
A hopefully easy Q on windows 8 firewall rules

It turns out that my Thuraya issue was at least partly due to win8 being massively chatty. I can go to a little website which is just a few k, then exit IE10 and win8 continues to download another 200k or whatever. (Doesn’t explain why Thuraya told me they saw no activity on the earlier attempts to connect…).

I have disabled all known updates, removed the java update from the startup list (the update itself cannot be disabled – this one is all over the net), but the potentially handy “metered connection” feature is available only on wifi and built-in 3G adapters, and cannot be selected for the connections where it is most needed i.e. GPRS/3G stuff connecting over USB or bluetooth.

So I need to set up some firewall rules.

I need the following OUTGOING traffic to be allowed

DHCP (obviously)
DNS (so I can go to say my pop3 server, by name)
Several Port 80 URLs (I can use IPs for those if really necessary)
Anything on 25 or 225 (SMTP) – could limit this by IP but I doubt win8 is sending anything on these ports
Anything on 110 (POP3) – comment as above

Now, the real bonus would be if ALL traffic over wifi, bluetooth or ethernet would be allowed, but I can’t see any easy way to do that, especially as ethernet is done via USB.

Then, block all other outgoing traffic.

If the block rule above is not too hard to enable/disable then the wifi bit above it becomes irrelevant, of course, because if I disable that rule, the firewall will be fully open.

I can probably do all the above but I might have missed something. For example isn’t there some other UDP stuff?

This tablet (Lenovo Tablet 2) is rarely used outside the aircraft. The satphone is used only for the private wx sites, and possibly for email.

I would much appreciate any tips.

Last Edited by Peter at 15 Mar 10:58
Administrator
Shoreham EGKA, United Kingdom

DHCP is UDP port 67 and DNS is UDP port 53.

I would set it up as follows:
- inbound connections: block
- outbound connections:
  - allow udp port 67, 53
  - allow tcp port 25, 225, 110
  - allow port 80 to IP addresses: (list of IPs of the wx sites)

The Windows firewall is not bad at all and easy to set up. You can just enable/disable your ruleset as you see fit.
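The ruleset outlined above, written out with the NetSecurity cmdlets that ship with Windows 8 (an added example, not something posted in the thread). The group name and the weather-site addresses are assumptions; run it from an elevated PowerShell prompt.

```powershell
# Added example: Lucius's ruleset as Windows 8 firewall rules. Every rule goes into one
# -Group so the whole satphone ruleset can be listed, disabled or removed in one command.
$grp = 'Satphone lockdown'            # assumption: any group name works

# Assumed placeholder addresses of the private weather sites; replace with the real ones.
$wxSites = @('198.51.100.10', '198.51.100.11')

# Start from a clean slate so the script can be re-run safely.
Get-NetFirewallRule -Group $grp -ErrorAction SilentlyContinue | Remove-NetFirewallRule

# Inbound: block unsolicited connections. Replies to our own outbound traffic still get
# through because the Windows firewall is stateful (the "same session" question below).
# Outbound: deny by default; only the allow rules that follow punch holes.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -DefaultInboundAction Block -DefaultOutboundAction Block

# DHCP: the client sends from UDP 68 to the server's UDP 67.
New-NetFirewallRule -Group $grp -DisplayName 'Allow DHCP out' -Direction Outbound `
    -Action Allow -Protocol UDP -LocalPort 68 -RemotePort 67 | Out-Null

# DNS: needed so the POP3/SMTP hosts can be reached by name.
New-NetFirewallRule -Group $grp -DisplayName 'Allow DNS out' -Direction Outbound `
    -Action Allow -Protocol UDP -RemotePort 53 | Out-Null

# Mail: the ports exactly as listed in the thread (587 is the usual SMTP submission port
# if the mail provider uses that instead).
New-NetFirewallRule -Group $grp -DisplayName 'Allow mail out' -Direction Outbound `
    -Action Allow -Protocol TCP -RemotePort 25,225,110 | Out-Null

# Web: port 80 only to the listed weather-site addresses, nowhere else.
New-NetFirewallRule -Group $grp -DisplayName 'Allow wx sites out' -Direction Outbound `
    -Action Allow -Protocol TCP -RemotePort 80 -RemoteAddress $wxSites | Out-Null

# To open the firewall again when back on wifi/ethernet, flip only the default action;
# the allow rules can stay in place. Set it back to Block to re-lock:
#   Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Allow
# The rules themselves can also be toggled as a group:
#   Disable-NetFirewallRule -Group $grp ; Enable-NetFirewallRule -Group $grp

# Show what is now in place.
Get-NetFirewallRule -Group $grp | Format-Table DisplayName, Direction, Action, Enabled
```

Windows ships a number of enabled outbound allow rules of its own (Core Networking and others) that stay in force after the default is switched to Block; review them with `Get-NetFirewallRule -Direction Outbound -Enabled True -Action Allow` if traffic still leaks.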

inbound connections: block

Won’t that block all incoming traffic, or will the firewall implicitly allow incoming traffic which is in the same session as the outgoing traffic that triggered it?

Administrator
Shoreham EGKA, United Kingdom

Won’t that block all incoming traffic

It will only block connection establishment from outside. It is probably already the default setting in Windows.

As a side note, you might want to switch from POP3 to IMAP over SSL if possible. Sending your username and password in clear text is usually a bad idea these days, especially when connecting via public hot spots. Same goes for SMTP/Submission if you do auth there before sending.

It turns out it isn’t quite so simple as blocking all outgoing traffic except that on the obvious specific IPs.

Accessing a lot of websites involves accessing not just the IP of the base URL but also the IP of any object referenced on that page. For example, if you go to a weather site which presents a radar image, and that radar image is presented in the HTML as a URL to its real source, you have to unblock that other IP also.

The only way around that, for say a private wx site, is to do all the processing on the server and present everything as if it were coming from one place. And I don’t have that. Also I am moving a lot of stuff, including the whole of peter2000.co.uk (already moved), to a hosted server on which PHP isn’t going to be running at all.

Last Edited by Peter at 17 Mar 12:06
Administrator
Shoreham EGKA, United Kingdom

The windows firewall also allows rules per application. I.e. allow only foo.exe (application) to make any out- and inbound connections, as opposed to cherry picking the ports to allow for a process. This is usually considered more secure, and easier to set up. However, I am not sure what exactly you are trying to do.

United States
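The per-application approach in the same cmdlet style (an added example, not code from the thread). The group name and the program paths are placeholder assumptions; it assumes the outbound default has already been set to Block as in the port-based ruleset.

```powershell
# Added example: per-program rules instead of per-port rules. Run elevated.
$grp = 'Satphone lockdown'   # assumption: group name chosen so the set is easy to toggle

# Allow one program to talk out on any port; everything else stays blocked by the
# outbound default. The path is a placeholder assumption.
New-NetFirewallRule -Group $grp -DisplayName 'Allow mail client out' -Direction Outbound `
    -Action Allow -Program 'C:\Path\To\foo.exe' | Out-Null

# An explicit Block rule wins over any Allow rule for the same program, so this stops
# an updater such as java.exe even when the outbound default is later set back to Allow
# for normal internet use. The path is a placeholder assumption.
New-NetFirewallRule -Group $grp -DisplayName 'Block Java out' -Direction Outbound `
    -Action Block -Program 'C:\Path\To\java.exe' | Out-Null

# Find every rule that covers a given program. Useful when traffic turns out to leave via
# a shared conduit process rather than the application you expected to see.
Get-NetFirewallApplicationFilter | Where-Object Program -like '*java*' |
    Get-NetFirewallRule | Format-Table DisplayName, Direction, Action, Enabled
```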

All I was trying to do was to block the various processes in win8 which go online. These were killing the satellite phone connection.

Under winXP this is not an issue. You just need to block the “obvious” stuff like windows updates, and then the apps like Adobe Reader, Firefox, Java, and not much else.

But win8 itself is massively chatty. I did use your method, Lucius, successfully, but some of the traffic was going out under the name of a generic process which acts as a conduit for many others. Also the Java updates cannot be blocked; the checkbox for it restores itself immediately – even if one runs it as administrator – so one has to block java.exe in the firewall. Eventually I did manage to block just about everything, as described here.

The “perfect” solution means using a private proxy or some variation of that, say port 8080, and blocking everything else, but I wanted to retain general internet access if at all possible.

Administrator
Shoreham EGKA, United Kingdom