Allowing file-sharing on a laptop which also visits wifi hotspots

I use COMODO CIS at my home PC. So I have three types of Network Zone.

  1. My original LAN (IP+MASK=range of my “local network” IPs)
  2. My Internet connection
  3. Lots of “friendly” nets (peering etc.), which I connect to via the default gateway of my “original LAN” (so it is NOT Internet for me).

So it is normal for me to set 2 Network Zones:

  1. All my “LAN” (#1 + #3)
  2. Internet = NOT “LAN” :slight_smile:

But #3 - I have a lot of rows in my routing table (about 50 or more), so it is very hard and takes a long time to build such a list in a Network Zone.
Sometimes our LAN builds new connections to new IP ranges, and some of the ranges disappear… Again, it is too hard to search for such modifications and edit them.

So I think, it would be great to have such option:
I create a NEW Network Zone, give it a name, then in Adding Address I wish to select a Network Adapter.
COMODO discovers all IP ranges and nets that are routed through the default gateway on this Network Adapter (this could be gathered from the routing table) and adds them as Addresses in the Network Zone.

Maybe it would be great to have an option in Network Zone to directly select a Network Adapter (Network Interface).
Or have tied Network Adapter+Net. For example:
I have LAN 10.0.0.0 255.0.0.0 - It is my home LAN on network card (Interface #1), so I made rules for this subnet
But also I have Internet connection via VPN (pptp - interface #2)
And one more connection - via VPN over Internet (TAP-Adapter - interface #3)

on IF #3 I receive IP in range 10.8.0.0 255.255.255.0

So this range is a sub-range of 10.0.0.0/255.0.0.0, and the rules applied to my connection #3 are the same as for #1.

But they are totally different “network cards” (Interfaces), so I want to be alerted to such situations and want to be able to choose not only an IP range, but also a Network Interface.
Such situations also may bring a lot of troubles.

Just imagine - you have a notebook with a network card and WiFi. You edited rules for an IP range which is always on your network card (in the office, for example): 192.168.0.0/255.255.255.0. But now you turn on WiFi and discover a free LAN on WiFi in range 192.168.0.128/255.255.255.128. In this case your applications will receive connections over NON-SAFE WiFi because of the rules for 192.168.0.0/255.255.255.0.
It is really dangerous.

I still want to see any reply in this topic.
So about 3 days ago I had a situation, that I described above with WiFi

I have LAN with IP range 192.168.0.0/24 So I called it “Local IPs” in My Network Zones.
On that day I connected to WiFi and got IP 192.168.0.15/24 via DHCP from the access point.
So many “bad guys” tried to hack me. And of course CIS let them do that because of the Rules for “Local IPs”. If CIS could understand the same subnet on a different Network Interface - it would be really great!

Hi,

I have recently downloaded and installed Comodo CIS (3.5.x) on my laptop as a replacement for Norton which was driving me nuts with its resource hogging (especially when looking for updates). However, I cannot see how to directly replicate the SSID wifi network identification element of Norton (and other firewalls) in Comodo. Let me explain…

We have a sophisticated file-sharing (and synchronisation) set-up in our home-office network which is pretty much central to how we work. So obviously I need to open up the ports necessary for that when connected to that network, for which purpose the My Network Zones function looks tailor made.

However, I also use my laptop in all manner of public wifi hotspots, and certainly don’t want any nasties from other hotspot customers. So then I want to lock my computer down as tight as can be.

With Norton I solved this by denoting our wireless network (defined by the SSID) as a trusted network, and everything was fine and dandy. But with Comodo I’m worried that if I define an IP address range then anyone getting such an address on any random hotspot will be able to access my computer. As it happens we have defined the IP range on our network to be a little bit more obscure than the usual 192.168.1.x, but relying on that is rather like trusting to luck, and luck never holds forever.

Looking in the My Network Zones definition screens I can see only two possible approaches:
(1) Define the trusted network by IP range (or mask)
(2) Define each trusted computer by IP address or name

Have I missed something here? Does anyone know how I can filter by network name or SSID using Comodo? If not something perhaps for the developers to think about…

rgds, blackprince

Hi blackprince and welcome to the forums.

At the moment, CIS is totally agnostic regarding connection methods. It is purely concerned as to whether there is a connection, regardless of the mechanism. I can see cases where it would be advantageous to block/allow based on a network name (SSID). Could you please add this to the CIS wishlist?

If your current office setup uses DHCP to allocate addresses in a less commonly used private address range (like 172.16.X.X) then this could be defined as a trusted network zone, leaving the more commonly used 192.168.X.X for the public hotspots.

If you do use public hotspots, I’d recommend that you look at Comodo’s Trust Connect. Trust Connect creates a secure, encrypted tunnel when using hotspots.

Cheers,
Ewen :slight_smile:

Just a note blackprince: TrustConnect is not free. It is cheaper than most other programs of the type, but it isn’t free.

;D

Not sure if this is a correct setting,
but I use the stealth port wizard to block all incoming connections & add an allow rule (in & out) for 192.168.0.1-192.168.0.255.

Hi blackprince,

Unless you have a huge network, you should be able to achieve the results
you want by -

Defining a Network Zone - “Home Net”

Then define the network by binding to MAC addresses rather than IPs,
i.e. list the MACs of the networked printer, server, and necessary clients with which
you want to allow sharing.

This leaves you free to run an IP based “Stealth” Global Rule Set.

If I’m out to lunch on this please advise, I’ll go back on the meds. (:TNG)
Later

Another very good, secure alternative. Good pickup!

Ewen :slight_smile:

Thx Bad Frogger. I suspected that might be the best option. The main, and obvious, disadvantage is that I have to remember to add in the MAC addresses of any new devices as they are added to the network. Hence, not such a good option for less techy-inclined members of the team. But my feeling thus far is that Comodo is too complex (at least in its full incarnation) for non-techy types anyway.

Hi Ganda,
This is exactly what I’m trying to avoid doing, as then any hotspot which operated on the 192.168.0.x range would be a completely toxic environment for me.
BP

Oooops, then I was wrong the whole time :-X

The more I think about this, the more I like it!

Given the pervasiveness of wifi and the mobility of today’s computer users, this would be a great way to allow users to differentiate between environments without having to change firewall rules or NIC config.

Thanks for this.

Cheers,
Ewen :slight_smile:

(:AGY) This really annoys me about Comodo products, some great ideas but sometimes poor execution. How can this firewall be promoted to newbies when CIS cannot separate a similar IP range over WIFI versus that IP range on a domestic LAN over the network card? Crazy!

I am not a firewall expert and do not have time to learn about the intricacies of firewalls and IPs. I just about managed to configure CIS, and just yesterday realised whilst using wifi in another country that I was wide open to attack because the IP range is the same as my network at home, where I used the card, not wifi.

So much for good security.

Can anyone please advise me of a free firewall, also a paid one, that can deal with this please?

Thanks a lot.

The idea to “allow users to differentiate between environments without having to change firewall rules or NIC config” is not new. But I’ve some words to say: in our days not only WiFi is the reason for identical IP ranges on different networks. There are Virtual Adapters too. One example is the NIC from VMware, another one is OpenVPN, and of course the Microsoft PPTP VPN Adapter.
So, it would be useful to teach the firewall not only IP ranges and MAC, but also the Network Adapter.
I can, of course, solve many troubles by creating rules based on MAC. But I don’t think it is the right way.

I posted some questions earlier in another topic, so now I’ll try to place them here.

I would love to see the capability to add a rule based on the IP address and the MAC address of the gateway/router being used. In a corporate environment notebooks may need to be locked down a lot more when out on the road than when used in the office.
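
The overlap described in this thread (a trusted zone defined only by IP range also matching a VPN adapter or a hotspot that hands out the same range) and the adapter and gateway-MAC binding requested as a fix, as an added Python sketch that is not part of any post and is not Comodo code. The `Zone` and `Link` types, adapter names and MAC addresses are hypothetical and constructed; the address ranges are the ones quoted in the posts above.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Link:
    """An active connection: adapter name, address/mask, MAC of its default gateway."""
    interface: str
    address: str
    gateway_mac: str

@dataclass(frozen=True)
class Zone:
    """Hypothetical trusted zone. interface and gateway_mac are the extra
    bindings requested in the thread; None means 'match on IP range only'."""
    network: str
    interface: Optional[str] = None
    gateway_mac: Optional[str] = None

def overlaps(zone: Zone, link: Link) -> bool:
    """True if peers on this link can hold addresses inside the zone's range."""
    zone_net = ipaddress.ip_network(zone.network)
    link_net = ipaddress.ip_interface(link.address).network
    return zone_net.overlaps(link_net)

def trusted(zone: Zone, link: Link) -> bool:
    """The range must match, and so must every binding the zone declares."""
    if not overlaps(zone, link):
        return False
    if zone.interface is not None and zone.interface != link.interface:
        return False
    if zone.gateway_mac is not None and zone.gateway_mac.lower() != link.gateway_mac.lower():
        return False
    return True

def trusted_interfaces(zone: Zone, links: list) -> list:
    """More than one name here means a single rule set covers different networks."""
    return [link.interface for link in links if trusted(zone, link)]

# Constructed sample data using the address ranges quoted in the thread.
LINKS = [
    Link("lan", "10.0.0.5/255.0.0.0", "02:00:00:00:00:01"),           # home LAN card
    Link("tap", "10.8.0.6/255.255.255.0", "02:00:00:00:00:02"),       # VPN TAP adapter
    Link("wifi", "192.168.0.15/255.255.255.0", "02:00:00:00:00:03"),  # public hotspot
]
RANGE_ONLY = Zone("10.0.0.0/255.0.0.0")
BOUND = Zone("10.0.0.0/255.0.0.0", interface="lan", gateway_mac="02:00:00:00:00:01")
LOCAL_RANGE_ONLY = Zone("192.168.0.0/255.255.255.0")
LOCAL_BOUND = Zone("192.168.0.0/255.255.255.0", gateway_mac="02:00:00:00:00:aa")
```

A gateway MAC address is an identifier, not authenticated proof of which network is attached, so such a binding narrows where the trusted rules apply rather than proving the network's identity.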

I haven’t found anything currently better than this for most features.
However, the more I use it, the more I see things they could
add to make things a lot easier, more powerful, etc.
Much more can be done to this great tool.
Another way to look at this problem: INSTEAD of JUST ONE
SETUP Allowing file-sharing on a laptop which also visits wifi hotspots:
Have multiple setups ie:
IF you could set things up a certain way for HOME then
SAVE IT, then set things up for HOTSPOTS and SAVE IT, etc,
then allow you to easily LOAD back in various things,
this would be one solution. It would also allow you to
copy ZONES, RULES, POLICIES, SETUPS to other machines.
Perhaps there is a way to do this. I ask in this thread:
https://forums.comodo.com/firewall_help/easy_way_to_copy_settings_to_another_machine-t34340.0.html

Both under Global rules and Application rules you can define source and destination address by the following parameters:
IP address or range, IP mask, zone, host name or MAC address.

I guess that would fit your needs.