Windows Firewall Control (WFC) by BiniSoft.org

Discussion in 'other firewalls' started by alexandrud, May 20, 2013.

  1. meidle

    meidle Registered Member

    Joined:
    Sep 30, 2016
    Posts:
    8
    Location:
    USA
    Is it possible to implement drag and drop for easy sorting of rules?
    Or maybe add a column with an editable time of creation or rule id,
    or even the possibility to remember the last column sorting selected.

    In Win10 the UWP app naming/group scheme from Microsoft is hard to manage;
    maybe some sort of script name decoding is possible.

    ps:
    It seems that in a future major release of W10 M$ will change the svchost launching scheme! Hallelujah!
     
  2. focus

    focus Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    503
    Location:
    USA
    This sounds good. Do you have a source? Thanks.
     
  3. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,804
    Location:
    .
    Me too. Source please.
     
  4. meidle

    meidle Registered Member

    Joined:
    Sep 30, 2016
    Posts:
    8
    Location:
    USA
  5. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,804
    Location:
    .
  6. focus

    focus Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    503
    Location:
    USA
  7. iu399

    iu399 Registered Member

    Joined:
    Jan 8, 2017
    Posts:
    2
    Location:
    USA
    Hi,
    Great software. Totally worth donating for even without the extra features. Thank you for your work.

    Couple questions:

    1. In the Rules panel, it'd be nice to be able to sort by multiple columns (eg, sort by Group and then sort by Name). Has this even been addressed?

    2. When specifying interface types, can it become any more specific?

    In my case, because I use a wireless connection, and the TUN/TAP interface falls under a Local Area Network, I can create rules to only allow connections when connected to the VPN. However, if I were to use a wired connection, or just wanted to limit a program to some other arbitrary interface, I'm not sure of a way to do so.

    I've looked into the native Windows firewall control panel and don't remember seeing a way to, say, for example, allow a connection on Local Area Network 1 but not Local Area Network 2, so if this is more of a Windows issue than a WFC issue, no worries.
     
  8. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,432
    Location:
    Romania
    It is possible to add support for drag and drop for reordering the rules visually, but this can't be persisted because a Windows Firewall rule has no index property. The same applies for a creation time column or rule id. These extra properties don't exist and WFC can't add them.

    The last sorting is not remembered on purpose. Each time the window is closed the sorting is lost. You must sort again on the column that you want when you reopen the Rules Panel. The reason is this: the last rule added is always added on top of the list. If there is a sorting active, this last rule will not be on top. Many users create new rules from the notification dialog and then they go to Rules Panel to check it. If there is a sorting active you must search for the rule. Because I do not want to receive many support emails with the subject "my rule does not appear in Rules Panel", the sorting is not saved.

    Sounds like a good idea but I am not a fan of such a change. This will add an extra layer of complexity in WFC which will also impact the performance.
    1. Multiple sorting is already supported. Just click the first column and Shift-Click the other columns. However, the results might not be always what you'd expect because of the way the data is stored and converted to be visually displayed.
    2. No, Windows Firewall supports only those 3 values.

    When you use a VPN, you usually have a totally different IP address than you have on your local network. You can use this difference to define different rules.
     
    Last edited: Jan 9, 2017
  9. iu399

    iu399 Registered Member

    Joined:
    Jan 8, 2017
    Posts:
    2
    Location:
    USA
    1. Oh, neat. I can see how it's a bit strange. Glad it's there, though.
    2. Got it.
    Thanks for the quick response. :)
     
  10. meidle

    meidle Registered Member

    Joined:
    Sep 30, 2016
    Posts:
    8
    Location:
    USA
    I guess that right now you use something like "netsh advfirewall firewall show rule name=all verbose" to parse and display rules; maybe in future versions you can switch to parsing WFP
    with something like "netsh WFP Show state" or the WFP API to gain access to advanced rule properties like rule id, app package SID (for Win 10 apps), WFP layers, etc.
    With WFP you can create advanced rules like ALE layer filtering, MAC address filtering, ICMP types.
     
  11. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,432
    Location:
    Romania
    WFC uses Windows Firewall API to read the firewall rules. There is no netsh call for this.

    Regarding the extra properties:

    App Package SID, ICMP Types - They can be set from WFwAS. The purpose of WFC is not to replicate all the functionality that is available in WFwAS. The aim of WFC is to provide a simpler way to configure a firewall rule. Some properties are not very common and will not be modified by the users anyway. For really advanced users who want to create very specific rules, there is always WFwAS available.
    Rule ID - Windows Firewall rules have no such property as rule id. If you saw this anywhere, please let us know.
    MAC Address Filtering - Windows Filtering Platform supports this functionality starting with Windows 8, but Windows Firewall does not support blocking/allowing by MAC Address.
    WFP Layers - They can be accessed through C++ if you plan to build your own firewall. WFC is just a front end written in C#.

    Note that Windows Firewall Control is a controller for existing Windows Firewall, not a firewall by itself based on Windows Filtering Platform.
     
    Last edited: Jan 11, 2017
  12. paulescobar

    paulescobar Registered Member

    Joined:
    Sep 22, 2008
    Posts:
    197
    To the developer,

    I am experiencing a strange bug.
    I enable the startup option.
    But after a few re-starts, WFC will no longer launch at startup. So I have to manually launch it.
    Then when I check the "Options" section, I see that "Start Automatically At User Logon" has been unchecked without my input.

    Version: WFC 4.9.2.0
    Device: Lenovo Miix 700
    Operating System: Windows 10 Pro
    Program environment: Clean environment. Very few programs installed. Some basic software (Exe Radar, MalwareBytes, Microsoft Office).
     
  13. Alpengreis

    Alpengreis Registered Member

    Joined:
    Oct 7, 2013
    Posts:
    673
    Location:
    Switzerland
    @paulescobar

    This is most probably NOT a bug and has nothing to do with WFC. You can have this behaviour (or similar) even with other programs too (I have experience with that).

    Please do a forum search and see the other postings and the tips there ... maybe it's even in the FAQ on binisoft.org (I don't have enough time to search) ...

    PS: If the hints are NOT successful, you could try to uninstall and reinstall WFC ... (I had this behaviour solved with that method on my system) ...

    GOOD LUCK!
     
  14. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,432
    Location:
    Romania
    See my answer from here: https://www.wilderssecurity.com/threads/windows-firewall-control-4.347370/page-103#post-2606596
    Make sure that Exe Radar, MBAM, Windows Defender don't block the execution of wfc.exe.
     
  15. Stukalide

    Stukalide Registered Member

    Joined:
    Jul 12, 2013
    Posts:
    65
    Alex or anyone who may know --

    What's the technical explanation of what's happening when WFC pops a notification for an outbound connection? Where along the chain is that connection being paused/held?

    Why I'm wondering:

    When WFC pops an outbound notification for some program, I would love the ability to see inside that connection's contents. I'm wondering if it'd be possible -- after a WFC notification pops up -- to open something like Wireshark or Fiddler, and then temporarily allow the connection so its contents are captured by Wireshark/Fiddler.

    Does anyone know if anything like this is possible? (i.e., if Wireshark/Fiddler weren't running at the time of the connection attempt)
     
  16. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,432
    Location:
    Romania
    Press F1 in any WFC window to open the user manual and go to the following topic: User interface > Main Panel > Notifications > How does the notifications system work?

    "Windows Firewall Control doesn't do any packet filtering to inspect the network traffic. This is done by Windows Filtering Platform. Each time a network packet is dropped, Windows Firewall generates a new event in the Security event log of the system. Windows Firewall Control is subscribed to these events and based on the existing firewall rules it decides if a new notification should be displayed or not. This is done by searching through the existing firewall rules to see if there is a rule that matches the blocked connection that was recorded in the Security event log. The events about a blocked outbound connection are raised after the connection is blocked. This means that a notification dialog is displayed for an already blocked connection, not for a paused connection, therefore the notification dialog can't have an Allow for now and ask me later option. After creating an allow rule, the program that was blocked must retry the connection in order to connect based on the newly created allow rule."
     
  17. Stukalide

    Stukalide Registered Member

    Joined:
    Jul 12, 2013
    Posts:
    65
    Ah, makes sense. Thanks. In your opinion, is what I'm asking for feasible (with other possible software/firewall options)?
     
  18. lunarlander

    lunarlander Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    326
    Does WFC allow one to block incoming traffic to Edge ? Or to any of the self-repairing firewall rules that MS thinks should be always active ?
     
  19. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,432
    Location:
    Romania
    Yes, it is possible.
    You can enable Secure Rules and those "self-repairing rules" will be automatically removed by WFC. You can read in the user manual how Secure Rules work.
     
  20. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,587
    That would be nice if it were integrated into WFC somehow, maybe in the form of packet logging like the old Sygate firewall.
     
  21. Alpengreis

    Alpengreis Registered Member

    Joined:
    Oct 7, 2013
    Posts:
    673
    Location:
    Switzerland
    Sorry but no! WFC should remain a GUI for WFwAS and nothing else; please don't inflate it unnecessarily with other things. You can take another program for that.

    Greetings.

    Alpengreis
    Maintainer of WFC DE-Translation file
     
    Last edited: Jan 20, 2017
  22. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    It is my observation that adding continuous network inspection, deep-packet analysis, extended logging and such will add very little, if nothing, that is practical or really improve overall security - but instead only put an unneeded load on the system.

    Extended logging is rarely reviewed during an actual or suspected infection; it is almost always only used "after the fact" - as a post-infection, forensic tool. As a practical matter of security, that is too little, too late.

    I can understand how some might think that they need such features or that they would be beneficial, but once people actually use them they generally determine for themselves that they are not needed.

    You can ask @alexandrud about that...
     
    Last edited: Jan 20, 2017
  23. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,587
    Personally I like to look at packet logs on occasion. Sygate's could be turned on or off, with negligible system load, and the depth of logging was also an option. I'm not sure why you are relating packet logging to overall security. It's for information ... nothing else. I don't need to ask Alexander as I'm sure it won't ever be on the WFC development list ... however that doesn't stop it being on my wishlist.
     
  24. oaruhyo

    oaruhyo Registered Member

    Joined:
    Jan 23, 2017
    Posts:
    9
    Location:
    USA
    I'm new to WFC and have a couple of questions -

    1. There is a default rule set up for wfc.exe to connect outbound to port 80 for updates. I have the automatic checks for updates disabled. In my blocked connection log, I'm seeing a number of entries for wfc.exe trying to connect to port 80 of a number of IP addresses (not the same address as the updater rule). What is wfc.exe trying to connect to the internet for if it isn't for updates? If it needs to connect for some reason, shouldn't there have been default rules set up for it?

    2. There is a default rule set up, WFC - File and Printer Sharing (Spooler-Out), to allow spoolsv.exe outbound for Any protocol on LocalSubnet for Domain,Private. My local net is 10.1.1.x. I'm getting a blocked connection in the log for spoolsv.exe UDP outbound from address 10.1.1.65 to address 10.1.1.2 port 161. Obviously I can add a new rule to allow this, but I don't understand why the default rule already there doesn't allow it.

    Thanks.
     
  25. Alpengreis

    Alpengreis Registered Member

    Joined:
    Oct 7, 2013
    Posts:
    673
    Location:
    Switzerland
    You use the original WFC program and you checked the Hash for the download, right? Then see here:

    https://www.wilderssecurity.com/threads/windows-firewall-control-4.347370/page-62#post-2477577

    Just a short analysis: do you have block rule(s) in use which affect that? Because block rules have higher priority than allow rules. If you are a registered user: do you receive notification popups for those connection attempts?

    Greetings.

    Alpengreis
    Maintainer of WFC DE-Translation file
     
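As an added illustration (not WFC's code and not the Windows Firewall API, but a constructed Python model) of the lookup described in post 16, where a blocked-connection record from the Security log is matched against the existing rules, together with the block-over-allow precedence and the profile question raised around the Spooler-Out rule in posts 24 and 25. The field names, the `/24` assumption for "LocalSubnet" and the sample event are all assumptions made here, not values from the page.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                  # "Allow" or "Block"
    direction: str               # "Outbound" or "Inbound"
    program: Optional[str]       # lower-case exe path, None = any program
    protocol: Optional[str]      # "TCP", "UDP", ...; None = any protocol
    remote_port: Optional[int]   # None = any port
    remote_scope: Optional[str]  # None = any address, "LocalSubnet", or CIDR text
    profiles: frozenset          # subset of {"Domain", "Private", "Public"}

@dataclass(frozen=True)
class BlockedEvent:
    # Simplified model of what a blocked-connection Security-log record carries (constructed).
    program: str; direction: str; protocol: str
    local_ip: str; remote_ip: str; remote_port: int
    active_profile: str          # profile of the interface the packet went out on

def scope_matches(scope: Optional[str], local_ip: str, remote_ip: str, prefix: int = 24) -> bool:
    if scope is None:
        return True
    if scope == "LocalSubnet":   # assumption: the local interface sits in a /24
        return ip_address(remote_ip) in ip_network(f"{local_ip}/{prefix}", strict=False)
    return ip_address(remote_ip) in ip_network(scope)

def rule_matches(rule: Rule, ev: BlockedEvent) -> bool:
    return (rule.direction == ev.direction
            and ev.active_profile in rule.profiles
            and rule.program in (None, ev.program.lower())
            and rule.protocol in (None, ev.protocol)
            and rule.remote_port in (None, ev.remote_port)
            and scope_matches(rule.remote_scope, ev.local_ip, ev.remote_ip))

def decide(rules, ev: BlockedEvent) -> Tuple[str, Optional[str]]:
    # Block rules win over allow rules; no matching rule at all means "show a notification".
    hits = [r for r in rules if rule_matches(r, ev)]
    for action, verdict in (("Block", "blocked by rule"), ("Allow", "covered by allow rule")):
        for r in hits:
            if r.action == action:
                return verdict, r.name
    return "notify", None

# Constructed sample: the Spooler-Out rule and the 10.1.1.x UDP/161 attempt from post 24.
SPOOLER_RULE = Rule("WFC - File and Printer Sharing (Spooler-Out)", "Allow", "Outbound",
                    r"c:\windows\system32\spoolsv.exe", None, None, "LocalSubnet",
                    frozenset({"Domain", "Private"}))
SNMP_ATTEMPT = BlockedEvent(r"C:\Windows\System32\spoolsv.exe", "Outbound", "UDP",
                            "10.1.1.65", "10.1.1.2", 161, "Public")
```

With the interface on the Public profile the Spooler-Out rule does not match and the model reports a notification; on Private it is covered, and any matching block rule takes precedence regardless.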