From cec4f40f1ee317c7affe32b690994c331c29fc89 Mon Sep 17 00:00:00 2001 From: Kleissner Date: Tue, 16 Nov 2021 03:55:14 +0100 Subject: [PATCH] Add documentation on Windows User Privileges and Firewall. #5 #7 --- README.md | 45 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 45 insertions(+) diff --git a/README.md b/README.md index f7dac38..2044396 100644 --- a/README.md +++ b/README.md @@ -149,3 +149,48 @@ The application exits in case of the errors listed below and uses the specified | 8 | ExitBlockchainCorrupt | Blockchain is corrupt. | | 9 | ExitGraceful | Graceful shutdown. | | 0xC000013A | STATUS_CONTROL_C_EXIT | The application terminated as a result of a CTRL+C. | + +## Windows User Privileges + +This application is supposed to run and connect to Peernet on Windows regardless if admin/non-admin and elevated/non-elevated. + +The user running the application must have write access to the relevant local files (including the config, log, warehouse folders, blockchain folders). + +## Firewall + +It is advised to configure any firewalls to explicitly allow any traffic to the application. Users with NATs (typically with home routers) may manually enable port forwarding, although this application supports UPnP. + +The Windows Firewall can be configured via the below command-line command (the path needs to be adjusted). Such rule will take "precedence over the default block setting" according to [Microsoft documentation](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/best-practices-configuring). This action requires elevated admin rights. + +``` +netsh advfirewall firewall add rule name="Peernet Cmd" dir=in program="C:\Users\User\Desktop\Peernet\Cmd.exe" profile=any action=allow +``` + +If such a rule is not set, Windows will open the dialogue "Windows Defender Firewall has blocked some features of this app" (Windows 11). The "Public networks" setting is checked by default, but the "Private networks" is not. Confirming the firewall exception requires admin rights, otherwise Windows create a "block" firewall entry. + +* Windows 11: Listening on the default UDP port 112 or a random one (if 112 is already used) is itself not restricted for non-admin users. However, the Windows Firewall may block incoming traffic for non-admin users (see below). + +### Impact to firewalled users + +As non-admin user, the "Allow access" button opens the User Account Control window which requires an admin login. Failure to provide an admin login (or hiting the Cancel button) creates two inbound "block" rules (one for UDP, another for TCP) in the Windows Firewall based on the executable path for the public profile. The rules block both UDP/TCP traffic on all local/remote ports for any local/remote IP address. The Edge traversal setting is set to "Block edge traversal" which has the description "Prevent applications from receiving unsolicited traffic from the Internet through a NAT edge device". + +This effectively means that Windows is likely block incoming traffic from uncontacted peers. This can be overcome via UDP hole punching. + +In the current implementation this turned out to be a problem for users with non-admin rights on a server which do not use NAT (the public IP is directly assigned to the network adapter); in that case the reported internal and measured external ports are matching, and peers do not flag that peer as NAT (the N flag will not be set in the peer table output). + +A potential fix for that would be a new self-reporting Firewall flag indicating that the peer believes it is behind a firewall and that the Traverse message (UDP hole punching) is required for connections from unknown peers. + +### Windows Firewall Debugging + +The Windows Firewall supports enabling a log file (by default the setting is disabled). This [article](https://www.howtogeek.com/220204/how-to-track-firewall-activity-with-the-windows-firewall-log/) shows how to enable the log. Following is a real log entry generated by the firewall when an external peer fails to contact the local peer due to the Windows Firewall: + +| date time | action | protocol | src-ip | dst-ip | src-port | dst-port | size | path | pid | +| ------------------- | ------ | -------- | --------------- | --------------- | -------- | -------- | ---- | ------- | ---- | +| 2021-11-16 00:49:08 | DROP | UDP | [IPv6 redacted] | [IPv6 redacted] | 112 | 112 | 143 | RECEIVE | 8924 | + +### Expert Users + +Expert user may manually edit the network listen config settings. Beware that invalid settings will negatively impact connectivity and might result in blacklisting by other peers. Make sure to manually configure any firewalls (including OS firewalls and network devices) according to your settings; only incoming and outgoing UDP traffic on the specified listening port is required for Peernet. +* Static public IP assigned to your network adapter (usually only servers): Set the `Listen` to the fixed public IP:Port. `EnableUPnP` must be false and `PortForward` must be 0. +* Dynamic public IP in home network but manual port forwarding on your router: Set `Listen` to your internal IP:Port from your network adapter that provides the connection to your router. Set `PortForward` to the external port. `EnableUPnP` must be false. +* For any other case, don't touch the default config!