"Global Rules"

It appears to me that the Global firewall rules are not really that and do not always apply. For instance, I know for a fact that the one to block all incoming does not apply to trusted applications. Things like uTorrent and games like World of Warcraft, Steam games, and all others that require incoming connections but are in the trusted Vendors list do not produce any incoming alerts even though I have alerts turned on. They are allowed to establish and receive the connections they need in order to function properly. The default Windows firewall always requires an exception for the same files. I also don’t think that the global rule to allow all outgoing does not apply to unknown or untrusted things that are restricted by the Behavior Blocker. I get firewall alerts for such things when they attempt to connect to the internet.

How do these “Global Rules” really work? Is it only if you choose the custom alert rules for the firewall rather than the safe mode that I’m using with no rule creation for safe things?

Steam does not require ingoig rules. For example steam. It will work with “block IP IN any”.

Outgoing traffic requests ingoing packets =statefull two way firewall.
Unrequested packets need an ingoing allow rule if they have to pass. But its in rare cases like listen server or p2p with sharing.

Global rules help you to decide general things globally. One answer, global effect.
Application rules per application.

The “allow outgoing” rule in global rules can be erased without any effect.
General blocks and exclusions to them. Thats global rules.

I have Skyrim and RAGE installed and they both play through Steam and both require incoming exceptions in the default Windows firewall. So yes that says they use incoming to function correctly. The Steam client itself does not but that’s not what I meant.

Beyond that, you didn’t answer my question why “Global” rules are not always applied.

Make a “block IP OUT all” rule in global rules. On top.
It will prove you that its applied :wink:

Maybe you just can see with your own eyes:
The games run with outgoing only. Thats why the “block IP IN any” does not seem to work :wink:

This rule saves you from questions about unrequested ingoing attempts.
But it lets you play.

The games DO NOT run with outgoing only. You don’t know what you’re talking about. The launchers require the incoming connections but so do the main game files to receive data from other players and to transmit the same to them. The updaters, in particular that of WoW which uses the bit torrent technology to receive the new data also need incoming allowed. If you are using only the default Windows firewall, you have to allow incoming exceptions for the games. Any other firewall that alerts for all connection attempts will also require you to allow incoming. I know, I’ve used more than one. Any bit torrent client will definitely require incoming allowed but uTorrent now produces no CIS firewall alerts when used for the first time because it’s author is in the trusted vendors list. This happens despite the “global” rule to block all incoming. Unknown things intercepted by the Behavior Blocker also produce outgoing alerts despite the “global” rule to allow all outgoing.

The global rule “allow outgoing” is totally useless!
If there is no block rule in global rules, nothing gets blocked by global rules! So its useless to have the allow outgoing there.

Every question that you get is from application level. If you dont SET an asking rule in global rules.

If you want to see the “block IP in any” functioning, you need to use the userinterface. There is a log. Make sure that the rule has “log” enabled.

You are so convinced of your ideas, that you misinterpretate results.
“Skyrim runs. I have a rule that blocks unrelated ingoing traffic. But skyrim made a rule in windows firewall to allow ingoing traffic. So the comodo firewall “block IP IN any” rule can not work!”
No, it works, but skyrim just does not need unrequested ingoing traffic.

P2P and running an own listen server/hosting in some games. Any variations of that could need permissions for teh internet to connect to you!

Everything else, if running (like windows updates, updates, browsing, playing, watching) does not need to wait for the internet to connect. So runs with outgoing only.

Now, use the log and see. (“Log” has to be enabled for the rule)

Or very simple:
Create a rule for skyrim, put it on top of the skyrim rules in application rules:
“Block IP IN any”.

and play the game :wink:

I have no application rules other than the default ones and don’t want any for safe things. Why would I want to block something it obviously uses to run normally?

CIS is a stateful firewall, which, in very simple terms, means it keeps track of connections and knows how to act based on information it receives. For example, when you connect to a web site in your browser, you initiate an outbound connection which is evaluated against any firewall rules found, it the request is allowed, the firewall creates an entry in the ‘state table’ (depending on the protocol the type of information will differ). Later, when an inbound connection is received, the request is compared with information in the state table and if the firewall sees the connection is a reply to previous request, the connection is allowed. If the connection request is unknown, the connection is rejected. This process does not require specific inbound rules and is how the majority of SOHO firewalls function…

The execption to the above are server type processes. These are things like web servers, media servers, VoIP, p2p applications and so on. When you configure your firewall for one of these applications you typically need to explicitly allow inbound connections for the appropriate addresses, protocols and ports. For example, you want to create a web server. For this you’d need to create an inbound application rule for the server executable and depending on your configuration, you may also need a global rule to allow the protocol and port.

Certain games have p2p like attributes and for these to function fully, it’s usually necessary to allow the appropriate inbound connections that cater specifically for these attributes.

With regard to to the Global Block rule found in the Internet Security Configuration or when switching to ‘Stealth’ this will prevent all unsolicited inbound connection requests. To create exceptions, you need to create ‘allow’ rules preceding this.

It was an easy way to prove to you that skyrim runs with a “block IP in any”.

So you can see that its not a prove of the global rule not working when skyrim runs. As it does not require unrequested traffic to enter.

Wanted to make it easy :wink:

Since Skyrim is a single player game, I never understood why it needed incoming but it does produce alerts for it with other firewalls including the Windows one.

However, World of Warcraft definitely does need incoming allowed and it is allowed by CIS without any alerts. The launcher needs incoming to check for and retrieve updates.

Creating specific rules for addresses and ports for P2P applications like uTorrent is simply not feasible. You never have any idea what addresses you will be receiving data from or sending data to. The only solution for them is to allow all connections. CIS now automatically does that because the author is in the trusted vendor list and the global block incoming rule doesn’t apply. I always had to have both incoming and outgoing rules for uTorrent with any other firewall. With CIS, I have none. To put things straight, I’m not saying I want the global rules to always apply. I like how CIS is working. I’m just pointing out that they don’t act like global rules I have seen before.

All that’s needed is a single inbound rue for TCP or UDP to your torrent port.

CIS now automatically does that because the author is in the trusted vendor list and the global block incoming rule doesn't apply. I always had to have both incoming and outgoing rules for uTorrent with any other firewall. With CIS, I have none. To put things straight, I'm not saying I want the global rules to always apply. I like how CIS is working. I'm just pointing out that they don't act like global rules I have seen before.

Unfortunately, there may be a problem with CIS 6 and inbound filtering, it’s something I’m looking at currently. If nothing else, there are serious inconsistencies in behaviour, when dealing with inbound p2p connections.

If the traffic meter would be still in the mainpage, you could see at once IF there is INgoing traffic :wink: … now you have to guess and to load killswitch… :smiley:

Handy interface = profit

Can you see any ingoing connections with the rule “block IP IN any”?

i was going to say maybe it is becasue the file is in the trusted files but then checking again with the help file seems to point on a confusing turn

in behavior blocker help file look at the note

* Define exceptions for behavior blocking – Allows you to add certain file paths for being excluded from monitoring by the Behavior Blocker. The executables included in the exceptions area are allowed to run without checking of authenticity. (Default = Disabled)

Note: The files added through this interface will be exempted only from monitoring by Behavior Blocker. To exclude a file from monitoring by all the components of CIS including Antivirus, Firewall, HIPS and Behavior Blocker, add it to Trusted Files list.

in the note it says that the trusted files list exempt it from everything but in the trusted file list help files

Trusted Files Files added to the Trusted Files list are automatically given Defense+ trusted status. If an executable is unknown to the Defense+ safe list then, ordinarily, it and all its active components generate Defense+ alerts when they run.

it just say that it gives it allow ruleset/trusted rule if its a known file(tvl i guess)

and because of it im now much more confused which is it? if its the first one the note in the behavior blocker then it explains the behavior dch48 is saying

It only applies to Application rules, not Global rules. All one needs to do is start a p2p application and enable logging on the inbound IP Block Global rule. Better still, crank up wireshark and run a capture with the default rules and then with a an inbound global rule for said p2p application.

as I mentioned earlier, CIS 6 is really quite ‘iffy’ with p2p applications and inbound filtering but I need more time to pin down ‘why’ and create a bug.

Keep us posted here too.

It appears CIS is still having problems with UDP hole punching, which is what one gets when using чTP. Still looking at it…