Summary of Network rules

Since a lot of members get confused with the Network rules, I decided to create this topic to gather the various rules in one place.

Here are the rules that are automatically created by CFP during the installation.

Rule #0
Action = Allow
Protocol = TCP or UDP
Direction = Out
Source IP = Any
Destination IP = Any
Source Port = Any
Destination Port = Any

Rule #1
Action = Allow
Protocol = ICMP
Direction = Out
Source IP = Any
Destination IP = Any
ICMP Details = ICMP Echo Request

Rule #2
Action = Allow
Protocol = ICMP
Direction = In
Source IP = Any
Destination IP = Any
ICMP Details = ICMP Fragmentation Needed

Rule #3
Action = Allow
Protocol = ICMP
Direction = In
Source IP = Any
Destination IP = Any
ICMP Details = ICMP Time Exceeded

Rule #4
Action = Allow
Protocol = IP
Direction = Out
Source IP = Any
Destination IP = Any
IP Details = GRE

Rule #5
Action = Block (create an alert if this rule is fired)
Protocol = IP
Direction = In/Out
Source IP = Any
Destination IP = Any
IP Details = Any

[attachment deleted by admin]

Instead of using the secure zone you can create copies of rules for individual IPs. This is highly recommended for users with wifi networks.
For example:
If you have a network with 1 router (IP = x.x.x.1) and 3 PCs (IP pc1 = x.x.x.12, IP pc2 = x.x.x.120, IP pc3 = y.y.y.15) you should create the following rules (in the example we configure CFP on pc1):

Rule #0
Action = Allow
Protocol = IP
Direction = Out
Source IP = pc1
Destination IP = router
IP details = Any

Rule #1
Action = Allow
Protocol = IP
Direction = In
Source IP = router
Destination IP = pc1
IP details = Any

Rule #3
Action = Allow
Protocol = IP
Direction = Out
Source IP = pc1
Destination IP = pc2
IP details = Any

Rule #4
Action = Allow
Protocol = IP
Direction = In
Source IP = pc2
Destination IP = pc1
IP details = Any

Rule #5
Action = Allow
Protocol = IP
Direction = Out
Source IP = pc1
Destination IP = pc3
IP details = Any

Rule #6
Action = Allow
Protocol = IP
Direction = In
Source IP = pc3
Destination IP = pc1
IP details = Any

Rule #7 (used for finding the other 2 PCs by searching their names)
Action = Allow
Protocol = UDP
Direction = In
Source IP = broadcast address of the router
Destination IP = pc1
Source Port = Any
Destination Port = Any

ps. For finding the broadcast address of the router you can use:

  1. A simple subnet calculator like this one: http://net.apollo.lv/subnet.php
  2. or Advanced Subnet Calculator, a free program that is a little more difficult to understand: http://www.softpedia.com/get/Network-Tools/Misc-Networking-Tools/Advanced-Subnet-Calculator.shtml

[attachment deleted by admin]

There are programs that need to accept incoming connections to function properly. Classic examples are file-sharing applications like eMule, Azureus, uTorrent, etc.

Let's use eMule and Azureus as examples:

For eMule

  1. Rule for TCP protocol

Action = Allow
Protocol = TCP
Direction = In
Source IP = Any
Destination IP = Any
Source port = Any
Destination port = TCP port of eMule

  2. Rule for UDP protocol

Action = Allow
Protocol = UDP
Direction = In
Source IP = Any
Destination IP = Any
Source port = Any
Destination port = UDP port of eMule

For Azureus

Rule for TCP/UDP protocol
Action = Allow
Protocol = TCP or UDP
Direction = In
Source IP = Any
Destination IP = Any
Source port = Any
Destination port = TCP/UDP port of Azureus

You should move these rules above the default Block IP In/Out rule.

[attachment deleted by admin]

Since CFP has stateful inspection of the packets, there are two rules for blocking IPs: one for blocking outgoing connections and one for blocking incoming connections.

1. Blocking outgoing connections
(this rule will prevent your computer from initiating a connection with a banned IP)

Action = Block
Protocol = TCP or UDP
Direction = Out
Source IP = Any
Destination IP = The IP you want to block
Source port = Any
Destination port = Any

2. Blocking incoming connections
(this rule will prevent a banned IP from initiating a connection with your computer)

Action = Block
Protocol = TCP or UDP
Direction = In
Source IP = The IP you want to block
Destination IP = Any
Source port = Any
Destination port = Any

You should move these rules above all the other rules for them to work properly.

ps. If you want to ban someone in p2p you will need the second rule.
If you want to prevent any communication with a banned IP, both rules are needed.

[attachment deleted by admin]

Here is an image of all the above rules together.

[attachment deleted by admin]
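Added example (not from the original post, nor Comodo's code): a small Python model of the Network Monitor's top-down, first-match evaluation, showing why the inbound P2P allow rule must sit above the default Block IP In/Out rule and the ban rule above everything else, plus the broadcast-address lookup from the "ps." above. The eMule port 4662, the peer address and the subnet values are constructed; the ICMP and GRE rules are left out of the model.

```python
import ipaddress
from dataclasses import dataclass

ANY = "Any"

@dataclass
class Rule:
    action: str            # "Allow" or "Block"
    proto: str             # "TCP", "UDP", "TCP/UDP" or "IP" (IP matches every protocol)
    direction: str         # "In", "Out" or "In/Out"
    src: str = ANY         # source IP or "Any"
    dst: str = ANY         # destination IP or "Any"
    dport: object = ANY    # destination port or "Any"

def _field_match(rule_value, packet_value):
    return rule_value == ANY or rule_value == packet_value

def _proto_match(rule_proto, packet_proto):
    return rule_proto == "IP" or packet_proto in rule_proto.split("/")

def evaluate(rules, pkt):
    """Top-down, first match wins; a packet matching no rule is blocked."""
    for index, r in enumerate(rules):
        if (pkt["dir"] in r.direction.split("/")
                and _proto_match(r.proto, pkt["proto"])
                and _field_match(r.src, pkt["src"])
                and _field_match(r.dst, pkt["dst"])
                and _field_match(r.dport, pkt["dport"])):
            return r.action, index
    return "Block", None

# The TCP/UDP-relevant part of the default set from the post.
DEFAULT_RULES = [
    Rule("Allow", "TCP/UDP", "Out"),     # Rule #0: any outbound TCP/UDP
    Rule("Block", "IP", "In/Out"),       # Rule #5: everything else, logged
]
# Constructed values: eMule listening on TCP 4662, a peer at 203.0.113.7.
EMULE_TCP_IN = Rule("Allow", "TCP", "In", dport=4662)
BAN_PEER_IN = Rule("Block", "TCP/UDP", "In", src="203.0.113.7")
PEER_SYN = {"dir": "In", "proto": "TCP", "src": "203.0.113.7",
            "dst": "192.168.1.12", "dport": 4662}

def verdict(rules, pkt):
    return evaluate(rules, pkt)[0]

def broadcast_address(host_ip, netmask):
    """Broadcast address of the subnet a host sits in (for Rule #7)."""
    net = ipaddress.ip_network(f"{host_ip}/{netmask}", strict=False)
    return str(net.broadcast_address)
```

Placing EMULE_TCP_IN below the block rule means it is never reached, exactly the mistake the post warns about.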

Great work Pandlouk!

(just delete my post if it’s in the way of your rules…)

Sweet pandlouk, very nice. I wouldn’t ruin your FAQ. :wink:

Edit: Don’t mess with my posts Kail! ;D

Hehe. (:SHY)
Thanks AOwL but it cannot compare with your noob guide.

ps. Anyone can post here. I had locked it temporarily to be able to put those rules one after another without interruptions :wink:

Newbie here (:WAV)

I installed Comodo on 2 of my computers last night and promptly lost my home network (Internet still worked on both computers though)
I stumbled my way through the menus and found this last option you put in the message…
As soon as I deleted that rule from both computers I found my computers would talk to each other again…
Please tell me I haven’t done something very wrong… (:SHY)

Welcome to the forum

You have done something very wrong… shame on you…
Put that back immediately!

Have you made a trusted zone/network? (security/tasks)

Ooopppsss (:SHY)
Will copy the line from this thread in an attempt to put it back again…

Trusted Zone??? - Ummm, all I did was install the program, I chose the automatic thing on install, so thought that would set things up…

I think I might uninstall the firewall from both computers and then reinstall it again, that way anything I touched will be gone, then I can look for the trusted zone thing (:LGH)

Thank you very much for your reply (:CLP)

You can use the wizard for the trusted zone, or you can build a more Restricted Secure Zone https://forums.comodo.com/index.php/topic,5340.msg39466.html#msg39466 , which is more secure for wifi connections :wink:

Thanks for the reply, much appreciated…
As I said above I'm going to uninstall and then reinstall, that way things will be back to the way they were, then I will try that wizard to see if I can get my computers talking again…
I presume there is a way to have it set up to allow a port range (eg: 192.168..) in it, as I have noticed in the past that sometimes the IP addresses of my computers change.
Anyway, will give it a go and see what happens (I'm not too technical, because at 52yrs old my brain takes a while to figure things out)

Well thank you both for your help, I reinstalled the firewall on both computers, ran that Wizard and now have my computers talking to each other again…
Wizard was really easy to do, wasn't as bad as I thought it would be… Very straightforward…

Since you people around here are so friendly and helpful, methinks I will uninstall AVG and install your antivirus as well :smiley: :smiley:

Hi Pandlouk

Thanks for the rules. I have also read M0ng0d's article on network rules with no joy in solving my problem.
I have just installed CPF on my desktop and have been attempting a setup to enable an ad-hoc wireless connection from my laptop using the trusted zone wizard. With CPF set to 'allow all' the wireless network adapters communicate, the laptop is assigned a 192.168.0.x IP address and I am able to surf the net. Putting CPF back to 'custom' still enables the internet connection. Great.
My problem is getting the wireless adapters to communicate while CPF is in the normal custom mode. The desktop wireless adapter is manually configured to 192.168.0.1 etc but the laptop gets no communication and defaults to a 169.254.x.x IP address.

I have put the desktop wireless adapter in the trusted zone with the 192.168.0.0/255 range and left the ethernet adapter in the internet zone. I assume that is correct.
My rules seem to agree with what has been written so I assume I am missing something obvious.

Any help appreciated (R)

Hi and welcome at the forums (:HUG)

  1. Can you please add an image of your network rules or describe them?
  2. Have you tried to disable Do protocol analysis? Sometimes it interferes and blocks some DHCP packets.

Hi Pandlouk ;D

I think I should have attached a jpg ok for the rules. I tried the Do Protocol Analysis + reboot suggestion but still no luck.

Over to you.

[attachment deleted by admin]

Pandlouk,

I've set up my rules 0 and 1 for my specific IP address as you suggested instead of a zone, but I'm getting lots of inbound blocked logs. Here's what I'm getting:

Date/Time :2007-05-20 09:19:49
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.1, Port = snmptrap(162))
Protocol: UDP Incoming
Source: 192.168.1.1:4002 Destination: 192.168.1.255:snmptrap(162)
Reason: Network Control Rule ID = 7

Date/Time :2007-05-20 09:18:39
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.1, Port = snmptrap(162))
Protocol: UDP Incoming
Source: 192.168.1.1:3999 Destination: 192.168.1.255:snmptrap(162)
Reason: Network Control Rule ID = 7

I’ve also added a pic of my network rules.

Help?!

[attachment deleted by admin]

Issue of mine RESOLVED! I did as suggested in the "Protect your Wi-Fi LAN" part of the FAQs. I had tried and successfully changed my IP to 192.168.1.2 and Subnet to 255.255.255.252 previously (a few weeks back) but went back to what I had before because I thought it was causing my connection problems, and only recently found out that it was Comodo BOClean related. Since removing BOClean (waiting until the next version is released in a couple of weeks) it seems to be working fine. I did have to reboot my router twice but all is up and running nicely. I've been online for a while now and don't seem to be getting the alerts I had before, just back to the occasional OUTBOUND IPGM alert (see my post in the HELP Forums, there's a security Hotfix related to that!). I don't seem to get those alerts having installed the hotfix! :BNC

Thanks everyone…

(:CLP)

A further question…

Should I, for added security, put the IP of my laptop and the IP of my router in place of [Any] for all the other rules, besides just the first couple???