My understanding of the order of processing rules is:
- Incoming Connections
1- Network monitor applies filtering if success it passes to application monitor
2- Application monitor checks the target application, if allowed passes to
3- Advanced security analysis monitor(component monitor + application behavior analysis)
- Outgoing connections
1- Application monitor
2- Advanced security monitor
3- Network monitor
However, that does not make sense in light of something I am experiencing:
I use bittorrent and 3 of the external ips have triggered the “ACK FIN RST is an invalid TCP flag combination” on Incoming connection and blocked that connection according to alerts.
I subsequently made 3 network rules to block all incoming/outgoing TCP/UDP packets for any source or dest ports and for source ip used respectively the identified external IP. Restarted Comodo.
Rules are in place by it is still being blocked by the invalid TCP flag rule rather than the network rule that I created.
As such there seems to be some ‘rules’ applied on incoming connections prior to the processing of network rules then application rules then advanced rules.
Further background: I have two nics, one has 3 VLANs on it the other is the local network which has several IP addresses on it multihomed, none related to the VLANs obviously.
Could someone please expand on what exactly these would be? Or is there something buggy?
Also is there a way to do one or all of the following in this or new beta etc:
- Select and copy information from the activity - log - details area
- Select a log alert and create a rule based on that log automatically to block the IP Address?
- Somehow create a rule that will automatically put the external ip address into some block list if it shows up with defined hacking activity eg: Invalid TCP flag rules? And subsequently be able to view a list of banned ip’s which includes info such as whois info, then select to unban, ban network range etc.
Thanks for your help