Necessary rules for Windows Firewall (block all outbound)

Discussion in 'other firewalls' started by Tintifax, Aug 25, 2013.

Thread Status:
Not open for further replies.
  1. Tintifax

    Tintifax Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    6
    Hi!
    I use Windows 7 Professional 32 Bit with the Windows Firewall and Avast Free Antivirus.
    I set the Firewall to whitelist mode (block all outbound) and deactivated all the built-in exception rules.
    Now I'm playing around with Windows Firewall Notifier, TCPView and Process Monitor to set all the rules that are necessary manually.
    I'm doing this not because I'm paranoid but because I want to know what's going on and how stuff works.

    When I set up the first rules I encountered some problems:
    The only built-in rule that I activated is "core networking - DNS and DHCP", and I created a new rule for Firefox, TCP 80 and 443, to be able to surf the web.
    The interesting thing is that no DNS request worked (neither in Firefox, nor in the command prompt with i.e. nslookup).
    The built-in rule for DNS does not work!!! Tested this on a second Computer with Windows 7. Is that a known bug?
    So I created a rule for DNS manually and then everything worked as expected, I could surf the web.
    The next thing I checked was ICMPv4 (Ping, tracert, etc. did of course not work).
    I searched for a built-in rule that would enable ICMPv4, but couldn't find it!
    Is there no built-in rule for something important like ICMPv4?!
    (I couldn't even find a built-in rule for Windows Update, btw).
    It's no problem to create these rules manually, I just wonder why there are no pre-defined rules for such essential things.

    After having set up these rules everything works fine, but there are some blocked outbound connections in the firewall log.
    Some of them are from svchost trying to access Microsoft-Servers.
    I could leave it as it is, but I'm not paranoid as I said before, and I know that most of the call-homes are intended for debugging, for example, and most of them serve a good purpose.
    I want to allow these connections, but without giving svchost free access to the internet.
    Is it possible to find out the services behind svchost and what they are trying to send to the internet?

    Regards,
    Tintifax
     
  2. Kobayashi maru

    Kobayashi maru Registered Member

    Joined:
    Nov 7, 2009
    Posts:
    124
    Location:
    Drivin' all night my hands wet on the wheel....
    I'm wondering why you would use the Windows firewall when your requirements are so strict. It nowhere near meets your needs.
    Not only are there all the apps themselves, there is the proliferation of ports too, and as you might expect, they are all used. You will hit frustration.

    You will learn so much more from a real firewall set to manual rule mode (disable auto-rules for 'trusted vendors' too). This will give you what you're looking for in far more depth.

    Note that if you use Avast's web scanning module, most connects should go through that.

    If you must have Windows firewall, allow svchost and be done with it, or try one of the glut of Win firewall front ends.

    Favourite is a proper firewall.
     
  3. AmazingM

    AmazingM Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    7
  4. Tintifax

    Tintifax Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    6
    Oooops! I could have found that thread by using the forum search. Sorry.
    But thanks for the link AmazingM! It will take some time to read, but I found the answers to many of my questions on the first page!

    Thanks for the info Kobayashi maru!
    Until now I'm okay with the Windows Firewall and Windows Firewall Notifier. I like the fact that you can set up rules for specific services, not only for svchost in general.
    But I have to give in that it's really hard to figure out what services behind svchost are trying to access the internet.
    I read a post by the author of Windows Firewall Notifier.
    He says that it's almost impossible to reveal a service that is hiding behind svchost when it's only running for some milliseconds.
    Maybe there's another front end for the Windows Firewall that is capable of doing this.
    But you're right. If it's getting too complicated I'll try a 3rd party firewall.
    There's no learning effect when you don't know what's going on because Windows behaves kind of mysteriously. ;)

    Concerning the Avast proxy: After I installed Avast I created a rule for AvastSvc.exe which is the proxy.
    Now I can see Firefox connect to localhost and AvastSvc connect to the internet when I enter a URL. Works just fine, and I feel like I understand how! :)

    Thanks!
     
  5. AmazingM

    AmazingM Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    7
    I'm happy to help. Enjoy your learning experience. :)
     
  6. Tintifax

    Tintifax Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    6
    Hm, I have some blocked outbound connections from svchost in the log I can't figure out what they are good for:

    1) To 0.0.0.0 Port 68.
    I know that a DHCP request is done from 0.0.0.0/68 to 255.255.255.255/67.
    So this looks like my computer wants to answer a DHCP request from any other PC in my network? But my PC is no DHCP server! Why does it answer a DHCP request?!

    2) To the default gateway, Port 137
    This is NetBIOS, right? Well, I deactivated everything that has to do with File and Printer Sharing; I even deactivated NetBIOS over TCP/IP in the IPv4 settings.

    3) To the default gateway, Port 53
    That's the most confusing block because I have a rule for DNS (UDP 53) and it works.

    Any ideas?
     
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    This is a standard DHCP broadcast that will occur at boot time or upon resume from stand-by mode. It is issued by svchost.exe and the DHCP service. You can create an outbound rule for svchost.exe and the DHCP service to allow any local IP port 68 to remote IP 255.255.255.255 port 67 and move it above any existing DHCP rules.

    If you have NetBIOS for IPv4 disabled, just disable the Network Discovery rules inbound and outbound for NB-Datagram and NB-Name. Note that these outbound requests are probably in response to inbound traffic from your router.

    These are probably coming from one or more of your apps for updating, etc. If you created outbound rules for your apps using the "program" option, you should not be seeing these since the rule will allow all necessary TCP and UDP outbound. If you're restricting the app rules by protocol, you're going to have to allow outbound UDP port 53 to your gateway, I assume. BTW - the Win 7 firewall does not use the global core DNS rule for apps. Another eye opener is that WIN 7 will use the DNSCache service outbound UDP port 5355 if port 53 is not available. These requests are usually hidden BTW.

    I gave up long ago trying to create outbound rules for the WIN 7 firewall. You will probably end up blocking critical certificate updates and other necessary outbound service requests that WIN 7 requires.
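The per-service whitelist that Tintifax describes in the first post (DNS, Windows Update, ICMPv4) and the DHCP rule itman outlines above, written out as netsh commands. This is an added example, not code from the thread or from any of the tools mentioned; the rule names, the resolver address placeholder and the port choices are assumptions. netsh is used because the New-NetFirewallRule cmdlets do not exist on Windows 7.

```powershell
# Added example (not from the thread): block-all-outbound baseline plus per-service
# allow rules for svchost.exe on Windows 7. Run from an elevated PowerShell prompt.
# Rule names, ports and the resolver address below are assumptions for this example.
$svchost = "$env:SystemRoot\System32\svchost.exe"

# Default policy: drop everything outbound that no rule allows, and log the drops
netsh advfirewall set allprofiles firewallpolicy "blockinbound,blockoutbound"
netsh advfirewall set allprofiles logging droppedconnections enable

# DHCP client (service "dhcp"): DISCOVER/REQUEST go from local port 68 to the
# broadcast address port 67 (renewals later go unicast to the DHCP server)
netsh advfirewall firewall add rule name=Svc-DHCP-Out dir=out action=allow `
    program="$svchost" service=dhcp protocol=udp localport=68 remoteport=67 `
    remoteip=255.255.255.255

# DNS client (service "dnscache"), restricted to the resolver actually in use.
# If the DNS Client service is stopped, lookups are made in-process by each
# application, and UDP 53 then has to be allowed in that program's own rule.
$dns = '192.168.1.1'   # placeholder: replace with your router/resolver address
netsh advfirewall firewall add rule name=Svc-DNS-Out dir=out action=allow `
    program="$svchost" service=dnscache protocol=udp remoteport=53 remoteip=$dns

# Windows Update: the update agent (wuauserv) talks HTTP/HTTPS, BITS fetches the files
foreach ($svc in 'wuauserv', 'bits') {
    netsh advfirewall firewall add rule name="Svc-${svc}-Out" dir=out action=allow `
        program="$svchost" service=$svc protocol=tcp remoteport="80,443"
}

# ICMPv4 echo request (type 8) so ping and tracert work; the replies are matched
# statefully, so no inbound rule is needed for them
netsh advfirewall firewall add rule name=ICMPv4-Echo-Out dir=out action=allow `
    protocol="icmpv4:8,any"

# Review what is now allowed outbound
netsh advfirewall firewall show rule name=all dir=out | Select-String 'Rule Name|Service'
```

Blocked attempts still land in %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log, which is where the entries the thread discusses come from.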
     
  8. Tintifax

    Tintifax Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    6
    Hm, but DHCP requests (DHCPDISCOVER) are sent FROM 0.0.0.0/68 (because the client has no IP address yet) TO 255.255.255.255/67 (broadcast, so any DHCP server in the same subnet will reply).
    My PC (svchost) tries to send TO 0.0.0.0/68. Is this the answer (DHCPOFFER) to a client that wants to obtain an IP address?
    Could you please explain that to me?

    Sorry, I didn't exactly understand what you mean but I made a new outbound allow rule for svchost, DHCP-Client Service, to any IP with any Protocol. Still get these entries in the log.

    I disabled these rules when I started setting up my Firewall one week ago. Nevertheless these entries appear in the log.

    I don't think so because EVERY inbound rule is deactivated. Or did I misunderstand something?

    Right, that's why I made a rule for DNS for EVERY program, but restricted to the DNS server's IP address, one week ago. Nevertheless I have blocked connections in the log.

    I have disabled the DNSCache Service because I have a DNS-Server running on my router/modem which responds very quickly, so no need for caching. But thanks, good to know!

    Well, I can understand that. It can get really troublesome, but I haven't given up yet! :)

    What for example? What happens if certificates aren't updated? What could be necessary service requests?

    Sorry for so many questions.
     
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    This has been recommended before when the topic of creating outbound WIN 7 firewall rules came up, so I will suggest it again.

    Download Sphinx's Windows Firewall Control and use it to set up your outbound rules. Once that is done, you can use those rules as a guide for setting up your WIN 7 firewall outbound rules. You can then uninstall the Sphinx software.
     
  10. Tintifax

    Tintifax Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    6
    Okay, because I couldn't figure out what processes wanted to access the default gateway on port 137 and 0.0.0.0 on port 68, I disabled
    the DHCP Client service and set up a static IP, and now both connection attempts are gone! Nice!
    But there are still blocked connections from svchost.exe, consent.exe and rundll32.exe to some Microsoft related servers.
    Sorry, but Sphinx's Firewall Control is no help here because it doesn't tell me what service is trying to access the internet,
    it just says "svchost.exe". That's the same information I get from the Eventlog.
    Any ideas how to figure out what service is hiding behind svchost?

    Can anybody tell me what can happen if certificates aren't updated? And what "necessary service requests" could be?
     
  11. jnthn

    jnthn Registered Member

    Joined:
    Sep 22, 2010
    Posts:
    185

    Try Binisoft's Windows Firewall Control v4, which would show you which process ID the blocked connections from svchost.exe are from; then cross-reference the PID with Process Hacker or Process Explorer to verify which service is causing the connect-outs. Most PIDs for svchost are associated with multiple services though, so this method isn't perfect.
     

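The PID cross-reference jnthn describes can be scripted on Windows 7 itself, without a third-party front end. This is an added example, not code from the thread or from Windows Firewall Control; it assumes that failure auditing for the "Filtering Platform Connection" subcategory has been switched on (the auditpol line in the comments), because the firewall's own pfirewall.log carries no PID while Security event 5157 does.

```powershell
# Added example (not from the thread): attribute blocked outbound connections to the
# service(s) running inside the svchost.exe instance that made them. Enable the audit
# once from an elevated prompt, then run this script elevated (Windows 7, PS 2.0+):
#   auditpol /set /subcategory:"Filtering Platform Connection" /failure:enable

$protoName = @{ 1 = 'ICMPv4'; 6 = 'TCP'; 17 = 'UDP'; 58 = 'ICMPv6' }

# Event 5157 = "The Windows Filtering Platform has blocked a connection"
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5157 } `
              -MaxEvents 500 -ErrorAction SilentlyContinue

$rows = foreach ($ev in $events) {
    # Pull the named EventData fields out of the event XML
    $xml = [xml]$ev.ToXml()
    $d = @{}
    foreach ($item in $xml.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }

    # %%14593 is Outbound in event 5157 (inbound drops are %%14592)
    if ($d['Direction'] -ne '%%14593') { continue }

    # Map the PID to the services hosted in that process. A short-lived svchost
    # (the case the Windows Firewall Notifier author describes) may already be gone.
    $procId = [int]$d['ProcessID']
    $svcs = @(Get-WmiObject Win32_Service -Filter "ProcessId = $procId" |
              ForEach-Object { $_.Name })
    if ($svcs.Count -eq 0) { $svcs = @('<process already exited>') }

    $proto = [int]$d['Protocol']
    if ($protoName.ContainsKey($proto)) { $proto = $protoName[$proto] }

    New-Object PSObject -Property @{
        Time     = $ev.TimeCreated
        ProcId   = $procId
        Services = ($svcs -join ', ')
        Protocol = $proto
        Remote   = "$($d['DestAddress']):$($d['DestPort'])"
        Image    = $d['Application']   # device path, e.g. \device\harddiskvolume1\windows\system32\svchost.exe
    }
}

$rows | Sort-Object Time -Descending |
    Format-Table Time, ProcId, Services, Protocol, Remote, Image -AutoSize -Wrap
```

For a one-off check of a PID that is still alive, `tasklist /svc /fi "PID eq <n>"` gives the same process-to-services mapping interactively.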

  12. Tintifax

    Tintifax Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    6
    Oh, sounds nice! Will give it a try.
    Thanks!
     
  13. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,184
    Installing TinyWall could be another option. It uses Windows firewall, but disables all the built in rules. The TW rules for DHCP Client, DNS Client, Network Discovery, Time Sync, Windows Update, Filtered ICMP Traffic can be inspected in the Windows firewall rules.

    Disable your internet connection.
    Export your application rules and then delete them. Uncheck also the above mentioned, except the one you are interested in, and go see the corresponding rules in the Windows firewall.

    Once done, check those all and import your application rules back. Easy :)
     