How to get Windows Firewall to successfully block ports?

Discussion in 'other firewalls' started by Thelps, Apr 5, 2018.

  1. Thelps

    Thelps Registered Member

    Joined:
    Apr 1, 2012
    Posts:
    26
    Hi all, thanks for your attention! :)

    Just ran a network portscan using nmap by targeting my loopback address.

    It seems that, despite explicitly blocking a certain port in the UDP protocol in both inbound and outbound directions, nmap still reports those ports as open|filtered.

    Shouldn't they appear, when firewalled, as closed?

    Am I doing something wrong? Something of a beginner at this...
     
  2. Der Alte

    Der Alte Registered Member

    Joined:
    Apr 4, 2012
    Posts:
    118
  3. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    2,491
    nmap is fake. blocking ports without any reason is wrong. if there is nothing listening behind, windows never will answer, dropped dead. (same for the pointless grc shields up scan - this crap makes people panic without reason) if someone is using a router or a modern modem those will drop packets which are not expected. nmap is sending from inside to outside and this behavior ofc must fail because this is valid - you need to test from outside to inside and as i tried to explain this is pointless for windows being up to date.
     
  4. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    341
    Location:
    Member state of European Union
    It's good practice to close not needed ports. Especially on Windows, because some services listening on ports are not needed for some users (case-by-case basis), but disabling them seems to make Windows less stable, so the less intrusive means to harden Windows settings is to block on firewall.

    But yes - behavior from the outside can be different than from inside OS.

    Back to the question. It seems that Nmap cannot exactly tell why it is not getting a response, because of how the UDP protocol works, and it cannot show anything more unambiguous than open|filtered.
     
  5. Thelps

    Thelps Registered Member

    Joined:
    Apr 1, 2012
    Posts:
    26
    @Brummelchen: could you please PM me/'Start a conversation' with me? There's some things I'd like to mention outside of the public thread. Forum won't let me 'start a conversation' with you.

    @reasonablePrivacy: I still have this ongoing problem with Firewalled (read: blocked) ports. My aim is, of course, total privacy. It reduces liabilities to myself.

    The Firewall isn't effectively blocking any of the 'open | filtered' ports, from what I can tell. Further ideas on how to confirm whether it's doing its job effectively (perhaps checking some OS files?) would be appreciated.

    I'd assume it interfaces with the NIC drivers and blocks the communications on the specified port (or specified protocols in the case of more precise Firewall rules) at the bottleneck. There shouldn't really be anything that can override that functionality when configured correctly, especially if you identify any OS software 'backdoors' that may or may not exist.

    See what I'm getting at?
     
  6. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    341
    Location:
    Member state of European Union
    Just execute some server listening on the blocked UDP port. It can be as simple as netcat. Using second computer try to connect to that server on that port.
     
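    The listener-plus-probe test reasonablePrivacy describes, written out as an added example (not code from the thread) in Python as a stand-in for netcat on both sides: the target machine runs `run_echo_listener` on the blocked UDP port, and the second machine calls `probe_udp_port` against the target's LAN address. `BLOCKED_UDP_PORT`, `PROBE` and the three result labels are assumptions; the point is that an echoing listener turns nmap's ambiguous open|filtered into a yes/no answer.

```python
import socket
import threading
import time

# Constructed (assumption): the UDP port the Windows Firewall rule blocks, and the probe payload.
BLOCKED_UDP_PORT = 40000
PROBE = b"firewall-probe"

def run_echo_listener(port, stop_event):
    """Target side: echo every datagram so a delivered probe yields a reply, not silence."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", port))
        sock.settimeout(0.2)  # wake up regularly to notice stop_event
        while not stop_event.is_set():
            try:
                data, peer = sock.recvfrom(2048)
            except socket.timeout:
                continue
            sock.sendto(b"echo:" + data, peer)

def probe_udp_port(host, port, timeout=2.0):
    """Prober side, run from the second machine against the target's LAN address.
    'open': the echo listener answered, so the rule is not blocking the port.
    'closed': ICMP port unreachable came back (nothing listening, nothing dropped).
    'no-reply': silence, nmap's open|filtered; with the listener up it means dropped."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))  # connected socket so ICMP errors are reported
            sock.send(PROBE)
            return "open" if sock.recv(2048) == b"echo:" + PROBE else "no-reply"
        except ConnectionError:  # ConnectionRefused on Linux, ConnectionReset on Windows
            return "closed"
        except socket.timeout:
            return "no-reply"

def self_check(port=BLOCKED_UDP_PORT):
    """Run both sides on this host to validate the tooling; on Windows this is loopback,
    which the Windows Firewall does not filter, so 'open' here proves nothing about the rule."""
    stop = threading.Event()
    t = threading.Thread(target=run_echo_listener, args=(port, stop), daemon=True)
    t.start()
    time.sleep(0.2)  # give the listener time to bind before probing
    try:
        return probe_udp_port("127.0.0.1", port)
    finally:
        stop.set()
        t.join()
```

    Run `self_check()` once to confirm the tooling works, then keep the listener running on the target and call `probe_udp_port` from the second machine: 'open' means the block rule is not taking effect, 'no-reply' means it is.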
  7. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    2,491
    conversation is not welcome thus not enabled.
    important windows system operations override all other windows mechanism, in special windows update, overrides hosts file and any proxy settings.
    windows has no backdoors. and the gap for port 138/139 (dns) is closed (patch 3100465)
    who ever told you or what ever you read was pure BS. forget closing ports and let windows do the rest.
    never change a running system and never when you are not aware of the consequences.
     
  8. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    366
    That's the problem, your test is flawed. The Windows Firewall does not filter loopback even though the Base Filtering Engine/Windows Filtering Platform is perfectly capable of doing so.

    You could either test from a different machine to get accurate results or try a solution which does filter loopback instead.

    While I haven't tested it myself I believe that the simplewall firewall is both capable of using the wfp without the windows firewall and free/opensource so it could be an option if you really feel the need to filter loopback. There are of course others that are also capable but most are part of larger solutions such as AVs.
     
    Last edited: Apr 6, 2018
  9. Thelps

    Thelps Registered Member

    Joined:
    Apr 1, 2012
    Posts:
    26
    @Brummelchen: So how is my network activity being monitored (this is my abiding suspicion)? I'm very much here to learn and have the complementary reading materials and am putting the hours of study in. This isn't just some guy looking for 'The Answer'. This has been a project of mine for some years now.

    As far as portscanning my network from another network, how could I do so safely, without triggering any Firewalls, IDSes/IPSes etc? I was considering an Internet Cafe but am concerned they'll log my activity and I'm fairly well-known in my local area anyway. Would prefer to keep this 'work' private, otherwise a knowing person could undo or work around my efforts.

    Ideas very appreciated.
     
  10. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    8,493
    Location:
    Slovenia, EU
    One option is to use your mobile as hotspot and connect your computer to it using WiFi. That way you'll get external IP to scan from. Of course your mobile data will be used during this process.
     
  11. Thelps

    Thelps Registered Member

    Joined:
    Apr 1, 2012
    Posts:
    26
    These are interesting ideas.

    Portscans are still indicating open ports, however.

    I have a few explicitly blocked in the Firewall that are still showing as open (not open | filtered).

    Further ideas as to the cause?
     
  12. King Grub

    King Grub Registered Member

    Joined:
    Sep 12, 2006
    Posts:
    815
    You have a router? If you do, you're scanning the router and the Windows firewall won't be involved at all.
     
  13. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,968
    Location:
    Slovakia
    Local portscans consider listening ports and loopbacks as opened ports.

    Technically listening ports are opened, but when blocked in a firewall, not opened to the outside.
     
  14. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,148
    Location:
    Canada
    Hello @Thelps,

    first question: what is your operating system?
     
  15. Thelps

    Thelps Registered Member

    Joined:
    Apr 1, 2012
    Posts:
    26
    @wat0114
    Running Windows 10 on the target machine.

    @King Grub
    Surely if I scan the Router's IP my portscan has to pass through the scanning machine's firewall? And if I scan using the loopback address the loopback scan passes through the firewall also, and as such is covered by its rules?
     
  16. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    2,491
    if a router has no destination for an incoming packet it's dropped. that doesn't concern listening services but those are either LAN-only or have been started by a user or program. conclusion (again) forget this pointless action, do us the favour, it is leading nowhere and only creates new questions the deeper you want to dive into it. you need to read much more basics about networking than it is possible for us to explain, this would blow this topic up extremely.

    about loopback - PLEASE read (2)
    https://www.webopedia.com/TERM/L/loopback.html
    or
    https://www.juniper.net/documentati...nterface-security-loopback-understanding.html

    as i wrote you need much more basics. or you trust us. you can go the hard way - on your own, or the short one with us.
    if you feel paranoid, go to a doctor.
     
  17. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,148
    Location:
    Canada
    Okay I was curious. So why are you scanning your target machine's loopback address? That makes no sense to me. Why not simply scan its network IP address? All you should really be most interested in is whether or not Windows 10 firewall will block port scans.

    Is your source machine (the one running nmap) on the same network as your target machine? If so are they both connected through your router?
     
    Last edited: Apr 15, 2018
  18. Thelps

    Thelps Registered Member

    Joined:
    Apr 1, 2012
    Posts:
    26
    The source machine and the target machine are one and the same. That's why I was using the loopback: to cause the machine to portscan itself. It seems I misunderstood the purpose of the loopback address.

    I've also used the source machine to scan my router. Unfortunately, this router is the default one supplied by my ISP and, for their own security and support purposes, they have configured it to be very difficult to configure by the end user, so as to ensure a minimum number of user-misconfigurations.

    I will eventually scan a target machine from a source machine via the router. Both machines will be local to the office location. Would that class them as on the same LAN given they interface via a router?
     
  19. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    2,491
    nothing personal but most users are too stupid to do this in a proper way.

    concerning your tests - testing is only useful when done completely from outside, not the same lan, not the same line. there exist establishments to test that out in a professional manner you can't perform.
     
  20. Mister X

    Mister X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    3,158
    Location:
    Mexico
    Talking about NOT personal stuff, some are too stupid to use uppercase keys.
     
  21. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    341
    Location:
    Member state of European Union
    Why "not the same lan"? I don't trust my router completely (unfortunately it has vendor-specific proprietary firmware), so I want to be protected by firewall against my router. I also sometimes take my laptop with me to other town and connect to other LAN not owned nor managed by me.
     
  22. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,148
    Location:
    Canada
    @Thelps

    there should be no problems reliably probing your target machine from a source machine on the same LAN. All you would have to do is probe the IP address assigned to it by the router, assuming it's the DHCP device.
     
  23. Thelps

    Thelps Registered Member

    Joined:
    Apr 1, 2012
    Posts:
    26
    Getting conflicting advice here, but I'll try both methods.

    The portscans seem reasonably accurate just using the loopback (tried it with various applications opening a range of ports due to their activity and portscan catches the open ports). It's also correctly identifying the non-port-standard applications running on those ports (although it might be that the portscan software recognises those apps due to their signatures being hardcoded into the portscan software).

    I'll proceed with a true 'external' scan, and compare the results, as soon as possible.

    Thanks for all your help so far.
     
  24. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    341
    Location:
    Member state of European Union
    I also think loopback scan is bad.
    Scanning from the LAN using a second computer should be ok. It is the purpose of a firewall to secure the connection to an untrusted network, and the LAN may or may not be that untrusted network.
     
    Last edited: Apr 17, 2018 at 4:06 AM
  25. Thelps

    Thelps Registered Member

    Joined:
    Apr 1, 2012
    Posts:
    26
    Just to add to yourself and the above:

    Apparently 127.0.0.1 does an internal loopback, but specifying the word "loopback"/"localhost" (for example in a 'ping loopback' context) simulates an external scan (due to computer name resolution). You can confirm this on your own networks.

    The more you know...
     