Windows 10: DNS Client allowed by firewall rule, but still get blocked

Discussion in 'AntiVirus, Firewalls and System Security' started by GormTheOld, May 20, 2020.

  1. DNS Client allowed by firewall rule, but still get blocked


    Hi,

    First; I am using Binisoft/Malwarebytes Windows Firewall Control as frontend for Windows Firewall.

    My problem is that I allowed DNS Client to local gateway with UDP on port 53, but still for some reason it is being blocked. When opening the log window in Windows Firewall Control it says 'Blocked'.

    The name of the rule was set automatically to DNS Client, but as service I notice in the log that DNS Client is reported with Dnscache as service, but in the rules dialog box there is no Dnscache in the Services drop down menu.

    I am not sure if what I wrote in the previous paragraph is of any significance, but my initial question would be if there is any other service that also has to be allowed with an outbound rule to make DNS Client work? I have a pretty strict rule set, so nothing gets out by coincidence.

    Could someone please help me out?

    Thank you,


    Windows 10 Pro 1909

    :)
     
    GormTheOld, May 20, 2020
    #1
  2. mike1127 Win User

    firewall rule to block addresses NOT on an IP list?


    I am just starting to learn the Windows Firewall (working on both Windows 7 and 10) and I'm not impressed with the inflexibility of its rules. I would like to know if


    1. Is there a way to do what I want with Windows Firewall?
    2. Is there a third-party firewall that would do it?


    What I want to do is create a rule that blocks outgoing connections, for program X, that are to a destination **NOT** in an IP list.


    Windows Firewall is not very flexible in how you specify IP list rules. When you give an IP list, your rule will match that list... you can't say "trigger the rule for non-matching IP addresses." Therefore to allow outgoing connections to a list, you have to


    1. Change the entire firewall policy to block outgoing connections by default so that you can create an "allow rule" matching your list. This will mess up the rest of your programs.


    2. Somehow combine a block rule and allow rule. Create a block rule for most traffic, with the "allow" rule overriding it when appropriate. However, this doesn't appear to be possible in general. It **may** be possible for connections that use IPSec, I'm not sure. And I'm not sure if I can use IPSec in my application.

    And is there a third-party firewall that can do it? Most 3rd-party firewalls are LESS sophisticated than Windows Firewall, because the use case they are addressing is providing an interface that doesn't require much comprehension. I need one that's actually MORE sophisticated than Windows Firewall.
     
    mike1127, May 20, 2020
    #2
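One way to get the effect asked about in the post above with stock Windows Firewall, shown as an added example that is not part of the original thread: compute the complement of the allow-list and put those ranges into a single outbound block rule for the program. It assumes the default outbound policy stays at allow, covers IPv4 only, and uses a constructed program path and documentation-range addresses; `complement_ranges` and `block_rule_command` are hypothetical helper names.

```python
import ipaddress

MAX_V4 = 2**32 - 1

def complement_ranges(allowed):
    """Return IPv4 ranges covering every address NOT in the allow-list."""
    nets = [ipaddress.IPv4Network(a, strict=False) for a in allowed]
    # Merge overlapping/adjacent entries, then walk them in ascending order.
    merged = sorted(ipaddress.collapse_addresses(nets))
    gaps, cursor = [], 0
    for net in merged:
        first, last = int(net.network_address), int(net.broadcast_address)
        if first > cursor:
            gaps.append((cursor, first - 1))   # addresses between two allowed blocks
        cursor = max(cursor, last + 1)
    if cursor <= MAX_V4:
        gaps.append((cursor, MAX_V4))          # tail after the last allowed block
    out = []
    for lo, hi in gaps:
        lo_s, hi_s = str(ipaddress.IPv4Address(lo)), str(ipaddress.IPv4Address(hi))
        # Windows Firewall accepts "start-end" ranges; a one-address gap is a plain IP.
        out.append(lo_s if lo == hi else f"{lo_s}-{hi_s}")
    return out

def block_rule_command(program, allowed, name="Block outside allow-list"):
    """Build the PowerShell command for one outbound block rule on the complement."""
    ranges = complement_ranges(allowed)
    if not ranges:
        raise ValueError("allow-list covers all of IPv4; nothing to block")
    remote = ",".join(f"'{r}'" for r in ranges)
    return (f"New-NetFirewallRule -DisplayName '{name}' -Direction Outbound "
            f"-Action Block -Program '{program}' -RemoteAddress {remote}")

if __name__ == "__main__":
    # Constructed sample input: program path and allow-list are placeholders.
    allow_list = ["203.0.113.0/24", "198.51.100.7"]
    print(block_rule_command(r"C:\Example\programX.exe", allow_list))
```

Because block rules take precedence over allow rules, the generated rule stops program X from reaching anything outside the list while other programs keep the default outbound behaviour.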
  3. TwuTu Win User
    Windows Firewall: Doesn't show blocking rules

    Hello!

    Today I've blocked all connections of a program by creating an outbound rule in Windows Firewall. However, I now wish to remove it. The problem: I can't find that newly created rule anywhere in the list. The rule does take an effect, since deactivating the Firewall lets the program run properly. I can only see rules in the list that "allow" stuff, but not those who block things.

    What I have tried so far:

    - All filters set to "Show all" within the Firewall

    - Created the same rule again, doesn't show up

    - Created a rule that allows the program, shows up

    Any solutions?
     
    TwuTu, May 20, 2020
    #3
  4. DNS Client allowed by firewall rule, but still get blocked

    Inbound Firewall Rule that Blocks

    Code:
    Please help me understand how the 2 Inbound Rules created by MMC actually operate.
    
    Action, Enabled, Service, Program,                     Protocol
    Block,  Yes,     Any,     C:\windows\system32\mmc.exe, TCP
    Block,  Yes,     Any,     C:\windows\system32\mmc.exe, UDP

    If these 2 rules were Outbound Rules, I'd say that client process 'mmc.exe' is blocked.
    
    But applying equivalent logic (that 'mmc.exe' is blocked) to Inbound Rules doesn't make sense -- why would 'mmc.exe' (which created these Rules) block itself?
    
    What (somewhat) makes sense is that 'mmc.exe' is a requester, and that these rules block all TCP & UDP datagrams & all processes.
    
    If so, then there's quite a difference between Outbound & Inbound Rules.
    
    In Outbound Rules, 'Program' specifies the target (the process that's blocked), whereas in Inbound Rules, 'Program' specifies the requester (the process that provokes blocking).
    
    This is crucial reasoning because, if correct, then, as a consequence, every process is the target of Inbound Rules that Block.
    
    What about Inbound Rules that Allow? I've always assumed that an Inbound+Allow means the specified 'Program' installs a listener (i.e., has handler(s) for the specified socket(s)).
    
    I think that's pretty straightforward.
    
    I've read what Microsoft provides and it's grossly inadequate -- what a surprise, eh?
    
    Microsoft documentation presents only trivial explanation of how to complete the fields (example: "Type the path to the program in the text box"), or the tutorial's scope is limited (example: "On the Action page, select Allow the connection, and then click Next" -- no mention of "Block the connection").
    
    Other web hits are just plain wrong (examples: "Program – Block or allow a program"; "Program - creates rule that controls connections for an app or program"; "if you are downloading a file through BitTorrent, the download of that file is filtered through an inbound rule" -- Rules control connections, not streams) or show ridiculous cases (example: "I want to block all outgoing connections on port 80").
    Does anyone know of an architectural reference or guidebook that explains how Firewall Rules are implemented in a running system?
    Warm Regards -- Mark.
    
    
     
    MarkFilipak.Windows, May 20, 2020
    #4