Closed YZgitter closed 11 months ago
I enabled that too and it's still not blocked. I can still ping the other PC.
And I thought that filter was for loopback stuff, for programs like Firefox. But, even with that enabled, Fort didn't detect Firefox. Another firewall always detects it making a connection to 127.0.0.1.
Oh yeah oops, now I remember. You have to remove the connections from Options -> IP addresses (Internet Addresses) and remove the IP you don't want your PC to use.
Also, to stop the pinging in the other computer, you must block System or NT Kernel & System in the remote device; if not, you will also block the pinging to remote devices, unless you allow the IP of the remote devices in the IP addresses (Internet Addresses).
Also, "Restrict access to LAN only" does exactly that: it restricts programs to only use LAN, so the option would have never stopped the ping BTW.
You have to remove the connections from Options -> IP addresses (Internet Addresses) and remove the IP you don't want your PC to use.
Yes, I can see that. But doing that affects all programs, so the per-program setting "Restrict access to LAN only" doesn't make sense and it doesn't work as it says (LAN access is blocked in that case).
But yes, the IP Addresses feature affects all programs.
Internet Addresses = applies to blocked/not allowed programs.
Allowed Internet Addresses = applies to Allowed programs.
That's why I said to block NT Kernel & System, because if you allow it, you allow all IPs for it, and if you block it, the Internet Addresses IPs would affect it.
That means you would have to add the IP of your device to the Excluded list of the Allowed Internet Addresses, which would affect even more apps, since Blocked = you expect no connections.
So that's the difference between the two modes, and I decided to reword my comment to make the differences clearer.
But this is why this issue exists: https://github.com/tnodir/fort/issues/2, which would allow tweaking rules for individual programs, including ports and IPs and whether it is inbound or outbound and all that, because currently Fort doesn't do ports yet either, which is also important for some stuff as well.
And well, "Restrict access to LAN only" matters if a program needs only LAN and that's it. Since allowing a program = allowing all IPs for the program, you at least have a way to restrict it if it only needs to work on LAN, so it can be useful in some situations, but rarely.
Internet Addresses = applies to blocked/not allowed programs.
Allowed Internet Addresses = applies to Allowed programs.
I don't think this is very accurate, because even if both "Internet Addresses" and "Allowed Internet Addresses" include a LAN range and a program is set to Allow with "LAN only", the program will be blocked completely.
Just to be clear, a simple question: Is it possible in Fort to block one program completely, from LAN too, while allowing another program to LAN only?
That's what I expect when I see that one program is "blocked" and the other is set to "LAN only".
But if this is not possible, the UI should change, because currently it's giving misleading information and may lead to security problems.
@YZgitter The "LAN" addresses depend on the global "Internet Addresses" option.
So, I'll rename the program's "Restrict access to LAN only" flag to "Block Internet traffic".
Is it possible in Fort to block one program completely, from LAN too, while allowing another program to LAN only?
It's not possible now. It'll be possible with #2.
So, I'll rename the program's "Restrict access to LAN only" flag to "Block Internet traffic".
Yes, I think that's better, because it's more accurate. Also, if that setting doesn't do anything when the program is set to "Block" (that's how it works, right?), the checkbox should only be available when it's set to "Allow". So it might be better to move it to a different position as well, under the Allow/Block buttons.
Also, if that setting doesn't do anything when the program is set to "Block" (that's how it works, right?), the checkbox should only be available when it's set to "Allow". So it might be better to move it to a different position as well, under the Allow/Block buttons.
Yes, that makes sense. Thanks.
Fixed by 59bd6992.
I have filter mode set to "Block, if not allowed". All the programs and services are set to "Block" and I also unchecked "Restrict access to LAN only" for all of them.
And yet I'm able to ping another computer on the local network. (The only way to prevent that is if I add the LAN IP ranges to the included "Internet Addresses", but I don't think that's how it's supposed to work.)
Is that a bug?