Program accessing internet despite...

Hi,

I can’t figure out why Crashplan on my computer is able to connect to their cloud even though I have Traffic Filtering set to Custom Ruleset and CrashPlanService.exe is not listed under Application Rules. Comodo also never asked me about the program as far as I can remember. What settings are allowing this application and how can I ensure that no application is allowed without CIS asking for permission first?

Check the global rules; you may have a rule that allows all outgoing traffic (if memory serves me right, some default config has that). Also, go to advanced settings for the firewall and make sure “Do NOT show popup alerts” is deselected.

If firewall is set to custom ruleset and the application in question isn’t in the rules then the global rules will still apply, so if you have an allow all outgoing rule there then that applies to those applications as well, I’d recommend removing any such global rules.

Thanks for the tips, I was about to check those but after restarting my computer today, CIS asked permission for Crashplan. I must have allowed the connection earlier but did not check “remember”. Duh. It’s a bit misleading (IMO) that when applications ask for a loopback connection, choosing Allow actually creates a rule where destination is ANY. This way users are granting programs full internet access even though the dialog asks about loopback connection.

So much for that, but since I started asking questions here’s another thing I’ve been wondering about the Global Rules. From the CIS documentation:

“Therefore, outgoing traffic has to 'pass' both the application rule then any global rules before it is allowed out of your system.”

Right now I don’t have a global rule to allow outgoing internet access, yet my programs can communicate by just being on the Application Rules list. Why is this?
What is the default action (i.e. “last rule”) of the Global Rules list?

To change this behavior you want to increase the alert frequency; that decides what rules are applied when you select “Allow” and “Block” for a firewall alert. I assume yours is set to Low or around that area. I personally have it at the highest, which I think is “Very High” or something like that; that means instead of only looking at inbound/outbound it also looks at IP address and ports, TCP/UDP, etc.

Because for outgoing traffic the application rules list has a higher priority. Besides that, the lack of an allow rule in global rules does not by itself imply a block rule; it implies the global rules don’t have a rule for the traffic and hence it’s left to the application rules, and if there aren’t any application rules then you’ll see an alert.

Application rules and global rules have different priorities when it comes to outbound and inbound traffic. Application rules have a higher priority when it comes to outbound traffic but global rules have a higher priority when it comes to inbound traffic, at least I think that’s how it works, it’s a bit complicated and personally I’m not a fan of the system.

Incoming traffic first passes through Global Rules and then through Application Rules.

Outgoing traffic first passes through Application Rules and then through Global Rules. Outgoing traffic is controlled by application rules; the Global Rules will generally allow outgoing traffic.

Meaning that if you want to block ALL applications from outgoing traffic to a certain IP then that becomes cumbersome since you first need to create a global rule and then also add it to every application rule as well as presets.

Not relevant to the issue at hand but an example of the shortcomings of the global/application rule system.

Thanks, so by default Global Rules will allow traffic, i.e. if no rules match then it is allowed. The quote I posted from documentation led me to believe this wasn’t the case. If the last line on the Global Rules list would be a grayed out “allow all”, this would be instantly clear.

CIS doesn’t have the best UI, but they do have a neat forum :)

No, if there is no “Allow all outgoing traffic” or similar then there is no such rule in effect.

Only the rules present are in effect, there are no hidden rules.

What I was discussing with EricJH is irrelevant to this topic, ignore it. ;)

No hidden rules per se, but the Global Rules list seems to allow traffic if there are no matching deny rules. I haven’t found any documentation where this is stated (nor within CIS UI or the web) which I found very confusing.

The global rules don’t allow anything unless there is a specific allow rule for the traffic. There may be other things that allow the traffic, for example Firewall settings, Application Rules, or answering a firewall alert without checking “Remember my answer” (which creates a session rule).

Let’s say you have the firewall in Custom Ruleset and you’ve disabled “Do NOT show alerts” and let’s say you don’t have the application in the application rules and let’s say you don’t have any “allow outgoing” rules in Global Rules, then you will see an alert for the connections the application is trying to make; it won’t be allowed through unless you specify it somewhere.

Now the same scenario as above but you have a global rule that says “Block all outgoing” and an application rule that says “Allow all outgoing” at that point it will allow the outgoing traffic.

Now the same scenario as above but you have a global rule that says “Allow all outgoing” and an application rule that says “Block all outgoing” at that point it will block the outgoing traffic.

Oh ok so the traffic doesn’t have to have an allow rule on both lists - if a match is found on the first consulted list then that action is taken regardless what the second list says. If no match is found on either one, an alert dialog is shown. Correct?

But why then does the Comodo manual (Global Rules, Firewall Protection, Best Firewall, Network Connection - COMODO) state that outgoing traffic has to “'pass' both the application rule then any global rules before it is allowed out of your system” when this doesn't seem to be the case?

Wait… I’m sorry I was wrong, having re-read and re-tested it is as it is said in the help text. It has to pass by both, what exactly that means I have to think about, I’ll come back with my conclusion soon.

Edit: Alright, let’s make a bullet point…

Application Example.exe is trying to make an outgoing connection. The firewall is set to Custom Ruleset.

  • Is there an application rule for Example.exe
    • Yes
      • According to application rule, is the traffic allowed, blocked, “Ask” or not specified?
        • Allowed
          • According to global rules, is the traffic allowed, blocked or not specified?
            • Allowed
              • Result: Allow the traffic
            • Blocked
              • Result: Block the traffic
            • Not Specified
              • Result: Allow the traffic
        • Blocked
          • Result: Block the traffic (Global rules are irrelevant here)
        • Not Specified
          • According to global rules, is the traffic allowed, blocked or not specified?
            • Allowed
              • Result: Ask the user
            • Blocked
              • Result: Block the traffic
            • Not Specified
              • Result: Ask the user
        • Ask
          • According to global rules, is the traffic allowed, blocked or not specified?
            • Allowed
              • Result: Ask the user
            • Blocked
              • Result: Block the traffic
            • Not Specified
              • Result: Ask the user
    • No
      • According to global rules, is the traffic allowed, blocked or not specified?
        • Allowed
          • Result: Ask the user
        • Blocked
          • Result: Block the traffic
        • Not specified
          • Result: Ask the user

And that’s just the outgoing traffic, then we also have the incoming traffic which I don’t want to get into… Now perhaps you see why I think it’s a bit complicated, even I, after a few years, had misunderstood it!

Edit: Even then that was wrong, have updated to represent the actual logic…
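
The outbound decision list in the post above, modelled in Python as an added example (not part of the thread and not Comodo's code), and used to compare an "Allow" rule with destination ANY against one scoped to loopback. Assumptions: the names `Rule`, `first_match` and `outbound_verdict` are hypothetical, rules match on destination only, each list is read top-down with the first match winning, and the remote address is a constructed documentation address.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ALLOW, BLOCK, ASK = "allow", "block", "ask"

@dataclass
class Rule:
    action: str               # ALLOW, BLOCK or ASK
    dest: str = "0.0.0.0/0"   # destination network; the default stands for "ANY"

def first_match(rules, dest_ip):
    """Action of the first rule covering dest_ip, or None ("not specified")."""
    for rule in rules:
        if ip_address(dest_ip) in ip_network(rule.dest):
            return rule.action
    return None

def outbound_verdict(app_rules, global_rules, dest_ip):
    """Verdict for outgoing traffic, following the decision list in the post.

    app_rules is None when the program has no entry under Application Rules.
    """
    app = first_match(app_rules, dest_ip) if app_rules is not None else None
    glob = first_match(global_rules, dest_ip)
    if app == BLOCK:
        return BLOCK          # global rules are irrelevant here
    if glob == BLOCK:
        return BLOCK          # a global block beats allow, ask and not specified
    if app == ALLOW:
        return ALLOW          # global rules allowed it or had nothing to say
    return ASK                # app rule says ask, is silent, or does not exist

CLOUD = "203.0.113.10"        # constructed address standing in for a remote server
LOOPBACK = "127.0.0.1"

def scenarios():
    any_dest = [Rule(ALLOW)]                 # rule with destination ANY
    scoped = [Rule(ALLOW, "127.0.0.0/8")]    # same answer, limited to loopback
    return {
        "any_dest_to_cloud": outbound_verdict(any_dest, [], CLOUD),
        "scoped_to_cloud": outbound_verdict(scoped, [], CLOUD),
        "scoped_to_loopback": outbound_verdict(scoped, [], LOOPBACK),
        "global_block_vs_app_allow": outbound_verdict(any_dest, [Rule(BLOCK)], CLOUD),
        "no_app_rule_global_allow": outbound_verdict(None, [Rule(ALLOW)], CLOUD),
    }

if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name}: {verdict}")
```
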