What are the best network rules for a stand-alone computer

Hi everyone. Firstly thanks for a great firewall.
My computer is not part of a LAN. I’m connected to the internet through a cable modem via an ethernet adapter. Currently using the default network rules. As I am not very good with the rules, I wonder if the default rules are the best rules for my computer. Any suggestions for better rules?
Thanks
Hilmi

Welcome to the forums, Hilmi (:WAV)

With your setup, the default rules are certainly fine, and secure. If you’re not using any special applications that require special rules (such as online gaming, p2p apps, instant messaging, etc.) you may only need two rules:

Rule 0 to Allow Out
Rule 1 to Block In

Before you try to make any changes to the existing rule structure, I very highly recommend that you read this most excellent tutorial on Network Control Rules by m0ng0d: https://forums.comodo.com/index.php/topic,1125.0.html to gain a better understanding of how they work. He will walk you through the creation of those two basic rules, right in the beginning. This was written for a previous version of CPF, so some of the rules language is different; however the concept is the same.

Keep in mind that with CPF, all applications (allowed by the Application Monitor) only connect to the internet within the context of the Network Monitor rules.

If you have any further questions, don’t be afraid to ask!

LM

I agree with Little Mac that the default rules are fine.
If you want more control, you can raise the alert frequency level slider to high or very high, and uncheck “do not show alerts for apps certified by Comodo” in security/advanced/misc.
You will now get a lot of popups, but the rules that are created are more “tight”.
You probably have to go in to application monitor to “generalize” the rules a bit, so you won’t get, let’s say, a popup for every IP on every website you visit.
The good thing is that you will learn a lot, and the popups will be less frequent after a while.
Good luck.

Thanks for the replies. I will leave it to run with the default rules.
I read m0ng0d’s notes. Great, but no mention of ICMP rules.
Just for curiosity, could anyone explain what those 6 default rules do. Please pardon my ignorance.

Also, I use SpyWall and Nod32. So far I have not had any problems running all three.
SpyWall does have a browser firewall. Just wonder if this will have any conflicts with comodo.

Many Thanks

hilmi,

m0ng0d may not have discussed the building of ICMP rules, but by default you should have some. The default rules should look like this:

ID  Permission     Protocol      Source  Destination  Criteria
0   Allow          TCP/UDP Out   Any     Any
1   Allow          ICMP Out      Any     Any          Where icmp message is echo request
2   Allow          ICMP In       Any     Any          Where icmp message is fragmentation needed
3   Allow          ICMP In       Any     Any          Where icmp message is time exceeded
4   Allow          IP Out        Any     Any          Where IPPROTO is GRE
5   Block (+log)   IP In/Out     Any     Any          Where IPPROTO is ANY

The top one (Rule ID 0) allows you to communicate Outbound; browse, download, etc.

The next three address ICMP and allow some specific types of ICMP communication that are frequently needed by users.

The fifth rule (ID 4) allows outbound GRE (Generic Routing Encapsulation) communication. This is used in IP tunneling (such as with a Virtual Private Network, or VPN).

The final rule (ID 5) blocks anything that was not previously allowed (since the rules filter from the top).

Top and bottom rules are pretty obvious; that’s primarily what m0ng0d discussed. The other four rules have been found to be necessary in a large number (if not majority) of computer/software configurations. Thus, Comodo includes those by default, so that the user doesn’t have to create them (since it was shown that many would have to…).

Depending on the needs of your specific software, etc., you may have the need for more (or even fewer) rules. I personally do not use even that many.

Hope that helps answer your question…

LM
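As an added illustration of LM’s point that the rules filter from the top (first match wins) and that the final row catches everything not already allowed, here is a small Python model loaded with the six default rules from the table above. This is my own example code, not Comodo’s or m0ng0d’s; the Packet and Rule classes, the evaluate function and the sample traffic are assumptions for the demo. It ignores ports and any stateful handling CPF may do for replies, and it treats rule 5’s “IP In/Out … IPPROTO is ANY” as a plain catch-all.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Minimal packet view: only the fields the six default rules look at (assumed model)."""
    proto: str                       # "TCP", "UDP", "ICMP", "GRE", ...
    direction: str                   # "In" (arriving at this PC) or "Out" (leaving it)
    src: str
    dst: str
    icmp_type: Optional[str] = None  # "echo request", "time exceeded", ...


@dataclass(frozen=True)
class Rule:
    """One Network Monitor row as quoted in the thread (the encoding is my own)."""
    rule_id: int
    permission: str                          # "Allow" or "Block"
    protocols: Optional[FrozenSet[str]]      # None = any IP protocol (the "IPPROTO is ANY" row)
    directions: FrozenSet[str]
    icmp_type: Optional[str] = None          # the "Where icmp message is ..." criterion
    log: bool = False                        # the "(+log)" flag

    def matches(self, pkt: Packet) -> bool:
        if self.protocols is not None and pkt.proto not in self.protocols:
            return False
        if pkt.direction not in self.directions:
            return False
        if self.icmp_type is not None and pkt.icmp_type != self.icmp_type:
            return False
        return True


# The six default rules from the table above, in the order CPF evaluates them.
DEFAULT_RULES: List[Rule] = [
    Rule(0, "Allow", frozenset({"TCP", "UDP"}), frozenset({"Out"})),
    Rule(1, "Allow", frozenset({"ICMP"}), frozenset({"Out"}), icmp_type="echo request"),
    Rule(2, "Allow", frozenset({"ICMP"}), frozenset({"In"}), icmp_type="fragmentation needed"),
    Rule(3, "Allow", frozenset({"ICMP"}), frozenset({"In"}), icmp_type="time exceeded"),
    Rule(4, "Allow", frozenset({"GRE"}), frozenset({"Out"})),
    Rule(5, "Block", None, frozenset({"In", "Out"}), log=True),
]


def evaluate(pkt: Packet, rules: List[Rule] = DEFAULT_RULES) -> Tuple[str, int, bool]:
    """Top-down, first match wins: returns (permission, rule id, logged?).

    If no rule matches (only possible when the catch-all row has been deleted),
    fail closed and block. That is an assumption of this model, not documented CPF behaviour.
    """
    for rule in rules:
        if rule.matches(pkt):
            return rule.permission, rule.rule_id, rule.log
    return "Block", -1, False


# Constructed sample traffic for a single PC behind a cable modem (documentation address ranges).
ME, WEB, SOMEONE = "192.0.2.10", "198.51.100.7", "203.0.113.9"
SAMPLE_TRAFFIC = {
    "browse https":        Packet("TCP",  "Out", ME, WEB),
    "dns lookup":          Packet("UDP",  "Out", ME, WEB),
    "ping out":            Packet("ICMP", "Out", ME, WEB, icmp_type="echo request"),
    "traceroute hop":      Packet("ICMP", "In",  WEB, ME, icmp_type="time exceeded"),
    "path mtu hint":       Packet("ICMP", "In",  WEB, ME, icmp_type="fragmentation needed"),
    "vpn tunnel":          Packet("GRE",  "Out", ME, WEB),
    "someone pings me":    Packet("ICMP", "In",  SOMEONE, ME, icmp_type="echo request"),
    "unsolicited connect": Packet("TCP",  "In",  SOMEONE, ME),
}


def decisions(rules: List[Rule] = DEFAULT_RULES):
    """Verdict for every sample packet under the given rule list."""
    return {name: evaluate(pkt, rules) for name, pkt in SAMPLE_TRAFFIC.items()}


def allowed_count(rules: List[Rule]) -> int:
    return sum(1 for verdict in decisions(rules).values() if verdict[0] == "Allow")


if __name__ == "__main__":
    for name, (perm, rid, logged) in decisions().items():
        print(f"{name:22s} -> {perm:5s} by rule {rid}{'  (logged)' if logged else ''}")
    # Ordering matters: move the catch-all block to the top and nothing gets through.
    print("allowed with defaults:", allowed_count(DEFAULT_RULES))
    print("allowed with block rule moved to top:", allowed_count([DEFAULT_RULES[5]] + DEFAULT_RULES[:5]))
```

Running it shows the two outbound rows plus the GRE row letting normal traffic out, the two inbound ICMP rows letting only the diagnostic replies in, and every unsolicited inbound packet landing on rule 5 with the log flag set, which is exactly what you would look for in the firewall log when checking that the catch-all is doing its job.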

Thanks LM.

Earlier I mentioned that I use SpyWall anti-spyware and did not notice any conflicts. But I was wrong. Today while scanning with SpyWall, I noticed that it totally skips scanning dll files. I deactivated Comodo and ran it again; it was all OK. It only skips dlls when Comodo is activated.

Any ideas?

To add to the SpyWall problem, I noticed c:\Program Files\SpyWall\temp.dat is in the component monitor list. A dat file here looked strange to me!!!

Hilmi

The SpyWall scanning thing may be related to the way that CPF monitors “its” applications; ie, the apps that access the internet ~ CPF’s ABA monitors those in kind of a “HIPS” sort of way, to make sure nothing is getting hijacked, etc (it’s part of the security). In some fairly rare cases, this interferes with an application’s purpose/activities. But completing a resident scan; I don’t know, that seems a little odd. You might go to SpyWall’s entry in CPF’s Application Monitor, and under the Miscellaneous tab for that Rule (if you Edit), check the box for “Skip Advanced Security Checks.” Then stop CPF and restart it (ie, from the context menu in the systray icon, choose “Exit”), or just reboot. See if that makes a difference. If it doesn’t, you might file a ticket with Support, here: http://support.comodo.com/

If the DAT file is showing up in CPF’s Component Monitor, then it’s apparently loading with SpyWall. Spywall is what has titled it “temp.dat,” so although that might seem weird, that’s not a CPF thing. I wouldn’t be too surprised to see a DAT file there, although that would be the first I’ve heard…

LM

I tried your suggestion of skipping advanced security checks to no avail, so I submitted a ticket.
If you wish I’ll let you know when I receive a reply.

Thanks buddy for your kindness.

Enjoy your day

Hilmi

One other thing I thought of, hilmi…

Go to Security/Advanced/Application Behavior Analysis, uncheck the top box for “Monitor Inter-Process Memory Modifications.” Then OK. Stop/Restart the Firewall (or just reboot computer).

If you can run the scan then, that at least gives you a culprit. Leaving that aspect of ABA disabled obviously reduces the security of CPF, but at least you’d know…

LM

LM, I did what you said, it did not matter. But, I noticed something that I have not before.
If I run the scan with the browser open, no problems; that is, it scans the dll files. But without the browser open it does not. That’s probably what I did when I switched off CPF. So, whether CPF is activated or not, as long as the browser is not open it won’t scan the dll files. I will raise the issue with trlokom to see if the problem lies with them. I have to let support know about this as I have sent them a ticket.

Okay, I guess that could make sense, if it’s specifically a “browser” firewall. :THNK

With the ticket you’ve submitted to Comodo, you can log back in to the Support site, and view your submitted tickets. When you do that, it will show the flow of conversation back and forth, and allow you to submit more responses, or even additional unrequested information such as your discovery here.

LM

The following site does explain ICMP types and codes and filtering for firewalls, which made me understand the ICMP rules better. Suggested for novices like me.

http://www.daemon.be/maarten/icmpfilter.html#notes

Hilmi

Good, I’m glad your learning curve is increasing. :BNC There’s a lot this firewall can do; the more you know, the more it will do for you. Just depends how deep you want to dig.

The default rules are great, and are designed to work for most users. Some like to have things as tight as a drum, and that can be done, too.

LM

“tight as a drum”… :o