IP Mask

I’d appreciate any help regarding using IP masks in CIS FW rules. The most urgent problem I have is I need to define a network zone correctly. I’ve gone through few articles but I still don’t get it.

I would like to define that all computers in my network zone has IP 10...* I already tried and and I used it for my FTP server rules but FW keeps giving me pop-ups.

This mask correctly identifies the zone to be 10...*

So there must be some other problem with the implementation of your rules.

Are your Allow rules above any general Block rules? ordering of rules matters.

Are the rules themselves logical?

What are the pop ups specifically asking for?


Thank you for fast reply, BF. There wouldn’t be a problem if I could import my firewall rules from 3.8 https://forums.comodo.com/install_setup_configuration_help/import_only_firewall_rules_from_38_to_clean_39-t39424.0.html

I think I’ve found the cause of the problem. In one of my rules I’ve mixed source and destination port. Basicly I use two rules for my FTP exe which allow all IP from my network zone (LAN) access my FTP on passive port range and on port 21. The same two rules are also in Global Rules. Now I corrected the rules and I’m waiting for someone to access my FTP to test them.

You’re welcome,

Sorry bout the import thing, progress.

Hope that rule change got you sorted.

Can we resolve this one?

Later is 10...* but you could drop three more combinations which may be useful for others :wink: For example the meaning of the following masks I tried to use in the past: (my specific IP followed by a mask)

and few of some others but useful - unlike the two above :slight_smile:

But thank you anyway for your fast reply then!

How about mask means X...* mask means X.X.. mask means X.X.X.* mask means X.X.X.X or a single IP


Like that?


So what’s the difference between
and or ?If you’ve lost your patience towards me, feel free to close the thread :wink:

I hope you don’t mind if I drop this line in the dedicated topic, where I asked the question.

Because they use the same mask and start with the same value in the first octet.

The mask says that the first octet value has to match exactly and the remaining octets value can be any value within the restrictions of 0-255

So the effective network range is the same within all the examples, the end result is the same network.

Am I making sense?


Perfect sense! Thank you again! No more questions for now :slight_smile:

Way cool :slight_smile:


I am struggling with this too:

My network range is to (I only use the last octet for my fixed ip addresses)
In Comodo I have a network zone defined as and the two standard rules that Comodo makes when it detects a network are in the global rules list (at the top!)

Still I am getting pop ups on for example for svchost, dns, System on for example

I wonder why this is, all the internal traffic as defined by the network zone should be allowed right?

Hope you can help me understand because this is driving me nuts for a long time now.

Have you used the wizard to apply that is a trusted zone?

The same rules for the trusted zone should appear for Windows system under Application Rules, as well as in Global Rules.

Is the Firewall in Safe Mode?

Do you mean by the Wizard the auto detected network when Comodo is first installed? Then the answer is yes but I manualy changed the values to afterwards.

The firewall is in Safe mode at the moment because at least the allowed connections are remembered. But I would like to have it in Custom Policy Mode and not be bothered with internal traffic, but be warned when other traffic is going on.

The Global Rules are NOT also in the Application Rules tab.

So you have the Zone defined in My Network Zones.

Run the Stealth Ports Wizard.

And choose the first option to Define a new trusted network.
on the Next page choose the first option
I would like to trust an existing My Network Zone in the drop down menu select the zone.
and Finish.

The appropriate rules should be created.

Ok, I remove all the Application and Global rules and run the wizard. Now there are two app rules called system. But again I get a alert from svchost, lsass from a internal computer.

I also tried something else:

I have added a Application Rule with the following specs:

Action: Allow
Protocol: IP
Direction: Zone (my trusted zone

Source and Destination: (my trusted zone
IP Protocal: Any

This works and it is quiet on the popups, except for and alerts.

I this a save setting, (assuming that all the computer in my own network are trusted)?

Thanks for your time!

Yes those settings are fine.

Just select Allow and remember for the few pop ups from apps that need to access loopback zone 127.etc.

You should be all right from there on.