[Feedback] Firewall failing

‘Format verified Issue Reports - CIS’ is way too complicated so I’m sending you this here.

I have the latest ver. 5.10.228257.2253 (make this number selectable for the love of God). svchost.exe and lsass.exe (which are part of ‘Windows System Applications’) are blocked by the firewall even when I have set ‘Windows System Applications’ as open as the stealth ports have set it, with a rule for all IP addresses/protocols Out allowed. I’m attaching my config file.

In detail: As you will see, my zones and ports are well defined and allow normal traffic while protecting privileged ports. But even when those files are allowed normal functioning on ports above 1024 they get blocked. If I add them again as individual rules (with the same rules as ‘Windows System Applications’) and set them to log, I see they then work OK after I restart Windows, but not immediately: they fail about 10-15 more times and then I see the ‘passed’ log. Weird, but here it gets even weirder: if I remove the couple of rules and restart Windows they won’t get blocked again, EVER.

This is not a big deal since I can make a workaround, but it doesn’t work as it should. It looks like CIS is handling FW configs internally and is not strictly obeying the rule set. This has happened on every PC I’ve configured since version 3, and I’ve always made the workaround.

Some rules work as they should, they block if set to block and allow when set to allow, but there are weird exceptions like this.


Another weird behavior: AFAIK a rule set for an app is read top down, right? (If this is not the case let me know.) So I have moved some allow rules below the ‘block all traffic’ rule on an app, so CIS should only allow the ‘allow rules’ above the ‘block all traffic’ rule, but I’ve seen that is not the case. So, are all rules taken into account? I don’t think so, since there are ‘Move Up’ & ‘Move Down’ buttons to order the rule execution, right?


Please help me with these; it is really disappointing to see the rules being skipped like that. Thanks for your time.

PS. I’ve seen the bug report format and it is really annoying; your webmasters should make a web form to fill in.

[attachment deleted by admin]

I’m not completely sure I understand what you mean when you say “I have set ‘Windows System Applications’ as open as the stealth ports have set it, with a rule for all IP addresses/protocols Out allowed”. ‘Windows System Applications’ defines an outbound application rule for a number of system processes, whereas stealth ports defines a global rule that blocks all inbound connections.

With regard to “with a rule for all IP addresses/protocols Out allowed”, this is the default rule for both ‘Windows System Applications’ and ‘Windows Updater Applications’.

In detail: As you will see, my zones and ports are well defined and allow normal traffic while protecting privileged ports.

Your Network Zones simply define a block of IP addresses, they don’t define any ports. However, you’ve defined a Global rule that:

Allows TCP or UDP - In - From Any - To Local Area Net - Source Port Any - Dest Port Not in Priv Ports.

You would be better changing the destination to either MAC/IP Address or Any. However, I’m not sure why you’d want to do this, as a number of critical system services use ports between 0 and 1023 to receive connections. To some extent it will depend on your environment; however, if you want to restrict inbound connections by port range, you’re better off making specific application rules for said applications, for example utorrent.

But even when those files are allowed normal functioning on ports above 1024 they get blocked. If I add them again as individual rules (with the same rules as ‘Windows System Applications’) and set them to log, I see they then work OK after I restart Windows, but not immediately: they fail about 10-15 more times and then I see the ‘passed’ log. Weird, but here it gets even weirder: if I remove the couple of rules and restart Windows they won’t get blocked again, EVER.

This is not a big deal since I can make a workaround, but it doesn’t work as it should. It looks like CIS is handling FW configs internally and is not strictly obeying the rule set. This has happened on every PC I’ve configured since version 3, and I’ve always made the workaround.

The first thing you should do is modify your pre-defined ‘Firewalled Application’ policy, as you have a generic Allow IP Out followed by more specific outbound rules. These latter will never be used, as the generic outbound rule takes precedence. For example, you have:

Allow IP Out Any Any Any
Allow IP Out Any DNS Any

The first rule already covers DNS, so the second rule is superfluous. You have also defined inbound rules which are unneeded, as the firewall uses stateful inspection. This basically means that something like a reply to a DNS query will be allowed without the need for a specific rule.

You also appear to have used your pre-defined policy for Windows Operating System. This is completely unnecessary: this is not a ‘real’ process (you won’t find a wos.exe on disk anywhere) and it only serves quite specific purposes.

Some rules work as they should, they block if set to block and allow when set to allow, but there are weird exceptions like this.

Another weird behavior: AFAIK a rule set for an app is read top down, right? (If this is not the case let me know.) So I have moved some allow rules below the ‘block all traffic’ rule on an app, so CIS should only allow the ‘allow rules’ above the ‘block all traffic’ rule, but I’ve seen that is not the case. So, are all rules taken into account? I don’t think so, since there are ‘Move Up’ & ‘Move Down’ buttons to order the rule execution, right?


Can you be more specific about the rules in question? You have a great many generic ‘trusted’ rules and it’s difficult to differentiate one from the other.
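As an added illustration of the top-down, first-match rule evaluation Radaghast describes (this is example code, not code from the thread or from Comodo), the model below evaluates a packet against an ordered rule list and reports rules that can never fire because an earlier, broader rule already covers them. Modelling ‘DNS’ as destination port 53, the port-443 allow rule and the default action when nothing matches are assumptions.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple, Union

ANY = "Any"
DNS = frozenset({53})  # constructed: the post's 'DNS' modelled as a destination port set

@dataclass(frozen=True)
class Rule:
    action: str                           # "Allow" or "Block"
    proto: str                            # "IP" covers every protocol, else "TCP"/"UDP"
    direction: str                        # "Out" or "In"
    src: str                              # address or zone name; ANY matches everything
    dst: str
    dst_port: Union[str, FrozenSet[int]]  # ANY or a set of destination ports

@dataclass(frozen=True)
class Packet:
    proto: str
    direction: str
    src: str
    dst: str
    dst_port: int

def _covers(rule_val, other) -> bool:
    # An address/zone field covers a packet field (or another rule's field) if it is ANY or equal
    return rule_val == ANY or rule_val == other

def matches(r: Rule, p: Packet) -> bool:
    return ((r.proto == "IP" or r.proto == p.proto) and r.direction == p.direction
            and _covers(r.src, p.src) and _covers(r.dst, p.dst)
            and (r.dst_port == ANY or p.dst_port in r.dst_port))

def evaluate(rules: List[Rule], p: Packet, default: str = "Block") -> Tuple[str, Optional[int]]:
    """Top-down, first match wins: returns (action, rule index), or (default, None) if nothing matched.
    The default is an assumption; in CIS an unmatched outbound packet may raise an alert instead."""
    for i, r in enumerate(rules):
        if matches(r, p):
            return r.action, i
    return default, None

def shadowed(rules: List[Rule]) -> List[int]:
    """Indices of rules that can never fire because an earlier rule already covers everything they match."""
    def superset(a: Rule, b: Rule) -> bool:
        return ((a.proto == "IP" or a.proto == b.proto) and a.direction == b.direction
                and _covers(a.src, b.src) and _covers(a.dst, b.dst)
                and (a.dst_port == ANY or (b.dst_port != ANY and b.dst_port <= a.dst_port)))
    return [j for j, later in enumerate(rules) if any(superset(e, later) for e in rules[:j])]

# Constructed from the thread: the post's generic Allow IP Out above a DNS-specific rule, and the
# OP's experiment of an allow rule placed below a block-all rule.
GENERIC_FIRST = [Rule("Allow", "IP", "Out", ANY, ANY, ANY), Rule("Allow", "IP", "Out", ANY, ANY, DNS)]
BLOCK_ABOVE_ALLOW = [Rule("Block", "IP", "Out", ANY, ANY, ANY),
                     Rule("Allow", "TCP", "Out", ANY, ANY, frozenset({443}))]
```

`shadowed(GENERIC_FIRST)` flags the DNS rule as unreachable, and `shadowed(BLOCK_ABOVE_ALLOW)` flags the allow rule; swapping the latter pair with Move Up/Move Down clears the report.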

The first thing you should do is not post your ‘thinking out loud’; you contradict yourself and you make suggestions not better than mine, and anyway I explained clearly in the first post; for more clarity there is my config file. You’re not helping here, you’re just messing things up. Everything is there for a reason, tested myself. You really don’t know CIS very well, so leave it to the people that do know it.

That’s not a great attitude towards someone trying to help you. 88)

You might want to re-read Radaghast’s very helpful post.

Edit: Just saw your edit…

Radaghast actually knows CIS very well. You would do well to listen to him.

Thanks for the positive feedback :slight_smile:

Actually, I’m trying very hard to understand your post and to help you with your very obvious problems.

you contradict yourself

Please explain where I’ve contradicted myself and I’ll make the appropriate amendments.

and you make suggestions not better than mine and anyway

I beg to differ, however, if you wish to discuss the merits or otherwise of your configuration, please continue.

I explained clearly in the first post; for more clarity there is my config file. You’re not helping here, you’re just messing things up.

Indeed, you posted your configuration because, understandably, you have problems with it. It’s these problems I’m trying to help you address.

Everything is there for a reason, tested myself,

I’m sure there’s a reason for your rules; it’s just a pity they’re causing you problems. Perhaps your testing regime needs some help too.

You really don’t know CIS very well, so leave it to the people that do know it.

I never fail to be amazed by the politeness of some users of these forums :slight_smile: Thank you for your kind words, you’re most welcome.