I am new to Comodo, but would like to use it if I can figure it out without too much trouble.
The only reason that I haven't really used it before is that (for me anyway) it is not that intuitive. Finite control is great, but if you are not careful, it won't do what you think it is doing.
I am not an absolute novice, when it comes to networking, but I am not an expert either.
My question:
When I did the initial install, I let it detect "MY Network" and told CIS not to trust other computers on my Network (I want to do that manually, if for no other reason than to try and figure out how to use the Comodo firewall).
I then went to the “Stealth Ports Wizard” and selected “Alert me to incoming connections and make my ports stealth on a per-case basis”
This is what it did with the settings (see pic 1-alerts.gif below)
Then I selected “Block all incoming connections and make my ports stealth for everyone”
This is what it did with the settings (see pic 2-blocked.gif below)
Why when I select “Block all…” there is a bunch of “Allow …” in the Global settings, yet when I do the “Alert me to…” settings they are all “Blocked” settings? It is this part of comodo that I have always found confusing (most likely due to my lack of understanding - but that is why I am here now).
'Alert' blocks certain types of ICMP in, and one type of outbound ICMP (all at the host perimeter). All other IP protocol traffic passes through the outer perimeter.
Any network connection attempts will be intercepted by System (generating an alert). If the connection attempt is app specific and the app is not running, the connection dies. For example unsolicited TCP traffic on port 80 that isn’t initiated by a browser will die without alerts.
‘Block’ allows any outbound, two kinds of ICMP in and blocks all other unsolicited IP in. Network connection attempts made to your computer are blocked. No alerts.
Remote file sharing will not be allowed with ‘blocked’. All solicited IP traffic is allowed, e.g., browser sessions, eMail, Media Player, as the connection is initiated by app. If you close the app the connection dies and inbound connections are subsequently blocked. If you’re ‘blocked’ and another PC allows file-sharing, you can access resources on that host. However, they can not access your IP address.
I have wondered myself for a long time why there is an "allow IP out any" rule at all in the global rules.
I erase that rule, because why should I need it? I want to make allow rules per application for outgoing traffic in the application rules, and that outgoing traffic can go out anyway.
What is this global rule for? It doesn't restrict anything, and it isn't needed for allowed outgoing traffic.
IF you don't have an application rule, no traffic should happen without a question.
BUT IF you don't have a global rule, you just don't have a global rule ... global rules only make sense when they restrict something, or when they make exceptions for a restricting global rule.
Outgoing traffic first goes through Application Rules. As a consequence you control outgoing traffic with application rules.
How to understand the firewall with regard to Global and Application Rules? At a basic level, a firewall should block all unsolicited incoming traffic and should give the ability to allow, or block, applications accessing the web. Connecting to the web is what we want, but we want to have control.
So, incoming traffic first sees Global Rules and then sees Application Rules. This way unsolicited traffic gets blocked right at the door.
Outgoing traffic will go through Application Rules first and then through Global Rules. Global Rules generally allow outgoing traffic (remember we want to access the web) and Application Rules control the individual program (we want to have control over applications).
The global section would generally allow outgoing traffic (which was already allowed by the application rules) even if there is no rule at all in the global rules!
The question still is: why is there an "allow IP outgoing" rule in the global rules? It is not needed in the global rules, because "non-existing global rules" don't generate questions or blocks. So we don't need an exception for non-existing blocks.
There is no difference in the behaviour of the global rules section between having an allow rule for outgoing traffic OR having no BLOCK rule for outgoing.
I still access the internet after I erase that "allow IP out any" rule under global rules, as I usually do.
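The evaluation order described in the two posts above (inbound: Global Rules, then Application Rules; outbound: Application Rules, then Global Rules; a section with no matching rule just hands the packet on) can be modelled in a few lines. The following Python is an added illustration written for this thread, not Comodo's code: the rule sets, the packet samples and the application names (firefox.exe, sshd.exe, ping.exe) are constructed, and the verdicts "alert" and "dropped" follow the earlier description that a missing application rule generates an alert and that unsolicited traffic to a port nobody owns dies silently. It goes one step beyond the posts by also including a restricting global rule, which is the one case where the global section changes an outbound verdict.

```python
# Constructed model of the Global/Application rule order discussed in the
# thread.  Not Comodo's engine; verdicts follow the thread's own description.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    direction: str              # "in" or "out"
    proto: str                  # "tcp", "udp" or "icmp"
    port: int                   # local port for "in", remote port for "out"
    app: Optional[str] = None   # process owning the socket; None = nobody


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "block"
    direction: str              # "in" or "out"
    proto: str = "ip"           # "ip" matches every protocol
    app: Optional[str] = None   # set only on application rules

    def matches(self, pkt: Packet) -> bool:
        return (self.direction == pkt.direction
                and self.proto in ("ip", pkt.proto)
                and (self.app is None or self.app == pkt.app))


def first_match(rules: List[Rule], pkt: Packet) -> Optional[str]:
    """First-match semantics; None means no rule in this section matched."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return None


def app_stage(app_rules: List[Rule], pkt: Packet) -> str:
    if pkt.app is None:
        return "dropped"        # no process owns the socket: connection dies silently
    verdict = first_match(app_rules, pkt)
    if verdict is None:
        return "alert"          # no application rule: the user is asked
    return "allowed" if verdict == "allow" else "blocked"


def decide(global_rules: List[Rule], app_rules: List[Rule], pkt: Packet) -> str:
    if pkt.direction == "in":
        # Inbound: global rules first, so unsolicited traffic stops at the door.
        if first_match(global_rules, pkt) == "block":
            return "blocked"
        return app_stage(app_rules, pkt)
    # Outbound: application rules decide first ...
    verdict = app_stage(app_rules, pkt)
    if verdict != "allowed":
        return verdict
    # ... then global rules, where only an explicit block can still stop it.
    # A global section with no matching rule is a pass-through, not a deny.
    return "blocked" if first_match(global_rules, pkt) == "block" else "allowed"


# Global rule sets (constructed): what the thread says "Block all" produces,
# the same set with "allow IP out any" removed, and a set that restricts ICMP.
BLOCK_ALL = [Rule("allow", "out"), Rule("block", "in")]
NO_ALLOW_OUT = [Rule("block", "in")]
BLOCK_ICMP_OUT = [Rule("block", "out", "icmp"), Rule("allow", "out"), Rule("block", "in")]

# Application rules (constructed).
APP_RULES = [
    Rule("allow", "out", "tcp", app="firefox.exe"),
    Rule("allow", "in", "tcp", app="sshd.exe"),
    Rule("allow", "out", app="ping.exe"),
]

# Sample packets (constructed).
SAMPLE = [
    Packet("out", "tcp", 443, "firefox.exe"),   # browser session
    Packet("out", "udp", 53, "unknown.exe"),    # program with no application rule
    Packet("out", "icmp", 0, "ping.exe"),       # outbound ICMP
    Packet("in", "tcp", 22, "sshd.exe"),        # unsolicited inbound to a listener
    Packet("in", "tcp", 80, None),              # unsolicited inbound, nothing listening
]


def differing(global_a: List[Rule], global_b: List[Rule],
              app_rules: List[Rule], packets: List[Packet]) -> List[Packet]:
    """Packets whose verdict changes between two global rule sets."""
    return [p for p in packets
            if decide(global_a, app_rules, p) != decide(global_b, app_rules, p)]


if __name__ == "__main__":
    for p in SAMPLE:
        print(p, decide(BLOCK_ALL, APP_RULES, p), decide(NO_ALLOW_OUT, APP_RULES, p))
    print("changed by removing allow-out:", differing(BLOCK_ALL, NO_ALLOW_OUT, APP_RULES, SAMPLE))
    print("changed by adding block-icmp-out:", differing(BLOCK_ALL, BLOCK_ICMP_OUT, APP_RULES, SAMPLE))
```

Under this model `differing(BLOCK_ALL, NO_ALLOW_OUT, ...)` is empty, which is the point made above: with no block rule for outbound in the global section, the "allow IP out any" rule changes nothing. Adding a global block for outbound ICMP does change the ping verdict, which is the case where a global rule earns its place.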
Good observation. I am using the stealth settings, and some testing showed that indeed the rule for outgoing traffic can be left out.
The question still is: why is there an "allow IP outgoing" rule in the global rules? It is not needed in the global rules, because "non-existing global rules" don't generate questions or blocks. So we don't need an exception for non-existing blocks.
There is no difference in the behaviour of the global rules section between having an allow rule for outgoing traffic OR having no BLOCK rule for outgoing ;)
I still access the internet after I erase that "allow IP out any" rule under global rules, as I usually do.
Not sure why that is. Is it a bug or is it by design? Is there anybody out there still running v3.14 or v4.1 who can see how CIS behaves in this situation? Maybe the rule for outgoing traffic is only there for cosmetic reasons?