Multiple Firewalls?


Kas
March 30th, 2009, 05:27 PM
I have read much of the posting re. firewalls and came across a series of posts on this Forum about GHOSTWALL. The posts dealing with this firewall were very complimentary and said many nice things. It looked highly impressive so I would like to try it.

I have Windows XP Home, SP3, IE7, OE6. My firewall is COMODO IS which is a very good "professional" type of firewall, the free edition of course. I will not dump it, since it is very comprehensive, also includes an anti-virus and defense + features.

So, a QUESTION ?
===
In engineering successive filters in series are a standard means of ultra-cleaning any fluid, be it air, gases, water, oils etc etc. including electric current and just about every other substance on Earth.

THEN - WHY SHOULD RUNNING TWO FIREWALLS OR MORE IN SERIES BE IN ANY WAY DETRIMENTAL, OR POSE ANY TECHNICAL PROBLEMS ?
GHOSTWALL + COMODO IS ?
=====

I know that SECURITY is an indeterminate commodity and you only get what you pay for. But it is also relative and subject to the law of diminishing returns.

Example - Security at Fort Knox involving a Marines battalion, Special Forces and an astronomic high-tech profile costs $Billions and is 99.999% successful. Security at my home costs little - food for my huge Alsatian dog and ammunition for that old Chinese AK47 - result 99.99%. Not bad eh ?

Hence there is nothing wrong with using FREEBIES, why pay more ?

I would like to add a million thanks to CaixFang for all the extremely comprehensive help given to me on other matters I have raised. Truly amazing !
KAS

Mem
March 30th, 2009, 06:00 PM
-{ Quote: "...In engineering successive filters in series are a standard means of ultra-cleaning ...THEN - WHY SHOULD RUNNING TWO FIREWALLS OR MORE IN SERIES BE IN ANY WAY DETRIMENTAL, OR POSE ANY TECHNICAL PROBLEMS ?
GHOSTWALL + COMODO IS ?" }-

Because the firewalls are not running in series - they are competing at the same time and same point in the network interface to do the same action. If you took all your engineering filters and mashed them together (not in series) they would leave some spaces where particles would get around the smallest filter size...

noone_particular
March 30th, 2009, 06:19 PM
Unlike physical filtering devices, there's no way to be certain that you are truly connecting them in series. There's also a big difference in how they function. An internet firewall either allows a specific traffic or it blocks it. How well it does this is solely dependent on the rules it enforces. There is nothing gained by adding another software firewall, but there is much to lose. Two firewalls trying to filter the same traffic can interact and cause all kinds of unexpected problems. Even if they get along, you're still using up resources, disk space and processor time and getting nothing in return. If those firewalls contain kernel level components, 2 can cause conflicts at a kernel level, resulting in BSODs, system lockups, and similar behaviors. You'll get much better results learning to tighten the firewall you like and taking full control over the traffic in and out of your system.

If you really want 2 firewalls, use one hardware and one software firewall.

alex_s
March 30th, 2009, 06:25 PM
-{ Quote: "So, a QUESTION ?
===
In engineering successive filters in series are a standard means of ultra-cleaning any fluid, be it air, gases, water, oils etc etc. including electric current and just about every other substance on Earth." }-

Generally this is a very bad idea. But I see no reason why you couldn't try, having good backup software :)

This is a two edge coin. From one side you can get the troubles you didn't expect to. From the other side the only valuable and true experience is experience you get as a result of your own mistakes. With "others" experience you can never be as confident as with your own one.

Kas
March 30th, 2009, 06:29 PM
-{ Quote: "Because the firewalls are not running in series - they are competing at the same time and same point in the network interface to do the same action. If you took all your engineering filters and mashed them together (not in series) they would leave some spaces where particles would get around the smallest filter size..." }-
===
Nice one Mem. In parallel eh ? Can't mash them up - they have to be one or the other, in series or parallel. So the flow either all goes through ONE, which is what I have now, or it disproportionately divides between the TWO.

That means, as the two filters are of different "mesh" i.e different data bases, what one does not stop, the other does or may stop. Either way, there is nothing lost. Two barrels are better than one.

Surely the only way they can become embroiled in a personal battle, is if they are technically and electronically incompatible, such that the electronic interplay results in a coup de grâce, which lets all of China into your living room.
KAS

JRViejo
March 30th, 2009, 06:41 PM
Kas, here it is... from the horse's mouth: Will running two firewalls together be better than one? (https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=713&nav=0,2,13)

Mem
March 30th, 2009, 06:49 PM
-{ Quote: "===
Nice one Mem. In parallel eh ? Can`t mash them up - they have to be one or the other, in series or parallel....That means, as the two filters are of different "mesh" what one does not stop, the other does or may stop. Either way, there is nothing lost. .. " }-
No they don't. You are only thinking in straight mechanical terms in your analogy but it doesn't equate to the firewall issue (Two personal firewalls do not operate in series or parallel on a PC. A router firewall and a personal firewall are operating in series.) Take your analogy a little farther - two industrial water cartridge filters of differing filter particle size that were in one stream in series, mash them down and force them into one cartridge space side by side. You now have material in the same space and time as the original filter but they are inefficient and the finest particle filter will not have all the water flowing through it. Larger particles than you would expect will get through. You have lost efficiency and effectiveness of the filtering.

Your best answer is by noone_particular - use one and learn it well.

Escalader
March 30th, 2009, 07:07 PM
Well, if you want 2 FWs in series make one a H/W Firewall and the next in series will be your S/W firewall. The H/W one is a router or something like an AlphaShield.

Kas
March 30th, 2009, 07:12 PM
-{ Quote: "Kas, here it is... from the horse's mouth: Will running two firewalls together be better than one? (https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=713&nav=0,2,13)" }-

Thanks JRV+, guess it looks grim. Mind you, a firewall provider WOULD say that, they all do, but I accept it is generally condemned as bad practice by experienced users like yourself and other members.

Not technically satisfied why, but you do not always need proof to believe. Somebody says you'll get hurt if you step in front of a train - YOU BELIEVE IT - NO PROOF NEEDED !
KAS
Ah well - looks like GHOSTWALL will have to disappear back into the ectoplasm.

JRViejo
March 30th, 2009, 07:39 PM
Kas, sorry to disappoint you. The technical point of view is that using 2 "software" firewalls ends up with driver conflicts, yet you can have your cake and eat it too, by using a router (hardware firewall) plus Comodo, thus satisfying your "2 barrels are better than one" analogy. :)

Kas
March 30th, 2009, 08:36 PM
-{ Quote: "Kas, sorry to disappoint you. The technical point of view is that using 2 "software" firewalls end up with driver conflicts, yet you can have your cake and eat it too, by using a router (hardware firewall) plus Comodo, thus satisfying your "2 barrels are better than one" analogy. :)" }-

Thanks again JRV+. All good stuff eh ? You are fast becoming an icon in my beleaguered relationship with this cyber nightmare.

Just a point, Windows XP 2002, my personal piece of aggro has a firewall which is ON all the time. Is this a kind of poor man's consolation, you know, a filter with big holes in it, or is it any good ?

Anyway, as it is ON and I have my Delta Force COMODO IS on guard, surely I AM running two firewalls in harmony at present and have been doing for ages now. What does this mean ? Am I suffering some unforeseen calamity I am not aware of ?

Do you reckon I should disable the Windows firewall ?
KAS

the Tester
March 30th, 2009, 08:53 PM
-{ Quote: "Kas, sorry to disappoint you. The technical point of view is that using 2 "software" firewalls end up with driver conflicts, yet you can have your cake and eat it too, by using a router (hardware firewall) plus Comodo, thus satisfying your "2 barrels are better than one" analogy. :)" }-

I agree with JRViejo.
The hardware + software firewall is a better choice IMO.
I can attest to the software conflict resulting from installing two software firewalls.

noone_particular
March 30th, 2009, 09:08 PM
Several years ago, I tried running 2 software firewalls. Back then, most firewalls were strictly internet traffic control software, not the combined suites with kernel level components that we have now. I used Tiny Personal Firewall and Zone Alarm. The 2 seemed to work as you were hoping for, with traffic having to be allowed by both before it could pass. Configuring the 2 was a nightmare. It wasn't always clear which one was blocking the traffic I wanted to allow. Even when I did get them configured, the double filtering noticeably slowed my internet speed. On more than one occasion, each firewall lost its entire ruleset for no obvious reason. I had to start over more times than I want to admit. Firewalls aren't like physical filters. If you have a firewall rule that blocks TCP packets to and from a certain application, it blocks 100% of those packets.

IMO, the only reason one would want to run more than one software firewall is if they didn't trust one to do the job. Multiple firewalls are for the movies. In reality, one firewall, properly configured, will filter and control traffic as well as many. I'd suggest that you direct your energy into learning the basic internet protocols, the IP address system, ports, etc, and concentrate on working with the rules of one firewall to tailor the traffic flow to exactly what you want. Properly configured, a good firewall can actually speed up your internet experience by enabling you to more efficiently use your bandwidth. Writing good firewall rules is becoming a lost art. With most firewalls being combined security suites with some form of automatic rule creation, most users have forgotten how to write strong rulesets.

JRViejo
March 30th, 2009, 10:57 PM
-{ Quote: "Just a point, Windows XP 2002, my personal piece of aggro has a firewall which is ON all the time. Is this a kind of poor man's consolation, you know, a filter with big holes in it, or is it any good ?

Anyway, as it is ON and I have my Delta Force COMODO IS on guard, surely I AM running two firewalls in harmony at present and have been doing for ages now. What does this mean ? Am I suffering some unforeseen calamity I am not aware of ?

Do you reckon I should disable the Windows firewall ?
KAS" }-
Kas, well, to answer your first question, some people dismiss the Windows Firewall as Swiss Cheese, yet Stem, one of our Firewall Moderators, has written an excellent tutorial about the Windows XP firewall (http://www.wilderssecurity.com/showthread.php?t=218517) that you should read.

I use an old 5.5.094.000 version of Zone Alarm, and as noone_particular has aptly stated, it is strictly an internet traffic control program, without any hooks into my system, yet everything I read informs me that COMODO is an excellent firewall, however, and I hope a COMODO user pipes in, I thought that COMODO automatically disabled the Win XP firewall during installation? :-\

To answer the 2nd question, no cataclysm to speak of while it's ON, but my suggestion would be to disable the Windows firewall and let COMODO protect you. :)

Sully
March 31st, 2009, 02:22 AM
I will agree that almost always running two firewalls together is bound to make things, erm, sticky.

However, that does not mean it is written in stone.

I will give you an example of 2 software firewalls that will work in unison, and have posed no problems every time I try them.

Windows XP Firewall (everyone's most favorite)
and
SoftPerfect Personal Firewall (one of my favorites)

I can and have run both together. There have never been any problems on many different machines. Rules match for either. While they are different beasts, they play well together.

Now you ask, why would you need two? Neither is really an application firewall, unable really to give much insight as to what is asking connection. XP will sort of tell you something is trying to receive or be a server, but beyond that, nothing.

And that is precisely why I use it. While I could throw up Outpost for testing purposes, I have found that using XP firewall daily is easy. When I really want protection I would use an ipsec rule anyway. So why SoftPerfect? Mainly because it is small and does not mind being installed but not run. And starting it up poses no problem. It does not hook itself in as deep as some of the larger suites today. But then it does not do near what most today do either.

I use them in tandem to test. Sometimes to block outbound if I don't want a static ipsec rule. Sometimes I use it for the log it can create. Sometimes I use it for mac rules. Sometimes I just want more resolution without stopping XP firewall to see what is happening.

If I really want to know what program is requesting outbound traffic I start SoftPerfect and then start openports.exe logging. Between these programs I can see what is going on with a new program or a new problem without needing a current 'heavy' firewall.

Just my opinion on the matter. Try it out and see if it does the same for you. Might be surprised how well they work together.

Sul.

chrisretusn
March 31st, 2009, 04:16 AM
-{ Quote: "Example - Security at Fort Knox involving a Marines battalion, Special Forces and an astronomic high-tech profile costs $Billions and is 99.999% successful. Security at my home costs little - food for my huge Alsatian dog and ammunition for that old Chinese AK47 - result 99.99%. Not bad eh ?" }-
I like your examples. :)

Security at Fort Knox. They are all working toward the same goal as a team which yields those high results. What happens when the team work breaks down, say the Marines trying to outdo the Special Forces and they the same to the Marines. Eventually something is going to give way and a breach of security occurs.

Your security. Huge Alsatian and AK47. Say you decide to beef up your security and add another huge Alsatian. If they get along great, if they don't get along not so great.

Same goes for firewalls, if they get along with each other great, if they don't not so great. Like with the dogs, you'll never really know if they will get along until they meet. :)

andyman35
March 31st, 2009, 06:25 AM
-{ Quote: "I use an old 5.5.094.000 version of Zone Alarm, and as noone_particular has aptly stated, it is strictly an internet traffic control program, without any hooks into my system, yet everything I read informs me that COMODO is an excellent firewall, however, and I hope a COMODO user pipes in, I thought that COMODO automatically disabled the Win XP firewall during installation? :-\" }-

It doesn't, at least during my experience, which is an oversight on their behalf.

Stem
March 31st, 2009, 06:39 AM
-{ Quote: "Anyway, as it is ON and I have my Delta Force COMODO IS on guard, surely I AM running two firewalls in harmony at present and have been doing for ages now. What does this mean ? Am I suffering some unforeseen calamity I am not aware of ?" }-

When looking at possible software firewall conflicts, we are (well I am) looking at 3rd party firewalls.

When a 3rd party firewall developer creates a firewall it must be compatible with the OS it is to run on, that includes it being fully compatible with the low level network drivers of that OS, which would include the network drivers of the Windows firewall; if it was not, then it would be unusable. However, 3rd party firewall developers are not going to take the time and resources to create network drivers that are compatible with other 3rd party firewalls, so conflicts can take place.


- Stem

Kas
March 31st, 2009, 06:46 AM
Hello playmates,
I have read all the replies so far and I respect and am very grateful for every one of them. They show a general pattern of opinion regarding this issue.

Bottom line - I need to know the technical reason why two firewalls cannot operate with harmony. Currently, apart from a wealth of experienced viewpoints, I am not being given a precise technical explanation. OK, I accept that everybody says that two firewalls in unison make life a pain. BUT WHY ?
Ignore what firewall suppliers say - THEY ARE SELLING the item and obviously do not want competitors to sit in the passenger seat with them.

As said earlier. I have operated with Windows/MS firewall ON and another firewall of MY choice for years with no problems. AND, so have hundreds of millions of other users globally. Most of these users are simply unaware that the Windows/MS firewall is up and running and install another firewall of their choice, just like I have.

At one time I had THREE firewalls running - Windows/MS + Zone Alarm + PCGuard (NTL) and at no time did I sense any controversial pulse fights going on between micro-chips and incoming signals. The screen did not melt with internal micro-chip conflict.

Are we simply becoming paranoid about an electronic circuit and too observant of old wives tales which is in practice not a problem at all ?

If multiple firewalls do in fact cause immense problems within our beloved PC and cause drives to engage in fisticuffs then WHY is it that millions of users do not get blasted out of their seats by this cybernetic Apocalypse ? It does not happen.
Conclusion - it does not matter about multiple firewalls, there are no ill effects.

Looks a little like saying BOO to the goose before the goose has actually pecked, simply because the goose LOOKS threatening.

If anybody can negate these argumentative and logical points, then please do so. I really want to know whether this multiple firewall prospect is simply a myth or is a safe practice.
KAS

Nebulus
March 31st, 2009, 07:21 AM
Mainly, the technical reason for not running multiple firewalls is that some of them might hook the same Windows kernel API functions and this could generate conflicts. If we lived in a perfect world, where there are no bugs or bad programmers, hooking the same kernel API could be done multiple times without problems. But because we are not living in such a perfect world, and because kernel hooking is not documented very well (or not documented at all), you can't be certain that multiple programs that hook the same function will work together well.
There are cases when you can run multiple firewalls without any conflict though. For instance, Windows XP Firewall and Kerio 2.1.5 are not hooking the same functions so they will work together very well. However, there is one more problem that arises here: for incoming packets, the NDIS part of Kerio will act first, then Windows firewall, then the TDI part of Kerio; for outgoing packets it's TDI, Win firewall, NDIS. This makes rule creation when running multiple firewalls a real nightmare.
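As an added illustration of the layer ordering Nebulus describes (this is a constructed model, not code from the thread or from any firewall), the following Python walks a packet through three stacked layers in the stated inbound order and its reverse for outbound, and reports which layer dropped it. The layer names follow the post; the rule sets, ports and rule names are assumptions made up for the example.

```python
# Constructed model of packets crossing stacked software firewalls (not a real
# firewall's code). Layer order follows Nebulus's post: inbound traffic meets
# Kerio's NDIS driver, then the Windows firewall, then Kerio's TDI driver;
# outbound traffic meets the same three layers in reverse order.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (network -> host) or "out" (host -> network)
    proto: str       # "tcp" or "udp"
    port: int        # local port for "in", remote port for "out"


@dataclass(frozen=True)
class Rule:
    name: str
    verdict: str                     # "allow" or "block"
    direction: Optional[str] = None  # None matches either direction
    proto: Optional[str] = None      # None matches any protocol
    port: Optional[int] = None       # None matches any port

    def matches(self, pkt: Packet) -> bool:
        return ((self.direction is None or self.direction == pkt.direction)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.port is None or self.port == pkt.port))


class Layer:
    """One filtering layer: first matching rule wins, otherwise the default verdict."""

    def __init__(self, name: str, rules: List[Rule], default: str = "block"):
        self.name, self.rules, self.default = name, rules, default

    def decide(self, pkt: Packet) -> Tuple[str, str]:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.verdict, rule.name
        return self.default, "default"


def make_layers() -> List[Layer]:
    """Constructed rule sets, listed in the order an INBOUND packet meets them."""
    kerio_ndis = Layer("Kerio NDIS", [
        Rule("web-server-in", "allow", "in", "tcp", 80),
        Rule("all-out", "allow", "out"),
    ])
    windows_fw = Layer("Windows firewall", [
        Rule("rdp-exception", "allow", "in", "tcp", 3389),   # allowed here only
        Rule("web-exception", "allow", "in", "tcp", 80),
        Rule("xp-no-outbound-filtering", "allow", "out"),
    ])
    kerio_tdi = Layer("Kerio TDI", [
        Rule("web-server-in", "allow", "in", "tcp", 80),
        Rule("browser-https", "allow", "out", "tcp", 443),
        Rule("dns", "allow", "out", "udp", 53),
    ])
    return [kerio_ndis, windows_fw, kerio_tdi]


def traverse(pkt: Packet, inbound_order: List[Layer]) -> dict:
    """Walk the packet through the layers in the order the host sees them.
    It passes only if every layer allows it; the first "block" ends the walk,
    so an allow rule in a later layer is never even consulted."""
    chain = inbound_order if pkt.direction == "in" else list(reversed(inbound_order))
    trace = []
    for layer in chain:
        verdict, rule = layer.decide(pkt)
        trace.append((layer.name, verdict, rule))
        if verdict == "block":
            return {"verdict": "block", "blocked_by": layer.name, "rule": rule, "trace": trace}
    return {"verdict": "allow", "blocked_by": None, "rule": None, "trace": trace}


def layers_that_block(pkt: Packet, inbound_order: List[Layer]) -> List[str]:
    """Ask every layer independently: the rule sets that would each have to change
    before this packet could pass, which is the part the thread calls a nightmare."""
    return [layer.name for layer in inbound_order if layer.decide(pkt)[0] == "block"]


if __name__ == "__main__":
    layers = make_layers()
    for pkt in (Packet("in", "tcp", 80), Packet("in", "tcp", 3389),
                Packet("out", "tcp", 443), Packet("out", "tcp", 25)):
        result = traverse(pkt, layers)
        print(pkt, "->", result["verdict"], "blocked by:", result["blocked_by"])
        for step in result["trace"]:
            print("   ", step)
        print("    rule sets to change:", layers_that_block(pkt, layers))
```

The inbound 3389 case shows the point: the Windows exception exists, but the Kerio NDIS layer drops the packet first, so the exception looks inert until two other rule sets are edited as well.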

JRViejo
March 31st, 2009, 02:13 PM
-{ Quote: "Bottom line - I need to know the technical reason why two firewalls cannot operate with harmony." }-
Kas, I believe Stem and Nebulus have both stated the technical reason as to why. However, if both your present firewalls are like two peas in a pod, why upset the apple cart, let them live together until they disagree, then get a firewall marriage counselor to intervene. ;)

JRViejo
March 31st, 2009, 02:14 PM
-{ Quote: "It doesn't, at least during my experience, which is an oversight on their behalf." }-
andyman35, thank you for confirming that COMODO does not auto disable the Win firewall. Take care.

Escalader
March 31st, 2009, 04:26 PM
-{ Quote: "It doesn't, at least during my experience, which is an oversight on their behalf." }-

During installation of any 3rd party FWs they should keep the Windows FW active until installation is completed. That is how they should behave as users don't need to lower their guard and thus security during install.

After they are installed and running, they should automatically turn the windows FW off thus avoiding the double FW conflicts discussed in this thread.

If they have a feature to turn off the FW for some reason, then they should turn the windows fw back on providing some coverage against incoming.

This seems a no brainer to me, but I'm sure I missed something.

Fly
March 31st, 2009, 04:36 PM
Sure, you can use two firewalls (besides routers).

You just need two computers.

Computer 1: entirely dedicated to the software firewall. All connections to the internet go through this machine.

Computer 2: the computer you use for work, to visit the internet, where you're running your security software, including a firewall.

Connect both computers by cable/wire.

It's possible.

Kas
March 31st, 2009, 09:46 PM
Hi everybody who has responded to this thread.

I would like to thank you all for a very thorough, technically explanatory and dedicated response. The subject has been covered very well indeed and I am satisfied with the variety of comments made.

Obviously, the overwhelming opinion is that more than ONE firewall is bad news and I accept the general explanations given for this.

My COMODO IS serves me 100% and I will keep it until such time that an equivalent or better prospect arises - that could take some considerable time.

I will as suggested, disable my Windows firewall and see what happens.
A comment was made rather sarcastically and extremely patronising about this thread that it was a "no brainer".
I can only point out that on the contrary it is a complicated electronic issue quite commonly raised globally that even the most knowledgeable expert finds it difficult to explain.

If it IS a "no brainer" then we must join that universally exclusive fraternity of many hundreds of millions of users, engineers and technicians who obviously have "no brain".

My condolences to half the world's Internet users who do use two firewalls and do not even know it - Windows + A.N.Other

Again I thank every one of you.
KAS

Escalader
April 1st, 2009, 09:05 AM
-{ Quote: "Hi everybody who has responded to this thread.

I would like to thank you all for a very thorough, technically explanatory and dedicated response. The subject has been covered very well indeed and I am satisfied with the variety of comments made.

Obviously, the overwhelming opinion is that more than ONE firewall is bad news and I accept the general explanations given for this.

My COMODO IS serves me 100% and I will keep it until such time that an equivalent or better prospect arises - that could take some considerable time.

I will as suggested, disable my Windows firewall and see what happens.
A comment was made rather sarcastically and extremely patronising about this thread that it was a "no brainer".
I can only point out that on the contrary it is a complicated electronic issue quite commonly raised globally that even the most knowledgeable expert finds it difficult to explain.

If it IS a "no brainer" then we must join that universally exclusive fraternity of many hundreds of millions of users, engineers and technicians who obviously have "no brain".

My condolences to half the world's Internet users who do use two firewalls and do not even know it - Windows + A.N.Other


Again I thank every one of you.
KAS" }-


Hey Kas:

I was the guy with the "no brainer" comment. In context I was alluding to the turning on and off of the windows FW feature during and after installation NOT the whole thread as you unfortunately assumed.

FWIW your thread was interesting!

crofttk
April 1st, 2009, 01:06 PM
-{ Quote: "===
... Either way, there is nothing lost. Two barrels are better than one.
..." }-

That depends. In series, it will cost you pressure drop, in parallel it will cost you efficiency since you're not staging. Same applies metaphorically for the PC context.

fax
April 2nd, 2009, 02:45 AM
-{ Quote: "..... overwhelming opinion ....KAS" }-

Opinion? It is not simply an opinion, it is factually the case, and the technical reasoning behind it has been presented.
Insisting on it will not change a fact... :P

Cheers,
Fax

Kas
April 3rd, 2009, 10:35 AM
I give in, please be gentle with me.

Fully accepted ; more than ONE firewall is bad news.

All that stuff about series and parallel, which I am quite conversant with - Yes buddy I know that series filters result in lower pressure, it is all a question of resistance, but it is done in practice to achieve a more pure substance. Booster pumps are provided if need be.

Don't tell me about engineering. The comparison was just an analogy.

I have disabled my Windows firewall and am running on COMODO IS alone.

I thank you all for your contributions and kindness in replying to my thread.
KAS

Stem
April 3rd, 2009, 10:57 AM
Hi Kas,

If you want to run the Windows firewall alongside a 3rd party firewall, then why not. As I put forward earlier in this thread, 3rd party firewall developers will ensure that there are no driver conflicts with the Windows firewall.
What should be avoided is installing 2 3rd party firewalls; for example, if you were to install ZA and Comodo, then the chances are you will get BSOD due to driver conflicts.


- Stem

crofttk
April 3rd, 2009, 12:05 PM
-{ Quote: "...Don't tell me about engineering. The comparison was just an analogy.
..." }-

Nothing in here about engineering. YOU stated the analogy and I only extended it to say there IS A COST to having two firewalls, it will chew up your CPU time and system functionality, the way MORE THAN THE ECONOMIC amount of filtration will needlessly chew up your horsepower. It's overkill, period. So just forget about the analogy and read what others have posted. I'm done, not going to continue the maintenance contract.

Sully
April 3rd, 2009, 03:09 PM
-{ Quote: "there IS A COST to having two firewalls, it will chew up your CPU time and system functionality," }-
I disagree. I do believe though you stretched that statement beyond what can be concluded without solid proof.

Given the right combination, I don't believe it will chew up cpu time or system functionality.

Incorrect combination, I would agree that your assessment is very likely. But so many different combinations of hardware/software available, only testing will reveal it.


Sul.

Kerodo
April 3rd, 2009, 04:17 PM
-{ Quote: "I disagree. I do believe though you stretched that statement beyond what can be concluded without solid proof.

Given the right combination, I don't believe it will chew up cpu time or system functionality.

Incorrect combination, I would agree that your assessment is very likely. But so many different combinations of hardware/software available, only testing will reveal it.


Sul." }-
I would say that with 2 firewalls there is at least double (redundant) filtering that is unnecessary and to that extent it's wasting resources. How much is another story. Even a router with the XP firewall is redundant and wasting cpu cycles, but is there any practical impact? Probably not.

Sully
April 3rd, 2009, 05:23 PM
-{ Quote: "I would say that with 2 firewalls there is at least double (redundant) filtering that is unnecessary and to that extent it's wasting resources. How much is another story. Even a router with the XP firewall is redundant and wasting cpu cycles, but is there any practical impact? Probably not." }-
Too true. But can we really look at it as redundant and wasting resources? After all, how many 'security' or 'network' related programs do many peeps use? What is the overlap? Do we consider that redundant and wasteful? I would say most call it 'layering' of security. Yet you can probably find combinations where they 'overlap', or do the same thing, but in a different manner. Much like using 2 firewalls together that don't oppose each other.

I don't argue the principle that 2 firewalls may not give you anything extra, but I don't see how 2 firewalls that probably operate (or must) differently are any different than having 2 resident hips/ids/nids etc etc.

Do you?

Sul.

noone_particular
April 3rd, 2009, 11:00 PM
In a layered package, each app serves a unique purpose. They're selected and configured to support and complement each other. Each provides a function the others don't. Overlap is kept to a minimum. Installing 2 firewalls, HIPS, file integrity checkers, etc is building a pile of security apps, not building a layered package.

crofttk
April 3rd, 2009, 11:21 PM
-{ Quote: "I disagree. I do believe though you stretched that statement beyond what can be concluded without solid proof.

Given the right combination, I don't believe it will chew up cpu time or system functionality.

Incorrect combination, I would agree that your assessment is very likely. But so many different combinations of hardware/software available, only testing will reveal it.


Sul." }-

No, I have no proof for you, Sul. Perhaps the way you read what I said was a stretch for you - if so, I take responsibility for the imprecise wordsmithing.

My "assessment" was more on what had come before in the thread combined with a little analogizing. Based on what the experts said, there can be a cost. I don't think the odds are in Kas' favor that the cost will be justified.

I'm not an expert, so I'll try to overcome the impulse to participate and antagonize Kas any further. *puppy*


P.S. And, no, I won't "tell you about engineering", even though I'm "conversant" in fluid dynamics, hydraulics, and process economics and optimization, simply because this is neither an engineering thread nor an engineering forum.

Kerodo
April 3rd, 2009, 11:55 PM
-{ Quote: "In a layered package, each app serves a unique purpose. They're selected and configured to support and complement each other. Each provides a function the others don't. Overlap is kept to a minimum. Installing 2 firewalls, HIPS, file integrity checkers, etc is building a pile of security apps, not building a layered package." }-
Yep, I would agree with this, well said. :thumb:

Redundancy (and overlap) needs to be kept to a minimum. Installing 2 of something for the same task implies that you don't trust either one of them to do the job. If not, then get rid of the ones you don't trust, and put in something you do trust. A layered approach means layers of different kinds of security apps that together will hopefully cover the whole situation, not layers of the same thing like layers of paint.

Sully
April 4th, 2009, 12:17 AM
Fair enough. I would agree that 2 of the same thing would not be layered. However, let us say in respect to this firewall conversation, that most likely (I would hope) one would use 2 because they would complement each other. Take for example the combo that I have used often. XP firewall with no real outbound, and SoftPerfect with much more granular control. Router, XP, SP, that makes 3 inbound packet filters. But, you can allow all inbound and only monitor outbound. True, you could install one 3rd party firewall.

But now you must ask yourself (if you are fanatically resource stingy) if xp firewall and softperfect (as an example) were to only consume 2-3% cpu cycles and only 12mb ram (if you can trust how much xp fw is using, hard to do), under heavy packet load, that is not much. Toss in most major firewalls, and you will probably be above that. Most I have tried are definitely above that. And often, under same loads, the 3rd party firewall is doing sooo much it is using more cpu cycles than the xp/sp combo.

So now, which is more efficient? As always, user preference and hardware/software dependent.

Funny though, I have tried so many firewalls, and so many combinations. I have run tests myself to try and see, under load, light load, whatever, what each firewall does. How multiple firewalls do. What if you run wireshark or tdimon, or even constant ping, how does that affect the system with X brand firewall under X percent load. Things like that, useless really, but still interesting to know. So I pose these questions not to say 'you are wrong' etc, but to say, evidence is inconclusive. Generalizations at best. If there were an all-inclusive 'official' test, we would know.

When I see absolutes thrown about with computers, or indeed anything electronic, or even hydraulic ;) I can't help but think of all the 'anomalies' to the absolute I have found over the years.

BTW, @crofttk, do you really know a lot about fluid dynamics? A very sincere question I would like to know.

Sul.

crofttk
April 4th, 2009, 12:23 AM
-{ Quote: "...BTW, @crofttk, do you really know a lot about fluid dynamics? A very sincere question I would like to know." }-Enough to size a control valve without cavitation, restriction orifices that stay subcritical, relief valves that don't allow equipment to rupture, and have developed a proprietary reactor feed flow distribution device, but I can't run Fluent and am not a CFD expert. I guess whether that's a lot depends on what you know about it. ;)

Sully
April 4th, 2009, 12:32 AM
That is very nice to know. Having to apply it myself at times, much respect going your way. Flow is full of anomalies, I find.

Sul.

crofttk
April 4th, 2009, 12:53 AM
-{ Quote: "That is very nice to know. Having to apply it myself at times, much respect going your way. Flow is full of anomalies, I find.

Sul." }-Indeed, anomalies keep it interesting and make for lifelong learning. :thumb:

Kas
April 4th, 2009, 11:16 AM
-{ Quote: "...I'm not an expert, so I'll try to overcome the impulse to participate and antagonize Kas any further.

P.S. And, no, I won't "tell you about engineering", even though I'm "conversant" in fluid dynamics, hydraulics, and process economics and optimization, simply because this is neither an engineering thread nor an engineering forum." }-

Hi Crofty,
Luv ya dialogue and WOW all that vast engineering experience, breathtaking - Gee man, how on Earth did you manage to learn all that complicated scientific stuff in only one lifetime ?

Fluid dynamics and all that jazz! I've spent a whole life messing around with that, plus of course those other elementary subjects like Advanced Mathematics, Thermodynamics, Structural Science, Stress Analysis, Guided Weapon design and God knows what else. All to degree standard.

But, alas all that is gone now, I get my kicks from irrelevant chatter on Forums. Much more exciting and infinitely less demanding.

Are you trying to impress us ? OK, we are impressed.

OH, go on please! Antagonise me more, I love the adulation.
KAS

crofttk
April 4th, 2009, 11:27 AM
Grow up, I was talking to Sully.

Stem
April 4th, 2009, 11:27 AM
Hello,

Please keep on topic.

If you want to chat about engineering, then please find an appropriate forum, or you can chat via PM.


- Stem

Kas
April 4th, 2009, 12:11 PM
-{ Quote: "Hello,

Please keep on topic.

If you want to chat about engineering, then please find an appropriate forum, or you can chat via PM.

- Stem" }-

WELL DONE CHIEF, KEEP US ON TRACK. I PROBABLY CHANGED THE POINTS OVER UNINTENTIONALLY - SORRY.
KAS

noone_particular
April 4th, 2009, 07:19 PM
-{ Quote: "However, let us say, in respect to this firewall conversation, that most likely (I would hope) one would use 2 because they would complement each other. Take for example the combo that I have used often. XP firewall with no real outbound, and SoftPerfect with much more granular control. Router, XP, SP, that makes 3 inbound packet filters." }-
The router doesn't qualify as a software firewall or a packet filter. The firewall in a router protects the entire network, not just the one PC unless that's all there is. Routers and hardware firewalls are not generally aware of individual apps on a PC.

I haven't used SoftPerfect but I see no advantage to leaving the XP firewall running with it. No matter what combination of software firewalls is used, they all use CPU power to process the individual packets each one filters. I don't see where there is anything to be gained by running more than one software firewall. I definitely wouldn't do it just to make use of some extra feature that one has and the other doesn't. If that "feature" is really that important, use an app that's designed just for that purpose. I'd like to see an example where 2 firewalls complement each other more than they duplicate each other's coverage.

Sully
April 5th, 2009, 02:37 AM
-{ Quote: "The router doesn't qualify as a software firewall or a packet filter. The firewall in a router protects the entire network, not just the one PC unless that's all there is. Routers and hardware firewalls are not generally aware of individual apps on a PC.

I haven't used SoftPerfect but I see no advantage to leaving the XP firewall running with it. No matter what combination of software firewalls is used, they all use CPU power to process the individual packets each one filters. I don't see where there is anything to be gained by running more than one software firewall. I definitely wouldn't do it just to make use of some extra feature that one has and the other doesn't. If that "feature" is really that important, use an app that's designed just for that purpose. I'd like to see an example where 2 firewalls complement each other more than they duplicate each other's coverage." }-

We all do have a different point of view. A router running a *nix mini OS is a packet filter. True, it is not aware of apps, but the definition of a firewall does not have to include apps at all. A firewall in its truest sense is capable of blocking incoming or outgoing packets or both. A router these days definitely falls into that category, as does iptables and ipsec. Term the word 'firewall' what you will, but I see them as firewalls.

I did not say there was really an advantage to using softperfect. But I did say the two play well together. And I also said if you can gauge what is happening by cpu usage and the different memory usage specs, that xpfw and sp together have less usage than some larger 3rd-party firewalls that are popular today.

To put this into context, using xpfw as an inbound firewall is simple with little resources used. Sometimes you wish to know more than what xpfw tells you. You can run wireshark or tdimon, or other tools. Or, since softperfect and xpfw play well together, you can use SP to get more info. Many times I have it running alongside xpfw, to see a finer resolution. To make rules and see what is happening, and sometimes to see what xpfw can do in certain situations.

Regardless of why someone wants to use 2 firewalls, it can be done. While not a software engineer, I have spent my fair share of time using a computer. I cannot say whether or not running 2 is as bad as you might say, but I can say that I know how to tell when a program puts a load on a system. Comodo for instance puts way more of a load on systems I have tested, than using xpfw and softperfect.

But in the end, unless you have some sort of absolute fact, it is your preference and opinion that using more than 1 firewall is absurd. That's cool. I can see where you are coming from. But I don't agree 100%.

Sul.
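The distinction the posts above keep circling, an inbound-only packet filter (the XP firewall as Sully describes it) versus one that also has outbound rules (the "granular control" attributed to SoftPerfect), can be made concrete with a small stateful filter model. This is an added illustration, not code from any poster or from either product; the model, the `HostFilter` class and the sample traffic (documentation-range addresses) are all assumptions constructed here.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str    # "in" = arriving from the network, "out" = leaving this host
    proto: str        # "tcp" or "udp"
    remote: str       # remote address (constructed documentation-range values)
    remote_port: int
    local_port: int

class HostFilter:
    """Simplified model of a host packet filter (assumed model, not any product's
    engine). Inbound is default-deny unless the packet answers a flow this host
    opened or targets an explicitly allowed local port. Outbound is allowed
    unless an outbound deny rule matches, which is what 'granular outbound
    control' adds over an inbound-only filter."""

    def __init__(self, inbound_allow=(), outbound_deny=()):
        self.inbound_allow = set(inbound_allow)    # local ports open to anyone
        self.outbound_deny = set(outbound_deny)    # (proto, remote_port) blocked
        self.flows = set()                         # flows initiated from here

    def decide(self, p: Packet) -> str:
        flow = (p.proto, p.remote, p.remote_port, p.local_port)
        if p.direction == "out":
            if (p.proto, p.remote_port) in self.outbound_deny:
                return "drop"
            self.flows.add(flow)        # remember it so replies can come back
            return "allow"
        if flow in self.flows:          # reply to a connection we started
            return "allow"
        if p.local_port in self.inbound_allow:
            return "allow"
        return "drop"                   # unsolicited inbound

# Constructed sample traffic (documentation-range addresses, not real hosts).
SAMPLE = [
    ("web request", Packet("out", "tcp", "203.0.113.5", 80, 50000)),
    ("web reply", Packet("in", "tcp", "203.0.113.5", 80, 50000)),
    ("unsolicited SMB", Packet("in", "tcp", "198.51.100.9", 4444, 445)),
    ("outbound SMTP", Packet("out", "tcp", "198.51.100.7", 25, 50001)),
]

def run(filt: HostFilter) -> dict:
    """Push the sample through one filter and return label -> decision."""
    return {label: filt.decide(p) for label, p in SAMPLE}

def compare() -> dict:
    """Inbound-only filter versus one that also enforces an outbound rule."""
    return {"inbound_only": run(HostFilter()),
            "with_outbound": run(HostFilter(outbound_deny={("tcp", 25)}))}
```

Both filters drop the unsolicited inbound packet and pass the reply to the flow the host opened; only the one with an outbound rule stops the outbound SMTP connection, which is the coverage an inbound-only filter never had.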