关于comodo防火墙global rule的疑惑，附上自己理解，大家指点（已解决）

tossball

打磨贴的global rule规则（已解决，自己理解错误，忘了看协议类型）

疑惑如图中所说。
自己对global rule架构的理解，规则顺序依次如下:

自己认为打磨贴中的Global Rule应为：
阻止“危险”端口的出站
Block And Log TCP OR UDP Out From IP Any To IP Any Where Source Port Is In [Dangerous Ports] And Destination Port Is Any
全局允许出站
allow IP OUT FROM IP ANY TO IP ANY WHERE PROTROL IS ANY（此条规则过于宽松）
允许局域网入站
Allow All Incoming Requests If The Sender Is In [Local Area Network]
Allow All Incoming Requests If The Sender Is In [Special & Local Multicast]
允许P2P 入站
Allow TCP In From IP Any To IP Any Where Source Port Is In [Dynamic Ports 1025-65535] And Destination Port Is In [P2P TCP In]
Allow UDP In From IP Any To IP Any Where Source Port Is In [Dynamic Ports 1025-65535] And Destination Port Is In [P2P UDP In]
允许主动FTP入站
Allow TCP In From IP Any To IP Any Where Source Port Is 20 And Destination Port Is In [Dynamic Ports 1025-65535]
Allow ICMP Out From IP Any to IP Any Where ICMP Message Is ECHO REQUEST
允许 ICMP Ping 他人
Allow ICMP In From IP Any to IP Any Where ICMP Message Is ECHO REPLY
允许 ICMP Ping 他人
Allow ICMP In From IP Any to IP Any Where ICMP Message Is TIME EXCEEDED
允许 ICMP 追踪路由
Allow ICMP In From IP Any to IP Any Where ICMP Message Is PORT UNREACHABLE
允许 ICMP 端口不可达
Allow ICMP In From IP Any to IP Any Where ICMP Message Is FRAGMENTATION NEEDED
允许 ICMP需要分片

Block And Log IP In From IP Any To IP Any Where Protocol Is Any
阻止一切入站请求

[ 本帖最后由 tossball 于 2009-1-3 01:31 编辑 ]

Mr.Z

圖片看不到

秘书

图片为百度....

楼主换一下连接

tossball

已经吧图片换了，百度不支持外链，晕

Mr.Z

我不明白..既然樓主認為上面已經允許了,下面block了沒有意義,那為甚麼自己的理解中又有最後一條block?

tossball

我是认为block out没有意义，block in肯定是需要的啊

打磨贴是Block And Log IP In/Out From IP Any To IP Any Where Protocol Is Any
我的是Block And Log IP In From IP Any To IP Any Where Protocol Is Any

抓抓

原帖由 tossball 于 2009-1-3 00:22 发表
我是认为block out没有意义，block in肯定是需要的啊

打磨贴是Block And Log IP In/Out From IP Any To IP Any Where Protocol Is Any
我的是Block And Log IP In From IP Any To IP Any Where Protocol Is Any

每一条规则都有它的意义，，block out是为防止恶意出站链接。。。

用什么规则，关键是要按照自己的需要设置。。。不需要的就block，，需要时才allow。。。。

伯夷叔齐

原帖由 tossball 于 2009-1-3 00:22 发表
我是认为block out没有意义，block in肯定是需要的啊

打磨贴是Block And Log IP In/Out From IP Any To IP Any Where Protocol Is Any
我的是Block And Log IP In From IP Any To IP Any Where Protocol Is Any

Block And Log IP In/Out From IP Any To IP Any Where Protocol Is Any————上面是否有一些允许规则？？如果有，那么这些规则就由上到下进行逐一匹配，这条阻止规则将阻止不掉上面的允许规则。

tossball

自己搞糊涂了

一直以为打磨贴中
Allow And Log TCP OR UDP Out From IP Any To IP Any Where Source Port Is In [Privileged Ports] And Destination Port Is Any
Allow TCP OR UDP Out From IP Any To IP Any Where Source Port Is In [Dynamic Ports 1025-65535] And Destination Port Is Any
跟
allow IP OUT FROM IP ANY TO IP ANY WHERE PROTROL IS ANY
是等价的，忘了看协议类型，以至于会有上面的疑惑，打磨贴的规则没有任何错误！