COMODO Firewall: Blocking all traffic except specific websites

Hello!

I’m using COMODO Firewall and I would like to restrict internet access to specifically chosen websites. My goal is to block all traffic except for certain websites. I achieved this for the ChatGPT website by creating a rule in Advanced Settings → Firewall → Global Rules:

Action: Allow
Protocol: Any
Direction: In
Source address: Any Address
Destination address: Host Name - chat.openai.com

While this successfully allows ChatGPT access, it also enables a few other unrelated websites. After checking their IP addresses, I believe they use the same CDN as ChatGPT.

My question: How can I configure a rule that blocks all internet traffic except for specific websites? I want only these approved sites accessible, with all others blocked.

Could you please help me write such a rule?

Thank you!

Alex

CF Web Protection only effectively works with Firefox.

You need to either create a global Block Rule for the specific website's IP address, or create one for your browser in the Firewall Application Rules setting.

You can also block those sites either with the Advanced Filtering of the uBlock Origin web extension or, even better, by creating a block rule in Windows Firewall that blocks the IP addresses of those websites. WF runs alongside CF.

This is a quick and easy guide for blocking via Windows Firewall: https://thegeekpage.com/block-website-access-using-firewall/

If possible, I’d like to stick to COMODO Firewall for this. I managed to block all traffic, but I cannot find a way to allow certain websites. These websites should be allowed based on their host name, not their IP address (since their IP changes frequently).

I am new to COMODO Firewall and I’d like to know if this is possible.

Alex

That’s fine.

You can try doing it via Website Filtering but like I’ve said, it only really works with Firefox and you’d be limited to URL wildcards.

Go into the Website Filtering settings as described in this guide.
Go to Categories.
Create a new category.
Select that category and then click on Add Website.
Here you can add wildcards, e.g. "chatGP*", and it will block anything with that specific string in the URL.
EDIT: You then need to add that category to the Block Sites rule and reboot for it to work.

Websites don't change IP address as often as you think; some keep them for years, but CF/CIS isn't exactly designed for blocking sites other than by their URL or IP address.

It's much easier to just use your adblocker, like uBlock Origin, by enabling "I am an advanced user" and adding, for example, the rule below into My rules, but experiment with it.
||chatgp^$all

Failing that, just ping the website for the IP addresses if it starts allowing those connections.

Thank you for your suggestions, Eric!

I would like COMODO Firewall to filter traffic at the packet level, because I’d like to install it on a home network. It should block all TCP/IP packets except for those coming in and out from specific hostnames. Just the basics, nothing fancy! All other computers that connect through this router computer (with CF installed) should not be able to access the Internet, except for these specific websites (hostnames). So, it’s important I do it via the Global Rules section in the main Firewall module. I understand that it is supposed to filter traffic at the packet level. I see a full set of rules there, with allow/block filters based on protocol, direction, addresses (hosts, IPs, etc.), and ports. It looks complete to me, so there should be a way to block all traffic except traffic coming in and out from certain hosts. I can’t imagine this isn’t possible using the Firewall Global Rules.

I do not want to use a hardware router, as I also installed Fiddler on that computer. I use it as a proxy with many additional filtering rules, based on a scripting file that took me some time to write.

Alex

Comodo firewall rules based on hostname unfortunately don't work as intended. Firewall rules based on hostname will affect a whole continuous IP address range, from the lowest to the highest IP address assigned to that hostname. This means that IP addresses which fall inside that range and which do not belong to that hostname are also part of the firewall rule, which is wrong.
In other words, creating a block firewall rule based on a hostname will also block other hostnames / websites / IP addresses which you do not want.

So do not use firewall rules based on hostname; it has never worked correctly and it never will.

CISfan, what you’re describing above is exactly what I’m experiencing when trying to set up the rules.

> do not use firewall rules based on hostname; it has never worked correctly and it never will.

But why is that? Is this some kind of network limitation or something similar? I can’t imagine this being a bug…

Anyhow, does anyone know a (handy) Windows solution to filter HTTPS packets based on hostnames? Some time ago I used IPSec rules, but if I remember correctly, there was no way to filter hostnames.

Any idea is welcome, thank you!

Alex

Yes, it is a bug in the CIS firewall. The CIS firewall treats a hostname as a consecutive range of IP addresses, which is not right. For hostname-based firewall rules to operate properly, the CIS firewall should perform a DNS lookup and build a list of the IP addresses belonging only to that specific hostname, but unfortunately the CIS firewall doesn't do that; it just takes the first (lowest) and last (highest) IP address and presumes that everything in between belongs to that hostname (which, again, is not right).
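The following is an added example, not code posted by anyone in this thread and not Comodo's own logic. It models the behaviour described in the post above (lowest-to-highest range) beside the per-address expansion a hostname rule ought to produce, and counts how many addresses each version of the rule actually covers. The hostname chat.example.com, its three addresses and the "unrelated" address are constructed sample data; no real DNS lookup is made unless you call resolve() without the table.

```python
"""Added example (not from the thread): hostname-as-IP-range rule vs. a
per-address rule, using constructed DNS answers so it runs offline."""
import ipaddress
import socket

# Constructed sample DNS answers (assumption, not real records). The three
# addresses stand in for a CDN-fronted host whose A records are scattered
# across different address blocks.
SAMPLE_DNS = {
    "chat.example.com": ["104.18.32.47", "104.18.33.47", "172.64.155.209"],
}

# A constructed address belonging to some other site entirely. Numerically it
# falls between the lowest and highest sample address.
UNRELATED_ADDRESS = "130.0.0.1"


def resolve(hostname, table=None):
    """Return the IPv4 addresses for hostname.

    With `table` given, answers come from that dict (offline, used below).
    Without it, a live getaddrinfo() lookup is made.
    """
    if table is not None:
        return list(table[hostname])
    infos = socket.getaddrinfo(hostname, None, socket.AF_INET)
    return sorted({info[4][0] for info in infos})


def range_rule(addresses):
    """Model of the reported CIS behaviour: take the lowest and highest
    resolved address and treat every address in between as the hostname.
    Returned as the list of CIDR blocks that cover that span."""
    ips = sorted(ipaddress.ip_address(a) for a in addresses)
    return list(ipaddress.summarize_address_range(ips[0], ips[-1]))


def exact_rule(addresses):
    """What a hostname rule should expand to: one /32 per resolved address."""
    return [ipaddress.ip_network(a) for a in addresses]


def matches(networks, address):
    """True if `address` is covered by any network in the rule."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in networks)


def covered_addresses(networks):
    """Total number of addresses the rule applies to."""
    return sum(net.num_addresses for net in networks)


if __name__ == "__main__":
    answers = resolve("chat.example.com", table=SAMPLE_DNS)
    for name, rule in (("range rule", range_rule(answers)),
                       ("exact rule", exact_rule(answers))):
        print(f"{name}: {covered_addresses(rule)} addresses covered, "
              f"unrelated address matched: {matches(rule, UNRELATED_ADDRESS)}")
```

With the sample data the range version spans well over a billion addresses and matches the unrelated address, while the exact version covers only the three resolved addresses. The same over-match applies to an Allow rule, which is why an allowlist built this way lets in other sites on the same CDN. Note that a per-address allowlist has to be refreshed whenever the DNS answers change, which is exactly the maintenance burden the original poster wanted to avoid.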

One last thing, please… why isn’t this known bug fixed right away?! Is this application no longer supported, or what am I missing here?

There’s a list of known bugs here: List of Current Bugs

This issue relates to Bug No 19. The Bug list was last updated January 23rd but some bugs are present in .8012 and not in the current Beta.

The devs are working through this list ahead of the third Beta, due to come out at some point soon. There appear to be fewer staff these days working through them, as they prioritized their Xcitium Business solutions some time back, but they are working through them.

I only have the stable version installed on my PC, as it is my only production machine, but I have tested Beta 2 a couple of times. Development has been slow and the 3rd Beta is already a couple of months behind schedule, so you will probably have to find a related solution, such as via Windows Firewall (which runs alongside CF), a browser extension, or you might be able to do it old school via the Hosts file. There’s also the option of web extensions like SiteBlock or uBlock Origin, but you can even do the same via some DNS providers.

Old school things at least work as they should.
Modifying the Windows hosts file and adding the websites you want to block works perfectly.

Thank you for the clarifications, Eric!

> it has never worked correctly and it never will.

CISFan, what makes you say it will never be fixed?

In that list, I see 42 bugs and only two fixed. So I guess I would be very lucky if this bug is fixed within a year or so, am I right?

> Modify the Windows hosts file and add the websites you want to block works perfectly

I would do that if it would work, but I need COMODO Firewall to block all traffic except for some ports and hostnames. So, most of the CF rules are ‘Allow’ rules, not ‘Block’. The web traffic is routed through Fiddler (with script-based rules). The problem is that some websites (very few!) do not work well via Fiddler, and for those, I’d like to set up an ‘Allow’ rule in CF so that they are routed directly to the Internet, bypassing Fiddler.

Anyhow, this hostname filter bug (no. 19) doesn’t sound like it would require too much programming time to fix. I hope they will fix it soon…

Alex

Comodo has a very, very long tradition of not fixing long-standing bugs. Creating them, yes, but fixing them, no…

Instead of Fiddler, have you looked at Wireshark? Maybe Wireshark is an option too.

Alright, everything is clear now. Thank you both!

Regarding Wireshark, yes, I tested the application a few years ago, but I chose Fiddler Classic because of its powerful scripting language. I’m not only using it to filter out websites. I also use it for other purposes such as HTML replacements, HTTP header modifications, changing cookies, etc. In summary, there’s really no limit to what a Fiddler script can do to a website.

Alex