Application rule doesn't work (not a bug)

I found an issue with application rules.

If I set a port in an application rule, it may not work.

E.g., I have set Remote Port to 80 in the application rule list for IE (only set the port, without modifying any other item), but CPF still gives me a notice asking me to confirm, and in the notice the remote port is also 80.

Is this an issue or something else?

WinXP + SP2


If I am not mistaken, web requests go out on 80 (you are asking for a page to load), but the response from the server may come in on another port… if so, this might explain why you are getting prompted for another rule… what port and direction is it prompting for?

The web page request doesn’t go out ON port 80, it is going TO port 80.

When you request a web page, your request is addressed to X.X.X.X:80 - port 80 on the web server, and your requesting packet contains your IP address and a return port which will be above port 1056. If the request was to a secure site, your request goes to X.X.X.X:443 (SSL receive port).

Hope this helps,
Ewen :slight_smile:

Yes. And CPF should not ask for replies coming from the web site once the outbound connection is allowed.


If you can show us a snapshot of the popup and the application rule you set, we can see why you get a popup.

Well, I was close… but I guess this is neither horseshoes nor hand grenades… :wink:

Thanks for the correction… now I don’t have to guess next time :smiley:


I know IE will go to port 80, 443 or 53, not go out on port 80, 443 or 53; it uses a local port in the range above 1025. And please notice that I set REMOTE PORT; I think in an application rule this means a port that an application will visit when this application is a client, not a server, if I didn't misunderstand.

Thus, to test this, I set REMOTE PORT NOT to 80/443/53 in the application rule for IE. I think the function is to DENY IE connecting to the REMOTE HOST's ports 80/443/53; of course I did this for testing only. Then I opened IE to visit a site, and CPF still gave me a notice. I think CPF should deny IE's request rather than notify me under this configuration.

This was tested in CPF 2.3 Beta.

Following is the snapshot:

[attachment deleted by admin]

I think you’re right. My understanding was that when an application (in this example Internet Explorer) attempted to access the internet, the application rules were checked first and, if passed, then the network rules were applied to the outgoing request.

Is this how CPF works, or have I got it the wrong way around?

Ewen :slight_smile:

I didn’t understand you.

Do you think it is normal?


When I said "I think you're right", I meant that I think you're right when you say "I think CPF should deny IE's request". I would have expected the application rule to have taken effect before the network monitor rule was ever tested, so you shouldn't have seen the popup.

Is that clearer?

Ewen :slight_smile:

Thank you, Now I see.

Let's go step by step:

The rule says "Block if iexplore.exe connects to ports other than 80, 443, 53 for any direction, for any protocol."

But it does not tell CPF to allow ports 80, 443, 53. So when CPF sees these ports, it does not know what to do and displays a popup.
The following 2 rules must exist to make CPF act as you expect.

BLOCK TCP/UDP OUT TO ANY WHERE REMOTE PORT IS NOT IN [80, 443, 53] (Please note that this rule tells CPF to block ports other than 80, 443, 53 but does not imply allowing traffic to those ports. With just this rule, CPF will block iexplore.exe to 8080 but will ask for 80, 443, 53.)

So nothing is wrong. But since we are redesigning the application rules interface to make them similar to network rules but per-application based, you will have a better grasp of how it works.
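To make the evaluation order in the post above concrete, here is a small added model of the rule semantics it describes. This is example code written for this thread, not CPF's own code: rules are checked in order, the first matching rule's action wins, and a remote port matched by no rule has no verdict, which is what produces the popup (modelled here as ASK). The page only quotes the block rule; the explicit allow rule for ports 80, 443 and 53 that goes with it is an assumption based on "the following 2 rules must exist" and the later "you need to add 2 rules".

```python
from dataclasses import dataclass
from typing import Iterable, Dict

ALLOW, BLOCK, ASK = "ALLOW", "BLOCK", "ASK"


@dataclass(frozen=True)
class Rule:
    """One application rule, in the shape the thread quotes:
    ACTION PROTOCOL DIRECTION ... WHERE REMOTE PORT IS [NOT] IN {ports}.
    This is an illustrative model, not CPF's internal rule format."""
    action: str            # ALLOW or BLOCK
    ports: frozenset       # remote ports named in the condition
    negate: bool = False   # True models "REMOTE PORT IS NOT IN"
    direction: str = "OUT"  # OUT / IN / ANY
    protocol: str = "ANY"   # TCP / UDP / ANY

    def matches(self, direction: str, protocol: str, remote_port: int) -> bool:
        if self.direction not in ("ANY", direction):
            return False
        if self.protocol not in ("ANY", protocol):
            return False
        in_set = remote_port in self.ports
        return (not in_set) if self.negate else in_set


def decide(rules: Iterable[Rule], direction: str, protocol: str, remote_port: int) -> str:
    """First matching rule decides. A block rule never implies an allow:
    if no rule matches, the firewall has no verdict and asks the user."""
    for rule in rules:
        if rule.matches(direction, protocol, remote_port):
            return rule.action
    return ASK


WEB_PORTS = frozenset({80, 443, 53})

# Configuration 1: only the block rule quoted in the thread.
BLOCK_ONLY = [Rule(BLOCK, WEB_PORTS, negate=True)]

# Configuration 2: an explicit allow for the web ports (assumed second rule)
# followed by the same block rule.
ALLOW_THEN_BLOCK = [
    Rule(ALLOW, WEB_PORTS),
    Rule(BLOCK, WEB_PORTS, negate=True),
]


def verdicts(rules: Iterable[Rule], ports=(80, 443, 53, 8080)) -> Dict[int, str]:
    """Outbound TCP verdict per remote port, for a given rule list."""
    rules = list(rules)
    return {p: decide(rules, "OUT", "TCP", p) for p in ports}


if __name__ == "__main__":
    # Expected: block-only asks for 80/443/53 and blocks 8080;
    # allow+block allows 80/443/53 and blocks 8080.
    print("block-only: ", verdicts(BLOCK_ONLY))
    print("allow+block:", verdicts(ALLOW_THEN_BLOCK))
```

Because the two conditions (IN the set, NOT IN the set) are complementary, their relative order does not change the outcome here; order only matters once rules overlap, which is the usual source of surprises in first-match firewalls.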


Logic’s a wonderful thing - except when you deserve to be whacked in the melon with it! :wink:

Thanks, I’ll go sit in the corner, now.

Ewen :slight_smile:

I understood it.

But I think this logic will make it difficult to configure CFP.

If I want IE to connect to port 80 only, I have to add two rules.
My idea is: how can I do it by adding one rule that allows IE to connect to port 80 and denies it connecting to ports other than 80?

This doesn't fit the logic, but it is more useful.

You will be able to do so with the new application rules interface. Currently, you need to add 2 rules.


OK, I'm waiting for the next version.