
Still confused about zones

Re: Still confused about zones

Postby jclarkw » Wed Feb 08, 2012 6:29 pm

>>Could you please repeat the policy you would like to implement? ... Otherwise the discussion would hardly be usable<<


I disagree, and I think you are missing my point.

Either to understand the actual behavior of your pre-defined zones, or to design new zones/rules to implement an arbitrary security policy, the user needs a complete understanding of exactly how W7FC executes an arbitrary set of rules (either "disable" or "enable") in the context of a hypothetical zone (also either "disable" or "enable") and at all "levels" of the decision tree in order to arrive at a final block/permit decision on any access attempt by an application.

In other words, I'm looking now at the general case, not a specific example. The broad sketch at the bottom of your last post lacks the required detail. The available documentation lacks the required clarity.

I thought we were approaching an adequate verbal description of W7FC behavior in two of the earlier posts in this thread, but yours (Fri Feb 03, 2012 4:43 am) seems a bit cryptic and lacking in detail, while my attempt to clarify and extend it (Fri Feb 03, 2012 11:33 am) seems inconsistent. I'm asking that you clarify the behavior of W7FC sufficiently that an intelligent user can design zones/rules to implement his/her own security policy without extensive trial-and-error experimentation. A comprehensive flow chart would probably be the most useful presentation, but an adequate verbal description would be a big help!
jclarkw
 
Posts: 26
Joined: Tue Jan 31, 2012 10:54 pm

 

Re: Still confused about zones

Postby VistaFirewallControl » Thu Feb 09, 2012 9:16 am

from http://sphinx-soft.com/Vista/zones.html
The firewall compares application access parameters with the zone set to the application rule by rule, sequentially, in the reverse order. The rules at the bottom take precedence. If rule parameters match the application access information, the firewall uses the rule result to enable/disable the application accordingly. If no rules match the application access data, the result parameter of the entire zone is used to enable/disable the application access attempt. Every application access attempt is treated in the same manner separately.

from http://sphinx-soft.com/Vista/settings.html
The rules act at a low priority, so any rules set to an application directly/explicitly (either enabling or disabling) take precedence. In other words, the rules (in the context of an application) trigger only if the application has no rules of its own to enable or disable the same IP/protocol/port. If the application is set with such rules, only the application's rules are used.


Should the above be just graphical?
VistaFirewallControl
Site Admin
 
Posts: 624
Joined: Fri Mar 27, 2009 11:25 am

Re: Still confused about zones

Postby jclarkw » Thu Feb 09, 2012 4:06 pm

>>Should the above be just graphical?<<


Yes, definitely! Based on the slightly more elaborate description that I just received from Tech Support via e-mail, I think you need TWO SEPARATE graphical flow charts for the Win7 and the WinXP versions. They appear to differ significantly.

Anyhow, I MIGHT now have enough information, between this thread and the e-mails, to piece together a straw-man logical description for you to review and correct. (I'm still not sure exactly what you mean by "levels." It would help me a lot if you would review/correct my Fri Feb 03, 2012 11:33 am post in this thread, since that illustrates the level of detail that I am seeking!) Unfortunately I am traveling tomorrow and will not have time to focus on this for a while. It would be more accurate if you did the logical description for us anyhow...

Best Regards. -- jclarkw
jclarkw
 
Posts: 26
Joined: Tue Jan 31, 2012 10:54 pm

Re: Still confused about zones

Postby VistaFirewallControl » Fri Feb 10, 2012 10:17 am

>[Basic Concepts:]
[A) ]All the blocking entities are set with priorities (levels) [and are checked in the logical sequence given below].
[B) ]Any disabling item takes the supreme priority and generates “rejecting” result being found at any level. [The sequential level checking terminates at that point and OverallResult=Disable is returned.]
>[C) ]Any enabling item allows to pass to the next level. So, theoretically, if no disabling items [were

By Mode:EnableAll for instance

>] found at all, the activity [would be] enabled[. Nevertheless, if there is no disabling result (and if the event is not permitted by activating the AllApps Zone in the Settings tab), W7FC traps any event from an unlisted program and generates an OverallResult=DisableAll(Detection). (Note, however, that the result of a detection can also be modified in the Settings tab.)]

The “detection” level is lowest, but applicationless.
So can be overridden by an application dedicated zone, allapps zone, subnetwork zone (the next version) and trayicon/rightclick/mode


>So the [sequential] layers [are as follows:]
[1)] The program requesting network access is compared to the Program List. [If not listed – Layer 2 below is skipped.]
[2) For a program matching any entry, the] RuleResults (not ZoneResults) [explicitly] set to [that] application [are checked in order from bottom to top of the Rules list. Any violated rule sets OverallResult=Disable, and the rest of the sequential level checking terminates at that point.

>**NOTE: (2) makes sense together with (4) for a zone with ZoneResult=Enable and disabling rules, but it CANNOT be correct for ZoneResult=Disable. The latter would make OverallResult=Disable even if RuleResult=Enable for all rules in the zone! Perhaps the logic of "disable trumps all" is reversed for ZoneResult=Disable? Please correct my misunderstanding. (Better yet, please provide a flow chart!)**

Will try to create the flowchart.

>[3)] Rules from the allapps zone [(if it is activated in the Settings tab) are then checked. Note that this level applies] to [ALL] applications, the both listed and unlisted[. If AllAppsResult=Enable, OverallResult=Enable, and the rest of the sequential level checking terminates at that point.

OverallResult=Enable may not be terminative. Only disable decision is final, enabling decision is just a way to go further.

>Otherwise, an AllAppsResult=Disable causes the testing to continue at Level 4. -- CORRECT?)]

Incorrect. AllApps has no overall zone result.


>[4) The] ZoneResult from [any] listed application [is then checked. If ZoneResult=Disable, OverallResult=Disable and the sequence is terminated.][5) Finally, a] universal (internal/predefined) blocking rule [is applied to anything that drops through this sequence.] So if nothing is specified an AllApps and the application is not listed, it will be detected and so listed. [It will also be blocked unless the default setting for detected events has been changed in the Settings tab -- IS THIS CORRECT???]

Correct.

>So AllApps zone overrides only ZoneResults of listed applications and can not override the rules set to the applications.<<

Correct


Stay tuned, we will prepare the flowchart finally.
VistaFirewallControl
Site Admin
 
Posts: 624
Joined: Fri Mar 27, 2009 11:25 am

Re: Still confused about zones

Postby jclarkw » Mon Feb 13, 2012 3:29 am

The new flowchart is WONDERFUL. It answers (nearly) all of my questions. In particular, it makes it clear why rule matches from an active AllApps zone prevent detection of new applications (as you warned). All I can find are (1) a trivial error in detail, (2) an apparently missing option, and (3) an ignorant question. (I was going to ask about the "Subnetwork" -- green -- blocks, but I understand from the above that they are place-holders for a not-yet-released feature.)

I still have to ask, however, does this flow chart apply equally to the Vista/Win7 and the XP versions of the program?

1) Error in Detail -- In the third (pink) block, shouldn't the arrow return from "more rules/yes" to the top of "rule matches" instead of all the way to the top of the block ("App.exe listed")?

2) Missing Option -- If I correctly understood your critique of my Fri Feb 03, 2012 11:33 am post, it is possible to change the behavior of the "universal detection block" at the very bottom of the chart from the default "DisableAll" to another pre-defined (or new, presumably) zone by changing the entry in the Settings tab under "Default zone for initially detected applications." If this is correct, the flow chart should reflect that option.

3) Ignorant Question: Obviously an application-oriented firewall like this can only detect application activity by looking for OUTBOUND network requests (and somehow identifying them with a specific application -- none of my business how you do this!), as indicated at entry point of your flow chart. This is fine for the outgoing rules in the corresponding zone, but what about any incoming rules? How are these incoming messages associated with the application in question? (I think I'm supposed to know something about how TCP/IP determines whether or not an incoming message is a reply to an earlier outgoing request. If so, please just refer me to a basic text/Web site that explains this.)


Final comment: You folks have been amazingly patient and thorough in answering my many questions and, especially, in agreeing to clarify and expand your documentation. I don't believe I have ever encountered such fantastic tech support. I can only hope that my questions have helped a little to facilitate that manual update. I have a much better understanding now of how to use your software. If you think I can be helpful in reviewing any new draft users guide, please don't hesitate to e-mail me. I'll do my best.
jclarkw
 
Posts: 26
Joined: Tue Jan 31, 2012 10:54 pm

Re: Still confused about zones

Postby VistaFirewallControl » Mon Feb 13, 2012 9:53 am

>(I was going to ask about the "Subnetwork" -- green -- blocks, but I understand from the above that they are place-holders for a not-yet-released feature.)

Not released, but available as 5.0 beta. Check the download page please.
Cloud/Network Edition for W7, however.

>I still have to ask, however, does this flow chart apply equally to the Vista/Win7 and the XP versions of the program?

Universal. The only difference is in the rules analyzing sequence.
Win7-> bottom-to-top,
XP->top-to-bottom.
The next XP dedicated patch will make XP equal to W7


>1) Error in Detail -- In the third (pink) block, shouldn't the arrow return from "more rules/yes" to to the top of "rule matches" instead of all the way to the top of the block ("App.exe listed")?

Sure, thank you! Fixed.

>2) Missing Option -- If I correctly understood your critique of my Fri Feb 03, 2012 11:33 am post, it is possible to change the behavior of the "universal detection block" at the very bottom of the chart from the default "DisableAll" to another pre-defined (or new, presumably) zone by changing the entry in the Settings tab under "Default zone for initially detected applications." If this is correct, the flow chart should reflect that option.


There is no way to change the detection block at all. The analyzing path just can stop (the decision can be made) before the block.
The Settings/DefaultZone is just a zone (temporarily) set on application detection _before_ the user prompt and therefore before the user chooses a more proper/suitable zone for the application.


>3) Ignorant Question: Obviously an application-oriented firewall like this can only detect application activity by looking for OUTBOUND network requests (and somehow identifying them with a specific application -- none of my business how you do this!), as indicated at entry point of your flow chart. This is fine for the outgoing rules in the corresponding zone, but what about any incoming rules? How are these incoming messages associated with the application in question? (I think I'm supposed to know something about how TCP/IP determines whether or not an incoming message is a reply to an earlier outgoing request. If so, please just refer me to a basic text/Web site that explains this.)


Sorry for confusing you, the analyzing path is equal for the both directions.
The ambiguity is fixed.


>I can only hope that my questions have helped a little to facilitate that manual update. I have a much better understanding now of how to use your software. If you think I can be helpful in reviewing any new draft users guide, please don't hesitate to e-mail me. I'll do my best.

The new manual is available as a part of 5.0 beta. Several paragraphs have been added following your helpful suggestions. Thank you!
VistaFirewallControl
Site Admin
 
Posts: 624
Joined: Fri Mar 27, 2009 11:25 am
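The decision path that this thread pieces together (the zones.html/settings.html text quoted in the Feb 09 post, the layer sequence confirmed in the Feb 10 post, and the Win7 bottom-to-top versus XP top-to-bottom rule order stated just above) can be written down as a small model. The following is an added example, not code from Sphinx Software, from W7FC, or from either participant. It makes a few labelled assumptions: rules are reduced to direction/protocol/remote network/port range; an AllApps match is treated as final in either direction (reading "AllApps overrides only ZoneResults of listed applications" together with "only a disable decision is final"); the tray-icon/Mode overrides and the not-yet-released Subnetwork zone are not modelled; and the detection block is hard-coded to DisableAll. The sample zones, program names and addresses are constructed for the demonstration.

```python
"""Added model of the W7FC access-decision path described in this thread.
Not Sphinx Software code; the rule fields and the 'AllApps match is final'
reading are assumptions (see the lead-in)."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Access:
    app: str        # program requesting network access
    direction: str  # "in" or "out" (the thread says the path is the same for both)
    proto: str      # "tcp" or "udp"; W7FC works at TCP/UDP and above
    remote_ip: str
    port: int


@dataclass(frozen=True)
class Rule:
    result: str                  # "enable" or "disable"
    direction: str = "*"
    proto: str = "*"
    remote_net: str = "0.0.0.0/0"
    ports: tuple = (1, 65535)    # inclusive port range

    def matches(self, a: Access) -> bool:
        return (self.direction in ("*", a.direction)
                and self.proto in ("*", a.proto)
                and ipaddress.ip_address(a.remote_ip)
                in ipaddress.ip_network(self.remote_net)
                and self.ports[0] <= a.port <= self.ports[1])


@dataclass
class Zone:
    name: str
    rules: list                   # as displayed in the Rules list, top entry first
    zone_result: str = "enable"   # used only when no rule of the zone matches


def first_match(rules, access, order):
    """zones.html: rules are compared sequentially. On W7 the walk is
    bottom-to-top, so the rule at the bottom of the list wins; the XP build
    (before the patch mentioned in the thread) walks top-to-bottom."""
    seq = reversed(rules) if order == "bottom-to-top" else rules
    for rule in seq:
        if rule.matches(access):
            return rule
    return None


# The universal detection block at the end of the path. The thread says it
# cannot be changed; DisableAll is assumed here as its result.
DETECTION_RESULT = "disable"


def decide(access, program_list, allapps=None, order="bottom-to-top"):
    """Return (result, reason) for one access attempt.

    program_list maps an executable name to the Zone assigned to it;
    allapps is the AllApps zone, or None when it is not activated in Settings.
    """
    zone = program_list.get(access.app)

    # Layer 2: rules set explicitly to a listed application take precedence
    # (settings.html). The first match is used; AllApps cannot override it.
    if zone is not None:
        rule = first_match(zone.rules, access, order)
        if rule is not None:
            return rule.result, f"{zone.name} rule"

    # Layer 3: AllApps rules apply to listed and unlisted programs alike.
    # Assumption: a match here is final either way, since the thread says
    # AllApps overrides a listed application's ZoneResult.
    if allapps is not None:
        rule = first_match(allapps.rules, access, order)
        if rule is not None:
            return rule.result, "AllApps rule"

    # Layer 4: no rule matched; a listed application falls back to its ZoneResult.
    if zone is not None:
        return zone.zone_result, f"{zone.name} ZoneResult"

    # Layer 5: an unlisted program is detected (and listed). The Settings
    # "default zone" is only applied after this point, before the user prompt.
    return DETECTION_RESULT, "detection"


# Constructed sample configuration (not from the page): a browser zone whose
# top rule blocks everything and whose bottom rule permits outbound HTTPS,
# plus an AllApps zone that permits DNS to one resolver for every program.
WEB_ZONE = Zone("WebZone", [
    Rule("disable"),
    Rule("enable", direction="out", proto="tcp", ports=(443, 443)),
])
PROGRAMS = {"browser.exe": WEB_ZONE}
ALLAPPS = Zone("AllApps", [Rule("enable", "out", "udp", "192.168.1.1/32", (53, 53))])

if __name__ == "__main__":
    https = Access("browser.exe", "out", "tcp", "203.0.113.10", 443)
    # Same rules, different evaluation order, opposite verdicts:
    print("W7 ", decide(https, PROGRAMS))                         # bottom rule wins: enable
    print("XP ", decide(https, PROGRAMS, order="top-to-bottom"))  # top rule wins: disable
    print("new", decide(Access("unknown.exe", "out", "tcp", "203.0.113.10", 80), PROGRAMS, ALLAPPS))
```

The practical point the model makes visible: a zone written with a catch-all "disable" rule at the top and narrow "enable" rules below it is a tight allow-list on Win7 but an all-deny on an unpatched XP build, so the same exported rule set is not safe to move between the two versions until the XP order is changed. It also shows why an active AllApps zone with an enabling rule stops new programs from being detected: their matching traffic never reaches the detection block.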

Re: Still confused about zones

Postby jclarkw » Tue Feb 14, 2012 12:15 am

>>The new manual is available as a part of 5.0 beta.<<


Three more questions (related to this thread but not directly to the new flow chart, which remains great!):

1) Is there any way to download the latest manual revision withOUT actually installing the 5.0 beta or any other version of W7FC? (A PDF users' guide, although probably more difficult for you to maintain, could be tagged to a particular revision date or software version number. It would be easily printable and make great "bed-time reading," providing a good way for a new OR PROSPECTIVE user to learn how the software operates and what any new features do.)

2) Similarly, is there a way to view or print out the current version history of the software from the Web?

3) I would still be most grateful for a concrete example of the use of LAN-prefixed rules/zones. Could you explain, for example, how to permit (or to deny!) Windows "File and Printer Sharing" on a home LAN in the context of W7FC? What applications would be affected? What special zones would need to be applied to them? (I know you tried to address a similar question for me via e-mail, but it didn't register. The only LAN placeholder that I've noticed so far on my system is in ExplorerZone, applied to Windows Explorer. But since "NetBIOS over Tcpip" is currently disabled on my machines -- I'm still using NetBEUI for file sharing -- perhaps I haven't triggered most applications to access the network by TCP/IP?)
jclarkw
 
Posts: 26
Joined: Tue Jan 31, 2012 10:54 pm

Re: Still confused about zones

Postby VistaFirewallControl » Tue Feb 14, 2012 9:18 am

>1) Is there any way to download the latest manual revision withOUT actually installing the 5.0

CHM only at the moment. Would you like us to PM you the CHM?

>2) Similarly, is there a way view or print out the current version history of the software from the Web?

the-latest-betas-releases-t6.html


>3) I would still be most grateful for a concrete example of the use of LAN-prefixed rules/zones. Could you explain, for example, how to permit (or to deny!) Windows "File and Printer Sharing" on a home LAN in the context of W7FC?

In order to permit: the sharing must be permitted (not disabled) by the system itself, to guarantee the related services are started and not blocked by the Windows Firewall at least.
From the W7FC point of view, setting “HostProcess” and “System” to the automatically advised zones is enough.
In order to disable: the details are not officially published, but you will have to exclude
ports 135-139 and 445 from both applications and all the printer-related ones.

The simpler approach is the use of LANs to patch all LAN* rules. If LAN* list is empty there will be no in-LAN (including file/printer sharing) operations admitted, otherwise – the full LAN access.


>What applications would be affected?

System, HostProcess, printer spooler + (maybe) some OS dependent.

>What special zones would need to be applied to them?

LocalSystem for System.
Local+DNS+DHCP(svchost) for HostProcess.
LanOnly for printer spooler etc.

Or any other, configured more dedicatedly, equal by the implication.



>The only LAN placeholder that I've noticed so far on my system is in ExplorerZone, applied to Windows Explorer.

+ all LANxxxxOnly zones + LanService + LanWebServer

>But since "NetBIOS over Tcpip" is currently disabled on my machines

We are not sure regarding NetBEUI implementation. W7FC operates with TCP/UDP (and higher) only.
VistaFirewallControl
Site Admin
 
Posts: 624
Joined: Fri Mar 27, 2009 11:25 am

Re: Still confused about zones

Postby jclarkw » Tue Feb 14, 2012 3:28 pm

>>the-latest-betas-releases-t6.html<<

Thanks! What happened to (released?) version 4.5.1.15? When I download the current XP version, I still get 4.1.21.93 (which I'm now running).

>>CHM only at the moment. Would you like us to PM you the CHM?<<

Yes please.

>>From W7FC point, setting “HostProcess” and “System” to the automatically advised zones is enough...
The simpler approach is the use of LANs to patch all LAN* rules. If LAN* list is empty there will be no in-LAN (including file/printer sharing) operations admitted, otherwise – the full LAN access.<<

Thanks! That's quite clear. (I didn't expect guidance about NetBEUI, which seems to work locally around any firewall I've tried.) -- jclarkw
jclarkw
 
Posts: 26
Joined: Tue Jan 31, 2012 10:54 pm

Re: Still confused about zones

Postby VistaFirewallControl » Wed Feb 15, 2012 9:54 am

>Thanks! What happened to (released?) version 4.5.1.15? When I download the current XP version, I still get 4.1.21.93 (which I'm now running).

4.5 has never been released.


>>CHM only at the moment. Would you like us to PM you the CHM?<<

Done.
VistaFirewallControl
Site Admin
 
Posts: 624
Joined: Fri Mar 27, 2009 11:25 am
