I have a question concerning comodo firewall configurations, which is:
Is it obligatory to use “global rules”? Do I HAVE TO use them to have the firewall up, running and filtering? Is it not enough to use only “application rules”?
I think with “application rules” I can achieve nearly the same effect (if I select “All Applications”) as with “global rules”. Moreover I find it to be more transparent to have all rules in one window/tab. That’s why I want to use only “Application Rules”…
So if it is not obligatory to use global rules, how can I turn them off? Simply delete all rules from the “Global Rules” tab, and leave that field completely empty? I think it’s not that easy.
In the program help, there is the following info: “Therefore, outgoing traffic has to ‘pass’ both the application rule then any global rules before it is allowed out of your system. Similarly, incoming traffic has to ‘pass’ any global rules first then application specific rules that may apply to the packet.”
Now, if I understand it correctly (but I’m not sure, my English is far from perfect), traffic must pass any application rule which allows it, and then any global rule which allows this traffic (I think this is called logical AND, both conditions must be fulfilled). IF it is so, I would define this single global rule:
Allow IP In/Out From IP Any To IP Any Where Protocol Is Any
This way, “Global Rules” would actually allow all traffic to pass without filtering. The only filtering would be then done in “Application Rules”. At least I hope…
Is my assumption right? Do I understand this “Application/Global Rules” concept correctly?
No, you don’t need global rules at all. They are provided as a convenience to the user, but basically act as the gateway in and out of the application rules. Several of the rules you see for unrouted inputs like ping will end up under the artificial application “windows operating system”, but you can see what application is logging a block and either put a block with no log or an allow rule in as necessary. I have no global rules.
The default action for global rules is Allow. If there are no global rules it will behave as Allow IP In/Out From IP any To IP Any where protocol is any.
You shouldn’t use “All applications” as Global rules. You can use it to block traffic without prompt for all programs like the global rules but you shouldn’t use it to allow traffic as it will be allowed without prompt for all programs (unless that’s what you want).
Here are my “system rules” as an example of what to do if you don’t have global rules. Good idea to have a block and log all at the end of WOS at least, and I added a block all in at the end of the application rules just in case I accidentally try to add something at the end. And yeah, being missing is sort of like allowing everything.
If it is so (when I do not want to use global rules, all I have to do is to delete all of them, and leave global rules field empty) then I think program-help might be a little confusing. It says: “Therefore, outgoing traffic has to ‘pass’ both the application rule then any global rules before it is allowed out of your system…”
If I understand it correctly, there must be both an application rule and a global rule which allows this certain traffic. But if I delete all global rules, there will be none, traffic can not pass through any global rule, and it should not be allowed to leave my computer.
But what ggf31416 wrote might explain this situation: “…The default action for global rules is Allow. If there are no global rules it will behave as Allow IP In/Out From IP any To IP Any where protocol is any…”
But imho, this is a very, very bad idea, to have the default global rule (i.e. when there are no rules defined) as “allow all”. I think any good firewall should use “block all” as the default policy. In other words, what is not explicitly allowed should be automatically blocked…
Help may be a bit confusing, but this just means that if the application rules allow something and the global rules block it, it doesn’t go. The “any global rules” applies only if there are applicable rules.
If you use block all as a default global rule, nothing will ever happen. The global rules are evaluated first on inbound, last on outbound, and nothing will get through. There is no “default action for global rules”. They either apply to a connection or they don’t. And if they don’t exist, they don’t apply.
Blocking what is not explicitly allowed occurs in the application rules, although usually you get asked instead of blocked. You can put a block all rule at the end of the applications if you prefer that new requests without existing rules get blocked instead of asked.
BTW, Egeman, the lead architect and developer for CFP3, agrees that it is OK to not use the global rules and that it does not compromise security. And the experience of those of us without them validates that CFP3 works fine and is just as configurable. But you are free to use the global rules if you find them convenient; many don’t.
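The evaluation order argued over in this reply and in the help text quoted earlier (outbound: application rules, then global rules; inbound: global rules, then application rules; a stage with no applicable rule passes the packet on) is easy to get wrong in one's head, so here is a small Python model of it. This is an example added by the editor, not Comodo's code and not posted by anyone in the thread. It assumes first-match-wins within each stage, that "no application rule matches" is the case where CFP3 would prompt (modelled as the verdict "ask"), and it uses constructed application names, TEST-NET addresses and a made-up log format; real CFP3 matching (address ranges, zones, ICMP types) is richer than this.

```python
"""Toy model of CFP3's two-stage rule evaluation (added example, not Comodo code).

Order, as described in the help text and in the reply above:
  outbound: application rules first, then global rules
  inbound:  global rules first, then application rules
A stage with no matching rule is a pass-through; an empty global list is
therefore equivalent to "Allow IP In/Out From IP Any To IP Any".
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out"
    proto: str       # "tcp", "udp" or "icmp"
    app: str         # owning process, or "WOS" for unrouted/system traffic
    remote_ip: str
    src_port: int = 0
    dst_port: int = 0


@dataclass(frozen=True)
class Rule:
    action: str                                   # "allow" or "block"
    direction: str = "any"
    proto: str = "any"
    remote_ip: str = "any"                        # exact address or "any"
    src_ports: Optional[Tuple[int, int]] = None   # inclusive range, None = any port
    dst_ports: Optional[Tuple[int, int]] = None
    log: bool = False
    name: str = ""

    def matches(self, p: Packet) -> bool:
        def in_range(rng, port):
            return rng is None or rng[0] <= port <= rng[1]
        return (self.direction in ("any", p.direction)
                and self.proto in ("any", p.proto)
                and self.remote_ip in ("any", p.remote_ip)
                and in_range(self.src_ports, p.src_port)
                and in_range(self.dst_ports, p.dst_port))


ANY_APP = "All Applications"   # CFP3's catch-all application entry


def _record(r: Rule, p: Packet, log: List[str]) -> str:
    """Append a log line if the rule asks for it, then return its action."""
    if r.log:
        log.append(f"{r.action}: {p.app} {p.direction} {p.proto} "
                   f"{p.remote_ip}:{p.dst_port} matched '{r.name}'")
    return r.action


def app_stage(app_rules: List[Tuple[str, Rule]], p: Packet, log: List[str]) -> str:
    """Ordered (application, rule) pairs, first match wins.  No match at all is
    the case where CFP3 pops up a prompt, modelled here as the verdict "ask"."""
    for app, r in app_rules:
        if app in (ANY_APP, p.app) and r.matches(p):
            return _record(r, p, log)
    return "ask"


def global_stage(global_rules: List[Rule], p: Packet, log: List[str]) -> str:
    """First match wins; with no applicable rule the stage simply passes."""
    for r in global_rules:
        if r.matches(p):
            return _record(r, p, log)
    return "allow"


def evaluate(p: Packet, app_rules, global_rules, log: List[str]) -> str:
    """Return "allow", "block" or "ask" for one packet."""
    stages = [lambda: app_stage(app_rules, p, log),
              lambda: global_stage(global_rules, p, log)]
    if p.direction == "in":
        stages.reverse()             # inbound: global rules are consulted first
    for stage in stages:
        verdict = stage()
        if verdict != "allow":       # the first stage that does not allow decides
            return verdict
    return "allow"


# Constructed sample policy: no global rules, narrowed DNS for WOS, block-and-log
# at the end of WOS, and a block-all-in for every other application.
DNS_SERVER = "192.0.2.53"            # hypothetical ISP resolver (TEST-NET-1 address)
APP_RULES = [
    ("firefox.exe", Rule("allow", "out", "tcp", dst_ports=(443, 443), name="firefox https")),
    ("WOS", Rule("allow", "out", "udp", DNS_SERVER,
                 src_ports=(1024, 4999), dst_ports=(53, 53), name="dns to isp")),
    ("WOS", Rule("block", log=True, name="wos block and log all")),
    (ANY_APP, Rule("block", "in", log=True, name="block all in")),
]
GLOBAL_BLOCK_ALL = [Rule("block", name="global block all")]
GLOBAL_ALLOW_ALL = [Rule("allow", name="global allow all")]   # the rule proposed in the question

if __name__ == "__main__":
    log: List[str] = []
    https = Packet("out", "tcp", "firefox.exe", "203.0.113.10", 50000, 443)
    print("no globals      :", evaluate(https, APP_RULES, [], log))                # allow
    print("allow-all global:", evaluate(https, APP_RULES, GLOBAL_ALLOW_ALL, log))  # allow
    print("block-all global:", evaluate(https, APP_RULES, GLOBAL_BLOCK_ALL, log))  # block
    rogue_dns = Packet("out", "udp", "WOS", "198.51.100.9", 3000, 53)
    print("rogue dns       :", evaluate(rogue_dns, APP_RULES, [], log), log[-1])   # block
```

Running it shows the three points made in the thread: with no global rules, or with the explicit allow-all global rule, the firefox connection is decided purely by its application rule; a block-all global rule overrides every allow in the application rules, so nothing ever gets out; and a WOS block-and-log rule at the end catches the DNS query to a server other than the narrowed one and leaves a log line saying which rule fired.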
OK, I don’t know much about CFP architecture, but using Global rules and Application rules is supposed to give you 2 layers of filtering traffic. At least that’s what I hope.
I have System, WOS, svchost, explorer and all other Win system and updater applications blocked both in D+ (not to access loopback and perform DNS queries), and blocked also in Application rules.
And everything works just fine.
What exactly do you understand by WOS (is it the kernel, is it explorer, is it System – what files / processes)? - sorry if the question sounds like I’m confused, but I’d like to understand this better.
D+ doesn’t help much, just logs when explorer is trying to perform DNS queries, but luckily the FW blocks it.
I’m not recommending it to anyone, but my approach is: whitelisting wherever possible (as opposed to blacklisting).
Exactly what is in WOS is indeed a mystery. It handles the unrouted traffic not directed to a specific application, plus seems to control a bunch of outbound traffic for odds and ends like tracert and ping if you don’t call them out explicitly. Plus some implicit functions like DHCP. Doesn’t appear at all in D+. It started out being called “System Idle Process” in early CFP versions, but that was even more confusing. It is recognized by the fact that there is a lot of blocked traffic in and out logged unless you make rules to either allow or block and not log. And as a place to put stuff that might otherwise appear in the global rules. And sometimes provides a few surprises. A good place to end with a block and log all.
This is exactly the information I did not find in help: IF there are global rules, they apply. IF there are NO global rules, then filtering using global rules is NOT active (only filtering by application rules is active). Thank you for explanation…
So I will delete all global rules, define my application rules for those applications allowed to make connection to internet, and at the very end of application rules I will put one more, blocking all connections for all (remaining) applications.
The effect of the block (and be sure to log) all at the end of the application rules does add a little effort, which you need to be aware of. Instead of new applications asking you, and letting you decide on the fly what to do with a new application, it is blocked and gives you a record of what it was trying to do over the network. You can either erase the block and log temporarily and run it again, selecting allow when you get the popups, or change the blocks to allow rules and move them ahead of the block and log. Or decide you don’t want the application to do these things and make whatever rules you desire. I usually edit the blocks to be more specific rules to allow and move the new rules to where they will be executed. An alternative is to just block all in at the end of the application rules, so applications that only require outbound connections ask you and you can allow them, but those that want inbound connections are blocked and give you some time to think about them.
Thank you both, Ed and goodbrazer for your answers;
(I know where WOS is and how to add it both in D+ and FW, but my poor English prevented me from making myself understood)
Now that SimonSim is happy with the answer, I won’t go on with the issue.
I’ll just try to briefly explain what I’ve tried to point out yesterday:
Global rules and WOS rules can’t be equivalent since I have mine (EDIT:WOS) blocked and I can run everything.
Maybe SimonSim is experienced, but a new user is only one click away from answering a FW question wrong. It’s not your case (Ed and goodbrazer) but think that someone might run a server – or at least have admin shares not disabled. If he/she picks the wrong answer, he/she has a 50-50 chance of being turned into a zombie.
If it’s unrouted traffic, unsolicited or not handled by another application, why do you need it? I also run p2p but I’m not pinging others.
Looking at Ed’s WOS rules: you must be very confident about those DNS servers, to allow IP Any Any… Unless you’re running them, I may suggest you narrow that a little, like:
Allow UDP out from Any to [DNS] where source is in [1024-4999] and dest is 53 / Block unmatching.
And that is handled in the above rule, “Win updater group”, by svchost.
Similarly, you can narrow DHCP requests, I think.
It would be great to hear more of your opinions. (maybe in a new topic?)
Which do you have blocked, global or WOS? You can actually start by erasing all of the global rules and all of the WOS rules and see what shows up as blocked in the log. You do need to put a block and log all at the end of the WOS rules to eliminate unrouted and system traffic you don’t specifically allow, since there is not a later application rule. They are only equivalent in that sense. All global rules do is allow/disallow traffic with the application rules. Since the automatic global rules can start out with nothing but blocking ping, they must not be very necessary anyway.
The WOS rules I use have mostly grown from examining the logs of what is blocked by CFP3. Probably CFP3 has evolved a bit, but my rules haven’t. Because of the “block and log” at the end of the WOS rules I needed to add some things like the ICMP allow rules there for ping and tracert.
As far as the unrouted traffic, things like DHCP broadcast show up a lot as blocked by WOS unless you make a rule for it. And destination unreachable and …
The DNS servers are the ones at my ISP; I don’t allow arbitrary DNS servers through DHCP/DSL. I could cut them down a bit, but I am lazy and just treat them as trusted. Besides the UDP traffic, there are also the ICMP unreachables and some other traffic occasionally, so I made one pair of rules instead of several. It turns out that the Win Updater group doesn’t handle all of the DNS traffic, and on my system it also shows up as part of WOS. And other systems show svchost doing it directly. Instead of trying to figure out what CFP3 is doing, I just allowed it. Similarly for DHCP, since I could certainly restrict the ports, but sometimes other related messages show up (like SSDP discovery 1900) and sometimes they don’t. So my WOS rules are a rather lazy consolidation of lots of things. In a sense WOS is a way to work around some of the CFP3 firewall rule inconsistencies.
And the global rules probably seemed like a good idea at the time, but generally cause confusion because of needing all the global exceptions that need to repeat the various application rules if you use a global block. And the need to have the application rules even if you have global rules for an application. And the rather vague explanation in the help file that we re-explain often in the forum.
Unfortunately, I can’t – my logs turn into a sniffer when I’m trying to log the last Global rule. I cannot post it here, but I’m sending you a PM to see what logs I do get in 1 minute.
We’re doing all this mumbo-jumbo trying to narrow and fine-tune FW behavior, but it would have been much easier if rules got an identifier that was shown also in logs.
If the id were shown, repeating rules in 2 places wouldn’t be such a pain.
Thanks for the detailed answer.