| | #1 (permalink) |
| Guest | Firewall blocks outbound traffic even if outbound rule exists |

Hello,

the Microsoft Vista firewall doesn’t block outbound traffic by default. So all doors are open for keyloggers. Since there is no alternative firewall at this time, I have to use the complicated firewall from Vista. I studied various internet pages to get a handle on the Vista firewall. So I found out that there exists an extended configuration…

In this extended configuration I blocked the outbound traffic and added rules for some programs that I want to allow outgoing traffic on all ports and all profiles. Now those programs can’t access the internet anymore although they’re allowed by rules. A friend of mine did the configuration the same way I did, and he tells me he can access the internet by browser. I don’t know what could be wrong. Does anyone have a hint?

I use Windows Vista Ultimate 64-bit with the private profile.

Here are two pictures that show my extended configuration of the firewall. Sorry that the text in the pictures is in German.

Pic1_Overview: http://img508.imageshack.us/img508/1...verviewwr0.gif
Pic2_Outgoing Rules: http://img508.imageshack.us/img508/6...ngrulesid3.gif

Greetings
Curt
| | #2 (permalink) |
| Guest | RE: Firewall blocks outbound traffic even if outbound rule exists |

> the Microsoft Vista firewall doesn’t block outbound traffic by default.

Incorrect. It does block outbound traffic by default.

> So all doors are open for keyloggers.

Outbound-blocking host-based firewalls cannot block keystroke loggers, so, yes, your statement is accurate, but applies to all platforms and all host-based firewalls.

> I have to use the complicated firewall from Vista.

I can't speak on behalf of Microsoft, but please accept my apologies for their giving you a firewall that actually does a much better job at what a firewall can meaningfully do than any other firewall on the market.

BTW, if you want a much noisier and less useful alternative, OneCare 1.5 runs on Vista. Its firewall is much noisier, much slower, and much more annoying.

> In this extended configuration I blocked the outbound traffic and added
> rules for some programs that I want to allow outgoing traffic on all ports
> and all profiles. Now those programs can’t access the internet anymore
> although they’re allowed by rules.

You need to tell us exactly how your firewall is configured if we are to be able to help you determine what is going on here. More than likely the programs are not identified properly.

> Here are two pictures that show my extended configuration of the firewall.
> Sorry that the text in the pictures is in German.
> Pic1_Overview: http://img508.imageshack.us/img508/1...verviewwr0.gif
> Pic2_Outgoing Rules:
> http://img508.imageshack.us/img508/6...ngrulesid3.gif

Please do not post pictures. Post a configuration script instead.
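One way to check the cause suggested in the reply above (an allow rule that does not identify the program actually running), as an added example that is not from the thread or any of its posters: it parses a rule listing and reports why an outbound allow rule fails to cover a given executable when the outbound default is Block. Assumptions: the layout follows English-locale output of `netsh advfirewall firewall show rule name=all dir=out verbose`; the rule names, paths and the listing itself are constructed.

```python
import ntpath  # Windows path rules, usable on any OS

# Constructed sample in the layout printed (English locale) by:
#   netsh advfirewall firewall show rule name=all dir=out verbose
SAMPLE = r"""
Rule Name:                            Browser (hypothetical)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            Out
Profiles:                             Domain,Private,Public
Program:                              C:\Program Files\Browser\browser.exe
Action:                               Allow

Rule Name:                            Mail (hypothetical)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            Out
Profiles:                             Domain
Program:                              C:\Program Files (x86)\Mail\mail.exe
Action:                               Allow
"""


def parse_rules(text):
    """Turn 'Key: value' blocks into one dict per rule."""
    rules = []
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # first colon only, so C:\ survives
        if not sep:
            continue  # blank lines and the dashed separator
        if key.strip() == "Rule Name":
            rules.append({})
        if rules:
            rules[-1][key.strip()] = value.strip()
    return rules


def _norm(path):
    """Case-insensitive, separator-normalised form of a Windows path."""
    return ntpath.normcase(ntpath.normpath(path))


def explain(rules, exe_path, active_profile):
    """Return (names of allow rules that apply, [(rule, why it does not)])."""
    applies, misses = [], []
    for rule in rules:
        if rule.get("Direction") != "Out" or rule.get("Action") != "Allow":
            continue
        name, prog = rule["Rule Name"], rule.get("Program", "Any")
        profiles = [p.strip() for p in rule.get("Profiles", "").split(",")]
        if prog != "Any" and _norm(prog) != _norm(exe_path):
            # Only report near misses: same file name, different folder.
            if ntpath.basename(_norm(prog)) == ntpath.basename(_norm(exe_path)):
                misses.append((name, "program path differs: " + prog))
        elif rule.get("Enabled") != "Yes":
            misses.append((name, "rule is disabled"))
        elif active_profile not in profiles:
            misses.append((name, "not applied to profile " + active_profile))
        else:
            applies.append(name)
    return applies, misses


if __name__ == "__main__":
    exe = r"C:\Program Files (x86)\Browser\browser.exe"
    print(explain(parse_rules(SAMPLE), exe, "Private"))
```

An empty first list means no allow rule covers the executable, so a Block default drops its traffic even though a rule with the program's name exists.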
| | #3 (permalink) |
| Guest | Re: Firewall blocks outbound traffic even if outbound rule exists |

"Jesper" <Jesper@discussions.microsoft.com> wrote in message news:6C77AFA9-2837-4985-A1E8-E37AC90B1673@microsoft.com...
>> the Microsoft Vista firewall doesn't block outbound traffic by
>> default.
>
> Incorrect. It does block outbound traffic by default.

Actually, the OP was correct. In Vista, outbound connections are set to Allow by default. See
http://technet2.microsoft.com/Window....mspx?mfr=true,
http://www.microsoft.com/technet/com...uy/cg0106.mspx
and others.

Regards,

Dave
| | #4 (permalink) |
| Guest | Re: Firewall blocks outbound traffic even if outbound rule exists |

Nope. The OP was wrong. The Vista firewall by default is set to allow all outbound connections that are not defined to be blocked. By default it blocks outbound connections from many built-in services. This is also all the actual blocking security value you can get out of outbound filters.

"Dave R." wrote:
>
> "Jesper" <Jesper@discussions.microsoft.com> wrote in message
> news:6C77AFA9-2837-4985-A1E8-E37AC90B1673@microsoft.com...
> >> the Microsoft Vista firewall doesn't block outbound traffic by
> >> default.
> >
> > Incorrect. It does block outbound traffic by default.
> >
>
> Actually, the OP was correct. In Vista, outbound connections are set to
> Allow by default. See
> http://technet2.microsoft.com/Window....mspx?mfr=true,
> http://www.microsoft.com/technet/com...uy/cg0106.mspx
> and others.
>
> Regards,
>
> Dave
| | #5 (permalink) |
| Guest | Re: Firewall blocks outbound traffic even if outbound rule exists |

"Jesper" <Jesper@discussions.microsoft.com> wrote in message news:90043A33-EF09-4B12-A878-0D22496C8D48@microsoft.com...
>
> "Dave R." wrote:
>>
>> "Jesper" <Jesper@discussions.microsoft.com> wrote in message
>> news:6C77AFA9-2837-4985-A1E8-E37AC90B1673@microsoft.com...
>> >> the Microsoft Vista firewall doesn't block outbound traffic by
>> >> default.
>> >
>> > Incorrect. It does block outbound traffic by default.
>> >
>>
>> Actually, the OP was correct. In Vista, outbound connections are set
>> to Allow by default. See
>> http://technet2.microsoft.com/Window....mspx?mfr=true,
>> http://www.microsoft.com/technet/com...uy/cg0106.mspx
>> and others.
>>
> Nope. The OP was wrong.

We're starting to split hairs here...

> The Vista firewall by default is set to allow all
> outbound connections that are not defined to be blocked.

I agree with this, and had you clarified it this way initially I wouldn't have disagreed, but the way you responded to the OP made it sound like the default was to block all outbound traffic when this clearly isn't the case.

> By default it blocks outbound connections from many built-in services.

I don't have a Vista machine to look at to confirm, so I'll take your word for it.

> This is also all the actual blocking security value you can get out of
> outbound filters.

Agreed.

Best Regards,

Dave
| | #6 (permalink) |
| Guest | Re: Firewall blocks outbound traffic even if outbound rule exists |

Dave R. wrote:
> "Jesper" <Jesper@discussions.microsoft.com> wrote in message
> news:90043A33-EF09-4B12-A878-0D22496C8D48@microsoft.com...
>> "Dave R." wrote:
>>> "Jesper" <Jesper@discussions.microsoft.com> wrote in message
>>> news:6C77AFA9-2837-4985-A1E8-E37AC90B1673@microsoft.com...
>>>>> the Microsoft Vista firewall doesn't block outbound traffic by
>>>>> default.
>>>> Incorrect. It does block outbound traffic by default.
>>>>
>>> Actually, the OP was correct. In Vista, outbound connections are set
>>> to Allow by default. See
>>> http://technet2.microsoft.com/Window....mspx?mfr=true,
>>> http://www.microsoft.com/technet/com...uy/cg0106.mspx
>>> and others.
>>>
>> Nope. The OP was wrong.
>
> We're starting to split hairs here...
>
>> The Vista firewall by default is set to allow all
>> outbound connections that are not defined to be blocked.
>
> I agree with this, and had you clarified it this way initially I
> wouldn't have disagreed, but the way you responded to the OP made it
> sound like the default was to block all outbound traffic when this
> clearly isn't the case.
>
>> By default it blocks outbound connections from many built-in services.
>
> I don't have a Vista machine to look at to confirm, so I'll take your
> word for it.
>
>> This is also all the actual blocking security value you can get out of
>> outbound filters.
>
> Agreed.
>
> Best Regards,
>
> Dave

This article may provide a bit more insight as to what the firewall actually does or doesn't do:
http://www.computerworld.com/action/...1&pageNumber=1
YMMV

--
norm
| | #7 (permalink) |
| Guest | Re: Firewall blocks outbound traffic even if outbound rule exists |

> > The Vista firewall by default is set to allow all
> > outbound connections that are not defined to be blocked.
>
> I agree with this, and had you clarified it this way initially I
> wouldn't have disagreed, but the way you responded to the OP made it
> sound like the default was to block all outbound traffic when this
> clearly isn't the case.

Yeah, sorry. I'm getting a bit tired of answering that question a thousand times. Especially since most of the questions stem from a bunch of misinformed reporters and self-styled security experts who declared that their version of reality was more correct than what actually is there.
| | #8 (permalink) |
| Guest | Re: Firewall blocks outbound traffic even if outbound rule exists |

> This article may provide a bit more insight as to what the firewall
> actually does or doesn't do:
> http://www.computerworld.com/action/...1&pageNumber=1
> YMMV

That article skirts reality by stating facts, and then stretching them into conclusions that lie somewhere between half-truths, misleading statements, and the type of near-lies that has proven so effective in shaping public policy and selling copies of magazines.

Take this statement:
"In addition, there may be no practical way to use outbound filtering to stop all unwanted outbound connections"

Absolutely true. Except, the author of the article really meant to say that "In addition, there may be no practical way to use outbound filtering in the Windows Vista firewall to stop all unwanted outbound connections, whereas third-party firewalls offer that ability." The original statement is true, and applies to all firewalls. What he meant to say is true too, but only up to the point of the inserted comma.

Likewise misleading is the statement that "every outbound rule allows outbound connections." Yes, that is correct; as long as you consider only the rules you can see in the GUI. If you take into account the rules that you do not see, the ones that actually make a difference but that are only available using WMI calls, it is untrue. Those are the rules that block services, the only thing you can meaningfully restrict from making outbound connections, from doing so. The ones you see in the GUI are there to ensure your computer does not turn into a boat anchor if you block all outbound connections except those that are allowed. By default they make no difference.

Another great statement is: "Making matters worse, there is no way for an individual or IT staffer on his own to create an all-purpose rule that will block malware from making outbound connections."

Shame on Microsoft! How dare they not build that functionality in? I mean, how hard could it possibly be to put in a rule like this:

    if software.intent == malicious then
        block traffic
    else
        allow traffic
    end if

That'd be the simplest thing in the world! The "competing firewalls often use built-in intelligence" to handle that task. All you have to do is discern what the software is actually intent on doing. If the user goes to eBay to buy a legitimate DVD then we would allow the connection, but if they intend to buy a bootleg one we would block it. If the software looks up a hostname for purposes of doing online chatting we would allow it, but if it is looking up a hostname to attack it we block it. Simple!

I have a better idea: let's just not sell Windows Vista to evil people. That way we don't need any firewalls at all!

So, sarcasm aside for a few seconds: yes, the statement is correct, and yet the meaning of it is so amazingly incorrect. In reality, what the competing software is doing is going on patterns; patterns that almost invariably boil down to a software signature that identifies malicious software and attempts to block all known bad things. Now you just have to know all the known bad things and you're home free.

About the only really true part of that article is the comment on the schizophrenic approach taken by the OneCare team, which does provide outbound filtering. It is as noisy, annoying, and meaningless as the outbound filtering provided by all the other vendors.

I'm going to leave now and go move the moon a few degrees because it is shining in my window and annoying me. That should be a simple task, sort of like making outbound filtering stop malware that is already executing on my computer from doing malicious things. While I am at it I think I'll go down to the convenience store on the corner and ask the burglars there to just be nice, sit still, and not steal anything until the Anti-Burglar patrol has an updated set of signatures to detect them.
| | #9 (permalink) |
| Guest | Re: Firewall blocks outbound traffic even if outbound rule exists |

Jesper wrote:
>> This article may provide a bit more insight as to what the firewall
>> actually does or doesn't do:
>> http://www.computerworld.com/action/...1&pageNumber=1
>> YMMV
>
> That article skirts reality by stating facts, and then stretching them into
> conclusions that lie somewhere between half-truths, misleading statements, and
> the type of near-lies that has proven so effective in shaping public policy
> and selling copies of magazines.
>
> Take this statement:
> "In addition, there may be no practical way to use outbound filtering to
> stop all unwanted outbound connections"
>
> Absolutely true. Except, the author of the article really meant to say that
> "In addition, there may be no practical way to use outbound filtering in the
> Windows Vista firewall to stop all unwanted outbound connections, whereas
> third-party firewalls offer that ability." The original statement is true,
> and applies to all firewalls. What he meant to say is true too, but only up
> to the point of the inserted comma.
>
> Likewise misleading is the statement that "every outbound rule allows
> outbound connections." Yes, that is correct; as long as you consider only the
> rules you can see in the GUI. If you take into account the rules that you do
> not see, the ones that actually make a difference but that are only available
> using WMI calls, it is untrue. Those are the rules that block services, the
> only thing you can meaningfully restrict from making outbound connections,
> from doing so. The ones you see in the GUI are there to ensure your computer
> does not turn into a boat anchor if you block all outbound connections except
> those that are allowed. By default they make no difference.
>
> Another great statement is: "Making matters worse, there is no way for an
> individual or IT staffer on his own to create an all-purpose rule that will
> block malware from making outbound connections."
>
> Shame on Microsoft! How dare they not build that functionality in? I mean,
> how hard could it possibly be to put in a rule like this:
>
>     if software.intent == malicious then
>         block traffic
>     else
>         allow traffic
>     end if
>
> That'd be the simplest thing in the world! The "competing firewalls often
> use built-in intelligence" to handle that task. All you have to do is discern
> what the software is actually intent on doing. If the user goes to eBay to
> buy a legitimate DVD then we would allow the connection, but if they intend
> to buy a bootleg one we would block it. If the software looks up a hostname
> for purposes of doing online chatting we would allow it, but if it is looking
> up a hostname to attack it we block it. Simple!
>
> I have a better idea: let's just not sell Windows Vista to evil people. That
> way we don't need any firewalls at all!
>
> So, sarcasm aside for a few seconds: yes, the statement is correct, and yet
> the meaning of it is so amazingly incorrect. In reality, what the competing
> software is doing is going on patterns; patterns that almost invariably boil
> down to a software signature that identifies malicious software and attempts
> to block all known bad things. Now you just have to know all the known bad
> things and you're home free.
>
> About the only really true part of that article is the comment on the
> schizophrenic approach taken by the OneCare team, which does provide outbound
> filtering. It is as noisy, annoying, and meaningless as the outbound
> filtering provided by all the other vendors.
>
> I'm going to leave now and go move the moon a few degrees because it is
> shining in my window and annoying me. That should be a simple task, sort of
> like making outbound filtering stop malware that is already executing on my
> computer from doing malicious things. While I am at it I think I'll go down
> to the convenience store on the corner and ask the burglars there to just be
> nice, sit still, and not steal anything until the Anti-Burglar patrol has an
> updated set of signatures to detect them.

All sarcasm aside, are you saying that other than for appearances, the Vista outbound firewall has no user-controlled functionality that is worth bothering with? If so, then why bother with a user interface at all (meaning the user-enabled rules vs. the default of no rules)? If the user cannot be expected to figure out what is good or bad, then why give him the choice? Are all existing outgoing firewalls prior to the Vista incarnation just smoke and mirrors in the way they provide for user input?

--
norm
| | #10 (permalink) |
| Guest | Re: Firewall blocks outbound traffic even if outbound rule exists |

> All sarcasm aside

What would be the fun in putting all the sarcasm aside? :-) Glad you got that much of it was overly sarcastic though.

> are you saying that other than for appearances, the
> vista outbound firewall has no user controlled functionality that is
> worth bothering with?

No, that is not at all what I am saying. What I am saying is four things:

1) By default, the Windows Vista firewall provides a sane set of rules that are reasonable for many environments. There are many pre-defined rules that have an impact by default. Many (most) services, for instance, are heavily restricted.

2) The functionality provided by the Windows Vista firewall provides simple (relatively speaking) centralized management ability of the types of protection that is meaningful for a host-based firewall to provide. In fact, building a meaningful rule-set that implements host isolation is simpler with the Windows Vista firewall than with any prior product, at least that I have used.

3) Yes, all prior existing outbound filtering host-based firewalls are purely smoke and mirrors. They provide no meaningful protection against arbitrary malicious applications already running on the host. The fundamental infrastructure to do so (integrity labels, User Account Control, and service SIDs) does not exist in operating systems prior to Windows Vista.

4) The popular press has played, and continues to play, a crucial role in steering customer perception away from things that actually help protect people, and toward the smoke and mirrors functionality provided by the after-market firewalls, including OneCare. I do not know why that is, although I am conjecturing that it is because complaining about Microsoft sells magazines, and actually stating that Microsoft did something right gets you branded as a sell-out.

> If so, then why bother with a user interface at
> all (meaning the user enabled rules vs the default of no rules)? If the
> user cannot be expected to figure out what is good or bad, then why give
> him the choice? Are all existing outgoing firewalls prior to the vista
> incarnation just smoke and mirrors in the way they provide for user input?
> --
> norm