Comodo rules creation pain

Discussion in 'other firewalls' started by Banshee, Nov 28, 2006.

Thread Status:
Not open for further replies.
  1. Banshee (Registered Member; joined Nov 10, 2004; posts: 543)

    Hi,


    I have been testing comodo for a while now but I still can't figure out how to tighten up the rules.

    For example, I would like an application to connect only to a certain ip and block it if it tries to connect to any other ip. All I could do, in comodo, is launch the app, check the ips it was connecting to and manually block access to all those ips and move the rule up on top of the other rules. This however results in complete net block for all other apps that were trying to connect to the ips I blocked.

    I created a rule in the application monitor specifying the ip and port, yet when I restart my pc the rule is gone. So basically if your app tries to call home and u don't want it to, then this app will not access the net at all.

    I was used to outpost where u could specify the ips u wanted the application to connect to and then hit "block most". That did the trick.. in outpost..

    What I like about outpost is that you decide what/where your application will go and outpost will block the rest.

    It seems to me that in comodo u have to do it the other way round.

    I have posted about this on their forum. It didn't help tho.

    Any ideas how to fix this?


    Thanks
     
  2. Nature (Registered Member; joined Nov 28, 2006; posts: 13)

    First.
    You can block an app and specify a single IP or range and click the "exclude" box. That will block everything except the IP(s) you want.
    Second.
    If it's a "trusted" app, you won't get so many popups for it.
    The best way to go if you want "tighter" security with Comodo, you have to go to security/advanced/misc, and uncheck "do not show alerts for apps certified by Comodo".
    In the same place, you should raise the "alert frequency level" slider to the top.
    Now you might delete your application rules for the app you want to control where it connects.
    To be sure, reboot your PC before you start to allow/block all popups...
     
  3. Banshee (Registered Member; joined Nov 10, 2004; posts: 543)

    Thank you very much Nature !!!!
     
  4. Banshee (Registered Member; joined Nov 10, 2004; posts: 543)

    Hi,

    I have tried what Nature suggested but I must be doing something wrong because my app is being blocked by comodo...

    "First.
    You can block an app and specify a single IP or range and click the "exclude" box. That will block everything except the IP(s) you want."

    Ok I did that but it was still being blocked. I checked the logs and noticed that my app was first trying to connect to my isp instead of connecting directly to the ip it should have.

    I have an adsl connection and I have only one pc. I think I read on the comodo forum that if u have only one machine and ur on adsl you do not need a trusted zone so I never created one so far.

    I did create a trusted zone now to see if it would help. No joy.

    I have no clue as to what I am doing wrong :-(

    Any help appreciated
     
  5. TairikuOkami (Registered Member; joined Oct 10, 2005; posts: 2,508; location: Slovakia)

    I had a similar problem, I tried to allow WMP to connect only to a few IPs with streaming radio and block the rest, but it took me a few days to get it. Then I realised that all I have to do is to allow what I need and disable Alerts (it is simpler), it is like Block Most in Outpost. :)

    I have no pops, I also disabled ABA & CC, and I allow Alerts only temporarily to get new rules.
    I posted my rules in the topic Share Your Settings, you might find something interesting there.
     
  6. MikeNAS (Registered Member; joined Sep 28, 2006; posts: 697; location: FiNLAND)

    Any idea what rules are used in those leaktests? I mean which options are enabled/disabled etc.


    -MikeNAS
     
  7. cprtech (Registered Member; joined Feb 26, 2006; posts: 335; location: Canada)

    Hi MikeNAS,

    you need to establish a set of network rules for Comodo, especially if you want to use Very High "Alert frequency Level", which I recommend for optimal security. Your application rules will be based on and restricted by the parameters of these rules. However, you can still restrict chosen applications to single remote ip's and ports, if desired. I have a ss of my yet-to-be-completed network rules so far. They could be used as a general guideline, but please note that your local/remote ip's will no doubt be different. I'm behind a router with dns relay enabled, so I use its gateway ip of 192.168.0.1, for instance, as the remote dns address. Hope this helps.
     

    Attached Files:

  8. cprtech (Registered Member; joined Feb 26, 2006; posts: 335; location: Canada)

    Corrected DHCP rules.
     

    Attached Files:

  9. cprtech (Registered Member; joined Feb 26, 2006; posts: 335; location: Canada)

    Sorry, disregard last SS :oops:
     

    Attached Files:

  10. Jarmo P (Registered Member; joined Aug 27, 2005; posts: 1,183)

    I found Comodo's use of source and destination nowhere near as convenient as kerio's local and remote. Rather confusing too :rolleyes:

    So destination can be either remote or local port/address depending if the packet being filtered by the network rule is for outgoing or incoming connection?
     
  11. Banshee (Registered Member; joined Nov 10, 2004; posts: 543)

    "First.
    You can block an app and specify a single IP or range and click the "exclude" box. That will block everything except the IP(s) you want."

    Any of you could try the suggestion above? I have tried that and it does not work. It only works if I *allow* all tcp/udp in and out leave Ip to any but add a port say 80.

    If I block the application comodo will block it even if I enter an exclude ip o_O
     
  12. cprtech (Registered Member; joined Feb 26, 2006; posts: 335; location: Canada)

    What are your configuration settings at? You need to have the "Alert frequency level" set to max and disable "Automatically create rules for known applications" (something along those lines; I'm not @ home to verify). In other words, you need to configure Comodo to "Paranoid" level in order to afford maximum control over your application rules. Also, when you install Comodo do not scan for known applications. Make sure none of the "Skip TCP or UDP loopback rules" are enabled. Maybe post some screenshots of your settings.
     
  13. Banshee (Registered Member; joined Nov 10, 2004; posts: 543)

    Hi,

    I now have set alert frequency level to max. but could not find
    "Automatically create rules for known applications".

    "Skip TCP or UDP loopback rules" are unticked.

    Unfortunately when I installed comodo I did scan for known applications.

    Now, I get more popups and even if I click "remember" I get those same popups again.


    I tried blocking an app and excluded an ip. It asks me if I want to allow access even if I had the rules set :eek:

    > You need to have the "Alert frequency level" set to max and disable "Automatically create rules for known applications" (something along those lines; I'm not @ home to verify). In other words, you need to configure Comodo to "Paranoid" level in order to afford maximum control over your application rules. Also, when you install Comodo do not scan for known applications. Make sure none of the "Skip TCP or UDP loopback rules" are enabled. Maybe post some screenshots of your settings.
     
  14. cprtech (Registered Member; joined Feb 26, 2006; posts: 335; location: Canada)

    Probably what is happening is you are getting similar pop-ups for the same apps, for example:

    iexplorer.exe wants access from: source ip xx.xx.xx.xx (your machine's NIC) source port 1202 to: destination xx.xx.xx.xx on destination port 80, with explorer.exe acting as parent. So you click allow and remember...but, alas, it does not stop there. You immediately get another one:

    iexplorer.exe wants access from: source ip xx.xx.xx.xx (your machine's NIC) source port 1203 to: destination xx.xx.xx.xx on destination port 80, with explorer.exe acting as parent. So you click allow and remember...but, alas, it does not stop there. You immediately get another one:

    iexplorer.exe wants access from: source ip xx.xx.xx.xx (your machine's NIC) source port 1204 to: destination xx.xx.xx.xx on destination port 80, with explorer.exe acting as parent.

    And then you may also get something like: iexplorer.exe wants access from: source ip xx.xx.xx.xx (your machine's NIC) source port 1203 to: destination xx.xx.xx.xx on destination port 443, with explorer.exe acting as parent. You can - and no doubt will - also see different parent apps trying to launch iexplorer.exe. There are several different possibilities.

    ...you see what I mean? Comodo when set up in strictest mode is extremely particular, though not to the extent of Jetico 2.0, but particular nonetheless.

    This is why instead of clicking allow/remember continuously, it is best to simply close the app you are getting pop-ups on, then go into Comodo and setup the rule properly for it.

    Take IE for example. You might setup a http rule as: Allow, TCP, Out, source ip=(your machine's ip 192.168.0.10 for example) destination ip=Any, or an individual one(s) if you like, source port=1024-5000, destination port=80. The parent app for this rule might be explore.exe. You may need an exact rule as above if another parent app such as outlook.exe acts as a parent to iexplore.exe.

    So, there is a lot of work in the beginning getting all your rules set up just the way you want them when you want this kind of full control, so time and effort is the price you pay for the first little while. However, you can really lock down your application's network access using these settings, as well as learn something in the process.

    There is so much to say but little time to say it all :gack: Just as an aside, the source port range of 1024-5000 is already set up in the Network rules, so you really don't have to repeat it for the application rules. I do, because it helps me retain it better in my poor memory and because I'm a glutton for punishment ;) In other words, you could just select Any for your application's source ports because they will be restricted by the range you may have already set up in your Network rules, such as I have done. It's entirely up to you.

    Please just remember to setup your Network rules first, then work on getting rules set up for your individual apps next, usually done "on the fly" as they are being used. Also, if Comodo has already set up rules for some of your apps, check them and tighten them up to tailor your needs, as required.

    Finally, I don't know your level of network knowledge. Mine is pretty basic, but it does help to understand the bare basics of ports, ip addresses, protocols, direction and local (source in Comodo's case) and remote (destination in Comodo's case).

    Sorry, I never said it would be as easy as going with the minimum alert frequency level and other "automatic" settings in Comodo, but a lot more work is required to lock down your applications. It is well worth it IMHO.

    When I get home later and find some time, I will post some application rule examples. I have just recently gone back to using Comodo again on my experimental imaged drive, so it is taking me some time to get my "ducks in a row" :)
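
Added example, not part of any post in this thread and not Comodo's own code: a simplified Python model of the rule matching cprtech describes above. It shows why a rule remembered for one exact source port keeps producing alerts while a rule covering source ports 1024-5000 does not, and how source/destination map onto local/remote by direction (Jarmo P's question). First-match evaluation, the "ask" fallback, the `Conn`/`Rule` names and the 203.0.113.5 address are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Conn:
    direction: str      # "out" or "in", as seen from the local machine
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int

def to_src_dst(c: Conn):
    """Map local/remote endpoints onto source/destination by direction."""
    local, remote = (c.local_ip, c.local_port), (c.remote_ip, c.remote_port)
    return (local, remote) if c.direction == "out" else (remote, local)

@dataclass(frozen=True)
class Rule:
    action: str               # "allow" or "block"
    direction: str
    src_ports: range
    dst_ip: Optional[str]     # None means Any
    dst_port: int

    def matches(self, c: Conn) -> bool:
        (_, src_port), (dst_ip, dst_port) = to_src_dst(c)
        return (c.direction == self.direction
                and src_port in self.src_ports
                and self.dst_ip in (None, dst_ip)
                and dst_port == self.dst_port)

def decide(rules, c: Conn) -> str:
    """Assumed model: first matching rule wins; no match raises an alert."""
    for r in rules:
        if r.matches(c):
            return r.action
    return "ask"

# Constructed sample: a browser opening three sockets to one web server.
# 203.0.113.5 is a documentation address; ports follow the post's example.
conns = [Conn("out", "192.168.0.10", p, "203.0.113.5", 80)
         for p in (1202, 1203, 1204)]
remembered = [Rule("allow", "out", range(1202, 1203), None, 80)]  # one exact port
ranged = [Rule("allow", "out", range(1024, 5001), None, 80)]      # 1024-5000

def outcomes(rules):
    return [decide(rules, c) for c in conns]

if __name__ == "__main__":
    print(outcomes(remembered))
    print(outcomes(ranged))
```

Setting `dst_ip` to a single address instead of `None` gives the per-application restriction asked about at the start of the thread: any other destination falls through to "ask".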
     
  15. Nature (Registered Member; joined Nov 28, 2006; posts: 13)

    Just think of it as if you are going to the beach (OUT). Well then the beach is your destination.
    When you are going home (IN), your home is the destination.

    LOL! Hope that this makes sense... ;)
     
  16. Nature (Registered Member; joined Nov 28, 2006; posts: 13)

    You are very safe with default rules. The only one you have to make something to pass, is the wallbreaker 1, 2, and 4 test. You have to raise the alert frequency level slider to very high.
    I tried the Coat test with the latest beta of Comodo firewall, and it passed.
     
  17. cprtech (Registered Member; joined Feb 26, 2006; posts: 335; location: Canada)

    Some application rules, as promised. Note how it is possible to specify individual ip(s) and/or port(s). Also, it is only possible to specify local ports for loopback rules on your apps. The local port range is covered in the Network Rules portion of Comodo.
     

    Attached Files:
