Share Your Settings

I would like to tighten up my rules, but I need something for comparison.
Could you please share your settings; maybe I will find something useful.

I have Application Behaviour Analysis and Component Monitor disabled.
Enable Alerts is disabled, so everything except Allow rules is blocked.
Network Monitor, Application Monitor 1, Application Monitor 2, Miscellaneous.

I have cable internet (ethernet), so svchost is enabled to get an IP via DHCP.
I have set up my IP manually, but sometimes it changes a few times a day.
TCP/UDP Out is set to Block; I enable it before starting Azureus (BitTorrent).

I solved my COMODO configuration problems as follows:
I’m on cable with a D-Link FastEthernet Adapter, so I don’t need DHCP. I also disabled the Windows DNS Client service (every application makes a DNS query itself and only my two ISP’s DNS servers are allowed as Destination addresses) + I also disabled a whole bunch of other useless services, to such an extent that svchost only asks for access for Windows Update.

COMODO Network Monitor rules:

  1. Allow TCP or UDP In or Out from NAME: paul (10.21.xx.xxx) to NAME: localhost (127.0.0.1) where source port is [Any] and destination port is [any]. (Loopback rule)

  2. Allow and log UDP Out from NAME: paul (10.21.xx.xxx) to IP RANGE: xx.xxx.1.1 - xx.xxx.1.2 where source port is 1024-4999 and destination port is 53
    (DNS rule for my 2 ISP DNS servers only)

  3. Allow and log TCP Out from NAME: paul (10.21.xx.xxx) to [Any] where source port is 1024-4999 and destination port is IN [21,80,443]

  4. Allow and log TCP Out from NAME: paul (10.21.xx.xxx) to [forum.kaspersky.com] 212.5.80.45 where source port is 1024-4999 and destination port is 90

  5. Allow and log TCP Out from NAME: paul (10.21.xx.xxx) to [news.grc.com] 4.79.142.203 where source port is 1024-4999 and destination port is 119

  6. Allow and log TCP Out from NAME: paul (10.21.xx.xxx) to [RANGE] 64.12.0.0 - 64.12.255.255 where source port is 1024-4999 and destination port is 5190

  7. Allow and log TCP Out from NAME: paul (10.21.xx.xxx) to [RANGE] 205.188.0.0 - 205.188.255.255 where source port is 1024-4999 and destination port is 5190

  8. Allow and log TCP Out from NAME: paul (10.21.xx.xxx) to [audio-mp3.ibiblio.org] 152.46.7.128 where source port is 1024-4999 and destination port is 8000

  9. Allow and log TCP Out from NAME: paul (10.21.xx.xxx) to [us.drweb.com] 209.160.33.73 where source port is 1024-4999 and destination port is 64000-65535

  10. Allow and log TCP Out from NAME: paul (10.21.xx.xxx) to 81.176.67.170 - 81.176.67.172 where source port is 1024-4999 and destination port is 64000-65535

  11. Allow and log TCP Out from NAME: paul (10.21.xx.xxx) to [msk1.drweb.com] 192.168.255.255 where source port is 1024-4999 and destination port is 64000-65535

  12. Allow and log TCP Out from NAME: paul (10.21.xx.xxx) to [msk4.drweb.com] 83.102.130.174 - 83.102.130.178 where source port is 1024-4999 and destination port is 64000-65535

  13. Allow and log ICMP Out from NAME: paul (10.21.xx.xxx) to IP [Any] where ICMP message is ECHO REQUEST.

  14. Block and log TCP/UDP In or Out from IP [Any] to IP [Any] where source port is [Any] and destination port is [Any].

  15. Block and log ICMP In or Out from IP [Any] to IP [Any] where ICMP message is [Any].

  16. Block and log IP In or Out from IP [Any] to IP [Any] where IPProto is [Any].

With these rules, even if I allow something by accident on the Application level, it will be blocked (I saw it in the logs). I’m on a LAN that is highly untrusted. No Trusted Zones have been defined, not even localhost.

Of course, on Application level everything is set to very high security, I don’t consider safe what COMODO considers safe (no offense meant), and I don’t skip the loopback check. I think these are the maximum settings you can apply. Anything more is redundant and might even weaken the firewall’s protection strength. Of course, I have ‘Application Behaviour Analysis’ and ‘Component Monitor’ enabled (I can’t imagine security without them). ‘Enable Alerts’ is ‘On’. This only gives stress during the very first day when you have to set up all the rules for all applications…

I’ll get back to you with some Application rules. You will understand from my Netmonitor rules that they are VEEEEERY rigid. :=)

Paul Wynant
Moscow, Russia

My COMODO Application Rules:

I don’t use any real-time antivirus solution, so I don’t need any rules for that. (For people who worry: I do have my own tools, but they don’t require Internet access at all).
A2Free, Ad-aware Personal, Cpfupdate, IDServe (utility by Steve Gibson to look up information about a server), KLAgent (news utility by Kaspersky), Spybot Search&Destroy, Spyware Blaster, Super Anti-Spyware, and Winamp have the following rules:

  1. Application name
    Destination: RANGE: xx.xxx.1.1 – xx.xxx.1.2 (my 2 DNS servers)
    Port: 53
    Protocol: UDP Out
    Allow
    (Local Ports were restricted by the Netmonitor rules to 1024-4999)

  2. Application name
    Destination: [Any]
    Port: 80
    Protocol: TCP Out
    Allow
    (Local Ports were restricted by the Netmonitor rules to 1024-4999)


The Comodo upload utility has the following rules:

  1. cpfsubmit.exe
    Destination: RANGE: xx.xxx.1.1 – xx.xxx.1.2 (my 2 DNS servers)
    Port: 53
    Protocol: UDP Out
    Allow
    (Local Ports were restricted by the Netmonitor rules to 1024-4999)

  2. cpfsubmit.exe
    Destination: [Any]
    Port: 21
    Protocol: TCP Out
    Allow
    (Local Ports were restricted by the Netmonitor rules to 1024-4999)


Thunderbird is set as my default News reader. No E-mail account configured. All other mail clients I REMOVED from my computer. Thunderbird has the following rules:

  1. Thunderbird.exe
    Destination: 127.0.0.1
    Port: 1024-4999
    Protocol: TCP In/Out
    Allow

  2. Thunderbird.exe
    Destination: RANGE: xx.xxx.1.1 – xx.xxx.1.2 (my 2 DNS servers)
    Port: 53
    Protocol: UDP Out
    Allow
    (Local Ports were restricted by the Netmonitor rules to 1024-4999)

  3. Thunderbird.exe
    Destination: 4.79.142.203
    Port: 119
    Protocol: TCP Out
    Allow
    (Local Ports were restricted by the Netmonitor rules to 1024-4999)
    (rule for GRC NewsGroup)

  4. Thunderbird.exe
    Destination: [Any]
    Port: 443
    Protocol: TCP Out
    Allow
    (Local Ports were restricted by the Netmonitor rules to 1024-4999)
    (rule for Thunderbird’s update)


Firefox (my default browser) has the following rules:

  1. Firefox.exe
    Destination: 127.0.0.1
    Port: 1024-4999
    Protocol: TCP In/Out
    Allow

  2. Firefox.exe
    Destination: RANGE: xx.xxx.1.1 – xx.xxx.1.2 (my 2 DNS servers)
    Port: 53
    Protocol: UDP Out
    Allow
    (Local Ports were restricted by the Netmonitor rules to 1024-4999)

  3. Firefox.exe
    Destination: [Any]
    Port: 80,90,443
    Protocol: TCP Out
    Allow
    (Local Ports were restricted by the Netmonitor rules to 1024-4999)

If the parent changes, the same rules are created for that parent as well.
I haven’t needed it yet with Firefox, but the Netmonitor rules provide for access to remote port 21 if I have to download something through FTP.


IE7 browser has the following rules:

  1. iexplore.exe
    Destination: 127.0.0.1
    Port: 1024-4999
    Protocol: UDP In
    Allow

  2. iexplore.exe
    Destination: RANGE: xx.xxx.1.1 – xx.xxx.1.2 (my 2 DNS servers)
    Port: 53
    Protocol: UDP Out
    Allow
    (Local Ports were restricted by the Netmonitor rules to 1024-4999)

  3. iexplore.exe
    Destination: [Any]
    Port: 80,90,443
    Protocol: TCP Out
    Allow
    (Local Ports were restricted by the Netmonitor rules to 1024-4999)

All Security Zones have been set to ‘High’!!!


Opera browser has the following rules:

  1. Opera.exe
    Destination: RANGE: xx.xxx.1.1 – xx.xxx.1.2 (my 2 DNS servers)
    Port: 53
    Protocol: UDP Out
    Allow
    (Local Ports were restricted by the Netmonitor rules to 1024-4999)

  2. Opera.exe
    Destination: [Any]
    Port: 80,90,443
    Protocol: TCP Out
    Allow
    (Local Ports were restricted by the Netmonitor rules to 1024-4999)


I also have a bunch of local port scanners. They all have the following rule:

  1. Application Name
    Destination: 127.0.0.1
    Port: [Any]
    Protocol: TCP/UDP In/Out
    Allow


QIP ICQ (a very good, safe, and light ICQ Client) has the following rules:

  1. qip.exe
    Destination: RANGE: xx.xxx.1.1 – xx.xxx.1.2 (my 2 DNS servers)
    Port: 53
    Protocol: UDP Out
    Allow
    (Local Ports were restricted by the Netmonitor rules to 1024-4999)

  2. qip.exe
    Destination: [RANGE] 64.12.0.0 - 64.12.255.255
    Port: 5190
    Protocol: TCP Out
    Allow
    (Local Ports were restricted by the Netmonitor rules to 1024-4999)

  3. qip.exe
    Destination: [RANGE] 205.188.0.0 - 205.188.255.255
    Port: 5190
    Protocol: TCP Out
    Allow
    (Local Ports were restricted by the Netmonitor rules to 1024-4999)

  4. qip.exe (check for updates)
    Destination: 195.239.111.121
    Port: 80
    Protocol: TCP Out
    Allow
    (Local Ports were restricted by the Netmonitor rules to 1024-4999)


I also have rules for iTunes, but unless anyone is very eager to learn those, I won’t post them here…

For svchost (Windows Update) I’ve defined the following Destination Addresses:
64.4.0.0<->64.4.63.255 (64.4.0.0/18): update.microsoft.com
195.0.0.0<->195.255.255.255 (195.0.0.0/8): akamaitechnologies.com
207.46.0.0<->207.46.255.255 (207.46.0.0/16): update.microsoft.com
208.174.0.0<->208.175.127.255 (208.174.0.0/16 + 208.175.0.0/17): download.windowsupdate.com
208.175.160.0<->208.175.223.255 (208.175.160.0/19 + 208.175.192.0/19) : download.windowsupdate.com
212.0.0.0<->212.255.255.255 (212.0.0.0/8): download.windowsupdate.com
213.0.0.0<->213.255.255.255 (213.0.0.0/8): ?

Unless svchost asks for more, that’s as far as Microsoft can go on my computer with the questionable Internet traffic its applications generate… They are ALL BLOCKED!!!

Paul Wynant
Moscow, Russia
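The svchost destination list above pairs each address range with a CIDR annotation. The following is an added example (not code from the forum thread or from COMODO) that recomputes those CIDR blocks from the first/last addresses with Python’s standard `ipaddress` module, counts how many addresses each range admits, and answers whether a given destination falls inside the allowed set. The range labelled “?” in the post is carried as `unknown`; everything else is taken verbatim from the post.

```python
"""Verify the svchost destination ranges from the thread (added example).

Uses only Python's standard ipaddress module. The ranges and labels are the
ones listed in the post; the "?" entry is labelled "unknown" here.
"""
from ipaddress import ip_address, summarize_address_range

# (first address, last address, label) exactly as posted
SVCHOST_RANGES = [
    ("64.4.0.0", "64.4.63.255", "update.microsoft.com"),
    ("195.0.0.0", "195.255.255.255", "akamaitechnologies.com"),
    ("207.46.0.0", "207.46.255.255", "update.microsoft.com"),
    ("208.174.0.0", "208.175.127.255", "download.windowsupdate.com"),
    ("208.175.160.0", "208.175.223.255", "download.windowsupdate.com"),
    ("212.0.0.0", "212.255.255.255", "download.windowsupdate.com"),
    ("213.0.0.0", "213.255.255.255", "unknown"),
]


def to_cidrs(first, last):
    """Smallest list of CIDR blocks that exactly covers first..last (inclusive)."""
    return [str(net) for net in
            summarize_address_range(ip_address(first), ip_address(last))]


def address_count(first, last):
    """Number of addresses a first..last range admits."""
    return int(ip_address(last)) - int(ip_address(first)) + 1


def allowed_networks():
    """All CIDR blocks the svchost rule set allows, in posted order."""
    nets = []
    for first, last, _label in SVCHOST_RANGES:
        nets.extend(summarize_address_range(ip_address(first), ip_address(last)))
    return nets


def is_allowed_destination(ip):
    """True if svchost would be allowed to reach this destination address."""
    addr = ip_address(ip)
    return any(addr in net for net in allowed_networks())


def broad_ranges(widest_prefix=16):
    """Ranges that contain a block wider than /widest_prefix (e.g. a whole /8)."""
    return [(first, last, label) for first, last, label in SVCHOST_RANGES
            if any(net.prefixlen < widest_prefix for net in
                   summarize_address_range(ip_address(first), ip_address(last)))]


if __name__ == "__main__":
    for first, last, label in SVCHOST_RANGES:
        print(f"{first}-{last}: {', '.join(to_cidrs(first, last))} "
              f"({address_count(first, last)} addresses) -> {label}")
    print("wider than /16:", [r[2] for r in broad_ranges()])
```

The recomputed blocks match the annotations in the post (for instance 208.174.0.0-208.175.127.255 really is 208.174.0.0/16 plus 208.175.0.0/17). The same check also makes the scale of the three /8 entries visible: each of them admits 16,777,216 addresses, which is worth knowing when reviewing how much a “Windows Update only” allow actually covers.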

I updated my rules above according to the security expert p2u. Thank You for help and guidance.

You’re welcome, TheTOM_SK!
You are doing me too much honor by calling me a security expert. I’m just someone who cares.

I would encourage you and other people to, at least the first week, LOG EVERYTHING, even allowed packets, and analyze what you see. This can give you insight into many issues that might otherwise not be noticed.

Why are my rules so rigid? That is the Default Deny principle. One of the default packet rules in most firewalls is: Allow Out TCP/UDP to any Destination Address (remote address) to any remote Port. This is probably done for convenience, BUT…

I don’t use a mail client, for example. Therefore, I see no reason to allow remote port 25 (smtp) ever to be accessed by password-stealing Trojans like Pinch, which may not be noticed on the Application level, either by your anti-virus, or by your firewall. If you make the packet rules block traffic to UNNECESSARY local and remote ports and allow certain applications only to domain fields and/or addresses that are really necessary (for example 64.12.0.0 - 64.12.255.255 and 205.188.0.0 - 205.188.255.255 with destination port 5190 for ICQ), you avoid a lot of trouble, and make the task of protecting you a lot easier for your firewall.

Paul Wynant
Moscow, Russia

My first post to you, Paul,

Thanks for your great explanations and examples, both in the settings for the Network Monitor and in the applications.
It is necessary that an example which describes the whole technical process of ruling applications and
network connections be in the manual. I searched a lot and I am glad to find your example here in the forum; it helped me to a very fast understanding of the COMODO firewall.

thanx
markus
South Germany

Hi, threeeast!

Happy to hear that.

Paul Wynant
Moscow, Russia

In some rare cases DNS may use TCP instead of UDP, so it is more reliable to set “TCP and UDP” in rule 1 of COMODO Network Monitor rules. The same is applicable for all other DNS rules (port 53).
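Three points in this thread can be checked with a small first-match rule evaluator: Paul’s ordered Network Monitor list that ends in catch-all block rules, his Default Deny explanation (an accidental application-level allow is still stopped at the packet level), and the note just above that DNS can fall back to TCP, which a UDP-only port 53 rule does not cover. The following is an added example written for this thread; it is not code from the forum or from COMODO. It models both layers as ordered lists where the first matching rule wins and anything unmatched is blocked, and it requires both layers to allow a packet (the order in which the product itself consults the two monitors is not described on the page, and does not change that outcome). The two ISP DNS servers are redacted in the thread (xx.xxx.1.1 - xx.xxx.1.2), so placeholder addresses from the 203.0.113.0/24 documentation range stand in for them, and `mailer.exe` is a constructed application with a deliberately careless “any port” allow.

```python
"""First-match model of layered firewall rules (added example, not COMODO code).

Rules are evaluated top-down; the first match decides and anything unmatched is
blocked, which is what makes the rule set "default deny". DNS_SERVERS is a
placeholder for the two redacted ISP resolvers in the thread.
"""
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class Packet:
    app: str        # process name as the Application Monitor sees it
    proto: str      # "tcp", "udp" or "icmp"
    direction: str  # "out" or "in"
    dst: str        # remote (destination) address
    sport: int      # local port
    dport: int      # remote port


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "block"
    protos: frozenset      # protocols covered
    directions: frozenset  # directions covered
    dst: object = None     # (first, last) inclusive address range; None = any
    sports: object = None  # container of local ports (range or set); None = any
    dports: object = None  # container of remote ports; None = any


def rng(first, last):
    return (ip_address(first), ip_address(last))


def matches(rule, pkt):
    return (pkt.proto in rule.protos
            and pkt.direction in rule.directions
            and (rule.dst is None or rule.dst[0] <= ip_address(pkt.dst) <= rule.dst[1])
            and (rule.sports is None or pkt.sport in rule.sports)
            and (rule.dports is None or pkt.dport in rule.dports))


def first_match(rules, pkt, default="block"):
    """Top-down evaluation: the first matching rule decides; no match means block."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default


TCP, UDP, BOTH = frozenset({"tcp"}), frozenset({"udp"}), frozenset({"tcp", "udp"})
OUT, INOUT = frozenset({"out"}), frozenset({"in", "out"})
LOCAL_PORTS = range(1024, 5000)                   # the 1024-4999 local port window
DNS_SERVERS = rng("203.0.113.1", "203.0.113.2")   # placeholder for the two ISP resolvers

# Subset of the Network Monitor rules from the thread, kept in their posted order.
NET_RULES = [
    Rule("allow", BOTH, INOUT, rng("127.0.0.1", "127.0.0.1")),                          # 1 loopback
    Rule("allow", UDP, OUT, DNS_SERVERS, LOCAL_PORTS, {53}),                            # 2 DNS, UDP only
    Rule("allow", TCP, OUT, None, LOCAL_PORTS, {21, 80, 443}),                          # 3 ftp/http/https
    Rule("allow", TCP, OUT, rng("4.79.142.203", "4.79.142.203"), LOCAL_PORTS, {119}),   # 5 news.grc.com
    Rule("allow", TCP, OUT, rng("64.12.0.0", "64.12.255.255"), LOCAL_PORTS, {5190}),    # 6 ICQ
    Rule("allow", TCP, OUT, rng("205.188.0.0", "205.188.255.255"), LOCAL_PORTS, {5190}),  # 7 ICQ
    Rule("block", BOTH, INOUT),                                                         # 14 catch-all
]

# Application Monitor rules: Thunderbird as posted; mailer.exe is constructed
# to show an over-broad application-level allow.
APP_RULES = {
    "thunderbird.exe": [
        Rule("allow", TCP, INOUT, rng("127.0.0.1", "127.0.0.1"), None, LOCAL_PORTS),
        Rule("allow", UDP, OUT, DNS_SERVERS, None, {53}),
        Rule("allow", TCP, OUT, rng("4.79.142.203", "4.79.142.203"), None, {119}),
        Rule("allow", TCP, OUT, None, None, {443}),
    ],
    "mailer.exe": [Rule("allow", BOTH, OUT)],
}


def decide(pkt):
    """Both layers must allow. Returns (verdict, layer that made the decision)."""
    if first_match(APP_RULES.get(pkt.app, []), pkt) != "allow":
        return ("block", "application")   # no rule and alerts off: blocked
    return (first_match(NET_RULES, pkt), "network")


if __name__ == "__main__":
    print(decide(Packet("thunderbird.exe", "tcp", "out", "4.79.142.203", 1500, 119)))
    print(decide(Packet("mailer.exe", "tcp", "out", "198.51.100.7", 2000, 25)))
    print(first_match(NET_RULES, Packet("thunderbird.exe", "tcp", "out", "203.0.113.1", 1500, 53)))
```

Running it shows the three behaviours the thread describes: an application-level allow for remote port 25 is still blocked by rule 14 because no packet rule admits it; a local port outside 1024-4999 is blocked even for an otherwise permitted destination; and a DNS query sent over TCP falls through rule 2 (UDP only) and rule 3 (ports 21, 80, 443) to the catch-all block, which is exactly why the note above suggests “TCP and UDP” for the port 53 rules.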