Last active: January 25, 2022 05:03
Gist: JustinChristensen/77b1496331a59940342c577233046a49
firewall security policy - apply local firewall rules
########################### allowed dhcp ###########################
- other settings set to: no
- apply local firewall rules: yes
- hns rules not added

2022-01-23 21:23:01 ALLOW UDP 0.0.0.0 255.255.255.255 68 67 0 - - - - - - - RECEIVE
2022-01-23 21:23:01 ALLOW UDP 172.31.128.1 172.31.142.141 67 68 0 - - - - - - - SEND

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 1/23/2022 9:23:01 PM
Event ID: 5156
Task Category: Filtering Platform Connection
Level: Information
Keywords: Audit Success
User: N/A
Computer: marshes
Description:
The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 3616
Application Name: \device\harddiskvolume4\windows\system32\svchost.exe
Network Information:
Direction: Inbound
Source Address: 0.0.0.0
Source Port: 68
Destination Address: 255.255.255.255
Destination Port: 67
Protocol: 17
Filter Information:
Filter Run-Time ID: 78480
Layer Name: Receive/Accept
Layer Run-Time ID: 44

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 1/23/2022 9:23:01 PM
Event ID: 5156
Task Category: Filtering Platform Connection
Level: Information
Keywords: Audit Success
User: N/A
Computer: marshes
Description:
The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 3616
Application Name: \device\harddiskvolume4\windows\system32\svchost.exe
Network Information:
Direction: Outbound
Source Address: 172.31.128.1
Source Port: 67
Destination Address: 172.31.142.141
Destination Port: 68
Protocol: 17
Filter Information:
Filter Run-Time ID: 79732
Layer Name: Connect
Layer Run-Time ID: 48

<item>
  <filterKey>{df2cb33f-78ba-4500-94c9-7765b010b810}</filterKey>
  <displayData>
    <name>Interface Un-quarantine filter</name>
    <description/>
  </displayData>
  <flags/>
  <providerKey>{decc16ca-3f33-4346-be1e-8fb4ae0f3d62}</providerKey>
  <providerData/>
  <layerKey>FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4</layerKey>
  <subLayerKey>{b3cdd441-af90-41ba-a745-7c6008ff2302}</subLayerKey>
  <weight>
    <type>FWP_UINT8</type>
    <uint8>0</uint8>
  </weight>
  <filterCondition numItems="3">
    <item>
      <fieldKey>FWPM_CONDITION_INTERFACE_QUARANTINE_EPOCH</fieldKey>
      <matchType>FWP_MATCH_EQUAL</matchType>
      <conditionValue>
        <type>FWP_UINT64</type>
        <uint64>10000005</uint64>
      </conditionValue>
    </item>
    <item>
      <fieldKey>FWPM_CONDITION_IP_ARRIVAL_INTERFACE</fieldKey>
      <matchType>FWP_MATCH_EQUAL</matchType>
      <conditionValue>
        <type>FWP_UINT64</type>
        <uint64>1689399683186688</uint64>
      </conditionValue>
    </item>
    <item>
      <fieldKey>FWPM_CONDITION_FLAGS</fieldKey>
      <matchType>FWP_MATCH_FLAGS_NONE_SET</matchType>
      <conditionValue>
        <type>FWP_UINT32</type>
        <uint32>1</uint32>
      </conditionValue>
    </item>
  </filterCondition>
  <action>
    <type>FWP_ACTION_PERMIT</type>
    <filterType/>
  </action>
  <rawContext>0</rawContext>
  <reserved/>
  <filterId>78480</filterId>
  <effectiveWeight>
    <type>FWP_UINT64</type>
    <uint64>2251834173423632</uint64>
  </effectiveWeight>
</item>

########################### blocked dhcp ###########################
- other settings set to: no
- apply local firewall rules: no
- hns rules not added
- the guest may still hold a previous DHCP lease, so after setting apply local firewall rules back to no, release it with ipconfig /release and then request a new one with ipconfig /renew

2022-01-23 21:13:47 DROP UDP 0.0.0.0 255.255.255.255 68 67 328 - - - - - - - RECEIVE

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 1/23/2022 9:13:47 PM
Event ID: 5157
Task Category: Filtering Platform Connection
Level: Information
Keywords: Audit Failure
User: N/A
Computer: marshes
Description:
The Windows Filtering Platform has blocked a connection.
Application Information:
Process ID: 3616
Application Name: \device\harddiskvolume4\windows\system32\svchost.exe
Network Information:
Direction: Inbound
Source Address: 0.0.0.0
Source Port: 68
Destination Address: 255.255.255.255
Destination Port: 67
Protocol: 17
Filter Information:
Filter Run-Time ID: 78140
Layer Name: Receive/Accept
Layer Run-Time ID: 44

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 1/23/2022 9:13:47 PM
Event ID: 5152
Task Category: Filtering Platform Packet Drop
Level: Information
Keywords: Audit Failure
User: N/A
Computer: marshes
Description:
The Windows Filtering Platform has blocked a packet.
Application Information:
Process ID: 3616
Application Name: \device\harddiskvolume4\windows\system32\svchost.exe
Network Information:
Direction: Inbound
Source Address: 0.0.0.0
Source Port: 68
Destination Address: 255.255.255.255
Destination Port: 67
Protocol: 17
Filter Information:
Filter Run-Time ID: 78140
Layer Name: Receive/Accept
Layer Run-Time ID: 44

<item>
  <filterKey>{4ee27303-b593-402e-96da-f433c24dc6a1}</filterKey>
  <displayData>
    <name>Query User</name>
    <description>Prompt the User for a decision corresponding this Inbound Traffic</description>
  </displayData>
  <flags/>
  <providerKey>{decc16ca-3f33-4346-be1e-8fb4ae0f3d62}</providerKey>
  <providerData>
    <data>7501000000000000</data>
    <asString>u.......</asString>
  </providerData>
  <layerKey>FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4</layerKey>
  <subLayerKey>{b3cdd441-af90-41ba-a745-7c6008ff2301}</subLayerKey>
  <weight>
    <type>FWP_UINT8</type>
    <uint8>8</uint8>
  </weight>
  <filterCondition numItems="1">
    <item>
      <fieldKey>FWPM_CONDITION_ORIGINAL_PROFILE_ID</fieldKey>
      <matchType>FWP_MATCH_EQUAL</matchType>
      <conditionValue>
        <type>FWP_UINT32</type>
        <uint32>1</uint32>
      </conditionValue>
    </item>
  </filterCondition>
  <action>
    <type>FWP_ACTION_BLOCK</type>
    <filterType/>
  </action>
  <rawContext>0</rawContext>
  <reserved/>
  <filterId>78140</filterId>
  <effectiveWeight>
    <type>FWP_UINT64</type>
    <uint64>9223372036854783488</uint64>
  </effectiveWeight>
</item>
########################### allowed dns ###########################
- other settings set to: no
- apply local firewall rules: no
- hns rules added to inbound rules

2022-01-23 21:44:17 ALLOW UDP 172.31.142.141 172.31.128.1 52535 53 0 - - - - - - - RECEIVE

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 1/23/2022 9:44:17 PM
Event ID: 5156
Task Category: Filtering Platform Connection
Level: Information
Keywords: Audit Success
User: N/A
Computer: marshes
Description:
The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 3616
Application Name: \device\harddiskvolume4\windows\system32\svchost.exe
Network Information:
Direction: Inbound
Source Address: 172.31.142.141
Source Port: 52535
Destination Address: 172.31.128.1
Destination Port: 53
Protocol: 17
Filter Information:
Filter Run-Time ID: 78480
Layer Name: Receive/Accept
Layer Run-Time ID: 44

<item>
  <filterKey>{df2cb33f-78ba-4500-94c9-7765b010b810}</filterKey>
  <displayData>
    <name>Interface Un-quarantine filter</name>
    <description/>
  </displayData>
  <flags/>
  <providerKey>{decc16ca-3f33-4346-be1e-8fb4ae0f3d62}</providerKey>
  <providerData/>
  <layerKey>FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4</layerKey>
  <subLayerKey>{b3cdd441-af90-41ba-a745-7c6008ff2302}</subLayerKey>
  <weight>
    <type>FWP_UINT8</type>
    <uint8>0</uint8>
  </weight>
  <filterCondition numItems="3">
    <item>
      <fieldKey>FWPM_CONDITION_INTERFACE_QUARANTINE_EPOCH</fieldKey>
      <matchType>FWP_MATCH_EQUAL</matchType>
      <conditionValue>
        <type>FWP_UINT64</type>
        <uint64>10000005</uint64>
      </conditionValue>
    </item>
    <item>
      <fieldKey>FWPM_CONDITION_IP_ARRIVAL_INTERFACE</fieldKey>
      <matchType>FWP_MATCH_EQUAL</matchType>
      <conditionValue>
        <type>FWP_UINT64</type>
        <uint64>1689399683186688</uint64>
      </conditionValue>
    </item>
    <item>
      <fieldKey>FWPM_CONDITION_FLAGS</fieldKey>
      <matchType>FWP_MATCH_FLAGS_NONE_SET</matchType>
      <conditionValue>
        <type>FWP_UINT32</type>
        <uint32>1</uint32>
      </conditionValue>
    </item>
  </filterCondition>
  <action>
    <type>FWP_ACTION_PERMIT</type>
    <filterType/>
  </action>
  <rawContext>0</rawContext>
  <reserved/>
  <filterId>78480</filterId>
  <effectiveWeight>
    <type>FWP_UINT64</type>
    <uint64>2251834173423632</uint64>
  </effectiveWeight>
</item>

########################### blocked dns ###########################
- other settings set to: no
- apply local firewall rules: no
- hns rules not added

2022-01-23 21:38:10 DROP UDP 172.31.142.141 172.31.128.1 60920 53 77 - - - - - - - RECEIVE

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 1/23/2022 9:38:10 PM
Event ID: 5157
Task Category: Filtering Platform Connection
Level: Information
Keywords: Audit Failure
User: N/A
Computer: marshes
Description:
The Windows Filtering Platform has blocked a connection.
Application Information:
Process ID: 3616
Application Name: \device\harddiskvolume4\windows\system32\svchost.exe
Network Information:
Direction: Inbound
Source Address: 172.31.142.141
Source Port: 60920
Destination Address: 172.31.128.1
Destination Port: 53
Protocol: 17
Filter Information:
Filter Run-Time ID: 80144
Layer Name: Receive/Accept
Layer Run-Time ID: 44

<item>
  <filterKey>{7bf5e407-a954-467a-a440-675b30b73574}</filterKey>
  <displayData>
    <name>Query User</name>
    <description>Prompt the User for a decision corresponding this Inbound Traffic</description>
  </displayData>
  <flags/>
  <providerKey>{decc16ca-3f33-4346-be1e-8fb4ae0f3d62}</providerKey>
  <providerData>
    <data>da02000000000000</data>
    <asString>........</asString>
  </providerData>
  <layerKey>FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4</layerKey>
  <subLayerKey>{b3cdd441-af90-41ba-a745-7c6008ff2301}</subLayerKey>
  <weight>
    <type>FWP_UINT8</type>
    <uint8>8</uint8>
  </weight>
  <filterCondition numItems="1">
    <item>
      <fieldKey>FWPM_CONDITION_ORIGINAL_PROFILE_ID</fieldKey>
      <matchType>FWP_MATCH_EQUAL</matchType>
      <conditionValue>
        <type>FWP_UINT32</type>
        <uint32>1</uint32>
      </conditionValue>
    </item>
  </filterCondition>
  <action>
    <type>FWP_ACTION_BLOCK</type>
    <filterType/>
  </action>
  <rawContext>0</rawContext>
  <reserved/>
  <filterId>80144</filterId>
  <effectiveWeight>
    <type>FWP_UINT64</type>
    <uint64>9223372036854783488</uint64>
  </effectiveWeight>
</item>
PS C:\Users\wroathe\Desktop> ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : marshes
   Primary Dns Suffix . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : -------

Ethernet adapter vEthernet (Default Switch):

   Connection-specific DNS Suffix . :
   Description . . . . . . . . . . . : Hyper-V Virtual Ethernet Adapter
   Physical Address. . . . . . . . . : 00-15-5D-11-84-74
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::8c0b:4011:2059:c20a%18(Preferred)
   IPv4 Address. . . . . . . . . . . : 172.31.128.1(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.240.0
   Default Gateway . . . . . . . . . :
   DHCPv6 IAID . . . . . . . . . . . : 301995357
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-29-7E-81-8B-00-0D-3A-98-98-2A
   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       fec0:0:0:ffff::2%1
                                       fec0:0:0:ffff::3%1
   NetBIOS over Tcpip. . . . . . . . : Enabled
<netEvent>
  <header>
    <timeStamp>2022-01-25T03:55:11.510Z</timeStamp>
    <flags numItems="9">
      <item>FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET</item>
      <item>FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET</item>
      <item>FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET</item>
      <item>FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET</item>
      <item>FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET</item>
      <item>FWPM_NET_EVENT_FLAG_APP_ID_SET</item>
      <item>FWPM_NET_EVENT_FLAG_USER_ID_SET</item>
      <item>FWPM_NET_EVENT_FLAG_IP_VERSION_SET</item>
      <item>FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET</item>
    </flags>
    <ipVersion>FWP_IP_VERSION_V4</ipVersion>
    <ipProtocol>17</ipProtocol>
    <localAddrV4>255.255.255.255</localAddrV4>
    <remoteAddrV4>0.0.0.0</remoteAddrV4>
    <localPort>67</localPort>
    <remotePort>68</remotePort>
    <scopeId>0</scopeId>
    <appId>
      <data>5c006400650076006900630065005c0068006100720064006400690073006b0076006f006c0075006d00650034005c00770069006e0064006f00770073005c00730079007300740065006d00330032005c0073007600630068006f00730074002e006500780065000000</data>
      <asString>\.d.e.v.i.c.e.\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.4.\.w.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.\.s.v.c.h.o.s.t...e.x.e...</asString>
    </appId>
    <userId>S-1-5-18</userId>
    <addressFamily>FWP_AF_INET</addressFamily>
    <packageSid>S-1-0-0</packageSid>
    <enterpriseId/>
    <policyFlags>0</policyFlags>
    <effectiveName/>
  </header>
  <type>FWPM_NET_EVENT_TYPE_CLASSIFY_ALLOW</type>
  <classifyAllow>
    <filterId>80466</filterId>
    <layerId>44</layerId>
    <reauthReason>0</reauthReason>
    <originalProfile>1</originalProfile>
    <currentProfile>1</currentProfile>
  </classifyAllow>
  <internalFields>
    <internalFlags/>
    <remoteAddrBitmap>0000000000000000</remoteAddrBitmap>
    <capabilities/>
    <fqbnVersion>0</fqbnVersion>
    <fqbnName/>
    <terminatingFiltersInfo numItems="2">
      <item>
        <filterId>80466</filterId>
        <subLayer>FWPP_SUBLAYER_INTERNAL_FIREWALL_QUARANTINE</subLayer>
        <actionType>FWP_ACTION_PERMIT</actionType>
      </item>
      <item>
        <filterId>88952</filterId>
        <subLayer>FWPP_SUBLAYER_INTERNAL_FIREWALL_WF</subLayer>
        <actionType>FWP_ACTION_PERMIT</actionType>
      </item>
    </terminatingFiltersInfo>
  </internalFields>
</netEvent>

<item>
  <filterKey>{d98fe0b1-d076-4af7-af93-33cc67c33118}</filterKey>
  <displayData>
    <name>Interface Un-quarantine filter</name>
    <description/>
  </displayData>
  <flags/>
  <providerKey>{decc16ca-3f33-4346-be1e-8fb4ae0f3d62}</providerKey>
  <providerData/>
  <layerKey>FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4</layerKey>
  <subLayerKey>{b3cdd441-af90-41ba-a745-7c6008ff2302}</subLayerKey>
  <weight>
    <type>FWP_UINT8</type>
    <uint8>0</uint8>
  </weight>
  <filterCondition numItems="3">
    <item>
      <fieldKey>FWPM_CONDITION_INTERFACE_QUARANTINE_EPOCH</fieldKey>
      <matchType>FWP_MATCH_EQUAL</matchType>
      <conditionValue>
        <type>FWP_UINT64</type>
        <uint64>10000006</uint64>
      </conditionValue>
    </item>
    <item>
      <fieldKey>FWPM_CONDITION_IP_ARRIVAL_INTERFACE</fieldKey>
      <matchType>FWP_MATCH_EQUAL</matchType>
      <conditionValue>
        <type>FWP_UINT64</type>
        <uint64>1689399683186688</uint64>
      </conditionValue>
    </item>
    <item>
      <fieldKey>FWPM_CONDITION_FLAGS</fieldKey>
      <matchType>FWP_MATCH_FLAGS_NONE_SET</matchType>
      <conditionValue>
        <type>FWP_UINT32</type>
        <uint32>1</uint32>
      </conditionValue>
    </item>
  </filterCondition>
  <action>
    <type>FWP_ACTION_PERMIT</type>
    <filterType/>
  </action>
  <rawContext>0</rawContext>
  <reserved/>
  <filterId>80466</filterId>
  <effectiveWeight>
    <type>FWP_UINT64</type>
    <uint64>2251834173423632</uint64>
  </effectiveWeight>
</item>

<item>
  <filterKey>{dda1d20d-cd2d-44ec-8dbf-868e73e21e59}</filterKey>
  <displayData>
    <name>Internet Connection Sharing (DHCP Server-In)</name>
    <description>Inbound rule for Internet Connection Sharing to allow use of the IPv4 DHCP Server. [UDP 67]</description>
  </displayData>
  <flags numItems="1">
    <item>FWPM_FILTER_FLAG_INDEXED</item>
  </flags>
  <providerKey>{decc16ca-3f33-4346-be1e-8fb4ae0f3d62}</providerKey>
  <providerData>
    <data>2806000000000000</data>
    <asString>(.......</asString>
  </providerData>
  <layerKey>FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4</layerKey>
  <subLayerKey>{b3cdd441-af90-41ba-a745-7c6008ff2301}</subLayerKey>
  <weight>
    <type>FWP_UINT8</type>
    <uint8>9</uint8>
  </weight>
  <filterCondition numItems="5">
    <item>
      <fieldKey>FWPM_CONDITION_ALE_APP_ID</fieldKey>
      <matchType>FWP_MATCH_EQUAL</matchType>
      <conditionValue>
        <type>FWP_BYTE_BLOB_TYPE</type>
        <byteBlob>
          <data>5c006400650076006900630065005c0068006100720064006400690073006b0076006f006c0075006d00650034005c00770069006e0064006f00770073005c00730079007300740065006d00330032005c0073007600630068006f00730074002e006500780065000000</data>
          <asString>\device\harddiskvolume4\windows\system32\svchost.exe</asString>
        </byteBlob>
      </conditionValue>
    </item>
    <item>
      <fieldKey>FWPM_CONDITION_ALE_USER_ID</fieldKey>
      <matchType>FWP_MATCH_EQUAL</matchType>
      <conditionValue>
        <type>FWP_SECURITY_DESCRIPTOR_TYPE</type>
        <sd>O:SYG:SYD:(A;;CCRC;;;S-1-5-80-2009329905-444645132-2728249442-922493431-93864177)</sd>
      </conditionValue>
    </item>
    <item>
      <fieldKey>FWPM_CONDITION_IP_LOCAL_PORT</fieldKey>
      <matchType>FWP_MATCH_EQUAL</matchType>
      <conditionValue>
        <type>FWP_UINT16</type>
        <uint16>67</uint16>
      </conditionValue>
    </item>
    <item>
      <fieldKey>FWPM_CONDITION_IP_ARRIVAL_INTERFACE</fieldKey>
      <matchType>FWP_MATCH_EQUAL</matchType>
      <conditionValue>
        <type>FWP_UINT64</type>
        <uint64>1689399683186688</uint64>
      </conditionValue>
    </item>
    <item>
      <fieldKey>FWPM_CONDITION_IP_PROTOCOL</fieldKey>
      <matchType>FWP_MATCH_EQUAL</matchType>
      <conditionValue>
        <type>FWP_UINT8</type>
        <uint8>17</uint8>
      </conditionValue>
    </item>
  </filterCondition>
  <action>
    <type>FWP_ACTION_PERMIT</type>
    <filterType/>
  </action>
  <rawContext>0</rawContext>
  <reserved/>
  <filterId>88952</filterId>
  <effectiveWeight>
    <type>FWP_UINT64</type>
    <uint64>10379531328327516160</uint64>
  </effectiveWeight>
</item>
<netEvent>
  <header>
    <timeStamp>2022-01-25T04:50:48.866Z</timeStamp>
    <flags numItems="9">
      <item>FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET</item>
      <item>FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET</item>
      <item>FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET</item>
      <item>FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET</item>
      <item>FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET</item>
      <item>FWPM_NET_EVENT_FLAG_APP_ID_SET</item>
      <item>FWPM_NET_EVENT_FLAG_USER_ID_SET</item>
      <item>FWPM_NET_EVENT_FLAG_IP_VERSION_SET</item>
      <item>FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET</item>
    </flags>
    <ipVersion>FWP_IP_VERSION_V4</ipVersion>
    <ipProtocol>17</ipProtocol>
    <localAddrV4>255.255.255.255</localAddrV4>
    <remoteAddrV4>0.0.0.0</remoteAddrV4>
    <localPort>67</localPort>
    <remotePort>68</remotePort>
    <scopeId>0</scopeId>
    <appId>
      <data>5c006400650076006900630065005c0068006100720064006400690073006b0076006f006c0075006d00650034005c00770069006e0064006f00770073005c00730079007300740065006d00330032005c0073007600630068006f00730074002e006500780065000000</data>
      <asString>\.d.e.v.i.c.e.\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.4.\.w.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.\.s.v.c.h.o.s.t...e.x.e...</asString>
    </appId>
    <userId>S-1-5-18</userId>
    <addressFamily>FWP_AF_INET</addressFamily>
    <packageSid>S-1-0-0</packageSid>
    <enterpriseId/>
    <policyFlags>0</policyFlags>
    <effectiveName/>
  </header>
  <type>FWPM_NET_EVENT_TYPE_CLASSIFY_DROP</type>
  <classifyDrop>
    <filterId>89392</filterId>
    <layerId>44</layerId>
    <reauthReason>0</reauthReason>
    <originalProfile>1</originalProfile>
    <currentProfile>1</currentProfile>
    <msFwpDirection>MS_FWP_DIRECTION_OUT</msFwpDirection>
    <isLoopback>false</isLoopback>
    <vSwitchId/>
    <vSwitchSourcePort>0</vSwitchSourcePort>
    <vSwitchDestinationPort>0</vSwitchDestinationPort>
  </classifyDrop>
  <internalFields>
    <internalFlags/>
    <remoteAddrBitmap>0000000000000000</remoteAddrBitmap>
    <capabilities/>
    <fqbnVersion>0</fqbnVersion>
    <fqbnName/>
    <terminatingFiltersInfo numItems="2">
      <item>
        <filterId>80466</filterId>
        <subLayer>FWPP_SUBLAYER_INTERNAL_FIREWALL_QUARANTINE</subLayer>
        <actionType>FWP_ACTION_PERMIT</actionType>
      </item>
      <item>
        <filterId>89392</filterId>
        <subLayer>FWPP_SUBLAYER_INTERNAL_FIREWALL_WF</subLayer>
        <actionType>FWP_ACTION_BLOCK</actionType>
      </item>
    </terminatingFiltersInfo>
  </internalFields>
</netEvent>

<item>
  <filterKey>{d98fe0b1-d076-4af7-af93-33cc67c33118}</filterKey>
  <displayData>
    <name>Interface Un-quarantine filter</name>
    <description/>
  </displayData>
  <flags/>
  <providerKey>{decc16ca-3f33-4346-be1e-8fb4ae0f3d62}</providerKey>
  <providerData/>
  <layerKey>FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4</layerKey>
  <subLayerKey>{b3cdd441-af90-41ba-a745-7c6008ff2302}</subLayerKey>
  <weight>
    <type>FWP_UINT8</type>
    <uint8>0</uint8>
  </weight>
  <filterCondition numItems="3">
    <item>
      <fieldKey>FWPM_CONDITION_INTERFACE_QUARANTINE_EPOCH</fieldKey>
      <matchType>FWP_MATCH_EQUAL</matchType>
      <conditionValue>
        <type>FWP_UINT64</type>
        <uint64>10000006</uint64>
      </conditionValue>
    </item>
    <item>
      <fieldKey>FWPM_CONDITION_IP_ARRIVAL_INTERFACE</fieldKey>
      <matchType>FWP_MATCH_EQUAL</matchType>
      <conditionValue>
        <type>FWP_UINT64</type>
        <uint64>1689399683186688</uint64>
      </conditionValue>
    </item>
    <item>
      <fieldKey>FWPM_CONDITION_FLAGS</fieldKey>
      <matchType>FWP_MATCH_FLAGS_NONE_SET</matchType>
      <conditionValue>
        <type>FWP_UINT32</type>
        <uint32>1</uint32>
      </conditionValue>
    </item>
  </filterCondition>
  <action>
    <type>FWP_ACTION_PERMIT</type>
    <filterType/>
  </action>
  <rawContext>0</rawContext>
  <reserved/>
  <filterId>80466</filterId>
  <effectiveWeight>
    <type>FWP_UINT64</type>
    <uint64>2251834173423632</uint64>
  </effectiveWeight>
</item>

<item>
  <filterKey>{2475897d-8c6d-4f08-afb2-bea660c3e0a2}</filterKey>
  <displayData>
    <name>Query User</name>
    <description>Prompt the User for a decision corresponding this Inbound Traffic</description>
  </displayData>
  <flags/>
  <providerKey>{decc16ca-3f33-4346-be1e-8fb4ae0f3d62}</providerKey>
  <providerData>
    <data>6606000000000000</data>
    <asString>f.......</asString>
  </providerData>
  <layerKey>FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4</layerKey>
  <subLayerKey>{b3cdd441-af90-41ba-a745-7c6008ff2301}</subLayerKey>
  <weight>
    <type>FWP_UINT8</type>
    <uint8>8</uint8>
  </weight>
  <filterCondition numItems="1">
    <item>
      <fieldKey>FWPM_CONDITION_ORIGINAL_PROFILE_ID</fieldKey>
      <matchType>FWP_MATCH_EQUAL</matchType>
      <conditionValue>
        <type>FWP_UINT32</type>
        <uint32>1</uint32>
      </conditionValue>
    </item>
  </filterCondition>
  <action>
    <type>FWP_ACTION_BLOCK</type>
    <filterType/>
  </action>
  <rawContext>0</rawContext>
  <reserved/>
  <filterId>89392</filterId>
  <effectiveWeight>
    <type>FWP_UINT64</type>
    <uint64>9223372036854783488</uint64>
  </effectiveWeight>
</item>
Host:

Ethernet adapter vEthernet (Default Switch):

   Connection-specific DNS Suffix . :
   Link-local IPv6 Address . . . . . : fe80::128:dc49:cd08:2f95%23
   IPv4 Address. . . . . . . . . . . : 172.23.32.1
   Subnet Mask . . . . . . . . . . . : 255.255.240.0
   Default Gateway . . . . . . . . . :

Guest:

Ethernet adapter Ethernet 2:

   Connection-specific DNS Suffix . : mshome.net
   Link-local IPv6 Address . . . . . : fe80::680d:c4ff:ce73:97%5
   IPv4 Address. . . . . . . . . . . : 172.23.40.51
   Subnet Mask . . . . . . . . . . . : 255.255.240.0
   Default Gateway . . . . . . . . . : 172.23.32.1

<netEvent>
  <header>
    <timeStamp>2022-01-25T04:19:11.485Z</timeStamp>
    <flags numItems="9">
      <item>FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET</item>
      <item>FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET</item>
      <item>FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET</item>
      <item>FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET</item>
      <item>FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET</item>
      <item>FWPM_NET_EVENT_FLAG_APP_ID_SET</item>
      <item>FWPM_NET_EVENT_FLAG_USER_ID_SET</item>
      <item>FWPM_NET_EVENT_FLAG_IP_VERSION_SET</item>
      <item>FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET</item>
    </flags>
    <ipVersion>FWP_IP_VERSION_V4</ipVersion>
    <ipProtocol>17</ipProtocol>
    <localAddrV4>172.23.32.1</localAddrV4>
    <remoteAddrV4>172.23.40.51</remoteAddrV4>
    <localPort>53</localPort>
    <remotePort>65056</remotePort>
    <scopeId>0</scopeId>
    <appId>
      <data>5c006400650076006900630065005c0068006100720064006400690073006b0076006f006c0075006d00650034005c00770069006e0064006f00770073005c00730079007300740065006d00330032005c0073007600630068006f00730074002e006500780065000000</data>
      <asString>\.d.e.v.i.c.e.\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.4.\.w.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.\.s.v.c.h.o.s.t...e.x.e...</asString>
    </appId>
    <userId>S-1-5-18</userId>
    <addressFamily>FWP_AF_INET</addressFamily>
    <packageSid>S-1-0-0</packageSid>
    <enterpriseId/>
    <policyFlags>0</policyFlags>
    <effectiveName/>
  </header>
  <type>FWPM_NET_EVENT_TYPE_CLASSIFY_ALLOW</type>
  <classifyAllow>
    <filterId>80466</filterId>
    <layerId>44</layerId>
    <reauthReason>0</reauthReason>
    <originalProfile>1</originalProfile>
    <currentProfile>1</currentProfile>
  </classifyAllow>
  <internalFields>
    <internalFlags/>
    <remoteAddrBitmap>0000000000000000</remoteAddrBitmap>
    <capabilities/>
    <fqbnVersion>0</fqbnVersion>
    <fqbnName/>
    <terminatingFiltersInfo numItems="2">
      <item>
        <filterId>80466</filterId>
        <subLayer>FWPP_SUBLAYER_INTERNAL_FIREWALL_QUARANTINE</subLayer>
        <actionType>FWP_ACTION_PERMIT</actionType>
      </item>
      <item>
        <filterId>88857</filterId>
        <subLayer>FWPP_SUBLAYER_INTERNAL_FIREWALL_WF</subLayer>
        <actionType>FWP_ACTION_PERMIT</actionType>
      </item>
    </terminatingFiltersInfo>
  </internalFields>
</netEvent>

<item>
  <filterKey>{d98fe0b1-d076-4af7-af93-33cc67c33118}</filterKey>
  <displayData>
    <name>Interface Un-quarantine filter</name>
    <description/>
  </displayData>
  <flags/>
  <providerKey>{decc16ca-3f33-4346-be1e-8fb4ae0f3d62}</providerKey>
  <providerData/>
  <layerKey>FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4</layerKey>
  <subLayerKey>{b3cdd441-af90-41ba-a745-7c6008ff2302}</subLayerKey>
  <weight>
    <type>FWP_UINT8</type>
    <uint8>0</uint8>
  </weight>
  <filterCondition numItems="3">
    <item>
      <fieldKey>FWPM_CONDITION_INTERFACE_QUARANTINE_EPOCH</fieldKey>
      <matchType>FWP_MATCH_EQUAL</matchType>
      <conditionValue>
        <type>FWP_UINT64</type>
        <uint64>10000006</uint64>
      </conditionValue>
    </item>
    <item>
      <fieldKey>FWPM_CONDITION_IP_ARRIVAL_INTERFACE</fieldKey>
      <matchType>FWP_MATCH_EQUAL</matchType>
      <conditionValue>
        <type>FWP_UINT64</type>
        <uint64>1689399683186688</uint64>
      </conditionValue>
    </item>
    <item>
      <fieldKey>FWPM_CONDITION_FLAGS</fieldKey>
      <matchType>FWP_MATCH_FLAGS_NONE_SET</matchType>
      <conditionValue>
        <type>FWP_UINT32</type>
        <uint32>1</uint32>
      </conditionValue>
    </item>
  </filterCondition>
  <action>
    <type>FWP_ACTION_PERMIT</type>
    <filterType/>
  </action>
  <rawContext>0</rawContext>
  <reserved/>
  <filterId>80466</filterId>
  <effectiveWeight>
    <type>FWP_UINT64</type>
    <uint64>2251834173423632</uint64>
  </effectiveWeight>
</item>

<item>
  <filterKey>{fbb1ad8d-6fb5-4c00-8102-64e2929f2eb6}</filterKey>
  <displayData>
    <name>HNS Container Networking - DNS (UDP-In) - AE220698-065F-4093-9C58-31CEC2E384E6 - 0</name>
    <description>HNS Container Networking - DNS (UDP-In) - AE220698-065F-4093-9C58-31CEC2E384E6 - 0</description>
  </displayData>
  <flags numItems="1">
    <item>FWPM_FILTER_FLAG_INDEXED</item>
  </flags>
  <providerKey>{decc16ca-3f33-4346-be1e-8fb4ae0f3d62}</providerKey>
  <providerData>
    <data>1206000000000000</data>
    <asString>........</asString>
  </providerData>
  <layerKey>FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4</layerKey>
  <subLayerKey>{b3cdd441-af90-41ba-a745-7c6008ff2301}</subLayerKey>
  <weight>
    <type>FWP_UINT8</type>
    <uint8>9</uint8>
  </weight>
  <filterCondition numItems="3">
    <item>
      <fieldKey>FWPM_CONDITION_IP_LOCAL_PORT</fieldKey>
      <matchType>FWP_MATCH_EQUAL</matchType>
      <conditionValue>
        <type>FWP_UINT16</type>
        <uint16>53</uint16>
      </conditionValue>
    </item>
    <item>
      <fieldKey>FWPM_CONDITION_IP_ARRIVAL_INTERFACE</fieldKey>
      <matchType>FWP_MATCH_EQUAL</matchType>
      <conditionValue>
        <type>FWP_UINT64</type>
        <uint64>1689399683186688</uint64>
      </conditionValue>
    </item>
    <item>
      <fieldKey>FWPM_CONDITION_IP_PROTOCOL</fieldKey>
      <matchType>FWP_MATCH_EQUAL</matchType>
      <conditionValue>
        <type>FWP_UINT8</type>
        <uint8>17</uint8>
      </conditionValue>
    </item>
  </filterCondition>
  <action>
    <type>FWP_ACTION_PERMIT</type>
    <filterType/>
  </action>
  <rawContext>0</rawContext>
  <reserved/>
  <filterId>88857</filterId>
  <effectiveWeight>
    <type>FWP_UINT64</type>
    <uint64>10379530503693795328</uint64>
  </effectiveWeight>
</item>
<netEvent> | |
<header> | |
<timeStamp>2022-01-25T04:52:12.176Z</timeStamp> | |
<flags numItems="9"> | |
<item>FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET</item> | |
<item>FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET</item> | |
<item>FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET</item> | |
<item>FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET</item> | |
<item>FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET</item> | |
<item>FWPM_NET_EVENT_FLAG_APP_ID_SET</item> | |
<item>FWPM_NET_EVENT_FLAG_USER_ID_SET</item> | |
<item>FWPM_NET_EVENT_FLAG_IP_VERSION_SET</item> | |
<item>FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET</item> | |
</flags> | |
<ipVersion>FWP_IP_VERSION_V4</ipVersion> | |
<ipProtocol>17</ipProtocol> | |
<localAddrV4>172.23.32.1</localAddrV4> | |
<remoteAddrV4>172.23.40.51</remoteAddrV4> | |
<localPort>53</localPort> | |
<remotePort>49509</remotePort> | |
<scopeId>0</scopeId> | |
<appId> | |
<data>5c006400650076006900630065005c0068006100720064006400690073006b0076006f006c0075006d00650034005c00770069006e0064006f00770073005c00730079007300740065006d00330032005c0073007600630068006f00730074002e006500780065000000</data> | |
<asString>\.d.e.v.i.c.e.\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.4.\.w.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.\.s.v.c.h.o.s.t...e.x.e...</asString> | |
</appId> | |
<userId>S-1-5-18</userId> | |
<addressFamily>FWP_AF_INET</addressFamily> | |
<packageSid>S-1-0-0</packageSid> | |
<enterpriseId/> | |
<policyFlags>0</policyFlags> | |
<effectiveName/> | |
</header> | |
<type>FWPM_NET_EVENT_TYPE_CLASSIFY_DROP</type> | |
<classifyDrop> | |
<filterId>89392</filterId> | |
<layerId>44</layerId> | |
<reauthReason>0</reauthReason> | |
<originalProfile>1</originalProfile> | |
<currentProfile>1</currentProfile> | |
<msFwpDirection>MS_FWP_DIRECTION_OUT</msFwpDirection> | |
<isLoopback>false</isLoopback> | |
<vSwitchId/> | |
<vSwitchSourcePort>0</vSwitchSourcePort> | |
<vSwitchDestinationPort>0</vSwitchDestinationPort> | |
</classifyDrop> | |
<internalFields> | |
<internalFlags/> | |
<remoteAddrBitmap>0000000000000000</remoteAddrBitmap> | |
<capabilities/> | |
<fqbnVersion>0</fqbnVersion> | |
<fqbnName/> | |
<terminatingFiltersInfo numItems="2"> | |
<item> | |
<filterId>80466</filterId> | |
<subLayer>FWPP_SUBLAYER_INTERNAL_FIREWALL_QUARANTINE</subLayer> | |
<actionType>FWP_ACTION_PERMIT</actionType> | |
</item> | |
<item> | |
<filterId>89392</filterId> | |
<subLayer>FWPP_SUBLAYER_INTERNAL_FIREWALL_WF</subLayer> | |
<actionType>FWP_ACTION_BLOCK</actionType> | |
</item> | |
</terminatingFiltersInfo> | |
</internalFields> | |
</netEvent> | |
<item> | |
<filterKey>{d98fe0b1-d076-4af7-af93-33cc67c33118}</filterKey> | |
<displayData> | |
<name>Interface Un-quarantine filter</name> | |
<description/> | |
</displayData> | |
<flags/> | |
<providerKey>{decc16ca-3f33-4346-be1e-8fb4ae0f3d62}</providerKey> | |
<providerData/> | |
<layerKey>FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4</layerKey> | |
<subLayerKey>{b3cdd441-af90-41ba-a745-7c6008ff2302}</subLayerKey> | |
<weight> | |
<type>FWP_UINT8</type> | |
<uint8>0</uint8> | |
</weight> | |
<filterCondition numItems="3"> | |
<item> | |
<fieldKey>FWPM_CONDITION_INTERFACE_QUARANTINE_EPOCH</fieldKey> | |
<matchType>FWP_MATCH_EQUAL</matchType> | |
<conditionValue> | |
<type>FWP_UINT64</type> | |
<uint64>10000006</uint64> | |
</conditionValue> | |
</item> | |
<item> | |
<fieldKey>FWPM_CONDITION_IP_ARRIVAL_INTERFACE</fieldKey> | |
<matchType>FWP_MATCH_EQUAL</matchType> | |
<conditionValue> | |
<type>FWP_UINT64</type> | |
<uint64>1689399683186688</uint64> | |
</conditionValue> | |
</item> | |
<item> | |
<fieldKey>FWPM_CONDITION_FLAGS</fieldKey> | |
<matchType>FWP_MATCH_FLAGS_NONE_SET</matchType> | |
<conditionValue> | |
<type>FWP_UINT32</type> | |
<uint32>1</uint32> | |
</conditionValue> | |
</item> | |
</filterCondition> | |
<action> | |
<type>FWP_ACTION_PERMIT</type> | |
<filterType/> | |
</action> | |
<rawContext>0</rawContext> | |
<reserved/> | |
<filterId>80466</filterId> | |
<effectiveWeight> | |
<type>FWP_UINT64</type> | |
<uint64>2251834173423632</uint64> | |
</effectiveWeight> | |
</item> | |
<item> | |
<filterKey>{2475897d-8c6d-4f08-afb2-bea660c3e0a2}</filterKey> | |
<displayData> | |
<name>Query User</name> | |
<description>Prompt the User for a decision corresponding this Inbound Traffic</description> | |
</displayData> | |
<flags/> | |
<providerKey>{decc16ca-3f33-4346-be1e-8fb4ae0f3d62}</providerKey> | |
<providerData> | |
<data>6606000000000000</data> | |
<asString>f.......</asString> | |
</providerData> | |
<layerKey>FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4</layerKey> | |
<subLayerKey>{b3cdd441-af90-41ba-a745-7c6008ff2301}</subLayerKey> | |
<weight> | |
<type>FWP_UINT8</type> | |
<uint8>8</uint8> | |
</weight> | |
<filterCondition numItems="1"> | |
<item> | |
<fieldKey>FWPM_CONDITION_ORIGINAL_PROFILE_ID</fieldKey> | |
<matchType>FWP_MATCH_EQUAL</matchType> | |
<conditionValue> | |
<type>FWP_UINT32</type> | |
<uint32>1</uint32> | |
</conditionValue> | |
</item> | |
</filterCondition> | |
<action> | |
<type>FWP_ACTION_BLOCK</type> | |
<filterType/> | |
</action> | |
<rawContext>0</rawContext> | |
<reserved/> | |
<filterId>89392</filterId> | |
<effectiveWeight> | |
<type>FWP_UINT64</type> | |
<uint64>9223372036854783488</uint64> | |
</effectiveWeight> | |
</item> |
- Firewall log: C:\Windows\System32\LogFiles\Firewall\pfirewall.log
- Filtering Platform Connection audit events (Event ID 5156 permitted, 5157 blocked) in the Security log in Event Viewer
- Filters from netsh wfp show state
- See: https://gist.github.com/JustinChristensen/bb6d15cee90da4e38db9f73161152308
- in the "public" connection profile in the Local Security Policy
  - other settings besides "apply local firewall rules" set to no
  - Core Networking rules and Remote Desktop rules added to the policy and enabled
  - when apply local firewall rules is set to yes
    - dhcp allowed
    - dns allowed
  - when apply local firewall rules is set to no
    - when the machine does not yet have a dhcp lease, and no HNS (Host Networking Service) rules have been added to the policy:
      - dhcp denied
      - dns denied
      - I haven't been able to determine which firewall rules govern DHCP, but DNS is governed by the HNS rules
    - when the HNS rules have been added to the policy
      - dns allowed
      - dhcp calls are not made while the machine has a lease (obviously), but if the lease is released with ipconfig /release
        and then renewed with ipconfig /renew, dhcp is denied
TODO:
* HNS rules appear to be dynamic and contain varying fields, so adding static rules to the policy won't be effective
  - need a way to allow the HNS to apply local firewall rules
* I haven't been able to figure out yet which of the local firewall rules govern allowing inbound DHCP broadcasts
Capture Net Events and Filters:
netsh wfp capture start keywords=19
netsh wfp capture stop
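The netEvent dump above only gives the filterId of the filter that dropped the DNS packet (89392) and the per-sub-layer terminating filters (80466 permit, 89392 block); the names live in a separate part of the XML. The following is an added example, not part of this gist, that joins CLASSIFY_DROP events to filter definitions by filterId so each drop is printed with the name of the filter in every sub-layer that decided it. The sample XML is constructed to mirror the dump above; the `<filters>`/`<netEvents>` container names are an assumption, and the code relies only on the `<item>` and `<netEvent>` shapes shown on the page.

```python
"""Correlate WFP CLASSIFY_DROP net events with the filters that terminated them."""
import xml.etree.ElementTree as ET

# Constructed sample (not a real capture): trimmed to the element shapes seen in
# the dump above. Filter IDs/names and the one drop mirror that netEvent.
SAMPLE_XML = """<wfpdiag><filters>
<item><filterKey>{d98fe0b1-d076-4af7-af93-33cc67c33118}</filterKey>
 <displayData><name>Interface Un-quarantine filter</name></displayData>
 <layerKey>FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4</layerKey>
 <action><type>FWP_ACTION_PERMIT</type></action><filterId>80466</filterId></item>
<item><filterKey>{2475897d-8c6d-4f08-afb2-bea660c3e0a2}</filterKey>
 <displayData><name>Query User</name></displayData>
 <layerKey>FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4</layerKey>
 <action><type>FWP_ACTION_BLOCK</type></action><filterId>89392</filterId></item>
<item><filterKey>{fbb1ad8d-6fb5-4c00-8102-64e2929f2eb6}</filterKey>
 <displayData><name>HNS Container Networking - DNS (UDP-In)</name></displayData>
 <layerKey>FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4</layerKey>
 <action><type>FWP_ACTION_PERMIT</type></action><filterId>88857</filterId></item>
</filters><netEvents>
<netEvent><header>
 <timeStamp>2022-01-25T04:52:12.176Z</timeStamp><ipProtocol>17</ipProtocol>
 <localAddrV4>172.23.32.1</localAddrV4><remoteAddrV4>172.23.40.51</remoteAddrV4>
 <localPort>53</localPort><remotePort>49509</remotePort>
 <appId><asString>\\device\\harddiskvolume4\\windows\\system32\\svchost.exe</asString></appId>
</header>
<type>FWPM_NET_EVENT_TYPE_CLASSIFY_DROP</type>
<classifyDrop><filterId>89392</filterId><layerId>44</layerId>
 <msFwpDirection>MS_FWP_DIRECTION_OUT</msFwpDirection></classifyDrop>
<internalFields><terminatingFiltersInfo numItems="2">
 <item><filterId>80466</filterId><subLayer>FWPP_SUBLAYER_INTERNAL_FIREWALL_QUARANTINE</subLayer>
  <actionType>FWP_ACTION_PERMIT</actionType></item>
 <item><filterId>89392</filterId><subLayer>FWPP_SUBLAYER_INTERNAL_FIREWALL_WF</subLayer>
  <actionType>FWP_ACTION_BLOCK</actionType></item>
</terminatingFiltersInfo></internalFields></netEvent>
</netEvents></wfpdiag>"""


def _text(elem, path, default=""):
    """Text of the first child at `path`, or `default` when the element is absent/empty."""
    node = elem.find(path) if elem is not None else None
    return node.text.strip() if node is not None and node.text else default


def load_filters(root):
    """filterId -> {name, layer, action} for every <item> that carries a <filterKey>."""
    filters = {}
    for item in root.iter("item"):
        if item.find("filterKey") is None or not _text(item, "filterId"):
            continue  # layer/sub-layer/provider items, or terminating-filter items
        filters[int(_text(item, "filterId"))] = {
            "name": _text(item, "displayData/name"),
            "layer": _text(item, "layerKey"),
            "action": _text(item, "action/type"),
        }
    return filters


def classify_drops(root):
    """Every CLASSIFY_DROP event with its 5-tuple, app path and terminating-filter chain."""
    drops = []
    for ev in root.iter():
        cd = ev.find("classifyDrop")
        if cd is None or _text(ev, "type") != "FWPM_NET_EVENT_TYPE_CLASSIFY_DROP":
            continue
        hdr = ev.find("header")
        drops.append({
            "time": _text(hdr, "timeStamp"),
            "proto": int(_text(hdr, "ipProtocol", "0")),
            "local": (_text(hdr, "localAddrV4"), int(_text(hdr, "localPort", "0"))),
            "remote": (_text(hdr, "remoteAddrV4"), int(_text(hdr, "remotePort", "0"))),
            "app": _text(hdr, "appId/asString"),
            "direction": _text(cd, "msFwpDirection"),
            "filter_id": int(_text(cd, "filterId", "0")),
            # one entry per sub-layer: the filter whose verdict terminated that sub-layer
            "terminating": [
                (int(_text(t, "filterId", "0")), _text(t, "subLayer"), _text(t, "actionType"))
                for t in ev.iter("item") if t.find("subLayer") is not None
            ],
        })
    return drops


def report(xml_text):
    """Join drops to filter names; `blocked_by` is the filter the event attributes the drop to."""
    root = ET.fromstring(xml_text)
    filters = load_filters(root)

    def name(fid):
        return filters.get(fid, {}).get("name", "<not in filter dump>")

    return [{**d, "blocked_by": name(d["filter_id"]),
             "chain": [(fid, act, sub, name(fid)) for fid, sub, act in d["terminating"]]}
            for d in classify_drops(root)]


def format_report(rows):
    """Human-readable rendering of report() output, one drop plus its chain per block."""
    lines = []
    for r in rows:
        lines.append(f"{r['time']} DROP proto={r['proto']} local={r['local'][0]}:{r['local'][1]} "
                     f"remote={r['remote'][0]}:{r['remote'][1]} app={r['app']} "
                     f"filter={r['filter_id']} ({r['blocked_by']})")
        for fid, act, sub, nm in r["chain"]:
            lines.append(f"    {fid:>6}  {act:<17}  {sub:<45}  {nm}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(report(SAMPLE_XML)))
```

On a real machine, `netsh wfp show state` writes wfpstate.xml and the `netsh wfp capture start` / `stop` pair writes wfpdiag.cab with wfpdiag.xml inside; read that file's text and pass it to `report()`. On the sample it reproduces the dump's verdict: the quarantine sub-layer permitted the packet via 80466 (Interface Un-quarantine filter), the WF sub-layer blocked it via 89392 (Query User), and the HNS DNS permit filter 88857 does not appear in the chain at all, which matches the note above that DNS is governed by the HNS rules.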
WindowsBuildLabEx : 19041.1.amd64fre.vb_release.191206-1406
WindowsCurrentVersion : 6.3
WindowsEditionId : Professional
WindowsInstallationType : Client
WindowsInstallDateFromRegistry : 1/23/2022 3:20:24 AM
WindowsProductId : 00331-10000-00001-AA265
WindowsProductName : Windows 10 Pro
WindowsRegisteredOrganization :
WindowsRegisteredOwner :
WindowsSystemRoot : C:\Windows
WindowsVersion : 2009