Win Firewall Inbound Rules (TCMD 16.x)

Jan 12, 2014
520
11
Switzerland, SO
Hi,

After installing Take Command 16 64-bit, I have four automatically created INBOUND rules in Windows Firewall (Win 7 Ultimate 64-bit). So far so good. But are these not a bit oversized?

I have Allow rules for "tcmd.exe", "tcc.exe", "ide.exe" and "updater.exe" with ANY Ports and ANY protocol.

My question is now: how could these rules be restricted for incoming traffic?

Or in other words: are Inbound rules even necessary?

Thank you very much for answers in advance!

Greetings from Switzerland,
Alpengreis

PS: Sorry for my English ...
 
May 20, 2008
12,167
133
Syracuse, NY, USA
The only one I'm sure is necessary is TCC's rule. Without it, TCC can't open data channels for FTP. The last time I tried (v15, I believe), UPDATER.EXE worked fine with its rule disabled.
 

rconn

Administrator
Staff member
May 14, 2008
12,556
167
TCC needs it for internet access (FTP, SFTP, FTPS, etc.). IDE needs it if you want to debug any batch files that use the TCC internet routines. TCMD and UPDATER need it for registration & auto updates.

If you don't care about any of those, you can block them in Windows Firewall.
 
Jan 12, 2014
520
11
Switzerland, SO
Thanks!

... "needs it for internet access" but this is then outbound not inbound?

I mean, I have no server which needs access from outside the local subnet.

... "for registration & auto updates" - ok, this makes sense, if it's initiated through your server(s).

Would this be enough for Win 7 Firewall INBOUND?

TCC Protocol = TCP, Ports = 20,989 (for the ftp(s)-data channels)
TCC Protocol = UDP, Ports = 20,989 (for the ftp(s)-data channels)
TCMD Protocol = TCP, Ports = 80,443 (for registration and auto updates)
IDE = No inbound traffic allowed

20 = ftp-data
80 = http
443 = https
989 = ftps-data

OUTGOING of course has another rule set ...

Sorry for my persistence - but I do not want to simply allow all or block everything.

Kind regards,
Alpengreis
 

rconn

Administrator
Staff member
May 14, 2008
12,556
167
If you want to use HTTP, SFTP, SMTP, SMPP, SNMP, or SNPP from TCC you'll have to open ports for them too. If not, leave them closed.

There's no definitive set of firewall rules, because everybody has different needs. Experiment and see what works for you.
 
May 20, 2008
12,167
133
Syracuse, NY, USA
> If you want to use HTTP, SFTP, SMTP, SMPP, SNMP, or SNPP from TCC you'll have to open ports for them too. If not, leave them closed.
>
> There's no definitive set of firewall rules, because everybody has different needs. Experiment and see what works for you.

I don't know about the others, but I doubt there would be any inbound traffic on port 80 (HTTP) ... at least none expecting TCC to be listening. You didn't include a web server in the newest version, did you?
Code:
copy http://...
works fine with TCC firewall rule disabled
 
May 26, 2008
550
6
Agreed... I don't know why inbound rules would be needed. AFAIK, these rules are for new, unestablished connections only. (Like if you have a server listening for incoming connections.)
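
An added example, not code from the thread or from the product: a small parser for saved `netsh advfirewall firewall show rule name=all verbose` output that lists enabled inbound allow rules with no protocol or port limit, the kind of any-port/any-protocol rule the first post describes. The sample text, rule names and program paths are constructed, and English field labels are assumed.

```python
import re

# Constructed sample in the layout of English-language netsh output.
# Rule names and paths are placeholders, not values from the thread.
SAMPLE = r"""
Rule Name:                            Example TCC (any/any)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Protocol:                             Any
Program:                              C:\Example\tcc.exe
Action:                               Allow

Rule Name:                            Example TCC (scoped)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Protocol:                             TCP
LocalPort:                            989
Program:                              C:\Example\tcc.exe
Action:                               Allow

Rule Name:                            Example updater (outbound)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            Out
Protocol:                             Any
Program:                              C:\Example\updater.exe
Action:                               Allow
"""

def parse_rules(text):
    rules = []  # one dict per rule, keyed by the field label
    for line in text.splitlines():
        m = re.match(r"([A-Za-z ]+?):\s*(.*)$", line)
        if not m:
            continue  # separator or blank line
        key, value = m.group(1), m.group(2).strip()
        if key == "Rule Name":
            rules.append({})  # a new rule block starts here
        if rules:
            rules[-1][key] = value
    return rules

def overbroad_inbound(rules):
    """Names of enabled inbound allow rules with no protocol or port limit."""
    return [r["Rule Name"] for r in rules
            if r.get("Enabled") == "Yes" and r.get("Direction") == "In"
            and r.get("Action") == "Allow"
            and (r.get("Protocol") == "Any" or r.get("LocalPort") == "Any")]
```

Outbound rules are ignored on purpose, since the thread's question is only about unsolicited incoming connections.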
 
Jan 12, 2014
520
11
Switzerland, SO
Yes, I also don't understand your answer, rconn, sorry! Why for incoming traffic (except for (s)ftp data channels and eventually for server-initiated auto updates with TCMD (from your server(s) on port 80,443))?

Outbound, ok, this is another thing, that is (and was) clear - I have extra rules for outgoing traffic for tcc, etc. ... and this can be a (very) different setting, that's right ...

Even if, for example, anyone has a mail server - WHY does TCC or require a permit for incoming traffic? Then the mail server requires this, but not TCC ...

Now, I'm really confused!
 
Jan 12, 2014
520
11
Switzerland, SO
Hi, I have now created the right rules for me personally.

Nevertheless, it would be nice if a response came here regarding "why for incoming traffic", also in the sense of other users!

Thanks and greetings,
Alpengreis
 
Jan 12, 2014
520
11
Switzerland, SO
No, it is not helpful to share my setting.

I don't know if it's right or not. I have made a decision for ME personally and changed the rules.

But it's possible to have a problem with this setting - even because I don't know why Inbound rules were set automatically through the TCMD setup.

Eventually, for Inbound too, it's not possible to have a "global"/standard setting for all.

But as I said: I don't know the reason why Inbound could be necessary, and this is my question ...

Greetings,
Alpengreis

PS: And my Outbound setting is anyway individual and not to share.
 
