Windows Firewall Control (WFC) by BiniSoft.org

Discussion in 'other firewalls' started by alexandrud, May 20, 2013.

  1. Spk

    Spk Registered Member

    Joined:
    Mar 31, 2022
    Posts:
    3
    Location:
    Australia
    I've been using WFC for several years and it's great. Yesterday I noticed something that puzzles me.

    I've installed Wireguard on my PC which connects to a Wireguard server at a remote location.

    Curiously I didn't need to create an ALLOW OUT rule on my PC with the WFC filtering profile set to medium. Wireguard simply connected to the server without any issues. Nothing showed up in the WFC ALLOW OUT logs either.

    Upon investigation, I found there was no way to stop Wireguard via Windows Firewall (using WFC). I tried creating specific BLOCK rules for the Wireguard process, port, protocol but nothing worked. Then I tried general block rules for all processes, ports, protocols and still Wireguard could make a connection to the server and maintain its 'handshaking'.

    Finally I tried setting the WFC filtering profile to high, which I thought would completely block my PC from accessing the internet. But Wireguard could still connect to the remote server and maintain the connection, although nothing else on my PC could connect to the internet.

    I then executed netsh wfp show state D:\wfpstate.xml to track down the rule which was allowing Wireguard to make the connection. I discovered it was:

    <name>Default Outbound</name>
    <description>This is the default outbound filter which blocks or permits traffic based on user configured default settings</description>

    Would this mean there is a problem/bug with Windows Firewall itself because it allows some traffic no matter what?
     
  2. tnodir

    tnodir Registered Member

    Joined:
    Oct 21, 2017
    Posts:
    230
    Location:
    etc
    Which product have you installed?
    Maybe it uses a driver for connections.
     
  3. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    3,355
    Location:
    Location Unknown
    Something's wrong with your ruleset. I use wireguard all the time, both the VPN protocol and the application. It most definitely can be blocked with a deny rule. Wireguard by default runs on UDP port 51820. Is that allowed by any other rule? How are your firewall profiles set up? Are both public and private deny by default?
     
  4. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,451
    Location:
    Romania
    Like any VPN protocol, WireGuard should be able to bypass firewalls, including Windows Firewall. I confirm that WireGuard can activate a tunnel and this has nothing to do with Windows Firewall. However, you still need to allow your programs through Windows Firewall to allow them to connect to your network, protected or unprotected. This is expected behavior.
     
  5. Spk

    Spk Registered Member

    Joined:
    Mar 31, 2022
    Posts:
    3
    Location:
    Australia
    That's the part I don't understand. How can Wireguard establish a tunnel to a remote machine (on port 51730 in my case) when no outgoing connections are allowed? (High filtering enabled). And why does this have nothing to do with the firewall?

    Obviously traffic can flow through the VPN tunnel unimpeded by a firewall, once the tunnel is established (assuming there are no specific BLOCK rules on the program utilising the tunnel). I'm trying to understand how the tunnel is being established in the first place.
     
  6. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,451
    Location:
    Romania
    Please send an email to team@wireguard.com and they can probably explain it better than I could do it.
     
  7. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,451
    Location:
    Romania
    Did they respond? If you have news related to this topic share them with us too. Thank you.
     
  8. Spk

    Spk Registered Member

    Joined:
    Mar 31, 2022
    Posts:
    3
    Location:
    Australia
    I haven't received a response yet. I'll follow it up.

    If / when they respond I will definitely share the information here.
     
  9. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    3,355
    Location:
    Location Unknown
    I've been having a very odd issue with the firewall. I'm not able to tell if it's with WFC, Windows' advanced firewall, or both. I know the former is just a GUI for the latter, but maybe there's a setting there causing my issue. Anyway, I play Destiny 2 on Steam. And, lately, I cannot successfully connect to the Destiny 2 servers without first disabling the Firewall. That makes no sense because, as you can see below, the rule for Destiny2.exe allows access for everything. Nothing is blocked, in or out. Yet if I look at the log there are numerous entries for Destiny2.exe. If I let WFC create an allow rule for me, based on the log, it creates a rule that matches what I already have. And still I get more blocked entries in the log. I'm at a loss for what the issue could be. There are no block rules that could be denying the request, yet if I disable the firewall everything works. Anyone have any ideas?

    rules.png

    log.png
     
  10. tnodir

    tnodir Registered Member

    Joined:
    Oct 21, 2017
    Posts:
    230
    Location:
    etc
    See "Firewall" tab in "Process Hacker 3" for WFP blocked actions.
     
  11. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,451
    Location:
    Romania
    For inbound rules, some of them don't work with Any protocol. Create two inbound rules, one for UDP protocol and one for TCP protocol. This will allow you in theory to play the game with Low Filtering profile, so that you don't have to disable Windows Firewall. As for the outbound rule not being applied, use this guide to find out which rule blocks the connection despite having the allow rule. You could also send an email to the developers of the game and ask them how to allow their game when outbound filtering is enabled in Windows Firewall. They must have a solution.
     
  12. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    3,355
    Location:
    Location Unknown

    @alexandrud, thanks so much! I think I got it working now, even with medium filtering mode. I've tried everything I could think of, clearing all my rules and entering learning mode, deleting all my block rules, creating allow rules from the log. But nothing worked. I did not know that Windows' firewall had a tcp/udp limitation. I think that's what solved it for me. I created both rules, and launched the game. It launched successfully, and there were no blocked log entries.

    Knowing my luck, tomorrow it won't work. But right now it does. Thanks!!

    Edit - I spoke too soon. After rebooting, I'm back to the same problem even with the separate tcp and udp rules. I tried searching the netevents.xml files and there are no 73053 entries. So I'm not sure what to do. But it does work with EFC on low mode.

    Edit 2 - I think it has something to do with private versus public network profiles. I'm not sure why yet, but I know that when an adapter is set to private it does not work and when it's set to public it does. I use profiles to restrict application connectivity, restricting all but private profiles.
     
    Last edited: Apr 15, 2022
  13. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    3,355
    Location:
    Location Unknown
    Hmmm...the only process hacker app I know of is only on version 2.39, and has no firewall tab. Link?
     
  14. tnodir

    tnodir Registered Member

    Joined:
    Oct 21, 2017
    Posts:
    230
    Location:
    etc
  15. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    3,355
    Location:
    Location Unknown
    Everything seems to work if I set the adapter to public, then alter my firewall rules to block the private and domain profiles for apps I want blocked (rather than blocking the public and domain like it was set up before when the adapter was using the private profile). The only issue is I cannot figure out why that matters.
     
  16. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    3,355
    Location:
    Location Unknown
    @tnodir, that was the application I was thinking about. But I didn't know about v3. Thanks for the link. I'll test it after I get off work.
     
  17. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,451
    Location:
    Romania
    That is the filter id from my machine, on your machine it will be different. But, forget about it. I just tried the Firewall tab from Process Hacker 3.0.4754 and it does this matching automatically. Thank you @tnodir for mentioning this modern solution :)
    Windows Firewall just enables/disables some group names when you switch the location. The difference is in the amount of enabled firewall rules. Don't tell me it is svchost.exe :thumbd: Anyway, keep us updated if you find the culprit.
     
  18. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    3,355
    Location:
    Location Unknown
    Ok. This is very interesting, and I have no idea what to do next. When using Process Hacker v3, the reason for blocking destiny2.exe is "This is the default outbound filter which blocks or permits traffic based on user configured default settings." Since there's no actual block rule I'm not sure what to do.

    3.png
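
    The lookup discussed in the posts above (netsh wfp show state, the filter id searched for in netevents.xml, and the match Process Hacker 3 does automatically), done by hand. This is an added example, not code from any poster or from WFC; the temp folder and the XML element names (classifyDrop, filterId, displayData, action/type, layerKey) are assumptions about the netsh dump layout.

```powershell
# Added example: attribute WFP drops to the filter that caused them.
# Run from an elevated PowerShell right after reproducing the blocked connection.
$dir = Join-Path $env:TEMP 'wfp-diag'            # arbitrary working folder
New-Item -ItemType Directory -Force -Path $dir | Out-Null
$stateFile = Join-Path $dir 'wfpstate.xml'
$eventFile = Join-Path $dir 'netevents.xml'

netsh wfp show state "file=$stateFile" | Out-Null       # all current filters
netsh wfp show netevents "file=$eventFile" | Out-Null   # recent drop events

$state  = New-Object System.Xml.XmlDocument; $state.Load($stateFile)
$events = New-Object System.Xml.XmlDocument; $events.Load($eventFile)

function Get-NodeText($node, $xpath) {
    # Return the text of a child node, or '' when it is absent.
    $n = $node.SelectSingleNode($xpath)
    if ($n) { $n.InnerText } else { '' }
}

# Count drop events per filter id (assumed layout: <classifyDrop><filterId>).
$drops = $events.SelectNodes('//classifyDrop/filterId') |
    ForEach-Object { $_.InnerText } |
    Group-Object | Sort-Object Count -Descending

# Resolve each id against the state dump. Ids are machine-specific.
$report = foreach ($g in $drops) {
    $f = $state.SelectSingleNode("//filters/item[filterId='$($g.Name)']")
    [pscustomobject]@{
        Drops    = $g.Count
        FilterId = $g.Name
        Name     = if ($f) { Get-NodeText $f 'displayData/name' } else { '(not in state dump)' }
        Action   = if ($f) { Get-NodeText $f 'action/type' } else { '' }
        Layer    = if ($f) { Get-NodeText $f 'layerKey' } else { '' }
    }
}
$report | Format-Table -AutoSize
```

    When the name that comes back is "Default Outbound", the description quoted in the thread says the configured default action was applied, so the thing to look for is an allow rule that did not match rather than an explicit block rule.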
     
  19. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,925
    sort your rules for name in each mode (private/public), take images and compare images, then you will see if there is a rule missing or deactivated which may be mandatory.

    for a common network with router (and maybe other lan computers) "private" is appropriate, public means direct access to the web, means wifi, modem, other.

    "public" is more strict from my view and needs more or other security settings than "private". that's a major question when you install windows 8/10/11: see
    https://www.howtogeek.com/245982/wh...tween-private-and-public-networks-in-windows/
     
  20. e_davydova

    e_davydova Registered Member

    Joined:
    Dec 15, 2018
    Posts:
    3
    Location:
    Ukraine
    Hello guys. I am using AnyDesk program on Windows 10. I created rules for AnyDesk to allow it Internet access but every time I run AnyDesk with admin privileges, AnyDesk creates duplicate rules. As I see it, Windows won't tell AnyDesk that appropriate rules already exist. Is there a way to fix it? Screenshot attached. Rules are identical (according to WFC)
     
  21. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    1,115
    Location:
    Lunar module
    Applications running with administrative privileges can create Windows firewall rules on their own, this is normal from the operating system's point of view, but not from the user's point of view.
    The WFC with the Secure Rules + Disable unauthorized rules option enabled disables these rules and adds the U prefix to the rule name.
    If you select Secure Rules + Delete unauthorized rules, unauthorized rules will be removed.
    Choose the option that works best for you.
    Stay with Ukraine! 1.gif
     
  22. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,451
    Location:
    Romania
    Why didn't you include the direction of the rules in your example? If those rules that are in Windows Firewall Control group are outbound rules, they are not required. Just one outbound rule for Any location is required to allow outbound connections to their servers. As for the inbound rules, add them in a group name so that Secure Rules will not disable them and they will not be created again as duplicates.
     
  23. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    3,355
    Location:
    Location Unknown
    Ok. I think I really have the solution this time. I thought the solution was the profile type. That was not the case. After I rebooted my issue was still there, even with the profile change. But, as @alexandrud said, sometimes the allow rules don't work like they're supposed to. This was the case here. The allow rules, allow generically set, didn't work. I created 4 allow rules, UDP in/out and TCP in/out, and now destiny 2 works on the private profile.
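
    The four explicit rules described in this post, following the earlier advice to replace an "Any" protocol rule with separate TCP and UDP rules and to keep rules in a named group. This is an added example, not the poster's or WFC's own commands; the program path, group name and rule label are placeholders.

```powershell
# Added example: explicit TCP/UDP allow rules instead of one protocol "Any" rule.
# Run from an elevated PowerShell. All three values below are placeholders.
$exe        = 'C:\Path\To\destiny2.exe'   # placeholder program path
$group      = 'Example Game Rules'        # hypothetical group name
$label      = 'Destiny 2 (example)'       # hypothetical rule label
$netProfile = 'Private'                   # profile the rules apply to

# 1. List existing rules for this program that rely on protocol "Any".
Get-NetFirewallApplicationFilter -Program $exe -ErrorAction SilentlyContinue |
    Get-NetFirewallRule |
    Where-Object { ($_ | Get-NetFirewallPortFilter).Protocol -eq 'Any' } |
    Select-Object DisplayName, Direction, Action, Profile, Enabled

# 2. Create one allow rule per direction and protocol (four in total).
#    The existence check keeps repeated runs from piling up duplicates.
foreach ($direction in 'Inbound', 'Outbound') {
    foreach ($protocol in 'TCP', 'UDP') {
        $name = "$label $direction $protocol"
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Group $group `
                -Direction $direction -Protocol $protocol -Program $exe `
                -Action Allow -Profile $netProfile | Out-Null
        }
    }
}

# 3. Verify what was stored, including the protocol of each rule.
Get-NetFirewallRule -Group $group | ForEach-Object {
    [pscustomobject]@{
        Rule      = $_.DisplayName
        Direction = $_.Direction
        Protocol  = ($_ | Get-NetFirewallPortFilter).Protocol
        Profile   = $_.Profile
        Enabled   = $_.Enabled
    }
} | Format-Table -AutoSize

# 4. Show the default action per profile, which applies when no rule matches.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction
```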
     
  24. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,438
    Location:
    Slovakia
    Good for you, if it would only work with Microsoft Account Sign-in Assistant (svchost.exe). :(
     

  25. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    3,355
    Location:
    Location Unknown
    For me, unrestricted outbound allow for svchost.exe works just fine with Windows 11 tied to an MS account.

    1.png
     