Learning about Domain (By-Name) rules

Postby sp4096 » Sun Jan 01, 2017 7:46 pm

Learning about Domains
According to the built-in Help file,
"Above application" rules are evaluated before the application's zone rules, right?
It seems to be like that. But what is Low and High?
"Below application" rules are after some zone result ... I can't come to grips with it trialing a deny rule on one site, such as this for instance.
And here, too, please explain Low and High.
Can you give an example with expected results, please?

How come when I open Windows10FirewallControl.chm from the right click menu in the installation directory I don't see By-Name rules section which I do see when I open Help from the Sphinx icon? Is that another lovely M$ confusing feature?
sp4096
 
Posts: 101
Joined: Tue Apr 26, 2016 2:57 am

Re: Learning about Domain (By-Name) rules

Postby VistaFirewallControl » Mon Jan 02, 2017 6:12 pm

>"Above application" rules are evaluated before the application's zone rules, right?

Right.

>It seems to be like that. But what is Low and High?

High is just higher than Low.
It can be used for excluding a “point” from a wide template.
For instance with
Above Apps Low = site.com = Disable
Above Apps High = a-name.site.com = Enable.
You disable any *.site.com excepting (keeping enabled) a-name.site.com.

>"Below application" rules are after some zone result ...

Not exactly. ZoneResult is always final. BelowApps can be triggered after specified rules in a zone, but before ZoneResult.
The priority is near Settings/AllApps.

>Can you give an example with expected results, please?

AboveApps sample is above.
BelowApps sample is the following.
Imagine you have a set of applications with LanOnly, but then you find that a single site.com needs to be enabled for all of them.
So you create BelowApps = site.com Enable.
If you do not have “clashing” (intercepting) rules for site.com, High or Low is irrelevant.

>How come when I open Windows10FirewallControl.chm from the right click menu in the installation directory I don't see By-Name rules section which I do see when I open Help from the Sphinx icon?

It’s impossible if you have a single chm installed.
Actually both just open the same chm.
The section is called DomainNames.
VistaFirewallControl
Site Admin
 
Posts: 1479
Joined: Fri Mar 27, 2009 11:25 am

Re: Learning about Domain (By-Name) rules

Postby sp4096 » Mon Jan 02, 2017 10:00 pm

Re: Domain rules - great explanations, pretty slick actually and I think I understand. Thanks.

Re: Help file. My error. The impossible did not happen :) Wrong file association so I never got the search box where Domain and by-Name comes up.

EDIT: back to domains - I just want to learn or confirm if I understand what you wrote above.
I'm using your default domain rules. OCSP is below apps low. So what happened here? NVT-erpsvc.exe uses modified WebBrowser rule with just 3 ports and the packet is for certificate or signature.

2017:01:02|16:29:25|Added||IPv4 23.54.187.27|Domains: Allow OCSPs|Domains: Allow OCSPs/ocsp.*.*/ocsp.verisign.com
2017:01:02|16:29:25|Clashed||IPv4 23.54.187.27|ocsp.verisign.com|ss.symcd.com
2017:01:02|16:29:25|Allowed|1|IPv4 TCP 23.54.187.27:80(50367)|NoVirusThanks EXE Radar Pro Service|WebBrowser Zone-53-80-443/Port80Outgoing Outgoing|C:\program files\novirusthanks\exe radar pro\erpsvc.exe
sp4096
 
Posts: 101
Joined: Tue Apr 26, 2016 2:57 am

Re: Learning about Domain (By-Name) rules

Postby VistaFirewallControl » Tue Jan 03, 2017 2:38 pm

> So what happened here? NVT-erpsvc.exe uses modified WebBrowser rule with just 3 ports and the packet is for certificate or signature.

>2017:01:02|16:29:25|Added||IPv4 23.54.187.27|Domains: Allow OCSPs|Domains: Allow OCSPs/ocsp.*.*/ocsp.verisign.com

An application (DomainNames rules do not distinguish by-application) asks for the by-name rule.
The firewall finds the IP address for the domain and creates a per-IP rule.
So the rule is “Added”.

>2017:01:02|16:29:25|Clashed||IPv4 23.54.187.27|ocsp.verisign.com|ss.symcd.com

The final filtering is made by IP address anyway and the firewall finds that
23.54.187.27 belongs to ocsp.verisign.com and ss.symcd.com simultaneously.
It’s not a problem if the rule results for both domains are equal (i.e. Disable-Disable or Enable-Enable).
The firewall just notes that the IPs are “clashed”.


>2017:01:02|16:29:25|Allowed|1|IPv4 TCP 23.54.187.27:80(50367)|NoVirusThanks EXE Radar Pro Service|WebBrowser Zone-53-80-443/Port80Outgoing Outgoing|C:\program files\novirusthanks\exe radar pro\erpsvc.exe

erpsvc.exe is allowed to access 23.54.187.27:80 by the Port80Outgoing rule.
The WebBrowser zone applied to erpsvc.exe has an evident Port80Outgoing rule that was triggered before (BelowApps) Domains: Allow OCSPs.
VistaFirewallControl
Site Admin
 
Posts: 1479
Joined: Fri Mar 27, 2009 11:25 am
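The three log lines quoted above can be checked mechanically. What follows is an added Python example, not the firewall's own code: it parses lines in the quoted date|time|event|flags|address|subject|rule|path layout and, for each Clashed entry, compares the by-name verdicts of the two names that share the IP. Equal verdicts are harmless, as the reply says; divergent ones are exactly what a per-IP filter cannot honour for both names, so those are the entries worth reviewing. The by-name rule table, the verdict assumed for ss.symcd.com, and the last two log lines (198.51.100.7, telemetry.example, cdn.example) are constructed for the example.

```python
from fnmatch import fnmatchcase

# Constructed sample in the format quoted in the thread:
#   date|time|event|flags|address|subject|rule|path
# The first three lines are the ones from the post; the last two are constructed
# (198.51.100.7 and the .example names are placeholders) to show a clash whose
# two names carry different by-name verdicts.
SAMPLE_LOG = r"""
2017:01:02|16:29:25|Added||IPv4 23.54.187.27|Domains: Allow OCSPs|Domains: Allow OCSPs/ocsp.*.*/ocsp.verisign.com
2017:01:02|16:29:25|Clashed||IPv4 23.54.187.27|ocsp.verisign.com|ss.symcd.com
2017:01:02|16:29:25|Allowed|1|IPv4 TCP 23.54.187.27:80(50367)|NoVirusThanks EXE Radar Pro Service|WebBrowser Zone-53-80-443/Port80Outgoing Outgoing|C:\program files\novirusthanks\exe radar pro\erpsvc.exe
2017:01:02|16:30:01|Added||IPv4 198.51.100.7|Domains: Block telemetry|Domains: Block telemetry/telemetry.example/telemetry.example
2017:01:02|16:30:01|Clashed||IPv4 198.51.100.7|telemetry.example|cdn.example
"""

# Constructed by-name rule table (pattern, verdict); first match wins.
BY_NAME_RULES = [
    ("ocsp.*.*", "Enable"),
    ("ss.symcd.com", "Enable"),        # assumed: another OCSP responder rule
    ("telemetry.example", "Disable"),
    ("cdn.example", "Enable"),
]

def verdict_for(host):
    """Verdict of the first by-name rule whose wildcard pattern matches host."""
    for pattern, verdict in BY_NAME_RULES:
        if fnmatchcase(host.lower(), pattern.lower()):
            return verdict
    return None

def parse_line(line):
    """Split one log line; the IP is the last token of the address field
    with any ':port(localport)' suffix removed."""
    f = line.split("|")
    date, time, event, flags, address = f[:5]
    ip = address.split()[-1].split(":")[0]
    return {"ts": f"{date} {time}", "event": event, "flags": flags,
            "ip": ip, "fields": f[5:]}

def clash_report(log_text):
    """For every Clashed line, compare the by-name verdicts of the two names
    that resolved to the same IP. Equal verdicts are harmless; divergent ones
    cannot both be honoured by a per-IP filter and deserve a look."""
    report = []
    for rec in map(parse_line, log_text.strip().splitlines()):
        if rec["event"] != "Clashed":
            continue
        a, b = rec["fields"][:2]
        va, vb = verdict_for(a), verdict_for(b)
        report.append({"ip": rec["ip"], "names": (a, b),
                       "verdicts": (va, vb), "divergent": va != vb})
    return report

def events_for_ip(log_text, ip):
    """All events recorded for one IP, in order (Added -> Clashed -> Allowed)."""
    return [r["event"] for r in map(parse_line, log_text.strip().splitlines())
            if r["ip"] == ip]
```

Running `clash_report(SAMPLE_LOG)` reports the 23.54.187.27 clash as non-divergent (Enable/Enable, so nothing to do) and the constructed 198.51.100.7 clash as divergent (Disable/Enable), which is the case where a single IP shared by two names means one of the two by-name rules cannot be honoured.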

Re: Learning about Domain (By-Name) rules

Postby sp4096 » Wed Feb 15, 2017 3:21 am

On the Domains tab is a checkbox up top with (Affects Applications per-name rules)
I just want to confirm that if UNchecked, then if an application uses one of those, then that rule will be ignored in whatever application it exists.
For instance IF wermgrSnooping.exe has a rule to block telemetry, then unchecking that option on the Domains tab will permit wermgrSnooping to connect to Microsoft's server essentially ignoring the block telemetry rule under wermgr.
sp4096
 
Posts: 101
Joined: Tue Apr 26, 2016 2:57 am

Re: Learning about Domain (By-Name) rules

Postby VistaFirewallControl » Wed Feb 15, 2017 11:12 am

>On the Domains tab is a checkbox up top with (Affects Applications per-name rules)
I just want to confirm that if UNchecked, then if an application uses one of those, then that rule will be ignored in whatever application it exists.

Correct.
The check manages all by-name rules in the entire firewall.

>For instance IF wermgrSnooping.exe has a rule to block telemetry, then unchecking that option on the Domains tab will permit wermgrSnooping to connect to Microsoft's server essentially ignoring the block telemetry rule under wermgr..

Strictly speaking, the final permission depends on the other rules; the by-name rule will just be ignored.
VistaFirewallControl
Site Admin
 
Posts: 1479
Joined: Fri Mar 27, 2009 11:25 am
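The precedence described across the admin's replies (AboveApps High before Low, both before the application's zone rules; BelowApps after the zone's explicit rules but before ZoneResult, which is always final; Port80Outgoing firing before the Domains rule for erpsvc.exe; and the Domains-tab checkbox switching every by-name rule off so the other rules decide) can be replayed in a small model. The following is an added Python example and not the firewall's code. The matching semantics (a bare name covers itself and all subdomains, a pattern with '*' is matched with fnmatch), the WebBrowser and LanOnly zone definitions, and all host names and IP addresses other than those quoted in the thread are assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

ENABLE, DISABLE = "Enable", "Disable"

def name_matches(pattern: str, host: str) -> bool:
    """Assumed semantics: a bare name covers itself and every subdomain
    (site.com covers a-name.site.com); a '*' pattern uses fnmatch (ocsp.*.*)."""
    pattern, host = pattern.lower(), host.lower()
    if "*" in pattern:
        return fnmatchcase(host, pattern)
    return host == pattern or host.endswith("." + pattern)

@dataclass
class NameRule:              # one DomainNames (by-name) rule
    pattern: str
    verdict: str

@dataclass
class ZoneRule:              # one explicit rule inside an application's zone
    name: str
    verdict: str
    port: int = 0            # 0 = any remote port
    lan_only: bool = False   # only matches RFC 1918 destinations

@dataclass
class Zone:
    name: str
    rules: list
    zone_result: str = DISABLE   # final verdict when nothing else matched

@dataclass
class Firewall:
    above_high: list = field(default_factory=list)
    above_low: list = field(default_factory=list)
    below_high: list = field(default_factory=list)
    below_low: list = field(default_factory=list)
    by_name_enabled: bool = True   # Domains tab: "Affects Applications per-name rules"

LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_lan(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETS)

def first_match(rules, host):
    return next((r for r in rules if name_matches(r.pattern, host)), None)

def decide(fw: Firewall, zone: Zone, host: str, ip: str, port: int):
    """Return (verdict, reason) for one outgoing connection of an app in `zone`."""
    # 1. AboveApps, High before Low, evaluated before the application's zone.
    if fw.by_name_enabled:
        for label, rules in (("AboveApps High", fw.above_high), ("AboveApps Low", fw.above_low)):
            r = first_match(rules, host)
            if r:
                return r.verdict, f"{label}: {r.pattern}"
    # 2. The application's own zone rules, first match wins.
    for zr in zone.rules:
        if zr.port and zr.port != port:
            continue
        if zr.lan_only and not is_lan(ip):
            continue
        return zr.verdict, f"{zone.name}/{zr.name}"
    # 3. BelowApps: after the zone's explicit rules, before ZoneResult.
    if fw.by_name_enabled:
        for label, rules in (("BelowApps High", fw.below_high), ("BelowApps Low", fw.below_low)):
            r = first_match(rules, host)
            if r:
                return r.verdict, f"{label}: {r.pattern}"
    # 4. ZoneResult is always final.
    return zone.zone_result, f"{zone.name}/ZoneResult"

# Constructed zones: WebBrowser with explicit outgoing-port rules, and LanOnly.
WEB_BROWSER = Zone("WebBrowser", [ZoneRule("Port80Outgoing", ENABLE, port=80),
                                  ZoneRule("Port443Outgoing", ENABLE, port=443)])
LAN_ONLY = Zone("LanOnly", [ZoneRule("LanOutgoing", ENABLE, lan_only=True)])

def demo():
    """Replays the thread's scenarios; hosts and IPs not in the thread are constructed."""
    fw = Firewall(
        above_high=[NameRule("a-name.site.com", ENABLE)],
        above_low=[NameRule("site.com", DISABLE)],
        below_low=[NameRule("ocsp.*.*", ENABLE), NameRule("vendor.example", ENABLE)],
    )
    cases = {
        "a-name.site.com, WebBrowser": decide(fw, WEB_BROWSER, "a-name.site.com", "203.0.113.1", 443),
        "www.site.com, WebBrowser": decide(fw, WEB_BROWSER, "www.site.com", "203.0.113.2", 80),
        "vendor.example, LanOnly": decide(fw, LAN_ONLY, "vendor.example", "203.0.113.3", 443),
        "printer.lan, LanOnly": decide(fw, LAN_ONLY, "printer.lan", "192.168.1.20", 9100),
        "other.example, LanOnly": decide(fw, LAN_ONLY, "other.example", "203.0.113.4", 443),
        "ocsp.verisign.com, WebBrowser": decide(fw, WEB_BROWSER, "ocsp.verisign.com", "23.54.187.27", 80),
        "ocsp.verisign.com, LanOnly": decide(fw, LAN_ONLY, "ocsp.verisign.com", "23.54.187.27", 80),
    }
    fw.by_name_enabled = False   # uncheck the Domains-tab box: every by-name rule is ignored
    cases["www.site.com, WebBrowser, by-name off"] = decide(fw, WEB_BROWSER, "www.site.com", "203.0.113.2", 80)
    cases["vendor.example, LanOnly, by-name off"] = decide(fw, LAN_ONLY, "vendor.example", "203.0.113.3", 443)
    return cases
```

`demo()` returns each scenario with the rule that decided it: a-name.site.com is enabled by AboveApps High while www.site.com is disabled by AboveApps Low before the WebBrowser zone is even consulted; erpsvc.exe-style traffic to ocsp.verisign.com on port 80 is allowed by WebBrowser/Port80Outgoing, and the BelowApps OCSP rule only decides when no zone rule matched (the LanOnly case); with the checkbox off, www.site.com falls through to Port80Outgoing and vendor.example falls through to the LanOnly ZoneResult, which is what "the final permission depends on the other rules" means.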

