I’ve just realised that I don’t understand how Global rules and Application rules work in Comodo Firewall, and in investigating it found more unexpected behaviour which makes me question whether I actually want to use this firewall anymore.
I’m running the latest version of the standalone firewall (just updated to be sure, now running 5.4.189822.1355) in Safe Mode, since I like getting a popup dialog every time a new application on my machine tries to go on the Internet or a new someone on the Internet tries to connect to my machine.
I have an Apache web server running on my machine (192.168.2.2) and I wanted to be able to load pages from it from my iPod (192.168.2.3 - i.e. on the same local network, with the subnet mask on all machines being 255.255.255.0 as you might expect. 192.168.2.1 is my home ADSL router BTW). I browse to the server on my iPod and get a popup dialog on the PC telling me that 192.168.2.3 is trying to connect to httpd.exe. I select “Allow this request” and “Remember my answer”, and then the iPod loads the page. Fine. I check to see what the firewall has ‘remembered’. It’s added an Application rule “Allow TCP In From IP In [192.168.2.3 / 255.255.255.0] To MAC Any Where Source Port Is Any And Destination Port Is Any”. Fine.
Now sometimes my iPod gets a slightly different IP from the DHCP server, like 192.168.2.4 or 192.168.2.5. And I have a couple of other laptops here that may access the main PC too. So I’m thinking, “I want all the machines in the 192.168.2.x subnet to be able to communicate without questions or restrictions from now on”, and I think that obviously I need to make some kind of ‘trusted zone’, like I seem to remember doing with older versions of this firewall on older machines. So I go to Network Zones and find that there already is a suitable zone, “Local Area Connection”, described as “IP In [192.168.2.0 / 255.255.255.0]” (that’s the IP and Mask, for Type: IPv4 Subnet Mask). Cool. I delete the httpd.exe Application rules that were created above, then go to Global Rules and create “Allow IP In/Out From In [Local Area Connection] To MAC Any Where Protocol Is Any”.
Now I expect unrestricted IP traffic between the PC and anything else on 192.168.2.x. But when I try to reload the page on the iPod, I get the same popup dialog on the PC asking me to authorize the incoming connection to httpd.exe! (Of course the page doesn’t load until I allow it, and it ‘remembers’ by making the same new Application rule described above). Makes me wonder what the point of the Global Rules is. Well… if I change that rule from ‘Allow’ to ‘Block’, then the connection is blocked without query, so they’re good for blocking things - I should rather say, I wonder what the point of ‘Allow’-type Global Rules is… if they have to be seconded by Application rules anyway.
I read the help pages a bit to try and better understand how this is supposed to work, in particular this page.
It says, “incoming traffic has to ‘pass’ any global rules first then application specific rules that may apply to the packet”, i.e. both Global AND Application rules must validate. Well, that’s consistent with what I’ve experienced… not that I think it’s very useful, but never mind. Further up on that page, it quite keenly stresses the order in which the rules are checked with both this text and a diagram:
- For Outgoing connection attempts, the application rules are consulted first and then the global rules second.
- For Incoming connection attempts, the global rules are consulted first and then the application rules second.
What does this order matter, if both Application and Global rulesets are checked for every packet anyway? My Global rules allow the connection, my Application rules don’t (that is, they don’t explicitly deny the connection, but they say nothing on the matter - but more on this below) - I don’t care whether the Global rules or the Application rules are checked first, if either way the Application rules cause the connection to be denied. Why even mention it? At this point I’m starting to feel like I’m wasting my time with the manual.
Doing a bit of experimentation, there seems to be a more subtle inconsistency between the Application and Global rules. I’ve seen that if I have a Global rule allowing access to/from the internal network, but no Application rule, then communication is blocked. But if I do it the other way round - that is, if I remove all Global rules pertaining to the internal network, and add an Application rule allowing access to httpd.exe from the internal network, then the iPod loads the page fine! This is not what I would have anticipated and yet I can’t find any mention of it in the manual. And even now that I think I understand what it’s doing, it’s hard to work with mentally and will probably be hard to remember, this inconsistency.
Now a separate concern: So I’m playing around some more, and since my basic wish was to get fewer popups (when it comes to the internal network, at least), I try switching the firewall to Training Mode. I delete all Application and Global rules related to httpd.exe and the internal network, to start from a clean slate. I reload the page on my iPod - loads fine. I look to see what it added - an Application rule, “Allow IP In From MAC Any To MAC Any Where Protocol Is Any”. Isn’t that a bit permissive? That means that any random port-scanner halfway around the world can now load pages from my web server, right? I wonder if the setting of “IP” implies that all protocols on top of IP, like TCP, are also permitted by the rule… well, since I just loaded a webpage on my iPod, I suppose it does. Also, since the rule specifies IP, it naturally says nothing about the TCP port number, and I should mention that throughout all of this, the web server has been serving its pages on port 8001… great, so now ANYone can connect to ANY port. I may as well turn the firewall off.
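Added example (not from the post and not Comodo's code): a small Python model of the inbound evaluation order the quoted help page describes, using the rules and 192.168.2.x addresses from the post, to show why a Global Allow on its own still prompts, why the remembered httpd.exe rule works without any Global rule, and why the Training Mode rule matches any source host on any port. The model ignores the destination side of each rule and the interplay of multiple Block/Allow entries in a real list; the `Rule`, `evaluate_incoming` and `scenarios` names and the 203.0.113.9 remote host are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    action: str     # "allow" or "block"
    direction: str  # "in", "out" or "in/out"
    protocol: str   # "tcp", "udp" or "ip" ("ip" covers every protocol carried over IP)
    source: str     # source network in CIDR form, or "any" (the GUI's "MAC Any")
    dst_port: str   # destination port number, or "any"

    def matches(self, pkt):
        # strict=False lets "192.168.2.3/24" mean 192.168.2.0/24, as the remembered rule does
        src_ok = (self.source == "any"
                  or ip_address(pkt["src"]) in ip_network(self.source, strict=False))
        return (self.direction in (pkt["direction"], "in/out")
                and self.protocol in (pkt["protocol"], "ip")
                and src_ok and self.dst_port in ("any", str(pkt["dport"])))

def first_match(rules, pkt):
    """Action of the first rule matching pkt, or None when no rule matches."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return None

def evaluate_incoming(global_rules, app_rules, pkt):
    """Inbound order from the help page: global rules first, then the application's.
    A global Block is final; otherwise the app rules decide, and no match means "ask"."""
    if first_match(global_rules, pkt) == "block":
        return "block"
    verdict = first_match(app_rules, pkt)
    return "ask" if verdict is None else verdict

LAN = "192.168.2.0/24"
GLOBAL_ALLOW_LAN = Rule("allow", "in/out", "ip", LAN, "any")          # Global rule from the post
GLOBAL_BLOCK_LAN = Rule("block", "in/out", "ip", LAN, "any")          # same rule set to Block
APP_ALLOW_IPOD = Rule("allow", "in", "tcp", "192.168.2.3/24", "any")  # remembered httpd.exe rule
APP_TRAINING = Rule("allow", "in", "ip", "any", "any")                # rule Training Mode added
IPOD_PKT = {"direction": "in", "protocol": "tcp", "src": "192.168.2.3", "dport": 8001}
# constructed: an unrelated Internet host (documentation range) reaching port 8001
REMOTE_PKT = {"direction": "in", "protocol": "tcp", "src": "203.0.113.9", "dport": 8001}

def scenarios():
    return {
        "global allow, no app rule": evaluate_incoming([GLOBAL_ALLOW_LAN], [], IPOD_PKT),
        "global block, app allow": evaluate_incoming([GLOBAL_BLOCK_LAN], [APP_ALLOW_IPOD], IPOD_PKT),
        "no global, app allow": evaluate_incoming([], [APP_ALLOW_IPOD], IPOD_PKT),
        "training rule, remote host": evaluate_incoming([], [APP_TRAINING], REMOTE_PKT),
    }
```

The last scenario is the one to watch: the Training Mode rule has no source or port restriction, so it admits the remote host where the remembered per-subnet rule would still prompt.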