[RESOLVED] Can't get Comodo to Handle Loopback Connections on Listening Ports

Tried with a fresh install of Comodo v8.2.0.4792 on Windows 10 64-bit.

Without adding and changing any rules, and with “Filter loopback traffic” checked, this is what happens:

Alert for outgoing connections to 127.0.0.1
Alert for connections to a local port from a non-127.0.0.1 address.
NO Alert for connections from 127.0.0.1 to a local port.

For example, if Privoxy.exe is running and listening for connections on port 8118 (127.0.0.1:8118),
there will be no alert if the connecting (remote) IP address is 127.0.0.1.

(Privoxy is just an example. This is true even for applications I made myself.)

The connection(s) will be allowed without any notification or interaction.

If I am remembering correctly, this used to not be the case.
You would get alerts even for Loopback incoming connections.

Anyone else seeing this and/or know how to address it?

Remove any global rule or network rule for localhost/loopback.
You will need to make rules for the localhost.

Should work okay - I use privoxy with comodo firewall ( using custom rule set only!) and no issues.
Also third party antivirus often use a localhost proxy to monitor both local and networking connections and maybe interfere with the firewall.

I deleted the Loopback Network Zone, Made sure all Global Rules are set to block, and I created a rule for Privoxy to block all incoming connections.

(Even though the text says to allow, the icons show it is set to block.)

No antivirus is active.

Result:
Comodo still allows connections to Privoxy’s local port even when specially told not to allow a connection, as long as the address trying to connect is 127.0.0.1.

The issue isn’t that Privoxy doesn’t work. It works fine.
The issue is that there seems to be no way to block local (127.0.0.1) incoming connections.

Is the issue that when an incoming connection request is made and the source address is the localhost (127.0.0.1) and the destination address is a non-localhost address, no alert is displayed? If so, can you explain the case when such a network connection is made?

The issue only happens when connecting from 127.0.0.1 to 127.0.0.1.

For example, connecting to Privoxy:

telnet 127.0.0.1 8118

The incoming connection to the local listening port is permitted with no alert, and even permitted if you create a rule to not allow it.

Comodo handles incoming IP addresses other than 127.0.0.1 properly/without-issue.

CIS doesn’t filter incoming connections to the loopback interface but only when applications attempt an outbound connection to the loopback interface. If you want to prevent applications from accessing the loopback interface, you would need to create a block outgoing rule with destination address 127.0.0.1 or ::1 for the application you want to block.
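The `telnet 127.0.0.1 8118` check above, and the note that a block rule has to name both 127.0.0.1 and ::1, can be turned into a repeatable self-test. The script below is an added example, not something posted in this thread and not part of Comodo or Privoxy: it starts a throwaway listener on a loopback address, connects to it from the same address, and reports whether the connection got through and what source address the listener saw. Run it with the firewall rule under test in place; `connected` True means the firewall let the loopback connection through. The port is chosen by the OS (port 0) so the probe never collides with a real proxy, and the IPv6 case is tolerated failing on hosts without ::1.

```python
import socket
import threading


def loopback_probe(host="127.0.0.1", port=0, timeout=2.0):
    """Start a listener on `host`, connect to it over the same loopback
    address, and report what happened.

    Returns {"host", "port", "connected", "peer", "error"}.
    connected False + error set  -> the connection was refused or dropped
                                    (e.g. by a host firewall rule)
    connected True  + peer set   -> the listener accepted it and saw `peer`
                                    as the source address
    port=0 (assumed default) lets the OS pick a free port."""
    family = socket.AF_INET6 if ":" in host else socket.AF_INET
    result = {"host": host, "port": port, "connected": False,
              "peer": None, "error": None}
    try:
        listener = socket.socket(family, socket.SOCK_STREAM)
        listener.settimeout(timeout)
        listener.bind((host, port))
        listener.listen(1)
        result["port"] = listener.getsockname()[1]
    except OSError as exc:
        result["error"] = f"listen failed: {exc}"
        return result

    seen = {}

    def serve():
        # Accept one connection, record its source address, send a banner.
        try:
            conn, addr = listener.accept()
            seen["peer"] = addr[0]
            conn.sendall(b"hello from listener\n")
            conn.close()
        except OSError as exc:
            seen["error"] = f"accept failed: {exc}"

    worker = threading.Thread(target=serve, daemon=True)
    worker.start()

    try:
        client = socket.create_connection((host, result["port"]), timeout=timeout)
        banner = client.recv(64)
        client.close()
        worker.join(timeout)
        result["connected"] = banner.startswith(b"hello")
        result["peer"] = seen.get("peer")
        result["error"] = seen.get("error")
    except OSError as exc:
        result["error"] = f"connect failed: {exc}"
    finally:
        listener.close()
    return result


def probe_all():
    """Probe both loopback addresses a block rule would need to cover."""
    return {h: loopback_probe(h) for h in ("127.0.0.1", "::1")}


if __name__ == "__main__":
    for host, r in probe_all().items():
        state = "ALLOWED" if r["connected"] else "BLOCKED/FAILED"
        print(f"{host}:{r['port']} -> {state} "
              f"(peer seen by listener: {r['peer']}, error: {r['error']})")
```

With no firewall rule in the way both lines report ALLOWED and the listener sees the loopback address itself as the peer; if a per-application block rule for the Python interpreter really filters loopback, the 127.0.0.1 line (and, once the rule also names ::1, the IPv6 line) switches to BLOCKED/FAILED.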

I must have been remembering incorrectly then.
It’s nice to know, at least, that there’s not something in my setup causing unintended behavior.
Thanks for the reply.

How is this resolved please?
Let’s say I have a proxy set to 127.0.0.1 in IE. Any malware that checks for IE’s proxy setting and uses that as well can freely connect to the internet thru my proxy!! Without any rule whatsoever and without even showing up in the Comodo log.
If IE is running thru my proxy its not shown as using a connection either!
That was definitely changed in a recent version. Well, recent as in I have used Comodo since v5 or so. So yeah, sometime since then.
I’m 100% certain because I wouldn’t have some of my rules if every application could just freely connect to my proxy!

Try it, just delete the rules you had for, let’s say, Firefox to connect to Privoxy and it will still work just fine! THAT SUCKS!
… and this can definitely not be the way a firewall is supposed to work! and it didn’t in earlier versions! so PLEASE — FIX ASAP!!!

Using CFW 5.10 (Win 7 Pro) with my own rule set (basically deleted the default and created my own settings and rules under Custom setting).
I always see alerts for any new connection attempts for 127.0.0.1:8118.
That is sufficient for my needs and wants for a firewall.

Well, good for you, but this is “Help - CIS” and I’m using CIS v8.2.0.
You just confirmed what I said, in that older versions worked correctly and showed alerts and/or blocked connections to 127.0.0.1.
But not anymore.
I only found out today and I must say I’m pretty ■■■■■■ about it.
Would hate to ditch Comodo since I’m otherwise pretty happy with it.
Thx for your reply though!

Perhaps other latest CIS users will add?
There are other local proxy software besides Privoxy such as adguard, adfender, old proxomitron, etc.

If the firewall is in safe mode and any application that is trusted by comodo or you in the file list, then it will not generate an alert for outgoing network connections. This is why firefox or IE won’t show an alert due to being trusted. Otherwise if the application does not have a trusted rating, then you will get an alert for outgoing access including loopback connection attempts. To have comodo firewall to alert for every application that attempts to make an outgoing connection attempt, set the firewall to custom ruleset. Also if you already have a rule allowing access then no alert will be shown.

Thx for your reply.

I always have and had the firewall set to custom ruleset and all the trust thingys are disabled. Basically paranoia mode if you will.
I used to have a rule for e.g. Firefox to allow outgoing access to 127.0.0.1:8118 and noticed today that that rule is now useless and everything is allowed to access 127.0.0.1. Removed the rule and no alert showed, but Firefox still worked.
I also tested chrome recently and wondered how the hell it managed to bypass the firewall without any messages or alerts popping up.
Needless to say I don’t have chrome installed anymore :wink:
Only today I realised who the real culprit was in that case!
Alert frequency is set to “very high”.
And the “Filter loopback traffic” setting is also enabled, but clearly not doing anything, or at least not what I thought it would and should do.

EDIT: do you have the latest CIS and could maybe test this, or did you already and had a different behaviour?
I think you don’t even need a proxy listening, just setting IE or any other browser to use a proxy on 127.0.0.1 on any port, should in theory produce an alert for that browser upon starting it. Could you please test it?
Also, I just created a rule to block “IP in/out any any any” for firefox and it still works just fine, connecting to my proxy on 127.0.0.1 as if there wasn’t any rule at all.

I tested out versions 5, 6, 7 and the latest 8.
Version 8 responded correctly when new attempts were made to 127.0.0.1:8118, but using my own rules, not the default settings.

I liked all the versions, but chose 5 for its simplicity and straightforwardness.
Really have no need for the virtual/kiosk or sandbox or the other extras.
Firewall with straight HIPS was all I wanted - I am old school.

Ok sorry guys, I just uninstalled CIS, rebooted, reinstalled, rebooted and then imported my config and now it works again as it should!

Something must have messed up something, because it wasn’t my rules that were faulty. Same rules, but now it works again. SORRY!

Thx oldsod for testing all those versions and helping me figure this out! <3

Glad you got it sorted out and hopefully are reassured. :slight_smile: