Comodo Firewall Rules Hardening Question

Win 7 x64 SP1, Comodo 5 latest version.

I just recently installed Win 7 and Comodo. I am running Win 7 pretty much as installed. I have not turned off file sharing, etc. Comodo is installed in default firewall install mode, no AV installed. Running Avast 6 instead. Firewall and Defense+ set to Safe mode. Sandbox is on and Defense+ is set to Limited. I have not changed any of the Comodo default rules.

I am also running NIS 2011 on Win XP SP3 in a dual boot setup. NIS 2011 has a number of default system rules set up. I have listed them below. Will adding all or some of these to Comodo’s System rules “harden” the default firewall configuration?

[attachment deleted by admin]

With a default installation of CIS a number of system processes, such as svchost.exe, are allowed to make outbound connections without restriction, so the majority of the rules included in your attachment are already covered. However, let’s break it down:

NetBIOS In UDP 138
NetBIOS Name In UDP 137
Windows File Sharing In/Out TCP/UDP 139
Win 2000 SMB In TCP/UDP 445

The rules above are handled by the System process, which in a default installation of CIS is a trusted process so even though no rules are created, it is still allowed to make these connections.

NetBIOS over TCP/IP (ports 137 to 139) is used for Windows file and printer sharing and, whilst NetBIOS may be disabled on the Network Adapter, it is primarily a broadcast based mechanism and therefore constrained by devices like routers.

SMB over TCP (port 445) is also used to access shared resources but has a greater scope of connectivity than NetBIOS. It too may be disabled.

EPMAP TCP In TCP 135
EPMAP UDP In/Out UDP 135

RPC/EPMAP/DCOM (TCP/UDP on port 135) has a number of functions but has also been the target of a number of malware attacks. It’s a good idea to block access to this port. To do so you’d need to modify the default rules. This is primarily a svchost process.

ICMPv6 In/Out ICMPv6 all

ICMPv6 is used by IPv6, so unless you’re actively using the protocol stack, in which case you will have enabled IPv6 filtering in the firewall, you can ignore it. IPv6 may also be completely disabled on Windows.

UPnP Discovery In UDP 1900
SSNP In TCP 2869

UPnP/SSNP (I think that should be SSDP) are used for discovery and maintenance of devices on the network and are handled by svchost. However, the default installation of CIS doesn’t have explicit rules for handling inbound connections. In the majority of cases explicit inbound rules are not needed, as the firewall uses SPI to maintain security.

Web Services In UDP 5357 5358
Web Services Discovery In UDP 3702

Web discovery services, like UPnP/SSDP, are used to locate services offered by devices on the network. This process is handled by svchost but should be limited to the LAN, therefore the default rules should be adapted.

LLMNR-IPv6-ndp In TCP/UDP 5355

Link-Local Multicast Name Resolution is a bit like DNS but for local devices. It can actually be used by IPv6 and IPv4. This process is handled by svchost and also, in the case of IPv6, IPv6 filtering. This is another process that only needs local access.

Thanks for the detailed explanation!

I am most concerned about NetBIOS. I had major problems with leakage on the NetBIOS ports on my XP OS. So much so, I finally just disabled NetBIOS on my LAN connection since I am only using a single PC.

I also had problems with NetBIOS leakage when I was using Comodo 4 versions, but that could also be attributable to XP.

To date, on the Win 7 OS with Comodo 5, I have seen port 139 listening on occasion.

I do have one more question. My router does not support IPv6. Should I disable that option in the Comodo firewall for that? If I disable that option, will it also stop IPv6 over IPv4 which I think I need?

If you completely disable NetBIOS on the network adapter, it will close ports 137 to 139 entirely. However, it won’t close port 445 (SMB over TCP), but there are other ways to disable this.

If your router doesn’t support IPv6 and you don’t see yourself using the protocol stack in the near future, you may as well disable it. Doing so won’t affect IPv4. To disable the stack, open a command prompt and enter the following. These are completely reversible.

netsh interface ipv6 set privacy state=disabled
netsh interface ipv6 6to4 set state state=disabled
netsh interface ipv6 isatap set state state=disabled
netsh interface ipv6 set teredo disabled
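As an added check that is not part of this thread, the following PowerShell 2.0 script (Windows 7) reports, per adapter, whether NetBIOS over TCP/IP is still enabled and which of the ports from the NIS rule list discussed above are currently bound, with the owning process; this is the quick way to confirm the "port 139 listening" observation and the effect of disabling NetBIOS on the adapter. The port descriptions are taken from the rule list; the script and its output format are assumptions of this example.

```powershell
# Added example: audit the Windows 7 network services discussed in this thread.
# Reports (1) NetBIOS-over-TCP/IP state per IP-enabled adapter and
# (2) which of the listed ports are currently bound (TCP LISTENING or any UDP
# socket), with the owning PID and process name.  Run as Administrator so
# netstat -o can show PIDs for all sockets.

# Ports from the NIS rule list: EPMAP, NetBIOS, SMB, UPnP/SSDP, WS-Discovery, LLMNR
$watched = @{
    135  = 'EPMAP (RPC endpoint mapper)'
    137  = 'NetBIOS Name Service'
    138  = 'NetBIOS Datagram'
    139  = 'NetBIOS Session / file sharing'
    445  = 'SMB over TCP'
    1900 = 'UPnP/SSDP discovery'
    2869 = 'UPnP event notification'
    3702 = 'WS-Discovery'
    5355 = 'LLMNR'
    5357 = 'Web Services on Devices (HTTP)'
    5358 = 'Web Services on Devices (HTTPS)'
}

# 1. NetBIOS over TCP/IP: TcpipNetbiosOptions 0 = DHCP default, 1 = enabled, 2 = disabled
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object {
        $state = switch ($_.TcpipNetbiosOptions) {
            0 { 'default (from DHCP)' } 1 { 'enabled' } 2 { 'disabled' } default { 'unknown' }
        }
        '{0,-45} NetBIOS over TCP/IP: {1}' -f $_.Description, $state
    }

# 2. Parse "netstat -ano" output.  TCP rows have 5 fields
#    (Proto Local Foreign State PID); UDP rows have 4 (no state column).
netstat -ano | ForEach-Object {
    $f = $_.Trim() -split '\s+'
    if ($f.Count -lt 4) { return }                          # headers / blank lines
    if ($f[0] -ne 'TCP' -and $f[0] -ne 'UDP') { return }
    if ($f[0] -eq 'TCP' -and $f[3] -ne 'LISTENING') { return }   # skip established TCP
    # Local address is "0.0.0.0:139" or "[::]:5355"; keep only the port
    $port = [int]($f[1] -replace '^.*:(\d+)$', '$1')
    if (-not $watched.ContainsKey($port)) { return }
    $procId = $f[-1]
    $name = (Get-Process -Id $procId -ErrorAction SilentlyContinue).ProcessName
    '{0,-4} {1,-5} {2,-35} bound on {3,-22} PID {4} ({5})' -f `
        $f[0], $port, $watched[$port], $f[1], $procId, $name
}
```

Re-run the script after disabling NetBIOS on the adapter: ports 137 to 139 should disappear from the second section while 445 stays, which matches the reply above.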