Create specific zone and apply


Postby claudiubotezatu » Sun Jan 29, 2012 1:22 pm

Hi,

There are 3 options there, none of them explained in the manual:

A.B.C.D/24 If by that it means an IP like 192.168.121.(any number) , so only 24 bit , shouldn't have been A.B.C.x/24?

A.B.C.D/24:XY The same like above but also specified a local port ;

x.x.x.x/0:XY That means ANY IP but a specific port???
claudiubotezatu
 
Posts: 12
Joined: Thu Jan 26, 2012 11:00 pm

 

Re: Create specific zone and apply

Postby VistaFirewallControl » Mon Jan 30, 2012 10:51 am

>A.B.C.D/24 If by that it means an IP like 192.168.121.(any number) , so only 24 bit , shouldn't have been A.B.C.x/24?

Should be. Thank you for the suggestion. The changes will be available in the next build.
A.B.C.0/24 is more strict probably.

>A.B.C.D/24:XY The same like above but also specified a local port ;

Correct.

>x.x.x.x/0:XY That means ANY IP but a specific port???

Correct.
VistaFirewallControl
Site Admin
 
Posts: 624
Joined: Fri Mar 27, 2009 11:25 am

Re: Create specific zone and apply

Postby jclarkw » Sat Feb 04, 2012 10:34 pm

I'm still confused about the display/application of specific addresses/ports (and the behavior of the rule editing box in general) in W7FC, XP version:

1) For example, my log file shows the following entry when Spooler SubSystem App is blocked from printing to my LAN-connected printer: "...TCP 192.168.1.101:9100(****)..." where "****" represents a sometimes-sequential, 4-digit number that seems to be different for each different connection/app attempt. (I can't find any description in the manual of how to read the log file. Apparently 9100 is the port number for the data transfer in this case. What is the number in parentheses?) But when I accept the apparently most specific form (A.B.C.D/24:XY) of the rule that is offered by the Edit Application box that pops up on detection, I get instead, "...TCP192.168.1.0/24:9100 Outgoing..." Where did my least significant address -- .101 -- go? Does the "24" tell W7FC to ignore the least significant byte?

If I over-ride the "default" above by explicitly replacing ".0/24:" with ".101/32:" in the address field, I get something confusing, since the Edit Application box still shows a zone named, "TCP192.168.1.0/24:9100 Outgoing". Eventually I stumbled on this same-named zone in the Zone List and opened it, only to find that it showed the correct (full) address and port. After editing the name to match there, I had TWO entries in the Zone List; but when I went back to the Edit Application box and tried to change to the re-named zone, it wouldn't let me.

After some floundering around and giving counter-intuitive answers to yes/no questions, I somehow got rid of the old-named zone from the Zone List and got the Application List to accept the new-named zone. All seems to be well (although I have some lingering uncertainty), but it shouldn't be this hard. What was I doing wrong? Can you give some clear and explicit instructions for how to manipulate these various dialog boxes?

2) There is another confusion in this process: Dismissing the pop-up Edit Application box and instead right-clicking the corresponding entry in the "Blocked Events" tab produces an apparently ordered sequence of "Permit the remote PC,"... "Permit the service worldwide" buttons. How do these options correspond (or not) to the above specificity buttons in the Edit Application box?

If I select, "Permit the service for the remote PC," for example, it seems to preserve all 32 bits of the address, plus the port number, in a second rule of the resulting Edit Zone box -- there's a DisableAll rule in the first position that I had to delete before clicking OK. This appears to work -- the printer prints its job -- but only the first time. The application zone reverts to DisableAll thereafter. Is this choice of "Permit" buttons supposed to be a one-time permission, or what am I doing wrong here?

3) When composing/editing a rule in general, am I guessing correctly that any field left blank implies an arbitrary value for the corresponding parameter?

4) Finally, I'm still having trouble with the blocked-event balloons. (There's an earlier unanswered question to Tech Support on this.) Whenever a blocked/detection event occurs, a FLASHING balloon appears, but it never goes away. (Should it flash? This makes it much harder to read.) After I have the application properly permitted, the only way I have found to get rid of this flashing balloon (other than to reboot) is to check and then uncheck the "Do not show Log Balloon" box on the Settings tab. (Note that I had previously been instructed to increase the registry setting for BalloonTime from 5 seconds, when I was trying the Free version. It's still set at 60 seconds, although I am now testing the Plus version that I was told to install over top of the previous. It might possibly also be relevant that I'm running from a Limited User account in XP.)

Sorry to run on so long, but trial-and-error in the absence of clear instructions can be pretty frustrating. Thanks for any further clarification -- jclark
jclarkw
 
Posts: 26
Joined: Tue Jan 31, 2012 10:54 pm

Re: Create specific zone and apply

Postby jclarkw » Sun Feb 05, 2012 3:10 am

A related problem (this time running from an Administrator account in XP just to make sure): I'm trying to craft a minimal zone that will satisfy Adobe Reader 10, both running and updating, etc. (AcroRd32.exe and adobeARM.exe have consecutively showed up in the Program List.) The idea was to test the addition of various rules to the new zone in hopes of preventing blocking; but as soon as I close Reader to try again, the program names (and the corresponding zone setting, of course) disappear from the Program List, and I'm back at square one. At this point I can't even get either program to show up in the list at all. I'm just running in circles here. I'm going to reboot; but what gives?!

OK, it SEEMS to be working right after a reboot. Still seems OK after going back to my Limited User account. But what am I doing wrong to produce this crazy behavior?? Something to do with the Limited User Account (which has seemed OK until now)??? -- jclarkw
jclarkw
 
Posts: 26
Joined: Tue Jan 31, 2012 10:54 pm

Re: Create specific zone and apply

Postby jclarkw » Sun Feb 05, 2012 8:29 pm

>>...but as soon as I close Reader to try again, the program names (and the corresponding zone setting, of course) disappear from the Program List...<<


The same thing just happened to me again (also from an Administrator account). Upon installation of Firefox and appropriate configuration in W7FC, the Program List entry of IE8 disappeared. Conversely, replacing the IE settings caused Firefox to disappear. (This disappearance MIGHT be connected to my going to the Setting tab, checking, and unchecking the balloons box to get the obsolete balloons to stop flashing -- see above. I THINK when I finally got both browsers properly listed was a case where I hadn't bothered to "disappear" the balloons...)
jclarkw
 
Posts: 26
Joined: Tue Jan 31, 2012 10:54 pm

Re: Create specific zone and apply

Postby VistaFirewallControl » Mon Feb 06, 2012 1:02 pm

>1) For example, my log file shows the following entry when Spooler SubSystem App is blocked from printing to my LAN-connected printer: "...TCP 192.168.1.101:9100(****)..." where "****" represents a sometimes-sequential, 4-digit number that seems to be different for each different connection/app attempt. (I can't find any description in the manual of how to read the log file. Apparently 9100 is the port number for the data transfer in this case. What is the number in parentheses?)


The local port number. A TCP/UDP connection is established port-to-port. The local port numbers (while not specified by the service developers) are random and typically sequential.
It’s rather TCP stack (not firewall) specific.


>But when I accept the apparently most specific form (A.B.C.D/24:XY) of the rule that is offered by the Edit Application box that pops up on detection, I get instead, "...TCP192.168.1.0/24:9100 Outgoing..." Where did my least significant address -- .101 -- go? Does the "24" tell W7FC to ignore the least significant byte?

/24 ignores the least significant.
You could use /32 (if required) creating/patching the rule manually.
Please read an IP addressing basics explanation for the details. It would be better to read a systematic source.


>If I over-ride the "default" above by explicitly replacing ".0/24:" with ".101/32:" in the address field, I get something confusing, since the Edit Application box still shows a zone named, "TCP192.168.1.0/24:9100 Outgoing".

The name is given automatically at rule creation; you can edit the name anytime.

>Eventually I stumbled on this same-named zone in the Zone List and opened it, only to find that it showed the correct (full) address and port. After editing the name to match there, I had TWO entries in the Zone List;

The zones list keeps by-name uniqueness. Changing the name dups the zone. Delete the unnecessary zone if required.

>but when I went back to the Edit Application box and tried to change to the re-named zone, it wouldn't let me.

Please be more descriptive. An error message? What is the context of the editing?

>All seems to be well (although I have some lingering uncertainty), but it shouldn't be this hard. What was I doing wrong? Can you give some clear and explicit instructions for how to manipulate these various dialog boxes?


Briefly. There are 4 related entities: the Zone List, the Program List, and the EditProgram and EditZone dialogs.
The EditZone dialog allows editing the zone in the ZoneList and the ProgramsList. The ProgramsList keeps independent copies of zones from the ZoneList. So there are 2 zones of the same name possible: the one in the repository and the one applied to the application.
The EditProgram dialog allows selecting and copying (applying) a new zone from the ZoneList to an application.


>2) There is another confusion in this process: Dismissing the pop-up Edit Application box and instead right-clicking the corresponding entry in the "Blocked Events" tab produces an apparently ordered sequence of "Permit the remote PC,"... "Permit the service worldwide" buttons. How do these options correspond (or not) to the above specificity buttons in the Edit Application box?

"Permit the remote PC" IP/32:x (any port)
"Permit the remote subnetwork (256 PCs)" IP/24:x
"Permit the remote corp network (65536 PCs)" IP/16:x
"Permit the service for the remote PC" IP/32:A
"Permit the service for the remote subnetwork (256 PCs)" IP/24:A
"Permit the service for the remote corp network (65536 PCs)" IP/16:A
"Permit the service worldwide" IP/0:A

Just choose an item and review the created rule before applying it to the application. You will be shown all the details.


>Is this choice of "Permit" buttons supposed to be a one-time permission, or what am I doing wrong here?

The edited zone is applied to the application and can be rewritten by EditApplication.
If you edit a zone for an application please edit the zone name accordingly, just to distinguish the edited and unedited separate copies.


>3) When composing/editing a rule in general, am I guessing correctly that any field left blank implies an arbitrary value for the corresponding parameter?

Yes.

>4) Finally, I'm still having trouble with the blocked-event balloons. (There's an earlier unanswered question to Tech Support on this.) Whenever a blocked/detection event occurs, a FLASHING balloon appears, but it never goes away. (Should it flash? This makes it much harder to read.)

The balloon may flash only if another application tries to repaint the screen. The balloon is redrawn/refreshed again on a time basis and specified as a “topmost” window.
So the competition could look like flashing.


>After I have the application properly permitted, the only way I have found to get rid of this flashing balloon (other than to reboot) is to check and then uncheck the "Do not show Log Balloon" box on the Settings tab.

EditPrograms dialog allows per-application balloon disabling.

> (Note that I had previously been instructed to increase the registry setting for BalloonTime from 5 seconds, when I was trying the Free version. It's still set at 60 seconds, although I am now testing the Plus version that I was told to install over top of the previous. It might possibly also be relevant that I'm running from a Limited User account in XP.)

On-the-top installation just keeps the maximum of previous settings. Please feel free to edit the value back. The w7fc control panel restart is required.
VistaFirewallControl
Site Admin
 
Posts: 624
Joined: Fri Mar 27, 2009 11:25 am
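
The prefix arithmetic behind the "Permit ..." list in the reply above, as an added example that is not part of the original thread and is not W7FC code. It assumes the `IP/prefix:port` notation used in this thread with `x` meaning "any"; the function names are hypothetical.

```python
import ipaddress

# Menu item -> (prefix length, keep the remote port?), copied from the list above.
PERMIT_OPTIONS = {
    "Permit the remote PC": (32, False),
    "Permit the remote subnetwork (256 PCs)": (24, False),
    "Permit the remote corp network (65536 PCs)": (16, False),
    "Permit the service for the remote PC": (32, True),
    "Permit the service for the remote subnetwork (256 PCs)": (24, True),
    "Permit the service for the remote corp network (65536 PCs)": (16, True),
    "Permit the service worldwide": (0, True),
}


def parse_zone(spec):
    """Split 'A.B.C.D/N[:PORT]' into (network, port); port None means any port."""
    addr, _, port = spec.partition(":")
    addr = addr.replace("x", "0")  # x.x.x.x/0 is written 0.0.0.0/0 here
    # strict=False masks off the host bits, so 192.168.1.101/24 becomes
    # 192.168.1.0/24: this is where the ".101" goes in the thread's question.
    network = ipaddress.ip_network(addr, strict=False)
    return network, (None if port in ("", "x") else int(port))


def rule_for(option, remote_ip, remote_port):
    """Build the rule string a menu item would produce for a blocked connection."""
    prefix, keep_port = PERMIT_OPTIONS[option]
    network = ipaddress.ip_network(f"{remote_ip}/{prefix}", strict=False)
    return f"{network}:{remote_port if keep_port else 'x'}"


def matches(spec, remote_ip, remote_port):
    """True if a connection to remote_ip:remote_port falls inside the rule."""
    network, port = parse_zone(spec)
    return ipaddress.ip_address(remote_ip) in network and port in (None, remote_port)


def addresses_covered(spec):
    """How many remote addresses the rule permits (1, 256, 65536, ...)."""
    return parse_zone(spec)[0].num_addresses


if __name__ == "__main__":
    # Constructed sample: the LAN printer from the thread.
    printer = ("192.168.1.101", 9100)
    for option in PERMIT_OPTIONS:
        rule = rule_for(option, *printer)
        print(f"{rule:24} {addresses_covered(rule):>10}  {option}")
```

For the printer case, `192.168.1.101/32:9100` is the narrowest rule that still lets the job through; the `/24` form offered by default also permits the other 255 addresses on the subnet.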

Re: Create specific zone and apply

Postby VistaFirewallControl » Mon Feb 06, 2012 1:07 pm

>A related problem (this time running from an Administrator account in XP just to make sure): I'm trying to craft a minimal zone that will satisfy Adobe Reader 10, both running and updating, etc. (AcroRd32.exe and adobeARM.exe have consecutively showed up in the Program List.) The idea was to test the addition of various rules to the new zone in hopes of preventing blocking; but as soon as I close Reader to try again, the program names (and the corresponding zone setting, of course) disappear from the Program List, and I'm back at square one. At this point I can't even get either program to show up in the list at all. I'm just running in circles here. I'm going to reboot; but what gives?!

Use EditPrograms/Apply (not EditPrograms/ApplyOnce)
ApplyOnce deletes application from the list after the application is edited automatically
Read the note on the EditPrograms

>>...but as soon as I close Reader to try again, the program names (and the corresponding zone setting, of course) disappear from the Program List...<<

Please see the above
VistaFirewallControl
Site Admin
 
Posts: 624
Joined: Fri Mar 27, 2009 11:25 am

Re: Create specific zone and apply

Postby jclarkw » Mon Feb 06, 2012 6:53 pm

OK, I think I understand most of what you say here. (I'll need to re-read the highly condensed manual several more times to try to understand these nuances about the inter-related Edit dialogs and the duplicate zones of the same name...) But here are two places where I think you misunderstand my points:


>>The balloon may flash only if another application tries to repaint the screen. The balloon is redrawn/refreshed again on a time basis and specified as a “topmost” window.
So the competition could look like flashing.<<

This turns out not to be the reason. After I moved all other windows out of the way, I realized that the flashing is alternation between the blocked-access-details balloon and the "Trial notification. Activation Required" nag balloon. (I'm still testing the software and have not yet bought a license.) But the alternating balloons never go away...

>> >>After I have the application properly permitted, the only way I have found to get rid of this flashing balloon (other than to reboot) is to check and then uncheck the "Do not show Log Balloon" box on the Settings tab.<<

EditPrograms dialog allows per-application balloon disabling.<<

OK, I see that check box also, but I don't want to prevent FUTURE blocking notices from the particular application (at least not yet). I'm sure I've already permitted the access in question. I just want the old balloon to go away after the BalloonTime set in the registry. (Might its persistence be because the timer is reset each time the information balloon is re-written after alternating with the nag balloon, even though it's the same balloon for the same event long past?)


>> >>A related problem (this time running from an Administrator account in XP just to make sure): I'm trying to craft a minimal zone that will satisfy Adobe Reader 10, both running and updating, etc. (AcroRd32.exe and adobeARM.exe have consecutively showed up in the Program List.) The idea was to test the addition of various rules to the new zone in hopes of preventing blocking; but as soon as I close Reader to try again, the program names (and the corresponding zone setting, of course) disappear from the Program List, and I'm back at square one. At this point I can't even get either program to show up in the list at all. I'm just running in circles here. I'm going to reboot; but what gives?!<<

Use EditPrograms/Apply (not EditPrograms/ApplyOnce)
ApplyOnce deletes application from the list after the application is edited automatically
Read the note on the EditPrograms<<

I'm almost certain that I did use the "Apply" button. (To my knowledge I've never used any "ApplyOnce" button.) Could the disappearance have anything to do with the unconventional way that I made the blocked/nag balloons go away, as I suggested earlier ("...the only way I have found to get rid of this flashing balloon [other than to reboot] is to check and then uncheck the "Do not show Log Balloon" box on the Settings tab")? Or might it also be related to the trial-notification issue mentioned above? (Certainly the randomly appearing Register screens interfere with responding to pop-up Edit Application screens...)


In an effort to replicate the problem with selecting a "Permit the service for the remote PC" option by right-clicking on a blocked event, I now find that new blocked events (which do produce balloons, entries in blocked.log, and entries in the Program List) are not even getting listed in the Blocked Events tab! Something flaky seems to be going on here...

...so I rebooted. Now things are even weirder: There are no more nag screens or balloons, as though I had been automatically registered somehow, and the blocked balloons are indeed timing out as advertised. BUT blocked events are STILL not appearing on the corresponding tab. I'm just getting more and more frustrated with the apparently inconsistent behavior (or my incorrect manipulation?) of your software!

I should probably reiterate in this context that I'm running the Windows XP version of W7FC. Please help. -- jclarkw
jclarkw
 
Posts: 26
Joined: Tue Jan 31, 2012 10:54 pm

Re: Create specific zone and apply

Postby VistaFirewallControl » Tue Feb 07, 2012 9:06 am

>(I'm still testing the software and have not yet bought a license.) But the alternating balloons never go away...

Restart the PC to get nag text free testing.

>OK, I see that check box also, but I don't want to prevent FUTURE blocking notices from the particular application (at least not yet). I'm sure I've already permitted the access in question. I just want the old balloon to go away after the BalloonTime set in the registry.

The balloon traces the events history automatically and shows the last events only.
Obviously, the balloon must not be disabled either in Settings or per-application.


> I'm almost certain that I did use the "Apply" button. (To my knowledge I've never used any "ApplyOnce" button.) Could the disappearance have anything to do with the unconventional way that I made the blocked/nag balloons go away, as I suggested earlier ("...the only way I have found to get rid of this flashing balloon [other than to reboot] is to check and then uncheck the "Do not show Log Balloon" box on the Settings tab")? Or might it also be related to the trial-notification issue mentioned above? (Certainly the randomly appearing Register screens interfere with responding to pop-up Edit Application screens...)

The application listing is unconditional and persistent. The only imaginable way for an application to disappear automatically is asking for that evidently via ApplyOnce or deleting the application manually.


>In an effort to replicate the problem with selecting a "Permit the service for the remote PC" option by right-clicking on a blocked event, I now find that new blocked events (which do produce balloons, entries in blocked.log, and entries in the Program List) are not even getting listed in the Blocked Events tab! Something flaky seems to be going on here...

If a blocked activity is enabled (in spite of applying an enabling zone or patching the current zone to enable the activity) there will be no blocks anymore and so no related events.

>...so I rebooted. Now things are even weirder: There are no more nag screens or balloons, as though I had been automatically registered somehow, and the blocked balloons are indeed timing out as advertised. BUT blocked events are STILL not appearing on the corresponding tab. I'm just getting more and more frustrated with the apparently inconsistent behavior (or my incorrect manipulation?) of your software!

Could it be of the reason above?
Check TrayIcon:Mode….. should not be Mode:EnableAll.
Delete an application from the list and try to redetect by forcing the application's network activity.
Check Windows7FirewallService is running in services.msc.
Check Windows7FirewallControl is running in devmgmt.msc (“Show hidden/not PnP devices” must be used. The driver is in not-PnP group)
VistaFirewallControl
Site Admin
 
Posts: 624
Joined: Fri Mar 27, 2009 11:25 am

Re: Create specific zone and apply

Postby jclarkw » Tue Feb 07, 2012 11:26 pm

>>Could it be of the reason above?
Check TrayIcon:Mode….. should not be Mode:EnableAll.
Delete an application from the list and try to redetect by forcing the application's network activity.
Check Windows7FirewallService is running in services.msc.
Check Windows7FirewallControl is running in devmgmt.msc (“Show hidden/not PnP devices” must be used. The driver is in not-PnP group)<<


After a reboot, answers to the above questions are: Yes, Yes, Yes, and Yes. The nag balloons are back, flashing, and persistent on a blocked event.

More importantly, the same symptoms still occur: "...new blocked events [in fact, new detections after being deleted from the Programs List as you recommended] (which [DO] produce [new] balloons, [new] entries in blocked.log, and [new] entries in the Program List) are not even getting listed in the Blocked Events tab!"

This new behavior started Monday (see above), and I KNOW it isn't supposed to work like this! Maybe it's time for a CLEAN (how?) uninstall and re-install?
jclarkw
 
Posts: 26
Joined: Tue Jan 31, 2012 10:54 pm
