Block Internet Traffic, Allow LAN Traffic

Hi,

I discovered Glasswire yesterday and was so impressed I purchased a license right away.

However, I quickly discovered a shortcoming in the Firewall that I think would be trivial to implement an enhancement for.

Because there are currently no host-based rules one must make a binary decision: “Do I wish to Allow or Deny this application?”

From a user interface perspective, this is nice and simple. But unfortunately this is not quite a particularly robust implementation. For example, I have IP camera software and printer software which “phones home” over the internet. I cannot allow this traffic. So I DENY the application.

But, in denying the application, I have now prevented that same software from accessing the LAN. The IP cam software thus cannot access cameras on the LAN, and the printer software cannot access the printer! So now I need to go and unblock them…and guess what? First thing they do is phone home to undesirable addresses over the internet.

I believe there is a very simple solution and I’ve seen it implemented in TinyWall with a single checkbox.

  1. Enumerate all network devices and determine their default gateway and netmask to determine all the accessible LAN subnets.
  2. Add a checkbox option to Settings -> General: “Exclude LAN traffic.”
  3. In Linux, iptables applies the rule that matches first. So I would add a whitelist rule for each of the local subnets at the top of my rules. Local traffic simply passes uninhibited. Then any block rules come after. I am unfamiliar with Windows Firewall, but I imagine it works similarly.

The reason why I propose this simple solution is because I think it would conflate the UI when users are prompted to “Allow” or “Deny” to add more options, or more buttons. There is obviously quite a bit of thought in your UI design and users would be distracted or confused by too many options in the Allow/Deny popup. Instead – let them Deny the questionable program – same as they do now, and just let LAN traffic pass uninhibited via a global setting, if they so choose.

Thanks for listening!

1 Like

@loopforever

Thanks for your feedback.

We will work to improve our “ask to connect” mode in the future.

Hi Ken, thanks for your response.

I’m sure you have a very long list of features and enhancements to add. I was wondering, in the meantime, is it possible for a user to add explicit Windows Firewall rules to allow the traffic as described?

That is to say, can I continue to “Deny” the applications in Glasswire, and then manually add a rule to Windows Firewall that would permit the LAN traffic without Glasswire taking ownership/deleting/“managing” that manually entered rule?
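An added example, not code from this thread or from GlassWire, covering step 1 of the proposal above and the manual Windows Firewall rule asked about here: given each adapter's address and netmask (constructed sample values), it derives the LAN subnets and then the complement of those subnets as CIDR blocks. The complement is what a Windows rule needs, because Windows Defender Firewall evaluates block rules before allow rules regardless of order (unlike iptables' first match), so a per-program block rule must itself be scoped to "everything except the LAN" rather than relying on an allow rule placed ahead of it.

```python
from ipaddress import IPv4Address, IPv4Interface, IPv4Network
from typing import Iterable, List, Tuple

# Constructed sample of what step 1 gathers per adapter (address, netmask).
# These are not values from the thread.
SAMPLE_ADAPTERS = [
    ("192.168.1.20", "255.255.255.0"),  # LAN with the IP cameras
    ("10.0.50.7", "255.255.0.0"),       # second adapter, printer segment
]


def lan_subnets(adapters: Iterable[Tuple[str, str]]) -> List[IPv4Network]:
    """Step 1: derive each adapter's LAN subnet from its address and netmask."""
    nets = {IPv4Interface(f"{addr}/{mask}").network for addr, mask in adapters}
    return sorted(nets)


def non_lan_ranges(subnets: Iterable[IPv4Network]) -> List[IPv4Network]:
    """Complement of the LAN subnets within IPv4 space, as disjoint CIDR blocks.

    This is the remote-address scope for a per-program *block* rule on Windows,
    where block beats allow, so the block rule itself must exclude the LAN.
    """
    remaining = [IPv4Network("0.0.0.0/0")]
    for lan in sorted(subnets):
        keep: List[IPv4Network] = []
        for block in remaining:
            if not block.overlaps(lan):
                keep.append(block)              # untouched by this LAN
            elif lan.subnet_of(block):
                keep.extend(block.address_exclude(lan))  # carve the LAN out
            # else: block lies entirely inside the LAN, so drop it
        remaining = keep
    return sorted(remaining)


def is_blocked(dst: str, ranges: Iterable[IPv4Network]) -> bool:
    """True if a destination falls in the block scope (i.e. is not on the LAN)."""
    ip = IPv4Address(dst)
    return any(ip in r for r in ranges)


def remote_scope(ranges: Iterable[IPv4Network]) -> str:
    """Render the block scope as the comma-separated CIDR list a rule accepts."""
    return ",".join(str(r) for r in ranges)


if __name__ == "__main__":
    lans = lan_subnets(SAMPLE_ADAPTERS)
    scope = non_lan_ranges(lans)
    print("LAN subnets:", [str(n) for n in lans])
    print("Block scope (%d blocks):" % len(scope), remote_scope(scope))
```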

@loopforever

GlassWire used to work this way, but we received complaints from users and changed it because they did not like how other apps could change GlassWire’s own rules where some rules would suddenly no longer work with no explanation.

Perhaps there is some optional setting we could consider for this for the future. Thanks for your feedback.

1 Like