Puzzled over CPF prompts and rules.

I always find CPF’s Application Monitor and Network Monitor to be a little
problematic when it comes to creating custom rules.

For one, why are we prompted for inbound TCP/UDP traffic, when there is no rule
in the Network Monitor permitting TCP/UDP inbound traffic? From my understanding, if we
were to delete the rule for outbound TCP/UDP, we would have no internet connection.
Why doesn’t it work the same way for inbound traffic?

Second, why is CPF also prompting us to make rules for programs that are only listening
for packets?

Third, why do my custom rules, which were working perfectly, get removed from the
application monitor at startup?

Fourth, why aren’t all of the portscans and leak tests logged, when I tried (and passed)
them? There was one log event for a portscan when I went to check my weather at
www.weather.com in IE, but nothing was logged from portscans that I initiated myself in IE.

edited: the portscan detected was from an IP nearly identical to mine, while visiting the weather site.

Please help me understand if this is the way CPF is intended to be, or if they are known
bugs that will be fixed in time, as I really want to enjoy CPF like the rest of you.

Anyways, right now I am experimenting with running an older version of Kerio with the latest version
of CPF (2.3.6.81) at the same time. Turns out that after I made provisions in each firewall
for both firewalls to run, I have no conflicts between the two of them, and I still pass
all of the leak tests. I figure for now, I will get all of the benefits of Comodo’s advanced
features, and also get the custom packet filtering that I want through kerio. It’s been a
week since I began doing this, and it’s working well, but it’s only an experiment until another
release of CPF.

Thanks
jb

I think the decision was made during the initial beta-testing as a consensus of all users that the most often required traffic is outbound. For maximum security it’s a good principle to leave out what is not needed. If someone wants to allow INBOUND traffic, he/she should create a rule him/herself. I see your point that part of the application prompt should be to warn the user first that he/she should make a packet rule to make the application rule work…

There are certain security issues with services “only listening for packets”. Especially Windows services of this kind are often attacked/exploited, even with a good firewall running.

Is it possible that you forgot to check ‘Remember my answer for this application’ before you clicked ‘Allow’ or ‘Block’?

  1. There may be different reasons for this: you may be scanning your ISP’s router instead of your own computer when you scan online. Do the following: Start - Run - Type cmd.exe
    Now type ipconfig/all in the command line. There you will see your real current ip-address. Compare that to the address you scan on-line. They might be different!
  2. As I wrote, you use two firewalls simultaneously (that is, if you have disabled the in-built Windows Firewall, otherwise you would be running three): COMODO and an older version of Kerio. One of those will block incoming packets, and of course the other won’t have to do anything, and you will see nothing in your logs.

Paul Wynant
Moscow, Russia

Hello and Thanks.
I only started using both firewalls at the same time after I
gave up on trying to make my own rules in Comodo’s Application Monitor.
But for the sake of the questions I have, I uninstalled Kerio now and
I am using CPF with the Windows firewall turned off.

Next, I deleted every rule in the application monitor
and turned up the alert frequency to high, so I can start
making rules for applications by direction, protocol, and port.

After restarting, I am being prompted many, many times.
Now when I look into the Application Monitor, I see way too
many unnecessary ports being listed, and I haven’t even used the internet yet.
38 new rules are in place for a proxy web filter called Proxomitron.
80,8080,443(tcp out)
53 (udp out)
Then there are 34 various listening ports (1047 - 1427).
Comodo has these listed as TCP Out.

Here is me attempting to make a custom rule:
If I make a rule such as: Proxomitron TCP Out Ports 80,8080,443 Allowed
and also make the following rule: Proxomitron TCP Out Any Port Blocked,
CPF will swap the rules so that I have no connections through Proxomitron,
which means no internet for IE.

If I try to block a listening port, or any traffic port, the program will not
work at all. Same applies to other applications that listen, like Avast’s web
and mail scanners.

If I lower the alert frequency to medium, and don’t bother making custom rules,
everything is fine (if used as a yes or no firewall), but the minute I try to edit
one of them, my connection is killed, or my rule is lost at startup.

Anyways this is what started my idea about using 2 firewalls a week ago.

About my IP being correct while testing:
From Shields Up:
cpe-00-00-00-00.woh.res.rr.com (or 00.00.00.00) ← Not real of course.
The IP listed wasn’t even close to my IP, but the server is correct.

You’re right, the reason I see no logs for port scans
is because I am port scanning my ISP. That explains the no logging problem,
and possibly the network rules problem.

Thanks for the help, you helped narrow down most of the trouble.
James.

PS.
Am I the only person having a problem making Kerio-like rules?

Probably not. You might want to have a look at this thread:

If you have trouble setting up your Net Monitor rules, just let us know.

Paul Wynant
Moscow, Russia

Thank you very much for the link.
The information you shared concerning Network and Application Rules
is very well written, and is going to be very useful to me and for many other people.
I appreciate your time and efforts it took for you to write and explain this.
I will give this a try, probably tomorrow, when there is more time to do this.
ty.
James

You are welcome, jb1971. Would you mind telling me what version of Kerio you have? For me version 2.1.5 has always been my favorite. You will understand from my rules that I come from there…

One difference with Kerio is the following:
For Inbound traffic, the Destination IP and Destination port are YOURS!!! Remember that…

Paul Wynant
Moscow, Russia
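To make the rule-ordering behaviour James describes (the specific Proxomitron allow for 80/8080/443 ahead of the catch-all block) and Paul’s point that inbound traffic is matched on your own destination IP and port concrete, here is an added first-match rule evaluator. It is example code, not CPF’s or Kerio’s; the local address, the two rules’ names and the sample packets are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed local address: the "YOURS" in Paul's remark about inbound traffic.
LOCAL_IP = "192.168.1.10"


@dataclass
class Rule:
    app: str
    direction: str             # "in" or "out"
    proto: str                 # "tcp" or "udp"
    ports: Optional[Set[int]]  # destination ports; None means any port
    action: str                # "allow" or "block"


@dataclass
class Packet:
    app: str
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def direction(pkt: Packet) -> str:
    # Inbound means the destination IP is the local machine's, so the port a
    # rule filters on is then the local (destination) port; outbound packets
    # are filtered on the remote service port, which is also dst_port.
    return "in" if pkt.dst_ip == LOCAL_IP else "out"


def evaluate(rules: List[Rule], pkt: Packet, default: str = "prompt") -> str:
    """Walk the table top-down and return the first matching action.
    'prompt' stands in for the firewall alert when no rule matches."""
    d = direction(pkt)
    for r in rules:
        if (r.app, r.direction, r.proto) != (pkt.app, d, pkt.proto):
            continue
        if r.ports is not None and pkt.dst_port not in r.ports:
            continue
        return r.action
    return default


def proxomitron_rules(specific_first: bool) -> List[Rule]:
    """James's two rules; CPF reordering them is modelled by the flag."""
    allow = Rule("proxomitron", "out", "tcp", {80, 8080, 443}, "allow")
    block = Rule("proxomitron", "out", "tcp", None, "block")
    return [allow, block] if specific_first else [block, allow]


# Constructed sample packets (documentation-range remote addresses).
web = Packet("proxomitron", "tcp", LOCAL_IP, 1047, "203.0.113.5", 80)
irc = Packet("proxomitron", "tcp", LOCAL_IP, 1048, "203.0.113.5", 6667)
listen = Packet("proxomitron", "tcp", "198.51.100.7", 40000, LOCAL_IP, 8080)
```

With the specific allow first, `web` is allowed and `irc` is blocked; once the rules are swapped the catch-all block wins and even port 80 is blocked, which is the lost IE connectivity described above.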

Hi P2U,
My favorite Kerio is v2.1.5 too. I also have Tiny PF v2.0.9 and v2.0.15A, just in case Kerio becomes crippled in the future.

“One difference with Kerio is the following:
For Inbound traffic the Destination IP and Destination port are YOURS!!! Remember that…”

I will keep that in mind when I make up some new rules.

Thanks
James.

Hi P2U,
I made a set of network rules according to the way you had yours set up, and it is working pretty well. For some odd reason this pc requires DNS, Bootps, and bootpc, so I had to keep modifying the rules a bit to get back online. Anyways, it’s working well now.

I also had the listening ports problem taken care of:
https://forums.comodo.com/index.php/topic,4017.0.html

Anyways, I didn’t want to keep you wondering if I got the problems sorted out or not.
Thanks again
James.