Firewall adding Alert-generated rules at the top of the rules list

Whilst this might be a design choice, I consider it a bug as it makes the Firewall unmanageable for my non-technical friends and family, as they can’t be expected to go into the rules list and move all the newly created rules down below the System rules each time one gets created, so they will just stay at the top above the System/LAN rules and possibly cause issues. To maintain the proper top-down flow of the rules, new rules need to be created at the end of the list.

A. The bug/issue

  1. What you did: Set Firewall to Custom Policy. When a new program generated an Alert, clicked Allow and Remember.
  2. What actually happened or you actually saw: The new rule was added at the top of the rules list, above my system and LAN rules.
  3. What you expected to happen or see: The rule to be added at the bottom of the list, so that it doesn’t interfere with my system and LAN rules.
  4. How you tried to fix it & what happened: Not possible
  5. If it's a software compatibility problem have you tried the compatibility fixes (link in format)?: N/A
  6. Details & exact version of any software (except CIS) involved (with download link unless malware): N/A
  7. Whether you can make the problem happen again, and if so exact steps to make it happen: Yes
  8. Any other information (eg your guess regarding the cause, with reasons): Design issue

B. Files appended. (Please zip unless screenshots).

  1. Screenshots of the Defense plus Active Processes List (Required for all issues): N/A
  2. Screenshots illustrating the bug: N/A
  3. Screenshots of related CIS event logs: N/A
  4. A CIS config report or file. N/A
  5. Crash or freeze dump file: N/A
  6. Screenshot of More~About page. Can be used instead of typed product and AV database version. N/A

C. Your set-up

  1. CIS version, AV database version & configuration used: Firewall Free v5.10.228257.2253
  2. a) Have you updated (without uninstall) from a previous version of CIS: No
    b) if so, have you tried a clean reinstall (without losing settings - if not please do)?:
  3. a) Have you imported a config from a previous version of CIS: No
    b) if so, have you tried a standard config (without losing settings - if not please do)?:
  4. Have you made any other major changes to the default config? (eg ticked ‘block all unknown requests’, other egs here.): No
  5. Defense+, Sandbox, Firewall & AV security levels: D+=Disabled, Sandbox=Disabled, Firewall=Custom Policy, AV=N/A
  6. OS version, service pack, number of bits, UAC setting, & account type: Win7 x64 SP1, UAC Disabled, Admin
  7. Other security and utility software currently installed: Avira Antivir Free
  8. Other security software previously installed at any time since Windows was last installed: No
  9. Virtual machine used (Please do NOT use Virtual box): No

Thank you for your report in standard format, which is much appreciated. There is some info missing, but let's work out what sort of issue this is first, and thus where to refer it.

I understand your confusion, but I do think there is a reason behind the behavior you describe.

For ease of management - you may wish to go back and review them every so often - CIS places rules created by alerts in a different default position in the D+ rules list from predefined rules and rules created directly by users.

Given that is the intention, the question arises which rules should be put where. The predefined rules need to be in the centre, as known items they are easily recognizable and so can serve to separate the alert-generated from the directly-user-created rules. So the question remains, which should go at the top and which at the bottom and why?

  1. For alert generated rules the most reasonable assumption is that, if the user says, say ‘allow’ they mean allow. Accordingly the alert-generated rules are displayed at the top of this list since rules in that position have priority. If they were added at the bottom of the list they might get over-ruled by the pre-defined rules. Then the user would be very confused - they would have told CIS to do something in an alert and it would have silently refused.

  2. You cannot make quite the same assumption with directly created user rules. Users may intend them as part of complex rule sets in which general rules are intended to over-ride more specific rules. Accordingly, assuming they are to be separated from alert-generated rules, such rules are created at the bottom of the list, and the GUI makes it obvious they can be moved.

I suppose an alternative design solution might be to colour code these different categories. Then you could add all user-defined rules in the same place, probably at the top of the list.

Probably we need to be clear on what is desired before forwarding this as an issue or wishlist item.

Best wishes

Mouse

Thank you for your reply.

I can’t say I agree that the predefined rules “need” to be in the centre to separate alert-generated rules from manually created ones. Certainly I’ve never seen another firewall do this and normally predefined/system rules sit at the top with all alert generated and manually created rules added after (which can of course be moved to wherever the user likes), which maintains a sensible order and top-down flow.

I’m not sure I understand your point regarding alert-generated “Allow” rules. Surely if there’s already a rule blocking an application, no alert will be generated for the user to “Allow” anyway?

The problem I’m mostly concerned about is with alert generated “Block” rules, whereby if e.g. I have a rule at the top of my list allowing All applications to send/receive on the LAN and then an application tries to access the Internet, which I “Block”, this rule gets created above my All Applications rules, resulting in LAN access no longer working. This is very confusing for the non-technical users that I support, so certainly “Block” rules need to get added to the bottom.

I’ve noticed that some firewalls have an “Allow LAN traffic” checkbox which just tells the firewall to let all traffic on the LAN pass unhindered, which could help as this would eliminate the need for a rule to allow this and thus the chance of another rule being created above it, but I still imagine that allowing the firewall to create alert-generated “Block” rules at the top could result in other similar problems, so I believe it would be best to change it so that these rules are created at the bottom.

As I note, color coding may be more effective in fulfilling this purpose

> I'm not sure I understand your point regarding alert-generated "Allow" rules. Surely if there's already a rule blocking an application, no alert will be generated for the user to "Allow" anyway?

I agree, but there could in principle be a pre-existing ask rule, for example one over-riding a general predefined allow rule. Though currently there is not. If there were such an ask rule, in my opinion the user would expect it to be overridden by an alert generated allow rule.

> The problem I'm mostly concerned about is with alert generated "Block" rules, whereby if e.g. I have a rule at the top of my list allowing All applications to send/receive on the LAN and then an application tries to access the Internet, which I "Block", this rule gets created above my All Applications rules, resulting in LAN access no longer working. This is very confusing for the non-technical users that I support, so certainly "Block" rules need to get added to the bottom.

In theory it should only affect that application's LAN access, and that specific communication, though there is an issue that means that overly general rules can be created. Maybe this is the bug that needs addressing....

Hope this helps a bit

Best wishes

Mouse

I could be wrong but I can’t imagine this is a very common scenario. If the user wanted to be asked about access, I imagine they’d use the Custom Policy (as I do) and if they specifically want to be asked every time an application attempts access (mainly for debugging/diagnostic purposes I imagine) and created an Ask rule for that purpose, then I doubt they’d want an allow rule to be created in response to an alert that disables this ask behaviour but would more likely want to manually edit/delete the ask rule when they’ve finished with it.

> In theory it should only affect that application's LAN access, and that specific communication, though there is an issue that means that overly general rules can be created. Maybe this is the bug that needs addressing....

It does only affect that application, but that’s enough of a problem. I have created an “Allow All on LAN” rule for a purpose, then Explorer.exe tries to access the Internet, which I block, and now I can’t access my LAN shares anymore (and so on for other apps). As I said, if there was an “Ignore/Don’t Filter LAN traffic” option it wouldn’t be a problem, but there isn’t so I have to create a rule for that but it’s no good if other rules are going to get created in response to alerts that effectively disable that rule. If it’s too complicated to add such an option, just an option to “create new rules at the end” would do the trick and then users who, for whatever reason, prefer the current behaviour can leave it as it is.
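The ordering effect argued over in this thread is plain first-match evaluation: the first rule whose application and destination match decides, so an alert-generated per-application Block rule inserted above a general "Allow all on LAN" rule wins for that application, while the same rule appended at the bottom does not. The following is an added, constructed illustration of that behaviour and is not Comodo's code or rule format; the rule fields, the 192.168.1.0/24 LAN range, the application name and the destination addresses are all assumptions made for the example.

```python
"""Constructed first-match rule evaluator (not Comodo's implementation).

Rules are evaluated top-down and the first matching rule decides, so the
position at which an alert-generated rule is inserted changes the outcome
for traffic that a later, more general rule would otherwise have allowed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed LAN range for the example.
LAN = ip_network("192.168.1.0/24")


@dataclass(frozen=True)
class Rule:
    app: str      # executable name, or "*" for any application
    dest: str     # "LAN" (destination inside LAN) or "*" (any destination)
    action: str   # "allow" or "block"
    origin: str   # "user", "predefined" or "alert" (informational only)


def matches(rule: Rule, app: str, dest_ip: str) -> bool:
    """True if the rule applies to this application/destination pair."""
    if rule.app != "*" and rule.app.lower() != app.lower():
        return False
    if rule.dest == "LAN":
        return ip_address(dest_ip) in LAN
    return True  # dest == "*"


def decide(rules: list[Rule], app: str, dest_ip: str, default: str = "ask") -> str:
    """First-match evaluation: the first rule that matches decides."""
    for rule in rules:
        if matches(rule, app, dest_ip):
            return rule.action
    return default  # no rule matched: the firewall would raise an alert


def add_rule(rules: list[Rule], rule: Rule, position: str) -> list[Rule]:
    """Insert a rule at the "top" (behaviour described in the report)
    or append it at the "bottom" (behaviour the reporter asks for)."""
    if position == "top":
        return [rule] + rules
    return rules + [rule]


# The reporter's base configuration: one user rule allowing every
# application to talk to the LAN.
BASE_RULES = [Rule(app="*", dest="LAN", action="allow", origin="user")]

# The rule that "Block + Remember" on an Internet alert for explorer.exe
# would create: that application, any destination.
ALERT_BLOCK = Rule(app="explorer.exe", dest="*", action="block", origin="alert")


def explorer_lan_access(position: str) -> str:
    """Outcome for explorer.exe reaching a LAN share after the alert rule lands."""
    rules = add_rule(BASE_RULES, ALERT_BLOCK, position)
    return decide(rules, "explorer.exe", "192.168.1.10")


def explorer_internet_access(position: str) -> str:
    """Outcome for explorer.exe reaching the Internet (blocked either way)."""
    rules = add_rule(BASE_RULES, ALERT_BLOCK, position)
    return decide(rules, "explorer.exe", "203.0.113.5")


def other_app_lan_access(position: str) -> str:
    """A different application is unaffected wherever the rule lands."""
    rules = add_rule(BASE_RULES, ALERT_BLOCK, position)
    return decide(rules, "backup.exe", "192.168.1.20")


if __name__ == "__main__":
    for pos in ("top", "bottom"):
        print(f"alert rule at {pos}: explorer LAN={explorer_lan_access(pos)}, "
              f"Internet={explorer_internet_access(pos)}, "
              f"other app LAN={other_app_lan_access(pos)}")
```

With the alert rule at the top, explorer.exe loses LAN access even though the user only answered a question about the Internet; at the bottom, the general LAN rule still fires first and only the Internet request is blocked. Other applications are untouched in both cases, which matches the "it does only affect that application" observation above.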

I don’t agree with that. From a security viewpoint, if I had two conflicting rules (one set to ASK and the other set to ALLOW), I would expect the ASK rule to take priority. The rule with the least potential to change the system must take precedence. Do no harm and all that.

Ewen :slight_smile:

Ah well we mods can’t always agree :wink: Would be boring … :slight_smile:

As to the point at issue, I’m thinking it’s best on the wish list?

Best wishes

Mouse

I don’t mind if you put it on the wish list, as long as that doesn’t mean it’s going to get ignored because it significantly affects the ease of use of Comodo and should be easy to fix (with an option to add rules to the bottom if it’s felt important to keep the existing behaviour for those who might prefer it) :wink:

Is there a wish list sub-forum I can post any other requests to?
EDIT: Never mind, I found it!

OK transferring now

Mouse

Has this been changed in 6.0 or is it being looked at?

I can cope with having to move rules around manually after they’re created in response to pop-ups but I can’t expect my friends and family to do so.

If it were possible to set a “Allow all on LAN” rule in Global that applies to all applications (or if there was a “Don’t filter LAN traffic” option as there is in some other firewalls) that would mean it wouldn’t matter where the pop-up rules are added, as they would always be after the Global rules. Currently the Global section doesn’t work like that though, so either it would need to be modified or a separate “Global Application Rules” section added, that is used before the “Application Rules” section.

HIPS is off by default in 6.0, so your family will hardly be bothered by any alerts

Certainly when manually added they still add at bottom, and so are inactive ;(

I don’t think HIPS is the issue, it’s programs triggering firewall popups that then create rules at the top, above my global rules that’s the problem.

I’m quite happy about manually added rules going at the bottom :slight_smile: