
Windows firewall inbound rules does not work.


8 replies to this topic

#1 AcesLight (Members, 12 posts)

Posted 23 October 2014 - 09:01 AM

Hello guys,

 

I'm an I.T. Security student who graduated 1 year ago. I was trying to tweak my Windows Firewall with Advanced Security, but the inbound rule failed to work. I created the following inbound rule:

 

Program : Any

Protocol Type: TCP

Local Port: Any

Remote port: 80, 443

Local IP address: Any

Remote IP address: Any

 

Block the connection

 

What I was trying to do (or at least what I wanted to try to do) was to block any web server from replying to me (sending me the web pages) when my web browser tries to request them. It turns out the rule failed to work. Does anybody know why?




#2 AcesLight (Topic Starter, Members, 12 posts)

Posted 24 October 2014 - 11:09 AM

Erm... any help?



#3 Didier Stevens (BC Advisor, 2,659 posts)

Posted 24 October 2014 - 03:56 PM

Try this as an outbound rule.

 

But be aware that it will block much more than your browser. For example, it will also block Windows Update.


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2018

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#4 AcesLight (Topic Starter, Members, 12 posts)

Posted 25 October 2014 - 12:22 AM

Try this as an outbound rule.

 

But be aware that it will block much more than your browser. For example, it will also block Windows Update.

 

I know it works, but it's weird. I can block my system using outbound but not inbound.



#5 Didier Stevens (BC Advisor, 2,659 posts)

Posted 25 October 2014 - 04:45 AM

Because the firewall is a stateful firewall. http://en.wikipedia.org/wiki/Stateful_firewall

 

The TCP connections for web surfing are initiated by your browser (e.g. your machine), not by the webserver.

These connections are not blocked by your firewall if you configure an inbound rule.

And because it is a stateful firewall, it also allows the inbound packets that are part of the connection that was initiated by the outbound packet.




#6 x64 (Members, 352 posts, London UK)

Posted 27 October 2014 - 05:45 PM

Firewalls consider the direction of a TCP connection to be the direction that it was established in. Once the connection is established, data can flow on it in both directions. In your example, the reply from the web server is not a new TCP connection, hence would not be regarded as an inbound connection.

 

Think back to what happens when a TCP connection is established: SYN, SYN-ACK, ACK. Does that happen for the reply from the web server? No (because it is not a new connection). The connection is established "Outbound" by the requesting program, the request is sent over it and the TCP connection is held open for the reply (and further data transfer in either direction). Yes, packets will flow into your system, containing the reply, but as Didier says, the firewall is expecting the packet (because it matched an outbound rule and therefore is part of a connection that has been legitimately opened).

 

x64
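The behaviour described in the two replies above, reproduced as an added example (not code from the thread or from any of the posters): both of the thread's rules are created with the NetSecurity cmdlets and a browser-style TCP connect is attempted under each. It assumes Windows 8.1 / Server 2012 R2 or later, an elevated PowerShell, and a reachable HTTPS host; the rule names and the test host are made up for the demonstration.

```powershell
# Added example, not from the original thread. Rule names and the test host are assumptions.
# Run elevated on Windows 8.1 / Server 2012 R2 or later (NetSecurity + NetTCPIP modules).
$Target = 'www.example.com'   # assumed test host; any reachable HTTPS site will do

# Rule 1: the original poster's rule. Direction Inbound, remote port 80/443, Block.
# For an inbound rule "remote port" is the *source* port of a connection that the remote
# host initiates toward this machine. A browser session is initiated by this machine,
# so the outbound SYN never matches this rule and the state table admits the reply.
New-NetFirewallRule -DisplayName 'Demo-Block-Web-Inbound' -Direction Inbound `
    -Protocol TCP -RemotePort 80,443 -Action Block -Profile Any | Out-Null

# Expected: TcpTestSucceeded is True; the inbound Block rule has no effect here.
$withInbound = Test-NetConnection -ComputerName $Target -Port 443 -WarningAction SilentlyContinue
"Inbound block rule present  -> TCP connect succeeded: $($withInbound.TcpTestSucceeded)"

# Rule 2: the rule Didier suggested. Same filter, Direction Outbound.
# This matches the SYN the browser sends, so no state-table entry is ever created.
New-NetFirewallRule -DisplayName 'Demo-Block-Web-Outbound' -Direction Outbound `
    -Protocol TCP -RemotePort 80,443 -Action Block -Profile Any | Out-Null

# Expected: TcpTestSucceeded is False. As the thread warns, this also blocks Windows
# Update and every other HTTP(S) client on the machine, not just the browser.
$withOutbound = Test-NetConnection -ComputerName $Target -Port 443 -WarningAction SilentlyContinue
"Outbound block rule present -> TCP connect succeeded: $($withOutbound.TcpTestSucceeded)"

# Remove the demo rules so the machine is left as it was found.
Remove-NetFirewallRule -DisplayName 'Demo-Block-Web-Inbound','Demo-Block-Web-Outbound'
```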



#7 AcesLight (Topic Starter, Members, 12 posts)

Posted 27 October 2014 - 08:29 PM

Thanks for the help. But let's say in another situation, if I'm trying to block a certain server on the internet (say if the computer system got infected by malware), and I'm preventing the malicious server from establishing a TCP connection with my system, will an inbound rule be valid?

#8 Didier Stevens (BC Advisor, 2,659 posts)

Posted 28 October 2014 - 02:09 AM

Thanks for the help. But let's say in another situation, if I'm trying to block a certain server on the internet (say if the computer system got infected by malware), and I'm preventing the malicious server from establishing a TCP connection with my system, will an inbound rule be valid?


Yes, an inbound rule will be valid.

But for the server to create a TCP connection with your machine, your machine has to be listening on a port, and that port also needs to be allowed by the firewall.
And that is very unlikely. So you will not even need an inbound rule, because your firewall is already blocking it (unless you added rules to the firewall to allow it).



#9 x64 (Members, 352 posts, London UK)

Posted 28 October 2014 - 07:37 AM

..... Additionally (at least in the IPv4 world - the internet as we know it today...) most endpoints are behind NAT (on either your home router, the access point that you are connected to, or the organisation's firewall whose network you are on), so your computer would not be able to be directly accessed, unless that device was programmed to forward the port in.

 

Of course if your machine is directly on the internet (very few are) then ensuring that your Windows firewall is locked up tight would be sensible.

 

x64
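The two conditions Didier lists for an unsolicited inbound connection to succeed (a listening port, and an inbound rule that allows it) can be checked on the machine itself. This is an added example, not code from the thread or its posters; it assumes Windows 8.1 / Server 2012 R2 or later, and the helper name Test-PortInFilter is made up here. It deliberately ignores a rule's program, profile, address and interface scope, so it can over-report which ports are reachable; it never under-reports.

```powershell
# Added example, not from the original thread. Helper name is an assumption.
# Run in PowerShell on Windows 8.1 / Server 2012 R2 or later.

# 1. Default inbound action per profile. "Block" means an unsolicited SYN is dropped
#    unless an enabled inbound Allow rule covers the port, so a per-server Block rule
#    adds nothing for ports that are not already opened.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction

# 2. Ports this machine is listening on: the only places an inbound connection can land.
$listening = Get-NetTCPConnection -State Listen |
    Select-Object -ExpandProperty LocalPort -Unique | Sort-Object

# 3. Port filters of every enabled inbound Allow rule that applies to TCP (or any protocol).
$allowed = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -in @('TCP', 'Any') }

# Does a port-filter LocalPort value ("Any", "443", "1024-65535", or an array of these)
# cover the given port? Symbolic values such as "RPC" are treated as not matching.
function Test-PortInFilter([int]$Port, $LocalPort) {
    foreach ($entry in @($LocalPort)) {
        if ($entry -eq 'Any') { return $true }
        if ($entry -match '^(\d+)-(\d+)$') {
            if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        } elseif ($entry -eq "$Port") { return $true }
    }
    return $false
}

# 4. For each listening port, report whether any Allow rule opens it. Scope (program,
#    profile, remote address, interface) is ignored, so "covered" is an upper bound.
foreach ($port in $listening) {
    $hits = @($allowed | Where-Object { Test-PortInFilter -Port $port -LocalPort $_.LocalPort })
    if ($hits.Count -gt 0) {
        "TCP/$port listening -> covered by $($hits.Count) inbound Allow rule(s)"
    } else {
        "TCP/$port listening -> no Allow rule; the default inbound action above decides"
    }
}
```

A port that appears as "no Allow rule" on a profile whose DefaultInboundAction is Block is exactly the case Didier describes: the firewall is already refusing the server's SYN without any extra rule.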