Vista firewall outbound protection blocks Windows Update

Discussion in 'Windows Vista General Discussion' started by *^&%$$#*%!, Jan 15, 2008.

  1. *^&%$$#*%!

    *^&%$$#*%! Guest

    An issue I have come across with Vista's firewall outbound blocking is that
    it blocks Microsoft update. I have figured out how to fix it by unblocking
    wuapp.exe and svchost.exe. Vista complained about me unblocking svchost.exe
    though, as it said it may conflict with its own internal rules settings.
    What I am doing for now is enabling the rule for svchost.exe to check for
    updates and then disable the rule the rest of the time. Is that the best way
    around this issue? Why couldn't Microsoft have made Windows Update unblocked
    by default? Even some 3rd party Firewalls know to unblock certain apps by
    default.
     
    *^&%$$#*%!, Jan 15, 2008
    #1

  2. *^&%$$#*%!

    Mr. Arnold Guest

    It's not a FW and neither are any of those 3rd party solutions you are
    talking about FW(s) either. A FW sits at the junction point between two
    networks. The network the FW is protecting from, usually the Internet, and
    the network it's protecting, the LAN.

    A FW will have at least two network interfaces. One interface will face the
    WAN/Internet, and the other interface will face the LAN. Or in your case for
    a software FW solution running on a secured gateway computer, the computer
    will have two NIC(s) Network Interface Cards, with one facing the WAN, and
    the other one facing the LAN.

    What you're talking about is a machine level packet filter that protects
    services running on the computer at the machine level.

    The normal filtering rule that would be applied for outbound traffic on a
    FW, or in your case, the machine level packet filter that can stop outbound
    would be to set a rule to stop all outbound traffic on ports. You then set
    rules by services required (that you know you have to let outbound out)
    based on outbound ports used by those services.

    Svchost.exe is just the messenger. Svchost does the bidding for O/S programs
    and other programs, which can include malware, as malware too can use
    Svchost.exe as a *host* on its behalf. Svchost does nothing on its own. It
    always does the bidding for other programs.

    But you see, that's the errant action a home user will make: making a rule
    to stop Svchost.exe with a packet filter and worthless application control
    in those solutions.

    You don't kill Svchost.exe (the messenger). You find out what is using the
    (messenger) and you kill that.

    http://www.vicomsoft.com/knowledge/reference/firewalls1.html
     
    Mr. Arnold, Jan 15, 2008
    #2
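    The approach the first post describes (unblocking wuapp.exe and toggling a broad svchost.exe rule by hand) and the approach the reply describes (block all outbound, then allow only the services you know you need) can be combined without unblocking svchost.exe wholesale, because Vista's firewall lets an outbound rule be scoped to the service running inside svchost.exe. The following is an added example, not commands posted by anyone in this thread or documentation from Microsoft; it assumes the Windows Update service short name is wuauserv, that wuapp.exe lives under System32, and that Windows Update talks over TCP 80 and 443 (a WSUS or proxy setup may differ). Run it from an elevated prompt.

```powershell
# Added example (not from the thread). Scope the outbound allow to the Windows Update
# service hosted by svchost.exe instead of unblocking svchost.exe for everything.
# Assumptions: service short name wuauserv, wuapp.exe in System32, TCP 80/443.

# 1. Keep the posture discussed above: block outbound by default on every profile.
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

# 2. Allow svchost.exe outbound ONLY when it is running the Windows Update service,
#    and only to the ports Windows Update needs. Malware "riding" svchost.exe
#    without being that service does not match this rule.
netsh advfirewall firewall add rule name="Allow Windows Update (wuauserv)" `
    dir=out action=allow enable=yes `
    program="%SystemRoot%\System32\svchost.exe" service=wuauserv `
    protocol=TCP remoteport=80,443

# 3. The Windows Update control panel itself (what the first post unblocked as wuapp.exe).
netsh advfirewall firewall add rule name="Allow Windows Update UI (wuapp.exe)" `
    dir=out action=allow enable=yes `
    program="%SystemRoot%\System32\wuapp.exe" `
    protocol=TCP remoteport=80,443

# 4. If you still prefer to open the path only while checking for updates, toggle the
#    narrow rule rather than a blanket svchost.exe rule.
netsh advfirewall firewall set rule name="Allow Windows Update (wuauserv)" new enable=no
netsh advfirewall firewall set rule name="Allow Windows Update (wuauserv)" new enable=yes

# 5. Verify exactly what was written, including the service scoping.
netsh advfirewall firewall show rule name="Allow Windows Update (wuauserv)" verbose
```

    The `service=` keyword is what makes the difference: the rule matches svchost.exe only while it is hosting that particular service, which answers the "svchost is just the messenger, find out who is using it" objection without forcing you to research every port by hand. If downloads stall after this, the Background Intelligent Transfer Service (short name BITS) also runs inside svchost.exe and would need the same kind of scoped rule.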

  3. *^&%$$#*%!

    *^&%$$#*%! Guest

    I don't need a lecture on firewalls. I have a hardware firewall between my PC
    and the internet already. Windows firewall is what Microsoft calls their
    firewall so I will call it that too. I already told you what is using
    svchost. wuapp.exe needs it in order for Windows update to function. I made
    a rule to allow it and not block it! If you can't answer the question
    without being a condescending asshole then piss off back to your ivory
    tower. All you had to do was give me a few instructions on what I am doing
    wrong and tell me how to do it correctly but instead you chose to give me
    your usual shitty attitude that you post over in the firewall group.
    Um, yea, hello? Earth to Arnie-boy. As if I would know every port every
    service needs! Get a clue Einstein, it is much easier for me to block it at
    the application level than to spend hours of my time researching exactly
    which services and which ports I need to let through. That's why Microsoft
    put in controls for blocking at the application level in the first place and
    have already blocked all ports and allowed essential services through. Except
    they forgot to let windows update through by default. Now I need to know
    what I need to do to make it function correctly without doing it the way I
    am and you are being no help at all. Instead you are lecturing and being
    condescending. No one likes that kind of attitude.
     
    *^&%$$#*%!, Jan 15, 2008
    #3
  4. *^&%$$#*%!

    *^&%$$#*%! Guest

    Hey, Mr. Arnold. That website you pointed me to says there are various types
    of firewalls and the top level is application control level so where do you
    get off telling me application level blocking is not a firewall at all? It
    goes on to further say, "it is recommended you begin with the methodology
    that denies all access by default. In other words, start with a gateway that
    routes no traffic and is effectively a brick wall with no doors in it." Gee,
    that's what I did and now I am allowing stuff at the application level. WTF
    is wrong with that method? Nothing! As stated, I already have a hardware
    firewall between my PC and the internet that is working at level 3 (SPI).
    If I want to take further steps that is my business. Messing about with this
    stuff is how we learn. Sounds to me like the only method you know is the
    rote method you paid way too much money for at some college for cadet
    network specialists.
     
    *^&%$$#*%!, Jan 15, 2008
    #4
  5. *^&%$$#*%!

    Mr. Arnold Guest

    FW(s) do not block applications. It's not a FW function. You no more know
    what you're talking about than a man in the Moon.

    And Application gateway and some junk you're talking about in Vista's packet
    filter or some 3rd party packet filter junk is not what an Application
    gateway is about.

    <copied>
    An application gateway/proxy is considered by many to be the most complex
    packet screening method. This type of firewall is usually implemented on a
    secure host system configured with two network interfaces. The application
    gateway/proxy acts as an intermediary between the two endpoints. This packet
    screening method actually breaks the client/server model in that two
    connections are required: one from the source to the gateway/proxy and one
    from the gateway/proxy to the destination. Each endpoint can only
    communicate with the other by going through the gateway/proxy.

    Yes that is correct. A FW denies all inbound traffic by default, unless you
    set rules to allow unsolicited inbound traffic or an application behind the
    FW running on a computer makes the solicitation for inbound traffic by
    sending outbound traffic to a remote IP. The FW will allow the solicited
    traffic to pass and will block unsolicited traffic by default.
    You're letting stuff in at the Application level are you? LOL

    You're talking about a router for *home usage* that's running SPI. A NAT
    router for home usage running SPI is not a FW solution. It's not running FW
    technology software. It's pretending to be a FW.
    You are absolutely clueless and ignorant of the facts. I suggest that you
    visit a FW and Security NG, and let them rip you apart with your lack of
    knowledge.

    I have been IT since 1971, and I am still going strong. I have forgotten
    more than you'll even know. :)

    Here is another link about FW(s) that you know nothing about. You're
    somewhere out there in left field with *home user* knowledge, and that's
    about it, when it comes to FW technology.

    http://www.more.net/technical/netserv/tcpip/firewalls/
     
    Mr. Arnold, Jan 15, 2008
    #5
  6. *^&%$$#*%!

    John Candy Guest

    No, I am blocking out at the app level as stated. You don't like that? TFB.
    Take it up with Microsoft as they are the ones that put that ability there.
    I don't usually bother with blocking out but decided to see what was there
    and now that I have I have found an issue with their update service and you
    are being a completely useless tit so screw off.
    My specific router has more than just SPI. You don't even know which router
    I have and yet here you are making out as if you already know what its
    capabilities are. Even home routers have been providing more than SPI for
    quite some time now. Do try to keep up.
    Been there many times and have tangled with you in the past too, everyone
    there knows you are a big fat asshole of a loser. Once again, and I'll say
    it nicely this time, please **** off.
     
    John Candy, Jan 16, 2008
    #6
  7. *^&%$$#*%!

    John Candy Guest

    That website you sent me to says otherwise. There are various levels of
    firewalls and more than one method of functioning as a firewall. It says at
    the application level it is a level 5 firewall. Did you even read what you
    yourself posted? Back to network specialist cadet school for you. Whether it
    is called a firewall or not I don't care and still want to block
    applications. Why is of no importance or any of your 'effing business. If
    you don't know the answer to my question then go bother someone else who
    might be impressed by your dorkiness, I am not.
     
    John Candy, Jan 16, 2008
    #7
  8. *^&%$$#*%!

    Mr. Arnold Guest


    Do you think I really care? I am not going to bother with you, as you can't
    read and you don't know what you're talking about, basically you are some
    kind of a moron.

    Packet filters such as Vista's or some 3rd party solution are not firewalls,
    they do NOT separate two networks, they do not have two interfaces that
    control the packets between the interfaces, and they do not have the
    snake-oil application/program control, the snake-oil junk in them that you
    lean on like a crutch -- your stops all and ends all security blanket.

    What's a level 5 FW? <g>

    <copied>

    Session (Layer 5)

    This layer establishes, manages and terminates connections between
    applications. The session layer sets up, coordinates, and terminates
    conversations, exchanges, and dialogues between the applications at each
    end. It deals with session and connection coordination.

    <copied>

    You have the Session (Layer 5) in the OSI model, which has nothing to do
    with snake-oil application control with Vista's packet filter or the
    snake-oil in 3rd party personal packet filters, or in your case, a 3rd party
    personal firewall. It's talking about network traffic or inbound or
    outbound packets to/from the FW or ingress/egress of packets.

    You can block all the programs you want with the snake-oil in the packet
    filters until the cows come home, which is NOT FW functionality, if that
    will make you happy in your security blanket. But that doesn't make them
    FW(s), and they are not working at layer 5 of the OSI model in the manner
    you think they are. :)

    And I told you what to do on outbound packet filtering on ports with a FW or
    Vista's packet filter. You're too stupid to put 2 + 2 together and you
    can't do it. However, the one thing you can play with is *application*
    control. You can play with that, but really, you don't even know what
    you're doing with that either, when you stopped Svchost.exe (the
    messenger) -- you have no clue as to what you're doing -- not really. <g>

    BTW, I am impressed with your lack of knowledge, your inability to
    comprehend, your ability to mis-read, your ability to twist things to fit
    your needs, your ability to show your mental illness, and your
    incompetence, when it comes to FW technology.
     
    Mr. Arnold, Jan 16, 2008
    #8
  9. BTW, (assuming "SPI" means stateful packet inspection) why
    WOULDN'T a combination of NAT and stateful inspection make a good
    firewall? I mean, it's good enough for Checkpoint...
     
    the wharf rat, Jan 16, 2008
    #9
  10. *^&%$$#*%!

    Mr. Arnold Guest

    I think you had better learn what a FW is about and what FW technology is
    about. NAT is not FW technology. NAT is mapping technology.

    Checkpoint is a FW solution, and a solution that is a true FW solution will
    ensure that only HTTP traffic comes down port 80 TCP and block any other
    traffic trying to come down that port, as an example.

    Checkpoint, Watchguard, Sonicwall, Cisco, Snapgear, etc, etc, even the
    people who created the software in the link use NAT. But NAT is not FW
    technology.

    http://www.vicomsoft.com/knowledge/reference/firewalls1.html

    No router for home usage is running FW software. The router may have SPI
    running, and the SPI is a form of a FW. But the overall solution is NOT
    running FW software.

    I have learned from the best in the FW and Security NG, my home base NG the
    first NG I went to way back in 2000. I learned from the best. I learned from
    the ones who implement security and firewall solutions for a living.

    And I also suggest that you read the information in the link to find out who
    are the impersonators, which was explained to me by experts in the FW and
    Security NG.

    http://www.more.net/technical/netserv/tcpip/firewalls/
     
    Mr. Arnold, Jan 16, 2008
    #10
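    Two claims in this thread describe how a stateful firewall actually decides: post #5 says inbound traffic is dropped unless a host behind the firewall solicited it by sending outbound first, and post #10 says a real firewall additionally makes sure that what comes down TCP port 80 is HTTP and not something else. The following is an added PowerShell example that is not code from anyone in the thread; it is a toy in-memory filter over constructed sample packets, and the "looks like HTTP" test is a deliberately simplified stand-in for real protocol inspection.

```powershell
# Added example (not from the thread): a toy stateful packet filter.
# Outbound packets create state; inbound packets are allowed only if they match
# the reverse of a tuple the inside opened; replies on port 80 must look like HTTP.

function Test-StatefulFilter {
    param([object[]]$Packets)

    $state = @{}        # keys are the inbound 5-tuples we are prepared to accept
    $decisions = @()

    foreach ($p in $Packets) {
        $key = '{0}:{1}->{2}:{3}/{4}' -f $p.Src, $p.SPort, $p.Dst, $p.DPort, $p.Proto

        if ($p.Dir -eq 'out') {
            # The LAN side opened this; remember the reverse tuple so the reply can come back.
            $reverse = '{0}:{1}->{2}:{3}/{4}' -f $p.Dst, $p.DPort, $p.Src, $p.SPort, $p.Proto
            $state[$reverse] = $true
            $verdict = 'allow (outbound)'
        }
        elseif ($state.ContainsKey($key)) {
            # Solicited inbound. On port 80 insist the reply actually looks like HTTP,
            # which is the "only HTTP comes down port 80" behaviour described in post #10.
            if ($p.SPort -eq 80 -and $p.Payload -notmatch '^HTTP/1\.[01] \d{3}') {
                $verdict = 'drop (non-HTTP on port 80)'
            } else {
                $verdict = 'allow (solicited)'
            }
        }
        else {
            # Nobody inside asked for this connection: default deny, as post #5 describes.
            $verdict = 'drop (unsolicited inbound)'
        }

        $decisions += [pscustomobject]@{ Packet = $key; Dir = $p.Dir; Verdict = $verdict }
    }
    return $decisions
}

# Constructed sample traffic (not captured data): a LAN host fetches a page and gets a
# reply, then a non-HTTP blob arrives on the same port-80 flow, then an unsolicited
# connection attempt from an unrelated host.
$sample = @(
    [pscustomobject]@{ Dir='out'; Src='192.168.1.10'; SPort=49152; Dst='203.0.113.5';  DPort=80;    Proto='TCP'; Payload='GET / HTTP/1.1' }
    [pscustomobject]@{ Dir='in';  Src='203.0.113.5';  SPort=80;    Dst='192.168.1.10'; DPort=49152; Proto='TCP'; Payload='HTTP/1.1 200 OK' }
    [pscustomobject]@{ Dir='in';  Src='203.0.113.5';  SPort=80;    Dst='192.168.1.10'; DPort=49152; Proto='TCP'; Payload='SSH-2.0-OpenSSH' }
    [pscustomobject]@{ Dir='in';  Src='198.51.100.7'; SPort=4444;  Dst='192.168.1.10'; DPort=135;   Proto='TCP'; Payload='' }
)

Test-StatefulFilter -Packets $sample | Format-Table -AutoSize
```

    Expected verdicts, in order: the outbound request is allowed and creates state, the HTTP reply is allowed as solicited, the SSH banner on the same port-80 flow is dropped by the protocol check, and the packet to port 135 is dropped as unsolicited. A NAT router with SPI does the first three kinds of decision; the fourth verdict, dropping a matching flow because the payload is the wrong protocol, is the extra step post #10 is arguing about.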
  11.  
    Jon-Alfred Smith, Jan 16, 2008
    #11
  12. No single technology provides sufficient security to be called
    a "real firewall". But NAT is certainly one of the tools available to help
    secure a network.
    Bullshit. That kind of protocol fixup is not a requirement of
    a general firewall solution. You're overloading your terms. (The technical
    term for *that* is amphiboly, BTW. It's very bad.)

    A firewall is simply a device that manages and controls network
    traffic. A simple NAT gateway is a firewall. (Not a *good* firewall...)
    So is an intelligent screening router that incorporates active response IDS.
    Look at it this way: a Chevette is a car, right? So is a Ferrari, right?
    It's like that.
    Pffffttt. That's an infomercial not a technical paper.
    Lol. "I'm a security expert. I read all about it on Usenet!"

    You're so funny.
     
    the wharf rat, Jan 16, 2008
    #12
  13. Sure. It'd be silly not to include that kind of capability.
    Also very non-competitive. But you can't tell me that an FW-1 or PIX
    solution as deployed circa 2003 wasn't a genuine firewall and wouldn't
    be one today.

    Why wouldn't you consider, say, a Linux box using netfilter
    a genuine firewall? That kind of basic setup is approximately equivalent
    to the "original" PIX and FW-1 setups. And to come back on topic, why
    wouldn't the MS firewall be considered a firewall? I don't completely
    agree that a "firewall" MUST be a separate physical box with separate
    physical interfaces. It does packet and application screening, and
    if you stretch a bit you could say it manages connections between two
    address spaces, the local socket space and the network socket space...
     
    the wharf rat, Jan 16, 2008
    #13
  14. *^&%$$#*%!

    Mr. Arnold Guest


    I suggest that you drop "the wharf rat" a road kill like a hot potato. He
    is loose again, and out of control.
     
    Mr. Arnold, Jan 16, 2008
    #14
  15. *^&%$$#*%!

    Jon Guest


    You may have 'learned from the best', but you've missed the point.

    The etymological purity of the term 'firewall' isn't the issue for the OP,
    nor whether a textbook definition should take precedence over a perfectly
    legitimate vernacular usage.
     
    Jon, Jan 16, 2008
    #15
  16. *^&%$$#*%!

    Mr. Arnold Guest


    In a limited sense, the moment you start to think that NAT is a security
    solution, you just landed on the wrong side with me, because I know better.

    And you really don't know anything about FW technology.

    Really Road Kill, because I talked with the experts about this, and
    I don't consider you to be one of them.
    Really Road Kill, you show me yours and I'll show you mine. I guess it
    doesn't matter that I use a Watchguard and know what they are about.
    LOL, you point out to me where I said I was a security expert. You
    point the words out. I never claimed that, and I never said that. I will
    say that I know more than the average Joe Blow home user, which you fit
    into that category.

    There is something wrong with you.

    Let me remind you of my take on you, you are yesterday's, today's and
    all days in the future *clown*, and don't you ever forget that.

    And you call yourself a computer man jack of all trades master of none
    do you, which you threw up in my face about the expertise that you
    have starting with DRM and DVD(s) and who you are and I should respect
    that and you?

    Like I told you, the company you work for, they should have fired you
    long ago.

    You have no credibility with me based on your previous actions and lack
    thereof with knowledge.

    I think you have some real mental issues you need to address, because
    it's showing.

    I am real close to tossing you into the trash can, because once again,
    you are NOT talking about something that I don't already know, and you
    have gone out of control.
     
    Mr. Arnold, Jan 16, 2008
    #16
  17. *^&%$$#*%!

    Mr. Arnold Guest

    No I have not missed the point. I know exactly what is not a FW solution and
    what is a FW solution, And I know that Vista's packet filter and 3rd party
    FW solutions are not firewall solutions. A NAT router for home usage is not
    a true FW solution. It is an effective border device, but it's not a FW
    solution in the traditional sense.
    I'll go for the technical term of it, and what I know it to be.
     
    Mr. Arnold, Jan 16, 2008
    #17
  18.  
    Jon-Alfred Smith, Jan 16, 2008
    #18
  19. Well, you certainly have limited sense. What part of "But NAT is
    certainly one of the tools available to help secure a network" equates to
    "NAT is a security solution" in your mind?
    But I read all about it on Usenet!!!!
    Yes, and I'm sure the lurkers support you too.
    Hey, dude, grammar counts, k?
     
    the wharf rat, Jan 16, 2008
    #19
  20. For sure. Seems like the only thing you don't see on that one
    any more is HTTP.

    (That's a joke, Arnold, so don't get your panties in a wad, k?)
     
    the wharf rat, Jan 16, 2008
    #20
