Help with rules for a server

Hi everyone,

Please help me with rules for a server. I have tried a lot of rules, but I always get my TS/RDP connection blocked (and all other incoming connections); my server is a remote server, and I need to open a support ticket asking to disable Comodo to get my access back.

What I need:

  • Permit incoming access from any ip to a list of ports: web, ftp, mail, dns
  • Permit access from 2 sources (one IP and one DNS name) to these ports: RDP and SQLServer
  • Block all other incoming access

What must I set up in Application Rules? What must I set up in Global Rules? Can I set up only Global Rules and nothing in Application Rules and get the firewall working as needed?

Please help me. I’m going bald!

Thank you in advance!

You will need to set both Application rules and Global rules:

For Global rules you will need to allow inbound traffic on various ports to support your needs. The rule would look something like:

Action - Allow
Protocol - TCP or UDP (depends which protocol the service uses)
Direction - IN
Source Address - ANY or you can specify a specific ip address for a single PC or service
Destination Address - ANY or the MAC address of the server
Source Port - ANY
Destination Port - the port used by the service

Default ports (If you have changed the default ports you will need to amend these in your rules)

Web server you need to allow TCP IN on ports 80 and 443
FTP server TCP IN port 21
Mail Server - TCP IN
POP = 110
POP with TLS = 995
IMAP = 143
IMAP with TLS = 993
MSSQLSERVER - TCP IN 1433
MSSQLSERVER - UDP IN 1434
RDP - TCP IN 3389

For application rules you will need to configure each service to accept inbound connections using the protocols and ports listed above.

Radaghast,

thank you for the reply. I did that in my tries, but I have a little difficulty understanding the relation between Global Rules (I know these are global and are evaluated before Application Rules for incoming connections) and Application Rules, and between Application Rules and Applications.

  1. I think if I define a global rule that allows all incoming traffic from a specific IP, why must I also define a rule to allow a specific app? Ex: I allow all incoming from my IP, so why must I define a rule for svchost:3389 to grant access?

  2. I use IIS, and IIS uses the inetinfo and w3wp processes. I defined those 2 processes as trusted. Why can't I connect on port 80? Why must I define a rule for System?

Besides that, I don't know what the priority is in rule evaluation. Let's assume these rules:

  1. allow incoming all ip on port 80
  2. allow incoming all ip on port 110
  3. block all incoming for all ip

If I try to access a webpage on that box, will my connection be granted or denied? Or, to have access, must I define the rules upside down like this:

  1. block all incoming for all ip
  2. allow incoming all ip on port 80
  3. allow incoming all ip on port 110?

Please, help me!

Thank you again!

Global rules simply open the door for something to be allowed in, but once something gets in, it needs somewhere to go. In other words, when you open a port in Global rules, data is allowed ingress to the PC, however, there needs to be a process listening on that port in Application rules to actually do something with the data.

2) I use IIS, and IIS uses the inetinfo and w3wp processes. I defined those 2 processes as trusted. Why can't I connect on port 80? Why must I define a rule for System?

I’d need to see your rules and firewall log entries to help answer that.

Besides that, I don't know what the priority is in rule evaluation. Let's assume these rules:
  1. allow incoming all ip on port 80
  2. allow incoming all ip on port 110
  3. block all incoming for all ip

If I try to access a webpage on that box, will my connection be granted or denied? Or, to have access, must I define the rules upside down like this:

  1. block all incoming for all ip
  2. allow incoming all ip on port 80
  3. allow incoming all ip on port 110?

Please, help me!

Thank you again!

Both Application rules and Global rules are hierarchical, that is, the rules are processed from the top down. Therefore, you should place your allow rules before your block rules.
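The two-stage check described in this reply (Global rules first, then the Application rules of the process that owns the listening socket, each list read top-down with the first match deciding), as an added Python model that is not Comodo's own code; the admin address, process names and port sets are constructed to match the original poster's requirements, and the "upside down" ordering from the question is included so both outcomes can be compared:

```python
# Constructed model (not Comodo's code) of the two-stage inbound check: Global rules
# first, then the Application rules of the listening process; top-down, first hit wins.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "ANY"

@dataclass
class Rule:
    action: str          # "Allow" or "Block"
    proto: str           # "TCP", "UDP" or ANY
    direction: str       # "IN" or "OUT"
    src: str = ANY       # ANY, one IP, or a CIDR block
    dport: object = ANY  # ANY, one port, or a set of ports (a "port set")

def matches(rule, proto, direction, src_ip, dport):
    if rule.direction != direction or (rule.proto != ANY and rule.proto != proto):
        return False
    if rule.src != ANY and ip_address(src_ip) not in ip_network(rule.src, strict=False):
        return False
    if rule.dport == ANY:
        return True
    return dport in (rule.dport if isinstance(rule.dport, set) else {rule.dport})

def first_match(rules, *pkt):
    """Top-down evaluation: the first matching rule decides; no match means Block."""
    for rule in rules:
        if matches(rule, *pkt):
            return rule.action
    return "Block"

def inbound_allowed(global_rules, app_rules, listener, proto, src_ip, dport):
    pkt = (proto, "IN", src_ip, dport)
    if first_match(global_rules, *pkt) != "Allow":
        return False  # the Global rules never opened the door
    # The listening process also needs an Allow: System for http.sys, svchost.exe for RDP
    return first_match(app_rules.get(listener, []), *pkt) == "Allow"

ADMIN_IP = "203.0.113.10"  # placeholder for the one admin source address
PUBLIC = Rule("Allow", "TCP", "IN", dport={80, 443, 21, 25, 110, 143})
DNS = Rule("Allow", ANY, "IN", dport=53)
ADMIN_ONLY = Rule("Allow", "TCP", "IN", src=ADMIN_IP, dport={3389, 1433})
BLOCK_ALL = Rule("Block", ANY, "IN")
GLOBAL_ALLOW_FIRST = [PUBLIC, DNS, ADMIN_ONLY, BLOCK_ALL]  # the order that works
GLOBAL_BLOCK_FIRST = [BLOCK_ALL, PUBLIC, DNS, ADMIN_ONLY]  # the "upside down" order
APP_RULES = {
    "System": [Rule("Allow", "TCP", "IN", dport={80, 443})],
    "svchost.exe": [Rule("Allow", "TCP", "IN", src=ADMIN_IP, dport=3389)],
}
```

With the block-first ordering every inbound packet hits the Block rule before any Allow is reached, and with an open Global rule but no Application rule for the listener the connection is still refused, which is the situation the question about port 80 and System describes.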

Thank you!

Attached are screenshots of my current configuration. I've cleaned up the AppRules and allowed some apps asked for by CF. Actually CF is disabled, because I can't lose access these days; a new project was deployed this week.
But I need to get CF working properly because every day the server receives a lot of connections trying to log in to the SQLServer and RDP services.

Help me, please!

Thank you in advance!


First things first. You do know that CIS is not supported on the server platform?

You make no mention of which mail server you're using or which specific services you require, as each will have their own requirements. Also, is this a publicly accessible server, or just available to other LAN clients? If it's publicly accessible, I'd seriously suggest you take some time to create specific rules to support the services you need to host. Using generic rules like trusted or allowing everything in and out is not a good idea.

With regard to Application rules, you'll need to change the rules for the System process, which you currently have blocked, and you really should lose the rules for Windows System Applications and Windows Updater Applications, as these rules have crossover with defined rules for the System process and svchost.exe.

As I mentioned in my earlier post, you will need to create both Application rules and Global rules to support each service, for example DNS.

To allow the DNS server service to function correctly (do you do zone transfers?) you will need a Global rule:

Action - Allow
Protocol - TCP and UDP
Direction - IN
Source Address - what ever is appropriate here
Destination Address - ANY or better, use the MAC address of the server
Source Port - ANY
Destination Port - 53

It would be even better to create two separate rules, one for TCP and one for UDP, but that's your choice.

To complement this Global rule, we’ll need an equivalent Application rule:

Application name: C:\Windows\System32\dns.exe
Action - Allow
Protocol - TCP and UDP
Direction - IN
Source Address - what ever is appropriate here
Destination Address - ANY or better, use the MAC address of the server
Source Port - ANY
Destination Port - 53

Action - Allow
Protocol - TCP and UDP
Direction - OUT
Source Address - ANY or better, use the MAC address of the server
Destination Address - ANY
Source Port - 53
Destination Port - ANY

A similar process will be needed for Internet Information Services. I’m assuming you’re using both the web services and the ftp services?

The Global rule(s) for HTTP and HTTPS would look something like:

Action - Allow
Protocol - TCP
Direction - IN
Source Address - what ever is appropriate here
Destination Address - ANY or better, use the MAC address of the server
Source Port - ANY
Destination Port - 80 (to support SSL add port 443. If you need other ports create a port set)

The Application rule(s) to complement this would look something like:

Application name: System
Action - Allow
Protocol - TCP
Direction - IN
Source Address - what ever is appropriate here
Destination Address - ANY or better, use the MAC address of the server
Source Port - ANY
Destination Port - 80 (to support SSL add port 443. If you need other ports create a port set)

For FTP your global rule would be something like:

Action - Allow
Protocol - TCP
Direction - IN
Source Address - what ever is appropriate here
Destination Address - ANY or better, use the MAC address of the server
Source Port - ANY
Destination Port - 21 (if you need sftp you’ll need to add port 990)

The Application rule(s) to complement this would look something like:

Application name: Svchost.exe
Action - Allow
Protocol - TCP
Direction - IN
Source Address - what ever is appropriate here
Destination Address - ANY or better, use the MAC address of the server
Source Port - ANY
Destination Port - 21 (if you need sftp you’ll need to add port 990)

Action - Allow
Protocol - TCP
Direction - OUT
Source Address - what ever is appropriate here
Destination Address - ANY or better, use the MAC address of the server
Source Port - 20
Destination Port - ANY

Action - Allow
Protocol - TCP
Direction - OUT
Source Address - what ever is appropriate here
Destination Address - ANY or better, use the MAC address of the server
Source Port - 989
Destination Port - ANY

If you need to support passive ftp you’ll need to adjust the ports accordingly.

For RDP/Terminal services your Global rule will be something like:

Action - Allow
Protocol - TCP
Direction - IN
Source Address - what ever is appropriate here
Destination Address - ANY or better, use the MAC address of the server
Source Port - ANY
Destination Port - 3389

And your complementary Application rule:

Application name: Svchost.exe
Action - Allow
Protocol - TCP
Direction - IN
Source Address - what ever is appropriate here
Destination Address - ANY or better, use the MAC address of the server
Source Port - ANY
Destination Port - 3389

With MSSQL you'll have to decide if you're using a static port or dynamic ports, as the rules will be different. There may also be some additional rules depending on which of the SQL services you use and to what use the database is put.

Basically, repeat the process outlined above for each service you wish to use, substituting the appropriate process name, protocols and port numbers, where appropriate.

Radaghast,

thank you very much! You helped me a lot. I know that it is not supported, but I also know that CF works fine, and soon I'll switch to ESM.

The only thing I still have trouble understanding is why, when I release IIS, I have to create a rule for System, but when I release RDP I have to release svchost.

But you helped me a lot!

One last question. Which service/process should I stop to regain access to the server if I have my access blocked by accident but am unable to stop services on it?

Like a lot of services that run under Windows, the Remote Desktop Service, or TermService, is a hosted process. Basically its service is loaded by svchost and not as an independent process; the same is true for the FTP service FTPSVC, hence connections are made to svchost.exe.

The Web services listener http.sys is a kernel mode process, as such it runs under the System process, which maintains the majority of the kernel mode system threads.

But you helped me a lot!

One last question. Which service/process should I stop to regain access to the server if I have my access blocked by accident but am unable to stop services on it?

That would really depend on how access has been blocked. Are you referring to something being blocked by CIS, or something happening in Windows?

Blocked by CIS. I ask this because sometimes I make some configuration that block my RDP access, but I still have access via my web host manager, that let me stop services and processes.

If you’re blocking access to terminal services in the firewall, you will need to open Network Security and remove the block manually, assuming the block originated from an Alert to which you chose remember.

If you’ve set the rules for svchost correctly, there should be no reason for RDP access to become blocked.