My views on Ghostwall

Discussion in 'Other Ghost Security Software' started by TrueAudio, Nov 7, 2005.

Thread Status:
Not open for further replies.
  1. TrueAudio

    TrueAudio Guest

    Hello, I'm a new member here =) I've worked with most of the popular firewalls out there (and many of the lesser known and/or harder to configure ones). I have used Tiny Personal Firewall, Kerio 2.xx, 8Signs firewall, Jetico (didn't work with BitTorrent no matter what I did) as well as the bloatware ones: Zonealarm, Kerio 4.xx, Outpost, Norton, etc.

    Ghostwall seems like a Godsend in contrast to all of the other bloatware firewall programs out there. It is the most transparent application I have ever seen, congrats on creating a super small footprint firewall which is also easy to understand and configure. There are, however, a few very strange issues with it that make absolutely no sense to me as to how it could be possible.

    I will explain--1st off I use an IP blacklist program called Protowall, which like Ghostwall, uses its own NDIS driver to block unwanted IP addresses. Ghostwall has somehow been letting through *some* packets (UDP, TCP, ICMP, and even IGMP protocol) because with the default settings, I am still getting blocked notices on ports that are closed according to the firewall rules in Ghostwall (like I said default settings).

    Incoming packets pass (TCP and UDP) through Ghostwall on the following ports: 6881 (BT), 3166 from various different companies' IP addresses (not necessarily consistently the same ones). What is VERY strange is that if a deliberate scan is done by online scanning tools at websites grc.com and also auditmypc.com, both of those ports show up as stealthed. I know that Protowall has NEVER ended up blocking any packets whatsoever when I was not using my PC (i.e. no traffic at all initiated by me) when I had my hardware SPI firewall/router hooked up (I don't have the router atm because it had developed a problem and I had to send it in to get replaced.)

    Bottom line is there should be no reason that any packets from any IP address are passing through Ghostwall on ports 6881 and 3166 (I have NOT forwarded them, nor do I have any other firewall or Internet security software installed that might have been causing a conflict--I know what I am doing). I know there are some sophisticated and very advanced portscanning methods, such as those implemented by Nessus or NMAP, which can send many types of TCP SYN, NULL, Half Open, etc. and many many others that perhaps Ghostwall isn't "bulletproof" enough to recognize these as unsolicited, unwanted communication and stop them.

    Other than that this looks like it would be a must have firewall provided that what I have mentioned is carefully investigated. If I may offer a humble suggestion in regards to the desire for others to want application control, personally, I would rather have a dedicated, separate application for that. This would provide greater flexibility, providing people with more options if they wanted one program vs. the other, and may result in greater stability being preserved between the two.

    Thanks for a great product nonetheless, I hope to see an update to it in the near future.

    -TrueAudio
     
  2. TrueAudio

    TrueAudio Guest

    Here is a log of Protowall showing both allowed and blocked IPs THROUGH Ghostwall on port 6811. Why is port 6881 not being blocked when the rules are not set up to allow anything to go through 6881?


    2005/11/07 15:24:42 [->] non-hostile source (83.237.106.6), access granted [Protocol: UDP - src: 6899 / dst: 6881]
    2005/11/07 15:24:57 [->] REJECTED - Source is America Online, (050422) W32.Gaobot 1434, (05032... (172.213.54.87) [Protocol: UDP - src: 6881 / dst: 6881]
    2005/11/07 15:25:04 [->] non-hostile source (83.240.160.122), access granted [Protocol: UDP - src: 6881 / dst: 6881]
    2005/11/07 15:25:05 [->] non-hostile source (81.18.217.103), access granted [Protocol: UDP - src: 6881 / dst: 6881]
    2005/11/07 15:25:07 [->] non-hostile source (58.136.149.133), access granted [Protocol: UDP - src: 49152 / dst: 6881]
    2005/11/07 15:25:08 [->] non-hostile source (69.221.38.153), access granted [Protocol: UDP - src: 29113 / dst: 6881]
    2005/11/07 15:25:09 [->] non-hostile source (82.82.73.106), access granted [Protocol: UDP - src: 6881 / dst: 6881]
    2005/11/07 15:25:27 [->] non-hostile source (85.76.136.15), access granted [Protocol: UDP - src: 6881 / dst: 6881]
    2005/11/07 15:25:38 [->] non-hostile source (80.51.226.222), access granted [Protocol: UDP - src: 6881 / dst: 6881]
    2005/11/07 15:25:44 [->] non-hostile source (222.104.36.163), access granted [Protocol: UDP - src: 6881 / dst: 6881]
    2005/11/07 15:25:45 [->] non-hostile source (83.44.16.122), access granted [Protocol: UDP - src: 8888 / dst: 6881]
    2005/11/07 15:25:51 [->] non-hostile source (200.77.193.89), access granted [Protocol: UDP - src: 21973 / dst: 6881]
    2005/11/07 15:25:58 [->] non-hostile source (68.14.129.46), access granted [Protocol: UDP - src: 6666 / dst: 6881]
    2005/11/07 15:26:07 [->] non-hostile source (71.224.54.123), access granted [Protocol: UDP - src: 65000 / dst: 6881]
    2005/11/07 15:26:17 [->] non-hostile source (84.101.214.233), access granted [Protocol: UDP - src: 6666 / dst: 6881]
    2005/11/07 15:26:46 [->] non-hostile source (84.9.67.175), access granted [Protocol: UDP - src: 10989 / dst: 6881]
    2005/11/07 15:27:03 [->] non-hostile source (83.83.145.70), access granted [Protocol: UDP - src: 2789 / dst: 6881]
    2005/11/07 15:27:06 [->] REJECTED - Source is Hochschule fuer Technik, Wirtschaft und Kultur Lei (141.57.17.60) [Protocol: UDP - src: 6881 / dst: 6881]
    2005/11/07 15:27:14 [->] non-hostile source (62.194.144.190), access granted [Protocol: UDP - src: 49501 / dst: 6881]
    2005/11/07 15:27:18 [->] REJECTED - Source is IANA - Private Use [RFC1918], A.D.Vision.Iana (10.210.184.1) [Protocol: UDP - src: 67 / dst: 68]
    2005/11/07 15:27:18 [->] REJECTED - Source is IANA - Private Use [RFC1918], A.D.Vision.Iana (10.210.184.1) [Protocol: UDP - src: 67 / dst: 68]
    2005/11/07 15:27:32 [->] non-hostile source (69.92.253.190), access granted [Protocol: UDP - src: 49152 / dst: 6881]
    2005/11/07 15:27:38 [->] non-hostile source (85.72.69.100), access granted [Protocol: UDP - src: 6881 / dst: 6881]
    2005/11/07 15:27:43 [->] non-hostile source (65.49.139.176), access granted [Protocol: UDP - src: 62295 / dst: 6881]
    2005/11/07 15:27:44 [->] non-hostile source (88.111.52.31), access granted [Protocol: UDP - src: 6881 / dst: 6881]
    2005/11/07 15:28:00 [->] non-hostile source (202.89.171.119), access granted [Protocol: UDP - src: 18438 / dst: 6881]
    2005/11/07 15:28:12 [->] non-hostile source (195.56.8.82), access granted [Protocol: UDP - src: 6881 / dst: 6881]
    2005/11/07 15:28:19 [->] non-hostile source (80.220.212.5), access granted [Protocol: UDP - src: 9883 / dst: 6881]
    2005/11/07 15:28:21 [->] non-hostile source (64.230.106.41), access granted [Protocol: UDP - src: 60561 / dst: 6881]
    2005/11/07 15:28:34 [->] non-hostile source (62.57.37.120), access granted [Protocol: UDP - src: 6881 / dst: 6881]
    2005/11/07 15:28:40 [->] REJECTED - Source is IANA - Private Use [RFC1918], A.D.Vision.Iana (10.210.184.1) [Protocol: UDP - src: 67 / dst: 68]
    2005/11/07 15:28:40 [->] REJECTED - Source is IANA - Private Use [RFC1918], A.D.Vision.Iana (10.210.184.1) [Protocol: UDP - src: 67 / dst: 68]
    2005/11/07 15:28:41 [->] non-hostile source (218.212.67.129), access granted [Protocol: UDP - src: 52800 / dst: 6881]
    2005/11/07 15:28:50 [->] non-hostile source (24.92.86.123), access granted [Protocol: UDP - src: 33766 / dst: 6881]
    2005/11/07 15:29:03 [->] non-hostile source (210.49.186.18), access granted [Protocol: UDP - src: 1138 / dst: 6881]
    2005/11/07 15:29:16 [->] non-hostile source (84.60.6.209), access granted [Protocol: UDP - src: 49152 / dst: 6881]
    2005/11/07 15:29:18 [->] non-hostile source (65.93.9.39), access granted [Protocol: UDP - src: 6881 / dst: 6881]
    2005/11/07 15:29:20 [->] non-hostile source (202.144.45.18), access granted [Protocol: UDP - src: 3646 / dst: 6881]
    2005/11/07 15:29:21 [->] non-hostile source (24.213.159.161), access granted [Protocol: UDP - src: 6881 / dst: 6881]
    2005/11/07 15:29:24 [->] non-hostile source (84.85.63.133), access granted [Protocol: UDP - src: 8999 / dst: 6881]
    2005/11/07 15:29:35 [->] non-hostile source (82.148.125.203), access granted [Protocol: UDP - src: 8877 / dst: 6881]
    2005/11/07 15:29:53 [->] non-hostile source (213.96.28.225), access granted [Protocol: UDP - src: 61940 / dst: 6881]
    2005/11/07 15:30:01 [->] non-hostile source (24.181.199.141), access granted [Protocol: UDP - src: 16881 / dst: 6881]
    2005/11/07 15:30:06 [->] non-hostile source (84.9.164.165), access granted [Protocol: UDP - src: 33021 / dst: 6881]
    2005/11/07 15:30:07 [->] non-hostile source (24.239.145.127), access granted [Protocol: TCP - src: 51533 / dst: 6881]
    2005/11/07 15:30:18 [->] non-hostile source (195.204.155.217), access granted [Protocol: UDP - src: 10922 / dst: 6881]
    2005/11/07 15:30:31 [->] non-hostile source (201.250.117.27), access granted [Protocol: UDP - src: 6882 / dst: 6881]
    2005/11/07 15:30:41 [->] non-hostile source (24.16.179.214), access granted [Protocol: UDP - src: 6881 / dst: 6881]
    2005/11/07 15:31:02 [->] non-hostile source (202.22.168.53), access granted [Protocol: UDP - src: 49961 / dst: 6881]
    2005/11/07 15:31:02 [->] non-hostile source (70.33.49.130), access granted [Protocol: UDP - src: 6881 / dst: 6881]
    2005/11/07 15:31:08 [->] non-hostile source (210.213.127.66), access granted [Protocol: UDP - src: 50120 / dst: 6881]
    2005/11/07 15:31:14 [->] non-hostile source (220.245.110.5), access granted [Protocol: UDP - src: 6881 / dst: 6881]
    2005/11/07 15:31:22 [->] non-hostile source (83.209.9.115), access granted [Protocol: UDP - src: 38188 / dst: 6881]
    2005/11/07 15:31:22 [->] non-hostile source (83.173.172.47), access granted [Protocol: UDP - src: 26881 / dst: 6881]
    2005/11/07 15:31:52 [->] non-hostile source (217.10.38.23), access granted [Protocol: UDP - src: 8127 / dst: 6881]
    2005/11/07 15:32:40 [->] non-hostile source (71.113.168.6), access granted [Protocol: UDP - src: 50027 / dst: 6881]
    2005/11/07 15:32:45 [->] REJECTED - Source is DoD Network Information Center, Mediacom Communi... (12.208.100.100) [Protocol: UDP - src: 6881 / dst: 6881]
    2005/11/07 15:32:50 [->] non-hostile source (65.31.198.13), access granted [Protocol: UDP - src: 6875 / dst: 6881]
    2005/11/07 15:33:04 [->] non-hostile source (80.140.147.110), access granted [Protocol: UDP - src: 6881 / dst: 6881]
    2005/11/07 15:33:09 [->] non-hostile source (64.228.78.119), access granted [Protocol: UDP - src: 6881 / dst: 6881]
    2005/11/07 15:33:32 [->] non-hostile source (24.247.241.58), access granted [Protocol: UDP - src: 6882 / dst: 6881]
    2005/11/07 15:33:46 [->] REJECTED - Source is The Pointe at State College (66.253.219.82) [Protocol: UDP - src: 6511 / dst: 6881]
    2005/11/07 15:33:47 [->] non-hostile source (84.136.203.129), access granted [Protocol: UDP - src: 6881 / dst: 6881]
    2005/11/07 15:33:55 [->] non-hostile source (82.120.151.156), access granted [Protocol: UDP - src: 6882 / dst: 6881]
    2005/11/07 15:33:56 [->] non-hostile source (193.77.159.37), access granted [Protocol: UDP - src: 6881 / dst: 6881]
    2005/11/07 15:34:07 [->] non-hostile source (70.94.229.228), access granted [Protocol: UDP - src: 6881 / dst: 6881]
    2005/11/07 15:34:43 [->] non-hostile source (68.147.196.249), access granted [Protocol: UDP - src: 6881 / dst: 6881]
    2005/11/07 15:34:48 [->] non-hostile source (82.112.151.173), access granted [Protocol: UDP - src: 6881 / dst: 6881]
    2005/11/07 15:34:50 [->] non-hostile source (87.74.48.107), access granted [Protocol: UDP - src: 6881 / dst: 6881]
    2005/11/07 15:34:59 [->] non-hostile source (203.158.60.160), access granted [Protocol: UDP - src: 83 / dst: 6881]
    2005/11/07 15:35:09 [->] non-hostile source (69.86.132.183), access granted [Protocol: UDP - src: 6881 / dst: 6881]
    2005/11/07 15:35:14 [->] non-hostile source (84.83.171.109), access granted [Protocol: UDP - src: 6881 / dst: 6881]
    2005/11/07 15:35:19 [->] non-hostile source (81.225.47.190), access granted [Protocol: UDP - src: 6878 / dst: 6881]
    2005/11/07 15:35:24 [->] non-hostile source (81.86.135.197), access granted [Protocol: UDP - src: 6881 / dst: 6881]
    2005/11/07 15:35:48 [->] non-hostile source (24.83.230.216), access granted [Protocol: UDP - src: 6881 / dst: 6881]
    2005/11/07 15:35:49 [->] non-hostile source (80.25.46.217), access granted [Protocol: UDP - src: 6881 / dst: 6881]
    2005/11/07 15:36:02 [->] non-hostile source (66.1.194.15), access granted [Protocol: UDP - src: 1204 / dst: 6881]
    2005/11/07 15:36:13 [->] non-hostile source (84.48.123.110), access granted [Protocol: UDP - src: 6881 / dst: 6881]
    2005/11/07 15:36:42 [->] non-hostile source (209.210.177.79), access granted [Protocol: UDP - src: 20252 / dst: 6881]
    2005/11/07 15:36:50 [->] non-hostile source (69.207.77.166), access granted [Protocol: UDP - src: 6881 / dst: 6881]
    2005/11/07 15:36:50 [->] non-hostile source (67.68.55.251), access granted [Protocol: UDP - src: 6881 / dst: 6881]
    2005/11/07 15:37:11 [->] non-hostile source (217.186.165.189), access granted [Protocol: UDP - src: 6881 / dst: 6881]
    2005/11/07 15:37:11 [->] non-hostile source (193.137.126.243), access granted [Protocol: UDP - src: 32383 / dst: 6881]
    2005/11/07 15:37:13 [->] non-hostile source (200.122.14.177), access granted [Protocol: UDP - src: 56969 / dst: 6881]
    2005/11/07 15:37:17 [->] non-hostile source (193.90.53.158), access granted [Protocol: UDP - src: 6881 / dst: 6881]
    2005/11/07 15:37:22 [->] non-hostile source (71.141.240.227), access granted [Protocol: UDP - src: 6882 / dst: 6881]
    2005/11/07 15:37:24 [->] non-hostile source (70.49.221.75), access granted [Protocol: UDP - src: 6881 / dst: 6881]
    2005/11/07 15:37:54 [->] non-hostile source (137.186.222.29), access granted [Protocol: UDP - src: 6881 / dst: 6881]
    2005/11/07 15:38:08 [->] non-hostile source (68.13.134.116), access granted [Protocol: UDP - src: 6881 / dst: 6881]
    2005/11/07 15:38:09 [->] non-hostile source (86.133.165.201), access granted [Protocol: UDP - src: 6881 / dst: 6881]
    2005/11/07 15:38:10 [->] non-hostile source (218.111.223.172), access granted [Protocol: UDP - src: 6881 / dst: 6881]
    2005/11/07 15:38:15 [->] non-hostile source (71.132.6.191), access granted [Protocol: UDP - src: 41536 / dst: 6881]
    2005/11/07 15:38:20 [->] REJECTED - Source is IANA - Private Use [RFC1918], A.D.Vision.Iana (10.210.184.1) [Protocol: UDP - src: 67 / dst: 68]
    2005/11/07 15:38:20 [->] REJECTED - Source is IANA - Private Use [RFC1918], A.D.Vision.Iana (10.210.184.1) [Protocol: UDP - src: 67 / dst: 68]
    2005/11/07 15:38:27 [->] non-hostile source (82.149.183.64), access granted [Protocol: UDP - src: 6881 / dst: 6881]
    2005/11/07 15:38:37 [->] non-hostile source (84.63.16.250), access granted [Protocol: UDP - src: 49162 / dst: 6881]
    2005/11/07 15:38:47 [->] non-hostile source (24.109.231.152), access granted [Protocol: UDP - src: 63502 / dst: 6881]
    2005/11/07 15:38:55 [->] non-hostile source (82.224.182.34), access granted [Protocol: UDP - src: 6881 / dst: 6881]
    2005/11/07 15:38:57 [->] non-hostile source (24.232.11.59), access granted [Protocol: UDP - src: 49160 / dst: 6881]
    2005/11/07 15:39:07 [->] non-hostile source (200.25.150.6), access granted [Protocol: UDP - src: 6881 / dst: 6881]
    2005/11/07 15:39:07 [->] non-hostile source (82.39.105.212), access granted [Protocol: UDP - src: 6881 / dst: 6881]
    2005/11/07 15:39:17 [->] REJECTED - Source is IANA - Private Use [RFC1918], A.D.Vision.Iana (10.210.184.1) [Protocol: UDP - src: 67 / dst: 68]
    2005/11/07 15:39:17 [->] non-hostile source (65.167.92.73), access granted [Protocol: UDP - src: 52915 / dst: 6881]
    2005/11/07 15:39:19 [->] REJECTED - Source is IANA - Private Use [RFC1918], A.D.Vision.Iana (10.210.184.1) [Protocol: UDP - src: 67 / dst: 68]
    2005/11/07 15:39:31 [->] non-hostile source (68.70.168.125), access granted [Protocol: UDP - src: 55930 / dst: 6881]
    2005/11/07 15:39:40 [->] non-hostile source (69.12.134.170), access granted [Protocol: UDP - src: 6881 / dst: 6881]
    2005/11/07 15:39:49 [->] non-hostile source (80.39.119.83), access granted [Protocol: UDP - src: 6881 / dst: 6881]
    2005/11/07 15:39:59 [->] non-hostile source (24.22.34.22), access granted [Protocol: UDP - src: 6881 / dst: 6881]
    2005/11/07 15:40:00 [->] non-hostile source (70.29.85.232), access granted [Protocol: UDP - src: 6881 / dst: 6881]
    2005/11/07 15:40:01 [->] non-hostile source (68.124.190.73), access granted [Protocol: UDP - src: 18432 / dst: 6881]
    2005/11/07 15:40:12 [->] non-hostile source (201.133.171.200), access granted [Protocol: UDP - src: 33250 / dst: 6881]
    2005/11/07 15:40:31 [->] non-hostile source (84.156.26.70), access granted [Protocol: UDP - src: 6881 / dst: 6881]
    2005/11/07 15:40:35 [->] non-hostile source (80.202.136.8), access granted [Protocol: UDP - src: 6881 / dst: 6881]
    2005/11/07 15:40:36 [->] non-hostile source (216.254.120.73), access granted [Protocol: UDP - src: 6881 / dst: 6881]
    2005/11/07 15:40:39 [->] REJECTED - Source is IANA - Private Use [RFC1918], A.D.Vision.Iana (10.210.184.1) [Protocol: UDP - src: 67 / dst: 68]
    2005/11/07 15:40:39 [->] REJECTED - Source is IANA - Private Use [RFC1918], A.D.Vision.Iana (10.210.184.1) [Protocol: UDP - src: 67 / dst: 68]
    2005/11/07 15:40:45 [->] non-hostile source (85.18.136.75), access granted [Protocol: UDP - src: 55238 / dst: 6881]
    2005/11/07 15:40:51 [->] non-hostile source (88.105.226.216), access granted [Protocol: UDP - src: 16881 / dst: 6881]
    2005/11/07 15:40:59 [->] non-hostile source (84.48.86.84), access granted [Protocol: UDP - src: 6881 / dst: 6881]
    2005/11/07 15:41:01 [->] non-hostile source (212.254.141.184), access granted [Protocol: UDP - src: 6881 / dst: 6881]
     
  3. notbeef

    notbeef Guest

    Could be related to some kind of pseudo-stateful packet inspection for UDP?
     
  4. 23rwesf

    23rwesf Guest

    I use all the features included with Outpost. My computer is quite capable of handling it without noticing so-called "bloat".
     
  5. Jason_R0

    Jason_R0 Developer

    Hi TrueAudio,

    you seem to know a lot about firewalls. :)

    One thing you might not understand is how "firewalls" on the same machine interact. In essence, Protowall is also a firewall, and on Windows if multiple firewalls are installed, it is like a chain of events. Protowall might be the first one to see the packet and "allow" it, later on GhostWall then blocks the same packet.

    The same might happen in reverse, GhostWall "allows" something, then something else blocks it. If you are worried about GhostWall protecting your system, you can do some tests like running particular servers on various ports, then remotely trying to connect to them. If the applications actually work as a client and server then you would know that GhostWall has failed. Showing logs from another firewall installed on the same machine unfortunately isn't conclusive that GhostWall is ineffective or needs fixing in this regard.

    Hope that helps. :)
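
Added example, not part of the original thread and not GhostWall or Protowall code: one way to run the test described in the post above, where a listener on the filtered machine reports only traffic that actually reached the application and a probe is sent from a second machine. The function names and the `listen`/`probe` command-line modes are hypothetical; on a port the filter is meant to block, a reported peer means the packet got past every filter in the chain.

```python
import socket
import sys

def _kind(proto):
    return socket.SOCK_STREAM if proto == "tcp" else socket.SOCK_DGRAM

def open_listener(proto, port, host="0.0.0.0"):
    """Bind a test service on the machine behind the filter (hypothetical helper)."""
    srv = socket.socket(socket.AF_INET, _kind(proto))
    srv.bind((host, port))
    if proto == "tcp":
        srv.listen(1)
    return srv

def wait_for_traffic(srv, proto, timeout):
    """Return the peer (ip, port) if anything reached the application, else None."""
    srv.settimeout(timeout)
    try:
        if proto == "tcp":
            conn, peer = srv.accept()
            conn.close()
        else:
            _, peer = srv.recvfrom(2048)
        return peer
    except socket.timeout:
        return None

def send_probe(proto, host, port, timeout=3.0):
    """Run from the remote machine. For UDP, True only means the datagram was
    sent; whether it arrived is decided by what the listener reports."""
    with socket.socket(socket.AF_INET, _kind(proto)) as c:
        c.settimeout(timeout)
        try:
            if proto == "tcp":
                c.connect((host, port))
            else:
                c.sendto(b"filter-test", (host, port))
            return True
        except OSError:
            return False

def loopback_selfcheck(proto):
    """Confirm the harness itself works, on 127.0.0.1 with an OS-chosen port."""
    srv = open_listener(proto, 0, "127.0.0.1")
    try:
        port = srv.getsockname()[1]
        return send_probe(proto, "127.0.0.1", port) and \
            wait_for_traffic(srv, proto, 2.0) is not None
    finally:
        srv.close()

if __name__ == "__main__":
    # listen <tcp|udp> <port>          on the machine behind the filter
    # probe  <tcp|udp> <host> <port>   on a remote machine
    mode, proto = sys.argv[1], sys.argv[2]
    if mode == "listen":
        with open_listener(proto, int(sys.argv[3])) as srv:
            peer = wait_for_traffic(srv, proto, 60.0)
        print("REACHED application from %s:%d" % peer if peer else "nothing arrived in 60 s")
    else:
        print("sent" if send_probe(proto, sys.argv[3], int(sys.argv[4])) else "connect failed")
```

Loopback traffic does not cross the network adapter, so `loopback_selfcheck` only validates the harness; the filter itself has to be tested with the probe sent from another host.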
     