Firewall: Full Access to LAN, notifications for Internet access

Hi,
I have been using Comodo Firewall and now CIS for many years, but still have no good solution for this (yes, I searched for a long time):

I would like to have full access to and be fully accessible from my LAN, while getting popup alerts whenever an application tries to connect to the Internet.

So I created a global rule: Allow IP In/out From MyZone to MyZone IP Protocol: any.
MyZone is set to the IP range 192.168.3.1 to .255, which is my LAN.

However, I still get popup alerts for LAN connections, for example svchost.exe trying to TCP connect to 192.168.3.2 (my gateway) Port 5431, or svchost connecting via ICMP to 192.168.3.2. If I try to open a network share on one of my other computers, I get an alert that svchost is connecting to 192.168.3.49 on, for example, port 80.
How come these still appear? The destination is within MyZone, so it should be allowed by the global rule. Or is this the wrong way to grant LAN access?

While in this forum there is a guide describing how to set up a system with full access to LAN and no access to the Internet, there is none for the (slightly) more important scenario where you want to have full LAN access and application-based Internet access.

I would be very grateful for any help. This has been bothering me for years and until now I always ended up declaring the applications as trusted, which I don’t want to do anymore.

Best Regards,
guti

Hi Guti,

I’ll move this post to the Firewall Help board.

I think you can get this to work as follows: open Network Security Policy and add “All Applications”. Within this “All Applications” you can allow your local LAN access for All Applications; make sure this rule is moved all the way to the top.

You should now be able to remove all the separate LAN rules for the other applications…

Yes, this seems to work (if it doesn’t, I will comment here again), thanks a lot.

I do find it somewhat confusing, though. One would expect that such a rule needs to be put under “Global Rules”, and maybe it would be good if there was an easier way to create this (e.g. a question/wizard at installation), since most people I know need exactly this: trust the local network, but get alerts for every app that wants to connect to the Internet.

Hi Guti,

I agree a few nice wizards would be good, but if you read the help file on Firewall Tasks Overview, Advanced Tasks, Network Security policy there is a diagram on how traffic is handled.

Outgoing traffic has to match the application rules first, hence the alert is handled on the application rule in this case…
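The evaluation order described in the thread, as an added model that is not part of the thread or of CIS itself: outgoing traffic is checked against the application rules first, so a LAN-only global rule never suppresses the popup, while an "All Applications" entry at the top of the policy does. The "alert when no application rule matches" behaviour, the allow-by-default global stage and the sample addresses are assumptions of this model.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

# Constructed model of the order the thread describes: outgoing traffic is
# matched against the application rules first (top to bottom, first match
# wins) and only then against the global rules. The "alert when no
# application rule matches" and allow-by-default global stage are assumptions.

@dataclass
class Rule:
    action: str             # "allow" or "block"
    zone: Optional[tuple]   # (first, last) IPv4Address range; None = any address

@dataclass
class AppEntry:
    app: str                # executable name or "All Applications"
    rules: list             # ordered rules for this entry

MYZONE = (IPv4Address("192.168.3.1"), IPv4Address("192.168.3.255"))

def first_match(rules, dest: str) -> Optional[str]:
    """Action of the first rule whose zone contains dest, else None."""
    for r in rules:
        if r.zone is None or r.zone[0] <= IPv4Address(dest) <= r.zone[1]:
            return r.action
    return None

def outgoing_verdict(app: str, dest: str, app_entries, global_rules) -> str:
    # Stage 1: application rules in policy order. "All Applications" only
    # reaches this app if it sits above any entry that names the app itself.
    for entry in app_entries:
        if entry.app not in (app, "All Applications"):
            continue
        action = first_match(entry.rules, dest)
        if action == "block":
            return "block"
        if action == "allow":   # Stage 2: global rules, allow if none matches
            return first_match(global_rules, dest) or "allow"
    return "alert"              # no application rule matched: CIS pops an alert

def thread_scenarios():
    global_rules = [Rule("allow", MYZONE)]       # the poster's global rule only
    before = outgoing_verdict("svchost.exe", "192.168.3.2", [], global_rules)
    policy = [AppEntry("All Applications", [Rule("allow", MYZONE)])]  # the fix
    lan = outgoing_verdict("svchost.exe", "192.168.3.2", policy, global_rules)
    inet = outgoing_verdict("svchost.exe", "203.0.113.10", policy, global_rules)
    return before, lan, inet    # ("alert", "allow", "alert")
```

The third result shows why the fix still gives application-level alerts for Internet destinations: 203.0.113.10 (a constructed address) is outside MyZone, so no application rule matches and the popup appears as before.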