It is NOT possible to make a loopback rule for an application with CPF !!! [SOLVED]

Now I tried it all.

THE REASON IS:

If you make an inbound loopback rule for 127.0.0.1 (or any other IP), this rule will only make sense if you have another rule blocking all the rest (or you will be prompted all the time and the issue is not solved either).

Ok, so far. When my app is now trying to open a port, it doesn’t know about any remote IP, so the IP is 0.0.0.0. And for this reason, the blocking rule applies. BAMM !!

Maybe, if I put 0.0.0.0 for remote, it will work, but then 1. the logic of “remote” as stated in this forum would be wrong and 2. well, this is no IP…

So, must there be a rule only for opening a port? (a 0.0.0.0 rule, lol)

Ok, now I have the solution !!!

If you want to allow a program for INBOUND traffic, but only for a specific one, for example only to and from localhost, then some apps REQUIRE that you have a rule that allows:

INBOUND, IP=0.0.0.0 (!!!), the rest is any or app specific. (+ a rule that allows the WANTED stuff, e.g. 127.0.0.1)

This rule is ONLY to let the app first open the port, this is when you get that “act as server” pop-up.

In the old (not beta) version, if you for example just hit “allow” in such a popup, the rule for this was NOT specific for IP=0.0.0.0, but it had IP=any.
For this reason, this rule MUST interfere with an attempt to create a rule that only lets specific IPs come inbound, for example 127.0.0.1 (=localhost), because this rule will allow ALL IPs, lol.

So, an EXTRA RULE JUST FOR OPENING THE PORT IS NEEDED !! (IP=0.0.0.0)

Hope this helps some of you not to search for hours…

Greetz

FYI, starting from CPF 2.3.3.33, the Security->Advanced->Miscellaneous->Skip loopback TCP/UDP options are there to help you skip loopback traffic globally.

Egemen

Hi,

yes, with the new version, many things are better.

But one thing is a little bit hard to understand when you’re new to such things:

If an application wants to listen to the internet, it can either open a socket for a specific IP or with the wildcard 0.0.0.0.

If I, for example, want to allow a program to start to listen, but I only want to allow a specific IP, then I have to make a rule for 0.0.0.0 and a rule for the specific IP.
If now, with the standard options, the popup comes and says “xy wants to act as server”, e.g. it uses 0.0.0.0, and I hit allow, a rule for all IPs is made.
An option would be nice to allow an app to start listening (get a wildcard socket).

So, there are more situations I can imagine in which this would be hard (I have to first change the popup behavior, then let the prog pop up, then change it back…, or change the rules afterwards…).
So, it would be nice to have an option “advanced” in each popup, where you can state if you want to take the port, or port + IP, or only the protocol, or, or, or.

Then another one: is it right that the rules in the app monitor apply in order from top to bottom? (of course only for each app) → it would be nice if one could change the order, like in the net mon.

And: I looked at Comodo’s reg values; there is a list for the trusted behavior (inject, OLE…), if I got that right. It would be nice if one could have a list of them in the program, because maybe you want to take back an “allow” again. (I think for now I had to delete the app rules and all corresponding dll rules to have the same effect)

greetz
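Added example, not code from the thread, from Comodo or from CPF: the first post (the extra IP=0.0.0.0 rule) and the post above (wildcard socket vs. specific IP) both hinge on what a listening socket knows before any client has connected. The script below binds a real TCP listener both ways and reports the addresses each side sees, then runs a small first-match rule evaluator over the three rule sets the posts describe. The evaluator is an assumption about how a top-to-bottom, first-match firewall would behave, not CPF’s actual engine, and the outside address 203.0.113.9 is a constructed sample.

```python
"""Wildcard vs. specific-IP listeners, and a first-match model of the
inbound rule sets discussed in the thread (added example; the rule
evaluation is a hypothetical model, not CPF's implementation)."""
import socket

ANY = "any"  # stands in for CPF's "IP = any" in a rule


def listen_and_accept(bind_ip):
    """Bind a TCP listener on bind_ip (OS-chosen port), connect to it over
    loopback and return the addresses each side reports.  At listen()
    time there is no peer at all: a wildcard listener knows only 0.0.0.0,
    which is the "remote IP" the posts say the firewall sees when the
    app opens the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_ip, 0))
    srv.listen(1)
    listen_local = srv.getsockname()          # ('0.0.0.0', port) for wildcard
    cli = socket.create_connection(("127.0.0.1", listen_local[1]))
    conn, peer = srv.accept()                 # only now does a peer exist
    info = {
        "listen_local_ip": listen_local[0],
        "accepted_local_ip": conn.getsockname()[0],  # concrete interface IP
        "peer_ip": peer[0],
    }
    for s in (conn, cli, srv):
        s.close()
    return info


def first_match(rules, direction, remote_ip):
    """Rules are (direction, remote_ip, action) tuples evaluated top to
    bottom; the first match wins.  None means no rule matched, which in
    the posts' description results in a pop-up."""
    for rule_dir, rule_ip, action in rules:
        if rule_dir == direction and rule_ip in (ANY, remote_ip):
            return action
    return None


# The three inbound events the posts talk about: the app opening the port
# ("act as server", remote 0.0.0.0), a loopback client, an outside client.
EVENTS = {
    "open_port": ("in", "0.0.0.0"),
    "loopback_client": ("in", "127.0.0.1"),
    "outside_client": ("in", "203.0.113.9"),   # constructed sample address
}

# Loopback-only rule plus block-all: the port can never be opened.
RULES_LOOPBACK_ONLY = [
    ("in", "127.0.0.1", "allow"),
    ("in", ANY, "block"),
]
# The fix from the first post: an extra 0.0.0.0 rule just for opening the port.
RULES_WITH_WILDCARD = [
    ("in", "0.0.0.0", "allow"),
    ("in", "127.0.0.1", "allow"),
    ("in", ANY, "block"),
]
# What hitting "allow" in the old pop-up created: IP = any, so everything gets in.
RULES_FROM_POPUP = [
    ("in", ANY, "allow"),
]


def evaluate(rules):
    """Return {event_name: action} for every event under the given rule set."""
    return {name: first_match(rules, *ev) for name, ev in EVENTS.items()}


if __name__ == "__main__":
    print("wildcard listener  :", listen_and_accept("0.0.0.0"))
    print("loopback listener  :", listen_and_accept("127.0.0.1"))
    for label, rules in (("loopback only", RULES_LOOPBACK_ONLY),
                         ("with 0.0.0.0 rule", RULES_WITH_WILDCARD),
                         ("old pop-up allow", RULES_FROM_POPUP)):
        print(f"{label:19}:", evaluate(rules))
```

The socket half shows why the rule problem exists at all: the wildcard listener reports 0.0.0.0 until a client arrives, and only the accepted connection carries a concrete local and peer address. The rule half shows the three outcomes the posts describe: loopback-only rules block the port from ever opening, adding the 0.0.0.0 rule opens it while still blocking the outside client, and the old pop-up’s IP=any rule lets everything through. On the application side, binding explicitly to 127.0.0.1 instead of 0.0.0.0 avoids the wildcard listen entirely and keeps other interfaces from reaching the port, which is the least-privilege choice when only local clients are expected.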