LAN setup using DHCP and hostnames

I agree with those requesting more detailed information/examples on setup and use. I’ve looked at the flash tutorial (nicely done BTW), but it doesn’t exactly work for me…

I’m using a DSL modem/router with NAT that assigns IPs to my home LAN PCs using DHCP. It was configured by the phone company and the LAN IPs change dramatically from time to time, so I’ve been using hostnames (w/ZA till now). I need to share printers and selected folders (using XP SP2), and don’t want anyone outside the LAN to be able to see them. Any help setting this up would be appreciated! (I’d rather not have to switch to static IPs, unless it is a significant security boost.)

Finally, one concern with full trusted status within the LAN is if one of my less sophisticated users (who shall go unnamed) falls prey to (installs) malware that tries to infect the other machines. Can the setup just allow the necessary sharing without opening the floodgates?

Thanks,
Bruce

Additional Info: Setting up hostname network rules showed bogus IP addresses for all nodes except the computer running CPF – until I used the zone wizard to set up a zone for the entire network. I then got connectivity (and valid IPs), but why should that have been necessary? I guess my questions still stand.

G’day,

Firstly welcome to the forums.

Thanks. There will be some more on different topics shortly.

I'm using a DSL modem/router with NAT that assigns IPs to my home LAN PCs using DHCP. It was configured by the phone company and the LAN IPs change dramatically from time to time

The router should assign internal LAN IPs based upon a declared range - generally 192.168.X.X. While the individual IPs may change, you should still be able to define a zone as being from 192.168.0.0 to 192.168.255.255. The 192.168 range is a declared private address range that is non-routable over the internet and is the one most commonly used. The alternative private address range is 172.16.X.X. If your router is hopping between these two ranges, you could define two zones, the one described above and the second from 172.16.0.0 to 172.16.255.255.

(I'd rather not have to switch to static IPs, unless it is a significant security boost.)

Any particular reason why you don’t want to have static IPs? I always find it handy to be able to tell from the logs which particular unnamed in my household is causing stuff. Yes, teenagers are like viruses - universally spread over the globe and no better in any one particular corner. LOL

Finally, one concern with full trusted status within the LAN is if one of my less sophisticated users (who shall go unnamed) falls prey to (installs) malware that tries to infect the other machines. Can the setup just allow the necessary sharing without opening the floodgates?

You could tighten the default zone rule by changing ANY port to a range of ports 138 - 139.

Additional Info: Setting up hostname network rules showed bogus IP addresses for all nodes except the computer running CPF – until I used the zone wizard to set up a zone for the entire network. I then got connectivity (and valid IPs), but why should that have been necessary? I guess my questions still stand.

The zone wizard seems to work by detecting the IP in use on the PC running CPF and creating an all-encompassing rule for all IPs within that subnet. Why should that have been necessary? To make sure that all devices on the same subnet as the PC running CPF can send/receive data to/from the PC running CPF.

You are ensuring that all PCs behind the router are running CPF, aren’t you?

Again, welcome to the forums.

Ewen :slight_smile:
(WCF3)
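As an added illustration (not from the thread, and not Comodo's own code), here is a small Python model of the two ideas Ewen gives above: a trusted zone defined as a whole private range, so it keeps working when DHCP hands out different addresses, and a zone rule tightened from ANY port to 138-139. The rule structure, function names and all IP addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Zones exactly as the reply defines them: whole private ranges, so the
# individual DHCP-assigned addresses inside them do not matter.
ZONES = {
    "LAN-192": ipaddress.ip_network("192.168.0.0/16"),  # 192.168.0.0 - 192.168.255.255
    "LAN-172": ipaddress.ip_network("172.16.0.0/16"),   # 172.16.0.0 - 172.16.255.255
}


@dataclass(frozen=True)
class Rule:
    """Hypothetical rule shape: traffic from `zone` may reach ports low..high."""
    zone: str
    low_port: int
    high_port: int


# "Floodgates" rule: the zone may reach ANY port on this PC.
OPEN_RULES = [Rule("LAN-192", 1, 65535), Rule("LAN-172", 1, 65535)]
# Tightened rule from the reply: only the sharing ports 138-139.
TIGHTENED_RULES = [Rule("LAN-192", 138, 139), Rule("LAN-172", 138, 139)]


def zone_for(ip: str) -> Optional[str]:
    """Return the trusted zone an address falls in, or None if it is outside all zones."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def decide(src_ip: str, dst_port: int, rules: List[Rule]) -> str:
    """Allow only if the source is in a trusted zone AND a rule for that zone covers the port."""
    zone = zone_for(src_ip)
    if zone is None:
        return "deny"  # e.g. an internet source: never inside a private zone
    for r in rules:
        if r.zone == zone and r.low_port <= dst_port <= r.high_port:
            return "allow"
    return "deny"


def evaluate(attempts: List[Tuple[str, int]], rules: List[Rule]) -> List[str]:
    """Run a constructed list of (source IP, destination port) attempts through a rule set."""
    return [decide(ip, port, rules) for ip, port in attempts]


if __name__ == "__main__":
    # Constructed sample: the same LAN PC before and after a DHCP change, the router,
    # an outside address, and a LAN PC probing a non-sharing port.
    sample = [("192.168.1.37", 139), ("192.168.1.52", 139), ("192.168.1.254", 138),
              ("203.0.113.10", 139), ("192.168.1.37", 3389)]
    print(evaluate(sample, OPEN_RULES))       # LAN sources all allowed, outsider denied
    print(evaluate(sample, TIGHTENED_RULES))  # port 3389 from the LAN is now denied too
```

The last attempt is the point of tightening: a compromised LAN machine is still in the trusted zone, so only the port range limits what it can reach.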

Ewen,

Thanks for your quick and detailed reply. You’re pretty active on this forum. Do you have a day job :slight_smile: (or is it at Comodo)? Seriously, I’m grateful for your help.

You mentioned defining a couple of broad non-routable ranges. Since these would include the router’s LAN-side address, would that make me more vulnerable to internet traffic coming through it, or are only the endpoint IPs important? Come to think of it, why does the computer need to be told the IP of the router in the first place (assuming static IP for a moment)? Can’t it figure it out automatically during the connection process (pardon my ignorance of the details)?

You make a good point there. Funny you should guess what I was referring to :D! On second thought, if I do use hostnames, won’t they show in the logs, thus identifying the source? The other reason I thought about staying with DHCP is that if I switch to static IPs, don’t I then have to specify (to WinXP) the default gateway IP (which can change)?

The zone wizard seems to work by detecting the IP in use on the PC running CPF and creating an all-encompassing rule for all IPs within that subnet. Why should that have been necessary? To make sure that all devices on the same subnet as the PC running CPF can send/receive data to/from the PC running CPF.

I agree with you about what the wizard does; the rules it creates are simple and easy to understand. But why wouldn't the analogous rules I created using hostnames work on their own, without a "kick-start" from the rules created by the wizard? It wasn't necessary under ZA (free version). Also, it shouldn't matter that I'm only testing CPF on one machine right now, should it?

Additional question: The dialog for the zone wizard implies that you should be able to see available network resources without creating the local zone (just that you can’t share your resources without such a zone and rules). I couldn’t see anything on the network without these. Can you clear this up?

Thanks,
Bruce

NP. Yes, I’ve got a day job and no, it’s not at Comodo. I do SAP security for a Government agency, but I enjoy helping out on this forum. Comodo are creating great products for the right reasons. Their software has helped me, so it only seems fair to help out here.

You mentioned defining a couple of broad non-routable ranges. Since these would include the router's LAN-side address, would that make me more vulnerable to internet traffic coming through it, or are only the endpoint IPs important?

No, you aren’t any more vulnerable. The non-routable addresses I mentioned CANNOT come from the internet. These address ranges are only for internal LAN usage.

Come to think of it, why does the computer need to be told the IP of the router in the first place (assuming static IP for a moment)? Can't it figure it out automatically during the connection process (pardon my ignorance of the details)?

The firewall needs to know the address of the router because the traffic coming from the other PCs in your LAN gets to your PC via the router. This is why it’s best to define a zone that includes all the IPs in the subnet your LAN is using.

You make a good point there. Funny you should guess what I was referring to :D! On second thought, if I do use hostnames, won't they show in the logs, thus identifying the source? The other reason I thought about staying with DHCP is that if I switch to static IPs, don't I then have to specify (to WinXP) the default gateway IP (which can change)?

The internal address of your router on your network IS the internet gateway for your network. This should not change. My home network has PCs with IP addresses from 192.168.1.1 to 192.168.1.100. The router’s address is 192.168.1.254. This “254” address is the one entered as the gateway in the properties of the network connection.

Also, it shouldn't matter that I'm only testing CPF on one machine right now, should it?

  1. Your PC is protected from the internet by CPF
  2. You have configured CPF to allow all traffic from the internal LAN to your PC
  3. Your “unnamed one” is inside your internal LAN and is unprotected by CPF

What makes you think his unprotected PC isn’t already sending ■■■■ across the LAN, even as we speak? Me, I would have put CPF on his PC first. A network consists of separate objects - each of these separate objects needs to be protected. A network mandates that the security that is applied to one PC on the LAN be replicated on the other PCs on the same LAN.

Consistency and constancy. These are some of the fundamental aims of network security.

Additional question: The dialog for the zone wizard implies that you should be able to see available network resources without creating the local zone (just that you can't share *your* resources without such a zone and rules). I couldn't see anything on the network without these. Can you clear this up?

Stuffed if I know? LOL.
I used the rule - it worked - I stopped looking. Call me lazy and you’d be right. :wink:

Thanks,
Bruce

Ewen,

I can sympathize with being a pragmatist. We don’t have unlimited time for this.

Do you know offhand whether hostnames will show in the logs (I’ve been too lazy to try to test this)?

I understand what you’re saying about the router’s IP = gateway IP, but mine has changed from time to time (I’m pretty sure), as the phone company evidently has some control over the locally assigned DHCP addresses (and ranges). I’ll check with them to see if this is really true, or if my [biological] memory is faulty.

I think you misunderstood me about testing CPF on one machine. I’ve been running ZA on all the machines in my network, and just replaced it with CPF on one machine for testing. The others are still running ZA. I realize that all endpoints need security (w/o an external h/w firewall).

Finally, and most important: when I tested using only hostname rules for my trusted machines, initially I found that with CPF I could only see my other machines after I had “kickstarted” it by temporarily using the wizard to create network-wide IP-based rules, which I later deleted. After that, it seemed to see all but one of my machines. Related, I took a couple of them down, reset the router, and brought them up in a different order to force different IP assignments (via DHCP). No more kickstarting was required, but it appears that it took a restart on the CPF machine to get it to see the machines with the (now swapped) IP addresses. A 4th machine that was sitting idle with ZA saw every machine on the network with no special action. Do you know if there are any hostname based configuration problems? Maybe this should be directed to egemen?

Thanks,
Bruce