Understanding how Comodo Firewall Rules work

Comodo’s firewall has a layered rules approach to security, which has a tendency to cause confusion with users unfamiliar with this approach. Network Rules are new to many people, as most firewalls don’t seem to have separate rules. If an application is allowed, it’s allowed, period. Turns out, most firewalls have a much lower level of security than CPF… ;D

Here’s a little explanation of how CPF rules work:

Everything communicates in the context of the Network Rules. The Network Rules filter from the top down; if traffic is not explicitly allowed In or Out, it will be stopped by the bottom block rule (meaning, there has to be a rule prior to the bottom block rule, that specifically addresses the type of traffic, in order for it to be allowed). On the inverse side, traffic is blocked either explicitly or implicitly (meaning, a “block” rule will specifically mention a type of traffic - explicit, or it will be blocked because it hasn’t been specifically allowed - implicit).

Example: Let’s say you do not have a Net Rule to allow IGMP (multicast) protocol traffic (this is true with the default rules). Windows Messenger tries to use IGMP to access the net. CPF filters through the rules, but cannot find IGMP explicitly allowed; thus, it is implicitly blocked by the “Block Any” rule at the bottom. Let’s say you wanted to easily identify IGMP traffic, so you create a Block & Log IGMP rule above the bottom rule. Now CPF will explicitly block IGMP traffic.

This brings us to the next area - Application Rules. The Application Monitor contains Applications which are allowed (or blocked) from connecting. Even if we allow an Application to connect, it does so within the context of the Network Rules. So, to use our Messenger example from above, we may allow Messenger within the App Monitor. Then, it tries to use IGMP protocol, which is not allowed by our Network Rules. The connection will be blocked. Even though Messenger is allowed, IGMP is not. Another aspect of the App Rules is that Comodo allows you to identify a “Parent” application; such as your browser using explorer.exe as its Parent; kind of like your browser using another core application to actually connect with. Thus, you may need multiple rules for one application. For example, Firefox (as a browser) may have a rule with firefox.exe as both Application and Parent; it may have a second rule with firefox.exe as the App and explorer.exe as the Parent. If you click a link within your email, the email client will become the Parent to the browser.

Next we have Application Behavior Analysis. This can be found under Security/Advanced, and is also known as ABA (gotta love those initials…). This module monitors various types of activities that are carried out somewhat “behind the scenes” by applications, and in some cases, their components. A number of these activities will create alerts only if both applications are not in the encrypted Safelist (provided the user has the Safelist enabled, which it is by default). These (such as the COM/OLE Automation) are perfectly normal, and occur because of the way applications communicate internally. While considered safe if both applications are known to the user, CFP does not differentiate (aside from the Safelist) between good or bad applications (i.e., malware), and these types of activities may be exploited by malware in an attempt to access the internet. Thus, if both applications are known, it is considered safe to Allow; if either (or both) are not known, further investigation may be required. If you Deny or Allow without checking “Remember” the response is set for that session only; if Remember is checked, a rule will be created. Generally after a single Deny (this will result in the connected application, such as your browser, being denied internet access), closing and reopening one or both applications will suffice to restore connectivity; in some cases a reboot is more effective.

Final area - Component Monitor. Component Monitor loads all “components” - .dll and .api files, etc. that are used by an Application, and verifies their authenticity and relationship to the application. These components are not what is connecting to the net; when they are marked as “allowed” it is so that the application can use them as it connects to the net. Sometimes these components are shared resources between different applications. If an application updates, it may cause this “library” of components to change, and cause a popup alert (whereby you can view and approve these components directly). It is generally considered best to leave the Component Monitor set to Learn after install, for several weeks; or until the majority (if not all) internet-connecting programs have been run with available modules/plugins, etc., so that popups are minimized. Once it has been set to “On” popups will be generated for each new/changed component.

Application Behavior Analysis and Component Monitor combined form the Advanced Security Analysis Monitor, which is truly the final state in our filtering/layering scenario. The flow of traffic through these layers of security can briefly be described as follows:

  • Incoming Connections

  1. Network monitor applies filtering; if successful it passes to the application monitor
  2. Application monitor checks the target application; if allowed it passes to
  3. Advanced security analysis monitor

If these 3 steps are passed, the application receives the connection.

  • Outgoing connections

The order changes:

  1. Application monitor
  2. Advanced security monitor
  3. Network monitor

This last section is taken from Egemen’s post here: https://forums.comodo.com/index.php/topic,725.msg4663.html#msg4663

Can you help me? I installed Comodo and I use AOL. I’m having difficulty setting the TCP/UDP network connections for Internet Explorer to access the Windows Update site. It connects, but then an error page comes up saying in the info there that the firewall is misconfigured. I cannot understand why this fault occurs, as I accepted all AOL connections in Applications and set up to block incoming IP under number 1 and allow TCP and UDP of all connections and ports etc. as number 0. I’m confused, please help.

dragoneye,

In CFP, will you open the Network Monitor to full-screen and capture a screenshot. Save the screenshot as an image file (jpg, gif, png) and attach it to your post under “Additional Options.”

If you can also capture and post a screenshot of the error message you’re receiving from the Windows Update site, that will help.

LM

[Error number: 0x80072EFD]
The website has encountered a problem and cannot display the page you are trying to view. The options provided below might help you solve the problem.
For self-help options:

Frequently Asked Questions

Find Solutions

Windows Update Newsgroup
For assisted support options:

Microsoft Online Assisted Support (no-cost for Windows Update issues)

Read more about steps you can take to resolve this problem (error number 0x80072EFD) yourself.

I could not save the page as an image/jpg file, so I copied the error info here for you as it comes on this page of error info on the Windows website.
I wasn’t sure at first how to get a screenshot, as it only says to save in Internet Explorer as “save as”, and you can only save the web page as HTML. OK, thanks, dragoneye

There is info here from MS on that error message: http://support.microsoft.com/kb/836941; there is a download you can do, that will automate the process, or you can follow the step-by-step instructions. If you’re not excited about digging in by hand, I recommend trying their automated download “guided help” and using that.

I also read on another forum that a user found after trying many solutions, that his NIC (network interface card) was bad.

The only real possibility for CFP to have blocked you, is if you blocked svchost.exe (check your Application Monitor for such an entry). However, if you have done that, you most likely will not be able to connect to the internet at all - so it’s probably not that.

To update from the Windows website, you still have to have BITS (background intelligent transfer service) running, and set to at least Manual. This is a Windows Service. If you go to Start/Run and type in “services.msc” it will open the interface, and you can verify the status of BITS.

Here’s a little tutorial on capturing screenshots: https://forums.comodo.com/index.php/topic,6770.0.html You may find that helpful.

LM

I have a restrictive set of network rules, which deny all packets that are not specifically allowed. (Vital stuff like ICMP and DNS are allowed.)

Now, I trust application app.exe to perform all network activity it needs. I add the relevant application rule. But when I launch app.exe, it can’t operate, because the network rules restrict it. That’s how Comodo’s rules work.

Let’s say app.exe uses port 8081, but I don’t want to allow any OTHER application use this port. How is it possible? (I don’t know what ports and IPs app.exe uses and I don’t want to care: I trust it.)

You have a bit of a conundrum here, dali_bude (heh! good thing I’m not dyslexic). If you’re going to crank down your Network rules regarding Outbound traffic protocols/ports, then you’re going to have to specify Application rules be specific to the same level (which means you have to know…).

This is part of why one of the default NetMon rules is to Allow TCP/UDP Out Any Any Any Any. This allows you to surf, get email, etc, because none of these require an unsolicited Inbound connection. If you don’t want an application connecting, you can control it in AppMon; you can also control what Destination Ports it is allowed to connect to, while still having that default NetMon rule.

I’ll give you one work-around possibility that might meet your requirements (but still requires the more permissive Outbound NetMon rule). Let’s say you want to control your browser (we’ll call it browser.exe) and how it connects. Gotta have UDP Out Ports 80,443,53, right? So you create a rule this way:
Application: Browser.exe
Parent: Learn
Apply the following:
Action: Block (yes, that’s right)
Protocol: TCP/UDP (or just UDP)
Direction: Out
Destination IP: Any
Destination Port: A set of ports: 53,80,443 (no space after comma) - now go check the “Exclude” box that is accessible in this tab.

OK.

Now all outbound traffic for this app is blocked EXCEPT the traffic you choose to allow.

Another way (if you don’t care how this app connects) is to set it as a Trusted application. You can do this in Security/Tasks. You can also edit the App rule and instead of “Apply the following” choose “Allow all activities.”

I don’t think that answers your question, but I hope it’s a start. We’ll keep drilling down on it.

LM

This is part of why one of the default NetMon rules is to Allow TCP/UDP Out Any Any Any Any. This allows you to surf, get email, etc, because none of these require an unsolicited Inbound connection. If you don't want an application connecting, you can control it in AppMon; you can also control what Destination Ports it is allowed to connect to, while still having that default NetMon rule.

Okay. So allowing arbitrary outbound traffic is not UNsafe, because the firewall will block:

  • unknown processes which will try to UDP my passwords out;
  • malicious code (exe or dll) that will do it via some system process like svchost.exe.

Then, if my app.exe only initiates connections, that’s fine. But what if my app.exe also accepts incoming connections? For example, it’s an instant messenger. It listens to port 12345. I allow incoming messages to port 12345 in the network rules. This gives ALL the programs the opportunity to listen to 12345. That’s unsafe (at least, technically).

True, it would. IF you were to authorize all other programs to listen on that port. You have a few options there.

  1. Select an uncommon, high-numbered port (such as 48329) that is not otherwise commonly utilized by processes, services, or other applications. This is probably the most user-friendly.
  2. Edit all application rules to eliminate unnecessary Inbound authorization (i.e., Word doesn’t need In, and only rarely Out) to only those apps that need it.
  3. Edit all application rules to separate In and Out controls, and specify the destination ports for those inbound rules.

Obviously, you can combine all these options in various ways, and tighten it up to the point of insanity. You should not need Inbound rules for any apps except those that have to “listen” such as p2p, IM, etc (browser, email, etc should not need that aspect; they get the inbound based on the returning outbound request).

LM
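To make the layering in this thread concrete, here is an added toy model (my own code, not Comodo’s, and not anything from the forum posts) of how the opening post describes rule evaluation: Network Monitor rules are filtered top-down with the first match winning and an implicit block when nothing matches; Application Monitor rules are per executable and include LM’s “Block with an Excluded port set” trick; and the layer order differs for incoming (network, application, ASA) versus outgoing (application, ASA, network) traffic. The Advanced Security Analysis layer is a pass-through placeholder, because the thread describes its alerts but no matching logic. Every executable name (messenger.exe, browser.exe, im.exe, word.exe), port and rule set is constructed for illustration; the companion “allow” rule for browser.exe is an assumption about how the excluded ports get through, and an app with no matching rule is assumed to be answered Deny.

```python
"""Toy model of Comodo Firewall Pro 2.4's layered rule evaluation.
Added example, not Comodo's code: rule fields are simplified assumptions
and every executable name, port and rule set below is constructed."""
from dataclasses import dataclass

ANY = "any"


@dataclass(frozen=True)
class Packet:
    app: str                        # executable involved, e.g. "messenger.exe"
    proto: str                      # "tcp", "udp", "igmp", "icmp", ...
    direction: str                  # "in" or "out"
    dst_port: int = 0               # 0 = not applicable (e.g. IGMP)


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "block"
    proto: str = ANY                # "tcp", "udp", "tcp/udp", "igmp", "ip", "any"
    direction: str = ANY            # "in", "out", "in/out", "any"
    ports: frozenset = frozenset()  # destination port set; empty = any port
    exclude: bool = False           # the "Exclude" box: match ports NOT in the set
    app: str = ANY                  # Application Monitor rules only
    log: bool = False               # "Block & Log": raise an alert when fired

    def matches(self, pkt: Packet) -> bool:
        if self.app != ANY and self.app.lower() != pkt.app.lower():
            return False
        # "IP" is the umbrella protocol, so it covers TCP, UDP, IGMP, ICMP, ...
        if self.proto not in (ANY, "ip") and pkt.proto not in self.proto.split("/"):
            return False
        if self.direction not in (ANY, "in/out") and self.direction != pkt.direction:
            return False
        if self.ports:
            return (pkt.dst_port in self.ports) != self.exclude  # Exclude flips the test
        return True


def network_monitor(net_rules, pkt):
    """Top-down, first match wins; no match at all is an implicit block."""
    for rule in net_rules:
        if rule.matches(pkt):
            return rule.action, rule
    return "block", None            # implicit: nothing explicitly allowed it


def application_monitor(app_rules, pkt):
    """Only rules naming this executable count.  An app with no matching rule
    is treated as denied (assumption: the alert it would raise is answered Deny)."""
    for rule in app_rules:
        if rule.app != ANY and rule.matches(pkt):
            return rule.action, rule
    return "block", None


def advanced_security_analysis(pkt):
    """Placeholder for ABA + Component Monitor: nothing here raises an alert."""
    return "allow", None


def evaluate(pkt, net_rules, app_rules):
    """Return (verdict, blocking layer, rule) using the order from the thread:
    In = network -> application -> ASA; Out = application -> ASA -> network."""
    net = ("network", lambda p: network_monitor(net_rules, p))
    app = ("application", lambda p: application_monitor(app_rules, p))
    asa = ("asa", advanced_security_analysis)
    order = [net, app, asa] if pkt.direction == "in" else [app, asa, net]
    for name, check in order:
        verdict, rule = check(pkt)
        if verdict == "block":
            return "block", name, rule
    return "allow", None, None


# Constructed rule sets mirroring the thread's descriptions.
ALLOW_OUT = Rule("allow", proto="tcp/udp", direction="out")             # Allow TCP/UDP Out Any
BOTTOM_BLOCK = Rule("block", proto="ip", direction="in/out", log=True)  # bottom Block & Log IP
DEFAULT_NET = [ALLOW_OUT, BOTTOM_BLOCK]
NET_WITH_IGMP_LOG = [ALLOW_OUT, Rule("block", proto="igmp", log=True), BOTTOM_BLOCK]
NET_NO_BOTTOM = [ALLOW_OUT]                                             # no final block rule
NET_IM = [ALLOW_OUT, Rule("allow", proto="tcp", direction="in", ports=frozenset({12345})),
          BOTTOM_BLOCK]

APP_RULES = [
    Rule("allow", app="messenger.exe", direction="in/out"),               # allowed in AppMon
    Rule("block", app="browser.exe", proto="tcp/udp", direction="out",
         ports=frozenset({53, 80, 443}), exclude=True),                   # LM's Exclude trick
    Rule("allow", app="browser.exe", proto="tcp/udp", direction="out"),   # assumed companion allow
    Rule("allow", app="im.exe", proto="tcp", direction="in/out"),         # IM may listen
    Rule("allow", app="word.exe", proto="tcp/udp", direction="out"),      # no In for Word
]

if __name__ == "__main__":
    for label, pkt, net in [
        ("Messenger IGMP, default rules", Packet("messenger.exe", "igmp", "out"), DEFAULT_NET),
        ("Messenger IGMP, no bottom rule", Packet("messenger.exe", "igmp", "out"), NET_NO_BOTTOM),
        ("Browser to port 8081", Packet("browser.exe", "tcp", "out", 8081), DEFAULT_NET),
        ("Word listening on 12345", Packet("word.exe", "tcp", "in", 12345), NET_IM),
    ]:
        print(f"{label}: {evaluate(pkt, net, APP_RULES)}")
```

Running it shows the points made across the thread: Messenger’s IGMP is blocked at the network layer by the bottom rule even though the app is allowed, and stays blocked with no bottom rule at all (returned rule `None`, the implicit block); the browser reaches port 80 but is stopped at the application layer on 8081 by the single Block-with-Exclude rule; and opening TCP In 12345 in the Network Monitor lets im.exe listen while word.exe, whose rule is Out only, is still stopped at the application layer.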

Hallo dear COMODO-Administrators and COMODO-freaks (:WAV)

Last weekend I had to add some rules into the Network Monitor. Generally it all seems to function fine now!! (:WIN)
But the great problem I now have (or at least think I have) is that, while creating new rules, I changed [by overwriting!] one original (already registered in the Network Monitor) “blocking” = NOT-ALLOW rule into another “blocking” = NOT-ALLOW rule. So the original function of the originally installed rule is no longer the same. And I fear that this rule plays an important role for secure Internet surfing! (:AGY)
The Firewall would be much clearer anyway if it gave warning signs before changing / overwriting any rule!

Could anyone please be so kind as to tell me step by step how to get the original “NOT-ALLOW” rule back again???

Thanks very much in advance - yours

“Kumpel” (:WAV)

Kumpel,

In this thread:
https://forums.comodo.com/index.php/topic,6167.0.html there is a post about the “Network Rules Defined.” This lists the rules that are part of a default installation. I think you are referring to what would originally be Rule ID 5 (as listed in that post); it needs to be in the very bottom/last/lowest position, as the traffic is filtered from the top (and you don’t want it blocked prematurely).

Short and quick, that rule is:
Action: Block (and log - create an alert if this rule is fired)
Protocol: IP
Direction: In/Out
Source IP: Any
Destination IP: Any
IP Details: Any

You can build it in place by right-clicking the last rule and selecting Add/Add After. You can also simply click the Add button, build the rule, then Move it up or down as needed.

LM

wow, you guys are doing a great job of attempting to explain how to operate this program. Unfortunately, some of our old minds just can’t comprehend all this without going back to school and going over and over and over this. I’ve found that when I want to do something on the net and when Comodo blocks it sometimes and not others, I just close the program and proceed… then reopen Comodo. I’ve even tried allowing all applications completely and it still blocks them sometimes, not to mention defeats the purpose of having a firewall I guess. I’ve used expensive firewalls in the past and do not recall having this much trouble trying to understand it. The price is good, however.
I upgraded to V3 on my other machine, and it seems to just allow everything, which worries me. It used to prompt me for when Real Player & Windows Media Player constantly wanted to access the net for no reason, now it doesn’t. So, I guess I’m stuck with this older version.

Not sure if there is an easier one to use or not.
Tim

Tim,

v3 is working off of an encrypted safelist of known files/executables. At the present, Comodo has roughly 1 million files populating that list. Applications on that list are still monitored for suspicious activity, but normal actions are allowed automatically, so as to “smooth” things out for the user (because most folks don’t want all the popups that 2.4 gives). For those that do want popups, Defense + can be set to a higher level (such as Paranoid Mode), and the Firewall Alert Frequency can be cranked up as well. The Security Levels for both sides of this application drive how it operates. At any rate, there isn’t any reason to be concerned over the “quietness” of v3.

For 2.4, it sounds like your issues stem from various “Application Behavior Analysis” (ABA) alerts; that’s the only real scenario in which CFP will seem to ignore your rules and block things. What you describe as your “workaround” would be the appropriate way to clear the temporary rules created by a Block without Remember scenario. To make a decisive call on it, we’d need more detailed information relating to specific event(s) - screenshots of the alerts, log extracts, etc.

LM

Actually, unless I read it wrong, 2.4 is CPF.exe instead of CFP.exe as you referred. I upgraded to V3 on my desktop, (1.0.0.1 the file properties says) and my machine often has difficulty finding the program file to open it. Sometimes it does, but often it crashes and says windows can’t find the file CPF.exe.
Actually, the program file is CFP.exe.
Tim

Yes, you are correct, Tim. 2.4’s GUI is CPF.exe, 3.0 is CFP.exe. Internal references may be incorrect, as it’s an easy oversight in the coding. This should not have any impact other than cosmetic.

Situation is, during v2’s progress, the name changed from Comodo Personal Firewall (CPF) to Comodo Firewall Pro (CFP). Even though the software name changed, the GUI executable was not renamed until v3. When using multiple versions and providing support accordingly, we sometimes intermix the .exe references; the app’s internal references may be mixed as well.

Please consider them to be interchangeable… :wink:

LM

Would you explain to me how Comodo Personal Firewall will operate in this situation?

  1. In the Application Control for SomeApplication.exe there is a rule Allow TCP or UDP In/Out.
    SomeApplication.exe tries to initiate a TCP outgoing connection on port 3456.
  2. In the Network Monitor there is no rule to allow a TCP outgoing connection on port 3456, and no blocking rule for the connection (and no last All block rule).

Will SomeApplication.exe be blocked?

P.S. Comodo Personal Firewall 2.4
P.P.S. Sorry for my English :frowning:

Hi CragHack, welcome to the forum.

If you don’t have a rule in NM to allow communication OUT for port 3456 (or a more general allow all rule), it should be blocked.

OK!
If there is no allowing rule in NM, then the connection will be blocked,
i.e. no need to create the last all-blocking rule?

How can you review your trusted applications?

(I could not find how to start a new topic - no button found.)

Hi Roomies,

I just installed a new version of CFP.3v and I see that some of my TRUSTED applications are waiting for my review, and I don’t know what to do next or how they got there. Here is a picture of my proactive defense summary.

Thank you :THNK
