Beta-testing TinyWall

Discussion in 'other firewalls' started by ultim, Oct 12, 2011.

  1. ultim (Registered Member)

    Jarmo P:
    Autolearn gives full rights to unknown applications at the moment to ensure that an auto-learned application will work for sure even if it uses randomized ports. But yes, basically it can be made more secure without losing functionality. I'll see if I can make it more secure for 2.0 (depends on how many changes it needs; if the risk of introducing new bugs is too high, I'll leave it for later).

    I couldn't fully understand your other problem with Holdem Manager, can you try formulating it once more please?

    Seven64:
    About fixing VPN, I'm a bit short on spare time these days (and I'm doing TinyWall in my spare time) but I'll try to make a fixed release soon.
  2. Jarmo P (Registered Member)

    I meant it would be great if it were possible with Autolearn mode to differentiate between allowing outgoing and incoming (listening) connections instead of both, as I see now. The ports I could not care less about in a firewall control designed for basic users in a learning mode.

    The Holdem Manager was just a story, Karoly, I wanted you to hear. Keep on the good spare-time work on this; I think it already is fine as it is.
    Last edited: Apr 21, 2012
  3. Melf (Registered Member)

    For "smart" learning mode I agree with Jarmo: the ports don't matter, just the IPs/domains. E.g. if Microsoft Excel likes to connect to www.microsoft.com this would be fine with me no matter what the port... but if some script later makes it connect on the same port but to www.virus.ru, we'd have a problem :)
  4. SirDrexl (Registered Member)

    I was under the impression that Avast's web shield was for scanning files as they download. Would a different DNS replace that?
  5. Seven64 (Guest)

    It would be nice to post the progress of TinyWall, either positive or negative.
    Thanks.
  6. ultim (Registered Member)

    Sorry for no updates in a long time. This week I had the most difficult exam of my whole studies (I'm at the end; pretty much all that's left is my final thesis) and I was occupied with studying for it. Add to that my other mandatory responsibilities in my student organization, and I had zero time (or more like negative) left.

    Anyway, that stress is now over and the RC shouldn't be long due. The only thing "in the way" is me going home for the weekend, but I might be able to solve even that. (I do have a laptop but the development environments on my laptop and on my main computer have diverged quite a bit).

    So to sum up, stay tuned... :D
  7. Jarmo P (Registered Member)

    Thx for your reply; myself, I am like "wtf" whenever something changes in my life. But if you absolutely must, then keep them adjustments, Karoly, we love you!

    Jarmo
  8. EboO (Registered Member)

    Good luck for your exam :)
  9. kupo (Registered Member)

    Good luck! It's one reason why I don't join organizations in my university; it takes away my time :D
  10. ultim (Registered Member)

    Hello Everybody!

    Here are the fruits of my latest work. Changelog for 1.9.5 follows.

    - Avoid unnecessary inbound rules while auto-learning
    - Do not create firewall exceptions for local communication while auto-learning
    - Profile updates for antivirus software
    - Memory savings and faster rule merging in service
    - Fix: Broken VPN support
    - Fix: Accessibility issues

    The VPN fix has been long overdue, but there are also some other interesting changes. First of all, the memory usage improvements are impressive in this build: I've managed to shave off almost 5MB of dynamic memory usage. Two other changes improve the security of auto-learned rules. First, inbound rules are only created if an app actually received an inbound connection request; otherwise it will be learned as outgoing only. This improves security for applications that act only as clients. Second, since Windows Firewall is incapable of filtering local-to-local connections anyway, TinyWall will no longer create exceptions for applications both of whose communication endpoints are on the local machine. This means applications will not get exceptions if they are not trying to get out of the machine, even if they communicate over the network stack, which makes sense. This also improves security.

    The last thing is, there have been some changes to improve accessibility, like better support for screen readers, making sure that everything is accessible using the keyboard only, correcting tab order and so on. The reason is, I've received a note that, unlike other firewalls, TinyWall can be used very well by, for example, blind people, but there were still a few things to be adjusted to make it even better in this respect. So I am now announcing that I intend not to forget these users and I will try to keep TinyWall accessible to them in the future.

    To update to the latest version, get it from http://tinywall.pados.hu/download.php (bottom of page). If you are using 1.9.3 or newer you can just install the new one and it will update while keeping your settings. If you use a pre-1.9.3 version, be absolutely sure that you've uninstalled it first before installing this one. Starting from the *next* version, I am enabling automatic updates.
  11. Seven64 (Guest)

    Update (Vpn) working fine, thanks.
    Question: setting the browser for maximum security (HTTP(S) client), is this correct? o_O

    Attached: TW.png
  12. ultim (Registered Member)

    Yes, that should be fine for most websites, assuming you are not using some kind of proxy or Tor. You might also get some problems on a small number of streaming-media sites. But unless you see problems, the settings you show are a very good starting point.
  13. Seven64 (Guest)

    What about PeerBlock? What ports is "Out TCP *"?

    Thanks.

  14. ultim (Registered Member)

    An asterisk means "all ports". So your picture means that PeerBlock is allowed to make outgoing TCP connections to all ports.
  15. Jarmo P (Registered Member)

    I had some problems with Avast sandboxing the tinywall.exe. I downloaded the file and executed it. Then tinywall.exe or something got put into a sandbox. Then I repaired the install from the control panel. But no TinyWall icon. So I removed TinyWall from the Windows control panel and installed it again, this time with no problems.

    Now it seems to work great :) There is no cumulative damage done I hope?

    I noticed there was also the update button on the 1.9.4 Manage/Maintenance panel, but is that for the program update or for some whitelisting updates?
  16. lordraiden (Registered Member)

    Hi, I have been using the latest version 1.9.5 today, and I have noticed that the learning mode always creates the rules allowing all the traffic.
    It would be nice if the learning mode were able to create specific rules allowing only the connections that the programs have established during the learning-mode period.
    Is this possible?

    What does the option "prompt for exception details" do?
  17. kupo (Registered Member)

    When you whitelist something, instead of using the default rule, a window will pop-up for you to "fine-tune" the rule.
  18. ultim (Registered Member)

    There shouldn't be any "cumulative damage". Sandboxing should prevent exactly that :D In general, trying to sandbox a security app is always a bad idea. But a reinstall outside the sandbox should solve it.
  19. ultim (Registered Member)

    That's a very old option. It will make TinyWall pop up the exception's settings dialog whenever you whitelist something.

    No, not possible. TinyWall as of 1.9.5 will create two kinds of auto-learned rules. For programs that do not accept connections it will allow only outbound traffic (but any outbound traffic); for programs that have also been connected to during learning mode it will also allow incoming traffic. There is no possibility to create stricter rules based on ports, remote machines etc. in the learning mode.
  20. ultim (Registered Member)

    Make sure "prompt for exception details" is disabled in the options.
  21. ultim (Registered Member)

    I've passed the exam! Thank you for wishing me good luck! :D
  22. EboO (Registered Member)

    Congratulations :)
  23. alexandrud (Developer)

    Windows Firewall already contains pop-ups for relevant software in case they need inbound connections, like Skype, Internet Explorer, uTorrent, etc. You should not create inbound rules for any of the programs. 98% of the programs that a user uses will not even require inbound connections to be allowed. Why should an application be opened so that it can be connected to from outside?
  24. ultim (Registered Member)

    First, this only happens in the auto-learning mode, so it is not the default behavior of TinyWall. The goal of this learning mode is to make sure that programs that want to access the internet work correctly, so creating inbound rules is a must for server programs. When entering the learning mode, users already get a warning dialog about the dangers of this mode.

    Second, when TinyWall is installed, there are no firewall popups at all. So you cannot argue that Windows Firewall already has popups for this case.

    Third, it is still more secure than the Windows Firewall popup, because Windows Firewall wants to create an inbound rule whenever an application starts listening for connections. TinyWall will only create inbound rules if there has actually been at least one inbound connection. TinyWall will not create inbound rules if an application listens without actually receiving at least one connection.
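    The auto-learn policy described in posts #10, #19 and #24 (no exception for local-to-local traffic, outbound-only unless the program actually received an inbound connection, and no inbound rule for merely listening) can be simulated to see which rules it produces. The block below is an added example for this thread, not TinyWall's own code: the event model, the field names, the hypothetical executables and the sample events are all assumptions made for the illustration. A second function opens an inbound rule on listen alone, the prompt behaviour post #24 attributes to Windows Firewall, so the two policies can be compared on the same input.

```python
from __future__ import annotations
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Event:
    """One observed socket event (hypothetical model of what a learning mode sees)."""
    app: str     # image name of the process (constructed, not real programs)
    kind: str    # "connect" = outbound attempt, "listen" = bound socket,
                 # "accept" = an inbound connection was actually received
    remote: str  # peer address; "" for "listen", where there is no peer yet


# Constructed sample data, not a real capture.
LOCAL_ADDRS = {"192.168.1.10"}   # this machine's own interface address(es)
SAMPLE_EVENTS = [
    Event("browser.exe", "connect", "93.184.216.34"),
    Event("browser.exe", "connect", "127.0.0.1"),   # local proxy: local-to-local
    Event("server.exe", "listen", ""),
    Event("server.exe", "accept", "203.0.113.7"),   # a real inbound connection
    Event("idle.exe", "listen", ""),                # listens, never contacted
    Event("helper.exe", "connect", "192.168.1.10"), # talks to our own address only
]


def is_local_endpoint(addr: str, local_addrs) -> bool:
    """True when the peer is this machine: loopback or one of its own addresses."""
    if not addr:
        return True
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # hostnames never count as local here (assumption)
    return ip.is_loopback or addr in local_addrs


def learn_rules(events, local_addrs) -> dict:
    """Derive exceptions the way the thread describes 1.9.5 auto-learn:
    - traffic with both endpoints on this machine creates no exception;
    - merely listening creates no inbound rule;
    - an app that received at least one inbound connection gets in+out,
      every other app that reached out gets out only.
    Rule value: {"out": "*" or None, "in": "*" or None}; "*" = all ports (post #14)."""
    seen_out, seen_in = set(), set()
    for ev in events:
        if ev.kind == "listen":
            continue                                   # no rule for listening alone
        if is_local_endpoint(ev.remote, local_addrs):
            continue                                   # never left the machine
        if ev.kind == "connect":
            seen_out.add(ev.app)
        elif ev.kind == "accept":
            seen_in.add(ev.app)
    return {
        app: {"out": "*", "in": "*" if app in seen_in else None}
        for app in seen_out | seen_in
    }


def learn_rules_on_listen(events) -> dict:
    """Contrast: open an inbound rule as soon as an app listens, ignoring
    endpoint locality (the prompt behaviour post #24 attributes to Windows Firewall)."""
    rules = {}
    for ev in events:
        r = rules.setdefault(ev.app, {"out": None, "in": None})
        if ev.kind == "connect":
            r["out"] = "*"
        elif ev.kind == "listen":
            r["in"] = "*"
    return rules


if __name__ == "__main__":
    for name, rules in (("1.9.5-style auto-learn", learn_rules(SAMPLE_EVENTS, LOCAL_ADDRS)),
                        ("listen-triggered", learn_rules_on_listen(SAMPLE_EVENTS))):
        print(name)
        for app, r in sorted(rules.items()):
            print(f"  {app}: out={r['out']} in={r['in']}")
```

    Run on the sample events, the 1.9.5-style policy yields two exceptions (browser.exe outbound only, server.exe inbound and outbound) and nothing for idle.exe or helper.exe, whereas the listen-triggered policy opens an inbound rule for idle.exe that no peer ever used. That gap is exactly the attack surface post #24 argues the learning mode avoids.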
  25. alexandrud (Developer)

    Yes, for programs that want to access the internet. Not for programs from the internet that try to access your computer.
    But why would TinyWall need to accept inbound connections to my computer?
    Svchost.exe listens a lot and receives hundreds of inbound connections. Will you automatically create an inbound rule to allow everything for svchost.exe? How do you handle this case?

    In my opinion, creating inbound rules is a wrong thing. Even torrent clients don't require inbound rules for them. It is the developers task to design their applications to fit with Windows and also with Windows Firewall.

    I have a question. If the rules list is locked and the rules cannot be deleted or modified from WFwAS, when you install a new program, like uTorrent, which has a checkbox where the user allows it to auto-register itself with Windows Firewall, can this installer register a new rule, or is it denied by TinyWall?

    Nice work with TinyWall. It is good to have competition. :)