Windows firewall freezes my navigation

Discussion in 'other firewalls' started by EboO, Mar 20, 2011.

Thread Status:
Not open for further replies.
  1. EboO

    EboO Registered Member

    Joined:
    Mar 12, 2011
    Posts:
    287
    Hi,

    I hope my title is explicit :)
    I'm using the Windows 7 firewall (64-bit) in advanced mode, and when I block outbound connections the internet is laggy.
    The private profile is active, with the default rules. I just added rules for my software (no specific restrictions).
    I think a rule is missing, because when I allow outbound connections there is no problem.
    I've got a public profile too for my VMs' network (VirtualBox).

    I hope somebody can help me.

    Thanks.
     
    Last edited: Mar 20, 2011
  2. sbseven

    sbseven Registered Member

    Joined:
    Jan 30, 2011
    Posts:
    140
    Not quite sure what you mean by "laggy" as a firewall will either allow a connection or never allow it.

    To trouble-shoot what's getting blocked by the Windows Firewall, you can enable some specific auditing. This will give you information on the packets being blocked and which process / application it affects. See this post: https://www.wilderssecurity.com/showpost.php?p=1717632&postcount=135

    The above link is part of a useful thread on the Windows Firewall, if you're not already aware of it: https://www.wilderssecurity.com/showthread.php?t=239750
     
  3. EboO

    EboO Registered Member

    I know these links. I'm trying something: I asked the firewall to log every event and this afternoon I will read the log. Perhaps it will help me.

    Sorry if "laggy" is not really appropriate, I'm French and don't know which term I can use to describe it :oops:
     
  4. EboO

    EboO Registered Member

    Hi,
    I'm going to read the two links again.
    I'm posting the log with outbound connections blocked; the log contains ignored packets. Perhaps it will help to understand the problem.
    I'm using ClearCloud DNS.

    Thanks.

    EDIT: I've tried the command and it didn't work :(
    I get an error: 0x00000057
    Is there another way to know where the problem is and which connection is blocked?
     

    Attached Files:

    • log.txt
      File size:
      12 KB
      Views:
      13
    Last edited: Mar 22, 2011
  5. sbseven

    sbseven Registered Member

    The log you posted contains some inbound connections being blocked. The only one of note is an inbound connection from 193.252.242.125 on port 80. This appears to be www.pagesjaunes.fr (French yellow pages)? http://whois.domaintools.com/193.252.242.125

    Ahh, I think that's because you're running the French version of Windows! The subcategories of the auditpol command probably aren't the same as the English language ones.

    Try running this command from an elevated command prompt:
    auditpol /list /subcategory:*
    If you can run that command, it will give you the list of auditpol subcategories (en Français). Find the one that translates to: "Filtering Platform Packet Drop". (Filtrage de...)? Substitute the French equivalent of "Filtering Platform Packet Drop" in this command:
    auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:disable /failure:enable

    Use this command instead of the very long auditpol.exe command in the link. (You only need this single subcategory to log the packets the firewall is blocking). Then stop and restart the firewall as detailed in step 4. of this link: http://technet.microsoft.com/en-us/library/cc754714(WS.10).aspx

    Any packets dropped by the Windows Firewall from now on will appear in the Security event log with Event ID = 5152. You can use this information to sort out your problems.

    Bonne Chance ;)
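
Added example, not part of the original post: once the audit subcategory above is enabled, a short PowerShell script can turn the 5152 events into a table of what was dropped. The function name ConvertFrom-Wfp5152Xml and the sample event are constructed for illustration; the direction codes %%14592 (inbound) and %%14593 (outbound) are the values Windows stores in the event data.

```powershell
# Added example: summarise Windows Filtering Platform drop events (ID 5152).
# The EventData field names are not localised, so this also works on a French install.
function ConvertFrom-Wfp5152Xml {
    param([Parameter(ValueFromPipeline = $true)][string]$EventXml)
    process {
        $data = @{}
        foreach ($d in ([xml]$EventXml).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        # Direction is stored as a message id, not as text.
        $dir = switch ($data['Direction']) {
            '%%14592' { 'In' }
            '%%14593' { 'Out' }
            default   { $data['Direction'] }
        }
        New-Object PSObject -Property @{
            Application = $data['Application']
            Direction   = $dir
            Protocol    = $data['Protocol']      # IANA number: 6 = TCP, 17 = UDP
            DestAddress = $data['DestAddress']
            DestPort    = $data['DestPort']
        }
    }
}

# Constructed sample event (a blocked outbound DNS query), so the parser runs offline.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>5152</EventID></System>
  <EventData>
    <Data Name="Application">\device\harddiskvolume2\windows\system32\svchost.exe</Data>
    <Data Name="Direction">%%14593</Data>
    <Data Name="SourceAddress">192.168.1.10</Data>
    <Data Name="DestAddress">74.118.212.1</Data>
    <Data Name="DestPort">53</Data>
    <Data Name="Protocol">17</Data>
  </EventData>
</Event>
'@
$sample | ConvertFrom-Wfp5152Xml | Format-Table -AutoSize

# Live use, from an elevated prompt with the audit subcategory enabled:
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5152 } -MaxEvents 500 |
#   ForEach-Object { $_.ToXml() } | ConvertFrom-Wfp5152Xml |
#   Where-Object { $_.Direction -eq 'Out' } |
#   Group-Object Application, DestAddress, DestPort, Protocol |
#   Sort-Object Count -Descending | Select-Object Count, Name
```

Grouping the outbound drops by application, destination and port shows at a glance which allow rule is missing.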
     
  6. EboO

    EboO Registered Member

    Thanks, the command is right (in French it's "Rejet de paquet par la plateforme de filtrage", not really to find :) )

    About the blocked inbound connection: I wasn't on www.pagesjaunes.fr during my test, probably a pop-up/advertisement.
     
  7. sbseven

    sbseven Registered Member

    Good.

    If you want to check the current audit setting:
    auditpol /get /subcategory:"Rejet de paquet par la plateforme de filtrage"

    If you want to turn off the auditing:
    auditpol /set /subcategory:"Rejet de paquet par la plateforme de filtrage" /success:disable /failure:disable
     
  8. EboO

    EboO Registered Member

    Thanks for this information.

    I've looked at the audit:
    a lot of inbound packets are blocked, no problem.
    A few outbound packets are blocked, essentially from my IP to the DNS server (one time it's svchost.exe to 207.46.232.182 on port 123, it's Windows Time I think).
    Is it a DNS problem?
    I've got this rule for DNS: svchost UDP out, remote IP 74.118.212.1 and 74.118.212.2, port 53.
     
  9. sbseven

    sbseven Registered Member

    This link is useful for pointers to some of the rules you might want in your firewall: http://www.outpostfirewall.com/forum/showthread.php?t=9858

    A couple of rules you probably want:
    • Windows Update (svchost.exe for service wuauserv)
    • Windows Time (svchost.exe for service W32Time) if you want to sync it with a server.

    Note:
    • DNS (and DHCP) should already be covered by default rules under "Core Networking" (in English).
    • You should always set up a rule for svchost.exe for a particular service for added security.
     

    Last edited: Mar 22, 2011
  10. EboO

    EboO Registered Member

    Many thanks for the help and the information.
    I'm going to read the Outpost topic; there's also a topic about programs to allow in this section of the forum.
    I've stopped the audit. I will see if it works fine :)
    I removed ClearCloud's IP from the DNS rule (they're in my wireless card's parameters).
     
  11. EboO

    EboO Registered Member

    Bad news: my problem is still here, I don't understand why.
    During the activation of the audit everything was fine.
    It seems to happen when I have many outbound connections. I can't explain it o_O
     
    Last edited: Mar 22, 2011
  12. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,558
    With what browser?
    For Firefox you should also allow incoming connections from localhost (127.0.0.1).

    Panagiotis
     
  13. EboO

    EboO Registered Member

    Which type of rule, please?
    I'm using Opera and Firefox.
    For both, the rule is "outbound from any to any", no port restrictions.
     
  14. sbseven

    sbseven Registered Member

    I think you need to explain your problem in more detail, if you need more help.

    What error messages are you seeing? Is the problem consistently happening or just intermittently? Is it a specific application that doesn't work properly? Does your web browser work? Are you failing to connect to a LAN or network shares?
     
  15. sbseven

    sbseven Registered Member

    That may depend on your individual configuration. I'm using Firefox but have no rules for local host...
     
  16. EboO

    EboO Registered Member

    There's no error message; what I can say is that the opening of web pages is slow (with Firefox or Opera).
    Sometimes it takes a long time to download my emails with Thunderbird, sometimes not.
    No problem with my connection.
    I'm using my PC essentially for the web, that's why I say the problem is with browsers.
    If I change settings in the firewall and allow outbound connections everything works fine.
    And the only error in the audit is about the DNS.
     
  17. pandlouk

    pandlouk Registered Member

  18. sbseven

    sbseven Registered Member

    OK, I understand. What programs are you running in real-time (anti-virus software, HIPS, monitors etc)? Could something be clashing or timing out when you block outbound?

    What is this error exactly?
     
  19. sbseven

    sbseven Registered Member

    Yes, I see those loopback connections for Firefox via TCPView, but as I said I can't see an active rule within the Windows Firewall that covers this. Is it default allowed via some other mechanism? My Firefox rule is the standard: Allow TCP OUT 80, 443.
     
  20. EboO

    EboO Registered Member

    The other real-time protection program is Vipre Antivirus (not the premium version) and I don't know which program could block the connection.

    The error about DNS is in the audit: it's when I filter on 5152.
    I'll enable the audit again and try to get more information.

    The ClearCloud DNS servers are only on my notebook, not on my router (it creates a conflict with the home phone); could that be the reason for the problem?
     
  21. EboO

    EboO Registered Member

    Is it necessary to allow inbound connections from the DNS server to the PC?

    Since yesterday I've looked for the error in the audit; everything is about ClearCloud for outbound and sometimes for inbound.
     
  22. sbseven

    sbseven Registered Member

    I don't think Vipre Antivirus monitors HTTP traffic so it shouldn't be involved in your issue. It does monitor email traffic over POP3/SMTP apparently. You'll need to refer to the product documentation regarding any firewall settings that may be required. Or ask on their support forum.

    You could test that Vipre isn't causing your problem by disabling it temporarily and seeing if that makes any difference.

    Not sure what you mean here. I assume you're using ADSL filters appropriately? http://fr.wikipedia.org/wiki/Filtre_ADSL

    No.

    Can you attach a screen print of each of these error messages?
     
  23. EboO

    EboO Registered Member

    Thanks for trying to help me :)

    I tried with Vipre disabled and it's the same problem. I've been using Vipre for two weeks; before, I had Antivir Premium and OA (HIPS disabled) but no issue. I uninstalled Antivir and ran the Avira RegCleaner, everything seems to be OK. Same for OA, no entries at boot time in Autoruns.

    About my router: I had a problem with the phone because my box was "crazy" and lost synchronisation and couldn't load the file for the phone afterwards (probably due to the DNS). But now I've changed it and it works fine.

    I'm posting an attachment of an error.
     

  24. sbseven

    sbseven Registered Member

    I've seen that error before, I get the same event in my Vista setup. I actually posted about it here, item 2. (https://www.wilderssecurity.com/showpost.php?p=1831714&postcount=389). Nobody came up with a satisfactory answer as to its meaning, but it does not cause any problems on my machine and I don't think it is the cause of your problem. I'm pretty sure you can ignore it.

    So it appears that nothing is actually being blocked by the firewall...

    Does the slowdown happen, immediately, every time you switch outbound blocking on? (So you can switch outbound blocking on, immediately slow access, switch outbound blocking off, immediately fast access, switch outbound blocking on, slow access...). I think you mentioned earlier that it sometimes works OK until you have "many outbound connections". Maybe this indicates it's not actually the firewall causing the problem?

    Have you tested with a different DNS service? You could try Norton DNS as a test: 198.153.192.1 and 198.153.194.1 or your ISP's DNS. Or test a third party firewall to see if you get the same issues?

    Sorry, I haven't got any definite answers for you.
     
  25. EboO

    EboO Registered Member

    The slowdown appears while I'm using Opera or Firefox, or Thunderbird for example.
    It happens immediately when I try to load a page. And now I notice that with outbound on or off it's the same...
    I think it's a DNS problem, because the slowdown seems to be increased by the number of outgoing requests.
    I'm going to try with my ISP's DNS; my DNS cache is empty.

    More (good?) information later.
     