
Author Topic: stop apps on android to scan network  (Read 3108 times)

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: stop apps on android to scan network
« Reply #15 on: July 12, 2022, 04:34:02 PM »

On the Windows box, were you logged in as an administrator? I would be interested to know if a normal user without privileges can do the same? (I haven’t seen a Windows box in 12 years, so I’m completely out of touch.)
Logged

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 7405
  • VM Gig1 - AAISP CF
Re: stop apps on android to scan network
« Reply #16 on: July 12, 2022, 08:07:12 PM »

Steam can and does routinely add firewall rules for games; there is no notification, no ability to turn it off, no UAC prompt (so it isn't escalated).

The developer of an app I use called Windows Firewall Control recognised the issue, and it has a feature where rules not added by WFC itself will be either automatically disabled or automatically deleted depending on the behaviour you select. This is how I found out what Steam was doing.

So I expect it's trivial for malware to modify Windows firewall rules.

The IPv6 Xbox issue, I'm not a fan of the privacy nonsense features implemented in IPv6, auditing and accountability should always be a priority over that, and the Xbox implementation of IPv6 sadly is just poor. Even a locked down mobile phone gives you more control than that. If I really wanted my Xbox to be locked to one IP, I would give it a VLAN to itself with only one IP that can be allocated.
« Last Edit: July 12, 2022, 08:14:00 PM by Chrysalis »
Logged
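
The kind of check described in the post above (spotting firewall rules that appeared without the user adding them) can be done with the built-in NetSecurity cmdlets. This is an added example, not part of the thread and not Windows Firewall Control's code; the baseline path and the parameter names are assumptions.

```powershell
# Added example: baseline-and-diff audit of inbound allow rules in Windows Firewall.
# Run elevated. The baseline path and parameter names are assumptions for illustration.
param(
    [string]$BaselinePath = "$env:ProgramData\fw-rule-baseline.xml",  # hypothetical path
    [switch]$SaveBaseline,     # record the current rule set as trusted
    [switch]$DisableUnknown    # disable (not delete) rules missing from the baseline
)

function Get-RuleSnapshot {
    # One record per inbound allow rule, joined with its program and port filters.
    Get-NetFirewallRule -Direction Inbound -Action Allow | ForEach-Object {
        $app  = $_ | Get-NetFirewallApplicationFilter
        $port = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Name        = $_.Name
            DisplayName = $_.DisplayName
            Enabled     = [string]$_.Enabled
            Program     = $app.Program
            Protocol    = $port.Protocol
            LocalPort   = ($port.LocalPort -join ',')
        }
    }
}

function Find-UnknownRule {
    # Rules whose unique Name is absent from the baseline.
    param([object[]]$Baseline, [object[]]$Current)
    $known = @($Baseline | ForEach-Object { $_.Name })
    $Current | Where-Object { $_.Name -notin $known }
}

$current = @(Get-RuleSnapshot)
if ($SaveBaseline -or -not (Test-Path -Path $BaselinePath)) {
    $current | Export-Clixml -Path $BaselinePath
    Write-Output "Saved baseline of $($current.Count) rules to $BaselinePath"
    return
}

$baseline = @(Import-Clixml -Path $BaselinePath)
$unknown  = @(Find-UnknownRule -Baseline $baseline -Current $current)
$unknown | Format-Table DisplayName, Program, Protocol, LocalPort, Enabled -AutoSize

if ($DisableUnknown) {
    # Disabling keeps the rule for review; it can be re-enabled or removed later.
    $unknown | ForEach-Object { Disable-NetFirewallRule -Name $_.Name }
}
```

The comparison is by rule name only, so a rule edited in place is not reported. Keep the baseline file where only administrators can write.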

Alex Atkin UK

  • Addicted Kitizen
  • *****
  • Posts: 5284
    • Thinkbroadband Quality Monitors
Re: stop apps on android to scan network
« Reply #17 on: July 12, 2022, 10:26:40 PM »

> On the Windows box, were you logged in as an administrator? I would be interested to know if a normal user without privileges can do the same? (I haven’t seen a Windows box in 12 years, so I’m completely out of touch.)

> So I expect it's trivial for malware to modify Windows firewall rules.

It wasn't Windows Firewall it was modifying, it was the router (or possibly both simultaneously). I've never seen it myself, but apparently it is a thing with some routers that Windows can remotely configure them. No idea if it's related to UPnP or some other zeroconf service. See https://linustechtips.com/topic/1441853-new-routermodem-new-problems/#comment-15471645

> The IPv6 Xbox issue, I'm not a fan of the privacy nonsense features implemented in IPv6, auditing and accountability should always be a priority over that, and the Xbox implementation of IPv6 sadly is just poor. Even a locked down mobile phone gives you more control than that. If I really wanted my Xbox to be locked to one IP, I would give it a VLAN to itself with only one IP that can be allocated.

Indeed, I really will need to look into that.  Would also mean I COULD monitor the traffic as a VLAN should show up in SNMP.
« Last Edit: July 12, 2022, 10:32:18 PM by Alex Atkin UK »
Logged
Broadband: Zen Full Fibre 900 + Three 5G Routers: pfSense (Intel N100) + Huawei CPE Pro 2 H122-373 WiFi: Zyxel NWA210AX
Switches: Netgear MS510TXUP, Netgear MS510TXPP, Netgear GS110EMX My Broadband History & Ping Monitors

aesmith

  • Kitizen
  • ****
  • Posts: 1216
Re: stop apps on android to scan network
« Reply #18 on: July 16, 2022, 05:27:39 PM »

Normal practice on a "guest" network would be to enable Client Isolation, so wireless clients can't talk to each other but can only talk to the LAN.  Depending on the AP you can normally restrict what they can reach on the LAN as well either at L2 or L3.
Logged

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: stop apps on android to scan network
« Reply #19 on: July 16, 2022, 08:49:06 PM »

@Alex I think manipulating the router might be something that is done by UPnP but I need to read up on it, all that was a long time ago for me. I always made certain to disable UPnP in routers and later on I didn’t have any NAT anyway, from after the time I got a /29 from Demon then went to Zen and A&A (simultaneously, two sites).
Logged

Alex Atkin UK

  • Addicted Kitizen
  • *****
  • Posts: 5284
    • Thinkbroadband Quality Monitors
Re: stop apps on android to scan network
« Reply #20 on: July 17, 2022, 08:40:51 PM »

> @Alex I think manipulating the router might be something that is done by UPnP but I need to read up on it, all that was a long time ago for me. I always made certain to disable UPnP in routers and later on I didn’t have any NAT anyway, from after the time I got a /29 from Demon then went to Zen and A&A (simultaneously, two sites).

The reason I was thinking it wasn't UPnP is usually UPnP is dynamic (the ports are forwarded when required and removed when not), whereas the screenshot appears to be manually setting a port forward. If it was dynamic, then doing it by clicking on the router makes no sense as the Windows Firewall should be handling it automatically.

Still, I've never seen that interface before in Windows so have no idea, can't find anything about it on Google. The standard, as it should be IMO, is to log in to the router directly, which is what I tried to explain to that person in the thread. Windows being able to do it for you is a security risk IMO.

On pfSense I have my gaming PC and consoles whitelisted for UPnP as games can use a frustratingly diverse number of ports, disabled for everything else.
Logged

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 7405
  • VM Gig1 - AAISP CF
Re: stop apps on android to scan network
« Reply #21 on: July 18, 2022, 04:39:39 AM »

Alex, do you remember that issue I posted on a while back where I ended up turning on STP?

That was caused by UPnP when I had no games running, so in theory there should have been no traffic getting into my LAN. I ended up disabling it again, and will only enable it selectively now when I play a game that insists on only working with UPnP.
Logged

Alex Atkin UK

  • Addicted Kitizen
  • *****
  • Posts: 5284
    • Thinkbroadband Quality Monitors
Re: stop apps on android to scan network
« Reply #22 on: July 19, 2022, 06:08:12 AM »

I've honestly not looked into it too deeply as I've not had any problems. To be fair, it's not like I even really play online games other than The Crew 2 which is server based so likely doesn't need it anyway, probably the case for most modern games.

I do remember a few years back it would crash on pfSense, the Xbox didn't like that. Certainly no denying it's safer with it off, but I just checked as I had the gaming PC on earlier and it seems only Steam had opened the GameStream ports, nothing else.
Logged