01-02-2008   #4
Jesper

Re: Vista Firewall Issue

You are really setting yourself up for a world of hurt. First, you cannot
block a program from making outbound connections. Any program that wishes to
do so can without your noticing. There is no way, including with third-party
firewalls, to effectively block one program from making outbound connections
as another program running in the same user context. Third-party firewalls
can be set up to notify you when programs that choose not to be stealthy try
to connect outbound, but they cannot stop malicious programs that do so.

Second, when you use that functionality in third-party products you will be
notified incessantly because the programs can use any port they want to
communicate out. The usual response is to disable the notifications for
particular applications, which completely obviates any value in the feature.
Since it provides no security value, the Vista firewall does not include the
notification functionality.

In other words, attempting to block outbound unapproved traffic provides no
additional security whatsoever, but is often used as a selling point by
vendors who either do not understand security, or are trying to make money by
misleading customers. If you want that type of functionality, you need a
third-party firewall from one of those vendors. My advice would be to focus
on things that actually will improve your security instead.

Having now tried to dissuade you from the entire project, the Vista firewall
can be used to create a "block all" rule and permit only certain programs.
More than likely you have a rule that does not permit the program to
communicate on all ports to all ports, for all users. If you configure the
firewall log to log dropped packets you will get log events like this one:

2008-01-02 15:40:00 DROP TCP 1.2.3.4 65.99.255.140 52969 80 0 - 0 0 0 - - - SEND

That will at least tell you what the firewall saw even though it does not
tell you which application made the connection. Notice the source port:
52969. Client apps can use any port they want for the source port, and you
need to permit all 64,000 of them. Might that be what is blocking your
traffic?

There is more information about troubleshooting the Windows Firewall here:
http://technet2.microsoft.com/Window....mspx?mfr=true. It may be useful to you.
---
Your question may already be answered in Windows Vista Security:
http://www.amazon.com/gp/product/047...otectyourwi-20

"Antius" wrote:

> Thanks for your prompt response Jesper, I want to block programs that
> I'm unaware of from making outbound connections since the Vista firewall
> doesn't seem to warn me of these events in real time.
>
> --
> Antius
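The log line Jesper quotes follows the field order the Windows Firewall writes to pfirewall.log (the "#Fields:" header in that file). The parser below is an added example, not part of the post or of any Microsoft tool; it groups dropped outbound packets by destination and lists the source ports seen, which is exactly the check the post suggests when an allow rule was written for a fixed source port. The log text is constructed for the example: the first entry is the line from the post, the others are invented.

```python
"""Summarize DROP entries from a Windows Firewall log (pfirewall.log format).

Added example, not code from the forum post. Field order is assumed from the
"#Fields:" header the Windows Firewall writes; sample lines are constructed.
"""
from collections import defaultdict

# Assumed field order, as written in the pfirewall.log "#Fields:" header.
FIELDS = ("date time action protocol src-ip dst-ip src-port dst-port size "
          "tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path").split()

# Constructed sample log: first entry is the line quoted in the post,
# the rest are invented to show the other cases the parser handles.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2008-01-02 15:40:00 DROP TCP 1.2.3.4 65.99.255.140 52969 80 0 - 0 0 0 - - - SEND
2008-01-02 15:40:03 DROP TCP 1.2.3.4 65.99.255.140 52970 80 0 - 0 0 0 - - - SEND
2008-01-02 15:40:05 DROP UDP 1.2.3.4 1.2.3.1 53212 53 0 - - - - - - - SEND
2008-01-02 15:40:09 DROP TCP 203.0.113.9 1.2.3.4 44122 445 0 - 0 0 0 - - - RECEIVE
2008-01-02 15:40:11 ALLOW TCP 1.2.3.4 198.51.100.7 52971 443 0 - 0 0 0 - - - SEND
"""


def parse_line(line):
    """Return one log entry as a dict, or None for comment/blank/malformed lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None  # truncated line: skip rather than guess at fields
    rec = dict(zip(FIELDS, parts))
    # Ports are "-" for protocols without ports (e.g. ICMP); keep None there.
    for key in ("src-port", "dst-port"):
        rec[key] = int(rec[key]) if rec[key] != "-" else None
    return rec


def parse_log(text):
    """Parse a whole log file's text into a list of entry dicts."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def outbound_drops(records):
    """Dropped packets the local host tried to send (path == SEND)."""
    return [r for r in records if r["action"] == "DROP" and r["path"] == "SEND"]


def summarize(records):
    """Group outbound drops by (protocol, dst-ip, dst-port) and collect the
    source ports used, so a rule that only allows one source port stands out."""
    groups = defaultdict(set)
    for r in outbound_drops(records):
        groups[(r["protocol"], r["dst-ip"], r["dst-port"])].add(r["src-port"])
    return {key: sorted(ports) for key, ports in groups.items()}


def source_port_range(records):
    """(lowest, highest) source port among outbound drops, or None if none."""
    ports = [r["src-port"] for r in outbound_drops(records) if r["src-port"]]
    return (min(ports), max(ports)) if ports else None


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for (proto, dst, port), sports in sorted(summarize(recs).items()):
        print(f"{proto} -> {dst}:{port}  dropped from source ports {sports}")
    print("source port range of outbound drops:", source_port_range(recs))
```

Run it against a real pfirewall.log by replacing SAMPLE_LOG with the file's contents; a destination that keeps appearing with a spread of high source ports is the signature of an allow rule scoped to a single source port rather than to all of them.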