The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

  • My badges

  • Twitter Updates

  • My Flickr Stream

  • Pages

  • All categories

  • Enter your email address to subscribe to this blog and receive notifications of new posts by email.

    Join 1,440 other followers

Windows Firewall: Block rules take precedence over Allow rules

Posted by jpluimers on 2018/05/07

Reminder to self for Windows Firewall: Block rules take precedence over Allow rules (see * below as actually it is even more complex); [WayBackFirewall Rule Properties Page: General Tab has

Firewall rules are evaluated in the following order:

  1. Allow if secure with Override block rules selected in the Customize Allow if Secure Settings dialog box.
  2. Block the connection.
  3. Allow the connection.
  4. Default profile behavior (allow or block as specified on the applicable Profile tab of the Windows Firewall with Advanced Security Properties dialog box).

Within each category, rules are evaluated from the most specific to the least specific. A rule that specifies four criteria is selected over a rule that specifies only three criteria.

Which means that this will block TCP port 1024 traffic to bar.exe:

The Block rules are inserted by Windows if you click “Cancel” on a dialog like this (note the lowercase path, despite the application being at C:\Program Files (x86)\Foo\Bar.exe):

The problem is that the “Windows Firewall with Advanced Security” does not refresh with the F5, so initially you will not see the Block rules. Only after a manual refresh through the context menu helps:

After that, you disable the rule (or delete it, but then Windows will re-add it when you restart the application and cancel out of the dialog), then the Allow rule will take effect:

* Precedence is even more complex

Actually the precedence is even more complex, as explained by [WayBackOrder of Windows Firewall with Advanced Security Rules Evaluation, the order is this:

  1. Windows Service Hardening
  2. Connection security rules.
  3. Authenticated bypass rules.
  4. Block rules.
  5. Allow rules.
  6. Default rules.

–jeroen

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

 
%d bloggers like this: