Firewall rules

[novice 20]

I am being asked to create some firewall rules for svchost.exe.

I thought this are built-in rules.

 

[cyberhash 188]

Not if you are using interactive mode , are you using that ?

[Marcos 5,074]

Built-in rules can be displayed after checking the appropriate box in the rule editor. For communications with no rule the user is asked about action to take.

[novice 20]

I am using interactive mode .

I see in built-in rules a lot of them about svchost.exe.

I thought the built in rules  would cover all svchost.exe requests.

[itman 1,659]

4 hours ago, MSE said:

I see in built-in rules a lot of them about svchost.exe.

I thought the built in rules  would cover all svchost.exe requests.

The default svchost.exe firewall rules cover the basic services used in internal and external network communication. These are; DNS, DHCP, NTP, SSDP and ICSLAP i.e. UPnP, RPC, RDP, Web Services Discovery, and PNRP. Also note that depending on IDS options selected, these default rules can change.

Additionally, the Eset firewall has an option to use Windows firewall inbound rules which some find useful especially in Win 10 since it includes default rules for Windows app processes.

The primary purpose of the Eset firewall, and any firewall for that matter, is to block unsolicited inbound communication. As far as providing default outbound app and system process rules not directly related to basic network connectivity, that is impractical to do since each PC software configuration is different. The recommended procedure for creating such rules is to enable the firewall's training mode. In this mode all inbound and outbound will be learned and corresponding rules created. After a few days, switch the firewall mode to interactive if you wish to monitor all outbound network traffic in the firewall. This learning procedure can be sped up by booting a few times, opening up all apps the require outbound network connections, running Win Updates, and related like activity.

Another option that can be used is to open the Win firewall and manually duplicate all outbound rules there in the Eset firewall. Note that the Win firewall only includes rules for Win apps and system processes. You will still have to manually create rules for browsers, PDF readers, etc..

Edited February 26, 2018 by itman

[novice 20]

7 hours ago, itman said:

The recommended procedure for creating such rules is to enable the firewall's training mode. In this mode all inbound and outbound will be learned and corresponding rules created. After a few days, switch the firewall mode to interactive if you wish to monitor all outbound network traffic in the firewall. This learning procedure can be sped up by booting a few times, opening up all apps the require outbound network connections, running Win Updates, and related like activity.

For this we have TinyWall, free, which works exactly the same. (enable the firewall's training mode....)

[itman 1,659]

23 minutes ago, MSE said:

For this we have TinyWall, free, which works exactly the same.

Not quite by a long stretch. It's a simple two-way firewall designed to be an add-on to the Win firewall. It has no IDS protection. It has been and is buggier than hell: https://www.wilderssecurity.com/threads/gave-up-on-tinywall.396865/ .

Edited February 26, 2018 by itman

[MasterTB 8]

On 26/2/2018 at 6:50 PM, MSE said:

For this we have TinyWall, free, which works exactly the same. (enable the firewall's training mode....)

What about enabling training mode on the pc that is running Eset? You do have that option. Turn it on, set a time period, restart, do your things, go back to interactive, the rules should be there.