Beta-testing TinyWall

[ultim]

Hello, I am looking for people to help test my Windows Firewall controller, "TinyWall", freeware.

So, how is TinyWall different?
- Deliberately no-popup approach! Still simple to unblock apps
- Windows Firewall tinkering protection
- No knowledge of application ports is needed. In fact, you cannot edit rules in detail at all.
- Comes with a list of known applications and associated ports lists. TinyWall automatically recognizes your app and only allows what is needed instead of giving full acess.
- Firewall modes, special LAN access, temporary rules, open sockets listing, password lock, etc...

For a complete feature list, please have a look at the website: http://tinywall.pados.hu/features.php

Status: Seems to work fine, but needs more testing.

The list of recognized apps is currently quite small, so in addition of telling me your oppinion, sending bug reports and feature requests, you can also help out by sending me program descriptions to include (to do that, send me the XML output from "DevelTool").

NOTE: It is stated on the website, but here once more: To uninstall, you need to launch the UI as Admin (Elevate as necessary) then request uninstallation from the Maintenance tab in the settings.

Hope you'll find it usefull.
Download from http://tinywall.pados.hu/download.php.

[kerykeion]

This almost put a big smile on my face... until I found out it's only for Vista/7. But still, I believe this is a great non-intrusive firewall software for people who like it (got sold by its features)

I'm on XP.

[tony62]

I actually really like it, upon playing around in a VM.

Very intuitive with the 'Whitelist by -

executable
process
window (just click on the application window on your screen)

Here are some screens:





Thanks!

[tony62]

Few questions/suggestions:

A window or tray menu link to view blocked processes connections.
What is the 'Private zone'?
What is the 'Prompt for profile association for recognized applications check box for'?
Add application to allowed via connection's window
Have connections window remember size & include a maximize button

Thanks.

[kupo]

Does it play well with a standard user account?

[ichito]

Quote:

The download is available for Windows Vista and Windows 7 users (x86/x64).

I have XP...

[JoeBlack40]

It shows me pop-ups for new outgoing connections?If not,it's pretty useless for me.

[ultim]

Firts of all, thank you all very much for your input and feedback. I really appreciate it.

tony62:
Thanks for the screenshots. I see some small UI corruption in the connections dialog (checkbox sliding into the list), which doesn't happen on my development machine. I'll try to workaround that.

> A window or tray menu link to view blocked processes connections.
Currently there is no feature to show blocked connections, but I see that it would be helpful. I'll sure implement it, I'm only unsure if I will do it in the current 1.0 version or in 1.1 after that.

> What is the 'Private zone'?
That is just information showing you in which firewall/network zone you currently are. It doesn't do anything, it is only informational. All applications you unblock will be allowed in the same zone only that you unblocked them in. So for example, if you have a laptop and you're surfing on a public WiFi (which puts you into the Public firewall zone), you can have a different set of applications enabled than at home.

> What is the 'Prompt for profile association for recognized applications check box for'?
TinyWall has a built-in list of safe applications that it can recognize and knows which communication profiles to allow for them (for example, Internet Explorer will be allowed ports 80/443 outbound, which is the 'Web browser' profile). If you are unblocking a reocgnized application, TinyWall will not ask you for the profile because it already knows how to handle that application. On the other hand, if you are unblocking an application that TinyWall doesn't know yet, you will get an extra prompt where you can tighten the rules on that app instead of giving it full access to the network. So here is how this option comes into play: if 'Prompt for profile association for recognized applications' is checked, you will always be asked for the profiles, even for recognized/known applications. This is basically just a UI/comfort setting and does not influence firewall operation.

> Add application to allowed via connection's window
Already thought about that and I am willing to do it, but the current inner workings of the controller app inhibit such a feature. I need some time to rework things. At latest, I will definetely implement it in the first post-1.0 release.

> Have connections window remember size & include a maximize button
Will do that right away.


skudo12:
> Does it play well with a standard user account?
Yes, you can run the UI without Admin privileges and add new applications to the exceptions list. You will only be missing some minor features (Connections list, Uninstall capability, for these you need Admin rights). If you want to limit who can configure TinyWall, that's what the password lock feature is for. In relation to multiple user accounts, the only thing it doesn't like is fast user switching (that is, multiple users logged in at the same time). It will still work, but the tray app will only be usable from one account at a time. As soon as you quit the first instance you started, the other user's tray app will start to work.


JoeBlack40:
> It shows me pop-ups for new outgoing connections?
It does not show popups for new outgoing connecitons. That is on purpose and I truely believe it is better this way, becasue it is safer, less annoying, and through some other features (e.g. whitelist by window) is still just as easy to use.

[ultim]

'Prompt for profile association for recognized applications'
I guess I could rename it to just 'Always ask for profiles'. Would that be better?

[JoeBlack40]

Quote:

> It shows me pop-ups for new outgoing connections?
It does not show popups for new outgoing connecitons. That is on purpose and I truely believe it is better this way, becasue it is safer, less annoying, and through some other features (e.g. whitelist by window) is still just as easy to use.

I really appreciate your work and especially that your software is free.But i disagree with you.That's why i use third parties firewalls,because i want to be notified REAL TIME when a program asks for an outbound connection,that's all.Or you could implement a "learning mode" for those who don't want pop-ups.Just my opinion.

[ultim]

Quote:

Originally Posted by JoeBlack40

I really appreciate your work and especially that your software is free.But i disagree with you.That's why i use third parties firewalls,because i want to be notified REAL TIME when a program asks for an outbound connection,that's all.

That's fine. Different people use the same software for different purposes. In my case, I don't care about real-time notification. What I need is that only those applications access the internet that I have explicitly allowed, and otherwise the firewall should try to stay out of my way. If I allow only my web browser, I know that it will be allowed and all others will be blocked. I don't need notifications about the latter case.

[kupo]

I agree with the author about not having notifications, wish you the best for your application and goodluck!

[alexandrud]

1. While the program is in locked state you can delete rules from Manage window. What is locked, only the notifyicon menu items ?
2. What does the menu Public Zone ?
3. If you delete a rule from Application Exceptions the rule is not deleted from WFwAS, it still exists there.
4. Make the systray icon to show the menu also on the left mouse button click, not just on the right button.
5. Which method did you use to communicate from GUI to the service to avoid problems with standard user accounts ?
6. And the most annoying thing, I can't uninstall it because TinyWall.exe is running. If I end the process from Task Manager, it restarts itself. First I had to go to services.msc and disable the service, and only after that I could uninstall it.

Good work.

[Konata Izumi]

Does this firewall make use Windows DEP/ASLR etc?
Does it support IPv6?
Does it have self-protection from tampering and termination?

I suggest that it will have IP Blocking feature (ie Peerblock) and an easy way to import IP blocklists from Bluetack etc.

Quote:

Originally Posted by skudo12

I agree with the author about not having notifications, wish you the best for your application and goodluck!

I also like the author's approach! I will test sometime soon.

[ultim]

Quote:

Originally Posted by alexandrud

1. While the program is in locked state you can delete rules from Manage window. What is locked, only the notifyicon menu items ?
...
3. If you delete a rule from Application Exceptions the rule is not deleted from WFwAS, it still exists there.

Actually, both work. The mistake you are making is, changes are only applied when you click OK in the settings dialog. So you can remove or add multiple apps, and then click ok, then all your changes will be applied at once. This is also the point where you will be asked for a pssword if the firewall is locked down. Check it again, and it will be alright. In locked state, all configuration changes are locked.

Quote:

Originally Posted by alexandrud

2. What does the menu Public Zone ?

Does not do anything, it is only information showing which Windows Firewall zone you are currently in. Application changes will only be applied to the current zone.

Quote:

Originally Posted by alexandrud

4. Make the systray icon to show the menu also on the left mouse button click, not just on the right button.

Will do, thanks for the tip.

Quote:

Originally Posted by alexandrud

5. Which method did you use to communicate from GUI to the service to avoid problems with standard user accounts ?

Named pipes, setting ACL on them.

Quote:

Originally Posted by alexandrud

Good work

Thanks and good work on your Windows Firewall Control too.

[ultim]

Hi Izumi,

>Does this firewall make use Windows DEP/ASLR etc?
Yes, TinyWall is written using .Net technology, which automatically makes use of DEP. ASLR is not needed because by the nature of the JIT compiler it is impossible for an attacker to tell the exact layout of the binaries on a foreign computer. So I guess you could say that ASLR is also enabled, although it is not the same technology that is used for native binaries.

> Does it support IPv6?
Yes.

> Does it have self-protection from tampering and termination?
Yes. It is of course not bulletproof, but everyone in computer security can tell that nothing is. However, TinyWall will surely survive a process kill and also some other forms of attack too. The configuration files are encrypted with a dynamic password and are also locked during execution, and there are some other safety mechanisms too. Also, TinyWall also tries to protect not only itself but also the Windows Firewall service.

>I suggest that it will have IP Blocking feature (ie Peerblock) and an easy way to import IP blocklists from Bluetack etc.
I haven't thought of that until now, but not a bad idea. However, not in the 1.0 version. I'll have to do some more research on that topic.

[ViVek]

Hi ultim.
Do you have any plans to release XP version?

[ultim]

Quote:

Originally Posted by ViVek

Hi ultim.
Do you have any plans to release XP version?

Hi ViVek. I am really sorry to say this, but XP support is currently not planned.

[Konata Izumi]

Quote:

Originally Posted by ultim

Hi Izumi,

>Does this firewall make use Windows DEP/ASLR etc?
Yes, TinyWall is written using .Net technology, which automatically makes use of DEP. ASLR is not needed because by the nature of the JIT compiler it is impossible for an attacker to tell the exact layout of the binaries on a foreign computer. So I guess you could say that ASLR is also enabled, although it is not the same technology that is used for native binaries.

> Does it support IPv6?
Yes.

> Does it have self-protection from tampering and termination?
Yes. It is of course not bulletproof, but everyone in computer security can tell that nothing is. However, TinyWall will surely survive a process kill and also some other forms of attack too. The configuration files are encrypted with a dynamic password and are also locked during execution, and there are some other safety mechanisms too. Also, TinyWall also tries to protect not only itself but also the Windows Firewall service.

>I suggest that it will have IP Blocking feature (ie Peerblock) and an easy way to import IP blocklists from Bluetack etc.
I haven't thought of that until now, but not a bad idea. However, not in the 1.0 version. I'll have to do some more research on that topic.

Thank you. I'm very looking forward to the IP blocking feature

[ViVek]

Quote:

Originally Posted by ultim

Hi ViVek. I am really sorry to say this, but XP support is currently not planned.

Ok, thank you

[Konata Izumi]

you should put MD5 hash of the installer on the download page so we can verify the integrity of our download.

[Rilla927]

This looks promising. It seems like a broad database for the FW to know every applications ports rather than to notify on inbound and outbound connections. Just my 2 cents.

[m00nbl00d]

I just gave a quick reading at its features and I couldn't tell whether or not it's possible to define a hostname/domain as the remote address? It's handy for those times when IPs are constantly changing.

[ultim]

To forum admin: Please change the download link (last line in opening post) to http://tinywall.pados.hu/download.php instead of a direct link to the file. I cannot seem to edit the post anymore.

[ultim]

Quote:

Originally Posted by alexandrud

6. And the most annoying thing, I can't uninstall it because TinyWall.exe is running. If I end the process from Task Manager, it restarts itself. First I had to go to services.msc and disable the service, and only after that I could uninstall it.

As stated in the opening post, you have to uninstall by going to the Maintenance tab in Manage.
1) Elevate privileges from the menu if not done so already
2) Go to Manage
3) Select Uninstall under Maintenance