Sometimes it turns out that when carrying out the next project, I accidentally discover some circumstances that, it seems, no one is hiding, you can even find documentation that explains the essence... But many, including me, are captive of misconceptions, so they don’t look for that documentation, relying on a completely incorrect picture of the world. I already have a whole series of articles planned, in which I simply report that everything, it turns out, is not what many (including me) thought. I had an article about DMA, there was an article about the performance of the PCI Express bus. This same series includes an article about configuration ROMs for Altera FPGAs. Today I would like to tell you a few words about the work of the Windows Firewall, or, as it is called in the Russified OS, the firewall. In general, this is a very good thing, but in particular... It turns out that by default it works in a rather interesting mode. As they say: “But the boys don’t even know.” So, let's start to figure out what's what.
Introduction
First, I will explain the essence of the problem that I solved.
I needed to check how correctly the next board works with our All Hardware service. But not the one I tested in one of the previous articles, but a more sophisticated one, with a Xilinx FPGA. What is the All Hardware service? This is a site where the user goes, logs in and receives a list of various boards physically located on the server. Why is he doing this? To work with the board without buying it. For example, to see if it suits him, or just to practice working with a specific controller. The boards are provided by manufacturers, and the service provides a time-limited session of working with them. The user selects a board from the list and receives three things: an IP address, a port number, and video from a camera that looks at this breadboard. In fact, you can still forward ports via SSH, but I’m not an expert in them. In my part - exactly the address, port and video.
Next, the user in the development environment, which is located on his local machine, must select a remote debugger (for most environments this is the good old GDB, for Cale it is more perverted, but if you are interested, you can make a separate article about this, this does not apply to the firewall). The issued IP and port are entered there, after which you can start a remote debugging session, focusing on what is happening with the board based on the picture from the camera and the ports forwarded through SSH.
Thus, anyone can experience working with various development boards without purchasing them. In this case, as in the case of Redd, the development environment and source codes are located on the local machine. Only the binary code goes to the server. But after the work session expires, the automation erases the ROM, so the next user will no longer be able to read the code.
So, back to the topic of the article. Which side of the firewall is this? It's simple. I had to work with Xilinx FPGAs. And their development environment officially has the WebTalk function. I absolutely didn’t want it to report my actions “where it should be,” so the environment was installed on a non-networked machine. Even if she really wanted to, her arms are short. There is no physical channel and that's it! But the concept of the All Hardware service is that there must be a network. To check, the car had to be temporarily connected to a wire (in fact, the lack of a network is more of a habit; there’s nothing interesting on that car anyway). What to do? Step on the throat of your paranoia? Well, I do not! I decided to limit the list of allowed addresses to the development environment so that it could only work with localhost and the All Hardware server. I don’t know what will happen next, but now the All Hardware server has the same IP address. It's just that new ports are issued from session to session. So, the goal is clear, let's begin implementation.
Fixing the main flaws of Windows 10 with Comodo Firewall and simplewall
Reward accrued
This material was written by a site visitor and was compensated for.
Windows 10 was released back in 2020, and most of its flaws and shortcomings have long been corrected, weak points have been improved, and some controversial solutions have been completely removed. The flow of criticism has noticeably decreased over the past couple of years, and Microsoft itself has stopped chasing innovations and focused on the stability of Windows 10.
A clear example of this is the very careful and slow rollout of version 1903. There will also be few changes in version 19H2 (1909), which is coming out soon. The emphasis is on polishing the existing functions and taking care of the user experience.
One of the main disadvantages of Windows 10 was and is considered to be the increased activity of the system, which goes about its business, and not the needs of the user. Telemetry, which loads the processor and slows down the hard drive, is a prime example of this.
The second drawback, which at the beginning caused a flurry of criticism, was the Windows 10 update system. Ten was updated whenever it wanted, not particularly interested in what the user was doing at the moment.
Microsoft has dealt with this problem very seriously, and now updates can be postponed for a while using Windows 10 itself.
I used to love modifying Windows 10 with tweakers, disabling updates and making a bunch of changes. Now I have radically changed my approach to tweaks and modifications. I hacked Windows 10 using MSMG ToolKit and Dism++, and used tweakers Destroy Windows 10 Spying and O&O ShutUp10.
But after analyzing the resources expended, the time and the results obtained, I abandoned it. No matter how you slice Windows 10, you won’t be able to see any performance gains, but the loss of stability and the reduction in time before reinstallation are very noticeable.
Popular utilities turned out to have a flaw: DWS (Destroy Windows 10 Spying) is practically a Trojan of murky origin, caught installing a root certificate into the system.
In general, now I decided to interfere minimally with the operation of Windows. But is it possible to solve the two problems I described above in minimal ways? It turns out it is possible. And in almost 2 clicks, simultaneously receiving additional useful effects.
announcements and advertising
2080 Super Gigabyte Gaming OC for 60 rubles.
Compeo.ru - the right comp store without any tricks
RTX 2060 becomes cheaper before the arrival of 3xxx
Ryzen 4000
series included in computers already in Citylink
The price of MSI RTX 2070 has collapsed after the announcement of RTX 3xxx
Core i9 10 series is half the price of the same 9 series
The price of memory has been halved in Regard - it’s more expensive everywhere
In short, I will restrict Internet access to Windows itself, while leaving the Internet for programs to run. This immediately solves the problem of updates, now they are under your complete control. Telemetry also suddenly stops when Windows thinks there is no Internet access.
Additionally, we get system protection from many Trojans, data leaks, hidden miners, and so on. When our Internet is based only on white lists, you can immediately see who wants to get out there.
I tried two tools for this: the open source firewall program simplewall and the very advanced free firewall Comodo Firewall .
Simplewall on github, open source gives full confidence in the program. Comodo Firewall website. Comodo has long been known for its safety products and there are no complaints about it.
An important digression. Nowadays, when trying to get to the website of some software product, using the first search links, with a 90% probability you will end up on the wrong sites. Therefore, I first look for a description of the program on Wikipedia and there I already look at the link to the site. Try, for example, with the popular WinRAR archiver. The first three links are not the developer's site.
***
First I’ll tell you about simplewall. Comodo Firewall is more complex, but more flexible and can provide unrivaled security against malware.
After downloading simplewall from the link, feel free to install it. You will only need the “enable filtering” button. After enabling it, any application accessing the Internet will ask permission. Feel free to block system services, after which the system will think that the computer does not have access to the Internet. That's it, you are again the full owner of your computer.
Now the Windows 10 update process will look like this: disable filtering in simplewall and click the “check for updates” button. If you make a backup of the system disk before doing this, then even an unsuccessful update can be easily rolled back. The advantage of delayed installation of updates is that within a couple of weeks from their release, problems in them are corrected.
This is what my list of allowed programs looks like.
And so, prohibited.
Do you see everyone’s “favorite” CompatTelRunner.exe there? Now he doesn't pose a problem.
If you wish, you can go deeper into the program settings; there are rules for system services and applications, but simple filtering is enough for me.
Program lists can be exported and imported, which is very convenient. All kinds of malware and programs that leak personal data are now left out of business.
***
Now about Comodo Firewall. It is more complicated, but exploring its possibility is extremely useful. It easily provides a whitelist of programs not only for accessing the Internet, but also for launching them. This is a very powerful tool for fighting viruses and Trojans. They simply won’t start or won’t retrieve a malicious module from the Internet. You can run any repacks without fear.
Program features:
- Firewall
- Proactive Defense
- Protection against Internet attacks
- Buffer overflow protection
- Protection against unauthorized access
- Protect important system files and registry entries from internal attacks
- Detecting a buffer overflow that occurs in HEAP memory
- Detection of ret2libc attacks
- Detection of broken/bad SEH chains.
In the Comodo Firewall firewall settings, you need to select “custom ruleset”. Now programs will ask permission.
CCleaner decided to update. We forbid it, after the scandal with the collection of statistics, there is no trust in him.
We edit the rules for system applications and updates, and that’s it: the computer is completely under our control.
But the main feature of Comodo Firewall is application rules or HIPS. After enabling “paranoid mode”, any program will ask permission to run and modify files or the registry.
We process it as a rule and forget about it. The set of prohibitions and permissions is very flexible.
After spending a couple of hours on our set of programs, we get a system that will not let through any malware, even if it is not yet in the anti-virus databases.
Spend a few hours learning Comodo Firewall, you won't regret it. As a result, you have the most secure system with full control of system activity and updates. You can even block the OSD of the volume control.
All of the above will also work for Windows 7. Especially when it runs out of support (in 4 months) and becomes vulnerable to new malware.
Try it, experiment. Write in the comments how you solve the problem of Windows 10 security and activity.
Which firewall should I use?
I used Outpost Firewall on Windows XP and Windows 7.
This is a domestic development. Very reliable and convenient. I even bought myself a lifetime license for three cars. Once this firewall helped me identify a Trojan that no antivirus had seen. When I managed to take the file with the body of the virus, I fed it to several antiviruses supplied on LiveCD. No one noticed anything suspicious. And my firewall was simply in paranoid mode, which is how I learned about the suspicious activity of the program. Everything was fine until the manufacturer of this firewall closed under strange circumstances. After that, I became very sad. I was so sad that my main laptop still has 7 with Outpost, since I didn’t look for a replacement. But the Xilinx development environment wants a ten! Wonderful! So, it’s time to master working with the firewall built into this OS!
We all know that when some program tries to access the network, this standard firewall asks us whether to allow it to access the network or not. We can prohibit it immediately, or we can uncheck the permission box later; there are a lot of guides on this on the Internet. These are the checkboxes:
Everyone knows this. But what is the value of this knowledge? I will omit my thoughts that overwhelmed me when reading a lot of the same type of articles “how to block an application from accessing the network”, which do not tell how not to ban it, but only to limit it. I’d rather show my conclusions using an example specially made for this purpose. Let's write two simple console applications.
Download Windows Firewall Control
I recommend downloading this program and the crack from its official website...
Don’t worry that the website of the program’s manufacturers is in English - everything will be fine, I’ll show and tell you everything now.
So, first download the Windows Firewall Control program itself by clicking on the link on the main page...
After that, download the Windows Firewall Control cracker.
Server
The first application will pretend to be a server. It receives UDP packets that contain strings and displays them on the screen. So that we are talking about the same thing, here is its source text in C++: #include #include #include // Need to link with Ws2_32.lib #pragma comment (lib, "Ws2_32.lib") #define DEFAULT_BUFLEN 16 int main(int argc, char** argv) { if (argc != 2) { printf("usage: ServerTest.exe port"); return -1; } WSADATA wsaData; WSAStartup(MAKEWORD(2, 2), &wsaData); // The socket address to be passed to bind sockaddr_in addr; addr.sin_family = AF_INET; addr.sin_addr.s_addr = INADDR_ANY; addr.sin_port = htons((u_short)strtoul (argv[1],0,0)); SOCKET sock = socket(AF_INET, SOCK_DGRAM, 0/*IPPROTO_UDP*/); bind(sock, (struct sockaddr*) &addr, sizeof(addr)); while (true) { struct sockaddr from; int len = sizeof(from); char buf[DEFAULT_BUFLEN]; memset(buf, 0, DEFAULT_BUFLEN); recvfrom(sock, buf, DEFAULT_BUFLEN-1, 0, &from, &len); printf(buf); } return 0; } We run this program, passing the port number as an argument (say, 1234) and predictably receive a request from the firewall:
Let's allow him network activity... Let him wait for now, and we'll write the client part in the form of another EXE.
Installation
The installation process does not require special skills. You just need to run the installer with elevated rights. It should be mentioned that the program will create shortcuts in all main sections and automatically record itself in startup. This will allow it to turn on after each system start. Once Windows Firewall Control starts, it does not open any windows, but simply displays an icon in the system tray. By double-clicking on it, you will see a panel on the screen that can be used to select the filtering level, perform configuration, or use other built-in tools.
Client
Let our client send strings with a spinning stick to the server. Here is its text: #include #include #include #include "Windows.h" // Need to link with Ws2_32.lib #pragma comment (lib, "Ws2_32.lib") #define DEFAULT_BUFLEN 16 int main(int argc, char* * argv) { if (argc != 3) { printf("usage: ClientTest.exe address port"); return -1; } WSADATA wsaData; WSAStartup(MAKEWORD(2, 2), &wsaData); struct sockaddr_in server, client = { AF_INET,INADDR_ANY,INADDR_ANY }; memset(&server, 0, sizeof(server)); server.sin_family = AF_INET; server.sin_port = htons((u_short)strtoul (argv[2],0,0)); InetPton(AF_INET, argv[1], &server.sin_addr.s_addr); SOCKET sock = socket(PF_INET, SOCK_DGRAM, 0); bind(sock, (sockaddr*)& client, sizeof(client)); for (int i=0;;i++) { static const char* sticks[] = { “\\\r”,”|\r”,”/\r”,”-\r” }; sendto(sock, sticks[i%4], strlen(sticks[i%4])+1, 0, (sockaddr*)& server, sizeof(server)); Sleep(250); } } We launch it by specifying the server address and the port that the server had (for me it’s 192.168.1.95 and 1234), after which a slightly different wand than I wanted, but still a wand, starts running in the server window:
But what worries me is not that the “\r” character does not return the carriage to the beginning of the line, but that the client is a separate process... Launched from a completely separate file!.. And the firewall did not ask me for permission to allow its network activity. Instead, he resolved it himself, without even informing me that the program would go anywhere. How so?
Repacks from elchupacabra
Windows Firewall Control (Repack) -
a small utility that provides the user with comfortable access to the most commonly used options of the built-in firewall of Windows operating systems.
The built-in Firewall tool, which is implemented in Windows operating systems, is unfortunately not convenient enough to configure and manage, which makes it difficult for especially inexperienced users to use all its capabilities. However, with the help of the application, even a beginner who does not know the technical intricacies of PC administration will be able to configure his network barrier to the most optimal parameters. After installation, the program is placed in the system tray (context menu), from where various firewall options are effectively managed. For example, you can quickly allow/deny other programs to access the network, configure additional rules, view current active network connections, import/export policies, and much more. Windows Firewall Control has several traffic filtering modes:
• High level - all outgoing connections are blocked, preventing you from connecting to your PC. • Medium level - connections that do not comply with the rule you set are blocked, and the rest work without restrictions. • Low level - connections are allowed that even do not match the rule, but you have the ability to block applications to prevent outgoing connections. • Disable Windows Firewall - Windows Firewall is completely disabled (not recommended for use).
Features of the Windows Firewall Control repack:
1. Installation of the program or unpacking of the portable (portable app format) version combined in one distribution package 2. Components responsible for collecting and sending user data have been removed 3. Multilingual interface (including Russian /with edits lrepacks.ru/) 4. Optional installation of rules recommended by the program 5. Picks up the external settings file settings.reg (if located next to the installer)
ATTENTION!!! There may be a slight FALSE detection on the bootloader of the portable version.
Previous version under the BiniSoft brand
Windows Firewall Control 5.4.1.0 (Repack & Portable)
—
3.1Mb
(turbobit)/
Mirror
(katfile) /
Mirror
(up-load) /
Mirror
(uploadrar)/ Attention! You do not have permission to view hidden text.
System requirements: Windows 7/8/8.1/10
File size: 2.1Mb
Visit: OFFICIAL SITE
Download Windows Firewall Control 6.4.0.0 (Repack & Portable): from Turbobit
Download Windows Firewall Control 6.4.0.0 (Repack & Portable): from Katfile
Download Windows Firewall Control 6.4.0.0 (Repack & Portable): from Up-load
Download Windows Firewall Control 6.4.0.0 (Repack & Portable): from Uploadrar
Direct download links (upload.ee / Yandex Disk) are available only for the “Patron” group (What is Premium?).
A little theory about firewall operating modes
Here we come to the essence of the article.
By default, the Windows firewall allows all outgoing connections unless they are explicitly denied. That is, they won’t be able to connect to us from the outside, but if some program has penetrated our machine (or we installed it voluntarily), it may well send whatever it wants, and no one will forbid it by default!
Actually, here is the corresponding firewall setting:
Everything that is not prohibited is permitted. An application can be explicitly prevented from being active. This is exactly what a huge number of articles on the Internet are devoted to... But the Trojan will climb onto our machine unnoticed, we will not even guess that it is the one that needs to be added to the prohibited applications. Again, this does not solve my problem stated in the introduction of the article. I need to leave access to those addresses that I have allowed and deny all others.
To do this, you need to set the firewall to “deny everything that is not allowed” mode for outgoing connections. I'm always confused about how to enter the corresponding menu item... Yep, I found it...
And there, first select the tab corresponding to the active profile (in my picture it was “General Profile”), and then switch the “Outgoing connections” selection list from “Allow (default)” to “Block”.
That's it, can we sleep peacefully? Unfortunately no. If everything were so simple, I’m sure Microsoft would immediately select the “Block” mode for everyone. It's a shame, but it's just the beginning.
Installation and Russification of Windows Firewall Control
That's it, let's move on to installation and Russification. We start the installation by clicking on the first downloaded file...
The first checkbox is shortcuts in the Quick Launch panel and on the desktop. The second is to run the Windows Firewall Control program with the system. The third is to allow Windows Firewall to be managed. I recommend leaving the second and third ones.
I recommend
The entire program is installed. Now you need to turn it off by right-clicking on the tray shortcut to “Exit”...
Copy the second downloaded file (which is language), go to the folder where you installed the program and paste it there...
Close all folders and restart the operating system. We get a Russified program in the tray...
A little about applied masochism
So. Let's say you turned on outgoing blocking mode... Everything died immediately, including browsers. In general, no one bothers you to return the selection to its old position at any time and roll back to the original option. But let's see what the new regime gives us in general. We get a list of rules. And these rules can be set to an unconditional permission condition, or you can set a list of open ports and a list of open addresses for the application. Addresses can be specified as a group. Here is the port configuration window:
Here is the address settings window:
Moreover, no one bothers you to open a port for any programs by limiting the list of valid addresses for it. That is, we say not “Allow program such-and-such access to ports such-and-such,” but “All programs running through port such-and-such should be allowed to work, limiting the addresses to the next group.”
Everything is great, except for one thing. If the system generates a list of rules for incoming connections, then for outgoing connections you need to add everything yourself. As I said, my browser died - I had to add it to the allowed outbox myself. I won’t describe how addresses are configured; that’s not what the article is about. Articles about setting up rules (for the purpose of blocking, really) are a dime a dozen. In general, I usually found a suitable incoming rule, copied the file name from there, and then created an outgoing rule pointing to the same file. Well, I allowed this program to be active.
When I had a problem connecting to a VPN in the office, I searched the list of ready-made rules and found this (I knew in advance that our VPN connection was using the L2TP protocol):
The rule was created for us, but not activated. I went into its properties, activated it, after which a green ball with a check mark appeared in the list on the left, and the VPN connection to the office started working.
But one way or another, in general, working with such a firewall smacks of masochism. You must have an iron will so as not to shout: “I’m tired of all this” and not return to the old mode of operation. I had almost reached this state (fortunately, the experiments with Xilinx for All Hardware had already been completed), but one of my friends suggested a beautiful solution to me.
Add-on to the standard firewall
It turns out that there is an officially free Windows Firewall Control program.
It doesn't do anything by itself, but simply manages the firewall built into Windows, providing very user-friendly interfaces. Now you don’t have to run through a bunch of menus to configure something. All settings are conveniently and compactly collected on several tabs. I will not describe all the functions of this program. The purpose of the article is not to describe it, but simply to note its existence. Further, everyone will be able to find specialized articles, knowing the name Windows Firewall Control.
And now, when I launched the client part from the example above, I finally received the message:
I can allow him access, after which a rule will be automatically created, I can deny access, I can block the application once.
So, just for fun, I found an automatically created rule in the standard firewall list and limited the list of available addresses to it:
In general, life has become much easier with this application, even when using the standard Windows Firewall. It's so much better that this Windows 10 machine remains online because it's not as vulnerable as it was before.
Windows Firewall Control program
They are scattered almost throughout the entire system. It is almost impossible to understand where, what and how to configure without a diploma of a system administrator of the highest category.
The tiny (312 kb.), free Windows Firewall Control program will collect all the settings and parameters of the Windows firewall into a bunch, allowing you to quickly allow or deny programs access to the Internet in just a couple of clicks, configure rules, view current active network connections, import or export policies, and also effectively manage various parameters using the context menu.
Windows Firewall Control adds absolutely nothing to the system or changes it, but only displays all the built-in functions of the Windows firewall in one window for ease of use.
