Laptop Profiles?

Laptop users have particular needs that vary depending upon the connection, e.g.:
A HOME LAN environment (wired or wireless) where sharing is appropriate VS.
hotspot connections away from home where ISOLATION is mandatory, and perhaps
a work environment where sharing is required BUT the subnet is totally different,
e.g. 10.x.x.x vs 192.168.x.x

  1. Can Comodo address these needs with Network Profiles to select the active rule set?

The Work vs. Home issue can be addressed with multiple Trusted Networks and duplicate
rules varied upon the T.N.

  2. Is there any means to EXPORT / IMPORT the rule sets (network in particular)?

This is a feature that will be added in the firewall in the future. Maybe in v3.0 (just guessing)

There is a script that you can use to save/load the configuration:

https://forums.comodo.com/index.php/topic,2366.0.html

#2 is a help; my intent is to assist others in the configuration of the firewall.

#1 is my major need; moving from my LAN to a hotspot requires a reconfiguration and disabling of the sharing rules.
While I dislike Norton IS, it did handle this very nicely by recognizing that the NIC address did not match
the existing rules (not sure whether it trapped on the Trusted Network or just what).

jobeard,

I move my laptop from work to home on occasion… Perhaps what I have done will work with/for you.

I have created separate Zones (Computer Work, Computer Home, Home DNS, Work DNS, Work LAN, etc). Each of those defines the IP range in question (which is always static, being behind a router in each case…). Where I need to, I take a Zone and turn it into a Trusted Network (which is needed for file sharing, ICS, network printing, etc).

Then I can set up my Network Monitor with sets of Rules for each scenario, to allow traffic as needed. The rules always stay the same; I don’t remove them, and I am able to connect in accordance with those rules. This does take some effort; it’s not a single-click solution, but it works for me. I know the “Profile” approach is in the Wishlist; I have a good degree of confidence for its inclusion to a future version.

Hope this helps,

LM
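The "recognize which network I am on, then switch rule sets" behaviour jobeard describes (and the Zones/Trusted Networks workaround LM outlines) can be scripted outside the firewall. The following is an added example, not code from this thread or from Comodo: it keys the choice of profile on the default gateway's MAC address as seen in the Windows `arp -a` table, not on the subnet alone, because a hotspot can hand out the same 192.168.0.x addresses as the home LAN. The profile table, MAC addresses and ARP output below are constructed for the example; anything that does not match a known network falls back to an isolated "hotspot" profile.

```python
"""Pick a firewall profile from the network the laptop is actually on.

Added example (not from the thread or from Comodo). The gateway MAC is read
from the output of the Windows 'arp -a' command; both the subnet and the
gateway MAC must match a known profile, otherwise the isolated profile wins.
"""
from ipaddress import ip_address, ip_network

# Known networks: subnet plus the MAC of the router seen on that subnet.
# Constructed values for the example, not real equipment.
KNOWN_PROFILES = {
    "home": {"subnet": "192.168.0.0/24", "gateway_mac": "00-11-22-aa-bb-cc"},
    "work": {"subnet": "10.0.0.0/8",     "gateway_mac": "00-11-22-dd-ee-ff"},
}
ISOLATED_PROFILE = "hotspot"   # unknown network => sharing rules stay off


def parse_arp_table(text):
    """Parse Windows 'arp -a' output into {ip: mac}.

    Entry lines look like '  192.168.0.1  00-11-22-aa-bb-cc  dynamic'; the
    'Interface:' and column-header lines are skipped.
    """
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[2] in ("dynamic", "static"):
            try:
                table[str(ip_address(parts[0]))] = parts[1].lower()
            except ValueError:
                continue   # not an address, ignore the line
    return table


def select_profile(local_ip, gateway_ip, arp_table, profiles=KNOWN_PROFILES):
    """Return the profile name to activate for the current network.

    Requires BOTH the local address and the gateway to sit inside a profile's
    subnet AND the gateway MAC to match; anything else is an untrusted hotspot.
    """
    gateway_mac = arp_table.get(gateway_ip)
    if gateway_mac is None:
        return ISOLATED_PROFILE          # gateway not resolved yet: stay isolated
    for name, prof in profiles.items():
        net = ip_network(prof["subnet"])
        if (ip_address(local_ip) in net and ip_address(gateway_ip) in net
                and gateway_mac == prof["gateway_mac"].lower()):
            return name
    return ISOLATED_PROFILE


# Constructed sample ARP output. The hotspot uses the same 192.168.0.0/24
# subnet as home, but its router has a different MAC.
HOTSPOT_ARP = """
Interface: 192.168.0.37 --- 0xb
  Internet Address      Physical Address      Type
  192.168.0.1           5c-aa-bb-cc-dd-ee     dynamic
  192.168.0.255         ff-ff-ff-ff-ff-ff     static
"""
HOME_ARP = """
Interface: 192.168.0.5 --- 0xb
  Internet Address      Physical Address      Type
  192.168.0.1           00-11-22-AA-BB-CC     dynamic
"""

if __name__ == "__main__":
    print(select_profile("192.168.0.5", "192.168.0.1", parse_arp_table(HOME_ARP)))
    print(select_profile("192.168.0.37", "192.168.0.1", parse_arp_table(HOTSPOT_ARP)))
```

On a real laptop the ARP text would come from running `arp -a` after the DHCP lease is obtained. A gateway MAC can be spoofed, so this identifies which network you are probably on; it is not proof the network is safe. The safe failure mode is the one coded here: anything unrecognized gets the isolated profile.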

Tried the script – works as designed :)

However, it is a total export for CPF; all applications, components, and network monitoring are captured.

For my intent (changing networks), it needs to control only the Network Monitoring.
Apps and Components should be sufficient as-is, or relearned on a new system per the existing
user's requirements.

I have created separate Zones (Computer Work, Computer Home, Home DNS, Work DNS, Work LAN, etc). Each of those defines the IP range in question (which is always static, being behind a router in each case...). Where I need to, I take a Zone and turn it into a Trusted Network (which is needed for file sharing, ICS, network printing, etc).

This has potential – EXCEPT for the use of static IP addresses. DHCP is used for all hotspots and most
infrastructures (i.e. IS departments; only servers get static addresses). Personally, I use MAC filtering
in my router and limit the trusted network to a small portion of the LAN (2-10). At home at least, I can allow a friend to connect and get access but not participate in file/print sharing, and thus protect us from one another :)

Second, a hotspot may implement any non-routed class A, B or C address, and I have found that sometimes the hotspot address is a match for my LAN. The MAC filtering is missing (not my router)
and I get a random IP, and the sharing is a 9/254 chance of a match if that router is using class C
192.168.0.* (my LAN).

You can create some “generic” rules for hotspots…

Only create Out rules, because the Inbound reply is not unsolicited. Without an In rule, no unsolicited contact will be allowed.

Then you can set the type of IP Protocol you are choosing to allow (IP if you want everything allowed Out or want to set up for ICMP etc, TCP and/or UDP if you don’t). This will look like one of the default rules, with Source and Destination of Any. If you chose IP for the protocol, you will have an option to set the specific type (ICMP, IGMP, GRE, etc); whatever you know you will need to obtain the connection from the hotspot (for your DHCP lease).

Obviously for browsing you’ll need another rule for that IP Protocol as well. Obviously as well, you can’t set up a Zone for this as you have for the others, as you can’t define the IP addresses needed. Thus, you want to limit the Connection to Outbound only. For any applications you know will need to connect Out from the hotspot, you will want Network Rules for (as needed) to define Destination Port usage (to match your Application Monitor rules for each application), IP Protocol, even IP address.

More work, I know, but it can be done. You seem to have a good knowledge of what connectivity you need, so that’s a good start. Here’s a link to a compilation of “how-to” posts taken from the forum FAQ page. Each topic has an embedded link back to the original posting, where you can ask questions as you need. There’s some good stuff there to explain network rules, CFP’s layered security, different applications, etc. https://forums.comodo.com/index.php/topic,6167.0.html

LM

BTW: Logging should have a separate control from Alerting.

Also, some FWs support a Monitor status which logs and continues with the next rule :)

Here's my Comodo\Personal Firewall\NetCtrl and Zone controls :)

Change the .TXT to .REG for readability.

Moderator’s Note to users: If you change the file extension to .REG and open the file, it will load into your computer’s registry.

[attachment deleted by admin]

It's easier if you open the Network Monitor to full-screen and capture a screenshot. Save the 'shot as a JPEG, and attach it to your post under Additional Options… ;)

For these, feel free to add to the WishList, which Comodo works very diligently from… https://forums.comodo.com/index.php/topic,4612.0.html

LM

Screenshot attached. This is as generic as I can get it.
Rule #5 is the exposure for hotspot access.

Summary:
0: block fragments
1: allow all local access
2: allow I/O
3: for DNS
4: allow email and news
5: LAN sharing
6: specific block
7: allow FTP, HTTP (80, 443), JSP
8: print sharing
9: IP GRE access
10: specifically block Windows junk
11: ICMP
12: specific
13: protocol
14: block system services
15: block non-routed 10.x.x.x w/ logging
16: block non-routed 172.16.x.x w/ logging

[attachment deleted by admin]

jobeard,

For Rule IDs 3 and 8, I'd suggest creating separate In and Out rules there, instead of having a combined In/Out rule. The reason is, you've specified Ports; whether they are Destination or Source is going to switch depending on the direction of traffic (i.e., when it's Outbound, the Source is your computer; on Inbound, the Source is the remote computer…). IMO, it's better to have separate rules. For the other two cases it really wouldn't matter, since those are very basic/generic rules.

For Rule ID 0, that would be redundant if you recreate the bottom Block & Log IP In, Any, Any. I would recommend adding that rule back regardless. That is your safety net; it is there to block anything that has not already been explicitly allowed. While your rules are fairly tight, it is especially important when using mobile access to keep that bottom “Block All” rule in place. If you kept your rules exactly as they are now and add that Block rule, it would be in position Rule ID 17.

You say Rule ID 5 is for hotspot access? It looks like a LAN rule…

LM

Rule 5 is the LAN rule, BUT it is an EXPOSURE when on a hotspot :(
This is what a profile should control (IMO).

Also, I thought the implicit default rule for all FWs is DENY ALL.
I've added it to the bottom.

Okay, I’m with you; that falls into the category you spoke of, the possibility that the IP could match your home LAN IP 192.x.x.x.

Here’s one way to deal with it:

Create/Add a rule in between Rule ID 4 and Rule ID 5, as: Allow TCP/UDP Out. Any, Any, Any, Destination Port 80,443. This will allow you to browse from the hotspot. When you go to the hotspot, change your LAN rule to Block instead of Allow.

That’s not as easy as Profiles, I agree, but you don’t need to completely reconfigure the firewall, either.

LM

Rules #4 and #7 are the generic TCP outbound for email and browsing.

The sole issue left is rule #5, to enable/disable the sharing ports (139, 445).
I've allowed all ports on the LAN, but could easily qualify it to 139, 445.

When editing/creating a Network rule, on either Source/Destination Port tab, there’s a box you can check to “Exclude” the following criteria. Then you can check your “Set of Ports” and throw 139,445 in there (which you may already be aware of).

If that doesn’t fit into an existing rule, you can easily add one just for that; just make sure its placement isn’t going to interfere with a necessary function (ie, on your LAN rule).

LM
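The rule mechanics discussed across LM's replies (Out-only rules for hotspots, where replies are not unsolicited; separate In and Out rules when ports are specified; the bottom Block & Log safety net; flipping the LAN rule to Block at a hotspot, or using the Exclude box to carve 139/445 out of it) can be checked with a small first-match evaluator. What follows is an added example, not code from this thread or from Comodo. It assumes CPF-style evaluation: rules are read top to bottom and the first match decides; replies to an outbound connection the filter has already allowed pass without an In rule; traffic matching no rule is dropped. The addresses, ports and rule lists are constructed for the example, modelled on the thread's 192.168.0.x home LAN and jobeard's "rule 5".

```python
"""Toy first-match packet filter in the style of CPF's Network Monitor.

Added example, not code from the thread or from Comodo. Assumptions: rules are
evaluated top to bottom and the first match decides; replies to an allowed
outbound connection pass without an In rule; traffic matching no rule is
dropped. All addresses, ports and rule lists are made up for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    direction: str          # "in" (remote -> laptop) or "out" (laptop -> remote)
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                        # "allow" or "block"
    direction: str                     # "in", "out" or "in/out"
    proto: str = "ip"                  # "ip" = any; else "tcp", "udp" or "tcp/udp"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dports: frozenset = frozenset()    # empty = any destination port
    exclude_dports: bool = False       # CPF's "Exclude" box: match every port BUT these
    log: bool = False

    def matches(self, p):
        if self.direction != "in/out" and self.direction != p.direction:
            return False
        if self.proto != "ip" and p.proto not in self.proto.split("/"):
            return False
        if ip_address(p.src) not in ip_network(self.src):
            return False
        if ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.dports:
            hit = p.dport in self.dports
            if self.exclude_dports:
                hit = not hit
            if not hit:
                return False
        return True


class Filter:
    def __init__(self, rules):
        self.rules = list(rules)
        self.flows = set()   # (proto, local ip, local port, remote ip, remote port)

    def decide(self, p):
        """Return (action, reason) for one packet; first matching rule wins."""
        if p.direction == "in" and (p.proto, p.dst, p.dport, p.src, p.sport) in self.flows:
            return "allow", "reply to established flow"
        for r in self.rules:
            if r.matches(p):
                if r.action == "allow" and p.direction == "out":
                    self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
                return r.action, r.name
        return "block", "no rule matched"


HOME_LAN = "192.168.0.0/24"   # the thread's home subnet
SMB = frozenset({139, 445})   # the sharing ports jobeard wants to switch off


def rules_for(profile):
    """Same list everywhere; only the LAN rule changes, as LM suggested."""
    if profile == "home":
        lan = Rule("lan sharing", "allow", "in/out", "tcp/udp", HOME_LAN, HOME_LAN)
    elif profile == "hotspot":
        lan = Rule("lan sharing (off)", "block", "in/out", "tcp/udp", HOME_LAN, HOME_LAN)
    else:  # "hotspot-exclude": keep LAN traffic but never the sharing ports
        lan = Rule("lan minus smb", "allow", "in/out", "tcp/udp", HOME_LAN, HOME_LAN, SMB, True)
    return [
        Rule("dns out", "allow", "out", "tcp/udp", dports=frozenset({53})),
        Rule("web out", "allow", "out", "tcp", dports=frozenset({80, 443})),
        lan,
        Rule("block & log everything else", "block", "in", log=True),   # the safety net
    ]


def combined_vs_separate(p):
    """Show why a port-qualified rule should not be In/Out: with a combined rule
    an unsolicited inbound packet whose *destination* port is 53 is admitted."""
    combined = Filter([Rule("dns in/out", "allow", "in/out", "tcp/udp", dports=frozenset({53})),
                       Rule("block", "block", "in", log=True)])
    separate = Filter([Rule("dns out", "allow", "out", "tcp/udp", dports=frozenset({53})),
                       Rule("block", "block", "in", log=True)])
    return combined.decide(p)[0], separate.decide(p)[0]


# Constructed traffic. At home the laptop is .5; at the hotspot it drew .37 from
# a router that also uses 192.168.0.0/24, so a stranger at .9 looks like a peer.
SMB_FROM_PEER = Packet("in", "tcp", "192.168.0.9", "192.168.0.5", 50123, 445)
SMB_FROM_STRANGER = Packet("in", "tcp", "192.168.0.9", "192.168.0.37", 50123, 445)
LAN_HTTP_FROM_STRANGER = Packet("in", "tcp", "192.168.0.9", "192.168.0.37", 50200, 80)
WEB_OUT = Packet("out", "tcp", "192.168.0.37", "203.0.113.10", 51000, 443)
WEB_REPLY = Packet("in", "tcp", "203.0.113.10", "192.168.0.37", 443, 51000)
UNSOLICITED_IN = Packet("in", "tcp", "203.0.113.10", "192.168.0.37", 443, 51001)
INBOUND_TO_53 = Packet("in", "udp", "198.51.100.7", "192.168.0.37", 4000, 53)

if __name__ == "__main__":
    for profile in ("home", "hotspot", "hotspot-exclude"):
        f = Filter(rules_for(profile))
        print(profile, "stranger->445:", f.decide(SMB_FROM_STRANGER))
    print("combined vs separate DNS rule:", combined_vs_separate(INBOUND_TO_53))
```

Running it shows the point of the whole thread: with the home rule list still loaded, the stranger's SMB connection at the hotspot is allowed by the LAN rule, while either the Block variant or the Exclude variant drops it. Browsing still works in every profile because the outbound rule creates the flow and the reply is matched before any rule is consulted, and an unsolicited inbound packet to the same address and port falls through to the Block & Log rule.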

I had to add the following rule to get file sharing running both ways between two systems:
allow tcp/udp in/out source {home-lan} dest {home-brdcst} source-port any dest-ports {137,161}

where {home-lan} is 192.168.0.1-…0.10
and {home-brdcst} is 192.168.0.255

I intentionally exclude the range 192.168.0.11-…0.254 as untrusted systems, due to WiFi connection
possibilities. Using MAC filtering, I force known systems into 0.2…0.10 and thus the sharing is
viable.

Very good; you’re doing a heck of a job digging in there, jobeard!

It’s not the automatic Profiles, for sure, but it looks like you’re getting things set up the way you want them.

Do you feel like you’re getting it set up the way you want it, though? That’s the real question.

LM

Yes :) – just need to make it more flexible for hotspots!

Good. I saw you’ve added some suggestions to the Wishlist. Keep it up; Comodo learns from their users’ needs/requests…

If you're satisfied that your question here has been answered (if mostly by yourself…) ;) would you Modify your original post, and add "[Resolved]" to the subject line, either before or after your original text. That way other users know there's usable information here.

If you're not satisfied, let me know and we'll keep diggin' at it… :)

LM