About the order in which rules are applied
For connections that use rawsockets, only the global rules are checked.
For connections that do not use rawsockets, various rules are checked, depending on whether the connection is to a network address that is listed on the LAN tab or not.
If the network address is listed on the LAN tab, the following rules are checked:
- If the address has been marked as Trusted, all traffic on the connection is allowed with no further checks.
- If the address has been marked as NetBIOS, file and printer sharing on any connection that meets the following criteria is allowed:
If the network address is not listed on the LAN tab, other firewall rules are checked in the following order:
- The high-priority global rules are checked, in the order in which they are listed.
- If the connection has not already had rules applied to it, the application rules are checked.
- If the connection has still not been handled, the normal-priority global rules are checked, in the order in which they are listed.
- If no rules have been found to handle the connection:
  - In Allow by default mode, the traffic is allowed (if it is outbound).
  - In Block by default mode, the traffic is blocked.
  - In Interactive mode, the user is asked to decide. This mode is not available in Windows 8.
Note: If you have not changed the working mode, the firewall will be in Block by default mode.
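The evaluation order above can be modelled to check which rule actually handles a connection, for example when auditing whether a high-priority global rule shadows an application rule. This is an added example, not the product's own code: the names `Conn`, `Rule` and `decide` and the sample policy are constructed, it covers only connections that do not use rawsockets, and it leaves out the NetBIOS case. It assumes the first matching rule in a list wins and that unmatched inbound traffic is blocked in Allow by default mode.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable

@dataclass
class Conn:
    app: str
    remote: str
    port: int
    outbound: bool = True

@dataclass
class Rule:
    name: str
    matches: Callable[[Conn], bool]
    action: str  # "allow" or "block"

def decide(conn, trusted_lan, high_global, app_rules, normal_global, mode="block"):
    """Return (action, reason) for a connection that does not use rawsockets."""
    addr = ipaddress.ip_address(conn.remote)
    if any(addr in ipaddress.ip_network(net) for net in trusted_lan):
        return ("allow", "LAN tab: Trusted")  # no further checks
    stages = (("high-priority global", high_global),
              ("application", app_rules.get(conn.app, [])),
              ("normal-priority global", normal_global))
    for stage, rules in stages:
        for rule in rules:  # assumption: first matching rule in listed order wins
            if rule.matches(conn):
                return (rule.action, f"{stage}: {rule.name}")
    if mode == "allow":
        # Assumption: unmatched inbound traffic is blocked (page covers outbound only).
        return ("allow" if conn.outbound else "block", "Allow by default")
    if mode == "interactive":
        return ("ask-user", "Interactive")
    return ("block", "Block by default")

# Constructed sample policy (not from any real configuration).
TRUSTED = ["192.168.10.0/24"]
HIGH = [Rule("allow-https", lambda c: c.outbound and c.port == 443, "allow")]
APPS = {"updater.exe": [Rule("block-updater", lambda c: True, "block")]}
NORMAL = [Rule("block-telnet", lambda c: c.port == 23, "block")]

if __name__ == "__main__":
    for c in (Conn("updater.exe", "203.0.113.5", 443),   # high-priority rule shadows app block
              Conn("updater.exe", "203.0.113.5", 8080),  # application rule applies
              Conn("term.exe", "203.0.113.5", 23),       # normal-priority global rule
              Conn("term.exe", "192.168.10.7", 23),      # Trusted LAN address skips all rules
              Conn("notes.exe", "203.0.113.5", 80)):     # no rule: working mode decides
        print(c.app, c.remote, c.port, "->", decide(c, TRUSTED, HIGH, APPS, NORMAL))
```

In the sample policy the application rule that blocks `updater.exe` never sees port 443 traffic, because the high-priority global rule handles it first.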