Windows Firewall Control (WFC) by BiniSoft.org

Discussion in 'other firewalls' started by alexandrud, May 20, 2013.

  1. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,412
    Location:
    Romania
    1. While the allow rules were in place, did the Connections Log still display new blocked connections for these?
    2. While the profile was set to the Low Filtering profile, did they connect?
    To refresh the state of Windows Firewall it is enough to switch the profile in WFC. This will force Windows Firewall to refresh its state and the rules too. Once a rule is created, it is applied immediately.
     
  2. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    3,336
    Location:
    Location Unknown
    How can a "block all but...." rule be created?
     
  3. rm22

    rm22 Registered Member

    Joined:
    Oct 26, 2014
    Posts:
    357
    Location:
    Canada
    1) Yes - but no popup except for the first time, when I created the rule
    2) Yes

    Great, thanks!! I'll try changing profiles if this ever happens again. All the other rules I created (20+) were applied immediately - not sure why these 2 weren't.
     
  4. Vilmalith

    Vilmalith Registered Member

    Joined:
    Nov 28, 2007
    Posts:
    68
    I've set secure rules to disable instead of delete. I've verified the rule is being created in the correct group. However, as soon as I launch the app all the rules that were set for it disappear from the Rules Panel and the app is blocked. I get a notification to allow or block. I choose allow. The rule gets added and stays there even after a reboot. As soon as I launch the app, the rule(s) are gone again. It's a free game, Warframe.

    Ended up being able to keep secure block on by creating a group named Warframe and saving the unauthorized rules to the Warframe group.
     
  5. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,412
    Location:
    Romania
    Block rules have higher precedence than allow rules in Windows Firewall, so while you have a block-all rule, any allow rule for the same connections will be ignored. Let's say that you are in a local LAN and you want to be able to connect only to a specific IP, 192.168.0.101. You will have to define a block rule with the following ranges: 1.1.1.1-192.168.0.100,192.168.0.102-255.255.255.255. In this example, the IP 192.168.0.101 will be allowed and any other IP will be blocked.
    It is possible that this game:
    1. Assumes that outbound filtering is not enabled in Windows Firewall.
    2. Deletes the rules from Windows Firewall that apply to its own executable.
    3. Does not check whether the rule is an allow rule or a block rule, so it deletes any rule anyway.
    The purpose is to ensure that the game is not blocked from connecting to the Internet. From the start, the first assumption is wrong and the game's behavior is also wrong. From my point of view, if a software requires an Internet connection and can't connect because of a firewall, a disconnected network, etc., it should display a message and let the user create the required firewall rules.

    I remember that a year ago I received a support email regarding an image editing software. In that case, the software refused to launch if there was any rule for its executable file in Windows Firewall. Even if the rule was an allow rule and the program had full access to the Internet, it just closed itself. When the rule was removed, it started working again, but only with outbound filtering disabled. I had no solution for that scenario because the software always wanted the user not to have any kind of firewall rules for it. It just forced the user to disable outbound filtering in Windows Firewall. I must admit, there are dubious developers and strange software.
     
  6. Alpengreis

    Alpengreis Registered Member

    Joined:
    Oct 7, 2013
    Posts:
    670
    Location:
    Switzerland
    Have you read the following already?

    https://support.citrixonline.com/en_US/Meeting/all_files/G2M090002#Configure_firewalls_comp

    https://support.zoom.us/hc/en-us/articles/202342006-Network-Firewall-Settings-for-Meeting-Connector

    For further investigating you could post at least your related outbound rules.

    HTH

    Greetings
    Alpengreis
     
  7. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    3,336
    Location:
    Location Unknown
    It doesn't sound like what I need done can be accomplished using Windows Firewall, since network zones cannot be defined. I'm looking to auto-block everything not going through a VPN. There are a lot of threads from a lot of VPS about this (see AirVPN's Eddie), but they never allow you to use your own rules in addition to their "block" rules.

    Can this actually be done?
     
  8. Alpengreis

    Alpengreis Registered Member

    Joined:
    Oct 7, 2013
    Posts:
    670
    Location:
    Switzerland
    1) You could create related rules for the VPN with a group name (say VPNrules, for example).
    Create the rules so that really only traffic over the VPN is allowed (restrict the ports too). That way you should be able to prevent a leak if the VPN connection is lost (disconnected) - probably you will also need related block rules to realize this. It needs technical knowledge, and a general template is not possible (it depends on your VPN provider and on your personal system and preferences).

    2) Set those rules to deactivated for normal use (without VPN), else you may not be able to connect to the Internet.
    3) After connecting to your VPN you can start a command line to activate those rules by group name. Here you could make a batch file like this ...
    Code:
    @echo off
    rem Enable every rule in the group "VPNrules" (needs an elevated command prompt)
    netsh advfirewall firewall set rule group="VPNrules" new enable=yes
    exit /b 0
    This will activate your created VPN rules for the VPN session.
    If your client supports batch files (event = after connect), you could start the batch automatically after connect.

    4) After disconnecting from your VPN you can start a command line to deactivate those rules by group name. Here you could make a batch file like this ...
    Code:
    @echo off
    rem Disable every rule in the group "VPNrules" (needs an elevated command prompt)
    netsh advfirewall firewall set rule group="VPNrules" new enable=no
    exit /b 0
    This will deactivate your created VPN rules for your normal use.
    If your client supports batch files (event = after disconnect), you could start the batch automatically after disconnect.

    PS: It's also recommended to deactivate IPv6 if your VPN provider does not support it, to prevent an IPv6 leak while on VPN. This can be done with the additional Microsoft tool
    "nvspbind". You could make a batch for this too, with the following syntax:
    Code:
    nvspbind /d {YOUR IPv6 ADAPTER NIC-GUID} ms_tcpip6
    If your client supports batch files (event = before connect), you could start the batch automatically before connect.

    After you disconnected, reactivate the IPv6 again with ...

    Code:
    nvspbind /e {YOUR IPv6 ADAPTER NIC-GUID} ms_tcpip6
    ... integrate this in your "After-Disconnect"-Routine.


    And last but not least: you could prevent DNS leak while VPN with the following external program "DNSfix", see here ...

    https://www.dnsleaktest.com/how-to-fix-a-dns-leak.html

    integrate this also in your "PreConnect"-Routine.


    HTH
    Alpengreis
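The connect/disconnect batch files in the post above, rewritten as one PowerShell script. This is an added example, not Alpengreis's code and not part of WFC: it toggles the same rule group, swaps nvspbind for the in-box Disable-NetAdapterBinding/Enable-NetAdapterBinding cmdlets (Windows 8/Server 2012 and later), and adds a check that the group really contains an enabled outbound block rule before the session is trusted. The group name VPNrules comes from the post; the adapter alias 'Ethernet' is an assumption (replace it with the name Get-NetAdapter shows for your physical NIC). Run it elevated.

```powershell
# Added example (not from the post or from WFC). Run from an elevated PowerShell, Windows 8 /
# Server 2012 or later, so the NetSecurity and NetAdapter modules are available.
# Call as:  powershell.exe -ExecutionPolicy Bypass -File vpn-hooks.ps1 -Action Connect
param(
    [ValidateSet('Connect', 'Disconnect', 'Check')]
    [string]$Action = 'Check'
)

$GroupName  = 'VPNrules'   # rule group name from the post
$LanAdapter = 'Ethernet'   # ASSUMPTION: alias of the physical NIC (see Get-NetAdapter)

function Test-VpnKillSwitch {
    # $true only if every rule in the group is enabled AND at least one of them is an outbound
    # Block rule; an "enabled" group made only of Allow rules would not stop a leak.
    $rules = @(Get-NetFirewallRule -Group $GroupName -ErrorAction SilentlyContinue)
    if ($rules.Count -eq 0) { return $false }
    $disabled = @($rules | Where-Object { [string]$_.Enabled -ne 'True' })
    $blocks   = @($rules | Where-Object { [string]$_.Direction -eq 'Outbound' -and [string]$_.Action -eq 'Block' })
    return ($disabled.Count -eq 0 -and $blocks.Count -gt 0)
}

function Invoke-VpnConnectHook {
    # Step 3 of the post: same effect as
    # "netsh advfirewall firewall set rule group=VPNrules new enable=yes".
    Enable-NetFirewallRule -Group $GroupName
    # The post's nvspbind step: unbind IPv6 from the physical NIC so an IPv4-only tunnel
    # cannot be bypassed over IPv6. Same effect as "nvspbind /d {GUID} ms_tcpip6".
    Disable-NetAdapterBinding -Name $LanAdapter -ComponentID 'ms_tcpip6'
    if (-not (Test-VpnKillSwitch)) {
        # Fail loudly rather than silently running a session that is not actually protected.
        throw "Group '$GroupName' is not a working kill switch (missing rules or no outbound block rule)."
    }
}

function Invoke-VpnDisconnectHook {
    # Step 4 of the post, plus re-binding IPv6 for normal (non-VPN) use.
    Disable-NetFirewallRule -Group $GroupName
    Enable-NetAdapterBinding -Name $LanAdapter -ComponentID 'ms_tcpip6'
}

switch ($Action) {
    'Connect'    { Invoke-VpnConnectHook }
    'Disconnect' { Invoke-VpnDisconnectHook }
    'Check'      { if (Test-VpnKillSwitch) { 'VPN kill switch: ACTIVE' } else { 'VPN kill switch: NOT active' } }
}
```

Clients such as Viscosity or the OpenVPN GUI can call the script from their connect and disconnect script hooks. The post puts the IPv6 step before connecting and the rule enabling after connecting; if your client offers both hooks, split the two calls in Invoke-VpnConnectHook accordingly.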
     
  9. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    3,336
    Location:
    Location Unknown

    Thanks for this. However, one thing I am concerned about is Windows Firewall's inability to filter using a MAC address. If it could, all I would need to do would be to tell it to allow the TAP address and block everything else. In fact, as far as I'm aware, Windows Firewall does not even allow for IP filtering (which is different from IPv4/6). In order to accomplish what I would like, would both need to exist?

    Also, Viscosity can do what you suggest, at least in terms of having pre-connect scripts run. But wouldn't the fact that firewall rulesets change be insecure? Wouldn't it be better to have one rule set, and eliminate one more possibility of something going wrong?
     
  10. Alpengreis

    Alpengreis Registered Member

    Joined:
    Oct 7, 2013
    Posts:
    670
    Location:
    Switzerland
    No, I see nothing insecure here in principle, and it should even be possible to make the whole thing compatible with the secure rules restriction. Note: this is not another rule set! Those rules exist in the same rule set - only the state of the rules changes (active/inactive)! If I remember correctly, the Viscosity GUI (I have used Viscosity too) runs as the current user (which can be a restricted user) but an elevated service runs in the background anyway, as far as I know, so ... (it would nevertheless be better than the OpenVPN GUI itself, which runs directly as an elevated process as far as I know).

    However: IMHO you can't realize a concept where such rules are ALWAYS activated, because after you connect to a VPN your (W)LAN adapter very probably receives an IP (dynamic or static) from your VPN provider. At least I PERSONALLY have not found a (sensible) solution to handle this without a special VPN rule group whose rule status changes (active/inactive). So directly after connecting to the VPN you have to block your "non-VPN LAN" from the Internet, ELSE you cannot handle a VPN interruption (the LAN would then be allowed outbound traffic, which may not be sensible) - THAT would be insecure - at least you would have a LEAK then, and if the connection is not secure (https/SSL) and you are on WLAN, then it would be completely insecure!
    Also, I found the VPN "solutions" with their leak protection often (always?) not secure enough - they all worked with a timer or a temporary route change or something like that - the timer ALWAYS has the problem of reaction time ... the route can change (because of the re-lease time or so) regardless of whether it's dynamic or static (I had made a few tests with such route changes).
    So for me - where it was necessary to use a VPN - I found "my way" much better and more secure.

    Then about MAC: AFAIK MAC is not secure - MAC spoofing seems nothing special for current script kiddies ... for me, restricted MAC access MAYBE as an additional thing (I personally had MAC filtering activated in my WLAN client) - but never as the base or an important point of a security concept ... meaning: I never missed MAC filtering in Windows Firewall ...

    About IP filtering: I assume you mean Static IP Packet Filtering. MS knows this but it is "recommend[ed] that you enable either static packet filtering or Windows Firewall, but not both. Conflicts between two sets of filter rules can result in desired traffic being unexpectedly blocked." (MS TechNet).

    However, I should not get more technical HERE. This forum is for WFC - the fantastic GUI for Windows Firewall ... so you have to accept the behaviour of Windows Firewall at this point. If you really need a solution with MAC, packet filtering or other unsupported techniques, this is not the right place to discuss it - NO OFFENSE AGAINST YOU :)

    PS: I hope you understand enough of my English (German is my native language) ;-)
     
  11. rm22

    rm22 Registered Member

    Joined:
    Oct 26, 2014
    Posts:
    357
    Location:
    Canada
    Thanks for trying to help, but I already had rules set correctly - the issue was that the executables were still being blocked. For some reason the WF rules were not updating - but they did eventually and everything is now working as it should.
     
  12. Alpengreis

    Alpengreis Registered Member

    Joined:
    Oct 7, 2013
    Posts:
    670
    Location:
    Switzerland
    Ok, all right!
     
  13. rm22

    rm22 Registered Member

    Joined:
    Oct 26, 2014
    Posts:
    357
    Location:
    Canada
    Is it possible to sort rules using multiple columns - e.g. primary sort by "group", secondary sort by "location"?
     
  14. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,412
    Location:
    Romania
    Unfortunately no. I will do some research to see if I can add this functionality in WFC by using the current data grid control. 3rd party controls contain this functionality but the default data grid doesn't.
     
  15. rm22

    rm22 Registered Member

    Joined:
    Oct 26, 2014
    Posts:
    357
    Location:
    Canada
    ok - thanks! It would be a useful feature to have
     
  16. Alpengreis

    Alpengreis Registered Member

    Joined:
    Oct 7, 2013
    Posts:
    670
    Location:
    Switzerland
    +1 BTW: I made a similar suggestion already middle of 2014, see here ... www.wilderssecurity.com/threads/windows-firewall-control-4.347370/page-37#post-2386770
     
    Last edited: Jun 19, 2016
  17. minimalist13

    minimalist13 Registered Member

    Joined:
    Mar 28, 2016
    Posts:
    15
    Yeah, this was on my list of suggestions to bring up. If it is easily possible it would also be nice to then have: 1) a saved sort order and 2) a constructed column with allow, block, disabled to make that ordering easy, as suggested by Alpengreis (I can't see that it would be useful as a primary sort, but it definitely would as a secondary sort).

    Then I might as well empty my list of suggestions:

    A) With a partial rule import, would it be possible to temporarily color the imported rules? That is, when rules are imported they would all have blue backgrounds (or something else) for 15 seconds (or a different time). This would make it easier to keep different computers in sync by seeing which rules were not in the imported group.

    B) Is it possible to make the create rule window non-modal? That is, when a new rule is created, currently it is impossible to have the connections panel open with the create new rule window on top of it (the rules panel comes in between). It is possible to make a very small rules window to work around this, but then you have to remember to do that before creating the blank rule....
     
  18. mike83

    mike83 Registered Member

    Joined:
    Mar 9, 2016
    Posts:
    35
    I discovered WFC only recently and found it to suit my needs very well indeed. I like especially the ability to create temporary rules that remain only for the selected period of time.

    I activated the product yesterday, watched the YouTube video and went through the FAQ page. Since there seems to be no User Guide available yet, I'm still a bit uncertain about some features. First I started reading through this topic but 99 pages was too much to read in one session... so my apologies if these questions have already been answered before.
    1. I understand that the Location in the rules matches the Windows Network Location, which can be set for each network interface. Do I understand correctly that for a workstation that is connected to a workgroup instead of a domain, the location "Private" equals "Home network" and "Domain" equals "Work network" in Windows 7 terms?
    2. Is there a practical way to copy only a desired subset of rules from one exported rules file to another rules file or to the currently active rules? (e.g. reset to the recommended rules but add some rules from an exported file on top of that)
    3. There are about 10 more rules in the Recommended rules set than in the default rules set. Is the reasoning behind the difference of these built-in rulesets documented somewhere?
    4. How about the disabled rules in the default and recommended rules - is there other documentation available on them besides the rule name and group? (I'm thinking of possible reasons to activate some rules that look unfamiliar to me)
    5. Is there a way to find the sequence in which the currently active rules have been created (e.g. latest on top of the list)?
    6. If I start using either the default or recommended rules and use Medium filtering with Medium notifications, am I expected to have any problems with any Windows features that might get silently blocked?
    7. Some questions about the "Secure rules" feature: Do I understand correctly that if I activate the "Secure rules" option in the Security tab, then no other program can modify the Windows Firewall rules database?
    8. Why are there only three Authorized groups (Windows Firewall Control, Temporary Rules and Unauthorized rules) predefined when there are many more groups defined in the default rule set and the recommended rules set?
    9. Has someone possibly developed a ruleset for blocking the Windows 10 telemetry problem, or is it considered reasonable to do anything for the telemetry problem with firewall rules? (I do know that there are special software, registry settings and local policies that can be used to control this, but I'm interested if the firewall could have some role here, too)
    Sorry for the long list. This software seems to be so great that I'm having a hard time waiting till I have learned all the features and tricks... :)

    I'd be grateful if someone knowledgeable could shed some light on these questions.
     
  19. minimalist13

    minimalist13 Registered Member

    Joined:
    Mar 28, 2016
    Posts:
    15
    I'm sure you'll get plenty of other answers.

    1. I don't have a LAN so someone else can answer.
    2. Imported rules are added to the current rules, so you need only export the rules you wish to add to the current rule set.
    3. -
    4. -
    5. Rules are created at the top of the list, so if you never sort by another column the newest will be at the top.
    6. -
    7. You are correct.
    8. -
    9. (also 3, 4, 6 and 8): I think most people using WFC delete all the Windows built-in rules (what you call the default rules) and start from nothing. Everyone's situation is different, you can see some of the WFC developer's comments: https://www.wilderssecurity.com/threads/windows-firewall-control-4.347370/page-85#post-2563841 and https://www.wilderssecurity.com/threads/windows-firewall-control-4.347370/page-98#post-2593515 and following. If you set up so svchost.exe has DNS and DHCP and the programs you use have access, then you can deny most other things that come up.

    If you don't want MS calling home, you probably also ought to limit your browsers to ports 80 and 443 (Firefox at least calls home on other ports) and mail to 25,110,143,465,585,993,995 plus 80 and 443 if they access the web. And don't let the flash binary access the web at all although this will break or impair some poorly constructed sites(speedtest.net).
     
    Last edited: Jun 20, 2016
  20. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    766
    Rule Name - Block everything when the VPN connection is inactive or drops
    Location - Domain, Enabled - Yes, Action - Block, Direction - Out, Protocol - Any, Local Address - Your IP or IP Range
    Local Port / Remote Address, Remote Port - Any

    Rule Name - allow VPN widget to connect when VPN is down
    Location - Private/Public, Enabled - Yes, Action - Allow, Direction - Out, Protocol - UDP (unless you swapped to an alternative), Local Address - Your IP & VPN IP or Ranges
    Local Port / Remote Address - Any, Remote Port - 443 (unless you swapped to an alternative)

    Then:
    1) make custom rules for DHCP in/out for VPN DHCP ranges, locking into DHCP Windows Service
    2) make custom rules for DNS (can be done, one rule per exit node OR keep them all in one rule), locking into DNS Client Windows Service
    3) make a rule for your VPN app to update exit node list (won't go into detail here because everyone is different, especially if it consists of DNSCrypt and Acrylic DNS Proxy)
    -----
    4) create a block rule (in & out) for each Protocol you do not use that is provided in the WFC Rule Dialog Box (Protocol Drop-Down List)

    Could go the extra mile...
    1) remove hard-coded addresses from dnsapi.dll
    2) use a DNS Proxy that supports wildcards, then add a rule for *microsoft* (customise the rules for browsing to Microsoft sites, only using the ones that un-break sites prevents telemetry callouts eg: "v0cdn.net"... it all comes down to how hands on you are with your system)
    eg:
    # When using support/technet/social.technet/msdn/social.msdn/www
    # 127.0.0.1 >aspnetcdn.com -ajax.aspnetcdn.com
    # 127.0.0.1 *microsoft* -support.microsoft.com -www.microsoft.com -technet.microsoft.com -social.technet.microsoft.com -msdn.microsoft.com -social.msdn.microsoft.com -c.s-microsoft.com -windows.microsoft.com -res1.windows.microsoft.com -res2.windows.microsoft.com -go.microsoft.com -download.microsoft.com -blogs.technet.microsoft.com -definitionupdates.microsoft.com -developer.microsoft.com -answers.microsoft.com -i2.answers.microsoft.com -i3.answers.microsoft.com -i.answers.microsoft.com -social.answers.microsoft.com
    # 127.0.0.1 >msecnd.net -az623152.vo.msecnd.net -az416426.vo.msecnd.net
    # 127.0.0.1 >onestore.ms -assets.onestore.ms
    # 127.0.0.1 *s-msft* -i-technet.sec.s-msft.com -i1.social.s-msft.com -i-msdn.sec.s-msft.com -i2-msdn.sec.s-msft.com
    # 127.0.0.1 >live.com -login.live.com -account.live.com
    # 127.0.0.1 >gfx.ms -auth.gfx.ms
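The rule list above, together with alexandrud's "block everything except one address by listing two ranges" trick from earlier in the thread, as one PowerShell script that builds the whole set. This is an added example, not code from either post or from WFC. It creates the rules disabled in a group named VPNrules (so they can be toggled per session as Alpengreis describes), computes the "everything except the VPN endpoints" address list for the block rule automatically because Windows Firewall has no address negation and a Block rule beats an ordinary Allow rule, and binds the DHCP and DNS allow rules to the Dhcp and Dnscache services. The LAN subnet, gateway, VPN endpoint addresses, client path and in-tunnel ranges are all assumptions to replace with your own; run it elevated.

```powershell
# Added example, not code from the posts or from WFC. Elevated PowerShell on Windows 8 /
# Server 2012 or later (NetSecurity module). Everything in the block below is an ASSUMPTION.
$GroupName     = 'VPNrules'                                  # group name used earlier in the thread
$LanSubnet     = '192.168.1.0/24'                            # your LAN: "Local Address" of the block rule
$LanGateway    = '192.168.1.1'                               # router / DHCP server on that LAN
$VpnEndpoints  = @('203.0.113.10', '203.0.113.11')           # VPN exit nodes (documentation addresses)
$VpnPort       = 443                                         # "Remote Port - 443 (unless you swapped)"
$VpnClientExe  = 'C:\Program Files\OpenVPN\bin\openvpn.exe'  # the "VPN widget" binary
$VpnDhcpRange  = '10.8.0.0/24'                               # DHCP range handed out inside the tunnel
$VpnDnsServers = @('10.8.0.1')                               # resolvers reachable only through the tunnel

function ConvertTo-IPv4UInt32 ([string]$Ip) {
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()   # network byte order
    [Array]::Reverse($bytes)                                         # BitConverter is little-endian
    return [BitConverter]::ToUInt32($bytes, 0)
}
function ConvertFrom-IPv4UInt32 ([uint32]$N) {
    return '{0}.{1}.{2}.{3}' -f (($N -shr 24) -band 0xFF), (($N -shr 16) -band 0xFF), (($N -shr 8) -band 0xFF), ($N -band 0xFF)
}
function Get-RangesExcept {
    # Windows Firewall cannot express "every address except X", and a Block rule wins over an
    # Allow rule, so the block rule has to list the complement explicitly. This is alexandrud's
    # "1.1.1.1-192.168.0.100,192.168.0.102-255.255.255.255" example generalised to any host list.
    param([string[]]$AllowedHosts)
    [uint32]$cursor = ConvertTo-IPv4UInt32 '1.0.0.0'      # 0.0.0.0/8 is never a real peer
    [uint32]$end    = ConvertTo-IPv4UInt32 '255.255.255.255'
    $ranges = New-Object System.Collections.Generic.List[string]
    foreach ($addr in ($AllowedHosts | ForEach-Object { ConvertTo-IPv4UInt32 $_ } | Sort-Object -Unique)) {
        if ($addr -lt $cursor) { continue }
        if ($addr -gt $cursor) {
            $ranges.Add(('{0}-{1}' -f (ConvertFrom-IPv4UInt32 $cursor), (ConvertFrom-IPv4UInt32 ($addr - 1))))
        }
        if ($addr -eq $end) { return $ranges.ToArray() }
        $cursor = $addr + 1
    }
    $ranges.Add(('{0}-{1}' -f (ConvertFrom-IPv4UInt32 $cursor), (ConvertFrom-IPv4UInt32 $end)))
    return $ranges.ToArray()
}

# Rebuild the group from scratch so the script is repeatable.
Get-NetFirewallRule -Group $GroupName -ErrorAction SilentlyContinue | Remove-NetFirewallRule

# Every rule is created disabled; the per-session connect/disconnect hooks enable the group.
$common = @{ Group = $GroupName; Profile = 'Any'; Enabled = 'False' }

# 1. "Block everything when the VPN connection is inactive or drops": all outbound traffic that
#    leaves from the LAN address, except to the VPN endpoints and the LAN gateway (DHCP renewals).
New-NetFirewallRule @common -DisplayName 'VPN - block LAN except tunnel endpoints' `
    -Direction Outbound -Action Block -Protocol Any -LocalAddress $LanSubnet `
    -RemoteAddress (Get-RangesExcept -AllowedHosts ($VpnEndpoints + $LanGateway))

# 2. "Allow VPN widget to connect when VPN is down": only the client binary, only UDP to the endpoints.
New-NetFirewallRule @common -DisplayName 'VPN - allow client handshake' `
    -Direction Outbound -Action Allow -Program $VpnClientExe -Protocol UDP `
    -RemoteAddress $VpnEndpoints -RemotePort $VpnPort

# 3. DHCP inside the tunnel, "locking into DHCP Windows Service" (service short name: Dhcp).
New-NetFirewallRule @common -DisplayName 'VPN - DHCP out (svchost/Dhcp)' -Direction Outbound -Action Allow `
    -Service Dhcp -Protocol UDP -LocalPort 68 -RemotePort 67 -RemoteAddress ($VpnDhcpRange, '255.255.255.255')
New-NetFirewallRule @common -DisplayName 'VPN - DHCP in (svchost/Dhcp)' -Direction Inbound -Action Allow `
    -Service Dhcp -Protocol UDP -LocalPort 68 -RemotePort 67 -RemoteAddress $VpnDhcpRange

# 4. DNS only to the provider's resolvers, "locking into DNS Client Windows Service" (Dnscache).
foreach ($proto in 'UDP', 'TCP') {
    New-NetFirewallRule @common -DisplayName "VPN - DNS $proto (svchost/Dnscache)" -Direction Outbound `
        -Action Allow -Service Dnscache -Protocol $proto -RemotePort 53 -RemoteAddress $VpnDnsServers
}

# 5. Block protocols you never use, in both directions (item 4 of the post). IANA protocol
#    numbers; adjust the list, e.g. keep 50/51 if your VPN is IPsec rather than OpenVPN.
$unused = @{ 'GRE' = 47; 'ESP' = 50; 'AH' = 51 }
foreach ($name in $unused.Keys) {
    foreach ($dir in 'Inbound', 'Outbound') {
        New-NetFirewallRule @common -DisplayName "VPN - block $name $dir" -Direction $dir -Action Block -Protocol $unused[$name]
    }
}

# Review what was created; nothing is live until the group is enabled.
Get-NetFirewallRule -Group $GroupName | Format-Table DisplayName, Enabled, Direction, Action -AutoSize
```

The block rule is IPv4-only, which is why the IPv6 binding on the physical adapter is dropped separately while the tunnel is up, as Alpengreis suggests; with Medium Filtering (outbound blocked by default) the allow rules in 2 to 4 are what keeps the client, DHCP and DNS working once the group is enabled.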
     
  21. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,412
    Location:
    Romania
    A) A custom color for recently imported rules is not possible without large modifications in the existing code. This will not be done.
    B) The same Properties dialog is used for all scenarios: Properties, Create, Customize. It must be a modal dialog.
     
  22. minimalist13

    minimalist13 Registered Member

    Joined:
    Mar 28, 2016
    Posts:
    15
    Thanks for answering. We really appreciate your responsiveness.
     
  23. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,412
    Location:
    Romania
    1. Yes. "Private" = "Home network" and "Domain" = "Work network".
    2. Use the Export selected rules functionality. This exports an XML (WFC format) file which can be modified in any text editor (Notepad++). Once you have finished modifying it, it can be used for a new reimport. The Export all rules functionality uses a binary format from Microsoft which cannot be modified.
    3. The WFC recommended rules contain a few allow rules required for some functionalities which don't work without a rule while outbound filtering (Medium Filtering profile) is enabled in Windows Firewall. The WFC recommended block rules were created based on users' experience regarding the phoning home of the operating system to Microsoft servers.
    4. Based on the features enabled or disabled in Windows, some of these rules are disabled or enabled. For example, if you enable HomeGroup, the rules in the group named HomeGroup will be enabled.
    5. The last rule added is always on top of the list. The Windows Firewall API returns them in this order but there is no property that keeps the creation date. I can't provide this info in WFC because it is not stored anywhere.
    6. Yes, it is possible. Windows Firewall does not have all the required rules for all the services that it uses. Some of them are not there at all. You can enable the notifications or you can take a look at the Connections Log from time to time. Until you find something that is not working, there is no need to define a new rule.
    7. Secure Rules works for newly added rules. It does not monitor the existing firewall rules for changes.
    8. The group names are different in Windows versions other than English. Anyway, they can be easily added. WFC can't assume that a group name can be found on all Windows versions.
    9. As minimalist13 already mentioned, read this post: https://www.wilderssecurity.com/threads/windows-firewall-control-4.347370/page-98#post-2593515
     
  24. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,412
    Location:
    Romania
    Windows Firewall Control v.4.8.0.0

    Change log:
    - Updated: If the Rules Panel is open and a new rule is created as a result of using the Low notification level, then the data grid is automatically refreshed to see the newly created rule.
    - Updated: The automatic refresh in Connections Log which is done when a combo box value is changed was removed. From now on, the refresh must be triggered manually.
    - Fixed: If Connections Log window is closed while performing a long running task, the service does not abort the loading. This requires additional resources while the window was already closed and there is no need for further processing.
    - Fixed: Connections Log window remains open if the service is stopped and the window was open.
    - Fixed: Notification dialog freezes in some scenarios if a program that is being blocked tries to reconnect hundreds of times per second but on different ports.
    - Fixed: After switching to editing mode in notification dialog, the ports and remote IP are updated automatically if the program retries to reconnect.
    - Fixed: Importing a full policy that was exported while High Filtering was enabled blocks WFC in High Filtering profile. Changing the profile does not help as the High Filtering profile is automatically switched back in a few seconds.
    - Fixed: Importing a full policy always switches the WFC profile to Low Filtering. The profile is now unchanged after importing a full policy file.
    - Fixed: The rule name can contain leading or trailing white spaces when created from WFC, while from WFwAS this is not allowed.

    New translation string:
    230 = Outbound rule created based on Low notification level.
    Updated translation string:
    207 = Automatically create outbound allow rules for digitally signed programs and display notifications only for unsigned programs. This applies for programs that do not have any matching enabled rules.


    Download location: http://binisoft.org/download/wfc4setup.exe
    SHA1: cc5374d7266cf9e50d260ebe59eb7f56f0a3bd28

    Best regards,
    Alexandru

    P.S.: The sort on multiple columns is not possible with the default data grid. For now this is on hold.
     
  25. NSG001

    NSG001 Registered Member

    Joined:
    Jul 14, 2006
    Posts:
    682
    Location:
    Wembley, London
    Very nice work again Alexandru :thumb:
     