Local Area Network
IP in [your network IP Mask (eg 10.0.0.0/255.0.0.0)]
IP 0.0.0.0
IP 255.255.255.255
Internet-wide Multicast
IP in 224.0.1.0-238.255.255.255
Special & Local Multicast
IP in 224.0.0.0-224.0.0.255
IP in 239.0.0.0-239.255.255.255
Firewall\Advanced\Predefined Firewall Policies
LAN
Allow IP In From In [Local Area Network] To IP Any Where Protocol Is Any
Allow IP Out From IP Any To In [Local Area Network] Where Protocol Is Any
Allow IP Out From IP Any To In [Special & Local Multicast] Where Protocol Is Any
Block and Log All Unmatching Requests
LAN & Outgoing
Allow IP In From In [Local Area Network] To IP Any Where Protocol Is Any
Allow IP Out From IP Any To In [Local Area Network] Where Protocol Is Any
Allow IP Out From IP Any To In [Special & Local Multicast] Where Protocol Is Any
Allow TCP or UDP Outgoing Requests
Block and Log All Unmatching Requests
Web Browsers with FTP capabilities
Allow Outgoing TCP Requests
Allow Outgoing DNS Requests
Block and Log All Unmatching Requests
Allow TCP In From IP Any to IP Any Where Source Port ANY And Destination Port Is In [Incoming TCP]
Allow UDP In From IP Any to IP Any Where Source Port ANY And Destination Port Is In [Incoming UDP]
Allow TCP In from Any IP to Any IP where Source Port is 20 and Destination Port is ANY (To enable FTP CLIENT Firewall Policy)
Block and Log TCP or UDP Out From IP Any to IP Any Where Source Port is In [Netbios & DCOM] And Destination Port Is ANY
Allow and Log TCP or UDP Out From IP Any to IP Any Where Source Port Is In [Privileged Ports] And Destination Port Is Any
Allow TCP or UDP Out From IP Any to IP Any Where Source Port Is Not In [Privileged Ports] And Destination Port Is Any
Allow IP out from Any IP to Any IP where the protocol is GRE (Needed for PPTP)
Allow ICMP Out From IP Any to IP Any Where ICMP Message Is ECHO REQUEST
Allow ICMP In From IP Any to IP Any Where ICMP Message Is ECHO REPLY
Allow ICMP In From IP Any to IP Any Where ICMP Message Is TIME EXCEEDED
Allow ICMP In From IP Any to IP Any Where ICMP Message Is PORT UNREACHABLE
Allow ICMP In From IP Any to IP Any Where ICMP Message Is FRAGMENTATION NEEDED
Block and Log IP In/Out From IP Any to IP Any
Last Step Should be to use Firewall\Common Tasks\Firewall Stealth Configuration and Choose “Define a New trusted network” and allow [Local Area Network] and [Special & Local Multicast]
NOTE: When you add your private IP range to your [Local Area Network] Zone don’t forget to add Your Network Address (usually ending with .0) and Broadcast Address (usually ending with .255) Using IP Masks or IP Ranges
eg: Network Address: 10.0.0.0, Broadcast Address: 10.255.255.255
IP Mask 10.0.0.0/255.0.0.0
IP Range 10.0.0.0-10.255.255.255
I really don’t care if it works with that rule set. The default policy needs to be enhanced so that tracert works out of the box, especially since it is a white-listed application. If this is a workaround, ok, but it should not be up to the user to start adding rules so that standard system components will work with the firewall.
This problem is another one of those “works for some and doesn’t work for me” situations. In my case it does not work correctly on my XP Pro SP2 system.
I am not able to try it out at the moment as I have too many other things to be doing just now but I will try it later on.
But I think this emphasises the point I was trying to make. Just look at all the steps a normal user would have to take just to get tracert to work. If they come to the example scenario I gave, then what normal everyday user who just wants to do a tracert at the request of their ISP is going to want to go through all that?
I know the answer, as I have a lot of friends whose computer expertise is switching it on, browsing the net and then switching it off again.
If I was to suggest that they follow all these instructions just to do a simple tracert, then I can quite confidently say that Comodo Firewall 3 would be off their computer faster than you could say uninstall.
I just find it odd and bizarre that such a basic function takes all these steps to function properly. ???
[Vista Ultimate] Tracert works out of the box for me, but I still think even programs with default settings need to be added to the Policies when activated, for those of us who might want to change the settings. I presume we can override the default settings with explicit adds to the Policies. Is that true, Comodo?
Actually ping and tracert are handled by
Allow ICMP Out From IP Any to IP Any Where ICMP Message Is ECHO REQUEST
Allow ICMP In From IP Any to IP Any Where ICMP Message Is ECHO REPLY
Allow ICMP In From IP Any to IP Any Where ICMP Message Is TIME EXCEEDED
But I can only partly agree with you. The fact is we don’t have any specifics about the different installation-created rulesets.
During installation V3 settings change depending on the answers users chose.
I really cannot tell if another ruleset supports ping or tracert, but you have to admit that these are support-related tools.
On a side note, I’m trying to gather enough consensus for this in order to make troubleshooting and rule sharing easier.
I believe that this forum should be addressed as a feature of Comodo products and not as a separate entity. This means that forum-related enhancements and tools should be addressed with the same level of effort/priorities.
As security is a delicate matter, it is better to provide a cradle to nurture member training and awareness rather than addressing some aspects in one place. For example, another long-desired CFP wish is a way to create rules from log entries. This can make things a lot easier, but what about untrained users who will blindly allow everything to remove blocked entries from the log?
There are no tools that can protect users without any intervention, so sharing knowledge and experience is, for me, the only long-term solution.
Sorry for butting in, but these rule sets are all well and good for all those lucky people who seem to have PhDs in firewalls, but what about the rest of us? I am confused, frustrated, and have lost all confidence; I have no idea if I am protected or not. I’m sure this is a powerful program, and is forging ahead, but it’s well and truly left me and, judging by your forum, lots of others behind. USER FRIENDLY IT IS NOT. techdunce ???
That’s why I asked this some time ago. This is my latest post.
Anyway, if you are suggesting that there exists software that allows even inexperienced users to configure it, I need an example to look at.
I guess that windows xp firewall could be one of these but it is simply because it doesn’t grant any protection at all.
Well, I’m back to ver 2.4 set to custom and all is fine. I’d be the first to admit, I really do need to start investigating the inner workings of firewalls, and their many functions. But this upgrade left me behind. techdunce
Hope I don’t get flamed for this suggestion but I haven’t used tracert since I came across PingPlotter.
There is a free version which does everything tracert does and has a nice GUI, and you can save as many web addresses to ping as you like in the menu. Just double-click the one you want to ping.
It can be found here…
You need to track down the free version though.
It’s the bottom line of the page in that link.
It worked first time with CFPv3 by just ‘allowing’ it.
Just a quick FWIW on this tracert issue. I am using Windows XPSP2 with CFP 3.0.13.268. I added one small rule at the top of the Global set, namely, “Allow ICMP IN From IP ANY to IP ANY Where ICMP Message is TIME EXCEEDED”; the default rule is used with the Application (tracert). This works. The Application rule allows all outbound items, whatever the protocol or addresses. The Global rule allows the incoming TIME EXCEEDED. More complicated rule sets add nothing additional for this application.
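To make the two configurations discussed in this thread concrete (the full ruleset posted at the top, with its zones and ICMP Global rules, and the single “Allow ICMP IN … TIME EXCEEDED” Global rule described just above), here is a small first-match rule evaluator written for this thread. It is an added example, not Comodo’s code: it assumes Global Rules are evaluated top to bottom with the first match winning, and that a packet matching no Global rule falls through to the application rules (modelled here as “allow”, which is how a later post in the thread describes the no-global-rules case). All addresses, zone names and packets are constructed; the hop and destination addresses come from the RFC 5737 documentation ranges.

```python
"""Toy first-match evaluator for the Comodo-style Global Rules quoted in this thread.

Added example, not Comodo's code. Zones and rules mirror the posted ruleset; the
packets are constructed to look like one tracert probe and its two possible answers.
"""
import ipaddress
from dataclasses import dataclass


def zone(entries):
    """Turn 'IP Mask' (a.b.c.d/mask), bare IP, or 'IP Range' (a-b) entries into int ranges."""
    ranges = []
    for e in entries:
        if "-" in e:                                   # IP Range form: 10.0.0.0-10.255.255.255
            lo, hi = e.split("-")
            ranges.append((int(ipaddress.ip_address(lo)), int(ipaddress.ip_address(hi))))
        else:                                          # IP Mask form (10.0.0.0/255.0.0.0) or a single IP
            net = ipaddress.ip_network(e, strict=False)
            ranges.append((int(net.network_address), int(net.broadcast_address)))
    return ranges


# Zones as defined at the top of the thread (the mask form already covers the
# network address 10.0.0.0 and the broadcast address 10.255.255.255).
ZONES = {
    "Local Area Network": zone(["10.0.0.0/255.0.0.0", "0.0.0.0", "255.255.255.255"]),
    "Internet-wide Multicast": zone(["224.0.1.0-238.255.255.255"]),
    "Special & Local Multicast": zone(["224.0.0.0-224.0.0.255", "239.0.0.0-239.255.255.255"]),
}


@dataclass(frozen=True)
class Packet:
    direction: str          # "in" or "out"
    proto: str              # "icmp", "tcp", "udp", "gre"
    src: str
    dst: str
    icmp_msg: str = ""      # e.g. "ECHO REQUEST", "TIME EXCEEDED"


@dataclass(frozen=True)
class Rule:
    action: str             # "allow" or "block"
    log: bool = False
    direction: str = "any"  # "in", "out", "any"
    proto: str = "any"      # "ip" is treated like "any", as in the rule syntax
    src_zone: str = "any"
    dst_zone: str = "any"
    icmp_msg: str = "any"


def in_zone(ip, zone_name):
    if zone_name == "any":
        return True
    n = int(ipaddress.ip_address(ip))
    return any(lo <= n <= hi for lo, hi in ZONES[zone_name])


def matches(rule, pkt):
    return (rule.direction in ("any", pkt.direction)
            and rule.proto in ("any", "ip", pkt.proto)
            and in_zone(pkt.src, rule.src_zone)
            and in_zone(pkt.dst, rule.dst_zone)
            and (rule.icmp_msg == "any"
                 or (pkt.proto == "icmp" and rule.icmp_msg == pkt.icmp_msg)))


def evaluate(rules, pkt):
    """First matching rule wins; returns (action, logged). Assumption: no match = fall
    through to the application rules, modelled as allow."""
    for r in rules:
        if matches(r, pkt):
            return r.action, r.log
    return "allow", False


# The LAN and ICMP Global rules from the posted ruleset, in the posted order.
POSTED_GLOBAL_RULES = [
    Rule("allow", direction="in", proto="ip", src_zone="Local Area Network"),
    Rule("allow", direction="out", proto="ip", dst_zone="Local Area Network"),
    Rule("allow", direction="out", proto="ip", dst_zone="Special & Local Multicast"),
    Rule("allow", direction="out", proto="icmp", icmp_msg="ECHO REQUEST"),
    Rule("allow", direction="in", proto="icmp", icmp_msg="ECHO REPLY"),
    Rule("allow", direction="in", proto="icmp", icmp_msg="TIME EXCEEDED"),
    Rule("allow", direction="in", proto="icmp", icmp_msg="PORT UNREACHABLE"),
    Rule("allow", direction="in", proto="icmp", icmp_msg="FRAGMENTATION NEEDED"),
    Rule("block", log=True),   # Block and Log IP In/Out From IP Any to IP Any
]

# The one-rule Global set from the post above; outbound is left to the application rule.
MINIMAL_GLOBAL_RULES = [Rule("allow", direction="in", proto="icmp", icmp_msg="TIME EXCEEDED")]


def tracert_exchange(me="10.0.0.5", hop="203.0.113.1", dst="198.51.100.10"):
    """Constructed packets for one tracert probe: the echo request out, the ICMP
    Time Exceeded back from an intermediate router, and the echo reply from the target."""
    return [
        Packet("out", "icmp", me, dst, "ECHO REQUEST"),
        Packet("in", "icmp", hop, me, "TIME EXCEEDED"),
        Packet("in", "icmp", dst, me, "ECHO REPLY"),
    ]


def tracert_works(rules):
    """True only if every packet of the exchange is allowed by the Global rules."""
    return all(evaluate(rules, p)[0] == "allow" for p in tracert_exchange())


if __name__ == "__main__":
    no_time_exceeded = [r for r in POSTED_GLOBAL_RULES if r.icmp_msg != "TIME EXCEEDED"]
    for name, rules in [("posted", POSTED_GLOBAL_RULES), ("minimal", MINIMAL_GLOBAL_RULES),
                        ("posted without TIME EXCEEDED", no_time_exceeded)]:
        print(f"{name}: tracert works = {tracert_works(rules)}")
        for p in tracert_exchange():
            print("   ", p.direction, p.icmp_msg, "->", evaluate(rules, p))
```

Running it shows the point both posts make: with the Time Exceeded rule present (in either ruleset) every hop’s reply gets in, and with it removed the intermediate hops’ replies hit the final “Block and Log” rule, which is exactly the row-of-asterisks tracert output users were seeing.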
Firewall wise V3 is pretty much like V2. Maybe the only thing that is different is that you have few processes that were hidden by that Allow traffic for applications certified by comodo.
So you can configure V3 firewall like you did with V2 (this time you get port sets and predefined policies to make your life easier, plus you can log application traffic too)
I guess the most noisy alerts came from file protection and registry protection. But something can be done.
Anyway, if you would like and you are willing to install V3 on another PC, I can reply to your questions about the differences and how to mimic old V2 functionality (if possible).
So you can later write a FAQ about this topic :-*
Thanks for that gibran, but if nothing else, this has shown me just how little I know about firewalls. I don’t have another PC, but will stick with ver 2.4 for now and brush up my very limited knowledge on the subject. But, genuine thanks, techdunce
For tracert, the application rule provides the outbound requirements. It allows tracert to use any protocol to any external address; that covers the need for ICMP echo requests. The Global rule allows only ICMP 11 (Time exceeded) to enter for tracert or any other application. Posting screenshots just doesn’t seem necessary.
I guess so as I can test that myself. That is just to provide enough information to member reading this topic.
Using no global rules you don’t even need to allow ICMP Time exceeded so I guess you have at least an inbound IP deny after that rule.
Who will write that faq then?
Anyway some members are planning a V3 userguide to cover all the topics any user should know. So you’ll update to v3 soon
I agree and I have verified that adding this single rule gives me a tracert that functions normally. IMHO this rule should be part of the default rules.
Beats me why tracert works out of the box for Vista as reported by some.
A revamped old 2.4 ruleset it may be, but it’s not something that had to be created or edited by the user who was using Comodo v2.4. It worked straight out of the box without the need to start playing around with any settings.
IMHO that is the way it should be. I may of course be in the minority to have that view, but have that view I do. No problem with your view on this though as I’m sure you have none with mine. (:WIN)
However can I give you a story of my brother who visited me last night.
I asked him if he had installed the new version of Comodo. He had not done so yet (naturally that earned him a thick ear). I showed him this thread and explained to him that to get tracert to work he may have to go through all this just to run this simple task. I won’t repeat his answer here as it’s a family friendly forum. But needless to say Comodo 3 is not going on his PC.
So that’s one potential user lost already. Which is a shame really.
Forgot to add that I got it working by making a rule in Global Rules to allow ICMP in/out as suggested by jasper2408 earlier in the thread.