Mpeter

Members
  • Content Count: 2

Profile Information
  • Location: Hungary
  1. Thank you for all of your responses. I'll try this, but first I'll go through the other 2 answers. I've blocked DNS (port 53, TCP and UDP) on direction "out" again. nslookup does not work as expected, but after starting a Wireshark capture there are still queries and responses going on port 53, as you can see here. DNS queries triggered by Firefox (e.g. by loading a page) get through too. I'll try what happens when I move rules above the hidden ones. As I said in the original post, I'm blocking DNS for testing purposes, as it is used so much that if it gets blocked properly then it will be easy to see.
  2. I've been trying to configure my firewall to my taste for some time already, but it seems I have difficulties setting it up properly. Recently I've reinstalled Eset in English, so I can see if something is translated wrongly, and you can help more easily this way too.

     I assume, as your documentation states, that the rules are processed from the top to the bottom. I also assume that the action of the first rule that fits a packet is applied to it, and evaluation of the following rules will not happen. Please correct me if some of these assumptions are incorrect. I use automatic mode, and I did not modify the hidden rules, or if I did, I did so with another setting which is not in the firewall section. You can see my current rules on the first image. Before continuing, please note the first and last rules: the first one is there for testing purposes only; I'll talk about it below. The last one is to notify me with a popup in the bottom left if there are any unexpected incoming connections, and also if rules are not working as I expect.

     I noticed the following anomalies:

     • See the second rule from the end, named "Silent block Windows Connected Devices sync broadcasts". I placed it there so that when a phone on my network communicates with the PC its sync is set up with (it's another one), I won't get a notification about that. This service for some reason communicates with broadcasts through port 5050. Now take a look at the second picture. Here you can see that the above-mentioned service's communication is not blocked by that rule, but rule evaluation is reaching the last rule, which blocks everything else and notifies me. My question is: why doesn't the mentioned rule (2nd from the bottom) block the communication?
     • If the first rule (named DNS deny) is turned on, DNS requests made with the nslookup command are blocked, but DNS requests made in any other way (Firefox browser (DOH is disabled), Windows service Dnsclient) are not, and I can even see them in a Wireshark capture, both the query and the response?
     • See the third rule, allowing any communication for qBittorrent. Sometimes I get log entries that the last rule (named Anything) blocks inbound communication for it. Why doesn't rule evaluation stop at the third rule, with the conclusion that this communication is allowed? That rule has an application filter, but the filter points to the executable that is trying to receive the connection.

     Please note that the logs on the second image only include entries for the first point. This happens quite frequently if certain conditions are met, and a few minutes earlier I deleted all networking logs to make sure they don't cause any confusion. If you need further information, feel free to ask. If you provide instructions, I can export these rules and upload them here so you can see a few details that are not visible in the list.