I've been doing some back and forth with SpyShelter support and would like to now answer my own questions regarding the firewall. This issue was based in the fact that I ticked for the zone to include ICMP. When ICMP is enabled for a zone then if it's trusted all ICMP traffic will be allowed and if it's blocked then all ICMP traffic will be blocked, regardless of the limitations of the rule ( example above trusted a specific subnet yet I was allowed to ping 22.214.171.124 If you check ICMP checkbox and zone is trusted it will be allowed for ANY IP If you check ICMP checkbox and zone is blocked it will be blocked for ANY IP According to support the zone list has a priority based on which was created last, latest = highest priority. Haven't tested this. There was an issue with my testing methodology here. Basically whenever Tixati is listening to a port it will show an alert if it can't listen to that port. I assumed that the lack of such an alert = it could accept incoming traffic. I don't think that's true but I can't confirm it yet. The issue here is reliable testing methodology, mainly because I haven't been able to reliably get another torrent client to connect to me in such a way that port forwarding would be relevant. I have confirmed that the incoming port is working for the intended port but results are inconclusive for unintended ports as I can't be certain whether no one was allowed to connect to it, or if no one simply tried to.. Besides that I'm not sure I share the opinion on SpyShelter support, while certain answers could have been more fleshed out I still received several answers of considerable length and overall I think the support was good. And, for me at least, better than what it's made out to be here. Edit: (Unrelated to the above) it seems like SpyShelter is giving me bluescreens with Windows 10 Anniversary Update. Had to uninstall it until it's fixed. Reported to SpyShelter with dump.