TinyWall Firewall

Discussion in 'other firewalls' started by ultim, Oct 12, 2011.

  1. NonGeek

    NonGeek Registered Member

    Joined:
    Dec 28, 2015
    Posts:
    41
    I read the last few pages of this long thread with great interest, and I'd like to try out TinyWall.

    However, it is not clear to me how to deal with the 'no pop-up' issue for program updates for Java, Flash, etc. If they get silently blocked with no pop-ups to prompt me to whitelist things, then the unpatched programs become a security risk OUCH

    How do you all deal with the issue?
    What is your setup to still get a reliable update prompt of some sort?
     
  2. Boblvf

    Boblvf Registered Member

    Joined:
    Aug 10, 2014
    Posts:
    141



    « However, it is not clear to me how to deal with the 'no pop-up' issue for program updates for Java, Flash, etc. »


    Yes, it's dangerous, especially with Windows 10, which has many new processes. Use Windows Firewall or Windows 10 Firewall Control.

    http://sphinx-soft.com/Vista/order.html
     
  3. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    I am not the right person to give a proper answer to this, myself having become such a hacking target. In the end, if things go this bad, there is not much anyone can do about it. Really sad, this thing.

    But as general advice for normal, non-targeted users: some programs, if you trust them, can check when, say, browsers, Flash etc. need an update. Avast Software Updater is one. I see for instance now that Firefox needs again a new Flash version, sigh, updated for it to be "safe".
    I think you can also allow Adobe Flash, if you have set it so, to notify when it needs an update. I have not, not exactly trusting anything from Adobe to be safe.

    Best not to install Java to work in your browsers, IMO. If you are a Java programmer, it is not the same thing as the JRE, or whatever it is called these days.

    As to using some other firewall, what can you say about how much it allows for svchost.exe? TinyWall uses Windows Firewall, so that above comment is moot.
     
  4. NonGeek

    NonGeek Registered Member

    Joined:
    Dec 28, 2015
    Posts:
    41
    Can you please elaborate? That's disconcerting to hear for me, a NonGeek.

    That's exactly what is not clear to me. How do you 'see' any updating prompts if TinyWall silently blocks those prompts? Note, that the program itself still works. For example, the AV still scans but it would scan with outdated virus definitions OUCH

    Unfortunately, there are websites that I need for work, these websites do not work without Java :-( It is therefore very important for me that Java updating prompts do not get silently blocked.

    Yes, I consider only Windows Firewall or its enhancements like TinyWall or Windows Firewall Control or Windows 10 Firewall Control (thanks Boblvf!), I don't consider third party firewalls to replace Windows Firewall. I am sure that those enhancements improve Windows Firewall in some aspects (like outbound rules and exceptions) otherwise people would not consider using them at all.

    However, the issue with TinyWall is that I will still need reliable prompts for important program updates or else, I will eventually end up with unpatched programs OUCH

    The issue with the other enhancements of Windows Firewall (or third party firewalls) is that I am often not sure that my own self-made rules and exceptions will improve security or make it worse OUCH

    I am still researching firewall issues and appreciate any help I am getting.
     
  5. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    In my reply I never said that TinyWall should be left to "silently block" your program updates. You of course make your TW rules so that the AV updates. I mentioned that Adobe thing too. Any program you want; it is only that it might not always be within your knowledge how to make the updating automatic.

    Strange how posters in this thread lately are seemingly "newcomers" to wilderssecurity. Whether TinyWall is suitable for your purposes depends on your computing habits. It might be too tight and hard to control for you, and in that case some other less tight firewalls, some with snake oil too, might be better suited to you. Good luck.
     
  6. NonGeek

    NonGeek Registered Member

    Joined:
    Dec 28, 2015
    Posts:
    41
    Hey Jarmo, calm down, it was not my intention to upset you, and if I did, my apologies! I may not have explained the issue very well either, so I will give it another try, here goes.

    Say a browser has 2 executables, a browser.exe (the actual browser itself) and an updatebrowser.exe (to update the browser) which is set to automatic update as usual. After installing TinyWall, you notice that browser.exe is blocked and you whitelist it. But you don't notice that updatebrowser.exe is blocked (no pop up) and you don't whitelist it. Over time, you have an out of date (and possibly insecure) browser without you knowing it. This is the issue that I am trying to explain.

    TinyWall appears to do very well with blocking and whitelisting apps in the here and now, but TinyWall appears to lack a maintenance mechanism. The average user (like me) may know what executables to whitelist here and now, but they may not know what executables need to be whitelisted when those executables change over time. In the above example, the app developer may have added updatebrowser.exe after a year or two (perhaps to separate browser and browser update functionalities) and the poor TinyWall user would not notice that the browser does not get updated.

    I am just trying to do my homework before installing TinyWall, the above is thus an honest inquiry. I hope the ultim will show up.
     
  7. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    It all depends on your computing habits. TW is certainly the least-minded security program on my computer, except to answer in this thread.

    My AppGuard is in Locked Down mode. My approach to updating is an active one. I use that Avast software updater "module" to check what needs updating and then set AG to medium or even install mode if needed. Chrome and Firefox at least I update manually using the "information from the program" approach. I think Avast can do that too, or Flash.

    If you are a heavy installer of software, TW might cause you somewhat more work to make their internet connections run than the old fashioned popup approach. If your software installs are mostly done, that silent nature is a blessing and I think a safer one too.

    Try what works. Myself, I even complained about the TW approach years ago, having been used to the popup approach. I left TinyWall, but came back later and have been stuck with it for quite a long while.
     
  8. NonGeek

    NonGeek Registered Member

    Joined:
    Dec 28, 2015
    Posts:
    41
    Ah, I missed your point earlier about the tools for checking software updates http://www.digitalcitizen.life/best-tools-check-software-updates but now I get it.

    In the past, I always relied on automatic software updates with no outbound blocks from Windows Firewall, and I was therefore concerned that TinyWall's outbound blocks would interfere with the automatic software updates.

    But yes, with such a tool for checking software updates and making sure to whitelist the tool, I would certainly consider the combination of TinyWall & software update checking tool. There is some maintenance work to be done compared to zero in the automatic past, but my setup would also be a bit more secure.

    My software installs are mostly done, so that makes this approach look workable. Now what is the best software update checking tool for me, I may actually try things out :) Thanks!
     
  9. ultim

    ultim Developer

    Joined:
    Oct 12, 2011
    Posts:
    703
    Location:
    Hungary
    Hi again everybody! I'm very excited, but first let me just start by noting the release of 2.1.7. Nothing major this time so no need to rush, though depending on your monitor+resolution, the added HighDPI-support might come in handy. Of course you might also like the new localizations depending on where you're from. Oh, before I forget, the changelog:

    2.1.7 - Maintenance release (04.01.2016.)
    - Fix: GUI freezes if Application Finder is closed while scan is running
    - Added DPI-awareness (fixes blurry GUI with desktop scaling)
    - Add Polish and Turkish localizations
    - Updates to Spanish, French, and Brazilian Portuguese translations
    - Application database updates

    Boring? You decide. The small number of fixes (errm... 1?) is certainly an indication that I haven't received any valid/reproducible bug reports, which, I guess, is good. But 2.1.7 is not why I am excited.

    I've been quietly working on the next major version of TinyWall (and just tossed out 2.1.7 to make the wait more tolerable). I'm excited because 1) I've recently reached a major milestone where I can guarantee that the new technology will be able to provide at least feature-parity with the current version, and because 2) I've decided this is a good time to make it public at all that I am working on such a thing. And if you think "this is great, but the info's a bit vague", then yes, that's on purpose :p . Call it building a bit of hype, if you want. Anyway, this time it won't be just GUI fixes ;) . I'll resurface again when there's something to test. Until then, the takeaway of the story is that the lack of updates sometimes does mean something good.
     
    Last edited: Jan 5, 2016
  10. NonGeek

    NonGeek Registered Member

    Joined:
    Dec 28, 2015
    Posts:
    41
    Welcome back, ultim, and thanks for release 2.1.7 !
    ( BTW, the date of the release is 04.01.2016 )

    Looking ahead and speaking for myself, I would value ease of use of basic functionality much, much more than fancy new features.

    To build on the example that I gave in a previous post about programs with multiple executables: if you whitelist the main executable, then for some programs, TinyWall whitelists related executables as well. That's VERY good, but TinyWall does not always do that for many common programs :(

    That said, I realize that there are many thousands of common programs that a single individual cannot possibly test for himself within a reasonable timeframe. Moreover, most common programs are further developed, the groupings of executables that should be whitelisted together may change, thereby incurring maintenance work for the TinyWall developer.

    From a user perspective, a TinyWall update would automatically update those (changed) groupings of executables, which means even more work for you, the TinyWall developer.

    Did you consider open sourcing TinyWall?

    Or commercializing TinyWall? So you can hire help?

    If TinyWall had the above ease of use and automatic update mechanism, I would gladly pay a fair price for the software, even if it had only rock bottom basic features to help secure office productivity computers (which may well be TinyWall's main market segment)

    I am quite impressed with TinyWall :cool:
     
  11. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    Happy New Year Karoly!

    Some of the posters have missed you etc., making their conclusions, for whatever motivating reasons. The update is good because of that too, no "cry wolf, we are abandoned" syndrome hehe.
     
  12. ultim

    ultim Developer

    Joined:
    Oct 12, 2011
    Posts:
    703
    Location:
    Hungary
    Thx, corrected.

    I, too, want to keep the user interface simple. Balancing simplicity with power is not easy though, but I hope I am going in the right direction.

    You see it very correctly that keeping that database of known apps in TinyWall up to date is one of the hard points for me. I have plans to at least partially solve that problem, but even though I have given lots of thought to the design, I haven't started implementing that specific feature yet; it must wait until after my current progress.

    Yes, I have received many requests over the years to open-source TW. For now I'd like to keep it closed though, sorry, so that I keep the choice of what happens with the project in the future.

    While I am certainly not against commercializing TinyWall, I have always kept it free, ad-free and full-version, and intend to do so in the future for the same target-audience. This however does not leave me with a lot of options for commercialization. There might be some development on this front though, but it is way too early to say anything about it.
     
  13. ultim

    ultim Developer

    Joined:
    Oct 12, 2011
    Posts:
    703
    Location:
    Hungary
    Hi Jarmo!
    Happy new year to you guys too :)
     
  14. NonGeek

    NonGeek Registered Member

    Joined:
    Dec 28, 2015
    Posts:
    41
    I thought this was merely an issue of populating the database and keeping it up to date? Tedium rather than genius?
     
  15. ultim

    ultim Developer

    Joined:
    Oct 12, 2011
    Posts:
    703
    Location:
    Hungary
    Not technically hard, but very tedious and time-consuming, or else very limited. Right now it is a completely manual process, where I have to install each app to its newest version and let the descriptor data be regenerated. Add to that that some apps can have multiple versions in common circulation. With the given current amount of applications in the database this is still manageable, but as you mentioned, optimally TinyWall should know about a lot more. Hundreds or more. That is prohibitive and is not feasible by hand anymore. So I hope to transition from "tedium" to "genius" in the future.
     
  16. NonGeek

    NonGeek Registered Member

    Joined:
    Dec 28, 2015
    Posts:
    41
    This transition from 'tedium' to 'genius' on your part will translate into the biggest gain in usability value for the end user, IMHO.

    Thanks for responding!
     
  17. NonGeek

    NonGeek Registered Member

    Joined:
    Dec 28, 2015
    Posts:
    41
    So, I downloaded from the tinywall.pados.hu site and IE warned me "The signature of TinyWallinstaller.msi is corrupt or invalid". I did not get the warning with Firefox or Chrome. virustotal.com yielded 0/54, so I double-clicked, but: "Windows protected your PC. Windows SmartScreen prevented an unrecognized app from starting. Running this app might put your PC at risk".

    This is in all likelihood a false positive, but this paranoid person (me) eventually recoiled :(

    Just want to let ultim know and rectify the issue :)
     
  18. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    I am currently evaluating my firewall configuration to go forward with; on my Win7 machine I am currently trying out TinyWall.

    Initially the lack of prompts almost made me uninstall it, but then I found the feature where in the connections window you can display blocked applications; that's a really good way to see what might need whitelisting.

    However, disappointingly, if I whitelist applications using that interface, it is a full-on whitelist * for in and out. No intelligence is used (like Private Firewall) and no customisation is offered. So the way to add tighter rules is either to add them manually in the TinyWall app exception interface (after using the block log to see what needs whitelisting) or to edit the rules afterwards in the Windows Firewall applet (if you're doing this, though, the point of using TinyWall reduces somewhat). The rule names it adds use some kind of random hash for names as well.

    I was previously testing windows firewall notifier, that has a really good UI, but sadly is buggy as hell, buggy enough to the point it can crash the OS.

    Other options (that use the Windows firewall) are that Sphinx firewall app; I remember trying that in the past and found it overly complicated as well as a bit buggy, but that was well over a year ago. However, the basic version which has the services lockdown is a bit pricey, £11 GBP per PC.

    Java and Adobe seem to check for updates on boot, so for those updater apps it's best to check what's blocked after boot.

    The issue I have with using the Windows firewall is that on Win 8.1 its hidden hardened rules block Metro apps if the DNS Client service is disabled.
     
  19. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    You can surely customize your allowed application rules, and ONLY via the TinyWall interface. It would indeed be inconvenient if you had to go to the Windows Firewall advanced settings interface and try to find the rules that the whitelisting from TW makes. Also, any changes you might make with that interface won't even stick. Windows Firewall rules can only be controlled by TW, and no other app can make changes to them, a good security point.

    While TW whitelists an application initially as 'Unrestricted UDP and TCP traffic' to be sure the whitelisting really works in all cases, you can and should afterwards go to that rule (in TW interface) and mostly modify it to 'Allow outgoing UDP and TCP traffic'. Remember to click the Apply button after rule editing.

    The most important job of a firewall is to block everything unknown, but I agree with probably most users that I'd prefer not to whitelist incoming connections for known apps by default. Modifying rules is a bother to do, although in most cases it would not hurt to leave the incoming attempts allowed, and instead later modify the rule for those rare apps to allow incoming connections when they need it.

    Other options are to make strict port-based rules, like for a paranoid browser setting choose 'Allow only specified ports' and then only out TCP 80,443. Or make the rule restricted to the local network. Or give an exception a temporary lifetime (never used that one myself).
     
    Last edited: Jan 23, 2016
  20. ultim

    ultim Developer

    Joined:
    Oct 12, 2011
    Posts:
    703
    Location:
    Hungary
    Pro tip: There is a very simple way to customize/strengthen generic rules after they have been added, without having to open up the tray, going to manage, select tab etc-blablabla. When TinyWall gives you the popup that confirms the new rule has been added, you can just click on that popup to open up the settings for that rule ;) This works for the balloon popups, sadly not with Toast notifications, as they cannot be clicked, but those only happen with Metro-style apps.

    Pro tip 2: Alternatively, you can once select the "Prompt for exception details" in the settings, and after that you will automatically be prompted for detailed settings every time you add a new rule, without having to click on anything.


    Also, there is a rationale why unknown apps are added with inbound connections allowed: When a user selects to whitelist an app, they expect it not to be blocked by the firewall. In case the application is not known by TinyWall, TinyWall cannot know if it will receive incoming connections or not, so to make sure it can work after being whitelisted, the app gets outbound allowed too. Otherwise users could (IMHO justifiably) complain that an executable is still blocked even after they have whitelisted it.
     
  21. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    I learned a new thing, thank you!
    I removed my browser from the app rules as a test and yes! With 'Prompt for exception details' ticked, as it had never been before by me, and the 'whitelisting by a window' option, I surely got an option to select what I wanted. The second of your pro tips worked for me.

    I've never much understood the balloon popups or if they work in Windows 7. Anyways the second tip worked :)
     
    Last edited: Jan 24, 2016
  22. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    I still like TinyWall, but sadly it seems the Windows firewall is buggy on Windows 7 for outbound filtering (which makes me wonder if it's the reason outbound filtering is off by default).

    I can give 2 clear examples.

    I allowed steam.exe to have full inbound and outbound UDP and TCP access. If I checked the rule created manually, TinyWall did its job correctly.
    When I load Steam, about 80% of the time I cannot login/connect and either have to run it in offline mode or shut it down.
    When this happens TinyWall reports lots of blocked outbound UDP connections to 270xx ports. I also get a bar at the top of the window saying Steam is possibly compromised (it isn't, this is normal Steam behaviour).
    I then manually check the firewall logs, which show TinyWall is reporting correctly.

    So basically the first problem is Windows firewall blocks traffic when there is an allow rule matching that traffic. This mainly seems to affect UDP traffic.
    I also see random failures of Chrome being able to access TCP port 443. It seems random, as I know it's not blocking all the time, else I wouldn't be able to browse https sites, but it seems occasionally some requests get blocked.

    So I uninstalled TinyWall temporarily, but am about to reinstall it again.

    Also, on the allow rule issue: basically, what I will do if I allow an app by right-clicking on the blocked connections is immediately afterwards go to the manage page and edit it to tighter rules if needed, e.g. outbound only.

    Since I have Steam also on my Windows 10 test machine, I am going to install TinyWall on that also and see, when outbound starts being filtered, if Steam gets the same connectivity issues.
    I do know on Windows 10, when filtering outbound traffic and if DNS Client is disabled, Windows Store apps cannot do DNS lookups even if you allow UDP port 53 outbound. They get blocked, I think, by a hidden WSH rule. I wonder if it's a hidden WSH rule causing the Steam issues as well.
     
  23. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    Aaah, that Steam again. It has been asked a few times in this thread and I think never a satisfactory solution found. Or if someone has found one, he/she has not come back and helped others here. Myself, I am too old for games and also am not using my computer to install and test any software I don't need. Karoly (ultim) is young and was here today, so I hope he can shed some light on the situation. https://en.wikipedia.org/wiki/Steam_(software)
    Reading from the link, I sort of think my AppGuard in locked down mode would also cause troubles. Automatic updates, huh.

    Don't tick, on Manage/General, the option 'Enable blocklists/port-based malware blocklists', but I do doubt it is that; just a reply because of your blocked connection line. Anyways, those might be just noise.

    From that same page, do tick 'Prompt for exception details'. It will give a popup window when 'Whitelisting by window' is used. Unfortunately, on my Win7, ultim's first tip does not work. Perhaps AppGuard has something to do with it. Also, regarding your unblocking from the Connections window: it just whitelists inbound connections as well to the app unblocked. No popup window arises on my computer, even if I click that balloon. Might be Win7, or an AG thing, etc. Nothing else to do than modify later.

    Regarding dnscache being disabled: it might cause some issues, and I don't know anything about Win10. For Windows Update I made this rule for svchost.exe/wuauserv because I unticked that special exception from TinyWall, the reason being it allowed too much for my liking. Notice, readers, this is only for Win7: Out TCP *, Out UDP 53. That UDP 53 is because of disabling the DNS Client service.

    Now to think, perhaps Steam installs a service that wants to use svchost.exe and TW blocks it when blocking unknowns? Just an idea that comes to mind.
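    The rule shapes Jarmo P describes in post 19 ('Unrestricted UDP and TCP traffic', 'Allow outgoing UDP and TCP', 'Allow only specified ports' with out TCP 80,443) and in post 23 (Out TCP *, Out UDP 53 for svchost.exe/wuauserv), together with chrcol's diagnostic step in post 22 of reading the Windows Firewall log to see what actually got dropped, can be put into one small script. The example below is added here and is not TinyWall's code or anything posted in the thread: it parses log lines in the layout Windows Firewall writes to pfirewall.log (a #Fields header followed by space-separated records with action DROP/ALLOW and path SEND/RECEIVE), summarises dropped connections per destination port, and lists drops that a given per-app rule should have let through. The log lines, IP addresses and the rule assignments (`BROWSER_STRICT`, `WUAUSERV_WIN7` and so on) are constructed for the example. One caveat a reader should keep in mind: the Windows Firewall log does not record which executable sent a packet, so a "drop on an allowed port" is a lead to investigate, not proof that one app's allow rule failed.

```python
"""Summarise dropped connections from Windows Firewall log lines and compare
them against a simple model of the per-app rule shapes discussed in the thread.

Sample log, addresses and rules below are constructed for this example.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY = None  # marker for "any destination port" on a protocol

# Constructed sample in the layout Windows Firewall writes to pfirewall.log:
# header lines start with '#', '#Fields:' names the columns, data lines follow.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2016-01-23 10:15:01 DROP UDP 192.168.1.10 203.0.113.40 52341 27017 61 - - - - - - - SEND
2016-01-23 10:15:01 DROP UDP 192.168.1.10 203.0.113.41 52341 27018 61 - - - - - - - SEND
2016-01-23 10:15:02 ALLOW TCP 192.168.1.10 198.51.100.34 52342 443 0 - 0 0 0 - - - SEND
2016-01-23 10:15:03 DROP TCP 192.168.1.10 198.51.100.34 52343 443 52 S 1234567 0 8192 - - - SEND
2016-01-23 10:15:04 DROP TCP 192.0.2.5 192.168.1.10 4444 445 52 S 99 0 8192 - - - RECEIVE
"""

Record = Dict[str, str]


def parse_firewall_log(text: str) -> List[Record]:
    """Return one dict per data line, keyed by the names from the #Fields header."""
    fields: Optional[List[str]] = None
    records: List[Record] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):            # other header lines (#Version, ...)
            continue
        if fields is None:
            raise ValueError("data line before #Fields header")
        values = line.split()
        if len(values) != len(fields):      # truncated or malformed line: skip it
            continue
        records.append(dict(zip(fields, values)))
    return records


def dropped_by_port(records: List[Record], path: str = "SEND") -> Counter:
    """Count DROP entries per (protocol, dst-port); path SEND = outbound, RECEIVE = inbound."""
    counts: Counter = Counter()
    for r in records:
        if r["action"] == "DROP" and r["path"] == path:
            counts[(r["protocol"], int(r["dst-port"]))] += 1
    return counts


@dataclass(frozen=True)
class AppRule:
    """Model of a per-app rule: allowed outbound ports per protocol (ANY = all,
    empty frozenset = protocol not allowed) and whether inbound is allowed."""
    tcp: Optional[frozenset] = ANY
    udp: Optional[frozenset] = ANY
    inbound: bool = False

    def allows(self, protocol: str, dst_port: int, path: str) -> bool:
        if path == "RECEIVE" and not self.inbound:
            return False
        ports = {"TCP": self.tcp, "UDP": self.udp}.get(protocol, frozenset())
        return ports is ANY or dst_port in ports


# Hypothetical rule assignments mirroring the shapes named in the thread
# (not TinyWall's own database entries):
UNRESTRICTED = AppRule(inbound=True)                                  # 'Unrestricted UDP and TCP traffic'
OUTGOING_ONLY = AppRule()                                             # 'Allow outgoing UDP and TCP traffic'
BROWSER_STRICT = AppRule(tcp=frozenset({80, 443}), udp=frozenset())   # 'Allow only specified ports': out TCP 80,443
WUAUSERV_WIN7 = AppRule(tcp=ANY, udp=frozenset({53}))                 # Out TCP *, Out UDP 53


def unexpected_drops(records: List[Record], rule: AppRule) -> List[Tuple[str, int, str]]:
    """(protocol, dst-port, path) of DROPs the rule should have allowed.

    The log has no executable column, so a hit means 'some process was dropped
    on a port this app may use': a lead to check, not a confirmed rule failure.
    """
    hits = []
    for r in records:
        if r["action"] != "DROP":
            continue
        key = (r["protocol"], int(r["dst-port"]), r["path"])
        if rule.allows(*key):
            hits.append(key)
    return hits


if __name__ == "__main__":
    recs = parse_firewall_log(SAMPLE_LOG)
    for (proto, port), n in sorted(dropped_by_port(recs).items()):
        print(f"outbound DROP {proto} dst-port {port}: {n}")
    print("drops a strict browser rule should have allowed:", unexpected_drops(recs, BROWSER_STRICT))
    print("drops an unrestricted rule should have allowed:", unexpected_drops(recs, UNRESTRICTED))
```

    On a real machine the log is written only if logging of dropped packets is turned on in the Windows Firewall profile settings, and the path of pfirewall.log is shown in the same dialog; point `parse_firewall_log` at that file's contents instead of the constructed sample. The two UDP drops to 270xx ports in the sample are the kind of entries chrcol saw for Steam: with an unrestricted rule they show up as unexpected, while a strict browser rule only flags the dropped TCP 443 attempt.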
     
  24. JohnMult

    JohnMult Registered Member

    Joined:
    Mar 26, 2012
    Posts:
    133
    Location:
    Greece
    I recently installed TW and I must say it is the concept I was looking for in a firewall. Just a silly question: what are the best settings for the Google Chrome browser in order to work flawlessly?
     
  25. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    'Allow outgoing UDP and TCP' for chrome.exe. Best to 'whitelist by window' so that it might whitelist related executables too, if any. Usually give that same out TCP *, out UDP * treatment to any whitelisted executables so as not to have necessary ports blocked, to enable that "flawless working".
     