Tutorials - A Compiled Resource

There are a large number of “tutorial” postings here in the forums, regarding common firewall questions.

It has been requested that such a thread exist, where users don’t have to sift through various questions and responses to get the info they need; thus, this thread will be your “one-stop-shop” for these nuggets.

It is locked to prevent resulting questions from being posted here; you may post those in a new or other relevant (already existing) topic. Almost all of these can be found in their original threads here: FAQs/Threads - Read Me First. In addition, each topic has an embedded link in the title (next to the author’s name) to the original post, where you can post relevant questions.

Here are links to each topic within this thread, in order:
Installation, Computer Terminology, Network Rules, WiFi Security, Gaming, P2P Rules, ActiveSync, Remote Access, Windows Media, Proxy Setup, IRC, Nintendo, XBox, Layered Rules, Network Rules Defined, Security Settings, “Set & Forget” Setup, Capturing Screenshots

The compilation of this topic begins on February 6, 2007, and will continue to grow as needed. If you come across a topic that you think should be included, please PM me, or another Moderator or Administrator.

LM

CPF v2.x Installation - Step by Step. By Little Mac

There are a lot of questions answered or avoided entirely by using the following steps when you initially install and set up CPF.

Even if you are familiar with firewalls, CPF has a layered approach to security that is very different; using these steps will get you a working firewall, internet connection, and full security. If you try to create your own custom setup and rules from the ground up, you may unintentionally reduce CPF’s functionality, lose your internet connection, block applications, open your system up to hackers, and just generally give yourself a string of headaches. After you’ve used CPF for a while and get it all figured out, if you want to reinstall using your own custom settings, be my guest ~ but for now, it’s best to follow these steps:

1. Uninstall any previous third-party (non-OEM) firewall; if you have WinXP, turn OFF Windows Firewall. Reboot.

1a. If you have a dedicated HIPS program running, I recommend turning it off temporarily while you install and set up CPF. It may block some components and not warn you, thus causing conflicts and improper installation. You can reactivate it once you have CPF up and running.

2. Install CPF. Use Automatic - do not choose Manual/Advanced install. Follow the prompts. Reboot.

2a. When you open CPF after reboot, you are prompted to Activate. If you are on a LAN or behind a Router, you may have some difficulties connecting to Activate CPF. You can skip it until later, if you want; it will not impact functionality of CPF. (Note: As of v.2.3.6.81, you will now have 6 network rules)

3. If you are on a LAN, are using one computer to share internet connection, or are behind a router, run the Network Wizard (if these do not apply, you can skip this step). Go to Security/Tasks/Define a New Trusted Network (lower left). Follow the prompts. Reboot when finished. (Note: As of v.2.3.6.81, you will now have 8 network rules)

4. Run the Applications Wizard. Go to Security/Tasks/Scan for Known Applications. Follow the prompts. Reboot when finished.

CPF is now fully functional for the majority of users, and is fully secure.

I realize a lot of people want to create their own rules, and “tighten” things up. In order to do so effectively, you need to understand CPF, and how it works.

At the base of CPF is the Network Monitor - it controls how all applications are allowed to connect to the internet; everything occurs within the context of these rules.

Next in line is the Application Monitor - this defines what applications are allowed to connect (or not connect; you can block applications here as well), in the context of the Network Rules.

Finally comes the Component Monitor - this loads & approves all components within each application; it’s CPF’s way of saying, when you start an application, “Okay, all these pieces of the application check out; they’re good to go.” The Component Monitor will be a large list; the more Applications you have, the larger it will be. You can block components here if you want, or remove components altogether - just be sure to click “OK” after making your changes (by default, Component Monitor is set to “Learn”; do not change it to “On” until you’ve run the majority of your applications, or you will get a lot of popups).

That said, read m0ng0d’s post on Network Control Rules, Here. This will help you understand how to work with these rules better, when you do your tweaking.

If you use any P2P applications, or do online gaming, you will need to create special rules to allow the necessary ports, etc.

Here are a list of links to FAQs; read through these as well, for specific issues like the P2P, gaming, WIFI LAN, etc.

While following these installation steps will provide you the “out of the box” security that Comodo is already famous for, please be aware that this does not mean you won’t have any problems. This is the case with any and all computers, along with any and all software; there are a lot of variables involved, and some combinations of configurations just don’t play well together. That’s where this Forum, and Comodo’s Support site, are invaluable. Use the Advanced Search feature to narrow your results to the Firewall, to look for similar problems. If you have questions that aren’t answered, or need clarification, just ask; someone will be glad to help (Note: the Moderators are not Comodo employees, but volunteer users). When posting a new topic, please keep the Subject line concise and accurate to describe the problem (for example, “CPF blocks IE7” rather than, “Help! It doesn’t work!”).

Welcome to your new Comodo Personal Firewall ~ Happy Hunting!
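An added example (not Little Mac’s or Comodo’s code) modelling the layered evaluation described above: Network Monitor rules are consulted first, in Rule ID order with the first match deciding (as in m0ng0d’s Network Control Rules post referenced above), and the Application Monitor’s allow/block list is applied within that result. The rule fields, the sample rule set, the connection attempts and the “Ask” outcome for an application with no entry yet are constructed for this example.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class NetRule:
    rule_id: int                 # position in the Network Monitor list; lower IDs are checked first
    action: str                  # "Allow" or "Block"
    protocol: str                # "TCP", "UDP", "ICMP", or "IP" (IP matches any protocol)
    direction: str               # "In" (unrequested inbound) or "Out" (our PC made the request)
    source: str                  # who initiated: IP address, CIDR zone, or "Any"
    remote: str                  # expected responder: IP address, CIDR zone, or "Any"
    port: Optional[int] = None   # destination port; None means any port


@dataclass(frozen=True)
class Attempt:
    app: str          # executable making (Out) or answering (In) the connection
    protocol: str
    direction: str
    source: str       # for Out attempts this is our PC; for In attempts the outside party
    remote: str       # for In attempts this is our PC; for Out attempts the outside party
    port: int


def ip_in(spec: str, addr: str) -> bool:
    """Match 'Any', a single IP, or a CIDR zone such as 192.168.1.0/24."""
    if spec == "Any":
        return True
    return ip_address(addr) in ip_network(spec, strict=False)


def rule_matches(rule: NetRule, a: Attempt) -> bool:
    return (rule.direction == a.direction
            and rule.protocol in ("IP", a.protocol)
            and (rule.port is None or rule.port == a.port)
            and ip_in(rule.source, a.source)
            and ip_in(rule.remote, a.remote))


def network_decision(rules: List[NetRule], a: Attempt) -> Tuple[str, Optional[int]]:
    """Walk the rules in Rule ID order; the first matching rule decides.
    Assumption of this example: an attempt no rule allows is reported as
    'Block' with no rule id."""
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if rule_matches(rule, a):
            return rule.action, rule.rule_id
    return "Block", None


def evaluate(rules: List[NetRule], app_rules: Dict[str, str],
             a: Attempt) -> Tuple[str, Optional[int]]:
    """Layered check: Network Monitor first, Application Monitor within it.
    An application with no entry is modelled as 'Ask' (the popup you would
    answer); that modelling is an assumption of this example."""
    net, rid = network_decision(rules, a)
    if net == "Block":
        return "Block", rid
    return app_rules.get(a.app.lower(), "Ask"), rid


def move_to_top(rules: List[NetRule], rule_id: int) -> List[NetRule]:
    """Renumber so the chosen rule gets ID 0 and the others keep their order,
    which is what moving a rule up the list does to the evaluation order."""
    ordered = sorted(rules, key=lambda r: r.rule_id)
    chosen = [r for r in ordered if r.rule_id == rule_id]
    rest = [r for r in ordered if r.rule_id != rule_id]
    return [replace(r, rule_id=i) for i, r in enumerate(chosen + rest)]


# Constructed rule set in the spirit of a post-wizard setup: outbound allowed,
# a trusted LAN zone allowed in for file sharing, all other inbound blocked.
LAN = "192.168.1.0/24"
RULES = [
    NetRule(0, "Allow", "TCP", "Out", "Any", "Any"),
    NetRule(1, "Allow", "UDP", "Out", "Any", "Any"),
    NetRule(2, "Allow", "TCP", "In", LAN, LAN, port=445),
    NetRule(3, "Block", "IP", "In", "Any", "Any"),
]
# Constructed Application Monitor entries (names are examples only).
APPS = {"iexplore.exe": "Allow", "system": "Allow", "spyware.exe": "Block"}

if __name__ == "__main__":
    samples = [
        Attempt("iexplore.exe", "TCP", "Out", "192.168.1.10", "64.233.160.10", 80),
        Attempt("system", "TCP", "In", "203.0.113.5", "192.168.1.10", 135),
        Attempt("system", "TCP", "In", "192.168.1.20", "192.168.1.10", 445),
        Attempt("newgame.exe", "TCP", "Out", "192.168.1.10", "198.51.100.7", 27015),
    ]
    for a in samples:
        print(a.app, a.direction, a.protocol, a.port, "->", evaluate(RULES, APPS, a))
    # Moving the catch-all block rule to the top hides the LAN rule behind it.
    print("block rule first ->", evaluate(move_to_top(RULES, 3), APPS, samples[2]))
```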

Installation Video Tutorial - by AOwl

Here is a video guide for a basic install of Comodo Firewall Pro.
If you are new to Comodo this should hopefully help you.
Go to Nordic Nature - Home
and click the “noob” install guide link.

Good luck!

Remote Installation by pandlouk

Remote installation of CFP (through Remote Desktop, VPN, etc) can be done and it is quite easy to do it.

Here are the steps to take:

  1. Install CFP with the default settings
  2. IMPORTANT Uncheck Restart the computer at the final step and select finish
  3. Import the settings from the AllowAll.reg included in the AllowAll.zip file that is attached at the end of my post.
  4. Reboot the machine and you will see that CFP will start in Allow All mode.

This way you can remotely reconnect to the computer after reboot and complete the configuration of the firewall.

Hope it helps,
Panagiotis

ps. Here is the registry entry that is included in the reg.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\Software\Comodo]

[HKEY_LOCAL_MACHINE\SYSTEM\Software\Comodo\Personal Firewall]
"SecurityLevel"=dword:00000002

Moderator’s Note: The referenced attachment (AllowAll.zip) can be found on pandlouk’s original post.

CFP v3 Installation - Step by Step by Little Mac

There are a lot of questions answered or avoided entirely by using the following steps when you initially install and set up CFP v3.

For those users familiar with CFP 2.x, this version of the firewall should be a breath of fresh air. Gone are the days of endless OLE Automation and other Application Behavior Analysis alerts.

Section 1: Preparing for Installation

1a. Uninstall any previous third-party (non-OEM) firewall; if you have WinXP, turn OFF Windows Firewall. Reboot. In general, I recommend uninstalling in SafeMode to avoid driver and service conflicts that may otherwise occur.

1b. If you have a dedicated HIPS program running, I recommend turning it off temporarily while you install and set up CFP v3 (I would include registry protection applications in this category as well). It may block some components and not warn you, thus causing conflicts and improper installation. You can reactivate it once you have CPF up and running.

1c. If you have an active/real-time antivirus or antispyware applications running, I recommend turning these off (completely disable all real-time function) temporarily while you install CFP v3. Although they should not conflict directly, the load on the system may result in installation problems.

Section 2: Installing Firewall and Defense+ (HIPS module). During installation, you have the option to install both FW and HIPS, or just FW. We’re going through a “basic” installation of both. We’re not choosing any “advanced” options such as allowing inbound connections (for p2p, file/print sharing, ICS), custom configurations, etc. There are other tutorials geared toward these things, which can be accomplished later on.

2a. Install CFP. For you visual types, I have captured screenshots for every step of the way. Rather than post 12 screenshots, I’ve attached a PDF file of this tutorial with all screenshots contained therein. So to see the screenies in context, please download and read through that. The first one simply reflects the need for step 1a.

2b. The next picture simply starts the Installer. Obvious, yes?

2c. The EULA. Read it, run EULALyzer on it, etc. If you don’t agree with it, don’t install the product… By the way, if you click “I Decline” you won’t be able to install. I wouldn’t mention any of this except there have been questions in the past about EULAs. Basically you just need to be aware that if you don’t agree, don’t install. If you install, you’re agreeing to the EULA. A note about Comodo’s EULA – the language in it is chosen to protect Comodo, and does not mean that you cannot install the application on more than one computer. Comodo would appreciate you doing a separate download for each installation, as this helps them track the usage, but Melih has stated more than once that it’s not mandatory; it’s to protect them against people redistributing the software in a manner not approved by Comodo.

2d. Where to install? It’s best to choose the default location. If you go with a custom filepath for the installation, it might cause problems (not saying it will, just that it may).

2e. The start of the Configuration Wizard. This is where our options will start showing up.

2f. Like I said, we’re doing both FW and HIPS, so we’ll take the top option. Just choosing “Basic Firewall” means that the HIPS won’t be installed, you won’t have protection against trojans, keyloggers, leaktests, etc (all the things a HIPS module would do). Even though you install HIPS now, you can still disable it later; for those who only want to install the FW, you can still enable the HIPS module later on, as it will be there.

2g. This next option is where we enable the built-in, fully digitally signed and encrypted safelist (or whitelist). This is a list of applications which Comodo has fully analyzed in their labs and is known to be safe and legitimate. Comodo creates a digital cryptographic signature for the application, and placed in their encrypted safelist. When an application on the computer runs, it is matched against this list; if the cryptographic signature is an exact match, the program is allowed to continue; if it doesn’t match, you will be given an alert in accordance with your security settings, so that you can take appropriate action. If the application has been tampered with, or merely has the same name as a known application, it won’t match. As of mid-January 2008, there are more than 1 million signed applications in Comodo’s safelist database, and it continues to grow based on user submissions (please do use the Submission feature to send more apps to Comodo for analysis, even if you consider/know them to be safe).

This safelist is one of the strong features of v3, and is there to make using a powerful HIPS as easy as possible. You may choose not to use the safelist, but you will have 1000 popups a minute (or maybe more…)!

2h. If you use ICS, p2p applications, or file/print sharing (such as on a corporate LAN), you need to allow unsolicited inbound connections. Since we’re doing a “basic” setup here, we’re choosing “No, I don’t”; there are tutorials for ICS, p2p applications, and so on here in the forums to help you set it up later on – don’t worry about not being able to get it going if you skip the step here.

2i. Here’s another place we’re going with “basic” rather than a custom setup. This is the best way starting out, as you can still refine your settings as you go. If you were to choose Custom Settings here you’d be given more options (and it would be quite easy for you to lock the HIPS module down way too tight to be easily used).

2j. Now you’re done, and just need to reboot! Yay!

3. After rebooting, CFP v3 will start with Windows. Firewall will be set to “Train with Safe Mode” which means that the safelist discussed earlier will be used to allow known applications to access the internet as needed (including Windows updates, etc). Defense+ (HIPS) will be set to “Clean PC Mode” which presumes that every application (executable) on your machine is safe (not to be confused with the safelist, which is a different thing). This is fine, since you shouldn’t be installing the FW if your computer isn’t “clean” anyway. However, this means that if you have proof of concept applications already on your machine (such as leaktests) and run them, they will be allowed! In order to test v3 against such things, you must change to Train with Safe Mode before running them.

3a. Shortly after logging into Windows, you get the following popup from CFP, that it has detected a new network, and provides options to either be visible to the network (you will need this for corporate LAN and/or file/print sharing), or not have CFP tell you when new networks are detected. It states that you may close the window to skip it. I will tell you that you have to at least click OK (without choosing anything) or this will reappear every time the FW starts.

You may tell it not to detect networks, but that is actually a security feature – if someone physically added a 2nd network card, or wormed their way into your wireless network and started changing things, attempted to subvert your system by running a virtual network adapter, etc, this will help you be warned. So just a quick explanation about that.

4. Installation Mode. On v3’s Summary page, toward the bottom in the Defense+ section you will see a line that says, “Switch to Installation Mode”, right next to an icon commonly used for installation packages. Before you install any new application, click this to switch modes. This allows v3 to monitor the installation process so that the HIPS won’t interfere with the install, but still protect your machine from other unrelated processes running which shouldn’t be.

When you do this and run the installation package, you will first get an alert that explorer.exe is accessing the installation executable; you may respond with Allow (but not Remember). The next alert will be that the installation executable is attempting to run (and access something); select in the dropdown to “Treat as an Installer” but not Remember (see screenshot). This will allow the installation to occur several levels deep (such as a completion after reboot, as some applications do). But if something new unrelated to the installation attempts to run, v3 will alert you.

5. While following these installation steps will provide you the “out of the box” security that Comodo is already famous for, please be aware that this does not mean you won’t have any problems. This is the case with any and all computers, along with any and all software; there are a lot of variables involved, and some combinations of configurations just don’t play well together. That’s where this Forum, and Comodo’s Support site, are invaluable. Use the Advanced Search feature to narrow your results to the Firewall, to look for similar problems. If you have questions that aren’t answered, or need clarification, just ask; someone will be glad to help (Note: the Moderators are not Comodo employees, but volunteer users). When posting a new topic, please keep the Subject line concise and accurate to describe the problem (for example, “CPF blocks IE7” rather than, “Help! It doesn’t work!”). Also please look, and post, in the v3 section of the firewall boards, as 2.4 is still an active supported application; if you post in the wrong area, it will confuse the matter and interfere with our ability to answer your question.

Welcome to your new Comodo Firewall Pro v3 ~ Happy Hunting!

Detailed Explanation of Internet and Networking Terminology. By panic

INTERNET AND NETWORKING TERMINOLOGY FOR BEGINNERS

As you go through these forums, you may have come across some terms that you don’t understand. This overview is designed to take some of the mystique out of these terms and explain them in a way a beginner can understand (hopefully).

Wherever possible, I’ll try and explain these terms and concepts using the analogy of the phone system. If you’re a teenager - it’s a given, but I am assuming that the rest of you know how to use a phone.

The explanations aren’t of a technical nature. They’re more designed to explain the concept, rather than the nuts and bolts. Sort of like - “Look - car go vroom!”, rather than “I think the gearing ratio is a little too high to sustain the torque through the optimum powerband of the motor.”

There’s a fair bit of reading here, but please don’t be intimidated - it’s pretty much laid out how I explained this type of stuff to my mum, and she got it, so there’s hope for every one of you.

THE BIG STUFF

NETWORK
A network is simply a collection of devices that are connected to each other and can make themselves (and their resources) available to other devices that are connected. Printers, scanners, computers, switches, routers - individually these things are just what they are, but when they are connected correctly, they can form a network.

In a telephone sense, a phone handset is just that - great fun to press the buttons but can’t do much on its own. Plug it in to a phone socket and the usefulness of the phone extends way beyond just pressing buttons. In this case the phone is part of the network, the local phone exchange and the rest of the phone company’s wires and stuff completes the network. And the phone on the other end of the line, of course.

LAN (Local Area Network)
A Local Area Network (LAN) is exactly what its name implies - a network that has strictly defined, local boundaries and the resources connected to that network can’t see beyond its boundaries.

In a phone sense, this would be like a set of intercoms in your house. Each intercom can connect to and talk to the other intercoms in the house, but they can’t connect to the phone system and talk to anyone outside your house.

INTERNET
Ah, the internet. How would we have wasted so many hours without it?

The internet, as a whole, is just an extremely big number of networks that have a series of connections between them and allow communications to pass from one network to the other. The term “Internet” actually means “Internetwork”.

In a phone sense, the internet is the global phone system that allows you in your home to call anyone, anywhere else in the world, providing they have a phone that can accept calls from the global phone system.

HARDWARE - THE STUFF YOU PLUG CABLES INTO

NIC (Network Interface Card)
To connect to a network, you have to have a Network Interface Card (NIC). This is either a separate card installed in your PC or integrated into the motherboard (the biggest thing with chips on it) in your PC. Each NIC contains a unique address known as the MAC address. That’s right - EVERY NIC ever made in the world has a unique address. This is one of the ways that serves to differentiate one network connected device from another network connected device. It is the critical bit that sends and receives the data across the network you are connected to. It sends music, pictures, words etc. in the form of electronic “dots and dashes” across the network.

In a phone sense, the NIC is the phone handset. It is what connects your data (your voice) to your network (your phone service). Just as your phone transmits an electronic representation of your voice across the phone service, the NIC transmits an electronic representation of your data across the network.

HUB
A hub is a small box with several computer cable connections in it. It allows several computers to be connected together. When you send data to another device through a hub, the data is sent to every device connected to the same hub and it is rejected by those devices the data isn’t intended for and accepted by the device it is intended for. How does it know who it’s intended for? We’ll get to that in a minute.

In a phone sense, a hub is like a box that allows a simultaneous broadcast to all the other intercoms at the same time. Only the intended recipient would listen to the actual message (like that’s ever going to happen - we all love gossip! LOL)

SWITCH
A switch is like a hub with brains. When each device that is connected to it is turned on, the switch makes a note of its MAC address. When it receives a chunk of data from someone on the network, it looks at the address of the intended recipient, checks its table of what device is connected to what switch connection and sends the data only to that recipient. This is where hubs and switches differ. A hub sends it to everyone but only one accepts. A switch sends it to the intended recipient only.

In a phone sense, this would be like an intercom that had buttons on it that you could press to connect to a particular intercom in your house, rather than sending a broadcast message to everyone (Oh well, there goes the gossip.)

ROUTER
Remember how we said a LAN had strictly defined boundaries that constrained the devices on your network? As always, there is an exception to this rule. A router is a device that can connect to two networks simultaneously. A common example of this is where you have a router installed at your house to enable connection to the internet. Computers on your LAN connect to the router (most routers have a built in switch) and the router connects to the internet. The router accepts data from your LAN intended for the internet, does a bit of fiddling and fudging with addresses and sends your request to the internet. When it gets a response back from the internet, it fiddles and fudges again and forwards the response back to the PC that originally requested it. Millions of times a second. Good thing we only have to use it, not understand it!

In a phone sense, a router is like a switchboard in your works office. The switch part of the router is like the switchboard connecting two internal extensions. The router part of the router is like when an internal extension dials an outside number. The switchboard receives the outgoing call, opens a connection to the outside phone system and passes the connection through.

CAT5 / CAT5e / CAT6
These are different types of computer cables. They all do the same thing - allow data to be transmitted along them. The numbers simply refer to their highest possible transmission speed.

In a phone sense, it’s a cable. What did you expect me to say?

THE NITTY GRITTY (OR PART THEREOF)

IP ADDRESS
Remember how NICs have a unique MAC address (Aren’t we getting good at acronyms? Get used to it - they just don’t stop in computer speak. LOL). This MAC address identifies the actual piece of hardware in your computer. To identify your computer in relation to the other computers on your LAN, an IP (Internetwork Protocol - we’ll get to protocols in a second) address is applied to the computer. Windows does a good job of assigning IP addresses automatically. Most of the time you won’t have to worry about the IP address of your PC. An IP address consists of four segments of numbers. You may have seen something like 192.168.1.1. This is an IP address. There are several classes of IP addresses. 192.168.1.1 is an example of a private address. This type of address is used on LANs and not on the internet. A router, sort of, has two NICs in it - one has a private address for your LAN, the other has an address assigned to it by your ISP and allows the router to connect to the internet. This is how it acts as a bridge between the two networks (your home network and the internet).

In a phone sense, the IP address is like your internal extension number. It serves to differentiate between one extension and another.

I know that I’ve used the phone extension analogy before, but I’m running out of “phone” type ideas.

PROTOCOL
A protocol is a defined standard of data packaging and transmission for a given type of communication. Whew! In a nutshell - protocols are “dialects” for particular types of connections that determine the syntax two devices are going to use for a particular connection. IP is a protocol, ICMP, TCP and UDP are other common protocols.

PORT
The IP “stack” (as the IP connection bit is called) talks to the NIC and listens to the NIC to send and receive data, but it’s a bit cleverer than just being able to talk and listen to one conversation at a time. It can handle multiple inbound and outbound conversations at the same time, and it does this through what it calls ports. These are sort of like channels on a TV. You’ve got one TV set (I did tell you I was running short of phone analogies.), but it can receive and display multiple channels.

There are standard ports for different types of data. Web pages are sent from port 80 on the web server, FTP (File Transfer Protocol) uses port 21, sending email (called SMTP - Simple Mail Transport Protocol) uses port 25, receiving email (called POP - you may have already heard the expression POP mail account or POP3) uses port 110. There are over a thousand standard ports (1056, in fact) as well as many thousands of other ports that your PC will use to receive data. Luckily, this is transparent to your use of the PC.

I can’t imagine a witty phone analogy for this, so I won’t.

DNS
DNS stands for Domain Name Services and a DNS server resolves a domain name into an IP address. Every server on the internet has an IP address and this is the address that is used to send and receive data. “But how come we type in www.google.com, and we get google.com? How come we don’t have to know the IP address of the google server?”

When you request www.google.com in your browser, the request for google’s home page is sent initially to your ISP’s DNS server. The server receives your request for google.com and looks it up in its list. If it has the IP address for google.com, it inserts the IP address into your data request and forwards it to the internet. This is how the words you type get converted into the IP address of what you are looking for.

In a phone sense, this would be like you ringing your switchboard at work and asking them to put you through to XYZ Company, as you don’t know their phone number. The switchboard operator would then look up XYZ’s phone number and connect you. DNS servers don’t care how many times you ask to be connected to someone, rather than typing an IP address yourself. Switchboard operators are another matter.

FIREWALL
A firewall is a piece of software or hardware that sits in between you and the internet/LAN and controls the flow of data to and from your PC based upon a defined set of rules. These rules are designed to allow legitimate communications but to block bad communications getting into and leaving your PC.

Comodo Personal Firewall is an example, par excellence, of what is called a personal firewall. It is called a personal firewall because it is a software firewall loaded on a single PC (which may or may not be on a network) and is designed to monitor and control the flow of data in and out of that one PC. A hardware firewall would typically be in between an entire network and an internet connected router and is designed to monitor and control the data going to or from all of the PCs on the network.

In a phone sense, a personal firewall is sort of like call screening, but automatically disconnecting the people you’ve already told the phone you don’t want to talk to. A hardware firewall is like the switchboard operator.

I hope this information is clear enough, without getting too bogged down with detail.

If there are any other PC, internet or computer technology terms you would like explained, please send me an IM on this forum, and I’ll add it to this listing.

Detailed Explanation of Network Monitor Rules. By m0ng0d.

If you’re like me, your experience with software firewalls has primarily been an application is trying to receive/send some form of communication… do you wish to allow it?.. we say yes/no, choose whether it should remember our answer, and life continues until the next prompt.

Not that there is anything wrong with that experience, that was the norm for our beloved firewalls of old… until one day we realize that the product(s) we’ve stuck with (or flipped between) hasn’t been updated for months/years, or is a resource hog, etc… and found ourselves searching for, finding, and installing Comodo Personal Firewall (CPF).

We open up CPF for the first time, see an Application Monitor, and get all excited like we found our comfort zone once again. And for the most part, we are right, but here is where our education begins, as Application Control Rules don’t operate alone… they require Network Control Rules (within the Network Monitor) to set the stage for all communication flow. (I think I have read this referred to as Traffic Shaping.)

Now we can bring a quick end to our education by using the Add a trusted zone Wizard (within Tasks) which will help create some core rules to let some basic communication flow in/out of our PC… but where is the fun in that? And what would we have learned?

(if you are interested in the learning curve I went through, check out https://forums.comodo.com/index.php/topic,1102.0.html)

So let’s start the education!

Now before we jump into Network Control Rule creation, let’s get the Rules Terminology straight.

Network Control Rule’s Terminology

Rule ID - sets the order Rules are applied. A communication attempt starts at the top of the Network Control Rules (ID 0), and works its way down through the Rules (unless stopped/blocked) until it finds a Rule that allows the communication (unless blocked before it hits that Rule).

Action/Permission - when a communication attempt occurs, do we want to Allow or Block it?

Protocol - “A convention or standard that controls or enables the connection, communication, and data transfer between two computing endpoints.” Or more simply put, the type of communication (i.e. IP, TCP, UDP, etc…) Communication protocol - Wikipedia

Port - TCP and UDP protocols typically use ports to map data to a particular process running on a computer. As an example, a server used for sending and receiving email may provide both an SMTP and a POP3 service; these will be handled by different server processes, and the port number will be used to determine which data is associated with which process. Port (computer networking) - Wikipedia

Direction: Communication requests can hit our PC whether we’ve asked for it or not

* Inbound Rule - defines unrequested inbound communication (for the selected Protocol)... like hackers probing our ports, or a friend on our LAN trying to join the FPS/RTS game we are hosting.
* Outbound Rule - defines requested inbound communication (for the selected Protocol)... like opening IE, "requesting" google to load, and receiving the inbound homepage

Source IP - who made the request for communication (IP address or Range/Zone)

Remote IP - who is responding to a request for communication, or is the expected responder (IP address or Range/Zone)

*** For more verbose terminology definitions for these and other things, please refer to Ewen’s Internet and Networking Terminology for Beginners ***

One of the most important observations on the definitions above (other than the hierarchy of the Rules set by the Rule ID) is that both InBound Rules and OutBound Rules control information coming into our PC. InBound Rules deal with incoming information/communication we didn’t ask to happen (but may want to happen), while OutBound Rules deal with incoming information/communication we asked to happen.

Ok, assuming that my definitions are well in hand, let’s start putting some of them together; specifically showing how Source and Remote relate to Inbound Rules and OutBound Rules.

Source

* InBound Rules use Source to define who is trying to send our PC information.  Like another PC on our LAN, or a hacker sitting in his/her mom's basement on some other continent.
* OutBound Rules will always have a Source of our PC (whether we specifically set its IP address, its subnet / Zone, or use Any)... when we launch IE to browse Google, it is us on our PC making the request to open the webpage.

Remote

* InBound Rules will always have a Remote of our PC (whether we specifically set its IP address, its subnet / Zone, or use Any)... whether it's another PC on our LAN looking for Shares/Printers or to join a game hosted on our PC, or the hacker in his/her mom's basement, our PC is the expected responder.
* OutBound Rules use Remote to define who is the expected responder to our request for communication/information... the rule needs to know we are expecting google to respond to our request to load the google homepage.

On with some Rules!

Alright, I think we have enough to try creating our first Network Control Rules. So let’s think about what we want, then try using the building blocks of the Rules (our terminology definitions) we’ve looked at to create a rule for it.

Rule A
Where should we start? How about keeping that hacker, probing for ports, off our PC? Good plan! I like how you think.

I want to… Block attempts by a hacker (outside my network/PC) from reaching my PC, regardless of what protocol they try to use.

Using the Rule building blocks: (after selecting to Add a new Rule)
Action: Block (we want to make a rule to stop the hacker) (I also suggest checking the “create an alert if this rule is fired” option so that attempts [good or bad] blocked by this rule are logged)
Protocol/Direction: IP In (The hacker’s communication attempt will be one we didn’t request to occur)
Source IP: Any (I know what you’re thinking… we said we wanted to stop communication from outside our network, and Any would also mean the LAN!! Good observation. We’ll need another rule to fix that by allowing the LAN communication before it hits this Block All catch rule… so let’s make that rule next [Rule B])
Remote IP: Any (remember, InBound Rules will always have a Remote of our PC [whether we specifically set its IP address, its subnet / Zone, or use Any])
IP Protocol: Any (regardless of what protocol they try to use. Did you notice when you selected Any from the dropdown list here all the protocol types Any covers?)

And there is our First Network Control Rule!

Rule B
So we discovered that Rule A was pretty aggressive and even Blocked our LAN. But remember what we learned about Rule IDs and the order Rules are applied? If we put a new Rule (Rule B) before Rule A that Allows other PCs on our LAN to send communication requests, we should be Ok, right? Right.

And what if you aren’t on a LAN? Then this rule means nothing to you.

Note: Now before we get started on this Rule, I want to mention something useful that we’ll want to make sure we have set. I don’t know about you, but I don’t want to have to type the IP addresses (or ranges) for the PCs on my network when I’m defining Rules, so unless you have a [LAN] or [Home Network] Zone defined, please do that now by switching to the Tasks tab and pressing the Add a New Zone button… give it a name and a start/end range. Good!

I want to… Allow all requests for communication from other PCs on my LAN to my PC

Using the Rule building blocks: (now we could select to Add a new Rule and move it above Rule A, or you could right-click Rule A… Add Rule… Add Before [either way works])
Action: Allow (we want to make a rule to let the other LAN PCs make requests to us)
Protocol/Direction: IP In (The LAN communication attempt will be one we didn’t request to occur, but we expect that)
Source IP: Zone: [LAN] (Any PC on our LAN can now send our PC information/requests)
Remote IP: Any (remember, InBound Rules will always have a Remote of our PC [whether we specifically set its IP address, its subnet / Zone, or use Any])
IP Protocol: Any (All request/communication types [similar to Rule A, except this time we are Allowing])

And there is our Second Network Control Rule!

Rule C
So far we have set the way we want CPF to handle incoming communication to our PC that wasn’t requested by us. So I guess our next rule should take care of incoming replies to requests we made for communication, like to support our IE/Firefox requests for webpages, or us trying to join a friend who is hosting a LAN game.

I want to… Allow responses to come back to my PC from anywhere (the Web or the LAN) that were requested from my PC.

Using the Rule building blocks: (just as with Rule B, we could select to Add a new Rule and move it above Rule A, or you could right-click Rule A… Add Rule… Add Before [either way works])
Action: Allow (we want to make a rule to let our PC receive a response to a request it made)
Protocol/Direction: IP Out (We are starting a request that will return a response)
Source IP: Any (remember, OutBound Rules will always have a Source of our PC [whether we specifically set its IP address, its subnet / Zone, or use Any])
Remote IP: Any (let the responder to our request come from anywhere, LAN or Web)
IP Protocol: Any (All request/communication types [similar to Rule B])

And there is our Third Network Control Rule!

Rule D
Now sometimes a response to our communication request is going to come in on a different port. Take Bittorrent for example: we request a file and the download starts on a predetermined/configured TCP/UDP port, i.e. 6881 by default. For each file we want to download simultaneously, we need a new TCP/UDP port, i.e. to download 4 we would need 4 ports… 6881, 6882, 6883, & 6884. Similar to opening the ports on our Firewalls/Routers (without the need for forwarding, as the communication is already coming into our PC).

I want to… Allow requests for incoming TCP/UDP communication (on ports 6881, 6882, 6883, & 6884) from any PC on the web to my PC

Using the Rule building blocks: (just as with Rule B, we could select to Add a new Rule and move it above Rule A, or you could right-click Rule A… Add Rule… Add Before [either way works])
Action: Allow (we want to make a rule to let requests be made)
Protocol/Direction: TCP/UDP In (Even though we asked to download a file [feels outbound], the response is coming back on a different port than our request; therefore, it is going to look like the remote PC is trying to request an inbound communication)
Source IP: Any (Let the request come from anywhere… somewhere on the web in this case)
Remote IP: Zone: [LAN] (remember, InBound Rules will always have a Remote of our PC [whether we specifically set its IP address, its subnet / Zone, or use Any])
Source Port: Any (we don’t care what port it left the remote PC on in this case)
Remote Port: A set of ports [6881,6882,6883,6884] (we only want to allow the remote PC to send to the ports we configured Bittorrent to use)

And there is our Fourth Network Control Rule!

Hopefully this has been enough combinations to give you the basis for thinking of new Network Control Rules you may need to define.
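As an added illustration (not from the tutorial and not Comodo code), the Python model below walks Rules A to D top-down the way the Rule ID order describes, and also shows what happens when the Block-all Rule A is left at ID 0. The [LAN] zone 192.168.1.0/24, the sample addresses and the assumption that traffic matching no rule is blocked are constructed for the example.

```python
"""Model of how CPF v2 Network Control Rules are walked top-down (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

LAN_ZONE = ip_network("192.168.1.0/24")       # assumed [LAN] zone (constructed)
BITTORRENT_PORTS = {6881, 6882, 6883, 6884}   # the ports used in Rule D


@dataclass
class Rule:
    """One Network Control Rule, built from the tutorial's building blocks."""
    name: str
    action: str                    # "Allow" or "Block"
    protocol: str                  # "IP" (IP Protocol = Any), "TCP", "UDP" or "TCP/UDP"
    direction: str                 # "In" (unrequested) or "Out" (requested by us)
    source_ip: str                 # "Any", "Zone:LAN" or a single IP
    remote_ip: str                 # "Any", "Zone:LAN" or a single IP
    remote_ports: Optional[Set[int]] = None   # None means Any
    log: bool = False              # "create an alert if this rule is fired"


@dataclass
class Packet:
    """A communication attempt as CPF classifies it."""
    direction: str                 # "In" or "Out"
    protocol: str                  # "TCP", "UDP", "ICMP", ...
    source_ip: str                 # who made the request (Source)
    remote_ip: str                 # who is expected to respond (Remote)
    remote_port: Optional[int] = None


def _ip_ok(spec: str, ip: str) -> bool:
    if spec == "Any":
        return True
    if spec == "Zone:LAN":
        return ip_address(ip) in LAN_ZONE
    return ip_address(ip) == ip_address(spec)


def _proto_ok(spec: str, proto: str) -> bool:
    # "IP" with IP Protocol = Any covers everything carried over IP
    return spec == "IP" or proto in spec.split("/")


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and _proto_ok(rule.protocol, pkt.protocol)
            and _ip_ok(rule.source_ip, pkt.source_ip)
            and _ip_ok(rule.remote_ip, pkt.remote_ip)
            and (rule.remote_ports is None or pkt.remote_port in rule.remote_ports))


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[str]]:
    """Walk the rules from ID 0 downward; the first matching rule decides.

    Returns (action, rule name). No match is treated as Block here; that default
    is an assumption, the tutorial only says traffic proceeds until a rule allows it.
    """
    for rule in rules:                         # list position == Rule ID
        if rule_matches(rule, pkt):
            if rule.log:
                print(f"ALERT: {rule.name} fired on {pkt}")
            return rule.action, rule.name
    return "Block", None


def tutorial_rules() -> List[Rule]:
    """Rules A-D from the tutorial, with B, C and D placed above the catch-all A."""
    rule_b = Rule("Rule B", "Allow", "IP", "In", "Zone:LAN", "Any")
    rule_c = Rule("Rule C", "Allow", "IP", "Out", "Any", "Any")
    rule_d = Rule("Rule D", "Allow", "TCP/UDP", "In", "Any", "Zone:LAN", BITTORRENT_PORTS)
    rule_a = Rule("Rule A", "Block", "IP", "In", "Any", "Any", log=True)
    return [rule_b, rule_c, rule_d, rule_a]    # IDs 0, 1, 2, 3


def misordered_rules() -> List[Rule]:
    """The same rules, but with the Block-all Rule A left at ID 0."""
    rules = tutorial_rules()
    return [rules[-1]] + rules[:-1]


# Constructed sample traffic; the addresses are documentation ranges, not real hosts.
PORT_PROBE = Packet("In", "TCP", "203.0.113.9", "192.168.1.10", 445)      # outside probe
LAN_SHARE = Packet("In", "TCP", "192.168.1.20", "192.168.1.10", 445)      # LAN neighbour
WEB_REQUEST = Packet("Out", "TCP", "192.168.1.10", "198.51.100.80", 80)   # our browser
TORRENT_PEER = Packet("In", "UDP", "198.51.100.7", "192.168.1.10", 6882)  # Rule D port
WRONG_PORT = Packet("In", "UDP", "198.51.100.7", "192.168.1.10", 6885)    # not configured

if __name__ == "__main__":
    samples = [("probe", PORT_PROBE), ("LAN share", LAN_SHARE), ("web", WEB_REQUEST),
               ("torrent peer", TORRENT_PEER), ("wrong port", WRONG_PORT)]
    for label, pkt in samples:
        print(f"{label:13} ordered: {evaluate(tutorial_rules(), pkt)}"
              f"  misordered: {evaluate(misordered_rules(), pkt)}")
```

With the rules in the tutorial's order the LAN share request is allowed by Rule B; with Rule A at ID 0 the same request is blocked before Rule B is ever consulted, which is the mistake the tutorial warns about.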

Editor’s Note: This tutorial was written for an older version of Comodo Personal Firewall. Some of the wording is different in current versions, but the principles are the same. Don’t get thrown off if what you see in Comodo Firewall Pro is not exactly the same…

How to Protect your WiFi LAN. By pandlouk

Now that more and more people buy wifi-dsl-routers, the security risks for the users grow.

Last month I read an article in an Italian magazine about this. The journalist who wrote it had made a test in Milano, Italy, to see if the Wifi-lans of the users are protected.
The results were that of the over 1000 wifi-lans they tried to get access to, they succeeded on more than 85%, which is pretty impressive. A lot of people put in wifi-dsl-routers but don’t really have a clue about the risks of wireless networks.

The great difference between a cable-LAN and a Wifi-LAN is that on a cable-LAN someone can get access by physically connecting to the network with a cable, and for doing this must have access to your environment. On the other side, on a Wifi-LAN someone can get access to your network and your internet connection from a distance; and this can be very risky!!!

How can we protect our wifi-Lans?

  1. The first thing to do is to change the default username and password on the router. A strong password is required. By this we can be sure that no one will have access to our router’s settings.

  2. Make another password that will be needed by every computer or machine that needs to get access to the network. This password must be even stronger than the first one. Prefer a WPA (or better WPA2) key and not WEP; it is much safer. Better use 128-bit encryption, which means that your password has to be 13 characters long. Be sure not to use your or your family members’ names (these will be the first that people who know you will use to get access).

  3. In Comodo Personal Firewall, instead of adding your entire network range as a trusted zone, add only the IP address of your wifi-router as trusted. By this, even if someone succeeds in getting into your wifi-network, he won’t have access to your computer and your personal documents.

  4. If you want to have access to other computers or machines on your network, give them a permanent (static) IP address (this can be done in the router’s LAN settings) and add these IP addresses as trusted in your CPF.

PS. It can be a little annoying doing all this, but remember it has to be done only once and it will maximize your protection.

edit: 04/02/07 (d/m/y)
It is wise to also restrict the range of computers that can connect at the same time to your LAN. This depends on the “subnet mask” of your network (LAN settings).
If you want to connect:

  * 1 PC: change it to 255.255.255.252
  * 5 PCs: change it to 255.255.255.248
  * 13 PCs: change it to 255.255.255.240
  * 29 PCs: change it to 255.255.255.224
  * 61 PCs: change it to 255.255.255.192
  * 125 PCs: change it to 255.255.255.128
  * 253 PCs: leave it as it is, 255.255.255.0
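The table above follows from the mask length: a mask with prefix n leaves 2^(32-n) addresses, and the network address, the broadcast address and the router itself are not usable by PCs. The following Python, added here and not part of pandlouk’s post, derives each entry and its inverse (the tightest mask for a given number of PCs); the single-router assumption is the post’s.

```python
"""How the subnet-mask table above is derived (added example, not from the post)."""
from ipaddress import IPv4Network

# A /n mask leaves 2**(32-n) addresses; the network address, the broadcast address
# and the router itself cannot be used by PCs, so PCs = 2**(32-n) - 3.
# Assumption: one router per LAN, as in the post.
RESERVED = 3


def pcs_for_mask(mask: str) -> int:
    """Number of PCs that fit behind a dotted-decimal mask such as 255.255.255.240."""
    net = IPv4Network(f"0.0.0.0/{mask}")       # dotted mask -> prefix length
    return net.num_addresses - RESERVED


def mask_for_pcs(pcs: int) -> str:
    """Tightest mask that still fits `pcs` PCs, i.e. the inverse of the table."""
    for prefix in range(30, 23, -1):           # /30 (1 PC) down to /24 (253 PCs)
        net = IPv4Network(f"0.0.0.0/{prefix}")
        if net.num_addresses - RESERVED >= pcs:
            return str(net.netmask)
    raise ValueError("more than 253 PCs do not fit in a /24 LAN")


# The post's table, reproduced so it can be checked against the formula.
TABLE = {1: "255.255.255.252", 5: "255.255.255.248", 13: "255.255.255.240",
         29: "255.255.255.224", 61: "255.255.255.192", 125: "255.255.255.128",
         253: "255.255.255.0"}


def table_is_consistent() -> bool:
    """True when every table row agrees with the formula in both directions."""
    return all(pcs_for_mask(m) == n and mask_for_pcs(n) == m for n, m in TABLE.items())


if __name__ == "__main__":
    for n, m in TABLE.items():
        print(f"{n:4} PCs -> {m}  (formula gives {pcs_for_mask(m)})")
    print("table consistent:", table_is_consistent())
```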

Online Games Tutorial. By pandlouk.

This is a mini tutorial on how to enable online gaming with CPF 2.2.0.11 and later versions.

First you have to open the ports your game uses for communicating with the internet. To do so, go to the “network monitor” tab of CPF and add the following rule:

Action = Allow
Protocol = TCP or UDP
Direction = In
Source IP = Any
Remote IP = your IP address (you can also use “Any” if you are using a modem and not a router; by this you won’t have to change the IP address every time you connect to the internet)
Source port = Any
Remote port = “A set of ports” (= the ports your game uses for the TCP and UDP connections)

After that remember to move this rule up, over the default rule “Block IP in”. (CPF “reads/applies” the rules from the top to the bottom)

*If you are still having trouble connecting, then you must go to the “Application monitor” tab, select the executable of the game, right-click it and select “edit”.
Then check the following two boxes in the application rule’s “Miscellaneous” section:
“Allow invisible connection attempts”
“Skip advanced security checks”

Now your game should be able to connect to the internet without any problems.

Compilation of specific game rules. By panic.

Editor’s Note: This one is a “work in progress.” I’m posting a link here for you to keep your eye on. Once Ewen says it’s ready, I’ll post the compilation here.

EMule & Bittorrent. By pandlouk.

EMULE
A mini tutorial on how to open ports for emule
First you must go to the “Network Monitor” panel.
There you should right-click and choose “Add rule”->“add”;
in the new window that appears you should put the following rules:

  1. Rule for TCP protocol

Action = Allow
Protocol = TCP
Direction = In
Source IP = Any
Destination IP = your computer’s IP address (you can also use “Any” if you are using a modem and not a router; by this you won’t have to change the IP address every time you connect to the internet)
Source port = Any
Destination port = the port your Emule uses for the TCP connections

  2. Rule for UDP protocol

Action = Allow
Protocol = UDP
Direction = In
Source IP = Any
Destination IP = your IP address (or “Any”)
Source port = Any
Destination port = the port your Emule uses for the UDP connections

Bittorrent
A mini tutorial on how to open ports for bittorrent and similar p2p programs
Go to the “Network Monitor” panel and add the following rule

Rule for TCP/UDP protocol

Action = Allow
Protocol = TCP or UDP
Direction = In
Source IP = Any
Destination IP = your computer’s IP address (or “Any”)
Source port = Any
Destination port = the port your bittorrent program uses for the TCP/UDP connections

You must move the rules up, over the default rule “Block IP in”. (CPF “reads/applies” the rules from the top to the bottom)

PS. Remember that for CPF “Source IP” is the address of the computer which sends the data and “Destination IP” is the computer that receives them. When your computer sends data it is considered the Source; when it receives them it is considered the Destination.

by pandlouk

edit (27/10/2006)
For using the search in Kad you must disable the feature “Do protocol analysis”
IMPORTANT
you will have to disable the UPnP option from the program you use if you want this guide to work properly. If you don’t disable it you will have NAT problems.

example for Azureus:
Azureus → Tools → Options → Plugins → UPnP
There uncheck “Enable UPnP”

EMule & BitComet. By ubuntu

eMule Network control rules

  1. Set eMule to use TCP port 4662 and UDP port 4672 (in eMule’s settings)
  2. CPF -> Network Monitor: add 2 rules

ALLOW TCP IN FROM IP [Any] TO IP [Any] WHERE SOURCE PORT IS [Any] AND DESTINATION PORT IS 4662

ALLOW UDP IN FROM IP [Any] TO IP [Any] WHERE SOURCE PORT IS [Any] AND DESTINATION PORT IS 4672

You can change Any to your static IP, like 192.168.1.2

Bitcomet Network control rules

  1. Set your Bitcomet or other BT client’s listening port. Example: 54321

  2. CPF -> Network Monitor: add 1 rule

ALLOW TCP/UDP IN FROM IP [Any] TO IP [Any] WHERE SOURCE PORT IS [Any] AND DESTINATION PORT IS 54321

You can change Any to your static IP, like 192.168.1.2

Remember to add these rules before the blocking rule (BLOCK IP IN FROM IP ANY TO IP ANY WHERE IPPROTO IS ANY), because the network rules are searched from top to bottom.

Hopefully this will help someone else in the future.

A further note from ubuntu (regarding some settings within the p2p app):

  1. Run utorrent; in Options → Preference → Connections:
    untick “Random port each time utorrent starts”
    untick “Enable UPnP port mapping”

  2. Add a Network rule for utorrent (the port must equal the Listening port in utorrent)

  3. Run utorrent; in Options → Speed Guide,
    click “Test if port is forwarded properly”

KCeasy. By pandlouk.

KCeasy is one of the best filesharing programs.
It connects to the Ares, Gnutella, OpenFT (and with a plugin, the Fasttrack) networks. It is far better than bearshare, limewire, morpheus, kazaa, imesh and a lot of other P2P programs. It is lighter than Shareaza because it can be used also with very slow internet connections such as gprs, 33kb, 56kb.
And best of all it is very fast, and it’s free and open source.

You can download it from
http://www.kceasy.com/

If you want to add the option to connect at the Fasttrack network (the one that Kazaa and Imesh use) download and install the plugin from

Remember to adjust the “maximum number of sources per download” from 4 to 8. More than 8 can cause a lot of problems even for very fast connections.

And now let’s explain what rules we should use under the “network monitor” tab of CPF.

Rules for TCP/UDP protocol

Rule 1 (Gnutella network)

Action = Allow
Protocol = TCP or UDP
Direction = In
Source IP = Any
Destination IP = your IP address (or “Any”)
Source port = Any
Destination port = 6346

Rule 2 (Ares network)

Action = Allow
Protocol = TCP or UDP
Direction = In
Source IP = Any
Destination IP = your IP address (or “Any”)
Source port = Any
Destination port = 59049

Rule 3 (OpenFT network)*

Action = Allow
Protocol = TCP or UDP
Direction = In
Source IP = Any
Destination IP = your IP address (or “Any”)
Source port = Any
Destination port = A port range → Start Port = 1215, End Port = 1216

Rule 4 (Fasttrack network)*

Action = Allow
Protocol = TCP or UDP
Direction = In
Source IP = Any
Destination IP = your IP address (or “Any”)
Source port = Any
Destination port = 1214

*If you want you can use a merged rule of the above rules 3 and 4. It should look like this:

*Merged rule 3-4 (OpenFT and Fasttrack networks)

Action = Allow
Protocol = TCP or UDP
Direction = In
Source IP = Any
Destination IP = your IP address (or “Any”)
Source port = Any
Destination port = A port range → Start Port = 1214, End Port = 1216

PS. After creating the rules remember to move them up, over the default rule “Block IP in”. (CPF “reads/applies” the rules from the top to the bottom)

DC++. By pandlouk.

A mini tutorial on how to open ports for DC++.

First thing you must configure your DC++ client:
Go to the “connection settings” tab of DC++;
there select “firewall with manual port forwarding”

Ports → TCP = a single port x (between 1025 and 32000)
→ UDP = a single port y (between 1025 and 32000)

External/Wan IP = your router’s external IP (if you use a normal dsl modem leave it blank)

Now you are ready to configure CPF. Go to the “Network Monitor” panel.
There you should right-click and choose “Add rule”->“add”;
in the new window that appears you should put the following rules:

  1. Rule for TCP protocol

Action = Allow
Protocol = TCP
Direction = In
Source IP = Any
Destination IP = your computer’s internal IP address (you can also use “Any” if you are using a modem and not a router; by this you won’t have to change the IP address every time you connect to the internet)
Source port = Any
Destination port = x (same with the TCP port used at DC++)

  2. Rule for UDP protocol

Action = Allow
Protocol = UDP
Direction = In
Source IP = Any
Destination IP = your computer’s internal IP address (or “Any”)
Source port = Any
Destination port = y (same with the UDP port used at DC++)

Then move these rules up, above the default “block IP in” rule. Now DC++ and similar direct connect clients will connect without any problems.

IMPORTANT
you will have to disable the UPnP option from the program you use if you want this guide to work properly. If you don’t disable it you will have NAT problems.

DC++ by vladas_It

I use Apex DC++ 1.0.0B2 http://www.apexdc.net/ together with Comodo personal firewall 2.4

I spent several hours, trying to figure out why search doesn’t work. It worked only when I switched it to passive mode in Advanced Apex DC++ settings (“Always use passive mode for search”).

But I found the configuration which works for me. I used tutorial https://forums.comodo.com/index.php/topic,6167.msg45504.html#msg45504 (Mod’s Note: just thought I’d leave this here for grins…)

Apex DC++ Connections settings:

  1. Firewall with manual IP forwarding
  2. TCP port x
  3. UDP port y (differs from x)
  4. External/Wan IP blank
  5. Checkbox “Don’t allow hub/UPnP to override” unchecked.
  6. Checkbox “Update IP on startup” unchecked.

Comodo firewall settings:
Network monitor rules: Mod’s note: These are the same as pandlouk’s above…

Application monitor:
Application ApexDC.exe

10. TCP or UDP In
Action = Allow
Protocol = TCP or UDP
Direction = In
Source IP = Any
Destination IP = Any
Source port = Any
Destination port = Any

11. TCP or UDP Out
Action = Allow
Protocol = TCP or UDP
Direction = Out
Source IP = Any
Destination IP = Any
Source port = Any
Destination port = Any

12. IMPORTANT. Switch off advanced security checks for ApexDC++ in the “Miscellaneous” section of the Application rule. Without this change search doesn’t work: the firewall blocks search results as a UDP flood. Check this in the Activity logs.
    Checkbox “Skip advanced security checks” is checked.

13. Restart ApexDC++
Moderator’s Note: Although virtually identical to the previous tutorial, it is included as there is some additional information as well; the identical stuff has been dropped.

You will note that these are all very similar; thus, they may be easily modified to fit the specific application you are using, such as Bearshare, BitTornado, etc.

ActiveSync Network Rules. by egemen.

It seems activeSYNC needs some local ports (5721/990) to be allowed.

What you need to do is:

1- Go to “Security->Network Monitor”,
2- Right click on the first rule (Rule ID = 0)
3- Select Add Rule->Add Before
4- Action “Allow”, Protocol “TCP”, Direction “In”
5- Source IP : “Single IP” = “169.254.2.1”,
6- Remote IP : “Any”
7- Source Port : “Any”
8- Remote Port : “Any”
9- Click Ok button.

Now your first network control rule must be : Allow TCP IN FROM IP 169.254.2.1 to IP ANY WHERE SOURCE PORT IS ANY AND REMOTE PORT IS ANY

This should solve your ActiveSYNC problem. If not, please paste your logs and a screenshot of the network control rules screen again.

Editor’s Note: The “Source IP” above is shown as a specific IP; this will be the IP address that your PDA/Palm/etc uses.

ActiveSync Network Rules. By pandlouk.

For activesync create a new rule in the “Network Monitor” of CPF:

Action = Allow
Protocol = TCP
Direction = In
Source IP = Your trusted Zone (if it does not work use “Any”)
Remote IP = Any
Source port = Any
Remote port = “A set of ports” = 990,999,5678,5721,26675

and move it over the “block” rules.

for more information visit
http://www.microsoft.com/windowsmobile/help/activesync/default.mspx

Virtual Private Network (VPN). By m0ng0d

There is a default setting on the MS VPN connections to put all internet traffic through the VPN… which is why you feel your internet connection stopped working… unless changed, all traffic flows through the VPN, which you do not have rules set to enable traffic through yet (I imagine).

Although I have not yet tried to setup my VPN connection to my new office… I can imagine that you would need to:
A) Setup a new Zone for the IP address range of the network you are VPN’ing to
B) duplicate a set of network rules (from your current Home Network) for your new “Office” Zone

This of course also assumes that your IP range and your “office” IP range are not the same (i.e. 192.168.1.X)… if that is not the case, you may be using an IP address already in use, and that will kill your hopes of a connection.

EDIT
I just checked this FAQ section and found another user did something very similar to what I’ve suggested to get his VPN to work… https://forums.comodo.com/index.php/topic,806.0.html

Windows Media Connect. By pandlouk.

A mini tutorial on how to open ports for Windows Media Connect
First you must go to the “Network Monitor” panel.
There you should right-click and choose “Add rule”->“add”;
in the new window that appears you should put the following 2 rules:

  1. Rule for TCP protocol

Action = Allow
Protocol = TCP
Direction = In
Source IP = Any
Remote IP = your IP address (you can also use “Any” if you are using a modem and not a router; by this you won’t have to change the IP address every time you connect to the internet)
Source port = Any
Remote port = “A set of ports” = 2869,10243

  2. Rule for UDP protocol

Action = Allow
Protocol = UDP
Direction = In
Source IP = Any
Remote IP = your IP address (or “Any”)
Source port = Any
Remote port = “A set of ports” = 1900,10280,10281,10282,10283,10284

PS. After creating the rules remember to move them up, over the default rule “Block IP in”.

Windows Media Encoder. By pandlouk

You are welcome.

You need to create the following rule:

Action = Allow
Protocol = TCP
Direction = In
Source IP = Any
Remote IP = your computer’s IP address (you can also use “Any” if you are using a modem and not a router; by this you won’t have to change the IP address every time you connect to the internet)
Source port = Any
Remote port = 8090

Then move the rule up, over the default rule “Block IP in”. (CPF “reads/applies” the rules from the top to the bottom)

give it a try and tell me if it worked

PS. For CPF “Source IP” is the address of the computer which sends the data and “Remote IP” is the computer that receives them. When your computer sends data it is considered the Source; when it receives them it is considered the Remote.

Proxy settings/setup. By panic.

This is a long one, but please read through this completely to make sure you understand the overall process.

To make sure my reply makes sense, we’ll make the following assumptions;

  1. The IP address of the first NIC in the desktop is dedicated to your internet connection
  2. The IP address of the second NIC in the desktop is 192.168.1.1
  3. The IP address of the NIC in the laptop is 192.168.1.2
  4. Your LAN is correctly established through the idiot-sourced switch
  5. You have correctly set up proxy / internet sharing software for the 192.168.X.X subnet
  6. CPF has been installed on the laptop
  7. Your internet connection is not active until CPF is installed and configured on the desktop

If these assumptions are correct, you should do the following;

  1. INSTALL CPF ON THE DESKTOP! Do you only have a lock on your back door?
  2. Configure CPF on the desktop first, as it is the entry/exit point to the internet
  3. Configure CPF on the laptop
  4. Activate the internet connection on the desktop
  5. Test internet connection from the desktop
  6. Test internet connection from the laptop
  7. Continue testing to make sure the connection doesn’t drop out

Once CPF is installed on the desktop, the first thing you should do is to use the Zone Wizard to define the zone that is your LAN.

The zone wizard will detect the two network cards in your desktop. MAKE SURE that you define the zone that applies to the NIC that is connected to your LAN (192.168.1.1) and not the one that is connected to the internet.

STEP 1
You should define the start address of the zone as 192.168.1.1 and the end address of the zone as 192.168.1.255. This will allow you to add computers to your LAN, without having to change the zone settings. You should give this zone a meaningful name, like Home LAN, so it is readily identifiable in any rules you manually create that use it.

STEP 2
The next step is to add this zone as a trusted zone. This will create network monitor rules that will allow traffic across the machines that make up your LAN.

You can check what rules have been created in the Network Monitor section of CPF.

STEP 1 and STEP 2 should now be repeated on the laptop. Please note that on the laptop, it should only find a single NIC with an address of 192.168.1.2 and this is the NIC that will be used as the basis of LAN zone. You can give the zone on the laptop the same name, as the zone names are local to the machine CPF is running on. The default rules created by the wizard allow for all ports outbound on the local LAN, so the port designation for the proxy shouldn’t matter.

You should now test things like access to shared folders and network printing (assuming that these are set up, of course).

If these work correctly, activate the internet connection on the desktop PC and test connectivity.

You should receive popups from CPF as each new application attempts to access the outside network (internet).

If everything is hunky-dory on the desktop, repeat the internet tests on the laptop. You will get the popups again, as CPF is local to the machine it is running on - it’s a PERSONAL firewall, not a LAN firewall, after all.

Keep both PCs running to test the connectivity problem. If the internet connection drops out on the laptop, the first thing that should be done is to check whether the internet is still connected on the desktop, as the laptop’s internet connection is merely an extension of the desktop PC’s internet connection.

If it is still running on the desktop and not on the laptop, AND the configuration of CPF is identical on both machines, logically there is always the chance that it’s the proxy software stopping access and not the firewall. I’m not saying that CPF can’t be at fault, but the proxy software is another link in the chain and must be examined.

To test the theory, you could install the internet connection and the proxy on the laptop and then reverse the configuration so the desktop is connecting via the laptop. If the same failed condition is reached with the laptop still working and the desktop now stopped, the proxy software is still the common element and the CPF configuration can reasonably be ruled out. Not entirely, but reasonably.

Please go through the FAQs on setting up the network rules and the rules for specific applications. There are some really good hints ‘n’ tips in there, and they’ve been created by CPF users based on real world problems.

As previously stated, the proxy should be absolutely immaterial to the firewall on the laptop. CPF is only concerned with the validity and legitimacy of the inbound and outbound connections on the machine it’s running on.

I realise that this is a LOOOONG posting, but it is in your best interests to get your head around the basic concepts of how CPF, and a personal firewall in general, works.

mIRC tutorial. by pandlouk.

A mini tutorial on how to open ports for mirc.

First thing you must configure your mirc client:
Go to “tools” → “options” in mirc.
In the new tab that appears select “connect” → “options”
There under the box “default port = 6667” is an “Advanced” feature; select it.

Now you should see a smaller window named “Advanced” - “port range for connections”. This is the important part; here you will say which ports mirc should use for downloading/uploading:
Ports: “First” = X (the first port you intend to use)
“Last” = Y (the last port you intend to use)
Leave “Randomize ports” unchecked
If you are behind a router you must check “Bind sockets to IP address” and in that box you must put your router’s external IP

PS. You can use the same port for X and Y if you want to use only one port (10 ports should be more than enough)
Examples: X = 2050 and Y = 2050 for one port
X = 2050 and Y = 2060 for ten ports

Now you are ready to configure CPF. Go to the “Network Monitor” panel.
There you should right-click and choose “Add rule”->“add”;
in the new window that appears you should put the following rule:

Rule for TCP/UDP protocol (DC++ downloads)

Action = Allow
Protocol = TCP/UDP
Direction = In
Source IP = Any
Remote IP = your computer’s internal IP address (you can also use “Any” if you are using a modem and not a router; by this you won’t have to change the IP address every time you connect to the internet)
Source port = Any
Remote port = “a single port”= X (if X=Y) (same with the port used at mirc)
or
Remote port = “A port range” = “Start Port” = X
“End Port” = Y (same with the ports used at mirc)

Then move this rule up, above the default “block IP in” rule.

Nintendo WiFi tutorial. By Justin1278.

This is a tutorial on how to configure Comodo Firewall so it will allow you to connect to Nintendo Wifi.

Please follow the below steps, if you are confused or something is not accurate please feel free to PM me.

  1. Go to Network Monitor and create a new rule.
  2. Make the Protocol TCP and the Direction In
    2a. Go to Destination Port and add the following ports 80,443,28910, 29900, 29901, 29920
  3. Click Ok
  4. Move that rule all the way to the top (ID 0)
  5. Click Add to create a new rule.
    5a. Make the Protocol UDP and the Direction In
  6. Click Ok and move this rule to the top (ID 0)
    6b. NOTE: This will force the TCP In Rule to go to ID 1
  7. Then move the rule TCP/UDP Out to ID 2 (if you do not have that rule then continue to steps 8-9)
    7a. You now have Nintendo Wifi capability, but to be secure whenever you are not using Nintendo Wifi I recommend that you edit the UDP In Rule’s direction to Block, and when you are playing on Wifi edit the UDP In Rule’s direction to Allow. You’re all set, go have fun!

Continued
  8. Create a TCP/UDP Out Rule
  9. Set it to ID 2

XBox Live tutorial. By pandlouk.

Xbox 360 Live Tutorial

If you use your PC as a gateway for Xbox 360 and want to connect to Xbox Live follow these instructions:

First define your trusted zone. To do this go to “Security” -> “Define a New Trusted Network”

Then create a network rule. Go to “Network Monitor”, select “Add rule” and create the following rules:

Rule 1:

Action = Allow
Protocol = UDP
Direction = In
Source IP = Any
Destination IP = Any
Source port = Any
Destination port = 88

Rule 2:

Action = Allow
Protocol = TCP or UDP
Direction = In
Source IP = Any
Destination IP = Any
Source port = Any
Destination port = 3074

After that move those two rules up, above the default “Block” rule

Explanation of CFP’s layered rules. By Little Mac

Comodo’s firewall has a layered rules approach to security, which has a tendency to cause confusion with users unfamiliar with this approach. Network Rules are new to many people, as most firewalls don’t seem to have separate rules. If an application is allowed, it’s allowed, period. Turns out, most firewalls have a much lower level of security than CPF… ;D

Here’s a little explanation of how CPF rules work:

Everything communicates in the context of the Network Rules. The Network Rules filter from the top down; if traffic is not explicitly allowed In or Out, it will be stopped by the bottom block rule (meaning, there has to be a rule prior to the bottom block rule, that specifically addresses the type of traffic, in order for it to be allowed). On the inverse side, traffic is blocked either explicitly or implicitly (meaning, a “block” rule will specifically mention a type of traffic - explicit, or it will be blocked because it hasn’t been specifically allowed - implicit).

Example: Let’s say you do not have a Net Rule to allow IGMP (multicast) protocol traffic (this is true with the default rules). Windows Messenger tries to use IGMP to access the net. CPF filters through the rules, but cannot find IGMP explicitly allowed; thus, it is implicitly blocked by the “Block Any” rule at the bottom. Let’s say you wanted to easily identify IGMP traffic, so you create a Block & Log IGMP rule above the bottom rule. Now CPF will explicitly block IGMP traffic.

This brings us to the next area - Application Rules. The Application Monitor contains Applications which are allowed (or blocked) from connecting. Even if we allow an Application to connect, it does so within the context of the Network Rules. So, to use our Messenger example from above, we may allow Messenger within the App Monitor. Then, it tries to use IGMP protocol, which is not allowed by our Network Rules. The connection will be blocked. Even though Messenger is allowed, IGMP is not. Another aspect of the App Rules is that Comodo allows you to identify a “Parent” application; such as your browser using explorer.exe as its Parent; kind of like your browser using another core application to actually connect with. Thus, you may need multiple rules for one application. For example, Firefox (as a browser) may have a rule with firefox.exe as both Application and Parent; it may have a second rule with firefox.exe as the App and explorer.exe as the Parent. If you click a link within your email, the email client will become the Parent to the browser.

Next we have Application Behavior Analysis. This can be found under Security/Advanced, and is also known as ABA (gotta love those initials…). This module monitors various types of activities that are carried out somewhat “behind the scenes” by applications, and in some cases, their components. A number of these activities will create alerts only if both applications are not in the encrypted Safelist (provided the user has the Safelist enabled, which it is by default). These (such as the COM/OLE Automation) are perfectly normal, and occur because of the way applications communicate internally. While considered safe if both applications are known to the user, CFP does not differentiate (aside from the Safelist) between good or bad applications (i.e., malware), and these types of activities may be exploited by malware in an attempt to access the internet. Thus, if both applications are known, it is considered safe to Allow; if either (or both) are not known, further investigation may be required. If you Deny or Allow without checking “Remember” the response is set for that session only; if Remember is checked, a rule will be created. Generally after a single Deny (this will result in the connected application, such as your browser, being denied internet access), closing and reopening one or both applications will suffice to restore connectivity; in some cases a reboot is more effective.

Final area - Component Monitor. Component Monitor loads all “components” - .dll and .api files, etc that are used by an Application, and verifies their authenticity and relationship to the application. These components are not what is connecting to the net; when they are marked as “allowed” it is so that the application can use them as it connects to the net. Sometimes these components are shared resources between different applications. If an application updates, it may cause this “library” of components to change, and cause a popup alert (whereby you can view and approve these components directly). It is generally considered best to leave the Component Monitor set to Learn after install, for several weeks; or until the majority (if not all) internet-connecting programs have been run with available modules/plugins, etc, so that popups are minimized. Once it has been set to “On” popups will be generated for each new/changed component.

Application Behavior Analysis and Component Monitor combined form the Advanced Security Analysis Monitor, which is truly the final state in our filtering/layering scenario. The flow of traffic through these layers of security can briefly be described as follows:

  • Incoming Connections

1- Network monitor applies filtering; if successful it passes to application monitor
2- Application monitor checks the target application, if allowed it passes to
3- Advanced security analysis monitor

If these 3 steps are passed, the application receives the connection.

  • Outgoing connections

The order changes :

1- Application monitor
2- Advanced security monitor
3- Network monitor

This last section is taken from Egemen’s post here: https://forums.comodo.com/index.php/topic,725.msg4663.html#msg4663

Default Network Rules (created by “Automatic” installation). By pandlouk.

Here are the rules that are automatically created by CFP during the installation.

Rule #0
Action = Allow
Protocol = TCP or UDP
Direction = Out
Source IP = Any
Destination IP = Any
Source Port = Any
Destination Port = Any

Rule #1
Action = Allow
Protocol = ICMP
Direction = Out
Source IP = Any
Destination IP = Any
ICMP Details = ICMP Echo Request

Rule #2
Action = Allow
Protocol = ICMP
Direction = In
Source IP = Any
Destination IP = Any
ICMP Details = ICMP Fragmentation Needed

Rule #3
Action = Allow
Protocol = ICMP
Direction = In
Source IP = Any
Destination IP = Any
ICMP Details = ICMP Time Exceeded

Rule #4
Action = Allow
Protocol = IP
Direction = Out
Source IP = Any
Destination IP = Any
IP Details = GRE

Rule #5
Action = Block (create an alert if this rule is fired)
Protocol = IP
Direction = In/Out
Source IP = Any
Destination IP = Any
IP Details = Any

Interpreting Default Rules By Little Mac

ID 0 Allows your computer to connect Outbound, as explained by m0ng0d
ID 1 Allows your computer to use Ping utilities Outbound (ping, traceroute, etc)
ID 2 Will Allow a message from the user’s router to the computer that fragmentation is needed on an IP datagram; it is a subset of a Destination Unreachable message
ID 3 Will Allow a message from the user’s router that an IP datagram was discarded due to it taking too long to reach destination or to be recompiled if fragmented; commonly used by traceroute to identify gateways
ID 4 Generic Routing Encapsulation has to do with IP tunneling and Virtual Private Networks; this rule Allows the computer Outbound connection using this protocol.
ID 5 This is your safety net; it must remain in the lowest/last position. It will Block all traffic (whether In or Out) that has not previously been explicitly or implicitly Allowed. If you add any rules below this rule, they will be blocked.
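The top-down, first-match filtering described in the layered-rules post and the default rule list above, as an added Python model (not Comodo’s code and not any tutorial author’s): it replays the IGMP example (implicit block by the bottom rule, then an explicit Block & Log rule), shows why a rule added below ID 5 never fires, and where the port-opening and IP-blocking rules of the later sections must sit. The Packet/Rule field names and all IP addresses are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple, Union

ANY = "Any"
PortSpec = Union[str, int, Tuple[int, int]]   # ANY, a single port, or (start, end)

@dataclass(frozen=True)
class Packet:
    """One packet as the Network Monitor sees it (constructed sample, not real traffic)."""
    protocol: str                 # "TCP", "UDP", "ICMP", "IGMP", "GRE", ...
    direction: str                # "In" or "Out"
    src_ip: str = "198.51.100.7"  # placeholder remote host
    dst_ip: str = "192.168.0.12"  # placeholder local host
    dst_port: Optional[int] = None
    detail: str = ANY             # ICMP message type, e.g. "ICMP Echo Request"

@dataclass(frozen=True)
class Rule:
    """A Network Monitor rule with the fields the tutorials list."""
    action: str                   # "Allow" or "Block"
    protocol: str                 # "TCP", "UDP", "TCP/UDP", "ICMP" or "IP" (any IP protocol)
    direction: str                # "In", "Out" or "In/Out"
    src_ip: str = ANY
    dst_ip: str = ANY
    dst_port: PortSpec = ANY
    detail: str = ANY             # "ICMP Details" or "IP Details" (e.g. "GRE")
    log: bool = False

    def is_catch_all(self) -> bool:
        """True for the bottom 'Block IP In/Out Any' safety-net rule."""
        return (self.protocol == "IP" and self.direction == "In/Out"
                and self.src_ip == ANY and self.dst_ip == ANY and self.detail == ANY)

    def matches(self, pkt: Packet) -> bool:
        if self.protocol == "IP":
            # An "IP" rule covers every IP protocol; "IP Details" narrows it to one.
            if self.detail != ANY and pkt.protocol != self.detail:
                return False
        elif pkt.protocol not in self.protocol.split("/"):
            return False
        elif self.detail != ANY and pkt.detail != self.detail:
            return False
        if self.direction != "In/Out" and pkt.direction != self.direction:
            return False
        if self.src_ip != ANY and pkt.src_ip != self.src_ip:
            return False
        if self.dst_ip != ANY and pkt.dst_ip != self.dst_ip:
            return False
        if self.dst_port != ANY:
            if pkt.dst_port is None:
                return False
            lo, hi = self.dst_port if isinstance(self.dst_port, tuple) else (self.dst_port,) * 2
            if not lo <= pkt.dst_port <= hi:
                return False
        return True

# The six rules the "Automatic" installation creates, in list order (ID 0 at the top).
DEFAULT_RULES = [
    Rule("Allow", "TCP/UDP", "Out"),
    Rule("Allow", "ICMP", "Out", detail="ICMP Echo Request"),
    Rule("Allow", "ICMP", "In", detail="ICMP Fragmentation Needed"),
    Rule("Allow", "ICMP", "In", detail="ICMP Time Exceeded"),
    Rule("Allow", "IP", "Out", detail="GRE"),
    Rule("Block", "IP", "In/Out", log=True),
]

def evaluate(rules, pkt):
    """Filter top-down, first match wins. Returns (action, rule_id, kind), where kind
    is "explicit" if a rule naming the traffic fired and "implicit" if only the
    bottom catch-all block caught it."""
    for rule_id, rule in enumerate(rules):
        if rule.matches(pkt):
            implicit = rule.action == "Block" and rule.is_catch_all()
            return rule.action, rule_id, "implicit" if implicit else "explicit"
    return "Block", None, "implicit"   # no catch-all present: nothing allowed it

def add_above_block(rules, new_rule):
    """Copy of rules with new_rule inserted just above the bottom catch-all block;
    a rule placed below that block is never reached, as the tutorials warn."""
    rules = list(rules)
    rules.insert(next(i for i, r in enumerate(rules) if r.is_catch_all()), new_rule)
    return rules
```

Feeding the same packet through `DEFAULT_RULES` and through a copy with an extra rule appended after ID 5 gives the same implicit block, which is the mistake the "move it above the block rule" instructions prevent.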

Using individual IP addresses. By pandlouk.

Instead of using the secure zone you can create copies of rules for individual IPs. This is highly recommended for users with wifi networks.
For example:
If you have a network with 1 router (IP = x.x.x.1) and 3 PCs (IP pc1 = x.x.x.12, IP pc2 = x.x.x.120, pc3 = y.y.y.15) you should create the following rules (in the example we configure CFP on pc1):

Rule #0
Action = Allow
Protocol = IP
Direction = Out
Source IP = pc1
Destination IP = router
IP details = Any

Rule #1
Action = Allow
Protocol = IP
Direction = In
Source IP = router
Destination IP = pc1
IP details = Any

Rule #3
Action = Allow
Protocol = IP
Direction = Out
Source IP = pc1
Destination IP = pc2
IP details = Any

Rule #4
Action = Allow
Protocol = IP
Direction = In
Source IP = pc2
Destination IP = pc1
IP details = Any

Rule #5
Action = Allow
Protocol = IP
Direction = Out
Source IP = pc1
Destination IP = pc3
IP details = Any

Rule #6
Action = Allow
Protocol = IP
Direction = In
Source IP = pc3
Destination IP = pc1
IP details = Any

Rule #7 (serves for finding the other 2 pcs by searching their name)
Action = Allow
Protocol = UDP
Direction = In
Source IP = broadcast address of the router
Destination IP = pc1
Source Port = Any
Destination Port = Any

ps. To find the broadcast address of the router you can use:

  1. A simple subnet calculator like this one http://net.apollo.lv/subnet.php
  2. or Advanced Subnet Calculator, a free program that is a little more difficult to understand. http://www.softpedia.com/get/Network-Tools/Misc-Networking-Tools/Advanced-Subnet-Calculator.shtml

Filesharing/p2p. By pandlouk. (original post: https://forums.comodo.com/index.php/topic,5340.msg39469.html#msg39469)

There are programs that need to accept incoming connections to function properly. Classic examples are filesharing applications like eMule, Azureus, uTorrent, etc.

Let’s use eMule and Azureus as examples:

For Emule

  1. Rule for TCP protocol

Action = Allow
Protocol = TCP
Direction = In
Source IP = Any
Destination IP = Any
Source port = Any
Destination port = TCP port of emule

  2. Rule for UDP protocol

Action = Allow
Protocol = UDP
Direction = In
Source IP = Any
Destination IP = Any
Source port = Any
Destination port = UDP port of emule

For Azureus

Rule for TCP/UDP protocol
Action = Allow
Protocol = TCP or UDP
Direction = In
Source IP = Any
Destination IP = Any
Source port = Any
Destination port = TCP/UDP port of azureus

You should move these rules over the default Block IP IN/OUT

Blocking Rules. By pandlouk.

Since CFP has stateful inspection of the packets there are two rules for blocking IPs; 1 for blocking outgoing connections and 1 for blocking incoming connections.

1. Blocking outgoing connections
(this rule will prevent your computer from initiating a connection with a banned IP)

Action = Block
Protocol = TCP or UDP
Direction = Out
Source IP = Any
Destination IP = The IP you want to block
Source port = Any
Destination port = Any

2. Blocking incoming connections
(this rule will prevent a banned IP from initiating a connection with your computer)

Action = Block
Protocol = TCP or UDP
Direction = In
Source IP = The IP you want to block
Destination IP = Any
Source port = Any
Destination port = Any

You should move these rules above all the other rules for them to work properly

ps. If you want to ban someone in p2p you will need the second rule.
If you want to prevent any communication with a banned IP both rules are needed

Blocking websites by URL. By panic.

I just did a quick test and you can block a site by name.

The rule parameters are as follows;

Action : Block
Direction : In/Out
Source : Your LAN Zone or individual IP
Remote - Host : www.something_or_other.com
Protocol : Any

To make this rule work, I had to move it ABOVE the default ALLOW-IN-ZONE-ANY-ANY rule. If it was below this rule in the list the named site would not be blocked because it would be a valid response to an originating request. If the BLOCK rule is moved above the default rule, only the named site is blocked, other sites can still be accessed.

Tightening Firewall Rules by p2u

I solved my COMODO configuration problems as follows:
I’m on cable with D-Link FastEthernet Adapter, so I don’t need DHCP. I also disabled Windows DNS Client service (every application makes a DNS query itself and only my two ISP’s DNS servers are allowed as Destination addresses) + I also disabled a whole bunch of other useless services to such an extent, that svchost asks only access for Windows Update.

COMODO Network Monitor rules:

  1. Allow TCP or UDP In or Out from NAME: paul (10.21.xx.xxx) to NAME: localhost (127.0.0.1) where source port is [Any] and destination port is [any]. (Loopback rule)

  2. Allow and log UDP Out from NAME: paul (10.21.xx.xxx) to IP RANGE: xx.xxx.1.1 - xx.xxx.1.2 where source port is 1024-4999 and destination port is 53
    (DNS rule for my 2 ISP DNS servers only)

  3. Allow and log TCP Out from NAME: paul (10.21.xx.xxx) to [Any] where source port is 1024-4999 and destination port is IN [21,80,443]

  4. Allow and log TCP Out from NAME: paul (10.21.xx.xxx) to [forum.kaspersky.com] 212.5.80.45 where source port is 1024-4999 and destination port is 90

  5. Allow and log TCP Out from NAME: paul (10.21.xx.xxx) to [news.grc.com] 4.79.142.203 where source port is 1024-4999 and destination port is 119

  6. Allow and log TCP Out from NAME: paul (10.21.xx.xxx) to [RANGE] 64.12.0.0 - 64.12.255.255 where source port is 1024-4999 and destination port is 5190

  7. Allow and log TCP Out from NAME: paul (10.21.xx.xxx) to [RANGE] 205.188.0.0 - 205.188.255.255 where source port is 1024-4999 and destination port is 5190

  8. Allow and log TCP Out from NAME: paul (10.21.xx.xxx) to [audio-mp3.ibiblio.org] 152.46.7.128 where source port is 1024-4999 and destination port is 8000

  9. Allow and log TCP Out from NAME: paul (10.21.xx.xxx) to [us.drweb.com] 209.160.33.73 where source port is 1024-4999 and destination port is 64000-65535

  10. Allow and log TCP Out from NAME: paul (10.21.xx.xxx) to 81.176.67.170 - 81.176.67.172 where source port is 1024-4999 and destination port is 64000-65535

  11. Allow and log TCP Out from NAME: paul (10.21.xx.xxx) to [msk1.drweb.com] 192.168.255.255 where source port is 1024-4999 and destination port is 64000-65535

  12. Allow and log TCP Out from NAME: paul (10.21.xx.xxx) to [msk4.drweb.com] 83.102.130.174 - 83.102.130.178 where source port is 1024-4999 and destination port is 64000-65535

  13. Allow and log ICMP Out from NAME: paul (10.21.xx.xxx) to IP [Any] where ICMP message is ECHO REQUEST.

  14. Block and log TCP/UDP In or Out from IP [Any] to IP [Any] where source port is [Any] and destination port is [Any].

  15. Block and log ICMP In or Out from IP [Any] to IP [Any] where ICMP message is [Any].

  16. Block and log IP In or Out from IP [Any] to IP [Any] where IPProto is [Any].

With these rules, even if I allow something by accident on the Application level, it will be blocked (I saw it in the logs). I’m on a LAN that is highly untrusted. No Trusted Zones have been defined, not even localhost.

Of course, on Application level everything is set to very high security, I don’t consider safe what COMODO considers safe (no offense meant), and I don’t skip the loopback check. I think these are the maximum settings you can apply. Anything more is redundant and might even weaken the firewall’s protection strength. Of course, I have ‘Application Behaviour Analysis’ and ‘Component Monitor’ enabled (I can’t imagine security without them). ‘Enable Alerts’ is ‘On’. This only gives stress during the very first day when you have to set up all the rules for all applications…

Set and Forget Setup by Little Mac

If you want a “set and forget” firewall, here’s the basic “how to” ~

Install with Automatic - do not select the “Advanced” install (this requires manual configuration and will likely cause you headaches down the road). Note: Be sure to turn off/disable any Active/Real-Time security applications - antivirus, antispyware, HIPS, etc prior to installing or uninstalling, as they are likely to conflict and cause problems.

After reboot, Go to Security/Advanced/Miscellaneous, and move the Alert Frequency from Low to Very Low (this will make sure you only get one prompt per application); be sure to leave “Do not show alerts for applications certified by Comodo” checked. Then go to Security/Tasks/Scan for Known Applications. Follow the prompts, reboot when finished.

If you are using MS’s Internet Connection Sharing (ICS - you have multiple “client” computers connected to the internet through one “host” computer), or if you are using File or Print Sharing behind a router, you will want to run the Network Wizard. Go to Security/Tasks/Create a Zone to set up a Zone to encompass your computers/printer, etc (wherever you need to share access); the defaults should work, although they’re a broad range. Then go to Security/Tasks/Define a New Trusted Network; use the Zone you’ve created. This will add two rules to the top of the Network Monitor, in positions Rule ID 0 & 1. One will Allow IP Out from Any to Zone, the next will Allow IP In from Zone to Any.

That should be all you need. Please don’t feel like you need to “tweak” the network rules if you don’t have a good grasp of how they work; since this defines how everything communicates.

If you have some specialized applications (games, p2p, etc), you may need some specific application and network rules. Other than that, probably no less than 90% of your stuff should run with no more than a popup. Any time you get a popup for an application that needs to connect, just click the box for “Remember” and then Allow (provided you want it to connect); this will create an Application Monitor rule for it, and you shouldn’t be bothered again unless something changes (see Application Behavior Analysis).

With Application Behavior Analysis turned on, you may get alerts about an application somehow interacting with another, even after one of those applications has been closed. This is normal, as it’s due to the way Windows operates. The general rule of thumb is that if you recognize both applications it is safe to Allow. It’s when you don’t know both apps that you should be concerned, and Deny (then start finding out what’s going on). If both applications are on Comodo’s safelist, you won’t see these alerts.

Note: By using Very Low for Alert Frequency, this decreases the level of detail for each popup and associated Application Rule to application-only. No Direction, Port, Protocol, or IP info is included. Thus, if you create a custom rule for an application to include any of this additional detail, it will be overwritten (or an additional rule created) the first time you respond to any popup concerning that application - such as if it updates. This new rule will be very general, where your previous was more specific. If you want to continue to use something more specific, you will have to edit the rule; once edited (until the next change), the FW should accept and utilize your details for that application.

Screenshots - Capturing and Posting by gordon

How to take a screenshot, upload it to a image-host &
post it on a Board ( like Comodo’s Forum )

Sometimes a picture says more than a thousand words. Screenshots can be a great
help when describing a problem with for example Your network-rules .

Taking the screenshot :

First : You should get a specialized program to take screenshots because
it is much more flexible than the built-in Windows " PrtScn " request
that only allows you to take a picture of the entire screen and by default uses
an inferior file-format. Using a screen-shot program you can control exactly what to
capture and the file-format ( quality ) to save it in.

I highly recommend the FREE program " FastStone Capture " available for
free legal download here : FastStone Screen Capture - The Best Screen Capture Software
Here is a screenshot showing You what it looks like :

http://img248.imageshack.us/img248/4420/fscapturescreenshotwi2.gif

You can change the default hotkeys, save-directory, file-format and other options
by clicking " Settings "

To take a screenshot of your network-rules, simply open " Network monitor "
so it is the active window and press " Shift + PrtScn " .
This will take the screenshot and open the image in " FastStone editor ", a basic image-editor.
Edit the image if You like, then save it ( to somewhere You can remember )
You should save in either “PNG” (best quality), “GIF” or “JPEG” (smaller file-size, acceptable quality)
if you want to post the image on a board .
Never use the " BMP " format for on-line display, most boards won’t show BMP .

Uploading your screenshot to a free image-hosting service :

An image-hosting service allows you to upload an image (or images) to a server
and generates a URL (address) for each image.
You then provide the URL in your forum-post and the image is displayed in your post.
Or You could give the URL to friends/family and they could see Your holiday-pics by entering the URL
in their browser… As you can see image-hosting can be used for many things …
There are many different free hosting-services to choose from, these are just a few of them :

http://www.thesighost.com/

You will need to register an account with most hosting-services.

Imageshack is quite easy to use, provides " clickable thumbnails " ,
has a tool-bar for IE-users and there is a great FireFox extension named " ImageBot "
https://addons.mozilla.org/firefox/1174/

Posting Your image :

Just write the post and insert ( copy&paste ) the URL for the image .
The URL’s are usually pre-formatted so You don’t need to click " insert image "
You can tell if the URL is pre-formatted by making sure it looks something like this :

urltoyourimage

Remember to use the " preview post " function that most boards offer .
If your image doesn’t show in the preview it’s usually because the formatting of the URL is wrong,
most common problem is missing the [image] bb-code or that it’s doubled …

Some boards may have rules for image-posting, always read the board-rules first !
Remember that images require bandwidth : Try to keep the file-size as small as possible
and image size at max. 640x480 or use clickable thumbnails for large images …

Attaching in Comodo Forums by Little Mac

Also, with Comodo’s forums, you are not limited to including the images in your post; you may attach the files to your post under Additional Options. In this way you don’t need web-hosting; you can do a direct upload to the forum.

Additional Options is shown in bold red text under the textbox of each post you do (see attached screenshot); when you click that, it will provide a box where you can browse to your locally-saved file; if you need to upload more than one, click the “(more attachments)” for each attachment (see 2nd screenshot).

Moderator’s Note: Please see original topic linked above for the posted screenshots; I didn’t think they needed to take up space twice…

Using MS Paint by Toggie

If you don’t wish to install an additional program to capture screen shots, you can easily use the PrintScreen function in Windows:

To capture the whole screen, simply press the PrintScrn button (just right of the F12 key)

This will create an image of everything on the entire screen. It then copies that image to the Windows clipboard.

Next, Go to the Start Menu/Run and type mspaint [press enter]
In mspaint, select Edit and then paste. (you can also use <ctrl + v>) You should see the image of your screen in the main window. At this point, you could edit the image, before saving.
Select the File menu, then ‘Save As’
Give the file a name and from the ‘Save as type’, choose PNG
You now have a screen capture.

To select only the active window using this method, press the key with PrintScrn.