How to allow running a server?

I’d like to run a web server on my Windows machine which is accessible from the public network.
How can I allow this in CIS? I fear I will need a step-by-step description if it is not because of a bug… :frowning:

When I disable CIS Firewall, it works, but not if it is enabled… :frowning:
I’ve tried to allow any IP traffic in Global Rules + allow IP traffic for the server application (tried Python’s SimpleHTTPServer and nginx.exe).
I can use the web server from localhost but not from other machines.
Any idea?

Update 1: hm… it’s weird… If I change General Settings → Configuration → CIS Internet Security to CIS Proactive or Firewall, then… everything is working as I want. But what is the problem with the Internet Security configuration?

When you make global and application rules you must set the direction to In and make sure that those allow In rules are above any block rules that you may have. For your example, create an allow In rule for TCP port 80 as such: Action=Allow, Protocol=TCP, Direction=In, Source Address=Any, Destination Address=Any, Source Port=Any, Destination Port=A Single Port, Port=80. Make sure this rule in your Global Rules is above any block rules, and make the same rule for the server application. You can also choose A Set of Ports for Destination Port Type and select HTTP Ports.
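As an added illustration (not code from this thread or from Comodo), the following Python model of an ordered, first-match rule list shows why the allow-In rule has to sit above any block rule: a manually added allow rule that ends up below a "block all incoming" rule is never reached, so the packet is blocked exactly as if the allow rule did not exist. The rule names, the two sample packets and the "misordered" list are constructed for the example and are a simplified model, not CIS's real rule engine.

```python
"""Simplified model of ordered, first-match firewall rule evaluation.

Constructed example, not Comodo code: the first rule that matches a packet
decides, and nothing after it is consulted. This is what makes rule order
matter for a Global Rules list.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY = None  # wildcard for a rule field


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "block"
    direction: str                   # "in", "out" or "in/out"
    protocol: Optional[str] = ANY    # "tcp", "udp", or ANY (plain IP rule)
    dst_port: Optional[int] = ANY    # destination port, or ANY
    log: bool = False                # "Block and Log" style rule
    name: str = ""                   # label for the trace

    def matches(self, pkt: Dict[str, object]) -> bool:
        """A rule matches when every non-wildcard field equals the packet's."""
        if self.direction != "in/out" and self.direction != pkt["direction"]:
            return False
        if self.protocol is not ANY and self.protocol != pkt["protocol"]:
            return False
        if self.dst_port is not ANY and self.dst_port != pkt["dst_port"]:
            return False
        return True


def evaluate(rules: List[Rule], pkt: Dict[str, object]) -> Tuple[str, Optional[str]]:
    """Return (action, rule name) of the first matching rule.

    Falls back to an implicit block when no rule matches, which is the
    safe default for a host firewall.
    """
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return "block", None


# Constructed rules modelled on the ones discussed in this thread.
ALLOW_OUT = Rule("allow", "out", name="Allow all outgoing")
BLOCK_ALL_IN = Rule("block", "in", log=True, name="Block all incoming (stealth)")
ALLOW_HTTP_IN = Rule("allow", "in", "tcp", 80, name="Allow TCP 80 in")


def misordered_rules() -> List[Rule]:
    """The allow rule was appended after the block-all rule: it is dead."""
    return [ALLOW_OUT, BLOCK_ALL_IN, ALLOW_HTTP_IN]


def corrected_rules() -> List[Rule]:
    """The allow-In rule is placed above the block rule, as advised."""
    return [ALLOW_HTTP_IN, ALLOW_OUT, BLOCK_ALL_IN]


# Constructed sample packets: a web request and an unrelated SMB probe.
HTTP_REQUEST = {"direction": "in", "protocol": "tcp", "dst_port": 80}
SMB_PROBE = {"direction": "in", "protocol": "tcp", "dst_port": 445}


def blocked_and_logged(rules: List[Rule], pkts: List[Dict[str, object]]) -> List[int]:
    """Destination ports that hit a logging block rule (what a Block and Log
    rule at the bottom would surface in the firewall log)."""
    logged = []
    for pkt in pkts:
        for rule in rules:
            if rule.matches(pkt):
                if rule.action == "block" and rule.log:
                    logged.append(int(pkt["dst_port"]))
                break
    return logged


if __name__ == "__main__":
    for label, rules in (("misordered", misordered_rules()), ("corrected", corrected_rules())):
        for pkt in (HTTP_REQUEST, SMB_PROBE):
            print(f"{label:10} port {pkt['dst_port']:>3}: {evaluate(rules, pkt)}")
```

With the misordered list the port 80 request is decided by the block-all rule and the allow rule never gets a vote; with the corrected order the request is allowed while the port 445 probe still falls through to the logging block rule, which is the behaviour the thread is trying to reach.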

Huhhh… it will be hard because of my poor English. :frowning:

I found in the CIS manual this:
“COMODO - Proactive Security - This configuration turns CIS into the ultimate protection machine. All possible protections are activated and all critical COM interfaces and files are protected.”
I thought that if I select Proactive Security, it would be set to a more secure mode than the Firewall or Internet Security config.
But… only the Internet Security config contains a global rule which blocks all incoming IP traffic. (IMHO this rule could cause all of my difficulties)
And another question: why does this rule block every incoming packet, even though I insert a rule before it which allows everything?

The rule which I’ve inserted in the first line of Global Rules:
Action: Allow
Protocol: IP (but tried with TCP or UDP too)
Direction: In and Out
Source address: Any Address
Destination: Any Address
IP Details: IP Protocol: Any

It had no effect, CIS continued blocking incoming packets.
That was yesterday…
Now I’ve tried it again, and now it is working… It’s funny. Sometimes it works, sometimes not… :frowning:

You need to have a rule to allow incoming traffic in Global Rules at port 80 and a rule in Application Rules for the server application.

Make a rule in Global Rules as futuretech describes:
Action: Allow
Protocol: TCP (assuming all the traffic is with this protocol)
Direction: In
Source address: Any Address
Destination address: Any Address or if you want to be more specific MAC address or IP (in case of a fixed internal IP address)
Source Port: Any
Destination Port: 80

Make sure this rule is on top of the Global Rules. If you want the Global Rules of Internet Security go to Stealth Ports Wizard and choose block incoming connections.

Never make one rule for incoming and outgoing traffic like you do. It will backfire when opening ports.

Once your Global Rules are updated make an application rule for your server application. Start with the Allowed Application policy. That is easiest when testing. Once the situation is working you can tweak this rule to make it more precise.

Yes, I’ve tried to do it, but yesterday it didn’t work (or did it? :frowning: ) for me. I don’t know why…
(now it is working)

But… there is a rule in Global Rules which blocks all IP traffic in the Internet Security config. It is missing from both the Proactive and Firewall security configs. Why?
When I use Internet Security, this rule blocks all incoming traffic, even if the firewall is set to Training mode. I’d like to understand this… :frowning:

There are two sets of Global Rules. The set of rules that is currently the default in the Internet Security configuration will alert the user for incoming traffic. The idea behind it is that it is an easy way to trust other computers on a LAN (when behind a router). The Stealth rules with the block rule at the bottom will block all incoming traffic instead of alerting the user. It boils down to preference which of the two systems of Global Rules you want to use.

Allowing all incoming traffic as you do is opening your computer completely to your LAN (assuming you are behind a router). It is not safe.

I am not familiar with using a web server. In case there are intricacies we don’t know about, we can let the firewall log events. First use the Stealth Ports Wizard as described in my previous post to set the Stealth set of Global Rules (with the block rule at the bottom). When set, go to Global Rules and change the block rule at the bottom to Block and Log.

Then make a rule in Global Rules as futuretech describes:
Action: Allow
Protocol: TCP (assuming all the traffic is with this protocol)
Direction: In
Source address: Any Address
Destination address: Any Address or if you want to be more specific MAC address or IP address (in case of a fixed internal IP address)
Source Port: Any
Destination Port: 80

Make sure this rule is on top of the Global Rules.

Then set up a rule for your server. Make a rule, choose to use the custom ruleset Outgoing Only, and add on top:
Action: Allow
Protocol: TCP (assuming all the traffic is with this protocol)
Direction: In
Source address: Any Address
Destination address: Any Address or if you want to be more specific MAC address or IP address (in case of a fixed internal IP address)
Source Port: Any
Destination Port: 80
When done, OK your way back to the main screen.

We now have two rules that allow incoming TCP traffic at port 80 and will report when other traffic is blocked. That blocking information might tell us if there is other traffic coming in that may need to be allowed as well. Hopefully the logs will create some clarity. The logs may catch a lot of chatter from other computers and the router on the local network. That needs to be filtered, of course.

Sorry… I’ve written a long answer, but while I was writing, the forum logged me out and my comment was lost… I can’t rewrite it :((

In short: it is possible that I found a little bug in CIS Firewall behavior. Changing Stealth Ports from Blocking All Incoming… to Alert… and vice versa reorders the Global Rules, putting the manually added rules at the end of the list. Using the Internet Security config, the fourth line in Global Rules is a “Block all incoming traffic” rule, and every rule which is added manually will be behind it, and will be ignored AFAIK.
IMHO it could have caused the above-mentioned “sometimes works, sometimes not” effect…

Allowing all incoming traffic doesn’t seem to be a security issue: CIS will alert me for every connection opened to Windows’ IP address. (but it will not hurt my virtual machines’ traffic)

I’d like to be detailed, but I can’t because of my lack of English… :frowning: (The last sentence was translated by Google; I hope it means what I want to tell you :wink: )