I have been running CIS since day one and apart from changing from learning mode to Safe mode in Firewall and Defence+ I have just used the default settings apart from allowing certain trusted applications and setting Firefox and IE7 as Web Browsers.
However tonight I finally found the Guides link and followed and set them all through as described in both Firewall and Defence+. I noticed though on rebooting my PC after finishing set up that all the changes had remained apart from the “Block all incoming connections, block all my ports to everyone” rule, which had been changed to “Define a new trusted network, stealth my ports to everyone else”. I wondered if this is because in Network Security Policy I have allowed certain trusted applications, or is it a problem with CIS Firewall? I change it to “Block” and click finish but as soon as I reopen it has been changed back to “Define”. Can anyone tell me if this is correct or is there something wrong?
Thanks for the reply Kail,
I tried that but it didn’t work. I applied the Block rule but as soon as I reopened the Stealth Ports Wizard it had reverted to the Define a new trusted network setting. When I followed the Firewall Guide, in setting up the My Network Zones section it mentioned that there usually were two entries, i.e. the Loopback Zone and another called Local Area Network #1. I only had the Loopback Zone one in my settings and had to manually add the LAN#1 setting. When my PC resets from the Block all setting to Define a new setting, and I follow the next button in the Define a new option, I then get the option to set a new or stay with existing network. Should I leave it as is, i.e. Existing (Looped Zone), or should I create a new one from the (LAN#1) setting I created last night?
AH!!! I see! No, those are not settings that are set & remembered. The Stealth Ports Wizard is not a setting, it is a process. You open the Wizard, check the setting you want & run it. Then the Wizard automatically creates & modifies rules based on the options set. So, in your case, since you’re crafting your own rules… you want Custom Policy Mode to stop CIS creating any for you & you never want to run the Stealth Ports Wizard. You’ve… grown out of it really.
When crafting your own rules, you probably only want to run the Wizard once, if at all. And that’s when you first start. The Wizard is very good at detecting your LAN (unless you do actually have multiple LANs, there should only be 1) & creating all the relevant rules. Other than that, you really don’t need it for anything.
Thanks again for the reply Kail,
I’m not so sure about a custom policy as I hardly understand the technicalities of PCs, being 60 years old. I have however followed the tutorials given by Kyle and John Buchanan in their guides and have set certain rules regarding trusted applications, web browsers, svchost to outgoing only etc. using common sense, and can see where this is of course a custom policy. I have changed the rule in the Firewall from Safe Mode to Custom Policy mode and will just forget about the Stealth Ports Wizard for the moment. One thing I have noticed since yesterday is that I no longer have x amount of incoming/outgoing traffic and now instead have a few hundred intrusion attempts, which tells me that something has changed for the better and my PC is more secure than it was. I just wish I had seen the guides prior to yesterday. Again thanks for your help, and I think when the new version is released in the near future I will have a better understanding of how it works by setting these rules from day 1.
Are the intrusion attempts LAN traffic? And by that I mean, the source and/or destination IP numbers are internal IP numbers (i.e. 192.168.0.1, 10.0.0.1, etc.) or LAN broadcasts (255.255.255.0, 192.168.0.255, etc.). Post a screen shot of the intrusion attempts; mask your Internet IP address if it is visible (it’s OK to leave the others).
Also below is the CIS’s Help description for both Custom Policy Mode & Safe Mode, perhaps you may not find it to be as technical as you previously believed…
Custom Policy Mode: The firewall applies ONLY the custom security configurations and network traffic policies specified by the user. New users may want to think of this as the 'Do Not Learn' setting because the firewall will not attempt to learn the behavior of any applications. Nor will it automatically create network traffic rules for those applications. You will receive alerts every time there is a connection attempt by an application - even for applications on the Comodo Safe list (unless, of course, you have specified rules and policies that instruct the firewall to trust the application's connection attempt).
If any application tries to make a connection to the outside, the firewall audits all the loaded components and checks each against the list of components already allowed or blocked. If a component is found to be blocked, the entire application is denied internet access and an alert is generated. This setting is advised for experienced firewall users that wish to maximize the visibility and control over traffic in and out of their computer.
Safe Mode: While filtering network traffic, the firewall will automatically create rules that allow all traffic for the components of applications certified as ‘Safe’ by Comodo. For non-certified new applications, you will receive an alert whenever that application attempts to access the network. Should you choose, you can grant that application internet access by choosing ‘Treat this application as a Trusted Application’ at the alert. This will deploy the predefined firewall policy ‘Trusted Application’ onto the application.
‘Train with Safe Mode’ is the recommended setting for most users - combining the highest levels of security with an easy-to-manage number of connection alerts.
But, given that you desire to make your own rules & for CIS not to subsequently meddle with them, then Custom Policy Mode is the mode for you I feel.
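The LAN-versus-Internet triage Kail asks about above (are the blocked "intrusion attempts" internal addresses and broadcasts, or real probes from outside?) can be done mechanically once the log is exported. The following Python script is an added example and is not part of this thread or of CIS: the log line format, the 192.168.0.0/24 local subnet and all addresses in it are constructed, and the Internet-side addresses use the RFC 5737 documentation ranges. It labels each blocked event as broadcast chatter, LAN-originated, or Internet-originated, and skips lines it cannot parse.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of blocked-connection log lines. The format is assumed for
# this example; it is not CIS's real log layout. Internet-side addresses use the
# RFC 5737 documentation ranges so nothing here points at a real host.
SAMPLE_LOG = """\
2009-01-10 21:03:11 Blocked UDP 192.168.0.5:137 -> 192.168.0.255:137
2009-01-10 21:03:12 Blocked UDP 192.168.0.1:68 -> 255.255.255.255:67
2009-01-10 21:03:15 Blocked TCP 203.0.113.42:4455 -> 192.168.0.10:445
2009-01-10 21:03:20 Blocked TCP 10.0.0.7:1024 -> 10.0.0.9:139
2009-01-10 21:03:25 Blocked UDP 198.51.100.9:1900 -> 192.168.0.10:1900
this line is deliberately malformed and is skipped
"""

LINE_RE = re.compile(
    r"(?P<action>Blocked|Allowed)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Address ranges that never arrive from the public Internet: RFC 1918 private
# space, link-local (APIPA) and loopback. Listed explicitly rather than via
# ipaddress.is_private, which also treats the documentation ranges as private.
INTERNAL_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "169.254.0.0/16", "127.0.0.0/8")
]

# The local subnet is an assumption for this example; in practice the
# "Local Area Network #1" zone from the firewall would supply the real one.
DEFAULT_LAN = ipaddress.ip_network("192.168.0.0/24")


def classify_address(addr, lan_network=DEFAULT_LAN):
    """Return 'broadcast', 'lan' or 'internet' for a single IPv4 address."""
    ip = ipaddress.ip_address(addr)
    # Limited broadcast, or the directed broadcast of the local subnet.
    if ip == ipaddress.ip_address("255.255.255.255") or ip == lan_network.broadcast_address:
        return "broadcast"
    if any(ip in net for net in INTERNAL_NETWORKS):
        return "lan"
    return "internet"


def classify_event(line, lan_network=DEFAULT_LAN):
    """Parse one log line and label where the traffic came from.

    Returns None for lines that do not match the assumed format. A packet sent
    to a broadcast address is labelled 'broadcast' (normal LAN chatter such as
    NetBIOS name queries or DHCP); otherwise the label is the source address's
    class, so 'internet' means an unsolicited packet from outside the LAN.
    """
    m = LINE_RE.search(line)
    if not m:
        return None
    src_class = classify_address(m["src"], lan_network)
    dst_class = classify_address(m["dst"], lan_network)
    origin = "broadcast" if dst_class == "broadcast" else src_class
    return {
        "proto": m["proto"],
        "src": m["src"], "sport": int(m["sport"]),
        "dst": m["dst"], "dport": int(m["dport"]),
        "src_class": src_class, "dst_class": dst_class,
        "origin": origin,
    }


def summarize(log_text, lan_network=DEFAULT_LAN):
    """Count events by origin so LAN noise can be told apart from Internet probes."""
    counts = Counter()
    for line in log_text.splitlines():
        event = classify_event(line, lan_network)
        if event is not None:
            counts[event["origin"]] += 1
    return dict(counts)


if __name__ == "__main__":
    # On the constructed sample this prints broadcast 2, internet 2, lan 1.
    for key, value in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{key:<10}{value}")
```

Only the "internet" bucket represents traffic a stealthed firewall is actually shielding you from; the "broadcast" and "lan" buckets are the ordinary background noise of a home network and are the reason a sudden count of "intrusion attempts" after enabling blocking rules is usually not cause for alarm.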
The issue you raise is not a bug, it is just a confusing interface design.
I have posted on this issue several times, and so far, no changes have been made.
Others have also commented that stealth port wizard is confusing. For example:
“when I select ‘block all incoming connections - stealth my ports to everyone’ and then click finish, a window pops up that says ‘your firewall has been configured accordingly’. But when I select stealth ports wizard again, the option has been set back to ‘define a new trusted network’. In other words, the stealth port wizard does not seem to remember my selection.”
The explanation is this: the CIS program remembers your selection, but the wizard does not reflect your current ports setting, and that is one of the problems that makes the wizard confusing. In order to see your settings, you have to go to Firewall > Advanced > Network Security Policy > Global Rules (and then you have to be a network expert to figure out the meaning of the cryptic data listed there).
The bottom line is that you should not have to guess whether your ports are set correctly. To solve this confusion: When you engage the Ports Wizard, it should tell you in simple terms what your current settings are. For example, “all your ports are currently stealthed” or “All ports are stealthed except…” (and then list the ports and whether they are open or closed). This would be a great benefit to all users and would eliminate the “ports wizard” confusion that has been raised in so many posts.
Furthermore, the wizard should run during CIS installation to make sure the user does not forget to set the ports status.
PS. You do not need to make custom rules to stealth all your ports…the wizard will do that. Just be aware that CIS DOES stealth the ports when you select this option in the wizard (even if the wizard does not reflect your choice).
Yes, I’ve only been using this program a few days and this little oddity confused me as well. I assumed the settings weren’t being remembered because the radio button kept resetting. Then it occurred to me that I could test it by checking the global security policy after choosing “stealth” and again after choosing another option. Sure enough, the global policy changed and stayed that way; it was only the radio buttons in the wizard window that were not behaving as one would expect.
So I agree that this should be changed. I’m the type of user that will go through all the various menus, tabs, etc… of new software that I install to familiarize myself with it, so I had seen the global security policies settings. If other users are less inclined to try and figure out how the software works, or are just a little intimidated by it at first, or simply don’t understand what the global security policy is, this radio button behavior could cause someone to think the software isn’t operating as it should. (As it did me, and obviously others)