Safe Mode + Trusted/Untrusted File + Global Rules

Please explain to me something…

Why do I receive an alarm message for incoming traffic (trusted exe) from the local safe zone when in Global Rules I have a rule to allow incoming traffic from the local safe zone?

The firewall is set to “safe mode”.
2 rules in Global Rules:

ALLOW PROTOCOL IP (ANY) INCOMING IF SOURCE “HOUSE#1”
ALLOW PROTOCOL IP (ANY) OUTGOING IF DESTINATION “HOUSE#1”

definition of “HOUSE#1”

IPv4 MASK
010.032.064.000
255.255.255.192

and then I got a traffic alert about a trusted app that wants to receive an incoming connection from “another device” (and that other device is in the local trusted safe zone…)

details of alert:

APPLICATION
“C:\Windows\System32\svchost.exe”

DIRECTION
incoming

PROTOCOL
udp

SOURCE IP

10.32.64.1 (router, gateway to the internet)

DESTINATION IP

10.32.64.11 (local host with COMODO installed)

PORTS are irrelevant here, yes?


Why is the global rule omitted/ignored here? A BUG maybe?

A couple of months ago I had a similar problem… with global rules not working… but with outgoing traffic to the local safe zone and an untrusted file (I wrote here about it but got no help…)

For me it is not clear enough in the manual how Global Rules and “Trusted/Untrusted” files work when “Safe Mode” is in use (I’m guessing “Custom Ruleset Mode” is totally free of such deliberations :) )

EXAMPLE:

what should happen when:

Trusted File, Incoming Connection FROM Safe Network Zone, Firewall in Safe Mode, Destination IP and Source IP in The same Safe Network Zone ?

Incoming traffic first goes through Global Rules and then through Application Rules. You need to make a rule for svchost.exe to allow the incoming traffic. When the rule is done, make sure it is somewhere above the rule for Windows System Applications.

Please explain to me why I need to set up an incoming rule for svchost.exe in the application rule set list? One global rule should do the thing :o Why is the global rule not working???

When a global rule for allowing incoming traffic is in use, does the firewall still parse the application rule set??? I always thought that after the firewall matches any single rule (global or app) it stops searching for other rules…

It’s how the firewall is built. You can read more about it here: Global Rules, Firewall Protection, Best Firewall, Network Connection - COMODO.

When a global rule for allowing incoming traffic is in use, does the firewall still parse the application rule set??? I always thought that after the firewall matches any single rule (global or app) it stops searching for other rules…
After you have made a Global Rule to allow incoming traffic you need to make an Application Rule for the application that will receive the incoming traffic.

Svchost.exe is part of the Windows System Applications group. It is best to make a separate rule for svchost.exe. The firewall parses rules top-down. Therefore you need to make sure that the rule for svchost.exe is somewhere above the rule for the Windows System Applications group.
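To make the two-stage evaluation in the reply above concrete, here is a small Python model of it, added here as an illustration; it is not Comodo's code and does not claim to reproduce every detail of the product. It walks the incoming packet from the original post (UDP, 10.32.64.1 to 10.32.64.11, received by svchost.exe) through the Global Rules first and then through the Application Rules, each list top-down with first match winning, and shows that a global allow does not end evaluation: the application list decides, and a svchost.exe entry placed below the Windows System Applications group never gets consulted. Two things are assumptions of the model rather than statements from the thread: that an application entry with no matching rule produces an alert ("ask"), and that only the first application entry covering the executable is consulted. The lsass.exe group member and the 10.32.64.100 host are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Values taken from the original post; HOUSE#1 is 10.32.64.0 mask 255.255.255.192.
SVCHOST = r"C:\Windows\System32\svchost.exe"
HOUSE1 = ipaddress.ip_network("10.32.64.0/26")


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out"
    proto: str       # "udp" or "tcp"
    src: str
    dst: str
    app: str         # executable that would receive (or send) it


@dataclass(frozen=True)
class Rule:
    action: str                                   # "allow" or "block"
    direction: str                                # "in", "out" or "any"
    proto: str                                    # "ip" matches any protocol
    zone: Optional[ipaddress.IPv4Network] = None  # remote side: source for "in", destination for "out"
    log: bool = False


@dataclass(frozen=True)
class AppEntry:
    name: str
    members: tuple   # executables this entry covers (a group covers several)
    rules: tuple     # that entry's own rules, top-down


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction not in ("any", pkt.direction):
        return False
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.zone is not None:
        remote = pkt.src if pkt.direction == "in" else pkt.dst
        if ipaddress.ip_address(remote) not in rule.zone:
            return False
    return True


def first_match(rules, pkt: Packet) -> Optional[Rule]:
    """Top-down walk, first matching rule wins; None if nothing matched."""
    for rule in rules:
        if matches(rule, pkt):
            return rule
    return None


def decide_incoming(global_rules, app_entries, pkt: Packet):
    """Return (verdict, log_lines); verdict is "allow", "block" or "ask".
    "ask" models the alert the original poster saw for a trusted file with no rule."""
    assert pkt.direction == "in"
    log = []
    g = first_match(global_rules, pkt)
    if g is not None and g.log:
        log.append(f"global {g.action} {pkt.proto} {pkt.src}->{pkt.dst}")
    if g is not None and g.action == "block":
        return "block", log
    # A global allow does not end the evaluation; the application list is walked next.
    # Assumption: the first entry that covers the executable is the only one consulted.
    entry = next((e for e in app_entries if pkt.app in e.members), None)
    if entry is None:
        return "ask", log
    a = first_match(entry.rules, pkt)
    if a is None:
        return "ask", log   # assumption: no matching rule for the app -> alert
    if a.log:
        log.append(f"app {entry.name} {a.action} {pkt.proto} {pkt.src}->{pkt.dst}")
    return a.action, log


# The poster's two Global Rules, logging turned on for the incoming one.
GLOBAL_RULES = (
    Rule("allow", "in", "ip", HOUSE1, log=True),
    Rule("allow", "out", "ip", HOUSE1),
)
# Constructed group entry: outgoing only, so nothing in it matches incoming UDP.
WINDOWS_SYSTEM_APPS = AppEntry(
    "Windows System Applications",
    (SVCHOST, r"C:\Windows\System32\lsass.exe"),
    (Rule("allow", "out", "ip"),),
)
# The separate svchost.exe entry the reply recommends.
SVCHOST_ENTRY = AppEntry(
    "svchost.exe", (SVCHOST,), (Rule("allow", "in", "udp", HOUSE1, log=True),)
)
ROUTER_TO_HOST = Packet("in", "udp", "10.32.64.1", "10.32.64.11", SVCHOST)


def walk_layouts() -> dict:
    """Verdict for the poster's packet under three Application Rules orderings."""
    layouts = {
        "group only": (WINDOWS_SYSTEM_APPS,),
        "svchost below group": (WINDOWS_SYSTEM_APPS, SVCHOST_ENTRY),
        "svchost above group": (SVCHOST_ENTRY, WINDOWS_SYSTEM_APPS),
    }
    return {name: decide_incoming(GLOBAL_RULES, entries, ROUTER_TO_HOST)[0]
            for name, entries in layouts.items()}


def outside_zone() -> str:
    """Constructed host outside the /26: neither list matches, so it alerts."""
    pkt = Packet("in", "udp", "10.32.64.100", "10.32.64.11", SVCHOST)
    return decide_incoming(GLOBAL_RULES, (SVCHOST_ENTRY, WINDOWS_SYSTEM_APPS), pkt)[0]


if __name__ == "__main__":
    for name, verdict in walk_layouts().items():
        print(f"{name:22s} -> {verdict}")
    print("outside zone           ->", outside_zone())
```

Only the "svchost above group" layout allows the packet; with the group entry first, its outgoing-only rule is the one consulted and the incoming UDP falls through to an alert, which is exactly the ordering point the reply makes. Note that in this model the logged global rule does produce a log line whenever it matches; the thread does not explain why the poster saw none, so the model makes no claim about that.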

OK OK, now I understand… both lists of rules, App and Global, are always parsed… even when at least one rule from the global or app list is in use…

So why do I not get an entry in the log when I set logging for the global incoming rule for the local safe zone whose definition I posted earlier??? It looks like the global incoming rule IS REALLY OMITTED in my situation… (is this behavior produced by “trusted file + safe mode”?) or maybe it can’t be logged? Bug?

I think I should see in the log something like “app = Windows Operating System” and the correct destination IP address… but I see nothing.

The only way to see that connection in the logs is to set logging for the rule in the app list for svchost.exe.