Why do we need global rules list in firewall?

You can configure outgoing and incoming connections in the application rules list for any program you want and use “system” or svchost.exe processes to handle connections not associated with other apps.

And settings applied by stealth port wizard can be written to “system” and svchost.exe rules.

Global rules are superior and override application rules.


Global rules override application rules only for incoming connections.

I don’t really see the point in global rules.

I mean let’s say you run an FTP server, so you can create an allow rule for incoming traffic on port 21 in global rules, or you can allow this port in the server app rule; the effect will be the same. By allowing an incoming port in global rules you open it for any program instead of only the FTP server program that actually needs it.

Global rules are able to override any application rule. (Test it by putting this rule on top of that list: Block IP any any any).
They are very useful if you don’t want to make specific static rules for each application again.

If you are fine with “substituting” global rules by specific application rules, you are free to do so. But the majority will have a benefit of having a global rule section.
Because in global rules you can say: Block this or that, WITHOUT having to find the processes that would be addressed by that traffic.
To be able to circumvent a feature doesn’t mean it’s not useful :wink:

And btw, rules are read from top to bottom. In both lists. So don’t allow at the top something that you try to block at the bottom.

You don’t need to create allow rules in global rules, apart from when it would be meant as an exception for a block rule there.
That’s why basically the “allow outgoing” global rule is not necessary at all :wink: . The existence of this rule is the only questionable thing with global rules :smiley:

In all cases when something is allowed to pass the global rules, the application rules “will ask”. Global rules are mainly useful for blocking, or for the exceptions of these global blocks.

Ok I see.

But it seems global rules aren’t so “global” when it comes to allow rules.

Let’s take an FTP server and a browser for this example: if you allow incoming connections for the server in the application rules and deny all incoming connections in global rules (which is the default bottom global rule after CIS install), then for incoming connections the checks go like this: Global rules (blocked) - application rules aren’t checked.

Now let’s take a browser. If you block outgoing connections for the browser in the application rules and allow all outgoing connections in the global rules then … the browser won’t work, because it seems the checks go like this: application rules (blocked) - global rules aren’t checked.

how so?

You just answered your own question with regards to the browser statement. If you block an application (under application rules) it never reaches the global rules. It is blocked on that level. Global rules are more to the point and protocol based. They are absolute rules and part of what makes Comodo firewall so bad ■■■.

I just thought that global meant like a master list that overrides anything else be it incoming OR outgoing.

So tell me, if I ignore global rules (keep them empty) and just use application rules, will I be at any kind of disadvantage and/or security risk?

Yes, it would lessen your security. Yes, it is like the master list and it does override any incoming and outgoing traffic. Wrap your mind around it. The global rules are the king of the hill as far as access rights go with CIS. Believe that.

I searched forums and youtube on this matter now let’s see if I got it all correctly.

Basically, you use application rules for outgoing connections and global rules for incoming connections, since all internet related programs need outgoing connections to work correctly, but only a few of them require incoming connections to work. Now since by default all incoming connections are blocked by CIS after install, you just add exceptions in the list when the program needs it, like you add an “allow incoming connection on port 21” rule somewhere above the “block all incoming connections” rule in the global rules… and also add some port range for PASV mode according to the FTP server settings.

That makes sense. Now some questions.

Why is there the “allow all outgoing” rule in the global rules by default? Outgoing connections pass application rules first anyway.

Why does it need to check application rules for incoming connections if the connection is allowed in global rules?

Is it safe to leave ports open globally like that, like port 21?

How many programs require more than one open incoming port for correct work? In other words, when you look in the firewall logs, how do you figure out what incoming port range a program wants/needs?

I have a feeling that some of those questions answer some other questions in this post, but please explain anyway.

NO, it wouldn’t (as long as there are no mistakes in application rules, of course). With an empty global rules list, you just have to deal with all sorts of questions, even if they could be blocked because you don’t want the traffic at all to be asked about, but just blocked. Then you COULD make mistakes more often (Example: allow unrequested ingoing traffic by mistake when it’s asked). That’s how an empty global rule list can possibly lead to unsafe decisions.

Erase this rule. It’s not necessary. As I said above, this is the questionable thing in global rules. Without a global block, you don’t need any allow rule in global rules.

Because the application rule set is what basically a firewall on your desktop does. While the global rule set is acting a bit more like a firewall in a router. The router doesn’t know the program, like the global rule doesn’t know the program.
You can set global parameters in global rules, and you can make per-program permissions in application rules. While you can have traffic without a global rule, you can not have traffic without an application rule (if set to custom mode).
Also, if you have two programs, and only one program needs ingoing traffic (very rare cases), why should the second program be allowed to answer to that traffic?
Global rules: Don’t annoy me with unnecessary questions about unrequested traffic, I block it globally (or make exceptions if needed then).
Application rules: Safe and specific rules, for each program.
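The evaluation order the thread describes (global rules first for incoming, application rules first for outgoing, each list read top to bottom, and a question in custom mode when no application rule matches) as an added toy model in Python. This is a constructed illustration of the posts above, not Comodo’s code; the rule fields, the “ask” verdict and the default list are assumptions taken from the thread.

```python
# Toy model of the global/application rule evaluation order described in
# the thread. Constructed example, not Comodo code. Assumed semantics:
#  - each list is read top to bottom, first matching rule wins;
#  - incoming: global rules are checked first, then application rules;
#  - outgoing: application rules are checked first, then global rules;
#  - a block at either stage ends evaluation;
#  - custom mode: no matching application rule means the firewall asks.
from dataclasses import dataclass

ANY = "any"


@dataclass(frozen=True)
class Rule:
    action: str             # "allow" or "block"
    direction: str          # "in", "out" or ANY
    protocol: str = ANY     # "tcp", "udp" or ANY ("IP" in the thread)
    port: object = ANY      # int, (low, high) range (e.g. PASV ports) or ANY
    app: str = ANY          # process name; only meaningful in app rules

    def matches(self, direction, protocol, port, app):
        if self.direction not in (ANY, direction):
            return False
        if self.protocol not in (ANY, protocol):
            return False
        if self.app not in (ANY, app):
            return False
        if self.port == ANY:
            return True
        if isinstance(self.port, tuple):
            return self.port[0] <= port <= self.port[1]
        return self.port == port


def first_match(rules, direction, protocol, port, app):
    """Top-to-bottom scan; returns the action of the first match or None."""
    for r in rules:
        if r.matches(direction, protocol, port, app):
            return r.action
    return None


def decide(global_rules, app_rules, direction, protocol, port, app):
    """Return 'allow', 'block' or 'ask' for one connection attempt."""
    stages = [global_rules, app_rules] if direction == "in" else [app_rules, global_rules]
    for stage in stages:
        verdict = first_match(stage, direction, protocol, port, app)
        if verdict == "block":
            return "block"          # a block at any stage is final
        if verdict is None and stage is app_rules:
            return "ask"            # custom mode: unknown to app rules -> question
    return "allow"                  # passed both lists


# Default global list after install, as the thread describes it
DEFAULT_GLOBAL = [Rule("allow", "out"), Rule("block", "in")]
```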

What do you need ingoing traffic for? If you “open” port 21 in global rules, you will be asked related to an application, if it is not allowed for it too.
If you don’t use peer to peer, and if you don’t run a real server, the chances are very low that you need any ingoing permissions at all! I live without any permission for any ingoing traffic, because requested packets can arrive after they are requested by an OUTgoing request.

Nearly no program needs an open port. DON’T allow more than necessary. That’s the rule of thumb in a firewall. Try out if all your programs work as “outgoing only”. Or make rules yourself, which are more specific, but also only for outgoing.
If a program doesn’t work, look in the logs for what was blocked. That’s why you should mark in block rules: Block and LOG.

Global rules: I never go out while there’s a thunderstorm!
Application rules: Do you go out when there’s a thunderstorm? Do you go out when there’s a thunderstorm while you wear a jacket? Do you go out when there’s a thunderstorm while you don’t wear a jacket? What about socks? :smiley:

Never while there’s a thunderstorm, don’t ask, read the global rule! But if it just rains, I might go out with a rain suit, like you can see in application rules.

If Internet Explorer is treated as a web browser or trusted under application rules and then you create a global rule to block all traffic on ports 80, 443 and 8080, you can’t access the internet. It does not matter if you make the rule IN or OUT or IN/OUT. If you don’t believe your security is less without using Global rules, try this. “Delete” all your Global Rules and then run a scan with Shields Up at www.grc.com (select all service ports) and check your results. Then go to your firewall tab and select from the stealth ports wizard “stealth all my ports” and rerun the same scan at Gibson Research. Now depending on if, and what type (and the configuration) of, router you’re behind, Global rules may not be as important. If you’re connected to the internet directly with a DSL or cable modem (or most routers) then yes, you need Global rules. It’s hard to attack what you can’t see. Anyway, just my thoughts.

I said the same, yes.

Just tell me: What is the difference between “being protected by a global rule” and “being protected by a non-existent application rule”? In custom mode.
There is just one difference. The traffic is blocked in both cases, but if you are “protected by a non-existent application rule” only/first, you should get a question.
If you don’t get a question for a shields test when you don’t have any global rules, and the traffic can pass through, you should check your application rules or settings :wink:

Try your test again, with empty rule sets (application and global rules).
And maybe try these too. http://www.pcflank.com/

For clarification: There are settings which would make a “global rule to block any (unrequested) ingoing” necessary. For example, low question settings (just ask for protocol…) which could allow ingoing without explicit requirement of specific permission (“user-friendliness”), or “reduce questions and allow requests”. But “bad” settings are not the point of discussion. We speak about the ability of application rules. And correct usage of settings doesn’t make a security difference between “non-existent application rules” or “global block rule”. If you don’t interact, in both cases the traffic should be blocked.
I mentioned myself that a global rule can avoid wrong and unnecessary decisions. This would increase security. But it would not automatically lead to less security if you don’t have a global rule.