help - firewall blocks all

installed ics, only fw.
Chose custom policy mode.
I just want to prevent “anything” to connect on the outbound port 25 to any other computer than gateway.
So I

  • dropped all applications rules
  • unchecked all checkboxes asking what to do for unknown programs
  • added global rules:
    block from any computer, any protocol to exclude:[gateway] on outbound port 25
    then allow from any computer to any computer on tcp/udp protocol and port
    then allow from any computer to any computer on ip protocol

When I apply rules, everything is blocked (even a ping to a gateway).

Do I have to add application rules? For each exe? Why why why why? If an application rule is needed, why is a global rule available?

Regards,
Alain

Welcome to the forums. :)

The block rule must be the last in the list. The rules on top have higher priority (e.g. if you put a block ALL rules over an allow rule, everything will still be blocked because it reads the rules from top to bottom).

Also, did you create the [Gateway] network in “My Networks Zones” and then use that as the exclusion?

Can you post a screen shot of the rules if you are able to?

(in French)
First a block rule for port 25.
Then other rules to allow all (what is not blocked above).
The gateway is defined as a simple IP, 192.168.1.1.

[attachment deleted by admin]

So have you tried moving the block rule to the bottom?

yes, no change.
Furthermore, if I understood correctly, it reads rules from top to bottom.

  • It would be an error to allow before checking if it has to be blocked.
  • Even if the “allow all” rule is first, no network traffic is allowed.

So just to clarify, do you want to block any incoming connections to your PC’s port 25 and/or block any outgoing connections from your PC that try to use port 25 (a.k.a all simple mail transfer connections)?

I wouldn’t exclude, far too elaborate for a rule.
Why not: tcp/udp, out (and in if you wish), source address LAN zone, destination address 192.168.1.1, port 25, allow (where LAN zone is defined as 192.168.1.1-192.168.1.255),
immediately followed by the same rule, any source, any address, port 25, deny and log?
If you need 2 allowing rules for port 25 in your LAN, one in and the other out, it is safer to make two, as it allows you to specify the LAN address as the only allowed one as dest in the first instance, and source in the second.

Your two following rules make no sense: you should definitely not have such large allowing global rules, and you should at least limit them to BOTH source and dest in your LAN zone.

FäɀïØ™: I just want to block LAN workstations to spam by connecting using protocol smtp to outbound port 25 on internet servers
brucine: when I typed exclude, I mean the ‘negating’ checkbox, so exclude smtp to any other address than 192.168.1.1.
I don’t understand what you are telling me: I have one global rule excluding a communication on a specific rule (25), and 2 rules allowing everything. These rules are ignored! As soon as I activate the firewall, everything is blocked!

Even removing the allow rules (as suggested) (so only one rule for blocking port 25) blocks all: ping www.yahoo.com gives
Ping request could not find host www.yahoo.com. Please check the name and try again.
=> So the dns (192.168.1.1) can not be accessed.
ping 192.168.1.1 also doesn’t work.

According to me, local strategy and global rules just don’t work!

I didn’t suggest to make the thing work by removing the allow rules: I only said they are useless if below a blocking rule, and very dangerous if not.

I am only suggesting that your “double exclusion” rule, as far as we can see it (not everything from a screen capture), is either miswritten or misinterpreted by CIS.

First make sure that the culprit is not a personal rule: allow your blocking global rule; if the network now works, the culprit is your global rule.

Try to replace it by one where you allow out to port 25 as long as the source ip is one of your lan computers (local zone) and the dest ip your gateway: what happens? (if it works, it is now time to write the same rule below, replacing lan computers and gateway by any ip, keeping port 25, and blocking).

I tried 2 rules: allow port 25 and block port 25
=> Ping 192.168.1.1 doesn’t work (and ping is not port 25).
I tried no rule
=> Ping 192.168.1.1 doesn’t work.
I tried one rule: allow from all to all on icmp
=> Ping 192.168.1.1 doesn’t work
I tried a second rule: allow from all to all on tcp/udp in or out
=> Ping 192.168.1.1 doesn’t work

As soon as the policy is activated, it has the same effect as removing the network wire, no matter what the rules are.

Extra test:

  1. if I allow ping.exe in applications rules: ping works
  2. if I allow ping.exe in applications rules and prevent icmp in global rules: ping is blocked
  3. if I remove ping.exe from applications rules and allow icmp in global rules: ping is blocked

So I have to allow all types of programs (executables, applications, important files, folders, …) from the application rules BEFORE using the global rules.
Global rules are applied only to applications allowed, and not independently of the application. So these rules are not really “global”.

"Comodo Firewall analyses every packet of data in and out of your PC using combination of Application and Global Rules.

For Outgoing connection attempts, the application rules are consulted first and then the global rules second.

For Incoming connection attempts, the global rules are consulted first and then the application rules second.

Therefore, outgoing traffic has to ‘pass’ both the application rule then any global rules before it is allowed out of your system. Similarly, incoming traffic has to ‘pass’ any global rules first then application specific rules that may apply to the packet.

Global Rules are mainly, but not exclusively, used to filter incoming traffic for protocols other than TCP or UDP."

[attachment deleted by admin]
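As an added illustration of the evaluation order quoted above and of the three ping tests earlier in the thread (this is a constructed toy model, not Comodo's code and not from any poster), the block below applies first-match-wins per list, application rules before global rules for outbound traffic, and the reverse for inbound. The defaults for a list that matches nothing (application: block, because alerts were disabled; global: pass through) are assumptions inferred from those tests, and the packet values are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed toy model (not Comodo's code) of the quoted order: outbound traffic meets
# the application rules first, then the global rules; inbound the reverse. First match wins.

@dataclass
class Rule:
    action: str                 # "allow" or "block"
    direction: str              # "out", "in" or "any"
    protocol: str               # "tcp", "udp", "icmp" or "any"
    dst: str = "any"            # destination host or CIDR, or "any"
    port: int | None = None     # destination port, None = any
    exclude_dst: bool = False   # the "exclude" (negate) checkbox on the destination

    def matches(self, pkt: dict) -> bool:
        if self.direction not in ("any", pkt["direction"]) or \
           self.protocol not in ("any", pkt["protocol"]):
            return False
        if self.port is not None and self.port != pkt.get("port"):
            return False
        in_dst = self.dst == "any" or ip_address(pkt["dst"]) in ip_network(self.dst)
        return not in_dst if self.exclude_dst else in_dst

def first_match(rules: list[Rule], pkt: dict) -> str | None:
    """Action of the first rule that matches, or None if no rule matches."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return None

def evaluate(app_rules: list[Rule], global_rules: list[Rule], pkt: dict) -> str:
    """Assumed defaults, inferred from the tests in the thread: an application with
    no matching rule is blocked (alerts were disabled); an unmatched global list lets
    the packet continue to the next stage."""
    stages = [(app_rules, "block"), (global_rules, "allow")]
    for rules, default in (stages if pkt["direction"] == "out" else stages[::-1]):
        if (first_match(rules, pkt) or default) == "block":
            return "block"
    return "allow"

# Constructed packets: the ping from the thread, and SMTP to the gateway vs. the internet
PING_GW = {"direction": "out", "protocol": "icmp", "dst": "192.168.1.1"}
SMTP_GW = {"direction": "out", "protocol": "tcp", "dst": "192.168.1.1", "port": 25}
SMTP_NET = {"direction": "out", "protocol": "tcp", "dst": "203.0.113.5", "port": 25}
# The first post's global rule: block outbound tcp/25 unless the destination is the gateway
BLOCK_SMTP_NOT_GW = Rule("block", "out", "tcp", "192.168.1.1", 25, exclude_dst=True)
```

With an "allow all" application rule in place, the port-25 global rule behaves as the first post intended; with no application rule at all, even a global "allow icmp" cannot let the ping through, which is exactly the three extra tests.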

Yes, and if no application rule at all it is refused without checking global rules!

I suppose that you don’t want to deny port 25 to whatever hacking that could be done through this port, but only to, if not a single one, probably very few applications?

For port 25 to transport legitimate (or spam) messages, your lan users need whatever appropriate (and limited?) software is installed on their computers (mail client, telnet…); isn’t it possible in these conditions to write application rules for that software?

I have myself restricted rules for my mail client (only isp ip and 2 appropriate pop/smtp ports), but I am not sure to understand your gateway thing: mail does need to connect to your internet mail server, unless you have a lan mail server and if so, doesn’t such a lan server restrict mail as enforced by yourself as an administrator?

Here is the problem we are facing.
We have a dsl router with a fixed IP.
Behind this router we have our own e-mail server (win sbs 2003) having 2 lan cards: one connected to the router (wan) and one connected to the lan.
The workstations are connected on the lan.
One (or more) workstations were infected by viruses; these viruses connect on smtp to outside (internet) servers (not to our mail server). Local antiviruses on workstations didn’t detect / prevent anything. But the only address visible by the recipient of the mail is the wan ip of our mail server, so our mail server got blacklisted without being infected.
As several antiviruses (nod 32, kaspersky, …) didn’t detect the threat (perhaps unknown), I want to install a firewall blocking any outbound smtp connections from workstations (they have a local mail server, so they don’t need to open any smtp connection from workstation as it is the server’s job). That’s it.
But your firewall tells: you have to know which exe to block.
If I knew the exe, I would delete it and no need for firewall.
Putting such a firewall in place on any workstation will prevent the problem from occurring again in the future (other viruses, …), if the application doesn’t have to be specified. Clear?

It would be interesting to know what your lan users did to get a virus via smtp… (it is not a usual protocol for the end user outside of mail itself, and you say that mail is only dedicated to your mail server).
One might think of using third-party mail clients, or visiting “rogued” websites…, shortly speaking, not very professional behavior.

Assuming the said mail server is secured, I can’t be of much help since, if my mail client is “server able”, I only use it on 2 workstations and have no use for lan mail delivery: I cannot test what you report.

This being said, and if you still fail selectively blocking a port in CIS, we have to remember that CIS is not a “port firewall”, and that this kind of situation would maybe be better handled by such a software.
I have no recent experience, but if you have to use a firewall only for basic port threats, maybe the outdated, but port specific kerio 2.1.5 would do the job, allowing whatever behavior for a said port (single or multi-application, ip range…).

My users didn’t get a virus via smtp… they got an e-card with an exe, they of course launched the exe that installed lots of spyware, and this spyware opened smtp connections with outside servers, so the pc became a zombie spambot.

The good procedure is not to block smtp (next time, the malware shall express itself in some other way…) but to keep the malware from being installed and launched.

Assuming, I am sorry for some rudeness, that the end users are dumb enough to launch whatever unsolicited executable:

-isn’t the mail client set so as to “quarantine” attachments and only read plain text by default?
-wouldn’t a CIS firewall AND defense+ (and why not, if the users don’t know what they are doing, whatever AV, CIS or third-party) keep them or at least warn them not to launch an unknown exe?
If not, and if no “general briefing” is able to do the job, my idea is that no software but human brain is valuable when speaking of computer security…