Domains (By-name permissions)
Name Usage
By-name rules can be used in the Domains pane, in zones of the Zone pane, in zones applied to applications in the Programs pane, and in the zone for all applications in the Settings pane.
Name requirements
Windows 10 Firewall Control can create filtering rules using strict domain (web site) names and name patterns. "*", "?" and "[a-x]" (character intervals) are allowed in patterns. For example, the "*telemetry*" pattern matches all domains that contain the word "telemetry", e.g. "telemetry.microsoft.com" and "telemetry.mozilla.org".
The "." (dot) is matched strictly in patterns, so "*.a-name.com" is not the same as "*a-name.com". The first matches only a-name's sub domains, e.g. "something.a-name.com" and "somethingelse.a-name.com", but not "anythinga-site.com".
Patterns without a wildcard character (i.e. "*", "?") match the name itself and all of its sub domains, e.g. the pattern "a-site.com" matches "a-site.com" itself as well as "anything.a-site.com".
Filtering is done by strict domain/site names, not by URLs/links. Folders and protocols cannot be used in by-name rules, so "http://a-site.com" and "a-site.com/something" are syntactically incorrect and match nothing.
How it works
In the end, Windows 10 Firewall Control always protects applications by IP address (IPv4 and IPv6). It tracks all domain name changes and creates the corresponding by-IP filters immediately at runtime. The tracking is precise and exhaustive, so multiple IP addresses per domain and changing IP addresses are fully supported for both IPv4 and IPv6 communications.
Because the final protection is applied on a by-IP basis, keep in mind that a single IP address may match several domain names at once. For instance, "www.a-site.com" and "a-site.com" may have the same single IP address or the same set of IP addresses, so be aware of possible clashes when creating mutually exclusive permissions for such domains. All rule arbitration follows the rules precedence below.
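The name requirements and the by-IP clash described above can be checked before rules are entered. The following is an added example, not Windows 10 Firewall Control code: `name_matches` models the documented pattern rules (case-insensitive comparison and sub domains starting at a dot boundary are assumptions), and `find_ip_clashes` reports IP addresses reached by both an allow and a block rule. The host-to-IP table and the rule list are constructed sample data.

```python
import re
from fnmatch import translate


def name_matches(pattern: str, host: str) -> bool:
    """Model of the by-name matching rules described on this page."""
    pattern, host = pattern.lower(), host.lower()  # assumption: case-insensitive
    if "/" in pattern or ":" in pattern:
        return False  # URLs, protocols and folders match nothing
    if any(c in pattern for c in "*?["):
        # Wildcard pattern: glob over the whole name. The dot is an ordinary
        # literal character, so "*.a-name.com" and "*a-name.com" differ.
        return re.fullmatch(translate(pattern), host) is not None
    # No wildcard: the name itself and all of its sub domains.
    return host == pattern or host.endswith("." + pattern)


def find_ip_clashes(rules, dns):
    """Return {ip: sorted host names} for every IP address that is reached
    by both an 'allow' and a 'block' by-name rule."""
    seen = {}  # ip -> {action: set of matching host names}
    for pattern, action in rules:
        for host, ips in dns.items():
            if name_matches(pattern, host):
                for ip in ips:
                    seen.setdefault(ip, {}).setdefault(action, set()).add(host)
    return {ip: sorted(set().union(*by_action.values()))
            for ip, by_action in seen.items() if len(by_action) > 1}


# Constructed sample data: documentation address ranges, not real lookups.
DNS = {
    "a-site.com": {"192.0.2.10"},
    "www.a-site.com": {"192.0.2.10", "2001:db8::10"},
    "telemetry.a-name.com": {"192.0.2.10"},  # shares an IP with a-site.com
    "something.a-name.com": {"192.0.2.20"},
}
RULES = [("a-site.com", "allow"), ("*telemetry*", "block")]

if __name__ == "__main__":
    for ip, hosts in find_ip_clashes(RULES, DNS).items():
        print(f"{ip}: allow/block clash between {', '.join(hosts)}")
```

Any address it reports is one where the final by-IP filter cannot honour both rules, so the outcome there depends on the rules precedence.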
Rules Precedence (ascending)
  • Universal (hidden) detection/guard block. Prevents network access by any unknown/unlisted application.
  • ZoneResult of the zone applied to the application (in the Programs pane) that is requesting network access.
  • Domains BelowApps Low (the Domains pane).
  • Domains BelowApps High (the Domains pane).
  • Settings/AllApplications zone (from top to bottom).
  • Per-application rules (from top to bottom) as applied to applications of the Programs pane.
  • Domains AboveApps Low (*) (the Domains pane).
  • Domains AboveApps High (*) (the Domains pane).
  • Global Mode (TrayIcon/RightClick/Mode) (if the mode is not equal to Mode:Normal)
  • Virtual sub network items (Network/Cloud Edition) (**).
(*) AboveApps priority is higher than per-application rules, so any enabling rule at that priority overrides per-application rules. As a result, your applications may accidentally be granted more access than intended. Take care not to put broadly enabling patterns (such as "*") into AboveApps in the Domains pane.
(**) If a destination computer is found in a virtual sub network or the AllApplications zone, a program's access to the destination (virtual sub network) will not be detected and the program will not be inserted into the Programs List automatically. If the virtual sub network item decision is positive or the computer is not listed in a sub network, the arbitration continues. If the decision is negative, the connection attempt is rejected and that decision is final. In other words, disabling items have global precedence. (Network/Cloud Edition only)