I have strange blocking on my Windows 8.1. I do not know if it is a false positive or not. The McAfee firewall installed on Windows 8.1 blocks incoming UDP 53 and 389. The source is Windows 8.1 and the destination is the domain controller (no firewall on the DC). Windows seems to be working fine; I can run Outlook and change password, but this blocked traffic is scary. I would like to know if it is a bug? Description:
Host Process for Windows Services (svchost)
Path: C:\Windows\System32\svchost.exe
Message: Blocked Incoming UDP - Source 192.168.20.212 : (56006) Destination 192.168.20.251 : dns (53)
Matched Rule: Block All Traffic

Description: Host Process for Windows Services (svchost)
Message: Blocked Incoming UDP - Source 192.168.20.212 : (52778) Destination 192.168.20.251 : ldap (389)
Matched Rule: Block All Traffic
The HIPS firewall is a stateful firewall, meaning it's a table, and when filtering traffic it starts top to bottom; if it cannot match your traffic to a certain rule within the table, it will default to the "Block All Traffic" rule, which is what it's hitting in your situation.
It looks like the traffic that is being blocked is internal. I would look at setting up a connection-aware group as a firewall rule; it can greatly help out for internal traffic without having to create tons of rules. More info: https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/20000/PD20747/en_US/...
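To make the top-to-bottom, first-match evaluation described in this reply concrete against the two activity-log messages quoted in the question, here is an added example that is not from the thread or from McAfee: it parses those messages, then re-evaluates each one against a small candidate rule table and reports which rule it would hit. The Rule class, the rule names, and the placement of "Matched Rule" on the same line as the message are assumptions.

```python
import re
from dataclasses import dataclass
# Constructed sample: the two events quoted in the question, each with its
# "Matched Rule" text placed on the same line as the rest of the message.
SAMPLE_LOG = """\
Blocked Incoming UDP - Source 192.168.20.212 : (56006) Destination 192.168.20.251 : dns (53) Matched Rule: Block All Traffic
Blocked Incoming UDP - Source 192.168.20.212 : (52778) Destination 192.168.20.251 : ldap (389) Matched Rule: Block All Traffic
"""

LOG_RE = re.compile(
    r"Blocked (?P<direction>Incoming|Outgoing) (?P<proto>UDP|TCP) - "
    r"Source (?P<src>[\d.]+) : (?:\w+ )?\((?P<sport>\d+)\) "
    r"Destination (?P<dst>[\d.]+) : (?:(?P<service>\w+) )?\((?P<dport>\d+)\)"
    r"(?: Matched Rule: (?P<rule>.+))?$"
)

def parse_event(line):
    """Fields of one HIPS activity-log block message, or None if the line is something else."""
    m = LOG_RE.match(line.strip())
    return dict(m.groupdict(), dport=int(m.group("dport"))) if m else None

@dataclass
class Rule:                      # hypothetical rule model, not McAfee's own
    name: str
    action: str                  # "allow" or "block"
    direction: str = ""          # "Incoming"/"Outgoing"; "" = either
    proto: str = ""              # "UDP"/"TCP"; "" = either
    dports: frozenset = frozenset()  # empty = any destination port

    def matches(self, ev):
        return (self.direction in ("", ev["direction"])
                and self.proto in ("", ev["proto"])
                and (not self.dports or ev["dport"] in self.dports))

def first_match(ev, rules):
    """Top-to-bottom first match; an unmatched event hits the implicit Block All Traffic rule."""
    for rule in rules:
        if rule.matches(ev):
            return rule.name, rule.action
    return "Block All Traffic", "block"

def triage(log_text, rules):
    """Re-evaluate every logged block against a candidate rule table."""
    out = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev:
            name, action = first_match(ev, rules)
            out.append((ev["service"] or str(ev["dport"]), ev["dport"], name, action))
    return out
```

Calling `triage(SAMPLE_LOG, [])` shows both events falling through to "Block All Traffic"; adding `Rule("Allow DC replies", "allow", "Incoming", "UDP", frozenset({53, 389}))` to the table shows them matched and allowed instead.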
If anyone likes to see the blocked traffic, you may use a VM or real Windows 8.1 with the HIPS firewall enabled, member of a domain, and DHCP must be enabled; then wait for one or two hours and the blocked traffic will appear in the activity log. If you do not want to wait, just configure the TCP settings of Windows 8.1 to be a static IP (with your DNS), then change it back to DHCP and you will get the red traffic; if not, just log off and log in again. The HIPS version is 8 with P4 and the latest hotfixes.
I am sure that the HIPS firewall does not block 53 or 389, because if you enable logging of allowed traffic you will see 53 as green traffic, but I do not know why it is showing us both colors!
There are no default firewall rules to allow INBOUND port 53 and port 389 traffic. You will need to create firewall rules to allow this traffic in, if the operating system requires it.
Again, I understand that these ports 53 and 389 are remote ports for DNS and DC; I would like to know the reason why I should create a rule for these ports locally for Windows 8.1?
You'll need to ask Microsoft that question to determine why exactly this traffic is needed. If you wish to continue blocking the traffic, and lose whatever functionality is provided with this traffic, you can do so. If the network traffic is necessary for some functionality that you need, then you will need to allow the traffic in.