Loopback filtering breaks when removing loppback zone [M2435]

I noticed a problem with the firewall - IPv4 loopback traffic is not filtered (for IPv6 seems to work well).

This is the serious security hole in case of a firewall rules that determine the access of particular processes to specific (by port numbers) local services listening on
I need it and for this reason I am still staying with version, where it works as it should.

The fastest way to test this case:

  1. Set the firewall settings: Custom Ruleset, Show popup alerts, Create rules for safe apps, Set alert freq level: Very High, Filter IPv6 traffic, Filter loopback traffic.
  2. Type in terminal:
    ping (no popup alert but should be)
    ping ::1 (with IPv6 ok, popup alert appears)
  3. Create a firewall rule for ping.exe with Ruleset “Blocked Application”
  4. Type in terminal and compare two results:
    ping (the rule does not work)
    ping ::1 (here is ok)

Works for me, I get alerts for both IPv4 and IPv6 ICMP requests and if I set an application rule for ping.exe to block, then ping to both IP addresses fail.

I found an additional dependency. Try to delete Loopback Zone from Network Zones and even if you re-create it identically - loopback filtering for IPv4 will no longer work.

This could be a wider problem in which Network Zones editing induces firewall destruction.

Interesting find yes, if the default loopback network zone is removed connections to loopback IPv4 are allowed.

Please, can you talk us an easy way to test if this happen in my actual configuration?

I don’t remember if I have removed or changed the loopback default… How I can check if it is working well or not?

Try it: https://forums.comodo.com/news-announcements-feedback-cis/comodo-internet-security-2020-v12227036-released-t125668.0.html;msg897572#msg897572

How long tried I today to solve the problem of TimeOut! :-[ That was the problem.

But what I don’t understand is, why didn’t I have never problems of malicious software. Is it luck? Or does comodo (as from futuretech, I think, discussed) pretend before firewall could be destructed (not finding an intruder, but prevent it). I’m very keen of having a protected PC.

Well, I have tested following your instructions. Resume about ping.exe:

1º Rule allowed only loopback zone. Ok. ::1 Blocked, no alert.

2º Rule Ping to ask me: Alert ask me for both address test to allowed it or no.

3º Rule ping Blocked. Both address were blocked, no alert.

So for me CIS is working as expected.

I don’t get at all your test… what is wrong that a process/app connect in your loopback zone? Maybe because you are using local ports dedicated to specific app?

If it is the case, you cannot make a rule by app for to loopback zone to specific port allowed or blocked?

I couldn’t find the error when I also tested ping, it didn’t work as I tried with the supplied settings.

Now that I made the new update, I can confirm it: CIS works, ping works as I want it to, with the included settings (which it didn’t before the new update for 7036) and also according to my own settings. So, the CIS world is okay again, for me.

Split posts from the release topic to create bug report topic, issue is logged in bug tracker as bug 2435.

Hello bazolo,

Thank you for reporting.
Reported to dev team for further analysis of the issue and they are working in it.Once resolved,let me inform you.

Kind Regards,

Hello bazolo & futuretech & Nilhar & prodex,

As per dev team the reported bug (Loop-back filter) issue is fixed and it will be reflect in the upcoming release.
Have a nice day!

Should be fixed in