Let’s say we have a network that consists of a router with IP 192.168.0.1, a 1st PC with IP 192.168.0.5 (that has CIS installed) and a 2nd PC with IP 192.168.0.10.
For the sake of the questions let’s say those IPs are static.
All questions \ scenarios are from the 1st PC’s “point of view”.
If I want to, let’s say block access to and from 2nd PC, but still be able to use the internet, I just create 2 global rules “Block IP Incoming source IP 192.168.0.10 destination IP any” and “Block IP outgoing source IP any destination IP 192.168.0.10” correct?
And if I want to, let’s say, block outgoing connections to a certain IP that is outside the local network like 50.22.11.10, I create 1 global rule “Block IP outgoing source IP any destination IP 50.22.11.10” correct? Or won’t that work because from the 1st PC’s point of view all outgoing requests go to the router (192.168.0.1)? What about incoming requests?
I have tested this before. Forgive me, as I don’t have this on my phone to retest for you, but I must ask: have you run this test yourself?
Sometimes experimentation will answer your question for you.
Take a look at this test I had done with an older version. The rules will be similar.
This might help you.
I can’t really test it myself since I don’t have a router.
I’m asking because when I’m cleaning people’s PCs I usually install CIS as a defence system, and some of them have routers, but since I usually work remotely I can’t really run any tests there.
So if someone has a router with 2 or more devices connected to it, it would be nice if someone could run those tests for me.
Prevents the machine with CIS on it from accessing the machine with IP 192.168.0.10, yes, but still allows internet access. CIS’s rules apply to the actions of the machine on which it is running only.
And If I want to let's say block outgoing connections to a certain ip that is outside local network like 50.22.11.10 I create 1 global rule "Block IP outgoing source IP any destination IP 50.22.11.10" correct?
Prevents machine with CIS on it from accessing that external internet IP, yes
Or won't that work because from the 1st PC's point of view all outgoing requests go to the router (192.168.0.1)?
A NAT router knows to catch all requests to external internet IPs and pass them on to the external internet IP.
What about incoming requests?
Incoming [b]requests[/b] from an external IP are blocked by a NAT router unless you modify standard settings in the router. This is for two reasons: 1) security, 2) it does not know where on the internal network to send them. The NAT router internal settings need to be changed if you are running an internet server on your network - typically by setting a port forwarding rule that says 'forward all requests on this port (eg http:80 for a web server) to the following internal IP address'.
Incoming replies to requests made by a local device to an external IP are passed because 1) they are safer 2) a NAT router remembers the request and therefore knows where to send the reply. (Technically the reply is sent to the router’s external or internet IP, and the router translates it into an internal address)
I hope I don’t confuse with the response.
So I can use CIS firewall global rules to restrict access to and \ or from other devices on local network (router network).
Also I can use them to restrict outgoing access to the internet, since the router doesn’t interfere with outgoing requests (default allow?).
As for incoming (unrequested) connections, router blocks them by default, so I need to allow them in router settings first. Did I get it right?
And one more question \ scenario.
Let’s say I’m running an FTP server on a PC with CIS behind a router… In router settings I allow incoming connections on port 21 and some others for PASV mode, I allow the same in CIS global and application rules… that should work, right? So now, let’s say I want to block a certain IP from accessing that server. I can configure it in the server’s settings, but for this question let’s say I want to use CIS for that, so do I add a rule in CIS or do I have to do it in the router?
“Too long didn’t read \ understand” version:
If an incoming connection was allowed in router (on certain port(s)) does CIS “see” the source IP for that connection(s), or does CIS “see” that connection as coming from the router (192.168.0.1)?
To and from the device which has CIS on it, with source/destination as other computers on the network. Global does not mean it has effect on the whole network, just one machine’s comms with the rest of the network. That is my understanding, though I have not used it like this. Ronny or EricJH may be able to confirm for sure.
Also I can use them to restrict outgoing access to the internet, since the router doesn't interfere with outgoing requests (default allow?).
Router won't normally interfere on default settings. Obviously if your router supports bespoke firewall rules it may. Also parental control will.
As for incoming (unrequested) connections, router blocks them by default, so I need to allow them in router settings first. Did I get it right?
Yes.
And one more question \ scenario.
Let's say I'm running a FTP server on a PC with CIS behind a router..... In router settings I allow incoming connections on ports 21 and some other for PASV mode. I allow the same in CIS global and Application rules...
Yes, though not sure about PASV. Also note that you must tell the router which local IP to send the packets to. Important to note, as you realise, that both CIS global and application rules need to be taken into account in this AND in all my above statements (sorry, should have been clearer). See [url=http://help.comodo.com/topic-72-1-284-3017-Global-Rules.html]here[/url] for more details. They both act as filters logically, so if packets are stopped by either, they don't get through. If you are considering port forwarding you should either ensure very tight security on the machine you are forwarding to or restrict the internet IPs that can use the service. Again there are mods more expert than me in that area.
So now, let's say I want to block certain IP from accessing that server, I can configure it in server's settings, but for this question let's say I want to use CIS for that, so do I add a rule in CIS or do I have to do it in router?
Better to do it in the router, but you can do it in CIS. Much more secure to allow access only from certain restricted IPs - that's the facility that most routers provide, though doubtless you can find a way of doing a 'block just these IPs' rule.
"Too long didn't read \ understand" version:
If an incoming connection was allowed in router (on certain port(s)) does CIS "see" the source IP for that connection(s), or does CIS "see" that connection as coming from the router (192.168.0.1)?
CIS sees it as coming from the internet address.
All the above assume that you are using a standard domestic NAT router.
Worth noting that possible consequences of global block rules include non-functional software on your PC (inc some aspects of the OS maybe) - that’s why they tend to be used for protocol restrictions. A more flexible alternative is application rules, which are in priority order. So you can say ‘allow windows but block all other apps’.
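An added example, not from this thread or from Comodo: a small model of the two filters a packet crosses in the scenario discussed above, the NAT router (with optional port-forwards) and then the CIS rule lists on the 1st PC, using simplified first-match semantics. The public IPs 203.0.113.7 and 198.51.100.9 are constructed sample values.

```python
from dataclasses import dataclass
from typing import Optional

CIS_HOST = "192.168.0.5"          # 1st PC, the one running CIS

@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out", from the CIS host's point of view
    src: str
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    action: str      # "allow" or "block"
    direction: str
    src: str = "any"
    dst: str = "any"
    dport: Optional[int] = None

def _match(rule, pkt):
    return (rule.direction == pkt.direction
            and rule.src in ("any", pkt.src)
            and rule.dst in ("any", pkt.dst)
            and rule.dport in (None, pkt.dport))

def verdict(rules, pkt, default="allow"):
    """First matching rule wins; traffic matching no rule gets the default."""
    for rule in rules:
        if _match(rule, pkt):
            return rule.action
    return default

def cis_allows(global_rules, app_rules, pkt):
    """Global and application rules are both filters: a block in either drops."""
    return verdict(global_rules, pkt) == "allow" and verdict(app_rules, pkt) == "allow"

def router_inbound(pkt, port_forwards):
    """Unsolicited packet arriving on the router's WAN side (simplified model).
    No port-forward for its port: dropped, NAT has nowhere to send it.
    Port-forward present: only the destination is rewritten; the source IP
    stays, so the LAN host and CIS see the real internet address."""
    target = port_forwards.get(pkt.dport)
    if target is None:
        return None
    return Packet("in", pkt.src, target, pkt.dport)

# The global rules proposed in the thread: isolate 192.168.0.10, block 50.22.11.10.
GLOBAL_RULES = [Rule("block", "in", src="192.168.0.10"),
                Rule("block", "out", dst="192.168.0.10"),
                Rule("block", "out", dst="50.22.11.10")]
```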