Help with understanding global rules

Can somebody please help me understand how the global rules work in V3?
Currently I have only one rule in my “Global Rules” set which was there by default upon installation - “Block and log ICMP in from IP any to IP any where ICMP message is ECHO REQUEST”.
As far as I can understand from reading the help files the default behaviour if no rule is present is to “Block” until a rule is created, and also that any inbound traffic must pass the Global rules before getting to the application rules.
What I don’t undestand is that all my applications are working perfectly without any global allow rules having been created. For example I have uTorrent working perfectly with only application rules configured - shouldn’t I have needed to create a global allow rule for incoming TCP/UDP connections to the port I have set up to listen for incoming connections in uTorrent? When I was using V2.4 I needed to set up network control rules as well as application rules.
In fact I’m a little confused as to how any traffic is allowed in or out of my PC without any global rules (apart from the echo request block rule).
I must point out that everything is working perfectly - I am not actually having any problems getting apps to work…I just don’t understand the point of the global rules when I don’t seem to actually need any…
Here is a pic of my current global rule “set” - please let me know if I have anything important missing.

[attachment deleted by admin]

joining the author and awaiting an answer :-))

EDIT it seems that CFP is working with “default-allow”, which is strange… I too have no global allow rules… Except the network ones (LAN and Parallels Workstation Virtual NIC).


The default Global network rule on my system is “Block and Log IP In from Any To Any Where Protocol is Any”. This prevents all unsolicited access to my system from outside [in a sense, this is overkill since I am behind a NAT router/modem which does the same thing] and this is what the default intends. The rule in your list merely blocks incoming ping requests and all other traffic is allowed: do you really want this?

I should add that I have added one rule to the Global list; this allows unsolicited incoming ICMP 11 (Time Exceeded) so that tracert will operate properly.

but how can you even browse the web with the rule that blockes out everything?.. ???

Mine are the same as pudelin and i can browse ok.This way only asked for packets are allowed through and they must come through application monitor rules first.

Regards Matty.

from what i read on this forum i thought a packet is being filtered by global rules first… and even if that’s not true - just a minute ago i added a rule that bocks everything and placed it in the bottom of the global ruleset… It simply cut out my connection… Why?


an outgoing packet is being filtered app rules → global rules.
incoming packet is being filtered global rules → app rules.

something is wrong with my CFP… global block blocks EVERYTHING. even the traffic that was previously allowed by app rules.

EDIT2 do you have the ONLY rule to block everything?.. or do you have also some allow rules?

The Global rules are applied first on unsolicited incoming packets, that is, on packets that are not replies to outgoing requests. So, what you want is to block all of these (just like the Windows Firewall does!) except for allowing any necessary exceptions. Web browsing is not a problem here, since that always starts on my system and related incoming packets are expected; the application rules are applied first here.

As noted in my earlier post, I allow one exception in the global rules for unsolicited incoming ICMP 11 packets; this allows tracert (traceroute) to work properly.

Burillo: what was your global rule that “blocked everything”? I repeat mine here:
“Block and Log IP In from Any To Any Where Protocol is Any”
This rule is last in the Global list, as it was by default when I installed CFP3 a week or two ago.

I did not have any of these global rules by default on install - I wonder if it is because I chose the option to notify on incoming connection attempts instead of blocking while installing CPF (there is a dialogue asking if you frequently use P2P software on the setup wizard when installing).
I have just installed the new version ( and it has set up exactly the same way eg. the only global rule is “Block ICMP from IP any to IP any where ICMP message is ECHO REQUEST” so from this I gather that this must be the correct setup for global rules when using P2P software on your PC (I hope).
PS when leak testing using this setup CPF V3 has so far passed all the tests I’ve tried.

The global rule described by pudelin(same as mine) will block anything that your computer has not asked for,if you open an application and it connects to the net that line of data is then open and traffic can flow either way(only traffic relating to that application) anything not asked for will be stoped by global rules.If the line is broken i.e. the application is closed traffic from outside is halted at global rules.

Its a bit like bouncers on the door at a night club being told, only allow people through wearing green because there on the list and are expected, and they know people in green are from a place thats been asked to attend.Anyone else your not coming in >:( you haven`t been asked for.When the clubs full (application stoped) the doors are shut.

Sorry for the analogy i know its lame regards Matty :■■■■

OK i got it now :-))) thanx)))

Ok I’m giving this global block rule a try (with an allow rule for uTorrent port of course) and so far so good…strange that this rule was not there by default on install though - I’ve installed on 4 PC’s so far and none of them have had this rule (block IP in from any to any where protocol is any) included by default.

well firewall blocks unsolicited traffic automatically. If you place the rule - it will block. If you don’t - the firewall will keep adding to it’s “blocked intrusion attempts”.

Found the answer as to why some of us have different global rules than others by default - it was to do with the initial setup wizard. The info was under the stealth ports wizard help, instead of global rules help.
The ECHO REQUEST rule is the correct rule if you use P2P software - and the Block any incoming from any to any if protocol is any rule if you don’t use P2P.
Check out the help info in the screen shot fom the help for the stealth ports wizard and the global rules it applies…

[attachment deleted by admin]

lobster, to specifically answer your question…

uTorrent is working, but probably not optimally. Your light probably stays yellow as opposed to turning green. This doesn’t make uTorrent not work, just not “share” as much which gives you the low id, and probably slower downloads (as you’re not contributing as much as possible).

Global rules are like the old Network Rules… they help to shape the traffic that you want to be allowed or denied. For incoming packets, the Global rules are checked first. If nothing is in the global list to permit the traffic, it is stopped.

Realistically, unless you are serving content… like hosting your own web-page, or a game server… or or on a network where you want to share files/printers and such… you don’t need incoming rules.

When we browse the internet, or download a file… we make the request, hence an outbound communication that comodo will allow the response to come back… allowing the file to be downloaded, or web page to be displayed.

Ummm…no, the incoming connection indicator on my uTorrent is always green and my up and downloads are practically using all my available bandwidth (256Kb/s d/l 128kb/s upload). I’ve been using torrents for quite a long time and understand when things are not configured correctly - I definitely would know if I was unable to accept incoming connections. That is what was puzzeling me! First off when I configured CFP I added a global rule to allow incoming connections from any IP to my IP from any port to my uTorrent port, but after checking into it a bit more I found that I could still recieve incoming connections (i.e my uTorrent port was opened and forwarded correctly) even without any global rules except for the default one mentioned in my first post (Block and log ICMP from any IP to any IP where ICMP message is ECHO REQUEST).
As I pointed out in my last post - it seems that this is actually the correct setup by default on a system which uses P2P software (different to the configuration in V2.4) as this is the global rule added by the setup wizard and stealth ports wizard (alert me to incoming connections - stealth my ports on a per case basis) + everything works as it should and it passes all the firewall leak tests I’ve thrown at it!

[attachment deleted by admin]

Ah ha… well that’s why everything seems to work!

Your block rule is next to useless… it only blocks ICMP In.

My block rule states… Block IP In from IP Any to IP Any Where Protocol is Any.

Put that rule on the bottom of your list, and suddenly you will need to “poke holes” by adding port specific rules above it.

Your rule basically allows any and every incoming communication, except for ICMP (which i think is basically a Ping).

Take a look at my rules… I use 2 [LAN] rules as I am on a home network, but notice the Utorrent rule above the Block All Rule. Good stuff!!

[attachment deleted by admin]

But this is the DEFAULT setup!!! And it passes all leak tests I have tried! If this is not a secure setup then why is it configured this way out of the box? ???

I think you made a choice in your installation… the choice was “Do you want to allow incoming communication?” and you said yes… hence your global rules doesn’t block them.

As far as I know… Leak tests are outbound activities… like hijacking your browser… nothing to do with incoming network rules.

Yes I did make that choice during installation (as I said in an earlier post), are you saying that the setup that results from clicking on this selection during install is insecure and should be modified from the default?

I don’t believe that it would be insecure. You have to remember that the total rule is the network (global) rule + the application rule.

So you shaped you network to always allow inbound, but your application rules still need to be honored… and only the ones allowing inbound will result in something being delivered.

What I’m trying to say is… each “mode” has it’s place. The mode you chose (because it was the easiest to allow uTorrent) has a net affect that you aren’t expecting.

If you want full control of your incoming traffic, you cannot use “easy incoming” mode; therefore, should change your block rule to more match mine. Then the firewall behavior you are expecting/comfortable with will reveal itself.