Vista firewall not blocking outbound traffic despite explicit rules to do so

"Martin Hueser" <hueser@gmx.net> wrote in message
news:4977C2C6-47C1-4FE7-9561-3F2708C65B82@microsoft.com...

> Maybe the rules are in the wrong profile? Vista distinguishes three
> network profiles, public, private and domain. Each can have different
> firewall rules. Look in the "Network and Sharing Center" to see which
> profile is active.

The rules are set for all three profiles.

Roof Fiddler;166750 Wrote:

> "Martin Hueser" <hueser@gmx.net> wrote in message
> news:4977C2C6-47C1-4FE7-9561-3F2708C65B82@microsoft.com...

> > Maybe the rules are in the wrong profile? Vista distinguishes three
> > network profiles, public, private and domain. Each can have different
> > firewall rules. Look in the "Network and Sharing Center" to see which
> > profile is active.

> The rules are set for all three profiles.

Check the following settings:
01. Open the Firewall GUI and select "Windows Firewall Properties"
(hyperlink styled text) from the (center)main page.
02. Check if the setting "Outbound connections" (drop-down button) in
section "State" is set to "Block". Otherwise do so...

IMPORTANT NOTE: please keep in mind that by performing this action, all
outbound traffic without explicit rules to allow outbound traffic will
be blocked. Including Windows Update etc. For all the application you
should make seperate rules allowing them to connect...

Good luck!


--
ABoyCalledSilly

- windows vista ultimate 64-bit en
---------------------------------------
- cooler master stacker 830
- asus p5b deluxe
- conroe e6600
- 2x corsair memory (twin2x2048-8500c5)
- 3x seagate barracuda 7200.10, 320gb (sata ii, 16mb)
- ati sapphire x1950 pro
- creative x-fi xtreme gamer
------------------------------------------------------------------------
ABoyCalledSilly's Profile: http://www.vista64.net/forums/member.php?userid=1371
View this thread: http://www.vista64.net/forums/showthread.php?t=35645

"ABoyCalledSilly" <ABoyCalledSilly.2ljrrc@no-mx.forums.net> wrote in message
news:ABoyCalledSilly.2ljrrc@no-mx.forums.net...

> Check the following settings:
> 01. Open the Firewall GUI and select "Windows Firewall Properties"
> (hyperlink styled text) from the (center)main page.
> 02. Check if the setting "Outbound connections" (drop-down button) in
> section "State" is set to "Block". Otherwise do so...
>
> IMPORTANT NOTE: please keep in mind that by performing this action, all
> outbound traffic without explicit rules to allow outbound traffic will
> be blocked. Including Windows Update etc. For all the application you
> should make seperate rules allowing them to connect...

But I don't want to block all traffic by default. (Well actually I do, but I
gave up in frustration while trying to do that months ago while running RC1
and RC2 because Vista wouldn't honor my rules to allow certain outbound
connections.)
I need to block particular programs from initiating outbound connections,
not block all programs.

Roof Fiddler;171113 Wrote:

> "ABoyCalledSilly" <ABoyCalledSilly.2ljrrc@no-mx.forums.net> wrote i
> messag
> news:ABoyCalledSilly.2ljrrc@no-mx.forums.net..

> > Check the following settings
> > 01. Open the Firewall GUI and select "Windows Firewall Properties
> > (hyperlink styled text) from the (center)main page
> > 02. Check if the setting "Outbound connections" (drop-down button) i
> > section "State" is set to "Block". Otherwise do so..

>

> > IMPORTANT NOTE: please keep in mind that by performing this action

> al

> > outbound traffic without explicit rules to allow outbound traffi

> wil

> > be blocked. Including Windows Update etc. For all the application yo
> > should make seperate rules allowing them to connect..

>
> But I don't want to block all traffic by default. (Well actually I do
> but
> gave up in frustration while trying to do that months ago while runnin
> RC
> and RC2 because Vista wouldn't honor my rules to allow certain outboun
> connections.
> I need to block particular programs from initiating outboun
> connections
> not block all programs

Ok, now i understand completely... frustrating situation ;

Can you specify the "rules it wouldn't honor"? Maybe there's a solutio
around the corner :

Another option is using your Hostfil
(C:\Windows\System32\drivers\etc\hosts). Have you tried using it

Example: suppose a certain application tries to connect to a specifi
url/ip. Entering the following lines (use notepad or something) in you
hostfile will redirect all traffic to ip 127.0.0.1 (local
127.0.0.1 'www.domainname.com' (http://www.domainname.com
127.0.0.1 update.domainname.co
127.0.0.1 123.456.789.

Good luck

--
ABoyCalledSill

- windows vista ultimate 64-bit en
---------------------------------------
- cooler master stacker 830
- asus p5b deluxe
- conroe e6600
- 2x corsair memory (twin2x2048-8500c5)
- 3x seagate barracuda 7200.10, 320gb (sata ii, 16mb)
- ati sapphire x1950 pro
- creative x-fi xtreme game
-----------------------------------------------------------------------
ABoyCalledSilly's Profile: http://www.vista64.net/forums/member.php?userid=137
View this thread: http://www.vista64.net/forums/showthread.php?t=3564

"ABoyCalledSilly" <ABoyCalledSilly.2lmfzu@no-mx.forums.net> wrote in message
news:ABoyCalledSilly.2lmfzu@no-mx.forums.net...

> Ok, now i understand completely... frustrating situation
>
> Can you specify the "rules it wouldn't honor"? Maybe there's a solution
> around the corner

Outbound rule:
name: "block network for adobe reader"
profile: any
enabled: yes
action: block
program: %ProgramFiles%\Adobe\Reader 8.0\Reader\AcroRd32.exe
local address: any
remote address: any
protocol: any
local port: any
remote port: any
allowed computers: any
properties\programs and services\services\settings\apply this rule as
follows: apply to all programs and services
properties\advanced\profiles: all profiles
profiles\interface types\customize\This rule applies to connections on the
following interface types: All interface types

I have one such rule for every EXE in the %ProgramFiles%\Adobe directory
(six EXEs total), including AcroRd32.exe.

Yet when I run the program and tell it to check for updates over the
internet, it does so with no problem.

Not that it should matter, since those outbound rules I have in place should
cover all cases, but my active profile is Public, and I have inbound
connections blocked by default and outbound allowed by default. I'm running
RTM, UAC is enabled, and I'm using an administrative account. I don't have
any firewall software installed other than the default one included with
Vista, and I don't have any configuration complications which I could
imagine might be causing my problem. I know that specifying the programs
using the pathname %ProgramFiles%\Adobe\Reader 8.0\Reader isn't the problem
because Vista itself chose to specify it that way; I just used the New
Outbound Rule wizard to create the rules, and selected the programs using
the file dialog box.

> Another option is using your Hostfile
> (C:\Windows\System32\drivers\etc\hosts). Have you tried using it?

That won't work because I'm not trying to block all programs from accessing
particular sites, but block particular programs from accessing any sites.

In the followin directory is a AdobeDownloadManager :

\Program Files\Common Files\Adobe\ESD\

Maybe it is doing the update downloading?

"sd321" <sd321@discussions.microsoft.com> wrote

> In the followin directory is a AdobeDownloadManager :
>
> \Program Files\Common Files\Adobe\ESD\
>
> Maybe it is doing the update downloading?

On this installation it's in \Program Files\Common Files\Adobe\Udater5
AdobeUpdater.exe is the file.

--
Rock [MVP - User/Shell]

"Rock" <rock@nospam.net> wrote in message
news:%23vv91lVTHHA.1228@TK2MSFTNGP06.phx.gbl...

> "sd321" <sd321@discussions.microsoft.com> wrote
>

>> In the followin directory is a AdobeDownloadManager :
>>
>> \Program Files\Common Files\Adobe\ESD\
>>
>> Maybe it is doing the update downloading?

>
> On this installation it's in \Program Files\Common Files\Adobe\Udater5
> AdobeUpdater.exe is the file.

That was it! Thanks an bunch.
Now I have another question. If this is how Vista works, then doesn't it
mean that outbound rules are useless as a security measure on a system where
outbound connections are allowed by default? If a program finds that it
can't get a connection, all it has to do is create a new .exe file and then
run it, and the new .exe can get to the network. That means on Vista, in
order to have outbound security, you have to disallow outbound connections
by default and add rules to allow connections for particular trusted
programs.
Wouldn't it make more sense for an outbound rule for a program to apply not
to the program, but to all _processes_ started from that program? (And of
course to children of that process too.) That would solve the problem, and
allow outbound connections to be allowed by default without allowing blocked
programs to get around the rules this way.