What is the order of rules

The firewall has two parts to its rules, global rules and application rules, so I don't know which rules will be checked first?

Welcome to the Forum ghostbj :slight_smile:

Global Rules:- incoming first

Application Rules:- outgoing first

All rules are read from top to bottom of lists.

Dennis

Thanks Dennis2
I thought about this answer a few times and finally understand…
Maybe I need some rest :smiley:

You forgot to mention Global rules on the way out.

Global Rules are the outer perimeter - encountered first on the way in, and checked before leaving the system.

I use Global Rules primarily to screen incoming and outbound ICMP by source, destination and type.

The in / out nature of the Global Rules outer perimeter should be evident from the Global Rules I've implemented:

Modem [router] can ping NIC w/ ECHO REQUEST
Any IP can ping NIC w/ TIME EXCEEDED
Any IP can ping NIC w/ Type 11 code 1
Any IP can ping NIC w/ FRAGMENTATION NEEDED
Any type ping from any IP is BLOCKED
Any type IP protocol to NIC from [critical.IO server] blocked & logged
NIC can ping Modem [router] with PORT UNREACHABLE
NIC can ping DNS servers with PORT UNREACHABLE
NIC can ping [CIS Agent co.uk TCP / UDP servers] with PORT UNREACHABLE
NIC can ping [CIS Agent FortressITX TCP / UDP servers] with PORT UNREACHABLE
NIC can ping Modem [router] with ECHO REPLY
NIC can ping MODEM with FRAGMENTATION NEEDED
NIC can ping [CITRIX servers] with NET UNREACHABLE
Any type ping by NIC to any IP is blocked and logged

There is a one-to-one match between the above rules and the Windows Operating System, except for the inbound & outbound blocking rules. Also, the Windows Operating System allows IGMP out to 224.0.0.22.

My system is fat, dumb & happy and that makes me a happy camper.

These are my firewall settings (are there any small holes I haven't covered?). One bug: if I didn't log the block rules, which are application rules, the log only says "(Windows Operating System) has been blocked". Why?

[attachment deleted by admin]

Unsure what you’re asking.

Those rules from / to any IP address:

block ping
block ping v6
block multicast
block TCP / UDP on particular port set (log the blocking)
allow any IP protocol
any IP protocol (log the blocking)

I don’t know why you’re blocking TCP / UDP on certain ports. The last rule will never get hit; the one above it lets everything in / out.

You need to understand that anything coming into your system needs an explicit rule to allow it (or Comodo blocks it). No Global Rules are necessary at all. They can be useful though.

Most internet traffic is IP protocol TCP and that almost always is on port 80. 90% of application rules need to hand TCP out to some IP address on port 80. Nothing can connect to the internet unless it can do that.

In order to go to an internet address, the system needs to know what it is. It looks up www.some-internet-site.com ON THE INTERNET and gets the IP address for that site. How can one get on the internet in order to get on the internet? The IP address lookup is done with IP protocol UDP to the DNS servers on port 53.

For an application to get on the internet, it needs permission for UDP out to DNS servers on port 53. You don't worry about UDP in on port 53 because the system asked for it. ANYTHING the system doesn't ask for gets blocked. If you don't know the DNS server address, then UDP to ANY IP address on port 53 will do that.

After the system knows the IP address, it has to be able to send IP protocol TCP on port 80 to the IP address. Don't worry about TCP in-bound on any port from any IP address you didn't ask for; it gets blocked automatically. Once you get to the site, the site may ask you for the 'secret handshake'. This is usually done on port 443. Then you'll need an extra rule for TCP out to that IP address on port 443.

If it's a different IP address you'll need two rules (one to port 80, one to port 443). If it's the same IP address then you can use one rule for TCP out to that IP address using a port set for 80 & 443.

90% of your TCP out will be to port 80.

Does that help?
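Dennis's two posts above describe a two-tier, first-match order (Global Rules form the outer perimeter, Application Rules sit inside, each list read top to bottom) and point out that a block rule placed below "allow any IP protocol" can never be hit. The Python below is an added example, not part of the thread and not Comodo's own code: it models that order as a small evaluator and adds a shadow check that finds such unreachable rules. The rule names, IP addresses and the port set are constructed for illustration.

```python
"""
Toy model of a two-tier, first-match firewall rule order (constructed example,
not Comodo's code). Global Rules are the outer perimeter: inbound traffic meets
them first, outbound traffic meets them last. Application Rules sit inside.
Each list is read top to bottom and the first matching rule decides.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = "any"


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "block"
    direction: str         # "in" or "out"
    proto: str             # "tcp", "udp", "icmp" or ANY (any IP protocol)
    remote: str = ANY      # remote IP address or ANY
    port: object = ANY     # int, frozenset of ints, or ANY (ignored for icmp)
    log: bool = False
    name: str = ""


@dataclass(frozen=True)
class Packet:
    direction: str
    proto: str
    remote: str
    port: Optional[int] = None


def _ports(p) -> frozenset:
    return p if isinstance(p, frozenset) else frozenset([p])


def matches(rule: Rule, pkt: Packet) -> bool:
    """Does this single rule apply to the packet?"""
    if rule.direction != pkt.direction:
        return False
    if rule.proto != ANY and rule.proto != pkt.proto:
        return False
    if rule.remote != ANY and rule.remote != pkt.remote:
        return False
    if rule.port != ANY and pkt.proto in ("tcp", "udp"):
        return pkt.port in _ports(rule.port)
    return True


def first_match(rules: List[Rule], pkt: Packet) -> Tuple[Optional[int], Optional[Rule]]:
    """Top-to-bottom scan; the first rule that matches wins."""
    for i, r in enumerate(rules):
        if matches(r, pkt):
            return i, r
    return None, None


def evaluate(global_rules: List[Rule], app_rules: List[Rule], pkt: Packet,
             log: Optional[List[str]] = None) -> str:
    """Inbound: global tier, then application tier. Outbound: the reverse.
    Traffic matching no application rule is blocked (default deny); traffic
    matching no global rule just passes to the next tier, since global rules
    are optional. Logged rules append a line to `log`."""
    if log is None:
        log = []
    tiers = [("global", global_rules, "pass"), ("app", app_rules, "block")]
    if pkt.direction == "out":
        tiers.reverse()
    for tier, rules, default in tiers:
        idx, rule = first_match(rules, pkt)
        if rule is None:
            if default == "block":
                log.append(f"{tier}: nothing matched {pkt}, default block")
                return "block"
            continue
        if rule.log:
            log.append(f"{tier} rule {idx} '{rule.name}': {rule.action} {pkt}")
        if rule.action == "block":
            return "block"
    return "allow"


def covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet that would match `inner` matches `outer` as well."""
    if outer.direction != inner.direction:
        return False
    if outer.proto != ANY and outer.proto != inner.proto:
        return False
    if outer.remote != ANY and outer.remote != inner.remote:
        return False
    if outer.port != ANY:
        return inner.port != ANY and _ports(inner.port) <= _ports(outer.port)
    return True


def shadowed(rules: List[Rule]) -> List[int]:
    """Indices of rules that can never fire because an earlier rule covers them."""
    return [i for i, r in enumerate(rules) if any(covers(rules[j], r) for j in range(i))]


# Constructed rule sets. GLOBAL mirrors "router may ping NIC, everyone else
# may not"; APP_OUT has the shape of the list in the thread (block ping, block
# a TCP/UDP port set, allow any, then a final logged block). Addresses and the
# port numbers are made up for illustration.
ROUTER = "192.168.1.1"
RISKY_PORTS = frozenset({135, 139, 445})
GLOBAL = [
    Rule("allow", "in", "icmp", remote=ROUTER, name="router may ping NIC"),
    Rule("block", "in", "icmp", log=True, name="block any other inbound ping"),
]
APP_IN = [Rule("allow", "in", "icmp", remote=ROUTER, name="OS: answer router ping")]
APP_OUT = [
    Rule("block", "out", "icmp", name="block ping"),
    Rule("block", "out", "tcp", port=RISKY_PORTS, log=True, name="block TCP port set"),
    Rule("block", "out", "udp", port=RISKY_PORTS, log=True, name="block UDP port set"),
    Rule("allow", "out", ANY, name="allow any IP protocol"),
    Rule("block", "out", ANY, log=True, name="block and log everything else"),
]

if __name__ == "__main__":
    log: List[str] = []
    for pkt in (Packet("in", "icmp", ROUTER), Packet("in", "icmp", "10.0.0.9"),
                Packet("in", "tcp", "10.0.0.9", 445),
                Packet("out", "tcp", "93.184.216.34", 80),
                Packet("out", "tcp", "93.184.216.34", 445)):
        print(pkt, "->", evaluate(GLOBAL, APP_OUT if pkt.direction == "out" else APP_IN, pkt, log))
    print("\n".join(log))
    print("rules that can never be hit:", [APP_OUT[i].name for i in shadowed(APP_OUT)])
```

Running it shows the inbound packet on TCP 445 being dropped with no rule of its own (the application tier's default deny), the outbound port-set block firing before the "allow any" rule because it sits above it, and `shadowed(APP_OUT)` naming the final "block and log everything else" rule as unreachable, which is exactly the ordering problem Dennis describes.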

This part is global rules only…
According to the rule order, and tested.
If I set it up like that, I can control all of the unknown connections and unknown 3rd-party software bugs, but it must be combined with correct application rules. One month ago a remote-control virus tried for a long time and couldn't connect to the host; that is my global rules :)
Because I don't believe Windows can protect its built-in servers very well, such as SMB, SSDP and others; Microsoft is too confused to control them.

Without scrutinising what is being said, one comment on the Global Rules I see. When making rules for specific types of traffic, make sure to make one rule for incoming and one rule for outgoing traffic. A combined rule for incoming and outgoing traffic usually does not work.