Optimizing CFW Application and component settings

Hi Toggie et al:

I have had CFW running for a few weeks now in learning mode. So I think it is about time to turn it off. My 7 original goals were:

"…a FW that has the following features

(1) No hidden call homes to mother ship on the FW software itself
(2) Ability to detect other software calling home as well and then allow me to block that IP and ranges of IPs and the site itself
(3) Doesn’t force or try to force me to set the router/Lan to trusted as ZA did
(4) Control by applications as to which have access to internet and those that don’t.
(5) Doesn’t force me to create expert rules at first try!
(6) Gives complete logs of in and out blocks that can be used for further checking
(6.1) Responsive user support and user forum
(7) Updates to product as required

No doubt I’ve left out NB items but as I’m behind a H/W FW and a router my main concern is outbound packets!"

I think I have learned quite a bit about 1,2,3,6,6.1 forum anyway, and 7.

What I still need to work on is 4 and 5 which may be related?

Here are some more questions:

What should users expect when turning off learning mode? Do we have to do anything or decide something?

The applications and components almost all seem to have allow, except for a few games I have blocked. Is that normal?

How should a user proceed to tighten up settings when some of the applications and particularly the components have meaningless names? Do I have to google each one? Or is there a method/list of blockable applications?

I read somewhere that blocking ip addresses as I have been doing in CFW is really futile since the applications access rules come first in checking and if they allowed access to the internet the network block rules have zero effect

Is that correct?

Thank you in advance for your help.

I read somewhere that blocking ip addresses as I have been doing in CFW is really futile since the applications access rules come first in checking and if they allowed access to the internet the network block rules have zero effect
Not zero effect. Only app rules (that I somehow lost today) are considered first with outgoing connections. If you block something in network rules it will be blocked as far as I know. Think of network rules more like a mask with outgoing connections. Not that important, but still useful in the cases where you want to block something "globally".

With incoming connections network monitor rules are most important.
Regarding the component monitor … I will never put Comodo out of learning mode for that.

Escalader,

I think most of those can be answered in this thread: https://forums.comodo.com/index.php/topic,6167.0.html. Look for explanation of layered rules, creating tighter security rules…

Yes, from Learn Mode all Components will be set to Allow. Sorry, there’s no easy way to determine what you want (component-wise) to allow or not; you’ll have to research. Keep in mind, the components don’t necessarily have direct access; they access through the browser (or other application). If they change, you will be alerted.

Once you change Component Monitor to On, you will get popup alerts for every component addition or change (or the first usage of a component already installed). It will have a button to View Libraries, wherein you can see which components are being included. If you select to Block those components at that point, it will block your internet connection. You will have to reload your browser (or whatever application you’re using), and then it should work, with those being blocked. You may lose some functionality (whatever the component was supposed to do) by this, though.

And no, blocking IPs is NOT futile; it is highly effective. With the layered rules (see the tutorial), if ANY section fails the test, CFP will block it (there will be no alert to user if the block is coming from Network Monitor; it will just be blocked).

Hope this helps,

LM

It does help, Mac, ty. I have turned off learning mode (no, not me, the CFW! ;D).

I’m reading in the tutorial, which for a vendor forum is a really good idea. On the Beta version, when released to the masses (me), will the tutorial be updated? That is just as NB as the new software.

One really dumb question I have is on ports. Can a port have only 1 direction? i.e. 80? My guess is yes, as my ISP uses 1 for incoming email and another for outgoing?

Correct. When we refer to port 80 for browsing (for example), that is the Destination port, or port at the website-end of the connection. The local port (ie, for the Outgoing connection) will be different (very different, most likely). To carry our example over to email, the standard POP/SMTP accounts use ports 25 and 110; 110 is used for the POP3 (incoming), 25 for the SMTP (outgoing) mail; these are both the remote connection point/Destination/endpoint to your email client’s request. Again, the local port on your machine will be very different.

So most of the time in Application rules, you are defining a Destination (remote) port for an Out rule. The primary caveat to that would be for p2p applications, where you would be adding an In rule; thus the “Destination” would be the local port for the inbound connection.

Generally the same is true for Network Monitor.

LM

LM!
Thanks. Okay, is there any way to identify all the possible destination ports in, say, a range?

My ISP asks that my email client be set to POP3 for incoming and use port 110 and for outgoing use 587.

Can I use that data to make a restrictive rule, as I don’t want any application other than MS Outlook to send email anywhere?

Here’s what you’re probably going to want to do, to tighten that up.

You will set your rule for Outlook in the Application Monitor, to specify those two ports under Destination Port, as a Set of Ports (the rule is for Outbound; that’s all you need for it). You’ll input those in Destination Port: A set of ports: 110,587 (no space after the comma)

Then in the Network Monitor, you want to create two rules. They will both need to come in above the default Allow TCP/UDP Out, Any Source/Destination/Port (or any other rule that is “loose” or “general” enough to allow the traffic). So you can right-click and Add/Add Before, or Add wherever and use the Move Up button to reposition them. The rules flow from the top down, so keep that in mind.

For the sake of this example, we’ll just put them in positions Rule ID 0 & 1 (which probably wouldn’t hurt, anyway, but that’s up to you).

Rule ID 0 will be:

Action: Allow
Protocol: TCP/UDP
Direction: Out
Source IP: Any (or your IP)
Destination IP: your email server’s IP address (which should be static)
Source Port: Any
Destination Port: A set of ports: 110,587 (no space after the comma)

Rule ID 1 will be:

Action: Block
Protocol: TCP/UDP
Direction: Out
Source IP: Any (or your IP)
Destination IP: Any
Source Port: Any
Destination Port: A set of Ports: 110,587

To really tighten it up, make sure your Alert Frequency (security/advanced/miscellaneous) is at High; this will make sure that information on Ports is included in the popup alerts, and thus in the Application rules. This way, you will get an alert for any other application that might try to communicate to one of these remote/destination ports. Be forewarned, this will give you a lot more alerts than at a lower level of detail, and it may seem like they’re all the same…

Even without that, though, you should be fine. The flow of the Network rules is such that traffic outbound to your email server on those ports is allowed. Traffic not set for that IP on those ports will pass that rule and be cut off at the pass by the very next rule, which is set to block those same ports. The order here is very important, as you can see. This is also why you don’t want a rule to Allow TCP/UDP Out to Any IP on Any Port preceding these two rules; it would allow the connection before it could be properly filtered.

LM

LM:

Thanks:

I just contacted my ISP and got the following:

for incoming port 110 they use 206.190.36.17, should I add the ip to the application rule?
for outgoing port 587 they use 206.190.36.18, should I add the ip to an application rule?

The application monitor has 2 entries, 1 for FF, the other for IE?

I’m worried I will treat the ISP-given “in” IP as my “out”, so which IPs do I put in rule 0 and rule 1?

They also said these were the only IPs used for my service; does that mean I can block the rest of the WWW? I think not, since they just send me wherever from those base IPs, right?

There’s not much point in putting IP addresses in Application rules, IMO, unless you have alert frequency at Very High (which then references every single IP address you go to when surfing… too many alerts!). With AF any lower, the IP won’t matter, because CFP isn’t referencing it.

For the Network Monitor rules, you can (in the Destination IP field) set it for a Range of IP: 206.190.36.17 - 206.190.36.18. Then set the ports as I mentioned previously. For the block rule, don’t include the IP addresses, just the ports.

So for the example I gave you, Rule ID 0 will be:

Action: Allow
Protocol: TCP/UDP
Direction: Out
Source IP: Any
Destination IP: A Range of IP: 206.190.36.17 - 206.190.36.18
Source Port: Any
Destination Port: A set of Ports: 110,587

Leave Rule ID 1 just as I gave before.

Your Application (Outlook) is defined/allowed to create an Outbound connection to Any website (IP address) on those two specified ports (destination ports). Since the AppMon rule for Outlook does not contain a specified IP address, it will pass inspection of Rule ID 0, and will be able to contact that website (which is specified within Outlook itself). Even if another application (say Outlook Express) were to gain internet access and somehow want to utilize those same ports to send and/or receive some special/secret email (wherein you would get an alert because of an unauthorized application), it will be implicitly stopped by the NetMon rule ID 1; it’s using those ports, but not that website… thus it will be blocked.

Oh, I just read you don’t have an Application Monitor rule for Outlook. That’s easy enough to add. Open Application Monitor, click the button to Add a new rule. Browse for the Application Outlook.exe. Should be in c:\program files\office\office11\outlook.exe (or something like that - you can always right-click your desktop icon for it, select Properties, and check the Start In and Path information to find where it is, then browse in the rule creation window). Parent you can set to Learn; that should work (it’s probably explorer.exe, or will be). So you’ll build the rule to look like this:

Application: Outlook.exe
Parent: Learn
Action: Allow
Protocol: TCP/UDP
Direction: Out
Destination IP: Any
Destination Port: A set of ports: 110,587
Miscellaneous: (leave it blank)

That’s it. FYI, if you look at the two FF rules, you’ll probably see one has a parent of explorer.exe, the other firefox.exe.

LM
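The two posts above describe how CFP evaluates the Network Monitor list top-down, first match wins, and why the Allow-to-mail-server rule must sit above the Block-these-ports rule, which in turn must sit above the default Allow TCP/UDP Out. The following model is an added example written for this page, not Comodo code: it encodes Rule ID 0 (with the IP range from the second post), Rule ID 1 and the default Allow Out rule, walks them in order, and shows that swapping the default rule to the top lets a rogue application reach port 587. The Application Monitor layer is modelled the same way (no matching app rule means an alert). The 206.190.36.17-.18 addresses are the poster's ISP mail servers as given in the thread; every other address, port number and program name is constructed test data, and "no Network Monitor match means Block" is an assumption of this model.

```python
"""Model of CFP 2.x layered rules: Application Monitor first, then the ordered
Network Monitor list (first match wins, top down). Added example, not Comodo code.
Addresses other than the poster's mail servers (206.190.36.17-.18) are made up."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional, Tuple, FrozenSet

ANY = None  # a field left as "Any" in the rule editor


@dataclass(frozen=True)
class NetRule:
    action: str                         # "Allow" or "Block"
    direction: str                      # "Out" or "In"
    protocols: FrozenSet[str]           # e.g. {"TCP", "UDP"}
    src_ip: Optional[Tuple]             # (first, last) as ip_address, or ANY
    dst_ip: Optional[Tuple]
    src_ports: Optional[FrozenSet[int]]
    dst_ports: Optional[FrozenSet[int]]


@dataclass(frozen=True)
class Connection:
    app: str
    direction: str
    protocol: str
    src_ip: str
    src_port: int       # ephemeral local port, as the thread explains
    dst_ip: str
    dst_port: int       # the port the rules actually key on for Out rules


def ip_range(first: str, last: str) -> Tuple:
    return (ip_address(first), ip_address(last))


def _ip_match(rng, ip: str) -> bool:
    return rng is ANY or rng[0] <= ip_address(ip) <= rng[1]


def _port_match(ports, port: int) -> bool:
    return ports is ANY or port in ports


def first_match(rules, conn: Connection):
    """Walk the Network Monitor list top-down and return (action, rule_id).
    Assumption of this model: a packet matching no rule is blocked."""
    for rule_id, r in enumerate(rules):
        if (r.direction == conn.direction and conn.protocol in r.protocols
                and _ip_match(r.src_ip, conn.src_ip) and _ip_match(r.dst_ip, conn.dst_ip)
                and _port_match(r.src_ports, conn.src_port)
                and _port_match(r.dst_ports, conn.dst_port)):
            return r.action, rule_id
    return "Block", None


def decide(app_rules, net_rules, conn: Connection) -> str:
    """Layered check from the thread: the app needs an Allow rule covering the
    destination port, then the packet must survive the Network Monitor list.
    An app/port with no rule at all produces an alert rather than a decision."""
    for app, action, ports in app_rules:
        if app == conn.app and _port_match(ports, conn.dst_port):
            if action != "Allow":
                return "Block"
            return first_match(net_rules, conn)[0]
    return "Alert"


TCP_UDP = frozenset({"TCP", "UDP"})
MAIL_PORTS = frozenset({110, 587})                       # POP3 and submission, per the ISP
MAIL_SERVERS = ip_range("206.190.36.17", "206.190.36.18")  # from the thread

RULE0_ALLOW_MAIL = NetRule("Allow", "Out", TCP_UDP, ANY, MAIL_SERVERS, ANY, MAIL_PORTS)
RULE1_BLOCK_MAIL_PORTS = NetRule("Block", "Out", TCP_UDP, ANY, ANY, ANY, MAIL_PORTS)
DEFAULT_ALLOW_OUT = NetRule("Allow", "Out", TCP_UDP, ANY, ANY, ANY, ANY)

CORRECT_ORDER = [RULE0_ALLOW_MAIL, RULE1_BLOCK_MAIL_PORTS, DEFAULT_ALLOW_OUT]
WRONG_ORDER = [DEFAULT_ALLOW_OUT, RULE0_ALLOW_MAIL, RULE1_BLOCK_MAIL_PORTS]  # the mistake the post warns about

# Application Monitor entries as built in the thread (app, action, allowed destination ports).
APP_RULES = [
    ("outlook.exe", "Allow", MAIL_PORTS),
    ("firefox.exe", "Allow", ANY),
    ("solitaire.exe", "Block", ANY),   # stands in for the games the poster blocked
]

# Constructed connection attempts; 198.51.100.0/24 is a documentation range, not a real host.
OUTLOOK_POP = Connection("outlook.exe", "Out", "TCP", "192.168.1.10", 49152, "206.190.36.17", 110)
ROGUE_SMTP = Connection("rogue.exe", "Out", "TCP", "192.168.1.10", 49153, "198.51.100.25", 587)
BROWSE = Connection("firefox.exe", "Out", "TCP", "192.168.1.10", 49154, "198.51.100.80", 443)

if __name__ == "__main__":
    for conn in (OUTLOOK_POP, ROGUE_SMTP, BROWSE):
        print(conn.app, "->", conn.dst_ip, conn.dst_port,
              "correct order:", first_match(CORRECT_ORDER, conn),
              "wrong order:", first_match(WRONG_ORDER, conn),
              "layered:", decide(APP_RULES, CORRECT_ORDER, conn))
```

With the rules in the order the post gives, Outlook to 206.190.36.17:110 matches Rule ID 0 and is allowed, a rogue program to any other host on 587 falls past Rule ID 0 and is stopped by Rule ID 1, and ordinary browsing on 443 passes both and reaches the default Allow. Move the default Allow to the top and the rogue connection is allowed by it before the block rule is ever consulted, which is exactly the ordering failure the post describes.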

There's not much point in putting IP address in Application rule, IMO, Unless you have alert frequency at Very High (which then references every single IP address you go to when surfing...too many alerts! )
Yes, too many alerts, but only if you don’t go and EDIT the made rules. Edit for port 80 and 443 to allow all IP addresses for the browser rule. Email servers mostly stay the same when using an email client with an ISP mail account, at least in my case. So it is not necessary to allow other IPs.

What is a bother with Comodo is that you have to use the very high alert level to be able to specify localhost access and only that. Some programs like my ATI display drivers’ CLI.exe need to listen on that address, even though it is not connecting to the internet.

Most people will just give up and use the high level alert setting. With the very high level of alert settings it is a bother when starting a new internet-connecting app, that’s for sure. But it takes only a little time to edit the rules.

That said, I still cannot figure out why my app rules were lost after the current latest Windows security patch update. I lost some faith in Comodo too there :(
It also brings to my mind that there is no possibility to export/import rules except with some script, but not with the user interface of CFP 2.x. Is that better with the current alpha 3.0?

JarmoP,

v3 will address much of this, in various ways, including custom rules. It also has a built-in import/export feature for rules.

LM