Need help with Network Control Rules [Resolved]

Having searched this forum and read a lot of very helpful posts, I have a pretty good idea of what I need to enter in the Comodo Firewall Network Control Rules.
But since I'm still learning about firewall security, I would like some advice, because I'm not 100% sure I have understood everything correctly.

I have 3 PCs connected to a switch, and the switch connected to the router.

Router: 10.0.0.1, PC1: 10.0.0.2, PC2: 10.0.0.3, PC3: 10.0.0.4

All 3 PCs need to be able to connect to the internet.
PC1 and PC3 must be able to connect to each other and share files.
PC2 must NEVER be able to connect to PC1 or PC3.
PC3 needs to run P2P.

After reading “How To - Understanding & Creating Network Control Rules properly” and “Tutorials - A Compiled Resource”, I think this is what I need:


PC1:

block rules:

Action Protocol Direction Source IP Destination IP Source port Destination port

0 Block TCP or UDP Out Any 10.0.0.3 Any Any

1 Block TCP or UDP In 10.0.0.3 Any Any Any

Secure Zone with individual IPs:

Action Protocol Direction Source IP Destination IP IP details

2 Allow IP Out 10.0.0.2 10.0.0.1 Any

3 Allow IP In 10.0.0.1 10.0.0.2 Any

4 Allow IP Out 10.0.0.2 10.0.0.4 Any

5 Allow IP In 10.0.0.4 10.0.0.2 Any

Default network control rules :

6 Allow TCP/UDP Out Any Any Where source port is [Any] and destination port is [Any]

7 Allow ICMP Out Any Any Where ICMP message is echo request

8 Allow ICMP In Any Any Where ICMP message is fragmentation needed

9 Allow ICMP In Any Any Where ICMP message is time exceeded

10 Allow IP Out Any Any Where ipproto is gre

11 Block&Log IP In/Out Any Any Where ipproto is Any


PC3:

block rules:

Action Protocol Direction Source IP Destination IP Source port Destination port

0 Block TCP or UDP Out Any 10.0.0.3 Any Any

1 Block TCP or UDP In 10.0.0.3 Any Any Any

Secure Zone with individual IPs:

Action Protocol Direction Source IP Destination IP IP details

2 Allow IP Out 10.0.0.4 10.0.0.1 Any

3 Allow IP In 10.0.0.1 10.0.0.4 Any

4 Allow IP Out 10.0.0.4 10.0.0.2 Any

5 Allow IP In 10.0.0.2 10.0.0.4 Any

Default network control rules :

6 Allow TCP/UDP Out Any Any Where source port is [Any] and destination port is [Any]

7 Allow ICMP Out Any Any Where ICMP message is echo request

8 Allow ICMP In Any Any Where ICMP message is fragmentation needed

9 Allow ICMP In Any Any Where ICMP message is time exceeded

10 Allow IP Out Any Any Where ipproto is gre

P2P rules :

Action Protocol Direction Source IP Destination IP Source port Destination port

11 Allow TCP In Any 10.0.0.4 Any xxxx (TCP port)

12 Allow UDP In Any 10.0.0.4 Any yyyy (UDP port)

Default Block Rule :

13 Block&Log IP In/Out Any Any Where ipproto is Any


A: Would this be right? PC2 not allowed any access to PC1 and PC3. PC1 and PC3 can share files.

B: Are rules 2 and 3 necessary? Right now I only have the six default rules and can use the internet. So why does the router need to have rules?

C: Should anything be added or deleted to get even better security?

D: In the topic “Tutorials - A Compiled Resource” / “Tightening Firewall Rules”, I see 3 block rules at the bottom of the Network Monitor rules.
Would it add to my safety if I added these instead of just the standard block rule?

The 3 block rules I talk about are:

Block and log TCP/UDP In or Out from IP [Any] to IP [Any] where source port is [Any] and destination port is [Any].

Block and log ICMP In or Out from IP [Any] to IP [Any] where ICMP message is [Any].

Block and log IP In or Out from IP [Any] to IP [Any] where IPProto is [Any].

A lot of questions, but I hope that someone can help?

Hmmm… Well, I’m not all that good with the network rules, but I’ll tell you something that would work.

Create two VLANs in your switch, and put PC1 and PC3 in one subnet and PC2 in a different subnet.
Then configure the router to act as a proxy server. Configure one port of your switch as the default gateway.

The reason ICMP is blocked is that it can be used to carry out ping attacks, so normally firewalls block ICMP traffic.
When ICMP is blocked, people try to carry out TCP ping attacks.

This is how it works. When a packet wants to go through a firewall, it is checked against the firewall (or router ACL) rules. This is done from top to bottom. When it gets the go from a rule, the firewall stops checking and acts according to that rule.

The ones at the end are default deny rules. If the application doesn’t find a rule that allows it to connect, these default deny rules will block it. They are at the bottom since, had they been at the top, no application would be able to connect. If they were not there, all applications would be able to connect to the internet.

Hope this helps you…

Thank you for your answer.
Unfortunately I can’t use your solution.
My switch is of the unmanaged kind, and my router can’t be configured very much (by choice of my ISP).
The only real options in the router are port forwarding and turning DHCP on/off.

But I would still like some advice about my network control rules, if anyone could tell me whether they are safe or not.

MMNC, you’re moving in the right direction.

I’ll start with the last thing first. Those additional “tightening” rules are user-specific to block certain things, and choose to either log or not log. I have some extra ones myself, for specific traffic that might otherwise be allowed, or to not log items that will otherwise always be in the log. Your rules to block PC2 would be akin to this concept. The bottom Block & Log All IP In/Out rule will catch everything not already allowed by the preceding rules.

Now on to the others…

It would make it all a lot easier if you re-ordered the configuration of computers, in reference to the IP assignment. If you set the IP of each computer to be static (thru Network Connections) instead of dynamic (assigned by router) then you can set them so that PC2 becomes PC3 (in IP order). As such you would have:
Router: 10.0.0.1, PC1: 10.0.0.2, PC2: 10.0.0.3, PC3: 10.0.0.4

Your Zone would be 10.0.0.1 thru 10.0.0.3. Then you use that Zone to create your trusted Network (all this is under Security/Tasks), which will by default create two rules. The first will be to Allow IP Out from Any to Zone, the second will Allow IP In from Zone to Any.

That’s a start to it. As far as safety, I did not immediately see any problems with the rules you have. It’s just a little “clunky” as far as arrangement goes.

For the p2p rules, it looks like the way you have it laid out is a bit off…

You have identified the computer as the Source IP and Source Port on an Inbound connection. For an inbound connection, for p2p applications, your computer is the Destination on both IP and Port. The source would be “Any” for both those aspects of the rule.

LM

OK, then I don’t need those extra block rules at the end. The default block rule should be enough to stop everything not allowed by any prior rules.

How about the PC2 block rules? They should block anything to and from PC2, right?

Regarding the order of IPs, I already use static IP assignment. Just an old habit with this setup. I will change it as you suggested and use the Zone.
I just don’t understand why my router needs to be included in the rules/Zone.
On a fresh installation of Comodo, with no rules about the router, I can still access the internet.
Would a Zone of 10.0.0.2 to 10.0.0.3 be enough?

The P2P rules are actually already as you say they should be: Source set to Any, and Destination set to the IP of PC3.
It’s just hard to see, because I wrote the rules in Notepad first and used copy/paste when I wrote the questions in here, and then they didn’t line up the way they were supposed to. Sorry!!

Thank you very much for your answers.

MMNC.

If you redo the static IPs so that the ones you want to communicate with each other are sequential, then with “PC2” outside that Zone, you don’t need to create a rule to block PC2. Since it would not be explicitly allowed to communicate with the other two machines, it would by default be blocked.

You can try the Zone without the router IP and see if it works. It’s not so much connecting to the internet, as to each other. Most users seem to need that as part of the equation; however, you may not. If it doesn’t work, just add it back in… :wink:

Ok on the p2p rules. I wondered if you might’ve copy/pasted it, but didn’t want to assume… ;D

LM

Looks like I only need 8 rules on PC1 and 10 rules on PC2 (former PC3).
PC1: 2 zone + 6 default, and PC2: 2 zone + 2 P2P + 6 default.
A lot cleaner and easier.

Little Mac - you have been very helpful.

(Re-wrote the first post of this topic, so that the rules line up and can be read without any confusion.
Should have checked the preview before posting.)

Much cleaner, neater, yes. That’s what we’re striving for! ;D

Thanks for editing the first post; that’ll make it easier for others to follow (altho’ I’ll look like a fool for questioning it… :wink: - oh well, won’t be the first time, that’s for sure, nor the last!).

Be sure to test everything, to make sure it’s all working, and let me know. If you have any blips with it, we can work thru them. If it’s all good, let us know that, too. Then we’ll mark the topic resolved for other users’ benefit.

LM

BTW, I’m glad to help.

Finally worked thru testing the different suggestions in this topic.

The first post does NOT work (the one where I allow PC1 and PC3 to communicate by setting up the four rules with individual IPs).

Then I tried adding a rule to allow broadcast traffic on both PC1 and PC3. Still doesn’t work.

In both cases, the log just gets filled up with blocked connection attempts from PC1 to PC3 and vice versa.
Can’t figure out why, since the rules should be right. They are as suggested by “pandlouk” in the Tutorial.
Maybe it’s because my router and my switch are two units and not integrated?
Or maybe Comodo just handles connections differently when you use the secure zone that “pandlouk” writes about instead of the trusted zone made by the wizard in Comodo/Tasks?

Then I altered the static IPs. PC2 became PC3.

Made a zone of router, PC1 and PC2 and ran the Trusted Network Wizard on both PCs.
Voilà, everything worked.
However, I noticed a lot of connections to and from the router that I could not figure out.
I remember when I used Sygate Pro firewall, it would very often have problems figuring out where a connection originated from. Sometimes it would see it as coming from 10.0.0.1 instead of its real IP. External IPs would be seen as internal IPs.
That’s why I don’t feel safe allowing the IP of my router. (Not to compare the two firewalls, just a bad experience.)

So I deleted the Zone and Trusted Network rules, made a zone of just PC1 and PC2, and ran the Trusted Network Wizard again with just those two IPs.
Now on PC1 I have 2 rules with a zone of 10.0.0.2 to 10.0.0.3 and the 6 default rules.
On PC2 I have 2 rules with a zone of 10.0.0.2 to 10.0.0.3, the 2 P2P rules and the 6 default rules.
Everything works perfectly!!
Both PCs can access the internet. Both PCs can connect to each other and share files. P2P programs work 100%. PC3 shows up in the log as blocked.

I guess the topic can be marked resolved.

Only one question left, about the block rules I had in the first post that should block PC3.
If I were to block something completely, would it be better to use “IP” instead of “TCP or UDP”?
Something like this:

Action Protocol Direction Source IP Destination IP Source port Destination port

Block IP Out Any x.x.x.x Any Any

Block IP In x.x.x.x Any Any Any

That’s right! That way ALL traffic protocols will be blocked. If you don’t want the entries showing up in the logs, you can also uncheck the box “create an alert when this rule is fired” on those rules. That way you’ll keep the clutter out of your log.

If your connections are working fine without including the router in the trusted network then hallelujah! Not a problem there; keep on truckin’ with it! p2p working is great, too.

All in all, MMNC, it looks to me like you’re getting a good grip on the flow of the rules.

LM
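As an added example (not code from the thread or from Comodo), here is a small Python model of the top-to-bottom, first-match evaluation described earlier in the thread, loaded with the rule set MMNC ended up with on PC2 (former PC3): the two zone rules from the wizard, the two P2P rules, and the six defaults. The P2P port 6881 is a constructed stand-in for the thread's xxxx/yyyy, and the "IP Out where ipproto is gre" rule is modelled as a protocol named GRE. Running packets through it shows why PC3 at 10.0.0.4 needs no explicit block rule once it is outside the zone.

```python
from dataclasses import dataclass
from ipaddress import ip_address
ZONE = "10.0.0.2-10.0.0.3"   # trusted zone: PC1 and PC2, router left out
P2P_PORT = "6881"            # constructed stand-in for the thread's xxxx/yyyy ports

@dataclass
class Rule:
    action: str            # "Allow" or "Block"
    proto: str             # "TCP", "UDP", "TCP/UDP", "ICMP", "GRE", or "IP" (any)
    direction: str         # "In", "Out", or "In/Out"
    src: str               # "Any", one address, or a "lo-hi" zone range
    dst: str
    dport: str = "Any"     # destination port, or "Any"
    icmp: str = "Any"      # ICMP message, or "Any"
# PC2's final rule set, top to bottom: 2 zone rules from the wizard, 2 P2P rules,
# the 6 defaults. "IP Out where ipproto is gre" is modelled as proto "GRE".
RULES_PC2 = [
    Rule("Allow", "IP", "Out", "Any", ZONE),
    Rule("Allow", "IP", "In", ZONE, "Any"),
    Rule("Allow", "TCP", "In", "Any", "10.0.0.3", dport=P2P_PORT),
    Rule("Allow", "UDP", "In", "Any", "10.0.0.3", dport=P2P_PORT),
    Rule("Allow", "TCP/UDP", "Out", "Any", "Any"),
    Rule("Allow", "ICMP", "Out", "Any", "Any", icmp="echo request"),
    Rule("Allow", "ICMP", "In", "Any", "Any", icmp="fragmentation needed"),
    Rule("Allow", "ICMP", "In", "Any", "Any", icmp="time exceeded"),
    Rule("Allow", "GRE", "Out", "Any", "Any"),
    Rule("Block", "IP", "In/Out", "Any", "Any"),   # Comodo's Block & Log catch-all
]

def ip_matches(pattern, addr):
    if pattern == "Any":
        return True
    if "-" in pattern:                    # zone written as an address range
        lo, hi = pattern.split("-")
        return ip_address(lo) <= ip_address(addr) <= ip_address(hi)
    return pattern == addr

def rule_matches(r, pkt):
    return ((r.proto == "IP" or pkt["proto"] in r.proto.split("/"))
            and pkt["dir"] in r.direction.split("/")
            and ip_matches(r.src, pkt["src"]) and ip_matches(r.dst, pkt["dst"])
            and r.dport in ("Any", str(pkt.get("dport")))
            and r.icmp in ("Any", pkt.get("icmp")))

def evaluate(rules, pkt):
    """First match wins, checked top to bottom; returns (action, index of the rule)."""
    for i, r in enumerate(rules):
        if rule_matches(r, pkt):
            return r.action, i
    raise ValueError("no rule matched: keep a Block IP In/Out Any Any rule at the bottom")
```

Packets are dicts with proto, dir (relative to the host running the firewall), src, dst and optional dport/icmp; an inbound SMB attempt from 10.0.0.4 falls all the way to the bottom Block rule, while the same attempt from 10.0.0.2 is allowed by the zone's In rule.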