Need a good firewall -- not a crapwall

Discussion in 'other firewalls' started by comma dor dash, Sep 23, 2007.

Thread Status:
Not open for further replies.
  1. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,637
    A moderator at Wilders advised me to stop calling you a "troll". I agree.

    This is a rule set ready to import.
    This rule set was created to be used in almost any configuration, from a standalone PC to a local network.

    The other purpose of this rule set is to provide rules based on the Requests for Comments as the standard.

    And finally, it allows almost any application to be used with LnS, and gives an easy way to create new rules for applications such as VoIP, games, etc.

    Like any software, LnS requires a learning curve.
    IMHO this rule set helps users understand the "how to" easily.
    Each rule is commented and I'm always ready to answer questions about it...

    Insecure? A better rule set?
    By Jove! LnS allows you to create rules at a very low level, including Ethernet packets.
    Isn't that "granular" enough?


    Okay.
    It's time here to say something about this so-called distinction between "software firewall" and "hardware firewall".
    For many people, "HW FW" are better than "SW FW" because "HARDware" looks stronger than "SOFTware"...
    Hard is stronger than soft, therefore it's better: right? WRONG.

    A hardware firewall, or to be more accurate, a FW in a router, IS a SOFTware firewall.
    This software is embedded in the router. PERIOD.

    The only advantage of a router (as a security device) is to add another security layer to your system,
    and this is a good idea. Not because it's "HARD" but because it's a supplemental LAYER.
    And I recommend it even for a standalone PC. Just in case. Right?

    No Sir. This rule is reasonably secure because the rule is triggered only by the email client, only from the standard local ports, to the standard remote ports, and, if you want it, the IP addresses of the POP3 and SMTP servers may be added to this rule.

    I have two remarks about this:

    1- The security value of this rule depends not only on the parameters of that rule
    but also on the other rules in the rule set (and the stateful packet inspection too).

    Rule set FWs are not a collection of independent rules like potatoes in a bag;
    they are to be understood as a logical list of rules working in a logical way.

    Like any rule set FW in the universe:

    Each rule is the logical equivalent of a universal proposition in mathematical logic:
    it's a combination of criteria linked by a logical AND.
    Each packet examined is compared to the rule's criteria.
    If all criteria match all characteristics of the packet, then that rule is applied to this packet.
    Else the next rule is used to parse this packet, until a rule matches the examined packet.

    The logical relation between the rules is a continuous XOR, therefore one rule and only one is applied per packet.

    And like any rule set FW, there is at least a final and mandatory rule to catch all "outlaw" packets...

    2- Computer security is based upon layered defenses.

    Do you rely only on the FW to protect your email client? For sure not.
    The client has to be updated, the security parameters must be correct.
    Your email has to be protected against viruses with an AV, and it's also a good idea to have an anti-spam.
    And so on... The security of email relies on many security layers, not only the FW.


    A FW is ONE of the protection layers, not a "Swiss knife".
    And certainly not a HUGE patch for a badly coded operating system.

    The Matousec tests are interesting, but they have to be understood as experimental leak tests assuming that a FW is the only layer present in the checked system. This also includes the absence of the most important factor in security:
    the user himself and his common sense. (The Safe-Hex)

    Matousec people believe that a FW MUST also HAVE the functions of a HIPS.
    I don't agree with this, especially if n00bZ rely on this to choose a FW.

    I'm an "old Unix monkey" and I still believe that each tool of an O.S. must do ONE specific job.
    I prefer to base my system security on different security programs instead of one "security suite"
    or any "all in one" software. I never put all my eggs in the same basket...

    "Security is not a product, it's a process," says Bruce Schneier.

    No security system is 100% safe. Not one. But the most important factor is the user himself and his common sense.
    The lack of common sense drives some people either the way of the interNUT or the way of the CyberParanoiac, and both are dead ends for security matters.


    I already answered these issues.

    I created a rule set allowing REASONABLE security as far as the FW is concerned.

    As far as I'm concerned, it's easy for any LnS user to create such a "granular" rule in two minutes.
    The fun with rule set FWs is to allow users to choose the level of "granularity" of their rules.
    There is a "learning mode" in such FWs: the learning curve of the user himself.
    I'm sure a skilled LnS user may create such a granular rule in a few steps.

    If not, there is the official forum at Wilders. Problem resolution rate near 100%. Free.

    Best regards,

    :)
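The rule-set semantics described in the post above (each rule an AND of criteria, rules tried in order until one matches, exactly one rule applied per packet, a mandatory catch-all at the end, and the email-client rule bound to the application, the local port range, the remote ports and the server addresses), as an added example that is not part of the original post and is not Look 'n' Stop's own code: a small first-match packet filter in Python. The application names, the mail server address 192.0.2.10 (a documentation address), the rule names and the sample packets are constructed for illustration, and the LnS rule file format is not reproduced.

```python
# Added example, not code from the original thread or from Look 'n' Stop:
# a minimal first-match packet filter with the semantics the post describes.
# Application names, the mail server address 192.0.2.10 (a documentation
# address) and the sample packets are constructed for illustration.
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    app: str          # process that owns the socket, as the FW sees it
    proto: str        # "tcp" or "udp"
    direction: str    # "out" or "in"
    local_port: int
    remote_port: int
    remote_ip: str


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                   # "allow" or "deny"
    app: Optional[str] = None                     # None = any application
    proto: Optional[str] = None                   # None = any protocol
    direction: Optional[str] = None               # None = either direction
    local_ports: Optional[range] = None           # None = any local port
    remote_ports: FrozenSet[int] = frozenset()    # empty = any remote port
    remote_ips: FrozenSet[str] = frozenset()      # empty = any remote address

    def matches(self, pkt: Packet) -> bool:
        """All criteria are ANDed; a criterion left unset matches anything."""
        return (
            (self.app is None or self.app == pkt.app)
            and (self.proto is None or self.proto == pkt.proto)
            and (self.direction is None or self.direction == pkt.direction)
            and (self.local_ports is None or pkt.local_port in self.local_ports)
            and (not self.remote_ports or pkt.remote_port in self.remote_ports)
            and (not self.remote_ips or pkt.remote_ip in self.remote_ips)
        )


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Walk the list in order; the first rule whose criteria all match
    decides the packet and no later rule is consulted.  The list must end
    with a catch-all so that no packet can fall off the end unmatched."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    raise ValueError("rule set has no catch-all rule")


def never_applied(rules: List[Rule], packets: List[Packet]) -> List[str]:
    """Names of rules that decided none of the given packets.  Run over
    representative traffic, this exposes a rule that a broader rule placed
    earlier in the list has silenced."""
    hit = {evaluate(rules, p)[1] for p in packets}
    return [r.name for r in rules if r.name not in hit]


EPHEMERAL = range(1024, 65536)   # standard local (source) ports for a client

# Constructed rule set: the email-client rule from the post, then the
# mandatory final rule that catches every packet nothing above matched.
RULES: List[Rule] = [
    Rule("mail client to POP3/SMTP", "allow",
         app="mailclient.exe", proto="tcp", direction="out",
         local_ports=EPHEMERAL, remote_ports=frozenset({25, 110}),
         remote_ips=frozenset({"192.0.2.10"})),
    Rule("catch-all", "deny"),
]

# Constructed sample traffic: one packet the mail rule should pass and
# four that differ from it in exactly one criterion or are unsolicited.
SAMPLE_PACKETS: List[Packet] = [
    Packet("mailclient.exe", "tcp", "out", 50123, 110, "192.0.2.10"),   # POP3 fetch
    Packet("mailclient.exe", "tcp", "out", 50124, 80, "192.0.2.10"),    # same app, wrong port
    Packet("browser.exe", "tcp", "out", 50125, 110, "192.0.2.10"),      # wrong application
    Packet("mailclient.exe", "tcp", "out", 50126, 25, "198.51.100.7"),  # SMTP to unlisted server
    Packet("unknown.exe", "tcp", "in", 135, 40000, "203.0.113.5"),      # unsolicited inbound
]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        action, name = evaluate(RULES, p)
        print(f"{p.app:16} {p.proto}/{p.direction:3} :{p.local_port:<5} -> "
              f"{p.remote_ip}:{p.remote_port:<5} {action:5} ({name})")
```

Running the block prints one decision per constructed packet: only the first is allowed, the other four fall through to the catch-all. Prepending a broad `deny all tcp out` rule to the same list makes `never_applied()` report the mail rule, which is the sense in which one rule's security value depends on the rest of the list and not only on its own parameters.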
     
  2. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    Unless you have a notebook and use public Wifi, I consider a router to be mandatory.

    I honestly doubt the average user could contend with either of the HIPS utilities you mention. The main problem is that these things are not smart. The HIPS does not know if the activity is from a harmless program or malware, so the user is presented with frequent confusing prompts and has an excellent chance of messing things up. The same could be said of the Jetico firewall.

    If you have Vista, just leave UAC on. The possibility of user confusion exists here as well, but it is an order of magnitude less complex than any HIPS. While very few XP users do it, XP should be run from a limited account. The problem is that Microsoft made it difficult to do, and a lot of tweaking is necessary to get a limited account to work right.

    The ultimate resource for running with limited privileges:

    http://nonadmin.editme.com/
     
  3. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,637
    Hi Diver :)

    Totally agree with this. :thumb:

    :)
     
  4. ktango

    ktango Registered Member

    Joined:
    Dec 7, 2006
    Posts:
    39
    A safe LNS ruleset allows svchost.exe to establish outgoing connections.
     

    Attached Files:

  5. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,637
    Hi ktango :)

    Just one remark:

    This application setup denies TCP access to all remote ports for svchost.

    How can you run Windows Update with this?
    IMHO access to ports 80 (HTTP) and 443 (HTTPS) is required.

    :)
     

    Attached Files:

    Last edited: Sep 26, 2007
  6. ktango

    ktango Registered Member

    Joined:
    Dec 7, 2006
    Posts:
    39
    Hi Climenole

    Thank you for teaching me a lot of LNS knowledge. :thumb:

    I allow ports 80 (HTTP) and 443 (HTTPS) if Windows Update is required.
     
  7. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,637
    Hi Ktango :)


    You're welcome Ktango. :)
     
  8. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Have a look at Jetico; both version 1 (free) and version 2 (licensed) will give you this control.

    Example from Jetico 1

    Firefox outbound connection attempt:

    Popup from Jetico, with options to Allow / Block / Handle as (use template) / or edit the rule

    [screenshot: popup.JPG]

    If you select edit, then a popup with these options:

    [screenshot: edit rule.JPG]

    Jetico 2's editor is a little more advanced.

    Regards,
     
  9. comma dor dash

    comma dor dash Registered Member

    Joined:
    Jun 5, 2005
    Posts:
    146
    1.
    Will try Jetico and ZAP.

    2.
    Apparently, I'm not the only one who has problems with Outpost: http://www.outpostfirewall.com/forum/showthread.php?t=18176&page=10

    Cr*p ;)

    3.
    @Climenole

    I partially agree with your statements re HW routers, security concepts etc. But I will not make any comments because this would be off topic.

    It seems to me that we agree that "my" rule for the email client is more granular than "yours". You believe that your less granular rule is reasonably safe. I believe it is not safe enough. Maybe you need less security than I do (e.g., you do not seem to be afraid of MS phoning home and therefore suggest creating MS autoupdate rules). Maybe you are careless. Or maybe I am paranoid. Doesn't matter. Everybody can individually decide whether s/he needs granular rules or not.

    From my perspective, the most important statement is: "As far as I'm concerned, it's easy for any LnS user to create such "granular" rule in two minutes." Based on my experience with LnS, I believe that this is a fair estimate. By contrast, I need about 5 seconds to create such a rule with KAH or Outpost.

    I want to have granular rules. But I am not going to waste 2 minutes creating a single rule. Taking into account the number of rules I need, it would take me more than an hour to set up the firewall. This is completely unacceptable to me. Too burdensome. Painful. In my opinion, there is a significant risk that LnS users will NOT use granular rules because it is so burdensome to create them (i.e., the bad GUI of LnS causes insecurity).
     
  10. comma dor dash

    comma dor dash Registered Member

    Joined:
    Jun 5, 2005
    Posts:
    146
    Have tried Jetico.

    First impression: very bad. The entire GUI is not intuitive at all. I would actually have to read the manual in order to understand it. Why is that? Why do they need to implement a strange, clumsy GUI that reminds me of good ol' Tiny Personal Firewall (after it became a flawed system firewall)? Why are there so many pre-configured rules? How do I get rid of them? I want a clean start.

    If I can't find a better, more intuitive wall, I may look at Jetico in more detail. At least it allows you to create on-the-fly rules. In the Jetico forum there are many complaints about instability. Has this been fixed? For sure??
     
  11. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    It has been a few years since I used Jetico (since I got the router I left software firewalls behind, pretty much). It has always been slightly awkward, and yes, the interface is pretty bizarre at first glance. But once you work with it for a while, it becomes more "normal".. :)

    If it's not for you, then I pretty much think that the only other one where you can do rules like you want is probably good old Kerio 2.1.5. It certainly had the killer interface; I loved it. I did try it recently and noticed some oddities in XP that I never saw in 2k, though. I was wondering why you will not use it, but I guess you have your reasons. If it's just Kerio's age, though, I wouldn't let that stop me from using it. Basic firewall functionality doesn't change much with time, and you don't seem that interested in all the leak-test stopping features in the newer ones...
     
  12. comma dor dash

    comma dor dash Registered Member

    Joined:
    Jun 5, 2005
    Posts:
    146
    Have installed Zone Alarm Pro on a virtual machine. After I rebooted the machine... the first DAMN thing ZAP wants to do is phone home. This is crazy!! I want to install a firewall in order to prevent phoning home and now this crap wall itself acts like spyware.

    Have removed all pre-configured rules (they are cr*p anyway). Rebooted the machine. And AGAIN ZAP wants to phone home. And no ZAP alert window pops up. It does not ask me for my permission (although there is a question mark and not a green exclamation mark set for the ZAP client).

    Now I have manually blocked ZAP from connecting to the net. An alert window pops up and asks me not to do this (because this would disable the autoupdate function). I do it nevertheless and reboot the machine. The block rule is in place. But again, ZAP tries to connect to the internet.

    This firewall is DAMN SPYWARE.
     
  13. comma dor dash

    comma dor dash Registered Member

    Joined:
    Jun 5, 2005
    Posts:
    146
    @Kerodo I have used Kerio for many years. In principle, it is nice. But I am not so sure whether it supports raw sockets etc. I would prefer KAH over Kerio. It is less outdated, also has a good GUI and is stable. Only problem: how to obtain a new key for abandonware...
     
  14. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,637
    Hi ,.-

    Keeping the O.S. up to date is one of the basic rules of computer security.
    If you don't trust Microsoft why are you still using Windows ? :rolleyes:
     
  15. comma dor dash

    comma dor dash Registered Member

    Joined:
    Jun 5, 2005
    Posts:
    146
    I do update Windows. But manually. Did you know that recently a criminal complaint was filed against MS because it modified the updater WITHOUT notifying the user? Did you know that MS disabled thousands of Vista copies for no other reason than a buggy WGA routine? Genuine advantage, eh? Do you know that this company was recently fined EUR 500 million because it deliberately violated the law?

    One thing is for sure, I will NEVER EVER trust MS.
     
  16. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,784
    :rolleyes: What's not to trust with Micro$oft ? :rolleyes:
     
    Last edited: Sep 27, 2007
  17. Delgado

    Delgado Registered Member

    Joined:
    Apr 28, 2004
    Posts:
    131
    I'm sorry, but I have to say this: you seem such a know-all that I wonder why you are bothering to ask the questions in the first place!!

    o_O
     
  18. ccsito

    ccsito Registered Member

    Joined:
    Jul 27, 2006
    Posts:
    1,579
    Location:
    Nation's Capital
    There is a long standing issue about ZA "phoning home" because it seems to be set up to automatically attempt to look for program updates. Zone Alarm supposedly made an update regarding this issue, but apparently it may not be working?
     
  19. Coolio10

    Coolio10 Registered Member

    Joined:
    Sep 1, 2006
    Posts:
    1,124
    Have you got a pic for proof? Is it only v3?
     
  20. twl845

    twl845 Registered Member

    Joined:
    Apr 12, 2005
    Posts:
    4,186
    Location:
    USA
    You may want to send Escalader a private message to enquire about this. A while ago he had a quite lengthy thread on ZA phoning home. I would dump it if you can successfully do a clean uninstall. :blink:
     
  21. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Alert: very high.
    Then open the GUI and generalize where needed to silence pop-ups (e.g. edit the one rule created for the browser and generalize port 80 to any IP for each parent; all other port 80 rules will collapse under this rule).
     
  22. wat0114

    wat0114 Guest

    Here's one I don't like, and this attempt occurs even though I have Automatic Updates turned off! One of several good reasons for using an application-filtering FW :) I expect some detractors to chime in about how harmless this is and that I'm being paranoid, but I simply don't like this devious M$ crap occurring on my system.
     

    Attached Files:

  23. Hipgnosis

    Hipgnosis Registered Member

    Joined:
    Aug 26, 2003
    Posts:
    297
    Location:
    Witness Protection Program
    Ok, I've read over this thread and I'm curious. If, as you stated, you have so much experience with firewalls why are you asking for advice on which one to choose? Shouldn't you already know which firewalls are not crapwalls?

    Also, I'm having a hard time understanding how you can have so much experience with firewalls and yet you have just today tested Jetico and ZAP. These have been around for a while; and while Jetico is not a mainstream firewall, Zone Alarm is probably one of, if not the most, well known consumer firewalls around.
     
  24. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Well, for those who don't like MS or its practices, there IS always the Linux or BSD alternative. Many Linux distros are approaching the ease of use and functionality of Win. PCLinuxOS is a good example of a good out-of-the-box experience. Nice thing is, for those who finally get fed up with MS, there is an alternative.. I personally don't spend any time or energy worrying about any of that phoning home behavior, I just don't care, mostly because I do think it's all harmless, much like most of the inbound internet noise you see in your firewall logs.. It's there, but does it ever really hurt you in any way? IMO, the answer is no.. So I use XP and am happy, and never bother trying to block any phoning home...
     
  25. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,587
    Manually updating doesn't make you any safer, as Microsoft has apparently "patched" parts of its OS (XP and Vista at least) even when auto updates are off, so I fail to understand your paranoia here. As already stated, the only firewalls that will do what you want (make a rule on the fly) are Outpost, which you consider crap (of course many would agree and countless others would not), Kerio, which you consider too old and outdated (again many would not agree), and Jetico, which is obviously far too advanced for you even though you claim that you are fairly proficient in firewalls. Personally I'd give it up and concentrate on a layered approach to security, and forget trying to make the firewall the be-all and end-all of security. Of course you could persevere with Jetico, read the extensive help files and ask the experts here for help; however I suspect you'll end up spending more time achieving that than actually enjoying the Internet.
    ellison
     