wireless connection and default deny ruleset

I’m trying to set up a “default deny” ruleset for a laptop with a wireless connection, but if I do so, the wireless setup fails. I have “default deny” working on my wired PC.

Vista uses a 169.254.x.x IP address initially, before it has a connection configured.

Despite having outbound port 67 and outbound port 1900 configured for svchost.exe, these get blocked and logged by the firewall. Why doesn’t CF allow these through when they are configured?

After the wireless connection is configured, I can turn on the “deny all” global rule and everything is fine; the wireless connection can be disconnected and reconnected (apparently because it is no longer using the 169.254.x.x IP address).

Please check whether it is outbound that is being blocked. You usually need both ways for DHCP to work, and if I remember correctly inbound connections go through Global Rules first, so you have to put inbound rules in Global Rules above the block-all rule, or both ways for svchost.

I have checked and it is outbound being blocked and logged.
All of these blocks are to a broadcast address.
I’m not getting any inbound blocks that are being logged.
The router’s MAC address is in the global rules, allowed for inbound & outbound.

I have tried:
Global rules with a block for outbound only - prevents the wireless connection.
Global rules with a block for inbound only - allows the wireless connection.

So it’s something about Windows Vista or wireless that is different from a wired connection on Windows XP. The DHCP connection from Windows XP works fine with a similar setup, blocking in/out in the global rules.

Take a look at the attached Wireshark log of a wireless DHCP sequence under Vista. Port 68 is bootpc, port 67 is bootps. If you send out the DHCP broadcast from port 68, the response is allowed by SPI, which takes precedence over your global rules. If you block port 68 out, you can’t access the DHCP server.


This is the rule I used on a Vista wired connection, if it is of any use:
UDP Out From IP any to IP any Where Source Port is 68 And Destination Port is 67
I do not need it now, as when I changed to a wireless card I made the IP fixed on the Vista computer.

OK, I added a global rule for UDP outbound from port 68 to 67.
That works, whereas a UDP-out for dest-67 or source-68 or dest- specific to svchost.exe does not work.
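To make the behaviour discussed in this thread concrete (the SPI explanation above and the global rule that finally worked), here is an added toy model, not code from the forum or from Comodo: an ordered global ruleset with a block-all entry, plus a minimal stateful inspection that lets replies to an allowed outbound UDP flow back in. It is run over a constructed DHCP Discover/Offer/Request/Ack sequence; the addresses, rule fields and the `allow:spi` label are assumptions of this model.

```python
from dataclasses import dataclass
from typing import List, Optional

ANY: Optional[int] = None  # wildcard for a port field

@dataclass(frozen=True)
class Rule:
    action: str               # "allow" or "block"
    direction: str            # "out", "in" or "both"
    src_port: Optional[int]   # ANY matches every port
    dst_port: Optional[int]

@dataclass(frozen=True)
class Packet:
    direction: str            # "out" or "in"
    src: str                  # "ip:port" (constructed sample values)
    dst: str

def _port(endpoint: str) -> int:
    return int(endpoint.rsplit(":", 1)[1])

def _matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction in (pkt.direction, "both")
            and rule.src_port in (ANY, _port(pkt.src))
            and rule.dst_port in (ANY, _port(pkt.dst)))

class GlobalRules:
    """First matching rule wins; replies to allowed outbound UDP pass via SPI (assumed model)."""
    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)
        self.flows = set()    # (local_port, remote_port) of outbound traffic already allowed

    def decide(self, pkt: Packet) -> str:
        if pkt.direction == "in" and (_port(pkt.dst), _port(pkt.src)) in self.flows:
            return "allow:spi"  # stateful match is checked before the global rules
        for rule in self.rules:
            if _matches(rule, pkt):
                if rule.action == "allow" and pkt.direction == "out":
                    self.flows.add((_port(pkt.src), _port(pkt.dst)))
                return rule.action
        return "allow"        # nothing matched; application rules would decide next

# Constructed DHCP sequence: no lease yet, so the client sends from 0.0.0.0:68 (bootpc) to 67 (bootps)
DHCP_SEQUENCE = [
    Packet("out", "0.0.0.0:68", "255.255.255.255:67"),      # Discover
    Packet("in", "192.168.1.1:67", "255.255.255.255:68"),   # Offer
    Packet("out", "0.0.0.0:68", "255.255.255.255:67"),      # Request
    Packet("in", "192.168.1.1:67", "255.255.255.255:68"),   # Ack
]
BLOCK_ALL = Rule("block", "both", ANY, ANY)   # the "default deny" entry
DHCP_OUT = Rule("allow", "out", 68, 67)       # UDP out, source 68, destination 67

def run(rules: List[Rule]) -> List[str]:
    fw = GlobalRules(rules)
    return [fw.decide(p) for p in DHCP_SEQUENCE]
```

Running `run([BLOCK_ALL])`, `run([DHCP_OUT, BLOCK_ALL])` and `run([BLOCK_ALL, DHCP_OUT])` shows that only the ruleset with the DHCP rule placed above block-all lets the Discover out and the Offer back in.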

Thank you for posting back with info to fix the problem.