I downloaded and installed the beta version 220.127.116.118. I’m impressed! Especially the configurability of defense+ is impressive. The Learn Safe mode works well. For the moment I can live with the bugs (such as the IP address switch). There is one thing I cannot get to work though and that is the access to the network disks. I added the home network as a zone in “My Network” but cannot get access to the network disks (access is possible when I close CFP). I don’t have this problem with version 2.4 on an XP machine.
Could anyone help me with defining the rules for getting access to network disks? I tried to find some guidelines unsuccessfully.
It sounds like you’ve taken one step on the path; now you need to take the next. v3 is a bit different than v2.4, and doesn’t (afaik) provide a Network Wizard to add that Zone as a trusted network.
You’ll need to open Firewall/Advanced/Network Security/Policy/Global Rules and use that Zone in two different rules, that you’ll want positioned at the top of the Global Rules screen (= Network Monitor in v2.4). These rules will be:
Name: (name the rule)
Source IP: Zone
Destination IP: Any
IP Details: Any
Name: (name the rule)
Source IP: Any
Destination IP: Zone
IP Details: Any
Alternately, you could try using the Firewall Stealth Configuration (Firewall/Common Tasks). You’d want the first option, “I would like to be completely visible…”. Be aware that this will not replace any duplicate rules within the Global Rules section; it will simply add them again, creating duplicate rules. I haven’t done this one, so I’m not sure exactly what rules it will add, if it automatically incorporates your zone, and so on.
It does work now. However, I had to remove the predefined settings for system and svchost as these rules overruled the global rules. This was not a wise decision: allowing one outbound connection for svchost led to rules allowing for everything. I plan to retest this as I may have jumped too quickly to the conclusion that it was not possible to change the rules for svchost and system.
Anyway, I know where to look now. It is a matter of experimenting and defining rules now!
Thanks again and I’m afraid I’ll be back with more questions…
I also tried the stealth function. It works exactly as you described!
I don’t think that Application Rules should “override” Global Rules; they will however work with them.
So for example, if there is a default Global Rule to Allow TCP/UDP Out, and you have an Application Rule for svchost.exe to Allow TCP/UDP Out, then yes it will be able to go anywhere and do anything (so to speak).
You would have to increase the level of detail on the svchost Application Rule to include things like Ports, IP Address, etc.
Keep playing with it; you’ll figure it out. If you’ve used 2.4 this shouldn’t be too difficult for you - the basic concepts are the same.
Sorry, my response took a while due to a messed-up network adapter.
I am not used to version 2.4 as I used Outpost Firewall before. Outpost processes rules in a certain order so I assumed application rules precede global rules. Is there any info on Comodo rules processing? And: what happens in case of conflicting rules?
BTW: the out-of-the-box rules for System.exe (outgoing only template with 2 rules: 1. allow TCP/UDP outgoing requests; 2. block and log unmatching request; I couldn’t see the actual rule definition) prevent access to the network disks. After removing the rule(s) for system.exe the access works.
For more info about how CFP works, check out this compilation tutorial thread. You’re going to want to look at the Layered Rules Explanation. https://forums.comodo.com/index.php/topic,6167.0.html That should help you out. Ask any questions you need. It was written for 2.4, but it’s basically the same for v3.
And yes, the default rules will not allow you to access Networked resources. In Firewall tab, go to Common Tasks/Firewall Stealth Configuration. You want to choose the first option, “I would like to be completely visible…”. This will prompt you to select a Zone to use (that you’ve already defined), or to create a new Zone to use. When you finish that, go to Advanced/Network Security Policy/Global Rules. Delete/Remove any duplicated rules (if there are any). Then try to access network resources; it should work. IF any application rules need to change, they will automatically do so if you have left the Security Level set to Learn Safe Only.
Great info LM! Very useful. I will need some time to read and implement the rules.
W.r.t. the method you described: it does not work in 18.104.22.168 unless I change the default rules for system (based on the “outgoing only” predefined policy). Just deleting the predefined rule and responding to the first request results in an “allow anything” type of rule. What works better is to change pre-defined into “custom” and allow UDP traffic with the network disks. I also had to include address x.x.x.255 in the list.
I also noticed that “allow” answers to an application only put limits on the direction. The generated rule typically is “Allow IP in (or out) from IP any to IP any where protocol is any”. Outpost generates very specific – customizable – rules that only allow for the specific request (including protocol, local port, remote port, etc). Hopefully Comodo will implement such an approach as well in the next version. Perhaps I should report it as a nice-to-have?
I am still confused about the order in which rules are processed. If I understand the tutorials correctly, application rules precede network/global rules for outgoing traffic. However, when I add a rule “block all outgoing traffic” as global rule (after other rules), no application is allowed to connect even if there is a specific application rule defined.
Peter, if you want more detail-specific application rules, you have to increase the Alert Frequency level (Firewall/Advanced/Behavior Settings/Alert Settings) above the default Low. IMO, they need to call it something other than Alert Frequency, as this can be somewhat confusing…
Each of these levels corresponds to a different level of detail in the associated popups and rules. This is a global setting, however, so the more detail included in the alert frequency, the more popups you’re going to get for each application… This has caused a lot of users to think the FW is not remembering rules where in fact, it is creating a new one based on each scenario.
I’m not sure about your “Block All Outgoing Traffic” scenario; if that rule is at the very bottom of the Global Rules monitor, you shouldn’t have been blocked. Did you happen to Exit and restart the firewall after creating that rule, or reboot?
It took me some time to respond as I got into trouble when I experimented a bit with the “block all outgoing traffic” global rule (at the very bottom of the global rules monitor). Restarting the firewall did not make a difference: all traffic was stopped. When I rebooted, I really got into trouble and wasn’t even able to acquire an IP-address, ran into problems with explorer, etc.
Now the freaky part starts: when I deleted the “block all” rule I could get access to internet but no access to my network disks…I had to allow all traffic for system to be able to get access (I did not do anything with the rules, as suggested by you before). Then I deleted this “allow all” rule. After restarting the firewall (just to be sure) I got access and…some rules were added, specifying IP-address, local port, remote port (great!!). You told me this would happen with an “alert-above-low” level but it did not happen before.
As I did quite some software testing when I started my career (OK, OK, a long time ago but the habits are still there), this puzzled me; I got different results from the same rule sets… I am pretty sure I did things step-by-step, made notes, avoiding multiple actions at once, etc. It didn’t make sense to me. Although I could have done something wrong (I’d like to think I’m human) I’d also like to believe there must be another explanation. As a novice I’m inclined to think there are some mysterious paths in Comodo, or Windows Firewall (despite being turned off), or another program interferes. Did I overlook something?
Unfortunately I don’t know v3 like the back of my hand, just yet. Version 2.4 I know quite well; this one is new to me still.
I haven’t had any real connection problems with this one, and I’m not sure what’s going on with yours. However, we are working with a Beta product, so it’s still a bit buggy.
My suggestion at this point is to start from a clean rules slate. By this I mean to remove all the Firewall/Advanced/Network Security Policy/Global Rules. Then go to the Stealth Configuration, and select the top option, to set up some default rules for Local Area Network access (that’s the option, “I would like to be completely visible from within a trusted network.”). When prompted, set up the IP range for that Zone, give it a name, etc.
Give the firewall a few minutes to implement the changes before doing anything. Then I’d suggest rebooting, and check to make sure the Global Rules have remained as you left them.
I decided to start from scratch and uninstalled Comodo. Since quite a few registry entries were left I decided to delete these. Wrong! A few entries related to something called Comodo Firewall Miniport. Deleting these entries basically made my network card unusable. Device manager still showed 3 types of miniports (if I recall this correctly). Uninstalling was impossible, even in safe mode. After trying several options (reinstalling card driver, etc) I had to restore the registry to a date before installing comodo. Result: entries gone, problem solved, ready for fresh start.
I reinstalled Comodo, set the alert level to very high, defined the trusted zone, used the stealth function. Result: global rules added, no access to network disks… Solution: changing the rules for system.
What’s odd after reinstalling: there are no comodo firewall miniport drivers visible anymore.
I use a separate notebook now - being a book to make notes - to keep track of what I’m doing + tracking errors/suggestions. I’ll report in the related track, OK?
The good news is: the access problem is solved! The bad news: I’m still unclear in what order rules are processed…
All the best and thanks for your time, patience, and help! (R)
Hmm, I’ve seen some other firewalls (namely, PCTools) install a driver that showed up as a miniport driver; when I updated system drivers, I was warned that it was changing the hardware configuration of the network adapter “pctools whatever the name was miniport”.
I’ve not seen that from CFP, though, afaik. I’m glad you’ve solved the problem. As far as processing order for rules, it should be pretty much the same as in v2.4. For Inbound (unsolicited) connection attempts, Global Rules will process first, then if approved Application Rules, then if approved Defense +.
For Outbound connections, the order would be Defense +, Application Rules, Global Rules.
The best way to learn it is to mess around with it a bit… create an application rule to allow a certain type of traffic, then a global rule to block that type of traffic. Just remember that with the current Beta, update timing on new rules is a bit “iffy.” Might have to play with that a bit, too…
The more you learn about the previous version (2.4) the better-equipped you’ll be for this one.
BTW, I’m closing out this topic, as it seems to have been resolved (one way or another ~ ); if you need it reopened, just PM a Moderator (please include a link back here) and we’ll be glad to do so.
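A constructed Python model of the layered rule evaluation LM describes (inbound: Global Rules then Application Rules; outbound: Application Rules then Global Rules), using the two zone rules from the top of the thread and the “outgoing only” template for system. This is an added example, not Comodo’s code or behaviour; the zone address range, the first-match evaluation within a layer, and treating an unmatched connection as blocked are assumptions.

```python
from ipaddress import ip_address, ip_network

# Assumed model of CFP's layered evaluation (constructed for illustration,
# not Comodo's code): every layer is an ordered list evaluated first-match,
# and a connection passes only if each layer in turn allows it.
TRUSTED_ZONE = ip_network("192.168.1.0/24")  # constructed "My Network" zone

def addr_matches(spec, addr):
    if spec == "Any":
        return True
    if spec == "Zone":
        return ip_address(addr) in TRUSTED_ZONE
    return ip_address(addr) == ip_address(spec)

def rule_matches(rule, conn):
    action, direction, proto, src, dst = rule
    return (direction in ("Any", conn["direction"])
            and proto in ("Any", conn["proto"])
            and addr_matches(src, conn["src"])
            and addr_matches(dst, conn["dst"]))

def first_match(rules, conn):
    # The first matching rule decides. An unmatched connection is treated as
    # blocked here; assumption, since the real firewall may alert instead.
    for rule in rules:
        if rule_matches(rule, conn):
            return rule[0]
    return "Block"

def evaluate(conn, global_rules, app_rules):
    # Inbound: Global Rules, then Application Rules.
    # Outbound: Application Rules, then Global Rules. (Defense+ omitted.)
    layers = ([global_rules, app_rules] if conn["direction"] == "In"
              else [app_rules, global_rules])
    return "Allow" if all(first_match(l, conn) == "Allow" for l in layers) else "Block"

def conn(direction, proto, src, dst):
    return {"direction": direction, "proto": proto, "src": src, "dst": dst}

# Rules as (action, direction, protocol, source, destination).
# Global: the two zone rules from the thread on top, then the default
# "Allow TCP/UDP Out"; the last entry is the "block all outgoing" experiment.
GLOBAL_RULES = [("Allow", "Any", "Any", "Zone", "Any"),
                ("Allow", "Any", "Any", "Any", "Zone"),
                ("Allow", "Out", "TCP", "Any", "Any"),
                ("Allow", "Out", "UDP", "Any", "Any"),
                ("Block", "Out", "Any", "Any", "Any")]
SYSTEM_RULES = [("Allow", "Out", "TCP", "Any", "Any"),  # "outgoing only" template
                ("Allow", "Out", "UDP", "Any", "Any")]
```

Because the zone rule with Source IP = Zone sits first, an outbound packet from a zone address never reaches the bottom “block” rule, whereas the same packet from an address outside the zone does; the order of the list, not just its contents, decides the outcome.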