Windows Firewall Control (WFC) by BiniSoft.org

Discussion in 'other firewalls' started by alexandrud, May 20, 2013.

  1. Shamshi Adad

    Shamshi Adad Registered Member

    Joined:
    Mar 16, 2016
    Posts:
    40
    Location:
    Eastern Shore of Maryland, USA
    Hi rm22. When customizing (or creating a new rule during a Block Notification) a rule to make the Remote IP "LocalSubnet" the "Location" check box needs to be checked.for "Private" and in the "Remote IP" text box you type in "LocalSubnet" (no quotes).

    ps: correction, the Location can be Public, and the rule of adding a comma and more IPs applies. LIke: LocalSubnet,fe80::/64,ff02:1 etc.

    Peace. Alan
     
    Last edited: May 4, 2016
  2. Shamshi Adad

    Shamshi Adad Registered Member

    Joined:
    Mar 16, 2016
    Posts:
    40
    Location:
    Eastern Shore of Maryland, USA
    Hi again, rm22. There are a number of sites that offer guides to "Hardening" a windows pc.
    I've used blackviper.com since the days of Windows 2000. http://www.blackviper.com/ He has guides for win2000 thru Win10 in all versions, on spreadsheets.
    And recently I discovered Harden Windows 10. They're extreme!!! http://hardenwindows10forsecurity.com/

    For record keeping, I've copied both sites guides on both my Win10Pro machines and "highlight" the guide entries that I employ. AND back up both guides to a thumbdrive.

    Peace. Alan
     
  3. Alpengreis

    Alpengreis Registered Member

    Joined:
    Oct 7, 2013
    Posts:
    670
    Location:
    Switzerland
    Location has nothing to do directly with IPs, Location is a defined NETWORK (-CONNECTION).

    Examples:
    - If you define your HOME NETWORK = PRIVATE, rules with Location = Private ("All" too of course) have a relation.
    - If you define your PUBLIC WLAN CONNECTION = PUBLIC, rules with Location = Public ("All" too of course) have a relation.
    - If you define your WORK PLACE NETWORK = DOMAIN, rules with Location = Domain ("All" too of course) have a relation.

    Rules with combos are possible too ("Location = Private, Domain" for example).
     
  4. Shamshi Adad

    Shamshi Adad Registered Member

    Joined:
    Mar 16, 2016
    Posts:
    40
    Location:
    Eastern Shore of Maryland, USA
    My Bad, you exactly right. But would you care to affirm my point about where and how to input "LocalSubnet" since that was one of his issues... while you rip me up?

    It was a senior moment. I happened to see default Windows System rules in row, all Private and all LocalSubnet. So I made a test rule and then posted. THEN I looked at more rules and saw more LocalSubnet rules that were Public, Domain and ALL. WITH multiple IPs along with LocalSubnet. My heart was in the right place, man.

    Peace, Alan
     
    Last edited: May 4, 2016
  5. Shamshi Adad

    Shamshi Adad Registered Member

    Joined:
    Mar 16, 2016
    Posts:
    40
    Location:
    Eastern Shore of Maryland, USA
    Care to reconsider that atypical point now? lol

    Peace. Alan
     
  6. rm22

    rm22 Registered Member

    Joined:
    Oct 26, 2014
    Posts:
    357
    Location:
    Canada
    thanks for the replies - LocalSubnet can be entered manually during a block notification as Alexandrud pointed out - not sure why i didn't try that - must have also been having a senior moment :)
    thanks for the OS hardening links - blackviper is one of the ones i use as well
     
    Last edited: May 5, 2016
  7. rm22

    rm22 Registered Member

    Joined:
    Oct 26, 2014
    Posts:
    357
    Location:
    Canada
    I've put WFC on some PC's I share with people far less geeky then myself so to avoid any need for user interaction I've set Notifications to 'Low' and set 'generic' outbound rules for Windows and Apps (Inbound rules still default). My understanding is "file path" is sufficient to block most malware anyway so this should still provide a significant improvement to not having any outbound rules - correct? Anyone else set WFC this way?
     
  8. Alpengreis

    Alpengreis Registered Member

    Joined:
    Oct 7, 2013
    Posts:
    670
    Location:
    Switzerland
    No worry :)

    First of all, you are very welcome here and my intention was NOT to annoy you - my intention was only to demonstrate this technical context. because it's important to know ...

    Even if I - for example - connect at Home to a VPN, I will receive IP(s) outside of my normal Local IPs (get direct from my VPN Provider) and those external IPs are then my LocalSubnet. Because I have defined my Home Network as Private Location and the VPN as Public, my Location will change from Private to Public after the connect to VPN.

    And YES, if a user will define LocalSubnet while he create a rule, he can just WRITE this text as you described!

    I hope I explained all right with my poor english ;-)

    Have a nice time!
     
  9. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,411
    Location:
    Romania
    Low notification level will automatically create outbound rules for all digitally signed programs that generate blocked connections entries and which don't have a rule. This may include unwanted programs too. Use Low notification level as a Learning Mode for a limited period of time, not always. For users that don't know much about firewalls and their purpose I would create some rules for their browser, messenger, etc, and I would disable the notifications entirely. This kind of users would allow anything if they are asked. I can include here my parents too. :)
     
  10. Shamshi Adad

    Shamshi Adad Registered Member

    Joined:
    Mar 16, 2016
    Posts:
    40
    Location:
    Eastern Shore of Maryland, USA
    Thanks Alpengreis. You're a nice person and I was a little unsure. btw your English is perfect from what I've seen.

    Peace. Alan
     
  11. JRCATES

    JRCATES Registered Member

    Joined:
    Apr 7, 2005
    Posts:
    1,205
    Location:
    USA
    Doesn't this kind of defeat the purpose, though? For people who don't know much about firewalls, asking them to "create rules" sounds more difficult and advanced than simple "out of the box" settings/instructions. Most people wouldn't have the first clue how to "set rules", and what they should even set the rules to or for!
     
  12. rm22

    rm22 Registered Member

    Joined:
    Oct 26, 2014
    Posts:
    357
    Location:
    Canada
    right - that works as long as they don't know enough to install they're own Apps :) Is there really enough malware digitally signed for this to be much of an issue?
     
  13. rm22

    rm22 Registered Member

    Joined:
    Oct 26, 2014
    Posts:
    357
    Location:
    Canada
    i think the idea is to create all required rules for the non-tech user first using whatever means you prefer and then essentially lock the rules by turning Notifications off - then turn them loose... and check the logs for blocks periodically
     
  14. JRCATES

    JRCATES Registered Member

    Joined:
    Apr 7, 2005
    Posts:
    1,205
    Location:
    USA
    Right...but think about what you just wrote:

    "create all required rules for the non-tech user first"

    Asking "non-tech users that don't know much about firewalls" to "CREATE RULES"!?

    That's what I meant about "defeating the purpose". It's not like "non-tech users who don't know much about firewalls" are going to even know HOW to create rules, let alone know WHICH RULES to create!

    Maybe alexandrud has an online tutorial or web page dedicated to showing what rules should be created for what software, and how they are written, etc., but my guess is that isn't something that anybody has readily available.
     
  15. rm22

    rm22 Registered Member

    Joined:
    Oct 26, 2014
    Posts:
    357
    Location:
    Canada
    No - you misunderstood - the non-tech users are not setting anything. Myself & Alexandrud were talking about setting up WFC for them
     
  16. JRCATES

    JRCATES Registered Member

    Joined:
    Apr 7, 2005
    Posts:
    1,205
    Location:
    USA
    Sorry for the confusion.

    I understand that the two of you are having a personal conversation to help you best configure this for your friends, family, and people who's PC's you're putting it on, but I'm asking for myself (and others).

    When you said that you put WFC on some PC's.....and to avoid any need for user interaction you set Notifications to 'Low' and set 'generic' outbound rules for Windows and Apps (Inbound rules still default)....that is simple enough, and easy enough for a novice to understand.

    But then, alexandrud replied "Low notification level will automatically create outbound rules for all digitally signed programs that generate blocked connections entries and which don't have a rule. This may include unwanted programs too. Use Low notification level as a Learning Mode for a limited period of time, not always. For users that don't know much about firewalls and their purpose I would create some rules for their browser, messenger, etc, and I would disable the notifications entirely. This kind of users would allow anything if they are asked. I can include here my parents too."

    I realize that he was responding directly to you, telling you what to do this to help the people who you are setting this up for.....but that's why I replied that it defeats the purpose for others (I should have included this)....because I'm looking at it from a novice point of view, wanting to know what a novice like myself and others would need to do. The reason why I said that it defeats the purpose is because "creating rules" makes it too complicated for a novice to understand. And that's why I said that perhaps there should be an online tutorial or web page dedicated to beginners showing what rules should be created for what software, and how they are written, etc.

    Basically, I'm interested in this piece of software, but I'm definitely NOT a "firewall expert", and am just wanting to know how to best to be able to correctly install and configure/set up Windows Firewall Control.

    Hope that clarifies it a little better.
     
  17. khanyash

    khanyash Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    2,428
    A new user of WFC here
    Win 10 64

    For some programs, first connection attempt doesn't work i.e -
    Medium Level - Programs first connection attempt doesn't work...you get WFC alert & selecting allow...then the connection works.
    Low Level i.e Signed is auto-allowed - Even for Signed programs, some programs first connection attempt fails & trying again works.
    This is little annoying.

    T - on the alerts T means temp allow/block.
    I think instead of 2 big bars for allow/block & T at the end for temp...better would be bars divided into 2 i.e Always Allow & Allow Temp, Always Block & Block Temp.

    I was trying it. So was deleting rules for the programs & retrying programs.
    At one time I deleted few of my programs rules & ran the programs again but didn't got any alerts & connections were allowed but rules section those programs didn't appeared. I tried few times with same results. Exited WFC & tried again & this time worked correctly i.e got the alerts.
    It happened for only that time. I tried few times again & WFC worked fine. So dont know what happened that time?
     
  18. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,411
    Location:
    Romania
    Indeed my response was for rm22 regarding the use of Low notification level. For novice users and for other users too, that understand what means to block or allow a program and which can understand the difference between a legitimate software (firefox.exe) or strange software (gjx73hm4.exe) it depends. If you trust a software you allow it. Preferably you create an allow rule that allows all connections of it as long as you trust the software. If you don't trust a software or maybe you are not interested in software updates for it then you create block rules for them. Having customized rules for specific ports, protocols, etc, should be interesting only if you are an advanced user and you know what to customize. Even so, having this kind of customized rules does not improve the security at all. It is a matter of personal taste. Trust -> Allow, Not Trust -> Block to keep things simple.
    On the first attempt the connection is blocked and WFC creates the rule. The connection is already blocked, not paused. The program must retry the connection now that it has the rule. This is how the notification system works. See here for more info.
    Too many large buttons and the translated strings are bigger in other languages than English. It looks too crowded.
    Maybe the profile was not Medium Filtering ? For example, when you restore a full policy or when you restore Windows Firewall default rules, the profile is switched automatically to Low Filtering profile. The notifications work only when Medium Filtering profile is used.
     
    Last edited: May 6, 2016
  19. rm22

    rm22 Registered Member

    Joined:
    Oct 26, 2014
    Posts:
    357
    Location:
    Canada
    ok - quick search shows there's lots - so, yes - not a good idea to leave WFC in 'Low' notification level long term

    Just to be clear - I assume you're referring to Apps here and so for "svchost.exe & 'System' use default Windows Firewall rules. What about Windows executables that don't have a default rule such as - dashost, rundll32, wshost, wsqmsons.....
     
  20. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    766
    For months I have had vulnerables strapped to outbound block rules; these vulnerables range from rundll32, dllhost, conhost, regsvr32, cmd, explorer, msiexec, just to name a few, in both x86 and x64 form. I have also included svchost (the 64bit version). I haven't run into issues, and have noticed some calling out... but once in a blue moon.

    Recently, I went as far as to include most of the vulnerables found by @hjlbx here and here and here. This is where it gets tricky...

    As the developer of this software, I doubt @alexandrud should be bothered with creating these rules, as they are only for the advanced user. Even some of us who call ourselves advanced are bombarded with such things, and overwhelmed for that matter (classic example: earlier today my overly-hardened Firefox settings prevented saving files from MEGA... had to use Shadow Mode to test-run Chrome and Iron and to my satisfaction, I decided to track down the offending Firefox setting instead, which I did).

    In closing before I get off track and rant, the developers role here is only to make things work. The rules on the other hand, apart from the default ones... are on the users' shoulders and theirs only. Keep it simple man... remember the dramas caused by the introduction of Secure Rules; rules were lost on reboot/upgrade! That was an easy fix, couple of ticks and there ya' go... imagine the s**tstorm produced by hardened rules on a novice's PC who doesn't run backups/restores because "they wanted to try stuff out"...
     
  21. khanyash

    khanyash Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    2,428
    I do think instead of T at the end...Allow Always & Allow Temp would be more visible & good...May be make the alert little bigger...just a suggestion/wish.

    And why the alert mention Allow & Allow Always both?
    i.e -
    Allow
    Allow Always

    I had checked the filtering & it was on Medium...Anyway as I mentioned happened that time & further with more tries couldn't reproduce it.
     
  22. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,351
    Someone uses WFC with Shadow Defender? Where permissions and settings are stored in WFC, for me to create exceptions?
     
  23. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,411
    Location:
    Romania
    It depends. Personally I always block these.
    Allow and Allow Always. Always suggests that the rule is permanent and the allow is not made only that time. If you think these are repetitive you can use the translation file and modify these strings to a better version that you like.
    WFC settings are saved in Windows Registry and the firewall rules are kept by Windows Firewall also in Windows Registry.
     
  24. rm22

    rm22 Registered Member

    Joined:
    Oct 26, 2014
    Posts:
    357
    Location:
    Canada
    ok, thanks - good to know I might be able to block these without breaking things

    I wasn't intending to suggest he should - just looking for feedback since I haven't been able to find any good references/articles on setting rules. I think the most useful thing to see would be sample sets of rules for varying levels of restriction from loose to lock down - along with discussion of effectiveness & potential issues. Anyone know where I'd find something like this?
     
  25. Alpengreis

    Alpengreis Registered Member

    Joined:
    Oct 7, 2013
    Posts:
    670
    Location:
    Switzerland
    @alexandrud

    1) Bug-Report: Connections Log not protected while WFC is locked
    Because the new implementation with Connections Log window, this window is not protected while WFC is locked with a password - so it's possible even to create rules from there ...

    2) Small suggestion
    Nevertheless we have the new Connections Log as single window, it would be cool to have the possibility to load the Rule Manager window from there and vice versa with the mouse. I mean from this part ...

    wfc.JPG

    Maybe would be a short thing to implement?

    Have a nice week!

    Alpengreis
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.