I am having a problem trying to manage traffic to my installation of Microsoft SQL Server 2019.
I have created the following Application Rule - it is the first rule in the list:
The application in the rule is: “C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe”
The only rule I have for this application is “Block and Log TCP or UDP In/Out from MAC Any To Mac Any Where Source Port Is Any and Destination Port Is Any”
As I understand this rule it should effectively block (and log) all traffic to (and from) SQL Server.
It does nothing. All traffic to the software is allowed and there are no entries in the COMODO firewall log.
My environment is Windows 10 Pro OS build 19045.2364 (latest and up to date) with COMODO Internet Security Premium 18.104.22.16812.
I actively use and manage my firewall rules; I believe I understand COMODO Firewall well (up till now!)
What am I missing?
“Block and Log IP In/Out from MAC Any To Mac Any Where Protocol Is Any”
I tried blocking and logging all incoming IP as an application rule - to no avail.
I then created a global rule blocking and logging all incoming TCP on ports 1433 - 1434 (these are the only ports allowed by SQL Server). Nothing here as well.
For all intents and purposes it appears as though SQL Server is bypassing COMODO firewall…! I admit I am completely baffled.
ZorKas, you mention checking the PID. Is there something inside COMODO which would allow me to link to a PID?
Comodo acts on the declared interface in network zones.
Check in the CIS configuration panel which network zones are identified.
Check the connections managed by CIS > Firewall > See connections.
To accurately determine the inputs / outputs of the network card, I advise you to use the following program (free and portable).
Launch the program, check the connections, and do the analysis.
Deduce whether the SQL program is connecting outside.
I’m running an installation of MS SQL Server 2019 (latest build; however, build irrelevant).
Windows 10 Pro OS build 19045.2364 (x64) with COMODO Internet Security Premium 22.214.171.12412 (up to date definitions).
The intent is to control incoming connections to SQL Server.
A. THE BUG/ISSUE
This issue is easily reproduced, as follows:
(1) I created a global rule to block incoming as follows:
Block and Log TCP or UDP In From MAC Any To MAC Any Where Source Port Is Any and Destination Port Is In [1433 - 1434]
This is the first rule listed in global rules.
(2) I then start client software to connect to database server via TCP. I’m running a package named Valentina Studio 12. Software connects to server without any issue. Attached image is screenshot of NirSoft Currports showing open connection from client software to server (shown underlined). However, I am also able to test this using other tools (such as SQL Server Management Studio) with the same results.
It was my expectation that the connection would FAIL.
B. YOUR SETUP
Prior to this I performed a complete uninstall/reinstall of CIS. I am only running Antivirus (stateful) and Firewall (custom ruleset). Other changes to configuration should not be relevant here.
This is not a VM.
There is no other security software installed.
Windows firewall disabled.
I am closing this thread as I have reposted as a bug here: https://forums.comodo.com/
Thank you for reporting.
We will check and update you.
From your attached image (CurrPorts):
SQL Server connects in a local loop on your PC in IPv4:
192.168.0.26 with port 1433
Also in IPv6 starting with fe80::, so local loopback.
From a Windows CMD prompt in administrator mode, check the information for your network card.
Deduce whether they are local or external connections.
for info: Configure a Server to Listen on a Specific TCP Port - SQL Server | Microsoft Learn
Global rules are really meant to allow or block remote hosts from accessing services listening on your system. So your global block rule will prevent external and remote connections from accessing the SQL server. Therefore the application rule is not needed and only serves to block the SQL server from making outbound connection requests. As ZorKas stated, the established connections are local and internal connections. If you want to block local applications from accessing the server, then you would need to create a block outgoing application rule for the applications.
Posts by ZorKas and futuretech were key - thank you both for your insights.
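The local-versus-external check suggested in the replies above can be scripted; this is an added example, not part of the original thread and not Comodo or NirSoft code. It marks each peer of the SQL Server ports as host-internal (the kind of connection the replies say the global inbound rule does not cover) or remote. All rows are constructed sample data: only 192.168.0.26 and ports 1433 - 1434 come from the thread, and the other addresses and the client process name `vstudio.exe` are assumptions.

```python
import ipaddress

# Constructed sample data: addresses this host owns, and connection rows in the
# shape a tool such as CurrPorts or netstat shows them. Only 192.168.0.26 and
# ports 1433-1434 come from the thread; everything else is an assumption.
HOST_ADDRESSES = ["192.168.0.26", "fe80::1c2d:3e4f:5a6b:7c8d"]
CONNECTIONS = [
    # (process, local address, local port, remote address, remote port)
    ("sqlservr.exe", "192.168.0.26", 1433, "192.168.0.26", 50112),
    ("sqlservr.exe", "fe80::1c2d:3e4f:5a6b:7c8d%12", 1433,
     "fe80::1c2d:3e4f:5a6b:7c8d%12", 50120),
    ("sqlservr.exe", "192.168.0.26", 1433, "192.168.0.40", 61544),
    ("sqlservr.exe", "127.0.0.1", 1433, "127.0.0.1", 50130),
    ("vstudio.exe", "192.168.0.26", 50112, "192.168.0.26", 1433),
]
SQL_PORTS = range(1433, 1435)  # 1433 and 1434, as in the global rule


def _ip(text):
    """Parse an address, dropping any IPv6 zone id such as '%12'."""
    return ipaddress.ip_address(text.split("%", 1)[0])


def classify(conn, host_addresses):
    """Return 'host-internal' if the peer is this machine, else 'remote'."""
    own = {_ip(a) for a in host_addresses}
    peer = _ip(conn[3])
    if peer.is_loopback or peer in own:
        return "host-internal"
    return "remote"


def sql_server_peers(connections, host_addresses, ports=SQL_PORTS):
    """Classify every connection whose local port is a SQL Server port."""
    return [(c[3], c[4], classify(c, host_addresses))
            for c in connections if c[2] in ports]


if __name__ == "__main__":
    for addr, port, kind in sql_server_peers(CONNECTIONS, HOST_ADDRESSES):
        print(f"{addr}:{port} -> {kind}")
```

A peer is treated as host-internal only when its address is loopback or exactly matches one of the machine's own addresses, so the own-address list should be filled from the real adapter configuration.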