Allowed application's connections are STILL blocked

Hello,

A little frustrated here, I apologize in advance…
I don’t think I’ve ever encountered a more backwards product than Comodo’s CIS suite, particularly the firewall module.
I have high confidence that I am using the correct approach to allow an application through Comodo Firewall for both incoming and outgoing traffic, yet it simply does not work.

So, here is the situation:
I have Filezilla Server running, but I can’t connect to it because Comodo Firewall is blocking incoming connections; so far there is no problem.
Instead of specifying a number of ports to support passive-mode, I decided to go with the more convenient approach and created a firewall rule for the entire process of Filezilla Server, here is what I did:

  1. Add the app: Firewall > Application Rules > Add > Browse > Running Processes > FileZilla Server.exe (C:\Program Files (x86)\FileZilla Server\FileZilla Server.exe)
    1.2. Use a Custom Ruleset
    1.2.1. Action: Allow
    1.2.2. Protocol: IP
    1.2.3. Direction: In or Out
    1.2.4. Source/Destination/IP Details: Any

I used the IP protocol on purpose just to rule out any kind of weird possibility on that front, but it still won’t allow the application to receive incoming connections.
If I invert the action to “Block” instead and also activate the logging option it will not log any incoming connection attempt.

I know that there isn’t anything more to it, or at least shouldn’t, but the ■■■■ firewall still blocks incoming connections.
If I manually add a rule for the ports it will work out of the box, so my question really is what’s this worthless “Application Rules” for if it doesn’t work?!

A couple of things before ending:

  • The process is correctly identified and its path is also correct;
  • I’ve restarted the process after creating the rule, just in case, but the result is the same;
  • Nothing else but Comodo FW is blocking the app’s connections.

If someone finds any fault in my configuration of the rule, please, I’m all ears.

Thank you.

G’day,

From the CIS help files (Global Rules, Firewall Protection, Best Firewall, Network Connection - COMODO Internet Security v6.2):

Global Rules

Unlike Application rules, which are applied to and triggered by traffic relating to a specific application, Global Rules are applied to all traffic traveling in and out of your computer.

Comodo Firewall analyzes every packet of data in and out of your PC using a combination of Application and Global Rules.
For Outgoing connection attempts, the application rules are consulted first and then the global rules second.
For Incoming connection attempts, the global rules are consulted first and then the application rules second.

Any incoming unsolicited request is handled first by the firewall’s Global Rules. Assuming your FZ server has a static address, you can create an inbound global rule to handle the PASV traffic. At worst, you would then have a single ALLOW prompt for the FZ app.

Sometimes, the nuts-and-bolts method works best. :wink:

Hope this helps,
Ewen :slight_smile:
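
As an added illustration (not part of the thread, and not Comodo’s code), a small Python model of the evaluation order the help text describes: inbound traffic consults Global Rules first, outbound consults Application Rules first. The default global rule set and the passive-mode port range are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    action: str                        # "allow" or "block"
    direction: str                     # "in", "out" or "in_or_out"
    protocol: str                      # "tcp", "udp" or "ip" (any protocol)
    dst_ports: Optional[range] = None  # None matches any destination port

    def matches(self, direction, protocol, dst_port):
        if self.direction != "in_or_out" and self.direction != direction:
            return False
        if self.protocol != "ip" and self.protocol != protocol:
            return False
        return self.dst_ports is None or dst_port in self.dst_ports

def first_match(rules, direction, protocol, dst_port):
    """First matching rule wins within a rule set; None if nothing matched."""
    for rule in rules:
        if rule.matches(direction, protocol, dst_port):
            return rule.action
    return None

def decide(direction, protocol, dst_port, global_rules, app_rules):
    """Return (verdict, stage): inbound checks Global then Application rules,
    outbound checks Application then Global, as the CIS help text states."""
    order = (("global", global_rules), ("application", app_rules))
    if direction == "out":
        order = order[::-1]
    for stage, rules in order:
        verdict = first_match(rules, direction, protocol, dst_port)
        if verdict is not None:
            return verdict, stage
    return "block", "default"  # assumption: unmatched traffic is blocked

# Assumed default global set: allow anything out, block unsolicited inbound.
DEFAULT_GLOBAL = [Rule("allow", "out", "ip"), Rule("block", "in", "ip")]
# The poster's application rule: Allow / IP / In or Out / any address.
FZ_APP_RULES = [Rule("allow", "in_or_out", "ip")]
# Constructed passive-mode port range used by the FTP server in this example.
PASV_PORTS = range(50000, 50101)

def inbound_pasv_with_app_rule_only():
    # The global block fires first, so the app rule is never consulted; this is
    # also why switching the app rule to Block + logging records nothing.
    return decide("in", "tcp", 50010, DEFAULT_GLOBAL, FZ_APP_RULES)

def inbound_pasv_with_global_rule():
    # A global inbound allow for the PASV range is evaluated before the block.
    globals_with_pasv = [Rule("allow", "in", "tcp", PASV_PORTS)] + DEFAULT_GLOBAL
    return decide("in", "tcp", 50010, globals_with_pasv, FZ_APP_RULES)
```

Outbound connections from the server still resolve at the application stage, which is where the single ALLOW prompt mentioned above would come from.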

Thanks for the reply.
Nonetheless, it’s quite confusing and impractical the way this works… I’m thinking I would be better off with Windows’ embedded firewall, at least in terms of applications’ rules.
Maybe it makes sense on some level, but I always assumed that a blocking rule, be it a global rule or an application rule, would always override an allowing rule that conflicted with the former.
Thanks to your explanation I now understand why it doesn’t work, but I still don’t get what you tried to explain in your quote above.
The machine has a static IP address in this particular case, but I prefer to not go with that assumption for general purposes.
How would I create an inbound rule for PASV traffic? Wouldn’t that just be a generic global rule where I would have to specify the specific ports used by the app? If that’s the case then I will probably ditch Comodo’s FW in favor of Windows’.
As for the worst case, what do you mean to have a single ALLOW prompt for the FZ app?

Thanks for the help!

The reason I assumed that your server had a static IP was simply because that makes it so much simpler to set up port forwarding on the router which must be in place before any local FW rules could take effect. If the port forwarding on the router is not in place it doesn’t really matter what the local FW rules are because the packets will never get past the router. Not all routers have the capacity to port forward based off internal hostname and DHCP assigned IPs can and do change. Ergo, I always recommend (assume was possibly a poor choice of words) that servers have a static IP address to facilitate port forwarding.

How would I create an inbound rule for PASV traffic? Wouldn't that just be a generic global rule where I would have to specify the specific ports used by the app? If that's the case then I will probably ditch Comodo's FW in favor of Windows'.

That’s exactly what it would be: a global, port-specific, IP-address-centric rule, same as on any/every firewall. Windows Firewall is pretty good, but my personal preference (in terms of the granular control allowed and the additional functionality, like the sandboxing) is Comodo. But ultimately it’s your choice how you strengthen your PC.

As for the worst case, what do you mean to have a single ALLOW prompt for the FZ app?

If we were starting from a clean PC with no FZ-specific rules established, and you then set up a global inbound rule for FZ, it would allow inbound packets. When your FZ server initiated a connection (as opposed to an external party initiating a connection to your FZ server), i.e. FTP’ing a file from your FZ server to another server, then Comodo would pop up an alert asking if the local FZ app was allowed to communicate beyond the local system. If you were using the Trusted Vendor listing, you would never even see this prompt.

Good luck working out which firewall to use. My preference is still Comodo, but pick whichever one works best for you and your environment.

Hope this helps,
Ewen :slight_smile:

Thank you… Thank You… Thank You!

Using Comodo’s Global firewall rules SOLVED my incoming SVN Server connection problem.