dumb firewall policies question

[Guest]

[vekarppe]

Hello. I have to say I'm really satisfied with COMODO Firewall Pro. I haven't faced any problems so far; it installed nicely and is running smoothly. Defense+ is also extremely handy, though I probably don't need that strong defence. Still, thank you so much! This is excellent.

I have dumb question concerning firewall policies. In my last firewall, I used to use simply rule that allowed all outcoming traffic, without any notifications, and blocked all incoming traffic, unless otherwise specified. I find it good for me. So, how I cand do this in CFP?

- Veikko

[lobster]

Just go to Firewall > Advanced > Network Security Policy > Global Rules  - add your rules there manually or simply use the stealth ports wizard (Firewall > common tasks) to automatically create rules for you ( the one at the bottom "Block all incoming connections - Stealth my ports to everone" creates rules similar to what you are descibing), then go to the Network security policy > global rules to check them out.

[vekarppe]

Thank you! :-)

[vekarppe]

I just noticed something...

Here is my present global rules



Then I made a specific rule for Skype. It's treat as "Trusted Application" (allow ALL requests). But this doesn't work. It seems that global rules cancel specific rules.

[panic]

I just noticed something...

Here is my present global rules



Then I made a specific rule for Skype. It's treat as "Trusted Application" (allow ALL requests). But this doesn't work. It seems that global rules cancel specific rules.

G'day,

If you have a close look at your psoted screenshot, you'll see that thet blocked Skype entries are for an INBOUND request and your firewall does not have any rules to allow this type of traffic in.

In a nutshell,

OUTBOUND - a data exchange is initiated on your PC to a remote PC
INBOUND - a data exchange is initiated on a remote PC to your PC

OUTBOUND access is determined by the firewall checking first the application rules and then the network rules.
INBOUND access is determined by the firewall first checking the network rules and then the application rules.

OUTBOUND -> APPICATION RULE -> NETWORK RULE
INBOUND -> NETWORK RULE -> APPLICATION RULE

If your Skype configuration requires a dedicated port for inbound traffic (i.e. for when people are rining you), you will need to make a network rule to allow this inbound unsolicited traffic.

Hope this helps,
Ewen :-)

[vekarppe]

That makes sense. But, actually, I don't know does it matter if it keep blocking that. Let it be so unless problems occur. Thanks.

[panic]

OK. Until you dig deeper, you can ring others on Skype but other won't be able to ring you cause your firewall is blocking inbound unsolicited requests (like incoming phone calls).

Ewen :-)

[Hikertrash]

I recently downloaded Skype and found this on the help page...


Skype needs unrestricted outgoing TCP connections to some TCP ports. If you fail to connect to the Skype network, it is likely that your firewall is blocking these and you need to open up some outgoing TCP connections. Note that this is about outgoing connections, not incoming connections. In most firewalls, you have to specify a destination port or port range to open. There are four options for Skype to work:

    * Ideally, outgoing TCP connections to all ports (1.65535) should be opened. This option results in Skype working most reliably. This is only necessary for your Skype connection to be able to connect to the Skype network and will not make your network any less secure.
    * If the above is not possible, open up outgoing TCP connections to port 443. This will only work if you are using Skype version 0.97 and above.
    * If the above does not solve the problem, open up outgoing TCP connections to port 80. Some firewalls restrict traffic to port 80 to HTTP protocol, and in this case Skype can not use it since Skype does not use HTTP. In some firewalls it is possible to open up all traffic to port 80, not just HTTP, and in this case Skype will work.
    * If the above is not possible, Skype versions 0.97 and above can use a HTTPS/SSL proxy. In order to do that, you have to configure the proxy address in Internet Explorer options. Skype will then be able to use it as well.
    * Please use our problem reporting form to report details of all instances when you have experienced a problem with Skype and a firewall.

For more information on using Skype securely in a company setting, please visit the security resource center.


If I set it as a trusted app will I have to add any global rules?  Or is there a simple rule I can set?  (still a little confused on how to write them)

Here's my global rule...

[ei4ia]

If I set it as a trusted app will I have to add any global rules?  Or is there a simple rule I can set?  (still a little confused on how to write them)

Skype works fine without special global rules  or "trusted" access (see pics)

[Hikertrash]

Skype works fine without special global rules  or "trusted" access (see pics)

I was just looking at... Skype connections

It said: allow port 6xxxx for incoming connections and 80 & 443 as alternate connections.  How would I write a rule for that?

Also, why are my global rules as they are (originally configured for p2p) , should I change them?

TIA

[vekarppe]

I have read the help file trying to understand how these rules works. Security level is now set to "Training Mode," what suppress all alerts. The global rules are same as above. If I'm right, the firewall allows now all outgoing traffic and block all incoming. Right? But what if I wanna make some exceptions only to specific programs.

[Tags:]