Comodo vs server apps

Hey, I’ve used CPF for a while and I kinda like it. One thing that bothers me though is when setting up, for example, an FTP server. Even though I add the FTP server app in “Application Monitor” and allow both inbound and outbound TCP/UDP for it, I still have to open the port in “Network Monitor”. I don’t know if this is just because my FTP server app (FileZilla FTP Server) is doing something strange or not, but isn’t the desired behavior that if an application that is allowed to accept incoming connections listens on port x, and a client connects to it, the connection will be accepted? Or does Comodo have a different view on inbound traffic?

Welcome noof.

In essence, Network Monitor rules work in conjunction with Application Monitor rules. Network Monitor rules define which IP address may be connected to and from and also which ports to open or block.

Application Monitor rules define which applications are allowed to send and receive data across the connections defined by Network Monitor.

An in-depth explanation of Network Monitor rules can be found here:

How To - Understanding & Creating Network Control Rules properly

I hope this helps.

Ok, that’s what I thought was going on. So this basically means that when I want to host a multiplayer game (for example), I need to find out every port that is needed and allow them? I honestly think that this can be very confusing for some users, since they might think that creating a rule that allows inbound traffic for an application will mean that inbound traffic to that application is always allowed.

If I add a “Network Control Rule” that states that “IP In/Out TCP/UDP Any …” is allowed, will I still get a popup that asks me whether I want to allow inbound traffic for a certain app? (if that isn’t allowed yet that is)

Creating a rule to allow, effectively, everything IN, is not something you really want to do, as it could let something in that you don’t want.

Finding the ports that need to be opened to allow multiplayer games should be relatively straightforward, as they are generally published by the game manufacturer. You could also start here:

Please feel free to ask any questions to learn all about Computer Security.

With regard to setting up your FTP server you could also read this:

FTP server

Toggie

Thanks for your replies. First of all, I already have a linux box that I’m using as router with a very strict iptables config, so inbound traffic shouldn’t be a problem.

Is that really the case? Don’t the Network Control rules act as a filter before the application control rules are applied? If that’s the case, it should mean that I allow every app that is allowed to accept inbound traffic (allowed in the app. control rules, that is) to accept connections.

To let something in that I don’t want requires that I allow the app that receives the data to receive data. And since I’ve done that because I want the app to be able to receive data, it shouldn’t be any big deal. This works as long as I don’t have any apps where I only want to allow inbound traffic from my LAN (Windows file sharing would be the most obvious example). That case requires more advanced app control rules.

If I may jump in quickly…

In your scenario, noof, let me give an example:

Let’s say you have a rule to Allow UDP In from any Source to any Destination, on Destination Port 5682.

There should be a rule set in the Application Monitor to allow application X.exe to receive traffic on port 5682.

Application X.exe should be running.

If there is no application rule to match up with the allowed incoming traffic, it will be blocked. If the matching application is not running, it will be blocked.

The easiest example of this is P2P applications; after closing the P2P app, users typically find a lot of blocked incoming traffic on their defined P2P port, until it’s known that the system is closed.

If however, you just defined a network rule to Allow UDP In, Any Source/Destination/Port, you’d be wide open, since in essence it’s not filtered.

Hope that helps,

LM
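LM's three conditions above (network rule, matching application rule, application running), modelled as an added Python example that is not Comodo's code; X.exe and UDP port 5682 follow the post, the rule fields and other values are constructed for illustration:

```python
# Added example (not Comodo's code): model of how the thread describes CFP combining
# its two rule layers. Inbound traffic is accepted only if a Network Monitor rule
# allows it AND an Application Monitor rule allows the bound app AND that app is running.
from dataclasses import dataclass
from typing import Optional

ANY = None  # wildcard for a rule field

@dataclass(frozen=True)
class NetRule:  # Network Monitor: protocol/direction/address/port filter
    action: str               # "allow" or "block"
    proto: str                # "TCP" or "UDP"
    direction: str            # "in" or "out"
    source: Optional[str]     # ANY or one address
    dest_port: Optional[int]  # ANY or one port

@dataclass(frozen=True)
class AppRule:  # Application Monitor: which app may use which ports
    app: str
    proto: str
    direction: str
    port: Optional[int]

@dataclass(frozen=True)
class Packet:
    proto: str
    direction: str
    source: str
    dest_port: int
    app: str  # process bound to dest_port; "" if nothing is listening

def net_allows(rules, pkt):
    """First matching Network Monitor rule decides; no match means block."""
    for r in rules:
        if (r.proto == pkt.proto and r.direction == pkt.direction
                and r.source in (ANY, pkt.source)
                and r.dest_port in (ANY, pkt.dest_port)):
            return r.action == "allow"
    return False

def app_allows(rules, pkt, running):
    """The bound app needs a matching rule and must currently be running."""
    if pkt.app not in running:
        return False
    return any(r.app == pkt.app and r.proto == pkt.proto and r.direction == pkt.direction
               and r.port in (ANY, pkt.dest_port) for r in rules)

def decide(net_rules, app_rules, running, pkt):
    ok = net_allows(net_rules, pkt) and app_allows(app_rules, pkt, running)
    return "allow" if ok else "block"
```

The "wide open" network rule from the post passes the first layer for every port, but with this model a packet is still blocked unless some running application has a matching Application Monitor rule.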

Of course :)

Yes, but the application rules are still applied, or? Then for someone to take advantage of the open port, a malicious app must be listening for connections on my computer. And since I probably don’t allow weird apps to accept connections it won’t be a big deal, right?

My apologies for any confusion…

Creating a Network Monitor rule to allow inbound traffic on a port does not mean that port is open. While some firewalls hold the ports open in order to control responses, CFP does not. It will simply allow the traffic on that port for a matching application (i.e., Application Monitor rule), where that application is active/running.

So, in regards to your question, not only would a malicious application have to be listening on that port, you would have to allow it (Application Monitor).

This is why CFP is #1 against leaktests. It’s not bomb-proof, but it’s darn close! ;)

LM

Good day,

I’m currently testing CFP and I liked the idea that even though a certain port is allowed to be opened in the Network Connection Rules, if there is no program allowed to listen to that port in the Application Monitor Rules then that port will remain closed (stealthed).

Creating a Network Monitor rule to allow inbound traffic on a port does not mean that port is open. While some firewalls hold the ports open in order to control responses, CFP does not. It will simply allow the traffic on that port for a matching application (i.e., Application Monitor rule), where that application is active/running.

Unfortunately, it seemed counter-intuitive that even though a program has been allowed to listen to a port, a rule for Network Connection Rules must still be manually created. Shouldn’t a temporary rule be automatically created (but need not be shown) in the Network Connection Rules if an authorized application is running (and removed when the application is closed)?

The only reason I see for the current setup of CFP is that a malicious program might hijack/simulate the keyboard/mouse and automatically authorize itself when the alert pops up. Is this correct? If not (and there is no other logical reason), then can it be requested that applications authorized to open ports be automatically allowed to listen on them?

Regards.

… or is it CFP’s way of managing whether an authorized server application can be accessed locally only or by other computers?

Logic:
Application allowed to listen on port X.
If port X is not allowed in the Network Monitor Rules, then the server application can only accept connections locally.
But if port X is allowed in the Network Monitor Rules, then the server application can accept connections both locally and from other computers.

I have an Apache HTTP server running, and allowing it to accept connections only in the Application Control Rules, but not opening its port in the Network Monitor Rules, effectively limits it to accepting connections locally.

Wouldn’t it be more intuitive if this were done through the Application Control Rules? It would be a lot easier to see which server applications are allowed to accept connections from the net and which are local-bound only.

Regards.