another Windows Firewall Control?

Discussion in 'other firewalls' started by moontan, Feb 15, 2011.

Thread Status:
Not open for further replies.
  1. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,413
    Location:
    Romania
    Updated to version 3.0

    √ Improved: the activation process was changed to make activation easier.
    √ Improved: the procedure used to force-reset a lost password that locks the program configuration.
    √ Fixed: incomplete path recognition when the installation was executed from a standard user account.
    √ Fixed: duplicate system tray icon after restarting the program.
    √ Updated: End User License Agreement.

    IMPORTANT NOTICE: Due to the new activation process, if you were using an old version and update to the new one, you must activate the program again using a new activation code. If you are a registered user, please log in to your account on our website and get a new activation code. Thank you for your understanding.

    Also, please check out the other program that I have created, USB Flash Drives Control. I have updated this one too.

    Thank you all for your support. :D
     
  2. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,871
    Why is the service "DNS Client" needed?
    Any other tool here, incl. Windows itself, works without it!
     
  3. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,413
    Location:
    Romania
    Already answered on the previous page. Check the post 255.

    This service resolves and caches DNS names, allowing the system to communicate with canonical names rather than strictly by IP address. DNS is the reason that you can, in a Web browser, type https://www.wilderssecurity.com rather than having to remember that http://xxx.xxx.xxx.xxx is the site’s IP address.

    If you stop this service, you will disable your computer’s ability to resolve names to IP addresses, basically rendering Web browsing all but impossible. Unless you have every website you will ever visit in your hosts file, or know the IP address of every website off the top of your head or have it stored somewhere, there really wouldn't be a benefit to disabling this Windows service.
     
    Last edited: Sep 17, 2011
  4. wat0114

    wat0114 Guest

    Actually, with an outbound-control firewall it's possible to create a UDP rule to remote/local port 53 for all web-facing apps like the browser, and even restrict it to the ISP's DNS server addresses.
     
  5. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,871
    @alexandrud

    I know what it is for, but I have never missed it since WinXP.
    My DNS requests are answered by the router, so I set it up in my connection.
    Nevertheless my hosts file works properly, and since it is very large, the DNS
    service may lag my system, so it's turned off.
    So can I use WFC without the DNS service? Or are the rules wrong without it?

    (I have always had third-party firewalls.)
     
  6. Broadway

    Broadway Registered Member

    Joined:
    Aug 16, 2011
    Posts:
    211
    As far as I noticed, you will need the DNS service enabled if you intend to specify your rules, i.e. to allow or block either TCP or UDP and specific local and/or remote ports.
    With the DNS service disabled you will always be notified about port 53 UDP DNS lookups, so you will be limited to allow/block ALL=ANY ports/protocols.
    So it is a matter of fine-tuning your FW rules.
     
  7. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,871
    So WFC has limitations (Windows Firewall may also) in comparison with other firewalls!?
    Funny, since both use WFP, and WFP tells me IP and port whether DNS is on or off.
     
  8. wat0114

    wat0114 Guest

    It's not that cumbersome at all. As I alluded to in post #279, one would simply have to create a FW rule: out/in, UDP, remote/local port 53, remote IP = DNS server, which will either be your ISP's DNS server IP addresses or your router's LAN-side IP address (e.g. 192.168.1.254) if your router has DNS Relay enabled, for all applications that connect to the Internet. Your browsers, email, media player, for example.

    You would not need the rule any longer for svchost - DNS Client.

    This approach requires a bit more work because the rule would have to apply to all web-facing applications that can't be restricted to only a few IP addresses, but some people prefer this approach because of the inherent danger of some malware that hijacks the svchost process.
     
  9. Broadway

    Broadway Registered Member

    Joined:
    Aug 16, 2011
    Posts:
    211
    Do you really think it is that easy?
    If you really create a rule such as "Allow IE to 192.168.1.254, port 53, UDP", you will never know about the actual remote IP and port that is addressed by the local program. Or am I misunderstanding something?
     
  10. Broadway

    Broadway Registered Member

    Joined:
    Aug 16, 2011
    Posts:
    211
    Alex, when hitting "Download" on http://www.binisoft.org/usbc.php wfc.exe will be downloaded.
     
  11. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    Stopping the Windows DNS Client service isn’t going to prevent name lookups or ultimately render it impossible to connect to named addresses; disabling DNS Client only stops Windows name caching and causes each client application, as detected by firewalls, to do the lookups instead. And most client applications don’t do DNS caching, hence putting unnecessary strain on their DNS servers and experiencing delays.
     
  12. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    With the Windows DNS Client service disabled, firewalls should see the clients making the name lookups instead, every time, unless you have an ‘always remember’ feature. Normally you’re with two ISP DNS servers (a primary and a secondary) but can have more; also, if you’re behind a router or switch, it could very well be used instead to do the name lookups:

    PC > Router or Switch > ISP Primary & Secondary DNS servers

     
  13. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    But WFP won’t show named addresses with DNS Client disabled; instead it’ll only show IP address information, unless WFP does its own DNS lookups.

     
  14. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    If you don’t allow IE to do name lookups when Windows DNS Client is disabled, you won’t make connections to named addresses like www.yahoo.com or www.google.com ... The IP addresses it’s trying to look up don’t show as source or destination IP information; the name lookups use the ISP DNS servers, or the switch or router LAN IP.

     
  15. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,413
    Location:
    Romania

    Fixed. I have mistyped one "u" with "w".
     
  16. wat0114

    wat0114 Guest

    Just for demo purposes I've disabled win7 fw for this example:

    DNS Client service stopped.

    The screenshot shows that chrome.exe is now connecting to my router's LAN-side interface, UDP port 53 for the dns lookups. In this case the router is using "DNS Relay" which simply transfers the information back-and-forth from the router's WAN-side interface which is connected to my ISP's DNS server(s). If it was a direct internet connection from my pc to my ISP through only a modem, then the ip address would be that of my ISP's DNS server.
     


  17. Broadway

    Broadway Registered Member

    Joined:
    Aug 16, 2011
    Posts:
    211
    True for the Windows firewall! But any third-party firewall would not report your router's or ISP's DNS on port 53 but the target IP and the target port chrome.exe intended to connect to.
    All I wanted to say is that you should enable the DNS service with Windows Firewall and WFC in order to know about that target information. For example, maybe you want to allow chrome.exe to connect to target ports 80 and 443 but not to specific other target ports whose numbers you don't know. In this case you have to set specific rules for chrome.exe. Allowing chrome.exe UDP, port 53, router's DNS won't help you in this case.

    If you don't need or want this specific information for specific rules, leave the DNS service disabled.
     
    Last edited: Sep 19, 2011
  18. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,871
    Definitely wrong here; I already wrote that all DNS requests are bound to my router.
    I remember such behaviour on XP with Jetico firewall long ago, the reason I dropped it.
    I never thought about any relation, if there were any.

    @Broadway - agree. I never really noticed such a difference. Using W7FC I did not
    mind that because it is not important for me. Experienced with Outpost and OA,
    I gave programs a "zone" which includes several rules. It's a rough adjustment, no more.
    I cannot waste time exploring all outbound traffic; I need to trust a program (in a wide range)
    or not, then drop it.
     
  19. Broadway

    Broadway Registered Member

    Joined:
    Aug 16, 2011
    Posts:
    211
    Alex, I've got another question related to the learning mode.

    I found out that allowing a program access to a specific remote port means an automatic block of all other ports.
    Example: I set up a rule allowing IE to connect to TCP port 80. And nothing else.
    As far as port 80 is concerned, all TCP connections are allowed now.
    When I now try to connect to TCP port 443, this connection is blocked without another window popping up and asking me to allow TCP port 443 for IE.

    Is "learning mode" restricted to one rule per program?

    Can "learning mode" be modified/changed so that extending existing rules will be possible, for example adding port-numbers?
     
  20. wat0114

    wat0114 Guest

    Not sure I quite understand you, but yes, actually the firewall can report these (if it's set up to alert on or log them) connection attempts whether they be to the router or ISP. There is nothing unusual or out of the ordinary about this "behaviour" when DNS Client is disabled; instead of DNS Client connecting to the domain name servers, it's now the web-facing applications that do so. That's all there is to it. As I mentioned earlier, the only reason why some people want to do this is because they can now disable that svchost-spawned service DNS Client, as they see it as a potential malware vector.
     
  21. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,413
    Location:
    Romania
    Well, Windows Firewall rules are created for the executable path which is trying to connect, meaning that a rule created for "C:\Program Files\Internet Explorer\iexplore.exe" and one for "C:\Program Files (x86)\Internet Explorer\iexplore.exe" are two different rules. You can also define a duplicate rule for the same executable file, but only the most restrictive of them will be active at the same time, while the other one will be ignored. This is not a good approach because you can easily lose track of your rules.

    WFC ignores requests for applications for which you have already defined a rule, because it assumes that while a program has a rule, you don't want to be bothered with the same executable file again; the check is made by the path of the executable file.

    You can use the rules window to set ports and protocols for the rules you have created, but again, WFC will assume that you have tuned your rules manually and you know what you are doing. That's why, if you set wrong ports, it can't show you notifications again about that program, because from the point of view of WFC there is already a rule defined for that executable file.

    Also, when you create a rule for the first time it will be created by default for all ports.

    Let's assume that you use chrome.exe and WFC was created the way you have suggested.

    1. chrome.exe tries to connect on port 1024 -> notification -> you create a rule for port 1024.
    2. meanwhile chrome.exe was trying to connect on port 1025 -> notification -> let's create a rule also for port 1025.
    3. meanwhile chrome.exe was trying to connect on port 1026 -> notification -> let's create a rule also for port 1026.
    .....
    7. after a few attempts chrome.exe will pause and will try to connect again only when you press the refresh button.

    The result? 6-7 notifications about the same program in a few seconds, because any program will try to switch ports if the connection is not successful, and it would be really annoying for the user. You can see this behaviour if you follow the security log. This is the reason why I have created WFC in this way and not the other one: because it is based on the Windows Firewall, which has some drawbacks, which WFC must handle.
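    Posts #17 and #21 both come down to the same practical need: seeing which remote ports an application was actually blocked on, so the missing ones can be added to its rule. The script below is an added example of my own, not code from the thread or from WFC. It reads Windows' own blocked-connection audit events (Security log, event ID 5157, written by the Windows Filtering Platform once failure auditing is switched on) and summarizes them per protocol and port for one executable. Assumptions: an elevated prompt, the auditpol command in the comment has been run once, and chrome.exe is only a placeholder process name.

```powershell
# Added example, not part of the thread and not WFC's own code. Run elevated.
# Enable failure auditing for WFP connection decisions once (real auditpol syntax):
#   auditpol /set /subcategory:"Filtering Platform Connection" /failure:enable

function Get-BlockedOutbound {
    # Returns one object per blocked outbound connection attempt made by $ExeName.
    param(
        [string] $ExeName   = 'chrome.exe',   # hypothetical target process, matched by file name
        [int]    $MaxEvents = 1000
    )
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5157 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Pull the EventData fields by name: 5157 carries the application path,
        # the direction, the IP protocol number and the remote address/port.
        $d = @{}
        foreach ($f in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$f.Name] = $f.'#text' }

        # %%14593 is the Outbound direction code in these events; %%14592 is Inbound.
        $dir = if ($d['Direction'] -eq '%%14593') { 'Outbound' } else { 'Inbound' }
        $proto = switch ($d['Protocol']) { '6' { 'TCP' } '17' { 'UDP' } default { $d['Protocol'] } }

        [pscustomobject]@{
            Time      = $_.TimeCreated
            App       = $d['Application']     # NT path, e.g. \device\harddiskvolume2\...\chrome.exe
            Direction = $dir
            Protocol  = $proto
            Dest      = $d['DestAddress']
            DestPort  = [int]$d['DestPort']
        }
    } |
    Where-Object { $_.Direction -eq 'Outbound' -and $_.App -like "*\$ExeName" }
}

function Get-BlockedPortSummary {
    # Collapses the attempts into protocol/port pairs so the ports a rule is
    # missing stand out (e.g. TCP 443 when only TCP 80 was allowed).
    param([string] $ExeName = 'chrome.exe')
    Get-BlockedOutbound -ExeName $ExeName |
        Group-Object Protocol, DestPort |
        Sort-Object Count -Descending |
        Select-Object Count,
            @{ Name = 'Proto/Port';   Expression = { $_.Name } },
            @{ Name = 'Destinations'; Expression = { ($_.Group.Dest | Sort-Object -Unique) -join ', ' } }
}

Get-BlockedPortSummary -ExeName 'chrome.exe' | Format-Table -AutoSize
```

    With DNS Client stopped and no port 53 rule yet, the summary will also list UDP 53 attempts whose destination is the resolver (the router's LAN address in post #16), not the web site; the site's own IP only shows up once the lookup has succeeded and the TCP connection is attempted. The firewall's text log (pfirewall.log) does not record the process that made the attempt, which is why the example reads the audit events instead.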
     
  22. wat0114

    wat0114 Guest

    Just for information, a nice set of remote TCP ports for web browser apps can be:

    80,443,554,1935,1755

    optionally in addition to those:

    81-82, 8080
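    The rule set described in posts #4, #8 and #22 (UDP 53 only to the resolver, TCP only to a known port set, one pair of rules per web-facing program) as an added example of my own, not the thread's or WFC's code. Assumptions: Windows 8 / Server 2012 or later for the NetSecurity cmdlets (a netsh equivalent for Windows 7 is in the comments), an elevated prompt, and that the resolver address 192.168.1.254 and the program paths are placeholders to be replaced with your own.

```powershell
# Added example, not part of the thread and not WFC's own code. Run elevated.
# On Windows 7 the same rule is created with netsh, e.g.:
#   netsh advfirewall firewall add rule name="Chrome - DNS to resolver" dir=out ^
#     action=allow program="C:\Program Files\Google\Chrome\Application\chrome.exe" ^
#     protocol=udp remoteport=53 remoteip=192.168.1.254
#
# Hypothetical values; replace with your resolver(s) and program paths.
$Resolvers    = @('192.168.1.254')                       # router LAN side (DNS Relay) or ISP resolvers
$BrowserPorts = @('80', '443', '554', '1935', '1755')    # remote TCP port set suggested in the thread
$WebApps      = @{
    'Chrome' = 'C:\Program Files\Google\Chrome\Application\chrome.exe'
    'IE'     = 'C:\Program Files\Internet Explorer\iexplore.exe'
}

function New-WebAppRules {
    param(
        [Parameter(Mandatory)] [string]   $Name,
        [Parameter(Mandatory)] [string]   $Program,
        [Parameter(Mandatory)] [string[]] $Resolvers,
        [Parameter(Mandatory)] [string[]] $Ports
    )
    # Windows Firewall matches on the executable path, so a 32-bit and a 64-bit
    # copy of the same browser need their own rules.
    # 1) Name resolution done by the application itself (DNS Client stopped):
    #    UDP to port 53, restricted to the resolver addresses only.
    New-NetFirewallRule -DisplayName "$Name - DNS to resolver" `
        -Direction Outbound -Action Allow -Program $Program `
        -Protocol UDP -RemotePort 53 -RemoteAddress $Resolvers | Out-Null
    # 2) The web traffic itself: TCP to the listed remote ports, any address.
    New-NetFirewallRule -DisplayName "$Name - web ports" `
        -Direction Outbound -Action Allow -Program $Program `
        -Protocol TCP -RemotePort $Ports | Out-Null
}

function Get-WebAppRules {
    # Verification: every rule bound to the program with its port and address filters.
    param([Parameter(Mandatory)] [string] $Program)
    Get-NetFirewallApplicationFilter -Program $Program |
        Get-NetFirewallRule |
        ForEach-Object {
            $port = $_ | Get-NetFirewallPortFilter
            $addr = $_ | Get-NetFirewallAddressFilter
            [pscustomobject]@{
                Rule       = $_.DisplayName
                Direction  = $_.Direction
                Action     = $_.Action
                Protocol   = $port.Protocol
                RemotePort = ($port.RemotePort -join ',')
                RemoteAddr = ($addr.RemoteAddress -join ',')
            }
        }
}

foreach ($entry in $WebApps.GetEnumerator()) {
    New-WebAppRules -Name $entry.Key -Program $entry.Value -Resolvers $Resolvers -Ports $BrowserPorts
}
Get-WebAppRules -Program $WebApps['Chrome'] | Format-Table -AutoSize

# Allow rules only restrict anything once the outbound default is Block (Windows'
# default is Allow; WFC's filtering sets it to Block). Uncomment when every program
# you rely on has its rules:
# Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultOutboundAction Block
```

    Leave the Set-NetFirewallProfile line commented until the rules are complete: with the outbound default at Block, anything without an Allow rule is dropped without a prompt, which is exactly the silent port 443 block Broadway describes in post #19.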
     
  23. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    Not wrong, you are misunderstanding me.

    If your firewall is blocking IE (Internet Explorer) DNS lookups, and of course the Windows DNS Client service is disabled, you aren’t going to connect to named addresses in Internet Explorer unless you are using a HOSTS file and that named address has a valid IP.

     
  24. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,871
    I don't use IE, but I think you mean the IE engine (Trident).
    (Any IE-based browser like Avant, Maxthon etc. works flawlessly;
    Windows updates are working fine also.)

    All programs have access to my router's IP, port 53, for DNS requests, and they do.
    My other browsers the same, otherwise they won't connect.

    The only issue may be wasting time, because the DNS service would answer much faster than my router or the next DNS server here.
    There is no real need for that service. In some cases, with a bigger hosts file, it may consume lots of CPU power. I have worked like that since the early times of WinXP without any issue.
     
  25. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    Apology accepted.

    And no, I meant Internet Explorer; I wasn’t writing a novel. Internet Explorer is an example, but any alternative browser sharing the IE engine applies too.

    The fact remains: if DNS lookups are blocked by your firewall and the name isn’t already cached, or the lookup depends on Windows DNS Client and its service is stopped, you won’t be making a connection to named addresses unless the HOSTS file contains valid IPs for those named addresses, period! And anyway, I was responding to Broadway; didn’t you see me quoting this person’s post?
     