Windows Firewall with Advanced Security (Guide for Vista)

Discussion in 'other firewalls' started by Stem, Apr 19, 2009.

Thread Status:
Not open for further replies.
  1. Einsturzende

    Einsturzende Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    390
    Location:
    neubauten
    A great feature of Win FW (already mentioned by Stem at the end of the first post) is the strict binding of svchost to every particular service it hosts on the machine. I have never seen a rule created that way on any third-party FW; it is, however, possible to do this with a 3rd-party home FW with extensive HIPS support, or to some extent by monitoring the command line of a particular svchost branch... but neither way is good enough.

    In other words, with Win FW you can create a rule for every service which is "proxied" by svchost, separately... that is great granularity and control possibility for a home user. I wonder why there is no similar option in "other" FWs... btw I really don't like svchost o_O
     
    Last edited: Oct 19, 2009
  2. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    2,068
    Location:
    Serbia
    Yes, by default, utorrent will be granted all inbound by WF. No need for this really.

    This will simply make use of UPnP in routers to dynamically forward an inbound port. Not needed if you setup server connection manually.

    uTorrent allows you to fix any port.

    Regarding LPD, you may wish to disable it here (it is enabled by default) -

    [screenshot: utor201009.jpg]

    - so the UDPs don't get blocked on port 6771.

    Cheers,
     
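Seer's advice above, scripted: an added example (mine, not from the thread or from uTorrent) that finds the blanket inbound allow the installer creates and replaces it with rules pinned to the one listening port. The install path, the port number and the rule names are assumptions; adjust them to your setup. It uses the `HNetCfg.FwPolicy2` COM object to list rules and `netsh advfirewall` to add them, both present on Vista and Windows 7.

```powershell
# Added example, not from the thread. Assumptions: uTorrent in its default
# per-user location, and a fixed listening port (51413 here) set in the app.
$utorrent = "$env:APPDATA\uTorrent\uTorrent.exe"
$port     = 51413

# 1. List every existing rule that names uTorrent.exe, installer rule included.
$fw = New-Object -ComObject HNetCfg.FwPolicy2
$fw.Rules |
    Where-Object { $_.ApplicationName -like '*\uTorrent.exe' } |
    Select-Object Name, Direction, Protocol, LocalPorts, RemoteAddresses, Enabled |
    Format-Table -AutoSize
# Direction 1 = inbound, 2 = outbound; Protocol 6 = TCP, 17 = UDP, 256 = any.
# An inbound rule with LocalPorts '*' is the "all inbound" grant Seer refers to.

# 2. Remove the broad rule by the name printed above (uncomment, fill in the name).
# $fw.Rules.Remove('uTorrent')

# 3. Add inbound rules that admit only the chosen listening port (one per protocol,
#    because a netsh rule carries a single protocol).
netsh advfirewall firewall add rule name=uTorrent-Listen-TCP-In dir=in action=allow "program=$utorrent" protocol=tcp localport=$port
netsh advfirewall firewall add rule name=uTorrent-Listen-UDP-In dir=in action=allow "program=$utorrent" protocol=udp localport=$port

# 4. Read back what the firewall actually stored.
netsh advfirewall firewall show rule name=uTorrent-Listen-TCP-In
netsh advfirewall firewall show rule name=uTorrent-Listen-UDP-In
```

With the port fixed in the client and forwarded manually on the router, UPnP can stay off on both sides. Local Peer Discovery (the UDP 6771 traffic Seer mentions) is a separate feature switched off in the client, not something these rules need to cover.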
  3. wat0114

    wat0114 Guest

    Speaking of which, I don't know why, but even though I have UPnP disabled in the router, I still get tons of these entries showing in the Vista fw logs, and they are clearly originating from the router (D-Link DIR 655).

    Code:
    2009-10-20 08:59:55 DROP UDP 192.168.0.1 239.255.255.250 1900 1900 380 - - - - - - - RECEIVE
    2009-10-20 08:59:56 DROP UDP 192.168.0.1 239.255.255.250 1900 1900 315 - - - - - - - RECEIVE
    2009-10-20 08:59:56 DROP UDP 192.168.0.1 239.255.255.250 1900 1900 306 - - - - - - - RECEIVE
    2009-10-20 08:59:56 DROP UDP 192.168.0.1 239.255.255.250 1900 1900 370 - - - - - - - RECEIVE
    2009-10-20 08:59:56 DROP UDP 192.168.0.1 239.255.255.250 1900 1900 380 - - - - - - - RECEIVE
    Do you know what could cause this? Anyways, thanks again for your help, especially with regards to the uTorrent setup :)
     
  4. Roberteyewhy

    Roberteyewhy Registered Member

    Joined:
    Mar 4, 2007
    Posts:
    611
    Location:
    US
    Unless I missed it, there is no FTP control. For Firefox and IE my rules must be disabled first, then connect to FTP. When done, enable them again.

    Not too hard for apps; it's Windows services that are cumbersome. Just tried to update the time service and no go. One would think that w32time.exe was the app needed but again NOT. It is svchost again.

    If the log would show what service, app, exe, etc. was trying to connect out it would be much easier to configure a rule.

    Nice post!
     
  5. wat0114

    wat0114 Guest

    Hi Robert,

    the rule I created works here. You need to specify svchost.exe for the program, and then choose the Settings button to specify the W32Time service. I used port 123 for both local and remote ports, UDP protocol. I did not specify a remote IP address, however.

    Member Kees earlier in this thread mentioned a great idea to temporarily use the free version of Vista/Win 7 firewall control to aid in setting up program rules. It helped me.
     


    Last edited by a moderator: Oct 20, 2009
  6. Roberteyewhy

    Roberteyewhy Registered Member

    Joined:
    Mar 4, 2007
    Posts:
    611
    Location:
    US
    Thanks for the help wat0114. I already have and tested the rule.

    Program: svchost.exe
    UDP Port: 123
    Scope>These IP Addresses: 192.43.244.18 (time.nist.gov)

    I might install the last version of Tiny Software on an XP machine and look at the outbound rules from a backup I have. Then duplicate them in Win7. Been a while since I had to create so many specific (Protocols, Ports and IPs) outbound rules. But I know with the rule sets in Tiny, that's all I needed.

    Robert
     
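The W32Time rule described by wat0114 and Roberteyewhy, written out as an added example (mine, not from the thread) in `netsh advfirewall` form so the service binding from the first post is visible and reviewable. The rule name is an assumption; the NTP address is the one Robert gives. It also shows how to answer Robert's complaint that the log only says "svchost": `tasklist /svc` maps each svchost PID to the services it hosts.

```powershell
# Added example, not from the thread. Assumed: one NTP server (Robert's choice
# of time.nist.gov) and the rule name W32Time-NTP-Out.
$svchost = "$env:SystemRoot\System32\svchost.exe"
$ntp     = '192.43.244.18'   # time.nist.gov as given in the thread; use your own source

# Which svchost instance is hosting the Windows Time service right now?
# pfirewall.log only records svchost.exe, so map PID -> services before reading it.
tasklist /svc /fi "imagename eq svchost.exe" | Select-String -Pattern 'W32Time'

# Outbound NTP allowed for svchost.exe *only when* the W32Time service is the
# caller; other services in the same process stay blocked.
netsh advfirewall firewall add rule name=W32Time-NTP-Out dir=out action=allow "program=$svchost" service=w32time protocol=udp localport=123 remoteport=123 remoteip=$ntp profile=any

# Confirm the binding was stored: the verbose listing carries a Service: line.
netsh advfirewall firewall show rule name=W32Time-NTP-Out verbose

# Exercise the rule: force a sync, then read the last successful sync time.
w32tm /resync
w32tm /query /status
```

One caveat before pinning `remoteip` the way Robert does: `w32tm /query /source` shows the configured time source, and if it is a DNS name that resolves to several addresses (a pool), a single-address scope will intermittently block the sync. wat0114's variant without a remote address avoids that at the cost of a wider rule.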
  7. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi Robert,

    I dont currently have vista installed, but there is stateful ftp

    Ref:- http://technet.microsoft.com/en-us/library/cc771920(WS.10).aspx


    [In Vista there is a reg key (I need to check) under //firewallpolicy that is enabled/disabled.]


    - Stem
     
  8. Roberteyewhy

    Roberteyewhy Registered Member

    Joined:
    Mar 4, 2007
    Posts:
    611
    Location:
    US
    Stem, I'm on Win7 Pro x64 RTM. I will have to check another machine with Vista Ultimate x86 to see the difference.

    Will get back later.

    Robert

    P.S. Here we go again guys!
     
  9. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK

    Hi Robert,

    The above netsh command is also for win7


    - Stem
     
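The stateful FTP setting Stem refers to (posts 7 and 9), as an added example that is not part of the thread: the `netsh advfirewall` global switch is the same on Vista and Windows 7. The browser path and rule name are assumptions.

```powershell
# Added example, not from the thread. Assumes Firefox in its default location
# and the rule name Firefox-FTP-Control-Out.

# Inspect the current global settings; the StatefulFtp line is the one of interest.
netsh advfirewall show global

# Turn stateful FTP inspection on and read the setting back.
netsh advfirewall set global statefulftp enable
netsh advfirewall show global

# With stateful FTP on, only the control channel (TCP 21) needs an outbound rule:
# the firewall tracks PORT/PASV on it and admits the matching data connection,
# so the browser rule no longer has to be disabled for FTP sessions.
$firefox = "$env:ProgramFiles\Mozilla Firefox\firefox.exe"
netsh advfirewall firewall add rule name=Firefox-FTP-Control-Out dir=out action=allow "program=$firefox" protocol=tcp remoteport=21
netsh advfirewall firewall show rule name=Firefox-FTP-Control-Out
```

Robert's workaround (disable the browser rule, connect, re-enable) is what one ends up doing when only the control channel is allowed and stateful FTP is off: the data connection then arrives on an unrelated port and matches nothing.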
  10. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    2,068
    Location:
    Serbia
    These are SSDP multicast discovery packets. There must be an option in the router to disable multicast traffic. Like this one -

    [screenshot: dlink221009.png]

    Cheers,
     
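An added example (mine, not from the thread) that reads the Windows Firewall log and labels dropped packets by destination class, so that SSDP/UPnP chatter like the entries wat0114 posted can be told apart from genuine probes. The sample log is constructed from the five lines in post 3 plus the W3C header the log carries; swap in `Get-Content` on the real file to run it against a live log. The class names and the helper function names are mine.

```powershell
# Added example, not from the thread. Dropped-packet logging must be enabled:
#   netsh advfirewall set allprofiles logging droppedconnections enable
# Default log path: $env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log

# Constructed sample: header as written by the firewall, entries from post 3.
$sampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2009-10-20 08:59:55 DROP UDP 192.168.0.1 239.255.255.250 1900 1900 380 - - - - - - - RECEIVE
2009-10-20 08:59:56 DROP UDP 192.168.0.1 239.255.255.250 1900 1900 315 - - - - - - - RECEIVE
2009-10-20 08:59:56 DROP UDP 192.168.0.1 239.255.255.250 1900 1900 306 - - - - - - - RECEIVE
2009-10-20 08:59:56 DROP UDP 192.168.0.1 239.255.255.250 1900 1900 370 - - - - - - - RECEIVE
2009-10-20 08:59:56 DROP UDP 192.168.0.1 239.255.255.250 1900 1900 380 - - - - - - - RECEIVE
'@ -split "`r?`n"

function ConvertFrom-FirewallLogLine {
    param([string]$Line)
    if ($Line -match '^\s*(#|$)') { return }      # header, comment or blank line
    $f = $Line -split '\s+'
    if ($f.Count -lt 17) { return }                # truncated line; skip it
    New-Object PSObject -Property @{
        Time     = [datetime]::ParseExact("$($f[0]) $($f[1])", 'yyyy-MM-dd HH:mm:ss',
                                          [Globalization.CultureInfo]::InvariantCulture)
        Action   = $f[2]
        Protocol = $f[3]
        SrcIP    = $f[4]
        DstIP    = $f[5]
        SrcPort  = $f[6]
        DstPort  = $f[7]
        Size     = [int]$f[8]
        Path     = $f[16]                          # RECEIVE or SEND
    }
}

function Get-DropClass {
    param($Entry)
    if ($Entry.DstIP -eq '239.255.255.250' -and $Entry.DstPort -eq '1900') { return 'SSDP multicast (UPnP discovery)' }
    if ($Entry.DstIP -eq '224.0.0.252'     -and $Entry.DstPort -eq '5355') { return 'LLMNR multicast' }
    if ($Entry.DstIP -match '^(22[4-9]|23[0-9])\.')                          { return 'Other multicast' }
    if ($Entry.DstIP -eq '255.255.255.255' -or $Entry.DstIP -match '\.255$') { return 'Broadcast' }
    return 'Unicast'
}

$entries = $sampleLog | ForEach-Object { ConvertFrom-FirewallLogLine $_ }
# Live log instead of the sample:
# $entries = Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log" |
#            ForEach-Object { ConvertFrom-FirewallLogLine $_ }

# Inbound drops, grouped by class, sender and destination port, busiest first.
$entries |
    Where-Object { $_.Action -eq 'DROP' -and $_.Path -eq 'RECEIVE' } |
    Group-Object -Property { Get-DropClass $_ }, SrcIP, DstPort |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

On the sample, the five drops collapse into a single SSDP group from 192.168.0.1: the router announcing itself to the 239.255.255.250:1900 multicast group, which is what Seer identifies above. Nothing on the PC has asked to receive that group, so the packets match no allow rule and are dropped; disabling UPnP on the router stops the PC from using UPnP but does not by itself stop the router's own SSDP announcements. Unicast drops to specific ports are the entries worth reading in this output.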
  11. wat0114

    wat0114 Guest

    Hi Seer, that option is disabled in my router, has been for a few days, but I'm still seeing those packets.
     
  12. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    2,068
    Location:
    Serbia
    I remember that I've seen this same issue some time ago. While I can't remember the exact model (it was a Linksys) and the term was different ("muliticast passthrough" I think), this option worked and actually stopped the multicasts. I am clueless as to what is happening with your D-Link.
     
  13. wat0114

    wat0114 Guest

    That makes two of us :p I've tried everything conceivably possible, but it just doesn't stop the packets. Maybe it's a bug with the firmware, although I'm running the latest version. Still, it's not a big deal and far from a showstopper, so I'll just accept them. Too many more important things to worry about ;)

    Thanks again for your help!
     
  14. Gonzakpo

    Gonzakpo Registered Member

    Joined:
    Nov 2, 2009
    Posts:
    5
    Does anyone know what outbound rules are needed for homegroups? When I disable outbound protection they start working again, so there must be a missing outbound rule. Why on earth didn't Microsoft make this easier to configure?

    I created two rules that appear under the category of "Home Group" but it's still not working.

    Could someone give me a hint?

    Thanks for the great guide!
     
  15. Roberteyewhy

    Roberteyewhy Registered Member

    Joined:
    Mar 4, 2007
    Posts:
    611
    Location:
    US
    Create this rule:

    1) Create an Outgoing rule for svchost.
    2) Set Profile to Private.
    3) Ports and Protocols to TCP Port 5357.
    4) Scope to Remote IP Local Subnet.

    Horrible logging! Why? You do not know what program is sending/receiving the requests.

    Robert
     
    Last edited: Nov 3, 2009
  16. Roberteyewhy

    Roberteyewhy Registered Member

    Joined:
    Mar 4, 2007
    Posts:
    611
    Location:
    US
    Then create this rule:

    1) Create Outgoing rule for svchost.
    2) Set Profile to Private.
    3) Protocol and Ports to UDP Any.
    4) Local IP to fe80::791f:4357:10a:xxxx (check your log for the correct IP).
    5) Remote IP to fe80::11a3:645a:66c:xxxx (check your log for all your PC's in your Network and add the different IP's).

    If you are using more than 1 Router in your Network then you have to input the correct IPs for both Local and Remote too. I have 3 Wireless Routers and 1 Switch, making it harder to configure.

    I had to add my Local IP and the IP of the Remote PC (along with the fe80s) which is using another Router but still connected to my Network and using the same IP range and Subnet Mask.

    Why I cannot get the HomeGroup to refresh I do not know. Logging off does not do it either. I must restart the PC.

    So, one needs to create BOTH of these rules to be able to have all PCs in the HomeGroup recognize each other.:)

    If anyone can figure out which specific UDP port(s) to input then post.

    Robert
     
    Last edited: Nov 3, 2009
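Roberteyewhy's two HomeGroup rules (posts 15 and 16) as `netsh advfirewall` commands, added here as an example that is not part of the thread, followed by a check that answers his open question about the UDP ports: the predefined HomeGroup rule group that ships with Windows 7 lists the ports Microsoft itself uses. Assumptions: the rule names; TCP 5357 is taken as the remote port (WSDAPI on the peer listens there); and the link-local addresses are the placeholders from Robert's post, which must be replaced with the ones from your own log (`ipconfig` shows the local one).

```powershell
# Added example, not from the thread. Replace the xxxx placeholders (copied
# from Robert's post) with your own link-local addresses before running.
$svchost         = "$env:SystemRoot\System32\svchost.exe"
$localLinkLocal  = 'fe80::791f:4357:10a:xxxx'     # this PC's link-local address
$remoteLinkLocal = 'fe80::11a3:645a:66c:xxxx'     # peers; comma-separate several

# Rule 1: WSD / Function Discovery HTTP to peers on the local subnet (private profile).
netsh advfirewall firewall add rule name=HomeGroup-WSD-TCP-Out dir=out action=allow "program=$svchost" protocol=tcp remoteport=5357 remoteip=localsubnet profile=private

# Rule 2: UDP, any port, pinned to IPv6 link-local addresses on both ends.
netsh advfirewall firewall add rule name=HomeGroup-LinkLocal-UDP-Out dir=out action=allow "program=$svchost" protocol=udp localip=$localLinkLocal remoteip=$remoteLinkLocal profile=private

# Which ports do Microsoft's own predefined HomeGroup rules use? netsh prints
# one block per rule; split the listing on blank lines and keep blocks whose
# Grouping line mentions HomeGroup, then print the fields that matter.
$blocks = ((netsh advfirewall firewall show rule name=all verbose) -join "`n") -split "`n\s*`n"
$blocks |
    Where-Object { $_ -match 'Grouping:\s+.*HomeGroup' } |
    ForEach-Object {
        ($_ -split "`n" |
            Where-Object { $_ -match '^(Rule Name|Direction|Protocol|LocalPort|RemotePort|RemoteIP|Service):' }) -join ' | '
    }
```

Two things the listing makes visible: which service inside svchost each predefined rule is bound to (the Service: field), so rule 2 can be narrowed the way the W32Time rule earlier in the thread is, and the port numbers themselves. UDP 3702 is WS-Discovery and UDP 3540 is PNRP; if those are what the group shows, they are the candidates for replacing "UDP Any" in rule 2. Enabling the predefined group instead of hand-written rules is the other route, and the listing tells you what that would allow.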
  17. Gonzakpo

    Gonzakpo Registered Member

    Joined:
    Nov 2, 2009
    Posts:
    5
    Well, thanks for the information. Anyway, I was hoping to find an easier solution. Create an outbound rule for a specific service or exe and that's it. The problem with this is that NOBODY uses Windows Firewall. I really don't know why.

    I will try to connect to the homegroup using "Windows 7 Firewall Control" and see if it tells me what exe is trying to detect the homegroup....

    If I found anything I'll post it back.
     
  18. Roberteyewhy

    Roberteyewhy Registered Member

    Joined:
    Mar 4, 2007
    Posts:
    611
    Location:
    US
    OK. Sorry if I made it seem difficult.

    Robert
     
    Last edited: Nov 3, 2009
  19. Gonzakpo

    Gonzakpo Registered Member

    Joined:
    Nov 2, 2009
    Posts:
    5
    You don't have to apologise at all! I really appreciate the information you gave me. Especially because I know how difficult it is to find out this kind of thing when it is poorly documented.

    I tried with Windows 7 Firewall Control but homegroups didn't work either. It didn't even warn me what process was trying to go outbound...

    We should try with some kind of "network" analyzer in order to figure this out.
     
  20. Roberteyewhy

    Roberteyewhy Registered Member

    Joined:
    Mar 4, 2007
    Posts:
    611
    Location:
    US
    As you know, it's Windows Monitoring or the Log Viewer that makes it difficult. But the 2 rules I posted work for all (4) desktops/laptops in my HomeGroup. Took me an hour to dissect the log and create, delete, create, create, delete, delete, etc. rules to get it to work.

    Not that hard now if my rules work for everyone...the "Devil is in the details".

    I can help you now if you want to create the 2 rules and run into problems.:)

    Robert
     
  21. Gonzakpo

    Gonzakpo Registered Member

    Joined:
    Nov 2, 2009
    Posts:
    5
  22. _kronos_

    _kronos_ Registered Member

    Joined:
    Dec 8, 2008
    Posts:
    126
    Hi guys!
    I'm sorry, I have not read all the thread yet...

    BTW my question is: how does WFW process the rules? Top-down or bottom-up?

    Thanks in advance
     
  23. wat0114

    wat0114 Guest

    There's no actual top-down or bottom-up order of rules processing. Basically, in a nutshell, block rules take precedence over allow rules, whether they be inbound or outbound rules. There's some info here

     
  24. _kronos_

    _kronos_ Registered Member

    Joined:
    Dec 8, 2008
    Posts:
    126
    Thanks wat0114 , your answer was very clear!:)

    Regards
     
  25. Alec

    Alec Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    480
    Location:
    Dallas, TX
    Even though that was from TechNet Magazine, I actually found that description to be much more confusing than simply saying that there is an ordering (as there must be in any such rule evaluation scenario), and providing it as is done in Microsoft's own Introduction to Windows Firewall with Advanced Security:

     