Windows Firewall Control (WFC) by BiniSoft.org

Discussion in 'other firewalls' started by alexandrud, May 20, 2013.

  1. Alpengreis

    Alpengreis Registered Member

    Joined:
    Oct 7, 2013
    Posts:
    670
    Location:
    Switzerland
  2. Tiamati

    Tiamati Registered Member

    Joined:
    Feb 1, 2021
    Posts:
    12
    Location:
    Canada
    Hello guys!
    I'm currently using and testing WFC and I like it. However, I wish there were more premade rules for Windows default apps. Can you help me decide if I should allow these connections?

    1) Edge/Chrome inbound TCP/UDP rules

    2) Svchost inbound rules for SSDPSRV services

    3) NT Kernel inbound rules

    https://malwaretips.com/attachments/1612150024027-png.253681/
     
  3. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,408
    Location:
    Romania
    If this machine is the only one in your local network, NO to all of them. If you connect to this machine from other machines in your network, NO to first one and YES to second and third, depending on situation. If you don't connect to this machine from other machines, again NO to all of them.
     
  4. Tiamati

    Tiamati Registered Member

    Joined:
    Feb 1, 2021
    Posts:
    12
    Location:
    Canada
    Ty @alexandrud! I'm honored to receive help from the WFC creator himself :thumb:

    After your comment, I decided to disable other inbound connections I was allowing, including: TCP/UDP from Firefox, Edge, Chrome, Steam, Steam web helper, Spotify, AOMEI Backupper and my VPN desktop app. I left the Edge mDNS inbound rule allowed, but idk if I should. Any idea why these programs would need inbound rules?

    I also noticed that a lot of Microsoft apps also use inbound rules like Sticknotes, Solitaire and others. I don't have a clue about the reason they would even need that.

    I left torrent clients with inbound rules allowed too, because I believe they need it for p2p to work properly, right?

    tyvm for your attention
     
  5. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    I think Edge is probably for the WebRTC feature. How that made it into a web browser I will never know; with browsers being the main way into a system, they need to be feature-minimalistic, but they are becoming more like operating systems.

    But I have my own question: having now migrated to Windows 10, does the latest WFC have feature parity with the older pre-Malwarebytes versions? I have seen some posts mention a lack of protection for rules being made by 3rd party apps, but from what I can see in the changelogs, secure rules are still there.
     
  6. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    1,088
    Location:
    Lunar module
    For normal operation of any browser, it is enough to allow only outgoing connections to a limited number of remote ports. For a browser, incoming connections are not required.
    Considering the posts above, if server applications that require incoming connections are not installed on the computer, and you do not transfer files over WiFi between the computer and a mobile phone, etc., all incoming connections to the computer can be denied.
    With some practice, you can deny all outgoing and incoming connections for svchost without affecting the operating system.
     
  7. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,408
    Location:
    Romania
    I do not allow inbound connections on my laptop for anything. Inbound is blocked for all connections. Indeed, for torrent clients, you need to allow inbound access for the torrent client. Two rules actually, one for UDP and one for TCP. An inbound rule for ANY protocol for the torrent client will not be enough.
    The current version of WFC has improved features and many bugs fixed. I recommend you to use the latest version.
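    As an added illustration of the two points above (not WFC's code, and not something the developer posted): an elevated PowerShell session can list every enabled inbound allow rule by program so you can see what Edge, svchost and friends currently have open, and a torrent client gets exactly one TCP and one UDP inbound rule for its listening port rather than an ANY-protocol rule. The program path and port are hypothetical parameters you fill in yourself.

```powershell
# Added example (not part of WFC): audit inbound ALLOW rules, then create the
# TCP + UDP inbound pair a torrent client needs. Requires an elevated session and
# the built-in NetSecurity module (Windows 8/10/11).

function Get-InboundAllowRules {
    # One row per enabled inbound allow rule: program, protocol, local ports, profile
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
        $app  = $_ | Get-NetFirewallApplicationFilter
        $port = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Name     = $_.DisplayName
            Program  = $app.Program            # 'Any' means the rule is not tied to an executable
            Protocol = $port.Protocol
            Port     = ($port.LocalPort -join ',')
            Profile  = $_.Profile
        }
    } | Sort-Object Program, Protocol
}

function New-TorrentInboundRules {
    param(
        [Parameter(Mandatory)][string]$Program,   # hypothetical path, e.g. C:\Tools\qbittorrent.exe
        [Parameter(Mandatory)][int]$ListenPort    # the port configured inside the client
    )
    # Two rules, one per protocol, scoped to this executable and this single port.
    # -Profile Private keeps the port closed while on public networks.
    foreach ($proto in 'TCP', 'UDP') {
        New-NetFirewallRule -DisplayName "Torrent client inbound $proto" `
            -Direction Inbound -Action Allow -Program $Program `
            -Protocol $proto -LocalPort $ListenPort -Profile Private | Out-Null
    }
}

# Everything not explicitly allowed above stays blocked by the profile default.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

# Show what is currently allowed inbound before deciding what to remove.
Get-InboundAllowRules | Format-Table -AutoSize
```

Rules whose Program column reads "Any" deserve the closest look, since they apply to every process that listens on the matching port.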
     
  8. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    1,088
    Location:
    Lunar module
    v6.4.0.0, the "disable unauthorized rules" option is enabled, rules protection is triggered
    uTorrent downloads normally if it is denied incoming connections, this is checked.
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    BTW, a general question, but I have never understood why HIPS and certain firewalls sometimes alert about apps wanting to make inbound connections. What does this exactly mean? I always considered this to be high-risk behavior because not many apps ask for this permission. For example, even Firefox asks for this permission, but I'm not sure why it needs it.
     
  10. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,408
    Location:
    Romania
    For downloading yes. I don't know if denying inbound will not make you appear as unconnectable and then your seeding will be affected.
     
  11. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,408
    Location:
    Romania
    Marketing maybe? We have this useless feature which others don't have :) Windows Firewall displays notifications when a new software wants to listen on a port for inbound connections. To this notification, the usual answer is also NO.
     
  12. Tiamati

    Tiamati Registered Member

    Joined:
    Feb 1, 2021
    Posts:
    12
    Location:
    Canada
    Ty for your help guys!

    Do you know which ports?

    Yep, I noticed qBittorrent already created those 2 rules

    I have read that Windows would require inbound connections for security protocols. Kernel inbound connections especially. Do you know anything about it? I'm not sure if this information is precise.

    Yep, the torrent client works without those inbound rules, but the speed will be reduced...
     
  13. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    1,088
    Location:
    Lunar module
    This Polichinelle secret is known to everyone, local ports all, remote ports 80, 443, 8080. If video surveillance etc. is used, other specific ports may be added.
     
  14. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,408
    Location:
    Romania
    You need inbound connections if you need to connect to your machine. For example Remote Desktop Connection so that you can connect remotely to your own machine by using this protocol. Otherwise, inbound connections are not required to be allowed.
     
  15. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,408
    Location:
    Romania
    Bad actors would also use these ports. Restricting a browser to only specific remote ports does not add any security.
     
  16. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    1,088
    Location:
    Lunar module
    80, 443, 8080 these are allowed ports. Okay, tell us what else you can do in your firewall to keep out the bad guys.
     
  17. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    1,999
    Location:
    Member state of European Union
    I agree.
    I'm sorry, but a layer 3&4 (OSI Model) firewall probably isn't the right tool to protect a browser used for surfing the Web. The only thing you can do at this level is to use some sort of IPv4 blocklist for general browsing. If I had to choose one blocklist to protect a web browser it would be DNS-based, not IP-based, meaning I wouldn't use a level 3&4 firewall to do that. That is why I have a local forwarding DNS that has some blocklist and forwards non-blocked queries to filtering external DNS services such as Quad9.
     
  18. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    1,088
    Location:
    Lunar module
    The use of block lists in any form is a past stage; it was popular 3-4 years ago, and it is not very useful. I am using external DNS servers and the Windows DNSCache service has been stopped.
     
  19. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    1,999
    Location:
    Member state of European Union
    IP filtering (L3&L4 firewall) for general Web surfing is even less useful. Blocking ports is practically useless. I suggest searching for other means to secure a web browser than an L3&L4 firewall.
    It doesn't mean that the firewall is completely useless, it is just useless for protecting that one particular program, the web browser.
     
  20. Tiamati

    Tiamati Registered Member

    Joined:
    Feb 1, 2021
    Posts:
    12
    Location:
    Canada
    Ty for the information

    I'm currently using NextDNS. It seems to have greater protection than Quad9 in the last tests I saw.

    Interesting, ty.

    I noticed some connections from Windows DNSCache. What is it exactly?
     
  21. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,063
    Location:
    Canada
    @alexandrud

    thank you for developing and providing this program. I've been using it for a few weeks now, and it's far exceeded my expectations :thumb:
     
  22. kronckew

    kronckew Registered Member

    Joined:
    Aug 27, 2006
    Posts:
    454
    Location:
    CSA Consulate, Glos., UK
    It's a temporary storage area for DNS requests/responses. If a process requests a DNS address, the OS ideally checks your Hosts file first (a leftover from Microsoft's distant Unix/MSDOS past) and then it checks the DNS cache, which may contain a few hundred or more responses to queries you've made since booting up. If there is nothing there, or if the DNS service is stopped, it will then check your network's DNS server on the external dirty side of the firewall. Saves making frequent time-wasting requests and hogging bandwidth. Your prog will still work if the DNS client service (the cache) is stopped, but a bit slower from increased traffic. There are a few other things it does in support of network services that are not DNS related. Your browser may have its own DNS cache; Firefox does, it normally uses the port 53 DNS system and has a configurable cache size. Recent Firefox versions also allow DOH, DNS over HTTP on port 5353 or 443, tho it can be tricky to set up. It normally defaults to falling back to the OS DNS systems if DOH fails to respond, tho you can set it to stop doing that.

    If you make any rules to allow DNS client internet access, you could specify the remote address as 'any' on the main DNS ports 53, 80, etc., but it'd be safer to allow it only to the specific IPs of your DNS provider. Note also TCP is a 'directional' protocol, so your firewall 'knows' you sent the request and expects a reply, so no incoming rule is needed unless it times out. UDP, used for traditional requests, is not directional, but again your PC remembers you sent the request and will not normally need an incoming rule. Incoming rules might be needed for connections that come from other PCs on your local network on the clean side of your router/firewall that connect to the internet via your PC or router, such as smart TVs, phones, etc.; best if they are doing that thru your router rather than your PC. If you are running a web server that must allow anyone from the outside to connect, you will need to open up more to incoming traffic, which is risky and will require more protection.
     
    Last edited: Feb 4, 2021
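    As an added example of the advice in the post above (written for this thread, not code from the poster or from WFC): outbound rules for the Windows DNS client (the Dnscache service hosted in svchost.exe) pinned to the resolver addresses you actually use, plus a look at what the cache currently holds. The resolver addresses are constructed placeholders from the documentation range; substitute your provider's.

```powershell
# Added example (not part of WFC): restrict the DNS client service to chosen
# resolvers and inspect the local cache. Elevated session, NetSecurity/DnsClient modules.

$Resolvers = @('192.0.2.1', '192.0.2.2')     # constructed placeholders (RFC 5737 TEST-NET-1)
$Svchost   = "$env:SystemRoot\System32\svchost.exe"

function New-DnsClientOutboundRules {
    param([Parameter(Mandatory)][string[]]$RemoteAddress)
    # Classic DNS is UDP 53 with a TCP 53 fallback for large answers. Both are
    # request/response, so the stateful firewall matches the reply to the request
    # and no inbound rule is needed. -Service Dnscache scopes the rule to the DNS
    # client service rather than to every service that runs inside svchost.exe.
    foreach ($proto in 'TCP', 'UDP') {
        New-NetFirewallRule -DisplayName "DNS client $proto to chosen resolvers" `
            -Direction Outbound -Action Allow -Program $Svchost -Service Dnscache `
            -Protocol $proto -RemotePort 53 -RemoteAddress $RemoteAddress | Out-Null
    }
}

function Get-CachedDnsEntries {
    param([string]$NameFilter = '*')
    # Entries the Dnscache service currently holds; TimeToLive is the remaining seconds.
    Get-DnsClientCache | Where-Object { $_.Entry -like $NameFilter } |
        Select-Object Entry, RecordType, Status, Data, TimeToLive
}

New-DnsClientOutboundRules -RemoteAddress $Resolvers
Get-CachedDnsEntries | Format-Table -AutoSize
```

With WFC's medium filtering (outbound blocked unless allowed), any process that queries a resolver other than the listed ones will simply get no answer, which is the behaviour you want from this restriction.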
  23. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    1,088
    Location:
    Lunar module
    If you create a separate DNS rule for each browser or program that needs access to the Internet, with the DNSCache service disabled and using external DNS, and completely blocking svchost.exe everything works just as quickly and without problems.
     
  24. kilves76

    kilves76 Registered Member

    Joined:
    Feb 11, 2012
    Posts:
    26
    This is interesting, could you expand this a little? Why do tcp and udp need their own rules in order to accept incoming connections? I've really been under the impression that ALL + IN Edge Traversal is enough. I do see "I" flag in my peer list all the time, indicating incoming connections. The only rules are ALL IN & OUT for the client.
     
  25. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    It seems browser rules are done for mDNS reasons. I have put on 6.4.0.0, looking at the WFC recommended rules, they are certainly much more streamlined than default rules.

    So I take it I enable the recommended rules and then let secure rules disable/delete the default service rules, maybe only keeping the Store rules and my own custom rules?
     