Wireless Printer issues

Postby DarryDoo » Mon Jan 02, 2012 2:24 pm

Greetings.

Using Windows 7 Firewall Control 4.2.21.93, trial version, on Vista Home Premium x86 SP2 fully patched.

<asskiss>
I've been looking for a good outbound firewall solution since ZoneAlarm became sheer bloatware -- yes, that long. I knew that Windoze had an outbound firewall, but it was unwieldy to use. Not only does your product harken back to the early days of ZA, it implements a feature that I've been seeking for a few years -- the "Expensive Mode"! Exactly what I need for managing data usage on cellular networks! :) I'll be buying the full version this weekend.
</asskiss>

The problem: UDP ports are being blocked by the LanOnly rule. Canon WiFi printer at 192.168.1.118/24, my laptop at 192.168.1.112:
Code:
.
.
.
2012:01:02|04:07:41|IPv4 UDP 192.168.1.134:8612(55468)|Canon IJ Network Scan Utility|LanOnly Outgoing|C:\program files\canon\canon ij network scan utility\cnmnsut.exe
2012:01:02|04:08:01|IPv4 UDP 192.168.1.118:8612(55469)|Canon IJ Network Scan Utility|LanOnly Outgoing|C:\program files\canon\canon ij network scan utility\cnmnsut.exe
2012:01:02|04:08:04|IPv4 UDP 255.255.255.255:8612(55470)|Canon IJ Network Scan Utility|LanOnly Outgoing|C:\program files\canon\canon ij network scan utility\cnmnsut.exe
2012:01:02|04:08:04|IPv4 UDP 255.255.255.255:8612(55470)|Canon IJ Network Scan Utility|LanOnly Outgoing|C:\program files\canon\canon ij network scan utility\cnmnsut.exe
2012:01:02|04:08:06|IPv4 UDP 192.168.1.102:8612(55471)|Canon IJ Network Scan Utility|LanOnly Outgoing|C:\program files\canon\canon ij network scan utility\cnmnsut.exe
2012:01:02|04:08:06|IPv4 UDP 192.168.1.103:8612(55471)|Canon IJ Network Scan Utility|LanOnly Outgoing|C:\program files\canon\canon ij network scan utility\cnmnsut.exe
2012:01:02|04:08:07|IPv4 UDP 192.168.1.104:8612(55471)|Canon IJ Network Scan Utility|LanOnly Outgoing|C:\program files\canon\canon ij network scan utility\cnmnsut.exe
2012:01:02|04:08:07|IPv4 UDP 192.168.1.105:8612(55471)|Canon IJ Network Scan Utility|LanOnly Outgoing|C:\program files\canon\canon ij network scan utility\cnmnsut.exe
.
.
.
2012:01:02|04:08:12|IPv4 UDP 192.168.1.132:8612(55471)|Canon IJ Network Scan Utility|LanOnly Outgoing|C:\program files\canon\canon ij network scan utility\cnmnsut.exe
2012:01:02|04:08:12|IPv4 UDP 192.168.1.133:8612(55471)|Canon IJ Network Scan Utility|LanOnly Outgoing|C:\program files\canon\canon ij network scan utility\cnmnsut.exe
2012:01:02|04:08:12|IPv4 UDP 192.168.1.134:8612(55471)|Canon IJ Network Scan Utility|LanOnly Outgoing|C:\program files\canon\canon ij network scan utility\cnmnsut.exe
2012:01:02|04:08:33|IPv4 UDP 192.168.1.118:8612(55472)|Canon IJ Network Scan Utility|LanOnly Outgoing|C:\program files\canon\canon ij network scan utility\cnmnsut.exe
2012:01:02|04:08:36|IPv4 UDP 255.255.255.255:8612(55473)|Canon IJ Network Scan Utility|LanOnly Outgoing|C:\program files\canon\canon ij network scan utility\cnmnsut.exe
2012:01:02|04:08:36|IPv4 UDP 255.255.255.255:8612(55473)|Canon IJ Network Scan Utility|LanOnly Outgoing|C:\program files\canon\canon ij network scan utility\cnmnsut.exe
ad infinitum, ad nauseam.

When attempting to print to this printer,
Code:
2012:01:02|05:56:41|IPv4 UDP 255.255.255.255:8611(53472)|Spooler SubSystem App|LanOnly Outgoing|C:\windows\system32\spoolsv.exe
2012:01:02|05:56:41|IPv4 UDP 255.255.255.255:8611(53472)|Spooler SubSystem App|LanOnly Outgoing|C:\windows\system32\spoolsv.exe
2012:01:02|05:56:45|IPv4 UDP 192.168.1.118:8611(53473)|Spooler SubSystem App|LanOnly Outgoing|C:\windows\system32\spoolsv.exe
2012:01:02|05:56:46|IPv4 UDP 192.168.1.102:8611(53474)|Spooler SubSystem App|LanOnly Outgoing|C:\windows\system32\spoolsv.exe
2012:01:02|05:56:46|IPv4 UDP 192.168.1.103:8611(53474)|Spooler SubSystem App|LanOnly Outgoing|C:\windows\system32\spoolsv.exe
2012:01:02|05:56:46|IPv4 UDP 192.168.1.104:8611(53474)|Spooler SubSystem App|LanOnly Outgoing|C:\windows\system32\spoolsv.exe
2012:01:02|05:56:47|IPv4 UDP 192.168.1.106:8611(53474)|Spooler SubSystem App|LanOnly Outgoing|C:\windows\system32\spoolsv.exe
2012:01:02|05:56:47|IPv4 UDP 192.168.1.107:8611(53474)|Spooler SubSystem App|LanOnly Outgoing|C:\windows\system32\spoolsv.exe
2012:01:02|05:56:47|IPv4 UDP 192.168.1.108:8611(53474)|Spooler SubSystem App|LanOnly Outgoing|C:\windows\system32\spoolsv.exe
2012:01:02|05:56:47|IPv4 UDP 192.168.1.109:8611(53474)|Spooler SubSystem App|LanOnly Outgoing|C:\windows\system32\spoolsv.exe
2012:01:02|05:56:48|IPv4 UDP 192.168.1.118:8611(53473)|Spooler SubSystem App|LanOnly Outgoing|C:\windows\system32\spoolsv.exe
2012:01:02|05:56:48|IPv4 UDP 192.168.1.112:8611(53474)|Spooler SubSystem App|LanOnly Outgoing|C:\windows\system32\spoolsv.exe
.
.
.
2012:01:02|05:56:52|IPv4 UDP 192.168.1.132:8611(53474)|Spooler SubSystem App|LanOnly Outgoing|C:\windows\system32\spoolsv.exe
2012:01:02|05:56:52|IPv4 UDP 192.168.1.134:8611(53474)|Spooler SubSystem App|LanOnly Outgoing|C:\windows\system32\spoolsv.exe
2012:01:02|05:56:54|IPv4 UDP 192.168.1.118:8611(53473)|Spooler SubSystem App|LanOnly Outgoing|C:\windows\system32\spoolsv.exe
2012:01:02|05:56:56|IPv4 UDP 192.168.1.118:8611(53903)|Spooler SubSystem App|LanOnly Outgoing|C:\windows\system32\spoolsv.exe
2012:01:02|05:56:57|IPv4 UDP 255.255.255.255:8611(53904)|Spooler SubSystem App|LanOnly Outgoing|C:\windows\system32\spoolsv.exe
2012:01:02|05:56:57|IPv4 UDP 255.255.255.255:8611(53904)|Spooler SubSystem App|LanOnly Outgoing|C:\windows\system32\spoolsv.exe

I had to give both EXEs EnableAll in order to permit UDP (directed or broadcast), and therefore printing, on the LAN. Obviously not the desired security.

I'd originally thought the addresses in question were the DHCP scope, but the scope is 192.168.1.100-150, so I don't know the significance of the address range 101-134.

Is this expected behaviour? If so, what's the rationale for blocking LAN-destined UDP in LanOnly?

Thanks in advance!
Darren

Re: Wireless Printer issues

Postby VistaFirewallControl » Wed Jan 04, 2012 10:28 am

Dear Darren,


Could you please verify the LanOnly zone's 192.168.1.0/24 rule and send us a screenshot so we can check it.
Obviously a 192.168.1/24 enabling rule must enable all in-LAN communication.

However, the genuine reason could be in the applications' logic.
Both listings start from a blocked 255.255.255.255, i.e. the broadcast message used to discover a required device/service. After the broadcast is blocked, the application generates the iteration through the address range and fails (for a reason).

Isn't there a sense in enabling the broadcast first for both spoolsv and the Canon utility?
E.g. insert a 255.255.255.255/32 enabling rule into the LanOnly zone and reapply the zone to both programs.
Please try it and inform us of the result; most probably we should include enabled broadcast in the LanOnly default.
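
As an added example (not part of this thread and not W7FC's own code), here is a small Python checker that parses blocked-connection lines in the log format quoted above and reports which destinations fall outside a given LanOnly zone, so the broadcast-then-sweep pattern the reply describes shows up immediately. The log entries are constructed samples in the thread's `date|time|family proto dst:dport(sport)|app|rule|path` format, the zone subnets are the two the thread mentions (192.168.43.0/24 and 192.168.1.0/24), and the /24 prefix used to propose a covering subnet is an assumption.

```python
import ipaddress

# Constructed sample entries in the format of the W7FC log quoted in the thread:
# date|time|family proto dst:dport(sport)|app|rule|path
SAMPLE_LOG = [
    r"2012:01:02|04:08:04|IPv4 UDP 255.255.255.255:8612(55470)|Canon IJ Network Scan Utility|LanOnly Outgoing|C:\program files\canon\canon ij network scan utility\cnmnsut.exe",
    r"2012:01:02|04:08:06|IPv4 UDP 192.168.1.102:8612(55471)|Canon IJ Network Scan Utility|LanOnly Outgoing|C:\program files\canon\canon ij network scan utility\cnmnsut.exe",
    r"2012:01:02|05:56:45|IPv4 UDP 192.168.1.118:8611(53473)|Spooler SubSystem App|LanOnly Outgoing|C:\windows\system32\spoolsv.exe",
    r"2012:01:02|05:56:46|IPv4 UDP 192.168.1.109:8611(53474)|Spooler SubSystem App|LanOnly Outgoing|C:\windows\system32\spoolsv.exe",
]

LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def parse_entry(line):
    """Split one log line into fields; the endpoint is written as dst:dport(sport)."""
    _date, _time, conn, app, rule, path = line.split("|")
    _family, proto, endpoint = conn.split(" ")
    dst, ports = endpoint.rsplit(":", 1)
    dport, sport = ports.rstrip(")").split("(")
    return {"ip": ipaddress.ip_address(dst), "proto": proto, "dport": int(dport),
            "sport": int(sport), "app": app, "rule": rule, "path": path}


def classify(entry, zone_networks):
    """'covered' if the destination is inside the zone, otherwise say why it is not."""
    nets = [ipaddress.ip_network(n, strict=False) for n in zone_networks]
    if any(entry["ip"] in n for n in nets):
        return "covered"
    if entry["ip"] == LIMITED_BROADCAST:
        return "broadcast-not-in-zone"   # needs a 255.255.255.255/32 rule, as the reply suggests
    return "outside-zone"                # zone subnet does not match the LAN actually in use


def audit(lines, zone_networks):
    """Group every logged block as {category: [(app, dst, dport), ...]}."""
    report = {}
    for line in lines:
        e = parse_entry(line)
        report.setdefault(classify(e, zone_networks), []).append((e["app"], str(e["ip"]), e["dport"]))
    return report


def suggested_zone(lines, prefixlen=24):
    """Networks that would cover every logged private destination, plus the limited broadcast.
    Assumes a /24 LAN; adjust prefixlen for other subnet sizes."""
    nets = set()
    for line in lines:
        ip = parse_entry(line)["ip"]
        if ip == LIMITED_BROADCAST:
            nets.add("255.255.255.255/32")
        elif ip.is_private:
            nets.add(str(ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)))
    return sorted(nets)
```

Running `audit(SAMPLE_LOG, ["192.168.43.0/24"])` reproduces the thread's situation (nothing covered, one blocked broadcast, three blocked sweep targets), while `audit(SAMPLE_LOG, ["192.168.1.0/24", "255.255.255.255/32"])` shows every entry covered.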

Re: Wireless Printer issues

Postby DarryDoo » Thu Jan 05, 2012 5:23 am

VistaFirewallControl wrote:
> Dear Darren,
> Could you please verify LanOnly zone for 192.168.1.0/24 rule and send us the screenshot to verify.
> Obviously 192.168.1/24 enabling rule must enable all the in-LAN communication.

[attachment: screenshot2.jpg]


Well! :D

I didn't realize that IP address ranges weren't dynamic!

Root cause: silly me. I installed the software while connected to a different wireless network (tethered vs. home). I'll add the new subnet and test again.


Edit:

[attachment: screenshot3.jpg]


New subnet, changed rules back to LanOnly, success! Thanks a bunch.

I wonder if there's a better way to manage LAN connections? What about making LAN connections always LanOnly irrespective of subnet, and manage unwanted LAN connections via exclusion rules? I'd have to think that when most users are thinking LAN, they're not necessarily thinking of any one specific LAN, but any LAN they might be connected to? I know that I connect to many LANs, in fact to different routed subnets within some LANs, and having to verify that the correct subnet is in the Zone might be tedious.

This means more work from the program: query LAN connections, determine LAN addresses, dynamically create subnet rules, rinse and repeat. But then LAN and WAN rules could be represented simply as additional checkboxes in the Rules dialog boxes...
[attachment: Comme ça.jpg]


My $0.02!

Cheers
Darren

Re: Wireless Printer issues

Postby VistaFirewallControl » Thu Jan 05, 2012 10:07 am

Obviously the enabled 192.168.43/24 LAN includes neither the printer nor the laptop (both are in 192.168.1/24).

> What about making LAN connections always LanOnly irrespective of subnet...
> dynamically create subnet rules, rinse and repeat. But then LAN and WAN rules could be represented simply as additional checkboxes in the Rules dialog boxes...

Unfortunately it won't work at all in general.
Obviously it could help in a (typical) home environment, where the LAN is mostly safe in principle.
However, if you are connected to a public network (airport/cafe/etc. wifi), the LAN is the entire airport, which is definitely not safe. Any exclusion made after the "LAN" connection could be made too late. The default state must be more disabling rather than more enabling. Otherwise the unwanted activity would simply be permitted initially (by default).
Moreover, it would hardly be correct to take the connection media type into account in general.
There is simply no strict way to determine the genuine media type precisely (an autogenerated network adapter name is not a good sign) and, more importantly, there is no common media-type-dependent security policy.
Most probably W7FC will reflect the connection type from the system (home or public) and rearrange the rules automatically. That is more reliable data for making a security-related decision.
Unfortunately the problem gets foggy if you have several concurrent network interfaces up and running.

> in fact to different routed subnets within some LANs, and having to verify that the correct subnet is in the Zone might be tedious.

W7FC offers a better way; please read below.

> I wonder if there's a better way to manage LAN connections?

All LAN-related rules are prefixed with "LAN". Pressing the Settings/LAN button, you can re-gather all network adapters (i.e. all the LANs you are currently connected via), edit the list (exclude unsafe LANs, for instance) and replace all the LAN-prefixed rules (in all the programs and zones) with the new set at once.
So migrating to a new LAN environment mostly takes a single click. Please read the manual for details and do not hesitate to contact us.