Initially the rule contained both source and destination ports to be 67-68, however I discovered that this creates an “AND” condition where the traffic must be Source = [67,68] AND Destination = [67,68]. Sometimes I see DHCP traffic with a random high-port source so I changed Source to be ALL.
I’ll write a second rule such that source = 67, 68 is blocked.
I tried using the “port set” feature but that didn’t seem to work for me either.
Abou the VPN, I don’t really have VPN users per-se. The purpose of the VPN is to create a virtual LAN over the internet between several sites, allowing all hosts (exceptions are handled locally) at every site to be peers.
All hosts are on the 192.168.0.0/16 network. Each site uses it’s own /24 subnet (Site A is 192.168.2.0/24, and site B is 192.168.3.0/24), however this is a “gentleman’s subnet” as the hosts are actually configured with a /16 subnet so that they can all communicate.
Well I’ve managed to answer my own question here. Yes the logs will reflect outgoing connections. The reason I’m not seeing my Telnet traffic out as blocked is because the application rule for Telnet supercedes the Global rule to block traffic on those ports, which I also understand is normal for Comodo.
Unfortunately this means I have no way to test the global rule for blocking outbound traffic on those ports because any means by which I would try would fall under application rules to deny or allow and action on that before the global rules ever come in to play.
I can’t find it, but is there any way to have Comodo ignore all application rules while still applying global rules?
You can try to create an application rule for WOS Windows Operating System,
Open firewall policy, click Add, Select running process “Windows Operating System” and set some app rules for 67/68 with logging, maybe you can use that to see if it logs more then the previous solutions…
There are some firewalling exceptions for Windows Operating Systems traffic that is called a pseudo process.
Because of the dst 255.255.255.255 stuff it could be it’s not logging/blocking it.