Windows 11: What processes necessarily need connection or access to the network?

Discussion in 'other firewalls' started by Decopi, Apr 10, 2022.

  1. Decopi

    Decopi Registered Member

    Joined:
    May 13, 2017
    Posts:
    89
    Location:
    USA
    As explained in previous comments, the goal here is not to use firewall rules as the "ultimate antivirus/antimalware".
    My intention is to use firewall rules as a privacy/security layer.

    Firewalls alone can never stop all the malicious scripts, viruses, malware etc.
    But hardened firewalls may reduce/minimize the range/spectrum of attack, and as a firewall software Dev you know that better than me.

    I'm an ignorant on the subject. But I'm a fast learner.
    And thanks to the help I received here and on other forums, I discovered that firewalls are kind of undervalued. And IMHO that has nothing to do with firewalls themselves, the problem is "lazy users" (who don't want to spend time learning how to configure or harden firewalls). It's not easy to harden firewall rules. Firewall software is also not helping here, IMHO it's too binary: either it totally blocks stuff, or it totally allows stuff... and this is not good for average users. Another problem of firewall software (IMHO) is that it is focused on security or on privacy, but not on both; it doesn't offer friendly options to deal with firewall security and privacy as separate settings that still work in a complementary way.

    In short, the general idea in this post is to find a way of hardening firewall rules, as a better privacy/security layer, but with the minimal settings offering the maximum privacy/security, in a friendly way understandable for average users.
     
  2. Decopi

    Decopi Registered Member

    Joined:
    May 13, 2017
    Posts:
    89
    Location:
    USA
    I'm working with a group of users in different countries, so I can't use IPs in firewall rules.
    I can use only protocols, in, out, port and similar settings.
     
  3. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,432
    Location:
    Slovakia
    Sure, it can be used for communications, just like ICMP, but not for downloads. Thus the reason I do not allow UDP for ports 1-1024, since those ports are used by default services and malware can try to hide within them.
    Again, it is not about blocking everything, but limiting the exposure.
     
  4. RioHN

    RioHN Registered Member

    Joined:
    Mar 14, 2017
    Posts:
    117
    Location:
    Here
    I was thinking more about data exfiltration, but file transfers are also possible via UDP. I understand your point though, limiting exposure.
     
  5. RioHN

    RioHN Registered Member

    Joined:
    Mar 14, 2017
    Posts:
    117
    Location:
    Here
    In the case of DNS it isn't a huge issue as you could all use the same DNS servers. For windows updates etc I understand you're limited.
     
  6. Decopi

    Decopi Registered Member

    Joined:
    May 13, 2017
    Posts:
    89
    Location:
    USA
    Thank you for your help.

    I would say that I need steps to achieve what I want.
    My first step is to define if I'm going to use DNS-client enabled or disabled.
    DNS-client enabled needs firewall rules for svchost processes.
    DNS-client disabled needs firewall rules for UDP in and out (for allowed programs).
    In both cases I'm limited by my ignorance, by the ignorance of my work group, and I can only use firewall rules with protocols (TCP/UDP), in/out, ports etc.
     
  7. Decopi

    Decopi Registered Member

    Joined:
    May 13, 2017
    Posts:
    89
    Location:
    USA
    Hi @TairikuOkami ,

    Firstly, and just as a reminder, my firewall software's golden rule is "deny everything" by default.
    Few Windows processes (Windows Update and Time) are allowed, and specific apps/programs are allowed (internet/network access).
    My allowed stuff has TCP OUT 443.
    I use DNSCrypt. So, I disabled DNS-client Windows service, which forced me to allow UDP IN/OUT 53 for the allowed stuff (if I don't allow UDP IN/OUT 53, apps/programs don't work). I may be wrong, but I prefer to allow UDP IN/OUT 53 for specific apps/programs, instead of allowing UDP OUT 53 to all svchost processes (when DNS-client Windows service is enabled).

    In my tests these settings are not causing catastrophic events.
    I can see tons of blocked internet/network requests, and I experience some delayed responses from few apps/programs. But nothing breaks. Even with tons of blocked requests, things work, and allowed apps/programs manage to connect to the internet.

    I'm aware that my setup is not as efficient as yours. But I can't use IPs, I can only use protocols, in/out and ports.
    I'm also aware that my setup may be negatively affecting connections that are beneficial. Due to my ignorance, unfortunately I don't know where, when or how to customize these beneficial connections. It's the price I pay for my setup. I can only say that visually I have not experienced any catastrophe with my setup.
    Question: Please, what is your opinion about my setup? Would you improve something? Would you permit or restrict something?

    I'm analyzing a different approach:
    - Deny all accesses by default
    - Allow all IN/OUT TCP 25 (SMTP), 110 (POP email accounts), 143 (IMAP email accounts), 443 (secure Web server), 587 (SMTP)
    - Allow all IN/OUT UDP 53 (DNS lookups)... if DNS-client Windows service is disabled.
    Please, what is your opinion about this second approach? It's more permissive, it blocks far fewer things, maybe fewer beneficial connections are broken, things work better (fewer delayed responses) etc... but I don't know if this permissiveness is efficient for improving security/privacy (the original goal of my intention to harden the firewall).

    Please, I would appreciate your helpful opinions.
    Thank you!
     
  8. RioHN

    RioHN Registered Member

    Joined:
    Mar 14, 2017
    Posts:
    117
    Location:
    Here
    Out of interest, is your main worry targeted attacks due to your work? Or are you trying to secure yourself in the event you're randomly compromised like anyone else would be?
     
  9. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,432
    Location:
    Slovakia
    Why would you allow those? They are used for unencrypted emails, sent in plain text available for anyone to see en route. You should set up your email client to use encrypted emails only, you will most likely need to install OpenSSL.

    https://www.siteground.com/tutorials/email/protocols-pop3-smtp-imap

    That seems reasonable and it will mitigate many exploits.
     
  10. Decopi

    Decopi Registered Member

    Joined:
    May 13, 2017
    Posts:
    89
    Location:
    USA
    Understood. Thank you.
    My second approach (please see my previous message) was suggested to me (in other forum) by "an expert" in firewall rules.
    But I totally agree with your comment, it's like TCP 80, and I prefer 100% encrypted, so no 80, 25, 110.
    Please, what about 143 (IMAP email accounts) and 587 (SMTP)? To keep or not to keep?

    Please just to be clear, is it possible to infer that you "approve" my first approach (previous message)?:
    - Deny all by default
    - Allow few Window services, apps and programs
    - TCP out 443 for allowed stuff
    - DNSClient Windows service disabled => UDP IN/OUT 53 for allowed stuff
    - DNSCrypt
    I know in advance that my approach is far from perfect. But would you say that my approach is enough for my context? (Hardened firewall for group of ignorant users, IPs can't be used).

    Thanks to your help @TairikuOkami I'm almost achieving my goal.
    I just need to polish the final details.
    Please, I count on you in my final steps.
    Thank you for your patience.
     
  11. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,432
    Location:
    Slovakia
    Right, 143 is also unencrypted, but 587 is fine when coupled with encryption, make sure it is, because it might not be. You could use 465, but not all providers might support it.

    Yes, technically you are already more secure than the rest, since hardly anyone in the world actually uses a firewall for outbound control besides enterprises, so hackers/malware do not really expect that, unless you are in a targeted attack.
     
  12. Decopi

    Decopi Registered Member

    Joined:
    May 13, 2017
    Posts:
    89
    Location:
    USA
    Great! I'll keep only 465. Thank you.

    Wow, coming from you, your opinion means a lot for me. Thank you.

    Final question (I promise!):
    Firefox is the only browser requesting lots of connections at fresh startup. Due to my setup, most of these Firefox requests are blocked, but everything seems to work fine. You already kindly explained to me the Firefox TCP loopback issue, I can superficially understand the concept, but I have no clue how to solve this issue in my firewall rules. I saw the image you posted with your settings for Firefox. I wonder, is it possible (in my setup) to allow Firefox non-443 TCP OUT requests in a more restricted way than your Firefox firewall rule?

    Final words: In my blocked-requests log, at Firefox startup lots of "Remote Addresses" appear like 127.0.0.1, or [::1], or 255.255.255.255, or [ff02::1:2], most of them are TCP OUT, some of them are UDP IN/OUT, but all of them are requests to connect to ports other than 443 and 53. All these "Remote Addresses" seem to me to be System "Remote Addresses". But as I said, everything is blocked in my setup, and even blocked, everything seems to work.
    My question, please, is how to deal with "Remote Addresses" like 127.0.0.1, or [::1], or 255.255.255.255, or [ff02::1:2], for Firefox or for any other app/program? Are these "Remote Addresses" harmless? To allow all of them? To block? If I allow, what are the right ports for these "Remote Addresses"? Allow IN/OUT? Just OUT? TCP? UDP? Etc?

    Thanks once again!
     
    Last edited: May 21, 2022
  13. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,918
    AFAIR I already wrote that some processes use localhost for internal communication, that's why the remote address 127.0.0.1 is listed at your place.

    It's
    localhost:port -> localhost:port+1 to send
    and vice versa
    localhost:port -> localhost:port-1 to receive

    Firefox UDP is always outbound to WAN.

    Seriously? 443 is HTTPS = SSL, have fun blocking it.
    Or just a typo?
     
    Last edited: May 21, 2022
  14. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,432
    Location:
    Slovakia
    Go to about:config and search - quic and mDNS - set them to false - restart Firefox. Quic will still try to make connections though. There might be a way to disable it completely.

    Firefox works fine using just TCP Out 443. Probably only the TOR version needs TCP loopback now. To avoid DNS requests (UDP), set up DoH within Firefox.
     
  15. Decopi

    Decopi Registered Member

    Joined:
    May 13, 2017
    Posts:
    89
    Location:
    USA
    Understood. Thank you @TairikuOkami .

    Please I'll appreciate a lot if by chance you can answer the last part of my question:

    127.0.0.1, or [::1], or 255.255.255.255, or [ff02::1:2], all these "Remote Addresses" seem to be System "Remote Addresses". But as I said, everything is blocked in my setup, and even blocked, everything seems to work.
    My question, please, is how to deal with "Remote Addresses" like 127.0.0.1, or [::1], or 255.255.255.255, or [ff02::1:2], for any app/program?
    Are these "Remote Addresses" harmless?
    To allow all of them? To block?
    If I allow, what are the right ports for these "Remote Addresses"? Allow IN/OUT? Just OUT? TCP? UDP? Etc?
     
  16. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,009
    Location:
    Member state of European Union
    DoH in some implementations and configurations needs bootstrapping - I mean they have the domain of the DoH server without an IP address. That domain must be resolved at the beginning before it can be used. I don't think there is any harm in enabling UDP port 53 out while still configuring the browser to use DoH. Just hardcode the IP address of the plaintext DNS servers in that outbound UDP 53 rule.
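The deny-by-default policy Decopi lays out in posts 7 and 10, plus the resolver-pinned UDP 53 bootstrap rule reasonablePrivacy suggests just above, written out as an added example against Windows Defender Firewall. This is not code from the thread, and Decopi's own firewall software is never named, so treat it as the equivalent policy in Microsoft's firewall. The "Hardened-" rule-name prefix, every program path, the service names used to scope svchost.exe and the placeholder resolver address are assumptions to adapt before running it in an elevated PowerShell.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the thread. Decopi's deny-by-default policy (posts 7/10)
# and the resolver-pinned DoH bootstrap rule (post 16) as Windows Defender Firewall rules.
# Assumptions: the "Hardened-" rule-name prefix, every program path, and the resolver
# address in the bootstrap rule. Run in an elevated PowerShell.

$Prefix  = 'Hardened-'                                  # assumption: lets us find our own rules later
$SvcHost = "$env:SystemRoot\System32\svchost.exe"

function Remove-HardenedRules {
    # Drop only the rules this script created; the built-in "Core Networking" rules stay.
    Get-NetFirewallRule -DisplayName "$Prefix*" -ErrorAction SilentlyContinue | Remove-NetFirewallRule
}

function Set-DenyByDefault {
    # 1) Deny all by default, both directions, every profile. Outbound blocking is the
    #    part that, as post 11 says, hardly anyone outside enterprises turns on.
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Block
}

function Add-HttpsOut {
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][string]$Program)
    # 3) An allowed program gets TCP OUT 443 and nothing else; no remote addresses,
    #    which keeps to the "no IPs" constraint in post 2.
    New-NetFirewallRule -DisplayName "$Prefix$Name TCP443-out" -Direction Outbound -Action Allow `
        -Program $Program -Protocol TCP -RemotePort 443 | Out-Null
}

function Add-LocalDnsOut {
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][string]$Program)
    # 4) With the DNS Client service disabled, each allowed program talks to the
    #    dnscrypt-proxy listener on 127.0.0.1:53 itself (post 7). Loopback is a fixed
    #    address on every machine, so pinning it does not break the "no IPs" rule.
    New-NetFirewallRule -DisplayName "$Prefix$Name UDP53-loopback" -Direction Outbound -Action Allow `
        -Program $Program -Protocol UDP -RemoteAddress 127.0.0.1 -RemotePort 53 | Out-Null
}

function Add-WindowsServiceRules {
    # 2) The Windows components Decopi allows, Windows Update and Windows Time, both live in
    #    svchost.exe, so scope by -Service instead of allowing every svchost instance.
    #    Caveat: Windows Update also downloads through BITS / Delivery Optimization; if updates
    #    stall, those services are what to look for in the block log.
    New-NetFirewallRule -DisplayName "${Prefix}WindowsUpdate TCP443-out" -Direction Outbound -Action Allow `
        -Program $SvcHost -Service wuauserv -Protocol TCP -RemotePort 443 | Out-Null
    New-NetFirewallRule -DisplayName "${Prefix}W32Time UDP123-out" -Direction Outbound -Action Allow `
        -Program $SvcHost -Service W32Time -Protocol UDP -RemotePort 123 | Out-Null
    # DHCP lease traffic is what the 255.255.255.255 entries in the block log are (post 20).
    # Windows Defender Firewall ships "Core Networking" rules for it; a third-party firewall
    # in deny-by-default mode needs this explicit one.
    New-NetFirewallRule -DisplayName "${Prefix}DHCP UDP67-out" -Direction Outbound -Action Allow `
        -Program $SvcHost -Service Dhcp -Protocol UDP -LocalPort 68 -RemotePort 67 | Out-Null
}

function Add-DohBootstrap {
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][string]$Program,
          [Parameter(Mandatory)][string[]]$ResolverAddress)
    # Post 16: a browser set to DoH still has to resolve the DoH server's own hostname once.
    # Allow plaintext UDP 53 out only to the resolver(s) you chose, not to the whole Internet.
    New-NetFirewallRule -DisplayName "$Prefix$Name UDP53-bootstrap" -Direction Outbound -Action Allow `
        -Program $Program -Protocol UDP -RemotePort 53 -RemoteAddress $ResolverAddress | Out-Null
}

# ---- apply; the paths and the resolver below are assumptions, edit them first ----
Remove-HardenedRules
Set-DenyByDefault
Add-WindowsServiceRules

# dnscrypt-proxy talks to its upstream resolvers on 443: TCP for DoH, and the DNSCrypt
# protocol itself usually over UDP, so it gets both protocols out on 443.
$DnsCrypt = 'C:\Tools\dnscrypt-proxy\dnscrypt-proxy.exe'           # assumed path
Add-HttpsOut -Name 'dnscrypt-proxy' -Program $DnsCrypt
New-NetFirewallRule -DisplayName "${Prefix}dnscrypt-proxy UDP443-out" -Direction Outbound -Action Allow `
    -Program $DnsCrypt -Protocol UDP -RemotePort 443 | Out-Null

$Firefox = 'C:\Program Files\Mozilla Firefox\firefox.exe'           # assumed path
Add-HttpsOut    -Name 'Firefox' -Program $Firefox
Add-LocalDnsOut -Name 'Firefox' -Program $Firefox
# Only if Firefox is switched to DoH (post 14) and the resolver can be fixed; 9.9.9.9 is a placeholder.
# Add-DohBootstrap -Name 'Firefox' -Program $Firefox -ResolverAddress '9.9.9.9'
```

Two design notes. Windows Defender Firewall is stateful, so the reply to an allowed outbound UDP 53 query is matched to that flow and no separate inbound rule is needed; a firewall that judges UDP packet by packet is where Decopi's "UDP IN 53" rule comes from. And scoping the svchost.exe rules with `-Service` is what keeps "allow Windows Update" from turning into "allow every service that happens to run inside svchost.exe".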
     
  17. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,432
    Location:
    Slovakia
    [::1] is 127.0.0.1 but in IPv6. 255.255.255.255 or 0.0.0.0 is something similar to loopback, you are sending requests to yourself. Disabling mDNS might stop it.

    https://en.wikipedia.org/wiki/Broadcast_address - https://en.wikipedia.org/wiki/Localhost

    There is your answer then. Besides, since you are using DNSCrypt, it is probably allowed anyway, the firewall just picks it up.

    You can disable multicast within Windows as well.
    Code:
    rem Disable Multicast/mDNS repeater / https://f20.be/blog/mdns
    rem Stops the DNS Client service from sending and answering mDNS queries (224.0.0.251 / ff02::fb)
    reg add "HKLM\System\CurrentControlSet\Services\Dnscache\Parameters" /v "EnableMDNS" /t REG_DWORD /d "0" /f
    rem Same as the group policy "Turn off multicast name resolution" (LLMNR)
    reg add "HKLM\Software\Policies\Microsoft\Windows NT\DNSClient" /v "EnableMulticast" /t REG_DWORD /d "0" /f
    I also disable IPv6 to avoid its traffic completely, but depending on your connection or apps, you might need it.
    Code:
    rem Disable the IPv6-over-IPv4 transition tunnels first
    netsh int ipv6 isatap set state disabled
    netsh int teredo set state disabled
    netsh interface ipv6 6to4 set state state=disabled undoonstop=disabled
    rem 0xFF (255) disables every IPv6 component except the loopback interface; takes effect after a reboot
    reg add "HKLM\System\CurrentControlSet\Services\Tcpip6\Parameters" /v "DisabledComponents" /t REG_DWORD /d "255" /f
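A read-only check for the two snippets above, added here as an example and not part of TairikuOkami's post: it compares the registry values the reg add lines set against what is actually present, reads the configured state of the three transition technologies back from netsh, and lists any IPv6 addresses still configured. The only inputs are the expected values, taken straight from the commands above.

```powershell
# Added example, not from the thread: verify the mDNS/LLMNR and IPv6 hardening above.
# Read-only, no elevation required. Expected values come from the reg add lines.

function Test-MulticastIPv6Hardening {
    $checks = @(
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'; Name = 'EnableMDNS';         Expected = 0   }
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient';      Name = 'EnableMulticast';    Expected = 0   }
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters';   Name = 'DisabledComponents'; Expected = 255 }
    )
    foreach ($c in $checks) {
        # The Policies key does not exist until something creates it; "absent" means "not hardened".
        $item   = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $actual = $null
        if ($null -ne $item) { $actual = $item.($c.Name) }
        $shown  = 'absent'
        if ($null -ne $actual) { $shown = $actual }
        [pscustomobject]@{
            Value    = $c.Name
            Expected = $c.Expected
            Actual   = $shown
            Ok       = ($actual -eq $c.Expected)
        }
    }
}

function Get-TransitionTechState {
    # netsh prints text only. Teredo reports its configured state on the "Type" line
    # (its "State" line is runtime status such as offline); ISATAP and 6to4 use "State".
    $techs = @(
        @{ Name = 'isatap'; Args = 'int', 'ipv6', 'isatap', 'show', 'state'; Line = 'State' }
        @{ Name = 'teredo'; Args = 'int', 'teredo', 'show', 'state';         Line = 'Type'  }
        @{ Name = '6to4';   Args = 'int', 'ipv6', '6to4', 'show', 'state';   Line = 'State' }
    )
    foreach ($t in $techs) {
        $text  = (& netsh $t.Args 2>&1) -join "`n"
        $value = 'unknown'
        if ($text -match "(?im)^\s*$($t.Line)\s*:\s*(\S+)") { $value = $Matches[1] }
        [pscustomobject]@{ Technology = $t.Name; Configured = $value; Ok = ($value -eq 'disabled') }
    }
}

Test-MulticastIPv6Hardening | Format-Table -AutoSize
Get-TransitionTechState     | Format-Table -AutoSize
# DisabledComponents only applies after a reboot; anything listed here besides ::1 means it has not applied yet.
Get-NetIPAddress -AddressFamily IPv6 -ErrorAction SilentlyContinue |
    Select-Object InterfaceAlias, IPAddress, PrefixOrigin | Format-Table -AutoSize
```

Run it once before and once after applying the snippets (and again after the reboot for the IPv6 part); a row with Ok = False tells you which of the three commands did not take, which is the usual failure when the reg add is run from a non-elevated prompt.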
     
  18. Decopi

    Decopi Registered Member

    Joined:
    May 13, 2017
    Posts:
    89
    Location:
    USA
    Thank you @TairikuOkami for your great explanations, links and codes.

    With regards to what I call "Remote Addresses" 127.0.0.1, [::1], 255.255.255.255, [ff02::1:2] etc, if DNSCrypt is "probably allowed anyway", please how can I allow these remote addresses in my firewall rules? I don't mean only for Firefox, but to allow them for any app/program. What are the right ports for these "Remote Addresses"? Allow IN/OUT? Just OUT? TCP? UDP? Etc?
    When I wrote my question to you, I had the feeling that these remote addresses (127.0.0.1, [::1], 255.255.255.255, [ff02::1:2] etc) were showing up due to DNSCrypt (which uses IPv4 DNS 127.0.0.1). Days ago, at Reddit, I contacted the DNSCrypt Dev, who said that TCP OUT 443 will be fine as a general setup (all UDP blocked). But unfortunately it's not fine for me due to my DNS-client Windows service being disabled. This combo (DNSCrypt + no DNS-client) forces me to use different UDP settings. And considering that I also have the "deny by default" firewall rule, all together in my case it is probably blocking useful harmless stuff (like remote addresses 127.0.0.1, [::1], 255.255.255.255, [ff02::1:2] etc). Thus, if these specific remote addresses are useful/harmless, and to avoid the current interference of my firewall rules, perhaps it would be better to allow all these remote addresses in my firewall rules.
    Yeah, I know I said that in my setup these remote addresses are blocked (for TCP other than 443 and UDP 53), and everything seems to work fine. My problem is that my setup probably blocks useful harmless requests, I don't see visible or noticeable consequences, and due to my ignorance I wrongly conclude that "everything is fine". That's the reason I'm trying to allow useful requests.
    I just don't know what is useful, harmless etc. Also, I don't know protocols/ports/in/out for specific stuff like 127.0.0.1, [::1], 255.255.255.255, [ff02::1:2] etc.

    If your answer is still the same, then I'll keep everything blocked in my firewall rules (as it is now). I'm also going to apply all your recommendations related to QUIC, mDNS, Multicast, IPv6 etc.
    But, if your answer is to allow "Remote Addresses" 127.0.0.1, [::1], 255.255.255.255, [ff02::1:2] etc for all apps/programs, then please give me a hand writing my firewall rules (protocols, ports, in, out).

    Thanks and sorry for bothering you!
     
    Last edited: May 21, 2022
  19. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,432
    Location:
    Slovakia
    Well they know better, I have not used DNSCrypt for quite some time, so I would be just guessing.
    Useful as useful. For example I block ICMP (ping) and when playing a game, the firewall is full of blocked pings, the game tries to verify, that the connection is OK. I know it is, so I do not care.
     

  20. tnodir

    tnodir Registered Member

    Joined:
    Oct 21, 2017
    Posts:
    229
    Location:
    etc
    127.0.0.1, [::1] are used for local inter-process communication (IPC).

    255.255.255.255, [ff02::1:2] are used for local area network (LAN) broadcast to communicate with DHCP on startup, requesting an IP address.
    If you block these addresses and you use DHCP, then how does it obtain an IP address on boot?
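Decopi's recurring question (which ports, which direction, which protocol) is easier to answer after seeing who actually owns the loopback sockets, so here is an added example, not from tnodir's post or his Fort firewall, that maps the 127.0.0.1 / ::1 endpoints to the owning process (and, for svchost.exe, to the hosted service), and shows the DHCP traffic behind the 255.255.255.255 entries as Windows Defender Firewall's own "Core Networking" rules describe it. It is read-only and assumes nothing beyond the built-in NetTCPIP and NetSecurity modules.

```powershell
# Added example, not from the thread: tie loopback endpoints to processes and show the
# DHCP traffic behind the 255.255.255.255 / ff02::1:2 entries. Read-only.

function Get-LoopbackEndpoints {
    $loop = '127.0.0.1', '::1'
    $rows = @()
    # TCP: listeners and established connections on either end of loopback.
    foreach ($c in (Get-NetTCPConnection | Where-Object { $_.LocalAddress -in $loop -or $_.RemoteAddress -in $loop })) {
        $rows += [pscustomobject]@{ Proto = 'TCP'; Local = "$($c.LocalAddress):$($c.LocalPort)"
                                   Remote = "$($c.RemoteAddress):$($c.RemotePort)"; State = "$($c.State)"; Pid = $c.OwningProcess }
    }
    # UDP: sockets bound to loopback (e.g. a local resolver listening on 127.0.0.1:53).
    foreach ($u in (Get-NetUDPEndpoint | Where-Object { $_.LocalAddress -in $loop })) {
        $rows += [pscustomobject]@{ Proto = 'UDP'; Local = "$($u.LocalAddress):$($u.LocalPort)"
                                   Remote = '*'; State = '-'; Pid = $u.OwningProcess }
    }
    foreach ($r in $rows) {
        $p   = Get-Process -Id $r.Pid -ErrorAction SilentlyContinue
        $img = '?'
        if ($p) { $img = $p.ProcessName }
        # "svchost" alone says nothing; tasklist /svc names the service(s) hosted in that PID.
        $svc = ''
        if ($img -eq 'svchost') { $svc = (tasklist /svc /fi "PID eq $($r.Pid)" /fo csv | ConvertFrom-Csv).Services }
        [pscustomobject]@{ Proto = $r.Proto; Local = $r.Local; Remote = $r.Remote; State = $r.State
                           Pid = $r.Pid; Image = $img; Service = $svc }
    }
}

function Get-DhcpCoreRules {
    # The broadcast entries are the Dhcp client service (inside svchost.exe) asking for a lease.
    # Windows Defender Firewall ships rules for it; the port filters show what a third-party
    # deny-by-default firewall would have to replicate (UDP, local 68, remote 67 for IPv4).
    foreach ($rule in (Get-NetFirewallRule -DisplayName 'Core Networking - Dynamic Host Configuration Protocol*' -ErrorAction SilentlyContinue)) {
        $pf = $rule | Get-NetFirewallPortFilter
        [pscustomobject]@{ Rule = $rule.DisplayName; Direction = "$($rule.Direction)"; Enabled = "$($rule.Enabled)"
                           Protocol = $pf.Protocol; LocalPort = $pf.LocalPort; RemotePort = $pf.RemotePort }
    }
}

Get-LoopbackEndpoints | Sort-Object Image, Proto, Local | Format-Table -AutoSize
Get-DhcpCoreRules     | Format-Table -AutoSize
# If no interface shows Dhcp = Enabled, the broadcast entries in the block log are noise you can leave blocked.
Get-NetIPInterface -AddressFamily IPv4 | Select-Object InterfaceAlias, Dhcp, ConnectionState | Format-Table -AutoSize
```

The first table is the answer to "which ports and which protocol": a line such as `UDP 127.0.0.1:53` owned by dnscrypt-proxy is the listener the allowed programs need to reach, and anything else on loopback is IPC between two local processes, which is exactly the case tnodir describes. Run it while Firefox is starting to see the loopback connections Decopi's log shows as blocked.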
     
  21. Decopi

    Decopi Registered Member

    Joined:
    May 13, 2017
    Posts:
    89
    Location:
    USA
    Hi @tnodir,

    My goal is to harden privacy/security firewall (software), using a minimalist setup with the best possible result:
    1) Deny all internet access by default
    2) Allow few Windows processes (Windows update + Time) and specific apps/programs
    3) All allowed stuff uses only TCP OUT 443
    4) Disable DNS-client Windows service => Enable DNSCrypt => This forces me to use UDP IN 53 for allowed stuff
    5) Firewall rules can't use IPs (I need this setup to work in a group with people who live in different countries, and who know almost nothing about firewalls)

    So, answering your question, in my setup 127.0.0.1, [::1], 255.255.255.255, [ff02::1:2] etc are allowed only under the rules above.
    It's important to clarify that I'm quite ignorant on this firewall rules subject. And I'm sure there are better alternatives for the setup I'm looking for. I'm also aware that my setup can block useful/harmless requests, but given my ignorance on the matter, I haven't been able to do anything better. I achieved my setup thanks to the patient help of participants in this forum and kind Devs on Github / Reddit etc.
    I have tested my setup for several days, nothing catastrophic happened, I had and still have small problems, but in general most things seem to work fine.

    Please, if possible, my questions for you:

    a) Would you improve anything in my setup described above?

    b) Based on my ignorance, I found only two alternatives to build my setup: DNS-client Windows service "enabled" or "disabled". The first alternative is easier to configure, but requires the use of svchost, and it opens privacy/security risks. The second alternative is more difficult to configure, requires UDP IN for all allowed apps/programs, but does not use svchost, and minimizes privacy/security risks.
    Which of the two alternatives would you choose?

    c) Which firewall rules would you choose to harden privacy/security?

    d) Can your Fort firewall software achieve what I'm looking for (or something similar)?

    Thank you in advance for your time, patience and help.
     
  22. tnodir

    tnodir Registered Member

    Joined:
    Oct 21, 2017
    Posts:
    229
    Location:
    etc
    Hi @Decopi,

    Ok, you're allowing these addresses for "2) Allow few Windows processes ...".

    Maybe just install some 3rd party DNS resolver as system wide (leave DNS-client enabled)?
    Look at PrivateWin10 for example.

    I'm not an expert.
    I've created the firewall program for my specific humble needs: comfortably allow/block programs by wildcard and globally blacklist IPv4 address ranges.
    I don't need protocol/port filters or IPv6 or interactive mode with popups etc.
     
  23. Decopi

    Decopi Registered Member

    Joined:
    May 13, 2017
    Posts:
    89
    Location:
    USA
    Thank you @tnodir.

    @TairikuOkami, please, on the same question: If I understood well, 127.0.0.1, [::1], 255.255.255.255, [ff02::1:2] etc are internal system addresses. So, if I create a firewall rule allowing 127.0.0.1, [::1], 255.255.255.255, [ff02::1:2] etc, but all of them as "remote addresses", IN/OUT (any direction), TCP/UDP (any protocol), any port etc... it will be harmless, right? Please correct me if I'm wrong, these specific addresses allowed in a firewall rule as "remote addresses", will it mean that I'm allowing my device to communicate with my device? In other words, if these addresses are "remote addresses" in my firewall rule, then these addresses will work as (direction) IN in my firewall rule. And considering that (direction) OUT can only be stuff inside my device, the OUT and IN in this firewall rule will be my device communicating with my device. Please, am I right? Is it harmless?
     
  24. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,432
    Location:
    Slovakia
    Technically yes, but it could be abused. Let's say malware hijacks your browser, which is allowed. Malware could then send traffic via 127.0.0.1 and the browser would pass it on as normal traffic, the same way dnscrypt does.
     
  25. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,429
    Location:
    Romania
    127.0.0.1 is localhost. Windows Firewall does not filter connections to 127.0.0.1 for obvious reasons. Many programs use localhost for inter process communication and it makes no sense to block such requests. Whatever rule you create for 127.0.0.1, they will be ignored.
     