Conditions needed to get Win Firewall to generate a blocked notification?

Discussion in 'other firewalls' started by killingtime, Sep 1, 2016.

  1. killingtime

    killingtime Registered Member

    Joined:
    Jul 27, 2016
    Posts:
    8
    Location:
    UK
    Hello,
    I have a specific question on the Win7 inbuilt firewall. I've searched this forum and googled but to no avail.
    There is a setting in the Windows firewall control panel entitled 'Notify me when Windows Firewall blocks a new program' and I would like to know how I get the firewall to generate this notification, i.e. what conditions must exist for the prompt to occur. This is just for my own understanding of the firewall and how it works.

    My system: Win7 Home Premium. Firewall profile set to Public (always). Block all connections inbound and outbound unless a specific rule exists. 'Notify me..' options enabled. Turned off all the sharing options under Network Sharing Center - Advanced Sharing Settings (e.g. file and printer sharing). Added an outbound rule for Firefox and Thunderbird. Logged on as a Standard User, not Admin. That's it.

    Here's what I've found about this setting (and FW notifications) so far;

    1. The inbuilt Win7 FW doesn't generate notifications when outbound comms are blocked. You need to scan the event viewer for that or install a 3rd party app like Binsoft Win Firewall Control. Understood.

    2. With the above system settings (block all connections inbound and outbound unless a specific rule exists) if you add an outbound *allow* FW rule for an application *and* an inbound *block* rule for the same app (so it can talk out but not receive anything back) ... the block rule doesn't work or generate a notification if the app initiates the outbound connection from the computer. Try this for a web browser and the browser works without problems. I'm led to believe that this is due to the stateful nature of the Win7 FW. If the computer initiates the outbound connection then it knows to allow comms back again. I would have thought that the block rule for the same app would override any allow - don't block rules take precedence over allow? - apparently not.

    3. The 'Notify me..' setting would be more accurately described as 'Display a notification to the user when a program is blocked from receiving *unsolicited* inbound connections'. The Win7 helpfile for this option reads:

    ---------

    Display a notification when a program is blocked
    Select this option to have Windows Firewall with Advanced Security display a notification to the user when a program is blocked from receiving inbound connections. The notification appears when all of the following conditions are true:

    - This option is selected.

    - There is no existing block or allow rule for this program. If a block rule exists, then the program is blocked without displaying the notification to the user.

    - The program is blocked by the default behaviour of Windows Firewall.

    The user is given the option to unblock the program, as long as the user has network operator or administrator permissions. Selecting the option to unblock the program automatically creates an inbound program rule for the program that was blocked.

    ---------

    This is where I'm a bit confused. If there's no explicit allow or block rule for an app (second point above) but the FW blocks it anyway (which mine does because I'm blocking everything that doesn't have an explicit rule) how does the FW know which app the unsolicited inbound connection is destined for? It can't because there are no explicit rules for that app. So how can it generate the prompt?

    I can't see any scenario where the FW would generate a prompt.

    Could be that I'm not logged on as Admin, but that would be a weird restriction.

    Anyone know the exact conditions to get the prompt to trigger?

    Thanks.
     
  2. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    1,231
    Location:
    Romania
    That prompt is generated when a piece of software wants to open a port to listen on it for inbound connections. Two examples that come to my mind are: uTorrent and Skype.
     
  3. killingtime

    killingtime Registered Member

    Joined:
    Jul 27, 2016
    Posts:
    8
    Location:
    UK
    Hi alexandrud,

    That worked. I already had Skype on my PC and after starting it I received the prompt.

    Cancelled the prompt and took a look at inbound rules; two rules had been added for Skype to block inbound comms (1 rule tcpip, 1 rule udpip). Starting Skype again resulted in no prompt and no comms - so the description in Microsoft help is correct - you only receive the prompt if there are no existing explicit rules.

    Removed the block rules and started Skype again, got the FW prompt.

    Many Thanks.
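As an added example (not code from the thread), the PowerShell function below checks, for one program path, the three static conditions quoted from the Win7 help text in the first post and the explicit inbound block rules killingtime found in the last one. It uses netsh because the Get-NetFirewallRule cmdlets do not exist on Windows 7, assumes the usual layout of "netsh advfirewall" output, and treats the Skype path as a placeholder; it cannot observe the runtime trigger alexandrud describes (the program actually opening a listening port).

```powershell
# Added example, not from the thread. Checks the help-text conditions for a prompt:
#  1) "Notify me..." enabled on the active profile,
#  2) no existing inbound rule (allow or block) naming the program,
#  3) inbound traffic blocked by the profile's default policy.
# Parsing of the netsh output layout is an assumption; compare with your own output.
function Test-FirewallPromptConditions {
    param([Parameter(Mandatory = $true)][string]$ProgramPath)

    # Condition 1: InboundUserNotification on the profile currently in use.
    $prof   = netsh advfirewall show currentprofile
    $notify = [string]($prof | Select-String 'InboundUserNotification') -match 'Enable'
    $policy = ([string]($prof | Select-String 'Firewall Policy')) -replace '^.*Policy\s+', ''

    # Condition 2: any inbound rule for this program suppresses the prompt.
    # netsh stores paths with %variables%, so expand both sides before comparing.
    $want  = [Environment]::ExpandEnvironmentVariables($ProgramPath)
    $rules = @(); $cur = $null
    foreach ($line in (netsh advfirewall firewall show rule name=all dir=in verbose)) {
        if ($line -match '^Rule Name:\s*(.+)$') {
            $cur = @{ Name = $Matches[1].Trim() }; $rules += $cur
        } elseif ($cur -ne $null -and $line -match '^(Program|Action|Enabled):\s*(.+)$') {
            $cur[$Matches[1]] = $Matches[2].Trim()
        }
    }
    $hits = @($rules | Where-Object {
        $_.Program -and ([Environment]::ExpandEnvironmentVariables($_.Program) -ieq $want)
    })

    # Condition 3: the default inbound action must be Block for the program to be
    # "blocked by the default behaviour" rather than by a rule.
    $defaultBlocks = $policy -like 'BlockInbound*'

    # New-Object rather than [pscustomobject] so this also runs on PowerShell 2.0.
    New-Object PSObject -Property @{
        NotificationEnabled  = $notify
        DefaultInboundPolicy = $policy
        ExistingInboundRules = @($hits | ForEach-Object { "$($_.Name) [$($_.Action), $($_.Enabled)]" })
        PromptPossible       = $notify -and $defaultBlocks -and ($hits.Count -eq 0)
    }
}

# Placeholder path: substitute the executable you are testing.
Test-FirewallPromptConditions -ProgramPath 'C:\Program Files (x86)\Skype\Phone\Skype.exe'
```

After cancelling a prompt as in the third post, ExistingInboundRules should list the two auto-created block rules and PromptPossible should turn false until they are deleted.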
     