How to Protect your wifi-Lan

[Guest]

[Eric Cryptid]

Attached is a pic of my router's setup, maybe that'l help everyone answer my questions.

[Triplejolt]

Your starting IP address is beyond the subnet you've set for yourself. When you employ subnetting, you need to use the IP addresses within the same subnet. Otherwise it is treated as a different network. Thats what subnetting is, you further divide the network into smaller, independent segments.
If you plan to use 192.168.1.1 with the subnetmask  255.255.255.252, your starting address has to be either 192.168.1.1 or .2

When using the mask 255.255.255.252, you only have 4 IP addresses. The rule of thumb is that the 1st and the last address can't be used, hence you only have 2 left to use for routers and computers.

You're IP scheme will look like this:
192.168.1.0 255.255.255.252 - Network ID
192.168.1.1 255.255.255.252 - Router IP address
192.168.1.2 255.255.255.252 - PC IP address
192.168.1.3 255.255.255.252 - Broadcast address

Using this scheme you're using the smallest possible subnet. For more information, look up the topic Subnetting in the Wikipedia.

Hope this answers your question

[Eric Cryptid]

That's a great help! Thanks! Got it working now!

I do have one other question at the moment... When Adding my router address as TRUSTED (Firstly creating a zone and then defining a trusted network) Due I set to Trust just 192.168.1.1 OR do I set to Trust 192.168.1.0 - 192.168.1.1

Eric

[Triplejolt]

Set trust to 192.168.1.0 255.255.255.252. That should cover both your computer and the router. When using the .0, you indicate the entire subnet (remember .0 being the ID, .1 and .2 the usable hostaddresses).
If you only want to enable trust for the router, enter .1 and the same mask.

[Raccoon]

I use my laptop on a number of different wireless networks, each with their own ip network masks.  I would like to add rules (Trusted Zones, but more specific criteria) for each one, without having to create an individual rule for each one.

Might I request that Network Control Rules include the option to select multiple Zones as Source/Destination IP when creating rules?  This would permit me to create a single rule that applies to all my "Trusted Zones".  Such as 192.168.0.*, 192.168.1.*, 10.0.0.*, 10.10.10.*, 239.255.255.0, 172.16.0.*, so on and so forth.

At present, it is only possible to select a single Zone when creating a rule.

This would be desired because I don't want to trust ALL inbound/outbound connections, only for specific services such as File/Printer sharing, games, ICMP Echo, etc.  I have created one rule for each of these and it's all nice and tidy, but I have to duplicate each of these rules for each network I use, making the rule count increase exponentially.  It would be nice to group them all together.

[panic]

The alpha version of V3 does exactly this! 

[Raccoon]

Excellent!  Now what about Zones that allow all possible IP masks/range/single/hostname that Rules do? :>

And would it be possible to have a Virtual Zone or Zone Variable called "ME" that automatically detects the machine's local IP(s)?  And it can be masked 255.255.255.255 or 255.255.255.0 or 255.255.0.0 etc

[panic]

Sort of. In CFP V3 you define a zone and then you can add multiple entries or qualifiers to that zone. For example, you can define a zone called "Trusted" and then add a series of entries fro that zone. One could be a range of IP addresses (192.168.*.0 - 192.168.*.255), another could be a netmask and a third could be a host name (don't know whether hostnames support wildcards, but I suspect they would). Once these are defined, all you need to do is to use the zone name "Trusted" in a rule and that rule is then tested against all the qualifiers you've added to the zone.

Hope this helps,
Ewen :-)

[Raccoon]

That does help, thanks.  And it confirms the first part of my last reply.

As for the second part, where Comodo recognizes the machine's own IP address(es), I would find this useful to trap inbound packets that reach my computer with a destination other than my computer's IP address.  This could detect malformed packets being flung at me or block attempts to use my computer as a gateway by unauthorized users.  This might be particularly useful in a WiFi environment where I'm running my wireless card as an accesspoint, intended only for local file sharing and not web access.

Yet another question:  Is Comodo capable of creating rules dependent on a specific device, not IP mask/zone (multiple devices can be connected to matching Zones (192.168.0.1 subnets).)?

[Triplejolt]

Could you specify what you mean by device please? A device can hold several identifiers: IP address, hostname (NetBIOS name) and MAC address. Can't think of any others at the moment

If I'm not too mistaken, I think you can employ filters for all three of them now.

As for your second question, using rule sets that filters out IP addresses _not_ directed at your computer will drop those packets. Unless someone is spoofing its source and destination address to compromise your computer. But this requires skill and an opertunity

[Raccoon]

Could you specify what you mean by device please? A device can hold several identifiers: IP address, hostname (NetBIOS name) and MAC address. Can't think of any others at the moment

If I'm not too mistaken, I think you can employ filters for all three of them now.

By device, I mean the specific hardware connection that appears in your Network Connections.  I suppose you can rule this as Mac Address, but the Device Name that appears in Network Connections would be more familiar to the user.

I know when you create a Trusted Zone, it automatically populates the name of the Zone with the name of the hardware descriptor, but only as a reference to that device's IP address (which could be identical to another device's IP address or subnet).

As for your second question, using rule sets that filters out IP addresses _not_ directed at your computer will drop those packets. Unless someone is spoofing its source and destination address to compromise your computer. But this requires skill and an opertunity

It is that skill that I wish to circumvent, and I am aware those packets would be dropped (the very purpose of a firewall).  Spoofing isn't that difficult, especially from a *nix machine, but I'm also interested in blocking network packets that intend to use my machine as a gateway... unless the IP source is a known and trusted computer, or even a computer whose user has paid me for said gateway access.

[panic]

I know when you create a Trusted Zone, it automatically populates the name of the Zone with the name of the hardware descriptor, but only as a reference to that device's IP address (which could be identical to another device's IP address or subnet).

When you create a zone, you can give it a more meaningful name than the device name. For example, I have one PC that has 7 connections, and the zone names are aligned with the purpose of the connection - "Internal LAN", "SAP Farm 4", "Activesync" etc.

It is that skill that I wish to circumvent, and I am aware those packets would be dropped (the very purpose of a firewall).  Spoofing isn't that difficult, especially from a *nix machine, but I'm also interested in blocking network packets that intend to use my machine as a gateway... unless the IP source is a known and trusted computer, or even a computer whose user has paid me for said gateway access.

You might want to look into the "Exclude" option in the rules set up. When using this, you make a BLOCK rule and specify the address/es  you want to accept, and all others are then blocked.

If you have people paying you to use your PC as a gateway (mini-ISP sort of thing), then you have a right to maintain a certain degree of control over how they connect to your PC. Maybe think about making them use a static IP range that can be explicitly catered for by a zone rule (voice of experience speaking here  ).

Cheers,
Ewen :-)

[Triplejolt]

By device, I mean the specific hardware connection that appears in your Network Connections.  I suppose you can rule this as Mac Address, but the Device Name that appears in Network Connections would be more familiar to the user.

Aha! You mean the devicename the driver presents to you.
Comodo makes "Trusted Zones" based upon the interface of your choosing, but you can't make rulesets based upon these. I don't think the TCP/IP protocol sends this kind of information on the wire. If you want to block specific hardware, you have to use MAC addresses.

Spoofing isn't that difficult, especially from a *nix machine, but I'm also interested in blocking network packets that intend to use my machine as a gateway... unless the IP source is a known and trusted computer, or even a computer whose user has paid me for said gateway access.

When I say "Spoof" I mean something other than just replacing your source address on some server. Routers too have this ability and I use it frequently to test connectivity and access-lists configurations. And I don't call this spoofing

If you want to narrow down access to your gateway, do like panic said. Allow a limited number of hosts/subnets and drop everything else. Easiest way to control access based upon IP. Same way with MAC.

[Rayster]

Hello! Newbie here 


Instead of making a new topic about Wi-Fi Lan, it is better to post all my worries here coz its in the same group.

My problem was connecting my Nintendo DS to my Wireless USB(AP) instead of LAN, at first the signal I was receiving is good but at the end the signal will disappear.

I was bothered cause I cannot go online with my game. I tried to use its Option "Allow All" and I was able to connect to Nintendo's WFC. I wonder in what configuration I will set?

I already add my Wireless USB in the "Network Monitor". What should I nee to do?

I hope anyone who is willing to help a young boy here.

[Little Mac]

Welcome to the forums, Rayster.  Please see this tutorial
http://forums.comodo.com/frequently_asked_questions_faq_for_comodo_firewall/tutorials_a_compiled_resource-t6167.0.html;msg45542#msg45542

There is a link there, next to the author's name, which will link to the original thread it is copied from.

LM

[Tags:]