No Firewall here. How bout this?

Discussion in 'other anti-malware software' started by Sully, May 26, 2008.

Thread Status:
Not open for further replies.
  1. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Greetings. I wish to get opinions on my current setup. First some history:

    I have tried probably every firewall that one can find, including using the likes of filehippo or wayback to get ones that are hard to find now. I have used many of the newer hips applications as well. I have tried all of the free AV apps for many years now, as well as many trial versions of some of the commercial ones. I have tried every browser (which if you don't include IE skins, is not many) I can find. I have tried many different packet sniffers and other network related tools.

    I run xp pro, slipstreamed RyanVM updates, Bashrats driverpacks and many custom tools and regtweaks to neuter xp into something benign. I live behind a router on a static ip dsl style. I have mulitple bootable drives and a network to store critical data on. I have used proxomitron for a very long time. I am not afraid to reformat, and in fact enjoy it quite a lot due to my unattended dvd. I refuse to use ghost images now. I consider my system to be complex to use for the average key pounder, yet for me it is sleek and streamlined. I have never had a virii, never had spyware/malware that I did not invite in my being stupid. I use sandboxie when needed, or if needed vmware.

    Outpost firewall v1.0 is my fw of choice. v1.0 Pro is better somewhat, but basically same beast. v1.0 is not compatible with my intel mobo/cpu combo, so I use v2.0 on that. Somewhat more bloat in there, but still managable.

    I use Opera or Kmeleon for browsers.

    I use AntiVir for AV.

    I am wishing to slim down even more. So, this is my current thought:

    Outpost v2 but not autostarting, only manual start when desired.
    AntiVir..
    Threatfire (played with since it was called Cyberhawk)
    Opera/Kmeleon/Proxomitron

    And that is it. No firewall at all really. In fact the only reason I even want one is for DNS logging. Many times I want to know what an app/game is doing or going to. The reason I love Outpost so much is that it has a really nice DNS cache thing with it. It is really nice to be able to set it to rules wizard, then start app in question, and easily see what it does. I have tried others that do name resolving, but they are either flaky (more so than OP) or just aren't up to snuff.

    As for AV, it is lean and does well on tests. And I don't have to see the ad anymore.

    Threatfire. I have a paid for ProcessGuard. I have tried others. I frankly don't care for all the work involved anymore. I would just a soon reformat. TF seems to catch all the nasties that I try to open. Oh yeah, when I fix peeps zombie computers I have a usb stick that I try to capture them onto. Tis great for testing out products.

    And browser, well, anything but IE works well enough. Opera has had me addicted since dialup @ 52,000. Then it was the 'Fastest Browser on Earth'.

    So, experienced users, what say you? For anything and everything utilizing the nic and going outside, what is your opinion? Bear in mind that any site that 'might' be nefarious will be used with sandboxie, I am not stupid, just tired of the complications that I don't feel are really needed for users who know what is going on.

    And now the real reason for this post. What I want, and cannot find, is a tool that monitors network traffic, perhaps in the same way that AppDefend does, and asks if it ok or not. Yeah, a firewall does that. But I just want to know about it. Or maybe just to have it logged.

    And, on top of that, I want to know where it was trying to go. I want the ip address and the resolved name if possible. Ports, protocols, directions etc would be ok to have in a log file, but really I just want to say 'yes or no', or just to be shown 'hey dude, some application went outside', with the associated data.

    Flushing dns cache or piping the cache to text files works ok. Host files work ok to stop a lot of stuff if you know about it.

    Anyone know of a tool for that? No bloatware. No 'suite'. I hate these new programs that do everything for you. I don't care if I do have 4gb of ram and multiple cores, I just don't want it. I want my process list to be lean and mean.

    Anyway, cheers to all. Hope someone as picky as myself can relate with some experienced information.

    Sul.
     
  2. hany3

    hany3 Registered Member

    Joined:
    Dec 2, 2007
    Posts:
    207
    when i 've red ur words , i really felt as if i am the man who wrote them
    u exactly think in same way as me and almost use my security setup
    i use the following
    #avira personal premuim
    #lavasoft firewall v 1.0 ( based on the light weighted outpost firewall v 3.5 instead of the bloated and buggy outpost v 4.0 and v 6.0 )
    shadow defender ( instead of sandboxie)
    opera

    most of the modern new firewall-hips
    they insure good outpound protection and leak proof "but on expence of some decrease in performance with memory usage plus the every day discovered bugs and the black period between the bug problem and its fix on next release )

    so if u are sure that ur pc is clean no trojans i think u only need inbound protection that can be easily established by a hardware firewall , router


    u can easily find a good leak proof firewall
    but the Q is " do u really need it ?"
    " can the firewall cause some problems to ur pc like many alarms , bugs , BSODs , considerable memory usage , slow pc with low performance "
    and ofcourse these problems will remain on ur pc all the time as long as this modern firewall is installed
    and the most important Q that u should ask
    "if some day u got hacked , would the hacker cause the same problems of the firewall ? and for how many minutes or even hours ?
    and how many times u can be got hacked a year ? or what is the possibility of being got hacked in one year 1% or less ?
    and how sensitive is the data u keep on ur pc ?
    do u have a code of an atomic bomb on it ?


    simply u can have the most powerfull firewall in the world
    then when a trojan is making a call to a hacker
    and ur kid is sitting in front of the pc just playing a game
    and then he now is facing a firewall alert
    an application is trying to connect to the internet
    or in a joke " a hacker is comming"
    allow or deny o_Oo_Oo_Oo_O
    then ur kid will innocently answers this difficult question from ur powerfull firewall by " allow him to come , welcome "
    congratulation
    now u have a hacker in ur pc
     
    Last edited: May 26, 2008
  3. Espresso

    Espresso Registered Member

    Joined:
    Aug 1, 2006
    Posts:
    975
    Try PC Tools firewall. You can turn off packet filtering and just use the application control if you like.
     
  4. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I have used PCTools firewall. I have it on a few rigs, including my wifes. I don't mind the interface too much, but it is more cumbersome, much like Comodo's. I have played with it, but it fails the only reason I really want a firewall anymore, simple dns/ip/port logging for what is trying to get out.

    I much prefer the simple layout used in Outpost. I still use v1.0 free on a lot of peeps computers who are a bit older. At 10mb average footprint, with properly setup rules, I can set it and forget it for most peeps. For an outbound application filter it works well.

    I am pleased to see that I am not alone in my being tired of having to use 5 different security applications. If I were just beginning all over again, I would say I would still need some beefy help to stay safe. But then again, proper protocols for what to do and what not do goes a long way to staying germ free. Not everyone wants to know what a packet is. Nor should they have to. For those of us who really enjoy getting to the root level of things, it only helps us to stay germ free.

    No, it would be better if there were some kind of course required before being online. Simple online do's and don'ts would have gone a long way to stop the flood of problems seen today.

    And I agree, if one is sure that a system is clean, and one knows what to do and what not to do, why should one have to use sooo many different applications to only 'keep safe' your system that should have been safe in the first place if you knew what to do.

    Now again, I will say that I am happy to reformat if a problem ever arose. Maybe not everyone wishes to go to that extreme. So there is a place for these applications. But really, a fresh install is so fast, I do it a half dozen times a year.

    Now if I could just find the time to learn some more C and write a packet filter myself. Or better yet, write an OP plugin. Eh, kids suck up the extra time though.

    Thanks for the responses.

    Sul.
     
  5. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Returnil or any other similar software will keep your system unchanged.

    Anti-Executable will protect your system against unauthorized executables, which means nobody in your family can download and install softwares anymore, not even screensavers and corrupt your system this way.
    As long you keep AE's password secret, nobody can turn it off, except you.
     
  6. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,700
    Hello,
    You say no firewall - but you use outpost ... decide?
    Mrk
     
  7. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Yes.. and no. I think by now that I trust the applications I am using. New apps get thrown in a sandbox or vmware, which does happen to have a fw installed. Test new app to see what it tries to do behind scenes.

    Now, I do have OP installed, but it does not run as normal service. Actually in OP gui I set it to 'disabled', then in services set to 'manual'. So it is there, but not running. As I stated in start of thread, I am looking to have more of a logging effect for snooping and digging on something more than actually blocking or allowing in normal use. So yes, I use it, but no, not all the time, only on specific needs.

    In a little more thought, and playing with both pctools and op v2, I am now leaning towards just a global rule that passes my specific dns addresses only, rejecting all others. Then leaving firewall to basically allow traffic for any program. Global rule controls dns fine then, no questions. I looked for a way to do this alternatively, but did not find it. I think this dns rule is still good to have in effect and it is pretty easy.

    I found a new app for looking at dns records, called dnseye. It basically parses out the dns cache. I thought maybe that could be used to do my snooping, but it gives no ip, just resolved names. I could monitor ip's with the netstat -n or -an params, but did not see it was real efficient.

    In playing with pctools, as suggested as application filter only, (yes or no to an .exe), I like the feature to log or not on that .exe. Saves some resources, as logging is generally part of what slows a fw down IMO. But, the creation of global DNS rule in pctool fw is not as straight forward as OP.

    So, still messing with how to achieve a moderate level of protection without continually opening that box of Pandora's.

    Sul.
     
  8. Huupi

    Huupi Registered Member

    Joined:
    Sep 2, 2006
    Posts:
    2,024
    Some people goes that far as to use Sandboxie as their sole protection !

    Talking about slimming down. ;)
     
  9. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,700
    Hello,
    If you want reasonable protection without fuss - Linux.
    And if you wanna play with logging and such, then try: snort, tcpdump, wireshark.
    Mrk
     
  10. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I have played with some linux distros, most recently ubuntu. They are neat for sure. However, as I don't do this for a living, and any cash I can make on the side always involves a ms box, I can't find the reason to dedicate much time to learning it. I wish it would take of mainstream so that it would be something that software and hardware vendors would take as seriously as ms.

    I have heard of wireshark but have not played with it. I tried snort years ago. Never heard of tcpdump. The packet sniffers I used are long since defunct with the current generation of hardware/software. I will check them out. Thanks for the tip.

    Sandboxie is good, but it does not do everything. I would think most software would work, but some sometimes there are conflicts, I assume at hooks are somewhere low level. It is a very nice way to segregate out though.

    Thanks for the replies.
    Sul.
     
Loading...
Thread Status:
Not open for further replies.