post about changing all predefined policy rules to ask

Hello. Yesterday, I saw a post by a Comodo user (I don’t know when he/she posted it). The user stated that he/she changed all of the predefined policy rules from allow to ask because it had something to do with being able to see everything that happens in the firewall. I am trying to find it, but so far, I haven’t had any luck. Did that post get deleted?

Edit: I found the post I was looking for. I guess it’s not version 5.8 after all.

If you’re using Custom Policy mode, ‘Ask’ rules are superfluous. Also, if your Alert frequency settings are set to Low or Very low and you’re using safe mode, using ‘Ask’ is not much use.

First, what do you mean by superfluous? Also, you said Ask is not much use. Is that for the firewall safe mode or the defense plus in safe mode, because the firewall itself is in custom policy mode?

Superfluous = unnecessary. If you’re using the firewall in custom policy mode, it will ask you when something wants to connect, so you don’t need additional ‘ask’ rules.

If you’re using the firewall in safe mode, applications on the safe list will be allowed and no rules will be created, unless you also place a check in the box for ‘Create rules for safe applications’. In this context, ‘ask’ rules play no part. Although, once the rule has been created, providing it’s not completely generic - described below - you could add an ‘Ask’ rule.

If you have the firewall in custom policy mode with alert frequency set to low, the first time an application is run, a generic rule will be created that allows the application to make any outbound connection to anywhere using any protocol. Again, ‘ask’ rules won’t be much use.

Well, from what I can tell, by setting up all the rules to ask policy mode, it will let me access the internet and doesn’t give me any problems. If I set up the firewall using alerts set to very high, it would give me lots of popups and even if I allowed everything, my internet would sometimes not work out good. If the ask rules aren’t any good, then I will go back and redo everything as I had it. If I keep the alerts set to very high, should I start over from scratch, because when I have everything to ask right now and I have the alerts set to very high, I’m not getting that many popups as I would before I did this? I don’t want to overload the firewall with custom rules, so should I not check the option to remember my answer?

Can you give me an example of the changes you’ve made to the pre-defined policies, maybe a screenshot or two.

I can’t give you a screenshot because after my last response to you, I switched back to the default settings. I can describe what I did though. I went into the firewall network settings, went through the list and changed every allow to ask, and then checked the box that said log if the rule is fired. Then I changed it back from ask to allow and unticked the box that said log if the rule is fired.

Ok, making use of the pre-defined rules will cover you for certain applications. What do you do about applications for which no pre-defined policy exists?

Taking the existing individual pre-defined policies, there’s certainly no harm making a change to ‘Ask’ but you only need to do that for the existing block rule in the policy and then only for some of the policies. For example, changing the block rule to an ask rule, in the pre-defined browser policy, may be useful, as the default ports defined by the rule are quite limited. In contrast, there’s no point making the same change to the ‘Trusted Application’ policy, because it’s already allowing all inbound and outbound connections.

See, but I don’t feel safe with the trusted applications because it allows both incoming and outgoing requests. What would happen if I did that and then a piece of malware found its way into my program? With the trusted outgoing rule, it’s possible that the malware could go to the internet.

Also, if I go into Network Security Policy and delete all the custom rules I made for applications, how can I reset all of them without overloading the firewall? It seems like I can keep clicking on allow for my browser programs and they work for me without me having to add them to my firewall, and I don’t feel safe using the predefined policies because I was told that gives the applications more freedoms than they should have.

I’m not advocating the use of the Trusted Policy, it’s certainly not something, personally, I would ever use. I’m just pointing out, that adding an ask rule to something like the trusted policy, is a complete waste of time, because there’s nothing further to be answered.

Also, if I go into Network Security Policy and delete all the custom rules I made for applications, how can I reset all of them without overloading the firewall?

Why would you need to remove all the custom rules you’ve created? As for overloading the firewall, I currently have ~360 individual rules in my firewall policy and that’s a reduction from my earlier configurations. So I’m not sure what you think may happen?

It seems like I can keep clicking on allow for my browser programs and they work for me without me having to add them to my firewall, and I don’t feel safe using the predefined policies because I was told that gives the applications more freedoms than they should have.

You’ve lost me. I thought you’d modified the pre-defined rules to ask? Now you’re saying you don’t use them because you don’t trust them?

If you’re not happy using one of the pre-defined rules, why don’t you create your own? If you’re not sure what rules are needed for a given application, you can always ask.

Thanks so much for your patience with me and answering all the questions that I have. So, do you mean by making my own rules, I’m going to use this for example.

Firewall alerts are set to high in custom policy mode. After I allow everything that needs to be allowed, I just go in there and change all those rules to ask, correct?

For example, changing the block rule to an ask rule, in the pre-defined browser policy, may be useful, as the default ports defined by the rule are quite limited.

What do you mean by this? It seems that there are certainly endless ways to configure this firewall to max security, but could you tell me the one way that is the very best because if there are 100 ways to configure for max secure, I just want the 1 way out of all of them that is the very best one.

Not quite. As I mentioned earlier, if you’re using Custom Policy mode, you don’t need to add ‘Ask’ rules, because Custom policy mode is already designed to ask about connections for which no rule exists. If, however, you feel more confident adding an additional rule, then just add it as a single rule for the application overall. You don’t need to make every rule an ask rule. For example:

Application Name - Browser.exe
Action - Allow
Protocol - TCP
Direction - Out
Source Address - Any
Destination Address - Any
Source Port - Any
Destination Port - 80

Action - Ask and Log
Protocol - TCP or UDP
Direction - Out
Source Address - Any
Destination Address - Any
Source Port - Any
Destination Port - Any

What do you mean by this? It seems that there are certainly endless ways to configure this firewall to max security, but could you tell me the one way that is the very best because if there are 100 ways to configure for max secure, I just want the 1 way out of all of them that is the very best one.

There’s no single answer to this question, as it depends on an individual’s networking knowledge and their willingness to manually create rules. The only advice I would offer is, always use the principle of least privilege. You’ve already mentioned this in an earlier post and it’s a policy worth following. For example, you want your browser to access the Internet, what rules do you really need? In reality all the browser needs is three rules:

Allow TCP Out Any Any Any Port 80
Allow TCP Out Any Any Any Port 443
Block Everything else

So, why give the browser ‘trusted’ status - ‘Allow everything in and out to/from anywhere’? Obviously, if you use your browser for services other than accessing web sites, you’d need to add additional rules, but always keep in mind the idea that less is better.
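
Added example, not part of the original thread and not Comodo code: a small model of the rule lists discussed above, showing which rule decides a connection and why an Ask rule appended to the Trusted Application policy can never fire. It assumes rules are evaluated top-down with the first match winning and that Custom Policy mode asks when no rule matches; addresses are left out because every rule in the thread uses Any, and all names are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

ALL = frozenset({"TCP", "UDP", "ICMP"})  # constructed stand-in for "any protocol"

@dataclass(frozen=True)
class Rule:
    action: str               # "allow", "ask" or "block"
    protocols: frozenset      # protocols the rule covers
    direction: str            # "in", "out" or "any"
    dst_port: Optional[int]   # None means Any

    def matches(self, proto, direction, port):
        return (proto in self.protocols
                and self.direction in ("any", direction)
                and self.dst_port in (None, port))

    def covers(self, other):
        """True if every connection matching `other` also matches this rule."""
        return (self.protocols >= other.protocols
                and self.direction in ("any", other.direction)
                and self.dst_port in (None, other.dst_port))

def decide(policy, proto, direction, port, default="ask"):
    """Assumed model: top-down, first match wins; `default` stands for
    Custom Policy mode asking when no rule exists for the connection."""
    for index, rule in enumerate(policy):
        if rule.matches(proto, direction, port):
            return rule.action, index
    return default, None

def unreachable(policy):
    """Indexes of rules that can never fire because an earlier rule covers them."""
    return [i for i, rule in enumerate(policy)
            if any(earlier.covers(rule) for earlier in policy[:i])]

# The three-rule browser policy from the post.
BROWSER_LEAST_PRIVILEGE = [
    Rule("allow", frozenset({"TCP"}), "out", 80),
    Rule("allow", frozenset({"TCP"}), "out", 443),
    Rule("block", ALL, "any", None),
]
# The Browser.exe example: one allow rule, then a single catch-all Ask.
BROWSER_ASK = [
    Rule("allow", frozenset({"TCP"}), "out", 80),
    Rule("ask", frozenset({"TCP", "UDP"}), "out", None),
]
# Trusted Application (allow everything in and out) with an Ask rule appended.
TRUSTED_PLUS_ASK = [Rule("allow", ALL, "any", None), Rule("ask", ALL, "any", None)]

if __name__ == "__main__":
    print(decide(BROWSER_LEAST_PRIVILEGE, "TCP", "out", 6667))
    print(decide(BROWSER_ASK, "UDP", "out", 53))
    print(unreachable(TRUSTED_PLUS_ASK))
```

Running unreachable() over a longer exported rule list is a quick way to spot rules that an earlier, broader rule has made dead.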