
Learning about Domain (By-Name) rules

Postby sp4096 » Sun Jan 01, 2017 7:46 pm

Learning about Domains
According to the built-in Help file,
"Above application" rules are evaluated before the application's zone rules, right?
It seems to be like that. But what is Low and High?
"Below application" rules are after some zone result ... I can't come to grips with it trialing a deny rule on one site, such as this for instance.
And here, too, please explain Low and High.
Can you give an example with expected results, please?

How come when I open Windows10FirewallControl.chm from the right click menu in the installation directory I don't see By-Name rules section which I do see when I open Help from the Sphinx icon? Is that another lovely M$ confusing feature?
sp4096
 
Posts: 111
Joined: Tue Apr 26, 2016 2:57 am

Re: Learning about Domain (By-Name) rules

Postby VistaFirewallControl » Mon Jan 02, 2017 6:12 pm

>"Above application" rules are evaluated before the application's zone rules, right?

Right.

>It seems to be like that. But what is Low and High?

High is just higher than Low.
It can be used for excluding a “point” from a wide template.
For instance, with
Above Apps Low = site.com = Disable
Above Apps High = a-name.site.com = Enable
you disable any *.site.com except (keeping enabled) a-name.site.com.

>"Below application" rules are after some zone result ...

Not exactly. ZoneResult is always final. BelowApps can be triggered after specified rules in a zone, but before ZoneResult.
The priority is near Settings/AllApps.

>Can you give an example with expected results, please?

AboveApps sample is above.
BelowApps sample is the following.
Imagine you have a set of applications with LanOnly, but then you need a single site.com to be enabled for all of them.
So you create BelowApps = site.com Enable.
If you do not have “clashing” (intercepting) rules for site.com, High or Low is irrelevant.

>How come when I open Windows10FirewallControl.chm from the right click menu in the installation directory I don't see By-Name rules section which I do see when I open Help from the Sphinx icon?

It’s impossible if you have a single chm installed.
Actually both just open the same chm.
The section is called DomainNames.
VistaFirewallControl
Site Admin
 
Posts: 1493
Joined: Fri Mar 27, 2009 11:25 am
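The evaluation order described in the reply above (AboveApps High, AboveApps Low, the application's zone rules, BelowApps High, BelowApps Low, then ZoneResult) can be modelled in a few dozen lines. The following is an added example written for this thread; it is not the firewall's own code and does not claim to reproduce its internals. The site.com / a-name.site.com pair, the OCSP template and the WebBrowser/LanOnly zone names come from the thread; the `vendor.example` name, the zone port lists, the bare-name-covers-subdomains matching rule and all function names are assumptions made for illustration.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

ENABLE, DISABLE = "Enable", "Disable"


def domain_matches(template: str, host: str) -> bool:
    """Match a host against a Domains template (assumed semantics).

    A bare name such as 'site.com' covers the name and any sub-name (the
    reply: 'disable any *.site.com'); a template containing '*' is treated
    as a shell-style wildcard ('ocsp.*.*', '*telemetry*').
    """
    host, template = host.lower(), template.lower()
    if "*" in template:
        return fnmatchcase(host, template)
    return host == template or host.endswith("." + template)


@dataclass(frozen=True)
class ByNameRule:
    template: str
    action: str           # ENABLE or DISABLE
    level: str            # "AboveApps" or "BelowApps"
    priority: str         # "High" or "Low"
    enabled: bool = True  # an unticked rule is never consulted


@dataclass(frozen=True)
class ZoneRule:
    name: str
    ports: frozenset
    action: str


@dataclass(frozen=True)
class Zone:
    name: str
    rules: tuple
    zone_result: str      # fallback verdict; "ZoneResult is always final"


def first_by_name(rules, level, priority, host):
    """First enabled rule at this level/priority that matches the host.

    Within one level/priority the real firewall's order is not determined
    (per the thread); this model simply takes list order. High vs Low is
    the only ordering a configuration can rely on.
    """
    for r in rules:
        if (r.enabled and r.level == level and r.priority == priority
                and domain_matches(r.template, host)):
            return r
    return None


def evaluate(host: str, port: int, zone: Zone, by_name) -> tuple:
    """Return (verdict, reason) in the order the reply describes."""
    for prio in ("High", "Low"):
        r = first_by_name(by_name, "AboveApps", prio, host)
        if r:
            return r.action, f"AboveApps {prio}: {r.template}"
    for zr in zone.rules:                      # the application's own zone
        if port in zr.ports:
            return zr.action, f"{zone.name}/{zr.name}"
    for prio in ("High", "Low"):
        r = first_by_name(by_name, "BelowApps", prio, host)
        if r:
            return r.action, f"BelowApps {prio}: {r.template}"
    return zone.zone_result, f"{zone.name} ZoneResult"


# Constructed configuration: the reply's site.com / a-name.site.com pair, an
# OCSP allow rule, a hypothetical 'vendor.example' for the LanOnly case and a
# telemetry rule that was never ticked.
BY_NAME = (
    ByNameRule("site.com", DISABLE, "AboveApps", "Low"),
    ByNameRule("a-name.site.com", ENABLE, "AboveApps", "High"),
    ByNameRule("ocsp.*.*", ENABLE, "BelowApps", "Low"),
    ByNameRule("vendor.example", ENABLE, "BelowApps", "Low"),
    ByNameRule("*telemetry*", DISABLE, "BelowApps", "Low", enabled=False),
)

# A port-based WebBrowser zone and a LanOnly zone whose LAN-address rules are
# left out of the model (only its ZoneResult matters for a remote host).
WEB_BROWSER = Zone("WebBrowser",
                   (ZoneRule("Port80Outgoing", frozenset({80}), ENABLE),
                    ZoneRule("Port443Outgoing", frozenset({443}), ENABLE)),
                   zone_result=DISABLE)
LAN_ONLY = Zone("LanOnly", (), zone_result=DISABLE)

if __name__ == "__main__":
    for host, port, zone in [("www.site.com", 443, WEB_BROWSER),
                             ("a-name.site.com", 443, WEB_BROWSER),
                             ("ocsp.verisign.com", 80, WEB_BROWSER),
                             ("vendor.example", 8080, LAN_ONLY)]:
        print(host, port, zone.name, "->", evaluate(host, port, zone, BY_NAME))
```

Two of the cases match what the thread later shows: an OCSP connection on port 80 from a WebBrowser-zoned application is decided by Port80Outgoing before the BelowApps OCSP rule is ever reached, and a template that is present but not enabled changes nothing.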

Re: Learning about Domain (By-Name) rules

Postby sp4096 » Mon Jan 02, 2017 10:00 pm

Re: Domain rules - great explanations, pretty slick actually and I think I understand. Thanks.

Re: Help file. My error. The impossible did not happen :) Wrong file association so I never got the search box where Domain and by-Name comes up.

EDIT: back to domains - I just want to learn or confirm if I understand what you wrote above.
I'm using your default domain rules. OCSP is below apps low. So what happened here? NVT-erpsvc.exe uses modified WebBrowser rule with just 3 ports and the packet is for certificate or signature.

2017:01:02|16:29:25|Added||IPv4 23.54.187.27|Domains: Allow OCSPs|Domains: Allow OCSPs/ocsp.*.*/ocsp.verisign.com
2017:01:02|16:29:25|Clashed||IPv4 23.54.187.27|ocsp.verisign.com|ss.symcd.com
2017:01:02|16:29:25|Allowed|1|IPv4 TCP 23.54.187.27:80(50367)|NoVirusThanks EXE Radar Pro Service|WebBrowser Zone-53-80-443/Port80Outgoing Outgoing|C:\program files\novirusthanks\exe radar pro\erpsvc.exe
sp4096
 
Posts: 111
Joined: Tue Apr 26, 2016 2:57 am

Re: Learning about Domain (By-Name) rules

Postby VistaFirewallControl » Tue Jan 03, 2017 2:38 pm

> So what happened here? NVT-erpsvc.exe uses modified WebBrowser rule with just 3 ports and the packet is for certificate or signature.

>2017:01:02|16:29:25|Added||IPv4 23.54.187.27|Domains: Allow OCSPs|Domains: Allow OCSPs/ocsp.*.*/ocsp.verisign.com

An application (DomainNames rules do not distinguish by application) asks for the by-name rule.
The firewall finds the IP address for the domain and creates a per-IP rule.
So the rule is “Added”.

>2017:01:02|16:29:25|Clashed||IPv4 23.54.187.27|ocsp.verisign.com|ss.symcd.com

The final filtering is made by IP address anyway, and the firewall finds that
23.54.187.27 belongs to ocsp.verisign.com and ss.symcd.com simultaneously.
It’s not a problem if the rule results for both domains are equal (i.e. Disable-Disable or Enable-Enable).
The firewall just notices that the IPs are “clashed”.


>2017:01:02|16:29:25|Allowed|1|IPv4 TCP 23.54.187.27:80(50367)|NoVirusThanks EXE Radar Pro Service|WebBrowser Zone-53-80-443/Port80Outgoing Outgoing|C:\program files\novirusthanks\exe radar pro\erpsvc.exe

erpsvc.exe is allowed to access 23.54.187.27:80 by the Port80Outgoing rule.
The WebBrowser zone applied to erpsvc.exe has an evident Port80Outgoing rule that was triggered before (BelowApps) Domains: Allow OCSPs.
VistaFirewallControl
Site Admin
 
Posts: 1493
Joined: Fri Mar 27, 2009 11:25 am

Re: Learning about Domain (By-Name) rules

Postby sp4096 » Wed Feb 15, 2017 3:21 am

On the Domains tab is a checkbox up top with (Affects Applications per-name rules).
I just want to confirm that if UNchecked, then if an application uses one of those, that rule will be ignored in whatever application it exists.
For instance, IF wermgrSnooping.exe has a rule to block telemetry, then unchecking that option on the Domains tab will permit wermgrSnooping to connect to Microsoft's server, essentially ignoring the block telemetry rule under wermgr.
sp4096
 
Posts: 111
Joined: Tue Apr 26, 2016 2:57 am

Re: Learning about Domain (By-Name) rules

Postby VistaFirewallControl » Wed Feb 15, 2017 11:12 am

>On the Domains tab is a checkbox up top with (Affects Applications per-name rules)
I just want to confirm that if UNchecked, then if an application uses one of those, then that rule will be ignored in whatever application it exists.

Correct.
The check manages all by-name rules in the entire firewall.

>For instance IF wermgrSnooping.exe has a rule to block telemetry, then unchecking that option on the Domains tab will permit wermgrSnooping to connect to Microsoft's server essentially ignoring the block telemetry rule under wermgr..

Strictly speaking, the final permission depends on the other rules; the by-name rule will just be ignored.
VistaFirewallControl
Site Admin
 
Posts: 1493
Joined: Fri Mar 27, 2009 11:25 am

Re: Learning about Domain (By-Name) rules

Postby sp4096 » Sat Jul 08, 2017 3:38 am

Still haven't learned in spite of your super answers. So here's another question:
How come "watson.telemetry.microsoft.com" for wermgr.exe falls under Universal telemetry and not Microsoft telemetry? Are domain rules evaluated from the bottom up?
I tried once to add watson... to domains and it didn't work, Sphinx ignored my trial entry.
Also tried *.telemetry.microsoft.com. That also didn't work.
sp4096
 
Posts: 111
Joined: Tue Apr 26, 2016 2:57 am

Re: Learning about Domain (By-Name) rules

Postby VistaFirewallControl » Sun Jul 09, 2017 3:43 pm

>How come "watson.telemetry.microsoft.com" for wermgr.exe falls under Universal telemetry and not Microsoft telemetry?

"watson.telemetry.microsoft.com" matches *telemetry*.
The "Microsoft telemetry" rule is not enabled by default.

>Are domain rules evaluated from the bottom up?

That's strictly not correct. Priority inside the domains list is not determined.
The blocking is actually made on an IP basis; IP changes are traced by WxFC automatically.
The by-IP filtering inside the level is of arbitrary priority by definition.
So if you have 2+ by-name rules, any of them can be triggered first.
If both rules have the same permission it can hardly cause a problem.

> I tried once to add watson... to domains and it didn't work, Sphinx ignored my trial entry.

That may be a syntax-related problem. What is the full template?

>Also tried *.telemetry.microsoft.com. That also didn't work.

Didn't you forget to enable the rule?

Going deeper, if you did everything correctly the problem may theoretically be in the logic.
By-name filtering is finally made on an IP basis.
The name-to-IP conversion is made when the connection is initiated (DNS asked).
If an application has already resolved name-to-IP and cached the IP, all the rules set afterwards may have no effect.
The by-IP rules that implement by-name filters are generated when DNS is asked.
Actually access.log shows the details (please review Added and Updated entries).

If you need assistance, welcome ..... with the access.log and Settings/Export (to review the rules).
VistaFirewallControl
Site Admin
 
Posts: 1493
Joined: Fri Mar 27, 2009 11:25 am

Re: Learning about Domain (By-Name) rules

Postby sp4096 » Thu Jul 13, 2017 3:34 am

Yes, I did forget to enable the rule.
Your explanations are super, thanks.

I did add "watson.telemetry.microsoft.com" and it's working for wermgr. I'll probably ditch it - this was just experimenting with how to do it.
But when I look in the access.log, trying to understand Added/Updated - every application which has *telemetry* block now shows up as "watson.telemetry.microsoft.com". Is that what it's supposed to say?
sp4096
 
Posts: 111
Joined: Tue Apr 26, 2016 2:57 am

Re: Learning about Domain (By-Name) rules

Postby VistaFirewallControl » Thu Jul 13, 2017 10:18 am

Sorry, we have to explain once more.

1 Priority inside the domains pane (with the same Above/Below High/Low) is arbitrary.

If your domain ("watson.telemetry.microsoft.com" for instance) matches 2+ rules at once (for instance "watson.telemetry.microsoft.com" and "*telemetry*"), there is no way to predict which rule will be triggered first.
You should use High/Low priorities at least.

2 The by-name filtering is effectively made by IP.

If you access 2 different sites physically located on the same IP but controlled by different by-name rules, there is no way to predict the triggered rule.
You should use High/Low priorities at least.
VistaFirewallControl
Site Admin
 
Posts: 1493
Joined: Fri Mar 27, 2009 11:25 am
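The two points in this reply, together with the "Added"/"Clashed" log lines explained earlier in the thread, describe one mechanism: a by-name rule only becomes effective when a DNS answer is observed and turned into a per-IP rule, so overlapping templates at the same priority and different names sharing one IP both produce outcomes that cannot be predicted. The following is an added example that models that behaviour; it is not the firewall's code and its event names ("Ambiguous", "Clashed-conflict") are labels of this model, not entries the real access.log writes. The *telemetry*, watson, OCSP and ss.symcd.com names and the 23.54.187.27 address come from the thread; `cdn.example`, `vendor.example`, the other addresses (documentation ranges) and the class and method names are constructed for illustration.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class ByNameRule:
    template: str
    action: str     # "Enable" or "Disable"
    priority: str   # "High" or "Low" within one Above/Below level


def domain_matches(template: str, host: str) -> bool:
    """Assumed matching: a bare name covers itself and its sub-names,
    a template containing '*' is a shell-style wildcard."""
    host, template = host.lower(), template.lower()
    if "*" in template:
        return fnmatchcase(host, template)
    return host == template or host.endswith("." + template)


class ByNameEngine:
    """Turns by-name rules into per-IP rules as DNS answers are observed."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.ip_rules = {}   # ip -> (domain, verdict)
        self.log = []        # (event, ip, detail)

    def decide(self, host):
        """High beats Low. Two rules at the same priority with different
        verdicts are 'Ambiguous': the thread says their order is not
        determined, so the result cannot be predicted."""
        for prio in ("High", "Low"):
            hits = [r for r in self.rules
                    if r.priority == prio and domain_matches(r.template, host)]
            if hits:
                verdicts = {r.action for r in hits}
                return hits[0].action if len(verdicts) == 1 else "Ambiguous"
        return None

    def on_dns_answer(self, host, ip):
        """A name was resolved: create the per-IP rule for it, if any."""
        verdict = self.decide(host)
        if verdict is None:
            return "NoRule"
        if verdict == "Ambiguous":
            self.log.append(("Ambiguous", ip, host))
            return "Ambiguous"
        existing = self.ip_rules.get(ip)
        if existing is not None and existing[0] != host:
            # The IP is already covered through another name. Harmless when
            # the verdicts agree; otherwise the effective rule is arbitrary
            # (this model keeps the first one).
            event = "Clashed" if existing[1] == verdict else "Clashed-conflict"
            self.log.append((event, ip, f"{existing[0]}|{host}"))
            return event
        self.ip_rules[ip] = (host, verdict)
        self.log.append(("Added", ip, host))
        return "Added"

    def filter_connection(self, ip):
        """Final filtering is by IP. None means no per-IP rule exists, e.g.
        the application connects to an IP it cached before the rule was
        created, so no DNS answer was ever seen for it."""
        entry = self.ip_rules.get(ip)
        return entry[1] if entry else None


# Constructed rule set. The watson rule overlaps *telemetry* with the same
# verdict (harmless); cdn.example overlaps it with the opposite verdict, which
# only the High rule resolves.
RULES = [
    ByNameRule("*telemetry*", "Disable", "Low"),
    ByNameRule("watson.telemetry.microsoft.com", "Disable", "Low"),
    ByNameRule("ocsp.*.*", "Enable", "Low"),
    ByNameRule("ss.symcd.com", "Enable", "Low"),
    ByNameRule("cdn.example", "Enable", "Low"),
    ByNameRule("telemetry-api.cdn.example", "Enable", "High"),
]

# Constructed DNS answers, in the order the firewall would observe them.
DNS_ANSWERS = [
    ("ocsp.verisign.com", "23.54.187.27"),
    ("ss.symcd.com", "23.54.187.27"),               # same IP, same verdict
    ("watson.telemetry.microsoft.com", "203.0.113.10"),
    ("telemetry.cdn.example", "203.0.113.20"),      # two Low rules disagree
    ("telemetry-api.cdn.example", "203.0.113.21"),  # High rule decides
    ("stats.cdn.example", "198.51.100.7"),
    ("telemetry.vendor.example", "198.51.100.7"),   # same IP, opposite verdict
]


def run_demo():
    engine = ByNameEngine(RULES)
    events = [engine.on_dns_answer(host, ip) for host, ip in DNS_ANSWERS]
    return engine, events


if __name__ == "__main__":
    eng, evs = run_demo()
    for (host, ip), ev in zip(DNS_ANSWERS, evs):
        print(f"{ev:16} {ip:15} {host}")
    print("23.54.187.27 ->", eng.filter_connection("23.54.187.27"))
    print("192.0.2.99 (cached, never resolved) ->", eng.filter_connection("192.0.2.99"))
```

Reading the per-IP table afterwards shows why the reply insists on High/Low: the only entries whose verdict is fully determined are those where every matching template agrees or a High rule exists, and an address the application reached from its own cache has no entry at all.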

