CFP 3: application rules vs global rules - how does that work???? [Resolved]

Hello everyone!

To be honest, I just came from v2.4 and I now tried for 3 whole days to get my computer to work with v3 as it did with v2.4.

My biggest problem is that I do not understand the difference between an application rule (AR) and a global rule (GR). Normally I would assume, a GR overrides an AR, but that does not seem to function.
Vice versa does not work, too.

A short example:
I set up GR for cfosspeed (traffic shaping program) - not working.
I set up AR - not working.
I set up AR AND GR - working, but doesn’t make sense to me.

What is the mutual influence of AR and GR? Why don’t I have to set a GR to allow IP traffic, why don’t I have to set a GR for blocking IP traffic?
Setting up rules was much easier in v2.4.

To keep it straight: I just don’t want to allow ALL in- and/or outbound traffic to an application - that’s what’s done if one is using the “safe” option within the firewall. I want to use the “custom” policy with fitting sets of rules - cfosspeed does not need to talk other protocols/targets as I tell it.

Is there somewhere around a good explanation of how to set up rules and how they interact?

I would be so ■■■■ grateful… :-*

Oh, just to mention it: I read the manual, I surfed the forums. I found some information, but only fragments, not enough to really understand - just enough to assume…

Thanks in advance,
Frankster

I don’t use global rules but will try to explain them anyway. :slight_smile:
For incoming connection requests, the global rules are evaluated first, top to bottom, and if the request is not blocked it is passed to the application rules for further action. There it can be blocked, allowed, or ask you what to do depending on your rules there.
For outbound connection requests, the application rules are evaluated first, based on the application, and again it can be allowed, blocked, or ask you what to do if there is no definite rule. If it is not blocked it is passed to the global rules for final evaluation as to whether to block or allow.
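
The evaluation order described in the post above, as a simplified model added here for illustration (not Comodo's code and not part of the thread). The rule fields, the constructed rule sets, and the treatment of a request that no global rule matches as passed on are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str     # "allow" or "block"
    direction: str  # "in", "out" or "any"
    protocol: str   # "tcp", "udp", "icmp" or "any"

    def matches(self, direction, protocol):
        return (self.direction in ("any", direction)
                and self.protocol in ("any", protocol))

def first_match(rules, direction, protocol):
    """Action of the first matching rule, top to bottom, or None."""
    for rule in rules:
        if rule.matches(direction, protocol):
            return rule.action
    return None

def evaluate(direction, protocol, app_rules, global_rules):
    """Return 'allow', 'block' or 'ask' for one connection request."""
    # No matching application rule means the user is asked.
    app = first_match(app_rules, direction, protocol) or "ask"
    # Assumption: a request no global rule matches is passed on.
    glob = first_match(global_rules, direction, protocol) or "allow"
    if direction == "in":
        # Inbound: global rules first, then the application rules decide.
        return "block" if glob == "block" else app
    # Outbound: application rules first, global rules give the final verdict.
    return glob if app == "allow" else app

# Constructed rule sets (addresses and ICMP types are left out of the model).
BLOCK_ALL_IN = Rule("block", "in", "any")
STEALTH_GLOBAL = [BLOCK_ALL_IN]
GLOBAL_WITH_EXCEPTION = [Rule("allow", "in", "icmp"), BLOCK_ALL_IN]
APP_RULES = [Rule("allow", "out", "tcp"), Rule("allow", "out", "udp"),
             Rule("allow", "in", "icmp"), Rule("allow", "out", "icmp"),
             Rule("block", "any", "any")]  # final block rule

def inbound_icmp_results():
    """Inbound ICMP under each combination of rule sets."""
    return {
        "app rule only, block-all global": evaluate("in", "icmp", APP_RULES, STEALTH_GLOBAL),
        "global exception only": evaluate("in", "icmp", [], GLOBAL_WITH_EXCEPTION),
        "app rule and global exception": evaluate("in", "icmp", APP_RULES, GLOBAL_WITH_EXCEPTION),
        "app rule, no global rules": evaluate("in", "icmp", APP_RULES, []),
    }

if __name__ == "__main__":
    for case, verdict in inbound_icmp_results().items():
        print(f"{case}: {verdict}")
```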

@sded: Ok, thanks & understood so far. That means, that you have a block rule at the end of every AR?

And furthermore, if you don’t use GRs does that mean, you don’t have a single GR? None? Empty?
Strange, since that means that only AR are applied and incoming traffic is floating freely until blocked by an AR.

On the other hand, it wouldn’t make sense then to add a GR for outbound traffic - I saw lots of people doing exactly that. Are they all failing?

Question: How do your AR & GR look? Can you provide a screenshot?
What about the separation of incoming/outbound traffic concerning AR and GR?

tia, Frankster

I just forgot to ask: is it safe to work without a GR? How is traffic blocked if not by a GR? Only by an AR?
Is it possible to use only GR? How is outbound traffic checked if only GR are used?

I don’t understand the kind how CFP 3 is working and how the rules are interacting… :cry:

And I can’t get cFosspeed to work - which is indeed a bit ■■■■■■ (see my posts regarding that, they are sticky).

cFosspeed needs TCP/UDP from host to www.cfos.de, ICMP In Echo Request from www.cfos.de and ICMP Out Echo Reply from host.
I couldn’t get it to work properly with single AR or single GR, only with the same AR and GR. Strange, indeed…

Anyway, CFP3 had several crashes, excusing itself for the inconvenience and a following restart of the computer.
Never had such negative experience with 2.4.
I installed without defense+ (disabled) but with leaking protection. Stealth ports setting is in the middle option (don’t remember the option).

Bump

I don’t use global rules at all and it is perfectly safe. Opening of ARs is attached. Final AR is a block and log for all inbound; outbounds not on the list generate an “ask”. Without the final block and log, inbound would generate an “ask” also.

[attachment deleted by admin]

@sded: Thanks… :wink:

As far as I can see (and as far as I understand), not using any GR is working ok, though not perfectly safe.
Inbound traffic has to pass GR first, then AR comes into play. “Block all incoming connections”-setting would create a “Block And Log | IP | In | From Any IP Address | To Any IP Address | Where Protocol is Any”-rule - that would be perfectly safe. Not using any GR results in having inbound traffic (such as attacks) coming in without a problem.
Btw: the manual recommends to use the “Block all incoming connections”-setting…

You ought to notice, that the firewall logs are empty concerning unwanted inbound traffic…

Or am I wrong?

I took a closer look at all the switches from v3.0 and saw, that using the “Custom policy”-setting (in opposite to the “Safe policy”-setting) means, that traffic gets interrupted if ANY block-rule matches. That explains my experience to have all rules set in AR and GR all the same.

As far as I understand now, I would create AR for applications with a block rule at their end and use the “Block all incoming connections”-GR. That ought to be veeery safe… 88)

Anyway, I wonder if that works with “Custom policy”-setting… :o

Thanks again,
Frankster

PS: There are still more questions than answers… anyone???

Not having global rules is perfectly safe, per Egeman and other experts. See https://forums.comodo.com/empty-t20880.0.html , for example. The unrouted traffic ends up being directed to Windows Operating System (not a real application) where it can be blocked or blocked and logged. Unless you have an application rule to allow the incoming traffic, you will be asked what to do with it. Or have it blocked by the final application rules in my case. I use custom policy mode since the rules Comodo makes usually need to be edited anyway to my satisfaction. But until you understand how packet filter rules work in Comodo, going to stealth port wizard and stealthing the ports works fine. You just need to add exceptions in your global rules to allow inbound you really use, like games, P2P, active FTP, … that won’t work otherwise as you have discovered. Global rules are a convenience for a lot of users, but not a necessity and more of an annoyance to experienced users of packet filters. :slight_smile:

Indeed. If it wasn’t safe, I wouldn’t have put it in the FAQ’s | Common Issues & Solutions | Threads:

Advanced Ruleset To Replace Global Rules: https://forums.comodo.com/index.php/topic,18580.0.html

Thanks Soya, I did a search for that thread and couldn’t find it. Guess I haven’t checked the FAQs often enough. (:CLP)

Well, thanks to both of you. O0

I just read in a few other threads, also from sded ;), that WOS is essential for applying network control. In addition, I found the relationship between AR & GR explained (to some degree).

Problem was for me, that WOS never ever (I installed a few times on a fresh Win XP - thank Ghost!) showed up in my configuration. I found out how to activate it (Running process blah blah).

So, I’ll give it another try… ;D

It’s hard to convince me - but only until I understand fully. :wink:

PS: I found out there are a few parameters to start CFP with, but I didn’t find out how to minimize disk space for the installation. It’s a major hog when it comes to space, not the installation directly, but the amount of files is horrible, imho.
Is there a way to get rid of the help files and the backup data?

Use global rules if you feel more comfortable. Many just find it a PITA to look both places every time you do a setup.
Don’t know what you consider a lot of disk. The firewall is 16.5MB, and the .chm you could remove is 3MB. The repair folder is 25.8MB and the virus scanner is 8MB. Not much of a dent in a multi-GB hard drive. If you want to move the .chm and repair folder to an offline drive, you should be able to. If you don’t use the virus scanner, you can move the signatures folder offline too.

The disk usage issue is !ot!, but let me summarize: if you delete almost any CFP file, come the time when you run the internal updater or auto-update, CFP will re-download them.

@sded: thanks for the info. I’ll test without any GR except for the self-created from the stealth-manager. So far I discovered it’s working - I just had a few anomalies regarding in/out traffic and a few crashes/no responds of the firewall. That confuses me a little, but I still investigate this. Until now, I think v2.4 is more stable (on my machine, in my environment).

@soyabeaner: thanks for the info and the valuable reminder of being off topic - asking a 2nd question within a post should not automatically be considered off-topic, since it was just so easy to answer it.
There are a lot of posts from a lot of people (including you) who just only say “good”, “great”, “that’s cool”, and so on - they are perhaps not off-topic, but nonetheless redundant, time- and space-consuming. :wink:

v2.4 has 8 MB in size, v3.0 has over 60 MB in size. That’s impressing… Hopefully the next stable returns to a smaller footprint, or at least to a stable version like 2.4 was… :-\

Anyway, I think this thread can be closed. Thanks again!

It may be a small question, but this forum isn’t exactly small. I’ve seen many that jump in and cause the momentum to shift drastically before 88). Plus, there’s already one dedicated to the disk usage issue:
https://forums.comodo.com/bug_reports/disc_useage_not_50_mbytes_as_claimed_but_63_mbytes_up_to_another_847_mbytes-t22846.0.html

Thread closed :-*