I have my LAN, and people from wifi and wired on my LAN.
I do not want to trust my LAN, because my roomies can give out the wifi key and/or plug in a cable (physical access).
I see there’s a trusted zone thing with Comodo, which works fine.
But what if I want to have a set of IPs as “Trusted Roomies”, for example 10.1.1.1 and 10.1.1.2 and everything else can be denied. These IPs are statically assigned by my router, so I know they won’t change since they’re bound to MAC addr.
Does Comodo have such a feature? If yes, please help by pointing me in the right direction, as my searches on the forum were all in vain.
What you’re looking for is exactly what you’ve already found - zones. You can create a zone that covers just the IPs you have assigned to your roomies (Start range : 10.1.1.1 - End range : 10.1.1.X). Create this zone and set it as a trusted zone.
If you really want to tighten your access, you can adjust the rules so that they exclude all IPs other than those specifically named. This is done in the network monitor rules, selecting “Exclude”. In a nutshell, you would create a BLOCK rule, select EXCLUDE, and then name the IP addresses that you want to have access. Any other IP address is then BLOCKED; the named IP addresses are ALLOWED.
Thank you for taking the time to reply to me. And maybe I didn’t get your answer correctly, in which case, apologies.
My question was looking for something like an option in the “Define Trusted Network”, that would let me add a set of IPs to a trusted level, intra, or extra. Just like the “set of ports” we can add in the nrules.
Currently, my router gives out dhcp ips in the range of 10.1.1.10 → 10.1.1.20.
However, only my 2 laptops and 1 other roommate’s laptop are what I trust. Namely, *.10, *.11, *.12
Everything else, although in my LAN, I don’t trust.
Now, what you say seems fine to me, but that also leads me to think (and please tell me if I’m wrong heh) that when you say BLOCK, it blocks world. And allows only the specified IPs. Something like a whitelist.
Which means, it might block internet for me.
I haven’t tried your suggestion yet, but I’d definitely like it if you could help me out further and/or clear my doubts.
Once again, thank you very much. To you, and to Melih and his associates for coming out with an amazing suite of freeware products.
Router auto-assigns IP addresses in the range 10.1.1.10-10.1.1.20
If these assumptions are correct, then there is a fairly easy way to achieve what you want, providing your router allows you to bind a specific DHCP assigned IP address to a specific MAC address.
When you define a zone, define the start address as 10.1.1.1 and the end address as 10.1.1.12. This will allow the trusted devices to access each other and the net. All you have to do then is to work out how you want to handle other addresses.
If you don’t trust IPs above 10.1.1.12, why don’t you just adjust your router’s DHCP assignment pool downwards from 20 to 12? This would seem to be the simplest solution.
If you really want to make things harder for roomies to pinch bandwidth (which I’m assuming is the issue), change the IP of the router and the trusted devices to a different subnet, something like 172.16.43.85, 86, 87 and 88, and redefine the zone accordingly. If someone is just trying out your LAN at the simplest level, they’re going to start at the most common default addresses for the router - 192.168.1.1 or 10.0.0.1 or 10.1.1.1. Changing the IPs isn’t world’s best security, and won’t stop a determined hacker, but it can deter or delay a casual bandwidth thief.
The other thing you can do is to disable SSID broadcast and DHCP altogether and statically assign IPs on the trusted laptops and PCs, and associate those statically assigned IPs with their respective MAC addresses in the router. This cuts down extraneous broadcast chatter from the router and prohibits someone just coming near the router from 1) detecting the SSID (which can still be sniffed, but not by casual BW thieves) and 2) being allocated an IP address which is acceptable to the router.
No, zones are used to allow traffic from complete subnets or from consecutively numbered ranges of addresses within the one subnet, but not from non-consecutive addresses, to the exclusion of all others, within the one subnet.
The only way I can think of achieving what you want is to create three separate zones, one for each IP that you trust. If you are going to go that way, you don’t even have to create a zone, just create rules to cater for traffic to and from the individual IPs.
Unfortunately not. With inbound rules (where your trusted roomies are attempting to contact your PC over the LAN), before an unsolicited contact can be accepted, it must meet the criteria of a Network Monitor rule that allows the traffic in. CFP runs off the “all are guilty until proven innocent” style of thinking. Until there is a rule that explicitly allows the traffic in, it ain’t coming in.
The rules, however, are not hard to make. Open CFP and click on SECURITY - NETWORK MONITOR - ADD and then set up a rule with the following parameters:
Action : ALLOW
Direction : IN
Protocol : TCP/UDP (This should be sufficient)
Source IP : A trusted IP address goes here
Destination IP : ANY (This actually means “This PC”)
Source Port : ANY
Destination Port : ANY
You should repeat these steps for each trusted device on your LAN, not forgetting that your router and other networked devices, like print servers, count too. You could get fussy and create separate IN and OUT rules. This makes it a bit easier if you have to troubleshoot.
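The two approaches described in this thread (the BLOCK rule with “Exclude” from the first reply, and the one-ALLOW-IN-rule-per-trusted-IP approach from the last reply) can be modelled with a small rule evaluator. This is an added example, not Comodo’s code or any poster’s: it assumes, as the thread describes, that unsolicited inbound traffic is blocked unless a rule allows it and that rules are checked top-down with the first match deciding; the `Packet`/`Rule` names, the sample packets and the 10.1.1.0/24 subnet mask are constructed for illustration. It also shows why the explicit BLOCK-with-Exclude rule matters: on its own it only restates the default, but placed above a zone that allows the whole subnet it stops the untrusted .15 while the trusted .10-.12 still get through, and outbound connections from this PC (the “will it block my internet?” worry above) are untouched.

```python
"""Toy evaluator for an ordered, first-match, default-block inbound rule list.
Added example only; the rule semantics are an assumption modelled on the thread."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

ANY = "ANY"                                                    # the GUI's "ANY" choice
TRUSTED = frozenset({"10.1.1.10", "10.1.1.11", "10.1.1.12"})   # addresses named in the thread
LAN = ip_network("10.1.1.0/24")                                # assumed mask for the 10.1.1.x LAN


@dataclass(frozen=True)
class Packet:
    direction: str   # "IN" = unsolicited, arriving at this PC; "OUT" = this PC initiating
    protocol: str    # "TCP" or "UDP"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                 # "ALLOW" or "BLOCK"
    direction: str              # "IN" or "OUT"
    protocol: str = "TCP/UDP"   # "TCP", "UDP" or "TCP/UDP" (both)
    source_ip: object = ANY     # ANY, a frozenset of addresses, or an IPv4Network (a zone)
    exclude: bool = False       # the GUI's "Exclude": match every source EXCEPT source_ip
    dest_port: object = ANY

    def source_matches(self, src: str) -> bool:
        if self.source_ip == ANY:
            return True
        if isinstance(self.source_ip, IPv4Network):
            hit = ip_address(src) in self.source_ip
        else:
            hit = src in self.source_ip
        return not hit if self.exclude else hit

    def matches(self, pkt: Packet) -> bool:
        return (
            pkt.direction == self.direction
            and (self.protocol == "TCP/UDP" or pkt.protocol == self.protocol)
            and (self.dest_port == ANY or pkt.dport == self.dest_port)
            and self.source_matches(pkt.src)
        )


def evaluate(rules, pkt: Packet) -> str:
    """First matching rule wins; with no match the packet is BLOCKED
    ("guilty until proven innocent", as the last reply puts it)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "BLOCK"


# Constructed sample traffic: a trusted roomie, an untrusted LAN host, an
# internet host knocking on this PC, and this PC going out to the internet.
SAMPLE = {
    "roomie_laptop_in": Packet("IN", "TCP", "10.1.1.11", "10.1.1.10", 445),
    "stranger_in":      Packet("IN", "TCP", "10.1.1.15", "10.1.1.10", 445),
    "internet_in":      Packet("IN", "TCP", "203.0.113.7", "10.1.1.10", 22),
    "me_to_internet":   Packet("OUT", "TCP", "10.1.1.10", "203.0.113.7", 443),
}

# First reply's approach: ALLOW the trusted addresses, then BLOCK with "Exclude".
EXCLUDE_STYLE = [
    Rule("ALLOW", "OUT"),                                 # this PC may initiate to anything
    Rule("ALLOW", "IN", source_ip=TRUSTED),
    Rule("BLOCK", "IN", source_ip=TRUSTED, exclude=True),  # everyone else, explicitly
]

# Last reply's approach: one ALLOW IN TCP/UDP rule per trusted device, nothing else;
# the implicit default blocks every other source.
PER_IP_STYLE = [Rule("ALLOW", "OUT")] + [
    Rule("ALLOW", "IN", source_ip=frozenset({ip})) for ip in sorted(TRUSTED)
]

# A zone covering the whole subnet lets the untrusted .15 in ...
WHOLE_SUBNET_ZONE = [Rule("ALLOW", "OUT"), Rule("ALLOW", "IN", source_ip=LAN)]

# ... unless the BLOCK-with-Exclude rule sits above it.
WHOLE_SUBNET_WITH_EXCLUDE = [
    Rule("ALLOW", "OUT"),
    Rule("BLOCK", "IN", source_ip=TRUSTED, exclude=True),
    Rule("ALLOW", "IN", source_ip=LAN),
]


def decisions(rules) -> dict:
    """Map each sample packet name to the action the rule list yields."""
    return {name: evaluate(rules, pkt) for name, pkt in SAMPLE.items()}


if __name__ == "__main__":
    for label, ruleset in [("exclude style", EXCLUDE_STYLE), ("per-IP style", PER_IP_STYLE),
                           ("whole-subnet zone", WHOLE_SUBNET_ZONE),
                           ("whole-subnet zone + exclude", WHOLE_SUBNET_WITH_EXCLUDE)]:
        print(label, decisions(ruleset))
```

Rule order is what makes the Exclude variant useful: an explicit BLOCK rule changes nothing when the default already blocks, but it protects you from a later, broader ALLOW (a whole-subnet zone added in a hurry) quietly reopening the LAN. Both styles leave the OUT rule alone, so the PC’s own connections to the internet keep working.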