8Signs Firewall v3.015


ruinebabine
August 9th, 2007, 03:31 PM
(First post here, and English is not my first language, so please don't be too hard on me if I missed any rule proper to this forum...)
8Signs has recently released a new version of their firewall (http://www.8signs.com/firewall/newin3.cfm).
I did search the forum, but this one doesn't seem very popular around here. I'm after a good packet filtering fw and, by its numerous features (http://www.8signs.com/firewall/features.cfm), this 8SignsFW seems to me a good candidate. This "Tarpits" feature is new to me, for example.

But note that it's not free, it works only inbound (outbound is no biggie for me in a firewall, anyway) and seems mainly geared for server protection and/or kinda power users. So this fw probably asks its users to already have at least a minimum grasp of networking internals...

I installed the 30-day demo last week and so far so good: lightweight, easier to configure than I thought (wizard, learning mode) and seems rock solid when pounded with the "Advanced Firewall Test" at http://www.auditmypc.com/firewall-test.asp. But considering its steep price tag ($49US), I would like to know what the current similar alternatives are, and how 8Signs compares to them. Searching the web for reviews and comparatives, I did not find much and it seems all pretty old stuff. And I did not even find a dedicated support forum...

So, what's your opinion about this firewall? Is it worth its price tag ($49 US) vs alternatives? Does it have an active user base somewhere on the web or usenet? etc...

All opinions and links appreciated.

tia

Pedro
August 9th, 2007, 10:02 PM
From what i saw when i tried it, i think it's one of the best packet filters around.
Great detail, you can look at the individual packet's properties from the log, create rules right from the log also (right clicking), tarpits (cool even though i don't see real benefit).
It can be easy to create rules for a 'not so experienced user', and advanced for the others.

It lacks pseudo SPI for UDP at least, though i was told it's on the to-do list.

I don't remember details right now, but i know you will like it. Plus it's an upgrade from the one i tried!

A small correction on your statement that it has no outbound control: it does, it just doesn't control programs.

ruinebabine
August 10th, 2007, 03:46 PM
Pedro, thanks for your reply
{QUOTE-> From what i saw when i tried it, i think it's one of the best packet filters around.
Great detail, you can look at the individual packet's properties from the log, create rules right from the log also (right clicking), tarpits (cool even though i don't see real benefit).
It can be easy to create rules for a 'not so experienced user', and advanced for the others.

It lacks pseudo SPI for UDP at least, though i was told it's on the to do list.

I don't remember details right now, but i know you will like it. Plus it's an upgrade from the one i tried! <-QUOTE}

Yes, after fine tweaking my ruleset, I can now explore and play with its numerous functionalities. And what my old PC likes most is its very small footprint (2660k).
The packet analyser is a nice touch that I had overlooked, thanks, but I would just like to be able to decipher what's in there! About its lack of "pseudo SPI for UDP", I will need to get a better understanding of it, but I seem to remember some write-up saying that SPI is more of a gadgetry when talking of UDP and ICMP protocols...

{QUOTE-> A small correction on your statement that it has no outbound control: it does, it just doesn't control programs. <-QUOTE}


Yes, you're right, indeed.

So far, 8SignsFW and SSM pro are playing nicely together on my PC. For ex., I finally updated my BOClean yesterday (v4.22.02 -> v4.25). After the install/reboot, SSM's alert told me BOC wanted to connect to my localhost (proxomitron) and 8Signs kept blocking my PC from connecting out to 74.52.200.146 on port 21 (tcp out FTP). I then right clicked this particular entry in the log, and asked to use its own included IP tracer to check what's up there. After verifying that this addy is the kosher one, I then allowed BOC to go perform its updating job from now on, by inserting 74.52.200.146 in one of my IP Group Addresses and inside an appropriate rule...


A cool feature is that we can use an option to configure this fw to block all traffic when it's not running. So my PC is secure throughout the boot process, and the same if the firewall is ever shut down or killed in any possible way.

I'm almost sold on this firewall, but I will first use the trial period to experiment with it. The only con for me is that I would have to install the infamous .NET 2.0 framework if I want to use their new external log viewer application. I will probably check it and see, because the fw is very usable without it.

Thanks
RB

Seer
August 11th, 2007, 04:26 PM
Thanks for the heads-up, ruinebabine! I'll certainly try version 3 of this little gem. Awesome packet filter, it somewhat reminds me of CHX-I. Yes, it is geared towards users that run a server on their machines (thus the price), so that explains this feature

{QUOTE-> tarpits (cool even though i don't see real benefit) <-QUOTE}

That wouldn't be of much use on an average PC where all ports are closed and "stealthed". I actually tried it for a few hours (version 2.3, a few months ago), explored rules a bit, and I would have to run it for a few days to know how stable it is (I somehow find it hard to separate from my Jetico even for a few days ;D )

{QUOTE-> I did search the forum, but this one doesn't seem very popular around here. <-QUOTE}

Yeah, pity. But it does not do well on the "leaktests", so that's the main reason :P Besides, as I said, 8Signs is for a server machine.

Cheers.

Kerodo
August 11th, 2007, 04:50 PM
{QUOTE->
Yeah, pity. But it does not do well on the "leaktests", so that's the main reason :P Besides, as I said, 8Signs is for a server machine.

Cheers. <-QUOTE}
Yep, 8Signs, like CHX-I, only handles inbound traffic, there is no outbound app control whatsoever, so in that respect, it would pretty much fail every leak-test ever invented.. :)

It's a nice firewall if all you're looking for is inbound protection. Of course, a router would render it pretty much useless; I suspect there really isn't much of a home market for 8Signs or CHX-I these days as a result.

Pedro
August 11th, 2007, 06:37 PM
True, but i can see why some people would use it on a host machine, just for the detail. Alongside something else that covers application control, for those who see a need for it (SSM, AppDefend etc).

About SPI: concerning UDP, it's not really SPI (as you seem to know), so they (some) call it pseudo. This is due to the characteristics of the UDP protocol.
Stateful firewall (http://en.wikipedia.org/wiki/Stateful_firewall)
UDP - User Datagram Protocol (http://en.wikipedia.org/wiki/Stateful_firewall)
(I think nothing substitutes the actual reading)

ruinebabine
August 12th, 2007, 01:36 PM
{QUOTE-> Yeah, pity. But it does not do well on the "leaktests", so that's the main reason :P Besides, as I said, 8Signs is for a server machine. <-QUOTE}

You're probably right on both counts, but i wonder why they make available 2 somewhat different editions, Workstation vs Server.

I would also like it if they included that "Ports Display" feature (seen at http://www.8signs.com/firewall/version_comparison.cfm) in the workstation version as well, even if there are good little freebies available for that job.

ruinebabine
August 12th, 2007, 01:52 PM
{QUOTE-> True, but i can see why some people would use it on a host machine, just for the detail. Alongside something else that covers application control, for those who see a need for it (SSM, AppDefend etc).

About SPI: concerning UDP, it's not really SPI (as you seem to know), so they (some) call it pseudo. This is due to the characteristics of the UDP protocol.
Stateful firewall (http://en.wikipedia.org/wiki/Stateful_firewall)
UDP - User Datagram Protocol (http://en.wikipedia.org/wiki/Stateful_firewall)
(I think nothing substitutes the actual reading) <-QUOTE}

Thanks, I saved that link and will read it shortly.

I was also reading that post http://www.wilderssecurity.com/showpost.php?p=1052055&postcount=43:

{QUOTE-> Got it, Stem. So that's how "pseudo-SPI" works. It only scans for packet specifications (port, IP) on a whitelist principle instead of the actual contents of a packet. This is in fact, one half of the full SPI. ;D Now I see why full SPI cannot be implemented for connectionless protocols. <-QUOTE}

Kerodo
August 12th, 2007, 02:14 PM
{QUOTE-> You're probably right on both count, but i wonder why they make available 2 somewhat different editions, Workstation vs Server.

<-QUOTE}
Here's a comparison of the 2 versions from their site, showing the OS versions supported as well as features:

http://www.consealfirewall.com/firewall/version_comparison.cfm

Seer
August 12th, 2007, 02:22 PM
Yeah Kerodo, 8Signs is one of the few firewalls that support Remote Administration.
The others being... umm... CHX-I and InJoy? I am not sure on this...

Stem
August 12th, 2007, 03:11 PM
{QUOTE-> About SPI: concerning UDP, it's not really SPI (as you seem to know), so they (some) call it pseudo. This is due to the characteristics of the UDP protocol. <-QUOTE}Yes, Pseudo SPI for UDP/ICMP. This is basically a table of outbound events by these protocols. It can, and does, protect on unsolicited inbound. As an example, some firewalls will have rules to allow inbound UDP from remote port 53; this is a possible problem. With Pseudo UDP SPI, the replies will be bound to the outbound packet and given a timeout to reply. From my last look at the 8Signs beta, they were adding this SPI to ICMP (so at that time I presume this was added already to UDP), but I have not checked with this full release yet.

Stem
August 12th, 2007, 03:17 PM
{QUOTE-> It's a nice firewall if all you're looking for is inbound protection. Course a router would render it pretty much useless, I suspect there really isn't much of a home market for 8Signs or CHX-I these days as a result. <-QUOTE}You would need to check the capability of the router SPI filter. I see a number of bad/illegal packets that are caught by filters such as Injoy/CHX (that have bypassed some of the most common routers/SPI). I admit I have not done much testing with 8Signs (yet).

Pedro
August 12th, 2007, 03:33 PM
{QUOTE-> From my last look at 8Signs beta, they where adding this SPI to ICMP (so at that time I presume this is added already to UDP), but I have not checked with this full release yet. <-QUOTE}
If i remember correctly, when i emailed them (btw, good reply, they answered everything i asked with detail and genuine concern to help), they said it was not for the next version (the current version probably), but it was on the to do list.

I would expect it on upcoming releases. :thumb:

Stem
August 12th, 2007, 03:38 PM
{QUOTE-> If i remember correctly, when i emailed them (btw, good reply, they answered everything i asked with detail and genuine concern to help), they said it was not for the next version (the current version probably), but it was on the to do list.

I would expect it on upcoming releases. :thumb: <-QUOTE}Hi Pedro,

From the beta 3.01c release {QUOTE-> Added a registry value for ICMP stateful inspection timeout. <-QUOTE} link to info http://www.8signs.com/firewall/beta.cfm

Pedro
August 12th, 2007, 03:45 PM
Thank you Stem. It seems though that it's not integrated with the GUI yet. Well it's a beta, so that will work for testing.
You know, about the only thing i don't like is the icon ;D , everything else is getting there.
I don't know why, but i think some things present in this firewall are what i would like to see in LnS, and the pseudo SPI. It would be reaching maturity imo.

Stem
August 12th, 2007, 03:52 PM
{QUOTE-> It seems though that it's not integrated with the GUI yet. Well it's a beta, so that will work for testing. <-QUOTE}I would think the SPI for ICMP (and UDP) is implemented, it is just a timeout via registry that has been added. I will try to find time to look/check on this. (A simple check: do you need to allow inbound rules for DNS?)
{QUOTE-> You know, about the only thing i don't like it is the icon ;D , everything else is getting there. <-QUOTE}I admit I did not spend a lot of time with the beta releases, but I still have a problem with the inability to bind MAC with IP.
{QUOTE-> I don't know why, but i think some things present in this firewall are what i would like to see in LnS, and the pseudo SPI. It would be reaching maturity imo. <-QUOTE}The more we learn, the more we find lacking in security software. (IMHO)

ruinebabine
August 12th, 2007, 05:48 PM
{QUOTE-> From my last look at 8Signs beta, they where adding this SPI to ICMP (so at that time I presume this is added already to UDP), but I have not checked with this full release yet. <-QUOTE}

{QUOTE-> From the beta 3.01c release link info: "Added a registry value for ICMP stateful inspection timeout." <-QUOTE}

{QUOTE-> It seems though that it's not integrated with the GUI yet. Well it's a beta, so that will work for testing. <-QUOTE}

"Pseudo SPI" is not implemented in my version 3.015 (at least no trace in the gui, nor in the help file), only TCP SPI.

I'm also curious about this new registry value because this beta (3.01c) was released on June 11th, and the actual "final" v.3.015 on August 1st. So, logically, this beta should not have it either...

ruinebabine
August 12th, 2007, 06:02 PM
{QUOTE-> I still have a problem with the inabilty to bind MAC with IP <-QUOTE}

Sorry if I miss the obvious, but I don't understand when we would need this. I thought the purpose of MAC filtering was limited to inside your own Ethernet network; outside of that the software fw should only be able to see your router's MAC address, no?

Kerodo
August 12th, 2007, 07:09 PM
{QUOTE-> You would need to check the capability of the router SPI filter. I see a number of bad/illigal packets that are caught by filters such as Injoy/CHX (that have bypassed some of the most common routers/SPI). I admit I have not done much testing with 8Signs(yet) <-QUOTE}
This is very true Stem, I have used CHX-I with my router in the past and CHX did indeed catch things that the router allowed in. Whether any of that matters practically speaking, I have no idea, but I don't really worry about it now... Actually, one might argue that CHX is just being too strict in its SPI settings or timings or whatnot, and hence it appears to be catching something when in fact it's just being overly anal about things.. I also think there is a way to adjust these settings in the registry for CHX. But I am certainly no expert in all this, that's just my impression from playing with things...

ruinebabine
August 12th, 2007, 09:28 PM
{QUOTE-> I would think the spi for ICMP (and UDP) is implimented, it is just a timeout via registry as been added. I will try to find time to look/check on this. (a simple check,.. do you need to allow inbound rules for DNS?) <-QUOTE}

Hmm yes, as every connection is blocked if not specifically permitted (like in many fws, i think).
I'm using TreeWalk, and I have a rule to allow its process ("named.exe") to connect in/out on UDP port 53. And if any other process tries to use this same port, SSM is there to ask me first.

EDIT: If i only allow outbound UDP Port 53, inbound connections back are blocked...

Stem
August 13th, 2007, 05:20 AM
{QUOTE-> Sorry if i miss the obvious, but I don't understand when we would need this. I thought the purpose of MAC filtering was limited inside your own Ethernet network, outside of that the software fw should only be able to see your router MAC address, no? <-QUOTE}With a router (or gateway) in place yes, but not everyone uses a router.

ruinebabine
August 13th, 2007, 12:17 PM
{QUOTE-> With a router (or gateway) in place yes, but not everyone uses a router. <-QUOTE}

Ah, ok.
I was wrongly thinking you were behind a router.

Pedro
August 13th, 2007, 01:23 PM
{QUOTE-> I would think the spi for ICMP (and UDP) is implimented, it is just a timeout via registry as been added. I will try to find time to look/check on this. (a simple check,.. do you need to allow inbound rules for DNS?) <-QUOTE}
You know, it's so simple and obvious, but sometimes i don't think of it when the time comes.

{QUOTE-> I admit I did not spend a lot of time with the beta releases, but I still have a problem with the inabilty to bind MAC with IP <-QUOTE}
There were a few other minor bugs i found. One that i can remember was the feature to create rules from blocked packets (right clicking a log entry), the dialog didn't recognize properly what was being blocked. Should be fixed by now.
{QUOTE->
The more we learn, the more we find lacking in security software. (IMHO) <-QUOTE}
True. But supposing the firewall reached what i meant above (+support for IPv6). Then it's just to solve bugs, vulnerabilities, adding support for less used protocols, etc.
The main functions would be there, no? ("maturity")

Stem
August 14th, 2007, 06:16 AM
I have a little more time to look at the latest release.

First, it is possible to bind IP to MAC (using the option (within a rule) to allow only trusted MAC(s)), but I have not checked this.

UDP state table (UDP Pseudo SPI) ~ not implemented.

ICMP state table (ICMP Pseudo SPI): On first look, from the ability to make the rule (for ping) outbound only, it would indicate a state table, but the lack of logging of ICMP within 8signs makes this unclear at this time. (this was just a quick setup)
Example:-
From a default installation, I have allowed 8signs to create a default ruleset, from this if we look at the ICMP rules:-

[attachment 192596: screenshot of the default ICMP rules]

There is a rule to allow "Ping others". I can set this rule for outbound only and the ping replies are allowed, but the returned packets are not logged (full logging is enabled). If I ping the PC with 8signs installed, the last block rule will block and log this, but, if I send 8signs an unsolicited ping reply, there is nothing to show if the packet is allowed or blocked. I would expect the last rule to block and log an unsolicited inbound ICMP packet, so at this time it does appear that the packet is allowed.
I will try to find time to make a better setup to check on this further.

EDIT:
While still set up, I had a quick look at the TCP SPI... this is either very bad at logging or bad at filtering.
Quick example: from an open connection I would expect bad/illegal packets (invalid flags/checksum, incorrect seq number etc.) to be filtered out and logged, but there is nothing to show this.
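
The "table of outbound events" that Stem describes in the August 12th post (replies bound to the outbound UDP packet and given a timeout), and the unsolicited-echo-reply check from the August 14th post, as an added Python example. This is illustration code written for this page; it is not 8Signs' implementation nor anything posted in the thread. The host address, remote addresses, ports, the timeout values and the one-reply-per-echo-request policy are constructed assumptions, and the verdict log stands in for the firewall log that the August 14th post found lacking for ICMP.

```python
"""Toy pseudo-SPI (state table) for connectionless protocols.

Outbound UDP datagrams and outbound ICMP echo requests create a table entry
keyed on the flow; an inbound packet is allowed only if it is the reply to a
live entry; entries expire after a timeout.  Every verdict is logged so an
unsolicited inbound packet never silently disappears.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

UDP_TIMEOUT = 30.0   # seconds a UDP flow stays open after its last packet (assumed value)
ICMP_TIMEOUT = 10.0  # seconds an echo request waits for its reply (assumed value)
ECHO_REQUEST, ECHO_REPLY = 8, 0   # ICMP type numbers (RFC 792)


@dataclass(frozen=True)
class Packet:
    proto: str              # "udp" or "icmp"
    src_ip: str
    dst_ip: str
    src_port: int = 0       # UDP only
    dst_port: int = 0       # UDP only
    icmp_type: int = -1     # ICMP only
    icmp_id: int = 0        # ICMP only: identifier field of an echo message


class PseudoSPI:
    """State table for UDP and ICMP echo on the host 'local_ip'."""

    def __init__(self, local_ip: str) -> None:
        self.local_ip = local_ip
        self.table: Dict[Tuple, float] = {}            # flow key -> expiry time
        self.log: List[Tuple[float, str, str, Packet]] = []  # (time, verdict, reason, pkt)

    @staticmethod
    def _outbound_key(p: Packet) -> Optional[Tuple]:
        if p.proto == "udp":
            return ("udp", p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        if p.proto == "icmp" and p.icmp_type == ECHO_REQUEST:
            return ("icmp", p.src_ip, p.dst_ip, p.icmp_id)
        return None  # other ICMP types keep no state in this toy

    @staticmethod
    def _reply_key(p: Packet) -> Optional[Tuple]:
        """The key that the outbound packet 'p' answers would have created."""
        if p.proto == "udp":
            return ("udp", p.dst_ip, p.dst_port, p.src_ip, p.src_port)
        if p.proto == "icmp" and p.icmp_type == ECHO_REPLY:
            return ("icmp", p.dst_ip, p.src_ip, p.icmp_id)
        return None  # an inbound echo *request* is never a reply to anything

    def _decide(self, now: float, verdict: str, reason: str, p: Packet) -> str:
        self.log.append((now, verdict, reason, p))
        return verdict

    def outbound(self, p: Packet, now: float) -> str:
        key = self._outbound_key(p)
        if key is None:
            return self._decide(now, "allow", "outbound, no state kept", p)
        self.table[key] = now + (UDP_TIMEOUT if p.proto == "udp" else ICMP_TIMEOUT)
        return self._decide(now, "allow", "outbound, state entry created", p)

    def inbound(self, p: Packet, now: float) -> str:
        key = self._reply_key(p)
        expiry = self.table.get(key) if key is not None else None
        if expiry is None:
            return self._decide(now, "block", "unsolicited inbound, no matching outbound", p)
        if now > expiry:
            del self.table[key]
            return self._decide(now, "block", "matching entry expired", p)
        if p.proto == "udp":
            self.table[key] = now + UDP_TIMEOUT   # traffic keeps a UDP flow alive
        else:
            del self.table[key]                   # assumed policy: one reply per echo request
        return self._decide(now, "allow", "reply matched state entry", p)


# Constructed addresses from the RFC 5737 documentation ranges.
LOCAL, DNS, STRANGER = "192.0.2.10", "198.51.100.53", "203.0.113.7"


def run_demo() -> PseudoSPI:
    """Replay a constructed packet sequence and return the firewall with its log."""
    fw = PseudoSPI(LOCAL)
    events = [
        ("out", Packet("udp", LOCAL, DNS, 51000, 53), 0.0),        # DNS query
        ("in",  Packet("udp", DNS, LOCAL, 53, 51000), 0.1),        # its answer
        ("in",  Packet("udp", STRANGER, LOCAL, 53, 51000), 0.2),   # unsolicited, src port 53
        ("in",  Packet("udp", DNS, LOCAL, 53, 51001), 0.3),        # wrong local port
        ("in",  Packet("udp", DNS, LOCAL, 53, 51000), 31.0),       # late answer, entry expired
        ("out", Packet("icmp", LOCAL, DNS, icmp_type=ECHO_REQUEST, icmp_id=0x1234), 40.0),
        ("in",  Packet("icmp", DNS, LOCAL, icmp_type=ECHO_REPLY, icmp_id=0x1234), 40.05),
        ("in",  Packet("icmp", DNS, LOCAL, icmp_type=ECHO_REPLY, icmp_id=0x1234), 40.1),    # duplicate reply
        ("in",  Packet("icmp", STRANGER, LOCAL, icmp_type=ECHO_REPLY, icmp_id=0x1234), 40.2),  # unsolicited reply
        ("in",  Packet("icmp", STRANGER, LOCAL, icmp_type=ECHO_REQUEST, icmp_id=7), 41.0),    # inbound ping
    ]
    for direction, pkt, t in events:
        fw.outbound(pkt, t) if direction == "out" else fw.inbound(pkt, t)
    return fw


if __name__ == "__main__":
    for t, verdict, reason, p in run_demo().log:
        print(f"t={t:6.2f} {verdict:5} {p.proto:4} {p.src_ip}:{p.src_port} -> "
              f"{p.dst_ip}:{p.dst_port} type={p.icmp_type} ({reason})")
```

The third event is the case the August 12th post warns about: a static "allow inbound UDP from remote port 53" rule would pass it, while the state table blocks it because no outbound packet created an entry for that remote host. The ninth event is the unsolicited ping reply from the August 14th test; here it is blocked and, just as importantly, logged, which is what a reader would look for in the firewall log to tell filtering from logging failures.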