Lars said:
> On Mon, 03 Jan 2005 15:31:58 -0500, Triffid spoketh
> Please provide examples of unsolicited traffic that the Windows firewall
> claims to have blocked but which in fact it has not.
I fail to see the relevance of solicited vs. unsolicited traffic to the
issue I raised.
The firewall permits inbound FTP data connections by default, but does
not display an exception for FTP by default, i.e. there is at least one
invisible "permit" rule built in. The firewall raises a Windows Security
Alert when traffic is permitted by the invisible rule.
The Alert says "Windows Firewall has blocked this program from accepting
connections...", which is misleading because it has in fact permitted
the connection - apparently by design.
The responses to my post suggest people here don't consider this
behavior problematic, but it makes me distrust the software - so I dug a
little deeper to see if my unease is justified. Turns out it is.
I clicked "Unblock" on the Alert window, which added a visible exception
for the Windows FTP client with unlimited scope. This is reasonable
behavior, although it would be nice if the user were prompted for scope
given that the FTP data connection which raised the alert was from a
server on the local subnet.
FTP continues to function after adding the exception; the exception
merely stops the spurious alerts (as expected).
Next I constrained the FTP exception's scope to "Custom list" and
specified a single RFC1918 IP address which is *not* on my local subnet,
i.e. I configured the firewall to permit FTP data connections from one
unreachable IP address *only*.
Guess what?
Active mode FTP still works to all servers, regardless of their IP
address. I then changed the scope to "My network (subnet) only". Same
result, i.e. restricting scope has no effect.
In summary:
- Windows Firewall has a default exception for FTP, with unlimited
scope, but it is not shown on the default exception list.
- Windows Firewall raises spurious FTP alerts unless a visible FTP
exception is added.
- Changes to the FTP exception scope have no effect. Scope is unlimited
regardless of configured scope.
Microsoft has already released a patch to fix exception scope on dialup
connections. Given the above, one wonders how many more invisible
exceptions and broken scope restrictions remain to be discovered.
Triffid