Windows Vista Tips


Vista firewall outbound protection blocks Windows Update

 
 
*^&%$$#*%!

 
      01-15-2008
An issue I have come across with Vista's firewall outbound blocking is that
it blocks Microsoft update. I have figured out how to fix it by unblocking
wuapp.exe and svchost.exe. Vista complained about me unblocking svchost.exe
though as it said it may conflict with its own internal rules settings.
What I am doing for now is enabling the rule for svchost.exe to check for
updates and then disable the rule the rest of the time. Is that the best way
around this issue? Why couldn't Microsoft have made Windows Update unblocked
by default? Even some 3rd party Firewalls know to unblock certain apps by
default.

 
Mr. Arnold

 
      01-15-2008

"*^&%$$#*%!" <> wrote in message
news:a9%ij.10179$wx.1505@pd7urf1no...
> An issue I have come across with Vista's firewall outbound blocking is
> that it blocks Microsoft update. I have figured out how to fix it by
> unblocking wuapp.exe and svchost.exe. Vista complained about me unblocking
> svchost.exe though as it said it may conflict with its own internal rules
> settings. What I am doing for now is enabling the rule for svchost.exe to
> check for updates and then disable the rule the rest of the time. Is that
> the best way around this issue? Why couldn't Microsoft have made Windows
> Update unblocked by default? Even some 3rd party Firewalls know to unblock
> certain apps by default.


It's not a FW, and none of those 3rd party solutions you are talking about
are FW(s) either. A FW sits at the junction point between two networks: the
network the FW is protecting from, usually the Internet, and the network
it's protecting, the LAN.

A FW will have at least two network interfaces. One interface will face the
WAN/Internet, and the other interface will face the LAN. Or in your case for
a software FW solution running on a secured gateway computer, the computer
will have two NIC(s) (Network Interface Cards), with one facing the WAN, and
the other one facing the LAN.

What you're talking about is a machine level packet filter that protects
services running on the computer at the machine level.

The normal filtering rule that would be applied for outbound traffic on a
FW, or in your case, the machine level packet filter that can stop outbound
would be to set a rule to stop all outbound traffic on ports. You then set
rules by services required (that you know you have to let outbound out)
based on outbound ports used by those services.

Svchost.exe is just the messenger. Svchost does the bidding for O/S programs
and other programs, which can include malware, as malware too can use
Svchost.exe as a *host* on its behalf. Svchost does nothing on its own. It
always does the bidding for other programs.

But you see, that's the errant action a home user will make: making a rule
to stop Svchost.exe with a packet filter and the worthless application
control in those solutions.

You don't kill Svchost.exe (the messenger). You find out what is using the
(messenger) and you kill that.

http://www.vicomsoft.com/knowledge/r...irewalls1.html
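
Added example, not part of the original thread or anyone's post: one way to scope the outbound allowance to the Windows Update service instead of to every svchost.exe instance, using the `netsh advfirewall` context that ships with Vista. The rule names are made up for this example, and it assumes outbound traffic is already blocked by default as the original poster describes.

```bat
@echo off
rem Added example for Windows Firewall with Advanced Security (Vista and later).
rem Run from an elevated command prompt. Rule names below are made up.
rem Assumption: the outbound default is already Block, for instance via
rem   netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

rem 1. Find out what is using "the messenger": list the services hosted
rem    by each running svchost.exe instance.
tasklist /svc /fi "imagename eq svchost.exe"

rem 2. Confirm the short service names used in the rules below.
rem    wuauserv = Windows Update, bits = Background Intelligent Transfer Service
sc query wuauserv
sc query bits

rem 3. TOO BROAD (shown for contrast, left commented out): this allows
rem    every service hosted in any svchost.exe to connect out on any port.
rem   netsh advfirewall firewall add rule name="svchost any" dir=out
rem       action=allow program="%SystemRoot%\System32\svchost.exe"

rem 4. SCOPED: allow only the Windows Update service, only over TCP 80/443.
netsh advfirewall firewall add rule name="Example WU out (wuauserv)" ^
    dir=out action=allow ^
    program="%SystemRoot%\System32\svchost.exe" service=wuauserv ^
    protocol=TCP remoteport=80,443

rem    Update payloads are downloaded through BITS, so scope it the same way.
netsh advfirewall firewall add rule name="Example WU out (bits)" ^
    dir=out action=allow ^
    program="%SystemRoot%\System32\svchost.exe" service=bits ^
    protocol=TCP remoteport=80,443

rem 5. Review what was created, then run an update check to verify it.
rem    Name resolution (DNS) needs its own outbound allowance if it is
rem    not already permitted by an existing rule.
netsh advfirewall firewall show rule name="Example WU out (wuauserv)" verbose
netsh advfirewall firewall show rule name="Example WU out (bits)" verbose
```

Whether the service-scoped match takes effect should be confirmed with a real update check, since it depends on how the service is hosted on the machine in question.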

 
*^&%$$#*%!

 
      01-15-2008

"Mr. Arnold" <MR. > wrote in message
news:...
>
> "*^&%$$#*%!" <> wrote in message
> news:a9%ij.10179$wx.1505@pd7urf1no...
>> An issue I have come across with Vista's firewall outbound blocking is
>> that it blocks Microsoft update. I have figured out how to fix it by
>> unblocking wuapp.exe and svchost.exe. Vista complained about me
>> unblocking svchost.exe though as it said it may conflict with its own
>> internal rules settings. What I am doing for now is enabling the rule for
>> svchost.exe to check for updates and then disable the rule the rest of
>> the time. Is that the best way around this issue? Why couldn't Microsoft
>> have made Windows Update unblocked by default? Even some 3rd party
>> Firewalls know to unblock certain apps by default.

>
> It's not a FW, and none of those 3rd party solutions you are talking
> about are FW(s) either. A FW sits at the junction point between two
> networks: the network the FW is protecting from, usually the Internet, and
> the network it's protecting, the LAN.
>
> A FW will have at least two network interfaces. One interface will face
> the WAN/Internet, and the other interface will face the LAN. Or in your
> case for a software FW solution running on a secured gateway computer, the
> computer will have two NIC(s) (Network Interface Cards), with one facing the
> WAN, and the other one facing the LAN.
>
> What you're talking about is a machine level packet filter that protects
> services running on the computer at the machine level.
>
> The normal filtering rule that would be applied for outbound traffic on a
> FW, or in your case, the machine level packet filter that can stop
> outbound would be to set a rule to stop all outbound traffic on ports. You
> then set rules by services required (that you know you have to let
> outbound out) based on outbound ports used by those services.
>
> Svchost.exe is just the messenger. Svchost does the bidding for O/S
> programs and other programs, which can include malware, as malware too can
> use Svchost.exe as a *host* on its behalf. Svchost does nothing on its
> own. It always does the bidding for other programs.
>
> But you see, that's the errant action a home user will make: making a
> rule to stop Svchost.exe with a packet filter and the worthless application
> control in those solutions.
>
> You don't kill Svchost.exe (the messenger). You find out what is using the
> (messenger) and you kill that.
>
> http://www.vicomsoft.com/knowledge/r...irewalls1.html


I don't need a lecture on firewalls. I have a hardware firewall between my PC
and the internet already. Windows firewall is what Microsoft calls their
firewall so I will call it that too. I already told you what is using
svchost. wuapp.exe needs it in order for Windows update to function. I made
a rule to allow it and not block it! If you can't answer the question
without being a condescending asshole then **** off back to your ivory
tower. All you had to do was give me a few instructions on what I am doing
wrong and tell me how to do it correctly but instead you chose to give me
your usual shitty attitude that you post over in the firewall group.

>You then set rules by services required (that you know you have to let
>outbound out) based on outbound ports used by those services.


Um, yea, hello? Earth to Arnie-boy. As if I would know every port every
service needs! Get a clue Einstein, it is much easier for me to block it at
the application level than to spend hours of my time researching exactly
which services and which ports I need to let through. That's why Microsoft
put in controls for blocking at the application level in the first place and
have already blocked all ports and allowed essential services through. Except
they forgot to let windows update through by default. Now I need to know
what I need to do to make it function correctly without doing it the way I
am and you are being no help at all. Instead you are lecturing and being
condescending. No one likes that kind of attitude.

 
*^&%$$#*%!

 
      01-15-2008

Hey, Mr. Arnold. That website you pointed me to says there are various types
of firewalls and the top level is application control level so where do you
get off telling me application level blocking is not a firewall at all? It
goes on to further say, "it is recommended you begin with the methodology
that denies all access by default. In other words, start with a gateway that
routes no traffic and is effectively a brick wall with no doors in it." Gee,
that's what I did and now I am allowing stuff at the application level. WTF
is wrong with that method? Nothing! As stated, I already have a hardware
firewall between my PC and the internet that is working at level 3 (SPI).
If I want to take further steps that is my business. Messing about with this
stuff is how we learn. Sounds to me like the only method you know is the
rote method you paid way too much money for at some college for cadet
network specialists.

 
Mr. Arnold

 
      01-15-2008

"*^&%$$#*%!" <> wrote in message
news:hb1jj.71417$EA5.66533@pd7urf2no...
>
> Hey, Mr. Arnold. That website you pointed me to says there are various
> types of firewalls and the top level is application control level so where
> do you get off telling me application level blocking is not a firewall at
> all?


FW(s) do not block applications. It's not a FW function. You no more know
what you're talking about than a man in the Moon.

And Application gateway and some junk you're talking about in Vista's packet
filter or some 3rd party packet filter junk is not what an Application
gateway is about.

<copied>
An application gateway/proxy is considered by many to be the most complex
packet screening method. This type of firewall is usually implemented on a
secure host system configured with two network interfaces. The application
gateway/proxy acts as an intermediary between the two endpoints. This packet
screening method actually breaks the client/server model in that two
connections are required: one from the source to the gateway/proxy and one
from the gateway/proxy to the destination. Each endpoint can only
communicate with the other by going through the gateway/proxy.

<copied>


> It goes on to further say, "it is recommended you begin with the
> methodology that denies all access by default. In other words, start with
> a gateway that routes no traffic and is effectively a brick wall with no
> doors in it."


Yes that is correct. A FW denies all inbound traffic by default, unless you
set rules to allow unsolicited inbound traffic or an application behind the
FW running on a computer makes the solicitation for inbound traffic by
sending outbound traffic to a remote IP. The FW will allow the solicited
traffic to pass and will block unsolicited traffic by default.

> Gee, that's what I did and now I am allowing stuff at the application
> level. WTF is wrong with that method? Nothing! As stated, I already have a
> hardware firewall between my PC and the internet that is working at level
> 3 (SPI).


You're letting stuff in at the Application level are you? LOL

You're talking about a router for *home usage* that's running SPI. A NAT
router for home usage running SPI is not a FW solution. It's not running FW
technology software. It's pretending to be a FW.

> If I want to take further steps that is my business. Messing about with
> this stuff is how we learn. Sounds to me like the only method you know is
> the rote method you paid way too much money for at some college for cadet
> network specialists.


You are absolutely clueless and ignorant of the facts. I suggest that you
visit a FW and Security NG, and let them rip you apart with your lack of
knowledge.

I have been in IT since 1971, and I am still going strong. I have forgotten
more than you'll ever know.

Here is another link about FW(s) that you know nothing about. You're
somewhere out there in left field with *home user* knowledge, and that's
about it, when it comes to FW technology.

http://www.more.net/technical/netserv/tcpip/firewalls/

 
John Candy

 
      01-16-2008

"Mr. Arnold" <MR. > wrote in message
news:...
> You're letting stuff in at the Application level are you? LOL


No, I am blocking out at the app level as stated. You don't like that? TFB.
Take it up with Microsoft as they are the ones that put that ability there.
I don't usually bother with blocking out but decided to see what was there
and now that I have, I have found an issue with their update service and you
are being a completely useless tit so screw off.

> You're talking about a router for *home usage* that's running SPI. A NAT
> router for home usage running SPI is not a FW solution. It's not running
> FW technology software. It's pretending to be a FW.


My specific router has more than just SPI. You don't even know which router
I have and yet here you are making out as if you already know what its
capabilities are. Even home routers have been providing more than SPI for
quite some time now. Do try to keep up.

> You are absolutely clueless and ignorant of the facts. I suggest that you
> visit a FW and Security NG, and let them rip you apart with your lack of
> knowledge.


Been there many times and have tangled with you in the past too, everyone
there knows you are a big fat asshole of a loser. Once again, and I'll say
it nicely this time, please **** off.

 
John Candy

 
      01-16-2008

"Mr. Arnold" <MR. > wrote in message
news:...
> FW(s) do not block applications. It's not a FW function. You no more know
> what you're talking about than a man in the Moon.


That website you sent me to says otherwise. There are various levels of
firewalls and more than one method of functioning as a firewall. It says at
the application level it is a level 5 firewall. Did you even read what you
yourself posted? Back to network specialist cadet school for you. Whether it
is called a firewall or not I don't care and still want to block
applications. Why is of no importance or any of your 'effing business. If
you don't know the answer to my question then go bother someone else who
might be impressed by your dorkiness, I am not.

 
Mr. Arnold

 
      01-16-2008

"John Candy" <> wrote in message
news:klgjj.74316$EA5.17813@pd7urf2no...
>
> "Mr. Arnold" <MR. > wrote in message
> news:...
>> FW(s) do not block applications. It's not a FW function. You no more
>> know what you're talking about than a man in the Moon.

>
> That website you sent me to says otherwise. There are various levels of
> firewalls and more than one method of functioning as a firewall. It says
> at the application level it is a level 5 firewall. Did you even read what
> you yourself posted? Back to network specialist cadet school for you.
> Whether it is called a firewall or not I don't care and still want to
> block applications. Why is of no importance or any of your 'effing
> business. If you don't know the answer to my question then go bother
> someone else who might be impressed by your dorkiness, I am not.



Do you think I really care? I am not going to bother with you, as you can't
read and you don't know what you're talking about, basically you are some
kind of a moron.

A packet filter such as Vista or some 3rd party solution are not firewalls,
they do NOT separate two networks, they do not have two interfaces that
control the packets between the interfaces, and they do not have the
snake-oil application/program control, the snake-oil junk in them that you
lean on like a crutch -- your stops all and ends all security blanket.

What's a level 5 FW? <g>

<copied>

Session (Layer 5)

This layer establishes, manages and terminates connections between
applications. The session layer sets up, coordinates, and terminates
conversations, exchanges, and dialogues between the applications at each
end. It deals with session and connection coordination.

<copied>

You have the Session (Layer 5) in the OSI model, which has nothing to do
with snake-oil application control with Vista's packet filter or the
snake-oil in 3rd party personal packet filters, or in your case, a 3rd party
personal firewall. It's talking about network traffic or inbound or
outbound packets to/from the FW or ingress/egress of packets.

You can block all the programs you want with the snake-oil in the packet
filters until the cows come home, which is NOT FW functionality, if that
will make you happy in your security blanket. But that doesn't make them
FW(s), and they are not working at layer 5 of the OSI model in the manner
you think they are.

And I told you what to do on outbound packet filtering on ports with a FW or
Vista's packet filter. You're too stupid to put 2 + 2 together and you
can't do it. However, the one thing you can play with is *application*
control. You can play with that, but really, you don't even know what
you're doing with that either, when you stopped Svchost.exe (the
messenger) -- you have no clue as to what you're doing -- not really. <g>

BTW, I am impressed with your lack of knowledge, your inability to
comprehend, your ability to mis-read, your ability to twist things to fit
your needs, your ability to show your mental illness, and your
incompetence, when it comes to FW technology.


 
the wharf rat

 
      01-16-2008
In article <1egjj.74272$EA5.50331@pd7urf2no>,
John Candy <> wrote:
>
>> You're talking about a router for *home usage* that's running SPI. A NAT

>My specific router has more than just SPI. You don't even know which router


BTW, (assuming "SPI" means stateful packet inspection) why
WOULDN'T a combination of NAT and stateful inspection make a good
firewall? I mean, it's good enough for Checkpoint...

 
Mr. Arnold

 
      01-16-2008

"the wharf rat" <> wrote in message
news:fmkt66$krr$...
> In article <1egjj.74272$EA5.50331@pd7urf2no>,
> John Candy <> wrote:
>>
>>> You're talking about a router for *home usage* that's running SPI. A
>>> NAT

>>My specific router has more than just SPI. You don't even know which
>>router

>
> BTW, (assuming "SPI" means stateful packet inspection) why
> WOULDN'T a combination of NAT and stateful inspection make a good
> firewall? I mean, it's good enough for Checkpoint...
>


I think you had better learn what a FW is about and what FW technology is
about. NAT is not FW technology. NAT is mapping technology.

Checkpoint is a FW solution, and a solution that is a true FW solution will
ensure that only HTTP traffic comes down port 80 TCP and block any other
traffic trying to come down that port, as an example.

Checkpoint, Watchguard, Sonicwall, Cisco, Snapgear, etc, etc, even the
people who created the software in the link use NAT. But NAT is not FW
technology.

http://www.vicomsoft.com/knowledge/r...irewalls1.html

No router for home usage is running FW software. The router may have SPI
running, and the SPI is a form of a FW. But the overall solution is NOT
running FW software.

I have learned from the best in the FW and Security NG, my home base NG, the
first NG I went to way back in 2000. I learned from the best. I learned from
the ones who implement security and firewall solutions for a living.

And I also suggest that you read the information in the link to find out who
are the impersonators, which was explained to me by experts in the FW and
Security NG.

http://www.more.net/technical/netserv/tcpip/firewalls/

 