Tell me something
If you have to create a network rule to allow incoming packets to a specific port to run a torrent client, that port will always be open even if the client is closed!
So why can’t an application rule be sufficient enough? Or why can’t a network rule be fired when the corresponding application rule is fired? In other words, why can’t Comodo see that an application has launched, and then activate the firewall rule ONLY when the program is running?
And on top of that having to create a global network rule is a security risk because any packet can enter the computer even if it’s not associated with the application. When using application rules, won’t the firewall block the packet if it wasn’t asked for by the application?
Let’s say I’m downloading a torrent. The tracker says that computer IP 78.123.45.XX has the file. The firewall then allows that IP address because the client told it to expect packets from that IP. Meanwhile a hacker at 24.566.54.XX decides to scan the port I’m using and he is allowed to enter because of the global network rule being enforced. But isn’t an application rule much safer because a hacker can’t get into the computer unless the application rule allows it?
CPF and many other personal firewalls implement the same multi-layer protection concept. If a port is opened via a network rule, it means that the port can be scanned and accessed from the outside. However, the application layer limits this access depending on the protocol allowed in.
The example you gave about the bit torrent tracker is not accurate, because traffic is allowed in based on port number and not IP address (provided that the firewall is configured optimally).
The bottom line is that a firewall inbound rule is not less safe than the applications and network traffic allowed to go through. In other words: a malicious attacker would have to exploit vulnerabilities in the application itself (e.g. Azureus, uTorrent, etc …) or the bit torrent protocol stack itself. And in that case, no firewall would help, you’d have to go to HIPS and beyond …
Nearly right - close but no cigar!
Allowing a port within the network monitor does not make the port open UNLESS there is an authorised application currently running that will utilise that port. If there is not an application running, then the port is stealthed.
This is Comodo’s implementation of adaptive stealthing.
Hope this helps,
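The two-layer decision the reply above describes, as an added illustration that is not part of the thread and not Comodo's code: a small Python model of a network (port) rule combined with an application rule and adaptive stealthing, where an inbound probe is only accepted while an authorised application is actually running and bound to the allowed port. The rule fields, port 56000, the application name and the scanner address are assumptions.

```python
# Added illustration (not Comodo's code) of the two-layer inbound decision described
# in the reply above. Rule fields, the port and the application name are assumptions.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    proto: str     # "tcp" or "udp"
    src_ip: str    # never consulted: inbound access is decided by port, not source IP
    dst_port: int

@dataclass(frozen=True)
class Rule:
    proto: str     # "tcp", "udp" or "any"
    dst_port: int
    app: str = "*" # "*" for a network (port) rule, executable name for an application rule
    def matches(self, pkt: Packet, app: str = "*") -> bool:
        return self.dst_port == pkt.dst_port and self.proto in (pkt.proto, "any") and self.app == app

@dataclass
class Firewall:
    network_rules: list = field(default_factory=list)
    app_rules: list = field(default_factory=list)
    listeners: dict = field(default_factory=dict)  # (proto, port) -> running app bound to it

    def app_started(self, app: str, proto: str, port: int) -> None:
        self.listeners[(proto, port)] = app
    def app_stopped(self, app: str) -> None:
        self.listeners = {k: v for k, v in self.listeners.items() if v != app}

    def inbound(self, pkt: Packet) -> str:
        # Layer 1: network monitor. No rule for the port -> silently dropped (stealthed).
        if not any(r.matches(pkt) for r in self.network_rules):
            return "DROP"
        # Layer 2: adaptive stealthing. Port answers only while an authorised app is bound to it.
        app = self.listeners.get((pkt.proto, pkt.dst_port))
        if app is None or not any(r.matches(pkt, app) for r in self.app_rules):
            return "DROP"
        return "ACCEPT"

def scenario() -> list:
    """Port 56000 allowed inbound; torrent client closed, then running, then closed again."""
    fw = Firewall(network_rules=[Rule("any", 56000)],
                  app_rules=[Rule("tcp", 56000, "utorrent.exe")])
    probe = Packet("tcp", "203.0.113.7", 56000)  # constructed scanner address
    results = [fw.inbound(probe)]                # client closed: DROP
    fw.app_started("utorrent.exe", "tcp", 56000)
    results.append(fw.inbound(probe))            # client running: ACCEPT
    fw.app_stopped("utorrent.exe")
    results.append(fw.inbound(probe))            # client closed again: DROP
    return results
```

Note that the source address plays no part in the decision, which is the point made earlier in the thread about access being granted by port rather than by IP.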
Wow. You’re right.
I have a firewall rule to allow tcp/udp in from any to any on port 56000. I scanned at grc.com and it was stealthed.
You gotta love it when they seem surprised that you’re right. 88)
Glad it helped.