1. If something is not listed in the Global Rules, will it use default deny or default allow? (I noticed the ICMP blocks are gone from CIS 3.14.)
2. What is the Allow Any IP rule? Why is it used?
3. If CIS 4 allows every outgoing request, how can I change that to a more secure option?
Thank you.
EDIT: Can someone explain to me why the ICMP allow rules are used? I do not think they are of any use, as my system works perfectly well and my router blocks all ICMP packets.
Uncalled-for incoming traffic will first see the Global Rules and then the Application Rules. With the default Global Rules, all incoming traffic gets blocked unless an exception is made in the Global Rules. Then it gets handled by the Application Rules.
Outgoing traffic will first go through the Application Rules and then through the Global Rules. The basic idea here is that we want outgoing traffic in general (we want to connect to the web), so the Global Rule for outgoing traffic is allow. Controlling outgoing traffic is done with the Application Rules.
OK, what if I changed the predefined security policy to OUTGOING ONLY (look at the attachment)
with the Proactive configuration? Then I think I'll be notified if any "unknown" application tries to connect to the internet, which is the safest, right?
You wouldn't need that rule when in Proactive; that doesn't mean it wouldn't work, though. Simply switching the Firewall Behaviour Settings to Custom Policy mode will alert for each program, including the safelisted ones, wanting to access the web.
Remember the basic rule that outgoing traffic gets handled by the Application Rules.
No, that sounds like too many alerts from the firewall, since I'm also going to have alerts from the safe applications, and then we are back to 3.14, in which my index finger got tired of clicking "allow". However, with this configuration only unknown applications are alerted, which is the most important thing here, as far as I can see. Isn't it?
Knk2006, to have the desired v3.14 behaviour you need to do as follows:
Disable the sandbox.
Remove the All Applications rule in the list of Application Rules, or switch to the Proactive Security configuration.
If you want the old Global Rules of the v3.14 Internet Security configuration, you need to run the Stealth Ports Wizard and choose "Alert me to incoming connections - stealth my ports on a per-case basis".
I did some testing today with the last option on my system, and you don't get alerted for incoming traffic. I don't know if that is by design or a bug.
That is answered in the second point of what I replied to Knk2006 in this post.
Who said that I want 3.14 back? Then why would I upgrade anyway? I was just asking if my configuration will alert me for any in/out connection established by an unknown program. After I tested a couple of malicious programs it seems that it works perfectly, as I supposed it would.
P.S. How can I receive updates for safe applications if I haven't installed the antivirus? Are they downloaded automatically, or what exactly?
What people may have forgotten (or never knew) is that COMODO has always had two layers in the firewall:
application “network access” rules
global “traffic shaping” rules
Traffic rules take precedence. If you removed all "Global Rules" except for one that blocked all IP In/Out, it wouldn't matter how many application rules you set to allow access; they will not communicate, period.
A Global Rule that is set to Allow IP In/Out means that no "traffic shaping" (limits/restrictions) is enabled. What this does is put the burden on the application rules to make the restrictions. This follows the pattern of other software firewalls that use only application rules and don't even attempt to "shape traffic".
Would I use a global Allow IP In/Out rule? No. Would this be a setting I would call a bug? Also, no.
But for those that don't understand this "traffic" layer, disabling it like this also stops it from causing them grief when trying to figure out application rules that don't/won't work (without the traffic being allowed as a companion setting).
That would be true, but CIS only has a Block and Log All Incoming IP rule at the bottom (not a Block and Log In and Out rule). Removing the other ones still allows outgoing traffic if the application rule allows it.
Neither is there an Allow All IP In/Out rule in the Global Rules; only an Allow All IP Out rule.
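The evaluation order described in this thread (Global Rules before Application Rules for unsolicited incoming traffic, Application Rules before Global Rules for outgoing traffic, and a global block overriding any application allow) is easier to reason about as a small model. The following is an added example written for this page; it is not CIS code and does not come from any of the posters. The rule format, top-down first-match-wins evaluation, the "alert" outcome for a program that has no application rule (Custom Policy mode), and the choice that a packet matching no global rule falls through to the other layer are modelling assumptions, not documented CIS behaviour. The default Global Rules are taken from the correction in the last reply: Allow All IP Out at the top, Block and Log All Incoming IP at the bottom.

```python
# Added example: model of a two-layer (Global Rules / Application Rules) firewall.
# Not CIS code. Rule matching, first-match-wins and the "alert" outcome are
# assumptions made for this model.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" (unsolicited inbound) or "out" (initiated locally)
    protocol: str       # "tcp", "udp" or "icmp"
    app: str            # executable that sends or would receive the traffic
    remote_ip: str
    port: int = 0       # 0 for protocols without ports (ICMP)


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "block"
    direction: str                   # "in", "out" or "in/out"
    protocol: str = "ip"             # "ip" matches every protocol
    remote_ip: Optional[str] = None  # None = any address
    port: Optional[int] = None       # None = any port
    log: bool = False

    def matches(self, p: Packet) -> bool:
        if self.direction != "in/out" and self.direction != p.direction:
            return False
        if self.protocol != "ip" and self.protocol != p.protocol:
            return False
        if self.remote_ip is not None and self.remote_ip != p.remote_ip:
            return False
        if self.port is not None and self.port != p.port:
            return False
        return True


# Default Global Rules as stated in the thread: Allow All IP Out, then
# Block (and log) All Incoming IP. There is no Allow IP In/Out rule.
DEFAULT_GLOBAL_RULES: List[Rule] = [
    Rule("allow", "out"),
    Rule("block", "in", log=True),
]


def first_match(rules: List[Rule], p: Packet) -> Optional[Rule]:
    """Rules are read top-down; the first matching rule decides (assumption)."""
    for r in rules:
        if r.matches(p):
            return r
    return None


def evaluate(p: Packet, global_rules: List[Rule],
             app_rules: Dict[str, List[Rule]]) -> str:
    """Return 'allow', 'block' or 'alert' for one packet.

    Incoming: Global Rules first, then Application Rules.
    Outgoing: Application Rules first, then Global Rules.
    """
    app_layer = ("application", app_rules.get(p.app, []))
    global_layer = ("global", global_rules)
    order = [global_layer, app_layer] if p.direction == "in" else [app_layer, global_layer]
    for name, rules in order:
        r = first_match(rules, p)
        if r is None:
            if name == "application":
                return "alert"   # no rule for this program: the firewall asks the user
            continue             # no global rule matched: fall through (assumption)
        if r.action == "block":
            return "block"       # a block in either layer is final
        # an "allow" only means "hand the packet to the next layer"
    return "allow"


def scenarios() -> Dict[str, str]:
    """Cases discussed in the thread, evaluated against the model (constructed input)."""
    app_rules = {
        "firefox.exe": [Rule("allow", "out", "tcp")],
        "httpd.exe": [Rule("allow", "in/out")],        # server allowed everything
    }
    browse = Packet("out", "tcp", "firefox.exe", "203.0.113.10", 443)
    inbound_http = Packet("in", "tcp", "httpd.exe", "198.51.100.7", 80)
    inbound_other = Packet("in", "tcp", "other.exe", "198.51.100.7", 80)
    unknown_out = Packet("out", "tcp", "dropper.exe", "203.0.113.10", 8080)
    block_everything = [Rule("block", "in/out")]      # single global Block IP In/Out
    with_exception = [Rule("allow", "out"),           # inbound tcp/80 exception above the block
                      Rule("allow", "in", "tcp", port=80),
                      Rule("block", "in", log=True)]
    return {
        "browser out, default globals": evaluate(browse, DEFAULT_GLOBAL_RULES, app_rules),
        "inbound to allowed server, default globals": evaluate(inbound_http, DEFAULT_GLOBAL_RULES, app_rules),
        "inbound to allowed server, port exception": evaluate(inbound_http, with_exception, app_rules),
        "inbound to app without rule, port exception": evaluate(inbound_other, with_exception, app_rules),
        "browser out, global block in/out": evaluate(browse, block_everything, app_rules),
        "unknown program out, default globals": evaluate(unknown_out, DEFAULT_GLOBAL_RULES, app_rules),
    }


if __name__ == "__main__":
    for case, verdict in scenarios().items():
        print(f"{case}: {verdict}")
```

The two cases worth noting are the inbound ones: with the default Global Rules the server application's own "allow in/out" rule is never consulted, because the bottom Block All Incoming IP rule matches first; only after a global exception for the port (the kind of rule the Stealth Ports Wizard adds) does the application layer get to decide, and a program with no application rule then produces an alert rather than an allow.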