Author Topic: Allowing port access, while blocking internet access  (Read 347 times)

Offline SarahJones

  • Newbie
  • *
  • Posts: 14
Allowing port access, while blocking internet access
« on: June 07, 2019, 08:34:23 AM »
Hi everyone,

I have some programs for VFX that get their license from a server app running on the same PC. In general using port 5053.

How can I set a rule that will only allow my programs to communicate internally system-wide, with the correct protocols, using the specific port needed, etc., while not giving them any access to the internet? I'm not much of an IT person, but have an understanding of the basics. I'm new to CIS and coming directly from ESET IS, which felt very similar. I'm just worried that I might have my system too open, as I leave my PC on pretty much 24/7 (it's rendering when I'm not using it at night and while away from home in the office).

If it's not asking too much, could you show me with some images how to set it up? As sometimes my dyslexia gets the better of me. But clear steps in text would be just as great!

Thanks.
« Last Edit: June 07, 2019, 08:40:52 AM by SarahJones »

Offline futuretech

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 4285
Re: Allowing port access, while blocking internet access
« Reply #1 on: June 08, 2019, 10:41:51 AM »
You can pretty much follow this guide but make the rule for the application only and use loopback zone instead.
« Last Edit: June 08, 2019, 02:00:22 PM by futuretech »

Offline SarahJones

  • Newbie
  • *
  • Posts: 14
Re: Allowing port access, while blocking internet access
« Reply #2 on: June 08, 2019, 03:51:51 PM »
Hi Futuretech, my terminology isn't the best, so it's hard to find the right things. Thanks for the link and info, checking it now.

EDIT:
Ok, as I have a few apps, I just add the rule to the main exe file and everything else is fine?


Source and Destination tabs: same settings.
IP details tab: is ANY.

Is this correct: Allow as it's using the Loopback Zone? The app started fine and read my license, I'm just too cautious when it comes to security. lol
« Last Edit: June 08, 2019, 04:16:01 PM by SarahJones »

Offline jljtgr

  • Comodo Family Member
  • ***
  • Posts: 72
Re: Allowing port access, while blocking internet access
« Reply #3 on: June 08, 2019, 11:09:09 PM »
If I were to assume your main firewall mode is set to "Safe Mode" and the program in question is digitally signed, it's probably not being blocked from the internet unless you add another rule to that same EXE saying to block everything else.  It will interpret the rules top to bottom, so allow Loopback and block everything else.

If you find yourself doing this a lot, you might want to consider making a Ruleset which you can apply by name to many programs.

Offline SarahJones

  • Newbie
  • *
  • Posts: 14
Re: Allowing port access, while blocking internet access
« Reply #4 on: June 09, 2019, 10:14:08 AM »
Thanks jljtgr! Great info moving forward. Yes, I have it in safe mode (for now at least).

So bearing in mind the order of things as you mentioned, with the port being the most important...



Or instead of specifying a single port, setting it to OUT/ANY?

Maybe this additional layer is overkill and not needed at all?
« Last Edit: June 09, 2019, 10:29:43 AM by SarahJones »

Offline futuretech

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 4285
Re: Allowing port access, while blocking internet access
« Reply #5 on: June 09, 2019, 10:55:33 AM »
You only need a single allow out rule with only the destination address set to the loopback zone and not set as the source address, then a block all rule so that all other connections are blocked.

Offline jljtgr

  • Comodo Family Member
  • ***
  • Posts: 72
Re: Allowing port access, while blocking internet access
« Reply #6 on: June 09, 2019, 03:36:07 PM »
In other words, the first rule actually allows internet access as long as it's only on port TCP/5053; the second rule allows only loopback on any protocol including TCP/5053.  If you want to be specific in all cases, you'll need to merge them as futuretech suggested.

Personally I never go to the lengths of preventing any application from using Loopback; I have far too many programs that use IPC that way.  In the main Firewall Settings I end up unchecking "Filter loopback traffic" and setting applications as "Blocked Application".  One step up from that, I use my LAN only ruleset.


Offline SarahJones

  • Newbie
  • *
  • Posts: 14
Re: Allowing port access, while blocking internet access
« Reply #7 on: June 09, 2019, 06:12:29 PM »
You only need a single allow out rule with only the destination address set to the loopback zone and not set as the source address, then a block all rule so that all other connections are blocked.
Thank you both, I'm feeling really dumb with this stuff. So is this more like it? As the program needs to communicate with the license server (so I guess it's in/out?), but blocked from the internet.



But I'm not fussy about a specific port (any is fine), as long as the app is contained from the internet. Is TCP the right thing to use? Or is IP fine?
« Last Edit: June 09, 2019, 06:28:16 PM by SarahJones »

Offline jljtgr

  • Comodo Family Member
  • ***
  • Posts: 72
Re: Allowing port access, while blocking internet access
« Reply #8 on: June 09, 2019, 07:25:38 PM »
TCP is a protocol that, once established, does not appear as two-way communication. So, to Comodo it is outgoing only.

This rule does what you want. And more specifically, it means that the program (anywhere in the world) can connect to the Loopback Zone using TCP/5053. Because the destination is the Loopback Zone, the source does not need to be specified (MAC Any). No packets can route into the Loopback Zone unless they originate from there, so this rule is safe.

I noticed that you were creating a new ruleset in this case, but as far as I am aware, you're only applying this to a single program.  If you have multiple programs that need these rules, a ruleset makes sense to apply to those programs.  If there is only one program that needs this ruleset, it'll make more sense to apply these rules directly to the specific program in Application Rules.
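The point made in replies #6 and #8 (two separate allow rules leak internet access on TCP/5053, while one allow-to-loopback rule followed by a block-all does not) can be checked with a small first-match rule evaluator. This is an added illustration, not Comodo's code: the Rule fields, the loopback zone as 127.0.0.0/8, the sample destination addresses and the fall-through default are all constructed assumptions that mimic how the thread describes CIS evaluating application rules top to bottom.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Assumption: the CIS "Loopback Zone" is modelled as 127.0.0.0/8.
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


@dataclass
class Rule:
    action: str             # "allow" or "block"
    protocol: str           # "TCP", "UDP" or "ANY"
    dst_zone: str           # "loopback" or "any" (source left as Any, per reply #8)
    dst_port: Optional[int]  # None means any destination port


def matches(rule: Rule, protocol: str, dst_ip: str, dst_port: int) -> bool:
    if rule.protocol != "ANY" and rule.protocol != protocol:
        return False
    if rule.dst_zone == "loopback" and ipaddress.ip_address(dst_ip) not in LOOPBACK:
        return False
    if rule.dst_port is not None and rule.dst_port != dst_port:
        return False
    return True


def evaluate(rules: List[Rule], protocol: str, dst_ip: str, dst_port: int,
             default: str = "allow") -> str:
    """First matching rule wins (rules are read top to bottom, as in reply #3).
    The default models a signed app in Safe Mode falling through with no block rule."""
    for rule in rules:
        if matches(rule, protocol, dst_ip, dst_port):
            return rule.action
    return default


# Reply #4's two-rule approach as jljtgr reads it in reply #6:
# rule 1 allows TCP/5053 to ANY destination, rule 2 allows loopback on any protocol.
SPLIT = [
    Rule("allow", "TCP", "any", 5053),
    Rule("allow", "ANY", "loopback", None),
    Rule("block", "ANY", "any", None),
]

# Reply #5's merged version: a single allow-out to the loopback zone, then block all.
MERGED = [
    Rule("allow", "TCP", "loopback", 5053),
    Rule("block", "ANY", "any", None),
]

if __name__ == "__main__":
    # 203.0.113.10 is a constructed, documentation-range "internet" address.
    for name, rules in (("split", SPLIT), ("merged", MERGED)):
        print(name, "license server:", evaluate(rules, "TCP", "127.0.0.1", 5053),
              "| internet on 5053:", evaluate(rules, "TCP", "203.0.113.10", 5053))
```

Running it shows the split ruleset allowing the internet connection on port 5053 that the merged ruleset blocks, while both still let the program reach the local license server.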
