Allowing port access, while blocking internet access

Hi everyone,

I have some programs for VFX that get their license from a server app running on the same PC. In general using port 5053.

How can I set a rule that will only allow my programs to communicate internally system-wide, correct protocols, using the specific port needed, etc., while not giving them any access to the internet? I’m not much of an IT person, but have an understanding of the basics. I’m new to CIS and coming directly from ESET IS, which felt very similar. I’m just worried that I might have my system too open as I leave my PC on pretty much 24/7 (it’s rendering when I’m not using it at night and while away from home in the office).

If it’s not asking too much, could you show me with some images how to set it up, as sometimes my dyslexia gets the better of me? But clear steps in text would be just as great!


You can pretty much follow this guide but make the rule for the application only and use loopback zone instead.

Hi Futuretech, my terminology isn’t the best, so it’s hard to find the right things. Thanks for the link and info, checking it now.

Ok, as I have a few apps, I just add the rule to the main exe file and everything else is fine?

Source and Destination tabs: same settings.
IP details tab: is ANY.

Is this correct: Allow as it’s using the Loopback Zone? The app started fine and read my license, I’m just too cautious when it comes to security. lol

If I were to assume your main firewall mode is set to “Safe Mode” and the program in question is digitally signed, it’s probably not being blocked from the internet unless you add another rule to that same EXE saying to block everything else. It will interpret the rules top to bottom, so allow Loopback and block everything else.

If you find yourself doing this a lot, you might want to consider making a Ruleset which you can apply by name to many programs.

Thanks jljtgr! Great info moving forward. Yes, I have it in safe mode (for now at least).

So bearing in mind the order of things as you mentioned, with the port being the most important…

Or instead of specifying a single port, setting it to OUT/ANY?

Maybe this additional layer is overkill and not needed at all?

You only need a single allow out rule with only the destination address set to the loopback zone and not set as the source address, then a block all rule so that all other connections are blocked.

In other words, the first rule actually allows internet access as long as it’s only on port TCP/5053; the second rule allows only loopback on any protocol including TCP/5053. If you want to be specific in all cases, you’ll need to merge them as futuretech suggested.

Personally I never go to the lengths of preventing any application from using Loopback; I have far too many programs that use IPC that way. In the main Firewall Settings I end up unchecking “Filter loopback traffic” and setting applications as “Blocked Application”. One step up from that, I use my LAN only ruleset.

Thank you both, I’m feeling really dumb with this stuff. So is this more like it? As the program needs to communicate with the license server (so I guess it’s in/out?), but blocked from the internet.

But I’m not fussy about a specific port (any is fine), as long as the app is contained from the internet. Is TCP the right thing to use? Or is IP fine?

TCP is a protocol that once established, does not appear as two way communication. So, to Comodo it is outgoing, only.

This rule does what you want. And more specifically, it means that the program (anywhere in the world) can connect to the Loopback Zone using TCP/5053. Because the destination is the Loopback Zone, the source does not need to be specified (MAC Any). No packets can route into the Loopback Zone unless they originate from there, so this rule is safe.

I noticed that you were creating a new ruleset in this case, but as far as I am aware, you’re only applying this to a single program. If you have multiple programs that need these rules, a ruleset makes sense to apply to those programs. If there is only one program that needs this ruleset, it’ll make more sense to apply these rules directly to the specific program in Application Rules.