
I've googled around, but don't see any answer or any similar questions here. There is some content about how the Windows Advanced Firewall matches rules, but what I don't understand is, what happens if you have conflicting subnet/port/application path rules? Say I have a program which talks across port 5555 on a specific interface/subnet. If I allow outgoing traffic across port 5555, and allow all traffic across the subnet that it's using, sometimes Windows Firewall will automatically create block rules for the program, so then I end up with rules like "allow all traffic across relevant subnet" and "allow outbound tcp traffic over 5555", but then I end up with a rule "block C:\Path\to\application", and sometimes the application doesn't behave correctly.

So how does Windows Firewall deal with conflicting rules? Is there an order? Does it prefer one type (subnet vs port vs path)? I can add rules for the application path, but I guess I don't understand, if I already have defined a subnet rule and a port rule, why I still get the Windows Firewall/Defender window popup when a new application is opened, and if I don't click allow, usually a block rule gets added, as an 'application rule', with the path to the application being the block criteria. Why doesn't it search for, and find, a matching subnet rule or a port rule?

Any decent diagnostic tools or information or links to content about conflicting rules would be great...thanks!

1 Answer


Windows Advanced Firewall rules are evaluated in a strict order.

All rules are divided into four groups. Within each category, rules are evaluated from the most specific to the least specific. For example, a rule that specifies four criteria is selected over a rule that specifies only three criteria. The evaluation is satisfied and stops with the first rule that matches within the group.

The four groups are as follows:

  1. Authenticated bypass
    These are rules in which the "Override block rules" option is selected together with "Allow if secure", to allow network traffic that would otherwise be blocked. They are intended for allowing through highly authorized network administrators and maintenance.

  2. Block connection
    The Block rules have a higher priority than all other rules.

  3. Allow connection
    Rules that allow inbound network traffic. These rules are required since the default behavior is to block unsolicited inbound network traffic.

  4. Default profile behavior
    The default behavior is to block unsolicited inbound network traffic, but to allow all outbound network traffic. This default behavior can be changed via the Domain Profile, Private Profile, and Public Profile tabs of the Firewall rule details.

For your specific example, the "block application" rule takes absolute precedence. Then comes the more specific "allow outbound tcp traffic over 5555", with the last in priority the general rule of "allow all traffic across relevant subnet".

References:

    Thanks for the info and references
    – prelic
    Commented Jun 13, 2020 at 16:28
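To make the evaluation order the answer describes concrete, here is a small Python model of it, added here and not code from the answer or from Windows itself, run over the asker's three rules. The subnet 192.168.50.0/24, the remote address and the rest of the connection details are constructed assumptions; the model treats "criteria" as the count of protocol, port, subnet and program path a rule specifies.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    name: str
    action: str                  # "bypass", "block" or "allow" (groups 1-3)
    direction: str               # "in" or "out"
    protocol: Optional[str] = None   # e.g. "tcp"
    port: Optional[int] = None       # remote port
    subnet: Optional[str] = None     # remote address range, CIDR
    app: Optional[str] = None        # full program path

    def criteria(self):
        """Number of criteria the rule specifies; more means more specific."""
        return sum(c is not None for c in (self.protocol, self.port, self.subnet, self.app))

    def matches(self, conn):
        return (self.direction == conn["direction"]
                and (self.protocol is None or self.protocol == conn["protocol"])
                and (self.port is None or self.port == conn["port"])
                and (self.subnet is None
                     or ipaddress.ip_address(conn["addr"]) in ipaddress.ip_network(self.subnet))
                and (self.app is None or self.app.lower() == conn["app"].lower()))

def evaluate(rules, conn):
    """Apply the answer's order: groups 1-3 in turn, most specific match within
    the first group that has one, then group 4 (profile default)."""
    for group in ("bypass", "block", "allow"):
        hits = [r for r in rules if r.action == group and r.matches(conn)]
        if hits:
            best = max(hits, key=Rule.criteria)
            return ("block" if group == "block" else "allow"), best.name
    # Group 4: block unsolicited inbound, allow outbound (the default profile behaviour)
    return ("allow" if conn["direction"] == "out" else "block"), "profile default"

# Constructed rule set mirroring the question; the subnet is an assumption.
RULES = [
    Rule("allow all traffic across relevant subnet", "allow", "out", subnet="192.168.50.0/24"),
    Rule("allow outbound tcp traffic over 5555", "allow", "out", protocol="tcp", port=5555),
    Rule("block C:\\Path\\to\\application", "block", "out", app=r"C:\Path\to\application"),
]
# Constructed connection: the program opening TCP 5555 to a host on that subnet.
CONN = {"direction": "out", "protocol": "tcp", "port": 5555,
        "addr": "192.168.50.20", "app": r"C:\Path\to\application"}
if __name__ == "__main__":
    print(evaluate(RULES, CONN))                                      # block rule wins
    print(evaluate([r for r in RULES if r.action != "block"], CONN))  # port rule beats subnet rule
```

With the block rule present the program is blocked regardless of the two allow rules; delete it and the two-criteria port rule is chosen over the one-criterion subnet rule, which is what the answer's ordering predicts.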

