Hello, I have all my ports blocked via Comodo firewall.
Except one, my Remote Desktop one (not the default one). But I would like to add another layer of security to my Remote Desktop and close it to everything except my laptop.
I have a dynamic-DNS service (No-IP), and I want to configure the firewall to “Allow in packets which come from XXX.no-ip.org at port YYYYY”. I have my laptop updating the No-IP IP, but it looks like Comodo is blocking most packets (probably caching host resolution?).
My goal is to block every packet to that port except the ones coming from my laptop’s current IP (and others in the same network, but well… they are not my main concern).
Anyone know how to do this? MAC won’t work; also my laptop is inside public and secured networks (they don’t prevent Remote Desktop from running), so most times my laptop’s MAC won’t come through, or Comodo doesn’t seem to detect it.
I’m not sure I fully understand what you’re trying to do, so let me try to rephrase and see if it’s what I think.
You have a no-ip domain name that points to a service running on a specific PC?
You want only the laptop, and maybe a few other computers on the same network, to access the service running on the PC with the service?
You want to block everything else from connecting to the service?
I have a No-IP domain that points to a CLIENT PC, and a static-IP server which has every port blocked via Comodo.
I want to only allow incoming traffic (on one port) which comes from that client PC into the server.
Something like this:
Client tries to connect to my server (they are in totally different networks; forget about the “clients on same network” thing).
Comodo intercepts the packet which comes from the client and uses “global rules”.
Comodo updates myip.no-ip.org’s real IP (this doesn’t seem to be working)
IF (ClientIP == myip.no-ip.org ← Any other way to identify my client PC? MAC doesn’t seem to be working) {
“Allow packet”
} else {
“Block packet”.
}
My problem is that the IP that myip.no-ip.org points to can change, and Comodo seems to have some kind of cache which it uses instead of the real IP AT THIS TIME. ← This is only a guess, I can’t say exactly.
The server needs to update its IP address with no-ip.org as it changes.
The firewall on the server needs to allow connections from the client, but needs to block other client connections.
If that’s correct, it should be pretty straightforward; however, I’m unclear about the IP address of the client. Is it a static address or a dynamic address? If dynamic, whose DHCP server issues the address?
In principle, it should be as simple as adding an inbound Global rule for the client computer (you said the MAC address didn’t work?) and adding Application rules for the server to update the IP address with no-ip.org.
The Global rule would look something like:
Action - Allow
Protocol - (Probably TCP)
Direction - IN
Source Address - (Some unique identifier for the client computer)
Destination Address - ANY (can use the MAC address of the server)
Source Port - (If specific use that or use ANY)
Destination Port - (The Port used by the service you wish to access)
This rule should be at the top of the list of Global rules, followed by a block rule for any other inbound attempts.
The Application rules for DCU30.exe should allow:

Action - Allow
Protocol - UDP
Direction - OUT
Source Address - ANY (can use MAC)
Destination Address - 69.72.128.0 - 69.72.255.255
Source Port - ANY
Destination Port - 8253

Action - Allow
Protocol - TCP
Direction - OUT
Source Address - ANY (can use MAC)
Destination Address - 204.16.252.0 - 204.16.255.255
Source Port - ANY
Destination Port - 80

Action - Allow
Protocol - TCP
Direction - OUT
Source Address - ANY (can use MAC)
Destination Address - 204.16.252.0 - 204.16.255.255
Source Port - ANY
Destination Port - 443
The image is OK, but the no-ip.org one is the client; the one which has the static IP is the server. Also, the internet is between both PCs; they are not in the same LAN.
DCU30.exe is no problem; I have it fully allowed on the client. But when I add the rule to allow “myip.no-ip.org” in COMODO, it won’t work after I change IP.
Theoretically I know how to configure Comodo, but it’s not working as expected, I suppose because the “no-ip” thing gets cached and won’t update the real IP address inside Comodo.
Server+CIS (static IP) allows only the client PC access to Remote Desktop.
Right?
I think adding the host name to CIS rules won’t help here, as they are only resolved at CIS application startup, so if it changes in between, it won’t “adapt” to the new DNS answer.
MAC won’t work, as that’s only useful on a Layer 2 network (LAN) and cannot help in a routed setup.
On the MAC level all internet traffic will be coming from the router’s MAC, so you can’t tell the difference there.
I don’t think this can be fixed by restricting the Source IP to only a single IP.
Is there a specific range that the client IP is in? You could restrict at least to that part of the IP space.
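Added example, not code from this thread, Comodo or No-IP: since the firewall only resolves the host name when it starts, the workaround is to re-resolve the No-IP name yourself on a schedule and rewrite the allow rule’s source address whenever the answer changes. The script below assumes the rule is managed with Windows’ own netsh advfirewall (Comodo has no command line for its Global rules), that an inbound allow rule named RULE_NAME already exists for the Remote Desktop port, and that the host name is the myip.no-ip.org placeholder from the posts above. The resolver and the apply step are injectable so the logic can be exercised offline.

```python
"""Keep a firewall allow rule in sync with a dynamic-DNS (No-IP) hostname.

Added example for this thread, not Comodo's or No-IP's own code. It assumes
the rule is managed with Windows' "netsh advfirewall" (Comodo exposes no
command line for its Global rules) and that an inbound allow rule named
RULE_NAME already exists for the Remote Desktop port.
"""
import ipaddress
import socket
import subprocess
import time
from typing import Callable, List, Optional, Tuple

RULE_NAME = "RDP from laptop"      # assumed name of the existing inbound allow rule
DDNS_HOST = "myip.no-ip.org"       # the client's No-IP name (placeholder from the thread)
POLL_SECONDS = 60                  # how often DNS is re-checked

# Source addresses that must never end up in the rule: if the DDNS record is
# stale, hijacked, or answers 0.0.0.0, the old rule is kept rather than opening
# the port to a whole private range or to a useless address.
NOT_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def is_routable_public(ip: str) -> bool:
    """True only for an IPv4 address outside the non-routable ranges above."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    if addr.version != 4:
        return False
    return not any(addr in net for net in NOT_ROUTABLE)


def resolve_public_ipv4(host: str,
                        resolver: Callable[[str], str] = socket.gethostbyname) -> str:
    """Resolve host right now (bypassing the firewall's startup-time cache) and validate."""
    ip = resolver(host)
    if not is_routable_public(ip):
        raise ValueError(f"{host} resolved to non-routable address {ip}; rule left unchanged")
    return ip


def build_update_command(rule_name: str, ip: str) -> List[str]:
    """netsh command that narrows the rule's remote address to a single IP."""
    return ["netsh", "advfirewall", "firewall", "set", "rule",
            f"name={rule_name}", "new", f"remoteip={ip}"]


def sync_rule(host: str, last_ip: Optional[str],
              resolver: Callable[[str], str] = socket.gethostbyname,
              apply: Optional[Callable[[List[str]], object]] = None) -> Tuple[str, bool]:
    """Re-resolve host and rewrite the rule only when the address changed.

    Returns (current_ip, changed). 'apply' defaults to running netsh; tests pass
    a recorder instead so nothing is executed.
    """
    ip = resolve_public_ipv4(host, resolver)
    if ip == last_ip:
        return ip, False
    cmd = build_update_command(RULE_NAME, ip)
    if apply is None:
        subprocess.run(cmd, check=True)   # needs an elevated prompt on Windows
    else:
        apply(cmd)
    return ip, True


if __name__ == "__main__":
    last: Optional[str] = None
    while True:
        try:
            last, changed = sync_rule(DDNS_HOST, last)
            if changed:
                print(f"rule '{RULE_NAME}' now allows {last}")
        except (socket.gaierror, ValueError, subprocess.CalledProcessError) as exc:
            print(f"sync skipped: {exc}")
        time.sleep(POLL_SECONDS)
```

Two caveats that follow from the thread: between the laptop’s IP changing and the next successful poll, the old address is still allowed and the new one is blocked, so POLL_SECONDS should be no longer than the No-IP record’s TTL; and because the rule matches a source address, anything NATed behind the same public IP as the laptop (the “others in same network” case from the first post) passes as well.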