Free SPI capable firewall?

Discussion in 'other firewalls' started by RejZoR, Oct 21, 2007.

Thread Status:
Not open for further replies.
  1. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Yes, & the same is true for Ghostwall -- free & excellent. Windows firewall & Ghostwall are incoming protection only, however.
     
  2. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Unless I am mistaken, almost EVERY software firewall uses some form of SPI, else it wouldn't know what to allow back in. There are probably better and lesser implementations, Stem obviously knows a lot about that, but I think pretty much any Vista compatible firewall will do the trick.
     
  3. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    I have not tested if Ghostwall performs SPI filtering or not. There's a difference between "basic" SPI (inspecting the three-way handshake) and deep inspection of packets (more flags than SYN, other protocols, content inspection, etc) :)
     
  4. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    Unless you are a road warrior with a notebook, why not let your router do the heavy lifting?
     
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I posted in this thread!
     
  6. Nubiatech

    Nubiatech Registered Member

    Joined:
    Aug 19, 2007
    Posts:
    50
    Location:
    IL, USA
    Agree. However, firewalls differ on implementation of SPI-like handling of stateless protocols.
     
  7. Alphalutra1

    Alphalutra1 Registered Member

    Joined:
    Dec 17, 2005
    Posts:
    1,160
    Location:
    127.0.0.0/255.0.0.0
    Actually, Ghostwall is stateless; the same applies to some other firewalls such as Kerio 2.1.5 (Kerio 2.1.5 does use SPI according to its help file, I was wrong), and for Look 'n' Stop it is an option you can accept to use. Usually an easy way to see if it is stateful or not is how many rules you have, with stateful generally having much fewer rules, but I will let the OpenBSD PF FAQ do a much better description than I can write:

    However, there are also some forms of "pseudo-SPI" which are used for stateless protocols like UDP and ICMP: the firewall keeps track of how long it has been since a packet left the PC and only lets another packet in from the address it was bound to within a certain window, and this window can usually be lengthened or shortened.

    Cheers,

    Alphalutra1
     
    Last edited: Oct 24, 2007
  8. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Alphalutra1,
    Thanks for confirming my suspicions about Ghostwall :)
    A stateful firewall isn't more secure than a stateless firewall.
     
  9. ggf31416

    ggf31416 Registered Member

    Joined:
    Aug 20, 2006
    Posts:
    314
    Location:
    Uruguay
    Are you sure that Kerio 2.1.5 is not a SPI firewall?
    It can distinguish between incoming and outbound connections. That needs SPI or at least 'pseudo-SPI'.
     
  10. Alphalutra1

    Alphalutra1 Registered Member

    Joined:
    Dec 17, 2005
    Posts:
    1,160
    Location:
    127.0.0.0/255.0.0.0
    Yes, I am pretty sure (edit: according to the help file it seems like it does have it, so I was wrong). SPI is not just being able to look at packets and see whether they are inbound or outbound. It is keeping information about a TCP connection in a table, so that all the packets from your computer as well as those from the other person's computer that you are connected to can be allowed to pass through the firewall without having to be processed through rules, thus making it faster and more secure.

    Pseudo-SPI is for stateless protocols, which includes ICMP and UDP, but not TCP.

    Cheers,

    Alphalutra1
     
    Last edited: Oct 24, 2007
  11. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    @Alphalutra1- An informative & educational post. THANK you very much!
     
  12. 12fw

    12fw Registered Member

    Joined:
    Sep 12, 2006
    Posts:
    111
    Location:
    Canada
    It does say this in the Kerio 2.1.5 Help file under the Security Settings:

    How does Kerio Personal Firewall work?
    All communication on the Internet is carried out using TCP/IP protocol set. These protocols are usually also used for communication within local networks. The main (carrier) protocol is IP (Internet Protocol), whose packets carry all other information (they enclose other protocols). A true firewall must have complete control over all IP packets — that is, it must be able to catch them, find all necessary information within them and then let them pass or filter them. And, of course, it must be able to keep record of all performed actions, detected attacks, etc.

    The main principle behind a firewall such as KPF is stateful inspection. This means that a record is made on every packet going from your computer and only a packet corresponding with this record is let pass back through. All other packets are dropped. This ensures that Personal Firewall only allows communication initiated from within the local network.

    The user / administrator can further specify conditions for packet filtering in filtering rules. Only packets complying with given criteria are accepted.

    However, whether this is just packet inspection or stateful packet inspection, I do not know.

    12fw
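The mechanism Alphalutra1 describes in posts 7 and 10 (a TCP connection table that lets handshake and data packets pass without a rule lookup, plus a reply time window for UDP and ICMP) and the behaviour quoted from the Kerio help file just above ("a record is made on every packet going from your computer and only a packet corresponding with this record is let pass back through"), as a runnable toy in Python. This is an added example and my own code, not Ghostwall's, Kerio's or CHX-I's; the addresses, ports and timestamps are constructed, the window lengths are illustrative, and the `inbound_allow` server-port rule and the `drop_fragments` switch are my own additions to show the two cases raised later in the thread (applications that must act as a server, and the fragmented-packet option):

```python
"""Toy stateful packet filter: a TCP state table, a time-window "pseudo-SPI"
for UDP/ICMP and a fragment policy. All traffic below is constructed."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    sport: int                      # for icmp: the echo identifier
    dst: str
    dport: int                      # for icmp: the echo identifier
    direction: str                  # "out" (leaving this PC) or "in"
    flags: frozenset = frozenset()  # TCP flags, e.g. frozenset({"SYN"})
    frag_offset: int = 0            # non-zero => not the first fragment
    more_frags: bool = False        # MF bit set => packet is a fragment
    t: float = 0.0                  # seconds; constructed, no real clock

class StatefulFilter:
    def __init__(self, udp_window=30.0, icmp_window=5.0, drop_fragments=True,
                 inbound_allow=()):
        self.windows = {"udp": udp_window, "icmp": icmp_window}
        self.drop_fragments = drop_fragments
        self.inbound_allow = set(inbound_allow)  # (proto, local port) server rules
        self.tcp = {}     # flow key -> [state, direction that sent the SYN]
        self.pseudo = {}  # flow key -> time of the last outbound packet

    @staticmethod
    def _key(p):
        # Local endpoint first, so both directions of a flow share one entry.
        if p.direction == "out":
            return (p.proto, p.src, p.sport, p.dst, p.dport)
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def filter(self, p):
        if p.frag_offset or p.more_frags:
            # No transport header to match against state: drop, or pass uninspected.
            return "DROP fragment" if self.drop_fragments else "PASS uninspected"
        return self._tcp(p) if p.proto == "tcp" else self._pseudo(p)

    def _tcp(self, p):
        key = self._key(p)
        entry = self.tcp.get(key)
        if entry is None:
            # Only a SYN opens a flow: outbound always, inbound only to a server port.
            if p.flags == {"SYN"} and (p.direction == "out" or
                                        ("tcp", p.dport) in self.inbound_allow):
                self.tcp[key] = ["SYN_SENT", p.direction]
                return "PASS new"
            return "DROP no state"
        state, initiator = entry
        from_initiator = p.direction == initiator
        if "RST" in p.flags:
            del self.tcp[key]
            return "PASS reset"
        if state == "SYN_SENT" and not from_initiator and p.flags == {"SYN", "ACK"}:
            entry[0] = "SYN_RECV"
            return "PASS handshake"
        if state == "SYN_RECV" and from_initiator and p.flags == {"ACK"}:
            entry[0] = "ESTABLISHED"
            return "PASS handshake"
        if state in ("ESTABLISHED", "HALF_CLOSED"):
            # Handshake recorded: packets pass without a rule lookup.
            if "FIN" in p.flags:
                if state == "HALF_CLOSED":
                    del self.tcp[key]     # both sides closed: forget the flow
                else:
                    entry[0] = "HALF_CLOSED"
            return "PASS established"
        return "DROP out of state"

    def _pseudo(self, p):
        key = self._key(p)
        if p.direction == "out":
            self.pseudo[key] = p.t        # (re)open the reply window
            return "PASS new"
        last = self.pseudo.get(key)
        if last is not None and p.t - last <= self.windows.get(p.proto, 0.0):
            return "PASS reply"
        self.pseudo.pop(key, None)        # never opened, or window expired
        return "DROP no state"

def demo():
    # Constructed traffic (TEST-NET addresses) run through one filter instance.
    fw = StatefulFilter(udp_window=30.0, icmp_window=5.0)
    me, peer, dns = "192.0.2.10", "198.51.100.7", "192.0.2.53"
    S, SA, A = frozenset({"SYN"}), frozenset({"SYN", "ACK"}), frozenset({"ACK"})
    traffic = [
        Packet("tcp", me, 40000, peer, 80, "out", S, t=0.0),
        Packet("tcp", peer, 80, me, 40000, "in", SA, t=0.1),
        Packet("tcp", me, 40000, peer, 80, "out", A, t=0.2),
        Packet("tcp", peer, 80, me, 40000, "in", A, t=0.3),   # data: no rule lookup
        Packet("tcp", peer, 4444, me, 445, "in", S, t=1.0),   # unsolicited SYN
        Packet("udp", me, 50000, dns, 53, "out", t=2.0),
        Packet("udp", dns, 53, me, 50000, "in", t=2.5),       # inside the window
        Packet("udp", dns, 53, me, 50000, "in", t=40.0),      # window expired
        Packet("icmp", me, 7, peer, 7, "out", t=50.0),        # echo request
        Packet("icmp", peer, 7, me, 7, "in", t=51.0),         # echo reply
        Packet("tcp", peer, 80, me, 40000, "in", A, frag_offset=185, t=60.0),
    ]
    return [fw.filter(p) for p in traffic]
```

`demo()` returns one decision per constructed packet, in order: the handshake, the data packet and the in-window UDP and ICMP replies pass, while the unsolicited inbound SYN, the late UDP reply and the fragment are dropped. The fragment case is what the "disallow fragmented packets" option discussed further down buys: a non-first fragment carries no port numbers or flags to check, so a filter that lets it through is, for that packet, not inspecting anything.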
     
  13. Alphalutra1

    Alphalutra1 Registered Member

    Joined:
    Dec 17, 2005
    Posts:
    1,160
    Location:
    127.0.0.0/255.0.0.0
    Sounds like SPI to me, so I was wrong about Kerio 2.1.5 then.

    Man, I wonder why people use so many friggin' rules with it then? Seems to just overcomplicate matters if you ask me, but always be cognizant when you use Kerio 2.1.5 of the fragmented packet vulnerability (any fragmented packet will not be inspected :doubt: )

    Cheers,

    Alphalutra1
     
  14. 12fw

    12fw Registered Member

    Joined:
    Sep 12, 2006
    Posts:
    111
    Location:
    Canada
    "By setting the proper MTU for remote hosts, Windows avoids generating fragmented packets, which reduce performance and increase the chance of lost data and retransmissions. Fragmented packets can be a security risk as well; fragmented packet handlers are a ripe source of buffer overflows, and the ability to filter out fragments at the border can reduce a lot of attacks. Path MTU Discovery should be left enabled but will require ICMP type 3, code 4 to be routed through the firewalls. Use the following registry keys to set this value:

    HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnablePathMTUDiscovery (REG_DWORD):
    1 = Enabled (default, recommended)
    0 = Disabled

    A value of 0 sets the MTU size to 576 bytes for all traffic outside of configured local subnets. Additionally, with this setting, Windows will not honor requests to change the MTU."

    http://www.microsoft.com/technet/security/guidance/networksecurity/legsgch3.mspx

    Does this help to prevent fragmented packets from entering?
    12fw
     
  15. Alphalutra1

    Alphalutra1 Registered Member

    Joined:
    Dec 17, 2005
    Posts:
    1,160
    Location:
    127.0.0.0/255.0.0.0
    This is a bit off-topic, but I didn't want to just answer in a PM and leave everyone else wondering so:
    No, if you read what it says:
    The key word is generating. No matter what, the fragmented packets will enter and directly be processed by Windows. There is a registry tweak that will cause Windows to drop all fragmented packets.
    But the packets still have to be processed, and this could lead to a possible DDoS if an exploit is discovered in how Windows processes packets. You may think this impossible, but one of OpenBSD's only two remote holes in its lifetime came from incorrect handling of ICMP6. If you are behind a router, don't worry, the router will catch everything, but if you are just using Kerio 2.1.5, then you could possibly run CHX-I v 2 and just check the disallow fragmented packets box or run a filtering setup through its much better SPI.

    Cheers,

    Alphalutra1
     
  16. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    Looks like that is only for NT and 98.
     
  17. 12fw

    12fw Registered Member

    Joined:
    Sep 12, 2006
    Posts:
    111
    Location:
    Canada
    Thank you Alphalutra1

    12fw
     
  18. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    Vista introduced "outgoing" protection. XP is incoming only.

    A free SPI capable firewall? Low resource usage?

    How about "zero" PC resource usage? Check out many of the FREE linux router distros out there. Quite a few of them have deep SPI, as well as added antivirus scanning and spam removal. And...they'll outperform any off the shelf router you can purchase for under 5 thousand bucks. For those of you who worry about routers slowing down your connection, or constantly having to power cycle your router because it locks up under heavy usage (those P2P/torrent users :cautious: )
    www.ipcop.org
    www.copfilter.org
    www.endian.it
    and my favorite... www.untangle.com
     
  19. mikeo1313

    mikeo1313 Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    108
    Don't most routers handle SPI well enough??

    Do you really also need a software SPI if your router does SPI?? Is there a marginal benefit?? How/why??
     
  20. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    2 things:

    1- who tests routers?

    2- laptops
     
  21. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    I would rather be able to configure my software firewall for applications that need to act as a server (gaming) rather than have to edit the router's settings each time I install something with new requirements. I believe that is one big advantage of software firewalls over routers.
     
  22. EricEgan

    EricEgan Registered Member

    Joined:
    May 3, 2007
    Posts:
    22
    For a really good place to check out how firewalls stand up to leak testing etc., go to: www.matousec.com

    Eric
     
  23. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    I'm the other way around...to me, admin of a router is much easier than naggy software firewalls. Plus..the router gives my PCs NAT...it will not fail as a service..which some software firewalls can do. So...my PC won't suddenly be unprotected one day..the hardware NAT is always there hiding it.
     
  24. SamSpade

    SamSpade Registered Member

    Joined:
    Oct 22, 2006
    Posts:
    415
    From what I understand Comodo 2.4 is *not* SPI, but Comodo 3 *is*/will be in release format.

    Question: how important is SPI? For example, if running CPF 2.4, what dangers exist if it does not have SPI? Doesn't the high level of leak-prevention of 2.4 offer something, even if technically not an SPI firewall??
     
  25. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Why do you think it's not?
     