Windows Firewall Control (WFC) by BiniSoft.org

Discussion in 'other firewalls' started by alexandrud, May 20, 2013.

  1. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,272
    Location:
    U.S.A. (South)
    Thanks WFC maker. High time to brush up on it again. Another duh question but with the new recently released 6.5 is there anything that you would officially suggest other than what others and yourself have mentioned when installing WFC in Windows 10 anew.
     
  2. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,040
    Location:
    Romania
    I might not be the right person to answer this. Below are all my rules:

    upload_2021-6-7_23-17-13.png

    Notifications are disabled, Secure Rules enabled, Medium Filtering profile. Windows Update rule enabled once a month when I remember to check for Windows Updates. Everything else silently blocked. Each person with his own needs.
     
  3. antdude

    antdude Registered Member

    Joined:
    Apr 10, 2010
    Posts:
    18
    Location:
    An Ant Farm
    Well, it would still be nice to show what domain name the program is connecting to like Notepad++ is doing in my attached screen shot/capture. When I look at its IP address, I wouldn't know if that would be NPP's server from its whois feature (Cloudflare). In other older software firewalls (e.g., PC Tools Firewall Plus v7) in older Windows versions, they would tell me the domain name and its IP address it is trying to connect to.
     

    Attached Files:

    • npp.gif
      npp.gif
      File size:
      40.3 KB
      Views:
      15
  4. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,040
    Location:
    Romania
    This is not a good example. In this screenshot:
    upload_2021-6-8_9-7-28.png
    it is Notepad++ itself that is making the connection to a specific domain and if that connection fails it displays that it could not connect to it. It does not resolve an IP address to a domain name.

    In older Windows versions, those firewalls used to have their own drivers. This means they could intercept your network packets from start to end. You enter yahoo.com in your browser, you initiate a connection to that domain, that driver knows about this request and can show a notification about yahoo.com. Back to WFC, it works in a passive way. It has access to limited data which is logged in the Security event log by Windows Firewall. Without inspecting network traffic, there is no way for WFC to display the domain name from an IP address. An IP address can host hundreds of websites.
     
  5. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,142
    Location:
    Slovakia
    You are right, PH can display it when running as admin with the driver loaded, but it is not really worth the risk of being hijacked, it is OK for temporarily inspecting the traffic, but that is it.
    I thought it too at first, but the domain name does not really say much, besides the IP can be different based on the region you are in, when in EU, you will get EU servers, etc.
    Fox example my cloud software connects to 46.165.242.15, but thanks to ipnetinfo I know, it can use the IP range 46.165.240.0-46.165.247.255, so I add that to the firewall.
     

    Attached Files:

  6. kobashi

    kobashi Registered Member

    Joined:
    Jun 15, 2021
    Posts:
    1
    Location:
    Earth
    Hello, this is my first message here.
    I am asking for your help please, I am totally n00b to networking...
    I have set the WFC recommended rules and deleted all the previous ones.
    I am using a regular internet connection at home without any private network.
    I still get notifications about two Windows services (svchost.exe) from time to time : DNS Client, DHCP Server.
    What would you recommend about these two services :
    - setting up rules ? which ones ? I have tried some with no success (sometime blocking the whole traffic)
    - adding svchost.exe to ignore list ? (that would make me unable to further set a rule of other Windows services)
    - other ?

    Same question with SYSTEM, I also get random notifications about it (Protocol : IGMP).
    Thank you for your help guys
     
    Last edited: Jun 15, 2021
  7. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,142
    Location:
    Slovakia
    DNS Client is fairly easy, just setup your DNS servers IPs and UDP port 53 outbound, that should do.
    DHCP is similar, you need to allow ports 67/68 in some fashion, I have simply setup static IP address.
    Svchost.exe is a pain to setup, but once done, it just works, with occasional prompts.

    capture_06152021_161742.jpg

    You can block it altogether, unless your app really needs ping.

    https://www.bleepingcomputer.com/ne...k-malware-uses-icmp-for-covert-communication/
     
  8. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    5,770
  9. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,272
    Location:
    U.S.A. (South)
    @alexandrud - Its useful enough template to my suiting and I wish you happiness and success
     
  10. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    804
    Location:
    Lunar module
    You can add an IP-range using the correct syntax for the separation of addresses when the red backlight of the IP string will change to the green.
     
  11. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    5,770
    hi @aldist
    is there a screenshot how add an ip-range?
    and are there some rules set that can be shared made to make windows more secure ?
    thanks
     
  12. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,142
    Location:
    Slovakia
    You can add it directly to the notification or by editing the existing rule, but it requires a surgical precision, the box is so tiny. It would be better if people could add IPs or IP angles per line.
    Limit windows processes, like svchost.exe, often used by malware. Limiting it per IP ranges might seem difficult, but there are only handful of them. For example my location produced those, they can be also used by MS apps, store, etc.
    Code:
    2.19.32.0-2.19.47.255,2.20.20.0-2.20.23.255,2.23.0.0-2.23.15.255,2.23.96.0-2.23.111.255,13.64.0.0-13.107.255.255,20.33.0.0-20.128.255.255,20.180.0.0-20.191.255.255,23.192.0.0-23.223.255.255,23.32.0.0-23.67.255.255,40.64.0.0-40.71.255.255,40.74.0.0-40.125.127.255,40.126.0.0-40.126.63.255,51.10.0.0-51.13.255.255,51.103.0.0-51.105.255.255,52.132.0.0-52.143.255.255,52.145.0.0-52.191.255.255,52.224.0.0-52.255.255.255,104.64.0.0-104.127.255.255
     

    Attached Files:

  13. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    5,770
    @TairikuOkami
    hi
    in short to block a range is enough 140.120.54.0-140.120.54.255
    to block all the ip 140.120.54.x ?
    thanks
     
  14. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,212
    Location:
    Canada
  15. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    804
    Location:
    Lunar module
    Yes, right. And if you need access to the address 140.120.54.121 from this range, then the deny rule must contain two sub-ranges
    140.120.54.0-140.120.54.120,140.120.54.122-140.120.54.255
    As you can see 140.120.54.121 is excluded from these ranges.

    @alexandrud
    What is your opinion whether it is necessary to make a column with row numbering like 1, 2, 3 ... 26 ... etc. in the rules panel? This will greatly facilitate user navigation in the rules, since the line number is easy to remember.
     
    Last edited: Jun 21, 2021
  16. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,040
    Location:
    Romania
    I can add a row numbering but I can't ensure the same number for a specific rule. An index property does not exist among other properties of a rule. Once you delete a rule, other rules will change the index. Since there is no order of processing the rules, a column with a random numbering from 1 to X doesn't seem very useful.
     
  17. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    804
    Location:
    Lunar module
    Yes of course. This is just the ordinal number of the line, it is not rigidly tied to a specific rule. There was rule # 56 for Firefox, if you remove any rule above, the rule for Firefox gets # 55 ... and so on.
     
  18. Graphite85

    Graphite85 Registered Member

    Joined:
    Aug 28, 2020
    Posts:
    19
    Location:
    New Zealand
    I've got an issue with Secure Boot and an Asus Z590 motherboard. When I change the profile from high filtering (Secure Boot) to medium filtering my Ethernet adapter/connection is not restored. What could be the problem?
     
  19. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,040
    Location:
    Romania
    Not related with your motherboard. Check in Rules Panel if those two block all firewall rules that are created when High Filtering profile is set are removed when you set back Medium Filtering profile. Secure Boot only sets High filtering profile when a system shutdown event is detected.
     
  20. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    804
    Location:
    Lunar module
    Maybe your network adapter is in the off state? The firewall rules will not enable it.
    sss.png
     
  21. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,142
    Location:
    Slovakia
    DHCP assigns IP at boot, so maybe the timeout period is too long or just something has gone wrong. Check: ipconfig /all
     
  22. Graphite85

    Graphite85 Registered Member

    Joined:
    Aug 28, 2020
    Posts:
    19
    Location:
    New Zealand
    "Those two"? Which two?
     
  23. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,040
    Location:
    Romania
    Set High Filtering profile and open Rules Panel. You will notice two new rules which block all inbound and outbound connections. Those two.
     
  24. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    804
    Location:
    Lunar module
    When the High Filtering profile is enabled or when booting with the Secure Boot option enabled, WFC creates two global deny rules and there is no internet access for everyone.
    ScreenShot_103.png
    When the Medium Filtering profile is enabled, these rules are removed and Internet access appears.
    Even with svchost.exe completely blocked, the IP address is assigned after exactly 16 seconds
     
  25. Graphite85

    Graphite85 Registered Member

    Joined:
    Aug 28, 2020
    Posts:
    19
    Location:
    New Zealand
    Yes the two rules are removed when I switch from high filtering to medium filtering. I will turn on Secure Boot again and see what the two rules are doing on an actual clean boot. That's where I was having issues.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.