P2P programs like uTorrent? should i put it on my Thrust list, choose outgoing only or another option?


I'm sorry if those question are noobish, first time using CIS, i will post any other questions on this topic.

[L.A.R. Grizzly]

Which options are best for a Home User (i connect trough DSL, there are no other devices on my Network)

i've marked Protect Arp Cache, Block Fragmented IP Dg., Do Protocol Analysis, Monitor NDIS protocol other than TCP/IP

i've read through Comodo Help and its a bit cryptic for me..


how do i treat P2P programs like uTorrent? should i put it on my Thrust list, choose outgoing only or another option?


I'm sorry if those question are noobish, first time using CIS, i will post any other questions on this topic.

Choose Proactive Security

All I have checked are Block Fragmented IP and Do Protocol Analysis. You may run into trouble having Protect Arp Cache checked (this is for advanced setups). Run the Stealth Ports Wizard and choose Block all incoming connections and make my ports stealth for everyone. You can check your ports here:

https://www.grc.com/x/ne.dll?bh0bkyd2

My uTorrent settings: I allow it in the Sandbox as Trusted and in my Network Security Policy I have 2 custom rules:

Allow TCP Out From Mac Any to Mac Any Where Source Port Is Any And Destination Port Is Any
Allow UDP Out From Mac Any to Mac Any Where Source Port Is Any And Destination Port Is Any

uTorrent works fine with these settings on my system. In uTorrent under Connection, choose Randomize Port Each Start. You can open uTorrent and see which port it's using and then check that port at Shields UP! You should find that it is stealthed.

[fell_cbr]

Choose Proactive Security

All I have checked are Block Fragmented IP and Do Protocol Analysis. You may run into trouble having Protect Arp Cache checked (this is for advanced setups). Run the Stealth Ports Wizard and choose Block all incoming connections and make my ports stealth for everyone. You can check your ports here:

https://www.grc.com/x/ne.dll?bh0bkyd2

My uTorrent settings: I allow it in the Sandbox as Trusted and in my Network Security Policy I have a custom rule:

Allow TCP Out From Mac Any to Mac Any Where Source Port Is Any And Destination Port Is Any
Allow UDP Out From Mac Any to Mac Any Where Source Port Is Any And Destination Port Is Any

uTorrent works fine with these settings on my system. In uTorrent under Connection, choose Randomize Port Each Start. You can open uTorrent and see which port it's using and then check that port at Shields UP! You should find that it is stealthed.

Why Sandbox uTorrent? i don't know if theres anything that will make uTorrent misbehave, it doesn't update sometimes?

you say i may run into troube enabling Protect Arp Cache, what may happen?

if i enable randomize ports on utorrent say, if he used por X on my last session and now he is going to use Y does he close port X?

sometimes i get alerts that says that my system is trying to receive a connection from the internet like the one on the attached screenshot, is that normal behavior (windows checking for update or something) ?

[L.A.R. Grizzly]

1) Why Sandbox uTorrent? i don't know if theres anything that will make uTorrent misbehave, it doesn't update sometimes?

2) you say i may run into troube enabling Protect Arp Cache, what may happen?

3) if i enable randomize ports on utorrent say, if he used por X on my last session and now he is going to use Y does he close port X?

4) sometimes i get alerts that says that my system is trying to receive a connection from the internet like the one on the attached screenshot, is that normal behavior (windows checking for update or something) ?

1) I don't Sandbox uTorrent, I have it as a trusted file.

2) http://forums.comodo.com/index.php?action=search2  Just type in ARP Cache. You can try this setting if you want. Previously, there were many complaints when the average user had this checked. I think I remember that it's not necessary unless you are networking.

From CIS Help:

"It should be noted, that a successful ARP attack is almost always dependent on the hacker having physical access to your network or direct control of a machine on your network - therefore this setting is of more relevance to network administrators than home users."

http://help.comodo.com/topic-72-1-284-3024-Advanced-Settings.html

http://forums.comodo.com/firewall-help-cis/protect-the-arp-cache-t61591.0.html;msg433911#msg433911

3) Yes. uTorrent closes the previous port and chooses another when reopened.

4) Did you choose Proactive Security? You may have a Windows setting that requires incoming connections (such as Windows Automatic Updates).

[fell_cbr]

1) I don't Sandbox uTorrent, I have it as a trusted file.

2) http://forums.comodo.com/index.php?action=search2  Just type in ARP Cache. You can try this setting if you want. Previously, there were many complaints when the average user had this checked. I think I remember that it's not necessary unless you are networking.

From CIS Help:

"It should be noted, that a successful ARP attack is almost always dependent on the hacker having physical access to your network or direct control of a machine on your network - therefore this setting is of more relevance to network administrators than home users."

http://help.comodo.com/topic-72-1-284-3024-Advanced-Settings.html

http://forums.comodo.com/firewall-help-cis/protect-the-arp-cache-t61591.0.html;msg433911#msg433911

3) Yes. uTorrent closes the previous port and chooses another when reopened.

4) Did you choose Proactive Security? You may have a Windows setting that requires incoming connections (such as Windows Automatic Updates).

That was very.. very helpful 

Yes, i'm using proactive security since i've read chiron's guide..

[fell_cbr]

I did a leak test and those were the results



how can i improve my results?

[L.A.R. Grizzly]

how can i improve my results?

Simply, don't use the leak test! It wasn't designed to test Comodo with the new Sandbox feature. It's quite old.

http://forums.comodo.com/install-setup-configuration-help-cis/where-can-i-download-this-comodo-firewall-551957861383-t84885.0.html;msg606020#msg606020

[EricJH]

However a useful test it is old in the sense of that it is made to test a HIPS only solution. The sandbox will skew results. You may want to read Getting Accurate Leak Test Results to learn more how to test with sandbox enabled.

Or follow How To Install & Configure CIS for Max Protection & Min Alerts if you want a quick and easy solution.

[BoredNow]

Making port 445 available to the internet is asking for trouble.

http://www.grc.com/port_445.htm

Making Utorrent "trusted" is also asking for trouble.

[L.A.R. Grizzly]

Making Utorrent "trusted" is also asking for trouble.

A "trusted file" just means that it's not Sandboxed. The program is still covered by D+ and the Firewall.

[BoredNow]

Rules...

https://forums.comodo.com/firewall-help-cis/utorrent-help-t84531.0.html;msg603907#msg603907

[L.A.R. Grizzly]

Rules...

https://forums.comodo.com/firewall-help-cis/utorrent-help-t84531.0.html;msg603907#msg603907

Those are Firewall Rules and have nothing to do with the Trusted Files List in D+.

[BoredNow]

...and in my Network Security Policy I have a custom rule:

Allow TCP Out From Mac Any to Mac Any Where Source Port Is Any And Destination Port Is Any
Allow UDP Out From Mac Any to Mac Any Where Source Port Is Any And Destination Port Is Any

[L.A.R. Grizzly]

I don't allow any incoming.

uTorrent randomly chooses ports from 10000 to 65535, so I see no need to set port ranges.

So, except for port ranges, how do my settings differ from Rule 2 and Rule 3?

[fell_cbr]

Rule 6
Action = Block (enable Log as a firewall event if this rule is fired)
Protocol = IP
Direction = In/OUT
Description = Block and Log All Unmatching Requests
Source Address = Any
Destination Address = Any
IP Details = Any

the guides you refer poin to blocking out..your sixth rule for blocking is In and Out, why?


EDIT: Should i also disable "Do Protocol analysis" while torrenting?
EDIT2: On your TCP out rule, the destination port is a port set, why not only use port 80? should i also create a global rule?


On my Global Rules i have this..
http://img842.imageshack.us/img842/8161/53812085.jpg
doesnt the two rules overlap each other?


EDIT 5? : is it okay to have a lot of events on the firewall, some of them are IPV6 with those rules
http://img26.imageshack.us/img26/3751/97948808.jpg

[Tags:]