first off, excellent work to the Devs for a really great app - I love well coded, light-weight software that does what it says it does. And looks nice.
I have some questions, which has sort of been answered by many diff. posts here, so I would like to seek clarification on the Firewall side of things…
My understanding of how things work is this:
Global Rules are used when there is no application specific rule that matches, or if the global rule is more restrictive.
e.g. If I have uTorrent running and have application specific rules for it, then those rules will be evaluated if all the global rules are met as well.
Which are evaluated first, global or app specific?
Application Rules are only evaluated if the application is actually running. If it isn’t, then the global rules are evaluated, and if nothing matches no traffic is allowed.
Is the “Deny all, and log” type rule required ? i.e. does it explicitly need to be declared for an allow ruleset, or is it implicit that if something’s not met any allow rules, and there are no further rules to evaluate, it will be denied, just not logged ?
For outbound connections (contolled from your side), app rules are checked first, global rules afterwards. For inbound (controlled from a remote location), global rules are checked first, then app ones. In both cases both sets must have an allowing rule each for the traffic to pass.
If there is no “deny everything else” at the end: as for the app rules you’ll be asked, unless your firewall is in “train with safe mode” and the app is recognized as safe by CFP’s database, then the allowing rule will be learnt automatically; as for global rules I’m not so sure but I think there is an implicit “deny anything else” rule at the bottom, but again not sure.
This is one thing that does confuse me a little. Why are global rules evaulated in opposite order depending on in or out traffic?
I think this is very unintuitave. In any other app I’ve used, global rules are a “default” setting if there are not more specific rules. It seems to me that application rules should always override global rules.
Otherwise, how would you allow incoming FTP connections to an FTP server, without basically allowing it for every program?
The FTP traffic is an outbound, since you requested it. Inbound traffic is used in peer to peer programs, and in port scanning (basically an attack on your computer). That’s why is necessary to have it blocked by the last “block all” rule. And when you use peer to peer software, you have to “punch a hole” in your firewall by opening a dedicated port.
@japo - agreed, it’s not immediately intuitive. RE the FTP thing though, to allow FTP traffic inbound to a server would simply mean creating an app rule allowing the FTP tcp ports through to the internal ip/machine. This would assume that there’s already a global rule that’s got allow all on the LAN which you probably have anyway after the initial setup.
This works because the traffic is probably being fwd’d from your router’s internal interface, which is on the LAN.
Can anyone clarify my question #2?
2. Application Rules are only evaluated if the application is actually running. If it isn't, then the global rules are evaluated, and if nothing matches no traffic is allowed.
Well, it sounds like if I’m running an FTP server, I basically need a global “Allow All” for it to work right. This seems stupid to me, with Outpost, I can have block all as default, but then for my FTP server program, I can allow incoming FTP to just that.
It seems to replicate this with Comodo, I have to have
Global Allow all incoming FTP traffic and ports
App for FTP server allow incoming FTP and ports and outgoing FTP and ports
Deny incoming FTP for every other application?
You don’t need any global rules at all-I don’t have any. For FTP servers, the simplest solution is to use active FTP. Then the server only needs to allow inbound on port 21, outbound on port 20, reverse for client. If you want to use passive ftp, the server does need to open up a variety of high ports as well as port 21 for inbound connections, although most FTP clients/servers allow the range to be restricted. Just don’t have an “allow/tcp/in/…” for the restricted range in the rules for any of your other applications. I use a block all and log at the end of each application ruleset and as the last application rule just to get a log and see if something unusual is happening, and I put the rules normally thought of as global in the Windows Operating System application set-see attached. Sometimes it is easier to use global rules, but I haven’t needed to yet. They are a convenience, not a necessity. And they can get you into the do/undo to support the applications, especially for inbound connections. As far as applications not running, there is nothing then to generate an outbound connection request. And if the server program is not online there is nothing listening to accept an inbound connection request. CFP3 should do well for you. There are some other FTP discussions at https://forums.comodo.com/help_for_v3/ftp_client_ruleset-t16811.0.html .
