Windows Firewall Control (WFC) by BiniSoft.org

Discussion in 'other firewalls' started by alexandrud, May 20, 2013.

  1. Shamshi Adad

    Shamshi Adad Registered Member

    Joined:
    Mar 16, 2016
    Posts:
    40
    Location:
    Eastern Shore of Maryland, USA
    I think it would be a nice improvement. I'm one of those who uses the Connection Logs aLOT!
    And the Rules Lists.
    Peace. Alan
     
    Last edited: Jun 7, 2016
  2. Alpengreis

    Alpengreis Registered Member

    Joined:
    Oct 7, 2013
    Posts:
    670
    Location:
    Switzerland
    Problem with default whois service:

    I receive often (or even always?) the following message
    Sorry, the text which ist strike through now should NOT be posted here! My fault!
    Hmm, I not. I finde the triggering right after a change is the better way.
     
    Last edited: Jun 8, 2016
  3. Shamshi Adad

    Shamshi Adad Registered Member

    Joined:
    Mar 16, 2016
    Posts:
    40
    Location:
    Eastern Shore of Maryland, USA
    Oh yes. I agree with you on that, but I seem to do a lot of clicking to go from In to Out and Blocked to Allowed Connection logs and In and Out Rules lists.
    But you are right on that point.
    Peace. Alan
     
    Last edited: Jun 7, 2016
  4. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,413
    Location:
    Romania
    Combo boxes are easier to extend with new entries. If I will add a new filter in the future, then the radio buttons will take more and more space.
    Not a nice way if you have a large Security log. Currently I have it set to 300MB and indeed, switching from all inbound allowed to all outbound blocked will trigger the loading of the data twice. For such a log with more than 400.000 entries, this takes several minutes. For this reason, I think that the solution that I proposed will be better.
    Thank you for sharing these resources.
    Let's see:
    - Windows Firewall rules can't be defined for host names, only for IP addresses or for IP ranges.
    - In Windows 10, even if you change the hosts file, some Microsoft host names are hard coded and the hosts file will be avoided anyway. Having a custom hosts file to avoid Microsoft phoning home does nothing.
    - There are some good Windows Registry tweaks in the links you have posted which can be applied separately. I don't think these registry tweaks should be part of WFC. WFC is a Windows Firewall enhancement, not a Microsoft anti-telemetry tool.

    Now, what can be done:
    - Based on those host names (v10.vortex-win.data.microsoft.com, etc) we can find their corresponding IP addresses or IP ranges. The current WFC recommended block rules can be updated to include these IP ranges too. These will be useful when Low Filtering profile is used. This has one flaw. The server IPs of these hosts can change and this means this list must be checked/updated frequently, which is not a nice task.
    - But, if we use Medium Filtering profile, having these block rules defined has sense only if we have a rule for svchost.exe which allows all outbound connections. This kind of firewall rule is in my opinion not a good idea. Indeed, with a very customized block rule we can block some of these connections.

    On my machine I only have these outbound rules for svchost.exe. As you can see, they are very specific. Having only these rules for svchost.exe, the outbound connection attempts to Microsoft servers are blocked by default because there is no rule to allow them and with Medium Filtering profile, each program without an explicit allow rule is by default blocked.
    upload_2016-6-8_18-16-9.png

    Instead of having all kind of tweak, hacks, special rules, etc. in WFC regarding the Microsoft telemetry, it is a good idea to not allow all connections of svchost.exe. As I said, I don't want to transform WFC into an anti-telemetry tool.

    Please share your thoughts about this. Best regards.
     
  5. guest

    guest Guest

    @alexandrud
    Thanks for your answer, I think I agree now with you that the best strategy then is to only allow certain connections (the ones you have showed, maybe more?)
    But then I/we would have to run wfc in High FIltering and I think is not very user friendly. What about an option to make the svhost process only to work with High filtering and the rest of the process in medium (or the default mode stablish by the user)? this would alow to lockdown svhost and work in popup mode with the rest of the process.

    All the windows telemetry goes through svhost?
    Are you sure that with those 3 rules you are not bloking windows traffic that is not telemtry?
     
  6. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,796
    Location:
    .
    Me neither, you should never transform WFC into it. Otherwise you could create a complete apart new tool for that but nothing to do with WFC.
     
  7. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    grabbed it and donated an hour ago, wow I been missing on a great little app.

    I was using windows firewall notifier which was dodgy at best of times, but then it completely went crazy earlier when having to deal with battle.net doing updates, so gave this a try, donated and is great.

    I also respect that you are not greedy with your donation policy, so I may donate some more next month also.

    I agree on the above comments also, keep WFC for what it is, a lightweight easy to use front end for windows firewall.

    Just one little issue to report.

    After I activated and enabled notifications, I clicked the check for updates expecting a notification but nothing appeared, it is notifying fine for all other software. So had to use the shell integration menu to allow wfc.exe access to the internet.
     
  8. minimalist13

    minimalist13 Registered Member

    Joined:
    Mar 28, 2016
    Posts:
    15
    I agree as well. As far as svchost.exe, I am not on a local network so I don't allow SSDP, but I do have two additional allow rules: 1) W32Time service (UDP on port 123, included in WFC suggested rules) and 2) DHCPv6 (UDP on port 546-7).
     
  9. guest

    guest Guest

    We are talking about adding a new mode and maybe new rules for svhost. It can be use for many things, it has many applications, not only to avoid telemetry, and it doesn't require to add a new feature that an advanced firewall would't have.

    This mode can be called Restricted mode and have a list where you add the processes that will work in "high filtering" mode, the rest of the processes will work in ""medium filtering mode. I think this is totally a feature related with a firewall.

    It's like having different policies for different group of apps
     
    Last edited by a moderator: Jun 9, 2016
  10. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,413
    Location:
    Romania
    The purpose of High Filtering is to block all network connections so that you don't have to disable your network adapter, unplug network cable or disconnect the WiFi connection. Think about it as an offline mode. High Filtering profile is achieved by creating two generic (apply to all) block rules named High Filtering - Block inbound connections and High Filtering - Block outbound connections. These two special rules are removed automatically when the High Filtering profile is changed to a different profile. So, while High Filtering Profile is enabled, all programs are blocked and we can't set some special allow rules because block rules have higher precedence and will overwrite any allow rules.

    The notifications system is based on the Security log which logs all connections. There is no way to define a rule to exclude a process (svchost.exe) or to include it. The logging is made for all or nothing.

    All Microsoft Windows services use svchost.exe to connect to the network/Internet, so basically, all telemetry goes through svchost.exe. Those three rules are allow rules so they are not blocking anything. Depending on which services/features from Windows you use, it may be possible to be required to allow more than that. My example suits my needs.
    WFC will not display notifications for wfc.exe. However, the blocked connection can be seen in Connections Log.
    A firewall rule that allows WFC updater is included in the WFC recommended rules and looks like this.
    upload_2016-6-9_11-28-23.png
    WFC connects only to the binisoft.org and checks the binisoft.org/update.xml file to see if a new version is available. If there are any other connection attempts of wfc.exe they are because of the digital signature checking and are triggered externally, not from WFC code.
    See my previous answer to see why this is not possible. Is there any particular scenario that doesn't work for you so that you want to allow svchost.exe while using High Filtering mode ?

    If you need to allow LAN traffic while using the High Filtering profile, check the answer from here: http://www.binisoft.org/faq2.php#profiles
     
  11. guest

    guest Guest

    Ok I might mix high filtering mode with the mode of another firewall, if HF block everything it should be call block everything, lock traffic or something like that IMHO.

    I'm talking about a mode on which only the programs allowed in the rules have access to internet, any other connection is blocked, no popups.

    The idea is to have different filtering modes for a different set of apps, in addition to different notification levels
     
  12. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,413
    Location:
    Romania
    This already exists. Medium Filtering profile will allow only the programs that have an allow rule and any other programs are by default blocked. The notifications are optional and can be turned off.
    It is not possible in Windows Firewall to have different modes/zones like: gaming mode, browsing mode, etc. To achieve something similar you can have different rules in specific groups and based on your needs you can disable or enable the entire group. But this must be done manually from the Rules Manager or through some batch files that will call something like this: netsh advfirewall firewall set rule group="CustomGroupName" new enable=Yes
     
  13. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    Some more feedback, can you please add ipv6 support to the ip whois feature?

    I noticed it tries to send the ip in ipv4 format to the browser.
     
  14. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,413
    Location:
    Romania
    The IP used is the same IP that is displayed in WFC. If the IP is IPv4 then IPv4 will be used, if the IP is IPv6 then the IPv6 will be used. There is no conversion. Do I miss something or did you miss something ?
     
  15. Alpengreis

    Alpengreis Registered Member

    Joined:
    Oct 7, 2013
    Posts:
    670
    Location:
    Switzerland
    Ok, I see the point. All right!

    I agree 100 % with this statement!
     
    Last edited: Jun 9, 2016
  16. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    when it sends the ip to the browser, it is incomplete.

    if I get another ipv6 notification will do some screenshots for you to look at. :)
     
  17. Shamshi Adad

    Shamshi Adad Registered Member

    Joined:
    Mar 16, 2016
    Posts:
    40
    Location:
    Eastern Shore of Maryland, USA
    Hi chrcol. I just did 6 ipv6 who.is queries in a row and they all worked. In the WFC Control Panel I have "who.is" selected as the provider in the Tools section.
    Peace. Alan
     
  18. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    ok so the provider might have been the problem?
     
  19. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,413
    Location:
    Romania
    Please make a screenshot with the notification to see the IPv6 that you receive and the URL that is sent to the web browser. The provider should not make any difference.
     
    Last edited: Jun 9, 2016
  20. Vilmalith

    Vilmalith Registered Member

    Joined:
    Nov 28, 2007
    Posts:
    68
    I'm having an issue where I cannot get a game to stick, in this case Warframe. Regardless of if I manually create an allow rule, right click and allow from the connections log, hit allow on the popup or right click the app to allow. I can see the allow rule show up in the Rules Panel. But the next time I launch the app the rule is gone and the app is blocked.

    Ok, so this only seems to be an issue if I have the secure rules option checked.
     
  21. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,413
    Location:
    Romania
    Set the Secure Rules to disable unwanted rules instead of deleting them so that you can review them. Make sure that you create the rule in an allowed group name.
     
  22. Special

    Special Registered Member

    Joined:
    Mar 23, 2016
    Posts:
    454
    Location:
    .
    I know I'm posting this here which will probably net me some biased answers, but this one looks promising.

    I'm in need of a new Firewall, I need to move away from COMODO because their HIPS, even when disabled, causes problems for me in Windows 10, this is a shame because I really love their Firewall, I just wish I could get it standalone.

    Anyway my main condition is that I want, by default everything blocked, all inbound (does anyone even allow this? I guess if your torrent.) and all outbound connections, with pop up notifications to let me decide whether to give it access or not. TinyWall seems great to me but it does not do notifications, so that's out. This one seems to, but I guess the questions that are left is how is the usability of it and just how good is Microsoft's Firewall, I don't trust them all that much, I do plan on blocking system processes for privacy, like Explorer.exe and SearchUI.exe, stuff that should have no need for internet, and Microsoft has built their OS to basically ignore things like Host files, so why should I bevieve MS's firewall from not doing the same.

    Anyway people here are more experience then me on this, I would love to hear their thoughts on the security of this firewall (MS) and this frontend. Also what can I expect from making this switch away from COMODO, is there anything COMODO does that this will not.

    Fake Edit: I'd also like to hear of the negatives and limitations of Windows Firewall (I'm not familiar with it) but I do always hear it's UI is terrible and is it still true that Windows Firewall can be controlled by any application with sufficient privileges, if so what a garbage, useless program, I'll look elsewhere then (Hopefully WFC prevents this.).
     
    Last edited: Jun 13, 2016
  23. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    This app can do default all blocked if you wish. Windows firewall even on its own can do that.

    WFC adds a feature for authorised groups which I believe should achieve what you want in hardening the rule creation permissions, so another program if added a rule not in that group, the rule would be disabled.

    The windows firewall gui isnt terrible in my view, but its not super user friendly and the main weakness is lack of notifications on outbound filtering, you will get notifications in the donation version of this program.
     
  24. Shamshi Adad

    Shamshi Adad Registered Member

    Joined:
    Mar 16, 2016
    Posts:
    40
    Location:
    Eastern Shore of Maryland, USA
    Hi Special. The website www.Binisoft.org explains a LOT about WFC4.
    And there's a GREAT video at https://www.youtube.com/watch?v=Wpsnf_pbGMM about WFC4.
    Peace. Alan
     
  25. rm22

    rm22 Registered Member

    Joined:
    Oct 26, 2014
    Posts:
    357
    Location:
    Canada
    I just had an odd experience.... just installed WFC on another PC & was testing all the Apps to make sure all the needed outbound rules were set. But when I tested 2 Web meeting Apps - "Citrix GotoMeeting" and "Zoom Meeting".- both were blocked outbound even though they had generic outbound 'allow' rules. I tried creating new generic rules from the WFC Connection Log - tried allowing the exact blocked entry - nothing worked.

    Then after an hour of experimenting - suddenly both Apps starting launching fine - the 2 generic 'allow' rules started working & there hasn't been any more blocks since...

    So it seems for some reason these 2 FW rules were not being updated while about 20 others had been... anyone have an explanation as to what might have happened and how in the future I can force the rules to update...
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.