Windows 7 firewall question - how to enable connections to random port from 10.22.0.0/16
Posted on 2010-11-20
All the time I have to turn off the firewall to allow a normal work process. :-\
But it seems that is not a recommended practice. So, I decided to figure out how to set up my firewall to make it work correctly.
Unfortunately the first attempt failed. It looks like obvious things are not working as expected. :-(
So, decided to ask...
The situation is as follows:
1) Windows 7 x64. The computer is connected to the internet via a router, and the router is connected to a modem (38 MBit)... which maybe is not important here at all, so this is just for information.
2) Usually I'm working on a VPN (CheckPoint EndPoint Connect R73 HFA1). Inside the VPN I usually get an address like 10.22.128.x (where x is a number from 1 to 32).
The VPN is configured to route all traffic through the VPN, so the router and modem should not have any influence on the way...
Inside the remote network (to which I connect via VPN) we have addresses like 10.22.2.x, 10.22.5.x, 10.22.9.x and so on - up to 20 variants for different subsystems (all in 10.22.x.x).
3) So, I need to allow all incoming connections from 10.22.x.x addresses.
The problem. In Windows Firewall I have created a rule: Custom -> All Programs -> Protocol=Any -> Scope: LocalAddresses=10.22.0.0/16, RemoteAddresses=10.22.0.0/16.
I can do some remote tests from 2 remote computers (one 10.22.2.x, the second 10.22.9.x). I see that PING to my computer works fine and is controlled by the rule I just created. If I enable/disable the rule I see that ping works or does not work. The same with FTP - when the rule is enabled I can open FTP to my computer. So, it seems that the rule is correct in general... BUT(!!!)
The client-server software that wants to connect to a random port on my computer is not able to connect!
In particular it works like this: the client application creates a local TCP socket and starts to listen on some (random) port number, then it sends a request to the server and puts its own IP address + socket port number into the request. The server application prepares the data and tries to connect to the specified IP+port to send the data. But that does not work if the firewall is ON! Which makes me think that my rule is not covering this case. But why?!
In a log file on the server I see messages:
Unable to connect to remote address 10.22.128.9 port 50667 tcp/ip error 10060
Unable to connect to remote address 10.22.128.9 port 53227 tcp/ip error 10060
Unable to connect to remote address 10.22.128.9 port 53995 tcp/ip error 10060
The problem is exactly in the firewall because if I turn it OFF all things start to work fine.
What else should I configure there to enable such incoming connections? I mean - to such "random ports".
Why is it not enough to specify that all 10.22.0.0/16 addresses are allowed to make any connections?
Is it a bug in Windows 7 Firewall? Or did I miss something in the configuration?...
PS. I'm a developer, not a system or network administrator, so I'm not very familiar with such network stuff. I know the basic things but do not understand such situations. That is why I need some help with it. Please.
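As an added example, not part of the original post: the inbound rule described in the question, recreated from an elevated prompt with netsh advfirewall (the tool Windows 7 ships with; the New-NetFirewallRule cmdlets only arrived with Windows 8), followed by the two checks that show whether such a rule actually applies to the VPN adapter: the firewall profile that is currently active, and the firewall's own dropped-packet log. The rule name and the helper function names are my own assumptions; the subnet is the one from the post.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell
# prompt on Windows 7. Rule name below is an assumed value.
$RuleName = "AllowVpnSubnet-10.22.0.0-16"
$Subnet   = "10.22.0.0/16"   # subnet from the post

function Add-VpnSubnetRule {
    # Inbound, any protocol, any local port, all programs (omitting 'program'
    # means all programs), scoped to the remote subnet only. localip is left
    # as 'any' so the rule still matches if the VPN hands out an address
    # outside the subnet; profile=any and interfacetype=any make sure the
    # rule is not tied to a profile the VPN adapter is not in.
    netsh advfirewall firewall add rule `
        name=$RuleName dir=in action=allow enable=yes `
        protocol=any localip=any remoteip=$Subnet `
        profile=any interfacetype=any
}

function Show-VpnSubnetRule {
    # Print the stored rule so scope, profile and interface type can be
    # compared with what the GUI shows.
    netsh advfirewall firewall show rule name=$RuleName verbose
}

function Show-ActiveProfiles {
    # A rule limited to one profile (Domain/Private/Public) is silently
    # ignored on adapters that sit in a different profile. This shows which
    # profile(s) are active right now, e.g. after the VPN has come up.
    netsh advfirewall show currentprofile
}

function Enable-DropLogging {
    # Log dropped packets for all profiles to the default log file. A DROP
    # line for TCP to 10.22.128.x on one of the ports seen in the server log
    # confirms that it was the firewall, and which rule set, that refused
    # the connect-back.
    netsh advfirewall set allprofiles logging droppedconnections enable
    netsh advfirewall set allprofiles logging filename "$env:SystemRoot\system32\LogFiles\Firewall\pfirewall.log"
}

function Show-RecentDrops {
    param([int]$Lines = 40)
    # pfirewall.log is space separated: date time action protocol src-ip
    # dst-ip src-port dst-port ... ; filter on the DROP action column.
    $log = Join-Path $env:SystemRoot "system32\LogFiles\Firewall\pfirewall.log"
    if (Test-Path $log) {
        Get-Content $log | Where-Object { $_ -match ' DROP ' } | Select-Object -Last $Lines
    }
}

# Usage (elevated prompt):
Add-VpnSubnetRule
Show-VpnSubnetRule
Show-ActiveProfiles
Enable-DropLogging
# ... reproduce the failing connect-back from the server side, then:
Show-RecentDrops
```

The dropped-packet log is the quickest way to tell a firewall block apart from a routing or VPN-client problem: if the server's connection attempt never shows up as a DROP line with the local 10.22.128.x address and the port from the server log, the packet did not reach the Windows Firewall at all, and the question moves to the VPN client or the remote side.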