Question about Microsoft Windows 7 Firewall Settings

September 22, 2014 at 06:28:31
Specs: Win 7
Windows Firewall has a setting to:

> Block all incoming connections, including those in the list of
> allowed programs

This web page says:

http://windows.microsoft.com/en-us/...

> This setting blocks all unsolicited attempts to connect to your
> computer. Use this setting when you need maximum protection
> for your computer, such as when you connect to a public network
> in a hotel or airport, or when a computer worm is spreading over
> the Internet. With this setting, you aren't notified when Windows
> Firewall blocks programs, and programs in the list of allowed
> programs are ignored.
>
> When you block all incoming connections, you can still view most
> webpages, send and receive e-mail, and send and receive instant
> messages.

How is it possible to do those things if all incoming connections
are blocked, including those in the list of allowed programs?

-- Jeff, in Minneapolis

#1
September 22, 2014 at 08:47:25
The setting doesn't prevent programs on your PC from opening and using ports. The setting blocks all connections to listening ports. To see what's being blocked, open a Command Prompt and type:
netstat -a
Anything with a status of LISTENING or a remote address of *:* is what that setting blocks.

How To Ask Questions The Smart Way

#2
September 22, 2014 at 08:59:03
Read the first sentence again.

This setting blocks all unsolicited attempts to connect to your computer.

When you are browsing the web, sending email, using IMs, etc., you are soliciting replies from the remote computer. The firewall knows which incoming packets are solicited and which are unsolicited.

You can leave this setting as blocked. The only time you might want to receive unsolicited packets is if you are running a server of some kind which expects unsolicited requests.

Stuart

#3
September 22, 2014 at 09:47:24
Ah. So, when the Firewall presents the option,

> Block all incoming connections, including those in the list of
> allowed programs

the word "connections" refers to the making of new connections,
not to use of "connections" already open. It doesn't mean "Block
all incoming communications", it just means "Block all incoming
requests to make a new connection".

Ok, so my next question...

I thought I had set Windows Firewall to block everything IN BOTH
DIRECTIONS except for the absolute minimum required to use a
web browser. Then I installed an FTP program to upload files to
my website. To my surprise and alarm, the program connected
to the Internet without my having to tell Windows Firewall to let it
through. How is that possible?

-- Jeff, in Minneapolis

#4
September 22, 2014 at 10:11:31
Not sure what you're expecting without us looking at your firewall's rules.

How To Ask Questions The Smart Way

#5
September 22, 2014 at 10:51:47
Using Windows Firewall with Advanced Security, I see that only
9 inbound ports are set to allow connection, all having to do with
network discovery, and all of those are in the "private" zone, not
the "public" zone that governs Internet connections.

Only 3 outbound rules are set to allow connections, all in the
"Core Networking" group. All others are blocked.

Before I started using a router/modem which has its own hardware
firewall, GRC Shields UP! (at http://www.grc.com/default.htm ) port
testing showed that all 1055 ports tested were stealthed by my
settings of Windows Firewall.

Does that info enable you to answer my question?

-- Jeff, in Minneapolis

#6
September 22, 2014 at 12:12:32
Not really. Thankfully there's a VBScript interface for Win7's firewall. This script will dump all of your enabled and active outbound rules to "firewall.txt" on your desktop.
' Modified from http://msdn.microsoft.com/en-us/library/aa364724%28v=vs.85%29.aspx
' Opens (and truncates) firewall.txt on the current user's desktop for writing.
With CreateObject("Scripting.FileSystemObject")
    Set outFile = .OpenTextFile( _
      .BuildPath(CreateObject("WScript.Shell").SpecialFolders("Desktop"), "firewall.txt"), _
      2, True)
End With

' Profile Type
Const NET_FW_PROFILE2_DOMAIN = 1
Const NET_FW_PROFILE2_PRIVATE = 2
Const NET_FW_PROFILE2_PUBLIC = 4

' Protocol
Const NET_FW_IP_PROTOCOL_TCP = 6
Const NET_FW_IP_PROTOCOL_UDP = 17
Const NET_FW_IP_PROTOCOL_ICMPv4 = 1
Const NET_FW_IP_PROTOCOL_ICMPv6 = 58

' Direction
Const NET_FW_RULE_DIR_IN = 1
Const NET_FW_RULE_DIR_OUT = 2

' Action
Const NET_FW_ACTION_BLOCK = 0
Const NET_FW_ACTION_ALLOW = 1


' Create the FwPolicy2 object.
Set fwPolicy2 = CreateObject("HNetCfg.FwPolicy2")

' The returned 'CurrentProfiles' bitmask can have more than 1 bit set if multiple profiles 
'   are active or current at the same time
CurrentProfiles = fwPolicy2.CurrentProfileTypes
if ( CurrentProfiles AND NET_FW_PROFILE2_DOMAIN ) then
   outFile.WriteLine("Domain Firewall Profile is active")
end if
if ( CurrentProfiles AND NET_FW_PROFILE2_PRIVATE ) then
   outFile.WriteLine("Private Firewall Profile is active")
end if
if ( CurrentProfiles AND NET_FW_PROFILE2_PUBLIC ) then
   outFile.WriteLine("Public Firewall Profile is active")
end if

' Get the Rules object
Set RulesObject = fwPolicy2.Rules

' Print all the rules in currently active firewall profiles.
outFile.WriteLine("Rules:")
For Each rule In RulesObject
    if CBool(rule.Profiles And CurrentProfiles) And _
       CBool(rule.Direction And NET_FW_RULE_DIR_OUT) And _ 
            (rule.Enabled) Then
        outFile.WriteLine("  Rule Name:          " & rule.Name)
        outFile.WriteLine("   ----------------------------------------------")
        outFile.WriteLine("  Description:        " & rule.Description)
        outFile.WriteLine("  Application Name:   " & rule.ApplicationName)
        outFile.WriteLine("  Service Name:       " & rule.ServiceName)
        Select Case rule.Protocol
            Case NET_FW_IP_PROTOCOL_TCP    outFile.WriteLine("  IP Protocol:        TCP.")
            Case NET_FW_IP_PROTOCOL_UDP    outFile.WriteLine("  IP Protocol:        UDP.")
            Case NET_FW_IP_PROTOCOL_ICMPv4 outFile.WriteLine("  IP Protocol:        ICMPv4.")
            Case NET_FW_IP_PROTOCOL_ICMPv6 outFile.WriteLine("  IP Protocol:        ICMPv6.")
            Case Else                      outFile.WriteLine("  IP Protocol:        " & rule.Protocol)
        End Select
        if rule.Protocol = NET_FW_IP_PROTOCOL_TCP or rule.Protocol = NET_FW_IP_PROTOCOL_UDP then
            outFile.WriteLine("  Local Ports:        " & rule.LocalPorts)
            outFile.WriteLine("  Remote Ports:       " & rule.RemotePorts)
            outFile.WriteLine("  LocalAddresses:     " & rule.LocalAddresses)
            outFile.WriteLine("  RemoteAddresses:    " & rule.RemoteAddresses)
        end if
        if rule.Protocol = NET_FW_IP_PROTOCOL_ICMPv4 or rule.Protocol = NET_FW_IP_PROTOCOL_ICMPv6 then
            outFile.WriteLine("  ICMP Type and Code:    " & rule.IcmpTypesAndCodes)
        end if
        Select Case rule.Direction
            Case NET_FW_RULE_DIR_IN  outFile.WriteLine("  Direction:          In")
            Case NET_FW_RULE_DIR_OUT outFile.WriteLine("  Direction:          Out")
        End Select
        outFile.WriteLine("  Enabled:            " & rule.Enabled)
        Select Case rule.Action
            Case NET_FW_ACTION_ALLOW  outFile.WriteLine("  Action:             Allow")
            Case NET_FW_ACTION_BLOCK  outFile.WriteLine("  Action:             Block")
        End Select
        outFile.WriteLine("  Grouping:           " & rule.Grouping)
        outFile.WriteLine("  Edge:               " & rule.EdgeTraversal)
        outFile.WriteLine("  Interface Types:    " & rule.InterfaceTypes)
        InterfaceArray = rule.Interfaces
        if IsEmpty(InterfaceArray) then
            outFile.WriteLine("  Interfaces:         All")
        else
            LowerBound = LBound(InterfaceArray)
            UpperBound = UBound(InterfaceArray)
            outFile.WriteLine("  Interfaces:     ")
            for iterate = LowerBound To UpperBound
                outFile.WriteLine("       " & InterfaceArray(iterate))
            Next
        end if
        outFile.WriteLine ""
    end if
Next

' Flush and close the output file.
outFile.Close

How To Ask Questions The Smart Way

message edited by Razor2.3

#7
September 22, 2014 at 14:05:39
Okaaaay....

The VBScript produces a file 1390 lines long.
I'm guessing that what you want to know is which are the three
outbound ports that I said are not blocked. They are:

Core Networking - DNS (UDP-Out)
Remote port 53
The description of this one is a bit scary.

Core Networking - Dynamic Host Configuration Protocol (DHCP-Out)
Local port 68
Remote port 67

Core Networking - IPHTTPS (TCP-Out)
Remote port IPHTTPS

Does that do it?

-- Jeff, in Minneapolis

#8
September 24, 2014 at 08:49:53
I was actually hoping for the full file. That way I could search for remote port 21, as well as scan for a few FTP programs. If I found it, I could point the rule out. If not, I could say I didn't see an FTP rule, so make sure the firewall is configured to block by default.

How To Ask Questions The Smart Way

#9
September 24, 2014 at 09:39:22
Port 21 was not listed by number, nor did "FTP" appear in the listing.
None of the application names had to do with FTP.

I can still provide the whole listing if it will help answer the question,
but as I said, only those three entries are marked as "Allow". All the
others are marked as "Block". However...

I'm not sure whether ports not listed were set to be blocked by default.
The default default apparently is to allow. So that may be the answer.

-- Jeff, in Minneapolis

#10
September 24, 2014 at 09:55:11
The FTP program still works even though Windows Firewall is set to
block outgoing connections not defined by a rule.

-- Jeff, in Minneapolis

#11
September 24, 2014 at 10:37:29
Verify you're looking at the settings for whichever zone you're currently in. The first line in the text file will say which behavior set is being applied. Remember zoning is done by the connected access point.
Verify the rules, make sure you're not allowing anything you're not expecting. That the script gave you a 1400-line file indicates you have a lot more than 3 rules enabled.
Verify the files are going out over FTP and not, say, HTTP POST.

How To Ask Questions The Smart Way

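One way to run the three checks from #11 in a single pass, as an added example that is not from the thread: it goes through the same HNetCfg.FwPolicy2 COM interface as the VBScript in #6, so it works in the PowerShell 2.0 that ships with Windows 7 without the newer NetSecurity module. The profile/action name tables and the FTP search pattern are my own choices, not part of the API.

```powershell
# Added example, not code from the thread: audit Windows Firewall state through
# the HNetCfg.FwPolicy2 COM object (INetFwPolicy2), as the VBScript above does.
$fw = New-Object -ComObject HNetCfg.FwPolicy2

$profileNames = @{ 1 = 'Domain'; 2 = 'Private'; 4 = 'Public' }   # NET_FW_PROFILE2_*
$actionNames  = @{ 0 = 'Block';  1 = 'Allow' }                   # NET_FW_ACTION_*
$current      = $fw.CurrentProfileTypes                          # bitmask of active profiles

# 1. Which profile is in force, and what happens to traffic that matches NO rule.
#    'defaultOut=Allow' is exactly the case where an FTP client connects although
#    no FTP rule exists; 'blockAllInbound=True' is the checkbox the thread began with.
foreach ($p in 1, 2, 4) {
    $state  = if ($current -band $p) { 'ACTIVE' } else { 'inactive' }
    $fields = @(
        $profileNames[$p], $state, $fw.FirewallEnabled($p),
        $actionNames[[int]$fw.DefaultInboundAction($p)],
        $actionNames[[int]$fw.DefaultOutboundAction($p)],
        $fw.BlockAllInboundTraffic($p)
    )
    '{0,-8} {1,-8} enabled={2} defaultIn={3} defaultOut={4} blockAllInbound={5}' -f $fields
}

# 2. Every enabled outbound Allow rule that applies to an active profile.
#    Direction 2 = out, Action 1 = allow; Profiles is a bitmask (0x7fffffff = all).
''
'Enabled outbound Allow rules in the active profile(s):'
$fw.Rules |
    Where-Object { $_.Enabled -and $_.Direction -eq 2 -and $_.Action -eq 1 -and ($_.Profiles -band $current) } |
    ForEach-Object { '  {0} | app={1} | proto={2} | remote ports={3}' -f $_.Name, $_.ApplicationName, $_.Protocol, $_.RemotePorts }

# 3. The search #8 wanted to do by hand: any enabled rule naming remote port 21
#    or an application path containing "ftp" (a constructed pattern, not an API value).
''
'Rules that look FTP-related:'
$fw.Rules |
    Where-Object { $_.Enabled -and ($_.RemotePorts -match '\b21\b' -or $_.ApplicationName -match 'ftp') } |
    ForEach-Object { '  {0} ({1})' -f $_.Name, $actionNames[[int]$_.Action] }
```

Run it once with the router on and once with it off, as #12 does, and compare the ACTIVE line: the default actions of the profile that is actually in force are what decide unmatched traffic, not the rule count.
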
#12
September 25, 2014 at 04:59:26
> Verify you're looking at the settings for whichever zone you're currently in.
> First line in text file will say which behavior set is being applied. Remember
> zoning is done by the connected access point.

Oh dear. It appears to be backwards.

The first line of the generated file said "Public Firewall Profile is active".
However, I ran the script while offline. I ran it again while connected to the
Internet, and then it says "Private Firewall Profile is active". These match
what I see when I look at the Windows Firewall main page.

When the modem/router is off:

> Home or work (private) networks - Not Connected
> Public networks - Connected

When the modem/router is on:

> Home or work (private) networks - Connected
> Public networks - Not Connected

When I was using a dial-up connection, and had no other network
connection of any kind, I set the Internet connection to "Public" for
strongest security. I thought that when I recently connected the new
modem/router via Ethernet cable, Windows asked me to choose a
zone, and I again set it to "Public". I don't understand why it seems
to now be reversed.

However, only a very small number of rules are different between the
Public and Private lists, and the SAME three outbound ports are the
only ports in the two lists that are set to Allow. All others are set to
Block. There are no inbound rules listed. Those ports are Blocked
by default, which effectively stealths them. Testing at GRC with the
dial-up connection showed all of the first 1055 ports to be Stealthed,
as I said above.

The new modem/router has its own built-in hardware firewall. GRC
shows that it has one Open port and two Blocked ports. All the rest
of the first 1055 (plus about 200 more I tested) are Stealthed.

> Verify the rules, make sure you're not allowing anything you're not expecting.

It appears that the error may be on the level of the entire firewall, not
individual rules or ports.

> That the script gave you a 1400 line file indicates you have a lot more than
> 3 rules enabled.

When the modem/router is off, "Public Firewall Profile is active",
77 rules are set to Block, 3 are set to Allow.

When the modem/router is on, "Private Firewall Profile is active",
81 rules are set to Block, 3 are set to Allow.

> Verify the files are going out over FTP and not, say, HTTP POST.

I'm using an FTP program:

> WS_FTP LE is a Windows-based file transfer client application
> that transfers files between a user’s local PC and another, remote
> computer system connected via a modem and telephone lines or
> by a local-area network. With WS_FTP LE, users can connect to
> any remote system that has a valid Internet address and an FTP
> server program, browse through directories and files, and transfer
> files between the two systems. In addition, users can create, change,
> and remove directories and view, execute, rename, or delete files.
>
> WS_FTP LE complies with the Windows sockets (Winsock) standard,
> allowing you to transfer files between a wide variety of systems,
> including Windows, OS/2, and UNIX systems.

-- Jeff, in Minneapolis
