Couple of questions


I have couple of questions regarding the latest firewall version 3.x which I was forced to install yesterday. I say forced because I have been Kerio 2.15 user till now. Unfortunately Kerio doesn’t work in XP x64 and there are not so many alternatives in the 64bit world.

  1. There are the two rules lists. One for applications and one for global rules. I understand that a packet must pass both one them independently.

As an example, let’s consider DNS, I made a global rule:

[ALLOW] [local (source) ANY] [remote (dest) ANY (port 53)] [UDP] [OUTgoing]

Unless I create the same rule for svchost.exe in the app tab it is not going to work, right?

  1. Zones, I created a green zone using either an IP range or net+netmask and selected the zone in one rule. The rule didn’t fire up. The rule was correct, the zone was correct. I changed the rule and instead of the zone I specified directly an IP range in the rule. The same range as in the zone and suddenly the rule started to work. Is it a bug?

  2. Sometimes I can’t change the rules, I have to delete them and create again.

  3. Is it possible to simply disable one or more rules? I guess the only is to use the predefined rules. Deleting and creating is not really an option for testing purposes.

  4. In the event browser, is it possible to see which rule actually triggered the messege? I see only what was blocked or allowed but I have no idea which rule is to blame.

  5. Can anyone post here or PM me working set of real-world rules? Preferably hand-made not auto-learned so that I can see how to set them up properly in comodo.

  6. For the HIPS, what should be the predefined setting for most of the applications? Trusted? Does it influence the firewall in any way?

Thanks in advance


G’day and welcome to the forums.

Pull up a chair, this is a long one …

Re. your point 1, DNS outbound requests will work if you have an Application Policy to cover it. It doesn’t require a Global Policy as well.

Re. your point 2, I’ve never had a problem with zones, other than my own stupidity creating broken rules. This, I believe is known as “dumbage” - damage caused by an idiot). I suspect that there is a slight (handful of seconds) lag when a new zone is defined. I make a habit of rebooting if I have made major changes to the firewall,just to ensure the new config is initialised.

Re. your point 3, I know you can’t rename a zone and have the new zone replace the old name in any previously created rules that used the old name. This is a PITA and has been around for a while. It’s almost passing “bug” status and gaining “charming quirk” status. :wink: Hopefully, one day, they’ll fix it.

Re. your point 4, you currently can’t just disable a rule, although this has been previously requested and added to the wishlist. Comodo are exceptionally responsive to user suggestions, so feel free to reinforce this in the Wishlist topic.

Re. your point 5, no but this is a good idea. Please add this to the Wishlist as well.

Re. your point 6, as follows are my “hand rolled” Global rules

Action : ALLOW
Protocol : IP
Direction : OUT
Description : HOME LAN zone outbound
Source Address : ANY (In CFP speak, this is your PC)
Destination Address : ZONE - HOME LAN (Previously defined to include IPs only from home network)
IP Details : ANY

Action : ALLOW
Protocol : IP
Direction : IN
Description : HOME LAN zone inbound
Source Address : ZONE - HOME LAN (See above)
Destination Address : ANY (In CFP speak, this is your PC)
IP Details : ANY

Action : ALLOW
Protocol : IP
Direction : OUT
Description : ACTIVESYNC zone outbound
Source Address : ANY (See above)
Destination Address : ZONE - ACTIVESYNC (Previously defined to include IP only from PDAs)
IP Details : ANY

Action : ALLOW
Protocol : IP
Direction : IN
Description : ACTIVESYNC zone inbound
Source Address : ZONE - ACTIVESYNC (See above)
Destination Address : ANY (See Above)
IP Details : ANY

Action : BLOCK (Logging activated)
Protocol : ICMP
Direction : IN
Description : Detect inbound ICMP
Source Address : (EXCLUDE selected)ZONE - HOME LAN (See above)
Destination Address : ANY (See Above)


Rules 0 and 1 allow communication between local LAN nodes, providing the application requesting the outbound or inbound access has an Application Policy that allows it.

Rules 2 and 3 allow communication between the local PC and a connected Windows Mobile PC (this zone (ACTIVESYNC) has addresses in the 169.254.2.X range and the zone is defined accordingly), providing the application requesting the outbound or inbound access has an Application Policy that allows it.

Rule 4 blocks and logs all ICMP ECHO REPLY REQUESTED packets, except for those originating in the HOME LAN zone.

That’s it as far as my Global Policies go. Note that there are no inbound rules, other than the local LAN ones, except for the BLOCK with EXCLUDE one. When I need to run an app that can accept an inbound connection, I load a config that contains that rule. When I no longer require the inbound rule, I drop that config and load my standard one (The import, export and management of configs are done in CFP - MISCELLANEOUS - MANAGE MY CONFIGURATIONS).

A little tip for configs - importing a config doesn’t make it active. To make it active, you need to choose the newly imported config using the SELECT button. All of your currently imported configs are listed under SELECT, so this makes it very easy to switch between configs.

The key to tight control really lies in the Application Policies.

If you are using CFP out of the box, the firewall will prompt for access whenever an application attempts inbound or outbound comms. How tight the auto created rule is depends on the level selected in Firewall Behaviour Settings (CFP - FIREWALL - ADVANCED - FIREWALL BEHAVIOUR SETTINGS - ALERT SETTINGS). Setting this to VERY HIGH will produce an application specific rule that specifies Direction, Protocol, Source/Destination Address and Requested Port. Lower settings produce correspondingly looser rules.

Re. your point 7, the HIPS (Defense+) pre-defined rules for specific topics (Web Browser etc.) are reasonably tight, but Trusted Application pretty much grants open slather rights. If you want to do it the hard way, you can create your own pre-defined application types. For example, I have an application type of SAP, which allows access on ports 3200-3299, 21490, 1432 and 11980. This allows the SAPGui outbound access, an inbound local service connection and a SAP install modification to be done.

It’s really up to you how to define them. If you trust your apps, let them be trusted. If you want to hand roll everything, you can.

Sorry this is so long, but I hope this helps your migration from Kerio to CFP.

Hope all this helps,
Ewen :slight_smile:

Hi Ewen,

thanks for your welcome and for your reply. I’m sorry for my late reply too. I see this board is pretty busy, finding my post on 2nd page :slight_smile:

I’ll go through your post thoroughly tomorrow and post back.


NP. Hope my ramblings help.

Ewen :slight_smile:

Yep I found your post very useful. Check out your ■■■.