I used to use Sygate. There, it was possible, to have most programs run as only “act as client”.
For example IE and Outlook Express. Why don’t they work with Commodo FW, if I just allow them to connect to the internet and refuse to allow to “act as server” ?
BTW: In rules, when I take “incoming”, is the meaning of “rwemote IP” still the “outside” IP, or this then my IP. See, I mean wich logic is there behind. And is this the same in the global rules ?
( I ask, because I read the tutorial for set up C FW fir eMule, where I got to put in MY IP as REMOTE IP !!)
The remote IP and remote port tabs can also be your local IP or local port. Confused ???. I was to start with :). I think these descriptions are going to be changed in a future version. These rules depend on direction and the tab titles can be a little confusing.
Ok, I read a little more and found, that in NETWORK-RULES, its so, that for direction “out”, my computer (or LAN) is source, and for dir. “in”, my computer is remote, right ? This is logical.
This means, that “direction” is meant as who INITIATED the transfer. I can follow.
Now for APPLICATION-RULES:
Is it right, that they apply only to traffic, that has ALREADY passed the network-rules, e.g. the network-rules appley first ?
In network-rules, I can select “in” and “out” too. Is this meant in the exact SAME way, it’s meant in NETWORK-RULES, e.g. as WHO INITIATED the traffic ?
In my newly installed CPF, there are two global (=network) rules predefined. One to block all incoming, e.g. NOT requested traffic. And one to allow all outgoing traffic. Now, why is there this rule to allow all incomig ? Isn’t it right, that all traffic, that is not blocked by one of the network rules, is passed to the application rules ? Or is all skipped, that is not explicitly allowed by a network rule ?
Or a “global” question: if absolutly no rule apply, wether network nor application, what happens ?
why does Internet Explorer need, that I grant “act as server” ?
In Sygate for example, I could just let it “act as client”.
I think I’m still confused… is this becuse some DNS requests that maybe Sygate granted access with a global “hidden” rule ?? Or something like that ?
I can’t understand, why IE must have sever status, e.g. take NOT requested data.
AND, if this allowing of “act as server” would let IE do this, why doesn’t this work for eMule e.g., as eMule will listen on defined ports too, wich CPF is asking about ?
I hope I can make clear my things. I’m not too good in english, so sorry.
I did some more testing, and it is the fact, that, if I only allow “Out” for IE in the application rule, it wont work. BTW: I have disabled “auto approve safe apps”.
So, is the “act as server” or “IN” in application rules meant as NOT requested traffic ? Or what ?
And, if the “block all IP” rule from network monitor rules just blocks all UNrequested traffic already, why can there be a difference between if I let “IN” in the application rules or not ???
The "act as server " is a MUST for all apps that need loopback coonections, eg connections to 127.0.0.1, e.g. to the same computer they are running on… (IE, Outlook Express…)
THIS, would be VERY VERY IMPORTANT to have explained in the DOKU.
I was now searching 3 hours… >:(
ahh, in the next release it will all change… hope then it will be easier to understand.
I think this hole concept of rules should be a little worked over, at a minimum an EXTRA button for loopback MUST be.
This scenario is sooo often: I want an app. to ONLY act as client, but sure allow loopback, so I really dont want all the apps set to “act as server”, so I have to allow localhost for ALL apps explicitly ???
A lot of things have been fixed in the latest beta which is being released as stable and available from the main download page next week. The simplest way to set up you rules is to use the “Automatic Settings” when you install CPF and then just going to Security>>Tasks and adding your LAN as a trusted Zone. That’ll set up all the network rules you’ll need. As far as Acting as server, I’m afraid I’ve not come across that one.
As EricEgan mentioned, I would wait untill next week when 2.3 is released (I think you will find it alot easier to use ). You could if you wanted, try the latest beta (2.3.3.33) untill then. I haven’t come across any major problems. If you choose too, you will then need to uninstall this version before installing the final version of 2.3.
