Broken free firewalls. One that actually works?

Discussion in 'other firewalls' started by DERV, Dec 31, 2013.

Thread Status:
Not open for further replies.
  1. DERV

    DERV Registered Member

    Joined:
    Aug 6, 2006
    Posts:
    35
    Location:
    England
    Although I'm a *nix veteran for various reasons our main desktop machine has been reverted to Windows 7 x64 Ultimate. Mostly because my wife needs access to Publisher and it's too flaky under Wine etc in Crunchbang and Mint. My network is a little more complex than most, and for some reason free firewalls I've tried are just plain broken and/or insecure.

    The Windows machine has an Intel Pro 1000MT NIC and is wired via cat6e ethernet cable to a cable modem (120Mbps down 12Mbps up). With no router in place, this means the PC gets assigned the WAN IP from the cable connection (82.xxx.xxx.xxx).

    With that connection established, the machine runs a permanent OpenVPN connection to a commercial VPN provider's network. This assigns the machine a local IP in the 10.xxx.xxx.xxx range.

    Finally, because we've no router and I'm loathe to buy a crappy consumer one, the PC has a spare wireless N dongle plugged in. This is used solely for Connectify software to act as a WAP so our laptops/tablets/phones can share the main internet connection (and specifically can transparently share the VPN into the deal).

    Although used to using iptables or ufw on Linux (albeit through GUIs like Firestarter and GUFW), I remembered Comodo firewall from my older days. The latest version was installed but plain refused to detect network connections. No popup dialogs asking to assign connections to zones (public, local/trusted) or anything of the sort. The app couldn't submit files because it thought the machine was offline (it isn't) and it showed no networks in the zones tab. A thread on their forum proved fruitless and as such the software was useless to me. The subnet of the VPN LAN IP changes with each connection (eg from 10.101.xxx.xxx to 10.104.xxx.xxx) and so manually entering rules/zones into Comodo after each reconnect is unfeasible. Hence, Comodo is broken and useless to me.

    I then tried ZoneAlarm av/firewall suite as I used to use ZA in the late 90s/early 00s. Aside from noting I had to avoid adware/spyware, it installed fine and, wonder of wonders, detected the cable WAN, VPN LAN, and local WAP IPs as separate networks! It also correctly identified the DHCP server (which Connectify runs for the WAP users). Great!! Unfortunately it asks what zone to assign them to in a pop up dialog, and I obviously chose as follows:

    Cable WAN > Public
    VPN > Public
    Connectify / WAP > Local/Trusted

    The problem is, although this is accepted by ZA and the dialog goes away when I click OK, upon checking the actual firewall zone settings in the main app, ZA has actually assigned those public networks as TRUSTED. :blink: Bad, bad, security flaw especially seeing as I have no router or other hardware NAT between this machine and the wider internet.

    So my question (finally!) is can someone please advise me on a decent - preferably free - firewall for Windows which can handle the above without freaking out, refusing to work (Comodo) or secretly perverting your settings to leave you exposed and insecure (ZA)? In a nutshell it needs to accommodate multiple connections/zones at once (preferably automatically via pop ups after connection rather than manual entry), and be both relatively easy to use and effective.

    I have installed a trial of Kaspersky IS for now and while it's running well, it does tend to overreact (blocking torrent traffic as SYN flood attacks despite the torrent app being whitelisted and trusted). It is also rather heavy on resources for this older machine (Core2Duo, 2GB DDR2 RAM).

    Thanks in advance to those who read this far, and who can offer some pearls of wisdom. I'm grateful! Hopefully I won't have to resort to no outbound firewall and retasking an old x86 as a hardware firewall (Smoothwall, M0n0wall, PFSense or similar).
     
  2. DERV

    DERV Registered Member

    Joined:
    Aug 6, 2006
    Posts:
    35
    Location:
    England
    Actually, having had a second read of the first few pages of this subforum, it seems I might be best served by a GUI for the Windows 7 firewall such as TinyWall or Windows Firewall Control 4?

    Windows 7's firewall can be operated inbound only or two-way, is light and built into the OS itself, recognises several simultaneous connections and allows them to be 'zoned' (public, private/trusted), and means no extra cost.

    Would this be feasible in my situation or would a different app protect my network better given the open WAN connection and VPN? Just thinking aloud. :)
     
  3. Q Section

    Q Section Registered Member

    Joined:
    Feb 5, 2003
    Posts:
    771
    Location:
    Headquarters - London & Field Offices -Worldwide
    Outpost Firewall Free works quite well and is not too difficult to set. The company - Agnitum - only deals with just a very few security programmes and has been doing this since 1999. Look 'n' Stop also works well but is worse than a royal pain to set and try to figure out how to configure it properly.

    The after-market GUI for Windows 7 firewall has not been tried here but is Microsoft trustworthy enough for your security?

    Best regards in your attempts.
     
  4. DERV

    DERV Registered Member

    Joined:
    Aug 6, 2006
    Posts:
    35
    Location:
    England
    Not especially. However, given that the OS itself is shown to have NSA backdoor keys, consumer ISP-supplied modem/routers have been shown to have separate hidden NSA/GCHQ VLANS issuing US DoD IPs for their undetected and unfettered remote access, and pretty much every US, UK and wherever-else-based 'security' programs can be assumed to be purposefully compromised based on Patriot Act/FISA subpoenas or other arm twisting and coercion, it does tend to narrow down the choices rather! :blink:

    I was vaguely aware of Outpost free but IIRC it suffers from being a version from circa 2011, making it now almost 3 years outdated? I'm happy to be corrected however, and would contemplate purchasing the pro version if I was happy with how easy it was to configure and use (and how effective it was, naturally).

    The more I think about it the easier a dedicated standalone pfsense box is beginning to sound! Many thanks for your contribution.
     
  5. dbrisendine

    dbrisendine Registered Member

    Joined:
    Jul 15, 2006
    Posts:
    51
    Location:
    BC, Canada
    Have you tried Emsisoft's Online Armor Free? When you install it, just select the free mode not the thirty day trial.
     
  6. DERV

    DERV Registered Member

    Joined:
    Aug 6, 2006
    Posts:
    35
    Location:
    England
    I'll have a look, thanks. :)
     
  7. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    NB, I'm a *nix newbie, not a veteran. But my preference in your situation would be to purchase an obsolete old laptop or such, and set up a dedicated router/firewall distro on it. (e.g. IPFire: http://www.ipfire.org/ ) IPFire can handle wifi, OpenVPN, and of course firewalling, all controlled from a nice web GUI (which you can also strictly limit access to). That way you wouldn't have to have a Windows machine facing the Internet, let alone acting as a wireless access point.

    I have a similar setup on my home network actually - old Pentium 4 laptop (clocked down to 300 MHz) running Debian, with iptables and a bunch of services on the LAN side. It has served me well for a while now, and AFAIK has not been rooted yet. :)
     
  8. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    1,636
    Location:
    Toronto, Canada
    Honestly, I would simply recommend buying a second-hand WRT54Gx router at a thrift shop for under $5 and flash the DD-WRT firmware on it. The older WRT54G models tend to have more RAM and flash memory and with DD-WRT you've got control over your own device.

    I know, you weren't thinking of a router. But the reality is, free software firewalls are not quite what they used to be, say 6-8 years ago. I certainly wouldn't trust Microsoft either.

    This conversation now has me missing the good old days of Sygate Personal Firewall.
     
  9. DERV

    DERV Registered Member

    Joined:
    Aug 6, 2006
    Posts:
    35
    Location:
    England
    Yeah I'm starting to come around to that thinking. As an aside, wouldn't these make wonderful little Linux routers? An ARM quad core CPU, 2GB DDR3 RAM and a flash card for just over $100. All that and only 2" cubed. What more could you ask for? :D
     
  10. DERV

    DERV Registered Member

    Joined:
    Aug 6, 2006
    Posts:
    35
    Location:
    England
    I used to have a WRT54GL running Tomato when I had ADSL2+ (24Mbps down). Unfortunately, great though they were in their time, they can't possibly handle 120Mbps WAN throughput. They tend to crap out around 50Mbps unfortunately.

    While Windows firewalls may not be what they used to be, Linux and BSD are still producing the goods so I think a dedicated box would be a better idea after all. :)
     
  11. Q Section

    Q Section Registered Member

    Joined:
    Feb 5, 2003
    Posts:
    771
    Location:
    Headquarters - London & Field Offices -Worldwide
    As an additional thought - for those who are using a Windows-based firewall of any kind the following is a VERY prudent thing to do: When you are starting the computer have the LAN cable unplugged or your WiFi or 3G/4G or Satellite or any other Internet connection turned off until the OS has fully loaded and then perhaps about 30 seconds after that. Why? Some testing by a member has shown that some firewalls may not start to protect from the get go. If the Internet connection is delayed then the firewall has a better chance to fully start and protect and catch any un-authorised outbound (or inbound for that matter) traffic.

    Information on this issue can be found elsewhere (forgot where but perhaps within Wilderssecurity.)

    Best regards
     
  12. Q Section

    Q Section Registered Member

    Joined:
    Feb 5, 2003
    Posts:
    771
    Location:
    Headquarters - London & Field Offices -Worldwide
  13. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,274
    This one?
    https://www.wilderssecurity.com/showthread.php?t=356387
     
  14. Q Section

    Q Section Registered Member

    Joined:
    Feb 5, 2003
    Posts:
    771
    Location:
    Headquarters - London & Field Offices -Worldwide
    Exactly that one! Thank you for finding it again!

    -> DERV - Since Outpost Firewall Pro 9.1 (current version) was found not to protect/operate satisfactorily upon starting the computer we would hope some hardware/chip developer might get the idea to create an on-motherboard solution for a firewall. Now that would seem to be a capital idea! (Asus, Gigabyte, MSI and others....are you reading this?)

    Yes a dedicated computer to act as a firewall seems to be a positive attempt at a solution. Also for those computers left on all the time-it would be wise to remember these findings when rebooting from an update etc: either unplug the ethernet cable or turn off the wireless adapter before rebooting until Windows is fully loaded as well as the firewall software (perhaps about 30-45 seconds). Then re-establish your network connection.
     
    Last edited: Apr 2, 2014
  15. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    Firmware firewalls built into the mobos? Egads, no thanks. No offense but I would not trust such a thing, from what I've seen about the tendencies of hardware manufacturers.

    I don't see why this is such a big deal actually. How hard can it be on Windows to bring up the loopback interface, then the firewall, and only then the ethernet hardware? If you look at e.g. UFW on Ubuntu, it kicks in before ethernet or WiFi.
     
Loading...
Thread Status:
Not open for further replies.