I’m looking for a way do get an alert about an app wanting to access the localhost/127.0.0.1 AND another alert about direct internet access. When I allow one, I don’t want it to automatically allow the other. When I go to the Alert Settings, there’s an easy way to differentiate between TCP and UDP on alert but no easy way to differentiate between localhost and non-localhost. Currently if I grant access to 127.0.0.1 on alert, then that program is free to have direct internet access as well. The only way I’ve found to do it is to disable alerts for loopback requests altogether. Then when I get a prompt about internet access, I know if I allow or deny it, it won’t affect access to the localhost.
This is probably good enough for me, because I generally have no problem granting any access to the localhost. The problem arises when I’m using a program like Proxomitron that’s listening on the localhost and that I’ve granted access to the internet. This generally isn’t a problem with well-behaved (non-malware) programs that I just want to prevent from leaking. But malware might exploit a proxy like Proxomitron and gain internet access without my knowledge.
I used to use Zonealarm in the past, but I switched to Comodo because of more granular controls, better leaktest performance, and a lighter footprint. But Zonealarm would allow me to differentiate between localhost and direct internet on alert without having to create any rules. This isn’t a deal-breaker, but I personally preferred Zonealarm’s alerts. I personally don’t care about differentiating between TCP and UDP with alerts, so I set my alert frequency to low.
Also, I don’t want to differentiate between all IP addresses, only between 127.0.0.1 and everything else. That’s why I don’t set my alert frequency to “very high”.
So, in summary, what I would like to see is something I can click in “Alert Settings” that allows me to receive alerts about BOTH localhost and direct internet access. Allowing one wouldn’t automatically allow the other. This option should be clickable regardless of what the alert frequency is set to.
If there’s another way to do it already available, then please excuse my rant. I’ve seen other posts on Wilders about this very issue (not specifically about Comodo but firewalls in general).
Create a network zone “My Computer” containing the two ip addresses 127.0.0.1 and 0.0.0.0
Create a predefined firewall policy “Local application” containing the rules
Allow IP IN/OUT from ZONE: MY COMPUTER to ZONE: MY COMPUTER, protocol ANY
Ask IP IN/OUT from ANY to ANY, protocol ANY
Assign this policy to your application instead of creating automatic rules and you’ll be asked again if it tries to connect to anywhere else.
You can also set up an “All but local connections policy” this way, but I think it isn’t very useful if you’ll get asked to allow a local connection if the application is allowed to connect to the Internet…
Thank you for your response. If I’m understanding you correctly, you’re stating that I should add this as a rule for every application that I want to apply it to. Actually, I already had a predefined policy very similar to that prior to deciding to disable alerts for loopback requests altogether. Without the alerts for loopback requests, then my understanding is that the rules you have provided will always apply to every application, so there is no reason to explicitly state them. If I ever re-enable the loopback alerts, I will certainly add that predefined policy again.
My question was actually about creating a global rule so that I’m asked for every application about both localhost and direct internet. I don’t want to create a new rule for every application just for that purpose. For most applications, I won’t want to create rules at all. I’m happy to be asked every time by default about both localhost and direct internet.
To that end, I think there should be an option just below “Enable alerts for loopback requests”. It could be named something like “Alert to both loopback and non-loopback requests”. This option should be grayed out when “Enable alerts for loopback requests” is not checked. But when “Enable alerts” is checked, then you should have the option to be alerted to both loopback and non-loopback requests. In that way you don’t automatically grant direct internet access to a program that you only wanted to have loopback access.
Believe me, I was fooled by this when I switched from Zonealarm to Comodo. I thought that by granting loopback access, I would still be prompted about any further access attempts. It took me a while to figure out I was totally mistaken, and I’m no slouch.
I hope my request is clear. I know my sentiments are echoed by many others. As always, I’m welcome to suggestions about how to accomplish this on current versions of Comodo, short of creating a rule that I have to apply manually to every application I trust. I prefer no rules at all (except for global rules, which I’m fine with), just on the fly decisions using alerts and prompts.
Your request is clear to me. But it’s not possible with clicking a simple option in CIS at the moment.
You can:
disable the alerts for loopback request, as you’ve done at the moment, to be only prompted for a connection to different machines
enable the alerts for loopback requests, set the alert level to very high, to get alerted for each different address
enable the alerts for loopack requests, use a lower alert level and my proposal
wait for someone else having another idea
If you define the proposed policy for all applications, you’ll get the same result as if you ignore loopback requests. This wasn’t what I meant.
It’s meant to work this way:
If an application tries to connect to another machine and you like to allow the request, check remember, simply allow it and a rule will be created to allow local and network connections (according to your alert level)
If an application tries to connect to your machine, check remember, but instead simply allowing this request, select the predefined policy. This way, in future, all local connections will be allowed, but you’ll be prompted again if the application tries to connect to a different machine
– If you allow this further attempt and remember is checked, the predefined rule will be changed to a custom rule allowing local and other connections
– If you block this request and remember is checked, the predefined rule will be changed to a custom rule allowing local and blocking all other connections
– If you uncheck remember, you’ll be asked again…
If you also like it the other way round, you need to create another predefined policy, which will allow connections to other machines, but asks for loopback requests. Then in the first point, instead of allowing the request, select this predefined policy, to be asked again for a local connection.
It’s a question of what rule will be created if you click allow. My proposal is, instead of let CIS create the rule according to the alert level (which doesn’t fit your needs in any case), use the predefined policy, which basically tells CIS instead of automatically creating rules, to use the already defined rules.
Okay, I got it. It works. Thank you. I made one small modification though. I used only one rule for the predefined policy in instead of two.
I used just this:
Allow TCP Or UDP Out From IP Any To In [Loopback Zone] Where Source Port Is Any And Destination Port Is Any.
This is essentially equivalent to your first rule. I entirely left out the second rule (the Ask rule) because when I put in an Ask rule, I was asked about every single IP address (when I didn’t check remember). But when I left out the Ask rule, I was only asked once about localhost and once about direct internet (whether I check remember or not).
I called this preset rule “My Computer” as you suggested, then when a new app requests internet access, I just click “Treat this application as… ‘My Computer’”. I get asked about localhost first then direct internet. For my purposes, any program that I allow direct internet access is automatically granted localhost access as well, but not vice versa.
Thanks again. That was a good idea. Although I made some slight changes, I think I followed your basic concept.
Oh, sorry - my alert level is “very high”, so I didn’t notice any difference, because I’ll get asked on any new connection in both cases.
I simply posted the content of my rules, which work fine for me (and do pretty the same as you wanted).
Just to let you know, I created a second firewall preset policy.
My first preset has one rule, as I described earlier. It’s for allowing outgoing IP to the loopback zone.
My second preset policy also has one rule:
Allow IP In From In [Loopback Zone] to IP Any Where Protocol is Any
This is to cover incominig requests from the loopback zone, so that I’m not automatically granting direct internet access for incoming request. It’s rare, but I guess it’s possible. So, I think I just broke up your preset into two that basically fulfill the same function.
