Why the firewall?

[vrapp]

Does it make sense to enable the firewall on a single Windows computer connected to internet by the router?

Outside attackers won't reach this computer unless I publish the specific port on the router.
Malicious program trying to access internet from inside won't be blocked anyway because all outside connections are allowed by default.

If so, then it looks like the only purpose of the firewall it to protect from other devices in the same LAN?

 

[ColinTaylor]

Windows' Firewall is more versatile than that of a home gateway. So for example, it can block or allow incoming or outgoing connections based on the application and/or user account rather than simply a port or IP address.

 

[vrapp]

Understood - The user can create versatile rules. But it's probably safe to assume that 99.9% users don't, while the default firewall is enabled with default rules. So I wonder what sense does it make.

 

[ColinTaylor]

Understood - The user can create versatile rules. But it's probably safe to assume that 99.9% users don't, while the default firewall is enabled with default rules. So I wonder what sense does it make.

I guess the argument would be "why wouldn't you leave the firewall enabled"? I can't think of a reason not to have it enabled.

 

[drinkingbird]

Understood - The user can create versatile rules. But it's probably safe to assume that 99.9% users don't, while the default firewall is enabled with default rules. So I wonder what sense does it make.

Security is always a multi layer solution, redundancy is critical. Windows firewall is also application aware and can detect malicious traffic (inbound or outbound) based on the ports it knows should be in use.

Personally I prefer third party firewalls that prompt you when an app tries to do some new type of traffic, but most users would not want that.

And yes it also protects you from other devices/threats on your LAN, including your router should it become compromised.

 

[vrapp]

I'm more curious about Microsoft including it in Windows to begin with. As I remember, back in Windows XP the default outbound rule was to block, and it was showing a prompt for every new connection, just like drinkingbird said. But later it was removed. And I never heard a story about the firewall actually having saved anybody from anything. So I wonder if there's much reason to keep it besides the traditional/historical assumption that it must be important.

 

[ColinTaylor]

Personally I prefer third party firewalls that prompt you when an app tries to do some new type of traffic, but most users would not want that.

I was going to mention this when the OP said:

The user can create versatile rules. But it's probably safe to assume that 99.9% users don't...

Windows Firewall will prompt the user to create a new rule when it detects an application trying to enable unsolicited access. It asks you whether you want to block access, allow it on the LAN only, or allow it from everywhere.

 

[ColDen]

Understood - The user can create versatile rules. But it's probably safe to assume that 99.9% users don't, while the default firewall is enabled with default rules. So I wonder what sense does it make.

The impact on the Windows OS performance is really negligible but the benefits enabling it is very great. Your choice.

 

[vrapp]

Windows firewall will prompt the user to create a new rule when it detects an application trying to enable unsolicited access.

Not outbound access. Outbound access is enabled by default for everything. And any malicious program will have no problem to use TCP for anything it needs to do. As for inbound access, even if it really needed it, being behind the router not much it will do.

 

[drinkingbird]

I'm more curious about Microsoft including it in Windows to begin with. As I remember, back in Windows XP the default outbound rule was to block, and it was showing a prompt for every new connection, just like drinkingbird said. But later it was removed. And I never heard a story about the firewall actually having saved anybody from anything. So I wonder if there's much reason to keep it besides the traditional/historical assumption that it must be important.

I've never seen windows prompt for every outbound connection, but there was probably the option for it. I don't think it was ever a default. I've been using Norton and Symantec corporate for decades mostly due to the fact that it prompts for and gives detailed information about all new outbound connections. That is not the default but I turn it on.

You won't hear about the firewall saving someone from something. That's the point, means it has done it's job.

 

[ColinTaylor]

Not outbound access. Outbound access is enabled by default for everything. And any malicious program will have no problem to use TCP for anything it needs to do. As for inbound access, even if it really needed it, being behind the router not much it will do.

Given that you can't separate the inbound part of Windows Firewall from the outbound part, why wouldn't you leave it enabled? What problem are you trying to solve?

 

[drinkingbird]

I was going to mention this when the OP said:

Windows Firewall will prompt the user to create a new rule when it detects an application trying to enable unsolicited access. It asks you whether you want to block access, allow it on the LAN only, or allow it from everywhere.

Never seen it do that, then again I don't use it personally, but have done plenty of work on PCs with no third party firewall. Guess it is probably only if it sees something malicious, or maybe it is a feature that has to be enabled?

 

[drinkingbird]

Not outbound access. Outbound access is enabled by default for everything. And any malicious program will have no problem to use TCP for anything it needs to do. As for inbound access, even if it really needed it, being behind the router not much it will do.

It does plenty, as several of us have detailed, but shut it off if you want to.

Application aware endpoint security is one of several critical layers of overall security. There are 3rd party firewalls for windows which are better, but the built in one has come a long way and is far better than no protection. Considering it has little to no impact on performance, what is the goal of not having it?

 

[ColinTaylor]

Never seen it do that, them again I don't use it personally, but have done plenty of work on PCs with no third party firewall. Guess it is probably only if it sees something malicious, or maybe it is a feature that has to be enabled?

 

[L&LD]

The answer is yes, of course. Enable it. Always.

The pertinent point is 'when it's connected to the internet'.

 

[drinkingbird]

View attachment 51517

Yeah, guess I haven't used it enough to see something actually trigger it. Though my guess is it is actually the listener of iperf triggering it and not the outbound connection.

My company actually ditched 3rd party McAfee in favor of windows built in security a couple years ago. Haven't seen it ever prompt but then we can only install and run approved apps and my guess is they've already allowed those via group policy firewall rules.

 

[drinkingbird]

The answer is yes, of course. Enable it. Always.

The pertinent point is 'when it's connected to the internet'.

Or when any other machine on that network is connected to the internet, or has ever been connected to the internet....

 

[drinkingbird]

Heck I run Symantec endpoint protection which is very good and I still enable the option in windows to allow defender to do a periodic scan. While that is not related to the firewall portion, the point is more redundancy and more layers is always a good thing when it comes to security.

Maybe your question would be easier to answer if you told us what problem you're having?

 

[follower]

Does it make sense to enable the firewall on a single Windows computer connected to internet by the router?

Outside attackers won't reach this computer unless I publish the specific port on the router.
Malicious program trying to access internet from inside won't be blocked anyway because all outside connections are allowed by default.

If so, then it looks like the only purpose of the firewall it to protect from other devices in the same LAN?

Does it make sense to enable the firewall on a single Windows computer connected to internet by the router?
- Yes, it does.

Outside attackers won't reach this computer unless I publish the specific port on the router.
- Yes, they can reach your PC.

Malicious program trying to access internet from inside won't be blocked anyway because all outside connections are allowed by default.
- Malicious program can access outside even if all of your ports are blocked.

If so, then it looks like the only purpose of the firewall it to protect from other devices in the same LAN?
- No.

Is Windows Firewall good?
-No. But it's much better than Router Firewall. A Router Firewall is nothing. It's just a marketing tactic.

Then, what do you recommend?
- Noob Home Users: Nothing.

 

[coxhaus]

I know back when I worked, I blocked all high-level ports outbound using a Cisco PIX. You could get an exception, but you had to go through channels. I blocked some low-level ports and of course inbound ports. High level ports are above 1024 as I remember but it has been years since I did it.

This would cause issues with games at home. You could do it, but you would need to map out all your games and software. And only open ports for certain devices outbound. It just depends on how much time you want to spend securing your firewall.

Cisco firewalls back then blocked all inbound and all outbound ports from the start. You had to open it all up.