Adventures in Windows Firewall Whitelisting

The user decides what web content is acceptable or not in their browser.

Raymond Hill, uBlock Origin Manifesto

The above quote is the reason I use browser extensions to protect my privacy on the web. I have them configured in an extreme fashion, where everything that I don’t explicitly allow is blocked. Banned. Voided.

But what about the operating system? What of the hundreds of apps, utilities & games that I have installed on my system? Unlike with the web browser, there is no extension API allowing me to easily deploy a tool to monitor how these apps connect to the web. There is however a firewall built into Windows.

The Windows 10 built-in firewall works really well, but the usability is absolutely terrible. My “hard-mode” configured browser extensions require a lot of maintenance to get them working right. You can spot extreme security because it breaks a lot of things. But the Windows firewall is not designed to be used like this. The menu layouts are confusing, accessing the UI to begin with is difficult, and adding new rules is a protracted process that would be impossible to do on-the-fly. There is a command line interface, but it’s not all that easier than the regular UI to use quickly.

Windows Firewall Notifier

Recently I found an app which does exactly what I want: Windows Firewall Notifier (WFN). Windows offers its own set of notifications for blocked connections, but these are quite odd. It only shows them when an app creates a block rule, and only for incoming connections. WFN goes further and can enable notifications for every blocked connection. This allows me to do the kind of micromanaging I have become accustomed to with uMatrix.

The WFN interface looks a lot cleaner than Windows’ Firewall manager. All the important firewall options exist on a single screen.

Notifications

WFN lets you allow a program easily and quickly when you are in default blocking mode. Like uMatrix, it leverages the Windows firewall to offer rules based on multiple criteria. You can allow a whole program, only allow for a specific protocol/port, or only for a particular destination.

Extras

WFN also offers some additional views which include graphs and an alternative logging and rule views of the firewall. But these feel a tad difficult to use, and other I think other programs dedicated to these tasks would perform better.

Summary

The WFN app isn’t perfect though. Right now, I’m using a beta, version 3, and it has some problems:

  • The UI of the console program is slow. The logging views are particularly sluggish.
  • There is a resource usage bug for certain types of program which spawns too many notifications.
  • I did have to use the bundled uninstall script in order to reset the app after it broke the notifications.

But I expect this from beta quality software. Generally the WFN app works well for what I need, and its authors continue to develop it in an open fashion on the WFN GitHub project.

Windows Firewall Control

After discussing this with some users on discord, I was pointed towards Windows Firewall Control (branded as Malwarebytes, but developed independently, as far as I can tell). This program also offers a lot of controls for configuring the system firewall.

Notifications

WFC also offers notifications on a per-app-block basis when using blocking mode. WFC runs as a service, unlike WFN, so once installed it’s possible to use block and allow directly from the notifications on a non-admin Windows account, which is super useful.

Extras

It offers a PDF manual, which is nice and old school. The rules that it adds to the Windows Firewall are grouped properly, unlike those rules added by WFN.

Summary

The WFC app seems more policed than the aforementioned WFN app. It doesn’t have as many bugs with showing notifications and offers a lot more customisation of how to show notifications, exception lists and more. Though the WFC interface is a bit more cluttered which starts to move in the wrong direction for my tastes. Luckily, it is very much a set-it-and-forget-it app after the initial learning curve.

As far as I can tell, WFC is closed source with an EULA instead of a normal open software license, which is a pity, particularly given the importance of being able to audit security software and maintain it should the original author move on. The ads all over it for Malwarebytes are also a bit disturbing and reduce my trust in it.

I have had some issues with authenticating into Windows Apps (getting an error “0x800704cf”). Toggling the WFC into the “Low filtering” profile temporarily solves this.


When I figured out I could make the Windows system firewall operate in a default blocking mode, I felt a whole lot safer using my PC, much like when I initially discovered noscript for Firefox all those years back.

The WFN and WFC apps are a little bonus on top, making things more usable. Next, I need to figure out how to do something similar for the filesystem. Though now that I can block apps from accessing the internet, file system access is less of a priority, as even if there are malicious apps, it will be much harder to send private data out over the web.

Join the Conversation

  1. I must agree completely regarding Windows Firewall.
    Third party apps to govern firewall settings, well I’m not so sure. Perhaps in my old age I am bit too paranoid…

    1. Yes, I’m very wary of 3rd party software. The ones I’ve reviewed seem to have a decent following on the net and no major security risks raised. They mostly seem to do little beyond adding a notification and a UI around the existing firewall tool, which is the bare minimum required.

      This is far better than most 3rd anti-virus/software security apps which go way too far in adding all sorts of bells and whistles that I would not want to go anywhere near.

  2. I was hoping you’d do a comparison, nice job.

    Binsoft have been making WFC for a long time so it is mature and trusted.
    I was annoyed when Malwarebytes bought it, but mostly the only big change is the UI.

    OK. so you want whitelisting for the OS for free next.
    In that case you should look here https://www.novirusthanks.org/products/

Comment

Vivaldi