Network Rules for Applications

Is there a way to define a rule for an application similar in syntax to the way network rules are defined? For example, if I wanted a rule chain for application “foo.exe”:

foo.exe : allow IP out from IP [Any] to IP [Any] where ipproto is any
foo.exe : allow IP in from IP x.x.x.x to IP [Any] where ipproto is any
foo.exe : block IP in from IP [Any] to IP [Any] where ipproto is any

The goal being I want the host at IP x.x.x.x to be able to make inbound connections to my computer to the application foo.exe, but I want to block everyone else. I also want for foo.exe to be able to talk out to anyone. I used to use ZoneAlarm, and the way I would accomplish this in ZA would be to put x.x.x.x in the trusted zone and allow foo.exe to act as a server for the trusted zone but block it for everyone else.

The application rules I have defined now are:

foo.exe : destination [Any] - port [Any] - TCP/UDP out - allow
foo.exe : destination [Any] - port [Any] - UDP in - allow (needed for DNS?)
foo.exe : destination x.x.x.x - port [Any] - TCP in - allow
foo.exe : destination [Any] - port [Any] - TCP in - block

These don’t seem to be doing what I am trying to do. First of all, it looks like the order of the rules gets changed every time I add/edit a rule for the application, so the rules listed above don’t always stay in that order (I’m not even sure if order matters for application rules).

Any help would be greatly appreciated. Thanks!

Hi flarp, welcome to the forums :slight_smile:

To some extent, it depends where the host you wish to allow access to your PC resides. That is, either locally (on your LAN) or remotely (the Internet).

If the host is local, then the trusted zone approach will also work under cfp, albeit with some differences. If, however, the host is coming in over the Internet, a slightly different approach may be better.

Essentially, if the latter, you would need to create a Network Monitor rule to allow that specific host inbound connectivity, something like:

Allow & Log
Protocol: TCP or UDP In
Source IP: The host
Destination IP: Your PC
Source Port: The port used by the host
Destination Port: The port being connected to at your PC

You would also have to make sure there is an Application Monitor rule that corresponds to the NM rule:

foo.exe - Dest (the host) - Port (the port being connected to) - TCP/UDP In - Allow.

That gives you an idea, please feel free to ask more questions.

Toggie

Hey flarp,
welcome to the forums (:WAV)

No, it does not. Only network control rules are parsed in a hierarchical order.

Yes, you can do that. However, you should take the following into account:

One thing to note, in regards to the Alert Frequency...

By default, AF is set to Low; this will provide only details of Application, and Direction of traffic (ie, Out or In). If you leave it there, and create a rule in the Application Monitor that contains more information detail (such as Protocol or Port), the next time you check “Remember” and click Allow for that application on a popup alert, the detailed rule you created will be overwritten by a more generic rule, as the rules are written based on your AF level. If you want more detail, you have to increase the AF level, as grampa and pandlouk have noted.


Here’s the link (you might want to read the entire thread):
https://forums.comodo.com/index.php/topic,8704.msg63183.html#msg63183

For example, if I wanted a rule chain for application "foo.exe":

foo.exe : allow IP out from IP [Any] to IP [Any] where ipproto is any
foo.exe : allow IP in from IP x.x.x.x to IP [Any] where ipproto is any
foo.exe : block IP in from IP [Any] to IP [Any] where ipproto is any

The goal being I want the host at IP x.x.x.x to be able to make inbound connections to my computer to the application foo.exe, but I want to block everyone else. I also want for foo.exe to be able to talk out to anyone. I used to use ZoneAlarm, and the way I would accomplish this in ZA would be to put x.x.x.x in the trusted zone and allow foo.exe to act as a server for the trusted zone but block it for everyone else.

The application rules I have defined now are:

foo.exe : destination [Any] - port [Any] - TCP/UDP out - allow
foo.exe : destination [Any] - port [Any] - UDP in - allow (needed for DNS?)
foo.exe : destination x.x.x.x - port [Any] - TCP in - allow
foo.exe : destination [Any] - port [Any] - TCP in - block


As the rules in AM are not ordered hierarchically it’s always better to create a rule using the exclude function than to create a general rule blocking all plus a specific rule allowing a specific IP-address.
I’d suggest you try the following rules (delete the others):
a. General
b. Destination IP
c. Destination Port

Rule 1 for foo.exe:
a. allow TCP/UDP out
b. any
c. any
This will allow foo.exe to talk out to anyone

Rule 2 for foo.exe:
a. block TCP/UDP in
b. EXCLUDE single IP (the IP of the host you want to allow to make inbound connections to your computer)
c. specify a port if you like or select “any”

I don’t think you’ll need the extra “UDP in” rule for DNS but I’m not sure.
Perhaps we’ll have to work on your network control rules as well, as they are more important than app. control rules. If your ACRs conflict with your NCRs, your NCRs will “win”!!!

Cheers,
grampa.
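grampa's two points (Application Monitor rules are not evaluated in order, and a Network Monitor block beats any application rule) as a small Python model added here, not code from the thread or from Comodo. The "Home" zone, the two host addresses and the port are constructed sample values, and the three evaluation functions are assumed simplifications of how the firewall behaves.

```python
import ipaddress
HOME_ZONE = ipaddress.ip_network("192.168.10.0/24")     # the "Home" zone from the thread
TRUSTED_HOST = ipaddress.ip_address("192.168.10.20")    # stands in for x.x.x.x (constructed)
OUTSIDE_HOST = ipaddress.ip_address("203.0.113.5")      # a host on the Internet (constructed)
ANY_PORT = (0, 65535)

def remote_matches(spec, ip):
    """spec is 'any', 'zone', 'not-zone', 'host:<ip>' or 'exclude:<ip>'."""
    if spec == "any":
        return True
    if spec == "zone":
        return ip in HOME_ZONE
    if spec == "not-zone":
        return ip not in HOME_ZONE
    kind, _, value = spec.partition(":")
    if kind == "host":
        return ip == ipaddress.ip_address(value)
    if kind == "exclude":                 # everyone except the listed host
        return ip != ipaddress.ip_address(value)
    raise ValueError(f"unknown remote spec {spec!r}")

def rule_matches(rule, direction, ip, port):
    _, rule_dir, spec, (lo, hi) = rule
    return rule_dir == direction and lo <= port <= hi and remote_matches(spec, ip)

def first_match(rules, direction, ip, port, default="ask"):
    """Ordered, top-down evaluation (how the thread describes Network Monitor rules)."""
    for rule in rules:
        if rule_matches(rule, direction, ip, port):
            return rule[0]
    return default                        # nothing matched: the firewall would alert

def unordered(rules, direction, ip, port, default="ask"):
    """Order-independent evaluation: a matching block wins over any matching allow."""
    hits = {r[0] for r in rules if rule_matches(r, direction, ip, port)}
    return "block" if "block" in hits else ("allow" if hits else default)

def decide(ncr_rules, acr_rules, direction, ip, port):
    """Network Monitor is consulted first; an NCR block is final, otherwise AM decides."""
    if first_match(ncr_rules, direction, ip, port, default="block") == "block":
        return "block"
    return unordered(acr_rules, direction, ip, port)

# Rule sets from the thread as (action, direction, remote, port range) tuples.
ALLOW_HOST_THEN_BLOCK = [("allow", "in", f"host:{TRUSTED_HOST}", ANY_PORT),
                         ("block", "in", "any", ANY_PORT)]
BLOCK_EXCEPT_HOST = [("block", "in", f"exclude:{TRUSTED_HOST}", ANY_PORT)]
HOME_ZONE_NCR = [("allow", "in", "zone", ANY_PORT)]        # the "trusted zone" network rule
OPEN_SERVER_ACR = [("allow", "in", "any", ANY_PORT)]       # the auto-generated allow-all rule
```

With first_match the allow/block pair works only while the allow sits above the block; reversing it or using unordered loses the allow, whereas BLOCK_EXCEPT_HOST gives the same verdict under both evaluators and leaves the trusted host unmatched (an alert you can answer once with "remember").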

Whoops, sorry Toggie, I was a little late. Consider my post “not there”. :-\

Reading your post I get the impression I’ve got a lot more to learn.
flarp,
please forgive me if I posted nonsense. :-[

grampa

I don't think you'll need the extra "UDP in" rule for DNS but I'm not sure.

It shouldn’t be necessary for individual DNS rules in AM, unless one has disabled the DNS Client Service. In which case, every application will have to have specific DNS rules defined.

Whoops, sorry Toggie, I was a little late. Consider my post "not there"

LOL grampa, if you have some thing to contribute, get stuck in :slight_smile: the more info the better. A good reply btw :slight_smile:

Hey Toggie, (see, I got your name right - no more TRoggies ;D)

A good reply btw :)
Just for learning: Would these rules work or is it nonsense ??? (and don't spare me - I can take it ;)) This question also goes to you flarp! That goes without saying ;) Cheers, grampa.

Thanks for the replies. I tried enabling the DNS client service, and that got rid of the need for the “UDP In” rules. The application rules, however, don’t seem to be matching correctly. It’s very possible I’m missing something simple…

For example, let’s take the Apache web server app… I have the web server itself configured to bind to an IP address and listen on a specific port (80). I only want the web server accessible from my local LAN though (192.168.10.0/24).

I define a zone “Home” with range 192.168.10.0 - 255 and make it a “Trusted” zone. This creates the corresponding network rules:

  • allow ip out from ip [any] to ip zone:[home] where ipproto is any
  • allow ip in from ip zone:[home] to ip any where ipproto is any

Now, I create the following application rules:

  • apache.exe - dest = any, port = 1024-65535, prot = tcp out, perm = allow
  • apache.exe - dest = zone:[home], port = 80, prot = tcp in, perm = allow

The above does not work. When I start Apache, Comodo pops up a message saying apache.exe is trying to act as a server. If I check “remember” and click “Allow”, it replaces my “tcp in” rule with a generic allow-everything rule (dest = [any], port = [any], prot = tcp/udp in/out). If I click “deny” in the pop-up, then the inbound connection attempts show up as “inbound policy violation” errors in the logs.

As suggested, I changed the inbound rule to:

  • apache.exe - dest = not in zone:[home], port = 80, prot = tcp in, perm = block

With that, I get the same error (prompts me when I start up Apache, and behavior is the same depending on what choices I select).

If I create a rule:

  • apache.exe - dest = [any], port = [any], prot = tcp in/out, perm = allow

Then it works, but it also makes it reachable from anywhere (I was able to connect from a machine not on my local LAN). This is also the rule that is automatically generated if I select “remember” and click “allow” when it prompts me upon loading the application.

[edit] … forgot to mention… When defining the application, I select “skip parent check”, and under the “miscellaneous” tab, I leave all three options unchecked.[/edit]

Before, when I had the DNS client service in Windows disabled, I also would get notices for both the DNS request and reply packets, which is why I had the UDP rules earlier. Those are gone now.

Thanks for your help!

Hi flarp, a couple of tips that may help when creating rules.

  1. Make sure logging is enabled for all components
  2. Set the Alert Frequency to Very High

The entries in the log can help you to identify problem areas, as can monitoring the connections window when starting an application.

Setting the Alert Frequency (cfp/Security/Advanced/Misc/Configure/Alert frequency) to Very High will generate pop-ups for virtually every connection attempt. When you click allow + remember you will get individual entries in AM for IP and Port. You can then use these entries to build the rules you need.

Give it a go, but if you still need some help, you know where we are :slight_smile: