How Do I: Trust Nothing, Disable Safe-List, Require Permission for All Traffic

How do I configure Comodo firewall to essentially disable the safe-list and automatic trusting of applications, automatically trust nothing, and make it so that I have to approve all outgoing and incoming communications for each application?

Mainly I don’t want anything to have the ability to communicate via outgoing or incoming methods without my express approval, including any type of safe-list applications or whatever.

What I’ve found gives me good control over network and computer security is setting the security level for all Comodo components to ‘safe’.

Firewall settings
uncheck ‘create rules for safe applications’.
Keep alert on screen for 999 seconds

Alert settings: high
Uncheck ‘computer is ICS computer’
uncheck ‘monitor NDIS protocol other than TCP/UDP’
all other options are checked

Defense+
Image execution level: normal
detect shellcode injection checked

Keep alert on screen for 999 seconds
Trust applications digitally signed by Trusted Software Vendors (all other options unchecked)

Monitored settings: all items set

sandbox
enabled
all options checked
all alerts enabled
Keep alert on screen for 999 seconds

■■■■ away all items in network security policy
■■■■ away all global rules
■■■■ away all network zones

Create network zones:
local_0 - 0.0.0.0
local_127 - 127.0.0.1
NIC
modem
DNS

add global rules:
allow ICMP in from in [modem] to in [NIC] where ICMP message is ECHO REQUEST
allow ICMP in from IP any to in [NIC] where ICMP message is FRAG NEEDED
block ICMP in from not in [modem] to IP any where ICMP message is any
allow ICMP out from in [NIC] to in [modem] where ICMP message is PORT UNREACHABLE
allow ICMP out from in [NIC] to in [modem] where ICMP message is ECHO REPLY
allow ICMP out from in [NIC] to in [modem] where ICMP message is FRAG NEEDED
block and log ICMP out from IP any to IP any where ICMP message is any

■■■■ away in Defense+:
My Safe File list
Trusted Software Vendor list
Pending list

Read the ‘system & SVCHost thread’ and configure accordingly.

Ensure that access rights for all apps in Defense+ computer security are set to ‘ask’ for every access control method specified.

NOTHING will run on your system and no action will be performed w/out your approval. It may take 15 minutes to launch an app because of the volume of approvals necessary, but you’ll have total control. Once the app is running, each and every action will prompt an alert, e.g., Interprocess Memory Access, Windows/WinEvent Hooks, Device Driver Installations, Process Terminations, Windows Messages, COM interfaces, creation / deletion of files and folders, direct access to monitor, keyboard, HDD (device itself), etc. When I say NOTHING, that means absolutely NOTHING will occur without your approval.

If an app wants to make a network connection, check ‘allow’ and ‘remember this’. A network rule will be created in ‘network security policy’. Change the rule to be ‘ask and log IP in/out source IP any dest IP any IP protocol any’. That should be the last rule for any app in ‘network security policy’. That way if you create a zone for that app, allow the app access to that zone, and a new IP comes up, you’ll get pestered again. Manually put the IP into the proper zone (create a new one if appropriate) and create another rule granting access to that zone. If all that’s needed is adding the new IP to a pre-existing zone (modify a pre-existing range, or create a subnet mask), you won’t have to change the existing firewall ruleset - since you’re maintaining that via zone access. This will allow you to maintain connections to approved IP addresses by app as appropriate. Use of zones makes establishing firewall rules easy in that you don’t always have to specify the same IP address repeatedly, e.g. for the NIC, router, gateway, modem, etc…

Remember to uncheck the ‘remember this’ option for the next network connection attempt by the same app. Only use it to create the initial network security entry, otherwise it puts a universal ‘allow all any’ rule at the top. Rules are interpreted in the order in which they’re encountered - top to bottom - rules you add go at the bottom (drag 'em up), rules Comodo puts in get put at the top.

Find and bookmark on the interwebs a site that does ‘reverse DNS lookup’. This’ll allow you to ascertain the domain name for any IP address; maintain your zones accordingly. As long as you have the rule ‘ask & log’ for any IP protocol that falls through the rule set, you can lookup the connection attempt in the firewall log.

Set the firewall to ‘custom security policy’ and make sure you remove all entries under application rules for network security policy.
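The rule-ordering behaviour the reply describes (first match wins, top to bottom; a zone-scoped allow followed by a final ‘ask and log’ rule; a remembered ‘allow all’ landing at the top), modelled as an added Python example that is not from this thread or from Comodo. The zone addresses, the ‘update_server’ zone and the sample packets are assumed values; the global ICMP rules are the ones listed in the reply.

```python
import ipaddress
from dataclasses import dataclass
# Constructed model of Comodo-style rules: first match wins, top to bottom.
# Zone names follow the post; the addresses are assumed sample values.
ZONES = {
    "NIC": ["192.168.0.10/32"],           # this PC
    "modem": ["192.168.0.1/32"],          # the DSL modem / gateway
    "update_server": ["203.0.113.0/24"],  # per-app zone built from logged IPs
}
@dataclass
class Rule:
    action: str          # "allow", "block" or "ask"
    direction: str       # "in", "out" or "any"
    src: str             # zone name, "any" or "not <zone>"
    dst: str
    proto: str           # "ICMP", "TCP", "UDP" or "IP" (= any protocol)
    detail: str = "any"  # ICMP message type, or "any"
    log: bool = False

def in_zone(ip, spec):
    if spec == "any":
        return True
    negate = spec.startswith("not ")
    nets = ZONES[spec[4:] if negate else spec]
    hit = any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in nets)
    return hit != negate

def evaluate(rules, direction, src, dst, proto, detail="any"):
    # Returns (action, logged, index) of the first matching rule; an unmatched
    # packet falls through to an alert, which is what the "ask" default models.
    for i, r in enumerate(rules):
        if (r.direction in (direction, "any") and r.proto in (proto, "IP")
                and r.detail in (detail, "any")
                and in_zone(src, r.src) and in_zone(dst, r.dst)):
            return r.action, r.log, i
    return "ask", False, None
GLOBAL_ICMP = [  # the post's global rules, in the order given
    Rule("allow", "in", "modem", "NIC", "ICMP", "ECHO REQUEST"),
    Rule("allow", "in", "any", "NIC", "ICMP", "FRAG NEEDED"),
    Rule("block", "in", "not modem", "any", "ICMP"),
    Rule("allow", "out", "NIC", "modem", "ICMP", "PORT UNREACHABLE"),
    Rule("allow", "out", "NIC", "modem", "ICMP", "ECHO REPLY"),
    Rule("allow", "out", "NIC", "modem", "ICMP", "FRAG NEEDED"),
    Rule("block", "out", "any", "any", "ICMP", log=True),
]
APP_RULES = [  # per-app rules as recommended: zone allow, then "ask and log"
    Rule("allow", "out", "NIC", "update_server", "IP"),
    Rule("ask", "any", "any", "any", "IP", log=True),
]
# The pitfall: a remembered alert puts an "allow all" rule above everything.
APP_REMEMBERED = [Rule("allow", "any", "any", "any", "IP")] + APP_RULES
```

Running `evaluate(APP_REMEMBERED, "out", "192.168.0.10", "198.51.100.7", "TCP")` shows the new address silently allowed at index 0, whereas `APP_RULES` sends it to the logged ‘ask’ rule.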

Thanks for that great reply! I will follow these rules, but have a couple of questions:

What’s the purpose of local_0? Should this be your LAN subnet, e.g. 192.168.0.0? (I have four Win7 on my local LAN, all off a switch, DSL modem on same switch)

Should NIC and modem be set to your NIC/modem IP address? Will the zone break if DHCP changes its IP address?

I have not been able to figure out how to control solicited inbound requests. E.g. If I set iexplore.exe as a web browser, a couple of outbound rules are associated with it. I don’t see any rules that define what traffic can come back to iexplore.exe. Does the FW allow any & all traffic to come back to the app?

How do you set up inbound rules for applications you may not trust yet? E.g. if I allow spy.exe to go out to the Internet, how do I control the traffic that comes back to it?

Thanks!