Discussion in 'other firewalls' started by alexandrud, May 20, 2013.
Good suggestions, really!
I'm currently using and testing WFC and i like it. However, i wish there were more premade rules for windows default apps. Can you help me to decide if i should allow this connections?
1) Edge/Chrome inbound TCP/UDP rules
2) Svchost inbound rules for SSDPSRV services
3) NT Kernel inbound rules
If this machine is the only one in your local network, NO to all of them. If you connect to this machine from other machines in your network, NO to first one and YES to second and third, depending on situation. If you don't connect to this machine from other machines, again NO to all of them.
Ty @alexandrud! I'm honored to receive help from the WFC creator himself
After your comment, i decided to disable other inbound connections i was allowing, including: TCP/UDP from firefox, edge, chrome, steam, steam web helper, Spotify, aomei backupper. and my VPN desktop app. I left Edge mDNS inbound rule allowed, but idk if i should. Any idea why these softwares would need inbound rules?
I also noticed that a lot of Microsoft apps also use inbound rules like Sticknotes, Solitaire and others. I don't have a clue about the reason they would even need that.
I left torrent clients with inbound rules allowed too, cause i believe they need it to p2p work properly right?
tyvm for you attention
I think edge is probably for the webrtc feature. How that made it into a web browser I will never know, with browsers been the main way into a system, they need to be feature minimalistic, but they becoming more like operating systems.
But I have my own question, having now migrated to windows 10, is the latest WFC feature parity with the older pre malwarebytes versions? I seen some posts mention lack of protecting rules been made by 3rd party apps, but from what I can see in the changelogs secure rules are still there.
For normal operation of any browser, it is enough to allow only outgoing connections to a limited number of remote ports. for browser Incoming connections are not required.
Considering the posts above, if server applications that require incoming connections are not installed on the computer, and you do not transfer files over WiFi between the computer and a mobile phone, etc., all incoming connections to the computer can be denied.
With some practice, you can deny all outgoing and incoming connections for svchost without affecting the operating system.
I do not allow inbound connections on my laptop for anything. Inbound is blocked for all connections. Indeed, for torrent clients, you need to allow inbound access for the torrent client. Two rules actually, one for UDP and one for TCP. An inbound rule for ANY protocol for the torrent client will not be enough.
The current version of WFC has improved features and many bugs fixed. I recommend you to use the latest version.
v188.8.131.52, the "disable unautorized rules" option is enabled, rules protection is triggered
uTorrent downloads normally if it is denied incoming connections, this is checked.
BTW, a general question but I have never understood why HIPS and certain firewall sometimes alert about apps wanting to make inbound connections, what does this exactly mean? I always considered this to be a high risk behavior because not many apps ask for this permission. For example, even Firefox asks for this permission, but I'm not sure why it needs it.
For downloading yes. I don't know if denying inbound will not make you appear as unconnectable and then your seeding will be affected.
Marketing maybe? We have this useless feature which others don't have Windows Firewall displays notifications when a new software wants to listen on a port for inbound connections. To this notification, the usual answer is also NO.
Ty for your help guys!
Do you know which ports?
Yep, i noticed qbittorrent already created those 2 rules
I have read that windows would require inbound connections for security protocols. Kernel inbound conections specially. Do you know anything about it? I'm not sure if this information is precise.
Yep, torrent client works without those inboud rules, but the speed will be reduced...
This Polichinelle secret is known to everyone, local ports all, remote ports 80, 443, 8080. If video surveillance etc. is used, other specific ports may be added.
You need inbound connections if you need to connect to your machine. For example Remote Desktop Connection so that you can connect remotely to your own machine by using this protocol. Otherwise, inbound connections are not required to be allowed.
Bad actors would use also these ports. Restricting a browser to only specific remote ports does not add any security.
80, 443, 8080 these are allowed ports. Okay, tell us what else you can do in your firewall to keep out the bad guys.
I'm sorry but probably layer 3&4 (OSI Model) firewall isn't a right tool to protect a browser used for surfing the Web. The only thing you can do at this level is to use some sort of IPv4 blocklist for general browsing. If I had to choose one blocklist to protect web browser it would be dns-based, not IP-based meaning I wouldn't use level 3&4 firewall to do that. That is why I have local forwarding dns that has some blocklist and forwards not-blocked queries to filtering external DNS services such as Quad9.
The use of block lists in any form is a passed stage, it was popular 3-4 years ago, and it is not very useful. I am using external DNS servers and Windows DNSCache service has stopped.
IP filtering (L3&L4 firewall ) for general Web surfing is even less useful. Blocking ports is practically useless. I suggest to search for other means to secure a web browser other than a L3&L4 firewall.
It doesn't mean that firewall is useless completely, it is just useless to protect that one, particular program - web browser.
Ty for the information
I'm currently using NextDNS. It seems to have greater protection than Quad9 in the last tests i saw.
I noticed some conections from Windows DNSCache. What is it exactly?
thank you for developing and providing this program. I've been using it for a few weeks now, and it's far exceeded my expectations
It's a temporary storage area for DNS requests/responses. If a process requests a DNS address, the OS ideally checks your Hosts file first (a leftover from Microsoft's distant Unix/MSDOS past ) and then it checks the DNS cache, which may contain a few hundred or more responses to queries you've made since booting up. If there is nothing there, or if the DNS service is stopped, it will then check your network's DNS server on the external dirty side of the firewall. Saves making frequent time-wasting requests and hogging bandwidth. Your prog will still work if the DNS client service (the cache) is stopped , but a bit slower from increased traffic. There are a few other things it does in support of network services that are not DNS related.Your browser may have it's own DNS cache, Firefox does, it normally uses the port 53 dns system and has an configurable cache size. recent firefox versions also allow DOH, DNS over HTTP on port 5353 or 443, tho it can be tricky to set up. It normally defaults to falling back to the OS DNS systems if DOH fails to respond, tho you can set it to stop doing that.
If you make any rules to allow DNS client internet access, you could specify the remote address as 'any' on the main dns ports 53,80, etc. but it's be safer to allow it only to the specific IPs of your DNS provider. Note also TCP is a 'directional' protocol so your firewall 'knows' you sent the request, and expects a reply, so no incoming rule is needed unless it times out. UDP, used for traditional requests is not directional, but again your PC remembers you sent the request and will not normally need an incoming rule. Incoming rules might be needed come from other PCs on your local network on the clean side of your router/firewall that connect to the internet via your PC, or router, such as smart TVs, Phones, etc. best if they are oing that thru your router rather than your PC. If you are running a web server that must allow anyone to from the outside to connect, you will need to open up more to incoming traffic, which is risky and will require more protection.
If you create a separate DNS rule for each browser or program that needs access to the Internet, with the DNSCache service disabled and using external DNS, and completely blocking svchost.exe everything works just as quickly and without problems.
This is interesting, could you expand this a little? Why do tcp and udp need their own rules in order to accept incoming connections? I've really been under the impression that ALL + IN Edge Traversal is enough. I do see "I" flag in my peer list all the time, indicating incoming connections. The only rules are ALL IN & OUT for the client.
It seems browser rules are done for mDNS reasons. I have put on 184.108.40.206, looking at the WFC recommended rules, they are certainly much more streamlined than default rules.
So I take it enabled recommended rules and then let secure rules disable/delete the default service rules, maybe only keeping @ store rules? and my own custom rules.
Separate names with a comma.