How to deal with >500 firewall entries #112
At some point it would make more sense to just replace windows firewall with a self made one or to integrate with another firewall product.
From: RickkeeC ***@***.***>
Sent: Monday, March 6, 2023 4:14 PM
To: devnulli/EvlWatcher ***@***.***>
Cc: Subscribed ***@***.***>
Subject: [devnulli/EvlWatcher] How to deal with >500 firewall entries (Issue #112)
500 seems to be the practical limit to a Windows Firewall rule; more than that and it can take a long time to open Windows Firewall. Users are tempted to CTRL-ALT-DEL and crash out whilst firewall rules are loading, causing corruption in Windows Firewall, then it has to be reset.
When the EvlWatcher rule starts accumulating so many IPs, is it possible to rename the EvlWatcher rule to something else? If so, will it recreate a new rule for the new entry?
As a feature request, please consider an option to create another rule after X number of entries.
Just for thought, we've looked at another product, rdpguard, that creates a single rule for each IP address.
Would also like a feature in the interface to view / download log files and the ability to restart the service from the GUI.
Also, how do we donate to the project? It works great.
|
Yes, a $600 - $1200 firewall with GEO blocking would cut down the attacks, but I haven’t worked with one in this price range that can detect and block unauthorized Windows login attempts.
A free pfSense would make sense too, but we’d have to charge $600 and install on an old-box to set it up and periodically monitor and update.
There is a sweet spot in our IT universe servicing clients with 1 – 50 PC’s for a product like EvlWatcher that fits nicely between the Network edge protection and box protection.
1. Is it possible to rename the EvlWatcher rule to something else? If so, will it automatically recreate a new rule if one is not found on service restart?
-- easy enough to test, just thought I would ask. As a feature request, please consider option to rename and create another rule after X number of entries.
2. Would also like feature in interface to view / download log files. (Are any log files maintained from the console viewer that we can access?)
3. Ability to stop / start / restart service from GUI would be convenient, buttons right down there where it says service is active 😉
4. (Resolved) Also, how do we donate to the project, it works great. – I RTFM and bought cha a dozen coffees (or one at Starbucks) keep up the good work!
From: Jeremy R ***@***.***>
Sent: Monday, March 6, 2023 4:17 PM
To: devnulli/EvlWatcher ***@***.***>
Cc: Rick Cassel - R. A. Cassel & Associates ***@***.***>; Author ***@***.***>
Subject: Re: [devnulli/EvlWatcher] How to deal with >500 firewall entries (Issue #112)
At some point it would make more sense to just replace windows firewall with a self made one or to integrate with another firewall product.
|
I was thinking more in line of a 3rd party software firewall that replaces Windows Firewall, but I agree pfSense or Sophos would be much better, could even use a low cost NUC for it.
But yea originally was suggesting branching EvlWatcher into its own firewall or integrating with 3rd party ones like ZoneAlarm, GlassWire, TinyWall, etc.
Also another very effective method that is overlooked quite a bit is changing the port numbers, most just do a quick scan for known ports and don't do a full port scan.
That or just switching to RustDesk or some other remote tool.
|
I'm afraid I can't fix that crappy ol' Windows Firewall UI anyway. It just sucks. All I can do is split the IPs into several rules.. like Rule1-10 or whatnot.. but I refuse to do that, it's just stupid! Microsoft should fix its crappy firewall |
Hello, can you suggest a work-around? Maybe rename a firewall rule so the permanent IP's stay blocked, restart the service and let EVL recreate it?
Currently I have been hard-coding IP blocks in another rule for the offenders, then delete them from EVL.
It's the same firewall since Win2K that came out in 1998, so I doubt they will do anything about it.
|
I'll come back to that issue once I have had some time to think about it. Maybe splitting rules is really an option |
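The rule-splitting approach raised in this thread, as an added example (not EvlWatcher's code and not part of the original discussion): it de-duplicates a list of banned addresses and spreads them over several block rules so no single rule nears the size reported above. The `BlockList` prefix, the 400-address chunk size and both function names are assumptions; `Sync-BlockRules` needs an elevated PowerShell session.

```powershell
# Added example. Assumed names (not EvlWatcher's own): BlockList-NN rules, 400 per rule.
function Split-AddressList {
    param([string[]]$Address, [ValidateRange(1, 10000)][int]$ChunkSize = 400)
    # Validate and de-duplicate first so a malformed entry never reaches the firewall.
    $seen  = [System.Collections.Generic.HashSet[string]]::new()
    $clean = @(foreach ($a in $Address) {
        $ip = $null
        if ($a -and [System.Net.IPAddress]::TryParse($a.Trim(), [ref]$ip) -and
            $seen.Add($ip.ToString())) {
            $ip.ToString()
        }
    })
    # Emit each chunk as one array object (the unary comma stops it being unrolled).
    for ($i = 0; $i -lt $clean.Count; $i += $ChunkSize) {
        $end = [Math]::Min($i + $ChunkSize, $clean.Count) - 1
        , @($clean[$i..$end])
    }
}

function Sync-BlockRules {
    param([string[]]$Address, [string]$Prefix = 'BlockList', [int]$ChunkSize = 400)
    $chunks = @(Split-AddressList -Address $Address -ChunkSize $ChunkSize)
    # Remember the existing chunk rules; they are removed only after the new
    # ones exist, so there is no window in which nothing is blocked.
    $old = @(Get-NetFirewallRule -DisplayName "$Prefix-*" -ErrorAction SilentlyContinue)
    $n = 0
    foreach ($chunk in $chunks) {
        $n++
        New-NetFirewallRule -DisplayName ('{0}-{1:D2}' -f $Prefix, $n) `
            -Direction Inbound -Action Block -RemoteAddress $chunk | Out-Null
    }
    $old | Remove-NetFirewallRule
    $n   # number of rules now holding the block list
}

# Constructed sample: 1,000 private-range addresses, split without touching the firewall.
$sample = 0..999 | ForEach-Object {
    '10.0.{0}.{1}' -f [int][Math]::Floor($_ / 250), ($_ % 250 + 1)
}
$chunks = @(Split-AddressList -Address $sample)
'{0} rules would be created; largest holds {1} addresses' -f $chunks.Count,
    ($chunks | ForEach-Object { $_.Count } | Measure-Object -Maximum).Maximum

# Apply for real from an elevated session, one address per line in the file:
# Sync-BlockRules -Address (Get-Content .\banned-ips.txt)
```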
Ok. So, if I:
Would that help? Also, because I find that interesting, might I ask why you intend to keep those perma bans for such a long time? I reckon that wiping them would not really make a big difference? Those who still try get banned again quickly, and you get rid of all who gave up, and don't bloat up on a lot of historic data. I ask that, because I actually got requests to implement the completely diametral approach as well, which is to disable permanent bans at all, or at least add date #105, so ppl can remove old ones 😄 |
Where are the permanent bans stored? |
they are in the config.xml, stored in the service binary directory (C:\Program\blabla\EvlWatcher) |
Much appreciated and a cup of coffee "to go" |
thx |