Block all traffic except that defined in Network Security Policy

This is probably so simple I am not seeing it - how do I tell Comodo Firewall to block all traffic which is not listed in my Network Security Policy? Firewall Security Level of “Custom Policy” seems to almost provide what I want, except that “You will get alerted every time there is a connection attempt by an application unless your policy contains rules to trust the connection”. I don’t want to “get alerted” - I want that application blocked! (Essentially, I want to provide a whitelist of applications in my rulelist and then block everything else unconditionally.)

Thanks, Pepak

Hey Pepak

What you could do is to add all applications in applications rules and select the Block Application.

I hope this helps.

Regards,
Valentin N

Thanks. Is this what you are suggesting? Firewall Tasks → Define a New Blocked Application → Select → File Groups → All applications. But if I understand it correctly, it would lead to creation of many new rules for every unapproved application, wouldn’t it? I was hoping for a catch-all “block everything else”, which is common with other firewalls. But it seems CIS only uses the “ask about everything else” and “accept everything else”, depending on which Firewall Behavior Setting I use. Correct?

The method Valentin proposes is correct. However, you will need to add a final block rule to each rule set, in addition to an overall block rule. (see image)

For the final block, create a rule for the ‘All Applications’ group with parameters that block and, if desired, log and place it as the last item in Application Rules. This will silently block all unauthorised outbound connectivity.

Action - Block (Log if desired)
Protocol - IP
Direction - Out
Source Address - ANY
Destination Address - ANY
IP Details - ANY

An alternative approach would be to add an outbound block rule to Global rules. Personally, I find the former approach easier to manage at the individual rule level.

[attachment deleted by admin]
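As an added illustration of the rule ordering described in this post (and of the per-application allow-then-block pair mentioned later in the thread), here is a small Python model of first-match rule evaluation; it is not code from Comodo or from this thread, and the application names and ports are made up.

```python
# Added example (not from the thread or from Comodo): a first-match model of
# Comodo-style Application Rules. It shows why the catch-all block for the
# "All Applications" group must sit last, and how an allow-then-block pair
# limits one program to the ports it needs. App names/ports are invented.
from dataclasses import dataclass
from typing import Optional

ASK = "ask"  # Custom Policy behaviour when no rule matches: raise an alert


@dataclass(frozen=True)
class Rule:
    app: str                    # executable name, or "*" for "All Applications"
    action: str                 # "allow" or "block"
    direction: str              # "out" or "in"
    dst_port: Optional[int] = None   # None means ANY
    log: bool = False


def match(rule: Rule, app: str, direction: str, dst_port: int) -> bool:
    return ((rule.app == "*" or rule.app == app)
            and rule.direction == direction
            and (rule.dst_port is None or rule.dst_port == dst_port))


def decide(rules, app: str, direction: str, dst_port: int) -> str:
    """First matching rule wins; with no match the firewall falls back to ASK."""
    for r in rules:
        if match(r, app, direction, dst_port):
            return r.action
    return ASK


# Whitelist: the browser may talk HTTPS only; anything else it tries is blocked.
PER_APP = [
    Rule("firefox.exe", "allow", "out", 443),
    Rule("firefox.exe", "block", "out"),        # blocks this app's other connections
]
CATCH_ALL = Rule("*", "block", "out", log=True)  # Protocol IP, Source ANY, Dest ANY


def demo() -> dict:
    with_block = PER_APP + [CATCH_ALL]          # catch-all as the LAST item
    misplaced = [CATCH_ALL] + PER_APP           # wrong: catch-all placed first
    return {
        "firefox 443": decide(with_block, "firefox.exe", "out", 443),
        "firefox 80": decide(with_block, "firefox.exe", "out", 80),
        "unknown app, no catch-all": decide(PER_APP, "updater.exe", "out", 443),
        "unknown app, catch-all last": decide(with_block, "updater.exe", "out", 443),
        "firefox 443, catch-all first": decide(misplaced, "firefox.exe", "out", 443),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

Without the final rule an unlisted program falls through to an alert; with it placed last the program is silently blocked, and placing it first would swallow the whitelist entries above it.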

Thanks to you all. I will give it a try.

By my understanding the OP was asking about outbound traffic, not inbound. The OP also mentioned using Custom Policy mode.

As for the rules, that depends how you have yours created. If you use simple allow everything to everywhere type rules, then that application will be allowed to do whatever it wishes, whenever it wishes and you will likely never see another alert.

If, on the other hand, you have limited rules, which allow an application to connect, for example on certain ports only, then one would create a rule to allow the desired connection, followed by a rule to block any additional connectivity.

Whilst the above works for an individual application, it does not stop new/other applications asking for connectivity. This is something the OP required. To achieve this, in addition to an individual block rule for each application, an overall block will be required, hence my advice.

Well, I don’t want to be asked about any traffic. But given how the rules work, outbound is the more difficult to tackle with CIS.

> As for the rules, that depends how you have yours created. If you use simple allow everything to everywhere type rules, then that application will be allowed to do whatever it wishes, whenever it wishes and you will likely never see another alert.

No, I use rules of the "only allow as little as possible, or even less" variety.

You assume that I am at the computer at the time the question is asked. You further assume that the number of applications I want to block is relatively small compared to the number of applications I want to allow. Both assumptions are incorrect.

> If the program is safe and trustable, an "allow outgoing" rule would be safe.

No, that is not true. I have a whole lot of programs which are "safe and trustable" and I *still* want to block them, simply because they have no business communicating and for this reason alone I won't let them communicate. I don't care if they want to look up new versions or notify me of fixed bugs - if I wanted them to communicate, I would give them an "allow" rule.

> Where should your program learn bad behaviour from?

Bugs, for example. If a program can't communicate, it won't be influenced by buffer overflows in a poorly written communication layer, for example. I have to take that risk with applications that e.g. download data from the internet, but there is no reason why I should risk it with applications which don't need the internet to function.

> Outgoing only rules are much more safe, especially when you trust your programs.

I don't. That sums up my position, I think :-)

> Do you trust your firewall by the way?

Not until I get to know it well. I don't trust CIS yet. But I am trying to understand it well enough to trust it.

> You never allow games (outgoing only)?

I don't play games anymore, and those few that I do play don't need an internet connection.

Did you try my suggestions?

I should have said, “more difficult to tackle using intuition alone”.
I didn’t try it yet, but I am sure it will work - it really is quite obvious, as soon as someone points it out :-)