How good is the Default settings of Windows Firewall?

Discussion in 'other firewalls' started by sg09, Jun 11, 2010.

Thread Status:
Not open for further replies.
  1. wat0114

    wat0114 Guest

    I wanted to make some ICMP rules on my own, even though I could just as easily have gone with the Core defaults. This way I (hopefully) better my knowledge of what they're all about :) I will have to go through them carefully and look for duplicates. I have already found a couple. Feel free to point out anything that looks odd. I'm certainly no expert at this and it's a long, painstaking process to create and fine-tune these rules, so mistakes and incomplete rules are possible, if not likely.
     
  2. Heimdall

    Heimdall Registered Member

    Joined:
    Jul 29, 2009
    Posts:
    185
    To some extent the rules you create for your software firewall will depend upon the capabilities of the firewall in your router. I use custom firmware, which allows me to control firewall rules via customisable iptables for both inbound and outbound access.

    With your inbound ICMPv4 rules, you seem to be allowing Network unreachable (ICMP 3 11) but not Host Unreachable (ICMP 3 1), Port Unreachable (ICMP 3 3) or Fragmentation Needed (ICMP 3 4)?

    It also seems the ICMPv6 rule allows Destination Unreachable (type 1) but you have removed the essential ICMPv6 rules. Granted, if you're not actively using IPv6 you may not notice, however, ICMPv6 is a somewhat different beast to ICMPv4 and is actually existential for proper communication over IPv6.

    Apologies if I missed something
     
  3. wat0114

    wat0114 Guest

    I created the majority of them without regard to the router's filtering, mainly because I'm more interested in a rule set for a stand-alone Win 7 fw setup.

    ICMP rules give me some of the most difficulty in understanding what is needed - even for a basic home setup without networking. I don't use ICMPv6 but decided to simply keep the ones for a basic setup, although I may have missed some. I am in the gradual process of poring over the rules and correcting mistakes I or others spot :) Tomorrow I think I will replace the current outbound rules ss with an updated one.

    No need to apologize. Thanks for pointing out any oddities.
     
  4. Heimdall

    Heimdall Registered Member

    Joined:
    Jul 29, 2009
    Posts:
    185
    Indeed, they can be a little tricky. If it were me, I'd include a rule for ICMPv4 that allows Fragmentation Needed as that can be pretty important for the correct flow of data over TCP.

    I'd also think about restoring the ICMPv6 defaults. As I mentioned in my last post, ICMPv6 is essential and even if you don't knowingly use IPv6, at least one of your applications can. uTorrent.

    uTorrent, if configured to do so, will use Teredo, which is an IPv6 transition technology, basically IPv6 over IPv4. For Teredo to work correctly, it has to be able to find Teredo relays. To do that it uses an ICMPv6 Echo request.

    By removing the defaults, you've effectively crippled some of the functionality of IPv6.
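
    A check for the ICMP messages named in this exchange, as an added example that is not part of the original posts: it reads the rule set through the `HNetCfg.FwPolicy2` COM interface and reports which messages have an enabled allow rule. The function name `Test-IcmpCovered` and the `$wanted` list are hypothetical, and treating an empty or `*` type list as "all types" is an assumption.

```powershell
# Added example (not from the thread): list which of the ICMP messages
# discussed above are covered by an enabled ALLOW rule.
$ICMPV4 = 1; $ICMPV6 = 58; $ANY_PROTO = 256    # NET_FW_IP_PROTOCOL values
$DIR_IN = 1; $DIR_OUT = 2                      # NET_FW_RULE_DIRECTION
$ALLOW  = 1                                    # NET_FW_ACTION_ALLOW

# Illustrative selection taken from the posts above; Code = $null means "any code".
$wanted = @(
    @{ Name = 'ICMPv4 Fragmentation Needed (3:4), in';  Proto = $ICMPV4; Dir = $DIR_IN;  Type = 3;   Code = 4 },
    @{ Name = 'ICMPv6 Destination Unreachable (1), in'; Proto = $ICMPV6; Dir = $DIR_IN;  Type = 1;   Code = $null },
    @{ Name = 'ICMPv6 Echo Request (128), out';         Proto = $ICMPV6; Dir = $DIR_OUT; Type = 128; Code = $null }
)

function Test-IcmpCovered([string]$list, [int]$type, $code) {
    # IcmpTypesAndCodes is a comma-separated list of "type:code"; "*" is a wildcard.
    # Assumption: an empty list or a lone "*" means the rule covers every ICMP type.
    if ([string]::IsNullOrEmpty($list) -or $list.Trim() -eq '*') { return $true }
    foreach ($item in $list.Split(',')) {
        $t, $c = $item.Trim().Split(':')
        if ($t -ne '*' -and [int]$t -ne $type) { continue }
        if ($null -eq $code -or $null -eq $c -or $c -eq '*' -or [int]$c -eq $code) { return $true }
    }
    return $false
}

# Only enabled allow rules are considered.
$rules = (New-Object -ComObject HNetCfg.FwPolicy2).Rules |
    Where-Object { $_.Enabled -and $_.Action -eq $ALLOW }

foreach ($w in $wanted) {
    $hit = $rules | Where-Object {
        $_.Direction -eq $w.Dir -and
        ($_.Protocol -eq $w.Proto -or $_.Protocol -eq $ANY_PROTO) -and
        (Test-IcmpCovered $_.IcmpTypesAndCodes $w.Type $w.Code)
    } | Select-Object -First 1
    if ($hit) {
        "OK       {0}  <- {1}" -f $w.Name, $hit.Name
    } else {
        "MISSING  {0}" -f $w.Name
    }
}
```

    An explicit block rule still wins over any allow rule reported here, and the script does not look at which profiles a rule applies to. With the default outbound policy set to allow, the outbound entry needs no rule at all.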
     
  5. wat0114

    wat0114 Guest

    Heimdall, thank you for your help! :) This is what I was hoping for because I knew they needed some work. Just minutes ago I had to correct my Java update rules because of the latest release. I will modify my rules according to your recommendations and replace my screenshots tomorrow am.
     
  6. henris

    henris Registered Member

    Joined:
    Jun 6, 2009
    Posts:
    17
    How to protect the firewall settings from applications such as Skype, which themselves create their own rules and add them to the firewall?
     
  7. Heimdall

    Heimdall Registered Member

    Joined:
    Jul 29, 2009
    Posts:
    185
    I'm not sure there is an easy way of dealing with programs like Skype, apart from letting it create the rules it believes it needs, then editing them to be more in-line with what you need.

    Skype is a particular PITA but it's not impossible to lock it down. I haven't used it in a while, but I can probably knock up a rule set PDQ. If I can help, let me know.
     
  8. wat0114

    wat0114 Guest

    I agree, that's the easiest way to deal with it.

    BTW, updated outbound rule set here in post #19...

    As recommended to me, I added the ICMPv6 Core defaults plus a custom rule for ICMP Fragmentation (there was no default available??). Also added some remote mail server IP addresses, cleaned up some other rules such as Java update program locations for jucheck.exe and jusched.exe found at: C:\Program files (x86)\Common files\Java\Java Update
     
  9. minoka

    minoka Registered Member

    Joined:
    Nov 5, 2005
    Posts:
    50
    Thanks, wat0114!

    Heimdall,
    I would like very much to see what rules you would create for Skype.
    Is there an order by which the Windows 7 firewall processes rules? I have rules for Skype in another firewall and their order is critical.
     
  10. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,976
    http://technet.microsoft.com/en-us/library/dd421709(WS.10).aspx

    Panagiotis
     
    Last edited: Jun 16, 2010
  11. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,545
    I wish my Windows XP firewall worked like that :(
     
  12. riolionel

    riolionel Registered Member

    Joined:
    Feb 19, 2010
    Posts:
    13
    Hello,

    I successfully blocked the "check for updates" function in the SIW program (just as an experiment) by creating a general "block all" outgoing connection rule in my Windows Firewall with Advanced Security (Win7 64). But I have a little problem now.

    If I try to open the SIW homepage from the program itself, my Firefox opens that page, and the firewall can't block it.

    How can I block these requests too?
     
    Last edited: Jun 27, 2010
  13. pabrate

    pabrate Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    685
    Yes, but if you edit those rules, they will revert back to the original ones that were created when Skype is run next time.
     
  14. Heimdall

    Heimdall Registered Member

    Joined:
    Jul 29, 2009
    Posts:
    185
    If you disable UPnP in Skype, it won't.
     
  15. riolionel

    riolionel Registered Member

    Joined:
    Feb 19, 2010
    Posts:
    13
    No one knows the reply? :doubt:
     
  16. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,976
    You cannot block these requests with Windows Firewall.

    Panagiotis
     
  17. wat0114

    wat0114 Guest

    riolionel, do you mean this one?:

    http://www.gtopala.com/siw-software/updates.html

    If so, you should be able to create a rule to block that specific IP address for all programs. Hopefully I understand what you're asking because I'm not sure of the acronym SIW.
     
    Last edited by a moderator: Jul 4, 2010
  18. riolionel

    riolionel Registered Member

    Joined:
    Feb 19, 2010
    Posts:
    13
    Then how do I set an IP block rule with Windows Firewall? I don't know a way to do it.
     
    Last edited: Jul 5, 2010
  19. wat0114

    wat0114 Guest

    Check the screenshots...

    After the 5th, hit: Next -> Next -> keep all three checkboxes enabled (Private, Domain, Public) -> Type a name for the rule, maybe: "Block remote ip SIW" -> Finish.

    Also, check out Stem's Vista (applies to Win7 too) tutorial here.
     

    Attached Files:
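
    A scripted form of the wizard steps described in this post, as an added example that is not part of the original thread: it creates a block rule for a remote IP address across all three profiles through the firewall's COM interface. The function name `Add-RemoteIpBlockRule` is hypothetical, the outbound direction is an assumption (the screenshots are not available), and `203.0.113.10` is a documentation-range placeholder rather than the address discussed above.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt.
function Add-RemoteIpBlockRule([string]$Name, [string[]]$RemoteIp) {
    # Reject anything that is not a literal IP address before touching the policy.
    foreach ($ip in $RemoteIp) {
        $parsed = $null
        if (-not [System.Net.IPAddress]::TryParse($ip, [ref]$parsed)) {
            throw "Not an IP address: $ip"
        }
    }

    $policy = New-Object -ComObject HNetCfg.FwPolicy2

    # Remove an existing rule of the same name so re-runs do not pile up duplicates.
    if ($policy.Rules | Where-Object { $_.Name -eq $Name }) {
        $policy.Rules.Remove($Name)
    }

    $rule = New-Object -ComObject HNetCfg.FWRule
    $rule.Name            = $Name
    $rule.Direction       = 2                  # NET_FW_RULE_DIR_OUT (assumed direction)
    $rule.Action          = 0                  # NET_FW_ACTION_BLOCK
    $rule.RemoteAddresses = ($RemoteIp -join ',')
    $rule.Profiles        = 1 -bor 2 -bor 4    # Domain, Private, Public
    $rule.Enabled         = $true
    # No ApplicationName is set, so the rule applies to all programs.
    $policy.Rules.Add($rule)

    # Read the rule back so the stored values can be checked.
    $policy.Rules.Item($Name) |
        Select-Object Name, Direction, Action, RemoteAddresses, Profiles, Enabled
}

# Placeholder address from the 203.0.113.0/24 documentation range.
Add-RemoteIpBlockRule -Name 'Block remote ip SIW' -RemoteIp '203.0.113.10'
```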

  20. riolionel

    riolionel Registered Member

    Joined:
    Feb 19, 2010
    Posts:
    13
    It works! For hostname rules, is it necessary to edit the hosts file instead, right?

    Because there isn't anything in Windows Firewall about this aspect.

    Thank you.
     
  21. wat0114

    wat0114 Guest

    You're welcome. Sorry, I don't know about the hosts file, because I haven't used it in years.
     
  22. cqpreson

    cqpreson Registered Member

    Joined:
    May 18, 2009
    Posts:
    348
    Location:
    China
    Blocking IPs in IPsec is simpler than in Firewall Advanced Security, I think.
     