Disconnect internet only

Hi!

What is the best way to block all internet traffic on one of my computers while still having the home network running? The computer seems to access internet through the home network connection (the router that creates the network is connected to internet). I seem to only be able to either block all traffic (including home network file sharing) or none of it.

Any help would be appreciated!

Are you looking for a permanent solution, or just something temporary? Also, which types of services are running on your LAN that the PC may need to access?

How do you want to do this? Using CIS or normally?

Normally, if I were you, I'd simply remove/change the DNS server IP to an invalid one in the LAN settings…

Permanent. I want this one computer never to connect to the internet, but still be accessible to the other computers for file sharing purposes.

To block internet only traffic, create global firewall rules blocking ports 20, 21, 22, 80 and 443 outbound. You’ll also need to create application rules for your browser replicating the above blocked ports.

Ewen :slight_smile:

I’d take a slightly different approach to that proposed by Ewen, as it’s possible some traffic may be generated over ports not covered by those listed.

The first task is to prevent CIS from trying to perform automatic updates and also ‘cloud’ look-ups. To do this:

  1. Open the CIS control panel from the system tray
  2. Select More/Preferences
  3. Under the General tab, remove the checks for ‘Automatically check for program updates’ and ‘Enable Comodo message centre’
  4. On the Update tab, remove the checks in both boxes
  5. Select the Defence+ tab
  6. Select Defence+ settings/Execution control settings
  7. Remove the checks from the third and fourth boxes for ‘Cloud’ look-ups

Now we can start making some very basic firewall rules to allow LAN traffic but also prevent traffic to and from the Internet.

  1. Open the CIS control panel from the system tray
  2. Select the Firewall tab then select Firewall Behaviour Settings
  3. Move the slider from ‘Safe Mode’ to ‘Custom Policy Mode’ - select ‘OK’
  4. Select the Stealth Ports wizard
  5. Select the first option ‘Define a new trusted network and make my ports stealth for everyone else’
  6. Choose ‘I would like to trust one of my Network Zones’
  7. In the Zone name drop down box choose the name of the Network zone that represents your LAN. If you didn’t change the defaults, it will probably be called ‘Local Area Network #1’

Basically, the last seven steps have given you slightly more control over how the firewall generates rules and have also created some rules that allow file and printer sharing on a Windows network.

Now we need to modify the existing rules.

  1. Open the Network Security Policy tab and select Global rules
  2. There should be two rules at the top of the list that allow IP In/Out, To/From the LAN
  3. Delete all other rules
  4. Add a new rule:

Action - Block
Protocol - IP
Direction - In
Source Address - ANY
Destination Address - ANY
IP Details - ANY

  5. Place the rule below the two LAN rules.

Now select the Application Rules tab.

  1. Find the rule for the System process, it will have the same two rules we saw in Global.
  2. Remove any other rules for the System process
  3. Find the rule for Comodo Internet Security
  4. Select Edit
  5. Choose ‘Use a custom policy’
  6. Delete the existing rules
  7. Select Add

Action - Block
Protocol - IP
Direction - Out
Source Address - ANY
Destination Address - ANY
IP Details - ANY

  8. Select Apply

At this point we have Global rules configured to deal with inbound and outbound traffic for the LAN and also to block any other inbound connections. We have the System process configured to support file and printer sharing and we have blocked Comodo trying to make any unsolicited connections to the Internet. Now we have to configure svchost.exe to support DHCP, DNS/host name look-up, and other LAN related requests.

  1. Open the CIS control panel from the system tray
  2. Select Network Security Policy
  3. Select Application rules
  4. Select Add
  5. In Application path, click Select
  6. Choose Running processes
  7. Choose any svchost entry
  8. select Use Custom policy
  9. Choose Copy from
  10. Choose Another Application/System
  11. Select Apply

The two Application rules for System and svchost cover the majority of traffic that will need to be handled on the LAN, however, if you’re using Windows 7 Homegroups, or you have a need for some specific application to connect, you will need some additional Application rules.

Wow thank you so much for writing this MASSIVE tutorial!

I followed the steps and it seemed to work!

As a feature request it would be nice to make this process a bit more simple, but I’m happy for now just that it was possible to do!

No worries :slight_smile: If you need any further help, please don’t hesitate to ask.

Okay, after using the system described for several months, I decided to report perhaps a more simple way.

  1. Open network connections
  2. Open the Local area connection and go to properties
  3. Open IPv4 properties and give the computer a static IP address
  4. Change the DNS addresses to something random, for example 1.1.1.1 and 2.2.2.2.

This seems to block the computer from the internet while still allowing all LAN traffic normally.

Are there any possible weaknesses to this approach?

This would work for outbound requests that use “names”, but may fail if an outbound request uses an actual IP address.

I’ve also come up with what I think is a simpler method of allowing your system LAN access while denying all other outbound access:

  1. Create a zone that defines your internal LAN (I think you already have this)
  2. Create a rule that BLOCKs all traffic (If we stopped here it would cut your system off from everything)
  3. Select the EXCEPT option in the rule creation window
  4. Enter the ZONE that defines your internal LAN

This simplified rule will allow all traffic within the ZONE you have defined while blocking all traffic to anywhere outside the zone. Of course you would need to remove the other rules previously created.

Hopefully, if anyone can see a flaw in this method, they’ll add their $0.02 worth.

Cheers,
Ewen :slight_smile:
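For readers without CIS, here is an added example (not from the thread, and not Comodo's or any poster's code) that does the same thing with the built-in Windows Firewall: it is the "block everything EXCEPT the LAN zone" rule from Ewen's last post, and it also covers what the long tutorial's global rules achieve (allow LAN in/out, block everything else). It includes a check for the point raised about the invalid-DNS trick, namely that a connection made directly to an IP address still gets out unless traffic is actually blocked. The LAN range 192.168.1.0/24, the router at 192.168.1.1 and the public test target 8.8.8.8 are assumptions; change them to match your network. Run it from an elevated PowerShell on Windows 8 or later.

```powershell
# Added example: Windows Firewall equivalent of "block all traffic except the LAN zone".
# Assumptions: home LAN is 192.168.1.0/24, router/DHCP/DNS at 192.168.1.1, run as Administrator.

$LanZone = '192.168.1.0/24'

# Every unicast address that is NOT in the LAN zone (Windows Firewall has no "except" option,
# so the complement of the zone is written out as two ranges). Multicast (224.0.0.0/4) and the
# limited broadcast address 255.255.255.255 are deliberately left out so DHCP, NetBIOS, mDNS and
# SSDP discovery on the LAN keep working. Loopback is not filtered by Windows Firewall anyway.
$NotLan = @(
    '1.0.0.0-192.168.0.255',
    '192.168.2.0-223.255.255.255'
)

function Set-LanOnly {
    # An explicit Block rule always wins over any Allow rule in Windows Firewall, so this one
    # rule also overrides the built-in "Core Networking" allows (DNS, NTP, ...) for non-LAN targets.
    New-NetFirewallRule -DisplayName 'LAN only - block non-LAN outbound' `
        -Direction Outbound -RemoteAddress $NotLan -Action Block -Profile Any | Out-Null

    # Inbound is blocked by default, but this closes any Allow rule scoped to "Any" address.
    New-NetFirewallRule -DisplayName 'LAN only - block non-LAN inbound' `
        -Direction Inbound -RemoteAddress $NotLan -Action Block -Profile Any | Out-Null

    # Keep file and printer sharing reachable from the LAN zone (SMB, TCP 445).
    New-NetFirewallRule -DisplayName 'LAN only - allow SMB from LAN' `
        -Direction Inbound -Protocol TCP -LocalPort 445 -RemoteAddress $LanZone `
        -Action Allow -Profile Any | Out-Null
}

function Remove-LanOnly {
    # Undo: remove only the rules created above.
    Get-NetFirewallRule -DisplayName 'LAN only - *' | Remove-NetFirewallRule
}

function Test-LanOnly {
    # Probe by name AND by raw IP so the result separates "DNS is broken" from "traffic is blocked".
    # With only the invalid-DNS trick, InternetByName fails but InternetByIP still succeeds.
    $byName = Test-NetConnection -ComputerName 'dns.google'  -Port 443 -WarningAction SilentlyContinue
    $byIp   = Test-NetConnection -ComputerName '8.8.8.8'     -Port 443 -WarningAction SilentlyContinue
    $lan    = Test-NetConnection -ComputerName '192.168.1.1' -Port 80  -WarningAction SilentlyContinue

    [pscustomobject]@{
        InternetByName = $byName.TcpTestSucceeded   # expected False after Set-LanOnly
        InternetByIP   = $byIp.TcpTestSucceeded     # expected False after Set-LanOnly (True with DNS trick only)
        LanReachable   = $lan.TcpTestSucceeded      # expected True (assumes the router serves a web UI on 80)
    }
}

Set-LanOnly
Test-LanOnly
```

The address ranges are used instead of the firewall's `Internet` keyword because that keyword depends on how Network Location Awareness classifies each address, whereas the explicit complement of the zone matches exactly what Ewen's "block all except zone" rule expresses. If the machine gets its address by DHCP rather than statically, check that the lease is still renewed after applying the rules; the DHCP exchange uses broadcast and the router's LAN address, so it should be unaffected.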