Setting up Ports for Dedicated Server

I have a small server program that we use to telegraph via the internet. We use port 80 (TCP) and port 7890 (UDP) for communications. I am new to COMODO and don’t know where to hit the hammer.

Can someone tell me, step by step, how to set COMODO so I can get this server back up and running? I previously had used a competing product and had it working with it.

Thank you.

Keith LeBaron

You need to make one or two Global Rules for the incoming traffic. Not sure what ports are for incoming with this application so I will explain taking port 80 TCP for incoming traffic.

Go to Firewall → Advanced → Network Security Policy → Global rules → Add →
Action: Allow
Protocol: TCP
Direction: In
Description: Rule for TCP port 80

Source Address: Any
Destination Address: show a way of selecting your computer (MAC address, IP address…etc…)
Source Port: Any
Destination Port: 80

When done make sure the new rule is somewhere above the basic block rule (with the red icon). When needed move it up.

For further reference notice that CIS speaks of Destination and Source. As a consequence Destination and Source for incoming traffic are the opposite of Destination and Source for outgoing traffic.

With the Global Rules in place you need to make an application rule. Easiest is to make it Trusted. You can also make custom rules for your applications. Since you seem not quite a beginner, I give you these pages with tutorials that can be of help:
https://forums.comodo.com/help_for_v3/faqs_common_issues_solutions_threads-t21180.0.html
https://forums.comodo.com/help/faqsthreads_read_me_first-t9364.0.html

Good luck and let us know how things go.

Hi Eric,

Thanks a million for the straightforward approach to solving my problem! It worked out just great.

And you are right. I am not a beginner. I began with a Honeywell 316, 16 bit, core memory machine in 1970. However, at age 75, I no longer can keep pace!

Again, thanks for the quick solution to my problem.

Keith

Darn, you go back a long way… in 1970 I only turned 2 years old… (:NRD)

Hi there Eric,

I have just read this POST and have tried to use it to set up a program called HamSphere to access these ports and I quote

“Make sure that your firewall allow TCP/UDP traffic on port 8000-8007 and all UDP ports inbound (1-65535)
Start the EXE file.”

So I set up the Global Rules similar to what you have told Keith and to no avail…Hamsphere is a Java program and I have tried to set up rules to allow the Java.exe and the Hamsphere.exe to go through these ports but that didn’t work either…

The only way I can get the Hamsphere to work is to disable the CIS Firewall Security Level… this of course is not the right thing to do…

So I too am wondering if you could walk me through similar to what you did with Keith…

Your help will be very much appreciated …

Mike

What happens when you make java.exe and hamsphere.exe a trusted program in both Firewall and Defense +? The application rules for the firewall are on the other tab under Network Security Policy. The application rules for D+ can be found under Defense + → Advanced → Computer Security Policy.

Hi Eric,

Thanks for your reply and question…

I did as you have said and still no sound… I can see I am transmitting as the bar increases as I speak, but there is no sound until I disable the Firewall Security Level…

Can you explain the terms Source Port and Destination Port? The TCP/UDP settings say allow on 8000-8007, so do I put those settings in the Source Port or the Destination Port…?

And same with the 1-65535 UDP settings, do I put these settings into the Source Port or the Destination Port…?

Sorry for sounding thick but multiple choice answers get me confused…

Mike

Speaking for the situation of incoming traffic from the web to your computer: the source port is the port through which the site on the web sends the information. For incoming traffic it needs to be set to Any.

The destination ports are the ports 8000-8007 TCP/UDP and UDP ports 1-65535 in this case. As there is some overlap in the two conditions I limit the first rule to open for TCP ports 8000-8007. (Note that having so many ports open on both your router and firewall is at least a bit risky).

Go to Firewall → Advanced → Network Security Policy → Global Rules → Add → and fill in the following

To open the ports TCP 8000-8007

Firewall → Advanced → Network Security policy → Global Rules → Add → fill in the following:
Action: Allow
Protocol: TCP
Direction: In
Description: Incoming Port TCP Hamsphere

Source address: Any
Destination Address: Choose MAC or Single IP address (only when it is fixed) or Host Name
Source Port: Any
Destination Port: 8000-8007

Then push Apply → Ok.

To open the port UDP 1-65535

Firewall → Advanced → Network Security policy → Global Rules → Add → fill in the following:
Action: Allow
Protocol: UDP
Direction: In
Description: Incoming Ports UDP Hamsphere

Source address: Any
Destination Address: Choose MAC or Single IP address (only when it is fixed) or Host Name
Source Port: Any
Destination Port: 1-65535

Then push Apply → Ok.

When done make sure these rules are above the basic block rule (red icon).

I am in the learning process using CIS. I am browsing a few threads of solved cases for a better understanding.
Question:
a. […] You need to make an application rule = I am clear with that (e.g. Apache server rules set in/out).
b. Why is a GLOBAL RULE ALSO needed, as explained in this post, in addition to the application rules?

Thanks

That is how CIS works. Incoming traffic will first go through the Global Rules, which will open a port for example, and will then go through Application Rules. Outgoing traffic is going the other way around.

Do you mean by that if I open a port > Network Security Policy > Application Rules, the communication will not go through because I did not create a Global Rule?
My understanding about inbound connections after reading the manual is as follows:
a. Global Rules applied first.
b. Application Rules second.
c. IF NO global rules are present, only the Application Rules are applied.

In an attempt to clarify the preceding I have created 2 test rules in Application Rules

Apache Inbound
Action: IN
Proto: TCP
Direction: any
Source Add: any
Dest Add: any
Source Port: any
Dest Port: 80

Apache Outbound
Action: Out
Proto: TCP
Direction: any
Source Add: any
Dest Add: any
Source Port: 80
Dest Port: any

It is premature for me to discuss the value of these rules yet. But with these rules and no Global rule, it seems I can access the site (test: http://www.websitepulse.com/help/testtools.website-test.html). I need some clarification. Thanks.

Do you mean by that if I open a port > Network Security Policy > Application Rules, the communication will not go through because I did not create a Global Rule?
That is correct.

You now have to add a Global Rule for incoming traffic on port 80 TCP.

You can tighten up the Application Rules. Define for the incoming traffic your destination address and for the outgoing traffic the source address.

The reason you can access that site is that Global Rules allow outgoing traffic. So first the Application Rules will allow outgoing traffic and then the Global Rules allow it. For incoming traffic there is no open port defined in the Global Rules, so any traffic that is not an answer to an outgoing request will not be processed.
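As an added illustration (not part of the thread and not Comodo's code), here is a small Python model of the evaluation order described in this answer and in the earlier HamSphere rules: incoming packets pass Global Rules first and then Application Rules, outgoing packets the other way round, first matching rule in a list wins, and an Allow must sit above the basic block rule. The Rule fields, the packet dictionary and the port-only matching (addresses left out) are assumptions of the model.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed model of CIS-style rule evaluation; not Comodo's implementation.
Packet = dict  # keys: proto, direction, src_port, dst_port

@dataclass
class Rule:
    action: str                              # "Allow" or "Block"
    proto: str                               # "TCP", "UDP" or "Any"
    direction: str                           # "In", "Out" or "Any"
    src_ports: Tuple[int, int] = (1, 65535)  # inclusive range; full range = Any
    dst_ports: Tuple[int, int] = (1, 65535)
    description: str = ""

    def matches(self, pkt: Packet) -> bool:
        return (self.proto in ("Any", pkt["proto"])
                and self.direction in ("Any", pkt["direction"])
                and self.src_ports[0] <= pkt["src_port"] <= self.src_ports[1]
                and self.dst_ports[0] <= pkt["dst_port"] <= self.dst_ports[1])

def first_match(rules: List[Rule], pkt: Packet) -> Optional[str]:
    """Top-to-bottom, first matching rule decides; None when nothing matched."""
    for r in rules:
        if r.matches(pkt):
            return r.action
    return None

def decide(global_rules: List[Rule], app_rules: List[Rule], pkt: Packet) -> str:
    """Incoming: Global Rules, then Application Rules. Outgoing: the reverse.
    A layer with no matching rule does not block; the packet moves to the next
    layer, which is why a server with no Global Rules falls back to app rules."""
    order = [global_rules, app_rules] if pkt["direction"] == "In" else [app_rules, global_rules]
    for layer in order:
        if first_match(layer, pkt) == "Block":
            return "Block"
    return "Allow"

# Rules as they appear in the thread (descriptions copied from the posts).
BLOCK_ALL_IN = Rule("Block", "Any", "In", description="basic block rule (red icon)")
ALLOW_TCP80_IN = Rule("Allow", "TCP", "In", dst_ports=(80, 80), description="Rule for TCP port 80")
ALLOW_UDP_ALL_IN = Rule("Allow", "UDP", "In", description="Incoming Ports UDP Hamsphere")
APP_TRUSTED = [Rule("Allow", "Any", "Any", description="application rule: Trusted")]

def pkt(proto: str, direction: str, dst_port: int, src_port: int = 51234) -> Packet:
    # Constructed sample packet; a remote client normally uses an ephemeral source port.
    return {"proto": proto, "direction": direction, "src_port": src_port, "dst_port": dst_port}
```

The UDP 1-65535 rule from the HamSphere post matches every inbound UDP datagram, which is the exposure Eric flags as risky.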

Sorry, I did not explain myself clearly.
I am the server.
The web site address I referred to was a site to test my site connection, since I have nobody to test my connection outside the LAN (i.e. inbound connection).
I PMed you my DNS address for privacy.
This is the default Apache index page ‘it works’.
I have no Global Rule as explained, only 2 application rules IN/OUT.
Do you mind trying to access my site, confirming, and returning to the thread to sort this out for me?
Thanks

I’d like to have an answer. I understand EricJH’s explanation, but I want to make sure Global Rules are mandatory to allow an incoming connection. Topic: Incoming connection on a web server port 80

This is my configuration:
Router port open 80
Global Rules: Trusted LAN (only)
Application Rules: IN and OUT rules for Apache on port 80

I self-tested my DNS address with an online test tool and the message was: OK site accessed (without any specific Global Rule on port 80)

I have sent the DNS to EricJH for a real test (the site is open when I am online only, so I will modify my profile accordingly) but did not get a reply. If any COMODO Moderator (or a trusted person) agrees to give me a hand, I will PM my DNS for a simple connection test and wait for a message back: access OK/Failed.

Sorry to bother, but I am not yet confident with the rules set and I don’t have friends or relatives to help connecting outside my LAN. Thanks.

PS: if anyone happens to know a link where we can self-test a website and actually see the pages in the browser, I would be glad to know the link. The online “test your site” web sites I found were only about speed and connection.

Hi nomnex,

Check your PM’s.

Later

Thanks to Bad Frogger, connection test was successful without Global Rules. Work in progress.

My understanding so far:

Application/Global rules can be used independently with in/out connections.
Global rules: IF they exist, they will be applied FIRST with incoming connections.
If no global rules are present, the Application rules ONLY will be applied with in/out connections.

Confirmation anyone?

Confirmed.

But it seems to be a rather open policy to have no incoming filtering.
But from behind a router/NAT firewall on a secure LAN.
I don’t see a big problem offhand.

Later

Great, I am making progress with your help. Is this the reason the connection passed without Global Rules:

Router forwards port 80 to server IP (IP of the trusted zone) > Trusted zone IS in my Global Rules (stealth ports to Everyone except the trusted zone) > Apache ports are open in/out 80 = connection passes

If so, EricJH/you were right from the security perspective (sure, since you have the experience).
[the rest of the post has been deleted by the author.]

EDIT: I have opened a new thread about this topic, since it is becoming a bit specific and could be long lasting. Please join me there: https://forums.comodo.com/firewall_help/global_rules_web_server_behindnot_behind_a_router_novice_level-t39042.0.html;new#new