Can I get a second opinion on my Network Rules? [Resolved]

I just reinstalled Comodo v2.4 and I wanted to get a second opinion on my network rules; any thoughts/comments would be appreciated.

Action : Allow
Protocol : IP
Direction : In/Out
Source : RANGE: 192.168.212.1 - 192.168.212.4
Destination : RANGE: 192.168.212.1 - 192.168.212.4

Action : Allow
Protocol : TCP/UDP
Direction : In/Out
Source : Any
Destination : Port 40000 (uTorrent)

Action : Allow
Protocol : TCP/UDP
Direction : Out
Source : Any
Destination : Any

Action : Allow
Protocol : TCP/UDP
Direction : In/Out
Source : Any
Destination : Port 445,137,138,139,53,80,8080

Action : Allow
Protocol : ICMP
Direction : Out
Source : Any
Destination : Any
ICMP Details: ECHO REQUEST

Action : Allow
Protocol : ICMP
Direction : In
Source : Any
Destination : Any
ICMP Details : FRAGMENTATION NEEDED

Action : Allow
Protocol : ICMP
Direction : In
Source : Any
Destination : Any
ICMP Details : TIME EXCEEDED

Action : Allow
Protocol : ICMP
Direction : In
Source : Any
Destination : Any
ICMP Details : ANY

Action : Allow
Protocol : IP
Direction : Out
Source : Any
Destination : Any
IP Details : GRE

Action : Block
Protocol : TCP/UDP
Direction : In/Out
Source : Any
Destination : Port 1024-1030

Action : Block
Protocol : TCP/UDP
Direction : In/Out
Source : Any
Destination : Port 1433-1434

Action : Block & Log
Protocol : IP
Direction : In/Out
Source : Any
Destination : Any

What do you guys think about them?

1. Rule 3:

   Action : Allow
   Protocol : TCP/UDP
   Direction : In/Out
   Source : Any
   Destination : Port 445,137,138,139,53,80,8080

   This rule is dangerous, as it allows NetBIOS (Windows networking) from any IP address. You already have rule #0 that allows your other PCs/LAN to communicate. I suggest you remove this rule ASAP or modify it (see 3 below).

2. Rules 5 & 6 are redundant, because rule 7 allows any ICMP in.
   As far as allowing ICMP in, it is debatable how secure this is.

3. There is no rule to allow outbound traffic to port 443 (HTTPS) or 21 (FTP). You could modify rule #3 so that the direction is Out only instead of In/Out and add port 443 or any other port you may need, e.g.:

Action : Allow
Protocol : TCP/UDP
Direction : Out
Source : Any
Destination : Port 445,137,138,139,53,80,8080

However, if you go this route, i.e., specifying which outbound ports are allowed, you’ll have a hard time getting BitTorrent to work.

Rules 5 & 6: just because those were the default ones, I didn’t want to delete them yet.

I made rule 3 because I was getting a lot of incoming alerts for those ports; I thought it would allow them by default, but no.

I’m not allowing only those ports so shouldn’t uTorrent work fine?

Here’s the thing…

Source and Destination will reverse, depending on which way the traffic is flowing - In, or Out. In Network Monitor, it is always best to keep In and Out to separate rules to better control traffic.

Also, in CFP you ONLY need In Network rules for unsolicited inbound traffic (such as your p2p application). For browsing, email, etc., the resultant Inbound connection is a result/response to your Outbound request; it does not require an In rule. This is why CFP has a default rule to Allow TCP/UDP Out, Any Source/Destination IP or Port.

My recommendation is to keep that default Outbound rule (in position Rule ID 0) to facilitate your ability to use the internet.

As far as allowing things that are showing as blocked continually in your logs - my rule of thumb is that if I have no problem connecting, I do not need to allow that traffic. Then I will create a rule to Block without logging, so my logs won’t be full of it. Especially if you have a router or are on a LAN, you will Always see system-generated entries for ports 137, 138, 445. Unless absolutely necessary as part of a LAN’s connection, you do not want to allow Inbound access to these, as they are all associated with various Windows vulnerabilities (since Windows is constantly trying to allow inbound connections to occur).

Keep in mind, too, that the local (source) port for Outbound connections is not going to be the same as the remote (destination) port for the connection (except in the case of DHCP on 67 & 68). For example, to browse the net, your browser connects to remote port 80 (or 443 if encrypted); the local port is probably more like 1080 or some such. The inverse is also true. This is part of the reason for having separate In and Out rules.

You may find it helpful to read the tutorial on network rules, in this thread.
https://forums.comodo.com/index.php/topic,6167.0.html

LM
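Both replies above reason about the posted rule set by hand: the first reply says rule 3 lets NetBIOS in from any address and that rules 5 and 6 are redundant given rule 7, and Little Mac's post explains why browsing needs no In rule even though the reply packets have source and destination swapped. The following simulator is an added example, not Comodo's code or anything from this thread; it assumes top-to-bottom first-match evaluation and that replies to an allowed outbound TCP/UDP connection are accepted by connection state before any In rule is consulted. The addresses 203.0.113.5 and 198.51.100.7 are constructed stand-ins for "the internet", and 192.168.212.2 for the poster's own PC inside the LAN range of rule 0.

```python
"""Constructed first-match simulator for the rule set posted in this thread.

Assumptions (not Comodo's behaviour, just a model): rules are checked top to
bottom, the first match decides, and replies to an allowed outbound TCP/UDP
connection are accepted by state before the In rules are consulted.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional, Set, Tuple

TCPUDP = {"TCP", "UDP"}
LAN = ("192.168.212.1", "192.168.212.4")   # the range used by rule 0
ME = "192.168.212.2"                        # constructed: a host inside that range


def in_range(ip: str, rng: Optional[Tuple[str, str]]) -> bool:
    """None means 'Any'; otherwise an inclusive IP range."""
    return rng is None or ip_address(rng[0]) <= ip_address(ip) <= ip_address(rng[1])


@dataclass
class Rule:
    action: str                          # "Allow" or "Block"
    proto: Set[str]                      # {"IP"} matches every protocol
    direction: Set[str]                  # {"In"}, {"Out"} or both
    src: Optional[Tuple[str, str]] = None
    dst: Optional[Tuple[str, str]] = None
    ports: Optional[Set[int]] = None     # destination ports, None = Any
    icmp: Optional[str] = None           # ICMP type, None = Any

    def matches(self, p: dict) -> bool:
        return (p["dir"] in self.direction
                and ("IP" in self.proto or p["proto"] in self.proto)
                and in_range(p["src"], self.src) and in_range(p["dst"], self.dst)
                and (self.ports is None or p["dport"] in self.ports)
                and (self.icmp is None or p["icmp"] == self.icmp))


def pkt(direction, proto, src, dst, sport=None, dport=None, icmp=None) -> dict:
    return {"dir": direction, "proto": proto, "src": src, "dst": dst,
            "sport": sport, "dport": dport, "icmp": icmp}


# The rule set exactly as posted, in the same order (index = the rule number
# the replies refer to, starting at 0).
RULES = [
    Rule("Allow", {"IP"}, {"In", "Out"}, src=LAN, dst=LAN),                          # 0 LAN
    Rule("Allow", TCPUDP, {"In", "Out"}, ports={40000}),                             # 1 uTorrent
    Rule("Allow", TCPUDP, {"Out"}),                                                  # 2 default Out
    Rule("Allow", TCPUDP, {"In", "Out"}, ports={445, 137, 138, 139, 53, 80, 8080}),  # 3
    Rule("Allow", {"ICMP"}, {"Out"}, icmp="ECHO REQUEST"),                           # 4
    Rule("Allow", {"ICMP"}, {"In"}, icmp="FRAGMENTATION NEEDED"),                    # 5
    Rule("Allow", {"ICMP"}, {"In"}, icmp="TIME EXCEEDED"),                           # 6
    Rule("Allow", {"ICMP"}, {"In"}),                                                 # 7 any ICMP In
    Rule("Allow", {"GRE"}, {"Out"}),                                                 # 8
    Rule("Block", TCPUDP, {"In", "Out"}, ports=set(range(1024, 1031))),              # 9
    Rule("Block", TCPUDP, {"In", "Out"}, ports={1433, 1434}),                        # 10
    Rule("Block", {"IP"}, {"In", "Out"}),                                            # 11 Block & Log
]

# Rule 3 as the first reply suggests: Out only, with 443 added.
HARDENED = RULES[:3] + [Rule("Allow", TCPUDP, {"Out"},
                             ports={445, 137, 138, 139, 53, 80, 8080, 443})] + RULES[4:]


def evaluate(rules, p, conntrack=None):
    """Return (decision, why): why is the index of the deciding rule or 'state'."""
    conntrack = set() if conntrack is None else conntrack
    if p["dir"] == "In" and p["proto"] in TCPUDP:
        # A reply has source and destination (addresses and ports) swapped.
        if (p["proto"], p["dst"], p["dport"], p["src"], p["sport"]) in conntrack:
            return "Allow", "state"
    for i, r in enumerate(rules):
        if r.matches(p):
            if r.action == "Allow" and p["dir"] == "Out" and p["proto"] in TCPUDP:
                conntrack.add((p["proto"], p["src"], p["sport"], p["dst"], p["dport"]))
            return r.action, i
    return "Block", "implicit"


def is_redundant(rules, idx, samples) -> bool:
    """True when deleting rule idx changes no decision for the sample packets."""
    without = rules[:idx] + rules[idx + 1:]
    return all(evaluate(rules, s)[0] == evaluate(without, s)[0] for s in samples)


# Unsolicited SMB/NetBIOS from the internet: the case the first reply flags.
NETBIOS_IN = pkt("In", "TCP", "203.0.113.5", ME, sport=51234, dport=445)

ICMP_IN = [pkt("In", "ICMP", "203.0.113.5", ME, icmp=t)
           for t in ("FRAGMENTATION NEEDED", "TIME EXCEEDED", "ECHO REQUEST", "ECHO REPLY")]


def browse(rules):
    """A web request and its reply, evaluated with and without connection state."""
    ct = set()
    request = pkt("Out", "TCP", ME, "198.51.100.7", sport=1080, dport=80)
    reply = pkt("In", "TCP", "198.51.100.7", ME, sport=80, dport=1080)
    return (evaluate(rules, request, ct),   # allowed by the default Out rule
            evaluate(rules, reply, ct),     # allowed by state, no In rule needed
            evaluate(rules, reply))         # stateless: only rule 11 matches


if __name__ == "__main__":
    print("NetBIOS from internet, posted rules:", evaluate(RULES, NETBIOS_IN))
    print("NetBIOS from internet, hardened:   ", evaluate(HARDENED, NETBIOS_IN))
    for i in (5, 6, 7):
        print(f"rule {i} redundant for ICMP In:", is_redundant(RULES, i, ICMP_IN))
    print("browsing (request, reply, stateless reply):", browse(RULES))
```

Running it shows the three points made in the thread: the posted rule 3 allows the NetBIOS packet from the internet while the Out-only version falls through to the Block & Log rule; rules 5 and 6 can be removed without changing any ICMP decision, but rule 7 cannot; and the browser's reply packet (remote port 80 back to local port 1080) is accepted only because of connection state, since no In rule in the set matches it.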

I’m not sure what you mean about rule 0, as I made that one and it’s for my LAN.

What do you think about port 80/8080? Should I make a rule for that In/Out?

Okay, looks like your Rule ID 2 is what you need there, and it’s fine to have that following your LAN rule.

Unless you’re webhosting, you don’t need any Network rule which would Allow Inbound connections to port 80.

Unless you’re using a local proxy server, you don’t need any Network rule which would Allow Outbound connection to port 8080. If you are using a local proxy, you need to bind that Outbound (ONLY - NO Inbound rules, please!) rule to both port and IP address (typically the 127.0.0.1 loopback).

I cannot stress enough, you do not need ANY inbound network rules to do your normal day-to-day browsing, email, etc. Only Outbound.

Local Area Network, webhosting/serving and certain applications like p2p, will require Inbound connections. Unless you are doing those, creating Inbound rules simply opens up your security needlessly.

LM

Thanks for the help, Little Mac. I’ve got a much more secure firewall now, I believe.


No problem; glad to help. I’ll mark the topic as resolved and close it. If you have further questions about your network rules, just PM a Moderator (any one will do) with a link back here and we’ll be glad to reopen it for you. If you’re unsure how to find this thread again, you can find/access all your posts through your Profile.

LM