Windows Firewall Troubles

Started by August 27, 2016 03:51 AM
2 comments, last by hplus0603 8 years, 2 months ago

I'm pretty familiar with networking and firewalls, but there's something really simple I'm trying to do and it's not working.

I wrote a simple websockety web game that's a service currently running on PC1 and listening on port 8000.
I tried connecting to it from a different computer on my network and the browser couldn't find it. Of course it was the firewall, so I disabled the firewall completely on the host machine and immediately I could access the game from other computers.

Since I don't want the firewall completely disabled, I turned it back on and instead added some rules.

I made inbound and outbound rules allowing my gameservice.exe full access to any protocol, any port on public, domain and private networks. Surprisingly, this did not work! I could not access the game with these rules enabled.

So I tweaked the rules slightly from gameservice.exe to "any program", and now the game works again. So what is the problem here? I'm 100% sure that I had the correct path to my gameservice.exe in the firewall rules because if I go to Task Manager, Services tab, locate GameService, and look at Properties, it shows me the exact path to gameservice.exe.

So why is it that specifying the exact executable does not work, but saying "any program" does? The service is very simple and does not invoke any other executables. Is Windows secretly moving my gameservice.exe when it registers it as a service? That can't be it because I can see the path as I mentioned above.

This is pretty frustrating because I want my firewall to be as tight as possible, but I'm tempted to just open it up because it seems like it's doing something wrong.

"What is the problem?"
That depends on what firewall you're using.
Which in turn depends on what OS you're using.
You're not giving us much to go on, here :-)

If this is Windows, and you're running your game server as a service, then perhaps this is a problem where it runs under different credentials and the firewall doesn't apply your config -- that depends on what firewall you're using I guess.
enum Bool { True, False, FileNotFound };

Well, the title of my post was "Windows firewall troubles" and I mentioned Windows in the question itself too, so yeah, it's Windows ;)

Fair point though, here's more detail:
It's Windows 10 Pro N 64-bit's built-in "Windows Firewall with Advanced Security".

I don't really see anything about credentials or permissions - just the service path, the ports, etc.

Also, I just did a test with a new version of the game server that is NOT a service. It's just an EXE that you run. Same problem. Telling the firewall about the specific EXE does not allow connections, but disabling the firewall altogether of course works, and so does enabling the firewall but creating a more relaxed rule for "all programs".

So it really seems like my game.exe is not the program that needs to be allowed... the question is, what the hell program is doing the communication??

If your program is the one doing the socket(), bind(), and recvfrom() calls, then that's the program that needs to be listed in the firewall.
It's more likely that the "allowing" of the firewall is somehow incorrectly configured for you.
Maybe you're configuring IPv6 and it's using IPv4, or vice versa?

Are you using the "advfirewall" command?
netsh advfirewall firewall add rule action=allow profile=any protocol=any enable=yes dir=[in|out] name=[exception name] program=[program path]
You can also make a program with admin privileges, or a plug-in for your installer, install the exception rule using the firewall APIs:
INetFwManager and friends: https://msdn.microsoft.com/en-us/library/aa365287(v=vs.85).aspx
enum Bool { True, False, FileNotFound };
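
An added example, not part of the thread or any poster's code: a PowerShell check, run elevated on the host, that reports which process actually owns the listener on port 8000 (and on which address family) and which enabled inbound allow rules name that exact executable. The port comes from the first post; the function names are hypothetical.

```powershell
# Added example (not from the thread). Function names are hypothetical.
# Run in an elevated PowerShell session on the machine hosting the game server.
$Port = 8000   # port mentioned in the first post

function Get-ListenerOwner {
    param([int]$Port)
    # One row per listening address, so 0.0.0.0 (IPv4) and :: (IPv6) show up separately.
    Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                ProcessId    = $_.OwningProcess
                Name         = if ($proc) { $proc.ProcessName } else { $null }
                # PID 4 is the System process (kernel-mode listeners such as HTTP.sys);
                # it has no image path, so a rule scoped to a user-mode EXE cannot match it.
                Path         = if ($proc) { $proc.Path } else { $null }
            }
        }
}

function Get-InboundAllowRulesForProgram {
    param([string]$Path)
    # Rules may store the program with environment variables, so expand before comparing.
    Get-NetFirewallApplicationFilter -All |
        Where-Object { [Environment]::ExpandEnvironmentVariables($_.Program) -ieq $Path } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
        Select-Object DisplayName, Profile
}

$owners = @(Get-ListenerOwner -Port $Port)
if (-not $owners) { Write-Warning "Nothing is listening on TCP port $Port."; return }

foreach ($o in $owners) {
    "{0}:{1} is owned by PID {2} ({3}) {4}" -f $o.LocalAddress, $Port, $o.ProcessId, $o.Name, $o.Path
    if (-not $o.Path) {
        Write-Warning "No image path for PID $($o.ProcessId); a program-scoped rule cannot be checked against it."
        continue
    }
    $rules = @(Get-InboundAllowRulesForProgram -Path $o.Path)
    if ($rules) { $rules | Format-Table -AutoSize }
    else { Write-Warning "No enabled inbound allow rule names $($o.Path)." }
}
```

If the owning path differs from the path in the rule, or the owner is PID 4, the program-scoped rule is not matching the process that holds the socket; scoping the rule by local port and protocol keeps it tighter than "any program".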

This topic is closed to new replies.
