4

The only rule against port 9000 can be seen with the following command:

C:\>netsh advfirewall firewall show rule name=all | grep 9000 -B 10 -A 3

Rule Name:                            MyRule
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
Grouping:
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             TCP
LocalPort:                            9000
RemotePort:                           Any
Edge traversal:                       No
Action:                               Allow

However, Windows Firewall still drops packets from this port, as can be seen in the logs:

2017-01-17 19:34:31 DROP TCP 192.168.2.10 192.168.2.20 46793 9000 60 S 2693136347 0 29200 - - - RECEIVE
2017-01-17 19:41:34 DROP TCP 192.168.2.10 192.168.2.20 46813 9000 60 S 4150828470 0 29200 - - - RECEIVE

Possibly occurred after the last Windows 10 update? What else can I do to troubleshoot this?

Stafford Williams
  • There's no other rule _before_ yours, is there? Like "drop all" or something? – Lenniey Jan 17 '17 at 08:54
  • Not sure - how do you determine the order of the rules? – Stafford Williams Jan 17 '17 at 09:21
  • [Technet link](https://technet.microsoft.com/en-us/library/f1207683-3d4e-4382-91ac-36b1dde432cb) `Block rules. This type of rule explicitly blocks a particular type of incoming or outgoing traffic. Because these rules are evaluated before allow rules, they take precedence. Network traffic that matches both an active block and an active allow rule is blocked.` – Lenniey Jan 17 '17 at 09:24

1 Answer

6

You definitely have a previous rule that denies something (like the IP itself). Check the complete rule list and put your port rule at the top so it is hit before any deny ones. In the case of Windows Firewall, a block rule overwrites an allow one, so if something is both allowed and blocked it will be blocked. Make sure it is not.

Overmind
  • I don't think Windows Firewall works with rule ordering, unlike any other firewall / filter implementation anywhere. – Lenniey Jan 17 '17 at 12:31
  • It can't be simplified like that in the case of WF. You may want to check how Advanced Security Rules Evaluation works. Anyway, a block rule overwrites an allow one. So if something is both allowed and blocked it will be blocked. Updating answer. – Overmind Jan 17 '17 at 12:55
  • In this case there was a block rule against a program that covered all ports. The program was node.js, which is what was listening on the port. Not sure how the rule got there. – Stafford Williams Jan 17 '17 at 13:19
  • Good thing you detected it. With a lot of rules, things can be hard to track. – Overmind Jan 17 '17 at 13:26
  • You can always (well, in most cases) check which rule blocked your traffic. See: http://superuser.com/questions/1130078/how-to-tell-which-windows-firewall-rule-is-blocking-traffic – Lenniey Jan 18 '17 at 08:23
  • In my case, reboot Windows (Server 2019) helps to apply the firewall rules setting correctly. – Ivan Chau Dec 09 '22 at 02:25
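The thread resolves as a program-scoped Block rule (LocalPort "Any") that the port-based grep in the question could never surface, and a Block rule wins over an Allow rule whatever the listing order. The PowerShell below is an added example and is not code from the question, the answer or any of the commenters. It assumes inbound TCP 9000 as in the post, the NetSecurity cmdlets (Windows 8 / Server 2012 and later, run elevated), and, for the second function, that failure auditing for the "Filtering Platform Packet Drop" subcategory has been enabled (for example with auditpol) before the drop is reproduced, so that Security event 5152 is written; the function names are this example's own.

```powershell
# Added example, not from the original post. Lists every enabled inbound rule
# that could apply to a given local port, including program-scoped rules whose
# LocalPort is "Any" (the kind that hid the node.js block in the thread), and
# sorts Block rules first because Block takes precedence over Allow in
# Windows Firewall regardless of rule order. Run from an elevated PowerShell.
function Get-InboundRulesForPort {
    param(
        [int]$Port = 9000,          # assumed from the post
        [string]$Protocol = 'TCP'   # assumed from the post
    )

    $rules = Get-NetFirewallRule -Direction Inbound -Enabled True -ErrorAction Stop

    foreach ($rule in $rules) {
        $portFilter = $rule | Get-NetFirewallPortFilter
        $appFilter  = $rule | Get-NetFirewallApplicationFilter
        $addrFilter = $rule | Get-NetFirewallAddressFilter

        # Skip rules for a different protocol ('Any' matches every protocol).
        if ($portFilter.Protocol -ne 'Any' -and $portFilter.Protocol -ne $Protocol) { continue }

        # LocalPort may be 'Any', one number, a list of numbers, or a range such as '9000-9010'.
        $hit = $false
        foreach ($p in @($portFilter.LocalPort)) {
            if ($p -eq 'Any') { $hit = $true; break }
            if ($p -match '^(\d+)-(\d+)$') {
                if ([int]$Matches[1] -le $Port -and $Port -le [int]$Matches[2]) { $hit = $true; break }
            }
            elseif (($p -as [int]) -eq $Port) { $hit = $true; break }
        }
        if (-not $hit) { continue }

        [pscustomobject]@{
            Name      = $rule.DisplayName
            Action    = $rule.Action        # Block beats Allow
            Profile   = $rule.Profile
            Program   = $appFilter.Program  # 'Any' unless the rule is program-scoped
            LocalPort = (@($portFilter.LocalPort) -join ',')
            RemoteIP  = (@($addrFilter.RemoteAddress) -join ',')
        }
    }
}

# With failure auditing enabled for "Filtering Platform Packet Drop"
# (auditpol /set /subcategory:"Filtering Platform Packet Drop" /failure:enable),
# every drop is logged as Security event 5152 carrying the WFP "Filter Run-Time ID".
# That ID can then be looked up in the wfpstate.xml written by 'netsh wfp show state'
# to find the filter (and so the firewall rule) that dropped the packet.
function Get-DroppingFilterIds {
    param([int]$Port = 9000, [int]$MaxEvents = 50)

    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5152 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match "Destination Port:\s+$Port\b" } |
        ForEach-Object {
            if ($_.Message -match 'Filter Run-Time ID:\s+(\d+)') {
                [pscustomobject]@{ Time = $_.TimeCreated; FilterId = [int]$Matches[1] }
            }
        } | Sort-Object FilterId -Unique
}

Get-InboundRulesForPort -Port 9000 | Sort-Object Action -Descending | Format-Table -AutoSize
Get-DroppingFilterIds -Port 9000 | Format-Table -AutoSize
```

In the situation described in the comments, the first table would show the "MyRule" Allow entry alongside a Block entry whose LocalPort is "Any" and whose Program column points at the node.js binary; that Block entry is the one to disable or re-scope, since no reordering of rules will let the Allow rule take effect.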