Solved

Windows 7 firewall question - how to enable connections to random port from 10.22.0.0/16

Posted on 2010-11-20
Last Modified: 2012-05-10
Hi.

All the time I have to turn off firewalls to allow a normal work process. :-\
But it seems this is not a recommended practice. So I decided to figure out how to set up my firewall to make it work correctly.

Unfortunately the first attempt failed. It looks like obvious things are not working as expected. :-(
So, I decided to ask...

The situation is the following:
1) Windows 7 x64. The computer is connected to the internet via a router, the router is connected to a modem (38 MBit)... which maybe is not important here at all, so this is just for information.
2) Usually I'm working on a VPN (CheckPoint EndPoint Connect R73 HFA1). Inside the VPN I usually get an address like 10.22.128.x (where x is a number from 1 to 32).
The VPN is configured to route all traffic through the VPN, so there should not be any influence of the router and modem on the way...
Inside the remote network (to which I connect via VPN) we have addresses like 10.22.2.x, 10.22.5.x, 10.22.9.x and so on - up to 20 variants for different subsystems (all in 10.22.x.x).
3) So, I need to allow all incoming connections from the 10.22.x.x addresses.

The problem. In Windows Firewall I have created a rule: Custom -> All Programs -> Protocol=Any -> Scope: LocalAddresses=10.22.0.0/16, RemoteAddresses=10.22.0.0/16.

I did some remote tests from 2 remote computers (one 10.22.2.x, the second 10.22.9.x). I see that PING to my computer works fine and it is controlled by the rule I just created. If I enable/disable the rule I see that ping works or does not work. The same with FTP - when the rule is enabled I can open FTP to my computer. So, it seems that the rule is correct in general... BUT(!!!)

The client-server software that wants to connect to a random port on my computer is not able to connect!
In particular it works like this: the client application creates a local TCP socket and starts to listen on some (random) port number, then it sends a request to a server and puts its own IP address + socket port number into the request. The server application prepares data and tries to connect to the specified IP+port to send the data. But that does not work if the firewall is ON! Which makes me think that my rule is not covering this case. But why?!

In a log file on the server I see messages:
Unable to connect to remote address 10.22.128.9 port 50667 tcp/ip error 10060
Unable to connect to remote address 10.22.128.9 port 53227 tcp/ip error 10060
Unable to connect to remote address 10.22.128.9 port 53995 tcp/ip error 10060

The problem is definitely in the firewall because if I turn it OFF all things start to work fine.

The questions are:
What else should I configure there to enable such incoming connections? I mean - to such "random ports".
Why is it not enough to specify that all 10.22.0.0/16 addresses are allowed to make any connections?
Is it a bug in Windows 7 Firewall? Or did I miss something in the configuration?...


Regards,
Dmitry.

PS. I'm a developer, not a system or network administrator, so I'm a bit unfamiliar with such network stuff. I know the basic things but do not understand such situations. That is why I need some help with it. Please.
Question by:Dmitry_Bond
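The rule described in the question, expressed as netsh commands on Windows 7 (which has no NetSecurity PowerShell cmdlets), plus the checks that narrow down where a refused back-connection is actually being dropped. This is an added example, not something posted in the thread; the rule name is made up, the log path is the Windows default, and port 50667 is taken from the server log quoted above.

```batch
@echo off
rem Added example (not from the original thread): the same custom rule the
rem question describes, created with netsh instead of the GUI, followed by two
rem checks that show whether this host's firewall is the one refusing the
rem connection and under which profile it happens. Rule name is made up.

rem 1) Inbound rule: all programs (no program= given), any protocol, scope
rem    limited to the VPN range. profile=any covers Domain/Private/Public,
rem    which matters because a VPN adapter is often classified as a Public
rem    network. edge=yes is the "Allow edge traversal" setting from the thread.
netsh advfirewall firewall add rule name="Allow inbound from 10.22.0.0/16" ^
    dir=in action=allow enable=yes profile=any protocol=any ^
    localip=10.22.0.0/16 remoteip=10.22.0.0/16 edge=yes

rem 2) Check which profile the active network connections (including the VPN
rem    adapter) fall under, and confirm the rule lists all three profiles.
netsh advfirewall monitor show currentprofile
netsh advfirewall firewall show rule name="Allow inbound from 10.22.0.0/16" verbose

rem 3) Log dropped packets for all profiles. Each refused SYN to one of the
rem    random listening ports shows up as a DROP line with protocol, source and
rem    destination address and port, so the drop can be tied to this host
rem    rather than to the VPN gateway or the remote side.
netsh advfirewall set allprofiles logging droppedconnections enable
netsh advfirewall set allprofiles logging filename "%SystemRoot%\system32\LogFiles\Firewall\pfirewall.log"

rem 4) After reproducing one failed connection attempt (port 50667 in the
rem    server log quoted in the question), list the matching drop records.
findstr /C:"DROP TCP" "%SystemRoot%\system32\LogFiles\Firewall\pfirewall.log" | findstr "50667"
```

If step 4 shows no DROP line for the port while the server still reports error 10060, the packet never reached this host's firewall and the problem lies on the VPN path rather than in the rule.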
16 Comments
 
LVL 27

Expert Comment

by:Tolomir
ID: 34180964
Instead of using a port, allow incoming connections to the client program.
0
 

Author Comment

by:Dmitry_Bond
ID: 34180991
Allowing connections to the incoming program IS NOT THE SOLUTION AT ALL!
We have about 80 different programs that use such an approach. Also - in the development environment we have about 10-20 copies of the same programs. As you can see - IT IS ABSOLUTELY WEIRD to allow incoming connections to all these programs! Because describing about 800 executables in a firewall configuration - that is VERY STUPID! I hope Windows firewall is not that stupid... :-\
So, please suggest another solution.
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 34181005
You didn't write that there is more than one client-server application...

You can try Scope: LocalAddresses=any (this will enable the rule for any IP your computer might get)
0
 

Author Comment

by:Dmitry_Bond
ID: 34182315
Hm... even I (not an expert in network questions) understand that changing the scope could not affect anything.

But ok. I just tested this too - set LocalAddresses=any - it did not change anything. I still have problems with the back-connection to my computer.
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 34182605
Out of curiosity, change the rule to

From any IP, any port to any IP, any port
practically disabling the firewall from blocking anything.

If that doesn't work, the Windows firewall is somewhat buggy and you have to try some 3rd party solution.

I would try some cheap hardware solution though.
--
Still, I would use a different setup. You only use VPN to connect to the company, use remote desktop to connect to some workstation and do the tests there.

A dedicated testing computer helps to eliminate any interference by some gaming software, whatever.

Tolomir
0
 

Author Comment

by:Dmitry_Bond
ID: 34215897
I just tried to change Scope=Any IP for both - Local and Remote. But it did not help!
Seems the Windows firewall is working in some weird way. :-(
Or I do not understand something.
Any ideas why it does not work?
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 34215988
Is the rule active and set for all profiles? Did you enable edge traversal?


image4.png
0
 

Author Comment

by:Dmitry_Bond
ID: 34216033
Yes, it is set for all profiles. And EdgeTraversal is enabled.
0
 

Author Comment

by:Dmitry_Bond
ID: 34216070
Btw, do you know if any 3rd party firewalls support rules which could check the VERSION_INFO block in an executable?

For example if it would be possible to define a rule like this:

ENABLE_ALL_IF(VERSION_INFO.CompanyName=MyCompany, VERSION_INFO.ProductName=MyProduct, VERSION_INFO.SpecialBuild=MyLocalBuild#XXX)

that would solve all my problems!
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 34216403
This would be at the application layer. A firewall usually controls traffic at the IP level, i.e. such information is not available at that level.

I would really try out some hardware solution. Put the firewall between modem and router, or depending on your connection get a DSL modem/firewall/router all-in-one device.

I know that hardware is expensive in Russia, but 3rd party software firewalls provide no better protection than the given Windows firewall. And for testing you should be able to get a used device.
0
 

Author Comment

by:Dmitry_Bond
ID: 34216432
Ok...

Btw, I don't agree about "application layer" vs "IP level". Because if firewalls allow defining rules per particular exe file then it is absolutely ok to define a bit smarter exe-file filtering.
So, there is no clear boundary between "application layer" and "IP level" to distinguish them.
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 34216464
A Windows firewall of course is able to deal with it right. But that is a desktop firewall. - Nope, all glued together in a software solution.

Have you already tried to allow full communication to a "single" tool you are using? I know you use too many of them for a practical approach, I just want to know if that would work.
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 34216477
And how about this approach?

Still, I would use a different setup. You only use VPN to connect to the company, use remote desktop to connect to some workstation and do the tests there.

A dedicated testing computer helps to eliminate any interference by some gaming software, whatever.

---
This is what I use right now (access my office PC via openVPN)
0
 

Author Comment

by:Dmitry_Bond
ID: 34216502
Using the remote PC is an extremely bad, inconvenient and slow thing! I hate it. It makes me very slow - I have to depend on network lags and such things. :-(
It is not a solution at all!

Running 1 or 2 local VMs with a virtual network between them - maybe a solution in some cases but not always, because quite often I need to connect to remote systems for tests, so it cannot be done with local VMs.

And actually my question was about firewalls - why obvious things are not working there. It looks like when a firewall rule is set to Protocol=Any it means "any of the known/favourite protocols", but not the real "any". :-\
Also - I found that it works only if I define the exe in firewall rules, then it will allow connections only to that particular exe. Which is not a solution in my case because then I have to define more than 6000 executables in the firewall... :-\

So, it looks like the only possible solution in my case is to turn the firewall OFF and work as usual.
0
 
LVL 27

Accepted Solution

by: Tolomir (earned 250 total points)
ID: 34216545
You should really have some protection between your modem and your Windows computer.

Maybe give Comodo a try, see the results on

http://www.matousec.com/projects/proactive-security-challenge/results.php


--

This is the download link of the free firewall.
http://www.comodo.com/home/internet-security/firewall.php
0
 

Author Closing Comment

by:Dmitry_Bond
ID: 34216634
So, the actual answer is - it is impossible to do with Windows 7 Firewall. The only way to solve it is to use 3rd party tools, but it is not certain they will fit your needs. Or use hardware solutions...
Ok. It seems that is the only option we have at the moment.
0
