R4D3 Posted March 13, 2015 (edited)

Hey, because the MS Firewall sucks in standard mode, I try to make a better rule set... This set blocks everything that wants to call in or out - if you want to allow a prog to connect to the Internet, you have to allow every file that the prog needs to be connected. Example: Firefox: you have to make a rule for Firefox.exe and PluginContainer.exe first... Opera: you have to allow OperaLauncher and Opera.exe (with every update from Opera you need to reconfig, cause the path has changed...).

What is allowed now? (Call out only) DNS, DHCP, Windows Update, Opera 28

What's forbidden? Everything that's not allowed! Some extra protocols like IGMP, ICMP, and some ports from TCP and UDP get an extra block - so they are forbidden even for allowed progs. - Some program / Windows feature rule sets are disabled in a test mode (means, when you activate them, not all of them are working now - if someone finds the mistakes in the test rules (I think most of them - like feedback - just don't work, cause I need a rule for the Windows online account sign-in) - would be nice if someone can fix it... (I just put in that stuff I know, for Internet connections, - but I don't know very much...)

Before you try and import my rule set - backup yours! - and add rules for your browser, if it is not Opera 28...)

Attachment: R4D3s_FW_Rules.zip

P.S. - I agree that a firewall (packet filter) which asks you when a program wants to connect (like Kerio 2.16 for XP) would be much better - maybe in Windows 2030 we get it.... Edited March 15, 2015 by R4D3
Tripredacus Posted March 13, 2015

Honestly, this is how it should be done.... block everything with exceptions. Firewalls seem to be set as block all incoming but don't block outgoing. I suppose this is to make up for the mass amount of people that don't know how to computer. Of course, most of any infections are because a person clicks on something or goes to a website.
ptd163 Posted August 3, 2015 (edited)

Holy crap. I know it's necessary, but man, talk about going nuclear. Edited August 3, 2015 by ptd163
NoelC Posted August 15, 2015

I've been doing some experimenting in this area. See also: http://www.msfn.org/board/topic/174264-experimenting-with-windows-firewall-to-block-by-default

-Noel
R4D3 (Author) Posted August 24, 2020 (edited)

I did some kind of update and got a bit more understanding over the time... - the new rule set allows HTTPS connections outgoing, and I added a rule to copy for other connections (some updates, even on Windows, do not use HTTPS - without custom additions they will be blocked!) -> The WindowsUpdate rule is still way too open -> I don't get it better... Watch the pics to understand what I understand about it so far.

Attachment: R4D3.wfw Edited August 24, 2020 by R4D3
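The block-by-default policy described in the first post and its 2020 update (HTTPS out for any program, service-scoped DNS/DHCP/Windows Update, extra blocks for ICMP and IGMP), written as an added PowerShell example. This is not R4D3's .wfw ruleset; it assumes Windows 8 or later with the NetSecurity module, an elevated shell, and the browser path and rule-name prefix are placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread: outbound block-by-default with explicit exceptions.
# Placeholders: $Prefix (our own rule names) and $BrowserPath. Check pfirewall.log afterwards
# to discover whatever else your software needs, then add a rule for that program only.

$Prefix      = 'MSFN-BlockAll'                                  # placeholder naming scheme
$BrowserPath = 'C:\Program Files\Mozilla Firefox\firefox.exe'   # placeholder, adjust

# 1. Default action on every profile: block inbound AND outbound, and log dropped packets.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block `
    -LogBlocked True -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# 2. Remove earlier copies of our rules so the script can be re-run.
Get-NetFirewallRule -DisplayName "$Prefix*" -ErrorAction SilentlyContinue | Remove-NetFirewallRule

function Add-AllowRule($Name, $Params) {
    New-NetFirewallRule -DisplayName "$Prefix $Name" -Direction Outbound -Action Allow @Params | Out-Null
}

# 3. Exceptions. A rule with -Service only matches traffic from that service's own svchost instance,
#    which is much tighter than allowing svchost.exe as a program.
Add-AllowRule 'DNS UDP' @{ Protocol = 'UDP'; RemotePort = 53; Service = 'Dnscache' }
Add-AllowRule 'DNS TCP' @{ Protocol = 'TCP'; RemotePort = 53; Service = 'Dnscache' }
Add-AllowRule 'DHCP'    @{ Protocol = 'UDP'; LocalPort = 68; RemotePort = 67; Service = 'Dhcp' }
Add-AllowRule 'NTP'     @{ Protocol = 'UDP'; RemotePort = 123; Service = 'W32Time' }
# Windows Update: the update service plus BITS, on HTTP too, since not all update traffic is HTTPS.
Add-AllowRule 'WU wuauserv' @{ Protocol = 'TCP'; RemotePort = 80, 443; Service = 'wuauserv' }
Add-AllowRule 'WU BITS'     @{ Protocol = 'TCP'; RemotePort = 80, 443; Service = 'BITS' }
# The 2020 variant: HTTPS for any program, so most software needs no rule of its own ...
Add-AllowRule 'HTTPS any program' @{ Protocol = 'TCP'; RemotePort = 443 }
# ... and only the browser additionally gets plain HTTP.
Add-AllowRule 'Browser HTTP' @{ Protocol = 'TCP'; RemotePort = 80; Program = $BrowserPath }

# 4. Block rules take precedence over allow rules in Windows Firewall, so these hold even for
#    programs allowed above. ICMPv6 is deliberately left alone: IPv6 neighbour discovery needs it.
New-NetFirewallRule -DisplayName "$Prefix block ICMPv4" -Direction Outbound -Action Block -Protocol ICMPv4 | Out-Null
New-NetFirewallRule -DisplayName "$Prefix block IGMP"   -Direction Outbound -Action Block -Protocol 2      | Out-Null

# 5. Show what we ended up with.
Get-NetFirewallRule -DisplayName "$Prefix*" | Sort-Object Action | Format-Table DisplayName, Action, Enabled -AutoSize
```

Dropped connections show up in pfirewall.log with the remote port and protocol, which is the quickest way to find the missing exception for a program instead of opening it wide.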
aviv00 Posted August 28, 2020 (edited)

I use Windows Firewall Control. I remove all the rules before the installation, set the filter level to green / medium, disable the rules that I don't need and WFC made, leave DNS / DHCP v4, Firefox and sometimes the time service, connecting back the internet cable. Edited August 28, 2020 by aviv00
R4D3 (Author) Posted August 28, 2020 (edited)

He he, hey... - I used "Windows Firewall Control" too, but I like it more native (I used Kerio 2.x on XP), but since then I try to make my rules better... - now HTTPS outbound is allowed for everything, and only progs that need other ports/protocols need an extra rule -> funny that you post 9 mins ago, cause I was here to share something else. So here we go:

Harden NETSH command (for now, only German script - not finished yet)

Why this: Some programs like Chrome, Firefox, etc. -> hijacking the firewall and adding unwanted rules! (I would prefer an MS inbuilt password protection against it) -> Not sure how it works in general, but if this happens with NETSH - I decided to "harden" this file/command via (I normally don't like them) NTFS permissions. - In this test I only give Admin & System the right to run the command, and remove the others.

REM Harden netsh.exe: Administrators and SYSTEM get full control, Users get read only (no execute).
REM The group names are the German ones; save this file in the console OEM code page (cp850 on a
REM German system), otherwise the umlauts are garbled and icacls cannot resolve the account names.
REM Run elevated. A Windows update that replaces netsh.exe may restore the default permissions, so
REM re-run the script afterwards.
TAKEOWN /F C:\Windows\System32\netsh.exe /A
icacls C:\Windows\System32\netsh.exe /inheritance:r
icacls C:\Windows\System32\netsh.exe /remove "VORDEFINIERT\Benutzer"
icacls C:\Windows\System32\netsh.exe /remove "ALLE ANWENDUNGSPAKETE"
icacls C:\Windows\System32\netsh.exe /remove "ALLE EINGESCHRÄNKTEN ANWENDUNGSPAKETE"
icacls C:\Windows\System32\netsh.exe /remove "NT-AUTORITÄT\SYSTEM"
icacls C:\Windows\System32\netsh.exe /grant VORDEFINIERT\Benutzer:(R)
icacls C:\Windows\System32\netsh.exe /grant NT-AUTORITÄT\SYSTEM:(F)
icacls C:\Windows\System32\netsh.exe /grant VORDEFINIERT\Administratoren:(F)
REM Hand ownership back to TrustedInstaller so the file looks like a normal servicing-owned system file.
icacls C:\Windows\System32\netsh.exe /setowner "NT SERVICE\TrustedInstaller"
REM Same for the 32-bit copy, which 32-bit programs would call.
TAKEOWN /F C:\Windows\SysWOW64\netsh.exe /A
icacls C:\Windows\SysWOW64\netsh.exe /inheritance:r
icacls C:\Windows\SysWOW64\netsh.exe /remove "VORDEFINIERT\Benutzer"
icacls C:\Windows\SysWOW64\netsh.exe /remove "ALLE ANWENDUNGSPAKETE"
icacls C:\Windows\SysWOW64\netsh.exe /remove "ALLE EINGESCHRÄNKTEN ANWENDUNGSPAKETE"
icacls C:\Windows\SysWOW64\netsh.exe /remove "NT-AUTORITÄT\SYSTEM"
icacls C:\Windows\SysWOW64\netsh.exe /grant VORDEFINIERT\Benutzer:(R)
icacls C:\Windows\SysWOW64\netsh.exe /grant NT-AUTORITÄT\SYSTEM:(F)
icacls C:\Windows\SysWOW64\netsh.exe /grant VORDEFINIERT\Administratoren:(F)
icacls C:\Windows\SysWOW64\netsh.exe /setowner "NT SERVICE\TrustedInstaller"
pause

When it's proved, I maybe do an English version too... - I get some unicode/utf problem with the script, - so the German "Ä" is "Ž".

P.S. MS BUG INFO: If you edit firewall rules, DO NOT COPY AND PASTE NAMES, or the console will crash. Edited August 28, 2020 by R4D3
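Locking down netsh.exe stops one path for other programs to add rules; the complementary check is to see which rules were added or changed by something other than you. This added PowerShell example (not from the thread) reads the firewall's own operational event log (2004 rule added, 2005 modified, 2006 deleted) and lists live outbound allow rules that do not carry your naming prefix. $OwnPrefix is a placeholder, and the event data field names (RuleName, ApplicationPath, ModifyingApplication, ModifyingUser) are taken from the 2004 event schema as I know it; fields missing from an event simply show up blank.

```powershell
# Added example: find firewall rules that something other than you created or changed.
# $OwnPrefix is a placeholder for your own rule naming scheme. Field names are assumed from the
# firewall 2004/2005/2006 event schema; unknown fields come back blank rather than failing.

$OwnPrefix = 'MSFN-BlockAll'
$Since     = (Get-Date).AddDays(-30)
$Kind      = @{ 2004 = 'added'; 2005 = 'modified'; 2006 = 'deleted' }

# 1. History: who or what touched the rule set recently, from the firewall operational log.
$filter = @{
    LogName   = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
    Id        = 2004, 2005, 2006
    StartTime = $Since
}
$changes = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $ev = $_
    # EventData is a list of <Data Name="...">value</Data> nodes; flatten it into a hashtable.
    $d = @{}
    ([xml]$ev.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
    [pscustomobject]@{
        Time       = $ev.TimeCreated
        Change     = $Kind[$ev.Id]
        RuleName   = $d['RuleName']
        Program    = $d['ApplicationPath']
        ModifiedBy = $d['ModifyingApplication']   # e.g. netsh.exe, an installer, or the MMC snap-in
        User       = $d['ModifyingUser']
    }
}
"Rule changes since $Since not made under our prefix:"
$changes | Where-Object { $_.RuleName -notlike "$OwnPrefix*" } | Format-Table -AutoSize

# 2. Current state: enabled outbound allow rules that are not ours, with the program they cover.
"Enabled outbound allow rules without our prefix:"
Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
    Where-Object { $_.DisplayName -notlike "$OwnPrefix*" } |
    ForEach-Object {
        $app = $_ | Get-NetFirewallApplicationFilter
        [pscustomobject]@{ Rule = $_.DisplayName; Program = $app.Program; Group = $_.DisplayGroup }
    } | Format-Table -AutoSize
```

Anything in the second list that you did not create yourself is a candidate for Disable-NetFirewallRule, and the first list tells you which process put it there.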
aviv00 Posted August 28, 2020 (edited)

12 hours ago, R4D3 said: "and adding unwanted rules!"

Hey, yes, also Windows adding back, so I use the secure rules option in WFC, it can del them or disable them. Also sometimes I set Firefox only for a normal user to access the internet and run it with a bat file, no need to enter a password using runas and the savecred option. Running as a normal user puts another layer of security. If MS could apply the root idea from Linux here it would save us time and lots of effort. Edited August 28, 2020 by aviv00