Is there a firewall that handles svchost properly?

Discussion in 'other firewalls' started by zigguratt, Jul 25, 2005.

Thread Status:
Not open for further replies.
  1. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Depends.

    See:

    http://www.geocities.com/yosponge/fw/kexpl1.html

    http://www.dslreports.com/faq/3301

    I use outbound only, dialup, Win2K (see image below)

    On my laptop with WinXP, the application is Svchost.


    EDIT: I see you've solved it already.


    -rich
    ________________
    ~~Be ALERT!!! ~~
     


  2. zigguratt

    zigguratt Registered Member

    Joined:
    Jul 5, 2005
    Posts:
    14
    Location:
    Toronto, Canada
    I don't know how that's working unless there's another rule somewhere permitting inbound DHCP responses. I'm betting that even the rule you DO have is being ignored and DHCP both directions is getting through another way. Both of the links you gave above have rules for DHCP in both directions. The second even had another rule for broadcast in addition to the bidirectional rule I specified.

    If I were you I'd take a close look at my rules to make sure there aren't any holes that need plugging.
     
  3. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,565
    There is more to this than I realise. Yes the DNS rule is for any application. If I make it specific then it will not work for that program, so I assume that duplicates of that rule have to be made. I guess that services.exe is one that needs a DNS rule to be set. Disabling the svchost rule had no effect.

    This is probably why Netveda and, I think, LnS ask several times about services when setting the rule.
     
  4. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    To test, I put the DHCP rule at the top and put a block-all-inbound next, and nothing tries to get in except DNS port 53.

    It's been so long since I set up those rules, I went back to my notes to check, and see that I created my own little tutorial by starting with *no* rules and letting Kerio prompt me for my system-wide rules, and I ended up with just two: the DHCP rule as I posted above, and an In-Out DNS rule which I customized for Port 53 and my two DNS servers.

    I specified the application for these rules: My Win2K system uses Services.exe, and my XP system uses svchost.exe.

    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  5. zigguratt

    zigguratt Registered Member

    Joined:
    Jul 5, 2005
    Posts:
    14
    Location:
    Toronto, Canada
    Very odd! Do me a favour: type "ipconfig /all" at a command prompt and tell me what it says beside "Dhcp Enabled".

    To get this thread back on topic, I'd still like to know if there's a firewall that handles svchost as I described. I've been able to tighten up my svchost Kerio rules a bit. I turned off the svchost DHCP rule, as I'm using static IPs for all desktop machines here. I disabled the Windows DNS Client service as suggested in the Outpost guide pointed to by profhsg. This allowed me to turn off the svchost DNS rule in Kerio. As a side-effect I now have to specify a DNS rule for every application that requires access. It sounds a bit annoying, but it's in keeping with my desire for an application firewall. I want all these things specified per application. I've left the NTP rule in place as it's appropriately restricted and relatively harmless (!).

    So that leaves only the HTTP rule. For the moment I've turned it off as well in order to collect IPs to add to the custom set. It looks like they're too diverse to infer a single Microsoft netblock.

    Thanks all for the suggestions and help. Interesting discussion so far. I'd like final resolution on the DHCP issue, however.
     
  6. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,565
    Should DHCP be enabled? Mine currently is not. I think at the time it was thought better not to, but I cannot remember the thinking now.
     
  7. zigguratt

    zigguratt Registered Member

    Joined:
    Jul 5, 2005
    Posts:
    14
    Location:
    Toronto, Canada
    Well of course the answer is: it depends. Is your computer a laptop? If so, does it connect to various networks, wireless or otherwise (home, work, coffee shop)? If so, then using DHCP is wise as you won't have to keep changing your network settings every time you change location. If it's a desktop machine, is it connected directly to the 'net (i.e. a wire right to your cable/DSL box, or direct connection to the modem)? If so then you'll need DHCP as no ISPs these days give out static IPs. If your machine is behind some sort of gateway (wired/wireless router) you have a choice either way as they usually have built-in DNS/DHCP servers. Being behind one of these routers I've chosen to use static IPs (no DHCP) on my internal wired network. The machines aren't going anywhere so I can set up the networking once and forget it. But it's just as valid to use DHCP in this case. It's up to you.

    But that's the only time you really have a choice. I'd probably go with DHCP if I weren't such a control freak. :)
     
  8. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    PPP adapter xxxxxx:
    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
    Physical Address. . . . . . . . . : 00-53-xxxxxxxxxxx
    DHCP Enabled. . . . . . . . . . . : No
    IP Address. . . . . . . . . . . . : xx.xx.xx.xxx
    Subnet Mask . . . . . . . . . . . : 255.255.255.255
    Default Gateway . . . . . . . . . : xx.xx.xx.xxx
    DNS Servers . . . . . . . . . . . : xxx.xxxx1
    ........................................xxx.xxxxx2
    NetBIOS over Tcpip. . . . . . . . : Disabled


    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  9. zigguratt

    zigguratt Registered Member

    Joined:
    Jul 5, 2005
    Posts:
    14
    Location:
    Toronto, Canada
    Well that explains it then! You're not even using DHCP so no requests/responses are being issued. That's why you can be missing rules in your firewall and still have everything functioning properly. In this case you don't even need that one DHCP rule you DO have in Kerio. Your machine shouldn't be broadcasting for a lease if it isn't using DHCP.

    Glad to find out I'm not going crazy (well, not over this, anyway:). Odd subnet mask! For a 192.168.x.x private network it's normally something more like 255.255.255.0. If you're using a 10.x.x.x private network (e.g. Apple AirPort) it's usually something like 255.0.0.0. Yours says that all bits of the IP are network specifiers, leaving no room for host numbers. I don't know what effect this might have on your network, but it's obviously not catastrophic as you seem to be getting along fine as is.
     
  10. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I don't understand the technical points of DHCP, so that's why, rather than copying someone else's rules (everyone has his own ideas), I just let Kerio prompt me for what it needs, and I ended up with the two rules I described above, and I've never had a problem with connecting.


    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  11. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,565
    Thanks - that explains it.

    It is on a 2-machine LAN, both connecting to a router, and contrary to you I am on a static IP.
     
  12. Meltdown

    Meltdown Registered Member

    Joined:
    Sep 17, 2004
    Posts:
    299
    Location:
    Babylon
    Is there an easier way of doing this? If we're talking solely about Windows updates - the only reason I would want svchost to connect to Microsoft - isn't there a standard list of IPs to use? As a post in this thread suggests:
     
  13. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Unfortunately, if you want to go to the extent of locking down svchost.exe/services.exe in this manner it will involve establishing an accurate list of IPs. What will complicate it is the fact that MS will use multiple servers outside of their own to deploy updates (i.e. Akamai Technologies), which could vary for users and make defining a reliable list difficult.

    From the IP ranges in your quote, only two belong to MS.

    207.46.0.0 - 207.46.255.255 - corrected range
    Code:
    OrgName:    Microsoft Corp 
    OrgID:      MSFT
    Address:    One Microsoft Way
    City:       Redmond
    StateProv:  WA
    PostalCode: 98052
    Country:    US
    
    NetRange:   207.46.0.0 - 207.46.255.255 
    CIDR:       207.46.0.0/16 
    NetName:    MICROSOFT-GLOBAL-NET
    NetHandle:  NET-207-46-0-0-1
    64.4.0.0 - 64.4.63.255 - corrected range
    Code:
    OrgName:    MS Hotmail 
    OrgID:      MSHOTM
    Address:    One Microsoft Way
    City:       Redmond
    StateProv:  WA
    PostalCode: 98052
    Country:    US
    
    NetRange:   64.4.0.0 - 64.4.63.255 
    CIDR:       64.4.0.0/18 
    NetName:    HOTMAIL
    NetHandle:  NET-64-4-0-0-1
    Not sure if this range would be involved in Windows/Microsoft Update.

    If you do not want to go to this extent, you can always permit these services outbound connections with less restrictive rules.

    Regards,

    CrazyM
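As an added example (not code from any poster in this thread), here is the audit step in Python that zigguratt describes for collecting svchost destinations, applied against the two whois ranges CrazyM quotes above: it parses the NetRange/CIDR lines, confirms each NetRange collapses to exactly its stated CIDR (the "corrected range" check), and sorts a constructed firewall-log sample into svchost connections that land inside those Microsoft netblocks on 80/443 versus everything else. The log format and the sample addresses are constructed for illustration.

```python
import ipaddress
import re

# The two Microsoft netblocks quoted in CrazyM's whois output above.
WHOIS_TEXT = """\
NetRange:   207.46.0.0 - 207.46.255.255
CIDR:       207.46.0.0/16
NetName:    MICROSOFT-GLOBAL-NET
NetRange:   64.4.0.0 - 64.4.63.255
CIDR:       64.4.0.0/18
NetName:    HOTMAIL
"""

# Constructed sample of an application-firewall log: process, remote IP, remote port.
SAMPLE_LOG = """\
svchost.exe 207.46.20.60 80
svchost.exe 64.4.23.166 443
svchost.exe 198.51.100.7 80
svchost.exe 207.46.0.1 25
services.exe 192.0.2.10 53
"""

def parse_whois_blocks(text):
    """Return [(NetRange first, NetRange last, CIDR network)] per whois record."""
    ranges = re.findall(r"^NetRange:\s*(\S+)\s*-\s*(\S+)", text, re.M)
    cidrs = re.findall(r"^CIDR:\s*(\S+)", text, re.M)
    return [(ipaddress.ip_address(a), ipaddress.ip_address(b),
             ipaddress.ip_network(c, strict=False))
            for (a, b), c in zip(ranges, cidrs)]

def range_matches_cidr(first, last, net):
    """True when the NetRange summarises to exactly the stated CIDR block."""
    return list(ipaddress.summarize_address_range(first, last)) == [net]

def audit(log_text, allowed_nets, process="svchost.exe", ports=(80, 443)):
    """Split `process` connections into (inside allowlist on expected port, the rest)."""
    permitted, flagged = [], []
    for line in log_text.splitlines():
        proc, ip, port = line.split()
        if proc != process:
            continue            # other processes get their own per-application rules
        addr, port = ipaddress.ip_address(ip), int(port)
        ok = port in ports and any(addr in n for n in allowed_nets)
        (permitted if ok else flagged).append((ip, port))
    return permitted, flagged
```

Flagged entries are the ones to investigate before widening the svchost HTTP rule; anything outside the parsed netblocks is not accounted for by this list.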
     
  14. Meltdown

    Meltdown Registered Member

    Joined:
    Sep 17, 2004
    Posts:
    299
    Location:
    Babylon
    Thanks. I wonder if it's worth the effort. What I've been doing up to now is blocking outbound TCP for svchost, toggling it to permit whenever I get an alert for Windows update. It works, but it isn't pretty, and I think I'll just permit it to all addresses on remote ports 80 and 443, and live with the (slight?) risk.


    On that risk: Rmus, you say
    And then immediately after that:
    Why does it not seem wise? What dangers are there, other than trojans?
     
  15. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    It's just based on what I learned about services and protocols.

    In a post subsequent to mine, CrazyM wrote:

    -------------------------------
    Unfortunately there is no magic bullet or right answer for all.
    What may meet my requirements could be totally unsuitable for you.
    This is something we each need to define and implement.
    -------------------------------

    In hindsight, I wouldn't have made that statement regarding that rule #3 which you refer to, since it was based on how I implement rules from what I learned about services and protocols.

    In this thread, for every suggestion w/good reason, someone else counters with a reason to do the opposite.

    Users will "define and implement" in their own way.

    It may be useful to suggest where to find information about specifics -- in this case, services and protocols -- but the decision has to be made by the user.

    At least, that's where my thinking is at the moment.

    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  16. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    605
    Location:
    Australia
    Now this isn't strictly an answer to the question, but sometimes changing the problem to one that is more easily solved (with the tools at hand) is a viable way forward (until the tools evolve)....

    One option that nobody has mentioned is the ability to "roll your own" svchost instance and move services into that, but this is not something that should be done on an important machine due to the potential for something going wrong (either now or in the future).

    As long as you don't mind wasting a little bit more memory it can work, but it's definitely not for the faint-hearted and has the potential to break with future Windows updates/patches.

    I moved the wuauserv and BITS services into their own svchost instance so I could have some more control (at a process level) of the access granted. Before this is useful you need to have security programs that will allow you to control program access by executable name and command line arguments.

    What I have done has worked for me (so far) and when it breaks (which it probably will) I will probably have to restore a registry backup or do some tinkering in the recovery console... so it's not something to just rush off and do because it sounds like a good idea (unless you know how to recover as well).

    Seeing as you need to know how to recover there is not much point outlining the exact changes I made, but they started under the key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost and I also made a change in HKLM\SYSTEM\CurrentControlSet\Services\BITS and HKLM\SYSTEM\CurrentControlSet\Services\wuauserv.

    Once again I would like to emphasise that if you are considering doing this you need to have a way of recovering should it go wrong, either initially or down the track, and remember that I did this for testing purposes on a workstation that I use for testing (and general use).

    Regards
     