Windows defender firewall IP blocking is not working in version 5.7

[ehii]

Hello everyone

I used hmailserver 5.6.8 on windows server 2019
and recently upgraded 5.7(GitHub Actions).

All settings are the same between 5.6.8 and 5.7.

In 5.6.7 and 5.6.8, windows defender firewall IP blocking is working well,
but 5.7 is not.

Does anyone have the same problem as me?
What am I missing?

[mattg]

What script are you using for Defender Firewall IP blocking?

(This really should be in ALPHA discussions)

[ehii]

I have no hmailserver script. I input some remote IP manually.
Other programs such as IIS work well, but hmailserver does not.

(Oh! I'm sorry about posting wrong place.)

[palinka]

Hmailserver does not do firewall blocking. What do you think was happening with 5.6?

[ehii]

I now realize that it happens on Windows server 2019.

1) windows defender firewall IP blocking(all programs, any protocol, all ports) on windows server 2019 - 110.70.47.142(test ip)

hmailserver 5.6.8 --> 110.70.47.142 cannot access the hmailserver

hmailserver 5.7 --> 110.70.47.142 can(!) access the hmailserver

2) windows defender firewall IP blocking on windows 10 - 110.70.47.142(test ip)

hmailserver 5.6.8 --> 110.70.47.142 cannot access the hmailserver

hmailserver 5.7 --> 110.70.47.142 cannot access the hmailserver

[mattg]

yes, windows default firewall on ALL windows systems by default blocks incoming connection to hMailserver

You shouldn't add exceptions for the program
you SHOULD only add exceptions for the ports that you will use, ie some of 25,110, 143, 485, 587, 993 and 995 in a typical install

[ehii]

Thank you for replies.

But I don't understand why the IP which I blocked can access my hmailserver. (screenshot)
Is the firewall setting wrong? If then, why these setting works well on windows 10 or hamilserver 5.6.8?
On windows 10 or hamilserver 5.6.8, the IP which I blocked cannot access my hmailserver. So the IP never logged.

Also I try blocking test IP for 25,465,587,993 ports, but it can access.

[johang]

Thank you for replies.

But I don't understand why the IP which I blocked can access my hmailserver. (screenshot)
Is the firewall setting wrong? If then, why these setting works well on windows 10 or hamilserver 5.6.8?
On windows 10 or hamilserver 5.6.8, the IP which I blocked cannot access my hmailserver. So the IP never logged.

Also I try blocking test IP for 25,465,587,993 ports, but it can access.

can you reach the ftp as well from 175.223.45.9 ?

[ehii]

can you reach the ftp as well from 175.223.45.9 ?

No, 175.223.45.9 cannot access iis webserver, ftp, etc.
But it can access only the hmailserver.

[johang]

can you reach the ftp as well from 175.223.45.9 ?

No, 175.223.45.9 cannot access iis webserver, ftp, etc.
But it can access only the hmailserver.

very strange
but you are sure there is not other rules that apply as well to this case? like you added special rule to:
c:\Program Files (x86)\hMailServer\Bin\hmailserver.exe .. and something else to
c:\Program Files \hMailServer\Bin\hmailserver.exe
and they are in separate dir ? or something similar ..

[mattg]

But I don't understand why the IP which I blocked can access my hmailserver. (screenshot)

Because you have allowed the hMailserver PROGRAM through your firewall

Block PORTS not programs

[ehii]

Because you have allowed the hMailserver PROGRAM through your firewall

Block PORTS not programs

Is this right your suggestion?
If right, I already did it. But same result.

Also I try blocking test IP for 25,465,587,993 ports, but it can access.

There are not other rules, only two custom rules in above screenshot.

[johang]

sometimes it is really hard to figure out why a microsoft software does the thing it does ...
And since it is not clear to me how microsofts firewall prioritizes.. ( because it does not go flow as for instance iptables .. as from what i have understood )
personally i have an IP BLOCK LIST in my Windows Defender Firewall

i put all non wanted IPs in that list...

[jim.bus]

The reason the Windows Defender Inbound Rule for hmailserver_test is not blocking the IP Address 175.223.21.196 is because the Rule is not ENABLED. It needs to have a Green Check Mark next to the Rule Name on the left which indicates the Rule has been Enabled. Your Inbound Rule does not have the Green Check Mark so no IP Blocking is done.

[johang]

The reason the Windows Defender Inbound Rule for hmailserver_test is not blocking the IP Address 175.223.21.196 is because the Rule is not ENABLED. It needs to have a Green Check Mark next to the Rule Name on the left which indicates the Rule has been Enabled. Your Inbound Rule does not have the Green Check Mark so no IP Blocking is done.

the "red ring" to the left is a graphical view for "action=BLOCK" ( the "green check mark is a graphical view for "Action= Allow" )
the 4th coulmn is enabled= yes/no

[jim.bus]

Sorry about the Green Check Mark but a Tutorial I read said that. I haven't used Windows Defender Firewall in years.

However, I don't believe he has told us how his hmailserver_test program is attempting to connect. I see in his earlier screen prints his hmailserver_test blocks 'any' Protocols and then his last Screen Print shows his hmailserver_test rule blocks only the one IP Address when it uses 'TCP' protocols. If his hmailserver_test program attempting to connect actually uses 'UDP' Protocols then the hmailserver_test Rule wouldn't block the IP Address attempting to connect. Don't know if this is the situation but there is this difference from what he showed earlier.

[mattg]

See 'rules store' here >> https://docs.microsoft.com/en-us/previo ... dfrom=MSDN

Rules are run from the top down
the Hmailserver rule take precedence to the block single IP rule

(In saying that, when I create a test block IP rule, with all ports, all programs, just a single IP address - it is auto listed at the top)

[palinka]

See 'rules store' here >> https://docs.microsoft.com/en-us/previo ... dfrom=MSDN

Rules are run from the top down
the Hmailserver rule take precedence to the block single IP rule

(In saying that, when I create a test block IP rule, with all ports, all programs, just a single IP address - it is auto listed at the top)

Ban those suckers programmatically!

[johang]

See 'rules store' here >> https://docs.microsoft.com/en-us/previo ... dfrom=MSDN

Rules are run from the top down
the Hmailserver rule take precedence to the block single IP rule

(In saying that, when I create a test block IP rule, with all ports, all programs, just a single IP address - it is auto listed at the top)

ehh ( i didnt read the entire microsoft link, so perhaps thats why i dont understand ) sooo..
if i do a sorting on first column by name ... it will run the rules in alfabetic order ? ( how do i know which one is added latest )

[mattg]

Rules Store

A rules store contains the list of rules used by a firewall to determine whether unsolicited incoming traffic is allowed or blocked. A typical rules store is created around the notion of “implicit deny,” which means that all unsolicited incoming traffic is blocked (denied) unless there is an explicit rule allowing the traffic through the firewall. Furthermore, a typical rules store is processed sequentially from top to bottom: that is, the firewall compares the characteristics of unsolicited incoming traffic against each rule, one at a time, until a rule is found that allows the traffic (in which case, the traffic passes through the firewall) or the end of the rules list is reached (in which case, the traffic is blocked). Creating and maintaining this type of rules store can be difficult because the order of the rules is important and it is relatively easy to create a rule that inadvertently allows all traffic through the firewall.

Windows Firewall uses the notion of implicit deny, but it does not use a strictly sequential or ordered rules store. When you turn on Windows Firewall in its default configuration, all unsolicited incoming TCP and UDP traffic is blocked. In other words, you must create explicit rules to allow unsolicited incoming traffic to pass through Windows Firewall. However, you do not need to create the rules in any particular order because the rules are not processed sequentially.

I think this is about 'rules stores' not necessarily the same as display.

Add a new block rule. Where does it go?

[johang]

Rules Store

A rules store contains the list of rules used by a firewall to determine whether unsolicited incoming traffic is allowed or blocked. A typical rules store is created around the notion of “implicit deny,” which means that all unsolicited incoming traffic is blocked (denied) unless there is an explicit rule allowing the traffic through the firewall. Furthermore, a typical rules store is processed sequentially from top to bottom: that is, the firewall compares the characteristics of unsolicited incoming traffic against each rule, one at a time, until a rule is found that allows the traffic (in which case, the traffic passes through the firewall) or the end of the rules list is reached (in which case, the traffic is blocked). Creating and maintaining this type of rules store can be difficult because the order of the rules is important and it is relatively easy to create a rule that inadvertently allows all traffic through the firewall.

Windows Firewall uses the notion of implicit deny, but it does not use a strictly sequential or ordered rules store. When you turn on Windows Firewall in its default configuration, all unsolicited incoming TCP and UDP traffic is blocked. In other words, you must create explicit rules to allow unsolicited incoming traffic to pass through Windows Firewall. However, you do not need to create the rules in any particular order because the rules are not processed sequentially.

I think this is about 'rules stores' not necessarily the same as display.

Add a new block rule. Where does it go?

yes.. where does it go.. and read the text ( that i also marked red above ):
"However, you do not need to create the rules in any particular order because the rules are not processed sequentially"
eeeeeeehh ??? .. so not processed sequentially .. ok - got it..

so the OP put in a "block" firewall rule that will be blanked out by his "allow" rule, because windows defender Firewall is built around “implicit deny,” all is good.. now we think we understand.. ( but i can assure you my "IP block list" rule works, but according to above it shouldnt,, cause i also have a rule saying to allow SMTP traffic.. but my IP Block list rule does its job.. just saying )

sometimes for me.. . this is not entirely clear

[palinka]

Maybe the OP should simply delete the block rule, then recreate it.

I just had a look at my rules list. My firewall ban project adds rules many times a day, then consolidates the previous day's rules, then at the bribing of the month consolidates the previous month's rules. So they're constantly being added, deleted, modified.

Anyway, as they appear when you first open the console, the sort order is alphabetical, but split into two levels: user created rules alphabetically at the top and windows default rules at the bottom. User created rules are sorted alphabetically by rule name no matter when the rule was created.

I don't know if this is pertinent to anything. Just an observation.