W7FW Plus rules question

Postby RangerXus » Sat Feb 18, 2012 6:20 am

Greetings:

I have been doing some testing of the beta W7FC Plus 5.0.0.1 release and have some questions.

1) How do I create a rule that says enable if request is to IP x.x.x.x from local port Y to remote port Z. I don't see a way to specify both a local and remote port in one rule. I know I can set up two separate rules but I don't think the result would be the same.

2) In a related question to 1 above, if I have a zone with 5 enable rules, do all 5 rules have to be matched for the request to be allowed or will the request be allowed if just 1 of the 5 rules match?

3) I deleted some of your predefined zones that I didn't feel I needed. But when I restarted W7FC I got an error and all my applications were set to disabled. Why can't I delete unneeded predefined zones? The reason I might want to do this is to make the drop-down lists more manageable on the block window that comes up for new applications.

4) Is there a way yet to disable the overhead of remote management (i.e. the building of the list of all computers on the network, etc.)? If I don't intend to use the remote management functions, I'd like to not have the overhead of scanning the network over the local LAN.

5) I tried installing W7FC Plus on another computer using RDP. I selected the option on the installation screen to enable RDP and to start W7FC. When I pressed Finish, W7FC started up and locked my RDP session from accessing the computer I was installing W7FC on. I had to go to the console of that computer and log on. It showed that W7FC had set "System" to disabled and had displayed the block window for me to set my desired zone/rules for "System". This made it impossible for me to install the product remotely using RDP. Is this a bug in your product or did I do something wrong? I thought setting "enable RDP" on the installation screen would ensure that I could continue to RDP into that computer after W7FC started up and initialized itself (this was a first-time install on that computer, not an upgrade of an existing install).

Thanks
RangerXus
 
Posts: 10
Joined: Tue Mar 15, 2011 4:14 am

Re: W7FW Plus rules question

Postby VistaFirewallControl » Mon Feb 20, 2012 10:43 am

>1) How do I create a rule that says enable if request is to IP x.x.x.x from local port Y to remote port Z. I don't see a way to specify both a local and remote port in one rule. I know I can set up two separate rules but I don't think the result would be the same.

Formally there must be 2 separate rules to achieve the above.
However, we do not see a practical sense in 2 rules: typically, for outgoing communication the local port is random, and for incoming communication the remote port is random.
UDP "connections" are an exception. But still there is no practical sense in restricting the ports on both sides.


>2) In a related question to 1 above, if I have a zone with 5 enable rules, do all 5 rules have to be matched for the request to be allowed or will the request be allowed if just 1 of the 5 rules match?

The first match determines the result. ZoneResult is used if none of the rules is triggered.
The rules are analyzed from bottom to top (W7/Vista) and from top to bottom (XP).


>3) I deleted some of your predefined zones that i didn't feel I needed. But when I restarted W7FC I got an error and all my applications were set to disabled. Why can't I delete unneeded predefined zones? The reason I might want to do this is to make the drop-down lists more manageable on the block window that comes up for new applications.

The behavior is not expected. The repository zones are independent. The zones applied to applications are zone copies only. Though the zones repository presence may be checked by some specific operations.
How to reproduce? What zone(s) deletion produced the behavior?
Did the restart only produce the problem?


>4) Is there a way yet to disable the overhead of remote management (i.e. the building of the list of all computers on the network, etc.) If I don't intend to use the remote management functions, I'd like to not have the overhead of scanning the network over the local LAN.

No way in the current version; we will implement the option in the next build.
We do not think the overhead is significant. Once every 15-20 sec W7FC uses the system default neighborhood discovery only.


>5) I tried installing W7FC Plus on another computer using RDP. I selected the option on the installation screen to enable RDP and to start W7FC. When I pressed finish W7FC started up and locked my RDP session from accessing the computer I was installing W7FC on. I had to go to the console of that computer and logon. It showed that W7FC had set "System" to disabled and had displayed the block window for me to set my desired zone/rules for "System".

XP or W7?
Please check the zones tab – LocalSystem and Local+DNS+DHCP zones – for "RemoteDesktop" rule presence and state/validity.

> (this was a first time install on that computer, not an upgrade on an existing install).

System should be detected (and advised) with the LocalSystem zone.
If LocalSystem is missing in the zones tab (the product was installed, the zone was removed and then the product was reinstalled on top, for instance), W7FC gets the default zones (from Settings); the installer default is DisableAll.

However, for the first install... So XP or W7?
VistaFirewallControl
Site Admin
Posts: 624
Joined: Fri Mar 27, 2009 11:25 am

Re: W7FW Plus rules question

Postby RangerXus » Tue Feb 21, 2012 12:39 am

Re: W7FW Plus rules question

Unread postby VistaFirewallControl » Mon Feb 20, 2012 5:43 am
>1) How do I create a rule that says enable if request is to IP x.x.x.x from local port Y to remote port Z. I don't see a way to specify both a local and remote port in one rule. I know I can set up two separate rules but I don't think the result would be the same.

Formally there must be 2 separate rules to achieve the above.
However, we do not see a practical sense in 2 rules: typically, for outgoing communication the local port is random, and for incoming communication the remote port is random.
UDP "connections" are an exception. But still there is no practical sense in restricting the ports on both sides.

>>> I agree that the majority of the time the local outgoing port is a random dynamic port for TCP. But there are some exceptions to that. UDP often uses the same ports for incoming and outgoing. I understand that adding this capability to W7FC would not add a major improvement and may even complicate using the product for the average user. But if you ever want to claim that W7FC is a full-featured firewall, then I think this functionality would have to be added, since all the other top-of-the-line firewalls have this ability. It just depends on how you want to target/market your product.

>2) In a related question to 1 above, if I have a zone with 5 enable rules, do all 5 rules have to be matched for the request to be allowed or will the request be allowed if just 1 of the 5 rules match?

The first match determines the result. ZoneResult is used if none of the rules is triggered.
The rules are analyzed from bottom to top (W7/Vista) and from top to bottom (XP).

>>> This then precludes any ability to restrict access to a specific local port / remote port combination. This is not a complaint, just an observation.

>3) I deleted some of your predefined zones that i didn't feel I needed. But when I restarted W7FC I got an error and all my applications were set to disabled. Why can't I delete unneeded predefined zones? The reason I might want to do this is to make the drop-down lists more manageable on the block window that comes up for new applications.

The behavior is not expected. The repository zones are independent. The zones applied to applications are zone copies only. Though the zones repository presence may be checked by some specific operations.
How to reproduce? What zone(s) deletion produced the behavior?
Did the restart only produce the problem?

>>> I will have to repeat this scenario to provide more detail. But yes, I think when I restarted W7FC is when I received the error. My gut reaction was that this had to do with the fact that W7FC uses the predefined zones for its recommendations and didn't like it when it restarted to find they no longer existed. I think there was another post in the forum of another user talking about a similar event. When I have time to test again I will post more details. Note though that the predefined zones I deleted were not used by any of my applications - of course that shouldn't matter, since the applications use a copy of those zones/rules.

>4) Is there a way yet to disable the overhead of remote management (i.e. the building of the list of all computers on the network, etc.) If I don't intend to use the remote management functions, I'd like to not have the overhead of scanning the network over the local LAN.

No way in the current version; we will implement the option in the next build.
We do not think the overhead is significant. Once every 15-20 sec W7FC uses the system default neighborhood discovery only.

>>> It is not just a case of overhead, but some network admins don't like programs scanning the entire network, even if using Windows standard methods to do the scanning. It looks suspicious, like some malware is active on the network. I think the average home user will not be adept enough to remotely manage other W7FC installations on their home network, nor desire to do so. It seems to me to be a feature for business environments, but not home environments. And there is the situation of a laptop being on a public hotspot at the local coffee shop... should it be trying to scan that public network? I just think this is really an option that should be disabled by default and enabled by users who understand it and want to use it.

>5) I tried installing W7FC Plus on another computer using RDP. I selected the option on the installation screen to enable RDP and to start W7FC. When I pressed finish W7FC started up and locked my RDP session from accessing the computer I was installing W7FC on. I had to go to the console of that computer and logon. It showed that W7FC had set "System" to disabled and had displayed the block window for me to set my desired zone/rules for "System".

XP or W7?
Please check the zones tab – LocalSystem and Local+DNS+DHCP zones – for "RemoteDesktop" rule presence and state/validity.

> (this was a first time install on that computer, not an upgrade on an existing install).

System should be detected (and advised) with the LocalSystem zone.
If LocalSystem is missing in the zones tab (the product was installed, the zone was removed and then the product was reinstalled on top, for instance), W7FC gets the default zones (from Settings); the installer default is DisableAll.

However, for the first install... So XP or W7?

>>> Regarding item 5 above... This was on a W7 machine (both the local and the remote). The remote was a new install. What happened was once the install was finished and the service started, it immediately blocked and issued the window for what to do for "System", and the system ports were blocked waiting for the response. So even if RDP port 3389 was open, your FW would not allow a connection until the "System" window was answered. Then of course came the next prompts for Host Processes and Local Security Processes. Because of this there was no way to reconnect remotely. I got around this problem by doing the following: pre-creating an export.xml file with "System", Host Processes, and Local Security Processes all enabled, called initialize.xml. I copied it to the remote computer. Then I did the install via RDP on the remote computer. At the last installation prompt (the one that asks if you want to start W7FC), I first disabled the newly installed W7FC service so it could not start. Then I answered the last installation screen and it ended, but because I had disabled the service RDP did not get locked out. I then changed the service to automatic (but did not start it). I then imported my initialize.xml file into W7FC. At that point the service automatically started but used my imported enable-all rules, so it did not lock me out. I then started the W7FC console and was on my way. A lot of work! I just think that if you check "enable RDP" during the installation, the installer should also enable "System" and whatever other applications (Host Processes, etc.) to really allow RDP access to continue on a new installation.

Edit: I just found another forum topic that had this same problem with the Server version of your product. See "Locked Out ! - Server 2008 R2". It says you fixed this in the Server version but maybe not in the Plus version?
RangerXus
Posts: 10
Joined: Tue Mar 15, 2011 4:14 am

Re: W7FW Plus rules question

Postby VistaFirewallControl » Tue Feb 21, 2012 4:01 pm

>>> This then precludes any ability to restrict access to a specific local port / remote port combination. This is not a complaint, just an observation.

That's not correct.
Just create 2 separate enabling rules: one with the local port specified, the second with the remote port specified. The ZoneResult=Disable.
The rules with non-matching data are skipped, so the first rule analyses the local port only and passes any remote port on to the following analysis.

>>> It is not just a case of overhead but some network admins don't like programs scanning the entire network

The switching-off feature will be implemented; for now it's scheduled for this week.


> And there is the situation of a laptop being on a public hotspot at the local coffee shop... should it be trying to scan that public network?

Typically such networks use the "host isolation" option, so host-to-host communication is disabled by the hotspot.


>>> Regarding item 5 above... This was on a W7 machine (both the local and the remote).

There is no problem to fix the bug (if any); there is a problem to reproduce it.
We tried 3 times yesterday on clean W7FC (both XP and W7) installations over RDP. There were no problems encountered. We do not claim there is no problem at all.
We must see (or at least log) the problem first. Otherwise there is nothing to fix.


>your FW would not allow a connection until the "System" window was answered.

That's not correct. W7FC sets Settings/DefaultZone or the application/service-specific default zone immediately after the initial blocking, in any case before the prompt. Even a running GUI is not required for that.
The default zone for System is LocalSystem. The installer sets the RDP enabling rule on System before the service is started in the operable (not setup) mode.

>The of course came the next prompts for Host Processes and Local Security Processes. Because of this there was no way to reconnect remotely.

The needs or prompts are just scheduled for the GUI.
You can check that yourself. Delete System from Programs and for System detection.
Then "cancel" the prompt or close the entire GUI temporarily. Then check the zone set to System.


>and Local Security Processes ….

We probably have a suspect. W7FC does not tweak LSASS for RDP.
We should verify that.



>if you check the enable RDP during the installation, the installer should also enable "System" and whatever other applications (Host processes, etc.) to really allow RDP access to continue on a new installation.

RDP is implemented in System (W7) and HostProcess (XP). Both are patched by the installer accordingly.



>Edit: I just found another forum topic that had this same problem with the Server version of your product. See "Locked Out ! - Server 2008 R2". It says you fixed this in the Server version but maybe not in the Plus version?

Both. Starting from 4.5 at least.
VistaFirewallControl
Site Admin
Posts: 624
Joined: Fri Mar 27, 2009 11:25 am
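An added example, not code from this thread or from the W7FC product: a small Python model of the zone semantics stated in the Feb 20 reply (first match wins, ZoneResult is the fallback when no rule fires, rules are read bottom-to-top on W7/Vista and top-to-bottom on XP, a blank rule field matches anything), applied to the two configurations discussed in the thread: a single rule that pins IP, local port and remote port together, and the two single-field Enable rules with ZoneResult=Disable from the Feb 21 reply. A third zone shows how overlapping rules give a different verdict depending on the scan direction. All rule fields, packet values and names (`Rule`, `Zone`, `Packet`, `run_scenarios`) are constructed for the example and are assumptions, not product identifiers.

```python
"""Model of first-match zone evaluation as described in the thread.

Added example: this is NOT W7FC's code. It models only what the replies
state (first match wins, ZoneResult as fallback, scan direction per
platform, blank fields match anything). Sample rules, packets and names
are constructed here.
"""
from dataclasses import dataclass
from typing import List, Optional

ENABLE = "Enable"
DISABLE = "Disable"


@dataclass(frozen=True)
class Packet:
    proto: str
    remote_ip: str
    local_port: int
    remote_port: int


@dataclass(frozen=True)
class Rule:
    action: str                       # ENABLE or DISABLE
    remote_ip: Optional[str] = None   # None = field left blank = any value
    local_port: Optional[int] = None
    remote_port: Optional[int] = None
    proto: Optional[str] = None       # "tcp" / "udp" / None = any
    name: str = ""

    def matches(self, pkt: Packet) -> bool:
        """A rule fires only when every field it specifies equals the packet's."""
        checks = (
            (self.remote_ip, pkt.remote_ip),
            (self.local_port, pkt.local_port),
            (self.remote_port, pkt.remote_port),
            (self.proto, pkt.proto),
        )
        return all(want is None or want == have for want, have in checks)


@dataclass
class Zone:
    rules: List[Rule]      # in editor order, top entry first
    zone_result: str       # used when no rule fires

    def evaluate(self, pkt: Packet, platform: str = "w7") -> str:
        """First matching rule decides; W7/Vista scan bottom-to-top, XP top-to-bottom."""
        order = reversed(self.rules) if platform in ("w7", "vista") else self.rules
        for rule in order:
            if rule.matches(pkt):
                return rule.action
        return self.zone_result


# Scenario 1: one rule pinning IP, local port and remote port (the feature asked about).
PINNED = Zone(
    rules=[Rule(ENABLE, remote_ip="192.0.2.10", local_port=5000,
                remote_port=6000, proto="udp", name="pinned")],
    zone_result=DISABLE,
)

# Scenario 2: two single-field Enable rules with ZoneResult=Disable (Feb 21 reply).
SPLIT = Zone(
    rules=[Rule(ENABLE, local_port=5000, name="by-local-port"),
           Rule(ENABLE, remote_port=6000, name="by-remote-port")],
    zone_result=DISABLE,
)

# Scenario 3: overlapping rules whose verdict depends on the scan direction.
OVERLAP = Zone(
    rules=[Rule(DISABLE, remote_port=3389, name="block-rdp"),   # top entry
           Rule(ENABLE, proto="tcp", name="allow-all-tcp")],    # bottom entry
    zone_result=DISABLE,
)

# Constructed sample traffic (192.0.2.0/24 is a documentation range).
GOOD = Packet("udp", "192.0.2.10", 5000, 6000)           # matches every field
WRONG_REMOTE = Packet("udp", "192.0.2.10", 5000, 7000)   # local port right, remote port wrong
RDP = Packet("tcp", "192.0.2.20", 49152, 3389)           # inbound-style RDP connection


def run_scenarios() -> dict:
    """Return the verdict of each zone for each sample packet."""
    return {
        "pinned/good": PINNED.evaluate(GOOD),
        "pinned/wrong_remote": PINNED.evaluate(WRONG_REMOTE),
        "split/good": SPLIT.evaluate(GOOD),
        "split/wrong_remote": SPLIT.evaluate(WRONG_REMOTE),
        "overlap/w7": OVERLAP.evaluate(RDP, "w7"),
        "overlap/xp": OVERLAP.evaluate(RDP, "xp"),
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:22} -> {verdict}")
```

Two things the model makes visible. First, the same OVERLAP zone enables the RDP packet on W7/Vista (the bottom `allow-all-tcp` rule is read first) and disables it on XP (the top `block-rdp` rule is read first), so a zone exported from one platform should be re-checked on the other. Second, under plain first-match evaluation the SPLIT zone enables `WRONG_REMOTE`, because the local-port rule fires before the remote port is ever looked at; the Feb 21 reply expects that configuration to restrict the combination, so this is a point to confirm on the installed product with test traffic rather than infer from the rule editor.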

