Comodo Firewall applies rules on a per-packet basis and applies the first rule that matches that packet type to be filtered (see Understanding Network Control Rules for more information). If there are a number of rules in the list relating to a packet type, then the one nearer the top of the list is applied.
Essentially, Application and global rules are read from the top down.
If 2 rules contradict, only the one closer to the top of the application will take effect. The other rule is completely nullified.
If 2 rules contradict, the one closer to the top of the application takes full effect. The other one still takes effect, but only insofar as it doesn’t contradict the top one.
In this example (as in any example) the first rule that satisfies the outbound request is used and any subsequent rules are never implemented. Therefore, the application in question would be allowed outbound access to the single IP address.
Because the first applicable rule is applied to the application's request, the application's request has been satisfied and there is therefore no need to check further if there is a second or even a third rule for that application.
Regardless of whether they are ALLOW or BLOCK rules, whichever rule meets the app's request that is closest to the top of the rules list is used to the exclusion of any subsequent rules.
Thanks. That was very helpful information. I don’t suppose there’s a way to exclude all IPs connecting in except, say, 20 IPs? I was hoping that contradictory rules worked in a different way so I could do that, but it looks like I can’t.
Right now, if I add the 20 IPs as allowed IPs, Comodo will still ask me if I want to allow other IPs that try to connect in, and if I check the box to remember my decision, Comodo decides to make a contradictory rule to block all IPs, when in fact I still want 20 exceptions.
If I try to make an “exclude” rule that denies everything except the 20 IPs, I can only exclude an IP or an IP range, but not 20 individual IPs. At the same time, if I make 20 different exclude rules, only the first one will take effect.
Is there a way for me to allow 20 IPs to connect in, exclude all other IPs, and never have to be asked about it again?
Same thing, create a Network zone that contains the IP addresses you wish to allow, create a Global rule that uses the network zone you’ve created, directly followed by another rule that blocks everything else.
I want to thank everyone who replied. Creating a network zone allowed me to do what I wanted to do. I never realized Comodo Firewall was capable of such power.
But the process of creating a network zone brings up another question: normally, when Comodo detects a network zone, you get a popup notification with two check boxes (I think the first one allows you to choose whether other computers on the network can access your computer, and the second one allows you to choose whether to be notified when Comodo detects more networks). How exactly can I change these settings for networks that I create myself? There is no such popup because the network wasn’t detected.
The alert dialogue you’re referring to (image) appears when CIS detects a new network connection and, if allowed, creates a zone with the address space of the new connection. In other words, your PC has to be physically connected to a network with an unknown address range for the alert to occur.
Sorry? What do you mean by “creates a zone with the address space of the new connection”? I want to define a set of IP addresses with the restriction of the first checkbox that you showed in your screenshot, because while I want to allow incoming connections for certain purposes, I also wish to restrict it (e.g. not allow file sharing). What does it mean to be fully accessible to other PCs in the network, and is there any way I can set this for network zones that I make myself?
Any given IP address belongs to a network, which can be identified by its subnet mask. For example, let’s say you’re behind a router and your LAN is using one of the reserved IP address blocks provided for private networks, e.g. 192.168.1.0/255.255.255.0. When you install CIS, it detects the IP address of the PC as 192.168.1.25 with a subnet mask of 255.255.255.0, so it creates a Network Zone, identified by whatever name you choose to use, say LAN, with the IP address and mask mentioned above. The address space, in this context, identifies all of the addresses within your subnet, which is:
192.168.1.(any number between 1 and 254)
The reason for this is that the subnet mask tells us which part of the IP address is the network and which part is an address of a device on that network. In this case 192.168.1 is the network identifier.
I want to define a set of IP addresses with the restriction of the first checkbox that you showed in your screenshot, because while I want to allow incoming connections for certain purposes, I also wish to restrict it (e.g. not allow file sharing).
That’s not how this dialogue works. To achieve your goal, create a Network zone and add the IP addresses you wish to allow. Once done you can use the newly created zone as part of an Application or Global rule. For example, to allow connections to be made to IP addresses identified by your zone and to be blocked elsewhere, you could create a Global rule:
Action - Allow
Protocol - TCP
Direction Out
Source Address - ANY
Destination Address - Your Network zone
Source Port - ANY
Destination Port - ANY
Follow this with another rule:
Action - Block
Protocol - TCP
Direction Out
Source Address - ANY
Destination Address - ANY
Source Port - ANY
Destination Port - ANY
Obviously, you can modify the details to suit your particular requirements.
What does it mean to be fully accessible to other PCs in the network
Checking this box basically configures the firewall to allow file and printer sharing on Microsoft networks. It does this by creating two Application rules for the System process and two Global rules (images). The rules simply allow IP in and out, from and to, devices on your network. Using the above example, that would be any device with an IP address between 192.168.1.1 and 192.168.1.254 with a subnet mask of 255.255.255.0.
and is there any way I can set this for network zones that I make myself?
It’s not designed for that purpose. If you wish to use your own Network zones, you will need to incorporate them in the rules you create.
So basically the network zones that aren’t detected (the ones that I create myself) have no effect no matter what IPs I add to the zone until I make either an application rule or a global rule that uses the zone, correct?
By the way, the two example global rules you provided in your post (not the screenshots) seem to contradict. How can they exist together and both work?
And is there a way to specify that I would like those 20 IPs in a network zone to be allowed for one application only and blocked for all other applications? There is no “all applications except”, and I can’t simply make a rule for every application because new ones ask for Internet access all the time.
Correct - defining a zone is just building a thing. Using that zone in a rule is actually doing something with the thing you have built.
By the way, the two example global rules you provided in your post (not the screenshots) seem to contradict. How can they exist together and both work?
Easily explained … the first one
Action - Allow
Protocol - TCP
Direction Out
Source Address - ANY
Destination Address - Your Network zone
Source Port - ANY
Destination Port - ANY
ALLOWs outbound access to specific IP addresses, whereas the second one
Action - Block
Protocol - TCP
Direction Out
Source Address - ANY
Destination Address - ANY
Source Port - ANY
Destination Port - ANY
BLOCKs outbound access to all IP addresses.
Providing you place these rules IN THIS ORDER, the following will happen:
When you attempt access to a site that is not in the defined network zone, CIS will apply the first rule and it will fail as the requested site is not in the named zone. It will then apply the second rule and, as you’re attempting to access ANY IP address this rule “fits” so the access will be blocked.
If, on the other hand, you attempt to access a site that is in the defined zone, CIS will apply the first rule and it will succeed as the requested site is in the named zone. Since the requested IP address is in the defined zone, the rule succeeds and the outbound access is allowed. As a rule has been satisfied, CIS stops looking at the rule list and it will never get to the second rule.
For rules explicit to individual processes, Application rules must be used. There are a couple of ways to achieve what you need. In either case, you should be running the firewall in Custom Policy mode. Consideration should also be given to increasing the Alert Frequency Level.
The first option is the easiest, but would not be my preferred way of doing things. Essentially, in this method you’ll create a rule for the process that needs to be allowed to access the defined IP addresses, directly followed by another rule for the All Applications Pre Defined policy.
When creating these rules, remember that rules are processed from the top down.
The first rule is virtually identical to the Global rule I created earlier, the main difference being the association of an individual process with the rule. For this example we’ll use firefox.
Application Name: firefox.exe
Action - Allow
Protocol - TCP
Direction Out
Source Address - ANY
Destination Address - Your Network zone
Source Port - ANY
Destination Port - ANY
Followed by the rule that will prevent any other process accessing IP addresses in your defined zone:
Application Name: All Applications (see image)
Action - Block
Protocol - TCP
Direction Out
Source Address - ANY
Destination Address - Your Network Zone
Source Port - ANY
Destination Port - ANY
These two rules would be placed first in the Application rules section of the firewall, all other rules would be placed below the ‘All Applications’ rule. As before, these are very basic examples that you will need to modify to suit your specific requirements.
The second way of meeting your requirements will be by creating rules for every application. This obviously requires a little more effort but also provides greater control. In this scenario, it won’t matter in which order the rules are placed in Application rules, as each is self-contained. It’s also important to make sure the ‘Alert frequency settings’ are increased, otherwise it’s possible that a generic allow rule may be created. For this example we’ll use firefox and Internet explorer:
Application Name: firefox.exe
Action - Allow
Protocol - TCP
Direction Out
Source Address - ANY
Destination Address - Your Network zone
Source Port - ANY
Destination Port - 80
Application Name: Internet explorer.exe
Action - Allow
Protocol - TCP
Direction Out
Source Address - ANY
Destination Address - Not in Your Network zone (see image)
Source Port - ANY
Destination Port - 80
Whilst the aforementioned scenario will work, you have to ensure the rule is applied to whichever ports are being used for the connection. For example, if the web site uses port 80 for HTTP and 443 for HTTPS, you will have to make sure the ‘Not in’ rule is applied to both. Alternatively, use a Port Set.
Another way of doing the same thing is by creating an explicit block rule for those processes that shouldn’t be allowed to make the connection:
Application Name: firefox.exe
Action - Allow
Protocol - TCP
Direction Out
Source Address - ANY
Destination Address - Your Network zone
Source Port - ANY
Destination Port - 80
Application Name: Internet explorer.exe
Action - Block
Protocol - TCP
Direction Out
Source Address - ANY
Destination Address - Your Network zone
Source Port - ANY
Destination Port - 80
Application Name: Internet explorer.exe
Action - Allow
Protocol - TCP
Direction Out
Source Address - ANY
Destination Address - ANY
Source Port - ANY
Destination Port - 80
Remember, the order of the individual rules within a given process block is important. For this to work, the block rule must be placed above the allow rule for Internet Explorer.
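As an added illustration of the top-down, first-match behaviour described in this thread (not Comodo's code and not from any poster here), the following Python model walks the third set of Application rules above and shows why the Internet Explorer block must sit above its allow. It also derives the LAN zone's host range from the 192.168.1.0/255.255.255.0 example; the public address 203.0.113.10 is a constructed test value.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed model of CIS first-match rule evaluation (not Comodo's code).
# "Your Network zone" is the LAN example from the thread.
ZONE = ipaddress.ip_network("192.168.1.0/255.255.255.0")

@dataclass
class Rule:
    app: str                        # process name or "All Applications"
    action: str                     # "Allow" or "Block"
    dst_in_zone: Optional[bool]     # True = in zone, False = "Not in" zone, None = ANY
    dst_port: Optional[int] = None  # None = ANY

def matches(rule: Rule, app: str, dst_ip: str, port: int) -> bool:
    if rule.app not in ("All Applications", app):
        return False
    if rule.dst_port is not None and rule.dst_port != port:
        return False
    if rule.dst_in_zone is None:
        return True
    return (ipaddress.ip_address(dst_ip) in ZONE) == rule.dst_in_zone

def decide(rules, app: str, dst_ip: str, port: int = 80) -> str:
    """Walk the list top-down; the first matching rule wins and the rest are
    never consulted. With no match at all CIS would raise an alert ("Ask")."""
    for rule in rules:
        if matches(rule, app, dst_ip, port):
            return rule.action
    return "Ask"

def zone_host_range():
    """Usable device addresses inside the zone (network and broadcast excluded)."""
    hosts = list(ZONE.hosts())
    return str(hosts[0]), str(hosts[-1]), len(hosts)

# Third method from the thread: an explicit IE block placed above its allow.
IE = "Internet explorer.exe"
RULES = [
    Rule("firefox.exe", "Allow", True, 80),
    Rule(IE, "Block", True, 80),   # must sit above the IE allow rule
    Rule(IE, "Allow", None, 80),
]
# Same rules with the IE block and allow swapped: the block becomes unreachable.
SWAPPED = [RULES[0], RULES[2], RULES[1]]

if __name__ == "__main__":
    print(zone_host_range())
    for app, ip in [("firefox.exe", "192.168.1.25"), (IE, "192.168.1.25"), (IE, "203.0.113.10")]:
        print(app, ip, "ordered:", decide(RULES, app, ip), "swapped:", decide(SWAPPED, app, ip))
```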
Thanks. I think panic’s last post perfectly illustrates why I asked about the behavior of seemingly contradictory rules. Based on what panic said, in certain situations, having these “contradictory” rules works because Comodo doesn’t read all the rules at once; instead, it only reads the rules from top to bottom, which gives you a chance to apply some very unique settings.
I think it would help a lot if there were a hint about that in the window.
Because, if you don’t know it, you can make mistakes, even though the rules by themselves would have met the conditions, but not their position.
Also in this case it’s important to mention that new rules are often placed above older ones. EVEN above the block rules. And if now one of the allowed programs would use, for example, IExplorer, while IExplorer is blocked by a rule of its own below, IExplorer would be allowed as “part” of the new program.
To give an example: old Steam used IExplorer. It worked fine even with a block rule for IExplorer! (The question was: “STEAM tries to connect to port 80 etc.” No word about IExplorer. BUT when you blocked Steam from reaching port 80, there was the IExplorer page which tells you what to do to reach unreachable pages.)
Logic would say: never place a new allow rule above older block rules by default. Most people don’t change the positions afterwards.