Stealth Ports Wizard behaviour differs from manual. What do the rules mean?

In the User Guide for Comodo 2011, it says that if you choose “Block all incoming connections and make my ports stealth for everyone”, then all that happens is that one rule is added to the “Global Rules”: “Block and log IP In From Any IP address To Any IP address where Protocol is Any”. This seems pretty self-explanatory - it blocks all incoming connections.

When I choose this option, however, the behaviour is different. It adds 4 Global Rules:

Allow IP Out From MAC Any To MAC Any Where Protocol is Any
Allow ICMP In From MAC Any To MAC Any Where ICMP Message is FRAGMENTATION NEEDED
Allow ICMP In From MAC Any To MAC Any Where ICMP Message is TIME EXCEEDED
Block IP In From MAC Any To MAC Any Where Protocol is Any

I have a few questions.

  1. In the Block rule, why is “Any IP Address” in the manual replaced with “MAC Any” in the program, and is there any difference? (Surely all connections are made using a MAC and IP Address)
  2. What is the purpose of the ICMP rules (and why weren’t they mentioned in the manual)?
  3. What is the purpose of the Allow IP Out rule. Is it allowing all outgoing connections? What does it have to do with stealthing ports?

Thank you.

Surely all connections are made using a MAC and IP Address
No. The MAC item is something precursive for IPv6 support. You most certainly don't use MAC permissions over the internet, and not so often over an intranet.
2) What is the purpose of the ICMP rules (and why weren't they mentioned in the manual)?
The proper internet operation supposes these 2 rules to be enforced, whether a "stealth port" gadget exists or not. http://www.networksorcery.com/enp/protocol/icmp.htm
3) What is the purpose of the Allow IP Out rule. Is it allowing all outgoing connections? What does it have to do with stealthing ports?
Yes, Nothing: CIS allows as default everything outbound allowed, whereas from my point of view it should not. Customize your firewall policy to the highest level and paranoid mode if you want to be alerted of outgoing connections.

The logic of CIS is that outgoing traffic is handled by Application Rules. Outgoing traffic first goes through Application Rules and then through Global Rules.
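To make the first-match behaviour of the four wizard rules concrete, here is a small added model (not Comodo's code; the packets, the "allow" default for unmatched traffic, and the rule/packet field names are my own constructions) that evaluates the rules top to bottom, as the thread describes Global Rules being read. It also shows why the two ICMP allows have to sit above the Block: with the Block moved first they never match.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                         # "allow" or "block"
    direction: str                      # "in" or "out"
    protocol: str                       # "ip" means any protocol
    icmp_message: Optional[str] = None  # e.g. "FRAGMENTATION NEEDED"

@dataclass(frozen=True)
class Packet:
    direction: str
    protocol: str
    icmp_message: Optional[str] = None
    dst_port: Optional[int] = None

def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction != pkt.direction:
        return False
    if rule.protocol != "ip" and rule.protocol != pkt.protocol:
        return False
    if rule.icmp_message is not None and rule.icmp_message != pkt.icmp_message:
        return False
    return True

def evaluate(rules, pkt: Packet, default: str = "allow") -> str:
    """First matching rule wins; `default` is an assumed fallback, never
    reached here because the last wizard rule catches all inbound traffic."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default

# The four rules the Stealth Ports Wizard adds, in the order listed above.
STEALTH_WIZARD_RULES = [
    Rule("allow", "out", "ip"),
    Rule("allow", "in", "icmp", "FRAGMENTATION NEEDED"),
    Rule("allow", "in", "icmp", "TIME EXCEEDED"),
    Rule("block", "in", "ip"),
]

# Constructed sample traffic, not captured from any real host.
SAMPLES = {
    "inbound tcp syn to 445": Packet("in", "tcp", dst_port=445),
    "inbound pmtu notice": Packet("in", "icmp", "FRAGMENTATION NEEDED"),
    "inbound traceroute reply": Packet("in", "icmp", "TIME EXCEEDED"),
    "inbound ping": Packet("in", "icmp", "ECHO REQUEST"),
    "outbound https": Packet("out", "tcp", dst_port=443),
}

def decisions(rules=STEALTH_WIZARD_RULES) -> dict:
    return {name: evaluate(rules, pkt) for name, pkt in SAMPLES.items()}

def block_first_rules():
    """Same rules with the Block moved to the top: the ICMP exceptions are dead."""
    r = STEALTH_WIZARD_RULES
    return [r[3], r[0], r[1], r[2]]
```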

Then why is Comodo doing it?

The proper internet operation supposes these 2 rules to be enforced, whether a "stealth port" gadget exists or not. http://www.networksorcery.com/enp/protocol/icmp.htm
So, why are these rules not always there, but only added when stealthing ports?
Yes, Nothing: CIS allows as default everything outbound allowed, whereas from my point of view it should not. Customize your firewall policy to the highest level and paranoid mode if you want to be alerted of outgoing connections.
I'm not sure what you mean by this. I have it set to Custom Policy, is that what you mean? The only higher option is Block All. I have the alert settings at the highest option, although this will probably be unnecessary once I've fixed my problems with CIS. (https://forums.comodo.com/firewall-help-cis/files-are-being-downloaded-but-comodo-says-no-connections-t66895.0.html)

I had read that in the manual, it’s the “then” that confuses me.

But anyway I don’t see how that relates to stealthed ports. If it’s necessary, why isn’t that rule always there, and if it isn’t necessary, why is it added when ports are stealthed?

Thank you.

The answer made to you:

The logic of CIS is that outgoing traffic is handled by Application Rules. Outgoing traffic first goes through Application Rules and then through Global Rules.
is the general CIS logic (it's the opposite with inbound rules) but makes no sense if the first global rule is:
Allow IP Out From MAC Any To MAC Any Where Protocol is Any
By definition, everything out is allowed in these conditions despite your application rules: I would delete such a rule (and my idea is that you should only have ICMP global rules), but do as you like.

Concerning other points:

Then why is Comodo doing it?
So, why are these rules not always there, but only added when stealthing ports?
I don't know, I am not a Comodo developer, although I suppose that some IPv6 options shall be present before IPv6 is generalized. The important thing is confusion on a LAN between MAC and IP but, in most usual situations, assigning whatever communicating device on your LAN not its MAC address, but a static local IP (i.e. denying DHCP) should be enough, and you should not have to use any MAC address (note that whatever rule from MAC to MAC indeed accepts IP entries).