help configuring comodo firewall 5

hey all,
i just installed comodo 5 firewall (just the firewall portion) and I was looking for some help with configuring the software. i used zonealarm in the past and didn’t have any problems with it. i liked how i could flag any network i connected to as “trusted” or “untrusted”.

this is for my personal laptop that i pretty much bring everywhere including work.

i tend to classify the networks i connect to into 3 groups:

  1. trusted - home
    I have a test Win2k3/2k8 AD domain controller (named serverA) whose domain my laptop is joined to. So pretty much all communication between this computer and my laptop should be allowed and not hindered. i created a network zone in comodo called “home”. in this zone all i have is “serverA.test.local” and serverA’s mac address. pretty much this zone is fully trusted. I have other computers in the house that i do NOT want included in this subnet (192.168.10.1). so i didn’t add the class C subnet to this zone.

  2. semi - trusted - home network
    this consists of pretty much all other computers on my home network (192.168.10.x). i like the ability to copy files from my laptop to all other workstations. always allow outbound from my laptop to any in my home network. but i block any incoming from the workstations, in case one of the workstations gets infected with something.

  3. untrusted - work network/starbucks/friends house
    these networks i don't trust at all and i want to block ANY incoming traffic from these networks. i use a number of applications that require network connections so i usually just allow all outbound traffic.

i can see that category #2 is a lil bit tough to set up sometimes since it's a hybrid of #1 and #3. if #2 isn’t possible, i’d be ok with not having it. i got used to it with zonealarm. with zonealarm i had to pretty much combine #1 and #2 as fully trusted networks.

i could bring my laptop anywhere, connect via wifi or ethernet, set the zone to untrusted and just start surfing. if i was at home, it remembered the settings and everything.

i had comodo 4 and when i upgraded to 5 it wiped out all my custom rules and what not. i thought i had a pretty decent ruleset.

what does the network zones tab display? looks like it displays any network i’ve attached to and “saved”, but doesn’t show trusted/untrusted. it just looks like a list of subnets i’ve attached to.

i’ve also had reservations about adding the 192.168.10.x subnet as a fully trusted zone, only cuz what if i go to a friend's house and he has a 192.168.10.x subnet that i connect to. i certainly don't trust any of his stuff. so i might just scrap the #2 idea if it's too difficult.

is there a manual for comodo5 or maybe for comodo4 that i can read up on? i looked on the forums today and didn’t find any. i remember there was a pretty comprehensive manual for version 4.

like what does the “Blocked Zones” tab do? what's the purpose? if it's a blocked network why would i want to even physically connect to it. are entries in this tab automatically banned?

i run bitdefender pro 2011, superantispyware with the active scanner piece, malwarebytes for another on demand scanner. win7 64bit 4gb of memory. basic stuff.

i'm not a networking pro or anything so i bet the manual will be over my head as well but at least i can try to read it lol :slight_smile:

i'm not even gonna get into defense+. hehe that stuff is super confusing to me with all the sandboxing and what not. looks like i have a huge list of “trusted” files that i never had before though.

is there a way to do this with comodo? any help is greatly appreciated. thanks all.

The “failing point” is that you can’t at the same time allow a part of the 192.168.0.X subnet when you are at home and block the same when you are with your “untrusted friend”, moreover not knowing which ip of this same subnet he uses or not.

Wouldn’t the solution rely on authorizations not from some ip or another, but from MAC addresses themselves, either in global or individual firewall rules?

hey,
yeah i understand the issue, that's why i'm ok with dropping the whole subnet issue.

how do i go about setting up #1? and how do i go about setting up #3 so that all networks(except #1) are untrusted?

can i just use the “stealth ports wizard” or will i have to create manual rules?

also, let's say i go to a friend's house and i connect to their network and comodo comes up with the “found new network” dialog box. what should i do there? i know i don't want to trust it, do i just click “close”?

> can i just use the "stealth ports wizard" or will i have to create manual rules?

I am not confident in the stealth ports wizard when speaking of lan so, yes, i would make manual rules (application ones, not global), but it's a little work, and each time i speak of that, and again today, the person i answer to throws me out because he wants to run cis from automatic and non-alerted rules.

> how do i go about setting up #1?

I don't know anything about domains, whether you run them from 2k3/2k8 or whatever server platform, but only about workgroup lans: what i say is therefore maybe totally irrelevant. I am not sure either of your configuration; i assume you have 2 subnets you don't want to speak to each other, e.g. 192.168.0.1-192.168.0.255 and 192.168.10.1-192.168.10.255.

- set your firewall to proactive, the firewall to advanced, set alert frequency to very high and check everything but ics, create if absent svchost and system rules (should be asked within your own lan), set to custom.
- create a network zone lan1 (first preceding range) and a network zone lan2 (the second one) and a port rule called netbios (137-139 or, if you don't want to be alerted by explorer when browsing a lan computer, 135-139).
- write the following firewall rules:
  - svchost: allow tcp or udp, both, from (lan1) to (lan1), source port any, dest port any. If you want to enforce the interdiction, follow by the same rule blocking lan2.
  - system: allow tcp or udp, in, from (lan1) to (lan1), source port any, dest port (netbios). Write the same rule for tcp or udp in (note that gathering these two rules into a single one does not have the same signification; we do not want netbios to be the only ports, and low system ports in the 1000 range also are involved). Same comment if you explicitly want to block (lan2).

Depending on what you do, you might be alerted by some other applications, and of course by explorer (tcp out dest port 135 from the source computer to the dest computer).

> how do i go about setting up #3 so that all networks (except #1) are untrusted?

Not speaking of the friend's house, rule 3 is useless in conjunction with rule 1; rule 1 alone is enough.

> also, let's say i go to a friend's house and i connect to their network and comodo comes up with the "found new network" dialog box. what should i do there? i know i don't want to trust it, do i just click "close"?

In the "plus" tab, "preferences", uncheck the discovery of new networks. But it does not resolve the most probable situation of a friend also running a 192.168.0.n segment (192.168.10.n is less probable, but would result in a hassle changing your ip affectations, and is not 100% certain). In such a situation, workgroup also fails: if you don't have the same as your friend, no one shall communicate, and you could try such a solution, but you maybe would be thrown out of his router, and therefore of any connection.

I see there no other solution than replacing trusted ip by trusted MAC, but it’s a hassle if you have a great number of lan computers, as no such thing as a MAC range exists: it would lead you to create a lan zone per MAC address… and to reproduce the firewall rules i talked of as many times as there are allowed MAC addresses.

At a friend’s house, the issue is that you are not supposed to know his MAC address and the one of his router, so as to block the first and allow the second.

An alternative, i didn’t test it, would be to write 2 cis configurations, assuming that when imported a configuration totally overwrites the other (and does not add both):
write a configuration for home, export.
write another one where every firewall rule i talked of is set to ask instead of block or allow, export under another name.
When moving the laptop to a friend’s house, import configuration 2: if any communication occurs, you now know the ip your friend uses, and are able to block it.
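As an added illustration of the zone collision the two posters are discussing (example code written for this thread, not from any poster and not Comodo's own rule engine), here is a small Python model of the three zones from the first post. It compares keying zone #1 on serverA's MAC against keying it on serverA's IP, using constructed addresses; the friend's router address and all MACs are assumed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed model of the three zones in the thread (not Comodo's engine):
# #1 trusted = serverA, #2 semi-trusted = rest of 192.168.10.x, #3 untrusted = all else.
SERVER_A_IP = "192.168.10.1"                 # assumed address of serverA
SERVER_A_MAC = "00:11:22:33:44:55"           # assumed MAC of serverA
HOME_SUBNET = ip_network("192.168.10.0/24")

@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (towards the laptop) or "out" (from the laptop)
    peer_ip: str     # the other host's IP address
    peer_mac: str    # the other host's MAC as seen on the local segment

def zone_of(pkt, trust_by="mac"):
    """Classify the peer. trust_by="mac" keys zone #1 on serverA's MAC,
    trust_by="ip" keys it on serverA's IP (the collision-prone choice)."""
    if trust_by == "mac":
        is_server_a = pkt.peer_mac.lower() == SERVER_A_MAC
    else:
        is_server_a = pkt.peer_ip == SERVER_A_IP
    if is_server_a:
        return "trusted"
    if ip_address(pkt.peer_ip) in HOME_SUBNET:
        return "semi-trusted"
    return "untrusted"

def decide(pkt, trust_by="mac"):
    """Apply the poster's stated policy: outbound always allowed,
    inbound only from zone #1 (serverA); zones #2 and #3 block inbound."""
    if pkt.direction == "out":
        return "allow"
    return "allow" if zone_of(pkt, trust_by) == "trusted" else "block"

# Constructed packets: the real DC at home, and a friend's router that happens
# to sit on the same 192.168.10.1 address but has a different MAC.
HOME_DC = Packet("in", "192.168.10.1", "00:11:22:33:44:55")
FRIEND_ROUTER = Packet("in", "192.168.10.1", "aa:bb:cc:dd:ee:ff")

if __name__ == "__main__":
    print("home DC, MAC-keyed zone :", decide(HOME_DC))
    print("friend, IP-keyed zone   :", decide(FRIEND_ROUTER, "ip"))
    print("friend, MAC-keyed zone  :", decide(FRIEND_ROUTER, "mac"))
```

With the IP-keyed zone the friend's router is let in as if it were serverA, which is exactly the failing point raised above; keying on the MAC drops it to "semi-trusted" and inbound is blocked.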

yeah. i figured that i’d have to set up very specific rules for my three scenarios.

ty :slight_smile: