Docs about bottom default rule in firewall

[Guest]

[LamerDrv]

In help there is good picture in "Global Rules" topic. And help states that outgoing traffic must pass "application rules" then "global rules".
In "Application Rules" topic help states: "If there is no corresponding network control rule, then the connection is automatically blocked until a rule is created"
But in "Global Rules" topic there isn't description firewall behaviour in case when there is no corresponding network control rule.

As far as I can understand for outgoing traffic if application rules list have "allowed traffic" rule list and there is no corresponding rule in global rules list then traffic ALLOWED.

It looks like that application rules list has invisible bottom rule for BLOCK all traffic
and
global rules list has invisible bottom rule for ALLOW all traffic.

Am I right? What about ingoing traffic? Same?
If I missed something in docs, point me to info please.
If help really some unclear about this, I hope it will be improved.

[clockwork]

global rules have no effect if they are not there.
when a global rule IS there, it is stronger than the application rules, because it is global valid!

with global rules you can for example "block all (unrequested-)ingoing traffic". so you dont have to make this rule for each application again.

[LamerDrv]

[img]

when a global rule IS there, it is stronger than the application rules, because it is global valid!

Yes and no  . For example, let see outgoing http traffic in browser. If there is global rule "Allow all traffic", but no application rule "Allow http" for the browser, then the connection is blocked. (I.e. "allow" global rule exists, but traffic is blocked).

with global rules you can for example "block all (unrequested-)ingoing traffic".

Yes. But situation is different for ingoing and outgoing traffic.

As far as I understand firewall algorithm for outgoing traffic filtration:
1) searching app rule for traffic
1a) if no found any rule or  then traffic is blocked else
1b) if found "block rule" then traffic is blocked else
1c) if found "allow rule" then
      {
        2) searching global rule
        2a) if no found any rule then traffic is allowed (this different from step 1a)  else
        2b) if found "block rule" then traffic is blocked else
        2c) if found "allow rule" then traffic is allowed.
       }

I only want to say that help some incomplete about interaction global and application rules (step 2a is not clear from help).
This behavior quite different from other firewalls. For example in Outpost global rules and application rules make up single list. And that list is scanned from top to bottom for first appropriating rule. And after first appropriating rule was found, scanning of the list is aborted. In such case global rule ("allowing" or "blocking") fully overrides (cancels) any app rules.

I like comodo algorithm for scanning rule lists. But for complete understanding of this algorithm I had to carry out some experiments with rules.
May be it is helpful include in docs (in "Global Rules" topic) phrase:
"If there is no corresponding network control rule in global list, then the connection is allowed until a rule is created" or something like.


P.S: sorry for my English.

[clockwork]

i see, you have an understanding about this

as i said "global rules are stronger", i meant that it can block ALLOWED things in application rules, and that it is global valid.

but to allow some traffic, it NEEDS an application rule first. maybe wasnt clear enough in that case.

if you want to use global rules, you will create global blocks, and then you make exceptions. there is no need to make a global allow rule, because "no global rule= no effect".

the best use for the global rules is to block pings, and to block ingoing ip(means all Protocolls) any any.
if you find a rule there after using the stealth port wizard setting 3 (hide me from everyone), "allow ip out", you can erase it, because, as we saw, in global rules is no need for "allow", when there is no block rule allready.

[LamerDrv]

In my searching in docs, I try to decide specific task.

Here is my situation:
I have stable setup - I use "Custom Policy and all "allow" and "block" rules for my applications are there.
But sometimes I run new app (which is blocked because for this app there is no app rule). For allow this new app I need to know what ports it uses.
And in this point I want to use Firewall Events window for learn what ports that app try to use. (Sure if I need to know what ports app using, I can search help for this app. But sometimes help is absent  )

I.e. I was trying create rule for "logging all implicitly blocked outgoing traffic" (I understand that permanent using that rule overflows the log).

In my first try I have created "block and log" global rule ... and my internet goes down
I was some confused - according to help info, application rules are scanned first and I have "allowed" application rules, but all connections down.
Before further experiments I have tried find solution in help, but I can't  . And I had to carry out some experiments for find solution.

[clockwork]

hm, maybe for both of us english is not the main language.

i dont see, do you have still a problem or not?

when you only use specific OUTgoing rules (for applications), you dont need to know the ports... because all the traffic is produced by the application, as it was programmed. it will not connect other ports. and you dont need ingoing rules at all, so restriction for ports is usually not needed.
"block ip in any any" global rule avoids everyone unasked to connect without permission!

in my old firewall i had to make INgoing rules and OUTgoing rules. in that firewall it was usefull to make the INgoing rules as specific as possible. (there was no global rules section, so i had for example to set a "block all the rest rule" under all aplication rules, to avoid questions that are not needed, for example unrequested ingoing traffic).
but in a modern firewall you just need OUTgoing rules, which allow intentional traffic that requests ingoing packets which are allowed to come in then (like it was wanted).

[LamerDrv]

i dont see, do you have still a problem or not?

No, unfortunately, I don't.
I searching a way to log any traffic except explicitly allowed.
While i writing this message, I found solution  .
Just add application rule to bottom application rules list:
- Application Path: "All applications" with network access rule "Block and Log IP out from any to any...".

[clockwork]

hm, i dont need to make a setting for get "blocked outgoing requests" logged. i look in the log, and there i see if something was blocked, or asked.
if i needed such a rule, i would use the same as you made . but it would be like with my prehistoric firewall... if you start a new application, you would not get a question window. you would have to look in the log and then to disable the rule, to get the question. or you have to make manual searches for the application to make then a rule for it.... too much additional work, for no adding of benfit in a modern firewall.
are you sure that you need it to get that logging effect? test it with a program that tries to get internet access, and dont answer the question. i am sure in the log would stand something about that anyway, without an extra rule.


i can suggest to make "selfmade rules for blocking" logged. so you can see if something doesnt work because of one of your rules.

the log has a fix amount of largeness. i think its now 20mb? before it was 2mb. logs are there to be filled with important things. i dont log "allowed things", because seeing them would not give a benefit.

[LamerDrv]

if you start a new application, you would not get a question window. you would have to look in the log and then to disable the rule, to get the question. or you have to make manual searches for the application to make then a rule for it.... too much additional work, for no adding of benfit in a modern firewall.

 
I switch off "Enable alerts for TCP request", "Enable alerts for UDP request", "Enable alerts for ICMP request" and "Enable alerts for loopback request" settings because I hate popup windows  .

And I don't like rules that firewall creating based on my answers in popup window.
For example, I run some specific app and there is no appropriating "predefined policy" for this app. If "Enable alerts for TCP request" is on then I will have to select "Allow this request" in "Firewall Alert" window. Then firewall create bunch of rules "Allow TCP Out From MAC Any To <specific IP>...". And I will have to delete all those rules except one and change specific IP to Any.

As a rule, I read manual for application and create rules manually.
But sometime manual is absent (or I too lazy to search manual right now  ). In that case I will activate my "disable and log" super-rule and see Log and then create rule based on info from log (commonly I will interest only destination port numbers).

[LamerDrv]

 
Hmm, may be I was wrong about "Firewall Alert" window.
I set "Alert Frequency level" to "Very High". But if set this setting to "High" value then firewall create quite acceptable rule.

I still think

it is helpful include in docs (in "Global Rules" topic) phrase:
"If there is no corresponding network control rule in global list, then the connection is allowed until a rule is created" or something like.

[clockwork]

ok, your way is different then mine. you know, why i want to have the question window? because i dont have to search the application path in comodo to make a rule.

btw, you can make your own predefined rules....

your suggestion about the help section:
it should be made clear that ONLY existing global rules have an effect. the word "allow" would mislead the user.
while on the other hand, not existing application rules lead to a block or question.
global rules can override the effect of application rules.

[LamerDrv]

global rules can override the effect of application rules.

This statement is unconditional right for other firewalls.

But in Comodo this statement is right only for incoming traffic - global rules is scan first, then app rules.
For outgoing traffic applications rules override effect of global rules - because application rules is scan first, then global rules.

I try put it my suggestion in another words.
Commonly docs for other firewalls state what decision is made by firewall if rules list doesn't contain explicit rule.

Comodo help state

"Outgoing traffic has to 'pass' both the application rule then any global rules before it is allowed out of your system. Similarly, incoming traffic has to 'pass' any global rules first then application specific rules that may apply to the packet."

Comodo help state that traffic doesn't 'pass' application rules list if this list doesn't contains corresponding rule (

"If there is no corresponding network control rule, then the connection is automatically blocked"

).
But Comodo help doesn't state that traffic 'pass' global rules if there is no corresponding rule in global rules (exactly this moment misleads me).

And for doesn't mislead a user we should just enumerate firewall decisions for all 4 variants in help :
1) there is corresponding app rule and there is corresponding global rule
2) there is corresponding app rule and there is no corresponding global rule
3) there is no corresponding  app rule and there is corresponding global rule
4) there is no corresponding app rule and there is no corresponding global rule
for incoming and outgoing traffic.

[clockwork]

you say: "But in Comodo this statement is right only for incoming traffic - global rules is scan first, then app rules."

easy test: make a global rule "block ip OUT any any".... you will see that global rules can override any application rule in effect (with any test scenario).

global rules are the "global master" (if no rule in global rules= no master). application rules are the rules that make actions possible in the first place. the global master is able to forbid these actions.

you can use global rules for general blockings of un-needed things, making exceptions of allowed things, block ports, block protocolls.... all the stuff that you dont want to set for each application again, and to avoid to have a need for a "bottomline block all rule" in application rules.
its a feature, not a point to become mad off
use it as you want.
the "scan direction" says nothing about the power. if global rules are asked first or second is not important. what they tell is the global law

IMPORTANT is allways the position of a rule anywhere in the firewall! top rules are valid first. keep that in mind.

[LamerDrv]

you say: "But in Comodo this statement is right only for incoming traffic - global rules is scan first, then app rules."

easy test: make a global rule "block ip OUT any any".... you will see that global rules can override any application rule in effect (with any test scenario).

Yes of course, if one rules list "allows" traffic and other rule list "blocks" traffic then traffic will be blocked.
Hence, "blocking" rule have more priority than "allowing" rule (not important where from this blocking rule comes  - from global or application rules list).

Another easy test: create the application rule "block ip OUT any any" for svchost.exe (or better for "all applications") ... and you can't override this by "allow" global rule 

If we have different understanding of docs then there is ambiguity in docs. 

Yes, documentation gives the examples of using global rules ("Global Rules are mainly, but not exclusively, used to filter incoming traffic for protocols other than TCP or UDP").
But for more complex scenario a user needs to know exactly behaviour of firewall engine about scanning rule lists. And it is particular significant because Comodo behaviour some different from other firewalls.

In my scenario with logging I try to rely upon

if global rules are asked first or second is not important. what they tell is the global law

and I add global rule "allow and log". But this hasn't worked for outgoing traffic, because my app rules list hasn't corresponding "allow" rule.

[clockwork]

application rules initiate(!) an action.
global rules can block this inititated action. we dont need to discuss this things. your example of trying to allow a "block" application rule with an "allow" global rule is far away from what i said.
BECAUSE when its about outgoing, application rules are scanned first. and whenever a first scanned rule says "block" it is blocked right there, totally logic.
i have to accurate my sentence about "scanning direction says nothing about the power": if the first scanned rule says "block", a block happens, no other layer is reached.
---------------------
 ("and I add global rule "allow and log". But this hasn't worked for outgoing traffic, because my app rules list hasn't corresponding "allow" rule.")
YES,OF COURSE: what traffic should go out, when there is no "allow" rule in applications? your firewall will be save even without any global rule! application rules do the job. global rules can avoid questions and make exceptions. but every outgoing attempt is allowed by you, or blocked by default with the layer "application rules". a default blocked attempt (unanswered=blocked) would appear in the logs normally, because it has produced a firewall question.
if you make a global rule "allow and log IProtocolls any any OUTGOING", you should see your log filled with regular traffic. but thats useless.

the main point is our language. i dont see where your problem is, or what you try to achieve for a security adding with a certain setting.
i got a "picture" about global rules as i saw them first. and until now my understanding was proven right by the effects that i saw. i didnt read the help files to understand the program. i read them in the case that i missed a feature

[Tags:]