What if the same IP range (as in your home) is used when "roaming"

Let’s suppose this:

- Application Rules include:
  System: Allow System to send requests if the Target is in Trusted Hosts … receive requests if the Sender is in Trusted Hosts.

- Global Rules include:
  Allow all outgoing requests if the Target is in Trusted Hosts … if the Sender is in Trusted Hosts

In Network Zones, you have a few specific IPs defined (e.g. 192.168.111.111, 192.168.111.23 etc.), which appear in your (home) LAN and need to be available to and from your laptop. As to the above rules, they can communicate pretty much without any barriers with the laptop.

Then you take your laptop to some other place, which by some weird chance uses the same “IP scheme” as the one you use in your home (down to the last part possible, i.e. 192.168.111.N). It’s probably safe to assume that these eventual “trusted hosts” (e.g. 192.168.111.111, 192.168.111.23 etc.) in the new network could have unobstructed access to your laptop’s “services”.

So what would be the safest course of action in such cases (apart from manually removing either the aforementioned rules or trusted hosts lists each time you leave your home network, which isn’t really practical)?

If you are only running the Firewall, I’d suggest creating a new security profile using the Stealth Ports Wizard to block all incoming traffic, and switching to that profile once you leave home.

If you also run Defense+, this might be a bit more difficult to achieve, because you would need to duplicate all those rules as well.
(It can be done, but it takes editing of the XML export file.)

I’d prefer to ‘split’ the policies in CIS v6 to have the option to use different Firewall policies over the same Defense+ policy.

Thanks.
I have a few “lax” rules in Defense+, but the Firewall part is the main reason for using the software, so this shouldn’t be a problem. :slight_smile: Does running the stealth ports wizard create a new profile, or should I export the current configuration into a cfgx file prior to doing it? I kinda “forgot” about the profiles a while ago (as I thought I’d never use it). As far as I can see now, there’s no “new profile” button, so I suppose it only gets created on Import?
Speaking of which, is the only possible way of renaming a profile to change the line e.g. Name=“COMODO - Firewall Security” into something else, or is this the same as entering a new profile name in the “Import As” dialog box?

An alternative would be to use a lesser-used private address range at home, like 172.16.X.X or 10.X.X.X.

Not guaranteed, but an alternative to fiddling with duplicated rule sets.

Ewen :slight_smile:

If you would like to derive your firewall policy from the current one, I’d suggest exporting it and importing it under a different name.

Be careful: running the Stealth Ports Wizard will change your CURRENT firewall profile’s global rules.

‘Renaming’ should be done by export/import, as there is no rename option in the GUI. As soon as you choose ‘Import’ you’ll get the option to give it a custom name.

Another alternative, although a bit more time-consuming to set up, is to define your home LAN by MAC addresses. This renders duplicated IP addresses on external LANs redundant.

Ewen :slight_smile:
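An added example, not code from this thread or from Comodo, that models the workarounds suggested above in Python: a Trusted Hosts zone keyed on IP as in the opening post, the same rule with the zone keyed on the home machines' MAC addresses, and the "lesser-used home range" check. All addresses, MACs and traffic are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed home-LAN inventory (hypothetical values, not from the thread).
HOME_SUBNET = ipaddress.ip_network("192.168.111.0/24")
HOME_TRUSTED_IPS = {"192.168.111.111", "192.168.111.23"}
HOME_TRUSTED_MACS = {"00:11:22:33:44:55", "00:11:22:33:44:66"}


@dataclass(frozen=True)
class Frame:
    src_mac: str   # link-layer address of the sender on the local LAN
    src_ip: str    # IPv4 source address the firewall rule normally keys on
    dst_port: int  # e.g. 445 for a file share the laptop exposes


def allow_incoming_by_ip(frame: Frame) -> bool:
    """Global rule 'allow incoming if the Sender is in Trusted Hosts'
    with the Network Zone defined by IP, as in the opening post."""
    return frame.src_ip in HOME_TRUSTED_IPS


def allow_incoming_by_mac(frame: Frame) -> bool:
    """Same rule, but the zone is defined by the home machines' MAC
    addresses. A MAC identifies an adapter, not who is behind it, so
    this is a stronger heuristic rather than authentication."""
    return frame.src_mac.lower() in HOME_TRUSTED_MACS


def subnet_collides(visited_subnet: str) -> bool:
    """The 'lesser-used range' suggestion: report whether the network you
    just joined overlaps the home range the trusted-host IPs live in."""
    return ipaddress.ip_network(visited_subnet).overlaps(HOME_SUBNET)


# Constructed traffic: the real home NAS, and a stranger on a cafe LAN whose
# DHCP server happens to hand out the same 192.168.111.0/24 addresses.
HOME_NAS = Frame("00:11:22:33:44:55", "192.168.111.111", 445)
STRANGER = Frame("aa:bb:cc:dd:ee:ff", "192.168.111.111", 445)

if __name__ == "__main__":
    for f in (HOME_NAS, STRANGER):
        print(f.src_ip, f.src_mac,
              "IP zone:", allow_incoming_by_ip(f),
              "MAC zone:", allow_incoming_by_mac(f))
    print("cafe 192.168.111.0/24 collides:", subnet_collides("192.168.111.0/24"))
    print("cafe 10.20.0.0/16 collides:", subnet_collides("10.20.0.0/16"))
```

The IP-keyed rule admits the stranger because it has the same address as the home NAS, while the MAC-keyed zone does not; the subnet check shows why a 10.x or 172.16.x home range makes such a collision less likely rather than impossible.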

Reigniting this “old” topic…

I coincidentally discovered I don’t have to list any of the hosts as trusted on the laptop at all. If the laptop’s IP is “trusted” by other computers at home, it can connect to their shared folders/drives without any hassle at all. It’s only those computers that won’t be able to connect to the laptop.

Did I miss something? I know M$ made some changes to their folder-sharing protocols (esp. with their homegroup stuff), but I did still see lots of blocked incoming port 137 requests at a public wifi the other day, from various other computers around. So I guess this is the safest bet then.

I guess this is the safest and quickest workaround (i.e. not having any “trusted hosts” on the laptop). :slight_smile: