I find that any time I add a rule in the network control rules, I also have to add the same information into my router’s built in firewall. Is it OK to disable the network control rules, or are they offering some other protection that I may not know about?
Whatever your router's built-in firewall functionality can't catch, Comodo will!
Bogus info will pass from your router destined to your PC, but Comodo will block it and inform you about it!
So if you were to close one of the two firewalls down, you'd better deactivate your router's one and not Comodo.
Well, it's a bit of trouble to keep the two synced, but that's OK. If Comodo is doing something the hardware firewall can't (and I'm thinking outgoing traffic here…), I'll just keep them both enabled.
That's the best thing to do, which I also do!
Also note that Comodo doesn't only help you with outgoing traffic, which the router allows by default since it considers it its master's command to connect to some host, because it has no knowledge of the user's applications, but also with inbound traffic… identifying for example flood attacks, port scans and other stuff passing through your router, which isn't as intelligent as Comodo.
I know this because I see in Comodo's logs various attacks, which Comodo explains to me what they were, while the router didn't see them.
If the router knew about those attacks then it would never have brought them to Comodo's attention, since the router would have blocked them… which it didn't.
PS. So now that I am thinking of it, let the mod tell us: is there a reason to keep the router's firewall enabled since Comodo can handle everything even better? ?!
I would personally leave both in place, since a multilayered security solution ALWAYS is better than a single layer one.
Besides, you might want to allow some traffic on your local LAN, but not through the gateway of your LAN.
The “keeping them in sync” question is one I really don’t understand, as I would never ever have those two rulesets totally identical.
Unless the border router is using hardware filtering, or has a LOT of CPU, you will want to keep the rules there as simple as possible, to avoid the router adding latency to your network traffic. Keep the rules there as simple as:
Anti-spoofing filtering
Block all RFC1918 traffic from leaving your local net.
Block all SMB traffic from being emitted from your local net.
etc.
Do the advanced stuff on the individual hosts. That way you have a lot more fine-grained control over what you are doing.
//Svein
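The three "keep it simple" router rules listed in the post above, modelled as an added example (not code from the thread or from Comodo): a small Python classifier for packets the router is about to forward from the LAN to the WAN. It assumes a 192.168.1.0/24 local net and that the check runs before NAT rewrites the source address.

```python
# Added example: models the three simple router egress rules from the post above.
# Assumptions (not from the thread): the local LAN is 192.168.1.0/24, and the
# check runs on LAN-to-WAN forwarding before NAT rewrites the source address.
import ipaddress
from dataclasses import dataclass

LAN = ipaddress.ip_network("192.168.1.0/24")          # assumed local net
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SMB_PORTS = {137, 138, 139, 445}                      # NetBIOS / SMB

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int

def classify_egress(pkt: Packet):
    """Return (action, rule) for a packet leaving the LAN toward the WAN."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    # 1. Anti-spoofing: anything leaving the LAN interface must carry a LAN
    #    source address; a host forging a foreign source is dropped.
    if src not in LAN:
        return "drop", "anti-spoof"
    # 2. Private (RFC1918) destinations are not routable on the internet, so
    #    such traffic leaking out is misconfiguration or probing; drop it.
    if any(dst in net for net in RFC1918):
        return "drop", "rfc1918-egress"
    # 3. SMB/NetBIOS should stay inside the LAN; block it toward the WAN.
    if pkt.proto in ("tcp", "udp") and pkt.dport in SMB_PORTS:
        return "drop", "smb-egress"
    # Everything else is left to the per-host firewall (the "advanced stuff").
    return "accept", None

# Constructed sample traffic for a quick self-check.
SAMPLES = [
    Packet("192.168.1.10", "93.184.216.34", "tcp", 443),   # normal HTTPS
    Packet("8.8.8.8", "93.184.216.34", "tcp", 80),         # spoofed source
    Packet("192.168.1.10", "10.0.0.5", "udp", 53),         # private destination
    Packet("192.168.1.10", "93.184.216.34", "tcp", 445),   # SMB toward the WAN
]

def run_samples():
    return [classify_egress(p) for p in SAMPLES]

if __name__ == "__main__":
    print(run_samples())
```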
Can you be a little more specific about the “layers” security?
The filter in your router provides one "layer" of security. The personal firewall on your PC adds another. Having these as separate layers gives you more fine-grained control.
Similarly, you wear several layers of clothes instead of one thick garment, for exactly the same reason: control of your environment.
The main reason for keeping several layers of firewalling, is that if a bug exists in ONE of the security products, it’s not likely to exist in all of them, thus if one layer fails, you still have some security.
A router firewall does not replace the personal firewall on your machine, it adds another layer of protection.
//Svein
Nikos
Hardware firewalls (like your router) are great at stopping unwanted incoming stuff. But they cannot really control outbound stuff (mainly because they have no idea what generated the outbound communication). This is where CPF comes in. CPF is very aware of all running applications and all their outbound communication attempts.
I think this is what layering means, in your case.
Yes, I wonder why they don't make hardware firewalls that are aware of all running apps… but now that I think it over, the TCP/UDP packets aren't specifying anywhere, neither in the header nor in their data part, which app sent them. So even if the router did have a list of well-known apps, the packets by their nature would not reveal the sending app.
I don't know if you would agree.
Correct Nikos,
In a nutshell, your Pc and your router are effectively two separate computers connected by some means. Neither is cognizant of what software is running on the other, only what data is streaming to or from each other.
Hope this helps,
ewen
Glad you agree panic…
The only thing to change this is by reconstructing the TCP header part of the IP packet and adding a field whose value would be filled with the name of the sending app.
Maybe we should propose that to the designers of TCP/IP
Oh great, so the next "Sasser" worm will have a "firefox.exe" IP header? (:KWL)
I doubt anyone would ever trust such headers on security platforms.
//Svein
That's an issue
Gotta agree with Svein - it would open up a whole new can of worms (pun intended). I can't imagine the mess application spoofing would cause.
cheers,
ewen