Windows Firewall Questions

venomous21

Hello,

I have a Windows 8.1 x64 PC. If I set my network to public and "block all connections including apps on the list of allowed apps," will this also block allowed apps in 'advanced settings' or are those not included? Or do I need to disable some of the incoming connections in 'advanced settings' for public?

I'm going to be travelling and connecting to untrusted networks and want everything incoming blocked by default. I will also be using a VPN.

Do you think outbound protection is necessary? I'm completely paranoid about what I allow to be installed and regularly scan with TDSSKiller, Malwarebytes, ESET NOD32, and SUPERAntiSpyware. I haven't got a virus in many, many years.

Thank you!
 

Whose firewall are you using, Windows or ESET?
 

Windows, just using ESET for anti-virus. Also, I won't be using the VPN all the time, only for work-related activities. Otherwise, I'll try to make sure to connect to the https:// version of trusted websites.
 

Yes, if it's set to 'Block All Connections', it blocks all incoming connections, regardless of any green (allowed/active) rules in the inbound rules.

In the 'Advanced' section, if you go to 'Windows Firewall Properties', for each profile (domain/private/public), there are two block settings for inbound connections and you can tell what each of them does by the text description in the 'overview' section (see below screenshot).

If it's set to 'Block (default)', all inbound connections that do not match a rule are blocked (so if there's an allow rule there, it will be allowed). When a connection attempt is encountered, Windows Firewall will first look through all the block rules and if it doesn't find a matching rule it will then look through all the allow rules. As soon as it encounters a matching rule it will stop and apply that rule. If it comes across no rules, then it will apply the action you've set in the 'Windows Firewall Properties' settings (in this case block).

If it's set to 'Block All Connections', all inbound connections are blocked (regardless of the rules).


Untitled-2.jpg


Blocking all incoming connections won't prevent your apps from working as it's blocking incoming connections, not traffic. Internet traffic itself travels in both ways along the connection, however the apps themselves make outgoing connections. I'm not sure about the Skype app though, as I've never tried it.

For me I always set all networks to public and set it to 'Block All [incoming] Connections' (even at home), as I never need to receive incoming connections (such as for file sharing, hosting games, etc.) or share/stream anything over a network. Different people have different uses though.

As for your second question, whether outbound rules are necessary is a bit of a disputed area. I use outbound rules myself, but that's more of a personal preference than anything, as I just take an interest in what's making connections and to where. You can also use outbound rules to prevent perfectly legitimate software from phoning home whenever it wants to.

However, the other school of thought is that outbound rules don't really offer any solid protection against malicious software dialling out to command & control domains because as soon as a piece of software is able to get/is allowed admin privileges, it's game over as it can do what it wants, including creating its own firewall exceptions, disabling/bypassing firewall protection altogether or possibly even installing its own drivers. SmartScreen filter and UAC are probably more effective in reality (so there's a reduced chance of people being accidentally tricked into installing malicious software), but it may be worth you reading around and deciding what you want to do yourself, as the verdict is split.

The way I see it, it's all extra layers. Although Windows Firewall isn't particularly user friendly, so you will need to have a bit of an idea what you want it to do when setting up the rules.
 
... continued from previous post

Also, one of the major problems with outgoing rules is that the user needs to keep on top of their firewall rules to ensure things that they don't want blocked aren't automatically blocked. That means it requires maintenance, which for most people is just a nuisance, a PITA and really is more hassle than it's worth. The vast majority of people just aren't going to bother, which means it will inevitably lead to problems. Then there's the problem with things being blocked that shouldn't be blocked, for example blocking svchost from connecting to Certificate Authorities to download Certificate Revocation Lists, etc., which, if blocked, will actually make the user less secure.

Unlike third-party firewalls that display notifications for outgoing connections, Windows Firewall doesn't. Therefore, if setting outbound filtering, I'd strongly suggest turning on Firewall blocked connection logging in Group Policy so that you can see exactly what's being blocked by Windows Firewall. Otherwise you will almost certainly end up blocking legitimate Windows processes that should be allowed to access the internet. Like I mentioned, Windows Firewall is not user friendly in the slightest and I don't think they really designed it for consumer use because of the headaches blocked outbound firewall connections can cause and the debatable gain you get from it. But if you do fancy learning about it:

Enable Windows Firewall Blocked Connection Logging:
Group Policy Editor > Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Object Access > Audit Filtering Platform Connection > Failure

Group_Policy.jpg


Create Firewall Blocked Connection Event Logs in Event Viewer:
Event Viewer > Create Custom View > XML > Edit Query Manually

Blocked Inbound Connections Custom View

Code:
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=5150 or EventID=5157)]]
   and *[EventData[Data[@Name="Direction"]="%%14592"]]
</Select>
  </Query>
</QueryList>

Blocked Outbound Connections Custom View

Code:
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=5150 or EventID=5157)]]
   and *[EventData[Data[@Name="Direction"]="%%14593"]]
</Select>
  </Query>
</QueryList>


Which will look similar to this in Event Viewer:

Event_Viewer.jpg
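
The profile check and logging steps from the two posts above, scripted as an added example that is not part of the original posts. It assumes an elevated PowerShell prompt, an English-language system (auditpol subcategory names are localized), and the event data fields Application, DestAddress and DestPort; the 2000-event cap and top-20 cut-off are arbitrary choices.

```powershell
# Added example, not from the original posts. Run from an elevated PowerShell prompt.

# Confirm the Public profile policy. "BlockInboundAlways" is the netsh name for
# 'Block All Connections'; "BlockInbound" is 'Block (default)'.
netsh advfirewall show publicprofile firewallpolicy

# Command-line equivalent of the Group Policy step: audit failures for
# Object Access > Filtering Platform Connection.
auditpol /set /subcategory:"Filtering Platform Connection" /failure:enable

# Same filter as the "Blocked Outbound Connections" custom view.
# Swap %%14593 for %%14592 to list blocked inbound connections instead.
$xpath = '*[System[(EventID=5150 or EventID=5157)]] and ' +
         '*[EventData[Data[@Name="Direction"]="%%14593"]]'

# -MaxEvents 2000 is an arbitrary cap chosen for this example.
$events = Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents 2000 `
              -ErrorAction SilentlyContinue

# Flatten each event's <EventData> name/value pairs into an object.
# Fields missing from an event are left empty.
$rows = foreach ($e in $events) {
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        Application = $data['Application']
        DestAddress = $data['DestAddress']
        DestPort    = $data['DestPort']
    }
}

# Most frequently blocked application/destination pairs first, so that blocked
# Windows components (the svchost case in the post) are easy to spot.
$rows | Group-Object Application, DestAddress, DestPort |
    Sort-Object Count -Descending |
    Select-Object -First 20 Count, Name |
    Format-Table -AutoSize
```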
 
