khargoosh

Reputation: 1520

Windows Service (TCP Client/Listener) Firewall Exception Blocks Traffic

I have a TcpClient and TcpListener based Windows Service running on two machines on my network. Both client and server nodes operate from the same Windows service. The service runs as Local System and PC01 is Win7 x64 and PC02 is Win7 x86.

The application was throwing a SocketException 10060 (connection timed out) during connection attempts from client to server, and I have found that the Windows firewall exceptions generated by the application's automatic firewall configuration code are not allowing TCP traffic to pass through.

Taking a step back, I tried the following tests sequentially on PC01 with the firewall on PC02 permanently disabled to remove it as a variable:

  1. Disabled the firewall on PC01 - this worked.
  2. Enabled the firewall on PC01 and manually added an exception to allow all inbound TCP traffic on port 12345 - this worked.
  3. Further restricted the exception to allow remote traffic from the local subnet only - this worked.
  4. Further restricted the exception to allow (all) services only - this worked.
  5. Further restricted the exception to allow the specific service by selecting it from the list of services or by entering the service short name - this failed.
  6. Attempted instead to restrict the exception to the specific service by selecting the myservice.exe executable - this failed.

What is it about my Windows service that prevents this from working when the exception is restricted to the specific service? Is there a caveat for Windows services that I should be aware of? Is opening the port for all services the only solution?


EDIT: I've used netstat -a -n -b to collect info regarding active connections and listening ports. The below excerpt details the information regarding my service:

Active Connections

Proto  Local Address          Foreign Address        State
TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
[myservice.exe]
...
UDP    0.0.0.0:12344          *:*                    
[myservice.exe] (listening for UDP broadcast packets)
...
UDP    0.0.0.0:62794          *:*                    
[myservice.exe] (this is an outbound broadcast packet)

Thanks everyone for any insights you can offer.

Upvotes: 2

Views: 2031

Answers (1)

Harry Johnston

Reputation: 36308

In order for selecting a specific executable to work, the path to the executable must match the path the firewall is expecting. Apparently the firewall GUI for some reason was converting the path so that it was relative to %USERPROFILE%; I suspect this constitutes a bug in Windows.

(If I remember correctly, the firewall can in general cope with paths that use environment variables, e.g., %SystemRoot%, but obviously a per-user environment variable won't work, since the firewall rules are not evaluated in the correct user's context.)

Upvotes: 1
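As an added example (not from the question or the answer above): a PowerShell script that creates the service-scoped inbound rule with an absolute program path via netsh, then reads the stored rule back and warns when the program path the firewall kept contains a per-user variable such as %USERPROFILE%, which is the mismatch the answer describes. The service short name and executable path are assumptions; the port is the one from the question.

```powershell
# Added example, not from the original post. Assumptions: service short name "myservice",
# executable installed at C:\Program Files\MyApp\myservice.exe (placeholder path), TCP port 12345.
# Run from an elevated PowerShell prompt; "netsh advfirewall" is available on Windows 7 and later.
$RuleName    = "MyService inbound TCP 12345"
$ServiceName = "myservice"
$ProgramPath = "C:\Program Files\MyApp\myservice.exe"   # absolute path, no environment variables

# Remove any earlier rule with this name so the read-back below inspects only the rule created here.
netsh advfirewall firewall delete rule name="$RuleName" | Out-Null

# Create the rule: inbound TCP 12345, local subnet only, limited to one program and one service.
netsh advfirewall firewall add rule name="$RuleName" dir=in action=allow protocol=TCP `
    localport=12345 remoteip=localsubnet program="$ProgramPath" service="$ServiceName" | Out-Null

# Read back what the firewall actually stored. A rule is evaluated outside the interactive user's
# context, so a path rewritten relative to %USERPROFILE% never matches the running service.
$stored      = netsh advfirewall firewall show rule name="$RuleName" verbose
$programLine = $stored | Where-Object { $_ -match '^\s*Program:\s*\S' } | Select-Object -First 1
$serviceLine = $stored | Where-Object { $_ -match '^\s*Service:\s*\S' } | Select-Object -First 1
$storedPath  = if ($programLine) { ($programLine -replace '^\s*Program:\s*', '').Trim() } else { $null }

if (-not $storedPath) {
    Write-Warning "Rule '$RuleName' stores no program path; the program filter did not take effect."
} elseif ($storedPath -match '%USERPROFILE%|%APPDATA%|%LOCALAPPDATA%') {
    Write-Warning "Stored program path '$storedPath' uses a per-user variable; the rule cannot match the service."
} elseif ($storedPath -ne $ProgramPath) {
    Write-Warning "Stored program path '$storedPath' differs from '$ProgramPath'; check for path rewriting."
} else {
    Write-Host "Stored program path matches the service binary: $storedPath"
}

if ($serviceLine) { Write-Host ($serviceLine.Trim()) } else { Write-Warning "Rule stores no service filter." }
```

Comparing the "Program:" line against the path shown by netstat -b (or the service's ImagePath) is the quickest way to confirm a rule restricted to a service will actually match it.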
