Seriously Interested in Comodo Firewall. Please help me understand some things.

Hi.

I’ve just recently installed Comodo Free Firewall. Exploring Windows 10 firewall options, Comodo happens to be my first stop.

I’m just looking for a firewall, but the extra protection(s) that Comodo offers are bonuses, to be explored further later.

I’m used to rule-based software firewalls, with their extended configurability and detailed logging. I’m not a fan of being limited in any way.

I’ve been looking for some more recent facts and information on the Comodo Firewall’s capabilities. I’m not having much luck, so I thought I’d post here instead.

I’ll start by inquiring about the product’s stateful abilities. How is Comodo in regards to stateful packet filtering? I’ll assume it does have it? I see no toggle for it. I also see no logging indicating a stateful mechanism in place.

Is the stateful filtering only for outgoing connections, or is it a bi-directional design?

Is there pseudo-stateful tracking of connectionless protocols like UDP and ‘some’ ICMP states? If so, is it also a bi-directional design?

How do I get extended logging capabilities?

Thank you in advance for your responses. :wink:

Yes, Comodo and any other firewall made in the last 10+ years is an SPI firewall. There is no option to disable such support, and it will remain in SPI mode at all times when the firewall is enabled. Stateful packet inspection is applied in both packet directions, for outgoing and incoming connections, and is applied to both the transport layer protocols TCP and UDP and internet layer protocols such as ICMP and IGMP. It is also possible to enable SPI filtering for data link layer protocols such as ARP when you enable the anti-ARP spoofing setting in the advanced firewall settings option window. To enable logging, you can add/edit firewall rules to log an event when the rule is processed and all criteria of the rule are met. For information on creating firewall rules, see this help section: Application Rules, Firewall Protection, Best Firewall | Internet Security

Thanks for the response. Yes, you would think that any firewall made in the last 10 years would be SPI capable. Uncertainty exists because I couldn’t find any official reference to Comodo Firewall’s SPI protection.

Where can I read about Comodo Firewall’s SPI implementation? Surely there must be something available?!?

There are so many questions I have about Comodo’s SPI implementation; it would be nice to have answers too.

Having had a good look at the Comodo Firewall component, the rule creation and criteria matching isn’t up to par with what I’m used to working with. I will come back to that later on.

There may be ICMP state tracking in CPF; however, there should be an additional feature for users to toggle on a per-application basis to allow a specified set of healthy error reports from remote services that are already in the state table. Some applications, but not limited to … like peer-to-peer applications, do much better when they are allowed to accept healthy ICMP error messages like types 3, 4, 11, 12.

You shouldn’t have to have only a single option anymore, to allow incoming ICMP types from all sources.

The global feature ‘Block fragmented IP traffic’ should be able to be bypassed for certain applications, such as peer-to-peer software, whose performance can become crippled when fragmentation is denied.

Pasting IP addresses into Comodo PF IP fields is problematic and annoying. When pasting IP addresses, Comodo’s IP fields expect to process four sets of numbers, each consisting of three characters. Try copying and pasting the IP address 1.2.3.4 … you’ll see what I mean.

There should be support for disabling rules and sub-rules, instead of requiring them to be deleted and re-created.

For logging details, it would be nice to know which application sub-rule triggered the logging, instead of a person having to speculate. Also, we should be able to see MAC addresses along with IP addresses.

It would be nice to be able to copy IP addresses, ports and the entire line of information on the Log screen.

On the View Connections screen, when the page is exceeded and I’m scrolled down, the screen content jumps all over. It would be nice to be able to toggle the screen’s automatic refreshing.

I do like Comodo; hopefully improving the Comodo Firewall component is still being sought.

P.S.: When I mentioned extended logging capabilities, you hadn’t understood what I meant. :wink:

Hmmm… Comodo Personal Firewall only filters IPv4, IPv6 and ARP at the link layer? The rest is unfiltered and passed by Comodo’s protection? As for ARP, we should also be able to make our own ARP filtering rules.

I know of no official document which describes the firewall in such detail. It is not something I looked for or would look for.

> Having had a good look at the Comodo Firewall component, the rule creation and criteria matching isn't up to par with what I'm used to working with. I will come back to that later on.
>
> There may be ICMP state tracking in CPF; however, there should be an additional feature for users to toggle on a per-application basis to allow a specified set of healthy error reports from remote services that are already in the state table. Some applications, but not limited to … like peer-to-peer applications, do much better when they are allowed to accept healthy ICMP error messages like types 3, 4, 11, 12.
>
> You shouldn’t have to have only a single option anymore, to allow incoming ICMP types from all sources.

You can fine tune ICMP traffic in both Global Rules and Application Rules.

> The global feature 'Block fragmented IP traffic' should be able to be bypassed for certain applications, such as peer-to-peer software, whose performance can become crippled when fragmentation is denied.

You can post a wish for this in [url=https://forums.comodo.com/wishlist-cis-b131.0/]Wishlist - CIS[/url].

> Pasting IP addresses into Comodo PF IP fields is problematic and annoying. When pasting IP addresses, Comodo's IP fields expect to process four sets of numbers, each consisting of three characters. Try copying and pasting the IP address 1.2.3.4 ... you'll see what I mean.

That is annoying, and it seems a wish has been made for this. If there is a wish, you can vote for it.

> There should be support for disabling rules and sub-rules, instead of requiring them to be deleted and re-created.

As a workaround you could make a [url=https://help.comodo.com/topic-72-1-623-7740-Firewall-Rule-Sets.html]ruleset[/url] which can be easily applied. Or, when using the Global Rules with stealth settings (with the block rule at the bottom), simply move a rule underneath the block rule.

> For logging details, it would be nice to know which application sub-rule triggered the logging, instead of a person having to speculate. Also, we should be able to see MAC addresses along with IP addresses.
>
> It would be nice to be able to copy IP addresses, ports and the entire line of information on the Log screen.
>
> On the View Connections screen, when the page is exceeded and I’m scrolled down, the screen content jumps all over. It would be nice to be able to toggle the screen’s automatic refreshing.
>
> I do like Comodo; hopefully improving the Comodo Firewall component is still being sought.
>
> P.S.: When I mentioned extended logging capabilities, you hadn’t understood what I meant. :wink:

I see various wishes you could submit in Wishlist - CIS. 8)

Edit: fixed broken quote. Eric

Hi EricJH.

Thank you for your reply.

Documentation detailing Comodo’s SPI implementation would reassure people like me that it isn’t a half-baked implementation. I’m not really confident in some of Comodo’s ways, for instance the handling of IP addresses pasted into IP address fields.

I’ve never before seen IP addresses shown in Comodo’s format, with three characters required for every octet. All of the computer’s IPv4 addresses returned on Windows are always shown the usual way, for instance 127.0.0.1, not 127.000.000.001 … and all the IPv4 addresses shown on the web are always shown the usual way. So why complicate matters by changing the format? I’m seeing 192.168.1.1, not 192.168.001.001; I’m seeing 224.0.0.22, not 224.000.000.022.

Therefore, as you have said, it has already been wished for. I’m not able to find this topic; it must have been rejected. This doesn’t make me confident in Comodo’s feature wishing process, so I think wishing for things is fruitless. I think only a fraction of the people that use Comodo visit the board. Only a fraction of those who registered, I bet, participate in wishing and voting.

Yes, you can fine-tune ICMP traffic in both Global Rules and Application Rules. That is impossible when dealing with peer-to-peer type applications. It’s not right to be required to allow from all sources. With the already existing SPI, it shouldn’t be difficult to tweak it to allow a user-specified set of ICMP types to be returned from ‘known’ sources.

To disable a rule, I’ve been moving the rule below the master block rule. It works, but isn’t convenient by any means.

Please don’t take me wrong; I do think Comodo is nice. I do, however, believe Comodo still isn’t designed to be user-friendly. You saw what you classed as possible wishes, and those were things I strongly believe in. Those aren’t even difficult to implement, but it takes a willing developer. The developer ultimately decides the path he/she wants to take for the project. Convenience shouldn’t be something to frown upon. (:NRD)

What can I say? You’re a definite power user. (:NRD)

As far as Comodo’s firewall goes, it is known worldwide as the best firewall there is for your computer. That alone should reassure you and everyone else concerning its reliability and strength.

Best firewall according to which organizations? Yes, Comodo is very appealing, especially since there is a free edition … and people love free. However, not just that; there are some nice qualities to Comodo Firewall. You can have 99 out of 100 people use Comodo and really like it. However, that 1 who knows a little something about firewalls finds some things concerning. One chooses to either change or continue to use it but lower their expectations. Considering Comodo’s few good qualities, I can see how people can lower their expectations. I personally prefer not to change or lower my expectations.

VPNs are highly regarded for protecting personal identity and location. In recent days there were two “critical” “VPN” “vulnerabilities” which can lead to an ISP IP address leak for clients of VPN services. They were two things that should have been incredibly obvious.

You say I should be reassured based on Comodo Firewall’s status of being the “world known” “best firewall”. I have personally seen application-based software firewalls in the past implement half-baked features in the name of performance and simplicity. SPI happened to be one of those things. I don’t see why Comodo Firewall’s SPI implementation has to be sooo mysterious!

I can’t really say I’m reassured based on my own observations of CPF’s ways of doing things.

I believe the ‘Filtering IPv6 traffic’ feature was unchecked by default. That means IPv6 traffic has a free pass to traverse.

  • The ‘Block fragmented IP traffic’ feature is disabled by default. That’s okay to be disabled by default. The problem I see comes from the feature being almost impossible to use due to the implementation design. I proposed one tweak. However, I have seen it implemented successfully, and it was usable while still offering this protection. How that works: a fragmented packet is allowed or blocked according to the rule that applied to the first packet.
  • No filtering for other EtherTypes besides IPv4, IPv6 and ARP… that I can see. There is the ‘Enable anti-ARP spoofing’ feature, however no real ARP configurability exists.
  • The frustrating IP pasting issue that still exists years later.

If you are that concerned, why don’t you test the effectiveness of the SPI implementation of CIS yourself? The only sure way of finding out its capabilities is to confirm it works as it is supposed to.

> I can't really say I'm reassured based on my own observations of CPF's ways of doing things.
>
> I believe the ‘Filtering IPv6 traffic’ feature was unchecked by default. That means IPv6 traffic has a free pass to traverse.

A wish is already in the tracker about this very issue; whether or not it gets implemented is up to Comodo.

> • The 'Block fragmented IP traffic' feature is disabled by default. That's okay to be disabled by default. The problem I see comes from the feature being almost impossible to use due to the implementation design. I proposed one tweak. However, I have seen it implemented successfully, and it was usable while still offering this protection. How that works: a fragmented packet is allowed or blocked according to the rule that applied to the first packet.

Fragmented IP packets are not a good idea to let through, as there have been vulnerabilities in the way packets were being reassembled on the receiving host, and the possibility that fragmented packets may take a different route/path along the way, and due to this the chance for packets to be received out of order. Blocking fragmented IP packets is really a defense against an old problem with old firewalls where it was possible to bypass the firewall and access an open port that would otherwise have been filtered off from being accessed. Fragmentation is the result of packets being too big for the MTU size of a given network link, and so it isn't normal to send/receive fragmented traffic, as OS networking stacks make sure to send packets that don't exceed the MTU of a given connection.

> • No filtering for other EtherTypes besides IPv4, IPv6 and ARP... that I can see. There is the 'Enable anti-ARP spoofing' feature, however no real ARP configurability exists.

It is highly unlikely that home users use, and therefore need filtering support for, EtherType protocols other than those listed, and I doubt many other 3rd party software firewalls support other EtherTypes either. For ARP, what kind of filtering capability do you want other than protecting the ARP cache from being poisoned by a MitM attack, which Comodo provides? It is possible to have firewall rules based on source/destination MAC address, so there's that.

> • The frustrating IP pasting issue that still exists years later.

Already a known bug which I admit would be nice to fix, but it's a low priority bug that really doesn't adversely affect firewall operation.

I was expecting as much… for a response on here. Not everyone is fortunate enough to be able to live on here and mess around. However, I expect nothing more than ignorance from you … based on your response here.

There is an idiom to be used here… ignorance is bliss! I prefer NOT to be ignorant; ignorance can lead to your derriere being bitten. :wink:

Anyway, the CPF SPI protection should be explicitly declared as to how it’s protecting us, and I expect nothing short of that from a company who is supposed to have our best interests at heart. Mysteriousness even after inquiries doesn’t look good.

> A wish is already in the tracker about this very issue; whether or not it gets implemented is up to Comodo.

A wish to have the CPF ‘Filtering IPv6 traffic’ feature enabled by default shouldn’t even need to be made in the first place. It makes me wonder who the heck is actually developing Comodo.

> Fragmented IP packets are not a good idea to let through, as there have been vulnerabilities in the way packets were being reassembled on the receiving host, and the possibility that fragmented packets may take a different route/path along the way, and due to this the chance for packets to be received out of order. Blocking fragmented IP packets is really a defense against an old problem with old firewalls where it was possible to bypass the firewall and access an open port that would otherwise have been filtered off from being accessed. Fragmentation is the result of packets being too big for the MTU size of a given network link, and so it isn't normal to send/receive fragmented traffic, as OS networking stacks make sure to send packets that don't exceed the MTU of a given connection.

If you think that blocking ALL fragmented packets in general is a good solution… if you think that fragmented packets are evil occurrences… you are so very, very mistaken. You’d be very short-sighted, that’s for sure.

Tell me, how many times has it been advised by someone on here to have the person disable the CPF ‘Block fragmented IP traffic’ feature?

I’m not going to get too technical here, but let me tell you this. The MTU setting for my connection is the maximum size. That CPF feature cannot be used with multiple pieces of software I use. This feature is useless! Nothing more than uselessly implemented protection.

I’ve given a tweak suggestion; I’ve also detailed a long-running successful implementation besides. The CPF component is the component given the least amount of attention, it seems.

The rules should give much finer control overall, one being able to permit or deny based on the MF and DF flags. I should be able to have, or create, protection against malformed/bad characteristics such as 1) invalid fragmentation flags/offset, 2) first fragment too small, 3) IP fragment out of boundary, 4) IP fragment offset too small, instead of resorting to blocking all fragmentation! Freaking ridiculous, to say the least!

> It is highly unlikely that home users use, and therefore need filtering support for, EtherType protocols other than those listed, and I doubt many other 3rd party software firewalls support other EtherTypes either. For ARP, what kind of filtering capability do you want other than protecting the ARP cache from being poisoned by a MitM attack, which Comodo provides?

Filtering of other EtherTypes has been possible since the very beginning. ConSeal PC Firewall, the very first personal firewall, had this support. Look ‘n’ Stop and CHX-I are some more. I’ve seen a few; I can’t remember them right off.

> It is possible to have firewall rules based on source/destination MAC address, so there's that.

Yes, firewall rules based on source/destination MAC address, however tied to IP protocols… so no… not that.

> Already a known bug which I admit would be nice to fix, but it's a low priority bug that really doesn't adversely affect firewall operation.

Low priority, my derriere!!! That is by far the worst bug I’ve seen! This issue could have been addressed without much effort. Yes … programmatically speaking! To have such frustrations exist for year(s) is simply pathetic. It is inconsiderate to leave this dragging on for as long as it has. Convenience should be taken more seriously; it is important too!
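As an added illustration (my own code, not Comodo's and not from anyone in this thread) of the two controls asked for here: the ICMP check from the earlier post, which accepts error types 3, 4, 11 and 12 only when the datagram quoted inside the error matches a flow already in the state table, and the four per-fragment sanity checks listed above, written from RFC 1858's rules, as the alternative to blocking all fragments. The header parser, the flow-key layout of the state table and the test-packet builder are assumptions for illustration only.

```python
import struct
from typing import NamedTuple, Optional, Set, Tuple

FlowKey = Tuple[int, str, int, str, int]  # assumed state-table key: (proto, src, sport, dst, dport)
RELATED_ICMP = {3, 4, 11, 12}  # dest unreachable, source quench, time exceeded, parameter problem
# offset is in 8-byte units as carried on the wire; reserved is the must-be-zero flag bit
IPv4 = NamedTuple("IPv4", [("proto", int), ("src", str), ("dst", str), ("reserved", bool),
                           ("df", bool), ("mf", bool), ("offset", int), ("payload", bytes)])


def parse_ipv4(pkt: bytes) -> IPv4:
    """Decode the IPv4 header (constructed parser, not Comodo's); options are skipped via IHL."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, total_len, _, flags_off, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad version or IHL")
    return IPv4(proto, ".".join(map(str, src)), ".".join(map(str, dst)), bool(flags_off & 0x8000),
                bool(flags_off & 0x4000), bool(flags_off & 0x2000), flags_off & 0x1FFF, pkt[ihl:total_len])


def build_ipv4(proto: int, src: str, dst: str, payload: bytes, df: bool = False,
               mf: bool = False, offset: int = 0, reserved: bool = False) -> bytes:
    """Build a constructed test datagram (header checksum left zero; it is not checked here)."""
    flags_off = (reserved << 15) | (df << 14) | (mf << 13) | (offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, flags_off, 64, proto, 0,
                      bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return hdr + payload


def fragment_problem(ip: IPv4) -> Optional[str]:
    """Per-fragment sanity checks (the four named in the thread) instead of blocking all fragments."""
    if ip.reserved or (ip.df and ip.mf):
        return "invalid fragmentation flags/offset"
    if ip.offset * 8 + len(ip.payload) > 65535:
        return "IP fragment out of boundary"
    if ip.proto == 6 and ip.offset == 0 and ip.mf and len(ip.payload) < 16:
        return "first fragment too small"  # RFC 1858 tiny-fragment rule, tmin = 16
    if ip.proto == 6 and ip.offset == 1:
        return "IP fragment offset too small"  # RFC 1858 overlapping-fragment rule
    return None


def icmp_error_related(ip: IPv4, state_table: Set[FlowKey]) -> bool:
    """Accept an ICMP error only when the datagram it quotes belongs to a flow we already track."""
    if ip.proto != 1 or len(ip.payload) < 8 + 28 or ip.payload[0] not in RELATED_ICMP:
        return False
    try:
        inner = parse_ipv4(ip.payload[8:])  # quoted original header plus >= 8 bytes of its payload
    except ValueError:
        return False
    if inner.proto not in (6, 17) or len(inner.payload) < 4:
        return False
    sport, dport = struct.unpack("!HH", inner.payload[:4])
    # The quoted datagram is one this host sent, so its src/sport is our side of the flow; the
    # error's outer source (often a router on the path) need not match the peer at all.
    return (inner.proto, inner.src, sport, inner.dst, dport) in state_table
```

Because the match is on the quoted inner datagram rather than on the error's outer source, a port-unreachable from a router in the middle of the path is accepted for a tracked peer-to-peer flow while an unsolicited one is not.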

You are quite free to complain about Comodo applications as much as you like.

Sorry, insulting members or Staff is not allowed under any circumstances; please read the Forum Policy before you post again.

Do not reply to this post; if you require further advice on this after reading the Forum Policy, please PM me.

Thank you

Dennis