Port Forwarding

Hello guys! I just installed Comodo Firewall and I have some problems with port forwarding. Taking a look in the forum I saw a topic instructing creating several rules for uTorrent. What I do not understand is why to create so many rules for just one port… Can you give me an example for creating a rule for a program with, let's say, 2 ports like e-mule? I took a look at portforward.com but the guides are for an older version of Comodo.

Hi Clopyright,

Welcome to the forums,
Basically the most important thing is to create a GLOBAL RULE to allow incoming traffic.
Open the GUI, Firewall, Advanced, Network Security Policy and switch to the Global Rules tab.

Now Add a rule
Allow (+Log if you like)
TCP/UDP
IN
Source ANY
Source Port ANY
Destination ANY
Destination Port = port range 1000 - 1002 (example).

Apply the rule and make sure it's the first rule; all other rules should be below this one.

The only other thing you then have to check is whether you have allowed e-mule on the application tab to allow this incoming traffic also.

Apply again and it should work.

Thanks for the reply mate. This Global Rule isn't going to allow traffic on all ports? I want to open ports for certain programs. I opened the e-Mule ports but I was getting constantly many alerts for many other ports. The 2 ports I open for e-mule (or any other program) go to Global Rules or in the previous page? If I want to open a port for WoW, let's say, is the pattern the following?

Action: Allow
Protocol: TCP and UDP
Direction: In/Out
Source Address: Any
Destination Address: Any
Source Port: Any
Destination Port: WoW port (3724)

Where do I put that? In the Global Rules tab or in the previous one (Network Security Policy)?

Global rules have no understanding of applications. Let's say you open port 80 in global rules; you will get an alert for the application you have running on port 80 (normally a web server). So you would end up with 2 rules:

  1. for global rules to open up port 80 to “any” application that would happen to be listening on this port.
  2. application rule for let’s say Apache web server listening for incoming traffic on port 80.

So for incoming traffic it always takes two rules.

On your WoW rule if it’s only incoming traffic set the direction to IN.
See this as traffic that is coming FROM the Internet TO your PC.

So I open 2 rules for each program? One in the Global tab and the other in Network Security Policy? Why does that uTorrent guide give 6 rules?

Almost, you create 2 rules for each port (group/range) you wish to allow incoming traffic to.
One to allow it in to your system Globally and One to allow it to access the application.

Outgoing traffic is normally only alerted on at application level, because the global rule allows the outgoing traffic if it matches the application rule first; the check order is described in the help file.

The torrent guide has different directions for different ports so that causes more rules to be created…

So that means that if I have the port 123456 for uTorrent I create one rule in the Global tab and another one for the same port in Network Security Policy, right? If the program has 2 ports I open 4, and so on, right?

Yes, that's correct, but actually you open the same port twice, but that's just a minor detail…

When I opened the e-mule ports why did Comodo ask me for access for many other e-mule ports? I admit that I opened the ports only in the Network Security Policy tab… :-\

Those are probably the outgoing ports. In the previous messages we focused on incoming traffic, but e-mule also needs to access all the other hosts, and they are all running on different ports, so I'd set that traffic for:

Allow
TCP or UDP
Out
Source ANY
Source port range 1024 - 65535
Destination ANY
Destination port range 1024 - 65535

in the Application rules for the e-mule application; that should take away the alerts.

What if I put that rule in the Global tab to apply to all the applications I use? So to sum up, I create 3 rules: 2 in the application tab (1 incoming, 1 outgoing) and one in the Global tab (incoming), right?

I don't think this would work; the system will still alert you for this traffic because it can't find existing rules for the application…

So the following rule

Allow
TCP or UDP
Out
Source ANY
Source port range 1024 - 65535
Destination ANY
Destination port range 1024 - 65535

should be applied to every application, right?

Most applications don't need such a broad range of ports, if you'd like to keep it strict.

Normally the firewall alerts for an application and defaults to an outgoing rule:

Allow
IP
ANY
ANY

In general a browser needs port 80 for HTTP and 443 for HTTPS.
You can choose to create an IP ANY ANY rule if you're fine with the fact that your browser can then connect to any server on any port; personally I'd like to get an alert if my browser tries to connect on a non-default port.

So to sum up. E-Mule for example has two ports. Let's say TCP:12345 and UDP:67890.
I create the rules in the Application policy in this form:

Allow (+Log if you like)
TCP/UDP
IN
Source ANY
Source Port ANY
Destination ANY
Destination Port = 12345

Allow (+Log if you like)
TCP/UDP
IN
Source ANY
Source Port ANY
Destination ANY
Destination Port 67890

After that I create the same rules in the Global tab, right? And that's all?

Well, almost; you have to watch the direction the traffic is going. If you use E-Mule with these ports then make the setup like this.

Application tab:
Emule.exe
Allow IP OUT ANY ANY
Allow TCP IN ANY ANY ANY Dst Port = 12345
Allow UDP IN ANY ANY ANY Dst Port = 67890

Global tab:
Allow TCP IN ANY ANY ANY Dst Port = 12345
Allow UDP IN ANY ANY ANY Dst Port = 67890

This will allow ALL traffic OUTGOING for emule so it can access all other hosts no matter what port they use.
This will allow ONLY incoming traffic to TCP 12345 and UDP 67890.
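The two-layer check the replies above describe (Global Rules first for incoming traffic, then the application's own rules; the application's rules first for outgoing) can be modelled in a few lines. The following is an added example written for this page, not Comodo's own logic or anything posted in the thread. It assumes each list is first-match, that inbound traffic with no matching global allow rule is dropped, and that traffic reaching an application list with no matching rule is what produces the pop-up alert. It uses the thread's TCP 12345 but replaces UDP 67890 (which is above the 16-bit port limit of 65535) with an assumed UDP 4672, and adds an assumed browser rule set to show the "alert on non-default port" behaviour from the earlier reply.

```python
"""
Added example (not from the thread or Comodo): a small model of the
global-rule / application-rule check described in the replies.
Assumptions: inbound = Global Rules first, then the application's rules;
outbound = application's rules first, then Global Rules; each list is
first-match; inbound with no global allow is dropped; reaching an
application list with no matching rule raises the pop-up alert.
"""
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

Port = Tuple[int, int]          # inclusive port range
ANY_PORT: Port = (1, 65535)


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "block"
    protocol: Optional[str]     # "TCP", "UDP", or None for the "IP" (any) wildcard
    direction: str              # "in" (Internet -> PC) or "out" (PC -> Internet)
    src_port: Port = ANY_PORT
    dst_port: Port = ANY_PORT

    def __post_init__(self):
        # Reject ranges such as 67890 that cannot exist on the wire.
        for lo, hi in (self.src_port, self.dst_port):
            if not (1 <= lo <= hi <= 65535):
                raise ValueError(f"port range {lo}-{hi} is outside 1-65535")

    def matches(self, proto: str, direction: str, sport: int, dport: int) -> bool:
        return (self.direction == direction
                and self.protocol in (None, proto)
                and self.src_port[0] <= sport <= self.src_port[1]
                and self.dst_port[0] <= dport <= self.dst_port[1])


def first_match(rules: Sequence[Rule], proto: str, direction: str,
                sport: int, dport: int) -> Optional[str]:
    """Action of the first rule in the list that matches, or None if none does."""
    for rule in rules:
        if rule.matches(proto, direction, sport, dport):
            return rule.action
    return None


def decide(global_rules: Sequence[Rule], app_rules: Sequence[Rule],
           proto: str, direction: str, sport: int, dport: int) -> str:
    """Outcome for one packet: "allow", "block", or "alert" (the pop-up)."""
    if direction == "in":
        if first_match(global_rules, proto, "in", sport, dport) != "allow":
            return "block"      # nothing in Global Rules lets it in (assumed default)
        app = first_match(app_rules, proto, "in", sport, dport)
        return app if app is not None else "alert"
    app = first_match(app_rules, proto, "out", sport, dport)
    if app is None:
        return "alert"
    if app == "block":
        return "block"
    glob = first_match(global_rules, proto, "out", sport, dport)
    return glob if glob is not None else "allow"   # no global rule: outbound passes


# The e-Mule setup from the reply above; UDP 4672 is an assumed stand-in for 67890.
EMULE_GLOBAL = [
    Rule("allow", "TCP", "in", dst_port=(12345, 12345)),
    Rule("allow", "UDP", "in", dst_port=(4672, 4672)),
]
EMULE_APP = [
    Rule("allow", None, "out"),                          # Allow IP OUT ANY ANY
    Rule("allow", "TCP", "in", dst_port=(12345, 12345)),
    Rule("allow", "UDP", "in", dst_port=(4672, 4672)),
]
# Assumed stricter browser rules: only outbound 80 and 443, so anything else alerts.
BROWSER_APP = [
    Rule("allow", "TCP", "out", dst_port=(80, 80)),
    Rule("allow", "TCP", "out", dst_port=(443, 443)),
]


def emule_scenarios() -> dict:
    """Outcomes for the situations discussed in the thread (constructed packets)."""
    return {
        "peer_connect":     decide(EMULE_GLOBAL, EMULE_APP, "TCP", "in", 51000, 12345),
        "app_rule_only":    decide([], EMULE_APP, "TCP", "in", 51000, 12345),
        "global_rule_only": decide(EMULE_GLOBAL, [], "TCP", "in", 51000, 12345),
        "unopened_port":    decide(EMULE_GLOBAL, EMULE_APP, "TCP", "in", 51000, 4662),
        "outbound_peer":    decide(EMULE_GLOBAL, EMULE_APP, "TCP", "out", 49152, 4662),
        "browser_8080":     decide(EMULE_GLOBAL, BROWSER_APP, "TCP", "out", 49152, 8080),
    }


def order_matters() -> Tuple[str, str]:
    """Why the allow rule must sit above a block-all rule: first match wins."""
    block_all_in = Rule("block", None, "in")
    allow_first = [EMULE_GLOBAL[0], block_all_in]
    block_first = [block_all_in, EMULE_GLOBAL[0]]
    return (decide(allow_first, EMULE_APP, "TCP", "in", 51000, 12345),
            decide(block_first, EMULE_APP, "TCP", "in", 51000, 12345))


if __name__ == "__main__":
    for name, outcome in emule_scenarios().items():
        print(f"{name:18} -> {outcome}")
    print("allow above block -> %s | block above allow -> %s" % order_matters())
```

Running it shows the three cases the thread circles around: with both layers opened the peer gets in ("allow"); with only the application rule the packet never reaches e-Mule ("block", no pop-up, which is why nothing seems to work); with only the global rule you get the pop-up for whatever is listening there ("alert"). The `order_matters` pair shows why the helper insists the allow rule goes first: a block-all rule above it wins.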

Allow IP OUT ANY ANY

Should this line be entered for all the p2p programs? Or in every program I use? WoW, etc…

Depends a bit on how you would like to keep "control" over those applications.
P2P programs use way too many outbound ports so it's of no use to restrict them. I don't know WoW but maybe it only needs a few ports; then you can create rules for those, and if you don't care about WoW having access to all ports outgoing then you can always set it to IP OUT ANY ANY.

But as IP OUT ANY ANY is the CIS default if you allow an application outgoing traffic, that should not be a problem as long as you know what the consequences are :wink:

So it's better to put the IP rule only in p2p programs, right?

My personal preferences… Yes.