henrypp / simplewall

Simple tool to configure Windows Filtering Platform (WFP) which can configure network activity on your computer.
GNU General Public License v3.0

[Question/Feature Request] Are Rules Applied Before Simplewall Is Launched? #799

Closed seniorm0ment closed 3 years ago

seniorm0ment commented 3 years ago

Was curious: on computer startup, if applications start before Simplewall, does that mean everything is not behind a firewall (given you disabled Windows Firewall) and has free range until Simplewall finishes launching?

If this is the case, this is an issue; is there any way to fix this? Ideally all communications (inbound, outbound, forwarding) should be blocked until Simplewall rules are applied.

NullCryp70 commented 3 years ago

Simplewall uses WFP rules.

seniorm0ment commented 3 years ago

Can you please elaborate on what that implies to my question?

NullCryp70 commented 3 years ago

Sure, take a look at the WFP features.

https://docs.microsoft.com/en-us/windows/win32/fwp/about-windows-filtering-platform

TontyTon commented 3 years ago

Simplewall rules are working as soon as the WFP service starts; it doesn't depend on whether simplewall has started or not. So, if all connections are allowed before the WFP service starts, which I highly doubt, then it is a Windows issue.

pwn0r commented 3 years ago

> Simplewall rules are working as soon as the WFP service starts; it doesn't depend on whether simplewall has started or not. So, if all connections are allowed before the WFP service starts, which I highly doubt, then it is a Windows issue.

Technically speaking, it starts even earlier, before any network service starts.

There is a feature called boot-time filters, natively implemented by Windows, which you can also enable in simplewall (in settings/rules). Also, it is a technicality but an important one: Windows filtering is not done by a WFP service. Actual filtering is done by the BFE service; the Defender Firewall (as it is called in W10) is a management system for it. On older versions of Windows you can entirely disable the firewall service and simplewall would manage filtering just perfectly (since W10 1809 it is not easy to stop WDF).

During normal operation (simplewall not used and Windows Firewall is enabled) the following happens:

  1. During boot time the TCP/IP stack starts, boot-time filters are enabled automatically.
  2. When BFE service starts during boot process, these boot-time filters are replaced with persistent filters.
  3. When WDF starts, it adds dynamic filters on top as well, which are session-only.

And yes, Windows does have native boot-time filters; they block (nearly all) inbound traffic by default (though the actual implementation may vary among versions, so the actual details should be in some serious system-level docs).
Obviously the points above only apply from W7 to W10; older versions had things completely different, but that's irrelevant nowadays anyway, we should not care about that.
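A way to check which of the three filter classes pwn0r describes (boot-time, persistent, session-only dynamic) are actually present on a machine, and whether BFE and the Defender Firewall service are set to start automatically. This is an added PowerShell example, not simplewall's own code or anything posted in the thread; it assumes the element names used by the `netsh wfp show filters` XML export (filters/item, flags/item, action/type, layerKey, displayData/name) and that boot-time filters are enumerated with the FWPM_FILTER_FLAG_BOOTTIME flag.

```powershell
# Added audit script (not simplewall's code, not from this thread). Run from an elevated
# PowerShell prompt: 'netsh wfp show filters' refuses to export without admin rights.
# Assumption: the element names below (filters/item, flags/item, action/type, layerKey,
# displayData/name) follow netsh's XML export format.

# 1. The services that matter in the boot window: BFE does the filtering,
#    MpsSvc (Defender Firewall) only manages its own rules on top of it.
foreach ($name in 'BFE', 'MpsSvc') {
    $svc = Get-CimInstance Win32_Service -Filter "Name='$name'"
    if ($null -eq $svc) { Write-Warning "service $name not found"; continue }
    '{0,-7} state={1,-8} startmode={2}' -f $svc.Name, $svc.State, $svc.StartMode
}

# 2. Export the live filter set and classify each filter by how long it survives.
$dump = Join-Path $env:TEMP 'wfp-filters.xml'
Remove-Item -Path $dump -ErrorAction SilentlyContinue
netsh wfp show filters file="$dump" | Out-Null
if (-not (Test-Path -Path $dump)) { throw 'netsh wfp export failed; are you elevated?' }
[xml]$xml = Get-Content -Path $dump -Raw

$counts = [ordered]@{ BootTime = 0; Persistent = 0; Dynamic = 0 }
$bootTimeBlocks = New-Object System.Collections.Generic.List[string]
foreach ($f in $xml.SelectNodes('//filters/item')) {
    $flags = @($f.flags.item)   # symbolic FWPM_FILTER_FLAG_* names; may be empty
    if ($flags -contains 'FWPM_FILTER_FLAG_BOOTTIME') {
        # Active from TCP/IP stack init until BFE replaces them with persistent filters.
        $counts.BootTime++
        if ($f.action.type -eq 'FWP_ACTION_BLOCK') {
            $bootTimeBlocks.Add(('{0} @ {1}' -f $f.displayData.name, $f.layerKey))
        }
    }
    elseif ($flags -contains 'FWPM_FILTER_FLAG_PERSISTENT') {
        # Stored in the BFE persistent store; re-applied every time BFE starts.
        $counts.Persistent++
    }
    else {
        # Session-only: removed when the WFP session that added it closes.
        $counts.Dynamic++
    }
}

'Filter classes:'
$counts.GetEnumerator() | ForEach-Object { '  {0,-10} {1}' -f $_.Key, $_.Value }
if ($counts.BootTime -eq 0) {
    Write-Warning 'No boot-time filters: nothing covers the window before BFE is up.'
}
'Boot-time BLOCK filters (first 20):'
$bootTimeBlocks | Select-Object -First 20 | ForEach-Object { "  $_" }
```

Run it once with simplewall's boot-time filter option off and once with it on and compare the BootTime count and the block list; a BFE StartMode other than Auto is what would leave the gap TontyTon reports below open.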

seniorm0ment commented 3 years ago

Thank you very much for the clarity everyone.

TontyTon commented 3 years ago

@pwn0r Yeah, it is BFE; I got confused, that's why I said WFP. About boot-time filters: I tested more than a year ago; after Windows started, I started a network monitoring app and saw connections being made, even when everything was blocked in SW. Then I found out that it was the BFE service that started late. Maybe it was a Windows bug; I have not tested recently.

pwn0r commented 3 years ago

> after Windows started, I started a network monitoring app and saw connections being made, even when everything was blocked in SW. Then I found out that it was the BFE service that started late. Maybe it was a Windows bug; I have not tested recently.

Interesting. It would be nice to test this. I am obviously not in the know regarding what is actually implemented in simplewall's boot-time filters; this is a question only the developer can answer.

TontyTon commented 3 years ago

The issue was discussed here: https://github.com/henrypp/simplewall/issues/292. Henry closed the issue, so maybe he did whatever could have been done from the SW side.