Author Topic: How To - Understanding & Creating Network Control Rules properly  (Read 80902 times)
OD
Forum Volunteer
Global Moderator
Comodo's Hero

Posts: 486


"To live is to dance, to dance is to live."


« Reply #120 on: July 21, 2007, 02:14:21 PM »


I see. So, in more technical terms and plz correct my terminology if it's wrong, I understand that the rule doesn't make the firewall check all outgoing packets for compliance with what it specifies, rather than allow tcp/udp sockets to be opened on the local host and connected to a remote host. This makes sense as, after a socket opens thanks to the rule, incoming traffic *can* be received through it... however after the socket is opened, no checks are made on the packets. Is that right?

Also, what would work differently if the protocol of rule at hand changed to "IP Out" with a criterion of "IPPROTO is any"?

Thanks

No, if I understand you correctly, that is not the way it works.

In stateful packet inspection every packet is checked against the rules.
In Comodo 2.4 all requests are first checked against the network rules and then must pass the application rules; to pass, a packet must be allowed by both sets of rules.

I believe the way it works is that when your computer makes an outgoing request, Comodo has some way of remembering to whom the request was sent, what type of request was made and what application made the request. I don't know exactly what method it uses to do this, or for how long it will remember; I imagine it is not very long, as your PC is constantly making requests and verifying the information it receives back.

Also, what would work differently if the protocol of rule at hand changed to "IP Out" with a criterion of "IPPROTO is any"?

No, I don't think you would notice much difference in the behaviour; it would allow you to ping out. Only allowing TCP/UDP does not include ICMP and will not allow pinging unless allowed by another rule. However, all IPPROTOs is a much larger set than TCP/UDP.

OD

Below are some comments on how CPF 2.4 works:

Comodo's firewalls use a method I call adaptive stealthing. If there is a network rule to open a particular port, that port will only be opened if there is an application running that can use that port. The ports are not just opened because there is a rule, they are only opened if there is a rule AND an appropriate application.

Hope this helps,
Ewen :-)


Thanks Grin
A TCP/UDP rule allows traffic for TCP and UDP protocols but blocks the attacks because from the version 2.1.0.1 and later if a port is not being currently used by any program CPF stealths it. Wink
It is different from a rule that will allow all traffic where  Protocol = Any (this last one will allow netbios and other kind of attacks).

ps. I have also checked the vulnerability on pcflank, symantec and other sites. It took me about 2 hours to complete the tests. And on every single test my computer was stealthed.

"Sometimes when I get up in the morning, I feel very peculiar. I feel like I've just got to bite a cat! I feel like if I don't bite a cat before sundown, I'll go crazy! But then I just take a deep breath and forget about it", then again sometimes you just have to bite a cat
madanasta
Newbie

Posts: 3


« Reply #121 on: July 24, 2007, 06:15:23 AM »

OD, thanks for the detailed reply.

I feel I have a complete idea of what each kind of rule means and how to define them now Smiley.

I'm still curious exactly how this method of remembering requests made and allowing replies works, however. Even though I'm about to look for such myself right away, is anybody aware of any Comodo whitepaper, technical doc, etc. that describe how network rules are processed?

Also, the question on changing the rule's protocol from TCP/UDP to IP was about whether the behaviour of allowing "reply" packets to "request" ones is still there in case of IP, or an additional incoming rule whould have to be defined. But I guess I can check that on my own (a ping will do I think).

madanasta

P.S. I feel I need to apologize for possibly not making too much sense with what I write/ask. I am not a firewall expert and to now I perceived a firewall's work as checking each packet against a set of rules and appropriately allowing it or discarding it... and that's it. Advanced techniques such as port/application matching and remembering outgoing traffic are pretty much unknown to me, hence my questions and concerns Smiley
« Last Edit: July 24, 2007, 07:38:57 AM by madanasta »
panic
Global Moderator
Comodo's Hero

Posts: 5342


... and I say to myself, "What a wonderful world"


« Reply #122 on: July 24, 2007, 07:12:17 AM »


P.S. I feel I need to apologize for possibly not making too much sense with what I write/ask. I am not a firewall expert and to now I perceived a firewall's work as checking each packet against a set of rules and appropriately allowing it or discarding it... and that's it. Advanced techniques such as port/application matching and remembering outgoing traffic are pretty much unknown to me, hence my questions and concerns Smiley


No need to apologise when you're looking to increase your knowledge.

The only truly dumb question is the one that never gets asked.

Ewen :-)

As your mums would say, "If you can't play nice with all the other kiddies, go home".
All users are asked to please read and abide by the  Comodo Forum Policy.
If you don't like it, don't use the forum.
joe2007
Newbie

Posts: 2


« Reply #123 on: August 04, 2007, 01:34:25 PM »

Reading this thread on "How To -- Understanding & Creating Network Control Rules Properly" is . . . interesting.  To say the least.

My observations:
Imaginos says that he's spent 2-3 hours reading and trying to understand exactly what to do.  I can relate to that.

Mongod says that his _earlier_ post on guidelines is now out of date due to a new version.

And, most of all -- there's NINE (9!) freakin' _pages _ (screens) in this thread!!
That's certainly NOT what _new_ users of CFP need or want, for starters.

It appears that longtime users of CFP are debating esoteric fine points (over NINE pages of threads? -- unbelievable!) when what new users need is a) _one_ post that is b) _up-to-date_ for c) the _current_ version of CFP. 

The moderator should have one thread on "what to do now when you are just beginning" and a separate thread (this one, I guess) for the oldtimers to debate nuances until the cows come home.
Little Mac
Global Moderator
Comodo's Hero

Posts: 6011



« Reply #124 on: August 06, 2007, 01:50:27 PM »

joe2007,

Here is what you're lookin' for...
http://forums.comodo.com/index.php/topic,6167.0.html

As for the "new version" version of the tutorial, the only differences are nuances, and some wording.  The process is still the same.

Hope that helps,

LM

date
dcfldd split=2G conv=noerror hashwindow=0 hash=md5 hashlog=/mnt/sda1/images/hash.log if=/dev/hda of=/mnt/sda1/images/LM.dd
date
cat LM.dd.* | md5sum > verify.log
date
joe2007
Newbie

Posts: 2


« Reply #125 on: August 06, 2007, 04:58:20 PM »

Little Mac, that's a very helpful link.  Thanks.
helmutreg
Newbie

Posts: 3


« Reply #126 on: September 10, 2007, 01:03:29 PM »

This How  To .... introduction is really helpful and it seems to me, that the first three rules described would be a good choice for default rules, when installing CFP - especially as they are relatively easy to understand. I am however a little disturbed by the fact, that the default rules delivered with CFP are so more complex, to a degree that I cannot interpret them. Could somebody explain, what the - hopefully - advantage of these default rules is?
Little Mac
Global Moderator
Comodo's Hero

Posts: 6011



« Reply #127 on: September 10, 2007, 01:07:54 PM »

Welcome to the forums, helmutreg.

As I understand it, the default rules have been found to be beneficial for ease-of-use for the majority of computer configurations.  Some computers/setups have need of some of those rules (like the GRE, etc).  Many do not.  Since trying to track down and configure such rules would involve a high degree of complexity, it is easier to include them by default.  That way all the folks that want a "set & forget" setup are better taken care of right out of the box.

Hope that helps,

LM
helmutreg
Newbie

Posts: 3


« Reply #128 on: September 11, 2007, 06:06:25 AM »

Thank you Little Mac,
I find it reassuring that the default rules have been found to be beneficial for ease-of-use for the majority of computer configurations.  In order to build an own set of rules by extending/altering the default rules it would be very helpful however, if some knowledgeable member of this forum could provide an interpretation/explanation of each of the default rules.
I hope this is not asking for too much, but I really think it could help a lot of beginners - one step beyond the help provided in the "How To  ..." tutorial.

helmutreg
Little Mac
Global Moderator
Comodo's Hero

Posts: 6011



« Reply #129 on: September 11, 2007, 12:24:17 PM »

helmutreg,

I don't know how much 'help' this will be to beginners, as you're delving into the guts of Internet Protocol where only the most intelligent of folks hang out, but I'll give it a shot (and no, I don't normally hang out there...).

Referring to this post for a breakdown of the default rules:
http://forums.comodo.com/frequently_asked_questions_faq_for_comodo_firewall/tutorials_a_compiled_resource-t6167.0.html;msg45547#msg45547

ID 0 Allows your computer to connect Outbound, as explained by m0ng0d
ID 1 Allows your computer to use Ping utilities Outbound (ping, traceroute, etc)
ID 2 Will Allow a message from the user's router to the computer that fragmentation is needed on an IP datagram; it is a subset of a Destination Unreachable message
ID 3 Will Allow a message from the user's router that an IP datagram was discarded due to it taking too long to reach destination or to be recompiled if fragmented; commonly used by traceroute to identify gateways
ID 4 Generic Routing Encapsulation has to do with IP tunneling and Virtual Private Networks; this rule Allows the computer Outbound connection using this protocol.
ID 5 This is your safety net; it must remain in the lowest/last position.  It will Block all traffic (whether In or Out) that has not previously been explicitly or implicitly Allowed.  If you add any rules below this rule, they will be blocked.

Hope that helps,

LM

Note:  To those who do hang out in the 'world of internet protocol knowledge' please feel free to correct errors with or clarify my explanation of these default rules.  Wink
« Last Edit: September 12, 2007, 09:17:39 AM by Little Mac »
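A simplified model of how that default rule list is evaluated, added here as an example rather than anything from Comodo: rules are tried top to bottom and the first match decides, a small state table stands in for Comodo "remembering" outbound requests as OD describes above, and per-rule hit counters show which rules actually fire. It assumes rule 0 is the TCP/UDP Out rule discussed earlier in the thread; the packet dictionaries and the rule encoding are constructed for illustration.

```python
# Added example, not Comodo's code: first-match model of the CFP 2.4 default
# Network Monitor rules, a minimal state table for replies to outbound requests,
# and per-rule hit counters. Rule 0 is assumed to be "TCP/UDP Out"; packet
# dictionaries and the rule encoding are constructed for illustration.
from dataclasses import dataclass

ANY = None  # wildcard for a rule field

@dataclass
class Rule:
    rule_id: int
    action: str           # "allow" or "block"
    direction: str        # "in", "out" or ANY (both)
    protos: tuple         # e.g. ("tcp", "udp"), or ANY
    icmp_type: int = ANY  # ICMP message type (RFC 792); only for ICMP rules
    hits: int = 0

def default_rules():
    return [
        Rule(0, "allow", "out", ("tcp", "udp")),  # ordinary outbound connections
        Rule(1, "allow", "out", ("icmp",), 8),    # echo request: ping/traceroute out
        Rule(2, "allow", "in", ("icmp",), 3),     # destination unreachable (frag needed)
        Rule(3, "allow", "in", ("icmp",), 11),    # time exceeded
        Rule(4, "allow", "out", ("gre",)),        # GRE tunnels / VPN
        Rule(5, "block", ANY, ANY),               # safety net: everything else
    ]

def matches(rule, pkt):
    return ((rule.direction is ANY or rule.direction == pkt["dir"])
            and (rule.protos is ANY or pkt["proto"] in rule.protos)
            and (rule.icmp_type is ANY or pkt.get("icmp_type") == rule.icmp_type))

class NetworkMonitor:
    def __init__(self, rules):
        self.rules = rules
        self.flows = set()  # (proto, remote host) of allowed outbound requests

    def filter(self, pkt):
        """Return 'allow' or 'block' for one packet; the first matching rule wins."""
        key = (pkt["proto"], pkt["remote"])
        if pkt["dir"] == "in" and key in self.flows:
            return "allow"  # reply to a remembered outbound request
        for rule in self.rules:
            if matches(rule, pkt):
                rule.hits += 1
                if rule.action == "allow" and pkt["dir"] == "out":
                    self.flows.add(key)
                return rule.action
        return "block"  # only reached if a rule set lacks a final catch-all
```

Running a few constructed packets through it shows why an unsolicited inbound TCP packet ends at rule 5 while the reply to your own outbound connection is accepted, and that a rule appended after rule 5 never accumulates a single hit.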
helmutreg
Newbie

Posts: 3


« Reply #130 on: September 12, 2007, 01:45:18 AM »

Hi Little Mac,
Even if you sound sceptical, your explanation helps! At least I feel more comfortable, if I understand what is going on with these rules. And then I now can put in additional rules - e.g. for other PCs on the LAN - without scruples, that I might get in conflict with the existing rules.

Thank you

HelmutReg
Dailyfree
Comodo Member

Posts: 38



« Reply #131 on: October 10, 2007, 05:47:25 AM »

I have no problems setting & creating any network rules but however I have a question. At the present moment, I have a total of 89 Network Control Rules in use. Is there a maximum number of rules for Comodo Firewall and what effect does it have on my PC resources, if any?

Daily

He that sees but does not bear witness, be accursed.
Little Mac
Global Moderator
Comodo's Hero

Posts: 6011



« Reply #132 on: October 10, 2007, 11:22:59 AM »

Dailyfree,

I think you get the prize for having the most # of Network Monitor rules!  Not sure what that prize is (lemme check with the guys).

I've not heard of any maximum # of rules.  It would seem that this would add some drag to the system, due to the increased level of filtering, but some of that would depend on the volume of traffic being filtered.  Given that I've not come across anyone with this many rules (to my current knowledge), you might be your own best judge of the resource impact.

LM
Dailyfree
Comodo Member

Posts: 38



« Reply #133 on: October 10, 2007, 06:49:04 PM »

Little Mac,

Thank you for the reply.

Drag? None at all! Rather, it makes my web experience better for each rule that I add.
(Correction, as of today, 106 rules created. )

Prize? Is there a prize? Shy  Let me at it!

I just love to make this great piece of software go the limits, if it has any.

Daily
panic
Global Moderator
Comodo's Hero

Posts: 5342


... and I say to myself, "What a wonderful world"


« Reply #134 on: October 11, 2007, 02:21:32 AM »

Little Mac,

Thank you for the reply.

Drag? None at all! Rather, it makes my web experience better for each rule that I add.
(Correction, as of today, 106 rules created. )

Prize? Is there a prize? Shy  Let me at it!

I just love to make this great piece of software go the limits, if it has any.

Daily

106!!!

I'm doing my damndest to get the number of network policies/rules down to the barest minimum without sacrificing security (currently down to 7)! Application policies/rules are another matter.

Interesting to hear that there is no discernible lag with that many rules. I'd suspect that some are not being triggered and rules further up the list are handling things. The only way to check this is to enable logging on all rules, but with 106 rules, you may get flooded.

Cheers,
Ewen :-)

