How to define rules for Firefox

Hello All!

I am trying to lock down an internet workstation here in the office; basically we want to limit the access to certain websites using Firefox – no other activities such as FTP, YM, Skype, etc. will be allowed.

It seems that CFP 3.0 can’t seem to recognize Firefox properly; any access I make using Firefox gets lumped into the “System Idle Process”. While there is a workaround for this (i.e. just apply the rules to System Idle Process), I find it inconvenient, especially if I would like to enable other apps (which may be lumped into the System Idle Process again).

Can anyone suggest a better way? The other firewall packages seem to detect Firefox better (no malice intended, just stating a fact (:AGL)

Thanks!

Dunno, my Firefox is detecting OK… maybe you should try manually adding Firefox to the rules list… Or maybe you are using a localhost proxy? (like Proxomitron or whatever)

Hi badkuk, welcome to the forums.

Would you mind explaining why you believe System Idle Processes are linked to Firefox rules?

Also, what rules do you have for Firefox? There is a predefined rule for web browsers.

To badkuk,

Hmm, I just installed Firefox yesterday. The first pop-up allows you to set it: treat application as a Web Browser and tick the remember me box; on the second alert box I ticked treat application as install/updater with the remember me box ticked again.

So Firefox for me allows downloads, but any site that has a cam it blocks and logs as an intrusion in the firewall event log. Not sure what else it will block, but I’m still learning about the security policies lol. Basically, set as a web browser, Firefox blocks certain types of connections, video and maybe some audio too, which might be what you’re after with Skype; the others I’m not sure. But choose the web browser policy for a web browser; it should have 4 custom allow rule boxes, each of which you can edit to how you want, and the 5th is a block all IP rule.

Sorry if that ain’t much help, I’m still learning myself ;D

  1. Are you using a virus scanner or other software that acts as a proxy for HTTP? Firefox should be generating pop-ups as mentioned above if you have it set up to directly access the internet.
  2. As you probably have seen, in Comodo you can set up a zone consisting of the IP addresses of the sites you want to allow, allow the capabilities you want Firefox to have, block other programs and Firefox capabilities, and then password protect the settings.
  3. If you edit the Web Browser defaults mentioned above to log the actions and remove DNS and FTP, restrict HTTP to your approved zone, and assign them to Firefox, you can start to get a feel for how to use Comodo to support you.

https://forums.comodo.com/help_for_v3/how_to_i_allow_the_accuradio_plugin_in_firefox_to_play_music-t17291.0.html;msg118501

This is a ■■■■ good post and guide by AnotherOne; I found it helped me understand how to create my own set of rules I needed for Firefox for a cam site, and it worked ;D

By the same token, following that guy’s guide as an example for Firefox, you can create separate and additional policies for Firefox, such as one to block all incoming/outgoing connections from FTP, YM, Skype, etc.

Which is exactly what you asked and wanted :wink:

Agreed - it’s a ■■■■ good post by AnotherOne and clearly lays out the easy way to troubleshoot connection issues - check the logs, read and interpret the blockage and create a rule that allows that which is blocked. Using this same method, you can clear up most, if not all, connection hiccups.

Great post AnotherOne! Keep it up!

Ewen :slight_smile:

Yeah, all his fault, blame him (:AGY) he’s turned me into a Freak (:AGY)
https://forums.comodo.com/help_for_v3/shareaza-t17398.0.html ← :o

lmao… ;D

If you get a chance, would you like to look at that umm block rule I created for Shareaza? I know what I was trying to do, but am still testing it out lol :smiley:

Looks OK Ron, clever use of the EXCLUDE function in a block rule to allow a single access port. You’re getting the hang of it. :wink:

One caveat though: your block rule blocks all ports from 1057 - 65535, with the exception of the Shareaza port. This modified block rule should be the second last rule, just above the catch-all block rule. This is in case you have any other valid applications (like Skype) that accept incoming unsolicited connections. Your modified block rule would kill the incoming connection, even if it was legit. Of course you would need to have a valid ALLOW rule somewhere further up the list to allow the connection.

Ewen :slight_smile:

Thanks.

That block rule I made for Shareaza doesn’t quite work right :-\ a bit too complex. It didn’t seem to bother Shareaza though; it was still downloading and performing searches while I was trying out that block rule stuff lol. I’ll leave it as it is and try it with another app probably hehe.

And thanks for mentioning that above stuff. I was trying to figure out what you meant, then I went back to that Shareaza guide and moved that new allow rule to in between the custom allow rule and the standard block rule; no more alerts now ;D It’s strange that the order of the rules, even if they don’t seem to have any linear logical order to them, can cause block & log intrusion events or none at all. Weird some 8)

I’ll stick with the simple rules for now and follow any more posts AnotherOne makes about creating them lol

Hmm. BTW, that block rule I made and tried was just for Shareaza; I would have thought no other app would be affected, unless it was a block rule I made in the global rules.
I could be wrong, I don’t know, but doesn’t any network custom policy rule for any app apply to and affect only that app and no other application?

I will probably try that block with exceptions rule I made with Shareaza as the test subject haha, and see if it affects any other app or closes off those ports to them.

For now though I will just try to learn as much as I can (B)

I just assumed that you were talking about a network rule, not an application rule, as you hadn’t mentioned the .EXE file’s name. If it’s concerning an inbound, unsolicited request (like a Shareaza peer contacting you for a download), then there simply must be a network rule somewhere to allow the request in. This is because inbound requests are first checked against the network rules and, only if they satisfy one of the rules, then checked against the application rules before a route between the source and destination is permitted.
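The two points made above (Ewen’s advice that the modified block rule belongs second last, below any ALLOW rules it must not shadow, and panic’s note that inbound requests pass the network rules before the application rules) as a small added model of top-down, first-match rule evaluation; this is illustration code written for this thread, not part of CFP, and the Skype port and rule sets are constructed values:

```python
def rule(action, direction, low, high, exclude=()):
    """A rule matching one direction and an inclusive destination-port range,
    minus any ports listed in `exclude` (the EXCLUDE carve-out)."""
    return {"action": action, "direction": direction,
            "ports": (low, high), "exclude": set(exclude)}

def matches(r, direction, port):
    low, high = r["ports"]
    return (r["direction"] == direction and low <= port <= high
            and port not in r["exclude"])

def evaluate(rules, direction, port):
    """First matching rule wins, top to bottom; no match means the firewall alerts."""
    for r in rules:
        if matches(r, direction, port):
            return r["action"]
    return "ask"

def decide_inbound(global_rules, app_rules, port):
    """Inbound traffic is checked against the global (network) rules first and
    reaches the application's own rules only if a global rule allows it."""
    if evaluate(global_rules, "in", port) != "allow":
        return "block"
    return evaluate(app_rules, "in", port)

# Constructed rules: Shareaza listens on 6346; the Skype port is a made-up value.
SHAREAZA_PORT, SKYPE_PORT = 6346, 40000
allow_shareaza = rule("allow", "in", SHAREAZA_PORT, SHAREAZA_PORT)
allow_skype = rule("allow", "in", SKYPE_PORT, SKYPE_PORT)
# Ron's rule: block every high port except the Shareaza port.
block_high_except_shareaza = rule("block", "in", 1057, 65535, exclude=[SHAREAZA_PORT])
catch_all_block = rule("block", "in", 0, 65535)

# Broad block above Skype's allow: Skype's inbound call is killed.
misordered = [allow_shareaza, block_high_except_shareaza, allow_skype, catch_all_block]
# Ewen's order: allows first, the modified block second last, catch-all last.
ordered = [allow_shareaza, allow_skype, block_high_except_shareaza, catch_all_block]

def demo():
    return {
        "skype_misordered": evaluate(misordered, "in", SKYPE_PORT),
        "skype_ordered": evaluate(ordered, "in", SKYPE_PORT),
        # EXCLUDE only keeps 6346 out of the block rule; without an allow above
        # it the port falls through to the catch-all and is blocked anyway
        "shareaza_no_allow": evaluate([block_high_except_shareaza, catch_all_block], "in", SHAREAZA_PORT),
        # no global rule admits 6346, so the app-level allow is never consulted
        "inbound_no_global": decide_inbound([catch_all_block], ordered, SHAREAZA_PORT),
        "inbound_with_global": decide_inbound([allow_shareaza, catch_all_block], ordered, SHAREAZA_PORT),
    }
```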

Hey panic,

Yeah, I meant for just an application, Shareaza.exe, in Network Security Policy.
The reason I tried to tinker with the custom rules for it, after setting it how Shareaza’s site says to set it for Comodo, is that a lot of connections seem to get blocked; for instance, it seems anyone not using port 6346 on Shareaza I can’t download from, and that’s with the custom policy that Shareaza’s site itself says to use with Comodo Firewall.

I’m sure there is a way around that, I just can’t figure out what it is lol. BTW, what’s the purpose of setting a custom rule for Shareaza in the firewall? Just wondering, because Shareaza has custom settings too and is already set to only use port 6346.

I have a lot to learn just to understand the basics of networking and custom policy rules I think :frowning: