Wilders Security Forums  

  #401  
Old April 19th, 2012, 03:53 PM
ultim ultim is offline
Frequent Poster
 
Join Date: Oct 2011
Posts: 206
Default Re: Beta-testing TinyWall

Jarmo P:
Autolearn gives full rights to unknown applications at the moment to ensure that an auto-learned application will work for sure even if it uses randomized ports. But yes, basically it can be made more secure without losing functionality. I'll see if I can make it more secure for 2.0 (depends on how many changes it needs, if the risk of introducing new bugs is too high, I'll leave it for later).

I couldn't fully understand your other problem with Holdem Manager, can you try formulating it once more please?

Seven64:
About fixing VPN, I'm a bit short on spare time these days (and I'm doing TinyWall in my spare time) but I'll try to make a fixed release soon.
  #402  
Old April 21st, 2012, 05:55 AM
Jarmo P Jarmo P is offline
Frequent Poster
 
Join Date: Aug 2005
Posts: 473
Default Re: Beta-testing TinyWall

I meant it would be great if it is possible with Autolearn mode to differentiate between allowing outgoing and incoming listening connections instead of both as I see now. The ports I could not care less in a firewall control designed for basic users in a learning mode.

The Holdem Manager was just a story Karoly I wanted you to hear. Keep on the good spare time work in this, think it already is fine as it is I think.
__________________
Avast free, Firefox NoScript extension and internet applications "inside" Sandboxie.

Last edited by Jarmo P : April 21st, 2012 at 03:23 PM.
  #403  
Old April 21st, 2012, 11:46 AM
Melf Melf is offline
Regular Poster
 
Join Date: Sep 2010
Posts: 103
Default Re: Beta-testing TinyWall

For "smart" learning mode I agree with Jarmo, the ports don't matter, just the IPs/domains. e.g. if Microsoft Excel likes to connect to www.microsoft.com this would be fine with me no matter what the port.... but if some script later makes it connect on the same port but to www.virus.ru, we'd have a problem
  #404  
Old April 21st, 2012, 03:14 PM
SirDrexl SirDrexl is offline
Frequent Poster
 
Join Date: Apr 2012
Location: USA
Posts: 206
Default Re: Beta-testing TinyWall

Quote:
Originally Posted by skudo12
If the user still wants to have web protection, he could use Comodo DNS, Norton DNS, or Open DNS. Disable the webshield of Avast and enable the other Avast shields. Now with that you still have the protection of Avast and the security of other company without the added overhead in using system resources of your computer.

I was under the impression that Avast's web shield was for scanning files as they download. Would a different DNS replace that?
  #405  
Old May 1st, 2012, 06:56 PM
Seven64 Seven64 is offline
Frequent Poster
 
Join Date: May 2011
Posts: 254
Default Re: Beta-testing TinyWall

It would be nice to post the progress of TinyWall, either positive or negative.
Thanks.
  #406  
Old May 3rd, 2012, 04:57 AM
ultim ultim is offline
Frequent Poster
 
Join Date: Oct 2011
Posts: 206
Default Re: Beta-testing TinyWall

Sorry for no updates in a long time. This week I had my most difficult exam in my whole studies (I'm at the end, pretty much all that's left is my final thesis) and I was occupied by learning for it. Add that to my other mandatory responsibilities that I have in my student-organization, and I had zero time (or more like negative) left.

Anyway, that stress is now over and the RC shouldn't be long due. The only thing "in the way" is me going home for the weekend, but I might be able to solve even that. (I do have a laptop but the development environments on my laptop and on my main computer have diverged quite a bit).

So to sum up, stay tuned...
  #407  
Old May 3rd, 2012, 06:21 AM
Jarmo P Jarmo P is offline
Frequent Poster
 
Join Date: Aug 2005
Posts: 473
Default Re: Beta-testing TinyWall

Thx for your reply, myself I am like wtf whenever something changes in my life. But if you absolutely must then keep them adjustments Karoly, we love you!

Jarmo
__________________
Avast free, Firefox NoScript extension and internet applications "inside" Sandboxie.
  #408  
Old May 3rd, 2012, 11:13 AM
EboO EboO is offline
Frequent Poster
 
Join Date: Mar 2011
Posts: 287
Default Re: Beta-testing TinyWall

Good luck for your exam
__________________
Wait and See
  #409  
Old May 3rd, 2012, 09:17 PM
kupo kupo is offline
Frequent Poster
 
Join Date: Jan 2011
Posts: 918
Default Re: Beta-testing TinyWall

Good luck! It's one reason why I don't join organizations in my university, it takes away my time.
  #410  
Old May 7th, 2012, 02:11 PM
ultim ultim is offline
Frequent Poster
 
Join Date: Oct 2011
Posts: 206
Default Re: Beta-testing TinyWall

Hello Everybody!

Here are the fruits of my latest work. Changelog for 1.9.5 follows.

- Avoid unnecessary inbound rules while auto-learning
- Do not create firewall exceptions for local communication while auto-learning
- Profile updates for antivirus software
- Memory savings and faster rule merging in service
- Fix: Broken VPN support
- Fix: Accessibility issues

The VPN fix has been long due but there are also some other interesting changes. First of all, the memory usage improvements are impressive in this build, I've managed to shave off almost 5MB of dynamic memory usage. Two other changes improve the security of auto-learned rules. First, inbound rules are only created if an app actually received an inbound connection request, otherwise it will be learned as outgoing only. This improves security of applications that act only as clients. Second, since Windows Firewall is incapable of filtering local-to-local connections anyway, TinyWall will not create exceptions anymore for applications whose both communication endpoints are on the local machine. This means applications will not get exceptions if they are not trying to get out of the machine even if they communicate over the network stack, which makes sense. This also improves security.

The last thing is, there have been some changes to improve support for accessibility, like better support for screen readers, making sure that everything is accessible using keyboard-only, correcting tab-order and so on. The reason is, I've received note that unlike other firewalls, TinyWall can be used very well for example by blind people, but there were still a few things to be adjusted to make it even better in this respect. So I am now announcing that I intend not to forget these users and I will try to keep TinyWall accessible to them in the future.

To update to the latest version, get it from http://tinywall.pados.hu/download.php (bottom of page). If you are using 1.9.3 or newer you can just install the new one and it will update while keeping your settings. If you use a pre-1.9.3 version, be absolutely sure that you've uninstalled it first before installing this one. Starting from the *next* version, I am enabling automatic updates.
  #411  
Old May 7th, 2012, 04:36 PM
Seven64 Seven64 is offline
Frequent Poster
 
Join Date: May 2011
Posts: 254
Default Re: Beta-testing TinyWall

Update (Vpn) working fine, thanks.
Question, setting browser for maximum security (Http(s) client) is this correct?
Attached Images
 
  #412  
Old May 7th, 2012, 05:56 PM
ultim ultim is offline
Frequent Poster
 
Join Date: Oct 2011
Posts: 206
Default Re: Beta-testing TinyWall

Quote:
Originally Posted by Seven64
Question, setting browser for maximum security (Http(s) client) is this correct?

Yes, that should be fine for most websites, assuming you are not using some kind of proxy or tor. You might also get some problems on a small number of streaming-media sites. But unless you see problems, the settings you show are a very good starting point.
  #413  
Old May 7th, 2012, 06:56 PM
Seven64 Seven64 is offline
Frequent Poster
 
Join Date: May 2011
Posts: 254
Default Re: Beta-testing TinyWall

What about PeerBlock, what ports is "Out TCP *"?

Thanks.
Attached Images
 
  #414  
Old May 8th, 2012, 01:42 AM
ultim ultim is offline
Frequent Poster
 
Join Date: Oct 2011
Posts: 206
Default Re: Beta-testing TinyWall

Quote:
Originally Posted by Seven64
What about PeerBlock, what ports is "Out TCP *"?

Thanks.

An asterisk means "all ports". So your picture means that peerblock is allowed to make outgoing TCP connections to all ports.
  #415  
Old May 8th, 2012, 09:46 AM
Jarmo P Jarmo P is offline
Frequent Poster
 
Join Date: Aug 2005
Posts: 473
Default Re: Beta-testing TinyWall

Quote:
To update to the latest version, get it from http://tinywall.pados.hu/download.php (bottom of page). If you are using 1.9.3 or newer you can just install the new one and it will update while keeping your settings. If you use a pre-1.9.3 version, be absolutely sure that you've uninstalled it first before installing this one. Starting from the *next* version, I am enabling automatic updates.

I had some problems with Avast sandboxing the tinywall.exe. I downloaded the file and executed it. Then tinywall.exe or something got put into a sandbox. Then I repaired the install from control panel. But no tinywall icon. So I removed the Tinywall from windows control panel and installed again, this time no problems.

Now it seems to work great. There is no cumulative damage done I hope?

I noticed there was also the update button on 1.9.4 Manage/Maintenance panel, but is that for the program update or some white listing updates?
__________________
Avast free, Firefox NoScript extension and internet applications "inside" Sandboxie.
  #416  
Old May 8th, 2012, 10:20 AM
lordraiden lordraiden is offline
Very Frequent Poster
 
Join Date: Jan 2006
Posts: 2,195
Default Re: Beta-testing TinyWall

Hi, I have been using today the latest version 1.9.5, I have noticed that the learning mode creates the rules always allowing all the traffic.
It would be nice if the learning mode would be able to create the specific rules allowing only the connections that the programs have established during the learning mode period.
Is this possible?

What does the option "prompt for exception details" do?
__________________
Comodo Internet Security (No AV)
ZeroVulnerabilityLabs ExploitShield | Trusteer Rapport | TrueCrypt | EMET | Secunia PSI
Firefox: Addon security and privacy collection: https://addons.mozilla.org/en-us/fir...den/favorites/
  #417  
Old May 8th, 2012, 10:43 AM
kupo kupo is offline
Frequent Poster
 
Join Date: Jan 2011
Posts: 918
Default Re: Beta-testing TinyWall

When you whitelist something, instead of using the default rule, a window will pop-up for you to "fine-tune" the rule.
  #418  
Old May 8th, 2012, 01:17 PM
ultim ultim is offline
Frequent Poster
 
Join Date: Oct 2011
Posts: 206
Default Re: Beta-testing TinyWall

Quote:
Originally Posted by Jarmo P
I had some problems with Avast sandboxing the tinywall.exe. I downloaded the file and executed it. Then tinywall.exe or something got put into a sandbox. Then I repaired the install from control panel. But no tinywall icon. So I removed the Tinywall from windows control panel and installed again, this time no problems.

Now it seems to work great. There is no cumulative damage done I hope?

I noticed there was also the update button on 1.9.4 Manage/Maintenance panel, but is that for the program update or some white listing updates?

There shouldn't be any "cumulative damage". Sandboxing should prevent exactly that. In general, trying to sandbox a security app is always a bad idea. But a reinstall outside the sandbox should solve it.
  #419  
Old May 8th, 2012, 01:18 PM
ultim ultim is offline
Frequent Poster
 
Join Date: Oct 2011
Posts: 206
Default Re: Beta-testing TinyWall

Quote:
Originally Posted by lordraiden
Hi, I have been using today the latest version 1.9.5, I have noticed that the learning mode creates the rules always allowing all the traffic.
It would be nice if the learning mode would be able to create the specific rules allowing only the connections that the programs have established during the learning mode period.
Is this possible?

That's a very old option. It will make TinyWall pop up the exception's settings dialog whenever you whitelist something.

Quote:
Originally Posted by lordraiden
Hi, I have been using today the latest version 1.9.5, I have noticed that the learning mode creates the rules always allowing all the traffic.
It would be nice if the learning mode would be able to create the specific rules allowing only the connections that the programs have established during the learning mode period.
Is this possible?

No, not possible. TinyWall as of 1.9.5 will create two kinds of auto-learned rules. For programs that do not accept connections it will allow only but any outbound traffic, for programs that have also been connected to during learning mode it will also allow incoming traffic. There is no possibility to create stricter rules based on ports, remote machines etc in the learning mode.
  #420  
Old May 8th, 2012, 01:22 PM
ultim ultim is offline
Frequent Poster
 
Join Date: Oct 2011
Posts: 206
Default Re: Beta-testing TinyWall

Quote:
Originally Posted by skudo12
When you whitelist something, instead of using the default rule, a window will pop-up for you to "fine-tune" the rule.

Make sure "prompt for exception details" is disabled in the options.
  #421  
Old May 10th, 2012, 06:35 AM
ultim ultim is offline
Frequent Poster
 
Join Date: Oct 2011
Posts: 206
Default Re: Beta-testing TinyWall

I've passed the exam! Thank you for wishing me good luck!
  #422  
Old May 11th, 2012, 01:23 AM
EboO EboO is offline
Frequent Poster
 
Join Date: Mar 2011
Posts: 287
Default Re: Beta-testing TinyWall

Congratulations
__________________
Wait and See
  #423  
Old May 11th, 2012, 02:15 AM
alexandrud alexandrud is offline
Frequent Poster
 
Join Date: Apr 2011
Posts: 595
Default Re: Beta-testing TinyWall

Quote:
Originally Posted by ultim
For programs that do not accept connections it will allow only but any outbound traffic, for programs that have also been connected to during learning mode it will also allow incoming traffic.

Windows Firewall contains already pop-ups for relevant software in case they need inbound connections. Like Skype, Internet Explorer, uTorrent, etc. You should not create inbound rules for any of the programs. 98% of the programs that a user uses will not even require inbound connections to be allowed. Why should an application be opened to connect to it from outside?
__________________
You can visit us at http://binisoft.org
  #424  
Old May 11th, 2012, 05:22 AM
ultim ultim is offline
Frequent Poster
 
Join Date: Oct 2011
Posts: 206
Default Re: Beta-testing TinyWall

Quote:
Originally Posted by alexandrud
Windows Firewall contains already pop-ups for relevant software in case they need inbound connections. Like Skype, Internet Explorer, uTorrent, etc. You should not create inbound rules for any of the programs. 98% of the programs that a user uses will not even require inbound connections to be allowed. Why should an application be opened to connect to it from outside?

First, this only happens in the auto-learning mode, so it is not the default behavior of TinyWall. The goal of this learning mode is to make sure that programs that want to access the internet work correctly, so creating inbound rules is a must for server programs. When entering the learning mode, users already get a warning dialog about the dangers of this mode.

Second, when TinyWall is installed, there are no firewall popups at all. So you cannot argue that Windows Firewall already has popups for this case.

Third, it is still more secure than the Windows Firewall popup, because Windows Firewall wants to create an inbound rule whenever an application starts listening for connections. TinyWall will only create inbound rules if there has actually been at least one inbound connection. TinyWall will not create inbound rules if an application listens without actually receiving at least one connection.
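
The auto-learn behaviour described in posts #410, #419 and #424, modelled as an added example (this is not TinyWall's code and not part of any post): local-to-local traffic yields no exception, an inbound rule needs at least one accepted connection, and listening alone yields nothing. The event fields, app names and addresses are constructed assumptions.

```python
# Added illustration, not TinyWall code. Event fields, app names and the
# "outbound first, inbound only after an accepted connection" model are
# assumptions drawn from the posts' description of 1.9.5 auto-learning.
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    app: str           # executable name
    kind: str          # "listen", "connect_out" or "accept_in"
    local: str = ""    # local endpoint IP (empty for "listen")
    remote: str = ""   # remote endpoint IP (empty for "listen")

def is_local(ip, own_addrs):
    """True for loopback addresses and for addresses this machine owns."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr in own_addrs

def learn_rules(events, host_ips):
    """Map each app to the directions an auto-learned rule would allow."""
    own = {ipaddress.ip_address(ip) for ip in host_ips}
    rules = {}
    for ev in events:
        if ev.kind == "listen":
            continue   # listening alone never produces a rule
        if is_local(ev.local, own) and is_local(ev.remote, own):
            continue   # both endpoints on this machine: no exception
        allowed = rules.setdefault(ev.app, {"out"})
        if ev.kind == "accept_in":
            allowed.add("in")   # an inbound connection actually arrived
    return rules

def listen_triggered(events):
    """Apps for which a listen-triggered policy would offer an inbound rule."""
    return {ev.app for ev in events if ev.kind == "listen"}

# Constructed sample events (documentation address ranges, made-up app names).
HOST_IPS = ["192.168.1.10"]
SAMPLE = [
    Event("client.exe", "connect_out", "192.168.1.10", "203.0.113.5"),
    Event("idle.exe", "listen"),
    Event("devserver.exe", "listen"),
    Event("devserver.exe", "accept_in", "127.0.0.1", "127.0.0.1"),
    Event("selftalk.exe", "connect_out", "192.168.1.10", "192.168.1.10"),
    Event("p2p.exe", "listen"),
    Event("p2p.exe", "accept_in", "192.168.1.10", "198.51.100.7"),
]

if __name__ == "__main__":
    for app, allowed in sorted(learn_rules(SAMPLE, HOST_IPS).items()):
        print(app, sorted(allowed))
    print("listen-triggered:", sorted(listen_triggered(SAMPLE)))
```

In this model three apps listen, but only the one that received a connection from another machine ends up with an inbound allowance.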
  #425  
Old May 11th, 2012, 06:06 AM
alexandrud alexandrud is offline
Frequent Poster
 
Join Date: Apr 2011
Posts: 595
Default Re: Beta-testing TinyWall

Quote:
Originally Posted by ultim
First, this only happens in the auto-learning mode, so it is not the default behavior of TinyWall. The goal of this learning mode is to make sure that programs that want to access the internet work correctly, so creating inbound rules is a must for server programs. When entering the learning mode, users already get a warning dialog about the dangers of this mode.

Yes, for programs that want to access the internet. Not for programs from the internet that try to access your computer.

Quote:
Originally Posted by ultim
Second, when TinyWall is installed, there are no firewall popups at all. So you cannot argue that Windows Firewall already has popups for this case.

But, why would need TinyWall accepting inbound connections to my computer?

Quote:
Originally Posted by ultim
Third, it is still more secure than the Windows Firewall popup, because Windows Firewall wants to create an inbound rule whenever an application starts listening for connections. TinyWall will only create inbound rules if there has actually been at least one inbound connection. TinyWall will not create inbound rules if an application listens without actually receiving at least one connection.

Svchost.exe listens a lot and receives hundreds of inbound connections. Will you automatically create an inbound rule to allow everything for svchost.exe? How do you handle this case?

In my opinion, creating inbound rules is a wrong thing. Even torrent clients don't require inbound rules for them. It is the developers' task to design their applications to fit with Windows and also with Windows Firewall.

I have a question. If the rules list is blocked and the rules cannot be deleted or modified from WFwAS, when you install a new program, like uTorrent, which has a checkbox where users allow it to auto-register itself with Windows Firewall, can this installer register a new rule or is it denied by TinyWall?

Nice work with TinyWall. It is good to have competition.
__________________
You can visit us at http://binisoft.org
All times are GMT -4.