And now for the Global Rules.
Your machine is running as an Internet facing ICS host, which gives you a different kind of rule structure from the usual Windows setup. You have to provide services and connections for another machine, while keeping that machine safe. You have to provide DHCP address assignments, provide Internet accessible services, and still have a usable machine. Not an easy combination.
I’ll start with the basic structure of rules for an ICS machine, and note places where other rules will be added later on. This will make it easier to understand what the rules are, and so make it easier to change them later, as needed.
This adds one network zone to your existing definitions: Multicast, defined as 224.0.0.0/240.0.0.0. It covers that special purpose LAN-only broadcast address space.
A reminder that CFP processes Global Rules in sequence: first match wins.
Here’s the proposed ICS ruleset:
[0] Allow UDP In/Out From IP Any To IP [255.255.255.255] Where Source port is [67-68] and Destination port is [67-68]
[1] Allow IP In/Out From Zone [Local Area Network #1] To Zone [Local Area Network #1] Where protocol is any
[2] Allow IP In/Out From Zone [Local Area Network #1] To Zone [Multicast] where protocol is any
[3] Block TCP Or UDP In/Out From IP Any To IP Any Where Source Port Is Any And Destination Port Is In [Problematicos]
[4] Allow TCP or UDP Out From Zone [Local Area Network #1] To IP Any where Source Port is any and Destination Port is any
[5] Allow ICMP Out From Zone [Local Area Network #1] To IP Any where ICMPmessage is any
[6] Block IP Out From Zone [Local Area Network #1] To IP Any where protocol is any
[7] Hamachi rules go here
[8] Allow ICMP In From IP Any To IP Any where ICMPmessage is PortUnreachable
[9] Allow ICMP In From IP Any To IP Any where ICMPmessage is HostUnreachable
[10] Allow ICMP In From IP Any To IP Any where ICMPmessage is TimeExceeded
[11] Allow ICMP In From IP Any To IP Any where ICMPmessage is FragmentationNeeded
[12] Allow ICMP In From IP Any To IP Any where ICMPmessage is NetUnreachable
[13] inbound Internet accessible port rules go here
[14] Block&Log IP In From IP Any to IP Any where protocol is any
Now, to explain what this proposed ruleset is trying to do:
Rule 0 is the DHCP rule. Because your machine is an ICS host, providing dynamic addresses, you’ve got to make sure that the address request packets get thru the rules. Putting this rule first does that.
Rules 1 and 2 allow your LAN (your machine, and the other machine) to talk to each other, using whatever protocols and addressing they need. And, by restricting to be ‘from your LAN’, the ruleset is tightened up considerably.
Rule 3 is the Netbios/Windows networking blocking rule. Only your LAN should have access to those Netbios ports.
Rules 4, 5 and 6 allow your LAN to talk outbound to the Internet. Note that rule 6 is a blocking rule. There are a lot of other Internet protocols. This blocking rule makes sure that only the allowed TCP, UDP, and ICMP protocols are used.
Rules 8 thru 12 allow ICMP error messages to come in from the Internet. These may be coming to your machine, or to the other machine. CFP is limited in how it handles ICMP traffic, in that it doesn’t really have a selective ‘any’ on the ICMP types. So it is necessary to list them, one by one. These 5 rules cover the most common error conditions encountered on the Internet.
Rule 14 is the universal blocking rule. Anything not explicitly allowed is blocked here. You’ll need to watch your CFP log to find out if you need to change the rules.
Note that with this basic ruleset, you are ‘fully stealthed’ to the Internet. Your machine and the other machine on your LAN can get out to the Internet, but nothing from the Internet can contact any machine on your LAN.
Since this proposed basic ruleset doesn’t have any rules allowing Internet accessible servers, some additional rules are needed. I’ve marked the placeholder where the rules should go. In your earlier postings, you had an Apache server running on port 6060 and 6080. Using that as an example, you would have these two rules:
[13.1] Allow TCP In From IP Any To IP [192.168.0.1] where Source Port is any and Destination Port is 6060
[13.2] Allow TCP In From IP Any To IP [192.168.0.1] where Source Port is any and Destination Port is 6080
Your ICS host machine IP address is always 192.168.0.1, and since that is where the Apache server is running (and nowhere else on your LAN), that is your rule destination address. The destination port is where the server is listening. The direction ‘In’ means that CFP is exposing this IP address and port to the Internet.
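To see how the first-match ordering plays out, here is a small Python model of the ruleset above, including the two Apache rules at slot 13 (an added example, not CFP's engine or anything from the original post). It assumes Local Area Network #1 is 192.168.0.0/24, that Problematicos holds the usual NetBIOS/SMB ports, and it leaves the Hamachi slot (rule 7) empty; the sample packets are constructed.

```python
import ipaddress

# Constructed model of the ICS Global Rules; this is not CFP's own engine.
# Assumed zone definitions (the page only gives the Multicast one): Local Area
# Network #1 = 192.168.0.0/24, Multicast = 224.0.0.0/4. "Problematicos" is
# assumed to be the NetBIOS/SMB ports the text refers to.
LAN = ipaddress.ip_network("192.168.0.0/24")
MULTICAST = ipaddress.ip_network("224.0.0.0/4")
PROBLEMATICOS = {135, 137, 138, 139, 445}
ICS_HOST = "192.168.0.1"
ICMP_ERRORS = {"PortUnreachable", "HostUnreachable", "TimeExceeded",
               "FragmentationNeeded", "NetUnreachable"}

def pkt(dir, proto, src, dst, sport=0, dport=0, icmp=None):
    # Minimal packet description: direction 'in'/'out', protocol, addresses, ports.
    return dict(dir=dir, proto=proto, src=ipaddress.ip_address(src),
                dst=ipaddress.ip_address(dst), sport=sport, dport=dport, icmp=icmp)

# (label, action, match) in CFP order; rule 7 (Hamachi) is left out of the model.
RULES = [
    ("0 dhcp", "allow", lambda p: p["proto"] == "udp" and str(p["dst"]) == "255.255.255.255"
                               and p["sport"] in (67, 68) and p["dport"] in (67, 68)),
    ("1 lan-lan", "allow", lambda p: p["src"] in LAN and p["dst"] in LAN),
    ("2 lan-mcast", "allow", lambda p: p["src"] in LAN and p["dst"] in MULTICAST),
    ("3 netbios", "block", lambda p: p["proto"] in ("tcp", "udp") and p["dport"] in PROBLEMATICOS),
    ("4 lan-out", "allow", lambda p: p["dir"] == "out" and p["proto"] in ("tcp", "udp") and p["src"] in LAN),
    ("5 icmp-out", "allow", lambda p: p["dir"] == "out" and p["proto"] == "icmp" and p["src"] in LAN),
    ("6 other-out", "block", lambda p: p["dir"] == "out" and p["src"] in LAN),
    ("8-12 icmp-err", "allow", lambda p: p["dir"] == "in" and p["proto"] == "icmp" and p["icmp"] in ICMP_ERRORS),
    ("13.1 apache", "allow", lambda p: p["dir"] == "in" and p["proto"] == "tcp"
                                     and str(p["dst"]) == ICS_HOST and p["dport"] == 6060),
    ("13.2 apache", "allow", lambda p: p["dir"] == "in" and p["proto"] == "tcp"
                                     and str(p["dst"]) == ICS_HOST and p["dport"] == 6080),
    ("14 default", "block", lambda p: True),
]

def evaluate(p, rules=RULES):
    """First match wins, exactly as CFP walks its Global Rules."""
    for label, action, match in rules:
        if match(p):
            return action, label
    return "block", "fallthrough"   # unreachable while rule 14 is present

if __name__ == "__main__":
    samples = {  # constructed packets; 203.0.113.5 stands in for an Internet host
        "DHCP discover from client": pkt("in", "udp", "0.0.0.0", "255.255.255.255", 68, 67),
        "LAN file sharing": pkt("in", "tcp", "192.168.0.2", ICS_HOST, 49152, 445),
        "Internet SMB probe": pkt("in", "tcp", "203.0.113.5", ICS_HOST, 40000, 445),
    }
    for name, p in samples.items():
        print(f"{name:28s} -> {evaluate(p)}")
```

Passing a reordered list to `evaluate` shows why rule 3 must sit below rules 1 and 2: put the Netbios block first and LAN file sharing between the two machines is blocked too.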
I don’t have any experience with Hamachi, so my attempt at workable rules may not be workable. But, here goes:
[7.1] Block TCP In From IP Any to Zone [Mi Hamachi] where Source Port is any and Destination port is 6060
[7.2] Allow IP In/Out From Zone [Mi Hamachi] To Zone [Mi Hamachi] where protocol is any
[7.3] Block IP In/Out From Zone [Mi Hamachi] To IP Any where protocol is any
[7.4] Block IP In/Out From IP Any to Zone [Mi Hamachi] where protocol is any
I’m following the basic rule structure for VPN connections in these Hamachi rules. The intent is to keep Hamachi traffic within the Hamachi address space, and keep non-Hamachi traffic out. This will not keep Hamachi traffic from accessing your machine, as servers on your machine will attach themselves to your machine’s Hamachi address. If, for example, you don’t want your Apache web server accessible in the Hamachi address space, you will need to protect the port, following the example of rule 7.1.
When you get all the details worked out, you’ll have a very extensive ruleset. ;D