When an application that has server rights in Application Control
starts listening on a port, Application Control automatically creates a dynamic
firewall rule that allows inbound traffic to that port. Dynamic firewall rules
are placed after all other rules but before any rule that uses the firewall
service "All traffic" (typically the final rule that denies all traffic).
Note that even if you have denied server rights for all known applications,
svchost.exe still has server rights in Application Control. Svchost.exe is the
host process for Windows services that run from DLLs, so it listens on ports on
behalf of those services, and each such port gets a dynamic allow rule.
You can limit access to a port that Application Control opens dynamically
by creating a rule that denies inbound traffic to that port. Because the rule
does not use the "All traffic" service, it is placed above the dynamic rules,
and as rules are evaluated from top to bottom, the deny rule matches first and
the dynamic rule is no longer effective.
If you need total control over the rules, create one rule that denies all
inbound TCP traffic and one that denies all inbound UDP traffic. Such rules are
placed above the dynamic rules because they do not use the firewall service
"All traffic". Once they are in place, no dynamic rule can allow inbound traffic
any more, so you must create rules that allow traffic to every port the computer
needs to listen on (including ports used by services hosted in svchost.exe), and
those allow rules must be placed above the deny rules.
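The following is an added illustration, not F-Secure product code, of the rule ordering described above. It models a rule set as a top-down, first-match list, inserts dynamic rules after all ordinary rules and before the first rule that uses the "All traffic" service, and then evaluates three constructed situations: the default layout, a single-port deny rule, and the deny-all-inbound-TCP/UDP layout with and without an explicit allow rule above the deny rules. The application names, ports (137, 8080, 3389) and rule names are assumptions chosen for the example.

```python
"""Model of how Application Control's dynamic firewall rules sort into a
static rule set. Added illustration; assumptions (not from the product):
- a rule matches on direction, protocol and port; the special service
  "All traffic" matches everything regardless of protocol and port
- rules are evaluated top to bottom and the first match wins
- dynamic rules go after every ordinary rule and before the first rule
  that uses the "All traffic" service
"""
from dataclasses import dataclass

ALL_TRAFFIC = "All traffic"      # service name used by the trailing deny-all rule


@dataclass(frozen=True)
class Rule:
    name: str
    action: str        # "allow" or "deny"
    direction: str     # "in", "out" or "both"
    protocol: str      # "tcp", "udp" or "any"
    port: object       # int or "any"
    service: str = "custom"   # "custom" or ALL_TRAFFIC
    dynamic: bool = False

    def matches(self, direction, protocol, port):
        if self.direction not in ("both", direction):
            return False
        if self.service == ALL_TRAFFIC:      # "All traffic": any protocol, any port
            return True
        if self.protocol not in ("any", protocol):
            return False
        return self.port in ("any", port)


def dynamic_rule(app, protocol, port):
    """Inbound allow rule Application Control adds when an application with
    server rights starts listening on protocol/port."""
    return Rule(f"dynamic: {app} {protocol}/{port}", "allow", "in",
                protocol, port, dynamic=True)


def effective_ruleset(static_rules, dynamic_rules):
    """Insert dynamic rules after all ordinary rules and before the first
    rule that uses the "All traffic" service."""
    cut = next((i for i, r in enumerate(static_rules) if r.service == ALL_TRAFFIC),
               len(static_rules))
    return list(static_rules[:cut]) + list(dynamic_rules) + list(static_rules[cut:])


def evaluate(ruleset, direction, protocol, port):
    """Top-down, first match wins; returns (action, name of deciding rule)."""
    for r in ruleset:
        if r.matches(direction, protocol, port):
            return r.action, r.name
    return "deny", "no matching rule"


# Constructed example: svchost.exe (always has server rights) and a custom
# application have both started listening, so two dynamic rules exist.
DYNAMIC = [dynamic_rule("svchost.exe", "udp", 137),
           dynamic_rule("myapp.exe", "tcp", 8080)]
DENY_ALL = Rule("deny everything else", "deny", "both", "any", "any", service=ALL_TRAFFIC)
ALLOW_OUT = Rule("allow outbound", "allow", "out", "any", "any")


def _probe(ruleset, probes):
    return {port: evaluate(ruleset, "in", proto, port)[0] for proto, port in probes}


def scenario_default():
    """Outbound allow plus the trailing "All traffic" deny: dynamic rules
    land above the deny, so both listeners are reachable from outside."""
    rs = effective_ruleset([ALLOW_OUT, DENY_ALL], DYNAMIC)
    return _probe(rs, (("udp", 137), ("tcp", 8080), ("tcp", 3389)))


def scenario_deny_one_port():
    """A custom-service deny rule for one port sorts above the dynamic
    rules and wins for that port only."""
    block = Rule("block 8080", "deny", "in", "tcp", 8080)
    rs = effective_ruleset([ALLOW_OUT, block, DENY_ALL], DYNAMIC)
    return _probe(rs, (("udp", 137), ("tcp", 8080)))


def scenario_total_control(allow_rdp_first=True):
    """Deny all inbound TCP and UDP with custom-service rules: every dynamic
    rule becomes ineffective. A needed port is only reachable if its allow
    rule is placed above the deny rules."""
    deny_in = [Rule("deny inbound TCP", "deny", "in", "tcp", "any"),
               Rule("deny inbound UDP", "deny", "in", "udp", "any")]
    allow_rdp = [Rule("allow RDP", "allow", "in", "tcp", 3389)]
    middle = allow_rdp + deny_in if allow_rdp_first else deny_in + allow_rdp
    rs = effective_ruleset([ALLOW_OUT] + middle + [DENY_ALL], DYNAMIC)
    return _probe(rs, (("udp", 137), ("tcp", 8080), ("tcp", 3389)))


if __name__ == "__main__":
    print("default:                ", scenario_default())
    print("deny one port:          ", scenario_deny_one_port())
    print("total control, ok:      ", scenario_total_control())
    print("total control, wrong:   ", scenario_total_control(allow_rdp_first=False))
```

The last two lines of output show the caveat that matters in practice: with the deny-all-inbound rules in place, the explicit allow for port 3389 only works when it sits above them, and the svchost.exe listener on UDP 137 is blocked unless it too gets an explicit allow rule.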
Checking the ruleset in use
When you create a very restrictive rule set, check the active rules in the
F-Secure product's local user interface. It shows the dynamic rules that
currently exist alongside the static rules, so you get an overview of the rule
set actually in use.