Author Topic: How To - Understanding & Creating Network Control Rules properly  (Read 84502 times)
gibran
Forum Member
Global Moderator
Comodo's Hero
*****
Offline Offline

Posts: 3755


Sometimes words are meaningless indeed...


« Reply #135 on: October 11, 2007, 02:58:38 AM »

Little Mac,

Thank you for the reply.

Drag? None at all! Rather, it makes my web experience better for each rule that I add.
(Correction, as of today, 106 rules created. )

Prize? Is there a prize? Let me at it!

I just love to make this great piece of software go to the limits, if it has any.

Daily

I bet you are using network policies to block some spammer or ad server.
Maybe you'll get the same outcome if you add those IPs to the %SystemRoot%\system32\drivers\etc\hosts file like this one
http://everythingisnt.com/hosts
« Last Edit: October 11, 2007, 03:03:14 AM by gibran » Logged

Little Mac
Global Moderator
Comodo's Hero
*****
Offline Offline

Posts: 6017



« Reply #136 on: October 11, 2007, 10:03:46 AM »

I bet you are using network policies to block some spammer or ad server.
Maybe you'll get the same outcome if you add those IPs to the %SystemRoot%\system32\drivers\etc\hosts file
I don't think hosts file modification will help him very much; his ISP seems to be at the core of the problem (we've dealt with that separately).

LM
Logged

date
dcfldd split=2G conv=noerror hashwindow=0 hash=md5 bs=32768 hashlog=/mnt/sda1/images/hash.log if=/dev/hda of=/mnt/sda1/images/LM.dd
date
cat LM.dd.* | md5sum > verify.log
date
gibran
Forum Member
Global Moderator
Comodo's Hero
*****
Offline Offline

Posts: 3755


Sometimes words are meaningless indeed...


« Reply #137 on: October 11, 2007, 10:47:58 AM »

I don't think hosts file modification will help him very much; his ISP seems to be at the core of the problem (we've dealt with that separately).

LM

What? Where? Hey! That's unfair! I would like to learn about those kinds of issues as well. Where is it?

Is it this? Help me stop Winnukes, SYN Flooding and IP Spoofing
« Last Edit: October 11, 2007, 10:53:10 AM by gibran » Logged

Dailyfree
Comodo Member
**
Offline Offline

Posts: 39



« Reply #138 on: October 11, 2007, 12:28:42 PM »

Thanks for all the chatter.

Latest reluctantly added rules now total 112. And this piece of Great Firewall just keeps informing me about unauthorized contacts with my 135-139. Anyway that's another matter altogether.

Better a slow PC than an unsafe one. That's what I say.

No, Gibran. It's not spam, but you will not understand how I do wish it was!

Logs available on request. Password with the Guru in charge!
Logged

He that sees but does not bear witness, be accursed.
gibran
Forum Member
Global Moderator
Comodo's Hero
*****
Offline Offline

Posts: 3755


Sometimes words are meaningless indeed...


« Reply #139 on: October 11, 2007, 12:39:06 PM »

Thanks for all the chatter.

Latest reluctantly added rules now total 112. And this piece of Great Firewall just keeps informing me about unauthorized contacts with my 135-139. Anyway that's another matter altogether.

Better a slow PC than an unsafe one. That's what I say.

No, Gibran. It's not spam, but you will not understand how I do wish it was!

Logs available on request. Password with the Guru in charge!

Yep the hosts file cannot do a thing to prevent inbound traffic.
Anyway, I would like to ask a few details about the rules you created:
  • Are most of them IP based?
  • Do the inbound traffic source IPs come from your ISP range or are those spoofed IPs?
Logged

Dailyfree
Comodo Member
**
Offline Offline

Posts: 39



« Reply #140 on: October 11, 2007, 12:51:13 PM »

Yep the hosts file cannot do a thing to prevent inbound traffic.
Anyway, I would like to ask a few details about the rules you created:
  • Are most of them IP based?
  • Do the inbound traffic source IPs come from your ISP range or are those spoofed IPs?

99% of them are from my ISP range!
Logged

He that sees but does not bear witness, be accursed.
Dailyfree
Comodo Member
**
Offline Offline

Posts: 39



« Reply #141 on: October 11, 2007, 12:55:42 PM »

For those who want to know why I have 100+ network rules, please download my logs and help me put them where they could be seen from every corner of the world!

After 60 days, the only reply that I ever got from my ISP STREAMYX (Malaysia) was "Thanking for your report", "Dynamic IP's cannot be traced", "Thank you."

All logs, e-mails and reports available from where I usually post. Any assistance would be deeply and sincerely assisted

Thanks,
Daily
Logged

He that sees but does not bear witness, be accursed.
gibran
Forum Member
Global Moderator
Comodo's Hero
*****
Offline Offline

Posts: 3755


Sometimes words are meaningless indeed...


« Reply #142 on: October 11, 2007, 01:14:23 PM »

I was not able to find your log.
By the way, do you have a few ports allowed for inbound traffic?
How many are there?
Logged

hugo15
Newbie
*
Offline Offline

Posts: 1


« Reply #143 on: November 25, 2007, 03:28:13 PM »

Great thread. New to Comodo yesterday, but now think that I am beginning to understand these network controls.
Logged
xarienne
Newbie
*
Offline Offline

Posts: 12


« Reply #144 on: December 01, 2007, 10:44:44 AM »

Hi There,

First of all, to m0ng0d, thank you so much for this guide. Very, very helpful!


Okay, on to my question:

As far as I can tell, with the exception of one rule, I pretty well have the rules set up the same as in m0ng0d's screenshots.

The exception is the last rule (see Rule #7 in attached screenshot), because I'm finding that when I have #7 set to "Block IP In or Out", it's blocking me(!!!!!). 

[e.g., When I set up everything exactly the way m0ng0d has it and then went to Firefox and tried to go to any websites, I got absolutely no reaction and I found 'Outbound Policy Violations' (attributed to Rule #7) in the Activity Log.]


Is it okay (security-wise) to leave it the way that I have it? Or is there something else I should be trying to do to get it to work the way it is in m0ng0d's screenshot?

Thanks in advance for your help.  --xarienne.


p.s. I think I have it set up the way it's described in Rule A of the very first post of this thread.
Logged
Little Mac
Global Moderator
Comodo's Hero
*****
Offline Offline

Posts: 6017



« Reply #145 on: December 01, 2007, 08:54:54 PM »


[e.g., When I set up everything exactly the way m0ng0d has it and then went to Firefox and tried to go to any websites, I got absolutely no reaction and I found 'Outbound Policy Violations' (attributed to Rule #7) in the Activity Log.]

xarienne, you don't have your rules quite like m0ng0d's wonderful tutorial, unfortunately, and it's messed you up a bit.  I'll explain.

By default, Rule ID0 would be:
Action:  Allow
Protocol:  TCP/UDP
Direction:  Out
Source IP:  Any
Destination IP:  Any
Source Port:  Any
Destination Port:  Any.

This is the rule that allows you to browse the internet, do email, etc.  It's your generic Outbound rule.

I see you have created a trusted network, and those rules now fill your Rules ID 0 & 1; this is good, and just as it should be for a trusted network.  No problem there.

What is now rule ID 2 should be the rule I described above.  However, it is instead what I would deem an unneeded/undesired rule (and already covered by Rule ID 1), which Allows TCP/UDP In from Any to Zone.

So here's what you can do to fix the situation.  Click what you currently have as Rule ID 2, described immediately above.  Delete that rule.

Right-click Rule ID 1, select Add/Add After.  Build the rule as I described the default Outbound rule earlier.  OK.

To make sure all temporary resident memory of blocks is gone, reboot your computer.  Then you should be able to browse as you desire.

Let us know how it goes...

LM
Logged

date
dcfldd split=2G conv=noerror hashwindow=0 hash=md5 bs=32768 hashlog=/mnt/sda1/images/hash.log if=/dev/hda of=/mnt/sda1/images/LM.dd
date
cat LM.dd.* | md5sum > verify.log
date
xarienne
Newbie
*
Offline Offline

Posts: 12


« Reply #146 on: December 01, 2007, 09:20:38 PM »


Hi LM,

Thanks for the reply.

For the version of rules I posted earlier, Rule #2 was actually for my uTorrent (I had read in another thread that the Destination could be 'Any' or my trusted zone).

What I realized this afternoon as I kept tweaking the rules, was that I'd completely left out the one you mentioned.

So, I now present Version 2 (attached). [Rule #2 is for torrents; Rule #3 is the one I inadvertently left out.]

Does this look all right?

Many thanks!  --xarienne.
Logged
Little Mac
Global Moderator
Comodo's Hero
*****
Offline Offline

Posts: 6017



« Reply #147 on: December 01, 2007, 09:41:54 PM »

xarienne,

Looks okay, as far as what I can see in the screenshot.  Your first answer will be if you can browse, since that was the big problem before.

As for Rule ID 2, for your p2p app: this is only okay IF you have defined the Destination Port (or Ports) to be used by the p2p app.  This detail we can't see in your screenshot, but it is absolutely crucial that you define those port(s) to use.  If you don't specify the port(s) in both the p2p app and the firewall, you're leaving yourself wide open.  Generally, we don't want to do that...

If you have set the port(s) to use, then all should be well ~

LM
Logged

date
dcfldd split=2G conv=noerror hashwindow=0 hash=md5 bs=32768 hashlog=/mnt/sda1/images/hash.log if=/dev/hda of=/mnt/sda1/images/LM.dd
date
cat LM.dd.* | md5sum > verify.log
date
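
The two points made in replies #145 and #147 (a final block rule catches outbound traffic when the generic outbound Allow rule is missing, and an inbound p2p rule must name its destination port) can be checked with a small first-match rule evaluator. This is an added example, not part of any post and not Comodo's code; top-down first-match evaluation, the simplified rule fields (no IP or zone matching) and port 40000 are assumptions.

```python
# Added illustration, not Comodo's code. Assumes rules are evaluated
# top-down and the first match wins; IP/zone fields are left out.
from dataclasses import dataclass

ANY = None  # wildcard port

@dataclass
class Rule:
    action: str            # "Allow" or "Block"
    protocol: str          # "TCP/UDP", or "IP" to match every protocol
    direction: str         # "In", "Out" or "In/Out"
    dst_port: object = ANY

    def matches(self, proto, direction, dst_port):
        proto_ok = self.protocol == "IP" or proto in self.protocol.split("/")
        dir_ok = direction in self.direction.split("/")
        port_ok = self.dst_port is ANY or self.dst_port == dst_port
        return proto_ok and dir_ok and port_ok

def evaluate(rules, proto, direction, dst_port):
    """Return (rule_id, action) for the first rule that matches."""
    for rule_id, rule in enumerate(rules):
        if rule.matches(proto, direction, dst_port):
            return rule_id, rule.action
    return None, "Block"   # assumed fall-through when nothing matches

def exposed_ports(rules, candidates):
    """Inbound TCP ports in `candidates` that the rule set lets through."""
    return [p for p in candidates if evaluate(rules, "TCP", "In", p)[1] == "Allow"]

OUTBOUND = Rule("Allow", "TCP/UDP", "Out")    # generic outbound rule (reply #145)
BLOCK_ALL = Rule("Block", "IP", "In/Out")     # final "Block IP In or Out" rule
P2P_PORT = 40000                              # constructed sample port

missing_outbound = [BLOCK_ALL]
with_outbound = [OUTBOUND, BLOCK_ALL]
p2p_any_port = [Rule("Allow", "TCP/UDP", "In"), OUTBOUND, BLOCK_ALL]
p2p_one_port = [Rule("Allow", "TCP/UDP", "In", P2P_PORT), OUTBOUND, BLOCK_ALL]

if __name__ == "__main__":
    probe = [135, 137, 139, P2P_PORT]         # constructed probe list
    print(evaluate(missing_outbound, "TCP", "Out", 80))
    print(evaluate(with_outbound, "TCP", "Out", 80))
    print(exposed_ports(p2p_any_port, probe))
    print(exposed_ports(p2p_one_port, probe))
```

The rule IDs returned are positions in these shortened lists, not the IDs in the screenshots discussed in the thread.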
xarienne
Newbie
*
Offline Offline

Posts: 12


« Reply #148 on: December 01, 2007, 10:01:58 PM »


All *should* be well then.

I am surfing the "internets" with ease and I do have a single port specified both for that particular rule and within uTorrent.

Thanks so much for taking a look!

--xarienne.

Logged
xarienne
Newbie
*
Offline Offline

Posts: 12


« Reply #149 on: December 02, 2007, 11:39:05 AM »

Okay, sorry, but here's another question. (If I should be putting this in a different forum/thread, please let me know!)

Now that I have my rules set up correctly, I notice in my Activity Log that I'm getting a LOT of these: "Outbound Policy Violation (Access Denied, ICMP = PORT UNREACHABLE)" attributed to Rule #8.

I did take care of a couple viruses last week. Should I be worried that something is still here on my computer?

Also, I'm getting the occasional Inbound Policy Violation (again, Control Rule #8), but I know from the Port indicated that it has to do with my TiVo/Network connection. Should I attempt setting up network rules to allow for that connection? (Through my TiVo box, I tried connecting to the network and it seemed to connect just fine... )

Thanks again for your help.  --xarienne.



EDIT: Last night I Google'd the NetMon messages I was getting and was led to the correct threads in the Comodo forums that dealt with these two issues. I set up rules for them accordingly, and everything seems fine now.
« Last Edit: December 03, 2007, 01:12:47 PM by xarienne » Logged