Topic: An Alternative to Global Rules? (Comodo Forum > Comodo Firewall > Help for v3)
sded (Global Moderator, Comodo's Hero, Posts: 1936)
« on: December 14, 2007, 10:41:33 AM »

I have always had a little trouble understanding the utility of global rules, and found it confusing to do things like end with a block all or block in, then put all of the exceptions in front of it as well as some in the application rules. Probably prejudices left over from using Kerio, Sygate, Jetico, Netveda, ... in the past (I never got around to using any of the $ ones), but having a dual tier rule system was counter intuitive.
So I eliminated all of the global rules, put the ICMP rules under Windows Operating System, verified I could use ping/tracert, and ended the application rules with a block all and log. For applications requiring inbound connections, I only put them in the application ruleset now. The effect of the block all placement is to require a little more maintenance. When I add a new program that requires the network, I need to remember to move the block all and log so CFP3 will generate popups and an initial ruleset. I then edit the ruleset as required, and put the Block All and Log back. If I forget, the program gets blocked. Then I check the log to see what it wanted, remove the block all and repeat. I actually find it more secure, since otherwise I get a popup, and answer OK without really understanding what the program will do.
This does not, however, have any impact on some other strange things I have noticed. DU meter, for example, has no application rules, since it's not a network program. It will therefore block when I try to do an automatic update, unless I build a ruleset for it. But it happily lets me go to the DU meter website anyway, presumably because it can go to the ashwebsv http loopback proxy without Comodo noticing it?
So Comodo has provided what appears to be another viable alternative for rulemaking. But I have not checked out all cases, so wondered if others had investigated this, or would have problems doing it this way, or would just find it more confusing and difficult? Or are there reasons it is just less secure to do it this way? Thanks; Ed.
CIS Firewall .414, Vista Ultimate x32 + SP1 - UAC, Avast! 4.8, Windows Defender. SAS offline. Acronis True Image just in case.
MaratR (Computer Security Testing Group, Comodo's Hero, Posts: 245)
« Reply #1 on: December 14, 2007, 02:06:46 PM »

Personally, I don't think that using application rules only is "less secure" in any way, when you're in Custom Policy Mode and you know what you're doing. I can't really think of a case where using global rules would let you do something you couldn't achieve with application rules.

One thing that should be remembered, though, is that some people actually have their Firewall in Training / Train With Safe modes. You don't control every application's behaviour in training modes. And global rules provide a convenient way to define the maximum amount of freedom your (trusted) applications can have. It's especially useful when you need to differentiate traffic by zones. For example, you can define a trusted zone (your LAN), a hostile zone (some hosts you want to block completely), and a general zone for everything else. You can then create corresponding global rules (like, allow all in/out for trusted zone, block all for hostile zone, allow outgoing only for everything else, block the rest), and just let your Firewall train, without worrying that the System or svchost.exe will receive an incoming connection from someone you don't trust. Need a P2P application to work? Just open a certain port (allow incoming connections to it) in global rules and the Firewall will learn the rest when you run the application. So in training modes global rules become the main method of traffic control.
XP Pro SP2 / CFP 3.0.18.309 / AntiVir PersonalEdition Classic  ~  Vista SP1 / CFP 3.0.18.309 / AntiVir PersonalEdition Classic
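As an added example (not code from this thread or from Comodo), the following Python model evaluates a two-tier, first-match policy like the one discussed in the two posts above: MaratR's zone-based global rules plus a P2P port, versus Ed's application rules only, ending in an "All Applications" block-and-log. The zone addresses, application names and port 6881 are constructed; the tier ordering (incoming traffic checked against global rules first, outgoing against application rules first) is an assumption, not something the thread states.

```python
# Added example, not code from the thread: a small first-match model of a
# two-tier firewall policy in the style of CFP3, comparing MaratR's zone-based
# global rules with Ed's "application rules only, ending in block-and-log".
# Assumed here (not stated above): incoming traffic is checked against global
# rules before application rules, outgoing traffic the other way round.
from ipaddress import ip_address, ip_network

TRUSTED = ip_network("192.168.1.0/24")  # constructed LAN zone
HOSTILE = ip_network("203.0.113.0/24")  # constructed hostile zone (TEST-NET-3)

# A rule is (app or "*", "in"/"out"/"*", ip_network or "*", port or "*", action).
def matches(rule, app, direction, peer, port):
    r_app, r_dir, r_zone, r_port, _ = rule
    return ((r_app in ("*", app)) and (r_dir in ("*", direction))
            and (r_zone == "*" or ip_address(peer) in r_zone)
            and (r_port in ("*", port)))

def first_match(rules, app, direction, peer, port):
    """Action of the first matching rule, or None if nothing in this tier matches."""
    for rule in rules:
        if matches(rule, app, direction, peer, port):
            return rule[4]
    return None

def decide(global_rules, app_rules, app, direction, peer, port):
    """Evaluate both tiers in the assumed order; 'ask' means no rule matched,
    i.e. the firewall would show a popup (or learn the rule in a training mode)."""
    tiers = (global_rules, app_rules) if direction == "in" else (app_rules, global_rules)
    for tier in tiers:
        action = first_match(tier, app, direction, peer, port)
        if action is not None:
            return action
    return "ask"

# MaratR's setup: zone-based global rules, top to bottom, plus one P2P port.
GLOBAL = [
    ("*", "*",   TRUSTED, "*",  "allow"),      # trusted LAN: allow all in/out
    ("*", "*",   HOSTILE, "*",  "block"),      # hostile hosts: block completely
    ("*", "in",  "*",     6881, "allow"),      # one open port for a P2P client
    ("*", "out", "*",     "*",  "allow"),      # everything else: outgoing only
    ("*", "*",   "*",     "*",  "block"),      # block the rest
]
# Ed's setup: no global rules; per-application rules, then All Applications
# block-and-log at the bottom. A new program with no rules hits that entry.
ED_APPS = [
    ("firefox.exe", "out", "*", 80, "allow"),
    ("*",           "*",   "*", "*", "block+log"),
]
```

Removing the last entry of `ED_APPS` reproduces the step Ed describes (moving the block-and-log aside so a new program gets a popup): the decision for an unknown program changes from "block+log" to "ask".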
Coolio10 (Computer Security Testing Group, Comodo's Hero, Posts: 461)
« Reply #2 on: December 15, 2007, 01:36:17 PM »

Interesting idea. I guess removing global rules means it will act like p2p mode. All incoming connections now handled by application-based rules?