Windows Firewall with Advanced Security Settings


Habakuck
September 14th, 2009, 09:12 AM
Hi @ all.

I used the Windows firewall for a long time but never changed the settings to block outbound connections because I am not familiar with setting up the correct rules.
Now I read Stem's post here: http://www.wilderssecurity.com/showthread.php?t=239750&highlight=Vista+FireWall+Stem
and decided to try it again.

I set up a few rules but have some problems now, so I need your help.

Thunderbird, FireFox, svchost (Windows Update) and my AntiVirus are working fine.

But the Windows Firewall (WF) blocks some UDP connections right after startup and I want to know what they are and how to create a rule for that.
I am very disappointed not to see any file paths in the firewall log. That makes it very hard to separate what tries to get out!
I think it has something to do with IPv6... because my IPv6 address shows up in that log.
Here we are:
-{ Quote: "#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2009-09-14 14:52:30 ALLOW UDP fe80::4c4f:****:d046:f1c1 ff02::1:3 57136 5355 0 - - - - - - - SEND
2009-09-14 14:52:30 ALLOW UDP 192.***.0.*** 224.0.0.*** 56370 5355 0 - - - - - - - SEND
2009-09-14 14:52:30 DROP UDP fe80::4c4f:****:d046:f1c1 ff02::1:2 546 547 0 - - - - - - - SEND
2009-09-14 14:52:31 DROP UDP fe80::4c4f:****:d046:f1c1 ff02::1:2 546 547 0 - - - - - - - SEND
2009-09-14 14:52:33 DROP UDP fe80::4c4f:****:d046:f1c1 ff02::1:2 546 547 0 - - - - - - - SEND
2009-09-14 14:52:37 ALLOW UDP 192.***.0.*** 192.***.0.* 52062 53 0 - - - - - - - SEND
2009-09-14 14:52:37 DROP UDP fe80::4c4f:****:d046:f1c1 ff02::1:2 546 547 0 - - - - - - - SEND
2009-09-14 14:52:37 ALLOW TCP 192.***.0.*** 62.189.194.207 49157 80 0 - 0 0 0 - - - SEND
2009-09-14 14:52:38 ALLOW TCP 192.***.0.*** 62.189.194.207 49158 80 0 - 0 0 0 - - - SEND
2009-09-14 14:52:38 ALLOW UDP 192.***.0.*** 192.***.0.* 55809 53 0 - - - - - - - SEND
2009-09-14 14:52:45 DROP UDP fe80::4c4f:****:d046:f1c1 ff02::1:2 546 547 0 - - - - - - - SEND
2009-09-14 14:53:01 DROP UDP fe80::4c4f:****:d046:f1c1 ff02::1:2 546 547 0 - - - - - - - SEND" }-

What is allowed there?
What is dropped there and how can I allow it?

Btw.: It would be great if anyone can explain the log...

Habakuck
September 14th, 2009, 12:32 PM
Ok. I did a system restore. Nothing worked. Secunia PSI and some other applications won't update/work properly.
And I set up rules for each of them! ::)

That is not very cool.

Is there no tool which is able to set the rules automatically, or a bit easier?? :doubt:

Seer
September 14th, 2009, 07:40 PM
Hello.

-{ Quote: "What is allowed there?
What is dropped there" }-

Allowed is normal IPv4 DNS (port 53) as well as multicast IPv6 DNS (http://en.wikipedia.org/wiki/Link-local_Multicast_Name_Resolution) (port 5355). Blocked is DHCPv6 (ports 546 & 547; sorry, can't find a useful link at the moment).

-{ Quote: "and how can i allow it?" }-

svchost hosts all of the above services.

-{ Quote: "Secunia PSI and some other Applications wont update/work proper." }-

Why the Secunia checker and the "other apps" you mention would not work properly because of this is really beyond me. I have never used PSI long enough to know its exact workarounds.

Cheers,

JohnnyDollar
September 14th, 2009, 11:05 PM
-{ Quote: "Ok. I did a system restore. Nothing worked. Secunia PSI and some other applications won't update/work properly.
And I set up rules for each of them! ::)

That is not very cool.

Is there no tool which is able to set the rules automatically, or a bit easier?? :doubt:" }-

What service pack and AV are you running? After installing SP2 on my Vista, Nod32 v3 was screwing with my firewall (something about a proxy); I installed v4 and everything was fine. If you block your AV with the Windows firewall, will the rules work for your other programs? If so, then it is your AV, not the firewall.

From what I have been told, you can install Vista Firewall Control Free and set all the rules with the popups; it will create the rules for you, and then you can uninstall it.

Habakuck
September 15th, 2009, 06:05 AM
Thank you for the input!

I reset the firewall and now Secunia is working fine. I set up very restrictive rules for incoming and outgoing connections. Everything is fine.

But I do have some dropped connections in the log and would like to know what they are, because I do not want to block my operating system.

-{ Quote: "2009-09-15 08:58:32 DROP TCP 192.168.0.*** 87.248.216.** 49340 80 0 - 0 0 0 - - - SEND
2009-09-15 08:58:55 DROP UDP fe80::4c4f:****:d046:f1c1 ff02::1:2 546 547 0 - - - - - - - SEND
2009-09-15 09:01:59 DROP TCP 192.168.0.*** 64.246.4.** 49355 80 0 - 0 0 0 - - - SEND
2009-09-15 09:10:02 DROP UDP 192.168.0.* 255.255.255.*** 137 137 96 - - - - - - - RECEIVE
2009-09-15 11:24:02 DROP ICMP :: ff02::1:***:f1c1 - - 0 - - - - 135 0 - SEND
2009-09-15 09:29:17 DROP ICMP fe80::4c4f:****:d046:f1c1 ff02::16 - - 0 - - - - 143 0 - SEND
2009-09-15 11:28:04 DROP TCP 192.168.0.*** 199.7.52.** 49598 80 0 - 0 0 0 - - - SEND" }-

I blocked all IPv6 connections! Is that why I get these entries? Is that OK?

-{ Quote: "svchost hosts all of the above services." }- What exactly do you mean?

Best regards!


PS: I am running Vista HP SP2 no AV Suite.

Seer
September 15th, 2009, 11:29 AM
-{ Quote: "But do have some dropped connections in the log " }-
-{ Quote: "I blocked all IPv6 connection! Is that why i get these entries?" }-
Your post #5 also shows NetBIOS as being blocked (port 137 broadcast, which belongs to IPv4), so if you don't have a LAN (and I assume you don't) you should either keep these blocked with a firewall (as it is now) or stop the services that enable NetBIOS. There are also some blocks on port 80 outbound; these probably belong to closed browser sessions (also on the IPv4 protocol).

-{ Quote: "What exactly do you mean?" }-
Well, if you wish to allow these IPv6 comms, simply make rules for svchost on the required ports. I am just not sure you should allow them, as I really doubt you're using DHCPv6.

As a bottom line, I can't see anything wrong in your logs.

Sorry, I can't comment on those ICMP blockings without some investigation, and I can't find the time at the moment. Later perhaps...

Cheers,
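Added example (not from any poster in this thread): a small Python parser for the pfirewall.log layout quoted above that labels each entry by the service its port or ICMPv6 type is assigned to, covering the DNS, LLMNR and DHCPv6 ports Seer identifies in the first reply and the NetBIOS and ICMP entries discussed in this one. The sample lines are constructed, and the ICMPv6 type names (135 Neighbor Solicitation, 143 MLDv2 listener report) are standard assignments, not something the thread states.

```python
"""Parse pfirewall.log entries and label what service each ALLOW/DROP most likely belongs to."""
from collections import Counter

# Constructed sample in the layout the log's own #Fields header declares (not the poster's data).
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2009-09-14 14:52:30 ALLOW UDP fe80::1 ff02::1:3 57136 5355 0 - - - - - - - SEND
2009-09-14 14:52:30 DROP UDP fe80::1 ff02::1:2 546 547 0 - - - - - - - SEND
2009-09-14 14:52:37 ALLOW UDP 192.168.0.10 192.168.0.1 52062 53 0 - - - - - - - SEND
2009-09-15 09:10:02 DROP UDP 192.168.0.5 255.255.255.255 137 137 96 - - - - - - - RECEIVE
2009-09-15 11:24:02 DROP ICMP :: ff02::1:ff00:1 - - 0 - - - - 135 0 - SEND
2009-09-15 11:28:04 DROP TCP 192.168.0.10 199.7.52.1 49598 80 0 - 0 0 0 - - - SEND
"""
# Standard IANA port / ICMPv6 type assignments for the traffic the thread discusses.
UDP_PORTS = {53: "DNS", 5355: "LLMNR name resolution", 547: "DHCPv6 client to server", 137: "NetBIOS name service"}
TCP_PORTS = {80: "HTTP"}
ICMPV6_TYPES = {135: "ICMPv6 Neighbor Solicitation", 143: "ICMPv6 MLDv2 listener report"}

def parse_log(text):
    """Yield one dict per data line, keyed by the names in the #Fields header; comments and blanks are skipped."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            raise ValueError(f"line does not match the declared #Fields layout: {line!r}")
        yield dict(zip(fields, parts))

def classify(entry):
    """Name the service an entry most likely belongs to, with the IP version it used."""
    v6 = ":" in entry["src-ip"]
    proto = entry["protocol"]
    if proto == "ICMP":  # ports are '-' here; the icmptype column carries the meaning
        t = int(entry["icmptype"])
        return ICMPV6_TYPES.get(t, f"ICMPv6 type {t}") if v6 else f"ICMPv4 type {t}"
    table = UDP_PORTS if proto == "UDP" else TCP_PORTS
    # The well-known port is normally the destination; NetBIOS broadcasts use 137 on both ends.
    label = table.get(int(entry["dst-port"])) or table.get(int(entry["src-port"])) or f"{proto} port {entry['dst-port']}"
    return f"{label} over {'IPv6' if v6 else 'IPv4'}"

def summarize(text):
    """Count (action, label) pairs so 'what is allowed' and 'what is dropped' can be read at a glance."""
    return Counter((e["action"], classify(e)) for e in parse_log(text))
```

Run `summarize(open(r"C:\Windows\System32\LogFiles\Firewall\pfirewall.log").read())` against a real log (the default path on Vista) to get the same per-service counts for your own drops.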

Habakuck
September 15th, 2009, 01:14 PM
Thank you Nick!

I am not sure what NetBIOS is, so I will keep the status quo.

What are closed browser sessions?

I don't wanna use IPv6!

-{ Quote: "As a bottom line, I can't see anything wrong in your logs." }- Cool, thank you so far.

I just want to make sure nothing important is being blocked...