Block network access to local development server

I want to set up a purely offline server for development of a WordPress theme, so I installed XAMPP for Windows, which runs Apache and MySQL.

I access the server by going to ‘localhost’ in a web browser. Comodo doesn’t ask any questions; it works fine.

I want to make sure that this server is purely local, and that no-one on the internet or even LAN can access it. This will simplify security hugely.

How do I make this happen with Comodo?

Thank you!

Welcome to the forum.

Can you tell us which version of CIS you’re using and what settings you have for the firewall, along with your firewall Application and Global rules. The reason is that, depending on configuration, you may not need to do anything.

Thank you for the welcome. I’ve looked around quite a bit before, but have never needed to post.

I’m using Comodo Internet Security Premium, Product version 6.0.24710.2708.

In ‘Application Rules’ I have the following which may be relevant (there are a few more but I don’t think they are relevant, but I can post them if needed):

C:\Windows\System32\svchost.exe Outgoing Only
System Outgoing Only
Comodo Internet Security Outgoing Only
Windows Updater Applications Custom (Allow IP Out from MAC Any to MAC Any Where Procotol is ANY)
Windows System Applications Custom (Allow IP Out from MAC Any to MAC Any Where Procotol is ANY)

There is currently no rule set for XAMPP (or apache or MySQL - though I don’t know whether these are separate to XAMPP or part of one program).

Also in Global Rules:
Allow all outgoing requests if the target is in Home #2
Allow all incoming requests if the sender is in Home #2
Allow all outgoing requests if the target is in Work #1
Allow all incoming requests if the sender is in Work #1
Allow all outgoing requests if the target is in Home #1
Allow all incoming requests if the sender is in Home #1
Block ICMP Out from MAC Any to MAC Any where ICMP Message is PROTOCOL UNREACHABLE
Block ICMP In from MAC Any to MAC Any where ICMP Message is 17.0
Block ICMP In from MAC Any to MAC Any where ICMP Message is 15.0
Block ICMP In from MAC Any to MAC Any where ICMP Message is 13.0
Block ICMP In from MAC Any to MAC Any where ICMP Message is ECHO REQUEST

If you want to make sure the application is only accessible from the PC on which it’s installed, as you have Global rules that permit access from other local/work resources, you’ll need to create a rule (or rules) to block access. One way to do this is to create an Application firewall rule for httpd.exe, something like:

Application Name - {your path to}\xampp\apache\bin\httpd.exe
Action - Allow
Protocol - TCP
Direction - In
Source Address - 127.0.0.1
Destination Address - Any
Source Port - Any
Destination Port - Any

Application Name - {your path to}\xampp\apache\bin\httpd.exe
Action - Block and Log
Protocol - IP
Direction - In
Source Address - Any
Destination Address - Any
IP Details - Any
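As an added illustration, not from the thread and not Comodo’s own code, the following Python model evaluates those two httpd.exe rules top-down with first match, which is how Comodo processes Application rules (assumed here), over constructed connection attempts. It shows why the loopback Allow must sit above the catch-all Block: reversing the order blocks localhost too.

```python
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class Rule:
    """One Comodo-style application rule (simplified model)."""
    action: str      # "Allow" or "Block and Log"
    protocol: str    # "TCP", "UDP", or "IP" (any IP protocol)
    direction: str   # "In" or "Out"
    source: str      # a single address or "Any"

    def matches(self, proto: str, direction: str, src: str) -> bool:
        proto_ok = self.protocol == "IP" or self.protocol == proto
        src_ok = self.source == "Any" or ip_address(self.source) == ip_address(src)
        return self.direction == direction and proto_ok and src_ok


# The two rules suggested above for httpd.exe, in the order they were given.
HTTPD_RULES = [
    Rule("Allow", "TCP", "In", "127.0.0.1"),
    Rule("Block and Log", "IP", "In", "Any"),
]


def evaluate(rules, proto: str, direction: str, src: str) -> str:
    """Return the action of the first matching rule (top-down, first match)."""
    for rule in rules:
        if rule.matches(proto, direction, src):
            return rule.action
    # No application rule matched; what happens next depends on firewall settings.
    return "No match"


def check_loopback_only(rules) -> dict:
    """Constructed inbound attempts: local browser, a LAN host, and non-TCP from loopback."""
    attempts = {
        "browser on localhost": ("TCP", "In", "127.0.0.1"),
        "LAN host 192.168.1.20": ("TCP", "In", "192.168.1.20"),
        "UDP from loopback": ("UDP", "In", "127.0.0.1"),
    }
    return {name: evaluate(rules, *args) for name, args in attempts.items()}


if __name__ == "__main__":
    for name, verdict in check_loopback_only(HTTPD_RULES).items():
        print(f"{name}: {verdict}")
    # Same rules, wrong order: the catch-all Block now wins for everything.
    print("reversed order, localhost:", evaluate(list(reversed(HTTPD_RULES)), "TCP", "In", "127.0.0.1"))
```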

Thank you so much for this solution. I have implemented it and will test it when I get my laptop to work. I posted your answer to security - Block network access to local development server - Super User, where I had previously asked a related question.

You said that I have global rules that permit access from other local/work resources. I don’t really want that, as my work network (a university network) is definitely not very secure. It is poorly administrated and there are heaps of viruses on other computers. If I wanted to change this would I change the following entries to ‘outgoing only’?

Allow all outgoing requests if the target is in Work #1
Allow all incoming requests if the sender is in Work #1

Looking at your Global rules, at some point in the past, you’ve received three ‘New Network’ alerts, which correspond to Home #1, Home #2 and Work #1. You can ascertain the IP Address ranges associated with each of these, by looking under Network Zones. It’s also worth pointing out that you’ll probably find the same rules under Application rules for the System process.

If you don’t need file and printer sharing capabilities on a particular network, you can simply delete the rules associated with the network, you can also delete the zone. However, if you do this and you reconnect to that network, you’ll receive a new network alert but you may choose what to do.

Thank you again. I will do some reading-up on these network zones so that I understand them better. If I don’t ever need printer or file sharing then I assume I could delete all of those entries (Home #1 etc.) and when asked again, just select ‘Public Network’? This way I could get internet access from it but increase my security by not sharing files or folders.

Oh, and the suggestion to add that rule for the httpd.exe program worked. :-TU

If I enforce that rule then other computers on the network cannot view the page on localhost. If I do not enforce the rule then they can view it.

I really appreciate this help.

You can view the rules created from a New Network alert in two ways:

The Global rules for Home, Work etc. will allow all inbound and outbound connections.
The Application rule equivalents (System process) only allow that process to send and receive.

This is pretty much how the firewall works in general. Global rules allow protocols and ports for any process, whereas application rules are specific to each process. For any connection to succeed, there must be an application rule, but a global rule is optional - it just depends on settings.

As far as zones are concerned, they don’t actually do anything, unless they are used as part of an application or global rule. When you receive a New Network alert, you have the option to choose, Home, Work or Public. In the case of Home and Work, a zone is created and rules are added to global and application (System process). If you choose Public, a zone is created but no rules.

Thanks for taking the time to explain that. So the zones don’t actually do anything without application or global rules, which are set-up automatically in the case of home/work networks, but not for public.

Got it!