Windows Firewall Control (WFC) by BiniSoft.org

Discussion in 'other firewalls' started by alexandrud, May 20, 2013.

  1. Sm3K3R

    Sm3K3R Registered Member

    Joined:
    Feb 29, 2008
    Posts:
    611
    Location:
    Wallachia
    I don't think you really need to set IP6 IP-s manually apart from the DNS ones.

    Alexandru, is there a possibility for the wfc start-up to conflict with the Creative X-Fi driver services at start-up?!
    There is an exe CTxfispi.exe from Creative drivers that starts hidden and seems to be related to a bug related to SSDs and Creative drivers, randomly not initializing the card.
    I've seen many times since using wfc, could be coincidental, that sometimes after reinstalling or uninstalling wfc the Creative driver loads incomplete. Other times wfc is not loading and the Creative driver works.
    Just asking if there could be some conflict, as prior to wfc I've used Private Firewall and such randomness with Creative did not happen. Not saying it's wfc's fault, just asking if it could be possible based on the design.
     
    Last edited: May 28, 2014
  2. Alpengreis

    Alpengreis Registered Member

    Joined:
    Oct 7, 2013
    Posts:
    673
    Location:
    Switzerland
    That's absolutely not correct!

    Since I have native IPv6 with my Router and NIC and more and more and more Internet Sites are with IPv6 addresses too, my System takes in many cases automatically these new IPv6 addresses. A good example is Google Search, which I use always via IPv6.

    Also I use Sites in Internet (for testing purposes) which are IPv6 ONLY (no dual stack). These sites are not reachable via IPv4.

    Another example is with VPN. If I use one without IPv6 support, I MUST block IPv6 things - otherwise I would have an IPv6 leak. I use a special ruleset to ensure that all traffic is over Port 443 (SSL over OpenVPN). DNS is only open for two related VPN-DNS servers (Port 53) - the rest is blocked. So I should have no leak, even if the VPN connection were terminated unexpectedly. Only if I quit the VPN program manually (if connected or not), the ruleset changes to another one with "normal" rules and IPv6 traffic.

    DNS are also different. It exist DNS with or without native IPv6. It's possible, that I must open or block an external DNS Server with IPv6.

    Also I don't use Teredo (tunneling over UDP through NATs) and other non-native IPv6 related things. With Teredo for ex. the NAT on router would be levered. And I have a special hardware IPv6 firewall in my router to open, for ex., a port - this is the first IPv6 defense wall in my security concept. But I don't use this HW-Firewall for blocking outbound access for a domain or so (at least not at the moment) - this is done with my Win-Firewall (IP-related) and another program (domain-related). This means of course: I must have the possibility to block Non-Local IPv6 destinations - even for IPv6 exist Blacklists (for ex. FCrDNS (Forward Confirmed reverse DNS)) or for other undesired IPs.

    Also I have some programs which use IPv6 Multicast things. But Multicast is not basically local. Here, I must restrict the traffic to Local Multicast ("Node-Local Scope", "Link-Local Scope" and "Site-Local Scope").

    And last but not least: not only Webserver or VPN things are important. I have for ex. a multimedia server. At the moment it's IPv4 only and not reachable from Internet (Inbound) or over VPN. But it's absolutely possible that the next such local server has a native IPv6 address too. And if I want to have access from the outside of my local net and my remote device is IPv6 ready, I must/will have the possibility to define a related Inbound rule for IPv6 too.

    You see, it's not an easy DNS-only thing!

    Greetings,
    Alpengreis
     
  3. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,437
    Location:
    Romania
    I will take a look again over the IPv6 thing and see if I can do anything in WFC related to this problem.
    This has nothing to do with WFC which is a .NET Framework application. The Windows service too. WFC does not use any driver so it can't interfere with other drivers.
     
  4. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,437
    Location:
    Romania
    Windows Firewall Control v.4.0.9.6

    What's new:
    - Fixed: A new approach is used to determine if an unauthorized rule is added in order to fix the problem with AppGuard and Steam.
    - Fixed: IPv6 addresses and ranges are not handled correctly in the service, making them appear as invalid in Properties view of a rule. It is also impossible to export these kinds of rules.
    - Fixed: The scroll position does not scroll to top when the user filters the rules displayed in Manage Rules data grid from the Display and Filter combo boxes or when the Connections Log is updated to a different search.
    - Fixed: The active state of the notification sound is not preserved in case of an update to a newer version.
    - Fixed: After creating a new rule from 'Connections Log' or 'New Rules Wizard' the view is automatically switched to Manage Rules.

    Installation notes: Just use the updater to upgrade to this version.

    Download location: http://binisoft.org/download/wfc4setup.exe
    SHA1: ac31e7e15f167eadeeda45f991aa609fc66de8fd

    Thank you for your support and your feedback. Please let me know if the reported problems are now fixed.
    Have a great weekend,
    Alexandru

    PS: Alpengreis, it should work now with your original string with all of those IPv6 addresses and ranges. I think in the next version I will remove that override check box because the validation works correctly now also for IPv6 input. There is no need to use WFwAS anymore for defining this kind of rule.
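
An added example, not WFC's code and not from either poster: a validator for a rule's address list that covers the IPv6 addresses and ranges mentioned in the release notes and the local-multicast restriction Alpengreis describes earlier in the thread. The list syntax (comma-separated `address`, `address/prefix`, `start-end`) and the sample list are assumptions made for the example.

```python
import ipaddress

# Multicast scopes the earlier post treats as local (scope values per RFC 4291).
LOCAL_SCOPES = {0x1, 0x2, 0x5}  # node-local, link-local, site-local

# Constructed sample list; 2001:db8::/32 and 192.0.2.0/24 are documentation ranges.
SAMPLE_LIST = ("2001:db8::10-2001:db8::ff, ff02::/16, ff0e::1, "
               "ff01::-ff05::1, 2001:db8::zz, 192.0.2.9-192.0.2.1")


def parse_entry(entry):
    """Return (first, last) address covered by one entry; ValueError if bad."""
    entry = entry.strip()
    if "-" in entry:
        start_text, end_text = entry.split("-", 1)
        first = ipaddress.ip_address(start_text.strip())
        last = ipaddress.ip_address(end_text.strip())
        if first.version != last.version:
            raise ValueError("range mixes IPv4 and IPv6")
        if first > last:
            raise ValueError("range start is above range end")
        return first, last
    if "/" in entry:
        net = ipaddress.ip_network(entry, strict=False)
        return net[0], net[-1]
    addr = ipaddress.ip_address(entry)
    return addr, addr


def multicast_scopes(first, last):
    """Multicast scope values a span can reach (empty set if none).

    Conservative: a span that starts below ff00::/8 or crosses a flags
    boundary is reported as reaching every scope.
    """
    if last.version != 6 or not last.is_multicast:
        return set()
    if not first.is_multicast:
        return set(range(16))
    # Second byte of ffFS:: holds flags (high nibble) and scope (low nibble).
    flags_a, scope_a = divmod((int(first) >> 112) & 0xFF, 16)
    flags_b, scope_b = divmod((int(last) >> 112) & 0xFF, 16)
    if flags_a != flags_b:
        return set(range(16))
    return set(range(scope_a, scope_b + 1))


def check_address_list(text):
    """Return (entry, verdict, detail) for each comma-separated entry."""
    results = []
    for raw in text.split(","):
        entry = raw.strip()
        if not entry:
            continue
        try:
            first, last = parse_entry(entry)
        except ValueError as exc:
            results.append((entry, "invalid", str(exc)))
            continue
        scopes = multicast_scopes(first, last)
        if not scopes:
            results.append((entry, "ok", f"IPv{first.version}"))
        elif scopes <= LOCAL_SCOPES:
            results.append((entry, "local-multicast", sorted(scopes)))
        else:
            # A range can look local at both ends and still span other scopes.
            results.append((entry, "nonlocal-multicast", sorted(scopes)))
    return results


if __name__ == "__main__":
    for row in check_address_list(SAMPLE_LIST):
        print(row)
```

The range `ff01::-ff05::1` starts and ends in local scopes but also covers scopes 3 and 4, which is why it is reported as not confined to local multicast.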
     
  5. Stukalide

    Stukalide Registered Member

    Joined:
    Jul 12, 2013
    Posts:
    65
    How did you detect this in Wireshark? Do you have any special filters or plugins being used? It's my understanding that you can't pinpoint network data attached to specific programs in Wireshark, only in a general "raw" format, so I'm wondering if you were able to do that, or if you were just seeing DNS packets in general.
     
  6. Stukalide

    Stukalide Registered Member

    Joined:
    Jul 12, 2013
    Posts:
    65
    I'm loving the recent feature of being able to see all connection attempts/ports made by a program "live", without the 30-second delay! Thanks much for that. Very helpful to quickly see other remote ports the program attempts to call out on, instead of having to create a rule, then jump into the log to watch for other attempts.

    Thanks again for that.
     
  7. 2muchtime

    2muchtime Registered Member

    Joined:
    Apr 8, 2014
    Posts:
    23
    AppGuard is still creating rules.

    After rebooting there are rules that show it blocked, and rules that show it is allowed.


    Now got the Pop-up for AppGuard, after the fourth reboot asking, I blocked it.
    Shown in photo "new"
    Notice the other (older) AppGuard rules are capitalized.

    Something else I notice; WFC switches to "High Filtering" while browsing (twice now) once when editing this post.
     

    Last edited: May 30, 2014
  8. Alpengreis

    Alpengreis Registered Member

    Joined:
    Oct 7, 2013
    Posts:
    673
    Location:
    Switzerland
    That's absolutely great! It now seems to work perfectly! Thank you VERY much for this, this point was an important one for me personally! Well done :thumb:

    This is not yet fixed. I mean ALSO: If I make a change within Rule Manager for ex. from Outbound Rules to Inbound Rules, then the scrollbar should be on top. This is not yet the case. I have tested also with filtering enabled - does not work (not on top).

    Fixed, thank you!

    Also not yet fixed is the thing with the unwanted rule-opening after partial export.

    I have this every time after export of ONE rule. I really confirm the save dialog only ONCE with Enter, nevertheless the rule is then opened.
    When exporting multiple rules at once, it's ok.

    About this ...
    I mean NOT a Standard User Account, I mean a LIMITED User Account. Here the WFC was not terminated.

    About this thing ...
    I had (as said) tried, but the value was reset "immediately" - not once I had a bigger window. Maybe it's related to LIMITED User Account. I make some new tests ...

    Edit: Tested now: I change the "306" to "366" - the window still has the normal size - and AFTER close the notification window, the value is back on "306"!

    The IPv6 Validation was certainly a hard thing! Thanks again for this and a nice Weekend!

    Alpengreis
     
    Last edited: May 30, 2014
  9. Alpengreis

    Alpengreis Registered Member

    Joined:
    Oct 7, 2013
    Posts:
    673
    Location:
    Switzerland
    Maybe it's a dumb question from me - but nevertheless: you're sure you do not have the "High Filtering Profiles" activated in the Profiles Menu, right?

    I mean this here ...
    wfc-posting.JPG
    Greetings,
    Alpengreis
     
  10. 2muchtime

    2muchtime Registered Member

    Joined:
    Apr 8, 2014
    Posts:
    23
    That's the cause (for the switching modes)! Thanks

    But the AppGuard thing is a pain.
     
    Last edited: May 30, 2014
  11. jwcca

    jwcca Registered Member

    Joined:
    Dec 6, 2003
    Posts:
    772
    Location:
    Toronto
    Have you asked the AppGuard people for an explanation? There might be one and they might help fix things.
     
  12. 2muchtime

    2muchtime Registered Member

    Joined:
    Apr 8, 2014
    Posts:
    23
    Why? This is a firewall problem. A Firewall/controller is meant to stop activities like this, plain and simple. If this (AppGuard) can do this, what's next?
    I can't call a hacker and ask him or her if they might fix this.
    Thanks anyway.
     
    Last edited: May 30, 2014
  13. Alpengreis

    Alpengreis Registered Member

    Joined:
    Oct 7, 2013
    Posts:
    673
    Location:
    Switzerland
    An example with Windows 7 "Standard" (New) Installation, within Limited User Account:

    A Program Setup (Installation) that needs "Run as Administrator" (and you allow this) has the possibility to add, change and delete rules in the Windows Firewall. That is practically the same as if you start a Command Prompt with "Run as Administrator" and you can then add (for ex.) a rule with netsh!

    With "Run as Administrator" you can even delete Reg-Keys, you can make a HDD-Format etc etc ...

    This means: You should verify in advance that you trust the program that you install! With Antivirus-Program, Program-Reputation, Reputation of the Developer (-Person or -Company) or so ...

    Greetings,
    Alpengreis

    Edit: Maybe Alexandrud can prevent this behaviour with WFC function: "Disable the ability of other programs to add firewall rules" - but it seems to be not yet succeeded ...
     
    Last edited: May 30, 2014
  14. jwcca

    jwcca Registered Member

    Joined:
    Dec 6, 2003
    Posts:
    772
    Location:
    Toronto
    True, it's a firewall problem, not a UI app like WFC4, so you could ask Microsoft... good luck there, or AppGuard to find out why it's doing what you don't like, maybe there's a bug they don't know about...

    To say it once more, WFC4 is a UI to facilitate maintenance of Windows Firewall rules and thus isn't to blame if WF doesn't act the way you'd like.
     
  15. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    766
    Cheers for the new release...
    For me... the "Disable the ability..." tickbox, if left ticked upon reboot/shutdown, actually does prevent AppGuard creating its dodgy inbound firewall rules. I tried a reboot/shutdown with the above tickbox not ticked, and AppGuard made its rules when Windows loaded up. So well done Alexandru!
     
  16. Kob

    Kob Registered Member

    Joined:
    Dec 13, 2011
    Posts:
    39
    This may be a bit off, but I suggest that you look into your modem/router for a AppGuard rule there. Some Modem/Routers synch themselves to the Win FW.
    I am now in the midst of pulling my hair out - I changed my modem/router and although I looked at every possibility of synching that might be there, the whole Win FW went crazy and blocked everything - regardless of what the fw manager has in its store. (note - on that system I don't use the wfc 4 but another FW manager - but the argument here is still the same)
     
  17. Alpengreis

    Alpengreis Registered Member

    Joined:
    Oct 7, 2013
    Posts:
    673
    Location:
    Switzerland
    I have an idea yet because of the unwanted automatically added firewall rules ...

    Especially if that does not work completely with the "Disable the ability of other programs to add firewall rules". But especially for those who have not enabled this feature.

    WFC could - if a rule is added so - whether inbound or outbound - also display a Notification - perhaps with possibility to remove these through WFC.

    Of course, this would be just a help, not a real solution. But at least you would be notified immediately and not have to always look manually in the Rule Manager.

    Have a nice weekend all,
    Alpengreis

    Edit:
    The following IDs of MPSSVC could be interesting to do this:

    ID 4946 added
    ID 4947 changed
    ID 4948 deleted

    and maybe other related IDs from this section ...

    Edit 2:
    Or even better Protocol "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall"

    ID 2004 added
    ID 2005 changed
    ID 2006 deleted

    ...
     
    Last edited: May 31, 2014
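
An added example, not part of WFC and not from the post above: one way to act on the event IDs Alpengreis lists is to read exported events and report rule changes whose modifying application is not on an allow list. The XML is a constructed sample; the field names `RuleName` and `ModifyingApplication`, the wrapping `<Events>` root element, and every path in it are assumptions to check against a real export.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Event IDs named in the post: firewall channel (2004-2006) and MPSSVC (4946-4948).
ACTIONS = {2004: "added", 2005: "changed", 2006: "deleted",
           4946: "added", 4947: "changed", 4948: "deleted"}

# Hypothetical allow list of programs expected to manage rules (lower case).
TRUSTED_MODIFIERS = {r"c:\example\rule-manager.exe"}

# Constructed sample export; real exports carry many more fields.
SAMPLE_EVENTS = r"""
<Events>
 <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>2004</EventID><TimeCreated SystemTime="2014-05-31T08:00:01Z"/></System>
  <EventData><Data Name="RuleName">Browser out</Data>
   <Data Name="ModifyingApplication">C:\Example\Rule-Manager.exe</Data></EventData>
 </Event>
 <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>2004</EventID><TimeCreated SystemTime="2014-05-31T08:00:07Z"/></System>
  <EventData><Data Name="RuleName">Example inbound rule</Data>
   <Data Name="ModifyingApplication">C:\Example\setup.exe</Data></EventData>
 </Event>
 <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>2011</EventID><TimeCreated SystemTime="2014-05-31T08:01:00Z"/></System>
  <EventData><Data Name="Application">C:\Example\other.exe</Data></EventData>
 </Event>
 <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4948</EventID><TimeCreated SystemTime="2014-05-31T08:02:30Z"/></System>
  <EventData><Data Name="RuleName">Old rule</Data></EventData>
 </Event>
</Events>
"""


def rule_changes(xml_text):
    """Return one dict per rule added/changed/deleted event in the export."""
    changes = []
    for event in ET.fromstring(xml_text.strip()).iterfind("e:Event", NS):
        event_id = int(event.findtext("e:System/e:EventID", "0", NS))
        if event_id not in ACTIONS:
            continue  # not a rule change, e.g. a blocked-connection notice
        data = {d.get("Name"): (d.text or "")
                for d in event.iterfind("e:EventData/e:Data", NS)}
        created = event.find("e:System/e:TimeCreated", NS)
        changes.append({
            "time": created.get("SystemTime") if created is not None else "",
            "action": ACTIONS[event_id],
            "rule": data.get("RuleName", ""),
            # Events without this field are reported with an empty modifier.
            "modifier": data.get("ModifyingApplication", ""),
        })
    return changes


def unexpected(changes, trusted=TRUSTED_MODIFIERS):
    """Changes not made by a trusted program, including unattributed ones."""
    return [c for c in changes if c["modifier"].lower() not in trusted]


if __name__ == "__main__":
    for change in unexpected(rule_changes(SAMPLE_EVENTS)):
        print(change["time"], change["action"], change["rule"],
              change["modifier"] or "<no modifier recorded>")
```
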
  18. Sm3K3R

    Sm3K3R Registered Member

    Joined:
    Feb 29, 2008
    Posts:
    611
    Location:
    Wallachia
    There is a bug with importing the rules.

    Before installing I've uninstalled 4.0.8.6, ticking the restore default windows firewall rules and cleaning the activation status.

    After installation of the new one, I have set the interface settings in the main panel (theme color and the 3 checkboxes), afterwards with the firewall on Medium I've loaded the rule set created in the previous version, some rules may have been created in the windows firewall itself.
    So with the default rules and set on medium I've loaded the rule set as stated and it showed all of them in the manage rules window.
    After this the firewall switched automatically to Low filtering policy (it was on Medium). Rules were all there at this time.
    As I've wanted Medium filtering I've switched to Medium and voila, half of my rules disappeared.
    I can do this over and over and part of the rules are simply removed once I switch global policy to Medium.

    I was able to do this in 2 installations. So somehow the previous rule set gets broken.
    I do not understand why after loading my rule set it automatically switches to Low Filtering either. When the rules were saved/exported, Medium policy was used as well.

    The rule set loads ok in the 4.0.8.6

    Apart from this it looks ok.
     
  19. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    You smecker, is that some russkie thing in your nick? Posted on that TinyWall thread someone asked. I asked you to reply, none happened. Go post there what you meant. I have nothing against this controller and sure would not recommend anyone to use TW if they have not got used to its gui failings, but post there what you meant with that short non understandable post. TW's gui is pretty and simple as it is. It is just not stable.
     
  20. jwcca

    jwcca Registered Member

    Joined:
    Dec 6, 2003
    Posts:
    772
    Location:
    Toronto
    I too had a problem although I was going from 4.0.9.0 (which I uninstalled) to 4.0.9.6 (which I installed).

    So I restored a snapshot of my system taken immediately before the uninstall/install to get back to 4.0.9.0, I uninstalled 4.0.9.0 with the settings to keep the rules and not delete the activation code. I then installed 4.0.9.2 and everything was OK so I updated to 4.0.9.6 and everything is still OK, I have all my rules, nothing was lost. Filtering was still set to Medium, so those rules were also kept. I didn't import anything.

    J
     

  21. Sm3K3R

    Sm3K3R Registered Member

    Joined:
    Feb 29, 2008
    Posts:
    611
    Location:
    Wallachia
    You've used the last option, I've used the first, as well as the activation status for total uninstall I thought. :)
    I went from 4.0.8.6 to 4.0.9.6 directly.
    It's no problem for me as I've made another set over the ones that remained.
    It switched automatically to Low nevertheless on importing and lost part of the rules when switched to Medium, as described in my previous post.

    Good build overall.

    Could there be a manual limit for the logs size, Alexandru, so they get cleared after a specific amount of time or number or something like that?
     
  22. jwcca

    jwcca Registered Member

    Joined:
    Dec 6, 2003
    Posts:
    772
    Location:
    Toronto
    Glad to hear that you got it sorted,

    J
     
  23. Stukalide

    Stukalide Registered Member

    Joined:
    Jul 12, 2013
    Posts:
    65
    As always, thanks for the fantastic development on this.

    A few feature requests, if any interest/time:

    • Ability to jump straight to "Connection Log" from keyboard shortcut (instead of Rules page). I most often need to see the log rather than rules, and it'd be great if we could set a default view to open to.

    • Keyboard shortcuts to switch between views (e.g., CTRL-TAB and CTRL-SHIFT-TAB to switch between views, just like switching between tabs in a browser).

      Currently, this can somewhat be done, but it's having to TAB to the view-box (which is difficult to see selected) and then arrow up and down between views. It'd be great if we could do this with CTRL-TAB and CTRL-SHIFT-TAB. Or, similar to a browser: CTRL-1, CTRL-2, CTRL-3.

    • Option to show "duplicate" programs -- function to show/filter rules where there exists more than one rule for a particular .exe, sort of like "Find Invalid Rules" function, except for dupe programs. Currently, I have to filter for a specific program name and then sort by file location to see if there are more rules already set for it. It'd be great if we could click a function to quickly analyze for this, showing all rules that exist for programs with more than one rule.

    • Option to show duplicate *rules* -- sometimes I'm unsure if I've previously set a rule for a particular IP/port for a particular program. I then need to filter for that program name, then sort by location to see if there are duplicate rules already set for it. It'd be great if we could click a function to quickly analyze for this, showing duplicate rules. Of course, there needs to be clarification what constitutes a dupe -- is it every variable exactly the same? Is it the same rule name? Is it the same external IP?

    • Auto-refreshing option for connection log (like every 5/10/30 seconds)

    • Shortcut for refreshing "Connection Log" as CTRL-R rather than F5 -- copies the same shortcut for reloading pages in a browser page, which extends commonality between programs, and best of all, is an easier shortcut, keeping the hand resting in the home position without having to reach for an infrequently used F-key.

    And my most hoped-for feature ideas:

    "Condensing"!
    • **Ability to "condense" selected rules -- because programs often use a number of different ports/protocols/IP's over time, sometimes we only see a single IP/port/protocol in a blocked entry. I'll then create a rule for that single entry. Later, the program gets blocked again trying to connect to a new external IP over the same port. So I have to make another rule for that. Eventually, I have many single rules for one program, which I then manually condense down into fewer rules by hand -- like grouping IP's or ports into one rule, then deleting the single rules.

      It'd be great if, on the "Rules" page, we could shift-select a group of rules, right-click and select "Condense Rules". This would then analyze the selected rules and condense rules with similar traits into a single rule. So let's say I have 10 selected rules for a certain program, each all connecting over port 80 but each to a different IP -- "Condense Rules" would condense all 10 rules into a single rule over port 80, lumping all the allowable IP addresses into one variable. Sort of like defragging a hard drive :)

      Of course, there would need to be user clarification for which variable to anchor the "Condense" on -- i.e., condensing on external port, condensing on external IP, etc. In other words, do we want the condensed rule to be for port 80 but with 10 separate IP's? Or do we want a condensed rule for a single IP but allowable over 10 different ports? However, this could be simple by letting the user choose which variable to anchor the condense on, like via a sub-menu beneath "Condense Rules" -> "Condense on external IP", "Condense on external port", "Condense on adapter", etc.

    • **Ability to group-select rule creation -- let's say I'm looking at the log and see 10 new entries for "test.exe", where each entry connects to a different IP or external port. It'd be awesome if we could shift-select those 10 entries, right-click and select "Create custom new rule (Condense)", which opens a custom-rule dialog and pre-fills the grouping of variables amongst these 10 rules. So if these 10 entries all connect to the same external IP (12.34.56.78 ) but each entry used a different port (e.g. port 1,2,3,4,5...), then the custom-rule dialog would pre-fill this condensed-rule with 12.34.56.78 as external IP, but allowable ports being 1-10. WFC could simply condense all 10 selected rules into a single rule regardless of common variables, making one rule and condensing multiple IP's, ports, protocols, and adapters into one variable.

      An extension idea of this, though not as imperative, is WFC could analyze the selected blocked-entries and determine similarities between them, offering options to create separate condensed rules based on duplicated variables -- e.g., out of the 10 selected entries: 3 rules anchored on same IP, 7 rules anchored on same port, 5 rules anchored on same adapter, etc). But if that'd require too much programming, we could just leave the condensing-selection up to the user -- whatever entries are selected will have their respective variables all grouped into a single rule. The user then has the ability to uncheck or clear any grouped variables that they don't want defined.

    Anyway, just some hopeful suggestions. And of course, I'd be more than happy to help out with any of these, if needed.
     
    Last edited: Jun 1, 2014
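
An added example, not WFC code and not from the post above: a sketch of the "condense on an anchor" idea next to the "lump everything into one rule" variant, with a check of which program/IP/port combinations each result permits. The rule fields and sample rules are constructed for the example (12.34.56.78 is the address used in the post; 198.51.100.7 is a documentation address).

```python
from collections import defaultdict
from itertools import product

FIELDS = ("remote_ip", "remote_port")

# Constructed sample: four single-IP, single-port allow rules for one program.
SAMPLE_RULES = [
    {"program": "test.exe", "protocol": "TCP",
     "remote_ip": "12.34.56.78", "remote_port": 80},
    {"program": "test.exe", "protocol": "TCP",
     "remote_ip": "12.34.56.79", "remote_port": 80},
    {"program": "test.exe", "protocol": "TCP",
     "remote_ip": "12.34.56.78", "remote_port": 443},
    {"program": "test.exe", "protocol": "TCP",
     "remote_ip": "198.51.100.7", "remote_port": 8080},
]


def condense(rules, anchor):
    """Merge rules that share program, protocol and the anchor field.

    The anchor keeps a single value per condensed rule; the other field
    becomes the set of values seen for that anchor.
    """
    if anchor not in FIELDS:
        raise ValueError(f"anchor must be one of {FIELDS}")
    vary = FIELDS[1 - FIELDS.index(anchor)]
    groups = defaultdict(set)
    for rule in rules:
        groups[(rule["program"], rule["protocol"], rule[anchor])].add(rule[vary])
    return [{"program": prog, "protocol": proto, anchor: {value}, vary: members}
            for (prog, proto, value), members in groups.items()]


def lump_all(rules):
    """One rule per program and protocol holding every IP and every port."""
    groups = defaultdict(lambda: {"remote_ip": set(), "remote_port": set()})
    for rule in rules:
        merged = groups[(rule["program"], rule["protocol"])]
        merged["remote_ip"].add(rule["remote_ip"])
        merged["remote_port"].add(rule["remote_port"])
    return [{"program": prog, "protocol": proto, **merged}
            for (prog, proto), merged in groups.items()]


def allowed(condensed):
    """Every (program, protocol, ip, port) combination the rules permit."""
    return {(c["program"], c["protocol"], ip, port)
            for c in condensed
            for ip, port in product(c["remote_ip"], c["remote_port"])}


def widening(rules, condensed):
    """Combinations the condensed rules permit that the originals did not."""
    original = {(r["program"], r["protocol"], r["remote_ip"], r["remote_port"])
                for r in rules}
    return allowed(condensed) - original


if __name__ == "__main__":
    by_port = condense(SAMPLE_RULES, "remote_port")
    print(len(by_port), "rules, extra combinations:",
          len(widening(SAMPLE_RULES, by_port)))
    lumped = lump_all(SAMPLE_RULES)
    print(len(lumped), "rule, extra combinations:",
          len(widening(SAMPLE_RULES, lumped)))
```

Condensing on one anchor permits exactly what the single rules permitted; lumping all IPs and ports into one rule permits every IP on every port, so a review of the extra combinations belongs in front of that option.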
  24. focus

    focus Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    503
    Location:
    USA
    4.0.9.6 installed for a couple of days, no AppGuard rules and program is very smooth. Nice update!
     
  25. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,437
    Location:
    Romania
    In the Manage Rules, if you change the value of the Display or Filter combo boxes the scroll is set on top of the data grid. Anyone else still having this problem?
    I will try to fix this also for single selection. It works with the mouse.
    I can define two types of users: Administrator or Standard user. How do you create a Limited User Account? Or what is different?

    Indeed. It seems to work from the debug version but not from the release version. I will look into it.
    This will not help, as these rules are created at boot time, before WFC initialization.
    Yes, it is a bug there. When importing a policy, please disable "Disable the ability of....". This prevents importing a policy correctly. I will fix this in the next version.
    A policy file has nothing to do with WFC profiles. Because of this, when the import is used, WFC resets the profile to Low Filtering to avoid problems.
    I like many of these ideas. I will implement them and I will see how to implement the "condensing" features.
     