I have 2 nics in my computer: one, wich gets it’s IP aadress from dhcp server is for internet connection and second, wich has static IP for secure LAN.
How to set up Comodo so, that between these different NICs will be absolutely no connection.
In other words: all internet activity is blocked in NIC2, but the LAN activity is allowed… :THNK
You could do this providing the two NICs IP addresses are on different subnets. Assuming that,
INTERNET NIC :
Create the normal internet enabling rules for the internet NIC and add a rule that blocks all traffic from the subnet that is used on your LAN.
LAN NIC :
Create a set of rules that allow traffic in and out to your LAN subnet and add a rule that blocks all traffic from the subnet that is used on your Internet connection.
If the two NICs get addresses in the same range (e.g. 192.168.X.X or 10.1.X.X or 172.16.X.X) then you would need to ensure that the statically assigned addresses are separated from the DHCP assigned ones (e.g. DHCP range = 192.168.1.1-127 STATIC range : 192.168.1.128-255). If they are separated, you could define two trusted zones which will create appropriate rules as outlined above, with the exception of the rule to block the other NIC. This would need to be created manually.
If the statically assigned and DHCP assigned addresses are intermixed, you will need to create individual rules, as CPF as no method of defining a zone of non-consecutive addresses.
(From DHCP server; IP range 192.168.1.64 - 192.168.1.253)
Do you mean one rule with bidirectional rule or two separated rules, one for IN and one for OUT?
Wich subnet should be source and wich target? Or this is not important?
If i make rule(s) with zones (Internet NIC and LAN NIC), are results same as subnets?
And can you explain me that (rule) direction thing: it is less confusing, when one of source or destination is in local PC and another somewhere in internet. But if they both (2 subnets / zones) are in the same PC?
And last thing: These rules in the list. Wich have higher priority than another? These, wich are above other rules?
And how can i check, that these rules are working? I mean from another computer from my lan. The traffic between them is invisible…
In summary, your PC has two NICs with the following IP parameters;
LAN (NIC 1)
Statically assigned LAN IP address : 192.168.1.13
Netmask : 255.255.255.224
Gateway : 192.168.1.14
INTERNET (NIC 2)
DHCP assigned IP range : 192.168.1.64 - 192.168.1.253
Netmask : 255.255.255.0
Gateway : 192.168.1.254
To manually create a zone, click on SECURITY - TASKS - ADD/REMOVE/MODIFY A ZONE.
To allow LAN traffic via NIC 1, you could create a zone with the following parameters;
Zone Name : LAN
Start Range : 192.168.1.1
End Range : 22.214.171.124
To allow INTERNET traffic via NIC 2, you could create a zone with the following parameters;
Zone Name : INTERNET
Start Range : 192.168.1.64
End Range : 192.168.1.254
Once these two zones are created, we need to set them as trusted to create the Network Monitor rules. Click on SECURITY - TASKS - DEFINE A NEW TRUSTED NETWORK. Click NEXT and then select one of the two zones we have just created. Follow the instructions through the rest of the wizard and by the end, it will have added two rules for that zone to the Network Monitor. Repeat these steps for the other zone we created. By the end of the process, we will have an additional four Network Monitor rules, but we may be deleting one of these (as explained below).
These four rules achieve the following;
The IN rule for the LAN zone allows unsolicited inbound traffic from IPs in the range 192.168.1.1 - 192.168.1.14. Your systems responses to these unsolicited inbound requests are automatically allowed, so we don’t need to create a separate response rule.
2.The OUT rule for the LAN zone allows outbound requests from your PC to IP addresses in the range 192.168.1.1 - 192.168.1.14.
3.The OUT rule for the INTERNET zone allows outbound requests from your PC to IP addresses in the range 192.168.1.64 - 192.168.1.254. As the returning data is being sent in response to a valid request from us, it is automatically accepted. Therefore we do not need to make a corresponding IN rule.
The IN rule for the INTERNET zone should be deleted if you are not running any form of a server that needs to be accessible from the internet. If you are running some form of a server, then the rule should be tightened to restrict access to the specific ports your server software requires.
If anyone can spot anything wrong with this approach, or if there is a better way to achieve the desired outcome, please jump in and correct where necessary.