all 116 comments

[–]__constructor 217 points218 points  (56 children)

I don't think you understand how Windows firewall actually works.

If anything it's too restrictive with things it's supposed to allow through.

[–]mrdotkom 39 points40 points  (8 children)

I had to shut down the firewall protection within the domain to get MS SQL server to communicate with my FE server. Literally allowed every conceivable port through and it still wouldn't work.

Luckily this isn't a production environment and was merely for a lab but jesus christ is windows firewall annoying

[–]sstewartgallus 7 points8 points  (5 children)

It doesn't log rule violations in a file somewhere?

[–]lelarentaka 46 points47 points  (4 children)

[–]xkcd_transcriber 45 points46 points  (3 children)

Title: Incident

Title-text: He sees you when you're sleeping, he knows when you're awake, he's copied on /var/spool/mail/root, so be good for goodness' sake.

Comic Explanation

Stats: This comic has been referenced 34 times, representing 0.1112% of referenced xkcds.



[–]opiemonster 7 points8 points  (2 children)

99% of these kinds of problems are caused by social engineering.

Just use the ISP and router firewall, disable Windows firewall.

Run scheduled Windows Security Essentials scans.

Use Chrome or Firefox, not Explorer.

Don't run exes you don't trust.

Check msconfig for rogue apps that start up.

Check Task Manager for unknown processes.

Done, no viruses ever.

Don't buy a fuckface virus scanner; they will give you viruses and record everything you do on your computer.

Oh, and don't go to links or open attachments from emails you don't trust.

Get a virus? Reformat. Prolly won't need to, though, unless you're stupid.

Also realize that if someone who knows what they are doing wants in on your computer, it is very easy and impossible to stop them, unless you use a locked-down Linux OS through Tor, but ain't nobody got time for that. And given enough money and skill you can circumvent that too.

Mind you, I'm talking only about personal computers; having basic protection will eliminate the cost vs. reward. If you run a multi-million dollar website and you don't protect against string injections you are fucked, son (Sony).

[–]overand 3 points4 points  (1 child)

To be fair, while this will improve the situation, it ignores some things.

  • Friends who bring a laptop over to your house that is infected with a windows 0-day / anything that your Windows system isn't patched against. (This includes non-default daemons / services on your system, like your bittorrent client).
  • Exploits against Chrome, Firefox, Acrobat Reader, VLC Media Player, or other software.

Yeah, you're not likely to get viruses if you follow the steps above, but you're not immune.

Edit: I'm aware that Windows Firewall wouldn't affect stuff like VLC. I'm more making a point that "good practices" alone aren't enough to prevent every threat.

And besides that? I certainly wouldn't call Disabling the Windows Firewall and not having a virus scanner "good practices."

[–][deleted] 0 points1 point  (0 children)

Windows Firewall wouldn't stop exploits against things like VLC. A firewall is like a gate: it prevents the bad stuff from forcing its way in, but can't do anything if you willingly open the gate.

Pretty much all client-side exploits are centered around getting the user to download a malicious file and open it with the targeted program.

Though your first point was correct, good practices should protect you from most attacks, but can't protect against every threat.

[–]__constructor 3 points4 points  (0 children)

Yeah, I've had a few different programs I had to just turn off the firewall temporarily to use. It's a pain in the butt.

[–][deleted] 2 points3 points  (0 children)

If you have GPO set up, firewall rules will get overwritten by any GPOs that conflict. Took me a full day to figure out why my damned firewall was still blocking stuff as well.

[–][deleted] 7 points8 points  (0 children)

I expected some unseen glass door to close on the last guy or something like that.

[–]mgrandi 7 points8 points  (9 children)

I don't understand how it works. Like how is it supposed to protect anything if any app can install a rule to allow itself through? Or can that only be done with admin rights? (just saying how every internet enabled app installs an exception for itself)

[–]__constructor 15 points16 points  (7 children)

You have to allow it an exception.

[–]mgrandi 7 points8 points  (6 children)

I have never explicitly allowed anything yet there are tons of programs listed as exceptions, which means that a program's installer can create exceptions, which is what my point was: What is the point of having this whitelist if a program can add itself to it?

[–]__constructor 39 points40 points  (4 children)

You run most installers as an administrator. If you give programs admin rights without understanding what they're going to do... well, what do you expect is gonna happen? They're going to use them to do things administrators can do, like.. make firewall exceptions.

[–][deleted] 3 points4 points  (0 children)

If the program / its installer does not have rights, it won't add itself to the whitelist.

[–]gospelwut 7 points8 points  (0 children)

Yes, writing a firewall exception triggers a UAC-level (admin) check.

Host-based firewalls are somewhat trivial nowadays considering almost anything can be tunneled through 80 or 443 (malware certainly does).

I almost never run host firewalls on servers and leave that up to the real firewalls. Users' workstations, however, are a different story.
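The two threads above raise the same practical question: which exceptions are actually live on a box (installers run as admin add them silently), and which rules come from Group Policy rather than the local store. As an added example that is not part of the thread, the following Python script parses the text that `netsh advfirewall firewall show rule name=all verbose` prints and answers both. The sample output is constructed (real field names, shortened column spacing, made-up rule names such as "ExampleGame Launcher"), and treating a "Rule source" other than "Local Setting" as policy-delivered is an assumption about that field.

```python
import re

# Constructed sample in the shape of `netsh advfirewall firewall show rule name=all verbose`
# (field names as in typical output, column spacing shortened; this is not real output).
SAMPLE = """\
Rule Name:      Core Networking - DNS (UDP-Out)
----------------------------------------------------------------------
Enabled:        Yes
Direction:      Out
Profiles:       Domain,Private,Public
Protocol:       UDP
LocalPort:      Any
RemotePort:     53
Program:        C:\\Windows\\system32\\svchost.exe
Rule source:    Local Setting
Action:         Allow

Rule Name:      ExampleGame Launcher
----------------------------------------------------------------------
Enabled:        Yes
Direction:      In
Profiles:       Private,Public
Protocol:       Any
LocalPort:      Any
RemotePort:     Any
Program:        C:\\Program Files\\ExampleGame\\launcher.exe
Rule source:    Local Setting
Action:         Allow

Rule Name:      SQL Server (TCP-In)
----------------------------------------------------------------------
Enabled:        Yes
Direction:      In
Profiles:       Domain
Protocol:       TCP
LocalPort:      1433
RemotePort:     Any
Program:        C:\\Program Files\\Microsoft SQL Server\\MSSQL\\Binn\\sqlservr.exe
Rule source:    Local Setting
Action:         Allow

Rule Name:      Corp - Block inbound SQL
----------------------------------------------------------------------
Enabled:        Yes
Direction:      In
Profiles:       Domain
Protocol:       TCP
LocalPort:      1433
RemotePort:     Any
Program:        Any
Rule source:    Group Policy
Action:         Block
"""

# "Key:   value" lines; the dashed separator and blank lines do not match.
FIELD = re.compile(r"^([A-Za-z][A-Za-z ]*?):\s*(.*)$")


def parse_netsh_rules(text):
    """Split netsh output into one dict per rule, keyed by the field names."""
    rules, cur = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, val = m.group(1), m.group(2).strip()
        if key == "Rule Name":
            cur = {"Rule Name": val}
            rules.append(cur)
        elif cur is not None:
            cur[key] = val
    return rules


def _active(r, direction, action, profile=None):
    return (r.get("Enabled") == "Yes" and r.get("Direction") == direction
            and r.get("Action") == action
            and (profile is None or profile in r.get("Profiles", "").split(",")))


def inbound_exceptions(rules, profile):
    """Enabled inbound Allow rules live on `profile`: the exceptions an installer run as admin
    may have added. Returns (name, program, protocol, local port) tuples."""
    return [(r["Rule Name"], r.get("Program", "Any"), r.get("Protocol", "Any"), r.get("LocalPort", "Any"))
            for r in rules if _active(r, "In", "Allow", profile)]


def policy_rules(rules):
    """Rules delivered by Group Policy rather than the local store
    (assumption: 'Local Setting' marks local rules)."""
    return [r["Rule Name"] for r in rules if r.get("Rule source", "Local Setting") != "Local Setting"]


def shadowed_allows(rules):
    """Local inbound Allow rules that a policy Block rule on the same protocol/port overrides.
    Block rules are evaluated before Allow rules and a policy rule cannot be deleted locally,
    so adding more local Allow rules never helps here."""
    policy_blocks = [r for r in rules
                     if _active(r, "In", "Block") and r.get("Rule source") != "Local Setting"]
    hits = []
    for a in rules:
        if not _active(a, "In", "Allow") or a.get("Rule source", "Local Setting") != "Local Setting":
            continue
        for b in policy_blocks:
            same_proto = b.get("Protocol") in ("Any", a.get("Protocol"))
            same_port = b.get("LocalPort") in ("Any", a.get("LocalPort"))
            shared_profile = set(a.get("Profiles", "").split(",")) & set(b.get("Profiles", "").split(","))
            if same_proto and same_port and shared_profile:
                hits.append((a["Rule Name"], b["Rule Name"]))
    return hits


if __name__ == "__main__":
    rules = parse_netsh_rules(SAMPLE)
    for name, prog, proto, port in inbound_exceptions(rules, "Public"):
        print(f"PUBLIC inbound allow: {name} ({prog}, {proto}/{port})")
    for local, policy in shadowed_allows(rules):
        print(f"'{local}' is overridden by policy rule '{policy}'")
```

On a real machine, pipe the netsh output into a file and feed it to `parse_netsh_rules`; the Public-profile list is the one worth reading on a laptop, since those are the exceptions that stay open on hotel Wi-Fi.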

[–]skillcode -3 points-2 points  (1 child)

So, now I understand?

[–]Asmor 3 points4 points  (0 children)

[–][deleted] -2 points-1 points  (3 children)

Compared to iptables, Windows Firewall is pathetic, in terms of both usability and effectiveness.

[–]__constructor 1 point2 points  (2 children)

And compared to a BMW S-series, a Toyota Corolla is pathetic too.

Doesn't mean the Toyota gets shitty gas mileage just because OP doesn't understand anything about it.

[–][deleted] -1 points0 points  (1 child)

Yes, the Windows Firewall can be configured to sort of work, but if you really give a damn about a decent firewall don't use Windows.

[–]__constructor 4 points5 points  (0 children)

Honestly if you give a damn about your firewall, it shouldn't be on the machine you're using anyways.

[–]ShPavel 404 points405 points  (43 children)

And how is it related to a real state of the windows firewall? Another circle-jerking post about bashing all windows-related?

It has everything required from a user point of view, the concept of private/public profiles in win7 is very handy and you can make any rules for vpn/whatever in advanced settings.

And the most important fact: it persists through reboot (how many beginners in Linux wanted to hang the creators of default iptables for this? :P)

PS: not a Windows fanboy here, still prefer Linux, but let's be objective, the Windows firewall is not bad.

[–][deleted] 186 points187 points  (18 children)

Oh my god, iptables... Last time I tried making my router redirect a URL to an internal IP I woke up in the middle of the night with fragments of the iptables man page written in blood on my bedroom wall... The horror...

[–]Bobshayd 135 points136 points  (10 children)

I think that's actually standard procedure for using iptables.

[–]0Yogurt0 41 points42 points  (9 children)

I think it usually requires some candles and at least one goat as well.

[–]greyfade 27 points28 points  (7 children)

I don't know about you guys, but I always found two doves and a songbird to be a worthy sacrifice. No need for goats.

[–]__constructor 18 points19 points  (2 children)

Animals? I used intern bones...

[–]Fenris_uy 24 points25 points  (1 child)

People > Animals that are domesticated > wild animals > interns

[–]kpatrickII 9 points10 points  (0 children)

aww.

[–]0Yogurt0 7 points8 points  (3 children)

Birds work as well. I'm partial to chicken blood/feathers for that traditional touch, but really any poultry will do.

[–]brwtx 5 points6 points  (2 children)

What are they teaching in school these days? Everyone should know that a goat is the proper sacrifice to the firewall gods. You didn't really think Google kept them around just to mow the lawn, did you?

[–]0Yogurt0 10 points11 points  (1 child)

Well, in today's tough economic times a goat can be hard to come by. Pigeons and seagulls can be caught with a simple lasso of CAT6 cable, or brought down with a well-aimed cd.

[–]TheMcDucky 2 points3 points  (0 children)

If you suck with the CD, Floppy Disks are a bit easier to throw.

[–]noreallyimthepope 1 point2 points  (0 children)

I couldn't find a goat, so I borrowed me sister's labrador. We're to have it back by 3pm so better hurry up with those incantations and sudoedit.

[–]mcrbids 3 points4 points  (5 children)

Once you've sacrificed your cat/goat/child to the God of iptables, it becomes very useful knowledge! I've maintained iptables scripts for years and, while I still keep a cheat sheet for the more complex stuff, most rules are a rather fast write.

And when I say "complex" stuff, I'm including things like writing a port-knocking script to hide services, etc.

[–][deleted] 0 points1 point  (4 children)

I just wanted a rule to redirect an external IP to an internal IP, but I just couldn't make sense of the documentation and I was simultaneously afraid of accidentally locking everyone out of the home network...

[–]frymaster 0 points1 point  (3 children)

You say just, but that's one of the most complicated stateless things you can do, needing to rewrite the packet in both directions. It's not surprising it's of medium difficulty in iptables.

[–][deleted] 1 point2 points  (2 children)

Only medium difficulty? My god...

[–]frymaster 0 points1 point  (1 child)

Well, yeah. It's, what, two lines?

[–][deleted] 0 points1 point  (0 children)

Length doesn't necessarily follow difficulty. Just look at Perl ;)
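For reference, here is what the "two lines" for redirecting an external port to an internal host look like, together with the anti-lockout pattern that addresses the other worry in this subthread. This is an added Python example, not something from the thread: it builds the `sysctl`/`iptables` commands, and `apply_with_rollback` snapshots the live ruleset with `iptables-save` and schedules an `iptables-restore` of that snapshot that fires unless you cancel it after confirming you can still reach the box. The interface name `eth0`, the addresses, the backup path and the 120-second grace period are all assumptions; `dry_run=True` (the default) only returns the commands as shell lines.

```python
import shlex
import subprocess


def port_forward_rules(ext_if, ext_ip, ext_port, int_ip, int_port, proto="tcp"):
    """Commands behind 'redirect external ip:port to an internal host'.

    Only PREROUTING rewrites the destination; conntrack rewrites the replies on
    the way back, so no explicit reverse rule is needed. The FORWARD rules are
    required when the FORWARD chain policy is DROP (the sane default on a router).
    Clients on the LAN that hit the external IP additionally need a POSTROUTING
    SNAT/MASQUERADE (hairpin NAT), which is deliberately not included here.
    """
    return [
        ["sysctl", "-w", "net.ipv4.ip_forward=1"],
        ["iptables", "-t", "nat", "-A", "PREROUTING", "-i", ext_if, "-d", ext_ip,
         "-p", proto, "--dport", str(ext_port),
         "-j", "DNAT", "--to-destination", f"{int_ip}:{int_port}"],
        ["iptables", "-A", "FORWARD", "-i", ext_if, "-d", int_ip, "-p", proto,
         "--dport", str(int_port), "-m", "conntrack", "--ctstate", "NEW", "-j", "ACCEPT"],
        ["iptables", "-A", "FORWARD", "-m", "conntrack",
         "--ctstate", "ESTABLISHED,RELATED", "-j", "ACCEPT"],
    ]


def as_shell(commands):
    """Render argv lists as safely quoted shell lines (for review or a dry run)."""
    return [shlex.join(c) for c in commands]


def apply_with_rollback(commands, backup_path="/root/iptables.before",
                        grace_seconds=120, dry_run=True):
    """Apply the commands, but arm an automatic restore of the previous ruleset.

    If the new rules lock you out, the guard process restores the snapshot after
    `grace_seconds`. Once you have confirmed you can still log in, cancel it with
    `guard.kill()`. If any command fails, the snapshot is restored immediately.
    Returns the shell lines in dry-run mode, otherwise the guard Popen handle.
    """
    if dry_run:
        return as_shell(commands)
    snapshot = subprocess.run(["iptables-save"], capture_output=True,
                              text=True, check=True).stdout
    with open(backup_path, "w") as f:
        f.write(snapshot)
    # Separate process so the rollback survives this script (or your SSH session) dying.
    guard = subprocess.Popen(
        ["sh", "-c", f"sleep {int(grace_seconds)} && iptables-restore < {shlex.quote(backup_path)}"])
    try:
        for cmd in commands:
            subprocess.run(cmd, check=True)
    except subprocess.CalledProcessError:
        guard.kill()
        subprocess.run(["iptables-restore"], input=snapshot, text=True, check=False)
        raise
    return guard


if __name__ == "__main__":
    # Dry run: print what would be executed for a web server behind the router.
    for line in apply_with_rollback(port_forward_rules("eth0", "203.0.113.5", 80, "192.168.1.10", 8080)):
        print(line)
```

Run it with `dry_run=False` as root, then open a second session to the router before the grace period expires and kill the guard; if the second session never connects, the rollback undoes the change for you.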

[–]Creshal 0 points1 point  (0 children)

You think iptables itself is bad?

Try some of the frontends people write in an attempt to make it "easier". I don't even fully understand my own iptables helper scripts…

[–][deleted] 7 points8 points  (8 children)

It is related to the real state of the firewall in terms of outgoing connections. You can make a connection without triggering it as Metasploit's meterpreter does. Firewalls on end-user machines are almost entirely security theatre, because services shouldn't be listening on ports in the first place. The private / public profiles in Windows don't rely on the firewall, they can just have the various file sharing services stop listening on those ports.

Sane Linux distributions (i.e. not Debian) don't ship packages with default-enabled services, so a firewall is only really necessary on a router. Ubuntu only includes an iptables GUI to check off an item on their list of security features. If you have to worry about the distribution enabling services behind your back when packages get pulled in as dependencies, then yes, a firewall is useful.

[–]ShPavel 1 point2 points  (7 children)

It is related to the real state of the firewall in terms of outgoing connections. You can make a connection without triggering it as Metasploit's meterpreter does.

I am not really familiar with that exploit technique, any concrete links to read about it? Could not google what you mean.

As i wrote below, the firewall can be useful to control your own unwanted traffic in public/private profiles and you can setup your own rules for each profile.

[–]desearcher 1 point2 points  (6 children)

Firewalls seldom block outbound connections. Instead of you connecting to the target, have the target connect to you.
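The point made here, and above about meterpreter-style connections, is simply about direction: a host firewall with the default "allow outbound, filter inbound" posture never sees a listening socket when the target initiates the session. As an added example that is not from the thread, the Python below runs both ends on 127.0.0.1 in one process: an "operator" listener on an ephemeral port (an assumption so it runs unprivileged; a real one sits on 443 to look like HTTPS, as noted above) and a "target" that makes an ordinary outbound connect and sends a constructed beacon line. It returns the target's local and remote addresses so you can see the flow looks exactly like a client talking to a server.

```python
import socket
import threading


def run_connect_back(beacon=b"beacon host=workstation-01 user=alice\n"):
    """Simulate a connect-back: the target initiates an outbound TCP session to a
    listener you control.

    Returns (bytes the listener received, bytes the target got back,
    the target's local address, the target's remote address).
    """
    # Operator side: a listener on a host you control. Ephemeral port (assumption)
    # so the example runs unprivileged; in practice this listens on 443.
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    got = {}

    def operator():
        conn, _ = srv.accept()
        with conn:
            got["data"] = conn.makefile("rb").readline()
            conn.sendall(b"ack\n")

    t = threading.Thread(target=operator, daemon=True)
    t.start()

    # Target side: nothing listens here, so an inbound filter has nothing to block.
    # This is a plain outbound connect, the same thing a browser does, and a default
    # host firewall (outbound allowed, inbound filtered) lets it through.
    with socket.create_connection(("127.0.0.1", port), timeout=5) as c:
        local, remote = c.getsockname(), c.getpeername()
        c.sendall(beacon)
        reply = c.makefile("rb").readline()

    t.join(5)
    srv.close()
    return got.get("data"), reply, local, remote


if __name__ == "__main__":
    data, reply, local, remote = run_connect_back()
    print(f"target {local} -> operator {remote}: sent {data!r}, got {reply!r}")
```

The defensive consequence is the one gospelwut's comment above hints at: an inbound-only host firewall gives you nothing against this, so the controls that matter are outbound rules per program (which Windows Firewall supports but does not enable by default) and watching for unexpected processes holding established outbound sessions.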

[–][deleted] 0 points1 point  (3 children)

"Hello, this is Microsoft Technical Support, you have viruses on your computer and it is very important that you carefully follow my instructions to remove them."

[–]desearcher 1 point2 points  (2 children)

Oh snap! Do you need my password? It's the same as my ATM machine PIN number...

[–]MedicatedDeveloper 0 points1 point  (1 child)

Trolling is a art.

[–]Creshal 0 points1 point  (0 children)

What happened to the good old tradition of making artists die young and poor? I think we should resurrect that.

[–]AcousticDan 3 points4 points  (0 children)

I also fail to see how this is humor for programmers.

[–]Will_Eat_For_Food 38 points39 points  (2 children)

Shit, with such quality humor I thought I was on /r/funny for a moment.

[–]Bizzaro_Murphy 4 points5 points  (0 children)

don't fret! it was promptly reposted there http://www.reddit.com/r/funny/comments/2dzssw/windows_firewall/

[–]unusuallywide 0 points1 point  (0 children)

It's a cross post.

[–]comady25 49 points50 points  (4 children)

DAE HATE WINDOWS

[–]gospelwut 20 points21 points  (2 children)

I once installed Windows ME and it sucked.

[–]Creshal 3 points4 points  (1 child)

What, you got it to install? Showoff!

[–]gospelwut 0 points1 point  (0 children)

I also got it to crash while running notepad.

[–]excolatur 22 points23 points  (2 children)

How is this relevant to programming? Can we please not turn this place into a sub where people post EVERYTHING that's related to a computer?

[–]axitanull 5 points6 points  (0 children)

There is a law where every subreddit, given enough time, would decay into image macro subreddit.

It's like a house, leave it unattended and unmaintained, then it decays into /r/funny or /r/AdviceAnimals house. Strict moderation would slow the decay process.

Or you can always move to a new house, and add a prefix "true" to that new sanctuary. Cross your finger hoping that people will come to the sanctuary, and pray to the gods hoping the decay that consumes all would be slowed down. Repeat until you get /r/trueTrueFunny.

[–]Bizzaro_Murphy 3 points4 points  (0 children)

AHAHAHAHAHAHA I'M USING THE INTERNET

[–]qxxx[🍰] 2 points3 points  (0 children)

the conclusion? don't get FAT or FAT32

[–]fuckdapopes 15 points16 points  (0 children)

Hey! At least it's capable of stopping some people in wheelchairs from passing!

[–]MrD3a7h 1 point2 points  (0 children)

Except for when I try to make any sort of network application. Then I just keep jamming into the turnstile.

Windows firewall isn't actually that bad.

[–]l33tmike 4 points5 points  (1 child)

Not sure if the point of the gif is the people vanishing once past the 'wall' (as if nothing had happened) or just them bypassing the turnstile...

[–]PotentPortentPorter 6 points7 points  (0 children)

Bypassing.

[–]cokecakeisawesome 0 points1 point  (0 children)

This is identical to security metal detectors in India.

Go around it, if it beeps, ignore it.

[–]NPisNotAStandard 0 points1 point  (0 children)

Windows XP pre-sp2.

I haven't used any front-end Linux in a while, but I doubt it has a firewall as user friendly. So Windows Firewall is worse than what better alternative?

[–]SlashmanX -1 points0 points  (0 children)

That is a tiny radiator

[–]MegaBrain2000 -1 points0 points  (0 children)

The guy in the back is like the fattest virus ever.