
I have one rule that opens FTP port for all connections.

I have a second rule that blocks ALL connections on ALL protocols for some IPs.

However, connections from those blocked IPs can still connect to the FTP port because that rule obviously takes precedence.

How can I make this work? I do not see how I can adjust the order of rules in Windows Firewall.

vnuk
  • I found a solution, but it does not answer my question. I altered the block rule to apply only to the FTP port. In that case, it takes precedence over the allow rule. Can someone confirm that there is no rule ordering in Windows Firewall? – vnuk Feb 28 '10 at 07:52

3 Answers

Microsoft over the years has had security (be it file ACLs or the firewall) where more specific rules override less specific rules, instead of prioritization, so it would be reasonable to expect the firewall to work the same way. On file ACLs there is no prioritization. The logic is explained well in the Resource Kit: I remember seeing both the ordering AND the logic for why this works better than prioritization for rules in one of the old resource kits (not sure which Windows version).

One problem with firewalls that use prioritized rules is that I could accidentally put "allow all" at the highest priority and break my whole chain of rules. The same could happen here, but it would be a little less likely IMHO.

The rules are clearly and unambiguously specified on Technet:

Firewall rules are applied with the following precedence:

  • Allow this firewall rule to override block rules
  • Block connection
  • Allow connection
  • Default profile behavior (allow connection or block connection, as specified on the Profile tab of the Windows Firewall with Advanced Security Properties dialog)
– bart
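To see the precedence order quoted in this answer in practice, here is an added example (not part of the original thread and not the asker's configuration) that recreates the question's two rules with PowerShell. It assumes Windows 8 / Server 2012 or later, where the NetSecurity module's `New-NetFirewallRule` and `Get-NetFirewallRule` cmdlets exist, and an elevated shell; the rule names and the blocked addresses are made up for illustration.

```powershell
# Added example, not code from the original thread.
# Assumes: Windows 8 / Server 2012+ (NetSecurity module) and an elevated PowerShell session.
# Addresses below are constructed from the TEST-NET-3 documentation range, not real hosts.
$blockedSources = @('203.0.113.10', '203.0.113.0/24')

# Rule 1: the "allow FTP from anyone" rule from the question (inbound, TCP 21, any remote address).
New-NetFirewallRule -DisplayName 'Allow FTP (TCP 21)' `
    -Direction Inbound -Protocol TCP -LocalPort 21 `
    -RemoteAddress Any -Action Allow -Profile Any | Out-Null

# Rule 2: the "block everything from these IPs" rule. No -Protocol means the default, Any,
# and no -LocalPort means all ports, so this is broader than rule 1, not more specific.
New-NetFirewallRule -DisplayName 'Block listed sources' `
    -Direction Inbound -RemoteAddress $blockedSources `
    -Action Block -Profile Any | Out-Null

# There is no position or priority field to set: list both rules and note that the
# only ordering information is the Action. Per the Technet precedence order, a
# matching Block rule beats a matching Allow rule, so hosts in $blockedSources are
# refused on TCP 21 even though rule 1 would allow them.
Get-NetFirewallRule -DisplayName 'Allow FTP (TCP 21)', 'Block listed sources' |
    Select-Object DisplayName, Enabled, Direction, Action |
    Format-Table -AutoSize

# Verify which remote addresses each rule actually matches (a block rule scoped to the
# wrong profile or addresses is the usual reason it appears not to take effect).
foreach ($name in 'Allow FTP (TCP 21)', 'Block listed sources') {
    $rule = Get-NetFirewallRule -DisplayName $name
    $addr = $rule | Get-NetFirewallAddressFilter
    $port = $rule | Get-NetFirewallPortFilter
    '{0}: remote={1} protocol={2} localport={3}' -f $name,
        ($addr.RemoteAddress -join ','), $port.Protocol, ($port.LocalPort -join ',')
}

# Cleanup for a test box (comment out to keep the rules).
Remove-NetFirewallRule -DisplayName 'Allow FTP (TCP 21)', 'Block listed sources'
```

The first tier in the quoted list, rules that are allowed to override block rules, corresponds to the authenticated-bypass option (`-OverrideBlockRules` on `New-NetFirewallRule`, usable only together with `-Authentication Required`); it is deliberately not used here, since the question is about ordinary allow and block rules.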

In Solaris, more specific file ACLs override less specific ones; in practice this means a user allow ACE will override a group deny ACE.

In windows file ACLs, a Deny ACE will ALWAYS WIN.

Deny ACEs are pretty unusual. The common practice is to allow access to groups, and make users members of the groups that have the access required. There is no "Users Who Can't Vogue" group; you just don't make them a member of the "Users Who Can Vogue" group, then grant permission on "80s Songs" to that group. If that group contains almost everybody, so be it. Being in lots of groups is not a problem in Windows; I think it is a case which is specially optimised. (Some Unixes limit you to 32.)

In practice DENY ACEs are mostly used in Exchange, to stop Administrators from reading other people's mailboxes.
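As an added example (not from the original thread), the following PowerShell shows the Windows file-ACL behaviour this answer describes: an explicit Deny ACE for the current user is honoured even though the same user holds an Allow ACE on the directory. It assumes a Windows machine where the current user can create a folder under `%TEMP%`; the folder name and file name are made up for illustration.

```powershell
# Added example, not code from the original thread.
# Assumes: Windows, a user who can create files under $env:TEMP. Names are made up.
$demoDir = Join-Path $env:TEMP 'deny-ace-demo'
New-Item -ItemType Directory -Path $demoDir -Force | Out-Null

$me  = "$env:USERDOMAIN\$env:USERNAME"
$acl = Get-Acl -Path $demoDir

# Allow ACE: the current user may read, execute and write in the directory.
$allow = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $me, 'ReadAndExecute, Write', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
# Deny ACE: the same user is denied Write (which includes CreateFiles on a directory).
$deny = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $me, 'Write', 'ContainerInherit, ObjectInherit', 'None', 'Deny')

$acl.AddAccessRule($allow)
$acl.AddAccessRule($deny)
Set-Acl -Path $demoDir -AclObject $acl

# Show the resulting DACL. Windows writes explicit Deny ACEs before explicit Allow ACEs
# (canonical order), which is the mechanism by which "deny always wins" here.
(Get-Acl -Path $demoDir).Access |
    Where-Object { $_.IdentityReference -eq $me } |
    Format-Table IdentityReference, AccessControlType, FileSystemRights -AutoSize

# Try to create a file: the Allow ACE grants Write, the Deny ACE takes it away.
try {
    Set-Content -Path (Join-Path $demoDir 'test.txt') -Value 'hello' -ErrorAction Stop
    'Write succeeded (unexpected with the Deny ACE in place)'
} catch [System.UnauthorizedAccessException] {
    'Write denied: the Deny ACE won over the Allow ACE'
}

# Cleanup: drop the Deny ACE so the directory can be removed normally.
$acl = Get-Acl -Path $demoDir
$null = $acl.RemoveAccessRule($deny)
Set-Acl -Path $demoDir -AclObject $acl
Remove-Item -Path $demoDir -Recurse -Force
```

Run it in a non-elevated session to see the point of the answer most clearly; an administrator can still take ownership and rewrite the DACL, but while the Deny ACE is present it wins over any explicit Allow on the same object.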