Understand Firewall Settings for beginners

As this is a highly focussed series of questions and answers, I would ask other forum users not to post in this topic yet, until we have reached a logical conclusion. I ask this not to exclude other users, but to hopefully eliminate confusion and remain focussed on the original questions asked. Thanks in advance


To Panic

During a default installation, the proper rule sets are automatically created on the Application rules window and on the Global rules window. They are fine as long as you don’t play with them. If you are an inexperienced user with the Firewall and you want to understand what you are doing, you will want to experiment with different rules and you might encounter a similar situation: getting yourself locked out.


To follow this thread, a good understanding of the CIS user manual is required. So, if you did not read it, do it now; it will help you understand the technical definitions and the CIS setting configurations we will not explain here.


Intro:

As long as I used the default rules (see: Pics 1 and 2) in Application rules and Global rules + the default Trusted Zones, the connection to my LAN and the Internet was fine.

I have removed the Application rules under System, the Global rules, and My Trusted Zones, to see what would happen (you know, the old Pandora’s box syndrome) and to try editing new rules from scratch.

I could not connect to either my LAN or the Internet because I had to take some action (creating proper replacement rules), but I did not know which ones. Looking at the firewall Log (see: Pic 3), I set the firewall from Safe to Learn Mode.

A new rule was created (see: Pic 4):
“C:\WINDOWS\System32\svchost.exe Allow | ICMP | Out | Source: Any | Destination: Any | ICMP Detail: Any”, probably to supply the missing My Trusted Zone > System > My trusted Zones LAN1 rules I had deleted, and I could luckily restore my connection.

Followed by another rule:
Firewall Alert: System, Remote 192.168.56.255 - UDP, Port: nbdgram(138) - Application rules (output): System: Allow | UDP | Out | Source Address: Any | Destination Address: Any | Source Port: Any | Destination Port: Any.

Would I try to explain any of these rules, I could not!

So, here is what we will try to define:

A step-by-step method to remove automatically created rules, and to create new rules manually, either TRUSTING our Network Zones or NOT TRUSTING them (and of course, to understand these different rule sets along the way).
The CIS main modules we will use are:
A) My Trusted Zones
B) Application rules: System and Svchost.exe (rules)
C) Global rules: Zones (rules)


A few basic definition questions first:

a. Loopback Zone (automatically created in the Global Zone and System zone during installation): what is it and why do I need it? Loopback is my computer’s connection to itself, so why do I need to create a Zone for that?

b. When I select to Trust a Zone with the wizard, this zone will be present in the Global rules AND in the Application rules. If I decline the offer of the wizard, the Zones will only be present in the Global rules. What difference does that make? (please illustrate with 2 separate examples, so I can understand).

c. The Stealth My Port wizard applies different rules in Global rules, according to the selection. For example, if I choose “stealth my port to everyone”, 2 ICMP rules are created. If I run the wizard again but select My trusted network, a new rule set is created in ADDITION to the previous rule set. Do I have to delete the previous rules or keep them? Why are these 2 ICMP rules created the first time and not the second?

d. What is ICMP, when do I need it, and in what module? In other words, why could my computer not communicate until a new rule (see: Pic 4) was created? The way I understand ICMP is Ping. That’s not important.

e. Why does svchost.exe use UDP, and how can I know when UDP is needed vs. TCP or IP?


Let’s get started:

a. Step one (removal):
I remove: Application rules > System > My trusted network LAN1
I remove: Global rules > All trusted Zone (LAN/Loopback)
I remove: My Trusted Zones > All Zone (LAN/Loopback)

b. Step two (input):
Input: My Trusted Zones > New LAN Zone (for me 192.168.11.2/255.255.255.255)

From this point on assistance is needed from an expert:

Input: Do I need to define a Loopback Zone? That’s a question
Wizard: Stealth My Port Wizard: Define a new Trusted Network > I select LAN 1? That’s a question

[attachment deleted by admin]

Before we begin, I’d like to work with IP addresses that make sense to you, in the context of the examples you’ve quoted above.

Can you please post the following details;

  1. Private IP address of your router (NOT the internet facing address).
  2. IP address range of the PCs that make up your internal LAN

Cheers,
Ewen :slight_smile:

Router
192.168.11.1

PC1 to 4
192.168.11.2/255.255.255.0
192.168.11.3/255.255.255.0
192.168.11.4/255.255.255.0
192.168.11.5/255.255.255.0


Side note for further reference:

a. Web search about Log errors (see: Pic 3) returned the following:
68/UDP Bootstrap Protocol (BOOTP) Client; also used by Dynamic Host Configuration Protocol (DHCP)

Hey nomnex,

I’m still digesting your post and working out the best way to answer. I should be able to do more tonight on this one.

One small correction to your post.

b. Step two (input): Input: My Trusted Zones > New LAN Zone (for me 192.168.11.2/255.255.255.255)

If your router is 192.168.11.1 and your PCs are 192.168.11.2 - 192.168.11.5, then your netmasking is wrong, as it is set to allow all traffic on the 192.168.11.X subnet. To be as tight as possible, your netmask would need to be 255.255.255.250.

This might be a good time to discuss netmasks, before we trip over them later on.

What is a netmask?

A net mask is, funnily enough, a way of masking out some or all of a network. It helps in reducing the quantity of traffic travelling around all parts of the network and helps route traffic efficiently to the intended recipient (or the LAN segment the recipient is located on). A netmask is used by a filtering device (router, firewall etc.) to identify which portion of the IP address represents the network address and which portion represents the machine address.

To fully understand netmasks, you need to have a basic understanding of binary - a system of counting that only uses 0’s and 1’s. A comprehensive tutorial is beyond the scope of these forums (and this author ;)).

As an example, a figure of 255 (decimal) is expressed in binary as 11111111. This represents (starting at the left) : (1 X 128) + (1 X 64) + (1 X 32) + (1 X 16) + (1 X 8) + (1 X 4) + (1 X 2) + (1 X 1). In normal, everyday decimal notation this equates to 128 + 64 + 32 + 16 + 8 + 4 + 2 + 1 = 255.

A figure of 43 (decimal) is expressed in binary as 00101011 - (0 X 128) + (0 X 64) + (1 X 32) + (0 X 16) + (1 X 8) + (0 X 4) + (1 X 2) + (1 X 1). Again, in decimal this equates to 0 + 0 + 32 + 0 + 8 + 0 + 2 + 1 = 43.

What does all this have to do with netmasks?? Imagine we have a small LAN consisting of four PCs. Their IP addresses are 192.168.11.2 to 192.168.11.5. They are connected by a router whose address is 192.168.11.1. To set up a netmask that will restrict traffic to these 5 devices we have to map each of the upper and lower addresses to binary. The two resulting binary numbers are compared and where a figure does not change, this is represented by a 1. Where the figures do change they are represented by a 0. The resulting output is the derived netmask for the LAN devices.

IP ADDRESSES
Lower address = 192.168.11.1
Upper address = 192.168.11.5

BINARY EQUIVALENT
Lower address = 11000000.10101000.00001011.00000001
Upper address = 11000000.10101000.00001011.00000101

Derived netmask = 11111111.11111111.11111111.11111010

Netmask = 255.255.255.250

There. Clear as mud?? :wink:
You may never need to know this, but there is no such thing as bad knowledge, just knowledge badly applied.

Cheers,
Ewen :slight_smile:

Edit : IP addresses modified from 192.168.1.X to 192.168.11.X to accurately reflect the OP’s environment.
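An added example, not code from the thread, that works the posted range through the conventional contiguous form of a mask (a single leading run of 1 bits followed by 0 bits): it derives the smallest block containing 192.168.11.1 to 192.168.11.5, prints the dotted-binary form used in the post, and applies the bitwise AND test a zone uses to decide whether an address belongs to it, including the 192.168.56.255 broadcast address seen in the log rule quoted earlier in the thread.

```python
# Added example (not from the forum thread): derive a contiguous netmask that
# covers an address range, and show the AND-based membership test a firewall
# zone or router applies. Addresses are the ones posted in the thread.

def ip_to_int(ip: str) -> int:
    """'192.168.11.1' -> 32-bit integer."""
    a, b, c, d = (int(octet) for octet in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def int_to_ip(value: int) -> str:
    """32-bit integer -> dotted decimal."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_binary(ip: str) -> str:
    """Dotted binary notation as written in the post above."""
    value = ip_to_int(ip)
    return ".".join(format((value >> shift) & 0xFF, "08b") for shift in (24, 16, 8, 0))


def covering_block(lower: str, upper: str):
    """Shortest prefix (fewest leading 1 bits in the mask) whose single block
    contains both ends of the range. Returns (network, mask, prefix_len)."""
    lo, hi = ip_to_int(lower), ip_to_int(upper)
    prefix = 32
    while prefix > 0:
        mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
        if (lo & mask) == (hi & mask):
            break  # both ends share the same network bits: this prefix works
        prefix -= 1
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return int_to_ip(lo & mask), int_to_ip(mask), prefix


def in_zone(ip: str, network: str, mask: str) -> bool:
    """Zone membership: the address ANDed with the mask must equal the network."""
    return (ip_to_int(ip) & ip_to_int(mask)) == ip_to_int(network)


def zone_members(network: str, mask: str) -> list:
    """Every address the mask admits, including any the LAN does not use."""
    net, m = ip_to_int(network), ip_to_int(mask)
    host_bits = (~m) & 0xFFFFFFFF
    return [int_to_ip(net | h) for h in range(host_bits + 1)]


if __name__ == "__main__":
    network, mask, prefix = covering_block("192.168.11.1", "192.168.11.5")
    print(f"{network}/{prefix}  mask {mask}  ({to_binary(mask)})")
    for ip in ("192.168.11.3", "192.168.11.7", "192.168.56.255"):
        print(ip, "in zone" if in_zone(ip, network, mask) else "outside zone")
```

The block that covers five consecutive addresses necessarily admits eight, so the zone also includes unused addresses at the top of the block; listing `zone_members` makes that visible before the zone is trusted.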

And I will need some time to digest yours :wink:

A little precision until I get back to you: although on first reading the final IP part does not seem relevant in the mask calculation (did I stress on first reading?), the router is 192.168.11.1 (not 192.168.1.1) and the following computers are 192.168.11.2-5 (not 192.168.1.2 - 5), if that makes any difference.

My router only accepts preset masks (see: pic).

Edit : My previous response has been edited to address this inaccuracy.

[attachment deleted by admin]

I’ve covered loopbacks in your other topic about protocols and communications.

https://forums.comodo.com/firewall_help/understand_protocols_and_communication_rules_for_beginners-t39866.0.html

In a nutshell, yes, you will need to have a defined loopback zone. Either that, or be prepared to answer a far larger number of pop-ups. It is a valid internal connection.

Wizard: Stealth My Port Wizard: Define a new Trusted Network > I select LAN 1? That's a question

Providing you have defined LAN1 as being a range of 192.168.11.1 - 192.168.11.5 or, if using a netmask, 192.168.11.1/255.255.255.250, then yes, this would be the zone to select.

Hello,
I am totally new to the subject of Comodo firewall settings, and even reading the best tutorials is confusing me 88)

What does “Safety level Defense +” mean?
What does “Switch Installation Mode” mean?

Thanks in advance for your reply

What version of Comodo are you using?

“Safety level Defense+” is probably the same as “Defense+ Security Level”. I just checked your profile and see you are from France; I assume you are using the French interface and translating it to English.

The “Defense+ Security Level” determines how closely Defense+ will monitor your computer’s activity. The higher the slider is, the more it will alert you.

Switch to Installation Mode will put CIS in Installation Mode. What is Installation Mode?

When installing a program there will be lots of things happening. This will produce lots of alerts. To prevent these alerts, Installation Mode was made. In Installation Mode the installer will temporarily get a lot of rights to do things without giving alerts. After two minutes or so CIS will remind you it is in Installation Mode. When the installation is finished you can change back to the previous mode.

You can start Installation Mode from the main screen. Or when starting the installer program you can allow it to be “Installer or Updater” ( I don’t let CIS remember this). I always use the last option. I sometimes switch back from Installation Mode in the main screen.

Let us know if this is clear enough and if you have any more questions.

Hi Eric

A huge thanks for your reply (even if it was difficult to find; I’m not used to having this kind of structure, and even the dumbest task is not intuitive for me).

I have v. 3, so not the 2nd one.

I’ll read your answer with a rested brain…