Reading the Network Control Rules properly

NOTE:

  • If you want to read through my process of discovery (including my misconceptions)… continue reading this thread from this first post.
  • Or, jump to the end result, which was the creation of a How To - Understanding & Creating Network Control Rules properly in another thread [url]https://forums.comodo.com/index.php/topic,1125.0.html[/url]

And now I start my quest for understanding…

I’ve been looking at the Network Rules created by the Wizards, and the rule I added to support bittorrent communication.

Bouncing between the Rules and reading the Description at the bottom, doesn’t seem to vibe (in my mind). So the issue is either my understanding, or the presentation of the “english” description.

Probably the first issue is understanding Source/Remote as they relate to In/Out -bound communication… is it correct to say:

  • On an Inbound Rule, SOURCE is the “external”/FROM PC/range trying to communicate with my PC/range

  • On an Inbound Rule, REMOTE is the “destination”/TO PC/range communication is allowed to

  • On an Outbound Rule, SOURCE is the “destination”/TO PC/range communication is allowed to

  • On an Outbound Rule, REMOTE is the “external”/FROM PC/range trying to communicate with my PC/range

If the above is correct, then the Description needs to “flip” its To/From just as the external/destination flipped between in/out above.

Example 1: (OutBound)
Permission: Allow, Protocol: IP Out, Source: Any, Remote: ZONE [Home Network], Criteria: Any
Description: ALLOW IP OUT FROM IP [Any] TO IP ZONE: [Home Network] WHERE IPROTO IS ANY ← looks good

Example 2: (InBound)
Permission: Allow, Protocol: IP In, Source: ZONE [Home Network], Remote: Any, Criteria: Any
Description: ALLOW IP IN FROM IP ZONE [Home Network] TO IP [Any] WHERE IPROTO IS ANY ← looks wrong
shouldn’t it say…
Description: ALLOW IP IN TO IP ZONE [Home Network] FROM IP [Any] WHERE IPROTO IS ANY

… knowledge is power (over one’s security)!
(L)

P.S. I should indicate that my observations were made with CPF BETA 2.3.1.20.

Hey mongod,

The easiest way to get your head around this is to start examining each rule with who started the IP conversation.

Regardless of inbound or outbound, SOURCE asked for something from someone, somewhere. REMOTE replied to this request.

In the case of an outbound request (where, for example, your browser is asking for a web page) :

SOURCE is you - you started things by requesting a web page
REMOTE is the web site - they are responding to your request

In the case of an inbound request (where, for example, another PC on your LAN wants to access your Network Places) :

SOURCE is the other PC - they started things by requesting your Network Places
REMOTE is you - they are responding to your request

Comodo have possibly shot themselves in the foot with their terminology. Most other places refer to this type of scenario as SOURCE and DESTINATION. Alternatively, another common naming scheme is LOCAL and REMOTE. I personally feel that SOURCE and DESTINATION is the easiest way to describe what is happening.

Hope this helps.
Ewen :slight_smile:

Thanks Ewen.

It does sound like I am/was on the right track if I read your post correctly.

So am I right in my example 2? That the English description is currently “wrong”?

Permission: Allow, Protocol: IP In, Source: ZONE [Home Network], Remote: Any, Criteria: Any

should say…
Description: ALLOW IP IN TO IP ZONE [Home Network] FROM IP [Any] WHERE IPROTO IS ANY

I don’t think it’s wrong.

THIS IS FOR INBOUND TRAFFIC AS THE REMOTE (DESTINATION) IS YOU
Example 1:
Permission: Allow, Protocol: IP Out, Source: Any, Remote: ZONE [Home Network], Criteria: Any
Description: ALLOW IP OUT FROM IP [Any] TO IP ZONE: [Home Network] WHERE IPROTO IS ANY

THIS IS FOR OUTBOUND TRAFFIC AS THE SOURCE (DESTINATION) IS YOU
Example 2:
Permission: Allow, Protocol: IP In, Source: ZONE [Home Network], Remote: Any, Criteria: Any
Description: ALLOW IP IN FROM IP ZONE [Home Network] TO IP [Any] WHERE IPROTO IS ANY
shouldn’t it say…
Description: ALLOW IP IN TO IP ZONE [Home Network] FROM IP [Any] WHERE IPROTO IS ANY

Clearer? It can take a while for this to sink in, but once you get your brain around the basic concepts, it’s not too hard. Hang in there. :wink:

Ewen :slight_smile:

I can see where the confusion comes in. I just had a good read of the “Description” text, and it’s not that clear, is it? :smiley:

I usually focus on the rule itself, not the description, and now I’m glad that I do.

Rather than reading the description that someone has decided relates to each rule, try parsing the rule itself. If you’ve been able to become confused between your understanding of the rule and the supplied description, maybe your understanding of the rule is correct and the description leaves a little to be desired.

Have another ■■■■■ - you’re nearly there.

Ewen :slight_smile:

Ok, I’m with you so far (I think)… now which verbiage below matches what should be interpreted?

  • ALLOW IP IN FROM IP ZONE [Home Network] TO IP [Any] WHERE IPROTO IS ANY
  • ALLOW IP IN TO IP ZONE [Home Network] FROM IP [Any] WHERE IPROTO IS ANY

The first one is the correct one :smiley:

Whoa, I didn’t notice the labels got switched on the examples in Ewen’s response… I had assumed they were copies of my own… oops… let me reread and post back.

Hey, we have been posting so often that I missed this reply… you must have been writing it as I was mine…

I think this is what I wanted to hear… It wasn’t the Rule that was giving me the problem, it was the Description… as a propellor-head in training, I was looking for the Description to solidify my understanding of the Rule… and that caused my disconnect when the 2 didn’t match in my eyes ;D

So let’s ask the question again…

Should a Rule of…
Permission: Allow, Protocol: IP In, Source: ZONE [Home Network], Remote: Any, Criteria: Any

Have an English read description of…
ALLOW IP IN TO IP ZONE [Home Network] FROM IP [Any] WHERE IPROTO IS ANY

No, it is an English read description of:
ALLOW IP IN TO IP [Any] FROM IP ZONE [Home Network] WHERE IPROTO IS ANY

P.S. The explanation of the above is the following:
This rule tells CPF to let inbound connections that are initiated from your trusted zone to any IP

oh…
hmmm…

So…

  • Source = Scope of origination of the “packet” (who made the request),
  • Remote = Scope of where the “packet” is currently returning/coming from (who is replying to the request),
  • And In/Out are always from the perspective of my PC?

So if I change the Rule up a bit to something like…
Permission: Allow, Protocol: IP In, Source: ZONE [Home Network], Remote: ZONE [Home Network], Criteria: Any

Does this mean … Allow incoming IP communication to My PC, where the communication started within My Network, and is coming to My PC from within My Network??

:slight_smile:

If so… I think my last grey area here is the concept of Any when used as Source and Remote. Any would be more straightforward on a router I think… but when CPF is meant to be scoped down to protect my PC (as opposed to an entire network)… wouldn’t Any sometimes represent my PC?

  • Inbound, Source: Any ← This would mean from anywhere, Lan or Wan
  • Inbound, Remote: Any ← This would mean from anywhere, Lan or Wan
  • Outbound, Source: Any ← This would mean from My PC
  • Outbound, Remote: Any ← hmmm… not sure here, would depend what Source was set to maybe?

Understanding this would help to round off the outbound Rule, that I now feel I understood incorrectly…

Permission: Allow, Protocol: IP Out, Source: Any, Remote: ZONE [Home Network], Criteria: Any
Description: ALLOW IP OUT FROM IP [Any] TO IP ZONE: [Home Network] WHERE IPROTO IS ANY
Really Means: Allow Outbound IP communication from My PC, to my Home Network, originating from Anywhere (which really would be… originating from My PC)?

Many thanks in advance, especially for your patience with this old dog trying to expand his mind. :wink:

(J)

Edit:
I’m really starting to hope I’ve got it… as my bittorrent rule I just copied from the FAQs, now makes sense to me…

Permission: Allow, Protocol: TCP/UDP In, Source: Any, Remote: ZONE [Home Network], Source Port: Any, Remote Port: 46881,46882
Description: ALLOW TCP or UDP IN FROM IP [Any] TO IP ZONE: [Home Network] WHERE SOURCE PORT IS ANY AND REMOTE PORT IS IN [46881,46882]
Really Means: Allow Inbound TCP/UDP communication to my PC, from Anywhere (including the internet), originating from My Home Network/PC on ports 46881 & 46882

(B)

For source and remote you are right.
But for in/out your guess is wrong. It is not perspective of your pc!

In is for describing an inbound connection
Out is for describing an inbound connection

ERROR… divide by zero detected… mental crash imminent :wink:

so…

  • an inbound rule is based on “unrequested” inbound communication?
  • an outbound rule deals with the inbound result of a “requested” (i.e. outbound) communication?

hmmm… so…

  • The Source of an Outbound rule should always imply my PC, whether its IP is set, its subnet is set, or Any is selected? If it was set to anything else, I guess it would be a broken/invalid OutBound rule?
  • The Remote of an Inbound rule should always imply my PC, whether its IP is set, its subnet is set, or Any is selected? If it was set to anything else, I guess it would be a broken/invalid InBound rule?

Ewen, I think the wisdom in your first post is starting to sink in now with pandlouk’s fine brain surgery. My issues in some cases are lack of knowledge, but a giant part of it I think is the brainwashing reversal of the past “lazy, 2 choice” products.

Keep me on the straight and narrow Ewen & pandlouk… I hope I’m getting there!! I’ll keep making attempts to flex the brain muscles, and you keep driving home the lesson.

(V)

Correct :smiley:

hmmm… so the Source of an Outbound rule should always imply my PC, whether its IP is set, its subnet is set, or Any is selected? If it was set to anything else, I guess it would be a broken/invalid OutBound rule?
Correct again. That is why the default allow OUT rule is there. ;D
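To make the reading the thread has settled on concrete, here is an added illustration written for this page; it is constructed example code, not CPF’s rule engine and not something posted in the thread. It assumes a Home Network zone of 192.168.1.0/24, a local address of 192.168.1.10, first-match rule evaluation and a default of Block, all of which are assumptions for the sake of the example. Each rule’s Source is checked against whoever initiated the conversation and its Remote against whoever answers, and In/Out is decided by whether my PC was the initiator, which is why Source “Any” on an Out rule and Remote “Any” on an In rule can only ever match my PC. The describe() helper reproduces the English line CPF prints, showing that FROM always follows Source and TO always follows Remote regardless of direction.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample values; a real CPF install uses whatever the wizard defined.
HOME_ZONE = ip_network("192.168.1.0/24")
MY_PC = ip_address("192.168.1.10")

@dataclass
class Rule:
    permission: str           # "Allow" or "Block"
    protocol: str             # "IP", "TCP", "UDP" or "TCP/UDP"
    direction: str            # "In" / "Out": who started the conversation, seen from my PC
    source: str               # scope of the endpoint that initiated (asked)
    remote: str               # scope of the endpoint that replies
    source_port: str = "Any"  # "Any" or a comma-separated port list
    remote_port: str = "Any"

@dataclass
class Connection:
    protocol: str
    initiator: str            # address that started the conversation
    initiator_port: int
    responder: str            # address that answers it
    responder_port: int

def addr_in_scope(scope, addr):
    a = ip_address(addr)
    if scope == "Any":
        return True
    if scope == "ZONE [Home Network]":
        return a in HOME_ZONE
    return a == ip_address(scope)  # a single literal IP

def port_in_scope(scope, port):
    return scope == "Any" or port in {int(p) for p in scope.split(",")}

def proto_matches(rule_proto, conn_proto):
    return rule_proto == "IP" or conn_proto in rule_proto.split("/")

def direction_of(conn):
    """In/Out is the direction of the connection: Out if my PC started it."""
    if ip_address(conn.initiator) == MY_PC:
        return "Out"
    if ip_address(conn.responder) == MY_PC:
        return "In"
    return None  # not terminating on this PC; a host firewall never sees it

def rule_matches(rule, conn):
    # Source is always checked against the initiator and Remote against the
    # responder, whichever direction the rule is for. On an Out rule the
    # initiator is my PC, so Source "Any" can only mean my PC; on an In rule
    # the responder is my PC, so Remote "Any" likewise.
    return (direction_of(conn) == rule.direction
            and proto_matches(rule.protocol, conn.protocol)
            and addr_in_scope(rule.source, conn.initiator)
            and addr_in_scope(rule.remote, conn.responder)
            and port_in_scope(rule.source_port, conn.initiator_port)
            and port_in_scope(rule.remote_port, conn.responder_port))

def decide(rules, conn):
    """First matching rule wins; unmatched traffic is blocked (assumed default)."""
    for rule in rules:
        if rule_matches(rule, conn):
            return rule.permission
    return "Block"

def describe(rule):
    """The English line CPF shows: FROM is always Source, TO is always Remote."""
    ip_text = lambda s: "[Any]" if s == "Any" else s
    port_text = lambda s: "IS ANY" if s == "Any" else f"IS IN [{s}]"
    proto = "TCP or UDP" if rule.protocol == "TCP/UDP" else rule.protocol
    where = ("IPROTO IS ANY" if rule.protocol == "IP" else
             f"SOURCE PORT {port_text(rule.source_port)} AND REMOTE PORT {port_text(rule.remote_port)}")
    return (f"{rule.permission.upper()} {proto} {rule.direction.upper()} "
            f"FROM IP {ip_text(rule.source)} TO IP {ip_text(rule.remote)} WHERE {where}")

# The rules discussed in the thread, in evaluation order.
RULES = [
    Rule("Allow", "IP", "In", "ZONE [Home Network]", "Any"),                             # example 2
    Rule("Allow", "TCP/UDP", "In", "Any", "ZONE [Home Network]", "Any", "46881,46882"),  # bittorrent rule
    Rule("Allow", "IP", "Out", "Any", "ZONE [Home Network]"),                            # example 1
    Rule("Allow", "IP", "Out", "Any", "Any"),                                            # default allow OUT
]

# Constructed sample conversations.
LAN_SHARE = Connection("TCP", "192.168.1.20", 49152, "192.168.1.10", 445)   # LAN PC opens my shares
BT_PEER = Connection("TCP", "203.0.113.5", 51413, "192.168.1.10", 46881)    # internet peer reaches my client
WEB_PROBE = Connection("TCP", "203.0.113.5", 40000, "192.168.1.10", 80)     # unsolicited internet probe
BROWSE = Connection("TCP", "192.168.1.10", 49153, "203.0.113.5", 443)       # my browser asks for a page

if __name__ == "__main__":
    for r in RULES:
        print(describe(r))
    for name, c in [("LAN_SHARE", LAN_SHARE), ("BT_PEER", BT_PEER),
                    ("WEB_PROBE", WEB_PROBE), ("BROWSE", BROWSE)]:
        print(f"{name}: {direction_of(c)} -> {decide(RULES, c)}")
```

Running it shows the inbound LAN share and the inbound bittorrent peer both allowed, the unsolicited probe on port 80 blocked, and the browser’s outbound request allowed only because the default allow OUT rule is last in the list; drop that rule and the browse is blocked, which is the point pandlouk makes about why it exists.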

awesome pandlouk!!

(I was editing my post as you were posting, made an inbound observation that I hope is also correct)

Ok, now to edit all the posts that showed how wrong I was… ;D :wink:

Is this post coherent enough for someone needing the same “brain surgery” to read, or should I try to test my (hopefully) newfound wisdom with a summary post that you & Ewen (hopefully) give the thumbs up to?

Go for it! Then you can handle the next posting on “How do these rules work?”. LOL

Don’t delete/modify the above posts. It will help the others to understand better. Just make another one with the right settings.

And you are ready to make a guide like “creating and understanding the rules of N.M”

good job ;D ;D ;D

I’m not getting too excited; yet… as I still have one more chance to say something wrong :smiley:

I’m not touching a thing, if anything I’ll add a “skip to the real answer” link onto the first post of this thread so people can choose to wade through my mistakes… or jump to the answer at the end of this thread ;D

Congratulations Daniel. Please raise your table tray and return your seats to the upright position. You are cleared for landing in Propellor-head Land. :wink:

Well done! Now about ICMP and BGP protocol filtering and sniffing …

ewen :slight_smile:

Doh! And here I thought I could rest on my laurels for at least a week… break’s over, eh?

(B)