I am kind of baffled by a HIPS 8 firewall block I am seeing. The event details are below and in the attached image.
IP Address/User: 127.0.0.1
Application: Host Process for Windows Services (svchost.exe)
Message: Blocked Incoming UDP - 127.0.0.1 : (56006) Destination 184.108.40.206 : (1900)
Matched Rule: Block All Traffic (default implied block rule at bottom of firewall)
I already have the "allow loopback" rule in my firewall (not in any LAG) as described in KB71230. I am unsure how to create a firewall rule to allow this traffic. Can anyone help?
For this traffic, you would need to have:
Remote IP: 127.0.0.1
Source IP = Remote Network, since this is Inbound traffic. I suspect your Loopback rule allows Local Network 127.0.0.1 (as that's the rule from the HIPS Catalog), which doesn't apply to this blocked traffic.
FYI, the HIPS Catalog rule uses 127.0.0.1 and ::1 only. I've seen applications use any number of different IPs in the 127.x.x.x range. You'll need to adjust your Loopback rule according to any blocked network traffic in the 127.x.x.x range, if necessary.
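An added example, not part of the original thread: a Python sketch that scans blocked-event messages in the format quoted above and counts loopback-range sources, flagging those outside the catalog rule's 127.0.0.1 and ::1. Every sample line except the first is constructed, and the function and variable names are hypothetical.

```python
import ipaddress
import re
from collections import Counter

# Layout taken from the event message quoted in the thread:
# "Blocked Incoming UDP - <src> : (<sport>) Destination <dst> : (<dport>)"
# Assumption: other directions and protocols use the same layout.
EVENT_RE = re.compile(
    r"Blocked (?P<direction>\w+) (?P<proto>\w+) - "
    r"(?P<src>\S+) : \((?P<sport>\d+)\) "
    r"Destination (?P<dst>\S+) : \((?P<dport>\d+)\)"
)

# Addresses the thread says the HIPS Catalog loopback rule covers.
CATALOG_LOOPBACK = {ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("::1")}


def loopback_blocks(messages):
    """Count blocked events with a loopback source.

    Keys are (direction, source, in_catalog); in_catalog is False for
    127.x.x.x addresses the catalog rule does not list.
    """
    hits = Counter()
    for msg in messages:
        m = EVENT_RE.search(msg)
        if not m:
            continue  # not a blocked-traffic message
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # source field is not an IP address
        if src.is_loopback:  # 127.0.0.0/8 or ::1
            hits[(m["direction"], str(src), src in CATALOG_LOOPBACK)] += 1
    return hits


SAMPLE = [
    # First line is the event from the thread; the rest are constructed.
    "Blocked Incoming UDP - 127.0.0.1 : (56006) Destination 184.108.40.206 : (1900)",
    "Blocked Incoming UDP - 127.0.0.1 : (56007) Destination 184.108.40.206 : (1900)",
    "Blocked Incoming TCP - 127.0.5.1 : (49152) Destination 127.0.5.1 : (8080)",
    "Blocked Incoming TCP - 192.168.1.20 : (50000) Destination 192.168.1.10 : (445)",
    "not an event line",
]

if __name__ == "__main__":
    for (direction, src, in_catalog), n in sorted(loopback_blocks(SAMPLE).items()):
        note = "catalog address" if in_catalog else "outside catalog rule"
        print(f"{n} x {direction} from {src} ({note})")
```
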
Thanks, this actually seems to work. I tried this a couple hours ago, and rebooted a few times, and sure enough, I got traffic to pass with a "reversed" loopback rule.
I'm trying to understand why this rule is needed, though. It seems like the loopback rule from the KB would have sufficed, since the source traffic was still 127.0.0.1. Wouldn't this have counted as the local network? Or, is this reversed because the traffic was inbound?
Should the KB be updated to include this caveat? This seems like it applies to that same situation.
Would HIPS 7 have treated this traffic any differently? I recall that HIPS 7 had these loopback rules built in by default.