Free SPI capable firewall?

Discussion in 'other firewalls' started by RejZoR, Oct 21, 2007.

Thread Status:
Not open for further replies.
  1. SamSpade

    SamSpade Registered Member

    Joined:
    Oct 22, 2006
    Posts:
    415
    I don't see it advertized as SPI, so I'm assuming it is not. Do you know differently?



     
  2. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    A LinkSys router with ability to have Comodo/Jetico/Outpost automatically configure it would be one cool setup, eh?
     
  3. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    The nice thing about a router is that you don't have to do squat to it as far as configuration. Just let it do its job blocking inbound. If you need to open a port or two for p2p, just do it and close 'em when done. So much easier than messing with buggy software firewalls...
     
  4. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    I would have a nervous breakdown if I had to log into my router every time I used software that acted as a server :|

    Has anyone mentioned CHX-I? It can be used solely for its SPI abilities alongside an application firewall with no issues.
     
  5. Nubiatech

    Nubiatech Registered Member

    Joined:
    Aug 19, 2007
    Posts:
    50
    Location:
    IL, USA
    Both versions implement SPI.
     
  6. SamSpade

    SamSpade Registered Member

    Joined:
    Oct 22, 2006
    Posts:
    415
    Aha!! Truth be told. Now, what's this about "various levels of stateful packet inspection"?? Any short answers to that?
     
  7. DaveD

    DaveD Registered Member

    Joined:
    Jan 24, 2007
    Posts:
    54
    Very well said... like a breath of fresh air.

    I personally haven't used any software firewalls for quite some time now, relying only on my router. I don't miss the wasted days of software firewalls one bit.
     
  8. Alphalutra1

    Alphalutra1 Registered Member

    Joined:
    Dec 17, 2005
    Posts:
    1,160
    Location:
    127.0.0.0/255.0.0.0
    "Leak Protection" does absolutely nothing in helping protect you from inbound attacks.

    Cheers,

    Alphalutra1
     
  9. Nubiatech

    Nubiatech Registered Member

    Joined:
    Aug 19, 2007
    Posts:
    50
    Location:
    IL, USA
    I am not sure what "various levels of stateful packet inspection" is. People use these terms very loosely. I think the ambiguity comes from the fact that true SPI does not apply to connectionless protocols, e.g., UDP.

    I guess it is safe to assume that all the mainstream desktop personal firewalls implement SPI for stateful protocols (e.g. TCP) straightforwardly.
    But when it comes to UDP, there is no consensus as to what SPI-like or pseudo-SPI is.

    Another related forum topic: Jetico 2: SPI & ARP SPI effectiveness?
     
  10. Alphalutra1

    Alphalutra1 Registered Member

    Joined:
    Dec 17, 2005
    Posts:
    1,160
    Location:
    127.0.0.0/255.0.0.0
    No, it's not, because not all of them do, as I said in a previous post.
    Pretty much the only type of "SPI" you can use for UDP and ICMP is to keep a certain time window open for packets to be allowed in as a response to packets sent out from your computer, as I said in a previous post.

    Cheers,

    Alphalutra1
     
    Last edited: Oct 27, 2007
  11. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    It is actually the firewall vendors that change this terminology (or should I say "implementation"). It is a case of the depth (or what you call the level) at which inspection is made.
    My personal opinion of SPI is that the firewall should check (for TCP) all header info: IP/ports/flags/sequence numbers. Anything less, for me, is not (full) SPI.

    UDP header info is limited, but still this can be controlled with (header) info such as IP/port. This can be extended (as already mentioned) by the inclusion of a timeout for the reply.

    As for ICMP, this requires inspection of what is allowed out. For example, if a "PING" is allowed out, then certain replies need to be allowed, such as "Ping reply" and "timeout". (Yes, before anyone attempts to correct me: we can look at this as "echo request", "echo reply".)
     
    Last edited: Oct 27, 2007
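    The "time window" pseudo-SPI for UDP and ICMP that Alphalutra1 and Stem describe above, as an added illustration that is not code from this thread or from any of the firewalls discussed in it. The class name, the timeout values and the sample addresses are constructed for the example; only an outbound echo request opens an ICMP window, and the reply types it admits follow Stem's "ping reply" / "timeout" pairing.

```python
# Added example, not code from the thread or from any firewall discussed in it.
# It models the "time window" pseudo-SPI the posts describe for connectionless
# protocols: an inbound UDP or ICMP packet is accepted only if it answers something
# this host sent out recently. Class name, timeouts and addresses are constructed.

ICMP_ECHO_REPLY, ICMP_DEST_UNREACH, ICMP_ECHO_REQUEST, ICMP_TIME_EXCEEDED = 0, 3, 8, 11
# Error replies are sent by whichever router generated them, so only the echo
# reply itself is required to come from the host that was pinged.
ICMP_ERRORS = {ICMP_DEST_UNREACH, ICMP_TIME_EXCEEDED}


class PseudoStatefulFilter:
    def __init__(self, udp_timeout=30.0, icmp_timeout=5.0):
        self.udp_timeout = udp_timeout
        self.icmp_timeout = icmp_timeout
        self.udp_state = {}   # (remote_ip, remote_port, local_port) -> expiry time
        self.icmp_state = {}  # icmp_id -> (pinged_ip, expiry time)

    def udp_out(self, remote_ip, remote_port, local_port, now):
        """Record an outbound datagram and open a reply window for it."""
        self.udp_state[(remote_ip, remote_port, local_port)] = now + self.udp_timeout

    def udp_in(self, remote_ip, remote_port, local_port, now):
        """Pass only a reply to an unexpired outbound datagram; anything else drops."""
        key = (remote_ip, remote_port, local_port)
        expiry = self.udp_state.get(key)
        if expiry is None:
            return False
        if now > expiry:
            del self.udp_state[key]  # the window has closed; forget the entry
            return False
        return True

    def icmp_out(self, remote_ip, icmp_type, icmp_id, now):
        """Only an outbound echo request ("PING") opens a window."""
        if icmp_type == ICMP_ECHO_REQUEST:
            self.icmp_state[icmp_id] = (remote_ip, now + self.icmp_timeout)

    def icmp_in(self, remote_ip, icmp_type, icmp_id, now):
        """Echo reply from the pinged host, or an ICMP error about the probe, inside the window."""
        entry = self.icmp_state.get(icmp_id)
        if entry is None or now > entry[1]:
            self.icmp_state.pop(icmp_id, None)
            return False
        pinged_ip = entry[0]
        if icmp_type == ICMP_ECHO_REPLY:
            return remote_ip == pinged_ip
        return icmp_type in ICMP_ERRORS
```

    An unsolicited inbound datagram, an inbound echo request, or a reply arriving after the window has closed all fall through to the default deny, which is the whole of the protection this scheme gives for connectionless traffic.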
  12. SamSpade

    SamSpade Registered Member

    Joined:
    Oct 22, 2006
    Posts:
    415

    So it doesn't offer "something"? To use the same CPF 2.4 iteration: it must offer some level of inbound protection, no?



     
  13. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Any background/verification for that?
     
  14. Nubiatech

    Nubiatech Registered Member

    Joined:
    Aug 19, 2007
    Posts:
    50
    Location:
    IL, USA
    From Comodo 2.4 user guide:
    As far as verification, I could only offer my own experience with CPF2.4, which doesn't mean much.
     
  15. Nubiatech

    Nubiatech Registered Member

    Joined:
    Aug 19, 2007
    Posts:
    50
    Location:
    IL, USA
    AFAIK, even Tiny Personal Firewall was an SPI firewall. Can you give me an example of a current "personal firewall" that isn't TCP-SPI capable?

    Is this the same terminology as "deep packet inspection" or "Layer 3/4" or even "Layer 7" inspection?
    For example, what term would be best to describe SPI support for active and passive FTP?
     
  16. ggf31416

    ggf31416 Registered Member

    Joined:
    Aug 20, 2006
    Posts:
    314
    Location:
    Uruguay
    PCTools v2, but I'm not sure if I can call it current
     
  17. Alphalutra1

    Alphalutra1 Registered Member

    Joined:
    Dec 17, 2005
    Posts:
    1,160
    Location:
    127.0.0.0/255.0.0.0
    Well, seeing as the old Tiny Personal Firewall was the exact same thing as Kerio 2.1.5, and the newer Tiny Personal Firewall was more advanced for its time, I would assume so ;). And as I have said in a previous post, if you read carefully, Ghostwall is one, and Look'n'Stop has an option that you can enable that used to not be enabled by default. I am sure there are plenty of others, but I will let you google for the information.
    Let me encourage you to think logically for a minute. What does "leak protection" do? It offers monitoring of all the sneaky ways an application already on your computer will try to connect out, then asks you if you want it to connect outbound. How would this help in inbound protection? It doesn't. Some of the best firewalls in the world have no leak protection, and I would rather have them protect me than other products, since I will use my common sense and other software to prevent me from ever acquiring any bad malware or malicious software.

    Cheers,

    Alphalutra1
     
  18. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    This is packet content checking. Packets are checked for being malformed, etc.
    Each layer represents various protocols. Example:
    Layer 7 (Application Layer) is for DHCP DNS FTP HTTP HTTPS (and many others)
    Layer 3 (Network Layer) is for ICMP IGMP GRE (and others)
    Layer 4 (Transport Layer) is for TCP UDP (and others)

    If for example, you wanted the firewall to control/filter ARP, then this would need to filter Layer 2 (Data link Layer)

    This is really an add-on; this is usually where a rule can be put in place to only allow the connection to remote port 21, and any other ports needed are then allowed based on this one rule. Such a rule is needed mainly in packet filters (no application control), so that an open rule for FTP does not need to be created; the ports are only allowed while the rule is active.
     
  19. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Your experience means a lot to me. Thanks for the swift & concise information. Aloha to thee & thine.
     
  20. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    I think in the new COMODO Firewall Pro beta the application filter has a direct relation to the network filter thus adding automatic protection against inbound attacks without requiring network filter rules :D
     
  21. Coolio10

    Coolio10 Registered Member

    Joined:
    Sep 1, 2006
    Posts:
    1,124
    AJohn you stole my job! Yes. Incoming connections are now alerts. Which means easier port setup for p2p apps.
     
  22. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    That is not fair! They don't pay me :(

    JK :D

    Nice feature though, eh?
     
  23. Alphalutra1

    Alphalutra1 Registered Member

    Joined:
    Dec 17, 2005
    Posts:
    1,160
    Location:
    127.0.0.0/255.0.0.0
    Firewalls are getting to be way more bloated and contain too many things than they are supposed to these days, in my opinion, but I still don't see how that is "leak proofing" or original. Windows' built-in firewall already will ask if you want to allow an app to accept connections, and so do ZoneAlarm and such when they ask if you want the app to act like a "server", i.e. listen on a port and receive connections.

    First of all, the poster referenced version 2.4 of comodo, not the beta version.

    Also, that sounds like a major pain in the you know what if every single incoming connection becomes an alert, and I would be very tempted to kill someone after the first 100 random bot scans that hit my computer.

    Anyways, leak tests only involve trying to establish a connection outbound by any means possible, through various tactics such as hooking and injection. I don't see how this has anything to do with choosing which app has the ability to accept connections on a port, so the "leak proofing" doesn't really apply for inbound protection unless I am missing something, which I probably am since I don't follow all this fancy smanzy stuff these days :p (pf forever :D ), but feel free to enlighten me.

    Cheers,

    Alphalutra1
     
  24. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    :D :
     

    Last edited: Oct 28, 2007
  25. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Once I get my hands on it, I will most likely put Global rules to deny inbound just as before.
    Good that App control now has SPI on its own, but I don't want alerts from inbound. When I need it, I'll know what to do.

    Alphalutra1, re leaktests, you're right of course, it's outbound.
     