Windows Firewall Control (WFC) by BiniSoft.org

Discussion in 'other firewalls' started by alexandrud, May 20, 2013.

  1. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,412
    Location:
    Romania
    And with this version everything is fine ?
     
  2. popescu

    popescu Registered Member

    Joined:
    Sep 1, 2018
    Posts:
    259
    Location:
    Canada
    So far yes.

    I found the reason why I couldn't sign in automatically on my VPN servers and why no no notifications from WFC for "System" access.

    When you click on your "networks" icon a big pop up will open; now . when you select a server and click "connect" the connection will time out after a while , without any notification from WFC about the need to allow something.
    In fact THERE IS a notification , but is under the VPN servers list and not visible. If somehow you close the server list you can see the notification for "system"


    After one day:

    With "Secure rules" enabled and "disable unauthorized rules" rules are still created and allowed till you reboot the PC. After the reboot , rules are disabled.
     
    Last edited: Nov 11, 2019
  3. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,412
    Location:
    Romania
    Below is an extract from the user manual that I am preparing for the next WFC release. Are these fine ? Please note that these are local defined keyboard shortcuts which apply if the Notification Dialog has the focus.

    The following keyboard shortcuts are available in Notification Dialog:
    CTRL + N
    Switch to the next notification.
    CTRL + B
    Switch to the previous notification.
    CTRL + SHIFT + A
    Create a generic allow rule for the current displayed notification.
    CTRL + SHIFT + Q
    Create a generic block rule for the current displayed notification.
    CTRL + ALT + A
    Create a temporary allow rule that expires on WFC restart, for the current displayed notification.
    CTRL + ALT + Q
    Create a temporary block rule that expires on WFC restart, for the current displayed notification.
    CTRL + SHIFT + E
    Add the file name from the displayed notification in the Notifications exceptions list.
     
  4. AmigaBoy

    AmigaBoy Registered Member

    Joined:
    Sep 12, 2015
    Posts:
    205
    Lovely, thank you! Please also consider shortcuts for Secure Rules/Secure Profile.
     
  5. popescu

    popescu Registered Member

    Joined:
    Sep 1, 2018
    Posts:
    259
    Location:
    Canada
    In which order are the rules processed?...

    So if I have a rule for "application.exe" "Allow" out unrestricted and few lines down a rule for "application.exe."
    "Block" port 443 Ip x.x.x.x , what will happen?
     
  6. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    1,103
    Location:
    Lunar module
    In the "native" Windows firewall, and, therefore, in Windows Firewall Control, the order of the rules (above, below) does not matter, but the blocking rule takes prioritet over the allowing rule.
    Therefore, in your case, the application will be allowed everything except connections on port 443.
     
  7. popescu

    popescu Registered Member

    Joined:
    Sep 1, 2018
    Posts:
    259
    Location:
    Canada
    Thanks!
     
  8. AmigaBoy

    AmigaBoy Registered Member

    Joined:
    Sep 12, 2015
    Posts:
    205
    Every now and then, Secure Profile gets disabled on its own. Confirmed it several times. I believe this happens after certain Windows updates - even regular updates, not just "feature" W10 updates.

    Perhaps you could consider adding a notification/warning when this happens.
     
  9. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,412
    Location:
    Romania
    I will keep an eye on this. A notification would be unnecessarily. I am thinking of enforcing this setting at each startup or something else. The user wants it enabled.
     
  10. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    2,319
    Location:
    Viena
    These auditing policy settings may get change also by 3rd party tools, for example my task explorer has a feature to monitor for blocked connection attempts, wouldn't it be smart enough to backup the auditing state before changing it that would be an issue. Other tools may not be so considerate.

    I would recommend to check and re apply the required auditpol settings on every start of the service.
     
  11. edon

    edon Registered Member

    Joined:
    Feb 3, 2019
    Posts:
    2
    Location:
    kosovo
    Why when i show my Main Panel or choose to Allow or Block app in WFC i have lags some seconds :) (sorry for english) ?
     
  12. popescu

    popescu Registered Member

    Joined:
    Sep 1, 2018
    Posts:
    259
    Location:
    Canada
    WHOIS

    Hello,

    If I try to find out the IP associated to sirius.mwbsys.com I get:

    3.223.15.132
    18.208.99.88
    34.236.221.208
    54.236.152.62

    But if I try a reverse DNS to any of the IPs from above , I get (see for the last one only)

    ec2-54-236-152-62.compute-1.amazonaws.com

    So, in a firewall, if I want to see who is behind an IP, is impossible to get any valuable info, all of them will point to amazon servers.

    How can I find out the domain behind an IP?

    Thanks!
     
  13. JNicoll23

    JNicoll23 Registered Member

    Joined:
    Oct 24, 2009
    Posts:
    48
    Location:
    Scotland
    There may be hundreds (more?) of domains all served by a single server - that's what happens at most of the companies who host many small websites. When eg an http GET request is sent to that server it specifies the domain from which a particular file/resource should be retrieved, and the webserver translates that into the path to wherever the server keeps the file concerned.

    That leaves aside the issue of load balancing etc where a single domain maps to a single IP address but behind that there may be many servers.
     
  14. popescu

    popescu Registered Member

    Joined:
    Sep 1, 2018
    Posts:
    259
    Location:
    Canada

    My question was about WFC ability to identify the domain behind an IP

    If i press the mouse right click (Whois) for an IP, I get the server name rather than the domain name. This doesn't help me in making a decision Allow or Block

    I need to go above and beyond, do extensive research to find out who is behind that particular IP.

    This is a practical approach. Having a firewall with FQDN would be ideal, also would allow you to block dynamic IPs by domain.
     
  15. JNicoll23

    JNicoll23 Registered Member

    Joined:
    Oct 24, 2009
    Posts:
    48
    Location:
    Scotland
    I know. But you keep saying /the/ domain name, implying you think there is just one for each IP address. A single IP may host hundreds of different domains. Even if you were given a list of them how would you use that?

    For example the server at: 109.203.107.124 is owned by Eukhost Ltd, a hosting company in the UK. According to http://whois.domaintools.com/109.203.107.124 there are currently 212 websites hosted on that server.
     
  16. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    1,103
    Location:
    Lunar module
    "Native" Windows firewall, and, therefore, Windows Firewall Control cannot resolve IP addresses to domain names. For example, Agnitum Outpost Firewall can do it.
     
  17. JNicoll23

    JNicoll23 Registered Member

    Joined:
    Oct 24, 2009
    Posts:
    48
    Location:
    Scotland
    But what does Agnitum actually tell you? The name of the server? That: 109.203.107.124 is host32.theukhost.net ? What use is that? It doesn't tell you what any of the domains hosted there are, and it certainly doesn't tell you which of those domains something on your machine has ever tried to reach.
     
  18. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    2,319
    Location:
    Viena
    Indeed the "Native" Windows firewall can not implement rules based on domain names.

    But there are ways to capture and display the domain names a application requested in the UI so that when you see a prompt to allow connections you see the domain the application queried and got the logged blocked IP address for. I have added such capability to my privacy tool. And it works quite well.

    The issue is primarily when one would want to prevent a certain process from accessing a particular domain while allowing other processes the access.
     
  19. popescu

    popescu Registered Member

    Joined:
    Sep 1, 2018
    Posts:
    259
    Location:
    Canada
    If WFC cannot resolve IP addresses to domain names (even with right click moue Whois) then is a lost battle; we just blindly allow or block access to internet without any information...

    I do not know how is done, but I used PC Tools Firewall Plus on a Win 7 PC ans I will get exactly the domain name (something related to malwarebytes in this case) from the amazon server.
    Using Whois from WFC I get only the generic server name (amazon)
     
  20. Alpengreis

    Alpengreis Registered Member

    Joined:
    Oct 7, 2013
    Posts:
    670
    Location:
    Switzerland
    @popescu

    I understand your wish and it can be sensefully to have a possibility to block hostnames but related to Windows Firewall ...

    IMHO 1): to resolve IP addresses to domain names is anyway not always possible. It's possible only IF someone has configured a reverse zone file, which is not always the case.
    IMHO 2): even if you would be successful. You would perhaps receive 100 different hostnames for ONE IP. And then, what would you do with all those names? And you would have no idea, WHICH was the origin hostname ...
    Also if you receive ONE hostname only: hostname-example1.com = IP XY is NOT always the same vice versa - so it can be that you will receive IP XY = other-hostname.ch for example, which can be very confusing as you can see below now ...

    Example with DNSDataView from NirSoft (https://www.nirsoft.net/):

    Result for hostname wiki.hetzner.de is the following:
    wfc-1.PNG
    This means hostname wiki.hetzner.de = IP 85.10.215.232
    And I GAVE wiki.hetzner.de as search input!

    But then, I try a IP Reverse Looking with that IP 85.10.215.232 with the result:
    wfc-2.PNG
    This means IP 85.10.215.232 = hostname dediextern.your-server.de

    3) How should WFC handle that? WFC is a GUI for Windows Firewall only - and Windows Firewall can't handle hostnames ...

    However: personally my primary security software F-Secure (which uses the Windows Firewall) adds an additional module which is able to block hostnames for browsing (including https). This is then - for me - a good combo.
     
    Last edited: Nov 26, 2019
  21. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    2,319
    Location:
    Viena
    Reverse DNS is indeed garbage.

    What you need to do is to monitor the DNS queries run on the system and than correlate what you see with the IP addressed you see in the firewall log.

    Depending on the mechanism you use to monitor the DNS queries you can not just get a global view but in fact also the pid of the process running the particular query resulting in a high level of reliability.

    So what you get is really just the domain name that a process queried to obtain a particular IP Address
    and not all the domains that may point to that address, the only ambiguity you get with such an approach is when a application requests multiple domains that all resolve to the same IP address.
     
  22. JNicoll23

    JNicoll23 Registered Member

    Joined:
    Oct 24, 2009
    Posts:
    48
    Location:
    Scotland
    NirSoft's DNSQuerySniffer might help. See: https://www.nirsoft.net/utils/dns_query_sniffer.html

    But be aware that tools like that work by intercepting all your inbound and outbound traffic, so they can extract the DNS queries and responses.

    Also, for browsers, Emsisoft have a browser extension that checks the safety of the domain you attempt to fetch resources from. Lots of vendors have something similar, but other vendors' extensions work by sending to their server the details of the domains you are browsing, which you may regard as a privacy problem. Emsisoft have a different approach which leaks less information about what you are doing. Use of the extension does not need you to be an Emsisoft customer. See: https://blog.emsisoft.com/en/32517/new-in-2018-12-safe-web-browsing-with-emsisoft-browser-security/
     
  23. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    2,319
    Location:
    Viena
    Nice tool indeed, but there are easier and less intrusive (no capture driver) ways to achieve a similar result. Eider by regularly dumping the system DNS cache or by using windows's Event Tracking mechanism, the later even provides the ID of the process running the query.
     
  24. JNicoll23

    JNicoll23 Registered Member

    Joined:
    Oct 24, 2009
    Posts:
    48
    Location:
    Scotland
    Ah, I'd forgotten one could dump the DNS cache. It's easy, eg: C:\>ipconfig /displaydns > %TEMP%\mydsnlist.txt (which one could do every so often with a scheduled task). The output would be easy to parse, as it looks like

    C:\>ipconfig /displaydns

    Windows IP Configuration

    wilderssecurity.com
    ----------------------------------------
    Record Name . . . . . : wilderssecurity.com
    Record Type . . . . . : 28
    Time To Live . . . . : 163
    Data Length . . . . . : 16
    Section . . . . . . . : Answer
    AAAA Record . . . . . : 2600:3c00::f03c:91ff:fe92:3446


    wilderssecurity.com
    ----------------------------------------
    Record Name . . . . . : wilderssecurity.com
    Record Type . . . . . : 1
    Time To Live . . . . : 163
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 45.33.17.126


    safebrowsing.googleapis.com
    ----------------------------------------
    Record Name . . . . . : safebrowsing.googleapis.com
    Record Type . . . . . : 28
    Time To Live . . . . : 39
    Data Length . . . . . : 16
    Section . . . . . . . : Answer
    AAAA Record . . . . . : 2a00:1450:4009:814::200a


    mf4.xiph.org
    ----------------------------------------
    Record Name . . . . . : mf4.xiph.org
    ...
    ...

    So... easy for anyone who can program a little.

    Here (Win8.1) it doesn't look as if my event logs contain DNS info already; I'd have to turn that on (which I can't be bothered to find out how to do). I did find: https://docs.microsoft.com/en-us/pr...ows-server-2012-r2-and-2012/dn800669(v=ws.11) but that looks more as if it is aimed at someone running a DNS server (presumably on an intranet)?
     
  25. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    2,319
    Location:
    Viena
    yea or you just query use the API in dnsapi.dll so no need to spawn a separate process.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.