Firewall overriding predefined policy

I have predefined policies set up for several programs. When I first use those programs, Comodo asks me if I want to allow them to connect to the net in a popup. After clicking allow and remember answer, two “allow any” rules are added to my policies, effectively overriding them. Is there a way to stop this?

I believe raising your alert level to “High” or “Very High” will cause more specific Application rules (Port or Port & Address) to be generated. You may then want to look at the generated rules and consolidate them. For example, after seeing a lot of Destination address 127.0.0.1 rules, consolidate to:

Loopback rule — IP Out, Src:Any, Dest:127.0.0.1, SrcPort:1024-4999, DestPort:Any.

Another example after seeing a lot of UDP Out DestPort 53 rules:

DNS rule – UDP Out, Src:Any, Dest:Any, SrcPort:1024-4999, DestPort:53

Birdman

But this happens to rules I copied from the FAQ section (torrents, hamachi, …). Even the default Email Client rule gets changed. As long as I click allow, the “allow any” rules get added. Are you saying that I need to examine the traffic case by case to figure out just what ports the program is using? The impression I got from your reply is that my rules are not broad enough to cover all the traffic generated by the program, so the firewall asked me about permission.

What is your firewall alert level set at? If it is set to Low and you Allow, you’ll end up with a general rule being added like IP Out, Any, Any, Any, Any. A setting of Medium will distinguish between UDP and TCP, i.e. add a UDP Out rule if you already have a TCP Out rule. A High setting will further distinguish based on port(s), e.g. if you have a rule for Src Port 1400 it will add one for Src Port 1401, even if all other fields (except addresses) are the same, e.g. TCP Out. A Very High setting further distinguishes based on address(es).

Another thought is (I hate to ask): are you clicking “Apply” after adding, editing or deleting rules? I only bring it up because I’ve been known to miss this one after a heavy editing session (and a ■■■■ or two).

No, I’m saying (after getting the alert level right - High or Very High) you’ll get some very specific rules added by Allowing. You can then examine the rules that are added in order to consolidate them (e.g. group by direction, traffic type (UDP/TCP), port range and/or address range) into fewer rules.

Birdman
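The consolidation step described in the reply above, as an added example that is not part of the thread and not Comodo's own code: it groups rules that differ only in source port and emits one rule per group in the notation used in this thread. The rule tuples, sample values and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: per-port rules of the kind a High alert level adds.
# Fields: (protocol, direction, destination, source port, destination port)
GENERATED = [
    ("UDP", "Out", "Any", 1031, 53),
    ("UDP", "Out", "Any", 1032, 53),
    ("UDP", "Out", "Any", 1040, 53),
    ("TCP", "Out", "127.0.0.1", 1100, 8080),
    ("TCP", "Out", "127.0.0.1", 1101, 8080),
    ("TCP", "Out", "Any", 1200, 443),
]

def consolidate(rules):
    """Merge rules that are identical except for the source port.

    The merged rule spans the lowest to the highest observed source port,
    so it also permits the unobserved ports in between: review each span
    before replacing the generated rules with it.
    """
    groups = defaultdict(list)
    for proto, direction, dest, sport, dport in rules:
        groups[(proto, direction, dest, dport)].append(sport)

    merged = []
    for (proto, direction, dest, dport), sports in groups.items():
        lo, hi = min(sports), max(sports)
        merged.append({
            "proto": proto,
            "dir": direction,
            "dest": dest,
            "src_port": str(lo) if lo == hi else f"{lo}-{hi}",
            "dest_port": dport,
            "replaces": len(sports),  # how many generated rules this covers
        })
    return merged

def format_rule(rule):
    """Render a merged rule in the notation used in this thread."""
    return (f"{rule['proto']} {rule['dir']}, Src:Any, Dest:{rule['dest']}, "
            f"SrcPort:{rule['src_port']}, DestPort:{rule['dest_port']}")

if __name__ == "__main__":
    for rule in consolidate(GENERATED):
        print(f"{format_rule(rule)}  (replaces {rule['replaces']} rules)")
```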

Also, double check to make sure you are in Custom Policy Mode (vs. Train with Safe Mode).

Birdman

Looks like I’m in Train with safe mode. I just raised it to custom policy mode and hopefully that will work. Thanks for the help.