Author: ubuntu
Please credit the author when reposting; thank you.
This post shares my CFP configuration, covering Application Monitor, Network Monitor, Component Monitor and Advanced Security Configuration. It is aimed mainly at intermediate and advanced users; newcomers should not copy it wholesale, but change the defaults only once they have come to understand each setting through use.
One point needs stressing: Comodo's default settings are already very safe against both inbound attacks and outbound leaks. If you are not familiar with every setting, do not change things casually; in particular, the last rule in Network Monitor must never be deleted and must always stay at the bottom.
Below is an example; feel free to follow the same format and post your own modified settings. To keep it simple, assume I only use a web browser and an e-mail client, update my anti-virus online, and allow file and printer sharing on the LAN. Note that this is not the rule set I use day to day; it is meant as a template. A full walkthrough of CFP's advanced settings will have to wait until 2.4 is officially released.
Strict rules make your system safer, but badly chosen ones also break network access. So understand every rule before you set it.
My system is XP SP2 on a LAN behind a router, with the IP address assigned by DHCP. I have disabled the DNS Client service, so every program now sends its own DNS queries, and their destination can only be my two configured DNS server IPs.
I set up 4 Zones:
Internet Zone: this machine's fixed IP, 192.168.1.100
Local Network: the local network, 192.168.1.0-192.168.1.255
The two DNS server IPs, set up as DNS_server1 and DNS_server2
Component Monitor: Learn Mode
Advanced Security Configuration:
Application Behaviour Analysis
Advanced Attack Detection and Prevention -> Miscellaneous
Miscellaneous
Network Monitor:
DNS Client:
ALLOW UDP OUT FROM IP ZONE:[Internet Zone] TO IP DNS_server1 WHERE SOURCE PORT IS 1024-4999 AND DESTINATION PORT IS 53
ALLOW UDP OUT FROM IP ZONE:[Internet Zone] TO IP DNS_server2 WHERE SOURCE PORT IS 1024-4999 AND DESTINATION PORT IS 53
(XP draws its ephemeral source ports from 1025-5000, so a query sent from port 5000 misses these rules and falls through to the final block rule; if such entries show up in the log, widen the range to 1024-5000.)
DHCP:
ALLOW UDP OUT FROM IP Any TO IP 255.255.255.255 WHERE SOURCE PORT IS 68 AND DESTINATION PORT IS 67
(Only the outbound request is listed; the server's OFFER and ACK come back as UDP from port 67 to port 68, so if lease renewal fails, look in the log for blocked inbound packets to port 68.)
Web Browser:
ALLOW TCP OUT FROM IP ZONE:[Internet Zone] TO IP [Any] WHERE SOURCE PORT IS 1024-4999 AND DESTINATION PORT IS 80,443,21
(Port 21 covers only the FTP control connection; FTP data transfers use separate connections on other ports and need rules of their own.)
E-mail client:
ALLOW TCP OUT FROM IP ZONE:[Internet Zone] TO IP NAME:[pop.gmail.com] WHERE SOURCE PORT IS 1024-4999 AND DESTINATION PORT IS 995
ALLOW TCP OUT FROM IP ZONE:[Internet Zone] TO IP NAME:[smtp.gmail.com] WHERE SOURCE PORT IS 1024-4999 AND DESTINATION PORT IS 465
Loopback:
ALLOW TCP or UDP IN or OUT FROM Any to NAME: [localhost] (127.0.0.1) WHERE SOURCE PORT IS [Any] AND DESTINATION PORT IS [Any]
Allow local file and printer sharing:
ALLOW TCP or UDP IN or OUT FROM IP ZONE:[Local Network] TO IP ZONE:[Local Network] WHERE SOURCE PORT IS [Any] AND DESTINATION PORT IS 137-139
(This opens only the NetBIOS ports; XP also uses port 445, SMB directly over TCP, for file sharing, so with this rule sharing depends on NetBIOS over TCP/IP being enabled. Because 192.168.1.100 also lies inside the Local Network zone, this rule must stay above the two block rules that follow; rules are matched top to bottom, and the block rules would otherwise win.)
Block a few dangerous Windows ports (135, 137, 138, 139, 445):
BLOCK TCP or UDP OUT FROM IP ZONE:[Internet Zone] TO IP [Any] WHERE SOURCE PORT IS IN [135,137,138,139,445] AND DESTINATION PORT IS [Any]
BLOCK TCP or UDP IN FROM IP [Any] TO IP ZONE:[Internet Zone] WHERE SOURCE PORT IS [Any] AND DESTINATION PORT IS IN [135,137,138,139,445]
Allow this machine to ping others:
ALLOW ICMP OUT FROM IP ZONE:[Internet Zone] TO IP [Any] WHERE ICMP MESSAGE IS ECHO REQUEST
ALLOW ICMP IN FROM IP [Any] TO IP ZONE:[Internet Zone] WHERE ICMP MESSAGE IS FRAGMENTATION NEEDED
ALLOW ICMP IN FROM IP [Any] TO IP ZONE:[Internet Zone] WHERE ICMP MESSAGE IS TIME EXCEEDED
(For an inbound rule the source is the remote host and the destination is this machine, which is how the two IN rules are written here. Nothing above explicitly allows the ECHO REPLY back in; if ping reports timeouts, that is the first thing to check in the log.)
Block everything else:
BLOCK and LOG TCP or UDP IN or OUT FROM IP [Any] TO IP [Any] WHERE SOURCE PORT IS [Any] AND DESTINATION PORT IS [Any]
(Written as TCP or UDP, this final rule leaves ICMP and every other IP protocol unmatched by it. The stock final rule Comodo ships blocks protocol IP with any IPPROTO, which catches all of them; keep that form unless you have a reason not to.)
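As an added illustration (my own code, not part of the original post and not Comodo's engine), here is a small first-match simulator for the Network Monitor table above. It encodes the rules in the order listed, taking the two inbound ICMP rules as IN from Any to the Internet Zone and approximating the host-name rules for pop.gmail.com and smtp.gmail.com as Any. The resolver addresses 192.168.1.1 and 192.168.1.2, the LAN peer 192.168.1.50 and the remote hosts are assumptions, and the packets are constructed. Running it shows which rule each packet hits: a DNS query from source port 5000 falls through to the final block rule, SMB on 445 from the LAN is blocked while 139 is allowed, an ICMP echo reply matches no rule at all, and moving the sharing rule below the block rules flips the verdict for port 139.

```python
# Added example, not from the original post: first-match evaluation of a
# Comodo-style Network Monitor table. Zone addresses for the resolvers and
# the sample hosts/packets are assumed/constructed for the demonstration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple

ZONES = {
    "Internet Zone": ip_network("192.168.1.100/32"),
    "Local Network": ip_network("192.168.1.0/24"),
    "DNS_server1": ip_network("192.168.1.1/32"),     # assumed resolver IP
    "DNS_server2": ip_network("192.168.1.2/32"),     # assumed resolver IP
    "localhost": ip_network("127.0.0.1/32"),
    "Broadcast": ip_network("255.255.255.255/32"),
    "Any": ip_network("0.0.0.0/0"),
}

@dataclass(frozen=True)
class Packet:
    proto: str            # "TCP", "UDP" or "ICMP"
    direction: str        # "IN" or "OUT"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp: str = ""        # ICMP message name, e.g. "ECHO REQUEST"

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                               # "ALLOW" or "BLOCK"
    protos: FrozenSet[str]
    dirs: FrozenSet[str]
    src_zone: str
    dst_zone: str
    sports: Optional[FrozenSet[int]] = None   # None = any source port
    dports: Optional[FrozenSet[int]] = None   # None = any destination port
    icmp: Optional[str] = None                # None = any ICMP message

    def matches(self, p: Packet) -> bool:
        return (p.proto in self.protos and p.direction in self.dirs
                and ip_address(p.src) in ZONES[self.src_zone]
                and ip_address(p.dst) in ZONES[self.dst_zone]
                and (self.sports is None or p.sport in self.sports)
                and (self.dports is None or p.dport in self.dports)
                and (self.icmp is None or p.icmp == self.icmp))

def ports(*p: int) -> FrozenSet[int]:
    return frozenset(p)

TCP, UDP, ICMP = frozenset({"TCP"}), frozenset({"UDP"}), frozenset({"ICMP"})
TCP_UDP = TCP | UDP
IN, OUT, BOTH = frozenset({"IN"}), frozenset({"OUT"}), frozenset({"IN", "OUT"})
EPHEMERAL = frozenset(range(1024, 5000))          # 1024-4999 as in the post
WIN_PORTS = ports(135, 137, 138, 139, 445)

# The post's rules, top to bottom. Host-name rules are approximated as Any.
RULES: List[Rule] = [
    Rule("DNS1", "ALLOW", UDP, OUT, "Internet Zone", "DNS_server1", EPHEMERAL, ports(53)),
    Rule("DNS2", "ALLOW", UDP, OUT, "Internet Zone", "DNS_server2", EPHEMERAL, ports(53)),
    Rule("DHCP", "ALLOW", UDP, OUT, "Any", "Broadcast", ports(68), ports(67)),
    Rule("Browser", "ALLOW", TCP, OUT, "Internet Zone", "Any", EPHEMERAL, ports(80, 443, 21)),
    Rule("POP3S", "ALLOW", TCP, OUT, "Internet Zone", "Any", EPHEMERAL, ports(995)),
    Rule("SMTPS", "ALLOW", TCP, OUT, "Internet Zone", "Any", EPHEMERAL, ports(465)),
    Rule("Loopback", "ALLOW", TCP_UDP, BOTH, "Any", "localhost"),
    Rule("LAN share", "ALLOW", TCP_UDP, BOTH, "Local Network", "Local Network", None, ports(137, 138, 139)),
    Rule("Block Win out", "BLOCK", TCP_UDP, OUT, "Internet Zone", "Any", WIN_PORTS, None),
    Rule("Block Win in", "BLOCK", TCP_UDP, IN, "Any", "Internet Zone", None, WIN_PORTS),
    Rule("Ping out", "ALLOW", ICMP, OUT, "Internet Zone", "Any", icmp="ECHO REQUEST"),
    Rule("Frag needed", "ALLOW", ICMP, IN, "Any", "Internet Zone", icmp="FRAGMENTATION NEEDED"),
    Rule("TTL exceeded", "ALLOW", ICMP, IN, "Any", "Internet Zone", icmp="TIME EXCEEDED"),
    Rule("Block all", "BLOCK", TCP_UDP, BOTH, "Any", "Any"),   # TCP/UDP only, as written
]

def evaluate(p: Packet, rules: List[Rule] = RULES) -> Tuple[str, str]:
    """Walk the table top to bottom; the first matching rule decides."""
    for r in rules:
        if r.matches(p):
            return r.action, r.name
    return "NO MATCH", ""

# Constructed sample traffic (addresses are assumptions, not from the post).
ME, LAN_PEER, DNS1, WEB, REMOTE = "192.168.1.100", "192.168.1.50", "192.168.1.1", "93.184.216.34", "203.0.113.5"
SAMPLES = {
    "dns lookup":         Packet("UDP", "OUT", ME, DNS1, 3000, 53),
    "dns from port 5000": Packet("UDP", "OUT", ME, DNS1, 5000, 53),
    "https":              Packet("TCP", "OUT", ME, WEB, 1500, 443),
    "lan smb 139":        Packet("TCP", "IN", LAN_PEER, ME, 1500, 139),
    "lan smb 445":        Packet("TCP", "IN", LAN_PEER, ME, 1500, 445),
    "internet smb 445":   Packet("TCP", "IN", REMOTE, ME, 40000, 445),
    "ping out":           Packet("ICMP", "OUT", ME, "8.8.8.8", icmp="ECHO REQUEST"),
    "ping reply in":      Packet("ICMP", "IN", "8.8.8.8", ME, icmp="ECHO REPLY"),
}

def report(rules: List[Rule] = RULES) -> dict:
    return {label: evaluate(pkt, rules) for label, pkt in SAMPLES.items()}

def move_after(rules: List[Rule], name: str, after: str) -> List[Rule]:
    """Return a copy of the table with rule `name` placed directly after rule `after`."""
    rest = [r for r in rules if r.name != name]
    moved = next(r for r in rules if r.name == name)
    i = next(i for i, r in enumerate(rest) if r.name == after)
    return rest[:i + 1] + [moved] + rest[i + 1:]

if __name__ == "__main__":
    for label, verdict in report().items():
        print(f"{label:20} -> {verdict}")
    print("LAN share moved below the block rules:",
          evaluate(SAMPLES["lan smb 139"], move_after(RULES, "LAN share", "Block Win in")))
```

The evaluator is deliberately stateless: it does not model reply tracking, which is why the echo reply and a DHCP answer would show as unmatched here. Use it to reason about rule order and port ranges, then confirm the real behaviour in Comodo's own log.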
Application Monitor:

[ This post was last edited by ubuntu on 2007-1-6 23:07 ]