TinyWall Firewall

Discussion in 'other firewalls' started by ultim, Oct 12, 2011.

  1. fblais

    fblais Registered Member

    Joined:
    Jul 31, 2008
    Posts:
    1,340
    Location:
    Québec, Canada
    FWIW, I feel exactly the same as @TerryWood about your comments here.
    Season’s Greetings nevertheless.
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Well it's not worth anything to me, that's what I was trying to explain to TerryWood. So you guys don't care about column size, good for you, but others do care. But yeah, Season’s Greetings nevertheless.

    I have upgraded to the newest version and it does indeed remember column size and screen position, awesome stuff. :thumb:
     
  3. ultim

    ultim Developer

    Joined:
    Oct 12, 2011
    Posts:
    703
    Location:
    Hungary
    Changing the exe properties to always run as admin (like you do) will still cause the UAC-prompt to kick in. I admit I haven't researched this yet, but my guess is, this might make Windows treat it differently when run as part of the autostart apps. At least, when you close the TW menu and start the TinyWall Controller from the Start Menu with right-click -> "Run as Admin", it works as expected, so it must have something to do with running as such at startup. AFAIK this is not due to TinyWall's behavior.

    You can set up a scheduled task in Windows to start TinyWall as admin at login, and this will work (tried and tested). The only problem with this is that you'll get two instances of TinyWall's GUI running, and if you remove the native autostart entry from the registry so you only get one, TinyWall will eventually add it back as part of its self-repair procedures. In the end, for a fully working and frustration-free solution (to run the GUI as admin at boot) you'll need a bit of support from TinyWall, which is not currently there. Good news is it soon will be, and will be the default behavior.
     
  4. TerryWood

    TerryWood Registered Member

    Joined:
    Jan 14, 2006
    Posts:
    1,037
    Hi Rasheed187

    No you did NOT report a possible bug. You didn't listen. You are a prolific proponent of your views on many sites, BUT you do not accept constructive criticism. Moreover, you do not listen/read what is presented to you by more informed individuals, such as developers.

    Less verbosity, more listening = greater comprehension. You are simply tying up a developer's time. Why is this so difficult for you to understand?

    Terry
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    TerryWood, don't you worry about the developers, they can speak up for themselves. And you are probably talking about the WFC vs TW discussion, and now I finally understand what Ultim means, why it might be a bad idea to combine them, so yes I DO listen. About the column size, of course it wasn't a true bug, it was more of an annoyance. Also, I'm not active on that many sites, so what are you talking about? If you got something to say to me, PM me and let's stop cluttering this topic. :)
     
  6. g17

    g17 Registered Member

    Joined:
    Sep 30, 2017
    Posts:
    101
    Location:
    MI
    Hi and happy new year all,

    I have a quick question about access control and child processes.

    Under the application exceptions tab, when I double click an item, options are presented for how that item communicates with the internet. One of the options is "apply same rules to child processes"

    Let's say I give Google update permission of unrestricted TCP and UDP traffic, and I check the "apply same rules to child processes" box.

    Can that service now spawn a child process that would have these same privileges because that box is checked, where normally it would not be able to communicate at all?

    Not knowing what child processes are created by what services - is there a best practice for the use of this option? Thanks.
     
  7. ultim

    ultim Developer

    Joined:
    Oct 12, 2011
    Posts:
    703
    Location:
    Hungary
    That's exactly what this option does. If the process of executable X has no rules defined but Y does, then if Y spawns X and Y has this option enabled, then X will get the same rules as Y. Okay, this might sound complicated, but since you had it right the first time I'm sure you'll understand :D

    As for best practice when to use it: I personally would not generally use it in every exception (which is why this option is disabled by default when you create a new exception in TinyWall). But sometimes there are apps that tend to spawn child processes that need access to the internet, and the children don't have a window/GUI and are even short lived so it is very hard to whitelist them. This option is a godsend in those cases. It is also useful if you cannot figure out which processes the main executable launches, or if it creates temporary executables so it launches a different executable every time (like many online/web installers).
     
  8. caspez

    caspez Registered Member

    Joined:
    Jan 6, 2021
    Posts:
    2
    Location:
    italy
    Hi,
    I'm unable to update TinyWall anymore.
    I tried updating both from the "Manage" panel and manually downloading the installer from the official website.
    In both cases the installation seems to proceed successfully, but at the end I get a popup with the message:
    '''
    There is a problem with this Windows Installer package.
    A program required for this install to complete could not
    be run. Contact your support personnel or package
    vendor.
    '''
    I'm on Windows 7 Professional 64 bit.
    I tried disabling the antivirus real-time protection, but it still fails.
    I haven't tried uninstalling the old version I'm running (3.0.4), because I'm afraid I wouldn't be able to install the program anymore.
    Thanks.
     
  9. ultim

    ultim Developer

    Joined:
    Oct 12, 2011
    Posts:
    703
    Location:
    Hungary
    Hi caspez,

    TinyWall still supports Windows 7, so unless you have a local problem on your computer, there is no reason why you shouldn't be able to install TinyWall again. Actually, that is exactly what you have to do to update. There is a known issue when upgrading from 3.0.4 (or earlier) to newer versions. The workaround is to uninstall the old version first, and then install the newer one. To avoid losing your settings and rules, you can export them from the Manage window before the uninstall. Then you can import your settings again after installing the new version.
     
  10. caspez

    caspez Registered Member

    Joined:
    Jan 6, 2021
    Posts:
    2
    Location:
    italy
    Solved. Thank you. I guess I should have tried that before asking for help, but I was afraid there was something going on that would have prevented me from installing it again.
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    BTW, I have noticed a couple of things, perhaps you can change them if it isn't a lot of work. When you open the "Manage" window it won't remember the last active tab. And when you click on Apply when you changed certain settings, the window minimizes, it's a bit unhandy sometimes. Also when you choose "whitelist by window" you can't cancel it, you will have to click on a window. Of course this is all minor stuff.
     
  12. ultim

    ultim Developer

    Joined:
    Oct 12, 2011
    Posts:
    703
    Location:
    Hungary
    You mean, "closes", not "minimizes", right? Making the Manage window behave more like the standard OK/Apply buttons in traditional applications is actually quite a popular request, but the request is usually to rename "Apply" to "OK", instead of not closing the window when Apply is clicked.

    There is a cancel actually, albeit somewhat hidden. The general problem with cancelling "Whitelist by window" is that by definition, anything you click when it is activated should be interpreted as choosing a window, instead of cancellation or any other action. But the trick is, if TinyWall's hotkeys are enabled and you press the action's hotkey (Ctrl+Shift+W) while choosing a window, "Whitelist by window" gets cancelled. Yes, this also means there is no way to cancel ATM if the hotkeys are disabled. Maybe I could make clicking on TinyWall's own popup when the action is activated a special exception and interpret it as "cancel", but that popup disappears after a couple of seconds. What do you think?
     
    Last edited: Jan 13, 2021
  13. ultim

    ultim Developer

    Joined:
    Oct 12, 2011
    Posts:
    703
    Location:
    Hungary
    Sorry, I just realized I missed one answer:

    It is remembered when you save settings (Apply) instead of clicking Cancel.

    Should window position and active tab be remembered after cancelling too?
     
  14. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,796
    Location:
    .
    If I may answer that question too then yes. I'd like to see such behavior.
     
  15. ultim

    ultim Developer

    Joined:
    Oct 12, 2011
    Posts:
    703
    Location:
    Hungary
    Anybody may answer. The more the better, so that I can see what the general consensus is. For all current and future questions.
     
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Yes correct, I mean close. Sometimes you might change your mind after clicking on apply, so that's why it would be handy if it wouldn't close.

    Yes, but to be honest, normally I just click on the close button.

    I almost never use this function, but the other day I clicked on it by accident and it would have been handy if you could simply click on Escape for example. Now I clicked on the taskbar and explorer.exe got whitelisted. And I don't use the hotkeys function. BTW, what do you think about adding a context menu similar to WFC, which allows you to allow apps to connect out?
     
  17. AlphaUMi

    AlphaUMi Registered Member

    Joined:
    Jan 23, 2021
    Posts:
    2
    Location:
    127.0.0.1
    I have an annoying problem with TinyWall, that persists through updates, and is still there now. Basically, the programs that I run from an external hard drive are blocked after every reboot or cold boot, even if they are whitelisted, so I keep re-adding them every time I boot my laptop. I mean apps like Steam and Playnite, RetroArch and Kodi. This happens only with these apps because (I suppose) they reside on two different external USB drives. The programs installed on C: are not affected at all.
    The strange thing is that these apps are saved in the whitelisted tab, but are also shown in the "blocked connections" window, and I need to re-add them at least after every boot.
    How can I solve this issue, please?
     
  18. ultim

    ultim Developer

    Joined:
    Oct 12, 2011
    Posts:
    703
    Location:
    Hungary
    Hi AlphaUMi, I'm very sorry for the late answer. I'll be investigating this, unfortunately I have no useful info right now.
     
  19. Sm3K3R

    Sm3K3R Registered Member

    Joined:
    Feb 29, 2008
    Posts:
    611
    Location:
    Wallachia
    @ultim

    There is an issue, on my machine.
    It needs to be verified, of course, by some other users as well.

    LLMNR traffic goes through the firewall at OS start-up.
    LLMNR traffic can be exploited in some network configurations, from what I've read. A laptop could be exposed, I think.
    It is happening on my machine, even when the Block All policy is enabled.

    I have discovered this recently, due to the logging of some pre-routing chain rule in my router firewall. The computer was sending packets from/toward UDP ports 5353 and 5355, via DHCP IP or hardware IP, at start-up.
    So the firewall does not seem to load fast enough for me?!
    Happens with W10 x64 or W7 x64. TinyWall latest - 3.0.10.

    It's not a unique issue though, with software firewalls. I have also observed that this happens, as well, in W7 or W10, with Outpost Firewall Pro 9.3 installed, if port block rules for UDP ports 5353 or 5355, applied before application rules, are not defined (and by default they are not). Even if svchost.exe is locked, with a proper block rule. In such a situation Outpost firewall will log the connection with a "No Rule" observation, traffic passing through as well.

    I had to disable LLMNR, via gpedit.msc policy -> Computer Configuration > Administrative Templates > Network > DNS Client -> Enable 'Turn Off Multicast Name Resolution'; by default it is Disabled and traffic towards UDP 5353, 5355 is allowed.

    TinyWall 3.0.10, svchost.exe - with no special rules and, on the special rules page, with only the ICMP, DNS and DHCP checkboxes enabled. All optionals off. No antivirus, or the built-in one.
     
  20. ultim

    ultim Developer

    Joined:
    Oct 12, 2011
    Posts:
    703
    Location:
    Hungary
    LLMNR is enabled as part of the "DNS" special exception. I chose this because I figured when most users want to enable DNS, in truth they really want "name resolution" to work in general, and LLMNR is also for the purpose of name resolution, in the local network. For completeness' sake, let me mention the same exception also enables mDNS. So in TinyWall, the DNS special exception equals DNS, mDNS and LLMNR.

    Given all the above info, could you try and see if LLMNR traffic still reaches your firewall if you disable the DNS rule? Make sure the Windows Update rule is also disabled. And if disabling DNS doesn't help, what if you create an explicit blocking rule for port 5355, like you did in Outpost? It is strange that Block All didn't help, that's supposed to be the nuclear option, but I'd like to investigate the issue from every angle.
     
  21. Sm3K3R

    Sm3K3R Registered Member

    Joined:
    Feb 29, 2008
    Posts:
    611
    Location:
    Wallachia
    Thank you for the fast feedback!

    Some testing:
    DNS unchecked + Normal Policy = No LLMNR start-up traffic
    DNS checked + Block All = start-up traffic (I can see more lines logged for this)
    DNS unchecked + Block All = No start-up traffic
    DNS checked + svchost.exe with allow UDP 53 Out (I presume that the rest of the UDP traffic should be denied and only the one towards port 53 is allowed) = LLMNR traffic
    DNS unchecked + Allow Outbound = enhanced :) start-up traffic. Along the outputs toward UDP 5355 and 5353 I also see protocol 2/IGMP traffic towards 224.0.0.22
    DNS checked + Allow Outbound = LLMNR traffic + the one towards the dummy 224.0.0.22 (more lines logged)
    Windows Updates checkbox doesn't seem to be doing anything in relation to the issue.

    It seems that the Block All "gets sticky" random bug (observed on my system with 3.0.4, I think) showed up again during these mini tests. No matter the policy set-up, randomly at the time the desktop loads, the Block All preset may be loaded instead of the one selected before restart. It's not a bad thing though, in case it starts early.

    TinyWall 3.0.10 on Windows 10 x64, all updates prior to the 9 Feb 2021 big one.

    It's strange that the Block All policy doesn't seem to load fast enough. Maybe other users could take a look and check this.

    As without the ~normal~ DNS, under W10, you can't do too much, maybe a separate LLMNR checkbox could be added? Or a ~simple~ DNS checkbox?
    I have no idea why the Block All is not doing its magic though.
     
  22. ultim

    ultim Developer

    Joined:
    Oct 12, 2011
    Posts:
    703
    Location:
    Hungary
    Ok, this doesn't seem so bad, most of the cases are expected.

    Perfect.

    This is the only test case that that doesn't provide the expected results. We'll get back to this further down.

    Again, expected.

    Also expected, because checked DNS lets LMMNR through intentionally.

    Both cases are OK too. The first generates traffic because of Allow Outbound, and the second because DNS is checked.

    My bad, you are right. I checked the rule definitions for Windows Update and it shouldn't make a difference. When your software is so old you forget how it works :D


    So judging by the results, the only case when things aren't alright is when DNS is enabled but TinyWall was set to Block All. In this case Block All should have blocked the traffic. I glimpsed over the code of Block All and cannot spot any problems yet. But I'm thinking, it might be better to investigate your "sticky Block All" problem first. Because that problem means your firewall settings might not always get saved and loaded correctly, and without that working reliably, we cannot rely on other test results. For example, it might be the case that Block All does work and blocks DNS even when enabled, but the firewall just simply didn't start in the Block All mode even though you set it to it.
    So to summarize, it would be best to get to the bottom of your "sticky" modes first, because it might be masking your other issue. Is there anything in your C:\ProgramData\TinyWall\logs that you can send to me (to tinywall--at--pados.hu)?

    I'd rather leave it as it is to be honest, because this is more practical for most users. In your case you can add explicit blocking rules to remove LLMNR from the mix if you want. Blocking rules take precedence over allow rules. However, you are right that to avoid confusion, the rule probably should be renamed from simply "DNS" to "Name resolution" (or something similar).
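    The rule semantics ultim lays out above (the "DNS" special exception covers DNS, mDNS and LLMNR; Block All drops everything; explicit blocking rules take precedence over allow rules), modelled in Python as an added example that is not TinyWall's own code, and replayed over Sm3K3R's start-up test matrix so the one contradicting case stands out. The port-to-protocol mapping (UDP 53/5353/5355) is assumed from the numbers quoted in the thread.

```python
"""Model of the TinyWall rule semantics described in this thread (an added
example, not TinyWall's own code): the "DNS" special exception covers DNS,
mDNS and LLMNR; Block All drops everything; explicit block rules win over
allow rules. It replays the posted test matrix and returns the case whose
observed result contradicts the model, i.e. the one worth sending a log for."""
from dataclasses import dataclass, field

# One checkbox, three protocols (assumed port mapping, all UDP outbound).
DNS_EXCEPTION_PORTS = {53, 5353, 5355}   # DNS, mDNS, LLMNR


@dataclass
class Policy:
    mode: str                      # "Normal", "BlockAll" or "AllowOutbound"
    dns_checked: bool = False      # the "DNS" special exception
    block_udp_ports: set = field(default_factory=set)  # explicit block rules
    allow_udp_ports: set = field(default_factory=set)  # per-app allow rules


def udp_out_allowed(p: Policy, dport: int) -> bool:
    """Decide one outbound UDP packet under the rules as stated in the thread.
    The model assumes the chosen mode really got loaded; a "sticky" Block All
    that silently replaces it is exactly what the model cannot explain."""
    if p.mode == "BlockAll":                    # the nuclear option
        return False
    if dport in p.block_udp_ports:              # block beats allow
        return False
    if p.mode == "AllowOutbound":
        return True
    if p.dns_checked and dport in DNS_EXCEPTION_PORTS:
        return True
    return dport in p.allow_udp_ports


def llmnr_expected(p: Policy) -> bool:
    return udp_out_allowed(p, 5355)


# Sm3K3R's matrix as posted: (policy, LLMNR traffic observed at start-up)
OBSERVED = [
    (Policy("Normal", False), False),
    (Policy("BlockAll", True), True),
    (Policy("BlockAll", False), False),
    (Policy("Normal", True, allow_udp_ports={53}), True),
    (Policy("AllowOutbound", False), True),
    (Policy("AllowOutbound", True), True),
]


def anomalies(cases=OBSERVED):
    """Cases where the observation contradicts the modelled rules."""
    return [p for p, seen in cases if llmnr_expected(p) != seen]


if __name__ == "__main__":
    for p in anomalies():
        print("needs investigation:", p)
```

    Under the model the only contradicting case is Block All with DNS checked, which matches the developer's reading; putting 5355 into block_udp_ports reproduces the explicit-block workaround he suggests while leaving port 53 open.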
     
  23. Sm3K3R

    Sm3K3R Registered Member

    Joined:
    Feb 29, 2008
    Posts:
    611
    Location:
    Wallachia
    Of course, the design choices are yours.
    In my view, a user's view, a special switch for LLMNR would have been nice. Or a nice "clean" DNS option, that applies to only port 53 stuff.

    I am not a coder myself, but i presume that, in relation to the Block All/global policies saving issues, you could add, maybe, a pop-up dialog that double checks if the setting was properly saved.
    I do remember though that in 3.0.4 , the Block All policy, was really blocking at start-up.
     
  24. kenw

    kenw Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    145
    Location:
    Brighton, Colorado
    Knock knock, anyone home? Kind of quiet lately.
     
  25. ultim

    ultim Developer

    Joined:
    Oct 12, 2011
    Posts:
    703
    Location:
    Hungary
    Hi there :)
     