Firewall blocks outbound traffic even if outbound rule exists

Guest

Hello,

The Microsoft Vista firewall doesn't block outbound traffic by default. So
all doors are open for keyloggers. Since there is no alternative firewall at
this time, I have to use the complicated firewall from Vista. I studied
various internet pages to get a handle on the Vista firewall. That is how I
found out that there is an extended configuration…

In this extended configuration I blocked the outbound traffic and added
rules for some programs for which I want to allow outgoing traffic on all
ports and all profiles. Now those programs can't access the internet anymore,
although they are allowed by the rules.

A friend of mine configured it the same way I did, and he tells me he can
access the internet with his browser.

I don't know what could be wrong. Does anyone have a hint? I use Windows
Vista Ultimate 64-bit with the private profile.

Here are two pictures that show my extended configuration of the firewall.
Sorry that the text in the pictures is in German.
Pic1_Overview: http://img508.imageshack.us/img508/1254/01overviewwr0.gif
Pic2_Outgoing Rules:
http://img508.imageshack.us/img508/658/02outgoingrulesid3.gif

Greetings

Curt
 
Guest

the Microsoft Vista firewall doesn't block outbound traffic by default.

Incorrect. It does block outbound traffic by default.

So all doors are open for keyloggers.

Outbound blocking host-based firewalls cannot block keystroke loggers, so,
yes, your statement is accurate, but applies to all platforms and all
host-based firewalls.

I have to use the complicated firewall from Vista.

I can't speak on behalf of Microsoft, but please accept my apologies for
their giving you a firewall that actually does a much better job at what a
firewall can meaningfully do than any other firewall on the market.

BTW, if you want a much noisier and less useful alternative, OneCare 1.5
runs on Vista. Its firewall is much noisier, much slower, and much more
annoying.

In this extended configuration I blocked the outbound traffic and added
rules for some programs that I want to allow outgoing traffic on all ports
and all profiles. Now those programs can’t access the internet anymore
although they’re allowed by rules.

You need to tell us exactly how your firewall is configured if we are to be
able to help you determine what is going on here. More than likely the
programs are not identified properly.

Here are two pictures that show my extended configuration of the firewall.
Sorry that the text in the pictures is in German.
Pic1_Overview: http://img508.imageshack.us/img508/1254/01overviewwr0.gif
Pic2_Outgoing Rules:
http://img508.imageshack.us/img508/658/02outgoingrulesid3.gif

Please do not post pictures. Post a configuration script instead.
 
Guest

Nope. The OP was wrong. The Vista firewall by default is set to allow all
outbound connections that are not defined to be blocked. By default it blocks
outbound connections from many built-in services. This is also all the actual
blocking security value you can get out of outbound filters.
 
Dave R.

Jesper said:
Nope. The OP was wrong.

We're starting to split hairs here...

The Vista firewall by default is set to allow all
outbound connections that are not defined to be blocked.

I agree with this, and had you clarified it this way initially I
wouldn't have disagreed, but the way you responded to the OP made it
sound like the default was to block all outbound traffic when this
clearly isn't the case.

By default it blocks outbound connections from many built-in services.

I don't have a Vista machine to look at to confirm, so I'll take your
word for it.

This is also all the actual blocking security value you can get out of
outbound filters.

Agreed.

Best Regards,

Dave
 
norm

Dave said:
We're starting to split hairs here...


I agree with this, and had you clarified it this way initially I
wouldn't have disagreed, but the way you responded to the OP made it
sound like the default was to block all outbound traffic when this
clearly isn't the case.


I don't have a Vista machine to look at to confirm, so I'll take your
word for it.


Agreed.

Best Regards,

Dave

This article may provide a bit more insight as to what the firewall
actually does or doesn't do:
http://www.computerworld.com/action...ewArticleBasic&articleId=9010661&pageNumber=1
YMMV
 
Guest

The Vista firewall by default is set to allow all

I agree with this, and had you clarified it this way initially I
wouldn't have disagreed, but the way you responded to the OP made it
sound like the default was to block all outbound traffic when this
clearly isn't the case.

Yeah, sorry. I'm getting a bit tired of answering that question a thousand
times. Especially since most of the questions stem from a bunch of
misinformed reporters and self-styled security experts who declared that their
version of reality was more correct than what actually is there.
 
Guest

This article may provide a bit more insight as to what the firewall

That article skirts reality by stating facts, and then stretching them into
conclusions that lie somewhere between half-truths, misleading statements, and
the type of near-lies that has proven so effective in shaping public policy
and selling copies of magazines.

Take this statement:
"In addition, there may be no practical way to use outbound filtering to
stop all unwanted outbound connections"

Absolutely true. Except, the author of the article really meant to say that
"In addition, there may be no practical way to use outbound filtering in the
Windows Vista firewall to stop all unwanted outbound connections, whereas
third-party firewalls offer that ability." The original statement is true,
and applies to all firewalls. What he meant to say is true too, but only up
to the point of the inserted comma.

Likewise misleading is the statement that "every outbound rule allows
outbound connections." Yes, that is correct; as long as you consider only the
rules you can see in the GUI. If you take into account the rules that you do
not see, the ones that actually make a difference but that are only available
using WMI calls, it is untrue. Those are the rules that block services, the
only thing you can meaningfully restrict from making outbound connections,
from doing so. The ones you see in the GUI are there to ensure your computer
does not turn into a boat anchor if you block all outbound connections except
those that are allowed. By default they make no difference.

Another great statement is: "Making matters worse, there is no way for an
individual or IT staffer on his own to create an all-purpose rule that will
block malware from making outbound connections."

Shame on Microsoft! How dare they not build that functionality in? I mean,
how hard could it possibly be to put in a rule like this:

if software.intent == malicious then
block traffic
else
allow traffic
end if

That'd be the simplest thing in the world! The "competing firewalls often
use built-in intelligence" to handle that task. All you have to do is discern
what the software is actually intent on doing. If the user goes to eBay to
buy a legitimate DVD then we would allow the connection, but if they intend
to buy a bootleg one we would block it. If the software looks up a hostname
for purposes of doing online chatting we would allow it, but if it is looking
up a hostname to attack it we block it. Simple!

I have a better idea: let's just not sell Windows Vista to evil people. That
way we don't need any firewalls at all!

So, sarcasm aside for a few seconds: yes, the statement is correct, and yet
the meaning of it is so amazingly incorrect. In reality, what the competing
software is doing is going on patterns; patterns that almost invariably boil
down to a software signature that identifies malicious software and attempts
to block all known bad things. Now you just have to know all the known bad
things and you're home free.

About the only really true part of that article is the comment on the
schizophrenic approach taken by the OneCare team, which does provide outbound
filtering. It is as noisy, annoying, and meaningless as the outbound
filtering provided by all the other vendors.

I'm going to leave now and go move the moon a few degrees because it is
shining in my window and annoying me. That should be a simple task, sort of
like making outbound filtering stop malware that is already executing on my
computer from doing malicious things. While I am at it I think I'll go down
to the convenience store on the corner and ask the burglars there to just be
nice, sit still, and not steal anything until the Anti-Burglar patrol has an
updated set of signatures to detect them.
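The post above argues that the rules which actually restrict services are not the ones the snap-in lists, and that the visible outbound rules make no difference under the default policy. The following is an added example, written for this page and not taken from the thread or from Microsoft, that lets you see both sets side by side. It reads the firewall through the HNetCfg.FwPolicy2 COM interface (rather than WMI), assumes Vista or later with PowerShell installed and an elevated prompt, and changes nothing.

```powershell
# Added example, not from the thread: compare the firewall's ordinary rules
# (what the MMC snap-in lists) with the service restriction rules it applies
# without showing them. Read-only; assumes Vista or later, PowerShell 1.0+,
# run from an elevated prompt.

$fw = New-Object -ComObject HNetCfg.FwPolicy2

# Constants from the INetFwRule / INetFwPolicy2 documentation
$NET_FW_RULE_DIR_OUT = 2
$NET_FW_ACTION_BLOCK = 0
$NET_FW_ACTION_ALLOW = 1

function Format-FwRule($rule) {
    $dir = 'in';    if ($rule.Direction -eq $NET_FW_RULE_DIR_OUT) { $dir = 'out' }
    $act = 'allow'; if ($rule.Action -eq $NET_FW_ACTION_BLOCK)   { $act = 'block' }
    '{0,-4} {1,-5} enabled={2,-5} service={3,-16} app={4}' -f `
        $dir, $act, $rule.Enabled, $rule.ServiceName, $rule.ApplicationName
}

# 1) Service restriction (Windows Service Hardening) rules: keyed on the
#    service SID, and not displayed by the GUI.
$wsh = @($fw.ServiceRestriction.Rules)
Write-Host ("--- {0} service restriction rules (not shown in the GUI) ---" -f $wsh.Count)
$wsh | ForEach-Object { Format-FwRule $_ }

# 2) Ordinary rules, the ones the snap-in shows. Under the default
#    "allow outbound" policy only an outbound *block* rule changes anything,
#    so count those separately.
$rules = @($fw.Rules)
$outBlock = @($rules | Where-Object {
    $_.Enabled -and $_.Direction -eq $NET_FW_RULE_DIR_OUT -and $_.Action -eq $NET_FW_ACTION_BLOCK })
Write-Host ""
Write-Host ("--- {0} ordinary rules, {1} of them enabled outbound block rules ---" -f $rules.Count, $outBlock.Count)
$outBlock | ForEach-Object { Format-FwRule $_ }

# 3) The per-profile defaults the thread argues about.
#    Profile types: 1=domain, 2=private, 4=public.
foreach ($profile in 1, 2, 4) {
    $outDefault = 'block'; if ($fw.DefaultOutboundAction($profile) -eq $NET_FW_ACTION_ALLOW) { $outDefault = 'allow' }
    $inDefault  = 'block'; if ($fw.DefaultInboundAction($profile)  -eq $NET_FW_ACTION_ALLOW) { $inDefault  = 'allow' }
    Write-Host ("profile {0}: inbound default={1} outbound default={2}" -f $profile, $inDefault, $outDefault)
}
```

On an unmodified Vista install the third section is where you settle the "default" argument for your own machine: it prints the inbound and outbound default action per profile straight from the policy object, so there is no need to argue from the label in the GUI.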
 
norm

Jesper said:
That article skirts reality by stating facts, and then stretching them into
conclusions that lie somewhere between half-truths, misleading statements, and
the type of near-lies that has proven so effective in shaping public policy
and selling copies of magazines.

[...]

I'm going to leave now and go move the moon a few degrees because it is
shining in my window and annoying me. That should be a simple task, sort of
like making outbound filtering stop malware that is already executing on my
computer from doing malicious things. While I am at it I think I'll go down
to the convenience store on the corner and ask the burglars there to just be
nice, sit still, and not steal anything until the Anti-Burglar patrol has an
updated set of signatures to detect them.

All sarcasm aside, are you saying that other than for appearances, the
vista outbound firewall has no user controlled functionality that is
worth bothering with? If so, then why bother with a user interface at
all (meaning the user enabled rules vs the default of no rules)? If the
user cannot be expected to figure out what is good or bad, then why give
him the choice? Are all existing outgoing firewalls prior to the vista
incarnation just smoke and mirrors in the way they provide for user input?
 
Guest

All sarcasm aside

What would be the fun in putting all the sarcasm aside? :)

Glad you got that much of it was overly sarcastic, though.

are you saying that other than for appearances, the
vista outbound firewall has no user controlled functionality that is
worth bothering with?

No, that is not at all what I am saying. What I am saying is four things:

1) By default, the Windows Vista firewall provides a sane set of rules that
are reasonable for many environments. There are many pre-defined rules that
have an impact by default. Many (most) services, for instance, are heavily
restricted.

2) The functionality provided by the Windows Vista firewall provides simple
(relatively speaking) centralized management ability of the types of
protection that is meaningful for a host-based firewall to provide. In fact,
building a meaningful rule-set that implements host isolation is simpler with
the Windows Vista firewall than with any prior product, at least that I have
used.

3) Yes, all prior existing outbound filtering host based firewalls are
purely smoke and mirrors. They provide no meaningful protection against
arbitrary malicious applications already running on the host. The fundamental
infrastructure to do so (integrity labels, User Account Control, and service
SIDs) does not exist in operating systems prior to Windows Vista.

4) The popular press has played, and continues to play, a crucial role in
steering customer perception away from things that actually help protect
people, and toward the smoke and mirrors functionality provided by the
after-market firewalls, including OneCare. I do not know why that is,
although I am conjecturing that it is because complaining about Microsoft
sells magazines, and actually stating that Microsoft did something right gets
you branded as a sell-out.

If so, then why bother with a user interface at
 
norm

Jesper said:
What would be the fun in putting all the sarcasm aside? :)

[...]

It may be that points 1 and 2 accurately reflect the Vista firewall
capability. I don't know, as I have not spent any time working with the
firewall. Point 3, however, leaves me wondering. Prior to ms entering
the outgoing firewall market, I don't recall that many previously
existing outgoing firewalls were described by nor accused by the
knowledgeable community of being smoke and mirrors. IOW, they did the
advertised job they were intended to do, and had they not, it would have
been reported as so. Now there seems to be a suggested paradigm shift
due to ms being in the market. As to point 4, ms has done many things
"right", but just as importantly, it has done some things "not so
right". I believe there is more to the reporting than only "it is
because complaining about Microsoft sells magazines". On any level, what
is different in substantiation as to what the magazines report vs the
statement you made earlier in the thread; "I can't speak on behalf of
Microsoft, but please accept my apologies for their giving you a
firewall that actually does a much better job at what a firewall can
meaningfully do than any other firewall on the market". I believe the
jury on both sides of the discussion is still out.
 
Guest

Point 3, however, leaves me wondering. Prior to ms entering
the outgoing firewall market, I don't recall that many previously
existing outgoing firewalls were described by nor accused by the
knowledgeable community of being smoke and mirrors.

There has been a small part of the community that has made that claim for a
long time. You may also recall that at one point Microsoft made the same
claim (when XP first came out, and again when XP SP2 came out).

IOW, they did the
advertised job they were intended to do, and had they not, it would have
been reported as so.

No, they did not. They never stopped malware from connecting out. If they
had the adware/spyware problem would never have been. Look back at what
happened. The vendors claimed that they would stop attackers. Yet, people got
themselves infested with spyware. Somehow the firewall vendors managed to pin
that one on MS, even though they kept making claims that they were solving
it.

The most they could do was stop things like Blaster from communicating out,
although I can't recall anyone ever being saved by that since the service
that Blaster attacked had a legitimate need to connect out and therefore
could not be stopped from doing so on most systems.

As to point 4, ms has done many things
"right", but just as importantly, it has done some things "not so
right".

Absolutely.

I believe there is more to the reporting than only "it is
because complaining about Microsoft sells magazines". On any level, what
is different in substantiation as to what the magazines report vs the
statement you made earlier in the thread; "I can't speak on behalf of
Microsoft, but please accept my apologies for their giving you a
firewall that actually does a much better job at what a firewall can
meaningfully do than any other firewall on the market". I believe the
jury on both sides of the discussion is still out.

I think the jury has gone home, personally. As for what is different in
substantiation, I have done some amount of research on the competition. Here
is what I have discovered:
1. Firewalls that ask the user each time they connect out quickly end up
having that functionality either turned off, or turned into a fast-clicking
exercise. Users do not understand the decisions they are asked to make and
make the only one they do understand: "Do you want this dialog to go away?"

2. The Windows Vista firewall (like the one in Windows XP SP2) is one of the
few that protects the system at boot. Most others do not. During the Blaster
epidemic machines would get infected one reboot in 12 even if they had the
firewall running. Protection at boot has proven FAR more important than
outbound filtering.

3. Manageability is critical. Network administrators must be able to define
a firewall policy and roll it out to a network with some assurance that
computers actually honor it.

4. Users should be users, not administrators. Decisions about unblocking
applications are administrative decisions that are either granted to users
(making them some form of administrator) or all users are made administrators
to enable them to answer pop-ups they do not understand.

5. The third-party firewalls make unsubstantiated claims they cannot
possibly live up to. The latest version of Symantec's product now claims it
"blocks online identity theft." McAfee's latest product allows you to "surf
the Web, shop, bank, e-mail and instant message safely and securely." Sorry,
but software cannot possibly ever do that. It can help you reach that goal,
but by itself, it cannot.
 
Guest

By the way, what about the problem I mentioned? ;-)

I don't know how to extract the configuration script of the firewall. But I
can try to explain the way I configured it.

In the extended configuration, outbound traffic was set to "block" for all
three profiles. Then rules were made for outgoing traffic. The English names
could differ:

1) "New rule" [NEXT]
2) "Program" [NEXT]
3) The path of the program was set [NEXT]
(e.g. %ProgramFiles%\Internet Explorer\iexplore.exe)
(e.g. %ProgramFiles%\Mozilla Firefox\firefox.exe)
4) "Allow connection" [NEXT]
5) All profiles were checked [NEXT]
6) The name of the rule was set

Last but not least . . .
7) Testing Internet Explorer: It can't connect to the Internet anymore.
8) Testing Mozilla Firefox: It can't connect to the Internet anymore.

So I have to reset outgoing traffic in the private profile to "allow".
Otherwise I can't browse the Internet anymore.

Vista Ultimate 64-bit was installed a few days ago. Besides the gaming
software "Steam" I've installed Avast! AntiVirus. There's no software
installed that could be the cause of the problem. And finally, the problem is
triggered by the Vista Firewall.

What the f... Do I have to reinstall Vista? I guess the problem will appear
again after reinstalling.


Finally, answers to replies that aren't part of the question:

Jesper said:
It does block outbound traffic by default.

That can't be right. Every piece of software that I use is able to send data
to the internet. In the extended configuration of outgoing connections,
"allow" is the default. It's even named "allow (default)". This fact is
confirmed by several discussions I found on the Internet, confirmed by
serious technical periodicals, and also confirmed by these Microsoft
discussion groups. It's a clear fact.

Jesper said:
Outbound blocking hostbased firewalls cannot block keystroke loggers

This is not right! I have some experience with keyloggers and I know that
software firewalls block keyloggers' attempts to send logfiles through the
internet. With open outbound traffic, every piece of software can send
anything. But perhaps it's even intended by Microsoft. It wouldn't be a
surprise.
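The eight-step procedure above (the same configuration as in the first post) can be done with netsh advfirewall, the command-line side of the Vista "extended configuration" snap-in, which also produces the text dump that was asked for earlier in the thread instead of screenshots. The following is an added example written for this page, not code from the thread or from Microsoft. It assumes 64-bit Vista with PowerShell installed, an elevated prompt, and browsers installed under the paths shown; those paths are assumptions. The check in step 3 follows the hint that "the programs are not identified properly": on 64-bit Windows a 32-bit browser lives under %ProgramFiles(x86)%, not %ProgramFiles%, so a rule can name a file that is never the one running. That is a check to run, not a diagnosis of this particular machine.

```powershell
# Added example, not from the thread: reproduce the poster's configuration
# with netsh advfirewall, then run the checks worth doing before concluding
# the firewall is broken. Assumes 64-bit Vista, PowerShell, an elevated
# prompt; the browser paths below are assumptions.

# 1) Block outbound on all three profiles; inbound stays blocked.
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

# 2) Allow the browsers out on all ports and all profiles. On 64-bit Windows
#    32-bit programs install under %ProgramFiles(x86)%, and the Start menu
#    "Internet Explorer" entry launches the 32-bit iexplore.exe, so a rule
#    written against %ProgramFiles% may name a file that never runs.
$candidates = @(
    "$env:ProgramFiles\Internet Explorer\iexplore.exe",
    "${env:ProgramFiles(x86)}\Internet Explorer\iexplore.exe",
    "${env:ProgramFiles(x86)}\Mozilla Firefox\firefox.exe"
)
$ruled = @()
foreach ($exe in $candidates) {
    if (Test-Path $exe) {
        $leaf = Split-Path $exe -Leaf
        netsh advfirewall firewall add rule name="Allow out - $leaf" dir=out action=allow program="$exe" enable=yes profile=any
        $ruled += $exe
    } else {
        Write-Warning "Not found, no rule added: $exe"
    }
}

# 3) Check: a program rule matches on the exact image path, so compare the
#    rule paths with the path of the browser that is actually running.
#    Start the browser first. WMI is used so 32-bit processes are seen too.
foreach ($p in Get-WmiObject Win32_Process -Filter "Name='iexplore.exe' OR Name='firefox.exe'") {
    $path = $p.ExecutablePath
    if ($ruled -contains $path) {
        Write-Host "OK      $path has an outbound allow rule"
    } else {
        Write-Host "MISSING $path is running but no rule names this path"
    }
}

# 4) Log dropped packets, retry the browser, then look at outbound (SEND) drops.
netsh advfirewall set allprofiles logging droppedconnections enable
$log = "$env:SystemRoot\system32\LogFiles\Firewall\pfirewall.log"
if (Test-Path $log) {
    Get-Content $log | Where-Object { $_ -match '^\S+ \S+ DROP .*SEND\s*$' } | Select-Object -Last 20
}

# 5) A text dump of the effective configuration is what "post a configuration
#    script" asks for; the .wfw export is the binary form you can re-import.
netsh advfirewall show allprofiles > "$env:USERPROFILE\Desktop\fw-profiles.txt"
netsh advfirewall firewall show rule name=all dir=out verbose > "$env:USERPROFILE\Desktop\fw-rules-out.txt"
netsh advfirewall export "$env:USERPROFILE\Desktop\fw-policy.wfw"

# 6) To put the private profile back to the Vista default while investigating:
# netsh advfirewall set privateprofile firewallpolicy blockinbound,allowoutbound
```

If step 3 prints MISSING for a running browser, the rule and the process disagree on the path and the rule never matches; if it prints OK and the log in step 4 still shows SEND drops for the browser, the dropped lines name the destination port and process path, which is the information the thread was missing from the screenshots.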
 
norm

Jesper said:
There has been a small part of the community that has made that claim for a
long time. You may also recall that at one point Microsoft made the same
claim (when XP first came out, and again when XP SP2 came out).


No, they did not. They never stopped malware from connecting out. If they
had the adware/spyware problem would never have been. Look back at what
happened. The vendors claimed that they would stop attackers. Yet, people got
themselves infested with spyware. Somehow the firewall vendors managed to pin
that one on MS, even though they kept making claims that they were solving
it.

The most they could do was stop things like Blaster from communicating out,
although I can't recall anyone ever being saved by that since the service
that Blaster attacked had a legitimate need to connect out and therefore
could not be stopped from doing so on most systems.


I think they jury has gone home, personally. As for what is different in
substantiation, I have done some amount of research on the competition. Here
is what I have discovered:
1. Firewalls that ask the user each time they connect out quickly end up
having that functionality either turned off, or turned into a fast-clicking
exercise. Users do not understand the decisions they are asked to make and
make the only one they do understand: "Do you want this dialog to go away?"

Hmmm. I wonder what recent ms security feature has been said to have the
same cause and effect issue? ;)
2. The Windows Vista firewall (like the one in Windows XP SP2) is one of the
few that protects the system at boot. Most others do not. During the Blaster
epidemic machines would get infected one reboot in 12 even if they had the
firewall running. Protection at boot has proven FAR more important than
outbound filtering.

I disagree. Obviously, one would want to stop any malware from ever
infecting a machine. But the whole purpose of an outbound firewall
should be to stop any outgoing traffic not ok by the user, or the
firewall defaults. Certainly if one does manage to get infected, and
that infector needs to call home or do whatever it must, then an
outbound firewall is the last means of protection.
3. Manageability is critical. Network administrators must be able to define
a firewall policy and roll it out to a network with some assurance that
computers actually honor it.

4. Users should be users, not administrators. Decisions about unblocking
applications are administrative decisions that are either granted to users
(making them some form of administrator) or all users are made administrators
to enable them to answer pop-ups they do not understand.

As far as your statement of admins being admins and users being users,
don't users still have the option to set rules over and above the
default settings for outgoing traffic with vista? What suddenly makes
the user smart enough to do such a thing now vs when he was deluged with
popups on the old, ineffective firewalls you describe as smoke and mirrors?
5. The third-party firewalls make unsubstantiated claims they cannot
possibly live up to. The latest version of Symantec's product now claims it
"blocks online identity theft." McAfee's latest product allows you to "surf
the Web, shop, bank, e-mail and instant message safely and securely." Sorry,
but software cannot possibly ever do that. It can help you reach that goald,
but by itself, it cannot.

Inserting "ms" in place of "McAfee", the following looks like this:
Microsoft's latest product allows you to "surf the Web, shop, bank,
e-mail and instant message safely and securely." Look somewhat familiar?
Actually, one could insert just about any virus/malware prevention
provider name in place of McAfee and the statement could define what
they promise. And finally, what, before this Vista firewall security
breakthrough, did you use for outgoing protection? Or did you just now
become convinced that, finally, an app has appeared that will provide
ultimate protection and you can now use one? I still say the jury is out.
 
Guest

No hints? :-(

I've asked Microsoft by phone, but they asked me if I bought the OEM
version ... then I have to call an expensive phone number. I guess if I call
this number I'll have costs but no solution.
 
Captain Roberts

Curt said:
No hints? :-(

I've asked Microsoft by phone, but they asked me if I bought the OEM
version ... then I have to call an expensive phone number. I guess if I call
this number I'll have costs but no solution.


Check out this trial software from Symantec. If any of it meets your
needs you can purchase it. If not, just uninstall it. Make sure you do a
complete backup of your system before you install any of these products as
the removal of trial software from Symantec is not that great.


http://shop.symantecstore.com/store...ge/ThemeID.106300/Software/categoryID.6272000
 
Captain Roberts

Correction on my last post. You can only pick NIS 2007 as the others are not
Vista compatible.
 
Rock

Curt said:
No hints? :-(

I've asked Microsoft by phone, but they asked me if I bought the OEM
version ... then I have to call an expensive phone number. I guess if I call
this number I'll have costs but no solution.

What problem?
 
Guest

Hello,

you can read the description of the problem in the first post.

Short: Outgoing traffic was blocked in the extended configuration for all
profiles. Rules were defined for all profiles to allow Internet Explorer and
Mozilla outgoing traffic. So it should work, but it doesn't. The browsers
can't communicate through the firewall. So I have to leave all outgoing
traffic open.
 
Rock

Curt said:
Hello,

you can read the description of the problem in the first post.

Short: Outgoing traffic was blocked in the extended configuration for all
profiles. Rules were defined for all profiles to allow Internet Explorer and
Mozilla outgoing traffic. So it should work, but it doesn't. The browsers
can't communicate through the firewall. So I have to leave all outgoing
traffic open.

You are using the awful web interface. Many people, including me, use a
newsreader to access what are actually Usenet newsgroups. We only download
the latest posts, so the previous messages might not be visible. It is
standard protocol to quote at least a portion of the message to which you
reply to keep the context. Sorry I don't have a resolution for your issue.
 
