Global Rules - Web Server behind/not behind a router - Novice Level

Alright, total novice here. I have read the manual, a few (million?) posts, and did some a-b-c training/settings. I knew that sooner or later the Firewall rules were going to break my balls brain. This time has come.

My configuration base:

3 PC + a print server behind a router:
a. PC1 – IP
b. PC2 – IP
c. PC3 – IP
d. Print server – IP

1 Router
a. LAN – IP
b. WAN – IP

PC3 is a web server – it is a notebook, sometimes behind a router, sometimes in the wild, connecting to open access points (I will maybe need to edit 2 configurations – profiles?)

What I want:
a. TRUST ZONE groups: for the machines behind the router (workgroup – file exchange – centralized printing – VirtualBox, etc.)
b. PC3 ONLY: is in charge of receiving incoming connections on port 80, either behind the router or accessing open wireless points.

Starting point: Global Rules (my default settings)

a. Stealth Port Wizard: Block everyone except Trusted Zone
b. Trusted Zones

  1. LAN: An IP Address Mask: / (can you explain the part?)
  2. LAN2: An IP Address Mask: (VirtualBox)
  3. Loopback Zone: An IP Address Mask: (can you explain Loopback?)
c. I have opened Apache IN/OUT port 80 in Network Security Policy > Application Rules

Incoming connection to the server: PASS with my default configuration.

Thanks to Bad Frogger for his first-step explanation and diagnosis of my default configuration:

But I read your post and now I see your setup and you should be OK like you have it.

The router will only route WAN to PC3.
And all the PC’s are Firewalled to trust your LAN.
Only PC3 has an APP (your server) “listening”; the others would just drop the packets if there were any strays magically leaking from the router to them.

I’ll think on it some more. And someone else may have an idea on tightening up a little, but you should be safe as is.

My attempt to tighten the Global Rules: Default Global Rules + 2 rules (see: photo).

I have added the 3rd rule and the 4th, counting from the top:
3. Allow – TCP – IN – Any – Single IP – Any – 80
4. Deny – TCP – IN – Any – Exclude (i.e. NOT the choice below) Single IP – Any – Any (big doubt here between Any or port 80?)

I have no idea about the value or the mediocrity of these rules. From this point I have to rely on experienced users, not only to show me the proper rules, but especially to explain them to me in an understandable fashion. Thanks in advance.

Please move the block rule (red icon) to the bottom of the Global Rules. Comodo reads Global Rules top down. That means it starts reading the exceptions before it executes the block rule at the bottom.

Edit: changed the sentence as it held a language glitch and was not clear enough. Thx. Bad Frogger.

It is like in the Application rules:

allow rules start from the top
deny rules go under (at the bottom of the allow rules)

Is that what you mean?

That means it starts reading the exceptions at the top for the block rule, which is at the bottom.

There I fixed the confusing sentence.


Not always.

The firewall rules are read from top to bottom, regardless of whether they are ALLOW or BLOCK rules. As a result, any rules that are under a BLOCK rule that is blocking everything will never be read. Consequently, your global BLOCK EVERYTHING rule must be placed at the bottom of the list.

However, there may be situations where you want to block a particular activity. Where a BLOCK rule is specific (as opposed to BLOCK EVERYTHING), it needs to be ABOVE any ALLOW rule that would permit the traffic you want blocked.

As an example, say you wanted to allow traffic between the PCs in your house (HOME LAN), wanted to have a BLOCK ALL rule to prevent unsolicited intrusions, and wanted to stop people in your house accessing (for example) YouTube; you would need to have global rules in the following order:

  1. Block YouTube
  2. Allow HOME LAN in
  3. Allow HOME LAN out
  4. Block all

Hope this helps,
Ewen :)
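As an added illustration (not code from this thread or from Comodo), here is a small Python first-match evaluator that reads a rule list top down and stops at the first rule that matches, which is the behaviour Ewen and the earlier replies describe. It runs Ewen's four-rule order, the same rules with BLOCK ALL mistakenly at the top, and the port-80 exception from the opening post, and reports which rules can never fire. The addresses (192.168.1.0/24 for the HOME LAN, 192.168.1.30 for PC3, 203.0.113.0/24 standing in for YouTube, 198.51.100.7 as an outside host) and the sample packets are constructed for the example; the rule fields are a simplification of the Comodo columns, not its real data model.

```python
"""First-match evaluation of an ordered firewall rule list (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str             # "allow" or "block"
    direction: str          # "in", "out" or "any"
    protocol: str           # "tcp", "udp" or "any"
    src: str                # CIDR; ANY matches every address
    dst: str
    dst_port: Optional[int] # None means any port
    label: str


@dataclass(frozen=True)
class Packet:
    direction: str
    protocol: str
    src: str
    dst: str
    dst_port: int


def matches(rule: Rule, pkt: Packet) -> bool:
    """Every field of the rule must accept the packet for the rule to fire."""
    if rule.direction != "any" and rule.direction != pkt.direction:
        return False
    if rule.protocol != "any" and rule.protocol != pkt.protocol:
        return False
    if ip_address(pkt.src) not in ip_network(rule.src):
        return False
    if ip_address(pkt.dst) not in ip_network(rule.dst):
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet, default: str = "block") -> Tuple[str, str]:
    """Walk the list top down; the first matching rule decides, later rules are never read."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.label
    return default, "implicit default"


def unreachable_rules(rules: List[Rule], probes: List[Packet]) -> List[str]:
    """Labels of rules that never fire for any probe: the symptom of a broad
    rule (typically BLOCK ALL) sitting above the exceptions it should follow."""
    fired = {evaluate(rules, pkt)[1] for pkt in probes}
    return [r.label for r in rules if r.label not in fired]


# Constructed addresses for the example.
ANY = "0.0.0.0/0"
HOME_LAN = "192.168.1.0/24"
PC3 = "192.168.1.30/32"        # the notebook running Apache
YOUTUBE = "203.0.113.0/24"     # documentation range standing in for YouTube

# Ewen's order: specific block, then LAN exceptions, then BLOCK ALL last.
EWEN_ORDER = [
    Rule("block", "out", "any", ANY, YOUTUBE, None, "Block YouTube"),
    Rule("allow", "in", "any", HOME_LAN, ANY, None, "Allow HOME LAN in"),
    Rule("allow", "out", "any", ANY, HOME_LAN, None, "Allow HOME LAN out"),
    Rule("block", "any", "any", ANY, ANY, None, "Block all"),
]
# The mistake the replies warn about: BLOCK ALL moved to the top.
WRONG_ORDER = [EWEN_ORDER[-1]] + EWEN_ORDER[:-1]

# The opening post's idea for PC3: one port-80 exception above the block rule.
PC3_WEB_ORDER = [
    Rule("allow", "in", "tcp", ANY, PC3, 80, "Allow TCP in to PC3:80"),
    Rule("block", "any", "any", ANY, ANY, None, "Block all"),
]

# Constructed sample packets.
YT_OUT = Packet("out", "tcp", "192.168.1.20", "203.0.113.5", 443)
LAN_IN = Packet("in", "tcp", "192.168.1.20", "192.168.1.30", 445)
LAN_OUT = Packet("out", "tcp", "192.168.1.30", "192.168.1.10", 9100)
WAN_WEB_IN = Packet("in", "tcp", "198.51.100.7", "192.168.1.30", 80)
WAN_SSH_IN = Packet("in", "tcp", "198.51.100.7", "192.168.1.30", 22)
PROBES = [YT_OUT, LAN_IN, LAN_OUT, WAN_WEB_IN, WAN_SSH_IN]

if __name__ == "__main__":
    for name, rules in (("Ewen", EWEN_ORDER), ("wrong", WRONG_ORDER), ("PC3 web", PC3_WEB_ORDER)):
        print(f"--- {name} order ---")
        for pkt in PROBES:
            print(pkt.direction, pkt.src, "->", pkt.dst, pkt.dst_port, evaluate(rules, pkt))
        print("never fire:", unreachable_rules(rules, PROBES))
```

With BLOCK ALL at the top, every probe hits it and the three rules beneath it are reported as never firing, which is exactly why the replies ask for the red block rule to be moved to the bottom. The PC3 list shows the opening post's rule 3 doing its job: an outside connection to PC3 on port 80 is allowed, while the same host on port 22 falls through to BLOCK ALL.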

It is even clearer like that. The example also illustrates a new situation I did not think of. Thanks panic.