Firewall rules to hide from network

[danchev 0]

Hello, 

I need help to set firewall rules to prevent other people on the internal network to be able to see one of the computers. Computer name, NetBios and manufacturer are hidden, but i can still see that there is machine with MAC address on that IP with tools like advanced ip scaner. 

[Marcos 5,235]

While I have no clue what communication you would like to block, in general you can create the desired blocking rules and put them above the default (built-in) rules after making them visible in the filter:

[danchev 0]

ICMP communication in trusted zones is disabled, so maybe ARP?

[itman 1,742]

53 minutes ago, danchev said:

but i can still see that there is machine with MAC address on that IP with tools like advanced ip scaner. 

Don't know really what you are trying to prevent here.

Arp for IPv4 and netsh for IPv6 plus ipconfig native Windows commands for example will show physical (MAC) address for all devices connected to the local subnet.

Review this article: https://nordvpn.com/blog/mac-address/?srsltid=AfmBOorS4sjk4lv8mDs5bMRMsXz81PU3H7jcyq8Urb8u1Edv4AzBNwul as to possible solutions.

[itman 1,742]

21 minutes ago, danchev said:

ICMP communication in trusted zones is disabled, so maybe ARP?

If you want to block ARP, etc. commands, just block their usage by creating a HIPS rule to prevent their startup.

[danchev 0]

1 hour ago, itman said:

Don't know really what you are trying to prevent here.

It's a long story, but yeah, I want to make it look like there is no device at that IP, if possible.

[itman 1,742]

4 hours ago, danchev said:

It's a long story, but yeah, I want to make it look like there is no device at that IP, if possible.

Do a Google search on static ARP.

Example;

Quote

arp -s 192.168.1.254 ff:ff:ff:ff:ff:ff

like that? I use this to telnet into my router to enable wake on lan (FIOS router)

https://www.reddit.com/r/HomeNetworking/comments/4cofo4/does_anyone_know_how_to_set_a_static_arp_on/

-EDIT- For a permanent fix, you need to modify the ARP table on the router if it allows this.

Edited August 14 by itman

[danchev 0]

Thanks, I will look more into it.

One more question, what is the exact purpose of the marked firewall rule in the screenshot I posted? It's unchecked, but I still get ping responses.

[itman 1,742]

5 hours ago, danchev said:

One more question, what is the exact purpose of the marked firewall rule in the screenshot I posted? It's unchecked, but I still get ping responses.

No clue at this point.

One possibility is if the echo reply is from a device on the local subnet in response to a prior echo request, the firewall auto allows it.

-EDIT- I just disabled the same two ICMP rules you did and was able to ping my router successfully. So my above assumption is correct. If you want to prevent this capability for local subnet devices, you would have to create a custom ICMP rule to do so.

Of note here is your firewall rules screen show a Profile column that doesn't exist on my Eset installation. Do you have the latest EIS version installed?

 

Edited August 15 by itman

[Swamp Yankee 7]

10 hours ago, itman said:

Of note here is your firewall rules screen show a Profile column that doesn't exist on my Eset installation. Do you have the latest EIS version installed?

@itman Right click that tool bar and you get more choices of columns

[itman 1,742]

12 hours ago, Swamp Yankee said:

@itman Right click that tool bar and you get more choices of columns

Ahh...., thanks. Never knew that option existed.

[danchev 0]

So, these two rules don't do anything. I tried most of the options for the so called trusted zone and they are hit and miss. The one above these two works as expected, if unchecked all outgoing echo request return "General failure", but I'm interested in those that block or don't allow different types of inbound requests.

Version: 16.0.26.0 here and there is no right click for less/more column options.

[itman 1,742]

11 minutes ago, danchev said:

Version: 16.0.26.0 here

You need to update your Eset installation. Current version is 17.2.17.

13 minutes ago, danchev said:

but I'm interested in those that block or don't allow different types of inbound requests.

My guess here is ping is a common local subnet connectivity diagnostic tool. As such, Eset just auto allows corresponding echo replies from local subnet devices.

[itman 1,742]

I just tried to ping my PC from the router and Eset default ICMP rules worked as expected. Eset blocked the inbound echo request. Note that I use Public profile for my Eset network connection.

The Win 10/11 firewall uses the Public profile by default. Eset network setting for Profile use by default uses the Win firewall Profile setting.

Since you are using Eset ver. 16.0 are you running Win 7? Win 7 firewall default profile setting is different than Win 10/11. As I recollect, the default firewall profile setting for Win 7 is Private. Unless Eset firewall default Profile setting to defer to Win firewall Profile is disabled, your Eset network connection Profile is being set to Private. The Eset network connection Profile when set to Private will "trust" all local subnet devices resulting in the Eset firewall allowing all inbound network traffic from those devices.

Edited August 16 by itman

[danchev 0]

You are correct, that's a Windows 7 machine. I always go to Network and sharing center and set my internet connection as Public network with all the advanced sharing settings turned off. Maybe it has reverted back for some reason ... I will check. But still, Eset option to evaluate local Windows Firewall rules, that states "In automatic mode, incoming traffic allowed  by local Windows Firewall rules is also allowed by ESET, unless there are specific ESET rules explicitly blocking the traffic." is turned on. 

Also there is no option to set Network connection profiles in that version.

[itman 1,742]

58 minutes ago, danchev said:

Also there is no option to set Network connection profiles in that version.

Refer to this: https://help.eset.com/eis/16.0/en-US/idh_config_epfw_known_networks_group.html?idh_config_epfw_known_networks_editor.html.

It's called Protection type;

Quote

Protection type—Shows if the network is set to trusted, untrusted or Use Windows setting.

Trusted equates to Win 7 firewall Private setting.

Untrusted equates to Win 7 firewall Public setting.

Use Windows setting will set Eset network connection Profile to whatever the Win 7 firewall Profile is currently set to.

[itman 1,742]

1 hour ago, danchev said:

I will check. But still, Eset option to evaluate local Windows Firewall rules, that states "In automatic mode, incoming traffic allowed  by local Windows Firewall rules is also allowed by ESET, unless there are specific ESET rules explicitly blocking the traffic." is turned on. 

That setting controls how the Eset firewall operates in regards to its handling of inbound and outbound network traffic. In "Automatic" mode, all outbound network traffic is allowed unless an existing Eset firewall rule; default or user created, prevents it.

Additionally, "Automatic" mode will by default examine existing Win 7 firewall inbound rules applicable to its current set profile and allow that inbound network traffic prior to blocking it unless this option is disabled.

Refer to above provided on-line help link for additional details.

Edited August 17 by itman