Simplewall: #555135 error for future reference

Created on 1 May 2018 · 11 Comments · Source: henrypp/simplewall

Just keeping this here for future reference. This problem has been here a while on this 1607 Windows 10 system, but I don't have it on other Windows 10 machines.

Line logged when attempting to RDP into the machine from another machine (note that I'm using this machine locally, so outbound connections work nonetheless):

01/05/2018 12:10:39,NT AUTHORITY\NETWORK SERVICE,C:\windows\system32\svchost.exe,192.168.1.30:61769 (Remote),192.168.1.22:3389 (Local),TCP,Microsoft Windows Firewall Provider\,#555135,OUT

As you can see, the problem is that with filtering enabled simplewall logs a dropped connection, but the reason that connection was dropped is _WindowsFirewallProvider_ :lol:, which is supposedly disabled.

This problem happens after a computer restart, and a workaround is to disable/enable filtering in simplewall.

PS. Possibly related to #120, though I don't use Windscribe or other VPN per se. However, I have AVG free edition installed and also VMware.

PS2. Of course the issue is not just RDP. For instance, again from the same remote machine on the same LAN, an attempt to ping my machine would generate the following lines in the log:

01/05/2018 12:24:26,NT AUTHORITY\SYSTEM,System,192.168.1.30 (Remote),192.168.1.22:8 (Local),ICMP,Microsoft Windows Firewall Provider\,#555135,OUT

01/05/2018 12:24:26,NT AUTHORITY\SYSTEM,C:\windows\syswow64\vmnat.exe,192.168.1.30 (Remote),192.168.1.22:8 (Local),ICMP,Microsoft Windows Firewall Provider\,#555135,OUT
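Added example (not part of the original issue and not simplewall's own code): a small parser for log lines in the layout quoted above that counts drops attributed to a provider other than the one you expect. The column names, the `ExampleProvider` line and the direction marks in the sample are assumptions made for illustration.

```python
import csv
import unicodedata
from collections import Counter

# Column names are assumptions inferred from the log lines quoted in this issue.
FIELDS = ["time", "user", "path", "remote", "local",
          "protocol", "filter", "filter_id", "direction"]

# Constructed sample: two lines shaped like the ones in the issue, with invisible
# U+200E/U+200F direction marks in the date fields (an assumption about the raw
# file), plus one hypothetical line for a made-up provider, "ExampleProvider".
SAMPLE_LOG = (
    "\u200e01/\u200e05/\u200e2018 \u200f\u200e12:10:39,NT AUTHORITY\\NETWORK SERVICE,"
    "C:\\windows\\system32\\svchost.exe,192.168.1.30:61769 (Remote),"
    "192.168.1.22:3389 (Local),TCP,Microsoft Windows Firewall Provider\\,#555135,OUT\n"
    "\u200e01/\u200e05/\u200e2018 \u200f\u200e12:24:26,NT AUTHORITY\\SYSTEM,System,"
    "192.168.1.30 (Remote),192.168.1.22:8 (Local),ICMP,"
    "Microsoft Windows Firewall Provider\\,#555135,OUT\n"
    "01/05/2018 12:30:00,HOST\\user,C:\\example\\app.exe,203.0.113.5:443 (Remote),"
    "192.168.1.22:50000 (Local),TCP,ExampleProvider\\BlockOutbound,#100001,OUT\n"
)


def parse_log(text):
    """Parse dropped-packet log lines into dicts, skipping malformed rows."""
    # Drop Unicode format characters (category Cf) such as U+200E before parsing.
    clean = "".join(ch for ch in text if unicodedata.category(ch) != "Cf")
    entries = []
    for row in csv.reader(clean.splitlines()):
        if len(row) != len(FIELDS):
            continue
        entry = dict(zip(FIELDS, (col.strip() for col in row)))
        # The filter column is "<provider>\<filter name>"; the name may be empty.
        entry["provider"], _, entry["filter_name"] = entry["filter"].partition("\\")
        entry["filter_id"] = int(entry["filter_id"].lstrip("#"))
        entries.append(entry)
    return entries


def drops_by_other_providers(entries, own_provider):
    """Count drops per (provider, filter id) not attributed to own_provider."""
    return Counter((e["provider"], e["filter_id"])
                   for e in entries if e["provider"] != own_provider)


if __name__ == "__main__":
    print(drops_by_other_providers(parse_log(SAMPLE_LOG), "ExampleProvider"))
```
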


All 11 comments

#555135 isn't an error, it's a filter ID; it seems you did not disable WF.

  1. Not so fast -- whose responsibility is it to disable it? I did mention that problem back in February, btw, in the comments for #122, but was lazy to create an actual issue.

  2. The WF is not disabled, but it does not run. Told you it is related to #122, as this only happens after restart. After I disable/enable filtering in simplewall it will work until the next restart.


  1. So you CAN'T disable WF in Win 10 RS2 and above, and it's obvious that you see these entries in the log only _after_ enabling filtering, because dropped-packet logging works _only_ when filters are enabled. And as I say, "_Microsoft Windows Firewall Provider_" is the WF provider that blocks your traffic (not simplewall).

You can technically, it's just that it creates issues with other stuff.

The whole point of this bug report is that the filtering is enabled, but the WF provider blocks nonetheless. In short, simplewall in this case on this machine does not properly disable WF on restart.

If it is actually the case that WF can't be disabled, then shouldn't all default Windows firewall rules be removed in order to use simplewall effectively? More specifically, if I use simplewall in whitelist mode, would any of the default WF rules overrule this and still allow certain traffic without my being able to even see this traffic being allowed?

> More specifically, if I use simplewall in whitelist mode, would any of the default WF rules overrule this and still allow certain traffic without my being able to even see this traffic being allowed?

Yes.

Really? But that would be horrible! There is no visual feedback to the user of this, no way of monitoring this (applications can add their own rules outside of simplewall, no way to tell from within simplewall) and it's completely unforeseen behavior when compared to previous versions...

But simplewall still disables the Windows firewall as far as I see, so now I'm really confused.

> applications can add their own rules outside of simplewall, no way to tell from within simplewall

@ltGuillaume, applications can add their own rules only for WF, not simplewall. A lot of Windows software has this feature.

netsh advfirewall etc...

> so you CAN'T disable WF in Win 10 RS2

@pwn0r, sorry, you CAN disable WF profiles, but not the WF service. And one thing I did not understand is why all disabled profiles are restored on reboot. Do you have any 3rd-party AV software installed?

@henrypp So, what if a program like Windscribe adds another sublayer, as can be seen in HKLM\SYSTEM\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\SubLayer. Is simplewall fully compatible with that?

Duplicate of #

> @pwn0r, sorry, you CAN disable WF profiles, but not the WF service. And one thing I did not understand is why all disabled profiles are restored on reboot. Do you have any 3rd-party AV software installed?

Yes, I mentioned that before -- AVG AV and also VMware Workstations are installed on the same system (which is 1607 W10 Pro).

But worry NOT <3
I devised a workaround, which I think is worth considering for simplewall as well (as an optional extra? this will work on pro or higher edition of W7/W8/W10 only). I just added firewall disable for all profiles on local policy (via gpedit.msc).
