Firewall with good outgoing application control, please


SirDracula
April 20th, 2007, 11:54 AM
Could someone please recommend a good firewall that meets the following requirements?

- It has both packet control *and* outgoing application control, like Kerio, ZA Pro

- It can keep track of both Trusted and Internet zones and the applications can have individual settings for each zone (e.g. allow connections from the Trusted zone but deny connections for the Internet zone) - e.g. like ZA Pro

- No extra bloatware in the firewall. I don't care for HIPS or antivirus or antispyware or web filtering, etc. to be built-in. All I want is just a very good powerful firewall, nothing more.

- I'd prefer FREE or very cheap to purchase.

So far I tried Sunbelt Kerio, ZA 7, Comodo and none worked well for me or had the control I needed or were too bloated with extra crap that I don't need (some let you disable some features, but I don't even want the code there, sometimes they leave their hooks in and they still get invoked but just do nothing or so they claim, until they cause problems).

Does something like this exist as a standalone firewall? Even an older version I'm fine with as long as it's stable, has no major bugs and works well with XP Pro SP2.

Thank you for your help.

lucas1985
April 20th, 2007, 12:22 PM
Jetico v1. It requires an above-average knowledge and some patience, but it's perhaps the best firewall.

SirDracula
April 20th, 2007, 12:27 PM
{QUOTE-> Jetico v1. It requires an above-average knowledge and some patience, but it's perhaps the best firewall. <-QUOTE}

I tried Jetico, way too complicated for my taste. Even though I'm an advanced user, it's a pain to use it and configure it on multiple computers.

The closest one for my taste was Kerio. The problem with it was that it had problems with Firefox, it would slow down Firefox, pages would not fully load, requests would be messed up, etc. Yes, I disabled the web filtering, HIPS and application interaction control. Still no luck with it. I think it's just plain buggy, I got no answer from their support, you can't easily find a change list, etc.

Long time ago I used something called Tiny/Kerio I believe version 2.1.5 or something that I really liked, too bad it's no longer maintained.

Why can't someone just build a simple to use, good firewall? Just a firewall with outgoing app control, nothing more ...

InfinityAz
April 20th, 2007, 12:45 PM
Try Sygate Personal Firewall, Filseclab, or Kerio 2.15.

Jo Ann
April 20th, 2007, 12:55 PM
Sir D. What didn't you like about ZA-Free? It's extremely easy to use, has all of the outgoing granular program-control you could want and you can't beat the price!

SirDracula
April 20th, 2007, 12:59 PM
{QUOTE-> Sir D. What didn't you like about ZA-Free? It's extremely easy to use, has all of the outgoing granular control you could want and you can't beat the price! <-QUOTE}

No expert rules. In the free version I cannot get NTP time synchronization to work, or my Cisco VPN client or my Cisco IP Communicator (VOIP) or TFTP. It seems that there is no way to configure applications that rely on UDP. If it allowed advanced rules, it would be perfect.

SirDracula
April 20th, 2007, 01:01 PM
{QUOTE-> Try Sygate Personal Firewall, Filseclab, or Kerio 2.15. <-QUOTE}

Do Sygate and Kerio 2.1.5 still work well with XP SP2? I assume I would not get any integration with the SP2 Security Center, right? Not that it adds any security value anyway but it's useful in case the firewall crashes, at least I'd know it's dead.

I'm asking because I don't want to keep trying software and turn my computer into a mess (uninstallers never work completely).

Antarctica
April 20th, 2007, 01:31 PM
I've been using Kerio 2.1.5 on one of my machines with XP SP2 for over a year without any problems.

I have Security Center turned off as I find it useless anyway.

Together with this I have SSM paid and Antivir and as I said no conflicts whatsoever.:)

Pedro
April 20th, 2007, 01:32 PM
If you want no HIPS, IDS or anything, nowadays it is hard.
Comodo comes with some extras, like Application Behavior Analysis, but you can turn it off easily.
Comodo divides into 2 separate monitors: Network Monitor (packet filter) and Application Monitor. Network Monitor is king, and it's the one with SPI. If something is not allowed in it, it's blocked.

Version 2, present, can't be password protected, nor backup the rules. Version 3 should have that (and optional HIPS lol).

It identifies source and destination, instead of local and remote. This can be confusing at start. I hope ver.3 brings this too, but I don't know if it will.

Pedro
April 20th, 2007, 01:34 PM
I forgot to add, Kerio 2.1.5 and Sygate are good too. Different. You should try these too.

SirDracula
April 20th, 2007, 01:36 PM
Comodo doesn't seem to be flexible with the application control. The rules for the same app pile up like there's no tomorrow, depending on the mode. No trusted/internet zone either that I can quickly get prompted for and save a rule (or create an advanced rule right there during an alert). Comodo looks very promising, maybe I should wait until v3.

lucas1985
April 20th, 2007, 01:38 PM
{QUOTE-> Do Sygate and Kerio 2.1.5 still work well with XP SP2? I assume I would not get any integration with the SP2 Security Center, right? <-QUOTE}
- Yes, both work well. However, their application control is "weak" compared to what Jetico or Comodo can provide if this is what you are looking for. Other options could be Online Armor, Outpost Firewall, LnS.
- I don't care about the Security Center. I disable it.
{QUOTE-> I'm asking because I don't want to keep trying software and turn my computer into a mess (uninstallers never work completely). <-QUOTE}
Three solutions:
- Use an install monitor.
- Use imaging software and do backups before installing anything.
- Test software in a virtual or spare machine.

Antarctica
April 20th, 2007, 01:38 PM
{QUOTE-> I forgot to add, Kerio 2.1.5 and Sygate are good too. Different. You should try these too. <-QUOTE}

I tried Comodo a couple of months ago but I came back to Kerio 2.1.5. But again this is personal.:)

Rmus
April 20th, 2007, 01:41 PM
{QUOTE-> Long time ago I used something called Tiny/Kerio I believe version 2.1.5 or something that I really liked, too bad it's no longer maintained. <-QUOTE}

True, but until IPv6 becomes standard, Kerio 2 should work fine on anything pre-Vista. (I use on both Win2K and WinXP)

{QUOTE-> Why can't someone just build a simple to use, good firewall? Just a firewall with outgoing app control, nothing more ... <-QUOTE}

The question of the ages. This question can apply to lots of other software.


regards,

-rich

________________________________________________________________
"Talking About Security Can Lead To Anxiety, Panic, And Dread...
Or Cool Assessments, Common Sense And Practical Planning..."
--Bruce Schneier

Pedro
April 20th, 2007, 01:41 PM
{QUOTE-> Comodo doesn't seem to be flexible with the application control. The rules for the same app pile up like there's no tomorrow, depending on the mode. No trusted/internet zone either that I can quickly get prompted for and save a rule (or create an advanced rule right there during an alert). Comodo looks very promising, maybe I should wait until v3. <-QUOTE}
Trusted zone is easy to make. Security- Tasks if you want a wizard.
Alternatively, if you know what you're doing, build rules for trusted zone in NetMon.

I've highlighted what's wrong with the rules. You also can change them at will, I don't follow you on that.

SirDracula
April 20th, 2007, 01:43 PM
{QUOTE-> - Yes, both work well. However, their application control is "weak" compared to what Jetico or Comodo can provide if this is what you are looking for. Other options could be Online Armor, Outpost Firewall, LnS.
<-QUOTE}

All I want is to have control on a per app basis for the Trusted and Internet zones. I want this to keep an eye on what's connecting where and when. I practice safe Internet browsing so I'm not too worried about spyware that's already installed trying to phone home. If I get that far, something else has failed and I should be addressing that problem instead.

LnS doesn't seem to make the difference between trusted/internet zones. I want to allow some apps to only connect to my LAN but not the internet, or act as servers just for my LAN, but not the Internet zone.

lucas1985
April 20th, 2007, 01:58 PM
Seems that Kerio 2.1.5 is what you need. Control on a per app basis (path, name of executable, MD5 checksum), local/remote IP/ports, low footprint.
It's a pity that the open source project created to improve Kerio 2.1.5 seems inactive.

noway
April 20th, 2007, 02:16 PM
Not wanting to change the subject, but I would recommend forgetting firewalls for a few days until you buy and become familiar with a good disk imaging program. You might want to format first...create an image...then configure/install apps a few at a time, making lots of images along the way...installing your most stable/trusted/long-term apps first. Then make an image and go testing some firewalls, restoring the "no-firewall" image in between tests.

You may have to prioritize your requirements, since it is impossible to find all those things in one firewall. Also, they all have bugs...your tolerance of each specific bug will be different from other users, so you have to try them yourself and make sure they don't interact badly with whatever other software and hardware you have on the system.

In the past few years, the only software firewalls I have been (mostly) satisfied with that MIGHT meet your requirements have been:

Zonealarm Plus 4.5.594
Kerio 2.1.5
Norton Personal Firewall 2004

However, all of the above have at least one thing that bothers me. They are also all "old versions" although they are all still available in various places and are for the most part better than their newer replacements.

Mrkvonic
April 20th, 2007, 02:41 PM
Hello,
Sounds to me like Kerio 2.1.5 or Sygate.
Mrk

SirDracula
April 20th, 2007, 03:00 PM
{QUOTE-> Hello,
Sounds to me like Kerio 2.1.5 or Sygate.
Mrk <-QUOTE}

As suggested, I'm trying this stuff in VMware now.

Sygate is out of the race, it doesn't make it easy to distinguish between Trusted and Internet zones and also between server and client. It seems that if you allow it, by default it allows everything for that app, both incoming and outgoing, you'd have to go edit the rule after the fact, when it could be too late. I like to be prompted 4 times per app, for the combination trusted/internet zone, client/server for each zone.

I'll keep posting back my findings and what I decided to possibly use.

Thanks everyone for your responses, very informative as usual.

Jarmo P
April 20th, 2007, 11:16 PM
{QUOTE-> Sygate is out of the race, it doesn't make it easy to distinguish between Trusted and Internet zones and also between server and client. It seems that if you allow it, by default it allows everything for that app, both incoming and outgoing, you'd have to go edit the rule after the fact, when it could be too late. <-QUOTE}
Neither does Kerio 2.1.5, so one does have to do some research on how to do it if having a LAN with many computers, but I am no expert to help you on that. I like both SPF and Kerio 2.1.5.

Yes to second one, unfortunately SPF allows server access by default. It is a bother. To delete all the app rules that come after install is recommended and then when running it block first after a prompt and go editing to deny 'Act as Server' is one way for a paranoid user. A paranoid user could do better though with something like Comodo or even adding HIPS to that.
A paranoid user could also get more paranoid with Comodo, heh.

SirDracula
April 21st, 2007, 03:43 AM
Kerio 2.1.5 is out for the same reasons: no easy trusted/internet zones.

Mrkvonic
April 21st, 2007, 05:31 AM
Hello,

Making a trusted zone in Sygate, as simple as milk:

Tools > Advanced Rules
New
General > Allow this traffic
Hosts > IP address of the second PC, ex. 192.168.44.2
Ports and Protocols > All
Scheduling > not needed
Applications > select nothing, just click OK

There you have a trusted zone.

Now you can play with which app you want to allow, when, which ports etc...

Mrk

dave88
April 21st, 2007, 06:11 AM
{QUOTE-> Do Sygate and Kerio 2.1.5 still work well with XP SP2? I assume I would not get any integration with the SP2 Security Center, right? Not that it adds any security value anyway but it's useful in case the firewall crashes, at least I'd know it's dead.
<-QUOTE}

The final 2 builds of sygate are recognized by security center. the final build is 3408. Sygate has excellent logs.

Stem
April 21st, 2007, 12:08 PM
{QUOTE-> I tried Jetico, way too complicated for my taste. Even though I'm an advanced user, <-QUOTE}

You mention that you are an advanced user, also the fact that ZA free does not include "Expert rules", which would indicate some knowledge of rule creation. Why not then use Jetico and create your own rulesets for each zone? This is very simple to do.

SirDracula
April 21st, 2007, 01:16 PM
Jetico, Kerio 2.1.5, Sygate, Comodo and maybe others - I know I can make trusted zones by hand. However, I'd like the firewall to detect the new networks and also prompt me on new connections to the trusted zone whether to allow or deny. I do NOT want an app to ask for permission to connect to the trusted zone, allow it and then the firewall to automatically allow the app to connect to the Internet zone also and then have to go in and track down the rule and edit it by hand. There's nothing wrong with the apps above, it's all about convenience.

I looked at Filseclab - didn't leave a good impression.

I think my choices would be ZA 5.5 or 4.5 How did I get here? Well, I bought ZA 7 Suite a few days ago and I'm very disappointed, very bloated, some things don't work right (no need to list them, I tried to get help in the ZA forums and from their tech support which is close to useless, they send back some generic answers and it seems the solution is always uninstall/re-install). I'm considering either asking for a refund for ZA7 or if I like ZA 4.5 or 5.5 to maybe convince ZA to give me a key for 4.5 or 5.5 instead of my ZA 7 key.

I didn't mention ZA7 earlier because I didn't want to let it influence any recommendations.
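The per-app control SirDracula asks for above (a rule granted for the trusted zone must not silently extend to the Internet zone, and client and server roles are decided separately, so four prompts per app), plus the executable-hash identity that lucas1985 mentions for Kerio, modelled as an added Python example. This is constructed code, not the behaviour of ZoneAlarm, Kerio or any product in the thread; the network prefixes, paths and hashes are assumed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed zone definitions (assumed values, not from any product):
# loopback and one LAN prefix are "trusted", everything else is "internet".
TRUSTED_NETWORKS = [ipaddress.ip_network("127.0.0.0/8"),
                    ipaddress.ip_network("192.168.44.0/24")]


def zone_of(remote_ip: str) -> str:
    """Classify a remote address as 'trusted' or 'internet'."""
    ip = ipaddress.ip_address(remote_ip)
    return "trusted" if any(ip in net for net in TRUSTED_NETWORKS) else "internet"


@dataclass(frozen=True)
class Connection:
    app: str          # path of the executable making/accepting the connection
    app_md5: str      # hash of that executable image, used as its identity
    role: str         # "client" (outbound connect) or "server" (inbound accept)
    remote_ip: str
    remote_port: int


RuleKey = Tuple[str, str, str]            # (app path, zone, role)
Prompt = Callable[[str, str, str], str]   # user's answer to a prompt: "allow" or "deny"


class ZoneAwareAppFirewall:
    """Per-app rules keyed on zone AND role, so one answer never leaks to another."""

    def __init__(self) -> None:
        self.rules: Dict[RuleKey, str] = {}
        self.known_md5: Dict[str, str] = {}   # app path -> hash seen when first ruled on
        self.prompts: List[RuleKey] = []      # every prompt the user would have seen

    def decide(self, conn: Connection, ask_user: Prompt) -> str:
        # A different image under the same path is a different program: discard
        # its rules so it is prompted again instead of inheriting permissions.
        seen = self.known_md5.get(conn.app)
        if seen is not None and seen != conn.app_md5:
            self.rules = {k: v for k, v in self.rules.items() if k[0] != conn.app}
            del self.known_md5[conn.app]
        key: RuleKey = (conn.app, zone_of(conn.remote_ip), conn.role)
        if key not in self.rules:             # unknown combination: prompt, never assume
            self.prompts.append(key)
            self.rules[key] = ask_user(*key)
            self.known_md5.setdefault(conn.app, conn.app_md5)
        return self.rules[key]


def demo() -> Tuple[List[str], List[RuleKey]]:
    """Constructed scenario: a browser allowed to the LAN is still asked about the Internet."""
    fw = ZoneAwareAppFirewall()
    ff = r"C:\Program Files\Mozilla Firefox\firefox.exe"   # assumed path
    md5 = "0123456789abcdef0123456789abcdef"              # placeholder hash
    lan_only: Prompt = lambda app, zone, role: "allow" if zone == "trusted" else "deny"
    verdicts = [
        fw.decide(Connection(ff, md5, "client", "192.168.44.2", 80), lan_only),    # prompt 1
        fw.decide(Connection(ff, md5, "client", "203.0.113.10", 443), lan_only),   # prompt 2
        fw.decide(Connection(ff, md5, "client", "192.168.44.7", 8080), lan_only),  # cached
        fw.decide(Connection(ff, md5, "server", "192.168.44.2", 5000), lan_only),  # prompt 3
        # same path, changed image: earlier answers are dropped and the user is asked again
        fw.decide(Connection(ff, "ffffffffffffffffffffffffffffffff", "client",
                             "192.168.44.2", 80), lambda app, zone, role: "deny"),  # prompt 4
    ]
    return verdicts, fw.prompts


if __name__ == "__main__":
    print(demo())
```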

Stem
April 21st, 2007, 01:41 PM
{QUOTE-> I know I can make trusted zones by hand. However, I'd like the firewall to detect the new networks and also prompt me on new connections to the trusted zone whether to allow or deny. I do NOT want an app to ask for permission to connect to the trusted zone, allow it and then the firewall to automatically allow the app to connect to the Internet zone also and then have to go in and track down the rule and edit it by hand. There's nothing wrong with the apps above, it's all about convenience.

<-QUOTE}
If you look at Jetico1, this gives what you mention. Take time to correctly check a firewall's ability. Rules within Jetico, such as "Allow outbound to Trusted zone", the trusted zone is a variable, depending on the entries within this zone (Loopback/LAN automatically entered on boot/connection,.. depending on settings)

SirDracula
April 21st, 2007, 03:29 PM
{QUOTE-> If you look at Jetico1, this gives what you mention. Take time to correctly check a firewall's ability. Rules within Jetico, such as "Allow outbound to Trusted zone", the trusted zone is a variable, depending on the entries within this zone (Loopback/LAN automatically entered on boot/connection,.. depending on settings) <-QUOTE}

I just felt Jetico offered too much and was not straightforward to configure. I like simple stuff with advanced features only when I need them. I liked the current Sunbelt Kerio to give you an idea of what I'm looking for in terms of interface and features (I turned off HIPS and application interaction though) but the thing is just too buggy, it trashed my Firefox connections for some reason. In my opinion Sunbelt had the chance to make a great firewall, along the lines of Comodo and they just blew it. Very few updates over the past year (and not that Kerio doesn't need updates because it's perfect) and it seems to be worse now than the previous versions.

Mrkvonic
April 21st, 2007, 04:49 PM
Hello,

Never had a problem with Kerio. Very solid. Trashed Firefox? Sounds severe. You should explore and see why and how and when.

Firewalls don't need weekly updates - their job is to filter traffic. Last I remember, the web protocols have not changed much in the last 15 years. So a firewall is a firewall is a firewall...

Mrk

noway
April 21st, 2007, 06:17 PM
{QUOTE-> ...In the past few years, the only software firewalls I have been (mostly) satisfied with that MIGHT meet your requirements have been:

Zonealarm Plus 4.5.594
Kerio 2.1.5
Norton Personal Firewall 2004

However, all of the above have at least one thing that bothers me. They are also all "old versions" although they are all still available in various places and are for the most part better than their newer replacements. <-QUOTE}

Just wanted to add that Zonealarm Plus can be hard to find. It is like Zonealarm Pro but with just the firewall features and the last version made as such. Its filename can be Googled, it's:

zaplusSetup_45_594_000.exe

md5 as follows http://www.toast442.org/md5/:

97a5e6f9bf810214d92d43d760907d34

(this is the 30 day trial and can be turned into the full version with a key)

SirDracula
April 21st, 2007, 06:36 PM
{QUOTE-> Just wanted to add that Zonealarm Plus can be hard to find. It is like Zonealarm Pro but with just the firewall features and the last version made as such. Its filename can be Googled, it's:

zaplusSetup_45_594_000.exe

md5 as follows http://www.toast442.org/md5/:

97a5e6f9bf810214d92d43d760907d34

(this is the 30 day trial and can be turned into the full version with a key) <-QUOTE}

Unfortunately this 4.5.594 version doesn't work on 2 computers with XP SP2 latest patches. Right after install it crashes with a BSOD and upon reboot it keeps doing the same.

It's actually not hard to find, it's right on the ZA history page:

http://download.zonelabs.com/bin/free/information/znalm/zaReleaseHistory.html

noway
April 21st, 2007, 07:01 PM
{QUOTE-> Unfortunately this 4.5.594 version doesn't work on 2 computers with XP SP2 latest patches. Right after install it crashes with a BSOD and upon reboot it keeps doing the same.

It's actually not hard to find, it's right on the ZA history page:

http://download.zonelabs.com/bin/free/information/znalm/zaReleaseHistory.html <-QUOTE}

That's the Free, not the Plus. Plus is no longer downloadable from Zonelabs. No probs for me on XPSP2, but have only installed needed patches and always wait for feedback on each one.

SirDracula
April 21st, 2007, 07:04 PM
{QUOTE-> That's the Free, not the Plus. Plus is no longer downloadable from Zonelabs. <-QUOTE}

Not true. After installing it, it asks if you want to start a trial in Pro mode or Free. Anyway, I also tried the one from betanews (the installer has the checksum you posted), and same problem.

http://fileforum.betanews.com/detail/ZoneAlarm_Plus/1023831973/2

snowbound
April 21st, 2007, 07:16 PM
{QUOTE-> Unfortunately this 4.5.594 version doesn't work on 2 computers with XP SP2 latest patches. <-QUOTE}
Works fine on mine (+ version) and has for some time (XP SP2).

snowbound

SirDracula
April 21st, 2007, 07:18 PM
{QUOTE-> Works fine on mine(+ version) and has for some time(XP SP2).
<-QUOTE}

Who knows ... maybe the installation conflicts with some latest patches or something. If you had it installed and then applied Windows patches maybe it's fine. I'm just speculating.

noway
April 21st, 2007, 07:18 PM
{QUOTE-> Not true. After installing it, it asks if you want to start a trial in Pro mode or Free. <-QUOTE}

Pro or Free does not equal Plus. Like I said, Plus is no longer downloadable from Zonelabs.

{QUOTE->
Anyway, I also tried the one from betanews (the installer has the checksum you posted), and same problem.
<-QUOTE}

Sorry about your luck.

snowbound
April 21st, 2007, 07:35 PM
{QUOTE-> Who knows ... maybe the installation conflicts with some latest patches or something. If you had it installed and then applied Windows patches maybe it's fine. I'm just speculating. <-QUOTE}
Quite possible. I've had that version of ZA+ since its release which was long before I ever installed SP2.

snowbound

dave88
April 22nd, 2007, 02:32 AM
{QUOTE-> Unfortunately this 4.5.594 version doesn't work on 2 computers with XP SP2 latest patches. Right after install it crashes with a BSOD and upon reboot it keeps doing the same. <-QUOTE}

4.5.594 works great on one of my XP boxes with all XP patches up to date.

If you have ever had a later version of ZA installed, uninstalling it leaves some traces that are not compatible with 4.5.594; they need to be removed manually before installing 4.5.594.

Instructions for complete uninstall of later versions:
http://forums.zonealarm.com/zonelabs/board/message?board.id=AllowAccess&message.id=103

SirDracula
April 22nd, 2007, 01:13 PM
{QUOTE->
If you have ever had a later version of ZA installed, uninstalling it leaves some traces that are not compatible with 4.5.594, they need to be removed manually before installing 4.5.594
<-QUOTE}

I just have no luck with it. I tried it on 2 real computers and also a VMware image, they all result in BSOD right after install. All these were clean, never had ZA before. There must be something in common that has a conflict.

I'd love to hear from others whether they can install ZA 4.5.594 on a clean XP machine with SP2 and all current updates installed first.

Meanwhile, ZA 5.5.094.000 works fine and it seems to be light enough, though it comes with a little bit of crap that I have to turn off.

noway
April 22nd, 2007, 05:11 PM
{QUOTE-> I just have no luck with it. I tried it on 2 real computers and also a VMware image, they all result in BSOD right after install.
<-QUOTE}

Have you gone to Control Panel-System-Advanced-Startup and Recovery and unchecked the option to automatically reboot after system failure and made sure that memory dump is checked? Then checked the Event Viewer (Control Panel-Administrative Tools-Event Viewer) for a description of the error?

I guess graphics drivers and other security software are some of the usual suspects.

SirDracula
April 22nd, 2007, 10:59 PM
{QUOTE-> Have you gone to Control Panel-System-Advanced-Startup and Recovery and unchecked the option to automatically reboot after system failure and made sure that memory dump is checked? Then checked the Event Viewer (Control Panel-Administrative Tools-Event Viewer) for a description of the error?

I guess graphics drivers and other security software are some of the usual suspects. <-QUOTE}

Not worth the extra trouble. If it just doesn't work right away, I can't feel good about it. ZA 5.5 is fine though.

ccsito
April 23rd, 2007, 06:15 PM
{QUOTE->
Firewalls don't need weekly updates - their job is to filter traffic. Last I remember, the web protocols have not changed much in the last 15 years. So a firewall is a firewall is a firewall...

Mrk <-QUOTE}

Well, there do seem to be concerns voiced over many posts when a program has not been updated for a lengthy period of time. It is presumed that the authors have either abandoned the program, sold it to another company which absorbed it, or gone into working on something else. Antivirus and antispyware programs are considered "obsolete" and "outdated" when they haven't been updated in a few months. I've used an older version of McAfee VirusScan for many years and haven't had any serious infection on one of my PCs. Firewalls are a slightly different creature. You wouldn't think that they need updating, but since other security functions have been added into many new programs of these types, it is expected that you need to update them as well or else it would be considered vulnerable.