From KPF to Comodo

I am going from Kerio PF 2.1.5 to Comodo and I need some help understanding how things are done differently. What I want to have in the end is just a simple small list of programs that I allow, and everything else should be blocked by default and logged. In KPF I could accomplish this by creating a few application allow rules and then having one rule at the end that blocked everything else and logged it. Since it processed rules in order, the last rule would catch anything not specifically allowed by the previous rules.

I am having a hard time setting up the same thing with Comodo. First off, I am on a LAN behind a router, on a PC with a static IP address. My old rules were simple…

  1. Allow all traffic from 192.168.0.10 to 192.168.0.20. This covered my LAN communication.
  2. Allow port 53 to my router. That handled DNS.
  3. Allow all traffic from the specific browser on port 80 only. This handled surfing.
  4. Allow loopback for the browser only.
  5. Block everything else and log.

I tried to do something similar with Comodo but it is not working. This is what I have done so far.

  1. Deleted all default stuff.
  2. Created a global LAN rule that allowed all traffic TCP&UDP in&out to 192.168.0.10 to 192.168.0.20.
  3. Created a global broadcast rule that allowed UDP both directions to 192.168.0.255 for ports 137 & 138
  4. Created an application rule allowing browser only tcp out port 80 any address.
  5. Created an application rule for browser for loopback to 127.0.0.1

Even though I already had a global rule allowing all LAN traffic to the DNS server of the router (gateway), the browser still could not get out and logged an error. I had to create a specific application DNS rule for the browser. Why? Why did it not just use the global DNS rule? If I have to define a specific DNS rule for each application then what is the point of the global rules?

I’m not an expert in the FW, but I think Global Rules defines everything that the App. Rules don’t. App. Rules override the Global Rules.

Everything else, I’m not too sure about. :slight_smile:

(Ronny might know though. He’s good with FW’s ;))

The rules are filtered like this.

Outbound Traffic - Specific Applications rule > Global rules.
Inbound Traffic - Global rules > Specific Application rule.

Remember Source and Destination addresses are relative to the direction.

So for outbound traffic your IP is source, and for inbound traffic your IP is destination.

You don’t need to make all your rules by hand. Use the Stealth Ports wizard to set up stealth on all inbound - Global rules. And adjust for P2P or server apps as necessary.

When you run apps, the app rules will be created according to how you answer the popup alerts.
You can adjust how specific or general these auto rules are, right down to the port, under Firewall > Firewall Behavior Settings > Alert Settings by moving the slider up or down.

Later

So then from what you are both saying it still sounds like eventually the global rules are applied. If so then why does traffic fail?

For example, let’s say you create an application rule for Firefox so that it can go outbound TCP on port 80. Then you create a global rule that allows outbound port 500. My assumption would be that this global rule is allowing ANY application to go out TCP on port 500. So then if Firefox tries to go out on port 500, why does it fail? The Firefox rule does not allow port 500 but the global rule does, so even though the specific application rule does not match, the global rule does. If it processes all rules, why does the traffic fail?

And again, I know that I can let the firewall learn and set itself up but I don’t want that. I want to set it up myself like I have done in the past with other firewalls. I think that I can if someone could just explain to me how this firewall works. Once I understand it I think I can make a good ruleset.

Global rules are treated completely separately from application rules, so if, say, you didn’t want any application to be able to connect in or out through port 135 you would use the global rules: Block IP Out from IP Any to IP Any where source port (your computer) is 135 and destination port is Any (another computer),
and Block IP In from IP Any to IP Any where source port (another computer) is 135 and destination port is Any (your computer).

In your example you would need to add a rule for Firefox to be allowed to connect out on port 500, because for an outgoing connection it would look at the “Application Rule” for Firefox and work down (seeing no Allow), hit the Block and Log rule, and not even be passed on to the Global rules.

Also make sure you set the Firewall to “Custom” policy and move the Alert settings to at least High otherwise Application rules for “Safe”/whitelisted apps may be automatically created.

Matt

ps Some people have no global rules and rely solely on application rules


Thanks. I have been reading a ton of posts here and there and I think I got it now. Yes, the direction thing was throwing me off a bit. I am just about done and then I am going to post what I did here. I have a very simple set up and others like me might like it.

I do have to say that while overall I think I like Comodo and I think I will be going to it, I do have one major gripe with it in comparison to Kerio: the logging. It logs violations but it does not tell you in which direction the violation occurred and, more importantly, it does not tell you which one of your rules triggered it. This could be very, very helpful in trying to set your system up. If you could see which one of your rules on which side (global or application) was doing the blocking, then it would be easier to figure out where you are going wrong.

But I am getting there :slight_smile:

You can tell the direction by looking at source and destination addresses.

This is the Comodo rule set I worked out. I’m posting it here so that it can get a thorough going over and if it’s good then possibly others that have a similar set up might find it useful.

This rule set is only effective if you have a set up similar to mine. I have a home LAN with a few PCs behind a hardware firewall/router. Each PC on my LAN has a static IP address and my router acts as the DNS server. My hardware firewall does most of the blocking on inbound traffic, so I mostly use the software firewall for outbound, to back up the hardware firewall for inbound, and to protect my PC from other PCs on my home LAN, which are obviously all on this side of the hardware firewall.
I am also running Windows XP on all PCs on my LAN.

  1. I deleted/removed all preset rules and settings.

  2. Create your own Network Zone for your LAN.
    For mine I set 192.168.0.10 to 192.168.0.20 range and called it “my_lan”.

  3. Create your own port sets.
    I created the following port sets:
    HTTP with ports 80, 443. (Common for web and secure web. I created a special rule for non-standard surfing but I will get to that later.)
    Email with ports 25, 110
    LAN with ports 137 & 138 (for access to shared folders on other PCs)

  4. Create your own Predefined Firewall Policies.
    I created the following which I will describe in more detail in my next post where I detail my Application Rules:
    Browser
    Email
    System

  5. Firewall Behavior settings → Custom Policy Mode
    Alert Settings → Very High

  6. Advanced Settings
    Global Rules:
    *(First I made a rule for my LAN traffic)
    TCP & UDP - in & out - source & destination addresses are my_lan zone (defined above in #2) - any ports

    *(for network) Broadcast:
    UDP both directions - source is my_lan zone - destination is 192.168.0.255 - source & destination ports are predefined LAN group (defined above in #3)

    *DNS:
    TCP & UDP in - source address is gateway/router (192.168.0.1) - destination is this PC’s IP address - source port is 53 - destination port is any.
    TCP & UDP out - source address is this PC - destination is gateway/router - source port is any - destination port is 53.

    *For websurfing:
    TCP out - source is this PC - destination is any - source port is any - destination port is predefined HTTP group.

    *Loopback:
    TCP & UDP out - source is any - destination is 127.0.0.1 - any ports

    *ICMP in & out - source & destination is predefined my_lan zone - all ICMP allowed.

    *Last rule is a “block all and log it” rule.

Next post will be my Application Rules:
(I am only going to do a few applications here as there are just too many to list. But I think by showing what I did with a few you will get the point.)

Edit Added:
Application Rules:

For certain applications it is easier to create Predefined Firewall Policies under the advanced menu. This is where I set up mine as I stated in #4 of my previous post.

  1. Web Browser:
    *loopback:
    TCP & UDP out - source address is any - destination address is 127.0.0.1 - any port

    *Regular surfing:
    TCP out - source this PC’s IP address - destination is any - source ports any - destination ports predefined HTTP group

    *DNS:
    TCP & UDP in - source address is gateway/router (192.168.0.1) - destination is this PC’s IP address - source port is 53 - destination port is any.
    TCP & UDP out - source address is this PC - destination is gateway/router - source port is any - destination port is 53.

    *For websites with nonstandard ports:
    TCP out - source this PC’s IP address - destination is any - source ports any - destination ports any
    • AND CHECK THE “LOG THIS RULE” BOX (this way it logs any websites that use odd ports. If you don’t care about this behavior then you can just modify the regular surfing rule to allow any port and delete this rule)

    *Last rule is a block everything else rule.

  2. System:
    *LAN:
    TCP & UDP in/out - source & destination addresses are the predefined my_lan group - any ports

    *broadcast:
    UDP out - source this PC’s IP address - destination is 192.168.0.255 - port is predefined LAN group

    *Last rule is block everything else.

  3. C:\windows\system32\svchost.exe:
    ICMP out - source is this PC’s IP - destination is predefined my_lan group
    UDP out - source is this PC’s IP - destination is gateway/router - source port is any - destination port is 53
    Last rule is block everything else

As I said, I have more rules for each application but you get the idea. The rest of my application rules look more or less like the above with some tweaks for each application.

With this set up I appear to have a pretty tight PC and I never get nagged by popups asking me to approve this or that. Applications not listed fail quietly and get logged. If something is not working I check my LOG to see if it is getting blocked and then I set up the appropriate rule if needed.
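The evaluation order explained earlier in the thread (outbound: application rules, then global rules; inbound: global rules, then application rules; first match wins, a block stops evaluation) is easy to get wrong by hand, so here is a small model of it applied to the rule set posted above. This is an added example written for this page, not code from the thread or from Comodo, and it is only a model of what the replies describe. Assumptions of mine, not stated in the thread: a packet that matches nothing in a stage is blocked, “any” matches every direction or protocol, this PC’s address is 192.168.0.12, the process names firefox.exe and svchost.exe stand in for the poster’s “Web Browser” and svchost rules, and the remote addresses in the test traffic are made up. `port500_question()` replays the Firefox/port 500 question from earlier in the thread. Running the poster’s rules through the same order also shows that the browser’s logged “nonstandard ports” rule clears the application stage but then meets the global “block all and log it” rule, since no global rule allows TCP out to other ports.

```python
"""Added example: a model of the rule-evaluation order described in this thread.
Outbound traffic is checked against the application's rules first, then the global
rules; inbound traffic against the global rules first, then the application's.
First match wins in each list and a block ends evaluation. Assumed here, not stated
in the thread: a packet matching nothing in a stage is blocked, and "any" matches everything."""
import ipaddress
from collections import namedtuple

ANY = "any"
# action: "allow"/"block"; direction: "in"/"out"/ANY; proto: "tcp"/"udp"/"tcp/udp"/"icmp"/ANY
# src/dst: one address, a (first, last) range (a zone), or ANY
# sport/dport: a port, a set of ports (a port set), or ANY; log: write a log entry on match
Rule = namedtuple("Rule", "action direction proto src dst sport dport log",
                  defaults=(ANY, ANY, ANY, ANY, False))

def addr_match(spec, ip):
    if spec == ANY:
        return True
    ip = ipaddress.ip_address(ip)
    if isinstance(spec, tuple):
        return ipaddress.ip_address(spec[0]) <= ip <= ipaddress.ip_address(spec[1])
    return ip == ipaddress.ip_address(spec)

def port_match(spec, port):
    return spec == ANY or (port in spec if isinstance(spec, set) else port == spec)

def matches(rule, pkt):
    proto_ok = rule.proto in (ANY, pkt["proto"]) or (
        rule.proto == "tcp/udp" and pkt["proto"] in ("tcp", "udp"))
    return (rule.direction in (ANY, pkt["dir"]) and proto_ok
            and addr_match(rule.src, pkt["src"]) and addr_match(rule.dst, pkt["dst"])
            and port_match(rule.sport, pkt["sport"]) and port_match(rule.dport, pkt["dport"]))

def evaluate(app_rules, global_rules, app, pkt):
    """Return (verdict, trail). src/dst are relative to direction: for outbound
    traffic src is this PC, for inbound traffic dst is this PC."""
    stages = [("application", app_rules.get(app, [])), ("global", global_rules)]
    if pkt["dir"] == "in":  # inbound: global rules are consulted first
        stages.reverse()
    trail = []
    for name, rules in stages:
        hit = next(((i, r) for i, r in enumerate(rules) if matches(r, pkt)), None)
        if hit is None:
            return "block", "; ".join(trail + [f"no matching {name} rule (assumed block)"])
        i, r = hit
        trail.append(f"{name} rule #{i} {r.action}" + (" (logged)" if r.log else ""))
        if r.action == "block":
            return "block", "; ".join(trail)
    return "allow", "; ".join(trail)

def packet(direction, proto, src, dst, sport=0, dport=0):
    return dict(dir=direction, proto=proto, src=src, dst=dst, sport=sport, dport=dport)

# The rule set from the post above; this PC's address (ME) is constructed.
ME, GATEWAY, BCAST = "192.168.0.12", "192.168.0.1", "192.168.0.255"
MY_LAN = ("192.168.0.10", "192.168.0.20")
HTTP, LAN_PORTS = {80, 443}, {137, 138}
GLOBAL = [
    Rule("allow", "in", "tcp/udp", MY_LAN, MY_LAN),
    Rule("allow", "out", "tcp/udp", MY_LAN, MY_LAN),
    Rule("allow", "out", "udp", MY_LAN, BCAST, LAN_PORTS, LAN_PORTS),
    Rule("allow", "in", "udp", MY_LAN, BCAST, LAN_PORTS, LAN_PORTS),
    Rule("allow", "in", "tcp/udp", GATEWAY, ME, 53, ANY),
    Rule("allow", "out", "tcp/udp", ME, GATEWAY, ANY, 53),
    Rule("allow", "out", "tcp", ME, ANY, ANY, HTTP),
    Rule("allow", "out", "tcp/udp", ANY, "127.0.0.1"),
    Rule("allow", "in", "icmp", MY_LAN, MY_LAN),
    Rule("allow", "out", "icmp", MY_LAN, MY_LAN),
    Rule("block", ANY, ANY, log=True),  # "block all and log it"
]
APPS = {
    "firefox.exe": [
        Rule("allow", "out", "tcp/udp", ANY, "127.0.0.1"),
        Rule("allow", "out", "tcp", ME, ANY, ANY, HTTP),
        Rule("allow", "in", "tcp/udp", GATEWAY, ME, 53, ANY),
        Rule("allow", "out", "tcp/udp", ME, GATEWAY, ANY, 53),
        Rule("allow", "out", "tcp", ME, ANY, ANY, ANY, log=True),  # nonstandard ports
        Rule("block", ANY, ANY),
    ],
    "svchost.exe": [
        Rule("allow", "out", "icmp", ME, MY_LAN),
        Rule("allow", "out", "udp", ME, GATEWAY, ANY, 53),
        Rule("block", ANY, ANY),
    ],
}

def port500_question():
    """The Firefox/port 500 question from earlier in the thread: outbound traffic hits
    the application stage first, so its block answers before the global allow is reached."""
    apps = {"firefox.exe": [Rule("allow", "out", "tcp", ME, ANY, ANY, 80),
                            Rule("block", ANY, ANY, log=True)]}
    glob = [Rule("allow", "out", "tcp", ME, ANY, ANY, 500), Rule("block", ANY, ANY)]
    return evaluate(apps, glob, "firefox.exe", packet("out", "tcp", ME, "203.0.113.5", 49152, 500))
```

To try a packet, call for example `evaluate(APPS, GLOBAL, "firefox.exe", packet("out", "tcp", ME, "203.0.113.5", 49152, 8080))`; the returned trail names the rule and stage that decided the verdict, which is exactly the information the poster wished the Comodo log showed. Inbound traffic from outside the LAN never reaches the application rules here, because the global block-all rule answers first.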

Looks good to me!

You’ve adopted the method I’ve always used - build it by hand and build it as tight or as loose as your needs dictate.

Just a recommendation - a global ICMP IN should really only be allowed if you use online game servers, P2P or host an FTP server. Of course, if it’s blocked at your router, it’s effectively a LAN ICMP IN, not a global one. Personally, I don’t allow it, but it’s your choice.

Nice to see someone else rolling their own. :wink:

Ewen :slight_smile:

Thank you very much. I really appreciate your input.
Yes, as a former Kerio/Tiny user I got used to rolling my own :wink:

As far as my Global ICMP rule …
Do you mean to say that I should not have an ICMP rule that allows stuff in the Global screen, or that the ICMP rule that I have in my Global screen is too wide? If so then how would I tighten that one up?

Edit Added:
A clearer view of my rules can be seen here…
http://www.usasentinel.com/athg/cpf_rules.html

Your ICMP rule is fine - I misread the bit about “All ICMP allowed” and failed to see that you had restricted it to your LAN group. :wink:

I noticed you have separate IN and OUT rules and have not used IN/OUT as a direction in your rules. Good move. IN/OUT rules make it almost impossible to work out what is happening.

Overall, a really nice tight set of controls. Well done! Well written, logically laid out post too. Good job!

Cheers,
Ewen :slight_smile:

P.S. I guess you’ll be adding CIS to your Links page? :wink: :slight_smile:

Thanks for your input. Checking over each others rules is the only way we can all be certain that we didn’t miss something. Very much appreciated. :-TU