PrivateFirewall - can rules be trusted?

Discussion in 'other firewalls' started by Frank648, Jun 22, 2012.

Thread Status:
Not open for further replies.
  1. Frank648

    Frank648 Registered Member

    Joined:
    Nov 16, 2005
    Posts:
    96
    Hi all,

    my trust in PFW-rules are somewhat disturbed after checking the Applications window.
    This claims to show apps that attempted to access the Internet.

    As an example in the screen capture
    - AIDA64 attempted outgoing connection and was set to blocked (Deny).
    - The Application rules window for AIDA64 however shows it as Allow UDP...
    - The Add/Edit Rule window belonging to AIDA64 says "This rule will Allow traffic"

    OK, this all is for UDP(17) but belongs to a rule which is set to DENY.

    I would expect a "Deny" in every window belonging to AIDA64.
    There are more rules like that.
    Some rules set to Deny are completely empty when double clicking.
    Others like Outlook Express i.E. happily show 7 entries allowed, even
    though the main rule is set to Deny.

    Are those rules sneaking out behind my back?
    Using WinXP and Win7 Ult

    PFW-rules-1.jpg

    Apologies for poor capture
     
  2. Blues7

    Blues7 Registered Member

    Joined:
    May 11, 2009
    Posts:
    858
    Location:
    Blue Ridge Mountains
    I would do a test if I were you.

    Leave the individual settings as they are but just make sure that you have right clicked the app within the "Applications" tab and selected "set all rules to deny traffic".

    Then, go to "advanced settings" and ensure that the app is not allowed to act as a "parent" and reach the net via another trusted app.

    After you've done this, try to have the app you've selected connect to the internet and let us (and perhaps the good folks at Privacyware) know the results.


    I suspect that your settings for PrivateFirewall (default, manual, etc) allowed the program you are referring to to be installed as trusted/allowed and thus the permissive rules were granted. However, after following the steps outlined above it should not be able to connect out.

    You can also right click on the app within "Applications" and click "remove" which will mean that when you run it next time it should alert to the outbound connection attempt (assuming you have that option selected in your "settings"). There are a variety of ways to achieve the same goal.
     
    Last edited: Jun 22, 2012
  3. Blues7

    Blues7 Registered Member

    Joined:
    May 11, 2009
    Posts:
    858
    Location:
    Blue Ridge Mountains
    Out of curiosity I just ran a test of my own...I used the application "hostsman" which updates your hosts file from a variety of available online subscriptions.

    In the "Process Monitor" tab hostsman is set to "filter" (yellow).

    In the "Applications" tab I set it to "set all rules to deny traffic".

    If I double click hostsman in "Applications", the two existing rules (UDP & TCP) are both referring to allowing the connections.

    Hostsman is not listed in "advanced settings" as a parent. (If it were, I'd have set it to block/deny).

    Okay...

    So I opened hostsman, tried to connect out and download updated hosts lists and could not connect. I checked the firewall log and it showed that the app was blocked based upon rules that I had set for the application.

    Looks like it works as intended. :thumb:
     
  4. Frank648

    Frank648 Registered Member

    Joined:
    Nov 16, 2005
    Posts:
    96
    @Blues7

    Thank you for replying.

    All programs in Process Monitor are Filter or Allow.
    Any program trying to access the Internet was either allowed or blocked.

    The Application Tab shows those programs, I don't want to get out, as "Set All rules to Deny Traffic".
    In the "Advanced Application Settings" most of the denied programs don't show up under the Parents-Tab.
    The ones that did (green), I set to "Deny Access" (red).

    I have not changed anything in "Advanced Application Settings - Processes".
    The entries are all green and probably should be.

    Testing it:
    So far, no program got out and was blocked trying to do so :thumb:

    Well,
    it is kind of confusing, if a program is set to deny access and still shows allowed when double clicking it.

    My trust in PFW comes back up to light green but will keep me alert.
     
  5. Blues7

    Blues7 Registered Member

    Joined:
    May 11, 2009
    Posts:
    858
    Location:
    Blue Ridge Mountains
    Frank, my guess (and it's only a guess) is that when you modify the rules in a blanket fashion (such as set all rules to allow or deny or filter) it's referring to all the rules as already set for the app (which are visible when you double click the entry).

    I agree that the language can leave some question in your mind but the effect of the change in setting would be to:

    Allow all the rules as presently listed and set

    Deny all the rules as presently listed and set

    Filter all the rules as presently listed and set

    You can of course create or modify those rules individually by customizing them further...but the beauty of the system (to my mind) is that if you change your mind and set back to "allow" or "filter"...you don't have to figure out and recreate all the rules that had already been established.

    I may be off in my theory but that's my read.

    I do know that Greg Salvato has told me on numerous occasions that revamping the GUI is on their list of things to get done...but getting ready for Windows 8 is apparently their top priority at the moment so we'll just have to be patient in the meantime.

    Oh, and you're very welcome. :cool:
     
    Last edited: Jun 22, 2012
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    Application rule behavior depends on what mode PF is running in; Standard or Manual.

    I suspect you are running in Manual mode? If so when you receive a popup alert, one of the alert options is "Remember my answer." If you don't click on that option, PF will only create a "temporary" rule in effect until you re-boot your PC. As I recall, this temporary rule is not shown for the application in question. Hence the rule behavior you are observing.
     
  7. Blues7

    Blues7 Registered Member

    Joined:
    May 11, 2009
    Posts:
    858
    Location:
    Blue Ridge Mountains
    Frank, I wrote to Greg Salvato earlier today to check and make sure that I wasn't off-base in my reply to you (quoted above).

    Here's an excerpt from Greg's email to me after his having the chance to read your concerns and my replies to you:

    Sounds like Greg and staff may try to address the matter in a future version to make it clearer from the get-go. :thumb:
     
  8. Frank648

    Frank648 Registered Member

    Joined:
    Nov 16, 2005
    Posts:
    96
    Thank you for following up on my concern, Blues7
    Your help is much appreciated :thumb:
     
  9. Blues7

    Blues7 Registered Member

    Joined:
    May 11, 2009
    Posts:
    858
    Location:
    Blue Ridge Mountains
    Happy to do it and it helps us all learn as we go. :cool: :thumb:
     
Loading...
Thread Status:
Not open for further replies.