As probably quite a number of you guys, I’m trying to find an alternative to Kerio 2.1.5. It serverd me well for a couple of years now, but I’ve had to remove it due to a BSDO caused by its fwdrv.sys driver.
So… I’m taking a look at Comodo, and am stuck at the dicotomy between Application Monitor and Network Monitor:
Adding an application in Application Monitor isn’t enough to let an application connect out, much less have remote users connect to this application. It’s painful to have to add every single rule in NM, especially for P2P like eMule or VoIP applications
AM has a Destination column, but no Source, although it lets us choose In/Out as direction
If we have to create rules in Network Monitor, what’s the point of adding applications in Application Monitor?
Is there a one-click solution to just tell Comodo to allow an application to TX/RX packets, instead of adding it in AM, and creating the relevant rules in NM?
Went through the CHM/PDF, but didn’t find an explanation as to the reason for Application Monitor
For instance, the first time I launch eMule, a dialog pops up asking me whether I want eMule to run as a server, and add it to the list of application in Application Monitor (Allow TCP/UDP In/Out). Good
But if I don’t also create the following rules in Network Monitor, eMule won’t work:
TCP In 4662
UDP In 4672
TCP Out 443
TCP Out 4242
So… what’s the point of Application Monitor if we still have to add the required rules in Network Monitor? Makes no sense to me.
Probably is an adverb describing an uncertainty, meaning you’re not sure. It’s only a matter of time and learning, as with all new things or software. Experts have to start somewhere, too.
I have used both Kerio 2.x and 4.x, so I know which one is actually harder to me: Kerio. It’s a rule-based firewall, and its users tends to like to learn everything about it.
CFP is indeed intimidating at first glance, that I remember. But once you’ve grasped the concepts you’ll be surprised how easy it is and operates. Most of the default rules are sufficient for the average user and there aren’t too many things to change in the settings. If you ever need help or questions this forum will be your answer!
In my own terms, Application Monitor (AM) is the first barrier that CFP checks before it reaches Network Monitor (NM). Any program not on the AM ruleset or in CFP’s safelist (like Internet Explorer, svchost, and other trusted Microsoft files) is not granted any internet access.
Example: You have Opera browser trying to connect to the internet. It’s neither on your AM list nor in the safelist yet, so you receive an AM alert. If you deny it internet access then it won’t be able to connect or attempt to connect until you restart the program, and if you clicked the Remember option on the alert it’ll appear in the AM list.
Thanks for the message. I was refering to non-techies like my mum: when a new application is installed/updated and Kerio pops up, it’s already hard enough to explain to users what it means and whether they should allow/disallow the action, but Comodo seems just too much for them.
However, since it’s 1) supported, 2) free, I’m willing to give it a longer look.
The first thing that stopped me was: Even if an app is listed as OK in the Application Monitor, as long as there aren’t ad hoc rules in the Network Monitor, Comodo won’t let packets through. So, what’s the point of AM really?
Most users regard Application Monitor as the first safe guard. It’s the place that defines which applications are allowed internet access or not, whereas Network Monitor (you can never separate the 2 when trying to explaining either 1 ;)) defines how those applications interact with the internet.
NM has the final decision on whether internet is denied or granted access and it’s global - applies to any application. AM is application-specific. I hope the picture is becoming clearer…
Wait until version 3 releases - it’ll be even better. I have yet to try out the beta.
It’s beginning to make sense, although there’s several things that aren’t right in 2.x IMHO (can name a rule, can drag/drop them, having to go back and forth between Activity > Logs and Security > Network Monitors since Comodo doesn’t display a pop up to warn that a connection was silently dropped, etc.) Besides, I find the overall interface too full: I would remove the first page altogether Hopefully the GUI has been redone in release 3.
BTW, am I correct in thinking that it’s safe to keep the “Allow all TCP/UDP In/Out” before the catch all “Block & Log All” since any application that tries to connect out but isn’t listed in the Application Monitor will raise an alarm?
Otherwise, having to add a rule in NM is truly a pain when using eg. eMule, as each remote peers uses a different IP + port.
Not many are interested in receiving alerts for every dropped connection as that will be way too many. That’s what the log is there for. But you can probably put in the wishlist. I’ve seen both ends of the opinion spectrum on the GUI. I’m actually with you on the main interface having too much. Yes, CFP 3’s GUI is quite different and will be skinnable.
You mean Allow all TCP/UDP Out (without the In part) that’s at the very top of Network Monitor? If that’s the rule you’re referring then your thinking is correct. At first I was also surprised and thought, “How can Comodo set up the default rules to be this unsafe?!”. To be more accurate, if you left the default option “Do not show any alerts for applications certified by COMODO” on, then any of those safelisted programs will bypass Application Monitor (but won’t be shown in there) and CFP will go directly to the second safeguard of Network Monitor.
That’s a different subject. P2P is one of the programs that will require you to open and allow incoming port(s) to work.
You mean [b]Allow all TCP/UDP Out[/b] (without the [b]In[/b] part) that's at the very top of Network Monitor?
No, I removed that one… and added a In/Out just before the last, Block All line because of all the failed outgoing connections to peers when running eMule.
To be more accurate, if you left the default option "Do not show any alerts for applications certified by COMODO" on, then any of those safelisted programs will bypass Application Monitor (but won't be shown in there) and CFP will go directly to the second safeguard of Network Monitor.
That's a different subject. P2P is one of the programs that will require you to open and allow incoming port(s) to work.
I’ll read up on that part, to make sure I’m not opening a huge security hole just to avoid all those errors with eMule.
OK, I’ll check that post to see how to have Comodo allow any eMule-related outgoing connections, since remote peers can use any IP port to communication with my computer.
