As I have said more than once in my articles on Windows Firewall with Advanced Security, starting with Windows Vista and Windows Server 2008 R2 the Windows Firewall improves the security of every computer in an organization by default, blocking all inbound traffic that has not been explicitly allowed. When you install an application or operating system component that requires inbound connections, the operating system in most cases enables the inbound firewall rules automatically, without you having to configure them by hand. If you open the snap-in directly from the Control Panel, or by running wf.msc from the "Run" dialog or the command line, you will see that some rules are already enabled. For example, such a rule is created automatically when Windows Live Messenger is installed or when the Hyper-V role is deployed, as shown in the following illustration:

Fig. 1. Automatically created inbound rules

Inbound rules are not created automatically in every case, however. For applications that do not create inbound rules on their own, you will have to create the rules manually. If such a program is installed on one computer, or on several computers in a workgroup, you can create the rules directly in the "Windows Firewall with Advanced Security" snap-in. But what if your employees' computers are domain members and there are dozens, or even hundreds, of them? In that case the administrator applies Windows Firewall rules across the organization with Group Policy, which provides a similar interface.

In this article you will learn how to manage Windows Firewall with Advanced Security flexibly using Group Policy, namely how to create inbound and outbound rules for a specific group of computers.

Create a GPO to manage Windows Firewall with Advanced Security

Before you create inbound and outbound Windows Firewall with Advanced Security rules for your organization's client computers, you need to locate the OUs that contain the computer accounts in your organization and create a GPO, which will then hold the set of policy settings targeted at that set of computers. After that, using the snap-in, you configure the inbound and outbound rules. There is nothing specific to Windows Firewall with Advanced Security in creating the Group Policy Object itself. To do so, follow these steps:

Once you've completed all of the previous steps, you can start creating inbound and outbound rules for Windows Firewall with Advanced Security.

Setting up a rule for incoming and outgoing connections

In this step we will create, in the Group Policy Object created in the previous section, an inbound rule for Windows Live Messenger on port 1900 for 64-bit Windows Vista and Windows 7, as well as an outbound rule that allows requests from the Internet Explorer browser. By default, members of the local Administrators group can also create and edit inbound and outbound rules in the "Windows Firewall with Advanced Security" snap-in; those rules are merged with the rules received from Group Policy and applied to the computer's configuration. To create an inbound rule in the GPO you created earlier, follow these steps:

  1. In the "Group Policy Objects" node of the snap-in, select the GPO you created earlier (in this case "Setting up Windows Firewall"), right-click it and choose "Edit";
  2. In the "Group Policy Management Editor" snap-in, expand Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Inbound Rules in the console tree. Right-click the "Inbound Rules" node and select "New Rule" from the context menu, as shown in the following illustration:

    Fig. 6. Creating a new inbound rule

  3. On the first page of the "New Inbound Rule Wizard" you can choose one of the following rule types, described in detail below:
    • Program. This type of rule allows or blocks connections for a specific executable file, regardless of the port numbers used. For most people this is the most useful type, since not everyone knows which ports a particular program uses. It is the best choice in most cases, but note that it cannot be used for a service that does not have its own executable file;
    • Port. This type of rule allows or blocks connections on a specific TCP or UDP port, regardless of which program generates the traffic. When creating a rule of this type you can specify several ports at once;
    • Predefined. This type of rule controls connections for a specific operating system program or service chosen from a drop-down list. Some programs add their own entries to this list when installed, which simplifies creating inbound rules for them;
    • Custom. This type of rule lets you combine program and port criteria in a single rule.
  4. To walk through the maximum number of wizard pages, select the "Custom" rule type;

    Fig. 7. "Rule Type" page of the New Inbound Rule Wizard

  5. On the "Program" page of the New Inbound Rule Wizard you specify the path to the program whose sent or received network packets Windows Firewall with Advanced Security will match against the rule. In our case, set the switch to "This program path" and enter "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" in the text field, as shown below:

    Fig. 8. "Program" page of the New Inbound Rule Wizard

  6. On the "Protocol and Ports" page of the New Inbound Rule Wizard you specify the protocol and ports that a network packet must use to match the rule. Several ports are entered separated by commas; a range of ports is entered as the lower and upper port numbers separated by a hyphen. Let's briefly look at the local port options for inbound rules:
    • All Ports. The rule applies to all inbound and outbound connections over TCP or UDP;
    • Specific Ports. Here you list the specific ports used for inbound or outbound connections over TCP or UDP;
    • RPC Endpoint Mapper. This value can be selected only for inbound TCP connections. The computer accepts inbound RPC requests over TCP on port 135; the RPC-EM request names the network service and asks for the port number on which that service is listening;
    • RPC Dynamic Ports. As with the previous value, this can be selected only for inbound TCP connections; the computer accepts inbound RPC packets on the ports assigned by the RPC runtime;
    • IPHTTPS. This value is available only for inbound TCP connections. It allows receiving packets that use the IPHTTPS tunneling protocol, which encapsulates IPv6 packets inside IPv4 HTTPS traffic from a remote computer;
    • Edge Traversal. This value can be selected only for inbound UDP connections and allows receiving inbound Teredo packets.
  7. For example, to specify TCP ports 80, 443 and 1900 for Windows Live Messenger, select "TCP" in the "Protocol type" drop-down list, select "Specific Ports" in the "Local port" drop-down list, and enter "80, 443, 1900" in the text box below it. Leave the "Remote port" value unchanged and click "Next";

    Fig. 9. "Protocol and Ports" page of the New Inbound Rule Wizard

  8. On the "Scope" page of the wizard you can specify the local and remote IP addresses whose network traffic the rule applies to. There are two sections: the local IP addresses and the remote IP addresses the rule applies to. In both sections, traffic matches the rule only if the corresponding IP address is present in the list. With "Any IP address" selected, the rule matches packets with any address of the local computer, or, for an inbound rule, arriving from any remote address. To restrict the rule to specific addresses, set the switch to "These IP addresses" and add an address or subnet in the dialog opened by the "Add" button. In our case, leave this page unchanged and click "Next";

    Fig. 10. "Scope" page of the New Inbound Rule Wizard

  9. On the "Action" page you select the action to apply to inbound or outbound packets that match the rule. One of the following three actions can be chosen:
    • Allow the connection. With this value you allow all connections that meet the criteria specified on the previous wizard pages;
    • Allow the connection if it is secure. With this setting, Windows Firewall with Advanced Security allows only connections that meet the criteria you specified earlier and are also protected by IPsec. We will not dwell on this option here, since it will be discussed in detail in my next articles;
    • Block the connection. In this case Windows Firewall with Advanced Security drops any connection attempt that matches the criteria you specified. Although all inbound connections are blocked by the firewall by default, it makes sense to select this value when you need to explicitly block connections for a specific application.
  10. Since we need to allow access for Windows Live Messenger, set the switch to "Allow the connection" and click "Next";

    Fig. 11. "Action" page of the New Inbound Rule Wizard

  11. On the "Profile" page of the New Inbound Rule Wizard you select the profile or profiles the rule applies to; you can choose one of the three available profiles or several at once. In an organization, either the "Domain" profile alone or all three profiles are usually selected. If your organization does not use Active Directory Domain Services, or you are configuring firewall rules for a home computer, you only need to select the "Private" profile. "Public" profile rules are created for public connections, which is in principle unsafe. In our case, check all three profiles and click "Next";

    Fig. 12. "Profile" page of the New Inbound Rule Wizard

  12. On the "Name" page, enter a name for the new Windows Firewall with Advanced Security inbound rule, add a description if necessary, and click "Finish".

    Fig. 13. "Name" page of the New Inbound Rule Wizard

By default, Windows Firewall with Advanced Security allows all outbound traffic, which on its own exposes the computer to less risk than allowing inbound traffic. In some cases, however, you need to control not only inbound but also outbound traffic on your users' computers. For example, malware such as worms and some types of viruses replicates itself: once a virus has gained a foothold on a computer, it tries every means available to it to send outbound traffic and discover other computers on the same network. There are many such examples. Blocking outbound traffic will certainly disrupt most built-in operating system components and installed software, so when you enable outbound filtering you must carefully test every application installed on users' computers.

Creating outbound rules differs only slightly from the procedure above. For example, if you have blocked all outbound connections on user computers and need to give users access to the Internet Explorer browser, follow these steps:

  1. If the outbound rule should be assigned in a new GPO, first follow the steps in "Create a GPO to manage Windows Firewall with Advanced Security";
  2. In the "Group Policy Management Editor" snap-in, expand Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Outbound Rules in the console tree. Right-click the "Outbound Rules" node and select "New Rule" from the context menu;
  3. On the "Rule Type" page of the wizard, select "Program" and click "Next";
  4. On the "Program" page, set the switch to "This program path" and enter %ProgramFiles%\Internet Explorer\iexplore.exe in the text field, or select the executable with the "Browse" button;
  5. On the "Action" page of the wizard, select "Allow the connection" and click "Next";
  6. On the "Profile" page, accept the default values and click "Next";
  7. On the final "Name" page, enter a name for the rule, for example "Rule for Internet Explorer browser", and click "Finish".

In the details pane of the "Group Policy Management Editor" snap-in you should see the created rule, as shown in the following illustration:

Fig. 14. The created outbound rule
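As an added example (not from the original article), here are the same two rules, the custom inbound rule from the first procedure and the outbound program rule from the second, written as PowerShell cmdlets against the GPO's firewall store instead of the wizard. The domain name is a placeholder, the GPO name is the one used above, and the NetSecurity module this relies on ships with Windows 8 / Server 2012 or later (or RSAT), not with the Windows 7-era snap-ins.

```powershell
# Added example, not code from the original article. Creates the inbound
# and outbound rules described above directly in the GPO's policy store.

$Domain  = 'corp.example.com'             # ASSUMPTION: your AD DNS domain name
$GpoName = 'Setting up Windows Firewall'  # the GPO created earlier in the article
$Store   = "$Domain\$GpoName"             # GPO policy store in Domain\GPO form

# Open the GPO's firewall store once and reuse the cached session; this
# avoids re-reading the GPO from SYSVOL on every cmdlet call.
$gpoSession = Open-NetGPO -PolicyStore $Store

# Inbound "Custom" rule: program AND protocol/ports, all three profiles
# (the wizard's "Any IP address" defaults correspond to the cmdlet's
# default -LocalAddress Any / -RemoteAddress Any).
New-NetFirewallRule -GPOSession $gpoSession `
    -DisplayName 'Windows Live Messenger (64-bit)' `
    -Description 'Allow inbound TCP 80, 443, 1900 to msnmsgr.exe' `
    -Direction Inbound `
    -Program 'C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe' `
    -Protocol TCP -LocalPort 80,443,1900 -RemotePort Any `
    -Profile Domain,Private,Public `
    -Action Allow | Out-Null

# Outbound "Program" rule for Internet Explorer: any protocol or port, but
# only for traffic generated by that executable (matches the wizard steps).
New-NetFirewallRule -GPOSession $gpoSession `
    -DisplayName 'Rule for Internet Explorer browser' `
    -Direction Outbound `
    -Program '%ProgramFiles%\Internet Explorer\iexplore.exe' `
    -Action Allow | Out-Null

# Nothing is written to the GPO until the session is saved.
Save-NetGPO -GPOSession $gpoSession

# Verify what actually landed in the GPO: each rule with its program and
# port filters, which is what the details pane of the editor shows.
Get-NetFirewallRule -PolicyStore $Store |
    ForEach-Object {
        $app   = $_ | Get-NetFirewallApplicationFilter
        $ports = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Name      = $_.DisplayName
            Direction = $_.Direction
            Action    = $_.Action
            Program   = $app.Program
            Protocol  = $ports.Protocol
            LocalPort = ($ports.LocalPort -join ',')
        }
    } | Format-Table -AutoSize
```

Clients pick the rules up at the next Group Policy refresh (gpupdate /force on a test machine shows the result immediately).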

Assigning a filter to the created rule

Now that you have created a GPO with an inbound and an outbound rule, one more point needs attention. When we created the inbound rule, we specified the Windows Live Messenger path for the 64-bit operating system. Are all the computers in your organization running 64-bit operating systems? If so, you are lucky and nothing more needs to be done. But if you have client computers with a 32-bit OS, you will run into a problem: on them the rule simply will not work. Of course, you could create separate OUs for 32-bit and 64-bit computers, but that is not very practical. Instead, you need to tell the "Group Policy Management" snap-in that the GPO should be applied only to computers running a 64-bit operating system. Such a restriction is created with a WMI filter. You will learn more about WMI filtering in one of the following articles; for now we only need to create this one filter. To create a WMI filter that detects 64-bit operating systems, follow these steps:
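As an added example (not from the original article), the WQL query such a WMI filter evaluates, run locally so that you can confirm on a test computer whether the filter would match before linking it. The GPO name is the one used above; the Get-GPO check at the end needs the GroupPolicy module from RSAT.

```powershell
# Added example, not code from the original article. Evaluates the WMI
# filter query the way Group Policy does: the GPO applies only when the
# query returns at least one instance on the client.

# The query to paste into the WMI filter (namespace root\CIMv2).
# Win32_OperatingSystem.OSArchitecture exists on Windows Vista / Server 2008 and later.
$Wql64 = 'SELECT * FROM Win32_OperatingSystem WHERE OSArchitecture = "64-bit"'

function Test-WmiFilterMatch {
    param(
        [Parameter(Mandatory)][string]$Query,
        [string]$Namespace = 'root\CIMv2',
        [string]$ComputerName          # optional: check a remote host over WinRM
    )
    $params = @{ Namespace = $Namespace; Query = $Query; ErrorAction = 'Stop' }
    if ($ComputerName) { $params.ComputerName = $ComputerName }
    # Same rule Group Policy applies: at least one returned instance means "match".
    $hits = @(Get-CimInstance @params)
    return ($hits.Count -gt 0)
}

# Local check: $true on 64-bit Windows, $false on 32-bit.
Test-WmiFilterMatch -Query $Wql64

# OSArchitecture is a localized string, so the literal "64-bit" matches only
# English installations. Look at the real value before trusting the filter:
(Get-CimInstance -ClassName Win32_OperatingSystem).OSArchitecture

# Locale-independent alternative: Win32_Processor.AddressWidth reports the
# address width of the running OS (32 on a 32-bit OS even on a 64-bit CPU).
$WqlCpu = 'SELECT * FROM Win32_Processor WHERE AddressWidth = 64'
Test-WmiFilterMatch -Query $WqlCpu

# After linking the filter in GPMC, confirm it is attached to the GPO.
$GpoName = 'Setting up Windows Firewall'   # the GPO created earlier in the article
(Get-GPO -Name $GpoName).WmiFilter | Select-Object Name, Description
```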


Conclusion

In this article you learned how to create Windows Firewall with Advanced Security inbound and outbound rules both in the "Windows Firewall with Advanced Security" snap-in and through Group Policy for computers that are members of an Active Directory domain. The preparatory work was described, namely creating an OU containing the computers and a Group Policy Object. We looked at examples of creating a custom inbound rule and a "Program" type outbound rule.

While using Hamachi, a program for creating VPNs (virtual private networks), the user may encounter the message "Inbound traffic blocked, check firewall settings". This is usually caused by antivirus programs and firewalls interfering with Hamachi's normal operation, but there are cases where the cause is the program itself misbehaving. In this article I will explain what this problem is, what causes it, and how to fix the "Hamachi inbound traffic blocked" error on your PC.

Use Hamachi to create VPN networks

As you know, Hamachi is designed to create virtual private networks (VPNs), building secure networks over the Internet between remotely located computers and thereby simulating a connection between them on an ordinary local network.

The program is especially popular among users of various games (Vikings, Red Alert 2, Dungeon Siege 3, Ludoria, etc.). With Hamachi you can play with each other online, even when the game's official servers have been shut down for some reason.

The "inbound traffic blocked" error in Hamachi can have the following causes:


How to fix "incoming traffic blocked" on Hamachi

Now that I have explained what "Inbound traffic blocked in Hamachi" means, let's move on to how to get rid of the error "Inbound traffic blocked, check your firewall settings". I recommend the following:


Conclusion

The "Hamachi: inbound traffic blocked" problem is usually caused by a firewall or antivirus program blocking the inbound network connection on the user's PC. To fix the "inbound traffic blocked" problem in Hamachi, I recommend temporarily disabling your firewall and antivirus, and if that does not help, trying the alternative tips I gave above. This usually restores normal operation of the program and lets you keep enjoying stable Hamachi functionality on your PC.


Hamachi is a convenient application for building local networks over the Internet, with a simple interface and many settings. To play online you need to know the network ID and password, as well as the initial settings that will ensure stable operation later on.

First we will change the operating system settings, and then move on to the options of the program itself.

Windows setup

    1. Find the Internet connection icon in the tray. Click "Network and Sharing Center" below it.

    2. Go to "Change adapter settings".

    3. Find the "Hamachi" network. It should be first in the list. Go to "Organize" > "Layout" > "Menu bar". In the bar that appears, select "Advanced" > "Advanced Settings".

    4. Select our network in the list. Using the arrows, move it to the top of the column and click "OK".

    5. In the properties that open when you click the network, right-click "Internet Protocol Version 4" and click "Properties".

    6. In the "Use the following IP address" field, enter Hamachi's IP address, which is shown next to the program's power button.

    Note that the data is entered manually; there is no copy function. The remaining values will be filled in automatically.

    7. Now go straight to the "Advanced" section and delete the existing gateways. Below, set the metric value to "10". Confirm and close the windows.

    Let's move on to the emulator itself.

Setting up the program

    1. Open the settings window.

    2. Select the last section and make the changes under "Peer connections".

    3. Go straight to "Advanced settings". Find the "Use proxy server" line and set it to "No".

    4. In the "Traffic filtering" line, select "Allow all".

    5. Then set "Enable name resolution using mDNS protocol" to "Yes".

    6. Now find the "Online presence" section and choose "Yes".

    7. If your Internet connection goes through a router rather than directly over a cable, enter 12122 for "Local UDP address" and 12121 for "Local TCP address".

    8. Now the port numbers must be set on the router. If you have a TP-Link, enter the address 192.168.01 in any browser to get into its settings. Log in with the default credentials.

    9. Go to "Forwarding" > "Virtual Servers" and click "Add new".

    10. Here, in the first line "Service port", enter the port number, then in "IP Address" enter your computer's local IP address.

    The easiest way to find the IP is to type "find out your IP" in a browser and go to one of the connection speed test sites.

    In the "Protocol" field choose "TCP" (the order of the protocols must be followed). Leave the last item, "Status", unchanged. Save the settings.

    11. Now add the UDP port the same way.

    12. In the main settings window, go to "Status" and write down the "MAC Address" somewhere. Go to "DHCP" > "Address Reservation" > "Add new". In the first field enter the MAC address (recorded in the previous step) of the computer that will connect to Hamachi. Next, enter the IP again and save.

    13. Reboot the router with the large button (do not confuse it with Reset).

    14. For the changes to take effect, the Hamachi emulator must be restarted as well.

This completes the Hamachi setup on Windows 7. At first glance it all looks complicated, but by following the step-by-step instructions everything can be done fairly quickly.

Despite the efforts of the Hamachi developers to make the program as "friendly" and simple as possible, many users still have difficulty setting it up. By following the instructions below, you can easily configure Hamachi correctly for gaming or work.

General setup of Hamachi on Windows
In this article we will look at how to configure Hamachi 2.2.0.541, the most recent version available today. The example shows the setup of Hamachi on Windows 7, since this OS is currently the most common.

In general, Hamachi does not require any additional configuration: all you need to do is install the program, run it, and click the "power" button (Fig. 1).

After that, connect to the network you are interested in by clicking "Join an existing network" (Fig. 2) or "Network" -> "Join an existing network" (Fig. 3).

A network details window will appear, where you enter the network ID and password (Fig. 4).

If the network has free slots, you will be connected and will see a window with the list of members (Fig. 5).

Hamachi asks for registration, what should I do?
If Hamachi is launched on your PC for the first time, or the information about previous launches is damaged, the program displays an authorization error message (Fig. 6).

In this case you need to either register for free in the LogMeIn system (Fig. 7), or log in if you already have a LogMeIn account.

What to do if Hamachi won't connect?
First, check that everything is fine with the network you are interested in. To do this, enter "hamachi test network" into a search engine and try to connect using any of the details that appear in the search results.

If Hamachi does not connect to any network, click "System" -> "Preferences" (Fig. 9).

In the left panel select the lowest item, "Settings", find "Encryption" there and set it to "Any" (Fig. 10).

Then click "Advanced settings" at the bottom of the window (Fig. 11).

If you do not use a proxy server, set the corresponding attribute to "No" (Fig. 12).

Note that when a proxy is in use, it may itself be the cause of connection problems.

Then enable name resolution using the mDNS protocol (Fig. 13).

Disable traffic filtering by choosing "Allow all" in the corresponding field (Fig. 14).

Enable presence in the Hamachi virtual network (Fig. 15).

Confirm the changes (Fig. 16).

Close the program and open it again.

If the above does not help, try temporarily disabling your antivirus.
Sometimes Hamachi also fails to connect because the Windows Firewall is blocking it.
To turn it off, click "Start" -> Control Panel -> Windows Firewall -> Turn Windows Firewall on or off (Fig. 17, Fig. 18, Fig. 19, Fig. 20).

Setting up Hamachi via a router
Sometimes the source of the problem is neither an incorrect Hamachi setting nor an overly "vigilant" antivirus, but the port your router forwards.

Open two arbitrary free ports in your router settings (each router model has its own way of opening ports; see its manual). Then configure Hamachi to use them by setting the "Local TCP address" and "Local UDP address" attributes in the already familiar "Advanced settings" window (Fig. 21).

After that, restart the router and restart Hamachi. An important point: when forwarding the ports, do not mix up the addresses for the TCP and UDP protocols!

Special cases of Hamachi configuration
It is worth noting that this program is often used by gamers to build gaming networks, and by various organizations to create corporate file sharing systems. In such cases you should strictly follow the instructions of the gaming community or your company. At the same time, you must understand that if you decide to download and install a third-party, unofficial Hamachi distribution, you are putting the security of your PC at risk; unless absolutely necessary, refrain from joining such networks.

How to set the language in Hamachi?
Unfortunately, the program has no language selection option. If you do not want to keep a dictionary at hand, it is enough to have the Russian version of Hamachi. If for some reason you need a different language, reinstall the program after downloading a localized build for the language you need.

Note that the official Hamachi website offers only the English version of Hamachi for download.

The popularity of the program known as Hamachi comes from giving the user a convenient and effective tool for creating VPNs. Such software is in especially high demand among gamers who prefer to hold online matches within a certain circle of players without using the game's official servers. Unfortunately, sometimes it becomes impossible to use this functionality, because the message "inbound traffic blocked, check your firewall settings" appears.

Naturally, you can first confirm the problem yourself. To do this, just check the traffic status:

  1. Go to the Network and Sharing Center (via the Control Panel and the "Network and Internet" menu).
  2. Select the connection in use, the one that shows the message described above when activated.
  3. The status window opens, where you can see that inbound traffic is blocked.

To correct the situation, you first need to know the possible root causes.

Why might a blockage occur?

There are several known causes that can lead to this trouble:

  • The program is blocked by the system firewall or an antivirus program;
  • A fault in the settings of the network equipment in use (the router);
  • The application was not started with administrator rights;
  • Incorrect functioning of the program itself.

Based on this information, you can easily find a solution.

Fixing the problem

So, if Hamachi cannot receive traffic, it is recommended to do the following:

  1. Restart the computer and the router to rule out a short-term fault.
  2. Make sure the program is started with administrator rights.

The next step is to temporarily deactivate the antivirus and firewall. The Windows Defender firewall is turned off as follows:

  1. Click "Start" and go to the search bar.
  2. Type "Firewall" into it.
  3. Open the suggested item.
  4. On the left side of the screen, click the option that turns the firewall on or off.
  5. In the list offered, activate the "off" modes: that is, of the four options, choose the second and the last.
  6. Save the changes and try to launch the program again.