I'm using Windows 7 Ultimate.

I have set the built-in firewall in outbound white list mode (block unless allowed by a rule).

Now I'm trying to configure some outbound rules for the built-in firewall. If I have

C:\Dir\app.exe

that tries to make outbound connections it gets blocked by default and if I add a rule specifically allowing it, it goes through. So far, perfectly fine. Everything works according to the fine manual. :)

The problem is the filesystem structure that I use is a bit more complex (flexible): I have various disk drives aside from the one Windows is installed on. Each volume (partition) (that Windows can read) is mounted under

C:\mnt

like this:

C:\mnt\1

C:\mnt\2

C:\mnt\3

Then I use junctions (symlinks) from (for example):

C:\Apps to C:\mnt\1\^W7_Apps

C:\mnt\1\^W7_Apps has inside Network\Iron\Iron.exe so that makes

C:\Apps\Network\Iron\Iron.exe a valid path (that is used to start that particular browser).

This path is, for all intents and purposes (heh) as real a path as any. Windows Explorer sees it and is able to use it. Other file managers too.

Back to the firewall.

If I add a rule that allows C:\Apps\Network\Iron\Iron.exe to make outbound connections, it does not work. At all.

If instead I add a rule that allows C:\mnt\1\^W7_Apps\Network\Iron\Iron.exe (shouldn't make a difference but hey) to make outbound connections, it also does not work. At all.

I've installed Windows Firewall Notifier. This plugs into the Windows Firewall framework and adds some missing functionality. One missing function that it adds is notifications on outbound connection attempts from applications not already covered by a rule. When I then tested C:\Apps\Network\Iron\Iron.exe again, a popup asked me if I wanted to allow \device\harddiskvolume8\^w7_apps\network\iron\iron.exe to make that connection.

BINGO! I thought. Internally, the firewall sees the path to the binary in that Object Manager namespace notation. Thank you fine manual for never mentioning this.

But sadly, allowing that connection creates a rule that also doesn't work.

Help. :)

Not sure if this question is best posted here on SuperUser or should it go to ServerFault or StackOverflow or to [email protected]

1 Answer

While I'm not sure about Windows 7, in Windows 10 using the 'real' path - in our case using %ProgramFiles%\CompanyName\ProgramType\%Version%\program.exe - worked with the Windows Firewall. Note that in our case the system environment variable Version contains a version-specific part of the path, e.g. V12.0.1.23.
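
The following added example (not part of the question or the answer above) asks Windows for the final path behind a junction or volume mount point in its DOS, volume GUID and NT device forms, using GetFinalPathNameByHandleW. The names FinalPath and Get-ResolvedPathForms are made up for this example.

```powershell
# Added example. FinalPath and Get-ResolvedPathForms are hypothetical names.
$src = @'
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Text;
using Microsoft.Win32.SafeHandles;
public static class FinalPath {
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern SafeFileHandle CreateFileW(string name, uint access, uint share,
        IntPtr security, uint disposition, uint flags, IntPtr template);
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern uint GetFinalPathNameByHandleW(SafeFileHandle handle,
        StringBuilder buffer, uint length, uint flags);
    // volumeFlag: 0 = VOLUME_NAME_DOS, 1 = VOLUME_NAME_GUID, 2 = VOLUME_NAME_NT
    public static string Resolve(string path, uint volumeFlag) {
        // access 0 = query only, share 7 = read|write|delete, 3 = OPEN_EXISTING,
        // 0x02000000 = FILE_FLAG_BACKUP_SEMANTICS (lets directories be opened too)
        using (SafeFileHandle h = CreateFileW(path, 0, 7, IntPtr.Zero, 3,
                                              0x02000000, IntPtr.Zero)) {
            if (h.IsInvalid) throw new Win32Exception(Marshal.GetLastWin32Error());
            StringBuilder buf = new StringBuilder(512);
            uint n = GetFinalPathNameByHandleW(h, buf, (uint)buf.Capacity, volumeFlag);
            if (n > buf.Capacity) {            // buffer too small: n is the needed size
                buf = new StringBuilder((int)n);
                n = GetFinalPathNameByHandleW(h, buf, (uint)buf.Capacity, volumeFlag);
            }
            if (n == 0) throw new Win32Exception(Marshal.GetLastWin32Error());
            return buf.ToString();
        }
    }
}
'@
Add-Type -TypeDefinition $src
function Get-ResolvedPathForms {
    param([Parameter(Mandatory = $true)][string]$Path)
    $flags  = @{ Dos = 0; VolumeGuid = 1; NtDevice = 2 }
    $result = New-Object PSObject -Property @{ Input = $Path }
    foreach ($name in 'Dos', 'VolumeGuid', 'NtDevice') {
        # A form can be unavailable (e.g. no DOS name for the volume); report it
        try   { $value = [FinalPath]::Resolve($Path, [uint32]$flags[$name]) }
        catch { $value = "<unresolved: $($_.Exception.Message)>" }
        Add-Member -InputObject $result -MemberType NoteProperty -Name $name -Value $value
    }
    $result
}

# The junction path from the question; run it against any existing file.
Get-ResolvedPathForms 'C:\Apps\Network\Iron\Iron.exe' | Format-List
```

The NtDevice value uses the same \Device\HarddiskVolumeN notation that the Windows Firewall Notifier popup in the question displayed.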
