Creating outbound rules for the Windows 7 Firewall

Yes, they do change all the time, so I just keep updating the remote ip addresses with cidr masks.

 

Where do you find these? Google search and MS site hardly give the latest addresses. Thanks

 

Search the firewall logs, right after Windows Update fails to connect, then check that IP in a service such as -https://dshield.org, and among other info, you'll get the CIDR mask.

It can be a "boring" task, though.

 

Right, as m00nbl00d explains, if you can enable logging in your Windows version as referenced in post #11 this thread.

 

Has anyone noticed for apps that require both inbound and outbound access (ie, Skype, Bittorrent, etc), if you were to delete only the inbound rule, but leave the outbound rule intact, that u no longer receive a W7 FW inbound "pop-up" notification when you launch the app that needs inbound access? Events Viewer does show multiple instances of "Audit Failure" as inbound connections were blocked for the specific app, but there is no inbound connection pop-up, which I think is strange.

If you deleted both the inbound and oubound rule, then launched the app, the inbound pop-up does work. But there's no inbound pop-up if you deleted the inbound rule only and left the outbound rule.

Is this normal Windows 7 Firewall Behavior? Its almost as if W7 Firewall assumes that you want the inbound connection blocked because the inbound rule does not exist.

ps. using WFC with W7 Firewall.

 

Actually, I didn't notice that before I'm not sure if it's because the outbound rule negates the inbound alert by design, maybe because a solicited outbound connection allows inbound traffic after being established? Just guessing.

 

The first time I had noticed it was yesterday - Thanks for confirming that its not just something that happens on my end. It must be normal W7 FW behaviour. However, inbound traffic is not allowed once the inbound rule is deleted - Events Viewer illustrates this with its blocked inbound events. This seems to be a W7 FW design flaw.

I only decided to experiment because I noticed there were new inbound rules created for three different AVG 2013 processes. I had never received a W7 FW pop-up alerting me if I wanted to allow these processes. I did however previously create outbound rules for those three processes and many more. So I was wondering if AVG could possibly have privilages to create these inbound rules itself, or I thought maybe W7 FW realised that a corresponding outbound rule existed so it allowed AVG to create the necessary inbound rules. I'm also suspecting that it could have happened during a major program update (ie, AVG 2012 to AVG 2013).

I've created outbound rules for 23 different AVG processes/files in total, however I didn't think any of them would also need inbound access. I'm guessing anti-virus apps are just a little more complex these days as many of them also have a "cloud" component, hence the need for inbound rules as well. Maybe? Is it normal for other AV apps to need inbound FW access?

Has anyone else experienced similar scenario's with a security app creating its own W7 FW rules? Is this possible?

Cheers,

 

It is possible that a program can create a new rule in Windows Firewall. Either inbound or outbound. But this program would need administrative privileges. Also, for an antivirus, there is no reason why it should connect to your computer. You connect and download new definitions. For this task, an outbound rule is needed. I don't know any reason why AVG should need inbound access to your computer. Even in Cloud. For Cloud there are dedicated servers, you don't share resources from your own PC. By default, Windows Firewall does not create inbound rules for an application just because it detected an outbound rule for it. This is a wrong assumption. Inbound access is needed only for server applications. If you use a server mail, for example.

 

Alexandru, Thank You for your thorough explanation You're a Legend

 

Some AVs use localhost connections. Norton AV/NIS is one of them. Block these and your crippling your AV.

If a firewall is "stateful", it only needs outbound connections. It will allow the inbound connection corresponding to previous outbound connection. Most retail firewalls are not fully stateful. To be fully stateful, they would have to attach an "id" to every outbound packet and match that "id" to every inbound packet. Many retail firewall monitor ports only and totally ignore packet activity.