What's this firewall alert?

Have you run the “Stealth Ports Wizard”, LA, choosing “Block all incoming connections - stealth my ports to everyone”? This should give you 4 Global Rules ending with a Block and Log.
It's confusing because on the update where it re-configured everything it only put the p2p rule in by default and didn't say anything!!

Maybe someone on your campus has an infected computer and doesn't even know.

Cheers Matty

I shall look into that.

That’s an interesting point, maybe someone here has a computer that has become one of those “zombies”?

Anyway, maybe my new global rule (see above) will do the trick, but I shall take a look at the stealth ports wizard.

Thanks,
LA

I now remember that the alert isn’t unusual. When I installed 3.0.18.309 I didn’t have to tinker with the Stealth Ports Wizard at all because I had manually set up my Application Rules on System and I have no Global Rules at all because I like to organize everything under Application Rules.

Let’s see a screen of your Application Rules.

I tried the Stealth Ports Wizard, but it only created two “allow” rules, so I suppose I’d better stick with my only global rule (Block IP In From IP Any To IP Any Where Protocol Is Any). Shouldn’t that rule be enough to block all incoming requests without even asking me?

That’s not possible? ??? (well anything is possible, but do you have adequate protection?)

LA


Hi again, LA,

That rule is enough for incoming, not sure if you’re not broadcasting anything.
Keep the first and last from your global rules.
If there is no way to persuade you to turn on logs, maybe you can use Wireshark to check outgoing.
Check these:
http://www.techzoom.net/docu-winport.asp

(run the *cmd at your own risk – it will activate some of the disabled services and close others running)

To be paranoid, you can also change the MAC address, and let the campus admin know about that, if it is related to your DHCP lease.
If I was in your shoes, I would try to control also DHCP broadcasting. You can use this to narrow rules for svchost and/or Windows system apps:
https://forums.comodo.com/help_for_v2/fw_howto_allow_dhcp-t9855.0.html;msg72290#msg72290
Also, Iexplorer is only a modest browser, use the predefined.

I also have a question, DHCP related: Would there be any way to teach XP about your DHCP server IP address? (instead of broadcasting to 0/255.255.255.255)

Try to give us more details, if alerts pop up again.
Gabi

Egemen finally agreed that global rules are unnecessary, just convenient for many users. See https://forums.comodo.com/empty-t17138.0.html and https://forums.comodo.com/empty-t18580.0.html for some other discussion, or do a search on “global rules”. I and many others don’t use them because they tend to cause confusion and have additional logging issues. All the global rules do is allow/disallow packets to be treated by the application rules. Inbound, you can block things from ever getting to the application rules; outbound you can prevent things allowed by the application rules from going out. :)

Other than being very possible, as you can see from Ed’s link, CFP 3 is very flexible. You can have 2 different rulesets that produce the same security strength. Being the clean freak that you are, I know this will tempt you to follow us. There’s another reason why I stick with Application Rules, but that’s for another thread.

Back on topic, I am confused as to how you can continually receive that alert about System about to receive an incoming connection based on your App & Glob rules that already block all incoming connections. Did you recently update your Glob rules?

I’m sure you’re right, Ed, and default rule is ASK, but I would never ever conceive not to use the last “Block In any any” rule. Especially for a firewall that considers by default that win OS files can be trusted.

Hi LA, which version of V3 are you on? I know the Stealth Ports Wizard used to give you just the 1 Block In rule, but now I'm sure if you choose the “Block all Incoming Connections” stealth my ports to everyone, you should get 4 rules put there.
If I run it I get this, not including the top 2.

Regards Matty

PS: shouldn't a Block IP In From IP Any To IP Any Where Protocol Is Any block ICMP or any incoming request?


Yep, I wasn’t paying attention: I use “Block ICMP In/Out Any Any”.

What might normally be global rules end up in WOS. Eliminating the global block in rule avoids having to put the exceptions in the front of the global rules for p2p, active ftp, games, etc. And redundantly in the applications. Unrouted inbound are blocked by the WOS rules; specific application responses are processed normally and appear in only one place. But putting in the final global block in doesn’t harm anything, as long as users remember that it blocks their p2p, active ftp, games, etc. I put a block and log in any at the end of the application rules just in case. The global rules cause additional confusion because some users think that is the only place they need to put their rules to make applications work - the wording in the help file is a bit misleading there. :)


Exactly – LA has only “Allow Out” rules, but let’s wait for LA to see his approach.

Hi all and thanks for your answers, I’m not at home since I’m quite ill (pneumonia). I’ll check back here when I can.

Thanks,
LA

We’ll be here, don’t worry. Just take care – FW can wait – wish you good health!

Wishing you a speedy recovery LA.

Regards Matty

Thanks a lot :)

I’ve read all your posts, but I can’t really see the benefits of not having global rules. To me it makes sense that global rules control all incoming traffic, and it makes sense that application rules control outgoing traffic (related to the specific application).

Don’t remember exactly when I took the advice to have only “Block IP In From IP Any To IP Any Where Protocol Is Any” as a global rule, but I haven’t got any alert since then. I no longer get those strange alerts. And that should make sense, right? All incoming things are blocked, period, unless certain applications are allowed to communicate (which some applications are, according to my application rules)? On the other hand, why are the applications even allowed to receive anything incoming, with that global rule? The actual application rules are no exception for incoming rules since they apply to outgoing traffic… ??? Intuitively I feel that even more things should be blocked with my global rule. Can’t really see why I’m even able to use FF, IE or DC++…

Thanks

LA

The absence of global rules will require enhancing the application rules with the Block Everything rule for each application. There are 2 special “applications” (System and WOS) that are tied (substituting?) to global rules that allow me to deal with things at a more detailed level. This is the other reason why I don’t use global rules.

Don’t know about DC++ since I don’t know what it is, but FF & IE are browsers, which means they don’t need incoming connections to work. In the old v2.x days, some users mistakenly believed they required incoming connections due to the alerts that were generated. But those alerts really applied to loopback connections and we know in v3 these are now dealt with by Defense+.

Ah, that explains why the browsers work fine. DC++ is used for direct file sharing, but maybe it works similar to browsers. Doesn’t really matter, it works fine here anyway.

LA
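
The rule ordering discussed in this thread (inbound packets meet the global rules before the application rules, outbound packets meet them in the opposite order) can be modelled in a few lines. This is an added example, not part of the original thread and not Comodo's code; the `Rule` and `decide` names and the sample rulesets are constructed, and it assumes that "in"/"out" refers to which side opens the connection and that a packet matching no global rule is simply passed on.

```python
# Added example: simplified model of the rule ordering described in the thread.
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str             # "allow" or "block"
    direction: str          # "in", "out" or "any" = who opens the connection
    protocol: str = "any"

    def matches(self, direction, protocol):
        return (self.direction in ("any", direction)
                and self.protocol in ("any", protocol))

def first_match(rules, direction, protocol, default):
    """First matching rule wins; `default` applies when nothing matches."""
    for rule in rules:
        if rule.matches(direction, protocol):
            return rule.action
    return default

def decide(direction, protocol, app, global_rules, app_rules):
    """Return (verdict, stage that produced it)."""
    # Assumption: a packet no global rule matches is passed on unchanged.
    stages = [
        ("global", first_match(global_rules, direction, protocol, "allow")),
        # Per the thread, an application with no matching rule triggers ASK.
        ("application",
         first_match(app_rules.get(app, []), direction, protocol, "ask")),
    ]
    if direction == "out":      # outbound: application rules first, then global
        stages.reverse()
    for stage, verdict in stages:
        if verdict != "allow":
            return verdict, stage
    return "allow", stages[-1][0]

# Constructed rulesets mirroring the two approaches argued for in the thread.
BLOCK_IN_GLOBAL = [Rule("block", "in")]
ALLOW_OUT_APPS = {"System": [Rule("allow", "out")],
                  "firefox": [Rule("allow", "out")]}
NO_GLOBAL = []
APPS_WITH_FINAL_BLOCK = {name: rules + [Rule("block", "any")]
                         for name, rules in ALLOW_OUT_APPS.items()}

if __name__ == "__main__":
    for label, g, a in [("allow-out apps, no global", NO_GLOBAL, ALLOW_OUT_APPS),
                        ("global block-in", BLOCK_IN_GLOBAL, ALLOW_OUT_APPS),
                        ("per-app final block", NO_GLOBAL, APPS_WITH_FINAL_BLOCK)]:
        print(label, decide("in", "tcp", "System", g, a),
              decide("out", "tcp", "firefox", g, a))
```

With only "allow out" application rules and no global rule, an inbound connection to System falls through to ASK, which is the alert the thread started with; either a global block-in rule or a final block rule per application silences it, and the two differ only in which stage makes the decision.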