ZoneAlarm Like Functionality

Is there a way to allow an application to act as a server (i.e., listen to and accept connections) and allow requests from the local computer but not from the Internet? In ZoneAlarm, this can be achieved by setting a program’s “Server” settings to allow “Trusted” and block “Internet”, whereby the “Trusted” zone contains the loopback address (

I installed Comodo over the weekend but couldn’t find a way to do this. As a software developer, I need this functionality. Thanks in advance for any help and comments.

I’m just curios, as recent ZA user and got fed with it’s just about “turtle speed with web surfing” even as I went to logit pension places etc…and then removed ZA completely include registry cleanups, and then got very happy with CFP 2.4 and its monitoring speed, and “seems not monitoring at all when I surf to my financial webs, are you still ok with ZA performance???
Just curios, might be you knew how to “bend this animal”, I meant ZA.
Me personally being with ZA installed for more then 6 month and eating it’s garbage, I would like to see ZA company out of business, as fair back payment just like that.



If you’re running CFP 2.4, create a zone for the 127.0.0.X subnet and set this zone as trusted. This will add two rules to the Network Monitor. Now, go to the Application Monitor rule and add a rule for your application that references the zone we created for the loopback network. Reboot (this is only to ensure that the new rules are read and implemented - you can simply wait a couple a minutes, but a reboot is better and it’s only a once-off) and you should be right to go.

Let us know how this works out.
Ewen :slight_smile:

Ewen, thanks for your answer! How do I properly set the Application Control Rule though? In my scenario, I want to expose my custom port only to my trusted zone but not the Internet. The Application Control Rule form has tabs for the destination IP & port but that doesn’t seem to apply here. My application accepts connections and doesn’t initiate them, so there isn’t a destination. In ZoneAlarm, each program has settings per zone for “Access” (initiates connections) and “Server” (accepts connections). In CFP 2.4, it seems there are only settings pertinent to initiating connections. Please advise.

Greg, I currently use the free edition of ZoneAlarm and think its performance is excellent. I have also used an older version of ZoneAlarm Pro (more than 1 year old), and it did seem to significantly slow down the system. I don’t know if the latest version is any better. I haven’t tried the ZoneAlarm suite (includes antivirus, etc.) either, so I don’t know how that performs. I just need very basic firewall functionality, so the free ZoneAlarm is adequate for me. Of course, I’m now exploring Comodo!

Sorry, I forgot to mention that inbound rules are set only in the Network Monitor. Create a zone for the local loopback subnet and then create a Network Monitor rule to allow IN/OUT to/from this zone.

Ewen :slight_smile:


im not sure its clever to set loopback as trusted zone, since any windows service can than act to outside easily.

you must always imho block or allow after loopback.

might we rethink the problem and get a better conclusion.


PS: theorie, you make a rule for app, ip (trusted zone ((your adaptor name))) should do it, of course work it better out

of course you need delete any app instances above, and have the rule first.

then switch on again learnmode for inetaccess, (might a little bug)

I might be wrong (and if so, I’ve been wrong for decades) but isn’t the local loopback range (127.0.0.X) non-routable outside the PC, similar to other private IP address ranges.

Ewen :slight_smile:


might a misunderstanding, windows services, near the whole system communicates via loopback internally and can route a ip (grin at least your own ip).
so you might loose control if make it a trusted zone, which means all activity is bypassed the firewall?

(eg. hd access is done via loopback internally)

so i might wouldnt do that, but im open for impressions.


yes with an “if”, no with a “but”. :wink:

If route.exe is placed in the protected files list, the firewall will prevent the addition of any static routing to the IP table.

Thanks for reminiding me about that, you’ve stirred the grey cells into action. You’ve raised an interesting point as to whether any malware has attempted that sort of route table manipulation.

Anybody ever seen/heard of this?

Mike, am I correct in thinking that if route.exe was added to the protected file listing this would prevent the vulnerability you’re referring to? Or is there a better to way to prevent it?

Ewen :slight_smile:


how are you connected, to a router and your ip is already trusted zone?

does the router if have a firewall?

you see my point on all this “ip translation points” …


PS: i think you can make some loopback changes in “advanced miscancellous”.

and its might to understand that loopback is some controlled trusted intern network?

It doesn’t really matter how you are connected, router or modem is immaterial. The 127.0.0.X local loopback IS solely your PC and doesn’t give a tinkers cuss about how or whether you’re connected at all.

Calls to and from the 127 subnet are non-routable outside that address space.

Ewen :slight_smile:


ewen you seem fix with it.

what happens if clear your routing table, and make a self whois.

does windows tcp autotranslate your ip?

if so … its reverse possible, as i understand manuals.

correct me if im wrong


PS: else you could never remote start a service, its enough to have the ip

loopback and your ip is same … as i did understand things