PrivateFirewall - can rules be trusted?

Discussion in 'other firewalls' started by guest, Jun 22, 2012.

Thread Status:
Not open for further replies.
  1. guest

    guest Guest

    Hi all,

    My trust in PFW rules is somewhat disturbed after checking the Applications window.
    This claims to show apps that attempted to access the Internet.

    As an example in the screen capture
    - AIDA64 attempted outgoing connection and was set to blocked (Deny).
    - The Application rules window for AIDA64 however shows it as Allow UDP...
    - The Add/Edit Rule window belonging to AIDA64 says "This rule will Allow traffic"

    OK, this all is for UDP(17) but belongs to a rule which is set to DENY.

    I would expect a "Deny" in every window belonging to AIDA64.
    There are more rules like that.
    Some rules set to Deny are completely empty when double clicking.
    Others, e.g. Outlook Express, happily show 7 entries allowed, even
    though the main rule is set to Deny.

    Are those rules sneaking out behind my back?
    Using WinXP and Win7 Ult

    PFW-rules-1.jpg

    Apologies for poor capture
     
  2. Blues7

    Blues7 Registered Member

    Joined: May 11, 2009 | Posts: 870 | Location: 2500'

    I would do a test if I were you.

    Leave the individual settings as they are but just make sure that you have right clicked the app within the "Applications" tab and selected "set all rules to deny traffic".

    Then, go to "advanced settings" and ensure that the app is not allowed to act as a "parent" and reach the net via another trusted app.

    After you've done this, try to have the app you've selected connect to the internet and let us (and perhaps the good folks at Privacyware) know the results.


    I suspect that your settings for PrivateFirewall (default, manual, etc) allowed the program you are referring to to be installed as trusted/allowed and thus the permissive rules were granted. However, after following the steps outlined above it should not be able to connect out.

    You can also right click on the app within "Applications" and click "remove" which will mean that when you run it next time it should alert to the outbound connection attempt (assuming you have that option selected in your "settings"). There are a variety of ways to achieve the same goal.
     
    Last edited: Jun 22, 2012
  3. Blues7

    Blues7 Registered Member

    Out of curiosity I just ran a test of my own...I used the application "hostsman" which updates your hosts file from a variety of available online subscriptions.

    In the "Process Monitor" tab hostsman is set to "filter" (yellow).

    In the "Applications" tab I set it to "set all rules to deny traffic".

    If I double click hostsman in "Applications", the two existing rules (UDP & TCP) are both referring to allowing the connections.

    Hostsman is not listed in "advanced settings" as a parent. (If it were, I'd have set it to block/deny).

    Okay...

    So I opened hostsman, tried to connect out and download updated hosts lists and could not connect. I checked the firewall log and it showed that the app was blocked based upon rules that I had set for the application.

    Looks like it works as intended. :thumb:
     
  4. guest

    guest Guest

    @Blues7

    Thank you for replying.

    All programs in Process Monitor are Filter or Allow.
    Any program trying to access the Internet was either allowed or blocked.

    The Application Tab shows those programs I don't want to get out as "Set All rules to Deny Traffic".
    In the "Advanced Application Settings" most of the denied programs don't show up under the Parents-Tab.
    The ones that did (green), I set to "Deny Access" (red).

    I have not changed anything in "Advanced Application Settings - Processes".
    The entries are all green and probably should be.

    Testing it:
    So far, no program got out and was blocked trying to do so :thumb:

    Well,
    it is kind of confusing, if a program is set to deny access and still shows allowed when double clicking it.

    My trust in PFW comes back up to light green but will keep me alert.
     
  5. Blues7

    Blues7 Registered Member

    Frank, my guess (and it's only a guess) is that when you modify the rules in a blanket fashion (such as set all rules to allow or deny or filter) it's referring to all the rules as already set for the app (which are visible when you double click the entry).

    I agree that the language can leave some question in your mind but the effect of the change in setting would be to:

    Allow all the rules as presently listed and set

    Deny all the rules as presently listed and set

    Filter all the rules as presently listed and set

    You can of course create or modify those rules individually by customizing them further...but the beauty of the system (to my mind) is that if you change your mind and set back to "allow" or "filter"...you don't have to figure out and recreate all the rules that had already been established.

    I may be off in my theory but that's my read.

    I do know that Greg Salvato has told me on numerous occasions that revamping the GUI is on their list of things to get done...but getting ready for Windows 8 is apparently their top priority at the moment so we'll just have to be patient in the meantime.

    Oh, and you're very welcome. :cool:
     
    Last edited: Jun 22, 2012
  6. itman

    itman Registered Member

    Joined: Jun 22, 2010 | Posts: 8,593 | Location: U.S.A.

    Application rule behavior depends on what mode PF is running in; Standard or Manual.

    I suspect you are running in Manual mode? If so, when you receive a popup alert, one of the alert options is "Remember my answer." If you don't click on that option, PF will only create a "temporary" rule in effect until you re-boot your PC. As I recall, this temporary rule is not shown for the application in question. Hence the rule behavior you are observing.
     
  7. Blues7

    Blues7 Registered Member

    Frank, I wrote to Greg Salvato earlier today to check and make sure that I wasn't off-base in my reply to you (quoted above).

    Here's an excerpt from Greg's email to me after his having the chance to read your concerns and my replies to you:

    Sounds like Greg and staff may try to address the matter in a future version to make it clearer from the get-go. :thumb:
     
  8. guest

    guest Guest

    Thank you for following up on my concern, Blues7
    Your help is much appreciated :thumb:
     
  9. Blues7

    Blues7 Registered Member

    Happy to do it and it helps us all learn as we go. :cool: :thumb:
     