Global rules have no effect (CPF v3.0.20.320., x32, XP SP2)

I’ve had the exact same problem with v3.0.19.318 on XP Pro, which has ICS enabled to allow me to use Xbox Live.

The Global Rules seem to have no effect and I see that UDP traffic from (Xbox360) to 192.168.01:53 (PC) (Application: C:\Windows\system32\svchost.exe) is Blocked.

Only adding an “All Applications” set of rules to allow incoming and outgoing traffic on my LAN allows Xbox Live to connect. Unfortunately, it still has the effect of causing the test to report NAT as “moderate” whereas with CFP disabled it reports as “Open”, so something still needs tweaking to fix this.

Hi and welcome,

First of all, upgrade to version 3.0.20.

Create a rule for svchost.exe under Application Rules to accept incoming UDP traffic from the Xbox, and make sure this rule goes before any block rule.
And, if you use Global Rules, create a rule to allow incoming UDP traffic from the Xbox, and make sure this rule goes before the block ip/in/any rule (or similar).

OK, I’ll upgrade but the release notes don’t mention fixing any bugs with Global Rules so I’m not confident it will make any difference.

If I’ve got Global Rules allowing all IP traffic on my LAN, surely I shouldn’t have to add extra rules?

In v3.0.19.318 I can’t easily add a new entry for svchost.exe as there’s already one there using the predefined policy “Web Browser”, so I added the rule to that policy (I see that policy is also used for Internet Explorer, so I hope that it’s not a problem doing this). I also had to add another rule to allow my PC to connect using UDP from port 67, so I decided to just add one rule that allows UDP In/Out with my LAN zone as source. Even with this rule, the Xbox360 still reports NAT as moderate.

Trying the exact same rule as a Global Rule instead doesn’t work, so Global Rules are definitely not working in this version.

Just to confuse things, there’s a lot of Blocked Events in the log associated with “Windows Operating System” but I can’t find a Block rule with log enabled that could be responsible for these. On top of this, the svchost.exe rule that allows traffic on the LAN has got log enabled but this isn’t generating the events it should be. The only event it shows is to It doesn’t even show the traffic from the Xbox to PC port 53 that was being blocked before and which was partly the reason I needed this rule.

I’ll let you know how I get on with v3.0.20.

OK, this is what I’ve found with v3.0.20.320.

Global Rules still don’t work. The only way to get Xbox Live working is to add a rule allowing UDP In/Out with my LAN Zone as source for svchost.exe under the Application Rules, but that still causes it to report NAT as “Moderate”.

It’s still only logging the one event I mentioned in my last post against svchost.exe.

With the firewall enabled, the 2nd to last Xbox Live test (just named XboxLive) takes twice as long to complete as it does with the firewall disabled. It also causes the last test (NAT) to report as Moderate, whereas it reports Open with the firewall disabled.

Hope that’s of some help.

Do you still have these after trying to connect? What exactly does the log say about “Windows Operating System”?

Not exactly sure what you mean. How would trying to connect have any effect on events already in the log?

Anyway, the events associated with WOS are almost all UDP, from random source IPs on random ports, trying to connect to my port 52353 or 62624, with one attempt to 1027. There were also a few incoming ICMP type 8 events blocked, which the log shows as Code(0) under destination.

I’ve tried to set up Global Rules to allow access to my LAN, both using the Stealth Ports wizard and manually, but they might as well not be there because they have no effect whatsoever.

Defense+ was disabled. I tried the different Firewall modes. I also tried disabling all the options in Miscellaneous to no effect. Only with the firewall disabled did LAN access work.

I’ve installed v2.4 instead now and the same rules in Network Monitor allow my Xbox1 to browse my PC.

I tested with Xbox Live on my Xbox360 and browsing my PC files from my Xbox1.

Other security software: AVG Free v7.5.519

What global rules are you using? What application rules do they support? Do you get any messages in the log? The way to think of global rules is that they do nothing but allow or deny access to application rules. If you want an application to do or not do something, the rules need to be there. Global rules are evaluated first for incoming connections, and can prevent or allow the incoming requests from getting to the application rules. They are evaluated last on outbound requests, and can prevent or allow an outbound request generated by the application rules. With this in mind, please tell us about your application rules and global rules.
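As an added illustration of the evaluation order described in the post above (this is not code from the thread or from Comodo), a small Python model of the two layers. It assumes a trusted-zone style pair of global rules, a constructed 192.168.0.0/24 LAN with the Xbox at .2 and the PC at .1, and that a packet matched by no application rule is blocked; it shows why the Xbox's UDP to svchost.exe stays blocked until an application rule exists, while the global layer alone is what stops an unsolicited internet packet.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
# Assumed, simplified model of the CFP v3 order described in the post above (not
# Comodo's code); the addresses and the "no application rule = block" default are ours.

@dataclass(frozen=True)
class Packet:
    direction: str  # "in" or "out", as seen from the PC
    proto: str      # "udp", "tcp" or "icmp"
    src: str
    dst: str
    app: str        # process owning the socket, e.g. "svchost.exe"

@dataclass(frozen=True)
class Rule:
    action: str     # "allow" or "block"
    direction: str  # "in", "out" or "any"
    proto: str      # "udp", "tcp", "icmp" or "ip" (any)
    src: str        # source CIDR
    dst: str        # destination CIDR
    app: str = "*"  # application rules only; "*" for a global rule

    def matches(self, p: Packet) -> bool:
        return (self.direction in ("any", p.direction)
                and self.proto in ("ip", p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.app in ("*", p.app))

def first_match(rules, p, default):  # top-to-bottom, first matching rule wins
    return next((r.action for r in rules if r.matches(p)), default)

def evaluate(p, global_rules, app_rules):
    """Inbound: global rules gate first, then application rules decide.
    Outbound: application rules decide first, then global rules gate."""
    if p.direction == "in":
        if first_match(global_rules, p, "allow") == "block":
            return "block (global)"
        return first_match(app_rules, p, "block") + " (application)"
    if first_match(app_rules, p, "block") == "block":
        return "block (application)"
    return first_match(global_rules, p, "allow") + " (global)"

LAN, ANY = "192.168.0.0/24", "0.0.0.0/0"
# Trusted-zone style global rules: allow the LAN both ways, then block all inbound.
GLOBAL = [Rule("allow", "any", "ip", LAN, LAN), Rule("block", "in", "ip", ANY, ANY)]
# Constructed traffic: Xbox (.2) -> svchost.exe on the PC (.1); internet probe -> Windows kernel.
XBOX_IN = Packet("in", "udp", "192.168.0.2", "192.168.0.1", "svchost.exe")
WAN_IN = Packet("in", "udp", "203.0.113.7", "192.168.0.1", "Windows Operating System")
SVCHOST_LAN = Rule("allow", "any", "udp", LAN, LAN, app="svchost.exe")
def without_app_rule(): return evaluate(XBOX_IN, GLOBAL, [])            # block (application)
def with_app_rule():    return evaluate(XBOX_IN, GLOBAL, [SVCHOST_LAN])  # allow (application)
def wan_probe():        return evaluate(WAN_IN, GLOBAL, [SVCHOST_LAN])   # block (global)
```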

OK, it seems I misunderstood how Global Rules work then.

In my defence, when I used the Stealth Ports wizard to set up a Trusted Zone, I assumed that it would create rules that actually do something (allow all traffic in the Trusted Zone) rather than just create two rules that I didn’t really need.

Defining a Trusted Network in v2.4 adds the same rules to the top of the Network Control Rules, but they actually have an effect there and don’t just act as a valve before the Application Control Rules.

So is it the case that the option to set up a Trusted Zone that ignores the rules has been removed from v3?

A trusted zone works fine, but only allows all traffic on the LAN defined by the trusted zone. Things still need to be evaluated against application rules to decide whether to allow or block connections to an application. Sorry, I never used Comodo 2.4 so can’t compare to what it does. But it is still a big advantage to have the trusted zone, since then you see all the traffic instead of it being blocked elsewhere. :)

Yeah, but it doesn’t actually allow anything as far as I could tell, because you also need an Application Rule for svchost.exe, another one for System, and so on. So you might as well just not bother with using Global Rules, and the Trusted Zone just seems to be a defined group of addresses that you can refer to in rules; it doesn’t have any special significance over any other Zone you might set up.

Personally, I think it’s a big omission not to have a simple way to facilitate LAN traffic. Other firewalls I’ve tried besides CPF v2.4 have this feature, and I find v3 just too complicated without it.

I don’t use any global rules because of the way they work. Others find them a convenient way to deal with global issues like blocking unrouted traffic and all inbound. You can do most of the global rule functions by adding them to the “Windows Operating System” application. If you don’t have any global rules, the application rules just chew on all the requests and allow/disallow. See for another recent discussion of the subject. :)