Which Rules Dominate?

Do the application rules dominate for outgoing packets, and network rules for incoming packets, in 2.4?

Where is there more info on the sequence of rule precedence?


No unknown application is able to pass an outgoing connection to the internet without being asked by Application Monitor. If there is a block, then Network Monitor rules are not considered.
If the connection is allowed by an application rule, then Network Monitor rules are considered to see if it passes or blocks that connection, separate from AppMon. So it is a 2-phase pass in most cases, and really simple to understand, I think, if you think about it.

For incoming connections the Network Monitor rules are considered first. You should understand though that even if no ports are opened in NM rules, if stateful packet filtering notices that a solicited connection is incoming, it is allowed.

Thanks again; it is a matter of wording then, probably. The way I think is just different.

I was thinking that the reason Stem told me to use the network blocking is, as you say, that it has veto power: if the application rule blocks it, it doesn’t need vetoing, but if application rules are allowing or just missing, the network block veto will stop the outbound.

Tell me more when you have time about the solicited incoming stateful packets. What application/process does that? I have an AlphaShield HW firewall; does that impact the example?

Thanks again

There is only so little you can do with Network Monitor rules. It is all in the application rules, when we consider outgoing connections, I mean.

You could get some hints, though, on what to do to restrict network rules from the Kerio 2.1.5 rules by BlitzenZeus. I have implemented a few into my network rules, like the NetBIOS block and the Windows services block, for logging purposes. But since, as of now, Comodo does not allow naming of rules or turning them on/off, it is in my opinion quite pointless to go to any great lengths in network rules to try to make logs any clearer…
You could also restrict by making “Assign DHCP server” and “DHCP broadcast” rules, and also those “Primary DNS server” and “Secondary DNS server” rules. Note that the IP should be replaced by your DHCP, DNS1 and DNS2 servers.

Solicited connections are “some sort of reply” to your outgoing connections. They are used with instant messengers and other programs without the need to open any incoming ports. They could also be used for things like the svchost.exe DHCP rule. One thing to know when inspecting those BZ rules is that Kerio 2.1.5 has no pseudo-stateful packet inspection in UDP, so some incoming rules do not need to be specified with Comodo, unlike with Kerio 2.1.5.

Unfortunately I am no hardware firewall expert, since I don’t even have a router. So I cannot answer your last question regarding that.
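The evaluation order described earlier in the thread (Application Monitor first for outbound, with Network Monitor consulted only if the application rule allows; Network Monitor first for inbound, with solicited replies let through by stateful inspection even when no port is open) and the DNS/DHCP and NetBIOS network rules described in this post, modelled as a small Python simulation. This is an added example, not Comodo’s code or any poster’s actual rule set: the Rule fields, the top-down first-match ordering, the default verdicts (prompt for an unknown application, block for an unmatched network rule), the process names and the server addresses are all assumptions made for the illustration.

```python
"""Toy model of a two-monitor (layered) firewall decision.
Added example for this thread, not Comodo's code; rule fields, match order,
default verdicts and all addresses below are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed stand-ins for "your DHCP and DNS1/DNS2 servers" and your own IP.
DHCP_SERVER = "192.168.1.1"
DNS1, DNS2 = "192.168.1.1", "198.51.100.53"
MY_IP = "192.168.1.20"


@dataclass(frozen=True)
class Packet:
    direction: str       # "out" or "in"
    proto: str           # "tcp" or "udp"
    app: Optional[str]   # process owning the socket (None = nobody listening)
    src: str
    sport: int
    dst: str
    dport: int

    @property
    def remote(self):    # (address, port) of the far end, whichever direction
        return (self.dst, self.dport) if self.direction == "out" else (self.src, self.sport)

    @property
    def local_port(self):
        return self.sport if self.direction == "out" else self.dport


@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "block"
    direction: str = "any"         # "in", "out" or "any"
    proto: str = "any"
    app: str = "any"               # only meaningful in Application Monitor rules
    remote_net: str = "0.0.0.0/0"  # CIDR or single host
    remote_ports: tuple = (0, 65535)
    local_ports: tuple = (0, 65535)

    def matches(self, p: Packet) -> bool:
        host, port = p.remote
        return (self.direction in ("any", p.direction)
                and self.proto in ("any", p.proto)
                and self.app in ("any", p.app)
                and ip_address(host) in ip_network(self.remote_net)
                and self.remote_ports[0] <= port <= self.remote_ports[1]
                and self.local_ports[0] <= p.local_port <= self.local_ports[1])


def first_match(rules, p: Packet):
    """Rules are read top-down; the first matching rule decides (assumed)."""
    for r in rules:
        if r.matches(p):
            return r.action
    return None


class LayeredFirewall:
    def __init__(self, app_rules, net_rules):
        self.app_rules, self.net_rules = app_rules, net_rules
        self.state = set()   # 5-tuples of connections we initiated (SPI table)

    def decide(self, p: Packet):
        """Return (verdict, stage that produced it)."""
        if p.direction == "out":
            v = first_match(self.app_rules, p) or "ask"    # unknown app: prompt
            if v != "allow":
                return v, "Application Monitor"             # NM never consulted
            v = first_match(self.net_rules, p) or "block"   # NM can still veto
            if v == "allow":                                # remember it so the reply gets in
                self.state.add((p.proto, p.dst, p.dport, p.src, p.sport))
            return v, "Network Monitor"
        # Inbound: a reply to something we sent needs no open port at all.
        if (p.proto, p.src, p.sport, p.dst, p.dport) in self.state:
            return "allow", "SPI (solicited reply)"
        v = first_match(self.net_rules, p) or "block"
        if v != "allow":
            return v, "Network Monitor"
        return first_match(self.app_rules, p) or "ask", "Application Monitor"


APP_RULES = [
    Rule("allow", "out", "udp", app="svchost.exe", remote_ports=(53, 53)),   # DNS client
    Rule("allow", "out", "udp", app="svchost.exe", remote_ports=(67, 67), local_ports=(68, 68)),
    Rule("allow", "in", "udp", app="svchost.exe", remote_ports=(67, 67), local_ports=(68, 68)),
    Rule("allow", "out", "tcp", app="firefox.exe", remote_ports=(80, 443)),
    Rule("block", "out", app="updater.exe"),                                 # explicit block
]
NET_RULES = [
    Rule("allow", "out", "udp", remote_net=DNS1, remote_ports=(53, 53)),    # primary DNS only
    Rule("allow", "out", "udp", remote_net=DNS2, remote_ports=(53, 53)),    # secondary DNS only
    Rule("block", "out", "udp", remote_ports=(53, 53)),                     # any other resolver
    Rule("allow", "out", "udp", remote_ports=(67, 67), local_ports=(68, 68)),             # DHCP request
    Rule("allow", "in", "udp", remote_net=DHCP_SERVER, remote_ports=(67, 67), local_ports=(68, 68)),
    Rule("block", "any", remote_ports=(137, 139)),                          # NetBIOS, for logging
    Rule("allow", "out"),                                                   # everything else out
    Rule("block", "in"),                                                    # unsolicited in
]


def run_scenarios():
    fw = LayeredFirewall(APP_RULES, NET_RULES)
    r = {}
    r["unknown_app"] = fw.decide(Packet("out", "tcp", "mystery.exe", MY_IP, 50000, "203.0.113.10", 80))
    r["blocked_app"] = fw.decide(Packet("out", "tcp", "updater.exe", MY_IP, 50001, "203.0.113.10", 80))
    r["dns_veto"] = fw.decide(Packet("out", "udp", "svchost.exe", MY_IP, 50002, "203.0.113.53", 53))
    r["dns_ok"] = fw.decide(Packet("out", "udp", "svchost.exe", MY_IP, 50003, DNS1, 53))
    r["dns_reply"] = fw.decide(Packet("in", "udp", "svchost.exe", DNS1, 53, MY_IP, 50003))
    r["dns_spoof"] = fw.decide(Packet("in", "udp", "svchost.exe", DNS1, 53, MY_IP, 50004))
    r["dhcp_offer"] = fw.decide(Packet("in", "udp", "svchost.exe", DHCP_SERVER, 67, "255.255.255.255", 68))
    r["netbios_in"] = fw.decide(Packet("in", "udp", None, "192.168.1.99", 137, MY_IP, 137))
    return r


if __name__ == "__main__":
    for name, (verdict, stage) in run_scenarios().items():
        print(f"{name:12} {verdict:6} by {stage}")
```

The scenarios trace the points made in the thread: an unknown or explicitly blocked application never reaches the network rules; an allowed application (svchost.exe to an unlisted resolver) is still vetoed by the DNS restriction; the reply to the allowed DNS query is admitted by the state table with no inbound port open, while the same datagram arriving unsolicited falls through to the catch-all inbound block; the DHCP offer needs the explicit server rule because its addresses do not match the state entry.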




Look for the tutorial/explanation on Comodo’s Layered Rules in this thread:


You may find that helpful, as all communication/traffic attempts flow through three different filtering/approval stages (monitors) both for Inbound and Outbound traffic.

As for SPI, I’m not sure exactly what you’re looking for there. Comodo FW has a Stateful Packet Inspection engine built in; unlike some other software firewalls, it is a full SPI engine (similar to what would be found in a hardware firewall). This is part of the Advanced Attack Detection & Prevention - Do Protocol Analysis, Block Fragmented Datagrams, etc… I’ve not seen it run into conflicts with hardware SPI (such as from a router) that I’m immediately aware of. Sometimes, hardware can change the header information due to NAT requirements, and I guess it’s possible this could cause problems, but it’s not something I can point to as a guaranteed problem.