i’ve just uninstalled previous CFP3 and installed CFP3.0.14.276. i was about to create the global rules, and i have these default rules. what are they ???
allow IP out From IP any to IP any Where protocol is any
allow ICMP in from IP any to IP any where ICMP message is FRAGMENTATION NEEDED
allow ICMP in from IP any to IP any where ICMP message is TIME EXCEEDED
block & log IP in from IP any to IP any where protocol is any
on previous CFP i only have rules for LAN & the last rule (default rule) was block & log IP in any any any.
and now i have 3 additional default rules ??? what are they?
i’m in confusion phase #2
Ganda
edit : oh, and i installed CFP on safe mode, is it OK? coz i remember that Ragwing said we should install CFP on normal mode ?
allow IP out From IP any to IP any Where protocol is any
This one allows outbound connections.
allow ICMP in from IP any to IP any where ICMP message is FRAGMENTATION NEEDED
This one presumably solves problems with some windows updates.
allow ICMP in from IP any to IP any where ICMP message is TIME EXCEEDED
This is to make tracerouting work.
block & log IP in from IP any to IP any where protocol is any
This is the final “blocking” rule, that blocks anything not specifically allowed earlier in the list. Any allowing rules you will add later on, should be placed before this one.
This rule blocks any incoming connections not allowed earlier in the list.
That global rule won’t allow anything that isn’t explicitly allowed by an app rule or your direct answer to a popup. It doesn’t allow all out, it just makes possible that things are allowed out.
No, not really. The firewall part of Comodo has two “lines of defense”: Global Rules and Application Rules. Global Rules define what traffic is allowed in general, for any application. No application on your system can make a connection disallowed by a Global Rule. Application Rules let you further control what part of that traffic is allowed for a certain application.
So, allowing outbound connections in Global Rules is not “unsafe” in any way, since you can still control what applications have network access in Application Rules.
Sorry, I don’t understand - I haven’t first rule (allow out any) before, and I killed this rule today after do clean install v.14.276. All apps (with per app permissions) communicate just fine. So for what is this new global allow rule? I don’t want any global permissions (I’m the boss here ) but on the other hand, Comodo must know what they do. The question remains the same…
My mistake. The last rule - block & log IP in from IP any to IP any where protocol is any - actually blocks all incoming connections, not all connections altogether.
That explains why nothing changed when you deleted the first rule: outgoing connections weren’t blocked anywhere else in Global Rules, so it didn’t matter whether they were explicitly allowed or not.
Yes, but still not clear. AFAIK CFP for outgoing connections check per app rules first, then global. So if abc.exe not present in apps, “allow out any” global rule must permit abc.exe to send out my bank password without questions, right? Not right - CFP will ask me.
I just curious for what is “allow out any” global rule?
After an ultra clean install (all remaining reg. entries backed up and deleted) this is exactly
what you get. Nothing wrong here - passes leak tests and Shields Up. Also I thank Comodo
devs. for sorting out the loopback issue - everything now connects via my Proxomitron.
Great stuff !
;D how do i remember that?
i chose …advance protection something on defense+ installation, i chose no/not sure when CFP ask if i use bittorrent,emule. i can’t remember the rest of it. but the default security level was firewall -->train with safe mode
defense+ -->clean PC mode (i’ve change it to “train with safe mode”)
so it’s OK then. (:NRD) . pheeew…
oh and what about my installation? is it OK to install CFP on safe mode ? coz Ragwing said CFP will not install properly on safe mode.
I am not 100 % sure about this - but isn’t the (in this case) outgoing connection required to pass both rule sets, ergo Aplication and Global one, so that it could be allowed?
EDIT: So, if the connection passes the Aplication rule and does not (e.g. there is no such rule) the global one, it is blocked, if I understand this correctly.
For global rules, if there is no match, the action is simply to skip. All of the rules are applied from top to bottom. Hence the defaul firewall configuration always includes "Block all the remaining traffic" as the last rule to make sure the default action is block.
SNIP<<
I think it is time to explain how it works a little more.
There are 2 types of rules in 3.0. Application rules and global rules.
Application rules are used to handle all application based traffic. i.e. the traffic that applications in your computer generate.
Global rules are used to filter both the application based and non-application based traffic.
For outgoing connections, first application based rules are applied, if passed, then global rules are applied.
For incoming connections, first global rules are applied. If passed, then application based rules are applied.
If the traffic is the routed traffic, it is considered applicationless, hence only the global rules are applied. If the traffic is applicationless, there is no “application is trying to connect to the Internet” popup.
Rule handling :
Rules are applied from top to bottom. So the first rule which matches the packet is applied.
The global ruleset DOES NOT always include block all remaining traffic as the last rule. See the global rulesets in previous posts. The only default rule I have for .276 is to block echo requests, as do many other posters. I have seen other default rulesets posted that say “block all incoming.” as the last rule, depending on the setup selections, (I had that on .273 along with the ICMP fragmented packet and time exceeded allow in and an allow all out) but not a block all-which generally kills everything unless you put an “allow all out” and other similar in front of it, which kind of makes it a “BLOCK ALL NOT”-applicable to incoming TCP/UDP and the other ICMPs, IGMP. … . The applicationless stuff, per previous discussions, was sent to “system idle process” now “windows operating system”. SO: What should the default global ruleset be, as a function of firewall configuration? What needs to be added at the front to facilitate other activities like incoming ICMP, incoming UDP, ? I still just have the global “block incoming echo request” as the only rule, from the default, and have added a “block all” at the end of the application rules pending further insight. ??? Inquiring Minds Want to Know.
) but on the other hand, Comodo must know what they do. The question remains the same…