I’m trying (and struggling!) to use Comodo Firewall (2.4.18.184) to control internet Connecton Sharing (ICS) on Windows 2000.
What I have is a 3G mobile Internet connection on a laptop, which is shared using Windows ICS. ICS acts as a DHCP server on 192.168.0.0/24, and a gateway and DNS proxy on 192.168.0.1.
The laptop’s ethernet port is connected to the WAN port of a wireless broadband router, which gets an IP via DHCP from the laptop, and creates its own subnet (192.168.2.0/24) which wireless clients connect to.
All of this works without a firewall, but I want to limit the type of data that the connection can be used for.
What I would like to do is block everything to start with, then allow some exceptions.
Question 1:
In particular I need to enable DHCP so the wireless can get its connection details. That’s where I’m stuck. If I give the router static IP (eg 192.168.0.50) I have managed to give wireless clients Internet access, but I can’t work out what I need to enable to allow the laptop to act as a DHCP server. Nothing gets logged, the router just times out requesting an address.
Question 2:
If I need to, am I able to block (or enable) traffic from specific wireless clients on the 192.168.2.0/24 subnet (keeping in mind that they will be seen by Comodo as NAT traffic from the router on 192.168.0.0/24)?
Question 3:
I would like to give the laptop itself unrestricted access to the Internet, and just limit the traffic through the 192.168.0.0/24 subnet. I haven’t really looked at that yet, but a pointer as to where to start would be appreciated.
I’ve been working off-line with another poster in a related topic, and what we’ve been finding is that it isn’t possible. The limitation is in the wireless NIC hardware: it doesn’t support “promiscuous mode”. DHCP uses broadcast packets, and without the promiscuous mode, those packets don’t make it across from the wireless into the wired LAN. Predefined addresses, as you’ve found, will work fine. It’s just that the DHCP server has to be on the same side of the wall. What this means, to answer your question, is that ICS can’t be used as a DHCP server for wireless clients.
There is a hack that could, maybe, allow ICS that is also a host wireless access point, to be used as a DHCP server. The hack involves changing the wireless NIC adapter settings to simulate a broadcast bridge. That’s not something that can be done when using a separate wireless router.
Details http://www.microsoft.com/windowsxp/using/networking/expert/crawford_02april22.mspx
Nope. Once thru the NAT, all devices behind the NAT appear as a single device. The packets all have the same IP address, and the same Ethernet MAC: that of the NAT interface.
If I understand you correctly, you’re wanting to give 192.168.0.0/24 access to the Internet, but not allow any Internet access to 192.168.2.0/24.
From the perspective of the laptop at 192.168.0.1, there will be wired Ethernet traffic with source addresses in both 192.168.0.0/24 and 192.168.2.0/24. To restrict the 2.0/24 traffic, you’d need a sequence of rules something like this:
allow protocol IP from 192.168.0.0/24 to 192.168.2.0/24
allow protocol IP from 192.168.2.0/24 to 192.168.0.0/24
deny&log protocol IP from 192.168.2.0/24 to any
… any other 0.0/24 rules…
default deny&log everything
That will keep all the 2.0/24 traffic talking only to 0.0/24 addresses.
It occurred to me a few minutes ago, that I was mixing configurations in my answer to Question 3.
In my answer, I was assuming the wireless router was functioning as a router and a DHCP server, and not as a NAT device.
If you disable NAT, then in your Question2, yes you can control individual clients access to the Internet by IP address. If you know their IP address. If those addresses are assigned by the wireless DHCP, then you don’t know which is which until the address is assigned. If you give a fixed static address, then you probably don’t need the DHCP service running either. In which case, you have a wireless access point running simply as a router.