Baffling me - Network ports question

Sorry for being stupid. I just don’t get this (being a former ZA user)…

From what I have read on this forum and in the help files you have to allow traffic through the network rules before it can then be used by an allowed application. Right?

So how then is it that my MSN Messenger is working despite the incoming ports (443?) NOT being opened in the Network rules (it IS allowed in the Apps list) ?

And another question… am I right in thinking the ports opened in the Network rules are not in any way related to the allowed Applications. IOW once a port is opened any allowed app could use it, so I could put all my ports req’d to be open into a single Network rule? And surely the whole purpose of the Network rules is useless because any old hacker/spyware/trojan will just try to use ports that it knows are open for other commonly used legit apps. So an extra level of complexity is added but for no real extra security benefit?

Please enlighten me.

G’day hotttroc,

If you check in SECURITY - ADVANCED - MISCELLANEOUS, I think you’ll find “Do not show alerts for applications certified by Comodo” is checked. This is why MSN Messenger can get out without a corresponding application monitor alert.

To explain a bit better, imagine we have two applications, X and Y. Both of these can access the internet and use ports 1234 and 5678 respectively. Application X is a known safe application, certified by Comodo in the firewall’s internal safelist. Application Y, on the other hand, isn’t in the safelist.

The first time you start application X after installing the firewall, the firewall checks the application against its safelist and, since it is found to be safe, is allowed external access. No application monitor rule is created but it does appear in the CONNECTIONS list.

When you start application Y, the firewall again checks its safelist and, since application Y doesn’t appear, displays a pop-up that app Y was attempting internet access. Clicking REMEMBER and ALLOW creates an application monitor rule for Y. The tightness of the application monitor rule depends on the “Alert Level Frequency” setting found in SECURITY - ADVANCED - MISCELLANEOUS.

The reason that MSN Messenger was able to accept incoming connections is because the firewall is smart enough to recognise incoming data that is in response to a valid, authorised outbound connection. The firewall blocks UNSOLICITED incoming requests, but allows incoming requests that are in response to a connection that started on your system.

CFP IS different to ZA and a lot of other firewalls out there. I genuinely believe that it is worth persevering with, as it gives you a greater degree of control over what is happening on your system. This is not to say that ZA is bad, just that, IMHO, CFP is better - way better.

As a side note, you don’t need to worry about ports being left open or being used by another application while an approved application has that port open. CFP uses a method called Adaptive Stealthing - the port is only open when there is an approved application running and actively using that port. When it’s not running, the port is stealthed. If a second application tries to use a port that is currently assigned to another application, you’ll get another pop-up. If it’s a piece of malware, simply click BLOCK and REMEMBER, and then go and hunt it down, set your laser printer to “Stun” and give it both barrels. :wink:

Hope this helps,
Ewen :slight_smile:
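The behaviour Ewen describes above (unsolicited inbound traffic blocked, replies to a connection the host started allowed, an explicit inbound rule needed only for a listening server app, and the port going back to stealthed once the connection is gone) is what a stateful packet filter does. The following toy filter is an added example written for this thread; it is not code from the forum post and not Comodo Firewall Pro’s implementation, and the `StatefulFilter`, `Packet` and `demo` names, the listen-rule set and the addresses (RFC 5737 documentation ranges) are all constructed for the illustration:

```python
"""Toy stateful packet filter (added example, not code from the forum thread
or from Comodo Firewall Pro). Inbound packets are allowed only when they
belong to a connection the protected host started, or when an explicit
listen rule exists for a server application; anything else inbound is
blocked. All addresses and ports below are constructed sample data."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Connection key as seen from the protected host:
# (proto, local_ip, local_port, remote_ip, remote_port)
Key = Tuple[str, str, int, str, int]


@dataclass
class Packet:
    direction: str   # "out" = leaving the host, "in" = arriving at the host
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    fin: bool = False  # teardown marker; the state entry is dropped afterwards


@dataclass
class StatefulFilter:
    # Explicit inbound allow rules (proto, local port). This is the only way an
    # unsolicited inbound connection gets through, so only server applications
    # that passively listen need one.
    listen_rules: Set[Tuple[str, int]] = field(default_factory=set)
    # Live connection table: filled by outbound traffic, consulted for inbound.
    state: Dict[Key, str] = field(default_factory=dict)

    @staticmethod
    def key(p: Packet) -> Key:
        if p.direction == "out":
            return (p.proto, p.src, p.sport, p.dst, p.dport)
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def filter(self, p: Packet) -> str:
        """Return 'allow' or 'block' for one packet and update the state table."""
        k = self.key(p)
        if p.direction == "out":
            # Outbound traffic is the application monitor's concern; here the
            # sending application is assumed approved. Starting a connection
            # records a state entry so the replies can come back without any
            # inbound network rule.
            self.state.setdefault(k, "syn_sent")
            verdict = "allow"
        elif k in self.state:
            # Solicited: a reply to a connection this host started (or accepted).
            self.state[k] = "established"
            verdict = "allow"
        elif (p.proto, p.dport) in self.listen_rules:
            # A server application listens here and a rule says so.
            self.state[k] = "established"
            verdict = "allow"
        else:
            verdict = "block"  # unsolicited inbound: the port stays stealthed
        if p.fin and k in self.state:
            # Teardown: once the connection is gone the port is closed again, so
            # a later inbound packet on the same tuple is unsolicited.
            del self.state[k]
        return verdict


def demo() -> List[str]:
    """Constructed scenario: 192.0.2.5 is the protected host, 203.0.113.10 a
    remote server the host talks to, 198.51.100.7 an unrelated scanner."""
    fw = StatefulFilter(listen_rules={("tcp", 8080)})  # one server app on 8080
    host, server, scanner = "192.0.2.5", "203.0.113.10", "198.51.100.7"
    packets = [
        Packet("out", "tcp", host, 49152, server, 443),          # messenger connects out
        Packet("in", "tcp", server, 443, host, 49152),           # reply: solicited, allowed
        Packet("in", "tcp", scanner, 40000, host, 443),          # unsolicited SYN to 443: blocked
        Packet("in", "tcp", scanner, 40001, host, 8080),         # listen rule exists: allowed
        Packet("in", "tcp", server, 443, host, 49152, fin=True), # teardown, still allowed
        Packet("in", "tcp", server, 443, host, 49152),           # stale tuple, no state: blocked
        Packet("out", "udp", host, 5000, server, 5000),          # UDP request out
        Packet("in", "udp", server, 5000, host, 5000),           # UDP reply: allowed too
    ]
    return [fw.filter(p) for p in packets]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Note that port 443 is never “open” on the host in this model: the scanner’s SYN to 443 is blocked even while the messenger connection to the remote server’s port 443 is alive, because the state entry is keyed on the whole connection tuple, not on a port number. The listen rule on 8080 is the one case that corresponds to an explicit inbound network rule.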

G’day. Thank you for your very informative answer. I already understood about the certified applications in the Apps Monitor but I didn’t understand how it got past the Network Monitor rules. So you are saying the firewall automatically opens the right incoming ports for requests that are in response to a connection that started on my system even though the ports are not open in the Network rules?
Clearly it is cleverer than I thought. So the Network rules are only really there for apps you have on your system that are acting as server apps, passively listening for connections? I can’t imagine why anyone would otherwise open ports for unsolicited connections?