Author Topic: What rules should I have for...  (Read 1300 times)
metalforlife
« on: November 12, 2009, 11:30:17 AM »

"svchost.exe" and "system"? And, how to set up svchost.exe so that the undesired services are blocked and the required ones are allowed?
clockwork
« Reply #1 on: November 14, 2009, 06:50:07 AM »

I block everything internet-related for System and svchost. You should do a test run of Windows Update to see whether any questions appear.
And the defense rules you should make for those you will notice when you need them.
Just run your operating system, and when YOU do something and a question is asked about something that fits your action, you can be relatively sure that it's needed.
When YOU don't do something, or the question doesn't fit, be careful about why there's a question.

If you want to get rid of un-needed services, there's a program from the German Chaos Computer Club which disables those services. "...and in most cases a firewall may no longer be necessary".
For all the other cases you have the Comodo firewall running ;)

http://www.dingens.org/index.html.en

Its name is NOT "shut down Windows SERVERS"... that's a strange error on that page. It's about SERVICES.
When you see any problems, just use the program again to undo. I never had a problem with it. I used some other programs, because it's better to have a secure base than to trust a running process too much.

At startup my XP has 9 Windows processes running under "System". The whole process count is 22 (including 2 Comodo, 2 Avira, 2 PunkBuster, 2 graphics card processes) when I ask the task explorer. But THE services are mostly located under "System".
« Last Edit: November 14, 2009, 07:00:15 AM by clockwork »
adioz86
« Reply #2 on: November 14, 2009, 11:23:20 AM »

I would recommend:

"System": everything for it except LAN (192.168.0.1 - 192.168.255.255) Incoming/Outgoing
The same for "Windows Operating System".
LAN is needed if you want to play at a LAN party.

For svchost.exe: Allow Outgoing TCP HTTP (80) and HTTPS (443). If you need the exact IP of the Microsoft server for Windows Update you have to look it up yourself (something like 65.xxx.xxx.xxx).
Allow Outgoing UDP NTP (123) for time synchronisation.
Allow LAN like above.
Allow DNS Resolve: Outgoing UDP Port 53.

I would recommend removing the default ruleset for "Windows Update Application" or something like that.
« Last Edit: November 14, 2009, 11:31:19 AM by adioz86 »

Intel Core 2 Quad Q9550 [at]3,4Ghz, Scythe Mugen 2 Cooler, Gigabyte EP45-DS3LR, Kingston HyperX 2*2GB 1066Mhz, ATI HD 4890
metalforlife
« Reply #3 on: November 19, 2009, 04:26:18 AM »

adioz86, I presume you mean that I should remove svchost.exe from the "Windows Updater Applications" file group, and instead add it to "Network Security Policy" separately.

For the LAN rules for all the three, what do you mean by "play on LAN Party"? And, how do I add Windows Operating System as a separate application?
adioz86
« Reply #4 on: November 19, 2009, 05:17:24 AM »

"Play at a LAN party" just means that in a LAN you only have to allow the apps (game.exe) which want to connect to the LAN. That was the problem at my LAN party, and with these settings for the three it works. I just had to allow the game.exe.

You can add Windows Operating System: Network Security Policy -> Add -> Choose active process -> and at the top there should be Windows Operating System.

You should leave svchost.exe in the Windows Updater Applications group of Defense+. But with default settings there is an entry with "Windows Updater" or something like that in Network Security Policy. This rule should be removed.
metalforlife
« Reply #5 on: November 19, 2009, 01:43:37 PM »

Nope, I do not play LAN games. Would the rule for the LAN be necessary now?
adioz86
« Reply #6 on: November 19, 2009, 04:05:03 PM »

No, then you don't need them.

I would recommend:
"System": everything for it except LAN (192.168.0.1 - 192.168.255.255) Incoming /Outgoing
The same for "Windows Operating System".
LAN is needed if you want to play on LAN Party.
I meant block everything except LAN. So you can block everything for System and Windows Operating System. I would not recommend logging blocked actions, because your firewall log would grow really fast.
clockwork
« Reply #7 on: November 19, 2009, 05:41:13 PM »

I definitely would suggest logging blocked things!
How else should you know why something doesn't work?
The best chance you have is when you start something, but it doesn't work, and then you see in the log, "hey, it was blocked".

Who cares if a log becomes big? After 2 MB it will be erased by default.

For me it's always "block and log".
metalforlife
« Reply #8 on: November 19, 2009, 06:01:27 PM »

No, then you don't need them.
I meant block everything except LAN. So you can block everything for System and Windows Operating System. I would not recommend logging blocked actions, because your firewall log would grow really fast.

So that is "allow" incoming and outgoing for LAN, and block everything else?

I definitely would suggest logging blocked things!
How else should you know why something doesn't work?
The best chance you have is when you start something, but it doesn't work, and then you see in the log, "hey, it was blocked".

Who cares if a log becomes big? After 2 MB it will be erased by default.

For me it's always "block and log".

I get 20-30 alerts every minute on average. I don't want to stop logging just to see a neat events window, but I want the logging to decrease as I configure the firewall better. I haven't gotten around to it as of yet, and as I keep learning more and more, I'll configure it as I want and for fewer alerts.
adioz86
« Reply #9 on: November 20, 2009, 07:12:33 AM »

So that is "allow" incoming and outgoing for LAN, and block everything else?
That's right.

I get 20-30 alerts every minute on average. I don't want to stop logging just to see a neat events window, but I want the logging to decrease as I configure the firewall better. I haven't gotten around to it as of yet, and as I keep learning more and more, I'll configure it as I want and for fewer alerts.

Then I recommend, if you are not in a LAN, to block 137-139 and 445, and just block and log everything else.
metalforlife
« Reply #10 on: November 20, 2009, 04:10:39 PM »

I'll do that, thanks.
shadowRider
« Reply #11 on: November 20, 2009, 07:37:21 PM »

Are you guys able to see the Network Map under the Windows Network & Sharing tab? I have allowed all communication for my LAN addresses 192.168.1.1 through 192.168.1.110 via the general rules, and Windows is not able to see or access the other computers or printers, even though I can access the printer and router via Internet Explorer.
adioz86
« Reply #12 on: November 21, 2009, 07:19:01 AM »

Which operating system do you have?

It looks like something is being blocked by a firewall or the OS. Look at your firewall logs.
If you can access them via IE, then it should be possible to access them via Windows.
metalforlife
« Reply #13 on: November 24, 2009, 08:54:47 AM »

Hello adioz86, for the outgoing rules for svchost.exe to work, do I have to add anything ("incoming") to Global Rules?

For ports 67 and 68 (DHCP), in the beginning, I used to see lots of log entries that showed blocked-incoming for svchost.exe. Afterward svchost.exe stopped receiving anything for ports 67 and 68, and I started seeing connections through the ports 67 and 68 for System and Windows Operating System being blocked. Now it is only Windows Operating System that receives anything through those two ports, all of which are blocked by the firewall.

How should I configure these three applications for ports 67 and 68?

For all the rules for svchost.exe, System and Windows Operating System do I have to add corresponding rules to Global Rules?

Edit: My Stealth Ports Wizard setting is "Block all incoming connections - (the "dash" is missing from the interface; probably a bug.) stealth my ports to everyone".
« Last Edit: November 24, 2009, 10:00:17 AM by metalforlife »
adioz86
« Reply #14 on: November 24, 2009, 11:25:46 AM »

I have never used the Stealth Ports Wizard, and never had a problem with it (it logs too much). I configure that for each app.

I have just allowed Outgoing UDP remote port 67 for svchost.exe and the other connections already mentioned in a post.
For System and Windows Operating System I have just a block rule on my laptop, without logging, because I don't use it for LAN.
Everything works fine with it.

By default I would always deny incoming traffic.
If your computer accesses the internet, it always does it with an outgoing connection.
Only for file sharing and torrent clients is incoming traffic needed.
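The rulesets recommended in Replies #2, #6, #9 and #14 (svchost.exe allowed out on TCP 80/443 and UDP 53/123/67, System and Windows Operating System allowed only for the LAN, NetBIOS/SMB ports 137-139 and 445 blocked in Global Rules, everything else blocked and logged), as an added example that is not part of this thread and is not Comodo's code: a small Python evaluator that applies those rules top-down, first match wins, to a handful of constructed connection events. It assumes the order CIS's help gives, application rules before Global Rules for outgoing traffic and Global Rules before application rules for incoming traffic, with a block in either ruleset winning; it also assumes connections are tracked statefully, so the reply to an allowed outgoing connection is not a separate incoming event, which is why no incoming Global Rule would be needed for svchost.exe's outgoing rules (the question in Reply #13). The event list, the 65.55.0.1 update address and the 203.0.113.x / 198.51.100.x remote addresses are constructed, not captured.

```python
"""
Added example (not from this thread, not Comodo's code): the per-application
rules recommended above for svchost.exe, System and Windows Operating System,
plus the NetBIOS/SMB Global Rules block from Reply #9, as a first-match rule
evaluator run over constructed connection events. Only rule ordering is
modelled; nothing here talks to CIS.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# The 192.168.0.1 - 192.168.255.255 "LAN" range used in Reply #2.
LAN = "192.168.0.0/16"


@dataclass(frozen=True)
class Conn:
    """One connection attempt, as a firewall log line would record it."""
    app: str         # image name: "svchost.exe", "System", "Windows Operating System", ...
    direction: str   # "out" = initiated by this host, "in" = initiated by the remote host
    proto: str       # "tcp" or "udp"
    remote_ip: str
    dst_port: int    # remote port for "out", local (listening) port for "in"


@dataclass(frozen=True)
class Rule:
    """One line of a Comodo-style ruleset. None means 'any'. Top-down, first match wins."""
    action: str                       # "allow" or "block"
    direction: Optional[str] = None
    proto: Optional[str] = None
    remote_net: Optional[str] = None  # CIDR
    dst_port: Optional[int] = None
    log: bool = False

    def matches(self, c: Conn) -> bool:
        return ((self.direction is None or self.direction == c.direction)
                and (self.proto is None or self.proto == c.proto)
                and (self.remote_net is None
                     or ip_address(c.remote_ip) in ip_network(self.remote_net))
                and (self.dst_port is None or self.dst_port == c.dst_port))


def first_match(rules: List[Rule], c: Conn) -> Optional[Rule]:
    return next((r for r in rules if r.matches(c)), None)


# Application rules from Replies #2, #6, #9 and #14 (one policy per image name).
APP_RULES = {
    "svchost.exe": [
        Rule("allow", "out", "tcp", dst_port=80),    # HTTP  (Windows Update)
        Rule("allow", "out", "tcp", dst_port=443),   # HTTPS (Windows Update)
        Rule("allow", "out", "udp", dst_port=123),   # NTP time sync
        Rule("allow", "out", "udp", dst_port=53),    # DNS resolve
        Rule("allow", "out", "udp", dst_port=67),    # DHCP client -> server (Reply #14)
        Rule("allow", remote_net=LAN),               # LAN in/out (drop this if not on a LAN)
        Rule("block", log=True),                     # everything else: block and log
    ],
    "System": [Rule("allow", remote_net=LAN), Rule("block", log=True)],
    "Windows Operating System": [Rule("allow", remote_net=LAN), Rule("block", log=True)],
}

# Global Rules: NetBIOS/SMB (137-139, 445) blocked both ways, as in Reply #9.
# Anything not matched here falls through; Global Rules have no implicit block.
GLOBAL_RULES = [Rule("block", proto=p, dst_port=port, log=True)
                for port in (137, 138, 139, 445) for p in ("tcp", "udp")]


def decide(c: Conn) -> Tuple[str, bool, str]:
    """Return (action, logged, which_ruleset_decided).

    Order assumed from CIS's help (a simplification of the real engine):
    outgoing traffic is checked against the application's rules first, then
    Global Rules; incoming traffic against Global Rules first, then the
    application's rules. A block in either ruleset wins. Rules are matched per
    connection, not per packet: replies to an allowed outgoing connection are
    part of that connection (stateful behaviour assumed), so no incoming
    Global Rule is needed for svchost.exe's outgoing rules.
    """
    app_rules = APP_RULES.get(c.app, [])
    order = ([("app", app_rules), ("global", GLOBAL_RULES)] if c.direction == "out"
             else [("global", GLOBAL_RULES), ("app", app_rules)])
    allowed_by = None
    for source, rules in order:
        r = first_match(rules, c)
        if r is None:
            continue
        if r.action == "block":
            return "block", r.log, source
        allowed_by = allowed_by or source
    if allowed_by:
        return "allow", False, allowed_by
    # No rule anywhere matched: CIS would raise an alert and ask the user.
    return "alert", False, "none"


# Constructed events. 65.55.0.1 stands in for whatever Windows Update resolves to
# (Reply #2's "65.xxx.xxx.xxx"); 203.0.113.x / 198.51.100.x are documentation ranges.
SAMPLE_EVENTS = [
    Conn("svchost.exe", "out", "tcp", "65.55.0.1", 443),            # Windows Update
    Conn("svchost.exe", "out", "udp", "192.168.0.1", 53),           # DNS to the router
    Conn("svchost.exe", "out", "udp", "255.255.255.255", 67),       # DHCP discover
    Conn("Windows Operating System", "in", "udp", "10.0.0.1", 68),  # DHCP offer, non-LAN server
    Conn("svchost.exe", "out", "tcp", "203.0.113.5", 25),           # svchost talking SMTP: not on the list
    Conn("System", "in", "tcp", "198.51.100.7", 445),               # SMB probe from the internet
    Conn("System", "in", "tcp", "192.168.0.20", 445),               # SMB from a LAN host
    Conn("explorer.exe", "out", "tcp", "203.0.113.5", 80),          # application with no ruleset yet
]


def evaluate(events: List[Conn]) -> List[Tuple[Conn, str, bool, str]]:
    return [(c, *decide(c)) for c in events]


def logged_blocks(events: List[Conn]) -> int:
    """Entries the firewall log would gain: the number the OP is trying to drive down."""
    return sum(1 for _, action, log, _ in evaluate(events) if action == "block" and log)


if __name__ == "__main__":
    for c, action, log, src in evaluate(SAMPLE_EVENTS):
        print(f"{c.app:26} {c.direction:3} {c.proto} {c.remote_ip:16}:{c.dst_port:<5} "
              f"-> {action:5} [{src}]{' logged' if log else ''}")
    print("log entries:", logged_blocks(SAMPLE_EVENTS))
```

Two of the constructed events show the points the thread turns on. The LAN host probing port 445 is blocked by the Global Rule even though System's own rules allow the LAN, which is the caveat behind "if you are not in a LAN" in Reply #9. The explorer.exe event comes back as an alert rather than a block, because an application with no ruleset at all is not the same as one with a "block everything else" rule at the bottom; giving each application its own ruleset is what brings the alert count in Reply #8 down.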