MarkFilipak.Windows
Please help me understand how the 2 Inbound Rules created by MMC actually operate.
Action, Enabled, Service, Program, Protocol
Block, Yes, Any, C:\windows\system32\mmc.exe, TCP
Block, Yes, Any, C:\windows\system32\mmc.exe, UDP
If these 2 rules were Outbound Rules, I'd say that client process 'mmc.exe' is blocked.
But applying equivalent logic (that 'mmc.exe' is blocked) to Inbound Rules doesn't make sense -- why would 'mmc.exe' (which created these Rules) block itself?
What (somewhat) makes sense is that 'mmc.exe' is a requester, and that these rules block all TCP & UDP datagrams & all processes.
If so, then there's quite a difference between Outbound & Inbound Rules.
In Outbound Rules, 'Program' specifies the target (the process that's blocked), whereas in Inbound Rules, 'Program' specifies the requester (the process that provokes blocking).
This is crucial reasoning because, if correct, then, as a consequence, every process is the target of Inbound Rules that Block.
What about Inbound Rules that Allow? I've always assumed that an Inbound+Allow means the specified 'Program' installs a listener (i.e., has handler(s) for the specified socket(s)).
I think that's pretty straightforward.
Does anyone know of an architectural reference or guidebook that explains how Firewall Rules are implemented in a running system?
I've read what Microsoft provides and it's grossly inadequate -- what a surprise, eh?
Microsoft documentation presents only trivial explanation of how to complete the fields (example: "Type the path to the program in the text box"), or the tutorial's scope is limited (example: "On the Action page, select Allow the connection, and then click Next" -- no mention of "Block the connection").
Other web hits are just plain wrong (examples: "Program – Block or allow a program"; "Program - creates rule that controls connections for an app or program"; "if you are downloading a file through BitTorrent, the download of that file is filtered through an inbound rule" -- Rules control connections, not streams) or show ridiculous cases (example: "I want to block all outgoing connections on port 80").
A good reference begins each section with a statement of a problem that needs to be overcome.
The reference I seek will not explain how to fill out the dialogs to create a Firewall Rule, but will talk about processes & software (network stack) components and what settings address them.
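As an added illustration (not part of MarkFilipak's post): the Program field of a Windows Firewall rule names the local process that owns the socket in both directions, so in an inbound rule it identifies the process that would receive the connection (the listener), not a requester. The PowerShell below, assuming the NetSecurity module on Windows 8 / Server 2012 or later in an elevated session, reads each enabled inbound Block rule's application and port filters and lists the listening sockets on this host that the rule would actually apply to.

```powershell
# Added example, not from the original post. Assumes Windows 8 / Server 2012 or later
# (NetSecurity module) and an elevated PowerShell session.
# For every enabled, program-scoped inbound Block rule, show the rule's program and
# protocol/port filter, then the listening sockets owned by that program on this host.
# The Program field is matched against the local process that owns the socket, so for
# an inbound rule it is the listener that would receive the connection.

$rules = Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction Stop

foreach ($rule in $rules) {
    $app = $rule | Get-NetFirewallApplicationFilter
    if ($app.Program -eq 'Any') { continue }   # not scoped to a program, skip

    # Expand %SystemRoot% and similar so the path compares against running processes.
    $programPath = [Environment]::ExpandEnvironmentVariables($app.Program)
    $port = $rule | Get-NetFirewallPortFilter

    [pscustomobject]@{
        Rule      = $rule.DisplayName
        Program   = $programPath
        Protocol  = $port.Protocol
        LocalPort = $port.LocalPort
    } | Format-List

    # Processes currently running from that image (Path is empty for some system processes).
    $pids = Get-Process | Where-Object { $_.Path -and $_.Path -ieq $programPath } |
            Select-Object -ExpandProperty Id
    if (-not $pids) { Write-Output "  (no running process from $programPath)"; continue }

    # Listening sockets those processes own: this is what the inbound rule would match.
    if ($port.Protocol -in 'TCP', 'Any') {
        Get-NetTCPConnection -State Listen |
            Where-Object { $_.OwningProcess -in $pids } |
            Select-Object LocalAddress, LocalPort, OwningProcess
    }
    if ($port.Protocol -in 'UDP', 'Any') {
        Get-NetUDPEndpoint |
            Where-Object { $_.OwningProcess -in $pids } |
            Select-Object LocalAddress, LocalPort, OwningProcess
    }
}
```

For the two mmc.exe rules in the post, the output shows a Program of the expanded mmc.exe path with Protocol TCP and UDP respectively, and (unless an MMC instance happens to be listening) no sockets, which is why such rules normally have no visible effect.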