Is it safe to add rules on the Global Rules Tab?

Hi, I’ve been looking for quite a while on how to open NAT for games like MW2/3, and I read in some post that incoming connections first go through Global Rules, so I added the game on the Application Rules as safe and then in Global Rules allowed the incoming connection as UDP. This change made it possible to get my NAT open in-game, but I’m not entirely sure if it’s safe to leave that rule on the Global Rules tab. I don’t have much experience on this, but I can do my best to bring any other information needed to make my case clearer.
Thanks

First thing I should ask is, are you connected to a router? In my experience the router and/or modem will be a bigger factor when trying to open your NAT.

Yes, I am. I forwarded some ports allowing direct connection for the games, and in theory everything should be working properly. The thing is that I then noticed that even when adding the game as safe in the Application Rules tab it didn’t work, and by far that was the only way of getting it to work without having the firewall completely disabled.

Can you post your firewall events (logs)?


http://img266.imageshack.us/img266/8255/logsv.jpg

What I did to solve the problem was to allow that IP to connect. I believe there should be a better way to get it working.

The rule in Global Rules is needed as incoming traffic first goes through global rules before it goes to application rules.

Strictly speaking, opening a port reduces your security level somewhat. But in practice that is not a problem. I have often had ports open for file sharing without having had a problem with it.

So for example the game uses the following ports:
- Ports 3074, 3078, 4079, 4380 as UDP and TCP
- Ports from 27000-27050 as UDP and TCP
Do I need to open those ports in Global Rules too?

You need to open them in Global Rules too.

Is that safe? Does it leave those ports permanently open?

I am quoting my reply in another topic of yours:

If you have Global Rules set to Stealth (with the block rule at the bottom), then simply move the rule for the open ports to a place somewhere below the block rule when not using the program that needs the open ports.
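The ordering advice above, together with the port list from the earlier question, can be checked with a small first-match evaluator. This is an added example, not code from the thread or from Comodo: it assumes a simplified rule model (direction, protocol, destination port, first matching rule wins, unmatched inbound traffic silently dropped) and uses constructed packet samples and rule names. Stateful matching of replies to outbound connections is not modelled, so every inbound packet here counts as unsolicited.

```python
"""Toy first-match evaluator for a Global Rules list (added example, not from
the thread or from Comodo). It shows why the same allow rules expose the game
ports when placed above the final 'block all inbound' rule and expose nothing
when parked below it. Port numbers are the ones quoted in the thread; packets
and rule names are constructed for the example."""

from dataclasses import dataclass
from typing import List, Optional, Tuple

PortSpec = Tuple[int, int]  # inclusive (low, high) destination-port range


@dataclass(frozen=True)
class Rule:
    action: str                          # "allow" or "block"
    direction: str                       # "in" or "out"
    proto: str                           # "tcp", "udp" or "any"
    dst_ports: Optional[List[PortSpec]]  # None means any destination port
    name: str


@dataclass(frozen=True)
class Packet:
    direction: str
    proto: str
    dst_port: int


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Direction and protocol must match; port must fall in one of the ranges."""
    if rule.direction != pkt.direction:
        return False
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.dst_ports is None:
        return True
    return any(lo <= pkt.dst_port <= hi for lo, hi in rule.dst_ports)


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Walk the list top to bottom; the first matching rule decides.
    Unmatched inbound traffic is dropped, as the thread says is the default."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action, rule.name
    return "block", "implicit default"


# Ports quoted in the thread for the game (assumed correct as quoted).
GAME_PORTS: List[PortSpec] = [
    (3074, 3074), (3078, 3078), (4079, 4079), (4380, 4380), (27000, 27050),
]


def game_allow_rules() -> List[Rule]:
    return [Rule("allow", "in", proto, GAME_PORTS, f"game {proto} in")
            for proto in ("udp", "tcp")]


# The stealth rule: block every unsolicited inbound packet, any protocol/port.
STEALTH_BLOCK = Rule("block", "in", "any", None, "block all unsolicited inbound (stealth)")


def ruleset(game_enabled: bool) -> List[Rule]:
    """Game rules above the block rule (in use) or parked below it (not in use),
    which is the arrangement the reply suggests."""
    game = game_allow_rules()
    return game + [STEALTH_BLOCK] if game_enabled else [STEALTH_BLOCK] + game


def exposed_ports(rules: List[Rule], proto: str, candidates: range) -> List[int]:
    """Candidate ports an unsolicited inbound packet would actually reach."""
    return [p for p in candidates
            if evaluate(rules, Packet("in", proto, p))[0] == "allow"]


if __name__ == "__main__":
    samples = [Packet("in", "udp", 3074), Packet("in", "tcp", 27010),
               Packet("in", "udp", 27051), Packet("in", "tcp", 445)]
    for enabled in (True, False):
        rs = ruleset(enabled)
        print("game rules above block rule:" if enabled
              else "game rules parked below block rule:")
        for pkt in samples:
            print("  ", pkt, "->", evaluate(rs, pkt))
        print("   exposed udp ports in 3000-4500:",
              exposed_ports(rs, "udp", range(3000, 4501)))
```

Running it shows that with the rules above the block rule exactly the quoted ports are reachable (3074, 3078, 4079, 4380 and 27000 to 27050, and nothing else, 445 included), while parking the same rules below the block rule leaves no port reachable because the block rule matches first and evaluation stops there.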

Ok, thanks

FWIW, here be my global rules:

Allow ICMP in from in [modem] to in [NIC] where ICMP message equals ECHO REQUEST
Allow ICMP in from MAC any to in [NIC] where ICMP message equals TIME EXCEEDED
Allow ICMP in from MAC any to in [NIC] where ICMP message equals 11.1
Allow ICMP in from MAC any to in [NIC] where ICMP message equals FRAGMENTATION NEEDED
block ICMP in from not in [modem] to MAC any where ICMP message equals ANY
Allow ICMP out from in [NIC] to in [modem] where ICMP message equals PORT UNREACHABLE
Allow ICMP out from in [NIC] to in [DNS] where ICMP message equals PORT UNREACHABLE
Allow ICMP out from in [NIC] to in [co.uk - CIS agent (TCP / UDP) ] where ICMP message equals PORT UNREACHABLE
Allow ICMP out from in [NIC] to in [FortressITX - CIS agent (TCP / UDP) ] where ICMP message equals PORT UNREACHABLE
Allow ICMP out from in [NIC] to in [comodo.com - CIS agent (TCP / UDP) ] where ICMP message equals PORT UNREACHABLE
Allow ICMP out from in [NIC] to in [modem] where ICMP message equals ECHO REPLY
Allow ICMP out from in [NIC] to in [modem] where ICMP message equals FRAGMENTATION NEED
Block and log ICMP out from MAC any to MAC any where ICMP message is any

By default CIS blocks all unsolicited inbound traffic silently. All outbound traffic is generated by applications and will be blocked unless specifically allowed.

Unsolicited access to system resources will generate log entries though. The first thing that’ll squawk is either SYSTEM or WINDOWS OPERATING SYSTEM (I believe it’s the former). That’s the gate-keeper to all system resources.

You’ll need to set up the rules necessary to establish a preliminary connection into your system. Once communication has been established between the cloud and the system gatekeeper, connection attempts will subsequently be made to specific system resources, e.g., applications and files/folders.

It’s like having a visitor buzzing your door. You can choose to answer on the intercom “who is it” or not. This is the initial inbound connection. Once you buzz them into the building, then they want to go to a specific door. These are the apps. Specific inbound port connections most likely will be at the app level.