I have a machine in a corporate network which has over 17 000 outbound and inbound firewall filters set. I can view them with the netsh command:

    netsh wfp show filters dir=OUT file=OutBoundFilters.xml

I have thousands of such filter rules for "InternetClientServer Outbound Default Rule":

    <item>
      <filterKey>{3c45917d-eff9-4895-b36f-bec4efccbf95}</filterKey>
      <displayData>
        <name>InternetClientServer Outbound Default Rule</name>
        <description>InternetClientServer Outbound Default Rule</description>
      </displayData>
      <flags/>
      <providerKey>{4b153735-1049-4480-aab4-d1b9bdc03710}</providerKey>
      <providerData>
        <data>3303000000000000</data>
        <asString>3.......</asString>
      </providerData>
      <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey>
      <subLayerKey>{b3cdd441-af90-41ba-a745-7c6008ff2300}</subLayerKey>
      <weight>
        <type>FWP_EMPTY</type>
      </weight>
      <filterCondition numItems="5">
        <item>
          <fieldKey>FWPM_CONDITION_ALE_PACKAGE_ID</fieldKey>
          <matchType>FWP_MATCH_NOT_EQUAL</matchType>
          <conditionValue>
            <type>FWP_SID</type>
            <sid>S-1-0-0</sid>
          </conditionValue>
        </item>
        <item>
          <fieldKey>FWPM_CONDITION_IP_REMOTE_ADDRESS</fieldKey>
          <matchType>FWP_MATCH_RANGE</matchType>
          <conditionValue>
            <type>FWP_RANGE_TYPE</type>
            <rangeValue>
              <valueLow>
                <type>FWP_UINT32</type>
                <uint32>10.10.55.127</uint32>
              </valueLow>
              <valueHigh>
                <type>FWP_UINT32</type>
                <uint32>10.10.56.0</uint32>
              </valueHigh>
            </rangeValue>
          </conditionValue>
        </item>
        <item>
          <fieldKey>FWPM_CONDITION_ORIGINAL_PROFILE_ID</fieldKey>
          <matchType>FWP_MATCH_EQUAL</matchType>
          <conditionValue>
            <type>FWP_UINT32</type>
            <uint32>3</uint32>
          </conditionValue>
        </item>
        <item>
          <fieldKey>FWPM_CONDITION_CURRENT_PROFILE_ID</fieldKey>
          <matchType>FWP_MATCH_EQUAL</matchType>
          <conditionValue>
            <type>FWP_UINT32</type>
            <uint32>3</uint32>
          </conditionValue>
        </item>
        <item>
          <fieldKey>FWPM_CONDITION_ALE_USER_ID</fieldKey>
          <matchType>FWP_MATCH_EQUAL</matchType>
          <conditionValue>
            <type>FWP_SECURITY_DESCRIPTOR_TYPE</type>
            <sd>O:LSD:(A;;CC;;;S-1-15-3-2)(A;;CC;;;WD)(A;;CC;;;AN)</sd>
          </conditionValue>
        </item>
      </filterCondition>
      <action>
        <type>FWP_ACTION_PERMIT</type>
        <filterType/>
      </action>
      <rawContext>0</rawContext>
      <reserved/>
      <filterId>391334</filterId>
      <effectiveWeight>
        <type>FWP_UINT64</type>
        <uint64>225180806002261888</uint64>
      </effectiveWeight>
    </item>

These rules are for the Base Filtering Engine, which is part of the Windows Firewall. There are not many firewall rules present in the MMC UI, so I am a bit lost as to where the thousands of filters are coming from and which rule is responsible for them.
Now I want to get rid of some of the rules or at least find out where they are coming from. I have found the registry key
Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BFE\Parameters\Policy\Persistent\Filter
where some GUIDs are present, but I am not able to correlate my filter rules with a specific registry key. Where are the rules finally stored: the registry, a file, or are they pushed via group policies into the registry? I have found the issue by checking CPU consumption in the kernel, where a large amount of CPU is spent in
The high amount of CPU comes from these many firewall rules. How can I track things further? I have tried to do boot-time logging into the firewall service when it consumes much more memory, but I have found no indication of what feeds the data into the firewall service. The actual data seems to be stored in a compact format which does not show up in CPU profiling, which is an annoying issue.
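The investigation the question describes (dump the WFP filters, find out which name, provider and sublayer own the bulk of them, and check whether they live in the BFE persistent store in the registry) as an added PowerShell example. This is not code from the original post or from either answer. It assumes the dump file name from the question's netsh command, and it assumes (an assumption, not confirmed by the page) that the subkeys of the BFE Policy\Persistent\Filter key are named after the filterKey GUIDs; that key is only readable from an elevated session.

```powershell
# Added example (not from the original question or answers): summarise a
# `netsh wfp show filters` XML dump and cross-check it against the BFE
# persistent store in the registry. Run from an elevated PowerShell session;
# the BFE\Parameters\Policy key is not readable by standard users.
# Assumptions: the dump is the file produced by
#   netsh wfp show filters dir=OUT file=OutBoundFilters.xml
# and the subkeys of ...\Policy\Persistent\Filter are named by filterKey GUID.

function Get-NodeText {
    param([System.Xml.XmlNode]$Node, [string]$XPath)
    $n = $Node.SelectSingleNode($XPath)
    if ($null -ne $n) { $n.InnerText } else { $null }
}

function Get-WfpFilters {
    param([Parameter(Mandatory)][string]$Path)
    [xml]$doc = Get-Content -LiteralPath $Path -Raw
    # A filter is any <item> carrying a <filterKey>. The <item> children of
    # <filterCondition> carry <fieldKey> instead, so this XPath skips them, and
    # it does not depend on the name of the dump's root element.
    foreach ($item in $doc.SelectNodes('//item[filterKey]')) {
        [pscustomobject]@{
            FilterKey   = Get-NodeText $item 'filterKey'
            Name        = Get-NodeText $item 'displayData/name'
            ProviderKey = Get-NodeText $item 'providerKey'
            LayerKey    = Get-NodeText $item 'layerKey'
            SubLayerKey = Get-NodeText $item 'subLayerKey'
            Action      = Get-NodeText $item 'action/type'
            Conditions  = $item.SelectNodes('filterCondition/item').Count
            FilterId    = Get-NodeText $item 'filterId'
        }
    }
}

function Show-WfpFilterSummary {
    param([object[]]$Filters, [int]$Top = 15)
    "Total filters in dump: $($Filters.Count)"

    # Thousands of filters sharing one display name means a provider is stamping
    # out a template per address range / profile / user, as with the rule above.
    "`n== Filters per display name =="
    $Filters | Group-Object Name | Sort-Object Count -Descending |
        Select-Object -First $Top Count, Name | Format-Table -AutoSize | Out-String

    # The provider/sublayer pair identifies who owns the filters. Resolve these
    # GUIDs with `netsh wfp show state`, whose provider and sublayer sections
    # carry display names.
    "`n== Filters per provider / sublayer =="
    $Filters | Group-Object ProviderKey, SubLayerKey | Sort-Object Count -Descending |
        Select-Object -First $Top Count, Name | Format-Table -AutoSize | Out-String

    # Filters in the ALE_AUTH_CONNECT layers are evaluated for every new
    # outbound connection, which is where per-connection CPU cost shows up.
    "`n== Filters per layer =="
    $Filters | Group-Object LayerKey | Sort-Object Count -Descending |
        Select-Object Count, Name | Format-Table -AutoSize | Out-String
}

function Test-WfpPersistentStore {
    param(
        [object[]]$Filters,
        [string]$Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter'
    )
    if (-not (Test-Path -LiteralPath $Key)) {
        "Cannot read $Key (not elevated, or key absent)"; return
    }
    # Assumed: subkey names are the filterKey GUIDs in braces; compare case-insensitively.
    $persisted = @{}
    foreach ($sub in Get-ChildItem -LiteralPath $Key) {
        $persisted[$sub.PSChildName.ToLowerInvariant()] = $true
    }
    "`n== Persistent store cross-check ($($persisted.Count) subkeys under Persistent\Filter) =="
    # A filter whose key is absent from the store was added at runtime by its
    # provider, so deleting registry entries will not make it go away; the
    # provider (see the provider/sublayer summary) has to be reconfigured instead.
    $Filters | Group-Object {
        if ($persisted.ContainsKey($_.FilterKey.ToLowerInvariant())) { 'persistent' } else { 'runtime-added' }
    } | Select-Object Count, Name | Format-Table -AutoSize | Out-String
}

$filters = @(Get-WfpFilters -Path '.\OutBoundFilters.xml')
Show-WfpFilterSummary -Filters $filters
Test-WfpPersistentStore -Filters $filters
```

The three summaries answer "which rule is responsible" in order of usefulness: the display-name count shows which template is being multiplied, the provider/sublayer count shows which component installs it, and the persistent-store check tells you whether the registry is even the right place to look for it. Each `Format-Table` is piped through `Out-String` so that the headings and tables come out as plain strings in order, rather than interleaving raw format objects.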
2 Answers
In the Registry.
Firewall rules are stored under the Software\Policies\Microsoft\WindowsFirewall\FirewallRules key. Each value under the key is a firewall rule -
I believe you can find the (many) firewall rules here:
HKLM\SYSTEM\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter