fort/README.md

# Fort Firewall

[![Release](https://img.shields.io/github/release/tnodir/fort.svg)](https://github.com/tnodir/fort/releases/latest)
[![Downloads](https://img.shields.io/github/downloads/tnodir/fort/total.svg?maxAge=86400)](https://github.com/tnodir/fort/releases)
[![Screenshots](https://img.shields.io/static/v1.svg?label=screenshots&message=11&color=yellow&logo=imgur)](https://imgur.com/a/fZbAbfy)
[![License](https://img.shields.io/github/license/tnodir/fort.svg?logo=gnu)](https://www.gnu.org/licenses/gpl-3.0)
[![Crowdin](https://badges.crowdin.net/fort-firewall/localized.svg)](https://crowdin.com/project/fort-firewall)

Fort is a simple firewall for Windows 7+.

## Features

  - Filter by network addresses, application groups
  - Filter by `SvcHost.exe` service names
  - Support wildcards in program path names
  - Application group speed limits
  - Blocklists via "Zones"
  - Stores traffic statistics
  - Graphical display of bandwidth
  - Has own kernel driver, based on Windows Filtering Platform (WFP)

## Supported OS versions

 Asset                  | OS      | Version           | Architectures | Description
------------------------|---------|-------------------|---------------|---------------------------------------
 \*-windows-x86.\*      | Windows | 7 SP1 and later   | x86, x64      | 32/64-bit Windows 7, 8, 8.1, 10, 11
 \*-windows-x86.\*      | Windows | 10 and later      | ARM64         | ARM64 Windows 10, 11
 \*-windows10-x86_64.\* | Windows | 10 2004 and later | x64           | 64-bit Windows 10 2004-21H2, 11

-----

## Restrictions

### "Apply same rules to child processes" option

The "Apply same rules to child processes" option affects only new processes.

Fort Firewall checks the whole tree of parent processes at first attempt of any (child) process to connect.
So the parent process with the checked "Apply same rules to child processes" option should be alive, when (child) process connects to Internet.

## FAQ

### Windows 7 SP1 64-bit fails to install not digitally signed drivers

See "[SHA-2 Code Signing Support for Windows 7](https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2015/3033929)".

### What the difference is between "Internet Addresses" and "Allowed Internet Addresses" on the IPV4 Addresses tab?

1. All FW rules act on "Internet Addresses" only.
LAN addresses are immediately allowed by FW and not checked by app groups or speed limiter.

For example here you can describe Internet addresses as:
- "Include All" addresses,
- but exclude 127.0.0.0/8, 192.168.0.0/16.

2. "Allowed Internet Addresses" may be used for example:
- to block only some addresses:
    - "Include All" addresses,
    - but exclude facebook.com: "31.13.72.36".
- to allow only some addresses:
    - "Exclude All" addresses,
    - but include wikipedia.com: "91.198.174.192".

### Do the App rules take precedence over the Allowed Internet rules?

#### Filtering steps:
1) If **address** is 127.* or 255.255.255.255 and "Filter Local Addresses" is turned off, then _**PERMIT**_
2) If "Filter Enabled" is turned off, then _**PERMIT**_
3) If "Stop Traffic" is turned on, then _**BLOCK**_
4) If **address** is not from "Internet Addresses", then _**PERMIT**_
5) If "Stop Internet Traffic" is turned on, then _**BLOCK**_
6) If **address** is not from "Allowed Internet Addresses", then _**BLOCK**_
7) If **app path** is allowed, then _**PERMIT**_
8) _**BLOCK**_ or _**PERMIT**_ due to default App Groups settings (Block/Allow All)

### What does the "Make trackable" button do in Services?

It modifies the selected Service's settings in the registry "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\\\<SERVICE-NAME\>":
- changes the "Type" value to "16" (Own Process),
- adds "-s \<SERVICE-NAME\>" argument to "ImagePath" value,
- stores old "Type" & "ImagePath" values into "_Fort*" values.

For the new values to take effect, you must restart the changed services or restart the computer.

(Some services already run with "-s \<SERVICE-NAME\>" argument by `SvcHost.exe`, so it's not necessary to explicitly make them trackable.)

## Code Quality Monitor

[![Code quality status](https://codescene.io/projects/5344/status.svg)](https://codescene.io/projects/5344/jobs/latest-successful/results)

--
Nodir Temirkhodjaev, <nodir.temir@gmail.com>
Update README.md 2019-03-10 04:03:04 +00:00			`# Fort Firewall`

README: Improve badges 2022-01-12 05:41:52 +00:00			`[![Release](https://img.shields.io/github/release/tnodir/fort.svg)](https://github.com/tnodir/fort/releases/latest)`
			`[![Downloads](https://img.shields.io/github/downloads/tnodir/fort/total.svg?maxAge=86400)](https://github.com/tnodir/fort/releases)`
README: Add logo to Screenshots badge 2022-01-12 05:51:08 +00:00			`[![Screenshots](https://img.shields.io/static/v1.svg?label=screenshots&message=11&color=yellow&logo=imgur)](https://imgur.com/a/fZbAbfy)`
README: Improve badges 2022-01-12 05:41:52 +00:00			`[![License](https://img.shields.io/github/license/tnodir/fort.svg?logo=gnu)](https://www.gnu.org/licenses/gpl-3.0)`
			`[![Crowdin](https://badges.crowdin.net/fort-firewall/localized.svg)](https://crowdin.com/project/fort-firewall)`
Update README.md 2019-03-10 04:03:04 +00:00
			`Fort is a simple firewall for Windows 7+.`

README.md: Supported OS versions. 2019-03-10 05:34:45 +00:00			`## Features`

Update README.md 2019-03-10 04:03:04 +00:00			`- Filter by network addresses, application groups`
README: Minor fixes 2022-02-12 11:13:55 +00:00			- Filter by `SvcHost.exe` service names
README: Add feature. 2020-02-24 08:40:08 +00:00			`- Support wildcards in program path names`
Update README.md 2019-03-10 04:03:04 +00:00			`- Application group speed limits`
README: Note about blocklists feature and implicitly trackable services 2022-02-14 05:50:23 +00:00			`- Blocklists via "Zones"`
Update README 2020-02-02 08:26:32 +00:00			`- Stores traffic statistics`
Update README.md 2019-03-10 04:03:04 +00:00			`- Graphical display of bandwidth`
README: Note about own kernel driver 2022-01-13 14:57:18 +00:00			`- Has own kernel driver, based on Windows Filtering Platform (WFP)`
Update README.md 2019-03-10 04:03:04 +00:00
README.md: Supported OS versions. 2019-03-10 05:34:45 +00:00			`## Supported OS versions`

README: Add description to supported OS versions table 2022-01-01 08:00:12 +00:00			`Asset \| OS \| Version \| Architectures \| Description`
README: Add Windows 8.1 to supported OS versions table 2022-01-06 12:25:09 +00:00			`------------------------\|---------\|-------------------\|---------------\|---------------------------------------`
README: Minor fix 2022-01-06 12:26:55 +00:00			`\-windows-x86.\ \| Windows \| 7 SP1 and later \| x86, x64 \| 32/64-bit Windows 7, 8, 8.1, 10, 11`
README: Add ARM64 arch.; Add Restrictions paragraph 2022-02-21 11:01:20 +00:00			`\-windows-x86.\ \| Windows \| 10 and later \| ARM64 \| ARM64 Windows 10, 11`
README: Fix description of supported OS versions table 2022-01-03 18:55:29 +00:00			`\-windows10-x86_64.\ \| Windows \| 10 2004 and later \| x64 \| 64-bit Windows 10 2004-21H2, 11`
README.md: Supported OS versions. 2019-03-10 05:34:45 +00:00
README: Minor fix. 2019-04-05 13:42:43 +00:00			`-----`

README: Add ARM64 arch.; Add Restrictions paragraph 2022-02-21 11:01:20 +00:00			`## Restrictions`

			`### "Apply same rules to child processes" option`

			`The "Apply same rules to child processes" option affects only new processes.`

			`Fort Firewall checks the whole tree of parent processes at first attempt of any (child) process to connect.`
			`So the parent process with the checked "Apply same rules to child processes" option should be alive, when (child) process connects to Internet.`

README.md: Add FAQ. 2019-03-13 07:39:28 +00:00			`## FAQ`

README: FAQ: SHA-2 Code Signing Support for Windows 7. 2019-04-09 10:47:01 +00:00			`### Windows 7 SP1 64-bit fails to install not digitally signed drivers`

			`See "[SHA-2 Code Signing Support for Windows 7](https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2015/3033929)".`

README.md: Add FAQ. 2019-03-13 07:39:28 +00:00			`### What the difference is between "Internet Addresses" and "Allowed Internet Addresses" on the IPV4 Addresses tab?`

			`1. All FW rules act on "Internet Addresses" only.`
			`LAN addresses are immediately allowed by FW and not checked by app groups or speed limiter.`

			`For example here you can describe Internet addresses as:`
			`- "Include All" addresses,`
			`- but exclude 127.0.0.0/8, 192.168.0.0/16.`

			`2. "Allowed Internet Addresses" may be used for example:`
			`- to block only some addresses:`
			`- "Include All" addresses,`
			`- but exclude facebook.com: "31.13.72.36".`
			`- to allow only some addresses:`
			`- "Exclude All" addresses,`
			`- but include wikipedia.com: "91.198.174.192".`

			`### Do the App rules take precedence over the Allowed Internet rules?`

			`#### Filtering steps:`
			`1) If address is 127.* or 255.255.255.255 and "Filter Local Addresses" is turned off, then _PERMIT_`
Driver: "Stop Traffic" is effective, when "Filter Enabled" is turned on. 2021-03-09 14:25:35 +00:00			`2) If "Filter Enabled" is turned off, then _PERMIT_`
			`3) If "Stop Traffic" is turned on, then _BLOCK_`
			`4) If address is not from "Internet Addresses", then _PERMIT_`
			`5) If "Stop Internet Traffic" is turned on, then _BLOCK_`
			`6) If address is not from "Allowed Internet Addresses", then _BLOCK_`
			`7) If app path is allowed, then _PERMIT_`
README: Minor fix 2022-02-24 09:19:54 +00:00			`8) _BLOCK_ or _PERMIT_ due to default App Groups settings (Block/Allow All)`
README.md: Add FAQ. 2019-03-13 07:39:28 +00:00
README: Note about "Make trackable" button in Services 2022-02-13 10:45:09 +00:00			`### What does the "Make trackable" button do in Services?`

			`It modifies the selected Service's settings in the registry "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\\\<SERVICE-NAME\>":`
			`- changes the "Type" value to "16" (Own Process),`
			`- adds "-s \<SERVICE-NAME\>" argument to "ImagePath" value,`
			`- stores old "Type" & "ImagePath" values into "_Fort*" values.`

			`For the new values to take effect, you must restart the changed services or restart the computer.`

README: Note about blocklists feature and implicitly trackable services 2022-02-14 05:50:23 +00:00			(Some services already run with "-s \<SERVICE-NAME\>" argument by `SvcHost.exe`, so it's not necessary to explicitly make them trackable.)
README: Note about "Make trackable" button in Services 2022-02-13 10:45:09 +00:00
README: Add "Code Quality Monitor" section. 2019-08-07 08:57:20 +00:00			`## Code Quality Monitor`

			`[![Code quality status](https://codescene.io/projects/5344/status.svg)](https://codescene.io/projects/5344/jobs/latest-successful/results)`

Update README.md 2019-03-10 04:03:04 +00:00			`--`
			`Nodir Temirkhodjaev, <nodir.temir@gmail.com>`