Custom rules being ignored

I downloaded COMODO a couple of days back and I love the features of the program and I would really like to use it if it wasn’t for the fact that I just can’t get my custom rules working. I have read lots on this forum about how the rules work in COMODO, but still I can’t make it work. Either I’m being really dumb, or there is some other problem.

Please see the below list of the rules I have created (both application and global). Is there any reason why COMODO would continue to block every application / port / IP that I have specifically allowed? I will admit that I deleted all the preset rules that were in COMODO after the install (I wanted to completely build my own custom rules). Are any of these pre-configured rules essential for running COMODO?

I am running COMODO in custom policy mode and with these rules in place EVERYTHING appears to be blocked (I cannot even connect to my router).

Any help would be appreciated

Rules:

Application Rules
iexplore.exe :- (rules taken from predefined Web Browser rule)
Allow Access to Loopback Zone
Allow Outgoing HTTP Requests
Allow Outgoing DNS Requests
Block and Log all Unmatching Requests

svchost.exe :-
Allow UDP out from PC1 to [Home Network] Where Source Port is Any Destination Port is 1900
Allow UDP out from PC1 to [Home Network] Where Source Port is Any Destination Port is 53
Allow UDP out from PC1 to [Home Network] Where Source Port is Any Destination Port is 5355
Allow UDP out from PC1 to [Home Network] Where Source Port is Any Destination Port is 3702
Allow UDP out from PC1 to [Home Network] Where Source Port is Any Destination Port is 67
Allow UDP out from PC1 to [Home Network] Where Source Port is Any Destination Port is 138
Allow UDP out from PC1 to [Home Network] Where Source Port is Any Destination Port is 137

Global Rules
Allow UDP out from PC1 to [Home Network] Where Source Port is Any Destination Port is 1900
Allow UDP out from PC1 to [Home Network] Where Source Port is Any Destination Port is 53
Allow UDP out from PC1 to [Home Network] Where Source Port is Any Destination Port is 5355
Allow UDP out from PC1 to [Home Network] Where Source Port is Any Destination Port is 3702
Allow UDP out from PC1 to [Home Network] Where Source Port is Any Destination Port is 67
Allow UDP out from PC1 to [Home Network] Where Source Port is Any Destination Port is 138
Allow UDP out from PC1 to [Home Network] Where Source Port is Any Destination Port is 137
Allow TCP out from PC1 to IP Anywhere Source Port Is Any Destination Port is 80
Allow IP out from PC1 to in [Loopback Zone] Where Protocol is Any

I think you are missing a few rules on iexplorer. You can actually use the Predefined Policy: Web Browser

My Svchost is set to allow Any IP Out.

My Global rules are just Block ICMP…

I have IE and FF set as web browser by using the predefined rules. I have svchost, explorer.exe and system set to Outgoing only. My only global rule is the one for P2P “echo block”.

According to these rules, the only application you have allowed to access the internet is Internet Explorer. Is this really all your rules, or are there other block rules? Does anything appear in your firewall log? Your global rules are unnecessary, but shouldn’t do any harm. What does your outgoing DNS request rule for IE say? What does your HTTP rule say? You should be getting popups for most of your other attempts. Your router access from IE is something like http://192.168.1.1? And you get what, “page cannot be accessed”? And something in the log?

Yes, that is right. IE is currently the only application allowed out on the internet. This is simply because I am starting from the very basics and haven’t set everything up yet. However I believe my rules should be enough to allow a connection to my LAN and for IE to view web pages.

There are no other rules blocking any traffic. The rules I posted are all I have. The rules for IE are the rules from the Web Browser predefined policy, so it is allowed outgoing TCP on ports 80, 8080, 443 and UDP on 53. The other rules simply allow DNS, UPnP, NetBIOS, etc. out onto my LAN. This should be the basics that I need to obtain a connection to my LAN, however with custom policy mode enabled, I can’t even get a connection. In case you are wondering, Home Network is a custom zone (yes I like to customise!) containing my LAN’s IP range, my router’s IP (192.168.1.1) and a bunch of multicast / broadcast addresses such as 192.168.1.255, 255.255.255.255, etc.

My logs show nothing being blocked. The global rules are there as an experiment as I read that traffic must pass the application rules AND the global rules to be allowed out. My problem is that I will still get pop-ups for things such as svchost connecting to 192.168.1.1 on udp port 53, even though I have rules that explicitly allow this. Port 53 is an example, I also get pop-ups for any of the other apps / ports I have allowed.

It seems as though COMODO just can’t see (or is ignoring) the rules I have in place and thinks “Oh, I can’t see any rules explicitly allowing or blocking this traffic, so I better ask the user”. I’m not bothered about getting pop-ups for traffic I haven’t allowed, but it’s quite frustrating when I still get pop-ups for all the traffic that I have allowed.

I don’t want to allow svchost outgoing to anywhere as some of you suggested, simply because you never know what is running under svchost. As far as I’m aware, allowing svchost out to my LAN on the ports I have listed should be sufficient.

Sorry if this post is a bit long, but hopefully it makes a bit of sense.

I appreciate you guys helping me.

Hmm, I seem to have resolved this by allowing IE and svchost full access to everything temporarily and then re-applying my restrictive rules.

Any idea why this would happen?

Also, is there any way to recreate the Block and Log all ‘Unmatching’ traffic rule that is applied to the Web Browser policy by default? I want to create some similar predefined policies that log anything that isn’t allowed by the rule.

Thanks

Hi scifi76,

If you wish to create your own rule which ends in the Block and Log all unmatching requests, you need to use the Copy From drop-down: select Custom Rule, click Copy From and choose Outgoing Only. This gives you the 2 rules but in the Custom format. Next, edit the top rule to what you want or add your own rules.

Matty

PS: maybe your computer hadn’t got its IP from your router via DHCP.

Did a reboot and COMODO started blocking all my ‘allowed’ traffic again! ARRRGGH!

Edit: DHCP works on port 67 which is one of the ports I had allowed. But even so I don’t think my PC was able to be assigned an IP, due to COMODO ignoring the allow rule.

For your IE rules, do you allow DNS requests to go to any IP? How do you have PC1 defined? Some UDP can come from any non-privileged port, others are restricted to specific ports. Do you have a DNS server on your LAN?

I only allow DNS requests to my router (192.168.1.1) as it offers a DNS lookup service. I will try allowing DNS out to anywhere on the internet to see if that helps any.

PC1 is just the hostname of my PC. So for the IE DNS rule I’m currently saying, Allow PC1 to make UDP requests to 192.168.1.1 from any port to remote port 53.

I will try allowing DNS to anywhere and post back with the results. However I’m tempted to believe that my rules are correct as I had it all working after deleting and re-creating my rules, but then when I rebooted the PC the problem came back…

BTW… What action does COMODO take when I hit Cancel on a pop-up?

CFP3 seems to remember what you did for the length of a session in some cases, so that you need to reboot for new rules to take over. Also, when IE does a DNS lookup it may use the IP of the DNS server that you got from your ISP when you brought up your internet link. Or do you designate your DNS as 192.168.1.1 when you set up your NIC? If you want to restrict the DNS space, make a zone consisting of the DNS servers you want to allow and allow that zone port 53 as a destination, as well as entering them into your NIC.

I do not designate 192.168.1.1 as my DNS in the NIC settings, it is simply set to auto-detect. When I do ipconfig /all it lists 192.168.1.1 as the DNS server.

This is why I have only allowed DNS to 192.168.1.1

Edit: I have now allowed DNS requests on port 53 to any IP for IE, svchost and system. The problem still persists.

If I disable the firewall, connect my NIC to the network and then change the firewall mode to Custom Policy, things seem to be working correctly (although it may be allowing all traffic). Disconnecting and reconnecting my NIC while the firewall is in Custom Policy mode causes the pop-ups to appear.

EDIT: First let’s try something simple. Put a “block and log all” as your last application rule to see if something else is trying to get out. Should get a popup already, but? Also check your D+ log: what mode is D+ in?

If you want to see what is really happening at your NIC, download a copy of Wireshark and look at the traffic. You should be able to see the DHCP setup, as well as DNS traffic in both directions when you bring up your network. Sounds like your router is handling the traffic OK; don’t know where the responses are being blocked. I have attached a Wireshark log of a typical network startup in case you haven’t used it before. Another thing to try is setting your source IP to Any; just haven’t seen a lot of reports from users with the hostname option. May need to explicitly allow responses if SPI doesn’t recognize it? BTW, did you turn CFP off and on again after changing the DNS request setup?

[attachment deleted by admin]

Comodo is a default deny firewall.
This means that all actions will be denied unless you allow them.
Therefore the requested action will be denied when you hit cancel.

Regards,
Mike

WOW Finally I think I have figured it out! Well actually credit goes to sded for the help.

I changed the Source from PC1 to Any on my rules and it all started working. This is fine as I know the source for outgoing traffic should always be my PC. Not sure if this is a potential bug though?

Out of interest I put a log rule on all the apps / ports I was trying to allow and I noticed that when the Source for the rule was set to PC1, COMODO blocked the traffic because it was coming from fictional addresses such as 0.0.0.0.

I’m not sure if that means anything to anyone else. I’m just pleased to finally be able to use the great software the way I want.

Also I’d like to say that the support you guys are giving is outstanding! If only all software was supported as well as COMODO.

Thanks again.

Glad you got it working. Actually it sounds like you found two bugs:

  1. Your host name should have included 0.0.0.0 and localhost, otherwise it doesn’t seem very useful; don’t know what it does include, since you can have multiple NICs active and the computer itself doesn’t have a normal IP address, just the NICs do. The Wireshark log attachment shows how all this stuff is used in the setup.
  2. You aren’t blocking anything after IE, so you should have gotten a popup asking to OK the broadcast from 0.0.0.0 that is part of every DHCP setup. And other requests involving 0.0.0.0. Maybe related to 1)?

You can submit a bug report using the directions at https://forums.comodo.com/bug_reports/read_how_to_submit_bugreports_v21_read_this_if_you_want_them_fixed-t14969.0.html . Reference this thread in the report, and add any details you can. Or maybe you are the last user to give up on host name. :wink:
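The failure the last two posts describe, as an added toy model of the rule matching (example code, not Comodo's own): first matching rule decides, no match means a pop-up, and a packet must clear the application rules and then the global rules. Assumed, since the page does not say: "PC1" resolves to a single configured address (192.168.1.10 here), the Home Network zone is approximated by two constructed networks, and an unmatched global list lets outbound traffic through.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional
HOST_IP = "192.168.1.10"  # assumed: the address "PC1" resolves to once DHCP is done
HOME_NETWORK = [ip_network("192.168.1.0/24"), ip_network("255.255.255.255/32")]  # zone, approximated

@dataclass
class Rule:
    action: str           # "allow" or "block"
    proto: str            # "udp", "tcp" or "ip" (any protocol)
    src: str              # "pc1" (resolved to HOST_IP) or "any"
    dst: str              # "home" (the Home Network zone) or "any"
    dport: Optional[int]  # None = any destination port

@dataclass
class Packet:
    proto: str
    src_ip: str
    dst_ip: str
    dport: int

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    proto_ok = rule.proto in ("ip", pkt.proto)
    src_ok = rule.src == "any" or pkt.src_ip == HOST_IP   # a 0.0.0.0 source fails here
    dst_ok = rule.dst == "any" or any(ip_address(pkt.dst_ip) in n for n in HOME_NETWORK)
    return proto_ok and src_ok and dst_ok and rule.dport in (None, pkt.dport)

def first_match(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule decides; no match at all means 'ask' (a pop-up)."""
    for r in rules:
        if rule_matches(r, pkt):
            return r.action
    return "ask"

def verdict(app_rules: List[Rule], global_rules: List[Rule], pkt: Packet) -> str:
    """Assumed: clear the application rules, then the global rules; an unmatched global list allows."""
    app = first_match(app_rules, pkt)
    if app != "allow":
        return app
    glob = first_match(global_rules, pkt)
    return "allow" if glob == "ask" else glob

# Constructed sample traffic: a DHCP Discover sent before the PC has an address, then a DNS query.
DHCP_DISCOVER = Packet("udp", "0.0.0.0", "255.255.255.255", 67)
DNS_QUERY = Packet("udp", HOST_IP, "192.168.1.1", 53)
PORTS = (1900, 53, 5355, 3702, 67, 138, 137)             # the thread's svchost.exe rules
SVCHOST_PC1 = [Rule("allow", "udp", "pc1", "home", p) for p in PORTS]
SVCHOST_ANY = [Rule("allow", "udp", "any", "home", p) for p in PORTS]
BLOCK_REST = [Rule("block", "ip", "any", "any", None)]   # "block all unmatching" tail rule
```

With the PC1 rule set the DHCP Discover falls through to "ask" (the pop-up), with Source set to Any it is allowed, and appending the tail block rule turns the pop-up into a logged block instead.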

I am happy to give up on source host names for now, but I will submit a bug report as well as I would like to see it resolved and help out as much as I can.