Help with Windows Firewall and VPN

Discussion in 'other firewalls' started by kayan1, Dec 8, 2018.

  1. kayan1

    kayan1 Registered Member

    Joined:
    Dec 8, 2018
    Posts:
    15
    Location:
    US
    Hi,

    Can someone please help me with Windows Firewall?

    I was looking for a basic firewall program for outbound blocking. The only feature I needed was a notification for any new outbound connection so I could choose to allow or block.

    The free "Windows Firewall Control" (by binisoft) did what I needed. Except one problem that I need help with:

    After initial setup, the "connection log" remains mostly empty (as expected), BUT when I'm connected to a VPN, it fills up rapidly with blocked outgoing connections for svchost.exe. Even though I have previously granted full access to svchost. The VPN connection itself works fine and I can connect to the internet, but the log keeps adding new entries every second and fills to 100s of lines. It's mostly one process/program that's appearing again and again (same Process ID).
    Screenshot:

    https://i.imgur.com/ospT0E8.jpg


    The expected behavior would be for me to get a notification to allow/block the outgoing connection, but I don't get any. Even if manually allow svchost full access, these entries keep coming.

    To troubleshoot, I tried another firewall program called "Simplewall". Here I don't see similar entries on it's default setting, but I see them again if I enable "Dropped packets log". And they look like:

    12/‎8/‎2018 ‏‎9:37:27 AM,NT AUTHORITY\NETWORK SERVICE,C:\windows\system32\svchost.exe,192.168.X.X:53 (Remote),192.168.X.X:54108 (Local),udp,OpenVPN,#288909,OUT,BLOCK

    Even with this firewall I don't get any new notification asking for access. And I have already granted full access to all VPN .exe files and svchost.exe (I basically said Yes to all initial notifications to allow everything). The internet/VPN works fine, but these numerous blocked attempts keep accumulating.

    Sounds like it's something to do with "dropped packets" (and that these are not "normal" outgoing connection attempts).

    Anyone familiar with this and can help figure out what's going on?

    (Btw, I tried a third firewall called "Windows 10 Firewall Control" by sphinx software. Same phenomenon when on VPN. If I don't connect to VPN, I don't see the blocked connection entries)

    Update:
    I used "svchost viewer" to find the program behind the svchost.exe and it turns out to be "DNS Client service (dnscache)":
    https://i.imgur.com/lR5X0kg.jpg

    Does the fact that this only happens when connected to a VPN give you any clue as to what's happening? If I turn off the VPN, the connection log remains empty, but once I turn it on, it starts filling.
     
  2. NiteRanger

    NiteRanger Registered Member

    Joined:
    Nov 15, 2016
    Posts:
    550
    Location:
    Far East
    Try Binisoft WFC. You enable Notifications and notifications will show up
     
  3. kayan1

    kayan1 Registered Member

    Joined:
    Dec 8, 2018
    Posts:
    15
    Location:
    US
    That is the same program I am talking about. I do get notifications for all programs, except the situation I mentioned.

    Can anyone help?
     
  4. __Nikopol

    __Nikopol Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    588
    Location:
    Germany
    Is the port in the log increasing up to 65535 as if it is a port scan?
     
  5. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    1,638
    Location:
    Estonia
    Do you have this firewall rule in Windows Firewall ?
    upload_2018-12-9_12-26-0.png
    And after you connect to which VPN, do you see blocked connections for this same connection ?
    Please post here a screenshot for the svchost.exe rules that you have and for the VPN software that you have created. Thank you.
     
  6. kayan1

    kayan1 Registered Member

    Joined:
    Dec 8, 2018
    Posts:
    15
    Location:
    US
    Thanks for helping. Please see here:
    https://i.imgur.com/4DbAzg7.jpg

    I can tell that it's the same connection, because they all have the same PID (so it's the same process), and I use the program "Svchost viewer" which shows "Dnscache" for that PID:
    https://i.imgur.com/lR5X0kg.jpg

    Update:

    Just now I manually created another rule for svchost to give it full access to everything:
    https://i.imgur.com/T1Jg4Vr.jpg

    But still the same thing happens.

    If I manually disable the DNS Client service (dnscache), I don't see svchost.exe in the connection log, but now it gets filled with individual program block attemps (e.g. browser .exe).
     
    Last edited: Dec 9, 2018
  7. kayan1

    kayan1 Registered Member

    Joined:
    Dec 8, 2018
    Posts:
    15
    Location:
    US
    Yes, it looks like to me. Please check here:
    https://i.imgur.com/EW0fUa0.jpg

    Also see my reply (and screenshots) above.
     
  8. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    1,638
    Location:
    Estonia
    You did not respond which VPN software do you use. Note that some VPN vendors overwrite Windows Firewall rules when you connect to their VPN and they restore your rules set when you disconnect. Also, some VPN vendors may disable certain functionality of the operating system in order to be able to ensure your anonymity. Ask your VPN vendor what is their relation with Windows Firewall and how they treat svchost.exe connections, if they are blocked by them when their VPN is connected. In my opinion, the problem is not Windows Firewall here and what you experience might be an expected (not wanted) behavior.
     
  9. kayan1

    kayan1 Registered Member

    Joined:
    Dec 8, 2018
    Posts:
    15
    Location:
    US
    I was trying out Vyper VPN (I said "yes" to all the VPN related notifications and popups). This is what I wanted to understand if what I've described is normal behavior or a misconfiguration.

    I was hoping someone who used VPN along with either WFC or Simplewall could share what they saw on their side.

    Simplewall does not have a connection log, but if I enable "dropped packets log", then I see similar entries. Do you know what this means?

    While you are reading this, an unrelated question:
    I was also comparing WFC (binisoft) with Simplewall. I notice a drastic difference in resource usage. WFC up to 8% CPU and 90 MB memory, but Simplewall less than 1% CPU and 8 MB memory. Overall Simple is looking better than WFC. Do you agree?

    In addition Simplewall seems to have some sort of integration with another tool called "WindowsSpyBlocker". Any thoughts on this?

    Thanks for your time.
     
  10. __Nikopol

    __Nikopol Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    588
    Location:
    Germany
    I asked because I have the same 'issue'. I expect that this is what you meant.

    In my case I use Windscribe which sets a WFP rule to block other IPs, I guess. They haven't yet got back to me about what they really do with WFP. But that here is what the log says: "[firewall_controller] firewall changed with ips count : 2". Sometimes the count is 550.
    Can "ips" mean something else than IPs? It probably isn't a "Intrusion Prevention System" that's nonsense in context.
    Well, I'll see when they finally answer me. :)
     
  11. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,927
    Location:
    Serbia
    This may be just a way in which VPN prevents connections to your ISP DNS servers. This is a known technique to prevent DNS leaks.
    But I would certainly inquire about that, as others have suggested. Is there a user's manual you can look at?
     
  12. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,927
    Location:
    Serbia
  13. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    1,638
    Location:
    Estonia
    I don't, but the reason is because WFC is written in C# and is using .NET, while Simplewall is written in C++ and is using native code. My browser is using 800MB with 2 tabs open.
     
  14. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    289
    Location:
    Europe
    Did you really think the dev of WFC is gonna say his product is inferior, LUL
     
  15. kayan1

    kayan1 Registered Member

    Joined:
    Dec 8, 2018
    Posts:
    15
    Location:
    US
    I am a newbie in this context, I don't know who is the dev of whom. I asked sincere question based on my observation in trying to find a good firewall for me.

    WFC is 1000x better than ZoneAlarm (which I also tried) because ZoneAlarm behaved like malware on my computer. Plus he seems like a knowledgeable person, and even more important, a helpful guy.
     
  16. kayan1

    kayan1 Registered Member

    Joined:
    Dec 8, 2018
    Posts:
    15
    Location:
    US
    You gave a helpful response. Thank you. Maybe it is natural behavior, and that is what I am starting to think.
     
  17. kayan1

    kayan1 Registered Member

    Joined:
    Dec 8, 2018
    Posts:
    15
    Location:
    US
    I found from the below response that you are the dev of WFC. I hope you were not offended, I just asked a naive question that came up during my testing of both programs. Just out of curiosity, what is the meaning of "using native code", and also what is the benefit of using C#/.NET (vs. C++) that offsets the higher memory usage.

    Currently I am giving the overall edge to WFC.

    On-topic question after further comparison:

    Simplewall gave me a hard time with a program called Kleopatra (which is like a GUI for gpg4win/GnuPG). The firewall notification said that it's wanting a connection to 127.0.0.1 (which I *think* is to itself). Three things happened:

    - Blocking the connection made Kleopatra hang/crash.
    - Giving it full access made the program work normally. But I don't want to do this, because the reason I'm wanting firewall is to restrict programs from unneeded internet access.
    - So then, I allowed only connection to 127.0.0.1 (which I think should apply to all ports), but I kept on getting the same 127.0.0.1 notification, but with different ports. Even if I allowed a new rule with 127.0.0.1 and port combination, it kept giving more notifications.

    BUT

    WFC worked perfectly with Kleopatra. It gave me no notification at all. And Kleopatra worked normally. The connection log for WFC doesn't show any allowed or blocked connection.

    Can you help explain the different behavior of both firewalls:
    Why is Simplewall giving notification and WFC is not?
    Why there is no log attempt in WFC?
    Why is Simplewall or Kleopatra not happy with only allowing connection to 127.0.0.1. And why Kleopatra only works (i.e. does not hang) if given full internet access, even though it is not asking to reach any other IP.
     
  18. __Nikopol

    __Nikopol Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    588
    Location:
    Germany
    I'm using Kleopatra too and I have it set to allow 127.0.0.1 with any port. It works fine for me with simplewall.
    Currently Simplewall has issues with notifications not being shown or only too late. You should wait a little before you take that into consideration. Dev knows about it already, he's working on it I assume.
     
  19. kayan1

    kayan1 Registered Member

    Joined:
    Dec 8, 2018
    Posts:
    15
    Location:
    US
    Oh I am happy to know you are using both the same programs as me :)

    Can you share please how you setup "127.0.0.1 with any port", maybe a screenshot? I tried entering just 127.0.0.1 under both "Rule (Remote)" and "Rule (local)" but Kleopatra kept triggering more notifications.

    I think both Simplewall and WFC are great programs, but both gave me some problems (different ones). I don't think you can go wrong with either one, I just have to figure out how to get them to work for me.

    This forum and people here are very helpful. Thank you to both :)
     
  20. __Nikopol

    __Nikopol Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    588
    Location:
    Germany
    I just clicked "create a rule for 127... address" in the notification. That was enough. Now I have an entry under "special rules apps" for kleopatra. If you don'T see that, enable under View the "enable special rules group".
    The rule is now also in settings, rules, user rules and just says 127.0.0.1 outbound all, with kleopatra being one of it's users.
     
  21. kayan1

    kayan1 Registered Member

    Joined:
    Dec 8, 2018
    Posts:
    15
    Location:
    US
    Yep, that's exactly what I did. And that is exactly what I see also: i.e., I do see it under "special rules". But I still keep getting more notifications.

    The only way I can get it to work is if I *click* the checkbox next to the special rule. But I think doing that promotes it to full access, just like if you click a box in the "blocked" section, that allows the program and moves it to allowed section. With special rule section, it does not move it to allowed section, but I think it gives it full access. Do that make sense what I explained :)
     
  22. __Nikopol

    __Nikopol Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    588
    Location:
    Germany
    I actually don't know. I have it checked. I assume it is just enabling the special rule. Otherwise it would be put in allowed apps. Hm. I'll ask in the simplewall thread about it.
     
  23. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    1,638
    Location:
    Estonia
    Not at all :)
    Are you sure that the software really connects ? One more thing, Windows Firewall does not filter loopback connections. The ones to 127.0.0.1 (localhost) are always permitted.
    Poor software design. I remember one image editing software which did not work at all if there was a firewall rule in Windows Firewall for its own executable, not even if it was an allow rule. The developers of that software just enumerated the rules and if they found a rule for the exe, then they exited the software. They did not even bother to check if it was an allow rule or not. To use that software you always had to disable outbound filtering. They did this to ensure that their licensing system can connect online with any means when you use their software. Again, this is just poor design.
     
  24. kayan1

    kayan1 Registered Member

    Joined:
    Dec 8, 2018
    Posts:
    15
    Location:
    US
    Hello,

    After testing this, I can now confirm that checking the box in special rule section, actually gives it full access.

    You can confirm like this (this is what I did):

    - Get a test program (e.g. one that you can ask to check for an updated version, so it connects to a single IP)
    - On notification screen, enable rule for only that IP
    - A new rule will appear in "special rules" section. It will be unchecked.
    - Now test if this rule is active by asking the program to check for new version. It works, which means the rule is active.
    - In "settings -> user rules" you will see this rule. Here it is checked (means active). If you uncheck it, it will disappear from "special rules" on main screen.

    You can further confirm like this:
    - Go to "settings -> user rules" and edit the rule to a wrong IP.
    - Ask program to check new version. It fails.
    - Now in "special rules", check the box.
    - Ask program to check new version again. It works (even though the allowed IP is wrong).
    - This means checking the box in "special rule", enables full access.

    The simplewall GUI is a little non-intuitive in this case. I think it would be better to have two sections for "special rules" also (just like full access rules), one for enabled special rules and one for disabled special rules. So you can check and uncheck the same way as for full access rules.
    OR: special rules section should not have the checkbox at all. They should be enabled/disabled from "settings -> user rules".

    So what is the solution? (for programs like Kleopatra that need 127.0.0.1)

    The answer is to enable "loopback" in expert settings :)
    This is the normal behavior of Windows firewall, and that is the reason WFC was not giving notification for those connections (as I noted in previous post).

    I hope this helpful to anyone else running into same issue.
     
  25. kayan1

    kayan1 Registered Member

    Joined:
    Dec 8, 2018
    Posts:
    15
    Location:
    US
    Thank you.

    Yes, that is what I figured after lots of head scratching and frustration :)
    WFC (windows firewall) by default allows loopback connections, so no notification was appearing. In Simplewall you have to manually enable that (by default it is off).

    Once I enabled loopback on Simplewall, Kleopatra started to work perfectly just like it did with WFC.

    I do have one major issue with WFC. It's notification system is not reliable (at least on my computer):

    - I ask a program to check for new version.
    - WFC gives a notification. I select "Block for now, ask me later".
    - I check again, and WFC gives notification again. I select same option (so no permanent rule is created).
    - After some time (may one hour, 1/2 day), I check again. This time no notification from WFC.
    - And no notification for any other program.

    I believe this is a bug, because then I do this:
    - In connections log, disable logging blocked connections (which also disables notifications).
    - Then enable notifications again (from main panel).
    - Now when I ask the test program to check for updates, WFC gives a notification.
    - But again: after some time, WFC stops giving notifications. For the same program, and ALL programs.
    - (I am careful not to select "notification exceptions")
     
Loading...
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.