Dmitry_Bond

Windows 7 firewall question - how to enable connections to random port from 10.22.0.0/16

Hi.

All the time I have to turn off firewalls to allow a normal work process. :-\
But it seems this is not a recommended practice. So, I decided to figure out how to set up my firewall to make it work correctly.

Unfortunately the first attempt failed. It looks like obvious things are not working as expected. :-(
So, I decided to ask...

The situation is as follows:
1) Windows 7 x64. The computer is connected to the internet via a router, and the router is connected to a modem (38MBit)... which maybe is not important here at all, so this is just for information.
2) Usually I'm working on a VPN (CheckPoint EndPoint Connect R73 HFA1). Inside the VPN I usually get an address like 10.22.128.x (where X is a number from 1 to 32).
The VPN is configured to route all traffic through the VPN, so there should not be any influence of the router and modem on the way...
Inside the remote network (to which I connect via VPN) we have addresses like 10.22.2.x, 10.22.5.x, 10.22.9.x and so on - up to 20 variants for different subsystems (all in the 10.22.x.x).
3) So, I need to allow all incoming connections from the 10.22.x.x addresses.

The problem. In Windows Firewall I have created a rule: Custom -> All Programs -> Protocol=Any -> Scope: LocalAddresses=10.22.0.0/16, RemoteAddresses=10.22.0.0/16.

I can do some remote tests from 2 remote computers (one 10.22.2.x, the second 10.22.9.x). I see that PING to my computer works fine and it is controlled by the rule I just created. If I enable/disable the rule I see that ping works or does not work. The same with FTP - when the rule is enabled I can open FTP to my computer. So, it seems that the rule is correct in general... BUT(!!!)

The client-server software that wants to connect to a random port on my computer is not able to connect!
In particular it works like this: the client application creates a local TCP socket and starts to listen on some (random) port number, then it sends a request to a server and puts its own IP address + socket port number into the request. The server application prepares data and tries to connect to the specified IP+port to send the data. But that does not work if the firewall is ON! Which makes me think that my rule is not covering this case. But why?!

In a log file on the server I see messages:
Unable to connect to remote address 10.22.128.9 port 50667 tcp/ip error 10060
Unable to connect to remote address 10.22.128.9 port 53227 tcp/ip error 10060
Unable to connect to remote address 10.22.128.9 port 53995 tcp/ip error 10060

The problem is exactly in the firewall because when I turn it OFF all things start to work fine.

Questions are:
What else should I configure there to enable such incoming connections? I mean - to such "random ports".
Why is it not enough to specify that all 10.22.0.0/16 addresses are allowed to make any connections?
Is it a bug in Windows 7 Firewall? Or did I miss something in configuration?...


Regards,
Dmitry.

PS. I'm a developer, not a system or network administrator, so I'm not very familiar with such network stuff. I know the basic things but do not understand such situations. That is why I need some help with it. Please.
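
A minimal reproduction of the call-back pattern described in the question, added here as an example and not part of the original post or of the asker's software. The function names are hypothetical; the bundled self-test runs both roles on loopback so it works offline.

```python
import socket
import threading

def open_callback_listener(bind_ip="127.0.0.1"):
    """Client side: listen on an OS-chosen ephemeral port (the 'random port')."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((bind_ip, 0))          # port 0 = let the OS pick a free port
    srv.listen(1)
    return srv, srv.getsockname()[1]

def server_connect_back(ip, port, payload, timeout=5.0):
    """Server side: connect to the advertised ip:port and push the data.
    Returns None on success, or an error string. A timeout here is what
    Winsock reports as 10060 (WSAETIMEDOUT): the connect got no reply."""
    try:
        with socket.create_connection((ip, port), timeout=timeout) as s:
            s.sendall(payload)
        return None
    except OSError as exc:
        return f"Unable to connect to remote address {ip} port {port}: {exc}"

def run_callback_test(bind_ip="127.0.0.1", payload=b"constructed test payload"):
    """Run both roles in one process; returns (port, error, received_bytes)."""
    srv, port = open_callback_listener(bind_ip)
    srv.settimeout(5.0)
    received = {}

    def accept_once():
        try:
            conn, _peer = srv.accept()
        except OSError:             # timeout: nobody managed to connect
            return
        with conn:
            chunks = []
            while True:
                chunk = conn.recv(4096)
                if not chunk:       # peer closed: transfer complete
                    break
                chunks.append(chunk)
            received["data"] = b"".join(chunks)

    t = threading.Thread(target=accept_once)
    t.start()
    error = server_connect_back(bind_ip, port, payload)
    t.join()
    srv.close()
    return port, error, received.get("data")

if __name__ == "__main__":
    print(run_callback_test())
```

To exercise a real inbound rule, call `open_callback_listener` on the workstation with its VPN address and `server_connect_back` from a host in 10.22.0.0/16, then compare the result with the firewall on and off.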
Tolomir

Instead of using a port, allow incoming connections to the client program.
Dmitry_Bond

ASKER

Allowing incoming connections to the program IS NOT THE SOLUTION AT ALL!
We have about 80 different programs that use such an approach. Also - on the development environment we have about 10-20 copies of the same programs. As you can see - IT IS ABSOLUTELY WEIRD to allow incoming connections to all these programs! Because describing about 800 executables in a firewall configuration - that is VERY STUPID! I hope Windows firewall is not that stupid... :-\
So, please suggest another solution.
You didn't write that there is more than one client - server application...

You can try Scope: LocalAddresses=any (this will enable the rule for any IP your computer might get)
Hm... even I (not an expert in network questions) understand that changing the scope could not affect anything.

But ok. I just tested this thing also - set LocalAddresses=any - it did not change anything. I still have problems with back-connection to my computer.
Out of curiosity, change the rule to

From any IP, any port to any IP, any port
practically disabling the firewall from blocking anything.

If that doesn't work, the windows firewall is somewhat buggy and you have to try some 3rd party solution.

I would try some cheap hardware solution though.
--
Still, I would use a different setup. You only use the VPN to connect to the company, use remote desktop to connect to some workstation and do the tests there.

A dedicated testing computer helps to eliminate any interference by some gaming software, whatever.

Tolomir
I just tried to change Scope=Any IP for both - Local and Remote. But it did not help!
Seems Windows firewall is working in some weird way. :-(
Or I do not understand something.
Any ideas why it does not work?
Is the rule active and set for all profiles? Did you enable edge traversal?


Yes, it is set for all profiles. And EdgeTraversal is enabled.
Btw, do you know if any 3rd party firewalls support rules which could check the VERSION_INFO block in an executable?

For example if it would be possible to define a rule like this:

ENABLE_ALL_IF(VERSION_INFO.CompanyName=MyCompany, VERSION_INFO.ProductName=MyProduct, VERSION_INFO.SpecialBuild=MyLocalBuild#XXX)

that would solve all my problems!
This would be at the application layer. A firewall usually controls traffic on the IP level. I.e. such information is not available at that level.

I would really try out some hardware solution. Put the firewall between modem and router, or depending on your connection get a DSL modem, firewall, router all-in-one device.

I know that hardware is expensive in Russia, but 3rd party software firewalls provide no better protection than the given Windows firewall. And for testing you should be able to get a used device.
Ok...

Btw, I do not agree about "application layer" vs "ip level". Because if firewalls allow defining rules per particular exe file then it is absolutely ok to define a bit smarter exe-file filtering.
So, there is no clear boundary between "application layer" and "ip level" to distinguish them.
A Windows firewall of course is able to deal with it right. But that is a desktop firewall. - Nope, all glued together in a software solution.

Have you already tried to allow full communication to a "single" tool you are using, I know you use too many of them for a practical approach, I just want to know if that would work.
And how about this approach?

Still, I would use a different setup. You only use the VPN to connect to the company, use remote desktop to connect to some workstation and do the tests there.

A dedicated testing computer helps to eliminate any interference by some gaming software, whatever.

---
This is what I use right now (access my office PC via openVPN)
Using the remote PC is an extremely bad, inconvenient and slow thing! I hate it. It makes me very slow - I have to depend on network lags and such things. :-(
It is not a solution at all!

Running 1 or 2 local VMs with a virtual network between them is maybe a solution in some cases, but not always, because quite often I need to connect to remote systems for tests, so it cannot be done with local VMs.

And actually my question was about firewalls - why obvious things are not working there. It looks like when a firewall rule is set to Protocol=Any it means "any of known/favourite protocols", but not the real "any". :-\
Also - I found that it works only if I define the exe in the firewall rules, then it will allow connections only to that particular exe. Which is not a solution in my case because then I have to define more than 6000 executables in a firewall... :-\

So, it looks like the only possible solution in my case is to turn the firewall OFF and work as usual.
ASKER CERTIFIED SOLUTION
Tolomir
This solution is only available to members.
So, the actual answer is - it is impossible to do with Windows 7 Firewall. The only way to solve it is to use 3rd party tools, but it is not a fact they will fit your needs. Or use hardware solutions...
Ok. Seems it is the only option we have at the moment.