Comodo Forum › Firewall Help › Topic: My only global firewall rule
LeoniAquila (Global Moderator)
« on: July 06, 2009, 03:10:24 PM »

First of all, I'm a complete novice when it comes to networks and firewalls. I'm more into local system activity.

Now, my PC is not in a home network, it's just connected to the Internet. No hardware firewall, no router. Simple as that. Long ago (in CFP 3.0 I guess) it seemed like someone/something tried to connect to my machine. Despite the default Comodo rules I got some alerts of incoming connection attempts once in a while. Thus I got help at this forum to create a global firewall rule. It's simply "Block IP In From IP Any to IP Any Where Protocol Is Any" and I'm still using it, after every reinstallation of CIS (for whatever reason) I delete the default global rules and add my own rule.

Although I'm a firewall novice this rule appears to me as it would block just about every kind of connection coming in to my PC. So, can anyone explain - very simply please :) - how is it possible that I can actually surf, use DC++, and use Spotify without any connection problems whatsoever?

Thank you.
« Last Edit: July 06, 2009, 03:14:33 PM by LeoniAquila »

Moderator LeoniAquila:
Aims to keep the forum a friendly place. Any concerns? Please send me a PM and/or review the Forum Policy.

kail (Global Moderator)
« Reply #1 on: July 06, 2009, 03:31:48 PM »

Unsolicited - Traffic you didn't ask for.
Solicited - Traffic you asked for.

There is nothing wrong with that rule; it will basically block any inbound unsolicited connection attempts that an application hasn't grabbed. This is something that router users don't often need to worry about, because most routers do that by default. Now, this works because applications often open up ports to listen on for inbound connection attempts and this circumvents the global block rule because the port is already open (which is what you want). Sometimes, application dependent, you need to create special application rules to handle the inbound traffic & force a port open, but it is rarer these days I think. Another way, I suspect, for traffic to circumvent the global block rule is to use something like UPnP or port mapping, where all the inbound connections are, in effect, solicited (already established).

Vista Business x32+SP2 with CIS 3.12 & Firefox 3.5 & Becky! 2.52
__
A positive and polite attitude may not solve all your problems, but it will annoy enough people to make it worth the effort.

bluesjunior
« Reply #2 on: July 06, 2009, 03:57:57 PM »

I don't know any more than you LeoniAquila, but your rule is the same as the bottom Global rule in the Default Comodo CIS settings, with the exception being that you are not logging the blocks. Here is a screenshot of my Global Rules, all default except for the top one, which allows my DHCP to get an address renewal from my IP. I have the same sort of layout as you: a single desktop PC connected direct to the internet by broadband cable through a Fast Ethernet modem.

LeoniAquila (Global Moderator)
« Reply #3 on: July 07, 2009, 01:31:31 AM »

Thanks kail, slightly clearer now.

Thanks bluesjunior, I forgot that the default block rule actually is exactly the same as mine (except that I have no logging).

Why are there some other global default rules, the ones that allow certain traffic (as shown in bluesjunior's screenshot)? Obviously I don't need them?

bluesjunior
« Reply #4 on: July 07, 2009, 03:17:20 AM »

When my PC updated to 3.10 529 the default Global Rules were as below, but after I applied Kyle's set up guides and went to create the Port 67 & 68 DHCP rule I noticed that they had changed to the way they are now and have been in previous versions.
I can't tell you why yours are different; it must be something to do with your own personal settings.
« Last Edit: July 07, 2009, 03:19:07 AM by bluesjunior »

EricJH (Global Moderator)
« Reply #5 on: July 07, 2009, 05:05:10 PM »

I am not intimately familiar with the workings of DC++, but as far as I know this is a p2p program. For p2p programs you must have an open port for incoming, unsolicited, traffic. To make that work you need to open a port under Global Rules.

Without an open port for the incoming traffic you will have less download capabilities. As a consequence the situation is as follows. Either you are happy with having less download capabilities (that may also translate to lower download speed) or your firewall is not functioning properly. With regards to the latter, run Diagnostics and see if there are Active connections, just to be on the safe side of things.

Triple boot: XP SP3, Vista Ultimate 32 SP2 and Win7 RTM (default) , Always the latest CIS or CIS Beta (too lazy to update my sig) Athlon XP 2600 1 GB RAM. Opera Browser always using the latest snapshots; Opera 10.10 as of now

LeoniAquila (Global Moderator)
« Reply #6 on: July 08, 2009, 07:32:30 AM »

It's not p2p, it's direct file sharing.

Quill (Global Moderator)
« Reply #7 on: July 08, 2009, 07:48:28 AM »

> It's not p2p, it's direct file sharing.

To be fair, it's still p2p (person to person).

Anyway, for DC++ to work correctly you need to allow a Global IN rule. I can't remember the port, but without it, it's not going to work very well. Sure, you might be able to download from others, but they won't be able to get from you.

To be honest, I don't know how you have managed with just a block IN rule...

I know from experience, we can do without Global rules completely, but if you place a single global block IN, to my mind, that's exactly what it does.

"Well, I've wrestled with reality for 35 years, Doctor, and I'm happy to state I finally won out over it."

LeoniAquila (Global Moderator)
« Reply #8 on: July 08, 2009, 04:00:34 PM »

> To be fair, it's still p2p (person to person).

Fair enough. :D

> Anyway, for DC++ to work correctly you need to allow a Global IN rule. I can't remember the port, but without it, it's not going to work very well. Sure, you might be able to download from others, but they won't be able to get from you.

Might be true... I'm actually hardly using DC++, and I don't share anything, so I can't really tell whether that part works or not.

> I know from experience, we can do without Global rules completely, but if you place a single global block IN, to my mind, that's exactly what it does.

I read long ago that some users use CFP/CIS without global rules, but I wouldn't feel safe doing so. What if you launch a program with possibility to send and receive data, and you have no application rule for it (nor any global rule) - thus it's open for incoming attacks? Would CFP warn about such an incoming connection attempt as the application lacks a rule?

Thanks.

Quill (Global Moderator)
« Reply #9 on: July 08, 2009, 08:24:50 PM »

I remember there being a long thread on here somewhere, it's probably buried in the archive board somewhere. As far as I can remember, we came to the conclusion that Global Rules, whilst useful for a number of reasons, aren't essential.

For communication to take place there must be an appropriate rule, that's true for both inbound and outbound traffic. If you think about an application like uTorrent, for example, you can see that it needs to have a rule that allows TCP and UDP IN and OUT. If that rule doesn't exist, uTorrent won't work. Now think about how that rule is catered for under CIS.

Application Rule - (this is only part of the whole rule)

Action = Allow
Protocol = TCP or UDP
Direction = In
Source Address = Any
Destination Address = Any
Source Port = Any
Destination Port = [Your uTorrent Port]

Action = Allow
Protocol = UDP
Direction = Out
Source Address = Any
Destination Address = Any
Source Port = [Your uTorrent Port]
Destination Port = Any

So, what about a Global rule for this, is it necessary? Well the answer to that is, it depends. First we need to look at the current rules, if there is a block rule that disallows all inbound traffic, then we will need a rule:

Action = Allow
Protocol = TCP or UDP
Direction = In
Source Address = Any
Destination Address = Any
Source Port = Any
Destination Port = [Your uTorrent Port]

If, on the other hand, there are no Global Rules, then there is nothing to prevent communication in either direction.

Again, think about a common configuration for Global rules:

The first rule is always invariably:

Allow IP OUT ANY ANY ANY

And the final rule is almost always invariably:

Block IP IN ANY ANY ANY

In the middle, rules such as the one above for uTorrent will exist.

So, yes, we can exist without Global Rules; they simply make some things easier to achieve.

LeoniAquila (Global Moderator)
« Reply #10 on: July 09, 2009, 02:54:54 AM »

Thanks a lot for explaining, although I don't really follow all details.

> If, on the other hand, there are no Global Rules, then there is nothing to prevent communication in either direction.

What mainly concerns me is the possibility of a hacker to somehow access my PC, provided that I have no global rules. Can they enter my system somehow, when it's just idle, and no application (like uTorrent - although I don't have uTorrent) is running?

If my concern is insubstantial, what about having uTorrent (or any application that uses the network) running - would those "allow" rules you wrote compromise the system as there are no application "block" rules, nor any global rule?

Quill (Global Moderator)
« Reply #11 on: July 09, 2009, 03:24:07 AM »

The example I posted for uTorrent is only a small portion of the whole. At the bottom of each application rule, I have an ASK or a BLOCK depending on what I'm trying to do. If I'm happy a rule works, I place a block and log; if it's a work in progress I use Ask and log.

The last rule I have in Application Rules Is Block IP IN/OUT ANY ANY ANY.

If I decided not to use Global Rules, then this last rule is fundamentally the same as your Global Rule.

As I said earlier, There has to be an Allow rule somewhere in the pathway for a connection to be made, this applies to both in and outbound communications.

LeoniAquila (Global Moderator)
« Reply #12 on: July 09, 2009, 04:06:33 AM »

OK

> The example I posted for uTorrent is only a small portion of the whole. At the bottom of each application rule, I have an ASK or a BLOCK depending on what I'm trying to do. If I'm happy a rule works, I place a block and log; if it's a work in progress I use Ask and log.
>
> The last rule I have in Application Rules Is Block IP IN/OUT ANY ANY ANY.
>
> If I decided not to use Global Rules, then this last rule is fundamentally the same as your Global Rule.
>
> As I said earlier, There has to be an Allow rule somewhere in the pathway for a connection to be made, this applies to both in and outbound communications.

Being the last rule I guess hierarchy applies? Basically the rule is active, but those above it (in the rule tree of the application) override it?

Quill (Global Moderator)
« Reply #13 on: July 09, 2009, 04:22:46 AM »

Exactly. Just the same as Global rules.
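The evaluation order Quill lays out in Replies #9, #11 and #13 (rules read top-down, first match wins, an Allow has to exist somewhere in the path, a closing Block catches the rest) and kail's solicited/unsolicited distinction from Reply #1 can be put together in a small model. The code below is an added example written for this thread; it is not Comodo's code and does not reproduce the real CIS engine. It assumes a simplified order (inbound traffic is checked against global rules and then the application's own rules, outbound the other way round), treats a reply to a connection the host itself opened as solicited, and raises an alert for traffic no rule matches. Nobody in the thread names DC++'s listening port, so DCPP_PORT is a constructed placeholder, and the packets fed through are constructed too.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

ANY = "ANY"


@dataclass
class Rule:
    """One rule in the thread's notation: Rule("Block", "IP", "In") is Block IP IN ANY ANY ANY."""
    action: str                  # "Allow", "Block" or "Ask"
    protocol: str                # "IP" (any), "TCP", "UDP" or "TCP or UDP"
    direction: str               # "In", "Out" or "In/Out"
    src_port: object = ANY
    dst_port: object = ANY

    def matches(self, proto: str, direction: str, sport: int, dport: int) -> bool:
        if self.protocol != "IP" and proto not in self.protocol.split(" or "):
            return False
        if self.direction != "In/Out" and self.direction != direction:
            return False
        if self.src_port != ANY and self.src_port != sport:
            return False
        return self.dst_port == ANY or self.dst_port == dport


@dataclass
class Firewall:
    app_rules: Dict[str, List[Rule]]       # per-executable rule lists, top-down order
    global_rules: List[Rule]               # global rule list, top-down order
    # (protocol, local port) of connections this host opened itself; replies to
    # them are "solicited" in kail's sense (assumed stateful shortcut, not CIS internals)
    established: Set[Tuple[str, int]] = field(default_factory=set)

    @staticmethod
    def first_match(rules, proto, direction, sport, dport) -> Optional[Rule]:
        for rule in rules:                  # hierarchy: the first matching rule wins
            if rule.matches(proto, direction, sport, dport):
                return rule
        return None

    def evaluate(self, app: str, proto: str, direction: str, sport: int, dport: int) -> str:
        if direction == "In" and (proto, dport) in self.established:
            return "Allow (solicited reply)"
        app_list = self.app_rules.get(app, [])
        # Assumed order: outbound consults application rules then global rules,
        # inbound consults global rules then application rules.
        if direction == "Out":
            layers = [("application", app_list), ("global", self.global_rules)]
        else:
            layers = [("global", self.global_rules), ("application", app_list)]
        allowed_by = None
        for name, rules in layers:
            hit = self.first_match(rules, proto, direction, sport, dport)
            if hit is None:
                continue                    # nothing in this layer: fall through to the next
            if hit.action != "Allow":
                return f"{hit.action} ({name} rule)"   # a Block or Ask ends evaluation
            allowed_by = allowed_by or name
        if allowed_by is None:
            return "Ask (no matching rule)"  # assumption: unmatched traffic raises an alert
        if direction == "Out":
            self.established.add((proto, sport))
        return f"Allow ({allowed_by} rule)"


DCPP_PORT = 1412   # constructed placeholder: the thread does not say which port DC++ listens on

APP_RULES = {
    "firefox.exe": [Rule("Allow", "TCP", "Out"), Rule("Block", "IP", "In/Out")],
    "DCPlusPlus.exe": [
        Rule("Allow", "TCP or UDP", "In", dst_port=DCPP_PORT),
        Rule("Allow", "TCP or UDP", "Out"),
        Rule("Block", "IP", "In/Out"),      # Quill's closing per-application block
    ],
}

SINGLE_BLOCK = [Rule("Block", "IP", "In")]          # LeoniAquila's only global rule

WITH_DCPP_IN = [                                     # the common layout Quill describes
    Rule("Allow", "IP", "Out"),
    Rule("Allow", "TCP or UDP", "In", dst_port=DCPP_PORT),
    Rule("Block", "IP", "In"),
]


def scenario(global_rules: List[Rule]) -> Dict[str, str]:
    """Run four constructed packets through the model and report the verdicts."""
    fw = Firewall(APP_RULES, global_rules)
    return {
        # browsing: an outbound request, then the server's reply to the same local port
        "browse_out": fw.evaluate("firefox.exe", "TCP", "Out", 50000, 80),
        "browse_reply": fw.evaluate("firefox.exe", "TCP", "In", 80, 50000),
        # another DC++ user connecting to our share: unsolicited inbound
        "dcpp_unsolicited": fw.evaluate("DCPlusPlus.exe", "TCP", "In", 40000, DCPP_PORT),
        # a probe at a port nothing is listening on, so no application rule applies
        "idle_probe": fw.evaluate("", "TCP", "In", 40001, 445),
    }


if __name__ == "__main__":
    for label, rules in [("single block", SINGLE_BLOCK), ("with DC++ IN", WITH_DCPP_IN), ("no globals", [])]:
        print(label, scenario(rules))
```

With only the single global block, browsing still works because the server's reply is solicited, while the unsolicited DC++ connection and the idle-port probe are both stopped by the global rule, which is the behaviour the thread describes. Adding the middle Allow IN rule for the DC++ port lets that one inbound connection through while the probe is still blocked. With no global rules at all, the DC++ application rule alone admits the connection, and the probe at a port with no application rule falls through to an alert in this model.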

LeoniAquila (Global Moderator)
« Reply #14 on: July 09, 2009, 08:56:38 AM »

Thanks, it's a bit clearer now. :)