[Bug] Block ip rules very limited

dougg0k commented 1 year ago

Checklist

[X] I have used the search function to see if someone else has already submitted the same bug report.
[X] I will describe the problem with as much detail as possible.

App version

3.7.2

Windows version

11 22H2

Steps to reproduce

Export
Add rule with many ips
Import

Expected behavior

To include every single IP in the rule.

Actual behavior

It only included very few of them. When I tried to add more manually, I was also not able to, I could not even edit the last addition to add one more number, it was like there was a character limit to the total amount of rules.

I've been trying to use geofence rules that involve big amount of ip blocking, but not only there are missing features, there is also limits to the amount you can do, even by batching it. Only some of the first ones were blocked.

<rules_custom>
  <item name="Overwatch2-GeoFence" rule="34.85.0.0-34.85.127.255;34.84.0.0-34.84.255.255;35.190.224.0-35.190.239.255;35.194.96.0-35.194.255.255;35.221.64.0-35.221.255.255;34.146.0.0-34.146.255.255;34.84.0.0/16;34.85.0.0/17;34.104.62.0/23;34.104.128.0/17;34.127.190.0/23;34.146.0.0/16;34.157.64.0/20;34.157.164.0/22;34.157.192.0/20;35.187.192.0/19;35.189.128.0/19;35.190.224.0/20;35.194.96.0/19;35.200.0.0/17;35.213.0.0/17;35.220.56.0/22;35.221.64.0/18;35.230.240.0/20;35.242.56.0/22;35.243.64.0/18;104.198.80.0/20;104.198.112.0/20;34.97.0.0/16;34.104.49.0/24;34.127.177.0/24;35.217.128.0/17;35.220.45.0/24;35.242.45.0/24;35.243.56.0/21;;34.124.0.0-34.124.255.255;34.124.42.0-34.124.43.255;34.142.128.0-34.142.255.255;35.185.176.0-35.185.191.255;35.186.144.0-35.186.159.255;35.247.128.0-35.247.191.255;34.87.0.0-34.87.191.255;34.143.128.0-34.143.255.255;34.124.128.0-34.124.255.255;34.126.64.0-34.126.191.255;35.240.128.0-35.240.255.255;35.198.192.0-35.198.255.255;34.21.128.0-34.21.255.255;34.104.58.0-34.104.59.255;34.124.41.0-34.124.42.255;34.157.82.0-34.157.83.255;34.157.88.0-34.157.89.255;34.157.210.0-34.157.211.255;35.187.224.0-35.187.255.255;35.197.128.0-35.197.159.255;35.213.128.0-35.213.191.255;35.220.24.0-35.220.25.255;35.234.192.0-35.234.207.255;35.242.24.0-35.242.25.255;34.126.128.0/18;34.87.128.0/18;34.21.128.0/17;34.87.0.0/17;34.87.128.0/18;34.104.58.0/23;34.104.106.0/23;34.124.42.0/23;34.124.128.0/17;34.126.64.0/18;34.126.128.0/18;34.142.128.0/17;34.143.128.0/17;34.157.82.0/23;34.157.88.0/23;34.157.210.0/23;35.185.176.0/20;35.186.144.0/20;35.187.224.0/19;35.197.128.0/19;35.198.192.0/18;35.213.128.0/18;35.220.24.0/23;35.234.192.0/20;35.240.128.0/17;35.242.24.0/23;35.247.128.0/18;34.101.18.0/24;34.101.20.0/22;34.101.24.0/22;34.101.32.0/19;34.101.64.0/18;34.101.128.0/17;34.128.64.0/18;35.219.0.0/17;;121.254.0.0-121.254.255.255;117.52.0.0-117.52.255.255;;34.64.0.0-34.64.255.255;121.254.0.0-121.254.255.255;34.0.96.0/19;34.64.32.0/19;34.64.64.0/22;34.64.68.0/22;34.64.72.0/21;34.64.80.0/20;34.64.96.0/19;34.64.128.0/22;34.64.132.0/22;34.64.136.0/21;34.64.144.0/20;34.64.160.0/19;34.64.192.0/18;35.216.0.0/17;34.22.64.0/19;34.22.96.0/20;;5.42.160.0-5.42.160.255;35.221.128.0/17;;34.88.0.0/16;34.104.96.0/21;34.124.32.0/21;35.203.232.0/21;35.217.0.0/18;35.220.26.0/24;35.228.0.0/16;35.242.26.0/24;;5.42.184.0-5.42.191.255;;104.155.0.0/17;104.199.0.0/18;104.199.66.0/23;104.199.68.0/22;104.199.72.0/21;104.199.80.0/20;104.199.96.0/20;130.211.48.0/20;130.211.64.0/19;130.211.96.0/20;146.148.112.0/20;146.148.16.0/20;146.148.2.0/23;146.148.4.0/22;146.148.8.0/21;192.158.28.0/22;23.251.128.0/20;34.104.110.0/23;34.104.112.0/23;34.104.126.0/23;34.105.128.0/17;34.107.0.0/17;34.118.244.0/22;34.118.254.0/23;34.124.46.0/23;34.124.48.0/23;34.124.62.0/23;34.127.186.0/23;34.140.0.0/16;34.141.0.0/17;34.141.128.0/17;34.142.0.0/17;34.147.0.0/17;34.147.128.0/17;34.154.0.0/16;34.155.0.0/16;34.157.12.0/22;34.157.136.0/23;34.157.140.0/22;34.157.168.0/22;34.157.176.0/20;34.157.208.0/23;34.157.220.0/22;34.157.36.0/22;34.157.40.0/22;34.157.48.0/20;34.157.8.0/23;34.157.80.0/23;34.157.92.0/22;34.159.0.0/16;34.163.0.0/16;34.65.0.0/16;34.76.0.0/14;34.89.0.0/17;34.89.128.0/17;34.90.0.0/15;35.187.0.0/17;35.187.160.0/19;35.189.192.0/18;35.189.64.0/18;35.190.192.0/19;35.195.0.0/16;35.197.192.0/18;35.198.128.0/18;35.198.64.0/18;35.203.210.0/23;35.203.212.0/22;35.203.216.0/22;35.204.0.0/16;35.205.0.0/16;35.206.128.0/18;35.207.128.0/18;35.207.64.0/18;35.210.0.0/16;35.214.0.0/17;35.214.128.0/17;35.216.128.0/17;35.219.224.0/19;35.220.16.0/23;35.220.18.0/23;35.220.20.0/22;35.220.44.0/24;35.220.96.0/19;35.230.128.0/19;35.233.0.0/17;35.234.128.0/19;35.234.160.0/20;35.234.64.0/18;35.235.216.0/21;35.235.32.0/20;35.235.48.0/20;35.240.0.0/17;35.241.128.0/17;35.242.128.0/18;35.242.16.0/23;35.242.18.0/23;35.242.192.0/18;35.242.20.0/22;35.242.44.0/24;35.242.64.0/19;35.246.0.0/17;35.246.128.0/17;5.42.168.0-5.42.175.255;5.42.184.0-5.42.191.255;8.34.208.0/23;8.34.211.0/24;8.34.220.0/22;34.22.128.0/17;34.104.116.0/22;34.116.128.0/17;34.118.0.0/17;34.124.52.0/22;34.157.44.0/23;34.157.172.0/23;34.164.0.0/16;34.175.0.0/16;34.22.112.0/20;34.17.0.0/16;34.157.124.0/23;34.157.250.0/23;34.0.160.0/19;34.157.121.0/24;34.157.249.0/24;;5.42.168.0-5.42.175.255;;24.105.40.0-24.105.47.255;8.34.210.0/24;8.34.212.0/22;8.34.216.0/22;8.35.192.0/21;23.236.48.0/20;23.251.144.0/20;34.16.0.0/17;34.27.0.0/16;34.28.0.0/14;34.66.0.0/15;34.68.0.0/14;34.72.0.0/16;34.118.200.0/21;34.121.0.0/16;34.122.0.0/15;34.132.0.0/14;34.136.0.0/16;34.157.84.0/23;34.157.96.0/20;34.157.212.0/23;34.157.224.0/20;34.170.0.0/15;34.172.0.0/15;35.184.0.0/16;35.188.0.0/17;35.188.128.0/18;35.188.192.0/19;35.192.0.0/15;35.194.0.0/18;35.202.0.0/16;35.206.64.0/18;35.208.0.0/15;35.220.64.0/19;35.222.0.0/15;35.224.0.0/15;35.226.0.0/16;35.232.0.0/16;35.238.0.0/15;35.242.96.0/19;104.154.16.0/20;104.154.32.0/19;104.154.64.0/19;104.154.96.0/20;104.154.113.0/24;104.154.114.0/23;104.154.116.0/22;104.154.120.0/23;104.154.128.0/17;104.155.128.0/18;104.197.0.0/16;104.198.16.0/20;104.198.32.0/19;104.198.64.0/20;104.198.128.0/17;107.178.208.0/20;108.59.80.0/21;130.211.112.0/20;130.211.128.0/18;130.211.192.0/19;130.211.224.0/20;146.148.32.0/19;146.148.64.0/19;146.148.96.0/20;162.222.176.0/21;173.255.112.0/21;199.192.115.0/24;199.223.232.0/22;199.223.236.0/24;34.22.0.0/19;35.186.0.0/17;35.186.128.0/20;35.206.32.0/19;35.220.46.0/24;35.242.46.0/24;107.167.160.0/20;108.59.88.0/21;173.255.120.0/21;;104.196.0.0/18;104.196.128.0/18;104.196.192.0/19;104.196.65.0/24;104.196.66.0/23;104.196.68.0/22;104.196.96.0/19;162.216.148.0/22;34.104.124.0/23;34.104.56.0/23;34.104.60.0/23;34.118.250.0/23;34.118.252.0/23;34.124.60.0/23;34.127.184.0/23;34.127.188.0/23;34.138.0.0/15;34.145.128.0-34.145.255.255;34.145.128.0/17;34.148.0.0/16;34.150.128.0-34.150.255.255;34.150.128.0/17;34.157.0.0/21;34.157.128.0/21;34.157.144.0/20;34.157.16.0/20;34.157.160.0/22;34.157.32.0/22;34.161.0.0/16;34.162.0.0/16;34.21.0.0/17;34.23.0.0/16;34.24.0.0/15;34.26.0.0/16;34.73.0.0/16;34.74.0.0/15;34.85.128.0-34.85.255.255;34.85.128.0/17;34.86.0.0-34.86.255.255;34.86.0.0/16;34.98.128.0/21;35.185.0.0/17;35.186.160.0-35.186.191.255;35.186.160.0/19;35.188.224.0/19;35.190.128.0/18;35.194.64.0/19;35.196.0.0/16;35.199.0.0-35.199.63.255;35.199.0.0/18;35.206.10.0/23;35.207.0.0/18;35.211.0.0/16;35.212.0.0/17;35.220.0.0/20;35.220.60.0/22;35.221.0.0/18;35.227.0.0/17;35.229.16.0/20;35.229.32.0/19;35.229.64.0/18;35.230.160.0/19;35.231.0.0/16;35.234.176.0/20;35.236.192.0-35.236.255.255;35.236.192.0/18;35.237.0.0/16;35.242.0.0/20;35.242.60.0/22;35.243.128.0/17;35.243.40.0/21;35.245.0.0-35.245.255.255;35.245.0.0/16;34.152.72.0/21;34.177.40.0/21;;24.105.8.0-24.105.15.255;34.124.0.0/21;;35.247.0.0/17;35.236.0.0/17;35.235.64.0/18;34.102.0.0/17;34.94.0.0/16;34.19.0.0/17;34.82.0.0/15;34.105.0.0/17;34.118.192.0/21;34.127.0.0/17;34.145.0.0/17;34.157.112.0/21;34.157.240.0/21;34.168.0.0/15;35.185.192.0/18;35.197.0.0/17;35.199.144.0/20;35.199.160.0/19;35.203.128.0/18;35.212.128.0/17;35.220.48.0/21;35.227.128.0/18;35.230.0.0/17;35.233.128.0/17;35.242.48.0/21;35.243.32.0/21;35.247.0.0/17;104.196.224.0/19;104.198.0.0/20;104.198.96.0/20;104.199.112.0/20;34.20.128.0/17;34.94.0.0/16;34.102.0.0/17;34.104.64.0/21;34.108.0.0/16;34.118.248.0/23;35.215.64.0/18;35.220.47.0/24;35.235.64.0/18;35.236.0.0/17;35.242.47.0/24;35.243.0.0/21;34.22.32.0/19;34.104.52.0/24;34.106.0.0/16;34.127.180.0/24;35.217.64.0/18;35.220.31.0/24;35.242.31.0/24;34.16.128.0/17;34.104.72.0/22;34.118.240.0/22;34.124.8.0/22;34.125.0.0/16;35.219.128.0/18;34.124.0.0/21;;37.244.42.0-37.244.42.255;34.87.192.0/18;34.104.104.0/23;34.116.64.0/18;34.124.40.0/23;34.151.64.0/18;34.151.128.0/18;35.189.0.0/18;35.197.160.0/19;35.201.0.0/19;35.213.192.0/18;35.220.41.0/24;35.234.224.0/20;35.242.41.0/24;35.244.64.0/18;34.104.122.0/23;34.124.58.0/23;34.126.192.0/20;34.129.0.0/16;34.0.16.0/20;;157.175.0.0-157.175.255.255;15.185.0.0-15.185.255.255;15.184.0.0-15.184.255.255;16.24.0.0/16;" dir="2" apps="C:\program files (x86)\steam\steamapps\common\overwatch\overwatch.exe" is_block="true" is_enabled="true"/>
</rules_custom>

bad_impl

Last one that was able to be added was 34.157.64.0/20 but if you see in the screenshot, the 0 was not allowed due to the hard limit.

Logs

No response

I requested this https://github.com/henrypp/simplewall/issues/1548 before, but the way it is, not even this would work due to the hard limit.

dougg0k commented 1 year ago

I was looking through the code, it seems the 256 char limit are intentional, just not sure for what reason.

Can you increase to how much anyone want to add in rules?

In my example there were almost 8000 IP characters.

In profile.c, editor.c and helper.c there were some code that seemed to be related, a bunch of arrays or stringbuilder with straight 256 number. Who knows if they have anything in common (rules and profile seem related to the issue), but just by not having anything to give meaning to the value or choice of the value, seems like bad code.

Simplewall are still the best option to use, it would be nice to have this fixed / changed.

First I thought it was related to windows 260 limit, but then the limit were exactly 256, and windows was already enabled to go beyond the limit.

This seem like it could it could be rewritten in Rust, to have a much less complex codebase to be better maintainable as to easily add new features or make changes. It would probably get more popular too because of it, if you were to be interested and able to.

@henrypp

It seems that Windows Firewall has a 10_000 ip range entries limit per rule.

Tharn commented 1 year ago

Adding long IP lists, such as simplewall's own blocker lists used to do (I don't know if it still does this) is no good for the WFP. It grinds Windows networking to a slog, I assume having to do something with DNS.

tnodir commented 1 year ago

That's why PeerBlock used custom driver to effectively handle huge IP lists.

I've influenced by it to implement the Fort Firewall.

dougg0k commented 1 year ago

If it's not good for perf, why would they make it possible with windows firewall?

If I had to answer my own question, it would be because it's not that bad or ms doesnt care.

Regardless, in the case that I needed for, it wouldnt be tons of requests happening, once you connect to a server, you would be good for a good amount of time.

Tharn commented 1 year ago

They make it possible but there's no default rule that behaves like this. All default rules are tightly defined. But a couple of third-party programs will define big IP ranges, usually against Windows telemetry.

It's not about whether a lot of these IPs get accessed; just having a long list in there is enough. Windows Networking has to parse this list whenever you input a URL into the browser, and suddenly requests take 20x as long.

I wonder if this would work better being set in a router directly. It's also possible it will work better for you than it did for me. YMMV.

dougg0k commented 1 year ago

It should only take that long in a browser if the executable associated with the rules were the browser(s). Not the case.

crazyyzarc commented 12 months ago

I don't want to allow svchost without IPs condition. Currently, only a certain number of IPs or no DNS names are allowed.

How can I allow all Windows Update 200 IPs/DNS?

2023-12-06_09-37-43-488_ejdsL

henrypp commented 12 months ago

@crazyyzarc u 0iq? to allow windows updates u dont need ip list,only allow windows update in menu

crazyyzarc commented 12 months ago

@crazyyzarc u 0iq? to allow windows updates u dont need ip list,only allow windows update in menu

This requires that I whitelist svchost.exe. Isn't that right?

henrypp commented 12 months ago

@crazyyzarc svchost not needed for WU

crazyyzarc commented 12 months ago

@crazyyzarc svchost not needed for WU

2023-12-06_11-25-52-546_N0VS3 In english: “We were unable to establish a connection with the update service. We will try again later. Alternatively, you can try now. Check your internet connection if it is still not working.”

After I deleted the log and clicked in Windows Update Window Reload, the Simplewall block log is displayed: 2023-12-06_11-24-53-485_xyByR

I have Windows 10 22H2 and I have blocked svchost.exe

henrypp commented 12 months ago

@crazyyzarc as i say it is complete 0iq

sshot-001

henrypp / simplewall