About the order in which rules are applied

Sophos Endpoint Security and Control

For connections that use raw sockets, only the global rules are checked.

For connections that do not use raw sockets, various rules are checked, depending on whether the connection is to a network address that is listed on the LAN tab or not.

If the network address is listed on the LAN tab, the following rules are checked:

  • If the address has been marked as Trusted, all traffic on the connection is allowed with no further checks.
  • If the address has been marked as NetBIOS, file and printer sharing on any connection that meets the following criteria is allowed:
    Connection   Port     Range
    TCP          Remote   137-139 or 445
    TCP          Local    137-139 or 445
    UDP          Remote   137 or 138
    UDP          Local    137 or 138

If the network address is not listed on the LAN tab, other firewall rules are checked in the following order:

  1. Any NetBIOS traffic that has not been allowed using the LAN tab is dealt with according to the setting of the Block file and printer sharing for other networks check box:
    • If the check box is selected, the traffic is blocked.
    • If the check box is cleared, the traffic is processed by the remaining rules.
  2. The high-priority global rules are checked, in the order in which they are listed.
  3. If the connection has not already had rules applied to it, the application rules are checked.
  4. If the connection has still not been handled, the normal-priority global rules are checked, in the order in which they are listed.
  5. If no rules have been found to handle the connection:
    • In Allow by default mode, the traffic is allowed (if it is outbound).
    • In Block by default mode, the traffic is blocked.
    • In Interactive mode, the user is asked to decide. This mode is not available in Windows 8.
    Note: If you have not changed the working mode, the firewall will be in Block by default mode.
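
The evaluation order above can be modelled as a small decision function, which helps when auditing a policy for rules that can never be reached. This is an added example, not Sophos code: `Conn`, `decide`, the rule callables and the sample rules are hypothetical, and behaviour the page does not state is marked as an assumption in the comments.

```python
from dataclasses import dataclass

# Port table from the page; matches on either the local or the remote port.
NETBIOS_PORTS = {"tcp": {137, 138, 139, 445}, "udp": {137, 138}}

@dataclass
class Conn:
    proto: str              # "tcp" or "udp"
    local_port: int
    remote_port: int
    remote_addr: str
    app: str = ""
    outbound: bool = True
    raw_socket: bool = False

def is_netbios(c):
    ports = NETBIOS_PORTS.get(c.proto, set())
    return c.local_port in ports or c.remote_port in ports

def first_match(rules, c):
    """Rules are callables returning 'allow', 'block' or None (no match)."""
    return next((v for v in (r(c) for r in rules) if v), None)

def working_mode(c, mode):
    if mode == "allow":
        # The page covers outbound only; blocking inbound is an assumption.
        return "allow" if c.outbound else "block"
    return "ask" if mode == "interactive" else "block"

def decide(c, lan, block_sharing, high, app_rules, normal, mode="block"):
    """lan maps a LAN-tab address to 'trusted' or 'netbios' (hypothetical model)."""
    if c.raw_socket:
        # Only global rules apply; high-before-normal order and the
        # fall-through to the working mode are assumptions.
        return first_match(high + normal, c) or working_mode(c, mode)
    marking = lan.get(c.remote_addr)
    if marking == "trusted" or (marking == "netbios" and is_netbios(c)):
        return "allow"
    # Assumption: other traffic to a NetBIOS-marked address continues below.
    if is_netbios(c) and block_sharing:
        return "block"                                   # step 1
    verdict = (first_match(high, c)                      # step 2
               or first_match(app_rules, c)              # step 3
               or first_match(normal, c))                # step 4
    return verdict or working_mode(c, mode)              # step 5

# Constructed sample rules (not from the page).
HIGH = [lambda c: "block" if c.remote_port == 23 else None]
APPS = [lambda c: "allow" if c.app == "browser.exe" and c.remote_port == 443 else None]
```

Note what the model makes visible: a Trusted LAN address bypasses even high-priority block rules, and the file and printer sharing check box is evaluated before any global rule for non-LAN addresses.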