I am doing some testing with Comodo and found something that makes no sense to me. Hopefully someone will be able to help me out. I created a single global firewall rule. This rule allows all IP traffic from any source address to a network zone that I created using any protocol. I tried pinging a computer within the network zone and I received an alert dialog saying that ping.exe is trying to access the remote computer with ICMP. This confused me so I changed the rule from the network zone to the specific IP address of the computer and got the same results. As I understand it, when you have a global rule to allow IP traffic, you should not receive an alert dialog. So, I changed the rule to block traffic and it blocked the ping as I would expect it to. Could someone please explain why this global rule is producing an alert dialog?
The Firewall can apply rules only to specific applications (Application Rules) or can apply rules regardless (Global Rules).
For Incoming Connections, Global Rules are enforced first. If the incoming connection is allowed, then corresponding Application Rules will be enforced.
For Outgoing Connections, Application Rules are enforced first. If the outgoing connection is allowed, then Global Rules will be enforced.
If the traffic is not generated by an application (e.g. routed traffic), only Global Rules are enforced.
Thanks for the reply.
I understand the order in which the rules are applied. In this case, I have a single global rule for testing. This rule is configured as follows:
Source Address: Any
Destination Address: 192.168.1.125
IP Details: Any
As I understand it, this should allow all IP traffic to the above address. For this test, my Application Rules section is completely blank. So the only rule that exists is the global rule. So, when I ping 192.168.1.125, this request should be allowed by the global rule. But instead of getting a ping reply, I get an alert saying that ping.exe is trying to connect to the internet. The alert gives the IP address of 192.168.1.125. It gives me the option of allowing the request, blocking the request, or the "Treat this application as" option, along with the option to remember.
If I change the rule to block IP traffic to this address, all network traffic is blocked as expected.
Are you saying that I am required to have an application rule and that the global rule, even though it allows network traffic to the system, will not allow access from all apps?
Yes. Even if there is a global rule an application rule is needed.
Usually global rules are used to outline a general form of protection that can be fine-tuned using application rules.
I have not tested this, but it should be possible to obtain the behaviour you described by creating an * application rule with ALLOW IP from source any to Destination any where protocol is any.
I would like to advise you against this though.
I have found a pain-free solution to an alert.
Simply check the “Remember” box and click Allow. This creates an application rule so you won't be asked again.
THEN EDIT Network Security Policy - then you can see exactly what the new rule permits, and then you can restrict to simply “PING” or whatever you wish. You can also reduce the “windows of opportunity” in the Global rules. As you make these changes you can also test and if you cannot ping or whatever, backtrack a bit.
Personal example:
I had a vague idea that Outlook Express was actually called “minime” or some such stupid name, but could not be bothered to research and manually create a rule - I just waited for the Alert, clicked Remember and Allow, and automatically Comodo created a rule naming the stupid name, and permitting “Any IP Out”. A simple Edit of this new rule then corrected this to the pre-defined “Email Client”.
Sorry, I didn’t understand you wanted to have alerts displayed only once. I edited my previous post to strike out the only (untested) way I thought of to allow application-level connections and avoid alerts, thus relying on global rules.
As you found out, using “Remember my answer” is the way to go. You can also increase the number of alerts and the details of generated rules using Firewall behaviour settings\Alert settings.
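A simplified model of the rule evaluation order described in this thread, added here as an illustration; it is not Comodo's code and not part of any post. The class and function names are hypothetical, and it assumes that traffic matching no global rule passes the global stage.

```python
from dataclasses import dataclass, field

@dataclass
class Rule:
    action: str          # "allow" or "block"
    dst: str = "any"     # destination address, or "any"

    def matches(self, dst):
        return self.dst in ("any", dst)

@dataclass
class Firewall:
    global_rules: list = field(default_factory=list)
    app_rules: dict = field(default_factory=dict)   # app name -> [Rule]

    def _first(self, rules, dst):
        return next((r.action for r in rules if r.matches(dst)), None)

    def _global(self, dst):
        # Assumption: no matching global rule means the global stage passes.
        return self._first(self.global_rules, dst) or "allow"

    def _app(self, app, dst):
        # No matching application rule produces an alert, as seen in the thread.
        return self._first(self.app_rules.get(app, []), dst) or "alert"

    def evaluate(self, direction, app, dst):
        if app is None:                  # routed traffic: global rules only
            return self._global(dst)
        stages = [self._app(app, dst), self._global(dst)]   # outgoing order
        if direction == "in":
            stages.reverse()             # incoming: global rules first
        # The first stage that does not allow the connection decides it.
        return next((v for v in stages if v != "allow"), "allow")

    def remember_allow(self, app):
        # "Remember" + Allow on the alert creates an application rule.
        self.app_rules.setdefault(app, []).append(Rule("allow"))

def demo():
    target = "192.168.1.125"
    fw = Firewall(global_rules=[Rule("allow", target)])
    before = fw.evaluate("out", "ping.exe", target)  # app rules are blank
    routed = fw.evaluate("out", None, target)        # no application involved
    fw.remember_allow("ping.exe")
    after = fw.evaluate("out", "ping.exe", target)
    fw.global_rules = [Rule("block", target)]        # global rule still applies
    blocked = fw.evaluate("out", "ping.exe", target)
    return before, routed, after, blocked
```

`demo()` reproduces the sequence from the thread: the global allow rule alone still yields an alert for ping.exe, and the alert stops once an application rule exists.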