TinyWall Firewall

Discussion in 'other firewalls' started by ultim, Oct 12, 2011.

  1. nadim

    nadim Registered Member

    Joined:
    Apr 17, 2020
    Posts:
    8
    Location:
    ufo
    Thanks for this great app.
    1- What's the TinyWall Compat[xXxXx] rule in Windows Firewall? Despite my Windows Firewall being disabled, I cannot delete that rule.
    2- In the past I didn't use TinyWall, so when I install any app, the app will add firewall rules to Windows Firewall automatically. How do I prevent it?
    Thanks again!
     
  2. ultim

    ultim Developer

    Joined:
    Oct 12, 2011
    Posts:
    703
    Location:
    Hungary
    It is created by TinyWall, and you cannot delete it because TinyWall is protecting it. This rule's job is to make sure you can unblock applications in TinyWall in case Windows Firewall (WF) is enabled. If WF is disabled, it has no effect. If WF is enabled, it lets TinyWall work as intended.

    You cannot, but there is no need to prevent it. With TinyWall installed, any rules created by apps in WF will be "ignored", because TinyWall has its separate rules, which will block the apps even if they are unblocked in WF. In other words, when TinyWall is installed, you can ignore WF and think about your computer as if TinyWall was your only firewall.
     
  3. Sm3K3R

    Sm3K3R Registered Member

    Joined:
    Feb 29, 2008
    Posts:
    611
    Location:
    Wallachia
    Congrats for the work. The suppression of Windows start-up network activity seems to be working at first look.

    My suggestions, as I've installed Tiny 3.0.3 on Win 10 latest build, along with the Malwarebytes WFC interface tool:

    -when in the Connections window a blocked application is selected - to Unblock it - via contextual right click menu, a create full custom rule option should be given and not only a generic "unblock" option, because choosing this makes a full blown unrestricted traffic rule. As such, when unblock is selected the unrestricted traffic option is automatically selected and additional clicks are required to make a proper restrictive firewall rule. A choice could be given here in my opinion.
    -I would also like additional ICMP settings to be given and not only the 2 generic ones.


    There are some bugs regarding windows and rules creation, discovered them playing around with App Exceptions and Connection window - they've played some tricks on me. I've saved the rules clicking OK and Apply, for checking afterwards to see that no change has been done and settings were as before editing them :). Unable to see a pattern though. Depending on the order you open the program windows sometimes some Apps Exception rules do not get saved, even if you hit Apply or OK. Also if the App Exception rules window is opened first and in the Connections window - opened afterwards, you unblock something, then in the App Exceptions page the items are not refreshed.
    Maybe TinyWall Firewall Settings and Connections page should be independent of each other, and a change should be reflected as made, in the App Exceptions window I should see the change I think. Also the Connections page should have some silent list items autorefresh option, to see apps as they show up in real time.
    Exactly when writing this it happened to see a Firefox rule not being saved, after clicking OK and Apply. It was still in the App Exceptions, but the custom rule options (where I've selected custom ports) reverted to unrestricted :) Reopening the windows and doing the settings again got it fixed. :)
    It's related to the Connections window, if previously opened, in some way.

    At start up a time will pass until some dynamic WFC rules are created for connectivity to work. I like the delay though.

    Good work! If I see no crash I will remove WFC for more testing.
     
    Last edited: Apr 18, 2020
  4. ultim

    ultim Developer

    Joined:
    Oct 12, 2011
    Posts:
    703
    Location:
    Hungary
    Hi @Sm3K3R,
    You are completely right and you pointed out two UI issues that I know can be confusing. Here is what I think is happening in your case and how to avoid the problem in the current version. It is one or both of the following (and I intend to fix them now):

    The first issue has to do with having both the Manage and Connection windows open. This was never really intended. If you open the Manage window, then add a rule using the Connections window, then "Apply" the settings in the Manage window, the latter overwrites whatever changes you made in Connections. Short-term workaround: Don't add or edit rules while the Manage window is open, unless ofc you are doing it inside/from the Manage window. I intend to fix this in 3.0.4, probably by disabling all other UI while Manage is opened.

    The second possible reason you might be seeing rules "lost" is actually an intended feature, though I admit it might have been a bad idea to implement it. Basically, whenever you add a new exception for an application, but that application already has a rule in TinyWall, TinyWall will merge the new rule with the old one so that you get a single new rule that encompasses the union of both. An example will clear this up: If you have a pre-existent rule for "application A" which whitelists TCP port 80, and you then add a new rule for the same "application A" and specify TCP port 443, instead of two separate rules, you will get a single rule that whitelists both TCP ports 80 and 443. This is intuitive up until now. But where it gets confusing is when the earlier rule is, for example, all TCP ports (or unrestricted as another example), and then you add a new rule for TCP port 443. "All ports" already encompasses port 443, so the resulting merged rule is still "all ports", which gives the impression the new rule didn't get saved.

    So, here is a question to all readers: What is the most natural way to handle this?
    Option A: Leave it as is, merge old rule with new one.
    Option B: Let the new rule completely replace the old one.
    (Option C: Save both rules separately.)
    I have to mention though I don't like Option C, at least not with the current UI. The Application Exceptions list in the Manage window is not suited to presenting multiple rules referring to the same application. This is not a technical limitation, I can do it if necessary, but I find it a bad idea because the present information in that list does not currently allow one to visually differentiate between such rules, if they existed. You would have to guess which one is which if you had multiple separate rules for the same app, not to mention completely unnecessarily, since most meaningful combinations should be able to be represented by a single rule - this is why TinyWall does its merging in the current version.

    Short-term workaround: When editing a rule for an application and you already have a rule for it, don't just add a new rule to avoid confusion. Go into Manage and edit it.
    Long-term fix: Depends on "voting results" to the above question.
     
    Last edited: Apr 18, 2020
  5. Sm3K3R

    Sm3K3R Registered Member

    Joined:
    Feb 29, 2008
    Posts:
    611
    Location:
    Wallachia
    So, practically, I was having, with the program windows opened, around 2 rules competing at the same time and the program was choosing to save the most generic of them, silently, ignoring the one with the specific ports?

    Maybe the software should save the last change, or it should ask for what change to save, like when you want to do another rule or customize the generic "unblock" one (the main reason windows are kept both open) a pop-up message should say: "Overwrite the previous rule setting?"

    This issue could also be minimized by implementing the optional choice I've talked about.
    When you select and right click on the "X.exe" in the Connection window, under the option "Unblock", another field should/could point the user to create a new customized network rule for the X.exe file in question.
    Most of the users would use the "unblock" and move on.
    Another suggestion in context.
    Maybe the default action for "unblock" should be to Allow only Outbound for TCP and UDP and not bidirectional. Or for the "Unblock" selection a program menu should allow a predetermined action, like a preset. Predetermined action for "unblock" to have in the menu more choices (all, out, custom), like in Outpost Pro on some decisions. Newbies would keep the default action for "unblock" (the actual default one is bad for security in my view), while the others would take another choice, like Outbound or Custom.

    I would personally see the "Connection" window independent of the others. It happens that some X.exe to be somewhere in a place you don't have the time to search for, as such having the Connection windows around makes the troubleshooting of finding the path of some exe easier. This makes the rule creation easier.

    You are the one making the design choices though, so I will be waiting for the new version.
    No crash yet, like I've seen with version 2 in the past.
    You are almost there :)
     
  6. gmw

    gmw Registered Member

    Joined:
    Aug 24, 2019
    Posts:
    21
    Location:
    Australia
    The most natural (to me) way would be: when I go to add a new exception for an application that already has a rule - that TinyWall would load that rule so it's visible and I can see what I'm changing.

    Otherwise ... probably Option A.

    (With Option B you risk having set up something convoluted in the past, forgotten about it, and then with the new rule accidentally losing all that work. With Option C you get lots of clutter and I'm against clutter - except on my desk ;) )
     
  7. ultim

    ultim Developer

    Joined:
    Oct 12, 2011
    Posts:
    703
    Location:
    Hungary
    Well, TinyWall said: "You already have a rule that unblocks all ports, so adding an additional new rule that explicitly whitelists a specific port doesn't make a difference, so I'm gonna simplify your rule set." And I kind of have to note it isn't wrong about this. Had it not merged the two rules and kept them separate, the effect on the system would still have been the same (still allowing all ports in the end). In other words, it didn't introduce any unwanted behavior. The merging merely makes it look as if a rule was lost, but it was never lost, in reality the user is at fault, because he added two rules where one of them was effectively redundant.

    Yes, loading the previous settings for a new rule when an earlier one for the same app already exists is better for clearing up this confusion, but it is not a full solution. Because it doesn't help when no dialog is shown at all (when "Prompt for exception details" is disabled).

    By the way, @Sm3K3R, since you were missing additional customization options when adding rules over the Connections window: Just turn on "Prompt for exception details" on the first tab in Manage, and you'll get all the options when whitelisting something.
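
The rule handling discussed in the posts above (merging 80 with 443, an all-ports rule absorbing 443, and the remark that merged and separate rules have the same effect), modelled as an added example that is not part of the thread and is not TinyWall's code. `AppRule`, the `ALL` sentinel and every function name are assumptions made for illustration, and Option C is assumed to use allow-list semantics (traffic passes if any rule allows it).

```python
from dataclasses import dataclass

ALL = "ALL"  # hypothetical sentinel: every port of that protocol is allowed


@dataclass(frozen=True)
class AppRule:
    """Hypothetical per-application exception (not TinyWall's data model)."""
    app: str
    tcp: object = frozenset()  # frozenset of port numbers, or ALL
    udp: object = frozenset()

    def allows(self, proto, port):
        ports = self.tcp if proto == "tcp" else self.udp
        return ports == ALL or port in ports


def _union(a, b):
    # "All ports" absorbs any explicit port list.
    return ALL if ALL in (a, b) else frozenset(a) | frozenset(b)


def merge(old, new):
    """Option A: one rule covering the union of old and new."""
    if old.app != new.app:
        raise ValueError("rules belong to different applications")
    return AppRule(old.app, _union(old.tcp, new.tcp), _union(old.udp, new.udp))


def replace(old, new):
    """Option B: the new rule discards the old one."""
    return new


def allowed(rules, proto, port):
    """Assumed allow-list semantics: any matching rule lets the traffic pass."""
    return any(r.allows(proto, port) for r in rules)


def same_effect_as_separate(old, new, probes):
    """True if Option A and Option C (both rules kept) allow the same traffic."""
    merged = [merge(old, new)]
    return all(allowed(merged, proto, p) == allowed([old, new], proto, p)
               for proto in ("tcp", "udp") for p in probes)


def still_open_after_merge(old, new, probes):
    """TCP ports the new rule alone would block but the merged rule allows."""
    merged = merge(old, new)
    return sorted(p for p in probes
                  if merged.allows("tcp", p) and not new.allows("tcp", p))


if __name__ == "__main__":
    probes = [22, 80, 443, 8080]  # constructed sample ports
    web80 = AppRule("A", tcp=frozenset({80}))
    web443 = AppRule("A", tcp=frozenset({443}))
    all_tcp = AppRule("A", tcp=ALL)

    print("80 + 443 merged  :", sorted(merge(web80, web443).tcp))
    print("ALL + 443 merged :", merge(all_tcp, web443).tcp)
    print("A == C in effect :", same_effect_as_separate(all_tcp, web443, probes))
    print("still open (A)   :", still_open_after_merge(all_tcp, web443, probes))
    print("still open (B)   :",
          [p for p in probes if replace(all_tcp, web443).allows("tcp", p)])
```

In this model a merge can only widen or keep what is allowed, so a user who adds a narrower rule expecting to tighten an existing one should open the saved rule and confirm its ports.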
     
  8. gmw

    gmw Registered Member

    Joined:
    Aug 24, 2019
    Posts:
    21
    Location:
    Australia
    In the case of no dialog I think Option A is a clear winner.
     
  9. Sm3K3R

    Sm3K3R Registered Member

    Joined:
    Feb 29, 2008
    Posts:
    611
    Location:
    Wallachia
    Other observations - last ones for the moment. I'll be waiting for next releases now, still using 3.0.3 - it's ok, no serious drawbacks and no crashing.

    When using TinyWall 3.0.3 and WFC 6.0.2 together (I am using them on a W 10 Pro 1909 up to date machine), I've observed the following (maybe some users may find this useful):
    -Usage of High Filtering preset WFC (related to Secure Boot option as well) will lead to no connectivity no matter the TinyWall settings, it works like a network lock practically;
    -Usage of "Secure Rules" option for WFC will lead to a high CPU load. On my AMD FX 6300 six core, the CPU usage translated into a 20-25% CPU time at any moment. TinyWall is able to create passthrough rules in WFC in spite of the Secure Rules purpose, but with this CPU usage issue. This is not a real issue though security wise as TinyWall seems to be blocking anyway apps without rules.
    As such, I consider that, when using both firewalls, one should disable Secure Rules (which solves the CPU usage) in WFC to minimize CPU impact and Event Viewer logging flood. Users that tend to play 3D games will have an impact in this case, depending on the total CPU power, Battlefield series for example or COH.
    Disabling "Secure Rules" option in WFC will allow usage of both interfaces with no further problems.

    I will also add another non-issue practically, on a list of optional design enhancements, enhancements in my view of course. For example would be much more logical that the Apply button to be in the customizing rule window and the OK in the main one. It would be also nice that, when clicking the Apply (as it is now), the window would not get automatically closed as well. Maybe the user intends to create rules for more apps and clicking Apply, which closes the window, leads to another click on the taskbar icon for Manage, to reopen.

    My usage scenario: I start a new App, go to Connections to discover it, check Unblock, open management window for the custom app port settings, add the customized rule, click OK and then Apply and that's it.
     
  10. ultim

    ultim Developer

    Joined:
    Oct 12, 2011
    Posts:
    703
    Location:
    Hungary
    WFC+TinyWall together is not supported in general. If it works for you, good, but count this as luck. For a start, it is clear that securing rules needs to be disabled in WFC. As far as I understand it prevents external modifications to WF but TinyWall needs to add its own "Compat" rules to WF, so they will clash. This clash is probably also the reason for the high CPU usage in this case. And I don't know what else might cause other compatibility problems, so this is unsupported.

    What's the use of closing and reopening the Manage window after each new rule if you know you are creating multiple ones? As for your usage scenario, see next paragraph...

    Oh, you can customize new rules much-much simpler in TinyWall :) You even have two options, both avoid having to go to the Manage window.
    1) When you add a new rule, TinyWall will show you a popup in the system tray confirming a new rule has been added. You can click on this popup to open the customization dialog for the new rule directly.
    2) You can enable the "Prompt for exception details" option in the Manage window. Then every time you add a new rule the customization dialog will appear automatically.
     
  11. ultim

    ultim Developer

    Joined:
    Oct 12, 2011
    Posts:
    703
    Location:
    Hungary
    Then I'd leave it as it is because if this behavior depends on other options it will become more confusing.
     
  12. Sm3K3R

    Sm3K3R Registered Member

    Joined:
    Feb 29, 2008
    Posts:
    611
    Location:
    Wallachia
    A little clarification for the readers of my previous post, regarding the CPU usage. I was a little unclear referring to the CPU usage in the scenario of using both interfaces, whatever the reason of the scenario.
    In the Task Manager, Processes window, the user would see this service taking more CPU time

    LocalServiceNoNetworkFirewall
    --Base Filtering Engine
    --Windows Defender Firewall

    @ultim
    Thank you for your prompt feedback and clarifications. Looking forward to new versions.
     
  13. ultim

    ultim Developer

    Joined:
    Oct 12, 2011
    Posts:
    703
    Location:
    Hungary
    Soon ;) The only thing left for 3.0.4 is implementing what we discussed in #1754 about the Manage window.
     
  14. ultim

    ultim Developer

    Joined:
    Oct 12, 2011
    Posts:
    703
    Location:
    Hungary
    Does anybody here speak Russian? How do you translate "Enable global hotkeys" in TinyWall's settings? Thx.
     
  15. tnodir

    tnodir Registered Member

    Joined:
    Oct 21, 2017
    Posts:
    229
    Location:
    etc
    "Включить глобальные горячие клавиши"
     
  16. ultim

    ultim Developer

    Joined:
    Oct 12, 2011
    Posts:
    703
    Location:
    Hungary
    Thx!
     
  17. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    OK, I now understand, so it's related to packet sniffing. I've used such a tool in the past, can't remember its name, but I was checking it out to see if SpyShelter could stop it from sniffing SSL traffic.
     
  18. Orlok

    Orlok Registered Member

    Joined:
    May 4, 2017
    Posts:
    12
    Location:
    Nigeria
    Assuming I enable port based blocking and have an app that is blocked, how do I now unblock it? I tried allowing traffic for the ports it uses via the UI, but it still remains blocked.
     
  19. guest

    guest Guest

    TinyWall v3.0.4 (April 26, 2020)
    Website
    What's New (detailed changelog)
    Download
    3.0.4 - Maintenance release (26.04.2020.)
    - Make language changes take effect without a GUI restart
    - Handle WMI errors gracefully in service
    - Wait longer for service availability after loading desktop
    - Avoid harmless exception being logged during system shutdown
    - Prevent opening the Manage window when other windows are active
    - Fix wrongly positioned GUI elements in Dutch and Russian localizations
    - Fix potential race condition of UI timer during exit
    - Fix traffic rate text ignores selected GUI language
    - Updated Russian and Spanish localizations
     
  20. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,712
    Location:
    USA
    Not clear on - Wait longer for service availability after loading desktop. I presume this means the service is not available for me to tinker with as soon as it once was, but the firewall is loading as soon as always and working. Is this correct?
    TIA
     
  21. FredB

    FredB Registered Member

    Joined:
    Apr 27, 2020
    Posts:
    11
    Location:
    Australia
    Hey just installed latest version.
    Can anyone tell me how to get wireshark to work. It doesn't appear to detect any adapters.
     
  22. TerryWood

    TerryWood Registered Member

    Joined:
    Jan 14, 2006
    Posts:
    1,037
    Hi @ Wilders

    I am trying TinyWall but I am having problems getting it set up.

    The scan mode produces a few Internet facing applications such as Chrome and Firefox but nothing else. But I have quite a number of other applications such as BitDefender Disk imaging software, Driver Update software etc. and any other apps that need an update connection.

    Identifying the appropriate processes and adding them as exceptions is taking an inordinate amount of time. Surely setting up for the first time must be simpler than this.

    Can some kind person help me?

    Thanks

    Terry
     
  23. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,712
    Location:
    USA
    @TerryWood....Aside from the three whitelist options you could go into Autolearn Mode, open internet facing apps, then switch back to Normal Protection and then into Manage to see if things are as you would like them. Yes, depending on your OS setup there might be some risk.
     
  24. ultim

    ultim Developer

    Joined:
    Oct 12, 2011
    Posts:
    703
    Location:
    Hungary
    Yes, the firewall is active from the moment Windows begins to boot, not only when the service is loaded. And no, the service startup time is the same as before and has not changed. Usually the TinyWall service starts way before the desktop is loaded. But I've got 2 reports by e-mail where it loads very late for some reason on the user's computer, and the GUI thinks there is no service even though it only needs to wait a bit longer. These are the cases this change tries to address. It doesn't affect you at all if you never had the problem in the first place.

    If Wireshark cannot even detect your network adapters, I highly doubt the problem is TinyWall, as it only filters network packets. Nevertheless, an unrelated suggestion, for Wireshark be sure to edit the default rule created by TinyWall and set it to "Unrestricted", so that it is not constrained to UDP and TCP only.

    The Autodetect function that you can start from inside the Manage window is not magic. It is based on a small-ish database of apps that TinyWall knows from the start, and this database is not very comprehensive, it is only meant to give you basic net access so that you don't get stuck without internet and to give a little bit of comfort by whitelisting extremely widely used (and known-to-be-safe) apps.
    As @Rainwalker said correctly, if you don't want to set up everything by hand, your main go-to option is the Autolearn mode, which can learn even apps not in TinyWall's database as long as you use them a little while the mode is active. Note though not even this is almighty, in the end you may still be left with some software on your computer that you need to unblock by hand, but most should be taken care of.
     
  25. ultim

    ultim Developer

    Joined:
    Oct 12, 2011
    Posts:
    703
    Location:
    Hungary
    Uhhm... that's a TinyWall limitation currently. Blocklists have priority basically over everything, so if something gets blocked by them unwantedly, you'll probably need to disable the blocklist. Some software can be reconfigured to use other ports, if you can do that (thereby avoiding collision with the blocklist), that is an alternative option.
     