Wilders Security Forums > Security Products > other firewalls
#1  turtlesoup, February 7th, 2012, 09:32 AM
Deficiencies of Private Firewall

After reading many positive comments here about Private Firewall, I decided to give it a try, and I must say that I am disappointed, as it's missing a number of critical features.

Unconditional Port Blocking

The main feature that I really need that PF does not have is the ability to block ports unconditionally, no matter what application is trying to use them.

Please correct me if I'm wrong about this, but it seems PF absolutely needs to associate port blocking/allowing rules with particular applications. I could not, for example, block access to all ports below and including 1024, no matter which application is trying to use them.

This feature is really important to me, and its lack in PF is a deal-breaker.

Non-contiguous Ports in a Single Rule

Another feature I'd like to have is the ability to specify multiple non-contiguous ports in a single rule. For example, I'd like to make a rule concerning ports "135,137,445". This can't be done in PF either, as far as I know.

Fortunately, you can specify port ranges, like "1-1024", and (of course) you can specify individual ports, like "135", but not both individual ports and ranges, like "135,137-139,445".

Undocumented XML Format

Though I am happy that PF can export and import rules in a relatively easy to understand XML format, that format needs to be thoroughly documented somewhere so that the XML file could be edited by hand or by external tools. I don't want to have to guess what 'Mode="2"' or 'Rule flags="122"' or 'Value="1"' are, or what the <AppsParent> section is for.

Too Much Clicking

Without thorough documentation, the XML file that PF imports is only really editable by PF itself, which brings me to my last complaint: creating rules in PF involves way too much clicking!

I know clicking a lot is the traditional Windows GUI way, and that may be fine if you've got only a handful of rules to configure. But any more than a handful is going to become seriously painful to create in PF. I'm afraid to even imagine how many days or weeks it would take to create a few hundred rules in PF.

Such a large ruleset would still be pretty painful to make even if you could type it in using a capable text editor, but at least if PF's export/import XML format was well documented, it could be done and it would save you a monstrous amount of clicking.

Copying and Pasting Rules

Now, if click you must, at least PF should allow you to copy and paste existing rules. But no. All you can do is modify, add, or delete them.

Keyboard Shortcuts

If you're going to be creating a lot of rules through the PF GUI, you should at least have keyboard shortcuts for every possible action, and allow these shortcuts to be user-configurable.

Conclusion

Considering all these deficiencies, I really can't take PF very seriously. It may well be a good firewall, for what it does. But its configuration ability is sorely lacking.

Last edited by turtlesoup : February 7th, 2012 at 10:11 AM.
#2  itman, February 7th, 2012, 05:37 PM
Re: Deficiencies of Private Firewall

The firewall portion of PF is geared toward "newbies." People who really don't have the expertise to create advanced firewall rules.

You are correct as far as non-application rule creation. On the other hand, PF assumes everything that accesses the Internet requires an application. No application, no Internet access. You really can't get more secure than that.

As far as specifying the ports, you can enter in the local or remote port field of a firewall rule, anything in the 1-65535 range. The port option of 1024-65535(user) refers to your subnet. For example if you wanted to block inbound to ports 1-1023, you would manually enter 1-1023 in the local ports field of a firewall rule.
#3  TheMozart, February 7th, 2012, 07:02 PM
Re: Deficiencies of Private Firewall

Why bother using it? Just use the windows firewall.
#4  turtlesoup, February 7th, 2012, 09:19 PM
Re: Deficiencies of Private Firewall

Quote:
Originally Posted by itman
PF assumes everything that accesses the Internet requires an application. No application, no Internet access.

On a modern Windows PC today, there are probably thousands of "applications" (little programs installed as part of Windows that do god knows what). Do you really want to specify a separate rule for each of them?

And what about those applications you don't know about, such as those some malware app will create without your knowledge? If you had to specify a separate rule for each app, you couldn't specify one for these types of apps, because you won't even know they're there until too late (if at all).

No. What you really need is the ability to create port blocking rules that apply no matter which app is trying to connect.

For example, "block inbound ports 1-1024" -- as simple as that.

But PrivateFirewall won't let you.

You are forced to have to specify something like:

"block inbound ports 1-1024 for app A"
"block inbound ports 1-1024 for app B"
"block inbound ports 1-1024 for app C"
...
"block inbound ports 1-1024 for app AA"
"block inbound ports 1-1024 for app BB"
"block inbound ports 1-1024 for app CC"
...
"block inbound ports 1-1024 for app AAA"
"block inbound ports 1-1024 for app BBB"
"block inbound ports 1-1024 for app CCC"

for thousands of apps!

Quote:
Originally Posted by itman
You really can't get more secure than that.

You can get a lot more secure than what PrivateFirewall will allow.

Quote:
Originally Posted by itman
As far as specifying the ports, you can enter in the local or remote port field of a firewall rule, anything in the 1-65535 range. The port option of 1024-65535(user) refers to your subnet. For example if you wanted to block inbound to ports 1-1023, you would manually enter 1-1023 in the local ports field of a firewall rule.

But you can't specify something like "135,139,445" or "135,137-139,445" in one rule. That's the problem.

Last edited by turtlesoup : February 7th, 2012 at 10:45 PM.
#5  fblais, February 8th, 2012, 10:13 AM
Re: Deficiencies of Private Firewall

Ghostwall (now abandoned) and Sterjosoft (http://www.sterjosoft.com/portable-firewall.html) work with ports.
However, I don't feel comfortable with opening ports to everything.
But check them.
__________________
P4-2.8 with 2GB RAM & Windows XP Pro SP3 | Mamutu | Webroot's WSA | MBAM Pro on-demand | SafeDNS
#6  itman, February 8th, 2012, 10:20 AM
Re: Deficiencies of Private Firewall

PF works like the WIN 7 firewall with Outbound rules checking turned on. You create rules for anything you want to allow. Anything without a rule is auto blocked.

With default PF firewall settings, any application with a trusted publisher will have a rule created for it and no alert is given. This can be changed to the level where you receive an alert for every outbound connection. Your choice.

PF documentation needs to be read multiple times and experimentation is required to fully understand its capabilities. If PF does have a fault, it is not the easiest firewall/HIPS to understand; even for IT pros.
#7  ellison64, February 8th, 2012, 01:15 PM
Re: Deficiencies of Private Firewall

Quote:
Originally Posted by turtlesoup
[post #1 quoted in full]

What current software firewalls have all these features that you mention?
#8  turtlesoup, February 8th, 2012, 06:03 PM
Re: Deficiencies of Private Firewall

Quote:
Originally Posted by ellison64
What current software firewalls have all these features that you mention?

I don't know about Windows firewalls, but on Linux you could use iptables, and on BSD you could use PF.
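Posts #1 and #4 ask for two things Private Firewall lacks: a block rule that applies to every process ("block inbound ports 1-1024", with no app attached) and a single rule that mixes individual ports and ranges ("135,137-139,445"). Post #8 points at iptables and BSD pf, and post #3 at the Windows firewall, all of which can express both. The following is an added example, not code from Private Firewall or from any poster: a small Python generator that parses exactly that port syntax, validates and merges it, and emits the equivalent application-independent inbound block rule for netsh advfirewall (the built-in Windows 7 firewall), iptables and pf. The rule name, the TCP default and the PortRange helper are my own assumptions.

```python
"""Application-independent port-block rules from one compact port spec.

Added example for this thread (not Private Firewall's code and not any
poster's): parse "135,137-139,445"-style specs and emit the equivalent
program-agnostic inbound block rule for netsh advfirewall, iptables and pf.
Rule names, the TCP default and the PortRange helper are assumptions.
"""
from dataclasses import dataclass
from typing import List
import re

MULTIPORT_SLOTS = 15  # iptables -m multiport limit; a lo:hi range costs two slots


@dataclass(frozen=True)
class PortRange:
    lo: int
    hi: int

    def fmt(self, sep: str) -> str:
        return str(self.lo) if self.lo == self.hi else f"{self.lo}{sep}{self.hi}"


def parse_port_spec(spec: str) -> List[PortRange]:
    """Parse a comma list of ports and lo-hi ranges; validate, sort and merge."""
    ranges = []
    for item in spec.replace(" ", "").split(","):
        m = re.fullmatch(r"(\d{1,5})(?:-(\d{1,5}))?", item)
        if not m:
            raise ValueError(f"bad port item: {item!r}")
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"port out of range or reversed: {item!r}")
        ranges.append(PortRange(lo, hi))
    ranges.sort(key=lambda r: (r.lo, r.hi))
    merged: List[PortRange] = []
    for r in ranges:  # coalesce overlapping or adjacent ranges
        if merged and r.lo <= merged[-1].hi + 1:
            merged[-1] = PortRange(merged[-1].lo, max(merged[-1].hi, r.hi))
        else:
            merged.append(r)
    return merged


def is_valid_spec(spec: str) -> bool:
    try:
        parse_port_spec(spec)
        return True
    except ValueError:
        return False


def covers(ranges: List[PortRange], port: int) -> bool:
    """True if any range covers the port; which process uses it is irrelevant."""
    return any(r.lo <= port <= r.hi for r in ranges)


def netsh_rule(name: str, ranges: List[PortRange], proto: str = "TCP") -> str:
    """Windows built-in firewall: no program= argument, so it binds to every process."""
    ports = ",".join(r.fmt("-") for r in ranges)
    return (f'netsh advfirewall firewall add rule name="{name}" dir=in '
            f'action=block protocol={proto} localport={ports}')


def iptables_rules(ranges: List[PortRange], proto: str = "tcp",
                   chain: str = "INPUT") -> List[str]:
    """One rule per chunk of at most MULTIPORT_SLOTS multiport slots."""
    chunks: List[List[PortRange]] = [[]]
    used = 0
    for r in ranges:
        cost = 1 if r.lo == r.hi else 2
        if used + cost > MULTIPORT_SLOTS:
            chunks.append([])
            used = 0
        chunks[-1].append(r)
        used += cost
    rules = []
    for chunk in chunks:
        if len(chunk) == 1:  # plain --dport takes one port or one lo:hi range
            rules.append(f"iptables -A {chain} -p {proto} --dport {chunk[0].fmt(':')} -j DROP")
        else:
            ports = ",".join(r.fmt(":") for r in chunk)
            rules.append(f"iptables -A {chain} -p {proto} -m multiport --dports {ports} -j DROP")
    return rules


def pf_rule(ranges: List[PortRange], proto: str = "tcp") -> str:
    """OpenBSD/FreeBSD pf: a brace list may mix single ports and lo:hi ranges."""
    ports = ", ".join(r.fmt(":") for r in ranges)
    return f"block in quick proto {proto} from any to any port {{ {ports} }}"


if __name__ == "__main__":
    for spec in ("1-1024", "135,137-139,445"):
        ranges = parse_port_spec(spec)
        print(netsh_rule(f"Block {spec}", ranges))
        print(*iptables_rules(ranges), sep="\n")
        print(pf_rule(ranges))
```

Two practical caveats when applying the output. The netsh command needs an elevated prompt, and because it names no program it is checked before any per-application allow rule can matter, which is precisely the "no matter which app" behaviour asked for in post #4. The iptables commands use -A, which appends after whatever ACCEPT rules already sit in INPUT; use -I instead if the block must take precedence, and note that multiport counts a range as two of its fifteen slots, which is why the generator splits long lists into several rules. The pf rule uses quick so that a later pass rule cannot override it.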
 
