Blocking IPs Tutorial

Since CFP has statefull inspection of the packets there are two rules for blocking IPs; 1 for blocking outgoing connections and 1 for blocking incoming connections.

1.Blocking outgoing connections
(this rule will prevent your computer to initiate a connection with a banned IP)

Action = Block
Protocol = TCP or UDP
Direction = Out
Source IP = Any
Destination IP = The IP you want to block
Source port = Any
Destination port = Any

2.Blocking incoming connections
(this rule will prevent a banned IP to initiate a connection with your computer)

Action = Block
Protocol = TCP or UDP
Direction = In
Source IP = The IP you want to block
Destination IP = Any
Source port = Any
Destination port = Any

If you want to ban someone in p2p you will need the second rule.
If you want to prevent any comunication with a banned IP both rules are needed

hope it helps,

Great idea - this should help a lot of people :slight_smile:

Just to clarify, do these block rules need to appear below any allow rules? Or doesn’t it matter?

If you are blocking specific IPs they need to appear ABOVE any allow rule that would permit the specificed IPs traffic.

Ewen :slight_smile:

Good stuff. Thanks for clearing that up

If you want to completely ban an IP address, using any protocol, instead of using the TCP or UCP, specify IP, then just put in the offending IP address.

Instead of making 2 diffrent rules cant you just combine them into one rule with the direction bieng in/out?

No you can’t, as for inbound rules, the other party is the source, for outbound rules the other party is the destination.

You can’t put the same address in for source and destination as the firewall would then test if the one chunk of data was coming from X and going to X and as the data (assuming it was incoming) was coming from X but going to your IP, it would fail the block test and the data would then possibly be passed by one of the other firewall rules.

Hope this helps,
Ewen :slight_smile:

Is there a limit to how many rules Comodo can handle
and does resource-usage increase with more rules ?
I want to block about hundred ranges both in/out, should I use a third-party IP-blocker for that ?

Yes Pandlouk, how do you get out of this? ;D

Just use PeerGuardian Thats what I use and I’v had no problem with it,
I’v been using it for yrs. I use it on xp, I’m not sure if it works on vista tho.

oope I fotgot the e its

can also download from sourceForge:

Although I recommend PeerGuardian as a solid/stable app, I recommend against using someone else’s pre-defined blocklist ~~ esp the list(s) distributed via

that is BAD advice :
first, the story you link to is kinda old.
the internal kindergarden-affairs of and/or methlabs (what a name ! )
have no bearing whatsoever on the blocklists themselves ,
ALL the lists generally available are made and maintained by BISS (bluetack)
everybody else are just leaching them .

second, it sounds like you are suggesting that people should make their own lists from scratch ?.
WHY ? somebody has already done the research and blacklisted DoD, Halliburton, MAFIAA, M$
and all the other corporate crooks. Do you realise how many IP’s there are that have NOTHING
to do trying to connect to your machine ? good luck researching them on your own …

I’d agree with Gordon, PG2 is blocking as of today 739.142.241 IP’s…

With regard to the blocklists, the “bearing whatsoever” is this:
Nowadays, most links to download copies of the project-maintained lists are broken
The principal owner, or one of the principlal owners, of “methlabs” is steering people to with the intent of SELLING subscription access to the updated blocklists.

Someone else brought up PeerGuardian, so I felt compelled to post a caveat regarding the “pre-built” blocklists in circulation

Although I recommend PeerGuardian as a solid/stable app, I recommend against using someone else's pre-defined blocklist ~~ esp the list(s) distributed via

I advised against using a pre-defined blocklist.
Yes, I’m ABSOLUTELY recommending building your own list from scratch one IP at a time, rather than pursuing the alternative of cluttering the Comodo firewall ruleset.

Yes, I’m ABSOLUTELY recommending against use of the pre-built lists – they are just plain silly (to the point of being unusable). Most websites reside on shared servers, and in that hosting environment, most domains share IPs. You need to be EXTREMELY selective when choosing which IPs to block, else you wind up cutting off yer nose to spite yer face.

I don’t use P2P filesharing apps, and have no opinion as to which IPs reflect those of “corporate crooks”, but I sure as hell would disagree that the blocklists are “well-researched”. The list designers are truly misguided / paranoid / overzealous; here’s a single f’rinstance (among many):

Apparently due to the author(s) zeal toward blocking “Time Warner Communications”, one of the blocklist entries – a single line – has the effect of blocking 13,000+ websites hosted by (largely colo boxes racked in) the Portland, Oregon TWC datacenter.

More like “ill-conceived” IMO

You can’t take PG2 out of context. I don’t think it’s for browsing… not with the lists.
And you can choose what kind of lists you want.

Myself, i use no IP-blocker. Specially not going to build my own list, i have better things to do.

Close to a necro-bump but anyway:
If the banes bans are only for browsing the HOSTS Manager would be the better way imho.
It’s listed under free tools here:,1731.0.html
(A Bluetack-product as well)

Most block lists software have the option to white list any address you want. This combination ensures that you are able to reach the site you want to. Personally I think these lists are a good and time saving idea as opposed to creating your own. And it’s nothing new either. In the beginning days of spam, net blocks where used to cut off entire ranges to punish a Spam host. Sometimes innocent users where locked out from sending/receiving email by this. But it worked fine to prevent these hosts from housing spammers.

Just for your information, you can set up PG to run as a service. This way, it’ll work on a limited user account too. :wink: