Vista Firewall Issue

  • Thread starter: Antius (Guest)
Happy new year everyone, I'm using the 64-bit version of Vista Ultimate,
I have an ethernet connection to a cable modem & no home network, IPv6
is disabled.

When I set the firewall to block all outbound connections but allow a
few exceptions, the programs exempted from this rule can't access the
internet any longer, for example Internet Explorer, Windows Mail etc.,
irrespective of what profile they're under, e.g. public, private or
domain.

The problem persists even if I change the network location type from
public to private in the Network & Sharing
Center. Is there a way to resolve this without having to set 'Outbound
connections that do not match a rule are allowed' in Windows
Firewall with Advanced Security?


--
Antius
 
RE: Vista Firewall Issue

Don't set a "block all" outbound rule. It is virtually impossible to do that
on a general purpose system, and it provides virtually no security. You would
need to permit all ports between 1024 and 5000 for your apps to function.

What *specific* threat are you trying to mitigate?
---
Your question may already be answered in Windows Vista Security:
http://www.amazon.com/gp/product/0470101555?ie=UTF8&tag=protectyourwi-20


 
Re: Vista Firewall Issue


Thanks for your prompt response Jesper, I want to block programs that
I'm unaware of from making outbound connections since the Vista firewall
doesn't seem to warn me of these events in real time.


--
Antius
 
Re: Vista Firewall Issue

Then what you might want is a 3rd-party firewall that does alert you when a
program makes an attempt.

I was using AVG Suite and found it useful, but switched to another product.

Also, you can set up rules to monitor, log and block services from your
router.

 
Re: Vista Firewall Issue

You are really setting yourself up for a world of hurt. First, you cannot
block a program from making outbound connections. Any program that wishes to
do so can without your noticing. There is no way, including with third-party
firewalls, to effectively block one program from making outbound connections
as another program running in the same user context. Third-party firewalls
can be set up to notify you when programs that choose not to be stealthy try
to connect outbound, but they cannot stop malicious programs that do so.

Second, when you use that functionality in third-party products you will be
notified incessantly because the programs can use any port they want to
communicate out. The usual response is to disable the notifications for
particular applications, which completely obviates any value in the feature.
Since it provides no security value the Vista firewall does not include the
notification functionality.

In other words, attempting to block outbound unapproved traffic provides no
additional security whatsoever, but is often used as a selling point by
vendors who either do not understand security, or are trying to make money by
misleading customers. If you want that type of functionality, you need a
third-party firewall from one of those vendors. My advice would be to focus
on things that actually will improve your security instead.

Having now tried to dissuade you from the entire project, the Vista firewall
can be used to create a "block all" rule and permit only certain programs.
More than likely you have a rule that does not permit the program to
communicate on all ports to all ports, for all users. If you configure the
firewall log to log dropped packets you will get log events like this one:
2008-01-02 15:40:00 DROP TCP 1.2.3.4 65.99.255.140 52969 80 0 - 0 0 0 - - - SEND

That will at least tell you what the firewall saw even though it does not
tell you which application made the connection. Notice the source port:
52969. Client apps can use any port they want for the source port, and you
need to permit all 64,000 of them. Might that be what is blocking your
traffic?

There is more information about troubleshooting the Windows Firewall here:
http://technet2.microsoft.com/Windo...ade8-4dbe-ac05-6ef10a6dd7a51033.mspx?mfr=true. It may be useful to you.
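The log line quoted in the post above is in the W3C extended format that Windows Firewall writes to pfirewall.log. As an added example (the editor's, not code from the thread or from Microsoft), here is a PowerShell script that reads such a log and lists only the dropped outbound connections, grouped by protocol and destination port, which is the quickest way to see what a too-tight program rule is actually stopping. The log text embedded below is constructed sample data; the real file is wherever the firewall's logging settings point, by default %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log, and PowerShell 2.0 or later is assumed.

```powershell
# Added example (editor's, not from the thread). Parses a Windows Firewall
# pfirewall.log (W3C extended log format) and lists the dropped outbound
# connections, so you can see which remote port or protocol a tight rule is
# blocking. The log text below is constructed sample data, not a real capture.
$SampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2008-01-02 15:40:00 DROP TCP 1.2.3.4 65.99.255.140 52969 80 0 - 0 0 0 - - - SEND
2008-01-02 15:40:01 DROP TCP 1.2.3.4 65.99.255.140 52970 443 0 - 0 0 0 - - - SEND
2008-01-02 15:40:02 DROP UDP 1.2.3.4 1.2.3.1 61234 53 0 - - - - - - - SEND
2008-01-02 15:40:03 DROP TCP 10.9.8.7 1.2.3.4 4444 135 0 - 0 0 0 - - - RECEIVE
'@

# Ports are '-' for ICMP entries; keep those as $null rather than failing the cast.
$toInt = { param($s) if ($s -match '^\d+$') { [int]$s } else { $null } }

function Get-DroppedOutbound {
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        # The "#Fields:" header gives the column order; read it instead of
        # hard-coding positions, because the layout has changed between releases.
        if ($line -like '#Fields:*') {
            $fields = $line.Substring(8).Trim() -split '\s+'
            continue
        }
        if ($line -like '#*' -or $line.Trim() -eq '') { continue }   # other headers, blanks
        $cols = $line.Trim() -split '\s+'
        if ($null -eq $fields -or $cols.Count -ne $fields.Count) { continue }
        $rec = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $rec[$fields[$i]] = $cols[$i] }
        # Only outbound drops matter here: path is SEND for traffic this host
        # originated and RECEIVE for inbound.
        if ($rec['action'] -eq 'DROP' -and $rec['path'] -eq 'SEND') {
            New-Object PSObject -Property @{
                Time     = $rec['date'] + ' ' + $rec['time']
                Protocol = $rec['protocol']
                Remote   = $rec['dst-ip']
                DstPort  = & $toInt $rec['dst-port']
                SrcPort  = & $toInt $rec['src-port']
            }
        }
    }
}

# Real location on Vista (reading it needs an elevated prompt):
#   $lines = Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
$lines = $SampleLog -split "`r?`n"
$drops = @(Get-DroppedOutbound $lines)

# Which remote services is the firewall dropping? Group by protocol and port.
$drops | Group-Object Protocol, DstPort | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Source ports are ephemeral (52969-61234 in the sample); a rule that pins
# "local port" to anything narrower than Any drops these.
$drops | Measure-Object -Property SrcPort -Minimum -Maximum |
    Select-Object Minimum, Maximum
```

As the post says, the log carries no process name, so the output tells you what was dropped, not who sent it. The constructed sample includes a dropped UDP 53 query to the resolver: that is the entry you will see when the process being blocked is the DNS Client service rather than the browser, which is worth checking before tightening a program rule further.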
 
Re: Vista Firewall Issue

On Wed, 2 Jan 2008 16:27:32 -0600, "Hatter"
<hatter@msnews.microsoft.com> wrote:

>Then what you might want is 3rd party firewall that does alert you when a
>program makes an attempt.


Host based outbound control is an illusion.
 
Re: Vista Firewall Issue

In message <fbuon3lj2fif4aero3rr6ip355ce5sh2ub@4ax.com> Straight Talk
<b__nice@hotmail.com> wrote:

>On Wed, 2 Jan 2008 16:27:32 -0600, "Hatter"
><hatter@msnews.microsoft.com> wrote:
>
>>Then what you might want is 3rd party firewall that does alert you when a
>>program makes an attempt.

>
>Host based outbound control is an illusion.


Not necessarily. If you're a limited user, and don't elevate or
otherwise give admin access, you can trust host-based solutions.

Otherwise, they're just snakeoil.
 
Re: Vista Firewall Issue


Hello again Jesper, you mentioned that 'the Vista firewall
can be used to create a "block all" rule and permit only certain
programs'. Can you give some examples of how to configure that setup?
None of my specific outbound rules has been overridden by a block rule;
all apps are allowed to communicate from any local address or source
port to any remote address or port for any user, but I have restricted
the protocol to TCP.


--
Antius
 
Re: Vista Firewall Issue



As others have pointed out, the value is questionable and the pain and aggro are high.

If you must, then:

www.sphinx-soft.com Vista Firewall Control will do what you want far more
easily than trying to configure it yourself.

Nick /////
 
Re: Vista Firewall Issue

All you do is set the firewall to block all outbound traffic. Then you create
an outbound program rule. In my case I permitted Internet Explorer
(%programfiles%\Internet Explorer\iexplore.exe) to communicate out over all
protocols and all ports. After that IE could browse the web but Firefox could
not. I just tested it and went through the wizard clicking Yes on most
everything.

Start with that very open rule. Then start putting in more restrictions
until you see what breaks.

I still question the need for this exercise, BTW.
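The same recipe in netsh form rather than the GUI wizard, as an added example (the editor's, not a script from the thread or from Microsoft). Rule names are assumptions, and it is written for an elevated PowerShell 2.0 prompt; the netsh lines run unchanged from cmd.exe once the PowerShell variables are replaced with literal paths. One point the thread raises without settling: with outbound traffic blocked by default, a program rule for iexplore.exe on its own is not enough, because name resolution is performed by the DNS Client service inside svchost.exe, so its UDP 53 queries need either their own allow rule or the built-in Core Networking outbound rules.

```powershell
# Added example (editor's, not code from the thread). Run from an elevated
# prompt; netsh advfirewall is the command-line front end to Windows Firewall
# with Advanced Security on Vista. Rule names are assumptions.

# 1. Default action: drop inbound and outbound traffic that matches no rule,
#    on all three profiles. This is the GUI's "Outbound connections that do
#    not match a rule are blocked", applied to Domain, Private and Public.
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

# 2. The very open program rule described above: any protocol, any port,
#    any remote address, any user, every profile.
$ie = Join-Path $env:ProgramFiles 'Internet Explorer\iexplore.exe'
netsh advfirewall firewall add rule name=AllowIEOut dir=out action=allow program="$ie" enable=yes profile=any

# 3. Name resolution is done by the DNS Client service (svchost.exe), not by
#    the browser, so an IE-only rule leaves DNS queries to be dropped.
#    Either enable the built-in Core Networking rules (they include the
#    DNS (UDP-Out) and DHCP-Out rules):
netsh advfirewall firewall set rule group="Core Networking" new enable=yes
#    or write the narrow rule yourself (service= restricts it to that service
#    inside the shared svchost.exe host process):
# netsh advfirewall firewall add rule name=AllowDnsClientOut dir=out action=allow protocol=udp remoteport=53 program="$env:SystemRoot\system32\svchost.exe" service=dnscache enable=yes

# 4. Log drops so that tightening the rule shows exactly what breaks.
netsh advfirewall set allprofiles logging droppedconnections enable
netsh advfirewall set allprofiles logging filename "$env:SystemRoot\system32\LogFiles\Firewall\pfirewall.log"

# 5. Verify: Protocol, LocalPort and RemotePort should all read "Any".
netsh advfirewall firewall show rule name=AllowIEOut verbose

# To go back to the default the original poster wants to avoid:
# netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
```

Start from the open program rule, confirm the browser works, then narrow one thing at a time (protocol, remote port) and re-read the dropped-connection log after each change; the caveat from earlier in the thread still holds, since the rule keys on the executable path and says nothing about what else runs in that user's session.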
 
Re: Vista Firewall Issue

On Thu, 03 Jan 2008 00:32:03 -0700, DevilsPGD
<spam_narf_spam@crazyhat.net> wrote:

>In message <fbuon3lj2fif4aero3rr6ip355ce5sh2ub@4ax.com> Straight Talk
><b__nice@hotmail.com> wrote:
>>
>>Host based outbound control is an illusion.

>
>Not necessarily. If you're a limited user, and don't elevate or
>otherwise give admin access, you can trust host-based solutions.


LUA surely helps contain malware. LUA does not ensure trust in
outbound control. Various IPC methods still apply.

>Otherwise, they're just snakeoil.


They are.
 
Re: Vista Firewall Issue

I had a printer driver that when installed, would try to make an outbound
connection - and fail.

So I disabled the ports and services it was using. The driver is now installed
and working.

I don't want OpenOffice communicating or grabbing images or content off the
'net.

I see that I would be fighting a swarm of bees to counter the group-think
going on here, just realize that not everyone buys snake oil but still wants
to monitor or block applications from initiating their own outbound
connection. Calling home, checking for updates, or reporting on user
activity.


"Straight Talk" <b__nice@hotmail.com> wrote in message
news:fbuon3lj2fif4aero3rr6ip355ce5sh2ub@4ax.com...
> On Wed, 2 Jan 2008 16:27:32 -0600, "Hatter"
> <hatter@msnews.microsoft.com> wrote:
>
>>Then what you might want is 3rd party firewall that does alert you when a
>>program makes an attempt.

>
> Host based outbound control is an illusion.
 
Re: Vista Firewall Issue


Hi Jesper, I'm still having the same problem: blocking all outbound
traffic & creating an outbound rule to communicate through the firewall
no longer works. Before I abandon this line of enquiry, do any of the
pre-existing rules, especially those belonging to the Core Networking
group, have to be enabled to allow apps like Internet Explorer, Windows
Mail etc. to communicate successfully through the firewall?


--
Antius
 
Re: Vista Firewall Issue

In message <ADB32C77-40B0-4EB7-B480-69CF91D16FC9@microsoft.com> "Hatter"
<hatter@msnews.microsoft.com> wrote:

>I see that I would be fighting a swarm of bees to counter the group-think
>going on here, just realize that not everyone buys snake oil but still wants
>to monitor or block applications from initiating their own outbound
>connection. Calling home, checking for updates, or reporting on user
>activity.


The problem is, host-based software can be overcome by other host-based
software. Any application that doesn't want its activities monitored
by a specific host-based packet filter can either reconfigure it or
bypass it.
 