Comodo Firewall - Web Browser rule (hardened)

Discussion in 'other firewalls' started by luciddream, Feb 16, 2013.

Thread Status:
Not open for further replies.
  1. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    The only way you can do this is with a firewall that allows specifying domain names for destination addresses. Same problem that people run into when trying to create a svchost.exe to connect only to Microsoft servers for Win Updates.

    Have you tried a Robtex lookup to find all IPs associated with your bank's domain name?
     


  2. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    I was envisioning something just like that itman. Didn't know such a thing existed. I think EVERY FW should have the ability to handle rules by domain like that. There are scenarios where I too wished for such functionality.

    It'd be handy for people that want to use a browser exclusively for sensitive things like online banking, purchasing, etc... and nothing else. With no addons/plugins. And another/regular browser for everything else. To be able to whitelist just their bank, and sites you regularly buy from and block the rest.
     
  3. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    I'm not familiar with Comodo, but thought I'll add something here since I had to revisit some of my old rules.
    Some firewalls (mine Sunbelt and Kerio) do make a distinction between localhost 127.0.0.1 and zero octet 0.0.0.0, primarily on the local source port. IE (v8) on XP does use zero octet IP.
    ZoneAlarm always did and loudly, and IIRC, Outpost FW did as well.
    Take a look at my logs posted in
    https://www.wilderssecurity.com/showthread.php?t=342090
    where you can clearly see packets going out of zero octet to 127.0.0.1 and in order to be handled, local host group of IPs has to include zero octet.
    It much depends on the browser, how/when a firewall sees things, and how/what it logs, I presume.
     
  4. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    Me too :)
    Some firewalls permit CIDR addressing, but it still requires a bunch. I think Outpost allowed hostnames. I can do ranges but it's still an impractical pain.
     
  5. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    I do same except:
    If you do use a localhost proxy, such as exist in NOD32, Avira, Avast, global allow for loopback poses one potential problem - that of an unwanted app trying to get out via another, allowed tunnel, the proxy port. I guess unlikely, but possible.
    So the advice I've read and use was to allow loopback to all ports EXCEPT the local proxy, force browsers and updaters to use the proxy port, allow all ports for IE or WMP cache, for instance, and block all other applications from the proxy port.
    I'm most likely not saying it right, so here are some old, old, things I just dusted off from backups:
    Kerio rules for avast proxies (applies really to any local proxy and any firewall (?))
    http://www.dslreports.com/forum/remark,13064195
    and this, fine, writeup about, as well as rules for proxy or no proxy setup
    http://www.dslreports.com/forum/remark,6642367
    CrazyM - see first section, at the end
    https://www.wilderssecurity.com/showthread.php?t=4413
    Paranoid2000 - search for "Allow Loopback"
    http://www.outpostfirewall.com/forum/showthread.php?s=&threadid=9858
    Long ago I followed a trip to AuditMyPC for Opera and NOD32 proxy port 30606 as logged in Kerio. These days, it all looks the same with Avast.
    Perhaps it'll be of some use to somebody.
    PacketTripThruNOD32.jpg
     
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Sounds like this product is made for you.

    https://www.quarri.com/products/protect_on_q/poq-overview
     
  7. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    Could potentially be more than one, even. The key words there are "global allow"... I would never put such a rule in place. Loopback isn't a one size fits all thing. Different apps utilize it in different ways. It's important to treat each case as an isolated incident and use it in a manner that suits each one. Research and see exactly how/why that particular app is using it, if it's needed/useful, and set a rule accordingly... in some cases it may be a block rule.

    I know the one that I illustrated here suits Firefox. I'm honestly not sure if it does IE or Chrome. I know that both work fine with it that way, but not sure how those browsers handle loopback exactly. So people using other browsers may want to look into that and see if perhaps they want to modify the loopback rule to better suit their situation. The HTTP(S) & DNS rules on the other hand I'm certain are sound regardless of the browser being used... as is the logic of adding a Block Rule at the bottom. I do this with every rule actually. And it becomes even more useful when I'm using OpenVPN and swap my VPN Network Zone in there for my LAN for the Source Dest., to prevent leakage.

    And thanks for the link there itman... I appreciate the participation in this thread period. I think we helped educate a lot of people here as to how to set more granular/hardened FW rules... especially for the most common/dangerous attack vector (the browser).
     
    Last edited: Feb 22, 2013
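To see how the rules described in posts 5 and 7 compose (loopback only to the local proxy port for the browser, the proxy port blocked for everything else, HTTP(S) and DNS allowed, a catch-all block at the bottom), here is an added first-match evaluator; it is not from the thread and not Comodo's own rule syntax. The zones, the resolver address and the proxy port are constructed placeholders, and the localhost group includes the zero-octet address as act8192 describes.

```python
from ipaddress import ip_address, ip_network

# Constructed zones (assumptions, not real values from the thread).
ZONES = {
    # localhost group includes 0.0.0.0 so zero-octet traffic is classified as loopback
    "loopback": [ip_network("127.0.0.0/8"), ip_network("0.0.0.0/32")],
    "lan": [ip_network("192.168.1.0/24")],
    "dns": [ip_network("192.168.1.1/32")],   # only the configured resolver
    "any": [ip_network("0.0.0.0/0")],
}
PROXY_PORT = 12080  # placeholder for a local AV proxy's listening port

# Rule tuple: (action, protocol, destination zone, allowed destination ports or None = any).
# First match wins, and every table ends with the block rule the posts recommend.
BROWSER_RULES = [
    ("allow", "tcp", "loopback", {PROXY_PORT}),  # browser forced through the local proxy
    ("block", "any", "loopback", None),          # no other local listeners for the browser
    ("allow", "tcp", "any", {80, 443}),          # HTTP(S) out
    ("allow", "udp", "dns", {53}),               # DNS only to the configured resolver
    ("block", "any", "any", None),               # catch-all block at the bottom
]
OTHER_APP_RULES = [
    ("block", "tcp", "loopback", {PROXY_PORT}),  # nothing else may tunnel out via the proxy
    ("allow", "any", "loopback", None),          # remaining loopback traffic is fine
    ("block", "any", "any", None),
]


def in_zone(zone, addr):
    """True if addr falls inside any network of the named zone."""
    return any(addr in net for net in ZONES[zone])


def decide(rules, proto, dst, dport):
    """Return the action of the first rule matching (proto, dst, dport)."""
    addr = ip_address(dst)
    for action, rproto, zone, ports in rules:
        if rproto not in ("any", proto):
            continue
        if not in_zone(zone, addr):
            continue
        if ports is not None and dport not in ports:
            continue
        return action
    return "block"  # defensive default; the tables above always end in a block anyway
```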
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Norton Internet Security certainly has its faults; especially this latest version. But loopback is not one of them. NIS for years has controlled loopback internally. Hence, no need to fret over loopback in your firewall rules. :cool:
     