Firewall Rules

Hi

I have some questions…

I went to the wiki page Internet Protocol version 4 - Wikipedia
Then I did define all these zones.
To calculate the zones I used IP Calculator / IP Subnetting

so I did zones like…
192.168.0.0/16 Private network - [TCPIP: 192.168.0.0] [Subnet Mask: 255.255.0.0]
and so on…

I guess this does not mean that they are allowed or not, they are just defined

now my question: is this correct?
or should I make the zones like…
[TCPIP: 192.168.0.1] [Subnet Mask: 255.255.0.0] instead of
[TCPIP: 192.168.0.0] [Subnet Mask: 255.255.0.0]
or better the IP range from…
192.168.0.0 to 192.168.255.255 or from
192.168.0.1 to 192.168.255.255 ?

I have a modem > wireless router > laptops + PCs + network printer

In my network (LAN) I would like to allow everything, but not from outside, namely from the internet.

So I have also applied some Global Rules…

Allow all
IP
In/Out
Source 192.168.0.0/16 Private network - [TCPIP: 192.168.0.0] [Subnet Mask: 255.255.0.0]
Destination 192.168.0.0/16 Private network - [TCPIP: 192.168.0.0] [Subnet Mask: 255.255.0.0]

now I guess that everything coming from this zone or going to this zone is permitted
is this correct?

After that I did a blocking rule below for a port set [135 - 139 + 445]
so now everything should be allowed on the LAN but NetBIOS from outside should get blocked
is this correct?

Now I also did some rules for system and svchost…

Allow
TCP/UDP
Out
Source Address any
Destination Address name-server-1-of-isp
Source Port any
Destination Port 53

and the same for the other name servers

and…

Allow
TCP/UDP
Out
Source Address any
Destination Address 255.255.255.255
Source Port any
Destination Port 67

So now the internet should be accessible (as it seems to be now)
but I should not be accessible from the internet
is this correct?

Now I also ask myself what I shall do with the loopback zone?
I think it's maybe best to allow all IP in and out for 127.0.0.0/8 and 169.254.0.0/16, or am I wrong?
would this be correct?

and do I have to do some special settings on 0.0.0.0 and 255.255.255.255 ?
until now I allow all out for 255.255.255.255 on port 67 but only for system and svchost
shall I make this global? or shall I keep this per application?
and what about 0.0.0.0?

did I do it all correctly?
or is everything wrong?
and what else shall I do? any suggestions?

thanks a lot in advance :slight_smile:

so I did zones like... 192.168.0.0/16 Private network - [TCPIP: 192.168.0.0] [Subnet Mask: 255.255.0.0] and so on...

Creating an address space that large is unnecessary. By using those values (192.168.0.0 - 255.255.0.0) you are effectively allowing for a network(s) containing 65000+ hosts!

In domestic situations such as the home or in small offices it’s recommended to use

192.168.0.0
255.255.255.0

Which would allow for 254 hosts. Even this may be many more than required in such circumstances. It’s very easy to bring these values down to accurately define the required number of hosts and also allow for some growth. For example:

192.168.0.0
255.255.255.248

Would give you 6 hosts

192.168.0.1 - 192.168.0.6

192.168.0.0
255.255.255.240

Would give you 14 hosts, etc.

Allow all IP In/Out Source 192.168.0.0/16 Private network - [TCPIP: 192.168.0.0] [Subnet Mask: 255.255.0.0] Destination 192.168.0.0/16 Private network - [TCPIP: 192.168.0.0] [Subnet Mask: 255.255.0.0]

now I guess that everything coming from this zone or going to this zone is permitted
is this correct?

There’s an option in the firewall to do this for you, if I remember correctly, it’s under the stealth ports tab.

You could also do it manually by creating a zone containing your trusted address space and then adding rules to Application and Global. For example:

Allow IP OUT
Source Address = ANY (You can try adding ZONE here too)
Destination Address = [Zone]
IP Details = ANY

Allow IP IN
Source Address = [Zone]
Destination Address = ANY (You can try adding ZONE here too)
IP Details = ANY
That should be fine for blocking NetBIOS/SMB/RPC IN but don’t forget to block these OUT as well. Do that in Application Rules, under the System object.

Now I also did some rules for system and svchost...

Looks fine.

Now I also ask myself what I shall do with the loopback zone? I think it's maybe best to allow all IP in and out for 127.0.0.0/8 and 169.254.0.0/16, or am I wrong? would this be correct?

Loopback should already be in your Zone file

127.0.0.1
255.0.0.0

APIPA is only needed if you fail DHCP from time to time, but if one PC on your net falls back to using APIPA and the others don’t, you will lose communication.

169.254.0.1
169.254.255.254

Netmask is 255.255.0.0

You shouldn’t need to do anything with these. If an application makes use of loopback and you have your firewall settings set accordingly, you should receive a prompt.

and do I have to do some special settings on 0.0.0.0 and 255.255.255.255 ?

Nothing special is required for these addresses, if you have svchost configured to find a DHCP server, you’re good to go.

and what about 0.0.0.0?

0.0.0.0 is typically referred to as the default route, for example, if you have a web server listening on 2 subnets it can be configured to listen on the default route, so it will listen for requests from both subnets.

Don’t forget to consider the other default rules, they may need adjusting.
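The subnet arithmetic behind the zone sizes compared above (a /16 zone against /24, /29 and /28), as an added example that is not part of either post. It uses Python's standard ipaddress module to reproduce what the IP calculator mentioned in the thread shows, including how a host address such as 192.168.0.1 with mask 255.255.0.0 normalises to the network 192.168.0.0/16 that a zone actually denotes, and it checks whether a DHCP lease range lies inside the usable hosts of a zone. The network and mask values are the ones quoted in the posts; the function names and the helper layout are mine.

```python
import ipaddress


def to_binary(addr: str) -> str:
    """Dotted-binary form of an address, as an IP calculator prints it."""
    return ".".join(f"{octet:08b}" for octet in ipaddress.ip_address(addr).packed)


def describe(address: str, netmask: str) -> dict:
    """Fields an IP calculator shows for an address/mask pair.

    strict=False lets a host address (192.168.0.1 with 255.255.0.0) be given;
    it is normalised to the network it belongs to (192.168.0.0/16), which is
    what a zone definition denotes.  Valid for prefixes up to /30.
    """
    net = ipaddress.ip_network(f"{address}/{netmask}", strict=False)
    return {
        "network": str(net.network_address),
        "prefix": net.prefixlen,
        "netmask": str(net.netmask),
        "wildcard": str(net.hostmask),
        "broadcast": str(net.broadcast_address),
        "host_min": str(net.network_address + 1),
        "host_max": str(net.broadcast_address - 1),
        "hosts": net.num_addresses - 2,  # network and broadcast are not usable
    }


def is_usable_host(address: str, netmask: str, candidate: str) -> bool:
    """True if candidate lies inside the zone and is neither its network
    nor its broadcast address (the two a DHCP server must never hand out)."""
    net = ipaddress.ip_network(f"{address}/{netmask}", strict=False)
    ip = ipaddress.ip_address(candidate)
    return ip in net and ip not in (net.network_address, net.broadcast_address)


def dhcp_pool_fits(address: str, netmask: str, first: str, last: str) -> bool:
    """Check that a DHCP lease range is ordered and fully inside usable host space."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return (lo <= hi and is_usable_host(address, netmask, first)
            and is_usable_host(address, netmask, last))


def calculator_table(address: str, netmask: str) -> str:
    """Text in the layout of the calculator output quoted later in the thread."""
    d = describe(address, netmask)
    rows = [
        ("Address", address), ("Netmask", f"{d['netmask']} = {d['prefix']}"),
        ("Wildcard", d["wildcard"]), ("Network", f"{d['network']}/{d['prefix']}"),
        ("Broadcast", d["broadcast"]), ("HostMin", d["host_min"]),
        ("HostMax", d["host_max"]),
    ]
    # binary column is computed from the bare address part of each value
    lines = [f"{k + ':':11}{v:22}{to_binary(v.split(' ')[0].split('/')[0])}"
             for k, v in rows]
    lines.append(f"{'Hosts/Net:':11}{d['hosts']}")
    return "\n".join(lines)


if __name__ == "__main__":
    for mask in ("255.255.0.0", "255.255.255.0", "255.255.255.248", "255.255.255.240"):
        d = describe("192.168.0.0", mask)
        print(f"/{d['prefix']:<3} {d['host_min']} - {d['host_max']}  ({d['hosts']} hosts)")
    print(calculator_table("192.168.0.0", "255.255.255.240"))
    # router on .1, leases .2 - .14: inside the /28's usable hosts
    print(dhcp_pool_fits("192.168.0.0", "255.255.255.240", "192.168.0.2", "192.168.0.14"))
```

Running it prints 65534, 254, 6 and 14 usable hosts for the four masks discussed, the full table for 192.168.0.0/28, and True for the lease range 192.168.0.2 to 192.168.0.14; asking for a range that ends on 192.168.0.15 returns False because that is the broadcast address of the /28.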

OK…

I did now configure the router to be reachable over 192.168.0.1
I told it to use the subnet mask 255.255.255.240
as I calculated (and you confirmed) this will give me 14 possible hosts in the local area
I told it to give out the IPs between 192.168.0.2 and 192.168.0.14 automatically to the clients (as it likes)

now I configured two network zones

LAN
tcpip 192.168.0.0
subnetmask 255.255.255.240

LoopBack
tcpip 127.0.0.0
subnetmask 255.0.0.0

until here all seems to be clear :slight_smile:
before I thought I'd just do a zone with all private addresses
but after your posting I thought it maybe makes sense to keep the range low
maybe the firewall has to check all the numbers, so it will check faster on only 14 numbers :slight_smile:

now I have global rules…

allow
ip
in/out
from zone LAN
to zone LAN

allow
ip
in/out
from zone LoopBack
to zone LoopBack

after that I have two rules which are blocking the port set 135-139,445
I did one rule for incoming requests on 135-139,445 (protecting me from my neighbours)
and one for outgoing requests on 135-139,445 (protecting my neighbours from me)

now my question here is: can I open outgoing requests on 135-139,445 (so that I can spy on my neighbours) without a risk at my side :smiley: ?

and I have some application rules…

one is for all applications…
Allow
IP
in/out
Zone: LAN

and this is the same for svchost AND system…
Allow
tcp/udp
out
From any to DNS.server
Destination Port: 53

Allow
tcp/udp
out
From any to 255.255.255.255
Destination Port: 67

so now all LAN traffic should be allowed
and system as well as svchost can access the DNS servers on port 53
and they can broadcast over 255.255.255.255 at port 67

now my main question is: do these rules make sense?
I mean, do I have to apply these rules on system and svchost? or only one of them?
and is 255.255.255.255 an unnecessary risk, or maybe good in the case of something :slight_smile: ?

and again this 0.0.0.0
I would like to configure that (it sounds interesting)…
how can I do this? which port shall I use for that?
just to learn a bit about this 0.0.0.0 :wink:

and last but not least…
I did check all the predefined rules
most of them have lost the “Loopback zone” since I renamed it to “LoopBack”
so I did all the corrections on them

now I thought I can do an always-ask rule on all the zones that I have except LAN and LoopBack, so that I can see if something tries to connect with a special zone
this is not necessary or maybe extremely wise, but I thought it's maybe interesting to learn about what is going on… if something is going on :wink:
this is just additional info about my plan :smiley:

is everything correct as I did it?
any suggestions?
any cool hints, tips and tricks?
:smiley:

thanks in advance :wink:

allow ip in/out from zone LoopBack to zone LoopBack

You don’t need that.

after that I have two rules which are blocking the port set 135-139,445 I did one rule for incoming requests on 135-139,445 (protecting me from my neighbours) and one for outgoing requests on 135-139,445 (protecting my neighbours from me)

now my question here is: can I open outgoing requests on 135-139,445 (so that I can spy on my neighbours) without a risk at my side :smiley: ?

The Global rule to block NetBIOS etc. IN is fine, but if you want to control the data on these services OUT use Application Rules on the System object.

Allow tcp/udp out From any to 255.255.255.255 Destination Port: 67

You only need UDP for DHCP.

now my main question is: do these rules make sense? I mean, do I have to apply these rules on system and svchost? or only one of them? and is 255.255.255.255 an unnecessary risk, or maybe good in the case of something :slight_smile: ?

Create the DHCP rule under svchost. You need to allow this or you will fail to obtain an IP address from your DHCP server. It’s an outbound broadcast, so it’s fine. Any replies will be handled by the firewall SPI and be directed internally or dropped.

and again this 0.0.0.0

There really is nothing to configure in the firewall for this. Take a look at this:

http://www.rfc-editor.org/rfc/rfc3330.txt

It’s good information.

and last but not least... I did check all the predefined rules most of them have lost the "Loopback zone" since I renamed it to "LoopBack" so I did all the corrections on them

As I remember, the predefined rules do support loopback. There should be nothing you need to do unless you are using your own rules.

is everything correct as I did it? any suggestions? any cool hints, tips and tricks?

Without seeing your complete rule sets for Application and Global, it’s hard to know. Regardless of which firewall you use, if you wish to create custom rules, you have to have some understanding of how these things work and you have to test and log, test and log.

Have fun

Yes sure :smiley:
Thanks a lot :wink:

so now I have some settings which seem to work…
I mean I get an IP and I can access the internet :smiley:

here is my hardware setup…

[Cable-Modem with dynamic IP]
^
[Router serving dynamic IP’s]
^^^^^
[Network-Printer] [Network-Storage] [PC1 over wireless] [Laptop1 over wireless] [Laptop2 over wireless]

the local network settings are as follows…

Address:   192.168.0.0           11000000.10101000.00000000.0000 0000
Netmask:   255.255.255.240 = 28  11111111.11111111.11111111.1111 0000
Wildcard:  0.0.0.15              00000000.00000000.00000000.0000 1111
=>
Network:   192.168.0.0/28        11000000.10101000.00000000.0000 0000 (Class C)
Broadcast: 192.168.0.15          11000000.10101000.00000000.0000 1111
HostMin:   192.168.0.1           11000000.10101000.00000000.0000 0001
HostMax:   192.168.0.14          11000000.10101000.00000000.0000 1110
Hosts/Net: 14                    (Private Internet)

The router gets its IP automatically (and I guess its DNS settings too) from the cable modem, or in other words from my internet provider.
now the router is serving dynamic IPs to all its clients and provides itself as a DNS server.

in a client PC when I go to my wireless adapter > status > details I see…

DHCP server: 192.168.0.1
DNS server: 192.168.0.1

So I decided to bypass the router DNS function and use the manual DNS settings under network connections > wireless adapter > internet protocol TCP/IP > Properties > advanced > DNS
I added all four DNS servers from my internet provider and at the bottom I also added the DNS address from my router, just in case of whatever.
I thought that way the router has less to do and maybe it will save me a microsecond of time :smiley:
(a tutorial on that is found here: SG :: Router Configuration Guide )

Now I would like all traffic in my local area network (LAN) to be allowed
this means that NetBIOS, Remote, File and Folder sharing, and whatever else is permitted, but only if it comes from a PC in my LAN and never if it comes from the internet!
but on the other hand I would like my own requests on such dangerous services to the internet to be permitted, so that I can “see” into the “internet” but the “internet” can't “see”/spy on me :slight_smile:

And I did fool around with all the standard settings of the Comodo firewall
so I have to do them all manually now :stuck_out_tongue:

I did rename all the zones made by Comodo…

and I added a bunch of zones on my own manually
to set up all possible zones I used a reference from wiki found at Internet Protocol version 4 - Wikipedia
and 3. Summary Table found at http://www.rfc-editor.org/rfc/rfc3330.txt
to convert the zones properly I used the IP calculator at IP Calculator / IP Subnetting

setting up the zones does not mean that they are permitted or restricted, they are just defined at this point.

the next thing I did was to define a port set for “evil” ports and named it [EVILPORTS]…

Remote Procedure Call (RPC) (TCP/UDP: 135)
PROFILE Naming System (TCP/UDP: 136)
NETBIOS Name Service (TCP/UDP: 137)
NETBIOS Datagram Service (TCP/UDP: 138)
NETBIOS Session Service (TCP/UDP: 139)
MS Networking access (TCP/UDP: 445)

as I got it from IT Service Management (ITSM) | Information and FAQs from Wiki Comodo

Both application rules and global rules are consulted when the firewall is determining whether or not to allow or block a connection attempt. For Outgoing connection attempts, the application rules are consulted first then the global rules. For Incoming connection attempts, the global rules are consulted first then application specific rules.

and rules are applied from top to bottom (first rule to last rule), as I guess
for example…
if I allow all and then deny something, something will never get blocked
if I deny something and then allow all, something will get blocked and all other things will be allowed
right?

… now I have some global rules…

block ICMP from IP any to IP any where ICMP message is protocol unreachable
block ICMP from IP any to IP any where ICMP message is 17.0
block ICMP from IP any to IP any where ICMP message is 15.0
block ICMP from IP any to IP any where ICMP message is 13.0
block ICMP from IP any to IP any where ICMP message is echo request

now I added some global rules to it, so it looks like…

Allow IP In/Out from in [LAN] to in [LAN] where protocol is any
Allow IP In/Out from in [Loop] to in [Loop] where protocol is any
Block TCP or UDP In from NOT In [LAN] To IP any where source port is any and destination port is in [EVILPORTS]
Block TCP or UDP In from NOT In [LAN] To IP any where source port is in [EVILPORTS] and destination port is any

block ICMP from IP any to IP any where ICMP message is protocol unreachable
block ICMP from IP any to IP any where ICMP message is 17.0
block ICMP from IP any to IP any where ICMP message is 15.0
block ICMP from IP any to IP any where ICMP message is 13.0
block ICMP from IP any to IP any where ICMP message is echo request

so I think now all the LAN traffic is permitted
as well as the loopback traffic
and all access through evil ports from the internet to my PC is blocked

Under application rules I also did some rules…

All Applications
Allow IP In/Out from in [LAN] to in [LAN] where protocol is any
Allow IP In/Out from in [Loop] to in [Loop] where protocol is any

since I have basically the same rule for all applications as I already have globally, I guess this rule is not needed anymore; I think this rule has to be in the global section or for all applications in the application section, but not in both sections.
is this right?

the other question is whether this rule is good or not?
I did read about this allow-all-traffic-on-LAN rule somewhere in this forum
but now I ask myself what happens if one PC is maybe infected or attacked: if someone gains control over one PC in the LAN, he will maybe be able to invade any PC in the LAN through that one infected PC
is this right?

now I also added some special zones like…

DNS (all my DNS servers provided by my internet provider + my LAN broadcast address)
LAN (TCPIP netmask for my LAN)
Loop (TCPIP netmask for 127.0.0.0/8)
LocalHost (local host name)
Internet Clock (all time servers in use, by IP)
MS-Update (all Microsoft Update server IPs that did occur)

on svchost I have now the rule…

Allow TCP or UDP Out from in [LocalHost] to in [DNS] where source port is any destination port is 53
Allow TCP or UDP Out from in [LocalHost] to IP 255.255.255.255 where source port is any destination port is 67
Allow TCP or UDP Out from in [LocalHost] to in [LAN] where source port is any destination port is 67
Allow TCP Out from in [LocalHost] to in [MS-Update] where source port is any destination port is in [HTTP Ports]
Allow TCP or UDP Out from in [LocalHost] to in [Internet Clock] where source port is any destination port is 123
Ask

and on system…

Allow TCP or UDP Out from in [LocalHost] to IP any where source port is in [EVILPORTS] and destination port is in [EVILPORTS]
Ask

for DHCP and Internet Time I need only UDP, but somewhere on this forum I did read that DHCP will try TCP if UDP fails, and NTP seems to work the same way, as I guess after reading about port 123 on this site Port 123 (tcp/udp) :: SpeedGuide

so are these rules now looking fine?
is it too much or too little?
is something missing?
or something totally wrong?

additionally I can maybe mention two tools which I found during all my research which maybe can be interesting to some people who want to shut down ports 135 and 445 completely
GRC | DCOMbobulator   (135)
GRC | Shoot The Messenger   (445)

thanks a lot in advance :smiley:
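A toy evaluator for the two-tier rule model quoted from the Comodo documentation above (application rules then global rules for outgoing connections, the reverse for incoming) and for the top-to-bottom, first-match ordering question asked right after it; it also exercises the global and per-application rules listed in this post and the earlier one (LAN and loopback allow, the [EVILPORTS] blocks from outside the LAN, the svchost DNS and DHCP rules). This is an added example, not Comodo's code or documentation. The zones, port set and rules are transcribed from the posts; the host address 192.168.0.3, the resolver 198.51.100.53, the outside address 203.0.113.7 and the sample packets are constructed; and treating "no rule matched in either tier" as a prompt ("ask") is my simplification of how the firewall behaves, since the real outcome depends on its alert settings.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

IP = ipaddress.IPv4Address
# Zones and port set as defined in the post.  LocalHost is taken to mean this
# PC's own addresses; 192.168.0.3 and the resolver 198.51.100.53 are constructed.
LAN = ipaddress.ip_network("192.168.0.0/28")
LOOP = ipaddress.ip_network("127.0.0.0/8")
LOCALHOST = {IP("192.168.0.3"), IP("127.0.0.1")}
DNS = {IP("198.51.100.53")}
EVILPORTS = frozenset({135, 136, 137, 138, 139, 445})
ANY_PROTO = frozenset({"any"})
TCPUDP = frozenset({"tcp", "udp"})

# Address matchers, one per kind of source/destination a rule can name.
def in_net(net): return lambda ip: ip in net
def not_in_net(net): return lambda ip: ip not in net
def in_set(addrs): return lambda ip: ip in addrs
def single(addr): return lambda ip: ip == IP(addr)
def anywhere(ip): return True

@dataclass
class Packet:
    direction: str      # "in" or "out", seen from this PC
    proto: str          # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int
    app: str = "any"    # owning process, used to pick application rules

@dataclass
class Rule:
    action: str                          # "allow" or "block"
    direction: str                       # "in", "out" or "in/out"
    protos: FrozenSet[str]
    src: Callable[[IP], bool] = anywhere
    dst: Callable[[IP], bool] = anywhere
    sports: Optional[FrozenSet[int]] = None   # None means any port
    dports: Optional[FrozenSet[int]] = None

    def matches(self, p: Packet) -> bool:
        if self.direction != "in/out" and self.direction != p.direction:
            return False
        if "any" not in self.protos and p.proto not in self.protos:
            return False
        if not (self.src(IP(p.src)) and self.dst(IP(p.dst))):
            return False
        if self.sports is not None and p.sport not in self.sports:
            return False
        return self.dports is None or p.dport in self.dports

def first_match(rules: List[Rule], p: Packet) -> Optional[str]:
    """Rules are read top to bottom; the first one that matches decides."""
    for r in rules:
        if r.matches(p):
            return r.action
    return None

GLOBAL_RULES = [
    Rule("allow", "in/out", ANY_PROTO, in_net(LAN), in_net(LAN)),
    Rule("allow", "in/out", ANY_PROTO, in_net(LOOP), in_net(LOOP)),
    Rule("block", "in", TCPUDP, not_in_net(LAN), dports=EVILPORTS),
    Rule("block", "in", TCPUDP, not_in_net(LAN), sports=EVILPORTS),
]
APP_RULES: Dict[str, List[Rule]] = {
    "svchost.exe": [
        Rule("allow", "out", TCPUDP, in_set(LOCALHOST), in_set(DNS), dports=frozenset({53})),
        Rule("allow", "out", frozenset({"udp"}), in_set(LOCALHOST),
             single("255.255.255.255"), dports=frozenset({67})),
    ],
}

def decide(p: Packet) -> str:
    """Outgoing: application rules first, then global; incoming: the reverse.
    A block in either tier wins.  No matching rule anywhere is modelled as a
    prompt ("ask"); that fallback is a simplification, not the exact behaviour."""
    app = APP_RULES.get(p.app, [])
    tiers = [app, GLOBAL_RULES] if p.direction == "out" else [GLOBAL_RULES, app]
    verdict = "ask"
    for rules in tiers:
        action = first_match(rules, p)
        if action == "block":
            return "block"
        if action == "allow":
            verdict = "allow"
    return verdict

def ordering_demo() -> Tuple[Optional[str], Optional[str]]:
    """The same two rules in both orders: allow-all above the block hides it."""
    allow_all = Rule("allow", "in/out", ANY_PROTO)
    block_smb = Rule("block", "in/out", TCPUDP, dports=frozenset({445}))
    smb = Packet("in", "tcp", "203.0.113.7", "192.168.0.3", 49200, 445)
    return first_match([allow_all, block_smb], smb), first_match([block_smb, allow_all], smb)

SAMPLES = {  # constructed traffic
    "smb_from_lan":      Packet("in", "tcp", "192.168.0.5", "192.168.0.3", 49200, 445, "System"),
    "smb_from_internet": Packet("in", "tcp", "203.0.113.7", "192.168.0.3", 49200, 445, "System"),
    "dns_svchost":       Packet("out", "udp", "192.168.0.3", "198.51.100.53", 51000, 53, "svchost.exe"),
    "dhcp_svchost":      Packet("out", "udp", "192.168.0.3", "255.255.255.255", 68, 67, "svchost.exe"),
    "dhcp_other_app":    Packet("out", "udp", "192.168.0.3", "255.255.255.255", 68, 67, "other.exe"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:18s} -> {decide(pkt)}")
    print("allow-all first / block first:", ordering_demo())
```

The sample run shows the three outcomes a rule author has to reason about: SMB from a LAN host is allowed by the first global rule, the same connection from outside the LAN is blocked by the [EVILPORTS] destination-port rule, and a DHCP broadcast is allowed only for the process that has a rule for it (svchost.exe), while another process with no matching rule in either tier falls through to a prompt. ordering_demo() returns ("allow", "block"), which is the point made in the post about rule order: a deny placed below an allow-all never gets a chance to match.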