Application Control: Ability to allow Applications without a packet filter rule.
Ability to allow applications without a packet filter rule. Would be nice - at the moment you have to set up a packet filter rule even if you have an Application Control rule that accepts the usage of a specific application. The current behaviour makes no sense to me.
The purpose of application control presently is to give application-level visibility or to restrict application traffic on ports that are otherwise allowed. If port 443 is open, and Skype tries to use port 443 to get out of the network, application control will see Skype's connection, and after a few packets, determine that Skype is using that port, then stop it. App control allow rules only exist presently so that you could allow applications for some users that you're blocking for others.
Application control can't always determine what the application is on the first packet. Firewall ports need to be open to allow some packet exchange before application-level control can identify the traffic and step in. If you create an application control rule to allow http or https traffic, it might be safe in most cases to assume that you need to allow ports 80 and 443 traffic outbound, but what about Skype? What ports should the firewall open? Skype has no fixed default port, and may randomly choose any port. I'm not sure how app control could do this safely.
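A toy model of the ordering the reply describes (packet filter first, application control only after a few packets of an already-permitted flow), added here as an example; it is not Sophos UTM code, and the class names and the three-packet identification threshold are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List

IDENTIFY_AFTER = 3  # assumption: app control needs this many packets to classify a flow


@dataclass
class Packet:
    dst_port: int
    app: str  # ground-truth application behind the packet (known to the model only)


class PacketFilter:
    """Stateless port-based rule set, evaluated before application control."""
    def __init__(self, allowed_ports: List[int]) -> None:
        self.allowed = set(allowed_ports)

    def permits(self, pkt: Packet) -> bool:
        return pkt.dst_port in self.allowed


class AppControl:
    """Identifies the application after IDENTIFY_AFTER packets, then applies allow/block rules."""
    def __init__(self, allow: List[str], block: List[str]) -> None:
        self.allow, self.block = set(allow), set(block)
        self.flows: Dict[int, dict] = {}  # keyed by dst_port (one flow per port in this toy)

    def verdict(self, pkt: Packet) -> str:
        flow = self.flows.setdefault(pkt.dst_port, {"seen": 0, "app": None})
        flow["seen"] += 1
        if flow["app"] is None and flow["seen"] >= IDENTIFY_AFTER:
            flow["app"] = pkt.app  # classification completes only now
        if flow["app"] is None:
            return "pass (unidentified)"
        if flow["app"] in self.block:
            return "ac_block"
        return "ac_allow" if flow["app"] in self.allow else "pass"


def run(pf: PacketFilter, ac: AppControl, packets: List[Packet]) -> List[str]:
    """Per-packet verdicts: a packet dropped by the packet filter never reaches app control."""
    out = []
    for pkt in packets:
        out.append("pf_drop" if not pf.permits(pkt) else ac.verdict(pkt))
    return out


if __name__ == "__main__":
    # Constructed flows: Skype tunnelling over 443, and Skype on a random high port.
    pf = PacketFilter(allowed_ports=[80, 443])
    print(run(pf, AppControl(allow=[], block=["skype"]), [Packet(443, "skype")] * 5))
    print(run(pf, AppControl(allow=["skype"], block=[]), [Packet(51000, "skype")] * 5))
```

The second run is the case the reply raises: with an app control allow rule but no matching packet filter rule, every packet is dropped before app control can ever classify the flow.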
This would also make it easier to support firewall-unfriendly apps like Windows Remote Assistance (requiring outgoing ports TCP/UDP 49152:65535 open). This way, when the app is allowed for a specific user, it would trigger/authorise the "one" random TCP/UDP port used for that session, at that moment, instead of having to carve such a huge hole into your firewall. And people would probably stop asking for UPnP support, since it wouldn't be required for that type of app anymore. Also, when the application is not in use, no ports are opened and therefore can't be abused by other apps/users/malware.
The documentation (in 9.006) is very confusing about this point; it implies that you don't need a PF rule, which is incorrect afaics.