problem setting up the fw

hi, i’m having trouble figuring out what in my fw settings blocks the connection to the internet, through web browsers and other programs added in the “application rules” settings as trusted or allowed to communicate. when i turn off comodo fw, connections work.
my goal is to block all the in/out connections that are not specified not to be blocked. i’m only allowing subnet of the dhcp server (, 2 gateways ( and the authentication. dhcp is also dns. i also considered that it might be happening because of blocking the loopback address by default, but when disabling the fw for a moment to let it loopback, connections remain blocked (after the fw is enabled).
when in lan my address is when through wan my actual address is lan address, but same happens for wan also.
i think it might be because of the global rules overruling the application rules. but i’m not sure about that, because then there would not be any point in setting any app rules at all (and the possibility of setting them is there, so… :).
screenshots of my settings are in attachments. all viewed on them is all that has something to do with the lan and wan addresses. thanks for any help. ig

[attachment deleted by admin]

The first thing you need to do is create some valid zones, remove all the existing Global block rules and then think about recreating those that are necessary:

WAN Direct 1 - makes little sense, as is an invalid address. Even if the range were valid, you’d be allowing several hundred thousand addresses.

WAN Direct 2 - Likewise needs to be removed, as the two address ranges are completely different. Also, the 95 address is a valid routable Internet address, whereas the 172 address is a reserved non-routable private address range.

WAN Direct 3 - Has an invalid subnet mask, the largest value permitted is, which gives two subnets.

WAN IP - Not sure what this is for?

LAN 1 - Has an invalid address.

LAN 2 - Is using two completely different IP address ranges and is therefore invalid.

LAN 3 - Is invalid for the same reason as WAN Direct 3.

what you are saying makes sense. but why does the fw let me set up addresses that are invalid? also what does it matter if two address ranges are different, i only want to allow what’s necessary (dns/dhcp, gateways, loopback and the ? network authentication?) and block everything else (the whole ip range not used) and only go through allowed programs with custom policy.

The only address range you need to be concerned about is the one that supports your LAN. Looking at the information you’ve presented, you appear to be behind a router and the address range employed is: to this range has a subnet mask of

Assuming your router is also the DHCP/DNS server the address is covered by the range above, likewise, the router will also be the gateway.

Very simplistically, when you request a web page in a browser, a request is sent to the router from your PC, let’s say it has an IP address of When this request reaches the router, the information is stored and the request is passed to the external interface, where the 192 address is replaced by the 95 address and forwarded to the Internet. When the response is received by the router, it finds out which PC on the LAN made the request and then sends the response using the 192 address.

The WAN address, which I assume is is on the external router interface and is therefore not governed by CIS firewall.

You can set-up a trusted network by using the first option of the Stealth Ports Wizard. Simply run the wizard and choose ‘LAN IP’ as the Zone Name.

As I said, you need to remove virtually all of the existing Global rules, including the rules that use - as these are also invalid. Once you’ve removed the invalid zones and the Global rules, run the Stealth Ports Wizard and see where you are with things. You can always come and ask more questions about the best way to do things.
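A small checker for the kinds of zone mistake listed in the replies above (a netmask with non-contiguous bits, a start and end address that fall in different networks, a range that mixes reserved private space with routable public space, and a range far larger than any home LAN). This is an added example, not code from the thread or from Comodo; the zone entries in it are constructed, not the poster's real settings.

```python
import ipaddress

# Constructed sample zones, not the poster's real settings. Each entry is
# (name, range start, range end, subnet mask), the fields a CIS zone asks for.
SAMPLE_ZONES = [
    ("LAN ok",        "192.168.1.1", "192.168.1.254", "255.255.255.0"),
    ("WAN mixed",     "95.0.0.1",    "172.16.0.1",    "255.255.255.0"),
    ("LAN bad mask",  "192.168.1.1", "192.168.1.254", "255.255.0.255"),
]

# Anything bigger than a /16 is far more than a home or small office LAN needs.
MAX_REASONABLE_HOSTS = 65536


def valid_mask(mask):
    """A netmask must be a run of 1 bits followed only by 0 bits."""
    bits = int(ipaddress.IPv4Address(mask))
    inverted = (~bits) & 0xFFFFFFFF          # host part becomes 0b0...01...1
    return inverted & (inverted + 1) == 0    # true only if that run is contiguous


def check_zone(name, start, end, mask):
    """Return the list of problems found in one zone (empty list means ok)."""
    problems = []
    if not valid_mask(mask):
        # The other checks depend on the mask, so stop here.
        return [f"{name}: invalid subnet mask {mask} (non-contiguous bits)"]
    a, b = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    if a > b:
        problems.append(f"{name}: range start {a} is above range end {b}")
    net_a = ipaddress.IPv4Network((start, mask), strict=False)
    net_b = ipaddress.IPv4Network((end, mask), strict=False)
    if net_a != net_b:
        problems.append(f"{name}: start and end lie in different networks "
                        f"({net_a} vs {net_b})")
    if a.is_private != b.is_private:
        problems.append(f"{name}: mixes a reserved private range with a "
                        f"routable public one")
    hosts = abs(int(b) - int(a)) + 1
    if hosts > MAX_REASONABLE_HOSTS:
        problems.append(f"{name}: range covers {hosts} addresses, far larger "
                        f"than a LAN")
    return problems


def audit_zones(zones):
    """Map each zone name to its list of problems."""
    return {z[0]: check_zone(*z) for z in zones}


if __name__ == "__main__":
    for zone, found in audit_zones(SAMPLE_ZONES).items():
        print(zone, "->", found or "ok")
```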

oh, now i get it. so what i was trying to achieve is already done by the router. i’ll just google if the router acts by itself or just forwards what is sent (if the lan address is sent in the packet (i guess not)). so now i’ll have to focus on the second line of defence - monitoring and manually blocking unwanted ips. thanks for your help.

You should NOT set uTorrent as a trusted application.

Follow these rules (they are from 2007 but still work)…

or maybe Radaghast has a better/easier suggestion.