Windows Firewall with Advanced Security (Guide for Vista)

Discussion in 'other firewalls' started by Stem, Apr 19, 2009.

Thread Status:
Not open for further replies.
  1. wat0114

    wat0114 Guest

    You're welcome! BTW, I hardly ever use uTorrent, but when I did use it with those rules it seemed the connection was slower than without the fw enabled, and often it would speed up when I stopped the torrent download, then re-started it a bit later. I don't know why it would happen, but for some reason this would help. It seems torrent utilities need very liberal rules to run best, maybe more open icmp rules are needed, but I'd rather keep things tight and live with a slower connection as a tradeoff, especially since I hardly ever use it.
     
  2. zerotox

    zerotox Registered Member

    Joined:
    Jul 16, 2009
    Posts:
    419
    I agree, I still am not satisfied with the upload performance though I allowed (upon recommendation in their forum) ICMP "Destination unreachable" out for all programs and only for Utorrent ICMP type 3 code 4. So I think it needs more ICMP settings allowed but I'm tired of trying.
     
  3. Doraemon

    Doraemon Registered Member

    Joined:
    Aug 5, 2009
    Posts:
    202
    Just one little question: does the Windows FW w/AS allow a way to save the configuration to a file so you can import it in a second computer?

    Thanks! :D :cool: :thumb:
     
  4. wat0114

    wat0114 Guest

    Yes, to import or export the configuration:

    -http://www.online-tech-tips.com/computer-tips/import-and-export-windows-firewall-configurations/

    If you are behind a router, as I am, that could and will also impede the torrent's network performance. You could try forwarding the torrent ports to your PC's local IP address. You can probably search for and find out how for your router make/model.
     
    Last edited by a moderator: Feb 4, 2011
  5. Doraemon

    Doraemon Registered Member

    Joined:
    Aug 5, 2009
    Posts:
    202
    Thanks mate! :thumb: :thumb: :thumb:
     
  6. Heimdall

    Heimdall Registered Member

    Joined:
    Jul 29, 2009
    Posts:
    185
    Whilst I understand people's reticence to allow various types of ICMP message through the firewall, restricting the protocol's functionality can and will cause communication problems. In addition to allowing Echo replies, I'd suggest the following.

    ICMP type 3 (Destination unreachable) either via a general rule or more explicitly, by defining the individual unreachable codes. Because of the fluid nature of a torrent swarm, it's recommended that one allows these messages.

    If you do decide to create specific rules, be sure you also allow type 3 code 4, which is Fragmentation needed (correct MTU negotiation), in addition to type 3, codes 1, 2 and 3 (not all may be necessary or desirable).

    ICMP Type 11 (Time exceeded). This plays an important part in error reporting. In addition, you will not be able to use tracert without this enabled.

    I appreciate there are a number of ways in which ICMP may be used maliciously; however, at heart, ICMP is nothing more than a messaging protocol. It does not carry a payload, in the sense that TCP or UDP do, and without ICMP messages various communication errors will go unnoticed/unprocessed.

    For more information:
    RFC 792 - Internet Control Message Protocol (RFC792)

    RFC 1122 - Requirements for Internet Hosts - Communication ...

    ICMP Usage In Scanning (PDF)
     
  7. wat0114

    wat0114 Guest

    These are my ICMPv4 (I have several ICMPv6 as well) rules in text form, built off of several days of using Jetico pfw a few months ago...

    I don't have Fragmentation needed because it never triggered Jetico's network activity monitoring. I think for a basic home, non-networked pc, these are probably more than adequate. For torrent downloads/uploads and local networking, probably more are needed, for sure.
     

    Attached Files:

    Last edited by a moderator: Feb 5, 2011
  8. Heimdall

    Heimdall Registered Member

    Joined:
    Jul 29, 2009
    Posts:
    185
    Fragmentation needed is covered, because your Destination unreachable rule is set for type 3, code any. For torrent traffic, this is probably the most important.

    One thing I didn't mention in my earlier post is the requirement for ICMP6 when using IPv6. This protocol moves the goal posts completely with regard to ICMP6 and needs to be considered very carefully.
     
  9. wat0114

    wat0114 Guest

    Okay I see, because Fragmentation needed is code 4 for type 3 (Destination unreachable). Thanks for pointing that out :)

    *EDIT*

    I just realized I also have a "ICMP Destination unreachable to router" rule...

    Code:
    Rule Name:                            Destination Unreachable to router
    ----------------------------------------------------------------------
    Enabled:                              Yes
    Direction:                            Out
    Profiles:                             Domain,Private,Public
    Grouping:                             
    LocalIP:                              Any
    RemoteIP:                             192.168.1.254/32
    Protocol:                             ICMPv4
                                          Type    Code
                                          3       Any 
    Edge traversal:                       No
    Action:                               Allow
    This was also created off of Jetico pfw.
     
    Last edited by a moderator: Feb 6, 2011
  10. Heimdall

    Heimdall Registered Member

    Joined:
    Jul 29, 2009
    Posts:
    185
    I can't really think of a reason why you'd need both those rules, as the more general of the two does everything the more restrictive rule does.

    These text dumps are from Jetico?
     
  11. wat0114

    wat0114 Guest

    One is inbound, the other outbound (outbound to the router). The text files are created from the cmd line: netsh advfirewall firewall show rule name=all >c:\users\johndoe\firewallrules.txt

    Jetico is used to help create the rules when it is in learning mode. It will pop up an alert whenever some form of network activity is attempted, either from a program, service or other type of protocol such as ICMP, IGMP, etc. It's up to the user to allow or deny the rule, and fine-tune it to their liking. After several days of this, I export the final config (.xml file), uninstall Jetico, activate Win 7 fw, choose Public profile, then use the config file to help me assemble the same rules, at least those I choose to use, for it.
     
  12. Heimdall

    Heimdall Registered Member

    Joined:
    Jul 29, 2009
    Posts:
    185
    It would help if I could :oops: as it clearly says 'out' doh!

    When I was setting-up Windows 7 firewall, I used a similar approach, although a different third-party product was used as a basis for what has now been implemented.
     
  13. wat0114

    wat0114 Guest

    No worries... been there, done that all the time :)

    It helped me a lot. There's no way I could have figured out all those rules it generated alerts on.
     
  14. sbseven

    sbseven Registered Member

    Joined:
    Jan 30, 2011
    Posts:
    140
    I'm trying to quiet the last "noise" items in my Windows Firewall logs. Can anyone help shed any light on what's causing the following?

    1. After every boot, I get the following dropped packet for the svchost.exe process that runs the DHCP Client (amongst others). I have the standard Core Networking - Dynamic Host Configuration Protocol (DHCP-In) entry enabled, but this message is dropped because the source and destination ports are swapped...

    wfw1.jpg
    wfw3.jpg



    2. Randomly (while browsing I think), I get the following dropped packet. The destination IP is either of the DNS entries that I've got hard set in my router. Interestingly this entry only appears in the event log and doesn't appear in the pfirewall.log for some reason?

    wfw2.jpg

    I tried setting up an ICMP rule covering Destination Unreachable for my DNS addresses after reading https://www.wilderssecurity.com/showpost.php?p=1823956&postcount=384 (wat0114's post a few above) and this old post https://www.wilderssecurity.com/showpost.php?p=8459&postcount=2, but it made no difference.


    3. I also get random TCP:80 connections to M$ addresses from the svchost.exe that is running:
    • Cryptographic Services
    • DNS Client
    • KtmRm for Distributed Transaction Coordinator
    • Network Location Awareness

    Anyone know off-hand, which one is phoning home, before I do some trial and error testing?

    Thanks.
     
    Last edited: Feb 21, 2011
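    Two questions in this thread come down to "which rule, if any, would match this packet": whether a type 3 / code Any rule already covers Fragmentation needed (posts 8 and 9), and why a DHCP datagram whose ports appear reversed is dropped despite a DHCP-In rule being enabled (post 14). The script below is an added example, not code from the thread or from Microsoft: it parses the text format that `netsh advfirewall firewall show rule name=all` prints (as quoted in posts 9 and 15) and evaluates constructed packets against the parsed rules. The second rule in the sample dump is a constructed stand-in for the built-in DHCP-In rule; 68/67 are the real BOOTP client/server ports, and all IP addresses are constructed. Keywords such as LocalSubnet and IPv6 ranges are not modelled.

```python
"""Parse the output format of `netsh advfirewall firewall show rule name=all`
(the dumps quoted in this thread) and test which rules match a connection."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample in the netsh dump format. Rule 1 mirrors the
# "Destination Unreachable to router" rule quoted above; rule 2 is a
# constructed stand-in for Core Networking DHCP-In (68/67 are the real
# BOOTP client/server ports).
SAMPLE_DUMP = """
Rule Name:                            Destination Unreachable to router
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            Out
Profiles:                             Domain,Private,Public
LocalIP:                              Any
RemoteIP:                             192.168.1.254/32
Protocol:                             ICMPv4
                                      Type    Code
                                      3       Any
Action:                               Allow

Rule Name:                            DHCP-In (constructed)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             UDP
LocalPort:                            68
RemotePort:                           67
Action:                               Allow
"""

@dataclass
class Rule:
    name: str; enabled: bool; direction: str; protocol: str
    local_ip: str; remote_ip: str
    local_port: str = "Any"; remote_port: str = "Any"
    icmp: List[Tuple[str, str]] = field(default_factory=list)  # (type, code) rows
    action: str = "Allow"

@dataclass
class Packet:
    direction: str; protocol: str          # "In"/"Out"; "ICMPv4", "TCP" or "UDP"
    local_ip: str; remote_ip: str
    local_port: Optional[int] = None; remote_port: Optional[int] = None
    icmp_type: Optional[int] = None; icmp_code: Optional[int] = None

KEY_VALUE = re.compile(r"^([A-Za-z][A-Za-z ]*):\s*(.*)$")

def parse_rules(text: str) -> List[Rule]:
    blocks, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("---"):
            continue
        m = KEY_VALUE.match(line)
        if m and m.group(1) == "Rule Name":
            cur = {"name": m.group(2).strip()}
            blocks.append(cur)
        elif m and cur is not None:
            cur[m.group(1)] = m.group(2).strip()
        elif cur is not None:
            # A line without a colon under an ICMP rule is a row of the Type/Code table.
            parts = line.split()
            if len(parts) == 2 and parts != ["Type", "Code"]:
                cur.setdefault("icmp", []).append((parts[0], parts[1]))
    return [Rule(d["name"], d.get("Enabled") == "Yes", d.get("Direction", "In"),
                 d.get("Protocol", "Any"), d.get("LocalIP", "Any"), d.get("RemoteIP", "Any"),
                 d.get("LocalPort", "Any"), d.get("RemotePort", "Any"), d.get("icmp", []),
                 d.get("Action", "Allow")) for d in blocks]

def _ip_matches(spec: str, ip: str) -> bool:
    if spec == "Any":
        return True
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(p.strip(), strict=False)
               for p in spec.split(","))

def _port_matches(spec: str, port: Optional[int]) -> bool:
    if spec == "Any":
        return True
    if port is None:
        return False
    for part in spec.split(","):                 # "80,443" or "1024-65535"
        lo, _, hi = part.strip().partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def _icmp_matches(rows, itype, icode) -> bool:
    if not rows:                                 # no table means any type, any code
        return True
    return any((t == "Any" or int(t) == itype) and (c == "Any" or int(c) == icode)
               for t, c in rows)

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if not rule.enabled or rule.direction != pkt.direction or rule.protocol != pkt.protocol:
        return False
    if not (_ip_matches(rule.local_ip, pkt.local_ip) and _ip_matches(rule.remote_ip, pkt.remote_ip)):
        return False
    if rule.protocol in ("TCP", "UDP"):
        return _port_matches(rule.local_port, pkt.local_port) and _port_matches(rule.remote_port, pkt.remote_port)
    return _icmp_matches(rule.icmp, pkt.icmp_type, pkt.icmp_code)

def matching_rules(rules: List[Rule], pkt: Packet) -> List[str]:
    return [r.name for r in rules if rule_matches(r, pkt)]

def demo() -> dict:
    rules = parse_rules(SAMPLE_DUMP)
    # Type 3 / code Any already covers Fragmentation needed (type 3, code 4).
    frag = Packet("Out", "ICMPv4", "192.168.1.10", "192.168.1.254", icmp_type=3, icmp_code=4)
    # A DHCP ACK arrives from server port 67 to client port 68 and matches DHCP-In;
    # the same datagram with the ports reversed matches nothing, so it is logged as dropped.
    ack = Packet("In", "UDP", "255.255.255.255", "192.168.1.254", local_port=68, remote_port=67)
    swapped = Packet("In", "UDP", "255.255.255.255", "192.168.1.254", local_port=67, remote_port=68)
    return {"frag_needed": matching_rules(rules, frag), "dhcp_ack": matching_rules(rules, ack),
            "swapped": matching_rules(rules, swapped)}

if __name__ == "__main__":
    for label, names in demo().items():
        print(f"{label}: {names or 'no matching rule (dropped)'}")
```

    To use it on a real machine, redirect the netsh output to a file as in post 11 and pass the file contents to `parse_rules`, then build a `Packet` from the direction, protocol, addresses and ports shown in a dropped-packet log entry; an empty result means no enabled rule claims that packet, which is exactly the case the firewall logs as a drop.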
  15. wat0114

    wat0114 Guest

    I get lots of blocked ICMP from my router to local 224.0.0.1 with no rhyme or reason why, since I have ICMP rules that should cover these, but it makes no difference. I'm really quite confused as to why they're happening o_O Anyway, it doesn't seem to adversely affect my network traffic.

    Probably wuauserv.exe. If you check my rules, I've restricted it to specific ip address/CIDR mask Windows update server addresses:

    Code:
    Rule Name:                            Custom Rule - Allow svchost - wuauserv  to Port 80 & 443 - Service: wuauserv
    ----------------------------------------------------------------------
    Enabled:                              Yes
    Direction:                            Out
    Profiles:                             Public
    Grouping:                             
    LocalIP:                              Any
    RemoteIP:                             65.54.51.0/24,65.54.95.0/24,65.55.0.0/16,206.108.207.0/24,207.46.0.0/16
    Protocol:                             TCP
    LocalPort:                            Any
    RemotePort:                           80,443
    Edge traversal:                       No
    Action:                               Allow
    Keep in mind these addresses could be very different for you as they vary from region to region.
     
  16. sbseven

    sbseven Registered Member

    Joined:
    Jan 30, 2011
    Posts:
    140
    I agree I've not noticed any issues, but wondered what the actual ICMP error is? (You can't tell from the event logs as it doesn't give the specific ICMP code/subcode). Actually, this is the only ICMP drop packet I normally see, even with no ICMP FW rules, although I only have a single PC and router setup.

    No, it's not that. This is always coming from the specific svchost.exe PID which contains the 4 services in my previous post...
     
  17. wat0114

    wat0114 Guest

    It's a bad day for me - definitely not too sharp today :D . I've done some checking of my logs and I indeed see the same svchost-related services blocked that you see. Well, I don't know which service is trying to connect to those MS IP addresses, but maybe I'll dig a bit later on :) If you find out, please let me know.

    *EDIT*

    To add: the important thing to know is that whatever's blocked, it's not required for Windows Updates. The wuauserv.exe service is all that's required.
     
    Last edited by a moderator: Feb 21, 2011
  18. sbseven

    sbseven Registered Member

    Joined:
    Jan 30, 2011
    Posts:
    140
    I'm trying svchost.exe->DNS Client. I've given it access to TCP:80 OUT for a while...
     
  19. sparviero

    sparviero Registered Member

    Joined:
    Apr 23, 2009
    Posts:
    88
    255.255.255.255 is limited broadcast (check all the machines on your network),

    http://support.microsoft.com/kb/140859

    - disable DHCP Client service.

    Your outbound connection to IP 198.153.192.1, a connection to Symantec Corporation?? Verify.

    http://www.myiptest.com/staticpages/index.php/whois

    wat,

    - disable Routing and Remote Access service

    http://technet.microsoft.com/en-us/library/cc957901.aspx

    If you're on a network behind a router it is not necessary to have any ICMP rule; you can disable it all.

    I wish you a beautiful day...
     
  20. wat0114

    wat0114 Guest

    Hi sparviero,

    I do have that service disabled (some others as well) for several weeks now.
     

    Attached Files:

  21. sparviero

    sparviero Registered Member

    Joined:
    Apr 23, 2009
    Posts:
    88
    OK, you explained it badly in your post above: it is not ICMP (protocol 1); you have now shown that it is IGMP (protocol 2), so do this: disable IGMP multicast.

    https://www.wilderssecurity.com/showpost.php?p=1785367&postcount=321

    It remains equally true that if you're on a network behind a router it is not necessary to have any ICMP rule; you can disable it all.

    ;)
     
  22. sbseven

    sbseven Registered Member

    Joined:
    Jan 30, 2011
    Posts:
    140
    Thanks for the reply.

    This machine is a laptop. Will it cause any issues when I'm out and about? Also, can you explain why I should disable this service? (I couldn't really understand much from the link.) I'm also on Vista, does that make a difference?

    - EDIT -
    If I disable DHCP Client service I can't connect wirelessly to my router...o_O

    I use Norton DNS, these are their DNS servers...
     
    Last edited: Feb 21, 2011
  23. wat0114

    wat0114 Guest

    Yes, badly explained is right. But you can see I have an allow rule for the IGMP inbound but it's still getting blocked, unless I'm missing the boat somehow??
     

    Attached Files:

  24. Heimdall

    Heimdall Registered Member

    Joined:
    Jul 29, 2009
    Posts:
    185
    The DHCP message is likely a DHCPACK

    Code:
    DHCP ACK

    Once a DHCP server has received the client's Request, it responds with a DHCP ACK message.

    The details of the base DHCP ACK frame are:
        Size of 342 bytes.
        Destination Hardware Address of FFFFFFFFFFFF, indicating an Ethernet broadcast.
        Type of packet is IP (0x800).

    The details of the 20 byte IP portion of the frame are:
        Source Address is that of the DHCP server.
        Destination Address of 255.255.255.255, indicating a network broadcast, as the client has not acquired an address yet.
        Protocol is UDP (User Datagram Protocol).

    The details of the eight byte UDP portion of the frame are:
        Source Port is BOOTP Server (UDP port 67).
        Destination Port is BOOTP Client (UDP port 68).

    The remainder of the frame, 300 bytes, is the DHCP Offer portion. Its details include:
        Your IP Address lists the IP address the DHCP server is offering to the client.
        In the DHCP Option Field section, Lease renewal times are listed as Renewal Time Value and Rebinding Time Value.
        The IP Address Lease Time lists the duration of the lease, which defaults to three days.
        Server Identifier lists the IP address of the DHCP server that made this offer.
        The Subnet Mask lists the proposed subnet mask parameter value.
        Any configured options that the client requested in the Request frame are listed, such as Router, NetBIOS Name Service and NetBIOS Node Type.

    Is there no Type and Code associated with this? It may be caused by attempted DNS registration, which is not applicable outside Active Directory. Try changing the settings for the "Register this connection's addresses in DNS" checkbox in the Windows Advanced TCP/IP Settings dialogue box.


    More than likely a certificate update (Cryptographic Services)

    More than likely Router Discovery

    Personally, I wouldn't try and disable ICMP on my LAN, doing so may cause important messages to go astray. Remember also, that ICMPv6 is critical to the protocol and communication. Even if we're not there yet, a great many people are using IPv6 enabled operating systems.
     
    Last edited: Feb 21, 2011
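    To make the DHCP ACK layout quoted above concrete, here is an added example (not code from the thread or from any vendor) that builds a DHCP ACK as IP + UDP + BOOTP bytes following that description and then decodes it the way a log-triage script would: confirm UDP 67 to 68 and the broadcast destination, read the message type option, and pull out the offered address, server identifier, lease and mask. The Ethernet header is left out, so the 342-byte frame from the quote appears here as 328 bytes (342 minus the 14-byte Ethernet header). All addresses, the transaction id and the client MAC are constructed; the UDP checksum is left at zero, which IPv4 permits.

```python
"""Build and decode a DHCP ACK (IP + UDP + BOOTP/DHCP) as described in the thread."""
import socket   # only for inet_aton/inet_ntoa; nothing is sent
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}

def build_dhcp_ack(server_ip, your_ip, mask, router, lease, xid=0x3903F326):
    """Return a constructed IP/UDP/DHCP ACK datagram (no Ethernet header)."""
    # BOOTP fixed part (236 bytes): op=2 (reply), htype=1, hlen=6, hops, xid,
    # secs, flags (0x8000 = broadcast), ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, xid, 0, 0x8000,
                        b"\0" * 4, socket.inet_aton(your_ip), socket.inet_aton(server_ip),
                        b"\0" * 4, bytes.fromhex("001122334455"), b"", b"")
    options = b"".join([
        bytes([53, 1, 5]),                                    # message type: ACK
        bytes([54, 4]) + socket.inet_aton(server_ip),         # server identifier
        bytes([51, 4]) + struct.pack("!I", lease),            # lease time
        bytes([58, 4]) + struct.pack("!I", lease // 2),       # renewal (T1)
        bytes([59, 4]) + struct.pack("!I", lease * 7 // 8),   # rebinding (T2)
        bytes([1, 4]) + socket.inet_aton(mask),               # subnet mask
        bytes([3, 4]) + socket.inet_aton(router),             # router
        bytes([255]),                                         # end
    ])
    # Pad the DHCP portion to the 300 bytes the quoted description gives.
    payload = (fixed + DHCP_MAGIC + options).ljust(300, b"\0")
    udp = struct.pack("!HHHH", 67, 68, 8 + len(payload), 0)  # server 67 -> client 68
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + 8 + len(payload), 0, 0, 64, 17, 0,
                     socket.inet_aton(server_ip), socket.inet_aton("255.255.255.255"))
    return ip + udp + payload

def parse_dhcp(packet: bytes) -> dict:
    """Decode an IPv4/UDP/DHCP datagram into the fields the thread discusses."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 17:
        raise ValueError("not UDP")
    src_ip, dst_ip = socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])
    sport, dport, ulen, _ = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    if {sport, dport} != {67, 68}:
        raise ValueError("not BOOTP/DHCP ports")
    body = packet[ihl + 8:ihl + ulen]
    if body[236:240] != DHCP_MAGIC:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, 240
    while i < len(body) and body[i] != 255:       # TLV options until END
        if body[i] == 0:                           # PAD
            i += 1
            continue
        code, length = body[i], body[i + 1]
        opts[code] = body[i + 2:i + 2 + length]
        i += 2 + length
    ip4 = lambda code: socket.inet_ntoa(opts[code]) if code in opts else None
    return {
        "src_ip": src_ip, "dst_ip": dst_ip, "src_port": sport, "dst_port": dport,
        "broadcast": dst_ip == "255.255.255.255",
        "op": "BOOTREPLY" if body[0] == 2 else "BOOTREQUEST",
        "message_type": MSG_TYPES.get(opts[53][0]) if 53 in opts else None,
        "your_ip": socket.inet_ntoa(body[16:20]),
        "server_id": ip4(54), "subnet_mask": ip4(1), "router": ip4(3),
        "lease_seconds": struct.unpack("!I", opts[51])[0] if 51 in opts else None,
        "renewal_seconds": struct.unpack("!I", opts[58])[0] if 58 in opts else None,
    }

def demo():
    # Constructed values: router at .254 acting as DHCP server, three-day lease.
    pkt = build_dhcp_ack("192.168.1.254", "192.168.1.10", "255.255.255.0", "192.168.1.254", 259200)
    return parse_dhcp(pkt), len(pkt)

if __name__ == "__main__":
    info, size = demo()
    print(size, "bytes on the wire without the Ethernet header")
    for key, value in info.items():
        print(f"{key:16} {value}")
```

    The decoder deliberately refuses anything that is not UDP between ports 67 and 68 or that lacks the magic cookie, so a log line can be classified as DHCP traffic only when the datagram really has that shape; the server-to-client direction is visible from the ports alone (67 to 68), which is the orientation a DHCP-In rule has to allow.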
  25. sparviero

    sparviero Registered Member

    Joined:
    Apr 23, 2009
    Posts:
    88
    Hi wat,

    Perhaps by public and private domain profiles, indeed there are few arguments for understanding.
    Windows will conclude that it is on a private or public network (e.g. VMware is installed and has multiple network adapters not connected to the domain network).
    The exceptions will duplicate the rule settings for the domain profile but apply to public and private network profiles, for the sake of sensible security.
    As IGMP multicast can be optional, it's up to you to decide.

    http://www.networksorcery.com/enp/protocol/igmp.htm

    all good, I hope
     