Topic: What rules should I have for... (Read 2035 times)
metalforlife
« on: November 12, 2009, 11:30:17 AM »

"svchost.exe" and "system"? And, how to setup svchost.exe so that the undesired services are blocked, and  the required ones are allowed?
adioz86
« Reply #1 on: November 14, 2009, 11:23:20 AM »

I would recommend:

"System": everything for it except LAN (192.168.0.1 - 192.168.255.255) Incoming/Outgoing.
The same for "Windows Operating System".
LAN is needed if you want to play at a LAN party.

For svchost.exe: Allow Outgoing TCP HTTP (80) and HTTPS (443). If you need the exact IP of the Microsoft server for Windows Update, you have to look it up yourself (something like 65.xxx.xxx.xxx).
Allow Outgoing UDP NTP (123) for time synchronisation.
Allow LAN like above.
Allow DNS resolution: Outgoing UDP port 53.

I would recommend removing the default ruleset for "Windows Update Application" or something like that.
« Last Edit: November 14, 2009, 11:31:19 AM by adioz86 »

Intel Core 2 Quad Q9550 2.83GHz C1-Stepping [at]3.83GHz (8,5 *451MHz), Scythe Mugen 2 Cooler, Asus Rampage Formula X48, Kingston HyperX 2*2GB 1066Mhz [at]902Mhz, Sapphire HD 4890,PoV GTS 250, Antec Three Hundred, Dual Boot Win7 x64 and WinXP Pro x86 for 16bit programs
metalforlife
« Reply #2 on: November 19, 2009, 04:26:18 AM »

adioz86, I presume you mean that I should remove svchost.exe from the "Windows Updater Applications" file group, and instead add it to "Network Security Policy" separately.

For the LAN rules for all three, what do you mean by "play at a LAN party"? And how do I add Windows Operating System as a separate application?
adioz86
« Reply #3 on: November 19, 2009, 05:17:24 AM »

"play on LAn PArty" just mean, that you have in a LAN just to allow the apps(game.exe), which want to connect the LAN. That was the problem at my LAN party, and with this settings for the three it works then. Just had to allow the game.exe.

You can add Windows Operation System: Network Security Policies->add->choose acive Process->and on top there shoudl be Windows Operation System.

You should let svchost.exe in Windows Updater application group of Defense+. But with default settings there has been an entry with "Windows Updater" or something like that in Network security policies. This rule should be removed.
metalforlife
« Reply #4 on: November 19, 2009, 01:43:37 PM »

Nope, I do not play LAN games. Would the rule for the LAN be necessary now?
adioz86
« Reply #5 on: November 19, 2009, 04:05:03 PM »

No, then you don't need them.

> I would recommend:
> "System": everything for it except LAN (192.168.0.1 - 192.168.255.255) Incoming/Outgoing.
> The same for "Windows Operating System".
> LAN is needed if you want to play at a LAN party.

I meant block everything except LAN. So you can block everything for System and Windows Operating System. I would not recommend logging blocked actions, because your firewall log would grow really fast.
metalforlife
« Reply #6 on: November 19, 2009, 06:01:27 PM »

> No, then you don't need them.
> I meant block everything except LAN. So you can block everything for System and Windows Operating System. I would not recommend logging blocked actions, because your firewall log would grow really fast.

So that is "allow" incoming and outgoing for LAN, and block everything else?

> I definitely would suggest logging blocked things!
> How should you know otherwise why something doesn't work?
> The best chance you have is when you start something, but it doesn't work, and then you see in the log, "hey, it was blocked".
>
> Who cares if a log becomes big? After 2 MB it will be erased by default.
>
> For me it's always "block and log".

I get 20-30 alerts every minute on average. I don't want to stop logging just to see a neat events window, but I want the logging to decrease as I configure the firewall better. I haven't gotten around to it as of yet, and as I keep learning more and more, I'll configure it as I want and for fewer alerts.
adioz86
« Reply #7 on: November 20, 2009, 07:12:33 AM »

> So that is "allow" incoming and outgoing for LAN, and block everything else?

That's right.

> I get 20-30 alerts every minute on average. I don't want to stop logging just to see a neat events window, but I want the logging to decrease as I configure the firewall better. I haven't gotten around to it as of yet, and as I keep learning more and more, I'll configure it as I want and for fewer alerts.

Then I recommend, if you are not in a LAN, that you block 137-139 and 445, and just block and log everything else.
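The logging debate in replies #6 and #7 comes down to one question: which blocked events are noise you should stop logging, and which point at a rule you still need to add. Below is an added example (not code from anyone in this thread, and not a CIS feature) of the triage a practitioner would script over such a log: it infers direction from which end is the local address, aggregates blocked events by application and service port, and maps each aggregate to the advice given above (block NetBIOS/SMB 137-139/445 silently, add Allow rules for DNS/NTP/HTTP/HTTPS/DHCP, leave the rest blocked and logged). The log lines, their pipe-separated layout, and the local address 192.168.1.20 are constructed for this example; a real CIS export would need its own parser.

```python
"""Triage of blocked firewall events: what to allow, what to stop logging.
Added example; the log format below is constructed, not a CIS export."""
import ipaddress
from collections import Counter
from typing import List, NamedTuple, Tuple

# Constructed sample. Columns: timestamp | application | action | protocol |
# source IP | source port | destination IP | destination port. Local host is
# 192.168.1.20; 124.123.15.255 is the ISP-side broadcast address from the
# thread; the other non-LAN addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2009-11-20 07:01:02 | svchost.exe | Blocked | UDP | 192.168.1.20 | 137 | 124.123.15.255 | 137
2009-11-20 07:01:03 | svchost.exe | Blocked | UDP | 192.168.1.20 | 138 | 124.123.15.255 | 138
2009-11-20 07:01:04 | System | Blocked | TCP | 192.168.1.33 | 49152 | 192.168.1.20 | 445
2009-11-20 07:01:05 | Windows Operating System | Blocked | UDP | 192.168.1.1 | 67 | 192.168.1.20 | 68
2009-11-20 07:01:06 | svchost.exe | Blocked | UDP | 192.168.1.20 | 51234 | 198.51.100.10 | 53
2009-11-20 07:01:07 | svchost.exe | Blocked | UDP | 192.168.1.20 | 137 | 124.123.15.255 | 137
2009-11-20 07:01:08 | svchost.exe | Allowed | TCP | 192.168.1.20 | 51235 | 203.0.113.5 | 443
2009-11-20 07:01:09 | svchost.exe | Blocked | UDP | 192.168.1.20 | 123 | 203.0.113.7 | 123
2009-11-20 07:01:10 | svchost.exe | Blocked | UDP | 192.168.1.20 | 68 | 255.255.255.255 | 67
"""

class Event(NamedTuple):
    app: str
    action: str
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

Key = Tuple[str, str, str, int, bool]   # (app, direction, proto, service port, peer on LAN)

NOISY = frozenset({137, 138, 139, 445})  # NetBIOS/SMB: block, do not log
SERVICE_OUT = {53: "DNS", 67: "DHCP", 80: "HTTP", 123: "NTP", 443: "HTTPS"}

def parse_log(text: str) -> List[Event]:
    """Parse the constructed pipe-separated format; reject malformed lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 8:
            raise ValueError(f"unexpected column count in {line!r}")
        _ts, app, action, proto, sip, sport, dip, dport = fields
        events.append(Event(app, action, proto, sip, int(sport), dip, int(dport)))
    return events

def summarize(events: List[Event], local_ip: str,
              lan: ipaddress.IPv4Network = ipaddress.ip_network("192.168.0.0/16")) -> Counter:
    """Aggregate blocked events. Direction comes from which end is the local
    address; the service port is always the destination port (the remote
    port when outbound, our listening port when inbound)."""
    counts: Counter = Counter()
    for ev in events:
        if ev.action != "Blocked":
            continue
        outbound = ev.src_ip == local_ip
        peer = ev.dst_ip if outbound else ev.src_ip
        on_lan = ipaddress.ip_address(peer) in lan
        counts[(ev.app, "Out" if outbound else "In", ev.proto, ev.dst_port, on_lan)] += 1
    return counts

def advise(counts: Counter) -> List[Tuple[Key, int, str]]:
    """Turn each aggregate into the rule change the thread's advice implies,
    noisiest first."""
    result = []
    for key, n in counts.most_common():
        app, direction, proto, port, on_lan = key
        if port in NOISY:
            advice = "Block without logging (NetBIOS/SMB noise)"
        elif direction == "Out" and port in SERVICE_OUT:
            advice = f"Allow Out {proto} remote port {port} ({SERVICE_OUT[port]})"
        elif direction == "In" and proto == "UDP" and port == 68:
            advice = "DHCP reply to the client port: allow it if this host uses DHCP"
        elif on_lan:
            advice = "LAN peer: allow only if you use LAN services"
        else:
            advice = "keep blocked and logged; revisit if something stops working"
        result.append((key, n, advice))
    return result

if __name__ == "__main__":
    for key, n, advice in advise(summarize(parse_log(SAMPLE_LOG), "192.168.1.20")):
        print(f"{n:3}x {key}: {advice}")
```

Run it and the two NetBIOS broadcasts to the ISP range come out on top as "block without logging", while the single blocked DNS, NTP and DHCP attempts each map to one Allow rule for svchost.exe; that is the loop metalforlife describes, with the alert rate falling as each rule is added. The Allowed line is deliberately ignored, since only blocks tell you what is missing.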
metalforlife
« Reply #8 on: November 20, 2009, 04:10:39 PM »

I'll do that, thanks.
shadowRider
« Reply #9 on: November 20, 2009, 07:37:21 PM »

Are you guys able to see the Network Map under the Windows Network & Sharing tab? I have allowed all communication for my LAN addresses 192.168.1.1 through 192.168.1.110 via the general rules, and Windows is not able to see or access the other computers or printers, even though I can access the printer and router via Internet Explorer.
adioz86
« Reply #10 on: November 21, 2009, 07:19:01 AM »

Which operating system do you have?

It looks like something is being blocked by a firewall or the OS. Look at your firewall logs.
If you can access them via IE, then it should be possible to access them via Windows.
metalforlife
« Reply #11 on: November 24, 2009, 08:54:47 AM »

Hello adioz86, for the outgoing rules for svchost.exe to work, do I have to add anything ("incoming") to Global Rules?

For ports 67 and 68 (DHCP), in the beginning I used to see lots of log entries that showed blocked incoming for svchost.exe. Afterwards svchost.exe stopped receiving anything on ports 67 and 68, and I started seeing connections through ports 67 and 68 for System and Windows Operating System being blocked. Now it is only Windows Operating System that receives anything through those two ports, all of which is blocked by the firewall.

How should I configure these three applications for ports 67 and 68?

For all the rules for svchost.exe, System and Windows Operating System do I have to add corresponding rules to Global Rules?

Edit: My Stealth Ports Wizard setting is "Block all incoming connections - (the "dash" is missing from the interface; probably a bug.) stealth my ports to everyone".
« Last Edit: November 24, 2009, 10:00:17 AM by metalforlife »
adioz86
« Reply #12 on: November 24, 2009, 11:25:46 AM »

I have never used the Stealth Ports Wizard, and never had a problem with it (it logs too much). I configure that for each app.

I have just allowed Outgoing UDP remote port 67 for svchost.exe and the other connections already mentioned in a post.
For System and Windows Operating System I have just a block rule on my laptop, without logging, because I don't use it for LAN.
Everything works fine with it.

By default I would always deny incoming traffic.
If your computer accesses the internet, it always does so with an outgoing connection.
Only for file sharing and torrent clients is incoming traffic needed.
metalforlife
« Reply #13 on: November 24, 2009, 02:11:29 PM »

I am almost done, thanks. Just one more time, if you can tell me what rules I should have for System and Windows Operating System....

To give you more info, I have attached images. Take into consideration that I am on a LAN.
adioz86
« Reply #14 on: November 25, 2009, 12:11:23 PM »

Okay, for Windows Operating System: block all except incoming/outgoing LAN (192.168.0.1-192.168.255.255).
If you want to log actions, then I would prefer not to log ports 137-139, because your log would otherwise grow without it having any benefit for you.
The blocked connections to 137 and 138 are NetBIOS traffic to your internet provider, I think (http://ip-address-lookup-v4.com/lookup.php?ip=124.123.15.255).
The blocked connection to 67 should be DHCP for getting an IP. I would allow that traffic if you do not get connected to the internet.
So for System you just need the LAN connection and nothing more.
« Last Edit: November 25, 2009, 12:13:27 PM by adioz86 »
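The rule sets the thread converges on for svchost.exe, System and Windows Operating System (replies #1, #5, #7, #12 and #14), modelled as an ordered first-match policy so the interactions can be checked rather than guessed at. This is an added example, not CIS's code or its policy format: the Rule/Conn data model, the "Ask" result for a connection no rule matches, and the assumption that the answer to an allowed outbound UDP flow (a DNS reply to svchost.exe) rides on that flow rather than being judged as a separate inbound connection are this example's own. Two things it shows that the posts only state: a DHCP offer from a 192.168.x.x router reaches Windows Operating System only through the LAN allow rule, so the "block everything" variant adioz86 uses on his laptop blocks it (the case his last reply warns about); and in a first-match list an Allow placed after the catch-all Block can never fire, which `unreachable()` flags. The sample connections use RFC 5737 documentation addresses plus the 124.123.15.255 broadcast target from the thread.

```python
"""Ordered, first-match model of the per-application rules this thread converges
on. Added example: the Rule/Conn model is this example's own, not CIS's format."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

LAN = ipaddress.ip_network("192.168.0.0/16")   # LAN range used in the thread
NETBIOS_SMB = frozenset({137, 138, 139, 445})  # noisy ports: block, do not log

@dataclass(frozen=True)
class Rule:
    action: str                                      # "Allow" or "Block"
    direction: str                                   # "In", "Out" or "In/Out"
    proto: str                                       # "TCP", "UDP" or "IP" (any)
    remote: Optional[ipaddress.IPv4Network] = None   # None = any remote address
    remote_ports: Optional[FrozenSet[int]] = None    # None = any remote port
    local_ports: Optional[FrozenSet[int]] = None     # None = any local port
    log: bool = False
    note: str = ""

@dataclass(frozen=True)
class Conn:
    app: str
    direction: str        # "In" or "Out"
    proto: str
    remote_ip: str
    remote_port: int
    local_port: int

def matches(rule: Rule, c: Conn) -> bool:
    return (rule.direction in ("In/Out", c.direction)
            and rule.proto in ("IP", c.proto)
            and (rule.remote is None or ipaddress.ip_address(c.remote_ip) in rule.remote)
            and (rule.remote_ports is None or c.remote_port in rule.remote_ports)
            and (rule.local_ports is None or c.local_port in rule.local_ports))

def evaluate(policy: Dict[str, List[Rule]], c: Conn) -> Tuple[str, bool, str]:
    """First matching rule wins. CIS would raise an alert when nothing matches;
    the model returns "Ask" so that such gaps stay visible."""
    for rule in policy.get(c.app, []):
        if matches(rule, c):
            return rule.action, rule.log, rule.note
    return "Ask", False, "no rule matched"

def unreachable(rules: List[Rule]) -> List[int]:
    """Indices of rules placed after a catch-all; first-match means they never fire."""
    for i, r in enumerate(rules):
        if (r.direction == "In/Out" and r.proto == "IP" and r.remote is None
                and r.remote_ports is None and r.local_ports is None):
            return list(range(i + 1, len(rules)))
    return []

def block_tail() -> List[Rule]:
    """Shared ending: drop NetBIOS/SMB silently, then block and log the rest."""
    return [
        Rule("Block", "In", "IP", local_ports=NETBIOS_SMB, note="NetBIOS/SMB in, unlogged"),
        Rule("Block", "Out", "IP", remote_ports=NETBIOS_SMB, note="NetBIOS/SMB out, unlogged"),
        Rule("Block", "In/Out", "IP", log=True, note="everything else, logged"),
    ]

def system_rules(on_lan: bool) -> List[Rule]:
    """System and Windows Operating System: LAN only if on a LAN, else block all."""
    head = [Rule("Allow", "In/Out", "IP", remote=LAN, note="LAN")] if on_lan else []
    return head + block_tail()

def build_policy(on_lan: bool) -> Dict[str, List[Rule]]:
    svchost = [
        Rule("Allow", "Out", "TCP", remote_ports=frozenset({80, 443}), note="HTTP/HTTPS, Windows Update"),
        Rule("Allow", "Out", "UDP", remote_ports=frozenset({53}), note="DNS"),
        Rule("Allow", "Out", "UDP", remote_ports=frozenset({123}), note="NTP"),
        Rule("Allow", "Out", "UDP", remote_ports=frozenset({67}), local_ports=frozenset({68}), note="DHCP client"),
    ]
    return {"svchost.exe": svchost + block_tail(),
            "System": system_rules(on_lan),
            "Windows Operating System": system_rules(on_lan)}

# Constructed connection attempts. 124.123.15.255 is the ISP-side NetBIOS
# broadcast target mentioned in the thread; the other non-LAN addresses are
# RFC 5737 documentation ranges.
SAMPLE = [
    Conn("svchost.exe", "Out", "TCP", "203.0.113.5", 443, 51235),     # Windows Update
    Conn("svchost.exe", "Out", "UDP", "198.51.100.10", 53, 51234),    # DNS query
    Conn("svchost.exe", "Out", "UDP", "255.255.255.255", 67, 68),     # DHCP discover
    Conn("svchost.exe", "Out", "UDP", "124.123.15.255", 137, 137),    # NetBIOS name broadcast
    Conn("svchost.exe", "In", "TCP", "203.0.113.9", 4444, 3389),      # unsolicited RDP probe
    Conn("System", "In", "TCP", "192.168.1.33", 49152, 445),          # SMB from a LAN peer
    Conn("System", "In", "TCP", "203.0.113.9", 49153, 445),           # SMB from the internet
    Conn("Windows Operating System", "In", "UDP", "192.168.1.1", 67, 68),  # DHCP offer
]

def decisions(on_lan: bool) -> List[Tuple[str, bool]]:
    """(action, logged) for each sample connection under the chosen policy."""
    policy = build_policy(on_lan)
    return [evaluate(policy, c)[:2] for c in SAMPLE]

if __name__ == "__main__":
    for lan in (True, False):
        for c, (action, logged) in zip(SAMPLE, decisions(lan)):
            print(f"on_lan={lan!s:5} {action:5} log={logged!s:5} {c.app} {c.direction} "
                  f"{c.proto} {c.remote_ip}:{c.remote_port} -> :{c.local_port}")
    print("unreachable:", unreachable(block_tail() + [Rule("Allow", "Out", "TCP", remote_ports=frozenset({80}))]))
```

With `on_lan=True` the LAN SMB connection and the DHCP offer are allowed and the internet-side SMB probe is dropped without a log entry, while the RDP probe lands on the logged catch-all; with `on_lan=False` the DHCP offer to Windows Operating System is blocked and logged, which is exactly the log line metalforlife reports seeing. When editing the list in CIS, keep the Allow rules above the final Block and run the same kind of reachability check by eye.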