Wilders Security Forums  

  #1  
Old April 12th, 2012, 09:24 PM
elstupido elstupido is offline
Infrequent Poster
 
Join Date: Apr 2012
Location: seattle,wa.
Posts: 14
Default Private fw for the non tweeker?

I am running Win 7 64 with Chrome, WinPatrol and Sandboxie off of a standard user account. So would it be enough protection to leave PFW at default levels since I'm not a tweaker? Also, would the HIPS end up conflicting with WinPatrol?
Thanks for the help.
  #2  
Old April 13th, 2012, 01:05 AM
HKEY1952 HKEY1952 is offline
Frequent Poster
 
Join Date: Jul 2009
Location: HKEY/SECURITY/ (value not set)
Posts: 638
Default Re: Private fw for the non tweeker?

Quote:
Originally Posted by elstupido
I am running Win 7 64 with Chrome, WinPatrol and Sandboxie off of a standard user account. So would it be enough protection to leave PFW at default levels since I'm not a tweaker? Also, would the HIPS end up conflicting with WinPatrol?
Thanks for the help.
Welcome To Wilders Security Forums elstupido!

We can get you started using Privatefirewall by first introducing you to the User Guide.
The User Guide should answer most of your questions.
Take note of page thirty (30) of the User Guide: Privatefirewall Settings

Privatefirewall Version 7 User Guide .pdf by Privacyware:
-http://www.privacyware.com/PF_User_Guide.pdf

Yes, the default settings of Privatefirewall should provide efficient firewall security and protection.

Other Wilders Security Members using the Google Chrome Web Browser, WinPatrol, and Sandboxie in combination with
Privatefirewall can better answer those questions for you.


May God Bless and Good Luck be with you!


HKEY1952
  #3  
Old April 13th, 2012, 01:16 AM
Rilla927 Rilla927 is offline
Very Frequent Poster
 
Join Date: May 2005
Posts: 1,620
Default Re: Private fw for the non tweeker?

I beg to differ. This FW is sitting wide open just like OutPost. You have to know how to tweak it to close the holes.
__________________
~Rilla927~
  #4  
Old April 13th, 2012, 01:42 AM
HKEY1952 HKEY1952 is offline
Frequent Poster
 
Join Date: Jul 2009
Location: HKEY/SECURITY/ (value not set)
Posts: 638
Default Re: Private fw for the non tweeker?

Quote:
Originally Posted by Rilla927
I beg to differ. This FW is sitting wide open just like OutPost. You have to know how to tweak it to close the holes.
The simplest and most reliable firewall rule is to allow all outbound traffic and block all inbound traffic.

The default setting for Privatefirewall by Privacyware is to: Filter Internet Traffic (page four (4) of user guide)
The default setting allows for Internet access while maintaining maximum protection from incoming intrusion attempts.

In regards to Agnitum Outpost.....well.....there is simply nothing to defend there, Outpost is a superior firewall,
right out of the box.


HKEY1952
  #5  
Old April 13th, 2012, 09:00 AM
Kees1958 Kees1958 is offline
Massive Poster
 
Join Date: Jul 2006
Posts: 5,857
Default Re: Private fw for the non tweeker?

Easiest would be to use the default Levels of PFW. WinPatrol really is a barking puppy compared to the solid watchdog PFW is, de-install WP is my advice.

PFW + Standard (Limited) User + Sandboxie + Chrome =

HIPS + OS-protection + Application Virtualisation + Policy Containment (they call it a sandbox at Google)

= 4x times protected on the internet (Chrome+SBIE+LUA+PFW), 3 times on other threat entry gates (SBIE+LUA+PFW), 2x times on Admin space (LUA+PFW), 1x on user space (PFW)

= enough, have not heard of a malware which is able to take these hurdles IMO

Last edited by Kees1958 : April 13th, 2012 at 11:02 AM.
  #6  
Old April 13th, 2012, 09:22 AM
Blues7 Blues7 is offline
Frequent Poster
 
Join Date: May 2009
Location: Blue Ridge Mountains
Posts: 640
Default Re: Private fw for the non tweeker?

Nice post, Kees!
__________________
Blues

Real-Time: ★ Emsisoft Internet Security ★ Sandboxie ★

On-Demand: ★ Drive Snapshot / Macrium Reflect ★ Shadow Defender ★
  #7  
Old April 13th, 2012, 10:48 AM
elstupido elstupido is offline
Infrequent Poster
 
Join Date: Apr 2012
Location: seattle,wa.
Posts: 14
Default Re: Private fw for the non tweeker?

Thanks everyone, I think I'll take your advice, Kees.
  #8  
Old April 13th, 2012, 04:39 PM
bellgamin bellgamin is offline
Very Frequent Poster
 
Join Date: Aug 2002
Location: Hawaii
Posts: 5,202
Default Re: Private fw for the non tweeker?

Quote:
Originally Posted by Kees1958
WinPatrol really is a barking puppy compared to the solid watchdog PFW is
I agree. In fact I would go further & call WP a toothless, barking puppy.
__________________
Primo freebeez: TinyWatcher POP Peeper Kalender
  #9  
Old April 14th, 2012, 10:32 AM
kupo kupo is offline
Frequent Poster
 
Join Date: Jan 2011
Posts: 935
Default Re: Private fw for the non tweeker?

Quote:
Originally Posted by bellgamin
I agree. In fact I would go further & call WP a toothless, barking puppy.
Especially if it's under the use of a Standard User Account
__________________
Do not feed the trolls!
  #10  
Old April 14th, 2012, 10:33 AM
kupo kupo is offline
Frequent Poster
 
Join Date: Jan 2011
Posts: 935
Default Re: Private fw for the non tweeker?

Quote:
Originally Posted by Kees1958
Easiest would be to use the default Levels of PFW. WinPatrol really is a barking puppy compared to the solid watchdog PFW is, de-install WP is my advice.

PFW + Standard (Limited) User + Sandboxie + Chrome =

HIPS + OS-protection + Application Virtualisation + Policy Containment (they call it a sandbox at Google)

= 4x times protected on the internet (Chrome+SBIE+LUA+PFW), 3 times on other threat entry gates (SBIE+LUA+PFW), 2x times on Admin space (LUA+PFW), 1x on user space (PFW)

= enough, have not heard of a malware which is able to take these hurdles IMO
After reading this, it makes me want to install PFW
__________________
Do not feed the trolls!
  #11  
Old April 15th, 2012, 04:04 AM
Rilla927 Rilla927 is offline
Very Frequent Poster
 
Join Date: May 2005
Posts: 1,620
Default Re: Private fw for the non tweeker?

Quote:
Originally Posted by HKEY1952
The simplest and most reliable firewall rule is to allow all outbound traffic and block all inbound traffic.

The default setting for Privatefirewall by Privacyware is to: Filter Internet Traffic (page four (4) of user guide)
The default setting allows for Internet access while maintaining maximum protection from incoming intrusion attempts.

In regards to Agnitum Outpost.....well.....there is simply nothing to defend there, Outpost is a superior firewall,
right out of the box.


HKEY1952

You must not read Stem's instructions then! Oh, I forgot, I don't think he has previewed PF; but it doesn't matter anyway because the same thing that was taught (OutPost Thread, there are two) goes for all firewalls. FW's out of the box Stem has ruled on what should be blocked and shouldn't be depending if you have other PC's that use that network. Any FW will try to sell you on the default settings; it's whether you know it or not yourself. When I used it the manual didn't say that.

I used to use PF and I would have to go through every setting with my modem shut off (to make sure it would not connect) and disable 99% of the stuff that was not needed. And yes, the FW worked fine; it didn't blow up! All I was trying to say was any FW I tried had to be modified heavily in order for it to be safe to use.
__________________
~Rilla927~

Last edited by Rilla927 : April 15th, 2012 at 05:07 AM.
  #12  
Old April 17th, 2012, 10:14 PM
HKEY1952 HKEY1952 is offline
Frequent Poster
 
Join Date: Jul 2009
Location: HKEY/SECURITY/ (value not set)
Posts: 638
Default Re: Private fw for the non tweeker?

Quote:
Originally Posted by Rilla927
I used to use PF and I would have to go through every setting with my modem shut off (to make sure it would not connect) and disable 99% of the stuff that was not needed. And yes, the FW worked fine; it didn't blow up! All I was trying to say was any FW I tried had to be modified heavily in order for it to be safe to use.
I have contemplated on this, and here is my assessment.

My ideal in regards to network and computer security is based on effective security. If the security implementation,
whether it be hardware or software, mitigates the attack surface it is designed for, then that implementation is
effective security for the targeted attack surface. The security tools must of course be manufactured and coded by
a reputable vendor.

Effective network security starts at the network's edge.

The first and most important security implementation is a reliable, reputable, and effective firewall router to be
positioned at the network's edge, even if the network consists of only one computer. In other words, the modem is the edge
device of the network, the router is positioned behind the modem at the network's edge, acting as the gateway between
the local area network and the wide area network (the Internet). The computers and other devices are positioned
behind the protection of the router.

The local area network can be considered, and configured, as a trusted network when protected by a router.

The wide area network must be considered, and configured, as an untrusted network even in the absence of a router.

The router's sole purpose is to protect the local area network from the wide area network in two ways.

One, the router uses network address translation (NAT), meaning, the Internet side of the router displays to the
World only the Internet Provider's assigned IP Address of the client to the wide area network. The router uses non
routable IP Addresses for the local area network, meaning, non routable IP Addresses will not work on the Internet.

Two, the router's firewall is a hardware firewall designed to stop most of the common threats traveling inbound from
the wide area network through the modem. Without getting into details, such as: Block Anonymous Internet Requests,
Filter Multicast, Filter Internet NAT Redirection, Filter IDENT (Port 113), and more.

The second and most important security implementation is a reliable, reputable, and effective software firewall
to be installed on every computer in the local area network.

As I have stated:
"The simplest and most reliable firewall rule is to allow all outbound traffic and block all inbound traffic"

The Microsoft Windows 'Windows Firewall' by default:
Allows all outbound traffic and blocks all inbound traffic.
Is configured to trust the local area network.

So the Microsoft Windows 'Windows Firewall' together with a router, is effective security.



So now let's install a third party firewall solution, Privatefirewall by Privacyware.

Privatefirewall by default:
Allows for Internet access while maintaining maximum protection from incoming intrusion attempts.
Is configured to trust the local area network.

So Privatefirewall by Privacyware together with a router, is effective security.

It is irrelevant if Privatefirewall allows program 'X' outbound Internet access.
It is irrelevant if the ninety nine percent of the 'stuff' you disabled is enabled or not.
The most effective security in regards to firewall security is to block all inbound traffic.


Speculating from the words in your Quote, your network does not appear to be behind a firewall router, that missing
security variable would and does have a major effect in regards to effective network security. No software firewall
alone is effective network security without a router.


HKEY1952
  #13  
Old April 18th, 2012, 08:14 AM
Stem Stem is offline
Firewall Expert
 
Join Date: Oct 2005
Location: UK
Posts: 4,948
Default Re: Private fw for the non tweeker?

Quote:
Originally Posted by HKEY1952
The local area network can be considered, and configured, as a trusted network when protected by a router.
I cannot agree on such a blanket statement. There are other considerations, such as having control of what is/can be installed, what security is in place on the other nodes on LAN.

Quote:
Originally Posted by HKEY1952
The simplest and most reliable firewall rule is to allow all outbound traffic and block all inbound traffic
That would block all Internet access.
I presume you are referring to "Block all unsolicited inbound"?
So is the "Unsolicited inbound" only unsolicited if from the WAN? or would unsolicited also refer to unsolicited from other Nodes on LAN? Would a viri infection from one node on LAN propagating to your node be classed as unsolicited, or would it be classed as solicited due to rules allowing all from trusted LAN?


Quote:
Originally Posted by HKEY1952
So Privatefirewall by Privacyware together with a router, is effective security.
So are you inferring that Privatefirewall without it being behind a router is ineffective?

Quote:
Originally Posted by HKEY1952
the router's firewall is a hardware firewall
It is still a software firewall. It is just software on dedicated hardware.

Quote:
Originally Posted by HKEY1952
No software firewall alone is effective network security without a router.
Sorry, but that is total nonsense.


From my own point of view, there have been too many firewall vendors putting out inadequate packet filtering firewalls (far too concentrated on leak test prevention, and containing malware on the PC rather than stopping it getting there in the first place), so then put forward the "need" for a router.
If a vendor's firewall requires a router to protect it, then the firewall is sadly lacking.

All IMHO of course.

- Stem
  #14  
Old April 18th, 2012, 09:05 AM
moontan moontan is offline
Massive Poster
 
Join Date: Sep 2010
Location: Québec
Posts: 3,177
Default Re: Private fw for the non tweeker?

Quote:
Originally Posted by elstupido
I am running Win 7 64 with Chrome, WinPatrol and Sandboxie off of a standard user account. So would it be enough protection to leave PFW at default levels since I'm not a tweaker? Also, would the HIPS end up conflicting with WinPatrol?
Thanks for the help.

If you are a "non tweaker" I would stay with the standard Win 7 firewall.

it gets the job done.
__________________
| Xubuntu || NoScript || Image for Linux + BootIt Bare Metal |
  #15  
Old April 18th, 2012, 07:25 PM
Seven64 Seven64 is offline
Frequent Poster
 
Join Date: May 2011
Posts: 265
Default Re: Private fw for the non tweeker?

Quote:
Originally Posted by Stem
From my own point of view, there have been too many firewall vendors putting out inadequate packet filtering firewalls (far too concentrated on leak test prevention, and containing malware on the PC rather than stopping it getting there in the first place), so then put forward the "need" for a router.
If a vendor's firewall requires a router to protect it, then the firewall is sadly lacking. All IMHO of course. - Stem

Give your opinion on the recommended firewalls to use, since you're the "Firewall Expert". Spread the knowledge, isn't that what we're here for?
  #16  
Old April 18th, 2012, 09:07 PM
HKEY1952 HKEY1952 is offline
Frequent Poster
 
Join Date: Jul 2009
Location: HKEY/SECURITY/ (value not set)
Posts: 638
Default Re: Private fw for the non tweeker?

One not having the understanding between the differences of an Outbound Connection and an Inbound Connection and
how those two separate connections are initiated and carried out explains the misunderstanding most people have
in regards to firewall rules. Such as the misunderstanding that was exposed here.
Quote:
Originally Posted by HKEY1952
The simplest and most reliable firewall rule is to allow all outbound traffic and block all inbound traffic.
Quote:
Originally Posted by Stem
That would block all Internet access.
No, it would not block all Internet access.

The only TRAFFIC blocked would be TCP TRAFFIC DATA STREAMS traversing INBOUND, WITHIN AN INITIATED INBOUND CONNECTION from a remote system or server that is not part of the Local Area Network.



The Transmission Control Protocol (TCP) is BIDIRECTIONAL, therefore, in an individual unique manner, the TCP flow:
for INITIATED Outbound Connections will exist both components, outbound and inbound TCP TRAFFIC data streams.
INITIATED Inbound Connections will also exist both components, outbound and inbound TCP TRAFFIC data streams.

Outbound CONNECTIONS are INITIATED by the local system.
Inbound CONNECTIONS are INITIATED by a remote system.

In other terms:
Outbound CONNECTIONS are INITIATED from an source on the LAN to the WAN.
Inbound CONNECTIONS are INITIATED from an source on the WAN to the LAN.

Both LAN to WAN and WAN to LAN INITIATED CONNECTIONS, each individually exist internal BIDIRECTIONAL TCP TRAFFIC,
outbound and inbound TCP TRAFFIC data streams, within the respective INITIATED CONNECTION.

TCP TRAFFIC, outbound and inbound data streams, within the INITIATED Outbound Connection from the higher security
interface, the Local Area Network, to the lower security interface, the Internet, WILL NOT BE BLOCKED.

TCP TRAFFIC, outbound and inbound data streams, within the INITIATED Inbound Connection from the lower security
interface, the Internet, to the higher security interface, the Local Area Network, WILL BE BLOCKED.



There are two security interfaces of a firewall, the higher security interface and the lower security interface.

The higher security interface is always the inside interface, the Local Area Network.

The lower security interface is always the outside interface, the Wide Area Network.

Outbound Connections, or states, are allowed, except those specifically denied by Access Control Lists (ACLs)
Inbound Connections, or states, are denied, except those specifically allowed by Access Control Lists (ACLs)

An Outbound Connection, is a connection where the originator, or client, is on a higher security interface than
the receiver or server, that is on the lower security interface, LAN to WAN.

An Inbound Connection, is a connection where the originator, or client, is on a lower security interface than
the receiver or server, that is on the higher security interface, WAN to LAN.

All Internet Control Message Protocol (ICMP) packets are denied unless specifically permitted.

Any attempts to circumvent the above rules are dropped.



The policy rules of the Access Control List is an expression of the information that is allowed to flow through the network.
As an example, the Access Control List policy states:

If the data stream was INITIATED by someone on the INSIDE, (the higher security interface = LAN) Let it pass.
If the data stream was INITIATED by someone from the OUTSIDE (the lower security interface = WAN) Block it.

When an Outbound Connection is INITIATED, from the Local Area Network, to the Internet, TCP TRAFFIC returning to
that INITIATED Outbound Connection is allowed to traverse back from the lower security interface to the higher
security interface through that INITIATED Outbound Connection, via the BIDIRECTIONAL properties of the Transmission
Control Protocol (TCP). THE RETURNING INBOUND TCP DATA STREAM WILL NOT BE BLOCKED.



Example of the BIDIRECTIONAL Communications for an INITIATED OUTBOUND CONNECTION:
When an Internet Browser opens a Web page, the process involves a "dance" between the Internet Browser, on the
higher security interface, and the Server, on the lower security interface.

First, through the INITIATED Outbound Connection of the Internet Browser, there is a "handshake", TCP TRAFFIC,
(outbound and inbound data streams) between the Internet Browser and the Server to initialize the connection.

Then a "get", TCP TRAFFIC, (outbound data stream) request from the Internet Browser to the Server to specify the
data being requested.

Then a "response", TCP TRAFFIC, (inbound data stream) from the Server back to the Internet Browser through the
Internet Browser's INITIATED Outbound Connection, to say if the data is available, then followed by the actual data
itself being transferred back to the Internet Browser, through the Internet Browser's INITIATED Outbound Connection,
TCP TRAFFIC, (inbound data stream) to the Internet Browser.

The firewall rule of the Access Control List Policy, Allows All Outbound Traffic, and the Web page is displayed in
the Internet Browser.

The firewall rule of the Access Control List Policy, Blocks All Inbound Traffic, and the Web page WOULD BE BLOCKED
if the Server attempted to send the data to the Internet Browser through an INITIATED Inbound Connection that was
NOT INITIATED by the Internet Browser itself but INITIATED by the Server itself that is located outside of the Local
Area Network in the lower security interface of THE WIDE AREA NETWORK.


EDIT: clarity


HKEY1952

Last edited by HKEY1952 : April 19th, 2012 at 03:17 AM.
  #17  
Old April 19th, 2012, 06:39 AM
Stem Stem is offline
Firewall Expert
 
Join Date: Oct 2005
Location: UK
Posts: 4,948
Default Re: Private fw for the non tweeker?

Quote:
Originally Posted by HKEY1952
One not having the understanding between the differences of an Outbound Connection and an Inbound Connection and
how those two separate connections are initiated and carried out explains the misunderstanding most people have
in regards to firewall rules. Such as the misunderstanding that was exposed here.
You did not mention connections. You put forward:-
Quote:
Originally Posted by HKEY1952
block all inbound traffic.
Quote:
Originally Posted by HKEY1952
No, it would not block all Internet access.
Blocking all inbound traffic would also block all inbound solicited (replies).

Quote:
Originally Posted by HKEY1952
The only TRAFFIC blocked would be TCP TRAFFIC DATA STREAMS traversing INBOUND, WITHIN AN INITIATED INBOUND CONNECTION from a remote system or server that is not part of the Local Area Network.

Data streams within an initiated inbound connection! If you have initiated inbound streams, that means the 3 way handshake has been allowed and connection made.

You are referring to blocking inbound SYN packets. The TCP SYN packet is the first packet for the initialization (3 way handshake) of a connection.
For a firewall to determine a packet that is currently within an initiated inbound or outbound traffic stream, it would need to keep track of TCP sequence numbers. There are no Windows firewalls (that I have seen mentioned on this forum) that currently do that (well, not for the full stream).

Any of the firewalls mentioned on this forum, I can easily send an unsolicited inbound stream simply by spoofing the IP/ports. They will allow the traffic based on IP/port and only filter out TCP SYN packets based on rule. (edit: That is an unsolicited inbound stream sent down a current outbound connection, which would also bypass most routers)


- Stem

Last edited by Stem : April 19th, 2012 at 07:15 AM.
  #18  
Old April 19th, 2012, 12:28 PM
datarishik datarishik is offline
Regular Poster
 
Join Date: May 2010
Posts: 182
Default Re: Private fw for the non tweeker?

I'm only a noob when it comes to Firewall, but this is getting interesting: didn't really expect someone trying to counter Stem, who has years of knowledge and expertise on ins and outs of Firewall, on a respectable forum such as wilderssecurity.

@HKEY1952: With all due respect, it would be in the interest of the community, if you could provide valid reasons or evidence in support of your conclusion.

On a side note, I'm of the belief that one's expertise cannot span every subject area in the world, and that's why we have experts. Thanks.
  #19  
Old April 19th, 2012, 01:02 PM
fax fax is offline
Very Frequent Poster
 
Join Date: May 2005
Posts: 2,582
Default Re: Private fw for the non tweeker?

I think some users here, orange or not, are a bit picky on wording being used. You seem both right and broadly on the same line but with some slightly different English style and degree of precision in the definition used with little flexibility in understanding each other.

So relax, it's not a PhD in firewall communication but a nice exchange of approaches to security.
Maybe if you will move to actual implementation into PFW things will be clearer

Cheers,
Fax

Last edited by fax : April 19th, 2012 at 01:12 PM.
  #20  
Old April 19th, 2012, 01:42 PM
datarishik datarishik is offline
Regular Poster
 
Join Date: May 2010
Posts: 182
Default Re: Private fw for the non tweeker?

Here's what I found regarding Internet Connection Firewall (ICF) on Microsoft Technet:

Quote:
How ICF Works

ICF is considered a stateful firewall. To prevent unsolicited traffic from the public side of the connection from entering the private side, ICF keeps a table of all communications that have originated from the ICF computer. When used in conjunction with ICS, ICF tracks all traffic that has originated from the ICF/ICS computer and all traffic that has originated from private network computers. ICF compares all inbound traffic from the Internet against entries in the table. ICF allows inbound Internet traffic to reach the computers in your network only when there’s a matching entry in the table that shows that the communication exchange originated from your computer or private network.
  #21  
Old April 19th, 2012, 02:45 PM
Stem Stem is offline
Firewall Expert
 
Join Date: Oct 2005
Location: UK
Posts: 4,948
Default Re: Private fw for the non tweeker?

Hi fax,

sorry, I missed your edit.

Quote:
Originally Posted by fax
So relax, it's not a PhD in firewall communication but a nice exchange of approaches to security.
I agree it is not PhD, however, firewall rules are very specific. If you set a rule to "block all inbound", then that is exactly what it will do, unless the firewall is buggy or badly implemented.

Quote:
Originally Posted by fax
Maybe if you will move to actual implementation into PFW things will be clearer
I will see if I can find time tomorrow.
I could always set a rule to "block all inbound" and see if it works.

- Stem
  #22  
Old April 19th, 2012, 02:53 PM
fax fax is offline
Very Frequent Poster
 
Join Date: May 2005
Posts: 2,582
Default Re: Private fw for the non tweeker?

No problem Stem. I think it's more about the other users to show the implementation of rule in practice than you trying it. You are right about your strict interpretation of "block all incoming". However also the other contributors could be right. All boils down to the way this is implemented in the referenced software firewalls. Probably just a small misunderstanding around the term "ALL".
  #23  
Old April 19th, 2012, 03:03 PM
Stem Stem is offline
Firewall Expert
 
Join Date: Oct 2005
Location: UK
Posts: 4,948
Default Re: Private fw for the non tweeker?

Hi fax,

In most cases a firewall will by default "block all inbound TCP SYN packets"(or as most would term it "block all inbound connections"), which is what I believe is actually being referred to by others.


- Stem
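
The readings of "block all inbound" argued over in posts #16 to #23, modelled side by side as an added example that is not part of any poster's message: a literal drop of every inbound packet, a stateless filter that drops only inbound SYNs, and an ICF-style table of locally originated flows, with and without the sequence tracking mentioned in post #17. The addresses, ports and sequence numbers are constructed, and the filter functions are hypothetical models, not the behaviour of Privatefirewall or any other named product.

```python
from dataclasses import dataclass

LOCAL = "192.168.1.10"   # constructed LAN host
WEB = "203.0.113.5"      # constructed server the host connects to
OTHER = "198.51.100.7"   # constructed unrelated remote host


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset
    seq: int = 0
    length: int = 0


def is_inbound(p):
    return p.dst == LOCAL


def literal_block_all_inbound(p):
    """Strict reading: every inbound packet is dropped, replies included."""
    return not is_inbound(p)


def block_inbound_syn(p):
    """Stateless reading: drop only inbound connection openers (SYN, no ACK)."""
    return not (is_inbound(p) and p.flags == {"SYN"})


class StatefulFilter:
    """Table of locally originated flows. With track_seq=True an inbound
    segment must also fall inside a receive window of the tracked stream."""

    def __init__(self, track_seq=False, window=65535):
        self.track_seq = track_seq
        self.window = window
        self.flows = {}  # (local ip, port, remote ip, port) -> next remote seq

    def allow(self, p):
        if not is_inbound(p):
            self.flows.setdefault((p.src, p.sport, p.dst, p.dport), None)
            return True
        key = (p.dst, p.dport, p.src, p.sport)
        if key not in self.flows:
            return False                  # nothing local asked for this
        if not self.track_seq:
            return True                   # address/port match is enough
        expected = self.flows[key]
        if expected is None:              # first reply must be the SYN/ACK
            if p.flags != {"SYN", "ACK"}:
                return False
            self.flows[key] = (p.seq + 1) % 2**32
            return True
        offset = (p.seq - expected) % 2**32
        if offset >= self.window:
            return False                  # right ports, wrong place in stream
        if offset == 0:
            self.flows[key] = (expected + p.length) % 2**32
        return True


def F(*names):
    return frozenset(names)


# Constructed trace: one browser connection, then packets nobody asked for.
TRACE = [
    Packet(LOCAL, 50000, WEB, 80, F("SYN"), seq=500),               # 1 open
    Packet(WEB, 80, LOCAL, 50000, F("SYN", "ACK"), seq=1000),       # 2 reply
    Packet(LOCAL, 50000, WEB, 80, F("ACK"), seq=501),               # 3 ack
    Packet(WEB, 80, LOCAL, 50000, F("ACK"), seq=1001, length=100),  # 4 data
    Packet(WEB, 80, LOCAL, 50000, F("ACK"), seq=900000000, length=100),  # 5 same ports, out of window
    Packet(OTHER, 4444, LOCAL, 8080, F("SYN"), seq=7),              # 6 unsolicited SYN
    Packet(OTHER, 4444, LOCAL, 8080, F("ACK"), seq=8),              # 7 unsolicited non-SYN
]


def compare():
    """Per-packet verdict (True = passed) for each policy over TRACE."""
    policies = {
        "literal block all inbound": literal_block_all_inbound,
        "block inbound SYN only": block_inbound_syn,
        "state table (addresses/ports)": StatefulFilter().allow,
        "state table + sequence window": StatefulFilter(track_seq=True).allow,
    }
    return {name: [allow(p) for p in TRACE] for name, allow in policies.items()}


if __name__ == "__main__":
    for name, row in compare().items():
        print(f"{name:30}", ["pass" if ok else "DROP" for ok in row])
```

Packets 2 and 4 are the replies a browser needs, so the literal rule breaks the connection; packets 5 and 7 show what each of the looser policies still lets through.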
  #24  
Old April 19th, 2012, 03:10 PM
sparviero sparviero is offline
Regular Poster
 
Join Date: Apr 2009
Posts: 88
Default Re: Private fw for the non tweeker?

Block all inbound firewall rule is very simple: Block any, any, any... or -A INPUT -j DROP, this blocks all packets.

Ok, since read more than two lines becomes a problem, read only this:

http://www.wilderssecurity.com/showp...1&postcount=26

Be careful on this: allows inbound traffic only when communication exchange originated from your computer, more simple you can not say. (one line)

Now actually end up here, I do not want to feed FTT.
__________________
We secure the world ;-)
  #25  
Old April 19th, 2012, 06:44 PM
bellgamin bellgamin is offline
Very Frequent Poster
 
Join Date: Aug 2002
Location: Hawaii
Posts: 5,202
Default Re: Private fw for the non tweeker?

Stem - I have been (& still am) a long-time follower of your excellent advice concerning firewalls. I have just two suggestions:

1- don't feed the trolls.

2- illegitimi non carborundum.
__________________
Primo freebeez: TinyWatcher POP Peeper Kalender
 

All times are GMT -4.