Windows 10: Inbound Firewall Rule Ignored - Does capitalization and / or unicode matter?

Hi All,


I have an application specific Inbound Connection firewall rule configured in Windows 10 x64. The application is 32-bit and installed in regular "Program Files x86". The firewall rule is configured to allow:


- For all profiles Domain, Private, Public,

- Allow *any* remote IP,

- To talk to *any* local IP,

- Using *any* protocol,


More concise from CSV rule export feature from Advanced Firewall configuration:


Name,Group,Profile,Enabled,Action,Override,Program,Local Address,Remote Address,Protocol,Local Port,Remote Port,Authorized Users,Authorized Computers,Authorized Local Principals,Local User Owner,Application Package,

MyApp,,All,Yes,Allow,No,C:\Program Files x86\My Path\Bin\MyApp.exe,Any,Any,Any,Any,Any,Any,Any,Any,Any,Any,



However, when the application starts I still get "Windows Defender Firewall has blocked some features of this app". The prompt references the same application. With the only difference being that the path given in the prompt is all small caps 'C:\program files x86\my path\bin\myapp.exe'.


The inbound firewall rule is configured with a Powershell script calling 'netsh advfirewall firewall add rule ...' and the path argument is given as


"C:\\Program\u0020Files\u0020x86\\My\u0020Path\\Bin\\myapp.exe"


with unicode escape sequence used to represent 'SPACE'.


Question:


- What could the reasons be for this Inbound rule seemingly being ignored?

- Does capitalization of the given path matter?

- Is the firewall configuration unable to deal the unicode escape sequence? And if so, should specify two rules - one with ASCII 'SPACE' and one with the unicode string?



Thank you for taking the time to read this and for any suggestions as to why this is not working for me,

T

:)

 

Inbound Firewall Rule that Blocks

Code:

Please help me understand how the 2 Inbound Rules created by MMC actually operate.

Action, Enabled, Service, Program,                     Protocol

Block,  Yes,     Any,     C:\windows\system32\mmc.exe, TCP

Block,  Yes,     Any,     C:\windows\system32\mmc.exe, UDP
If these 2 rules were Outbound Rules, I'd say that client process 'mmc.exe' is blocked.

But applying equivalent logic (that 'mmc.exe' is blocked) to Inbound Rules doesn't make sense -- why would 'mmc.exe' (which created these Rules) block itself?

What (somewhat) makes sense is that 'mmc.exe' is a requester, and that these rules block all TCP & UDP datagrams & all processes.

If so, then there's quite a difference between Outbound & Inbound Rules.

In Outbound Rules, 'Program' specifies the target (the process that's blocked), whereas in Inbound Rules, 'Program' specifies the requester (the process that provokes blocking).

This is crucial reasoning because, if correct, then, as a consequence, every process is the target of Inbound Rules that Block.

What about Inbound Rules that Allow? I've always assumed that an Inbound+Allow means the specified 'Program' installs a listener (i.e., has handler(s) for the specified socket(s)).

I think that's pretty straightforward.

I've read what Microsoft provides and it's grossly inadequate -- what a surprise, eh?

Microsoft documentation presents only trivial explanation of how to complete the fields (example: "Type the path to the program in the text box"), or the tutorial's scope is limited (example: "On the Action page, select Allow the connection, and then click
 Next" -- no mention of "Block the connection").

Other web hits are just plain wrong (examples: "Program – Block or allow a program"; "Program - creates rule that controls connections for an app or program"; "if you are downloading a file through BitTorrent, the download of that file is filtered through an
 inbound rule" -- Rules control connections, not streams) or show ridiculous cases (example: "I want to block all outgoing connections on port 80").
Does anyone know of an architectural reference or guidebook that explains how Firewall Rules are implemented in a running system?
Warm Regards -- Mark.

 

Windows 10 upgrade doesn't keep firewall inbound rules settings

Hi All,

I just migrated Windows 8.1 to Windows 10 through SCCM 2012 R2 SP1 TS then firewall inbound rules were not ok.

The three WMI rules are disabled; rules for ping response and SMB access for domain profile are disabled, they are enabled for private profile instead.

Which suggestion in this regard?

 

Inbound firewall rule for trusted subnets not working as expected

I'm trying to create a basic domain firewall policy (primarily for Win7) that does two things;

Allow two trusted subnets inbound connection to the host on ALL ports (so essentially open)

Block everything else

All outbound traffic will be unfiltered - only the inbound traffic is being controlled.

I created a domain firewall policy

I added an 'allow trusted subnets' inbound rule, which is as follows;

Action: Allow the connection

Allow all programs

Protocol Type: Any

Scope

Local IP addresses: Any

Remote IP addresses: My two subnets in CIDR annotation

Advanced

Profile: Domain

Block Edge traversal

I then set the Domain profile firewall state to ON, and set Inbound to Block (default) and Outbound to Allow (default). Running RSoP shows the policy is being applied, but here's the problem. Windows still allows inbound connectivity from all untrusted subnets!
My understanding is that setting the Domain policy state to ON means that all traffic inbound will be blocked unless specifically allowed, and I specifically allowed connectivity from only two trusted subnets!

I tried created a 'Deny All' rule after the allow one (even though that should be implied), and that worked great - it blocked everything inbound, even my trusted subnets!!!

Anyone have any idea what's going on here. I'm very familiar with firewalls in general, but this just isn't working as it should do. No other firewall policies are being applied according to RSoP and my testing.

Thanks