Custom Rules: Only want Block Out but Allow IP out Automatically Added!?

I set a custom rule for an application to block outgoing traffic to an IP, e.g. 12.345.678.912 (not the actual IP that I used):
“Block TCP or UDP Out From MAC Any To IP 12.345.678.912 Where Source Port Is Any Destination Port Is Any”

After clicking OK and then reopening to check the rule, this was the only rule that I had. However, after rebooting the PC, another rule had been automatically added by Comodo so that I now had:

“Allow IP Out From MAC Any To MAC Any Where Protocol is Any”
“Block TCP or UDP Out From MAC Any To IP 12.345.678.912 Where Source Port Is Any Destination Port Is Any”

Why was
“Allow IP Out From MAC Any To MAC Any Where Protocol is Any” added?
It would appear that the rules conflict now so that the traffic is not blocked?
(does the rule order matter in this case?)

I don’t know why that is but 12.345.678.912 is not a valid IP address.

As I said above, that was just an example and not the address I actually used.
Why does Comodo add this Rule? In fact, it appears that all my applications have this rule [created by Comodo].
BTW, not sure if relevant, but I am running Comodo in Training mode (but never get asked what to do with a new application)

Do you mean it adds the rule when you answer alerts? If so then you probably have “alert frequency” too low, that setting decides what rule will be created when answering a firewall alert.

Also I’m sorry for any misunderstandings, at the moment I wrote the first post I was drunk and now when writing this I’m hungover, so my apologies if I’m misunderstanding.

You just answered your own question here. When in training mode Comodo will assume the PC is clean and has no malware, therefore all actions are permissible. This mode is used for training Comodo, generally after the computer is first set up/formatted, and is not recommended for long term use. The created rules’ granularity is controlled by the alert frequency level. By default it is set to lowest to generate the fewest number of alerts. Also rules are processed from the top down.

I see. I have used the wrong mode for a long time!
When setting it to safe mode, will I only get alerts for applications w/o any custom application rules (assuming that they are not on the safe list)?
When I get an alert, and I respond, will that create application rules?
In the example above, when something is allowed and then blocked, does that mean that it will be blocked? If I reverse the order (blocked and then allowed) would that then be allowed…? Not sure I understand the logic if the two rules are contradictory…?

Sorry for not noticing that you had it in training mode, my fault.

In ‘safe mode’ you will get alerts for unknown applications, meaning that you won’t get alerts for trusted applications, as I think you’ve already realized. If a certain application already has custom rules, then if those custom rules answer what the application wants to do then you won’t get an alert and CIS will use the custom rules. If the rules do not answer what the application wants to do (and global rules don’t either) then you will be shown an alert.

Also worth noting is that by default CIS will have global rules that allow all outgoing traffic, I would personally suggest getting rid of these, but that’s just me. Also I would make sure that “Do NOT show popup alerts” in firewall settings is DISABLED. Keep in mind these are just my suggestions, if you want CIS set up in another way than I’m suggesting then that’s fine too.

Depends. In the alert you will see a checkbox at the bottom that says something along the lines of “Remember my answer”. If that is ticked then CIS will create an application rule for the specific application (the rule created will depend on Alert Frequency level, the lower the vaguer and broader, the higher the more specific and… narrower(?)). However, if the checkbox is NOT ticked then CIS will apply a temporary session rule which will also depend on Alert Frequency.

When you have the rules:

“Allow IP Out From MAC Any To MAC Any Where Protocol is Any”
“Block TCP or UDP Out From MAC Any To IP 12.345.678.912 Where Source Port Is Any Destination Port Is Any”

In that order, then CIS will give priority to the highest rule on the list (as in place in the list, top of the list = highest priority and bottom of the list = lowest priority). So in this case above, it would allow all outgoing traffic. If you flipped the rules around so they’re in this order:

“Block TCP or UDP Out From MAC Any To IP 12.345.678.912 Where Source Port Is Any Destination Port Is Any”
“Allow IP Out From MAC Any To MAC Any Where Protocol is Any”

Then it would block all traffic that is “TCP or UDP Out From MAC Any To IP 12.345.678.912 Where Source Port Is Any Destination Port Is Any” and then it would allow all other outgoing traffic.

Hope that helps, again I apologize about the previous misunderstanding on my part.
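An added example, not part of the posts above and not Comodo's own code: a minimal first-match evaluator that models the top-down rule processing described in the thread and flags rules that can never fire because an earlier rule covers them. The `Rule` class, the function names, the `"ask"` default (standing in for an alert) and the address 203.0.113.10 (a documentation-range placeholder) are assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "block"
    protocols: frozenset   # e.g. {"tcp", "udp"}; empty set = any IP protocol
    dest: str              # CIDR; "0.0.0.0/0" = any destination

    def matches(self, proto, dest_ip):
        proto_ok = not self.protocols or proto in self.protocols
        in_net = ipaddress.ip_address(dest_ip) in ipaddress.ip_network(self.dest)
        return proto_ok and in_net

    def covers(self, other):
        """True if every packet matching `other` also matches this rule."""
        proto_ok = not self.protocols or (
            bool(other.protocols) and other.protocols <= self.protocols)
        net_ok = ipaddress.ip_network(other.dest).subnet_of(
            ipaddress.ip_network(self.dest))
        return proto_ok and net_ok


def decide(rules, proto, dest_ip, default="ask"):
    """Top-down, first match wins; `default` models an alert (assumption)."""
    for rule in rules:
        if rule.matches(proto, dest_ip):
            return rule.action
    return default


def shadowed(rules):
    """Indexes of rules that never fire because an earlier rule covers them."""
    return [i for i, r in enumerate(rules)
            if any(earlier.covers(r) for earlier in rules[:i])]


TARGET = "203.0.113.10"  # constructed placeholder, not an address from the thread
ALLOW_ALL = Rule("allow", frozenset(), "0.0.0.0/0")
BLOCK_IP = Rule("block", frozenset({"tcp", "udp"}), TARGET + "/32")

as_after_reboot = [ALLOW_ALL, BLOCK_IP]   # the order the original poster found
reordered = [BLOCK_IP, ALLOW_ALL]         # block rule moved to the top

if __name__ == "__main__":
    for name, rules in (("as_after_reboot", as_after_reboot), ("reordered", reordered)):
        print(name, decide(rules, "tcp", TARGET), "shadowed:", shadowed(rules))
```

Running the shadow check over an exported rule list is a quick way to spot block rules that an auto-created allow-all entry has made ineffective.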

Sanya, Thank you for your thorough explanations.

I checked my global rules (which I have not modified), but the only Allowed rules that I have are:
Allow All Outgoing Requests If The Target Is In [Home #1]
Allow All Outgoing Requests If The Target Is In [Home #2]
Allow All Incoming Requests If The Sender Is In [Home #1]
Allow All Incoming Requests If The Sender Is In [Home #2] (I have 2 identical rules like that; why are they duplicated?)
(I also have some Block rules)

I assume that those rules are OK as they only allow local network communications?
I wonder why I don’t have the general outgoing rules that you refer to?

Those look fine, maybe my information is outdated, been a while since I had a clean configuration.