Wilders Security Forums  

  #51  
Old October 17th, 2011, 04:52 AM
ultim ultim is offline
Frequent Poster
 
Join Date: Oct 2011
Posts: 210
Default Re: Beta-testing TinyWall

Quote:
Originally Posted by jnthn
Is there a way to add rules to allow inbound for certain applications?

Yes.

In a bit more detail, there are basically three cases:
  1. If an application is recognized by TinyWall, then TinyWall will automatically unblock the inbound and outbound ports that the application needs.
  2. If an application is not recognized, but a built-in profile for that type of application exists, you can manually pair the application with the right profile. Example: You are running a WAMP server but TinyWall does not recognize it. You can still assign WAMP the "Web server" profile and WAMP will have inbound ports 80 and 443 unblocked.
  3. The application is not recognized and there is no tight profile for it. You can still assign the "Blind trust" profile which will open all inbound and outbound ports to that application. So the application will still work as expected and your other programs will still be protected. The only limitation here is that you cannot unblock applications on a port-by-port basis if there is no better profile that will do.

Also note: The upcoming beta has a new meta-profile that allows outbound but blocks inbound connections. For unknown applications that do not need to accept incoming connections this is a much more secure choice than the "Blind trust" profile. It is also the new default profile for unrecognized applications in the upcoming beta.

Last edited by ultim : October 17th, 2011 at 07:44 AM.
  #52  
Old October 17th, 2011, 06:08 AM
kupo kupo is offline
Frequent Poster
 
Join Date: Jan 2011
Posts: 935
Default Re: Beta-testing TinyWall

Cool, can we still use the advanced windows firewall for editing rules? Like allowing windows update, or will you add default profile for windows update, etc?
__________________
Do not feed the trolls!
  #53  
Old October 17th, 2011, 07:38 AM
ultim ultim is offline
Frequent Poster
 
Join Date: Oct 2011
Posts: 210
Default Re: Beta-testing TinyWall

Quote:
Originally Posted by skudo12
Cool, can we still use the advanced windows firewall for editing rules? Like allowing windows update, or will you add default profile for windows update, etc?

A special exception for Windows Update is already part of the upcoming beta. I am also including profiles for updaters for some antivirus software.

To answer your question, no, you cannot edit rules over the standard Windows GUI. As part of the firewall tampering protection, if anything other than TinyWall changes the Windows Firewall settings, TinyWall will reset the rules.

Last edited by ultim : October 17th, 2011 at 07:46 AM.
  #54  
Old October 17th, 2011, 07:49 AM
ultim ultim is offline
Frequent Poster
 
Join Date: Oct 2011
Posts: 210
Default Re: Beta-testing TinyWall

To supplement my previous post, you can still add an exception for Windows Update (or any other service) in the current beta without having to wait for the next release. The only difference is that the next version can do this automatically for you.

In the current beta, go to: Manage->Application Exceptions->Add->Choose service
There you can select the Windows Update service ("wuauserv"). It only needs the "Web browser" profile.
  #55  
Old October 17th, 2011, 09:24 AM
jnthn jnthn is offline
Regular Poster
 
Join Date: Sep 2010
Posts: 83
Default Re: Beta-testing TinyWall

Quote:
Originally Posted by ultim
  1. The application is not recognized and there is no tight profile for it. You can still assign the "Blind trust" profile which will open all inbound and outbound ports to that application. So the application will still work as expected and your other programs will still be protected. The only limitation here is that you cannot unblock applications on a port-by-port basis if there is no better profile that will do.


Thanks for clearing it. This Blind trust profile is sufficient for my needs. But would there be plans to let users create their own profiles as well as configure which ports to open for that specific profile?
  #56  
Old October 17th, 2011, 06:57 PM
ultim ultim is offline
Frequent Poster
 
Join Date: Oct 2011
Posts: 210
Default Re: Beta-testing TinyWall

Quote:
Originally Posted by jnthn
... But would there be plans to let users create their own profiles as well as configure which ports to open for that specific profile?

Not yet, not until more people ask for it, because I'm not convinced that it is worth implementing. However, if you tell me what application you are trying to use or what its port requirements are, I'd gladly add it to the built-in supported profiles.

As a general note, TinyWall supports more profiles than only those that get listed for an unknown application in the "Add application exception window". If you are trying to unblock an unrecognized app, TinyWall will only list the available "generic" profiles. However, as an example, if you are whitelisting Steam, you will notice that a "Steam" profile magically appears and is usable. - The reason for this is to prevent polluting the list with all kinds of profiles that only get used by a single application anyway.

Last edited by ultim : October 17th, 2011 at 08:06 PM.
  #57  
Old October 17th, 2011, 08:08 PM
Hillsboro Hillsboro is offline
Regular Poster
 
Join Date: Jul 2006
Location: CH/USA
Posts: 86
Default Re: Beta-testing TinyWall

Can the whitelist be edited to tighten up control of what apps can call home/access the net unfettered and which ones can't? In other words, is there a user option to require all applications to ask permission to access the net that allows the user to set ports and IPs?

Thanks
  #58  
Old October 18th, 2011, 01:25 AM
Konata Izumi's Avatar
Konata Izumi Konata Izumi is offline
Very Frequent Poster
 
Join Date: Nov 2008
Posts: 1,521
Default Re: Beta-testing TinyWall

@ultim
Do you have profile for P2P apps like Bittorrent/uTorrent? these programs may use random ports
__________________
Win7PRO64bit | SUA | SRP | UAC | EMET | SpywareBlaster | MVPSHOST | OpenDNS | SandboxIE | Privoxy | Windows Image Backup .
built-in security + sandboxing fag.
  #59  
Old October 18th, 2011, 03:14 AM
jnthn jnthn is offline
Regular Poster
 
Join Date: Sep 2010
Posts: 83
Default Re: Beta-testing TinyWall

Quote:
Originally Posted by ultim
However, if you tell me what application you are trying to use or what its port requirements are, I'd gladly add it to the built-in supported profiles.

No biggie really as long as the blind trust profile is there. I have xfire and just recently started using a voip app named brosix which the ports are portforwarded on the router already.
  #60  
Old October 18th, 2011, 05:26 AM
ultim ultim is offline
Frequent Poster
 
Join Date: Oct 2011
Posts: 210
Default Re: Beta-testing TinyWall

jnthn:
Xfire is already included (I don't know if it was already there in beta2, but it is there in beta3), and I'll take a look at brosix.

Hillsboro:
Yes, you can tighten up apps calling home by profiles. By default all apps are blocked and you need to whitelist app-by-app. So they all need permission from you. In TinyWall you don't work with ports directly, but with profiles. Profiles abstract knowledge about ports (and some other things). Basically a profile is a collection of firewall rules.

Izumi:
uTorrent is recognized by default, but because of the wide range of ports, it uses Blind trust. I'll take a look at Bittorrent.

Last edited by ultim : October 18th, 2011 at 06:38 AM.
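Added example, not part of the original posts and not TinyWall's code: a small Python model of the ideas in posts #51, #53 and #60, showing profiles expanded into per-application rules, default-deny evaluation, and a tamper check that restores the expected rule set. The executable names and the rule representation are assumptions; the profile behaviour is only what the thread states.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Rule:
    app: str
    direction: str                      # "in" or "out"
    ports: Optional[Tuple[int, ...]]    # None means any port

# Profiles as rule templates. Only what the thread states is modelled:
# "Web server" opens inbound 80/443, "Blind trust" opens everything,
# "Outbound" allows outgoing only, "Block" allows nothing.
PROFILES = {
    "Web server":  [("in", (80, 443))],
    "Blind trust": [("in", None), ("out", None)],
    "Outbound":    [("out", None)],
    "Block":       [],
}

def expand(exceptions):
    """Turn {application: profile} into the flat rule set the firewall should hold."""
    return {Rule(app, direction, ports)
            for app, profile in exceptions.items()
            for direction, ports in PROFILES[profile]}

def allowed(rules, app, direction, port):
    """Default deny: traffic passes only if a rule for this application matches."""
    return any(r.app == app and r.direction == direction
               and (r.ports is None or port in r.ports)
               for r in rules)

def enforce(expected, live):
    """Tamper check: report rules added or removed behind the firewall's back
    and return the rule set to restore."""
    return set(expected), live - expected, expected - live

# Constructed sample: executable names are hypothetical.
EXCEPTIONS = {"wamp.exe": "Web server", "unknown.exe": "Outbound", "p2p.exe": "Blind trust"}
RULES = expand(EXCEPTIONS)

if __name__ == "__main__":
    for app in ("wamp.exe", "unknown.exe", "p2p.exe", "notlisted.exe"):
        print(app, "inbound 443:", allowed(RULES, app, "in", 443),
              "| outbound 443:", allowed(RULES, app, "out", 443))
    foreign = Rule("notlisted.exe", "in", None)   # rule added outside the firewall manager
    restored, added, removed = enforce(RULES, RULES | {foreign})
    print("foreign rules dropped:", added, "| state restored:", restored == RULES)
```

The same unknown application accepts inbound connections under "Blind trust" but not under "Outbound", which is the difference post #51 describes between the two choices.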
  #61  
Old October 18th, 2011, 07:42 AM
ultim ultim is offline
Frequent Poster
 
Join Date: Oct 2011
Posts: 210
Default Re: Beta-testing TinyWall

It has been brought to my attention by some people that there used to be a firewall called TinyWall by Tinysoftware. So, I'd like to make some things clear. Some of these points were probably already clear to people of this forum, but I'm putting these out for new visitors also:
  • When I've chosen the name "TinyWall", I had no idea about Tinysoftware's TinyWall. I came up with this name 100% on my own. I have absolutely no intention to ride on the {f/n}ame of a previous product.
  • The "original" TinyWall used to be developed around 2002, neither the software nor the company exists anymore.
  • I'm not going to let myself be bothered by software that's been dead for almost 8 years now.
  • The old TinyWall's more recent descendants seem to be "Tiny Personal Firewall" and "Tiny Firewall". The similarity in naming with these two products is entirely coincidental. "TinyWall" is a separate product from those two, with different product names, different developers and different goals. TinyWall is not affiliated with the others in any way.

I'm just a hobby developer making my own software.
  #62  
Old October 18th, 2011, 07:46 AM
kupo kupo is offline
Frequent Poster
 
Join Date: Jan 2011
Posts: 935
Default Re: Beta-testing TinyWall

Yup, just don't mind it. Just a question, when will the next beta be ready?
__________________
Do not feed the trolls!
  #63  
Old October 18th, 2011, 10:43 AM
ultim ultim is offline
Frequent Poster
 
Join Date: Oct 2011
Posts: 210
Default Re: Beta-testing TinyWall

Quote:
Originally Posted by skudo12
Just a question, when will the next beta be ready?

I just need to finish my exercises in stochastic, and then a couple of hours to empty my to-do list. No guarantees though. Something might pop up that needs more time fixing than I anticipated.
  #64  
Old October 18th, 2011, 11:43 AM
Konata Izumi's Avatar
Konata Izumi Konata Izumi is offline
Very Frequent Poster
 
Join Date: Nov 2008
Posts: 1,521
Default Re: Beta-testing TinyWall

Quote:
Originally Posted by ultim
  1. The application is not recognized and there is no tight profile for it. You can still assign the "Blind trust" profile which will open all inbound and outbound ports to that application. So the application will still work as expected and your other programs will still be protected. The only limitation here is that you cannot unblock applications on a port-by-port basis if there is no better profile that will do.

Also note: The upcoming beta has a new meta-profile that allows outbound but blocks inbound connections. For unknown applications that do not need to accept incoming connections this is a much more secure choice than the "Blind trust" profile. It is also the new default profile for unrecognized applications in the upcoming beta.

how about this:

If application is not recognized and there is no tight profile for it. You can still assign the "Blind Checking" option which will learn what port(s) a program uses for a certain period of time and unblock the port(s) used, then block everything not learned during blind checking.

pardon my bad english

P.S: I'm still anticipating the IP blocking feature
__________________
Win7PRO64bit | SUA | SRP | UAC | EMET | SpywareBlaster | MVPSHOST | OpenDNS | SandboxIE | Privoxy | Windows Image Backup .
built-in security + sandboxing fag.

Last edited by Konata Izumi : October 18th, 2011 at 11:49 AM.
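Added example, not part of the original posts and not a TinyWall feature: a Python sketch of the "Blind Checking" idea proposed in post #64, which learns the ports an application uses during a fixed window and then blocks everything that was not observed. The event format, application names, port numbers and the `max_inbound` threshold are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample events: (seconds since learning began, app, direction, port).
# For "in" the port is the local listening port; for "out" it is the remote port.
# Application names and port numbers are hypothetical.
EVENTS = [
    (10,  "voip.exe", "out", 443),
    (42,  "voip.exe", "in",  5222),
    (95,  "voip.exe", "out", 443),
    (15,  "p2p.exe",  "in",  51001),
    (30,  "p2p.exe",  "in",  51002),
    (61,  "p2p.exe",  "in",  51003),
    (400, "voip.exe", "in",  9999),    # arrives after the learning window
]

def learn(events, window):
    """Collect the (direction, port) pairs each application used within the window."""
    learned = defaultdict(set)
    for ts, app, direction, port in events:
        if 0 <= ts < window:
            learned[app].add((direction, port))
    return dict(learned)

def decide(learned, app, direction, port):
    """After learning ends: allow only what was observed, block everything else."""
    return (direction, port) in learned.get(app, set())

def too_wide(learned, max_inbound=2):
    """Apps whose learned inbound set keeps growing (random listening ports) gain
    little from port learning; list them for manual review."""
    return sorted(app for app, pairs in learned.items()
                  if sum(1 for d, _ in pairs if d == "in") > max_inbound)

if __name__ == "__main__":
    learned = learn(EVENTS, window=300)
    print("voip.exe inbound 5222:", decide(learned, "voip.exe", "in", 5222))
    print("voip.exe inbound 9999:", decide(learned, "voip.exe", "in", 9999))
    print("needs manual review:", too_wide(learned))
```

Everything an application does during the learning window becomes permitted afterwards, so the window has to run on a system that is known to be clean.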
  #65  
Old October 18th, 2011, 02:59 PM
ultim ultim is offline
Frequent Poster
 
Join Date: Oct 2011
Posts: 210
Default Re: Beta-testing TinyWall

Quote:
Originally Posted by Konata Izumi
P.S: I'm still anticipating the IP blocking feature

Since you've brought it up, here is the status on IP blocking:
When I told you last time that I'm gonna look into this, I really did. Actually, I wanted to implement it for the 1st stable release, so I did some tests. This is where it gets unfortunate: The Windows Firewall w/aS does not scale all that well, and it cannot handle a few million IP addresses in a timely fashion.

So, the consequence is that IP blocking from blocklists won't be possible until a custom kernel driver is implemented, which is exactly what other IP blocker programs do. I'm looking into this alternative, but this will take time (a lot) to get it right, which also means don't be counting on this feature for now. I'd recommend to use PeerBlock for now in addition to TinyWall. They can get along well together and you can have both active and running at the same time.
  #66  
Old October 18th, 2011, 06:24 PM
ultim ultim is offline
Frequent Poster
 
Join Date: Oct 2011
Posts: 210
Default Re: Beta-testing TinyWall

Hello everybody, I've uploaded Beta3. This time, unlike in the previous version, we have some major new features and I really hope you'll like it.
The changelog is also longer than before, and it is not even everything. This changelog only lists the user-visible changes, but on the inside quite a lot has changed too. Of course it also means a higher risk of regressions, but what can I say... let's just hope for the best.

Changelog:
- New feature: new firewall mode: Allow all outgoing connections (still blocks inbound)
- New feature: Automatic detection of installed software (needs to be started manually)
- New feature: Self-update capability
- New feature: Recognition of applications has been extended to services also
- More reliable and faster sync between controller and service
- Update without losing existing settings (if possible)
- "Allow outbound" is the new default profile instead of "Blind trust" for unknown applications.
- New "Block" metaprofile
- Metaprofiles are hard-coded now so that TinyWall stays usable even with a corrupted database.
- Refactored "Machine Exceptions" page into the "Special Exceptions" page
- Sometimes settings window could show up behind other windows. Bring to front when shown.
- Removed duplicate icon resources
- Fix: Controller crashes if trying to modify an exception for which there is no executable
- Some misc. issues resolved I didn't track in the changelog
- New application profiles

You will lose your settings when upgrading to Beta3, this was unavoidable as the database format for the settings has changed. However, future updates should preserve your settings (unless I break the database format again, but I'll try to avoid that).

Let me know how Beta3 works out for you, and as always I'll listen to your feedback. You have been really helpful all along, even without telling me what bugs you or what requests you have, I can see where to improve just by listening to your questions. So please stay with me and your reward is going to be a polished little TinyWall that you're waiting for. Again, thanks for helping me.

http://tinywall.pados.hu/download.php

Last edited by ultim : October 18th, 2011 at 06:35 PM.
  #67  
Old October 18th, 2011, 07:36 PM
kupo kupo is offline
Frequent Poster
 
Join Date: Jan 2011
Posts: 935
Default Re: Beta-testing TinyWall

I'm having this error when running the installer.
"ShellExecuteEx failed; code 786.
Access to %1 has been restricted by your Administrator by policy rule %2".
I'm running it as administrator in my admin user.
__________________
Do not feed the trolls!
  #68  
Old October 18th, 2011, 08:25 PM
ultim ultim is offline
Frequent Poster
 
Join Date: Oct 2011
Posts: 210
Default Re: Beta-testing TinyWall

Quote:
Originally Posted by skudo12
I'm having this error when running the installer.
"ShellExecuteEx failed; code 786.
Access to %1 has been restricted by your Administrator by policy rule %2".
I'm running it as administrator in my admin user.

You have some kind of software restriction policy activated on your computer. Maybe some other software is causing it? HIPS? Anyway, something on your system is interfering with installations.
  #69  
Old October 18th, 2011, 08:27 PM
kupo kupo is offline
Frequent Poster
 
Join Date: Jan 2011
Posts: 935
Default Re: Beta-testing TinyWall

Only security software installed that is running real-time is MSE, and I have a Windows 7 Home Premium, so I don't have access to gpedit, and can't make software restriction policy
__________________
Do not feed the trolls!
  #70  
Old October 18th, 2011, 08:54 PM
ultim ultim is offline
Frequent Poster
 
Join Date: Oct 2011
Posts: 210
Default Re: Beta-testing TinyWall

I just checked it on two of my computers and there are no problems at installing. I also see no reason for this to happen. I am sure that it is not caused by TinyWall. TinyWall is *not* messing with GPO, policies or any of that stuff. I assume you'll be seeing this error with some other installers too.

Anyway, even if it is not related to TinyWall, I'd like to help you, but googling didn't turn up much useful information. The most useful seems to be this: http://answers.microsoft.com/en-us/w...5-87ac6f5d57cb

In short, reboot and make sure to login as admin first before logging in as any other user. Or else computer-wide restrictions may be applied. Let me know if it helped.
  #71  
Old October 18th, 2011, 08:58 PM
kupo kupo is offline
Frequent Poster
 
Join Date: Jan 2011
Posts: 935
Default Re: Beta-testing TinyWall

Got it working! BTW, what's the difference between outbound and allow outbound in the profiles? Working good!
__________________
Do not feed the trolls!
  #72  
Old October 18th, 2011, 09:02 PM
ultim ultim is offline
Frequent Poster
 
Join Date: Oct 2011
Posts: 210
Default Re: Beta-testing TinyWall

That's a bug. Please use "Outbound" because "Allow outbound" will be removed.
  #73  
Old October 18th, 2011, 09:06 PM
kupo kupo is offline
Frequent Poster
 
Join Date: Jan 2011
Posts: 935
Default Re: Beta-testing TinyWall

Ok thanks, working nicely with my standard user account
__________________
Do not feed the trolls!
  #74  
Old October 18th, 2011, 09:10 PM
ultim ultim is offline
Frequent Poster
 
Join Date: Oct 2011
Posts: 210
Default Re: Beta-testing TinyWall

I just fixed the "Allow outbound" bug. Just use the Updater in the Maintenance tab, running elevated.
  #75  
Old October 18th, 2011, 09:24 PM
Rilla927's Avatar
Rilla927 Rilla927 is offline
Very Frequent Poster
 
Join Date: May 2005
Posts: 1,620
Default Re: Beta-testing TinyWall

Quote:
Originally Posted by Konata Izumi
how about this:

If application is not recognized and there is no tight profile for it. You can still assign the "Blind Checking" option which will learn what port(s) a program uses for a certain period of time and unblock the port(s) used, then block everything not learned during blind checking.

I would like to see this if it isn't there already
__________________
~Rilla927~
 

All times are GMT -4.