IP based via Hostname global rule

Hello, i’ve all my ports blocked via comodo firewall.

Except one, my remote desktop one (not default one). But i would like to add another layer of security to my remote desktop and close it except to my laptop.

I have a dinamic-dns service (no-ip), and i want to configure the firewall to “Allow in packets which come from XXX.no-ip.org at port YYYYY”, i have my laptop updating the no-ip IP, but it looks like comodo is blocking most packets (probably caching host resolution?).

My goal is to block every packet to that port except the ones coming from my laptop current IP (and others in same network but well… they are not my main concern).

Any1 knows how to do this? MAC wont work, also my laptop is inside public and secured networks (they dont prevent Remote desktop from running), so most times my laptop MAC wont come, or comodo doesnt seem to detect it :frowning:

I know its a little paranoic

I’m not sure I fully understand what you’re trying to do, so let me try to rephrase and see if it’s what I think.

You have a no-ip domain name that points to a service running on a specific PC?
You want only the laptop and maybe a few other computers on the same network, to access the service running on the PC with the service?
You want to block everything else from connecting to the service?

Is that about right?

Hello, its almost that.

I have a no-ip domain that points to a CLIENT PC. And a static-IP server which has every port blocked via comodo.
I want to only allow incoming traffic (in one port) which comes from that Client PC into the server.

Something like this:

Client which tries to connect to my server (they are in totally different networks, forget about “clients on same network thing”).
Comodo intercept packet which comes from the client and uses “global rules”.
Comodo updates myip.no-ip.org real IP (this doesnt seem to be working)
IF (ClientIP == myip.no-ip.org ← Any other way to identify my Client PC? MAC seems to dont be working) {
“Allow packet”
} else {
“Block packet”.

My problem is that the IP that points myip.no-ip.org can change, and comodo seems to have some kind of cache which uses over the real IP AT THIS TIME. ← This is only a guess, i cant say it exactly.

Thanks for reading,

Forgive me, I can be quite stupid at times. I’m still a little confused :embarassed:

Lets try this: (see image)

  1. The server has a name registered with no-ip.org
  2. The server needs to update the it’s ip address with no-ip.org, as it changes
  3. The firewall on the server needs to allow connections from the client, but needs to block other client connections.

I that’s correct it should be pretty straight forward, however, I’m unclear about the IP address of the client. Is it a static address or a dynamic address. If dynamic, who’s DHCP server issues the address?

In principle, it should be as simple as adding a inbound Global rule for the client computer (you said the MAC address didn’t work?) and adding Application rules for the server to update the IP address with no-ip.org.

The Global rule would look something like:

Action - Allow
Protocol - (Probably TCP)
Direction - IN
Source Address - (Some unique identifier for the client computer)
Destination Address - ANY (can use the MAC address of the server)
Source Port - (If specific use that or use ANY)
Destination Port - (The Port used by the service you wish to access)

This rule should be at the top of the list of Global rules, followed by a block rule for any other inbound attempts.

The Application rules for the DCU30.exe should allow:

Action - Allow
Protocol - UDP
Direction - OUT
Source Address - ANY (can use MAC)
Destination Address - -
Source Port - ANY
Destination Port - 8253

Action - Allow
Protocol - TCP
Direction - OUT
Source Address - ANY (can use MAC)
Destination Address - -
Source Port - ANY
Destination Port - 80

Action - Allow
Protocol - TCP
Direction - OUT
Source Address - ANY (can use MAC)
Destination Address - -
Source Port - ANY
Destination Port - 443

[attachment deleted by admin]

Its not you, its me, my english its kinda ■■■■■■.

The image its OK, but the no-ip.org one its the client, the one which has static IP its server. Also internet its between both PC, they are not in same LAN network.

DCU30.exe its no problem, i have it fully allowed on client. But when i add the rule to allow “myip.no-ip.org” in COMODO, it wont work after i change IP.

Theorically i know how to configure comodo, but its not working as expected, i suposse because the “no-ip” thing gets cached and wont update the real IP address inside comodo.

So you wish to create the following:

  • Client PC (IP dynamic, and registered at DDNS).
  • Internet
  • Server+CIS (Static IP) allow only Client PC access to Remote Desktop.

I think adding the host name to CIS rules won’t help here as they are only resolved at the CIS application startup, so if it changes in between it won’t “adapt” to the new DNS answer.

MAC won’t work as that’s only useful on a Layer2 Network (LAN) and can not be helpful on a Routed solution.
on MAC level all internet traffic will be coming from the routers MAC so you can’t make a difference there.

I don’t think this can be fixed by restricting the Source IP to only a single IP.
Is there a specific range where the client ip is in, you could restrict at least to that part of the ip space.

Yeah thats the case,

Thanks that was what was i thinking.

It would be great if something like “update DNS each X minutes” could be added, will deal with it anyways.

Thanks anyway, ill try to guess most-common ranges i use there.