Discussion in 'other firewalls' started by alexandrud, May 20, 2013.
Thanks for all the interesting info!
I recently installed Windows 10 1909 (I was using a years-old image without updates) and restored my years-old firewall rules.
Everything seemed OK, until I noticed that when I'm connected through VPN everything goes through the firewall, disregarding any rules.
Using WFC 126.96.36.199. at medium filtering.
Whether the rules are undefined or blocked, this functioned similarly for both states, VPN and without. Direct access works as expected.
Now the firewall is basically disabled when connected to VPN.
The VPN TAP adapter shows as unidentified, though that might be placing it in neither public nor private networks; but even with assigned IPs and trying both locations gave the same result: everything passing through in all directions.
Tried resetting firewall rules to minimum, to default, to recommended; the same problem persists.
Is this something specific to newer versions of Windows Defender Firewall, or is there some misconfiguration on my part?
The problem is the way NordVPN works. All the traffic is redirected through their own driver, therefore Windows Firewall does not filter the traffic anymore. If the VPN is allowed, everything is allowed. Ask the developers of NordVPN how to configure their software to work with Windows Firewall when outbound filtering is enabled in Windows Firewall. I tried AirVPN and TunnelBear and they worked as expected with Windows Firewall. WFC has nothing to do with this. The problem is the incompatibility with Windows Firewall. One more thing that you could try is to configure the VPN connection at your router level (if it is possible) and then use Windows Firewall to allow/block access at application level.
Tried VPN with OpenVPN TAP and it also worked as expected.
This is not a viable option since I switch between direct and VPN.
P.S. Thanks for input and development
Better info about this module yet: there it's possible to add domains manually!
Not exactly clear what you want to say or ask.
Ok, sorry for the confusion.
I try it again:
My intention was to say that the module in F-Secure is also able to add websites manually, in addition to the check via F-Secure's cloud list. I would not like a solution via an automatic cloud list (service) only. It's also possible to allow an automatically blocked site (for ex. if it's a false positive).
So, with such a module (others exist too, as you can read above) it's at least possible to block websites, in addition to IPs via Windows Firewall.
If system-wide blocking is desired, you could block via the hosts file (for example).
OK, but will F-Secure alert you about a connection to that website? Otherwise it is very simple to block any connection on your DNS, setting it to 0.0.0.0
But first you have to be aware about the website's existence....
For HTTP it alerts you even without the extension; for HTTPS it also gives alerts if you use the "Browsing Protection by F-Secure" add-on (else it's blocked only). Additionally, it alerts you on Google Search with a little status symbol.
Google Search ...
Red cross = "This website is not safe."
Question mark = "Website not analyzed (yet)."
Green check mark = "Website should be okay."
After trying to load such a site, here is the alert ...
"Schädliche Website blockiert." --> "Malicious website blocked."
"Diese Website wurde als schädlich gemeldet. Wir empfehlen Ihnen, die Website nicht aufzurufen." --> "This website has been reported as harmful. We recommend that you do not visit the website."
I am sorry, but you did not understand anything from what we were talking about.
The issue is not to block a "malicious website" but to get the domain name (provided by the firewall) to which an application tries to connect.
Based on this info, you can decide to block the domain (rather than the IP, which can fluctuate for the same domain).
This is not possible to be done in WFC.
This is not possible in Windows Firewall itself. WFC has nothing to do with this.
I know that, but without the possibility to figure out who is behind each and every IP, and without the possibility to block/allow domains rather than IPs (for applications using dynamic addressing), we just shoot in the dark, blindly allowing or denying requests.
In this scenario, with or without a firewall will not make any difference.
For what it's worth, Emsisoft Anti-Malware includes a very competent and customisable Surf Protection module. You can manually add any hostname you like to block (also from a text file) with no performance hit. It can also accept IP addresses but is really optimized for domain names (best to use the WF/WFC for IP blocking), so it works well alongside the WF/WFC.
No problem and again, sorry for the confusion, it was not my intention ...
That info was for the case where you have the domain name(s) already (for example after analysis with DNSQuerySniffer or something like that). Also, the alert is always the same after blocking (regardless of whether a site is really harmful or just blocked for another reason).
I posted that info precisely because it's not possible to do that with WFC (Windows Firewall). My intention was to show ONE way to handle domain names too, outside of WFC (Windows Firewall).
That is nice, but first you have to be aware of the intention of a program on your PC to connect to that host. If you do not know the host, how are you going to block it?
And if you want to block a host, there are a lot of free "hosts editors".
Yes, sure - I have other so-called "hosts editors" too. That was only ONE possibility. The advantage of this solution related to internet browsing CAN be that this module also retrieves domain names from a cloud, so there is at least a chance that, for ex., a harmful domain is already blocked automatically BEFORE a program tries to connect to such a destination.
My suggestion for programs in general (thanks for the other postings in this thread about this too, so I can hopefully make a suggestion now) is as follows, to prevent undesired outgoing connections:
1) Block "all" outgoing traffic (medium filter in WFC).
2) Check the related notification - if necessary also the connection log - then you have the IP(s).
3) If necessary, try to find out the domain/host name - for example via DNSQuerySniffer (not recommended via reverse DNS, because you can't properly find out the right hostname in certain cases).
4) Block this/those IP(s) and, if necessary, the domain/host name too via a "hosts editor" of your choice.
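One way to carry out steps 2 to 4 from logs rather than by hand, as an added example that is not from this thread, from WFC or from F-Secure: it parses a constructed excerpt in the Windows Firewall pfirewall.log format, looks up each dropped outbound destination in a constructed DNS-answer log (the "time name type ip" line format is assumed here, not DNSQuerySniffer's actual export), and emits hosts-file entries so the name stays blocked even when its IP rotates.

```python
from collections import defaultdict

# Constructed sample in the Windows Firewall pfirewall.log format (not a real capture).
FIREWALL_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2019-12-01 10:00:01 DROP TCP 192.168.1.10 203.0.113.7 50123 443 0 - 0 0 0 - - - SEND
2019-12-01 10:00:02 DROP UDP 192.168.1.10 198.51.100.20 50124 123 0 - - - - - - - SEND
2019-12-01 10:00:03 ALLOW TCP 192.168.1.10 192.0.2.44 50125 80 0 - 0 0 0 - - - SEND
2019-12-01 10:00:04 DROP TCP 203.0.113.99 192.168.1.10 443 50126 0 - 0 0 0 - - - RECEIVE
2019-12-01 10:00:05 DROP TCP 192.168.1.10 203.0.113.7 50127 443 0 - 0 0 0 - - - SEND
"""

# Constructed DNS-answer log, one "time name type ip" record per line; the format is assumed.
DNS_LOG = """\
10:00:00 telemetry.example.net A 203.0.113.7
10:00:00 telemetry.example.net A 203.0.113.8
10:00:01 time.example.org A 198.51.100.20
"""

def parse_dropped_outbound(log):
    """Return {dst_ip: {"port/proto", ...}} for DROP entries in the SEND direction."""
    fields, dropped = None, defaultdict(set)
    for line in log.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names come from the log header
        elif line and not line.startswith("#") and fields:
            rec = dict(zip(fields, line.split()))
            if rec.get("action") == "DROP" and rec.get("path") == "SEND":
                dropped[rec["dst-ip"]].add(f"{rec['dst-port']}/{rec['protocol']}")
    return dropped

def parse_dns_answers(log):
    """Return {ip: {name, ...}} from the A-record answers the host actually received."""
    names = defaultdict(set)
    for _time, name, rtype, ip in (l.split() for l in log.splitlines() if l.strip()):
        if rtype == "A":
            names[ip].add(name.lower())
    return names

def correlate(fw_log, dns_log):
    """Map each dropped destination IP to the name(s) the host looked up for it."""
    dropped, names = parse_dropped_outbound(fw_log), parse_dns_answers(dns_log)
    return {ip: {"ports": sorted(ports), "names": sorted(names.get(ip, ()))}
            for ip, ports in dropped.items()}

def hosts_file_lines(report):
    """Hosts-file entries that sinkhole every observed name, whatever IP it rotates to."""
    return [f"0.0.0.0 {n}" for n in sorted({n for r in report.values() for n in r["names"]})]
```

A hosts-file entry only covers programs that resolve the name through the system resolver; a program with hard-coded IPs or its own encrypted DNS still needs the IP rule from step 4.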
Yes, these are the required steps:
1. There are programs which will use dynamic addressing; in other words, for the same ***.exe you can get 20-30 IPs. Who has the time or desire to investigate all of them, only to notice that next week these have changed?
If you still have access to a Win 7 PC, install PC Tools Firewall Plus 7.0.123 and you will see how a real firewall is supposed to look.
Yes, I know, that IS difficult to handle then.
I had - in earlier times - installed (and tested) different firewalls here, including some with stateful inspection and others with packet filtering, personal firewalls (desktop firewalls) (for ex. CHX-1, Outpost, Comodo, ZoneAlarm, Norton, etc.) and an external hardware firewall (Zyxel). Unfortunately not PC Tools - however, after I read some things about it, I can more or less imagine how it works.
Just - FOR ME PERSONALLY - I decided that my "bundle" of Windows Firewall plus WFC in combination with F-Secure (including the HIPS via DeepGuard) plus some other "tools" (like uMatrix & uBlock) is enough FOR ME for my DESKTOP PC.
Additionally, I also have a (dynamic) network-based solution via DNS servers between provider<->router in use (Internet Guard), which can block sites as a 1st-level defence (such a site can be unblocked manually if desired).
Then a router with NAT, or rather a separate firewall, in use, which controls some things as a personal 2nd-level defence.
That means that some traffic will not even reach my LAN (hopefully). Those steps also protect other devices here, like game consoles, to a certain level.
However: I am not naive - in many cases, the "attack" exists first, then it becomes known, and THEN such blocking finally works. Fortunately, in some cases an unknown "attack" can be avoided because the traffic is "unusual", or rather suspicious, or similar.
I would NEVER say that this is the best or only solution or something like that. Also, I would never say that my solution is perfect - it's good enough for me currently, that's all.
PS: Hopefully not too much off topic; I wrote it just to make clear that my security concept is not only Windows Firewall plus WFC ...
It'd be great if a dark-theme interface could make it into WFC.
Try a high contrast theme in Windows and WFC will be magically dark-themed. This UI change does not add any value to the software and it will be hard to get this approved. Sorry, but it will not be done any time soon.
While using a network tool like Fiddler (Fiddler sets the system proxy to itself while it captures), is it normal/expected behavior for all firewall rules to basically go out the window except for Fiddler's, no longer being adhered to, with all programs now able to flow without restriction through Fiddler's "phone line"?
I guess it comes down to where in the stack ordering or pyramid firewall rules are implemented: before or after system proxying. In my current case, it seems that all programs are able to freely interact with the system proxy without restriction even if they have a specific firewall rule forbidding any inbound/outbound network activity. If that's the case, then that means that while using Fiddler, it basically negates your entire firewall, and one should be mindful of that.
(...which, if this is the case, I'm not complaining about if that's normal; I just want to understand for clarity, and make sure something isn't malfunctioning on my end)
OK, no worries - thanks for the reply. High contrast themes look God-awful.
I'm still using the 188.8.131.52 version on Win 10 1903 without any problems.
Are there any security problems if I'm using this version?
This is expected behavior when using a proxy which 'hijacks' the network packets. Windows Firewall rules are not applied anymore since all the traffic appears to be made by the proxy, not by the original software.
I will put this on the list of required features, and at some point it will be implemented.
No problem at all.