Applications rules ignored & Cannot change application order [resolved]

Hi,

On occasion, the firewall will forget that I have a rule set and give me an alert. This usually happens after I wake up the computer from hibernate.

An example:

I have a rule set to allow the following:

firefox.exe (ignore parent) [ ALLOW TCP/UDP OUTBOUND, Any port, Any Address]

I’m not the type to get particular about specific ports for applications I deem trustworthy.

The above rule seems to me that it should allow firefox all of the outbound traffic it wants. For the most part, it works fine.

On occasion (as mentioned, usually just after waking up the computer) firefox.exe will ask for TCP 80 (HTTP) outbound when the above rule should have allowed it. Usually in order to get the messages to go away, I have to add a new rule, or manually set the above rule to BLOCK and then back to ALLOW again. This usually corrects it.

It’s an annoyance, but I’m wondering if anyone else had the same problem.


The second problem I’m having is that there does not seem to be a way to change the order of the application rules. This is normally not a problem, since the firewall seems to be able to guess the correct order most of the time. Unfortunately, it doesn’t get it right all of the time. Sometimes blanket block rules are placed in a higher priority than individual port allowance rules.

Is there any way to override this?

Cheers,
-PW

Check this thread first:

Any further questions, feel free. You’ll see this is a friendly forum. Welcome.

Hi there,
I haven’t really thought about your first question (and no answer to that seems to immediately pop up in my head), however, this might be an interesting link concerning your second question, though this person’s problem was that a blanket allow rule was placed in a higher priority than an individual port block rule.
https://forums.comodo.com/index.php/topic,8452.0.html

Hope that helps.
Cheers,
grampa.

I’ll back that up. (:WAV)

Just to complete grampa, Panic’s reply on his link can be done the other way around, blocking except some ports that are allowed.
Thanks Grampa. (B)

Pedro, your link helped. I was missing the part about invisible applications. Thanks a million.

For my second problem, I’m not sure that second link applies. Allow me to elaborate.

I can change the priorities (hierarchy) of the network access rules just fine. The problem is that there is no way to change it manually in the applications access rules. This seems to be handled automatically.

Here is an example of two rules I might use:

program.exe [BLOCK, IN/OUT, TCP/UDP, All addresses, All ports]
program.exe [ALLOW, OUT, TCP, All addresses, 80]

The first rule would override the second rule, resulting in all traffic being blocked. The second rule to allow outbound TCP 80 gets totally ignored. Now if I reverse the order of the rules as follows…

program.exe [ALLOW, OUT, TCP, All addresses, 80]
program.exe [BLOCK, IN/OUT, TCP/UDP, All addresses, All ports]

… it will block all traffic except outbound TCP 80, which would be allowed. The exact same rules, in a different order, makes all the difference. This is very useful in the network access rules, but the application rules section hierarchy seems to be automated.

My problem is that the automated hierarchy doesn’t always work as desired. Usually it gets it right, but every now and then it will get stuck in the wrong order, and I have to delete all the rules and start again to fix it. It can get annoying. My question was if there was any better way to approach this.

I hope that clarifies my problem a bit more. Thank you for all your help so far.

Cheers,
-PW

Edit: I have been playing around with rule exclusions. Unfortunately, this doesn’t appear to cover all circumstances, not to mention it can get convoluted. It would be nice to be able to reliably define different firewall provisions as actual individual rules, and not just exclusions in one giant amalgamated rule.

Maybe I’m being too particular.

Hi again,
I may be a bit daft, but I still think that link provides an answer to your question.

  1. Rules in the AM are not ordered hierarchically!
  2. For whatever reasons, thus, CPF sometimes doesn’t seem to get the “order” correctly.
    Consequently, an easy way to circumvent the problem is NOT to create 1 general and 1 specific rule
    BUT
    to create 1 general rule indicating the Exception with the aid of the “EXCLUDE” function, as it is described in panic’s or my answer to the question in the above posted link.

Just try it.
If you need a tailor-made rule for your problem just post what you want and you’ll get a custom built rule.

You see, this is a friendly forum ;D

However, if I was once again too stupid to understand your question, please forgive me.
You know, at a certain age one’s brains don’t function as they should ;D
Cheers,
grampa.
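
Added example (not part of the thread and not Comodo's code): a small Python model of the two approaches discussed above, PW's BLOCK/ALLOW pair under first-match evaluation and a single BLOCK rule with an excluded port. The names `Rule`, `decide` and `order_sensitive`, the exclude semantics, and the `"ASK"` fallback for unmatched traffic are assumptions made for illustration.

```python
from dataclasses import dataclass
from itertools import permutations
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                        # "ALLOW" or "BLOCK"
    directions: frozenset              # subset of {"IN", "OUT"}
    protocols: frozenset               # subset of {"TCP", "UDP"}
    ports: Optional[frozenset] = None  # None means all ports
    exclude: bool = False              # True inverts the port match (assumed semantics)

    def matches(self, direction, protocol, port):
        if direction not in self.directions or protocol not in self.protocols:
            return False
        if self.ports is None:
            return True
        return (port in self.ports) != self.exclude

def decide(rules, direction, protocol, port, default="ASK"):
    """First matching rule wins; unmatched traffic falls back to an alert (assumed)."""
    for rule in rules:
        if rule.matches(direction, protocol, port):
            return rule.action
    return default

BOTH, ANY = frozenset({"IN", "OUT"}), frozenset({"TCP", "UDP"})
# The two rules from the post, plus one amalgamated rule using an exclusion.
BLOCK_ALL = Rule("BLOCK", BOTH, ANY)
ALLOW_HTTP = Rule("ALLOW", frozenset({"OUT"}), frozenset({"TCP"}), frozenset({80}))
BLOCK_EXCEPT_80 = Rule("BLOCK", BOTH, ANY, frozenset({80}), exclude=True)

def order_sensitive(rules, traffic):
    """Return the sample flows whose verdict changes when the rules are reordered."""
    return [t for t in traffic
            if len({decide(p, *t) for p in permutations(rules)}) > 1]

# Constructed sample flows: (direction, protocol, port).
TRAFFIC = [("OUT", "TCP", 80), ("OUT", "TCP", 443), ("IN", "UDP", 80)]

if __name__ == "__main__":
    for t in TRAFFIC:
        print(t,
              decide([BLOCK_ALL, ALLOW_HTTP], *t),   # block rule listed first
              decide([ALLOW_HTTP, BLOCK_ALL], *t),   # allow rule listed first
              decide([BLOCK_EXCEPT_80], *t))         # single rule with exclusion
    print("order-sensitive:", order_sensitive([BLOCK_ALL, ALLOW_HTTP], TRAFFIC))
```

In this model the single exclusion rule cannot be misordered, but every port-80 flow (including inbound UDP) falls through to the fallback instead of being explicitly allowed or blocked, which is the coarseness PW describes in the edit to the earlier post.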

There appears to be a bug with AM rules in that if you edit/add a couple of existing ones, the order suddenly changes. This is only noticeable if you have 2 AM rules that start with the same letter. We all know they are alphabetically sorted, but somewhere in this forum I’ve read that they are ordered from top to bottom, with top having the highest priority (like NM rules are).

I understand and can see how that link might apply. I didn’t catch the part where application rules are not ordered by hierarchy, although in my own observation they do appear to behave that way.

I’ve modified my rule set to use exceptions.

Soya appears to be correct in that the rule orders appear to be alphabetical, and randomly change order. The problem is, at least in my observation, the hierarchy system appears to be in place for AM as well. Either way, I think I understand how it works now.

It would be nice if the AM interface behavior corresponded with the NM interface. This might cut down on the learning curve a bit. Going from the NM system of individual rules in hierarchy to the AM system of single amalgamated rules is a little unintuitive. Just a simple user suggestion.

You’re right. These are very friendly forums. You’ve all been immensely helpful.

Thanks again!

Cheers,
-PW

P.S. Mods can consider this resolved.

Ok! (V)

I don’t recall it in the wishlist, but you can post it there to have AM rules ordered like NM rules, whereby greater control over them is allowed.