Local network question

I’m using the latest and greatest version of Comodo on two pcs at home. When I first installed, it detected the local network and I allowed full access between any of the pcs on this network

Soon we will be having a guest staying with us and I will most likely allow this person to connect to the network for internet access. I would like to disallow any new pcs access to the pcs on the network already. How can I use the firewall to do this?


Go to Firewall → Firewall Security Policy → Networks Zones and edit the zone of your LAN to your likings. CIS will then apply the changes you made in Global Rules and the rule for System.

I have tried to make the change there but it doesn’t seem to have any effect.

I went to where you edit the address, before the change it was using an ip mask, which was the address of the pc.

I changed that to using a range of ip addresses, the range I added only included the modem/router and 1 of the pcs (trying to lock out the second pc)

After the change, I still had access to the second pc and vice versa.

Can you show me screenshot of your Global Rules? Also run Diagnostics under More and see what that brings and says.

The diagnostics utility did not find any problems.
I’m not sure how to post the screen capture.

How to post a screenshot?

To copy a screenshot of the active window push alt+print screen to copy the active window to the clipboard (pushing print screen will copy the complete window to the clipboard not just the active window). The window is now copied to the clipboard. Paste the image in any image editing program, Paint, Paint.net, the Gimp etc. Use the “crop” function to resize the canvas to size of the image. Now save the file as 32 bits png image.

At the forum push the reply button. Or when using the Quick reply type some text and push the preview button.

Underneath the text box click on Additional options. Push the Choose button and navigate to the file and select it. When you want to post more images click on the more attachments link.

When done typing push the Post or Preview button.

Global rules

[attachment deleted by admin]

Can you show me a screenshot of the Mordor network definition?

Here you go.


[attachment deleted by admin]

I also need to see the application rule for System. I forgot to ask, sorry about that.

its defined as a Windows System Application, which has these settings

[attachment deleted by admin]

I meant the firewall rule for System under Firewall Security Policy → Application Rules.

Sorry, is this what you are looking for?

[attachment deleted by admin]

Thank you for posting the screenshot. We found the cause of your problem. System handles the network traffic and since you made it a trusted application it will allow all traffic.

Change the rule first delete it. Then run the Stealth Ports Wizard and make Mordor trusted network. That should do the trick.

Using the Stealth Ports Wizard will adapt both Global Rules and the rule for System.

Ok great, I hate to be a pain but I’m trying to lock this down as best as I can.
After I did what you recommended, I get the following pop-up, I allowed it as outgoing, I’m guessing I answered trusted in the past.

Thanks for your help.

[attachment deleted by admin]

We are almost there. Remove the rule “Allow UDP out from MA…” in the rule for System and it should be working. Please report back your results.

When I remove that rule, I get the pop up from system after after about 5 minutes.

Can you post a screenshot of the alert?

Its the last set of screenshots, I answered “outgoing only”

Disable NetBIOS over TCP in local network TCP/IP configuration.

Also, based on how you’ve defined Mordor ensure that the new PC is assigned IP address 192.168.2.[1-255] (it puts the second PC on its own subnet).

Or you could make Mordor network explicitely & (without mask), or use range.

Or you can make Mordor network to be / & / (you’d have to change one PC’s IP address to Since you can’t assign network address ( to PC, you have to use two subnets.

Easiest way of doing it would be to make Mordor a range - (that way you wouldn’t have to change any of the PC’s IP addresses). The question becomes, what about router or modem? Although that’s usually it could be So you still need two IP address for PC. You could make a network ID / mask like this then: /

Since the network address ( and broadcast address ( are unuseable, the new PC could use IP address (which would be on a different subnet). That PC could then access the modem / router (, but if you’re using ICS, and the modem is plugged into one of the two PC’s, then what?