Network Monitor rules explanation please...

Ok, I don’t have the slightest clue why those rules are there, because they don’t make any sense at all.

The TCP/IP allow rule is completely useless, as TCP/IP is allowed anyway. I also don’t see the reason to block the IP protocol, as it just makes everything worse on all ends.
Plus, what’s the difference between blocking IP (ICMP packets) and blocking just ICMP (any type)?
They look the same to me, and they also do the same job.

Hi Reizor,
Do you mean the rules of the latest beta?

Yes, if we can put it that way. Though they were available in v2.2 too, if I remember, just not set by default.

Is it really so hard to explain Comodo’s decision to use exactly this setup?
Because I don’t have the slightest idea why one would allow ICMP Echo Request and then block IP completely.
It’s just bad for applications. It’s better to remove IP altogether and replace it with a block on inbound ICMP Echo Reply. The firewall remains in stealth mode, while compatibility with programs and performance are heavily improved.
I also don’t understand the reason for the TCP/UDP in/out allow rule, as it’s allowed anyway even if this rule doesn’t exist…

egemen explains some of them here.

Ok, thanks for these two. I still need info for the other ones, because I made my own rules, which are IMO better than the default ones (and much more compatible too), unless it is explained exactly why it is better to use the default ones…

My Rules:

http://img213.imageshack.us/img213/6577/networkrulesed4.png

The first two are known from the description you provided.
The 3rd rule gives you the ability to ping others, while the 4th rule prevents others from pinging you (assuming rules are applied top to bottom, because I don’t understand what they meant in the Help file).
Judging by tests, this provides perfect stealth for global and separate ports while maintaining compatibility with eMule.

Hi guys, first post - I’m liking the new beta.
Still confused about some of these rules though!

Can somebody explain the combination of these 2 rules…

Allow TCP/UDP OUT from IP [Any] to IP [Any] where source port is [Any] and remote port is [Any]

and

Block & Log IP IN or OUT from IP [Any] to IP [Any] where IPPROTO is ANY

In particular, why the need for the 1st rule? Wouldn’t this open up the firewall to all outgoing traffic?
I tried to remove that TCP/UDP rule, but then the latter rule blocks outgoing traffic, even if the application attempting the traffic is explicitly allowed.

A simple explanation of how these rules are used in conjunction with application rules would help a lot - or a reference to an existing post, if already explained.

I’m thinking it must work something like this:

  • if an app wants to send a packet, the app must be approved in the App Monitor list AND THEN the packet must ALSO satisfy the Network Monitor rules, before it can be sent
  • if a packet comes in, the packet must FIRST satisfy the Network Monitor rules - however, if no app is running to service the requested port, the packet is still stealthed by the firewall (e.g. for BitTorrent ports, where the BitTorrent client is not running)
  • if an app wants to be able to receive ANY packets, it must have an IN rule allowing that behaviour

Where is your “Block IP” IN rule?

Yes this is the way CPF checks the traffic.

I’ve removed Block IP because it’s a pain in the rear for a bunch of programs, and replaced it with Block ICMP Echo Request. They pretty much do the same, except ICMP only is much more compatible.
That’s why I’m asking what’s so good or better about the IP thingie, to have it there instead of just blocking any pings at your doorway, rendering your PC invisible.

They are not the same. With your rule, how can you be sure that a UDP or TCP or IGMP packet won’t arrive at your PC?

And how can you be with the IP rule? You can’t just block all IP traffic, as it would mean a complete traffic block. There are other parts that do the filtering of TCP and UDP, including the advanced packet filter engine. Network Monitor is not an active thing, it’s completely passive and works just for stuff that’s strictly specified. If it’s not, it’ll pass it. For example TCP packets. Network Monitor just can’t decide which TCP packet is good and which bad. But it can block everything on TCP port 80 if you specify so.

Yes you can, and this is what this rule does.

There are other parts that do the filtering of TCP and UDP, including the advanced packet filter engine.
“Network Monitor” is part of the “Advanced packet filter engine”, or vice versa. If you disable Network Monitor, the advanced packet filter engine is also disabled. (I have tested it, but I’ll wait for confirmation from egemen.)
Network Monitor is not an active thing, it’s completely passive and works just for stuff that’s strictly specified. If it’s not, it’ll pass it. For example TCP packets. Network Monitor just can’t decide which TCP packet is good and which bad. But it can block everything on TCP port 80 if you specify so.
Wrong, for a “block IP rule” every packet, specific or not, will be blocked (with the option “Secure against trojan/unknown protocols” enabled).

You practically change CPF into a sort of Kerio.
Network rules are read from top to bottom. If you don’t put in the BLOCK IP IN/OUT rule and CPF does not find any matching rule, it will simply pass the packet by default. With your rules, you are not stealth against tests like grc.com.

Allow TCP/UDP Out simply means you can connect to the outside with TCP/UDP (without the BLOCK IP IN/OUT rule, specifying this rule is meaningless).
Allow ICMP Out Echo Request allows you to ping other hosts.

BLOCK IP IN/OUT will block everything which does not match the rules before it. Without this rule, if there is no match, packets won’t be blocked. So assume someone tries to connect to your PC on port 80: CPF will gracefully allow this attempt with your current rule configuration. Think of this rule as the default behavior of CPF when no matching rule is found.
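
The rule-evaluation model sketched in the three bullet points earlier (app approval AND Network Monitor for outbound, Network Monitor first for inbound) and in the explanation just above (top-to-bottom first match, no match means the packet passes), as an added Python example. This is not Comodo’s code and the page says nothing about the engine’s real internals; rule and packet fields are simplified assumptions, only the three default rules named in this thread are modelled, and the “ICMP-only” variant is a reconstruction from the description of swapping the IP block for a block on inbound ICMP Echo Request.

```python
"""Toy first-match model of CPF Network Monitor rules.

Added example, not Comodo's code: it reproduces only the behaviour described
in the thread (rules read top to bottom, first match wins, no match means the
packet passes) and how that combines with Application Monitor. Rule and packet
fields are simplified assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

ANY = "any"
Field = Union[str, int]


@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp", "udp", "icmp", "igmp", ...
    direction: str                   # "in" or "out"
    dst_port: Optional[int] = None   # TCP/UDP only
    icmp_type: Optional[str] = None  # "echo-request", "echo-reply", ...


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "block"
    proto: str             # "tcp", "udp", "tcp/udp", "icmp", or "ip" (any IPPROTO)
    direction: str         # "in", "out", or "in/out"
    dst_port: Field = ANY
    icmp_type: Field = ANY

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and p.proto not in self.proto.split("/"):
            return False
        if self.direction != "in/out" and self.direction != p.direction:
            return False
        if self.dst_port != ANY and self.dst_port != p.dst_port:
            return False
        if self.icmp_type != ANY and self.icmp_type != p.icmp_type:
            return False
        return True


def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, Optional[int]]:
    """Walk the rules top to bottom; return (action, index) of the first match.
    With no match the packet passes: the default the thread warns about."""
    for i, rule in enumerate(rules):
        if rule.matches(p):
            return rule.action, i
    return "allow", None


def outbound_allowed(app_allowed: bool, rules: List[Rule], p: Packet) -> bool:
    """Outbound: the app must be approved in Application Monitor AND the
    packet must pass Network Monitor."""
    return app_allowed and evaluate(rules, p)[0] == "allow"


def inbound_answered(rules: List[Rule], p: Packet, listening: bool) -> bool:
    """Inbound: Network Monitor first; a packet that passes is only answered
    if some allowed application is actually listening on that port."""
    return evaluate(rules, p)[0] == "allow" and listening


# The three default rules named in this thread (other defaults omitted).
DEFAULT_RULES = [
    Rule("allow", "tcp/udp", "out"),
    Rule("allow", "icmp", "out", icmp_type="echo-request"),
    Rule("block", "ip", "in/out"),   # "Block & Log IP IN or OUT, IPPROTO ANY"
]

# Assumed reconstruction of the modified set: the catch-all IP block
# replaced by a block on inbound ICMP Echo Request only.
ICMP_ONLY_RULES = [
    Rule("allow", "tcp/udp", "out"),
    Rule("allow", "icmp", "out", icmp_type="echo-request"),
    Rule("block", "icmp", "in", icmp_type="echo-request"),
]

if __name__ == "__main__":
    probes = [                                             # constructed sample traffic
        Packet("tcp", "in", dst_port=80),                  # unsolicited connect to port 80
        Packet("icmp", "in", icmp_type="echo-request"),    # ping from outside
        Packet("igmp", "in"),                              # protocol no rule names
        Packet("tcp", "out", dst_port=443),                # normal outbound traffic
    ]
    for name, rules in (("default", DEFAULT_RULES), ("icmp-only", ICMP_ONLY_RULES)):
        for p in probes:
            action, idx = evaluate(rules, p)
            print(f"{name:9} {p.proto:4} {p.direction:3} port={p.dst_port} "
                  f"type={p.icmp_type} -> {action} (rule {idx})")
```

Running it shows the two points made in the thread side by side: with the catch-all IP block, an inbound TCP SYN to port 80 or a stray IGMP packet hits rule 3 and is dropped, while with the ICMP-only set both fall through with no match and are passed up to whatever is listening; and deleting the TCP/UDP OUT allow while keeping the IP block makes the catch-all swallow outbound traffic even for an approved application, whereas without the catch-all the allow rule never changes a decision.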

With your rules, you are not stealth against tests like grc.com...

http://img213.imageshack.us/img213/2491/grcpassqr7.png


My “new” rules appear to be just fine, plus they work great with eMule. Though thanks for the explanation of the “IP” rule.

Ewen did a tutorial about setting up the rules, remember? It’s at http://www.embsolutions.com.au/cpf_rule/index.htm
It’s a step-by-step tutorial on how to do it and it explains everything. It’s going to be updated for the latest Beta release, but I’m not sure if he’s updated it yet. Follow his tutorial and you can’t fail!

You are stealthed. And this means that someone who does not know that your PC exists at your IP address won’t even bother to attack you.

But what happens with the ones that know that your computer exists at your IP address? If someone can see you on eMule, he knows you are there, stealthed or not stealthed.

Give a talented person some time and he will eventually penetrate your system. This can happen with the default rules also (there is no 100% safe PC). With no “block & log IP in” rule, who is going to warn you that some strange activity is taking place?

But this has to do with the type and the level of protection one wants. CPF is great because people can play with it. But please don’t use statements such as:

I agree, it works and it stealths, but it loosens the security level.
Stealthing is one type of protection measure, but not the only one and for sure not the most important. (I was the first to ask on the wishlist to add stealthing to “allow in” rules.)

Eh, like someone gives a sh** about me. I’m just a user, not a corporate network system.
My IP is dynamic, so no one can be sure that I’m really on the other end. You can’t be 100% hidden, as in that case no one could communicate with you. All I care about is that basic probing won’t show my PC and that you can’t probe specific ports. Everything else is taken care of by the packet filter.

egemen

May I ask a quick question? So if you have an application which listens on a port, you have to create a network rule allowing this connection and place it before the “block all” rule (so this would allow any application to connect to this port). The way I see the Network Monitor rules is that all applications have outbound access by default, but not inbound.

Being a Kerio user myself, I’m finding it hard to understand why application and Network Monitor rules are required. Within Kerio, you are prompted for either outbound or inbound connections, with non-existent ports being dropped. Hope that makes sense.


No, ports are always opened for applications that are already allowed on the Application Monitor page.
Network Monitor is for global fine-tuning of packet filtering (mostly useful for ICMP, but you can control other stuff as well). Per-application stuff is controlled on the Application Monitor page under each application profile.