Dumb firewall question [Resolved]

You have a NAT hardware router, as the gateway connecting your local LAN to the internet, so really all IP traffic has a local subnet IP address. How do you tell your machine’s Comodo firewall that you want to trust your local subnet, but want to restrict (not prohibit) all IP communications that go to your gateway’s IP address to be forwarded via NAT to go somewhere outside your local subnet?

I hope this makes sense, thanks.

Hello sumthinelse

I believe you will need to create a ‘New Zone’. Go to Tasks\Add\Remove\Modify a zone. Give the zone a name eg. ‘Home’ then define the IP range for your network. Generally this will be one of the reserved IP address ranges and for a small LAN, something like - is more than adequate.

Once you have created the zone go to Tasks\Define a new trusted network and select the name of the ‘zone’ you created above. It should then create two Network Monitor rules for your LAN.

That should do it but if you need some more help please don’t hesitate to ask.


Thanks Toggie,

Are you sure that trusting won’t trust everything in the internet? For example, since all IP addresses I am communicating with are encapsulated within - by the NAT, I won’t be trusting communications with, since they will be encapsulated in my local gateway’s (NAT’s) 192.xxx.xxx.xxx?

Just to clear things up slightly, is a class C IP range. Not a class B.
Class B uses 16 bits ( and contains 65536-2 addresses.
Class C uses 24 bits ( and contains 256-2 addresses.

When you configure trust for the IP range, you are only trusting addresses in that range that end with .1 up to .254. The network 192.168.1.x is a completely different network altogether and won’t be trusted. It could just as well be the network 209.195.132.x. Both are outside the current network you’re on and are thus considered to be Internet/untrusted.
This is how the IP address schemes are implemented when using TCP/IP. If you want to trust the address or any other address range or host for that matter, you have to specify a separate rule for it.

Thanks Triplejoint. Maybe I don’t understand your post, but I think I still don’t have an answer to my question about NAT encapsulation. Let me try to state it again.

#1 I want to trust IP communications inside 192.168.1.xxx that do not contain a NAT-encapsulated address outside my 192.168.1.xxx LAN subnet,

#2 but I do not want to trust IP communications from or to 192.168.1.xxx that do contain a NAT-encapsulated address outside 192.168.1.xxx. If I look at the trace of such a frame, the IP address is within 192.168.1.xxx, but it comes from or goes to a machine outside my LAN, via NAT encapsulation.

If my rule is that I trust, will I also be trusting #2?

No sumthinelse. #1 does not apply to #2.

NAT (Network Address Translation) happens on your DSL router and is something you can’t control. It’s not an encapsulation, but a way to preserve IP addresses. Call it a scheme or a feature if you will. This is achieved by “changing” your IP address every time your data passes the DSL gateway/router.

But to explain this in basic terms:
Your outside address differs from your inside address, which means that these two addresses are regarded as two separate network addresses. Hence trusting your LAN addresses will not trust your outside address, regardless of NAT.

Thanks again Triplejoint. That’s what I really wanted to know. (:WAV)

If, for example, tries to connect to a port that I have blocked for networks outside my LAN, the NAT gateway (if I don’t have it blocked in the NAT router also) may change the IP address to its own IP address (e.g. and forward that request to my machine. There will be something inside the frame that will allow the Comodo firewall on my machine to recognize that it is being forwarded from outside my LAN, and not trust it. I’m not sure what that “something” is. Need to look closely at traces to see what the “something” is.

I’ll try to change the thread title to [RESOLVED].

Glad to be of assistance. Just for the record, it’s Triplejolt… not joint. Just wanted to clear that up before anyone would get the wrong impression here, lol :slight_smile:

Uhm… Not sure I got the entire essence in this, so I’m gonna employ some good ol’ “best judgement” here :slight_smile:
If this is your outside NAT address, blocking it in the CFP won’t do anything. This address will never reach your computer, as it is “stripped” off once it reaches the DSL router. If you block any traffic destined for this IP in the DSL router however, you will drop everything on an inbound vector. You will still allow outbound traffic though.

Nope. Once the package is clear of the DSL router, there’s no trace of NAT ever being used. And CFP won’t know if NAT is in effect when packages pass either. It will just happily allow what it’s being told to allow and pat itself on the shoulder for a “job well done”.

Thanks. Feel free to comment though. Or just tell me you want this thread closed, and I’ll lock it.

I apologize for my previous ignorance. I did what I should have done from the beginning, which was to install a protocol analyzer to see the traffic. The result was that I realized that my previous conception of NAT was backwards. I wrongly thought that the NAT translated inbound internet traffic’s source IP to that of the NAT router, but that was absolutely wrong! It just uses a single IP address on the WAN side of the gateway, not the LAN side.

Thanks Triplejolt for setting me straight. (:WAV)

One question I am puzzled about—and yes I have a small LAN with address ranges of 192.168.0. some number between 1 and 255, defined as a trusted zone. And it would be one thing to have a rather large small LAN where the entire address range is actually populated with actual computers belonging to that trusted network. But the fact is that most small LANs don’t have enough computers attached to even begin to touch more than maybe 10 of those possible addresses.

And in my case, using ICS as the connection means—two is the limit without extra hardware. And the host computer must have and the client computer is free to use any address between 2 and 255—which I have locked to one specific number in the range by using static client addressing.

So the question becomes—is it an exploitable hack for some remote computer to use some number other than 1 or my given number choice?—and get recognized by Comodo as in the trusted zone.
And if so—would it not be better to restrict the entire trusted range of to just the actual computers on a given LAN?

It is possible to do so, and it’s called subnetting. What it does is divide your current network into smaller ones. This is achieved by using a subnet mask to reflect this. The smallest is which gives you 2 hosts, 1 for network ID and 1 for broadcast. 4 addresses in all.

Here’s what it looks like using as an example:
- Network-ID
- Host 1 (DSL gateway/router)
- Host 2 (your computer)
- Broadcast
- Network-ID (next subnet)
…
- Broadcast

Next possibility is:
- Network-ID
- Host 1
- Host 2
- Host 3
- Host 4
- Host 5
- Host 6
- Broadcast
- Network-ID (next subnet)
…
- Broadcast

Those are just two examples of how to subnet. You can use different sizes depending on the subnet mask. Just do a Google search on the topic subnetting and you’ll get more examples.

To answer your question, no. You can’t give yourself an IP address and “hook” into others’ networks. It doesn’t work like that, and in most cases you won’t even be able to connect to the Internet.
But feel free to experiment with subnetting and the use of private addresses. At least you’ll get some insight on how TCP/IP and NAT work :slight_smile:

Can I lock this topic now?
Both NAT and subnetting are explained in detail in other threads :slight_smile:
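As an added example (not posted by anyone in this thread), the two points Triplejolt makes, that a zone rule only matches addresses inside the zone's prefix and that an inbound packet forwarded by the NAT router still carries its Internet source address, together with the /30 and /29 subnet layouts from the subnetting post, worked through with Python's standard ipaddress module. The trusted zone, the subnets and the sample packets are constructed values, not taken from the thread.

```python
import ipaddress

# Constructed values for illustration; the thread's own addresses are not reproduced here.
TRUSTED_ZONE = "192.168.0.0/24"   # the whole class-C-sized LAN zone the original poster trusts

def subnet_layout(cidr):
    """Network ID, first/last usable host, broadcast and usable-host count for a subnet."""
    net = ipaddress.ip_network(cidr, strict=False)
    hosts = list(net.hosts())
    return (str(net.network_address), str(hosts[0]), str(hosts[-1]),
            str(net.broadcast_address), len(hosts))

def is_trusted(src_ip, zone=TRUSTED_ZONE):
    """A zone rule matches only addresses inside the zone's prefix, nothing else."""
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(zone, strict=False)

def classify(packets, zone=TRUSTED_ZONE):
    """Label each inbound packet the way a LAN-zone rule on the host would see it."""
    return [(p["src"], p["dst"], "trusted" if is_trusted(p["src"], zone) else "untrusted")
            for p in packets]

# Constructed inbound packets as the host firewall sees them after the NAT router.
# NAT rewrites the *destination* of inbound traffic to the LAN host; the Internet
# source address is carried through unchanged, so there is no "trace" of NAT to detect.
SAMPLE_PACKETS = [
    {"src": "192.168.0.1", "dst": "192.168.0.2"},   # the gateway itself, inside the zone
    {"src": "203.0.113.7", "dst": "192.168.0.2"},   # Internet host forwarded in by the router
    {"src": "192.168.1.5", "dst": "192.168.0.2"},   # neighbouring private net, outside the zone
]

if __name__ == "__main__":
    for cidr in ("192.168.0.0/30", "192.168.0.0/29"):
        print(cidr, subnet_layout(cidr))
    for row in classify(SAMPLE_PACKETS):
        print(row)
    # Narrowing the zone to a /30 leaves only the gateway and this host trusted.
    print(is_trusted("192.168.0.9", "192.168.0.0/30"))  # False
```

Shrinking the zone from /24 to /30 is the "restrict the trusted range to the actual computers" idea from the question: any other 192.168.0.x address then falls outside the rule.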