Windows Firewall drops packets even when behind a hardware firewall

Guest

I recently enabled the Windows Firewall log and being behind a "locked down"
NAT Router, I expected to see nothing. A few days later I noticed a bunch of
dropped TCP packet entries and thought something was wrong with the router.

Here are a few examples:

2006-04-24 09:47:02 DROP TCP 63.101.150.68 172.16.64.57 80 1177 263 AP 2535659266 1617252021 33120 - - - RECEIVE

2006-04-24 09:47:17 DROP TCP 66.39.107.246 172.16.64.57 80 1183 1500 A 823588747 677492962 65535 - - - RECEIVE

2006-04-24 09:49:11 DROP TCP 209.62.176.182 172.16.64.57 80 1233 48 SA 1216910770 43087295 17520 - - - RECEIVE

2006-04-24 09:51:49 DROP TCP 64.154.81.197 172.16.64.57 80 1246 301 AP 4063871258 2431426759 32767 - - - RECEIVE

2006-04-24 09:54:24 DROP TCP 207.142.131.203 172.16.64.57 80 1313 48 SA 1643399492 3961982485 5840 - - - RECEIVE

I checked another PC at a completely different location behind a completely
different firewall and noticed the same sort of thing. I'm pretty sure that
these entries are coincident with websurfing. Sometimes the source IPs
correspond to sites visited at that time, some not, some I can't tell.

Can anyone explain this to me?
 
Guest

NAT will drop connections that are not initiated from behind the NAT device.

The entries you are seeing in your firewall log would have been part of a
connection initiated from behind the NAT device or in layman's terms, from
your computer.

These connections are allowed by the NAT device as they correspond to an
initial connection made from behind the NAT device, but Windows firewall has
decided to drop them based on its own criteria.
 
Guest

Thanks for chiming in.

I just want to make sure I fully understand: The PC makes a request to a
site so the NAT Router lets the answer from the site through, but Windows
Firewall is deciding that some of that answer is unsolicited?

It would seem then that the Windows Firewall is more sophisticated than
people give it credit for. At the very least, it would seem a really bad idea to
disable it even when you are behind a hardware firewall. :)

Can you think of an example of what/why the Windows Firewall would be dropping?
I just hit tomshardware.com for example and it logged a handful of dropped
packets....
 
Guest

The PC makes a request to a site so the NAT Router lets the answer from the
site through, but Windows Firewall is deciding that some of that answer is
unsolicited?

Correct about the NAT part. Why Windows firewall is dropping some packets is
hard to know; the logging isn't great...

Does anyone know how to look at the Windows firewall rule base?
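
The five log entries quoted in the first post, run through a small parser, as an added example that is not part of the thread. It assumes the field order of the log's `#Fields:` header; the labels and the port-1024 heuristic are the example's own and describe only what the logged header fields show, not the rule Windows Firewall applied.

```python
import ipaddress
from collections import Counter

# Assumed field order, as given by the "#Fields:" header of pfirewall.log.
FIELDS = ("date time action protocol src_ip dst_ip src_port dst_port size "
          "tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path").split()

# The five entries from the first post, each rejoined onto one line.
SAMPLE = """\
2006-04-24 09:47:02 DROP TCP 63.101.150.68 172.16.64.57 80 1177 263 AP 2535659266 1617252021 33120 - - - RECEIVE
2006-04-24 09:47:17 DROP TCP 66.39.107.246 172.16.64.57 80 1183 1500 A 823588747 677492962 65535 - - - RECEIVE
2006-04-24 09:49:11 DROP TCP 209.62.176.182 172.16.64.57 80 1233 48 SA 1216910770 43087295 17520 - - - RECEIVE
2006-04-24 09:51:49 DROP TCP 64.154.81.197 172.16.64.57 80 1246 301 AP 4063871258 2431426759 32767 - - - RECEIVE
2006-04-24 09:54:24 DROP TCP 207.142.131.203 172.16.64.57 80 1313 48 SA 1643399492 3961982485 5840 - - - RECEIVE
"""

def parse(line):
    """Split one log line into a dict; return None for headers or short lines."""
    parts = line.split()
    if line.startswith("#") or len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    for key in ("src_port", "dst_port", "size"):
        rec[key] = int(rec[key]) if rec[key].isdigit() else None  # "-" -> None
    return rec

def classify(rec):
    """Label a dropped inbound TCP entry using only its logged header fields."""
    if (rec["action"], rec["protocol"], rec["path"]) != ("DROP", "TCP", "RECEIVE"):
        return "other"
    flags = set(rec["tcpflags"])  # letters such as S, A, P, F, R
    if "S" in flags and "A" not in flags:
        return "inbound-connection-attempt"  # bare SYN: someone opening a connection
    sport, dport = rec["src_port"], rec["dst_port"]
    local = ipaddress.ip_address(rec["dst_ip"]).is_private
    # ACK set, from a service port to a high client port on a private address:
    # shaped like a server's answer that no longer matched tracked state.
    if "A" in flags and local and None not in (sport, dport) and sport < 1024 <= dport:
        return "reply-without-state"
    return "unclassified"

def summarize(text):
    """Count labels over every parseable line in a log excerpt."""
    recs = filter(None, (parse(line) for line in text.splitlines()))
    return Counter(classify(r) for r in recs)

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

All five quoted entries carry the ACK flag and come from port 80 to a high port on the private address, so none of them is a new inbound connection attempt.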
 
