Rules based on routing for intermittent dialup to client sites

How do I define rules that prevent any part of my system (operating system and all applications) (except one allowed outgoing connection) from going out onto a client LAN through a remote dialup maintenance connection. The zone rules don’t seem to apply since they seem to be based on whether the destination address is in the zone, not whether the system routes traffic through the zone to the final destination. The clients that I dial into for maintenance purposes complain that my machine does DNS requests etc on their LAN and routes traffic through the dialup and through their LAN to the internet while I am dialed up. I want to prevent all traffic (except one outbound) on the dialup connection and allow all traffic that is routed in or out on my LAN.

Now that’s a tough one. Don’t think Comodo can help you out here. You see, to determine whether some particular traffic matches its rules, a firewall examines the contents of the packets’/segments’ headers. There is no information about how the packet is being routed in its header. You won’t see an address of the default gateway, or of the next-hop router there.

You would only see this information on the link level (the router’s MAC in the Ethernet frame’s header, for example). Comodo does have some link-level control, letting you specify the destination MAC as a rule criterion. But if you’re dialing in, some sort of point-to-point protocol (or tunnel) is probably being used, which Comodo doesn’t seem to bother with. Even if you used Ethernet, there is no way (that I know of) to make Comodo examine both the link-level header (destination MAC) and the IP header (destination IP), and make a decision based on both of them. Which is exactly what you require.

You could try this:

  1. Dial-in.

  2. See what the default gateway is. Do a “route print” and look for something like this:

0.0.0.0 0.0.0.0 89.218.107.243 89.218.107.243 1

  3. Delete the default gateway entry from the routing table. Something like “route delete 0.0.0.0” or “route delete 0.0.0.0 0.0.0.0 89.218.107.243 89.218.107.243 1”.

  4. Create a new routing entry to route the traffic to your client’s LAN via the default gateway you noted earlier. Something like “route add 89.218.0.0 mask 255.255.0.0 89.218.107.243 metric 1 if 89.218.107.243”, where 89.218.0.0/255.255.0.0 is your client’s subnet, and 89.218.107.243 is the gateway you saw before.

This way you will tell your PC to only route traffic sent to your client’s LAN via their dial-in gateway. By the way, I’m not really sure on the command-line syntax here, so RTFM please. :)
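The routing-table change described in the answer above, as an added example that is not code from the post or from Comodo: a small Python script that parses a constructed “route print” output, drops the dial-up default route, pins a single route for the client subnet, and uses a longest-prefix lookup to check which interface a given destination would leave on before and after the change. The interface addresses, gateways and subnet are constructed sample values.

```python
import ipaddress

# Constructed sample of Windows "route print" IPv4 rows (destination, netmask,
# gateway, interface, metric); the dial-up default route has the best metric.
ROUTE_PRINT = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0   89.218.107.243  89.218.107.243      1
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.20     25
      192.168.1.0    255.255.255.0          On-link     192.168.1.20    281
   89.218.107.243  255.255.255.255          On-link   89.218.107.243    281
"""
DIALUP_IF = "89.218.107.243"     # constructed: address of the PPP interface
CLIENT_SUBNET = "89.218.0.0/16"  # constructed: the client's LAN

def parse_routes(text):
    """Return (network, gateway, interface, metric) tuples from route print rows."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            net = ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)
        except ValueError:
            continue  # header or other non-route line
        gw = parts[3] if parts[2] == "On-link" else parts[2]
        routes.append((net, gw, parts[3], int(parts[4])))
    return routes

def egress_interface(routes, dst):
    """Interface a packet to dst leaves on: longest prefix wins, then lowest metric."""
    ip = ipaddress.ip_address(dst)
    cands = [r for r in routes if ip in r[0]]
    if not cands:
        return None
    return max(cands, key=lambda r: (r[0].prefixlen, -r[3]))[2]

def pin_dialup(routes, dialup_if, client_subnet):
    """Drop the dial-up default route and keep one route for the client LAN only.
    Returns the resulting table and the Windows route commands for the change."""
    is_dialup_default = lambda r: r[0].prefixlen == 0 and r[2] == dialup_if
    gw = next(r[1] for r in routes if is_dialup_default(r))
    net = ipaddress.ip_network(client_subnet)
    kept = [r for r in routes if not is_dialup_default(r)]
    kept.append((net, gw, dialup_if, 1))
    # "if" is left out: on Windows it takes an interface index, not an address.
    cmds = [f"route delete 0.0.0.0 mask 0.0.0.0 {gw}",
            f"route add {net.network_address} mask {net.netmask} {gw} metric 1"]
    return kept, cmds
```

With the sample table, 8.8.8.8 leaves on the dial-up interface before the change and on the LAN interface afterwards, while the client subnet still goes out via the dial-in gateway.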