Oldies

Discussion in 'other firewalls' started by Diver, Jun 15, 2008.

Thread Status:
Not open for further replies.
  1. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    Over the weekend I tried a few oldies:

    CHX-I 3.0: Previously I had trouble using this one with WPA2. Adding a rule to force allow 888e gets wireless working, but it is very slow to connect when the computer wakes up. As notebooks go to sleep a lot, I had to move on.

    Jetico 1: I had high hopes for this one, but it is not compatible with SuRun which I use to temporarily elevate to administrative rights on my machine. Too bad, and time to move on.

    Kerio 2.15: Much to my surprise, this old bit of code worked flawlessly. I guess it's the same old XP and the same old TCP & UDP despite 6 years of "progress".

    Why bother? I was using Comodo 3 with D+ turned off. Each of the above produced a commit charge that was 30 to 40 MB less than Comodo. When running GMER, the reduction in how the system was invaded was dramatic. By the way, individual line items in task manager don't mean anything. You have to look at the whole thing (commit charge) on a with and without basis.

    There have been many comments in this forum about how Comodo 3 is totally dependent on D+. D+ is too noisy for many users. It might quiet down after a while, but it never shuts up completely. For example, Comodo 3 has no protection against substitution of an executable when D+ is off.

    I am really not into the whole leaky firewall thing, but the point is, Comodo 3 is a rather complex piece of code. With D+ off, it might not be worth messing with, YMMV.

    What's the downside of going with the old stuff? As I mentioned above, there can be severe compatibility problems. Either you get a pass or not. No one will fix it for you.

    In the defense of Comodo 3, I have tested a lot of firewalls, and it has very low CPU usage when D+ is off. Not just low CPU usage by the firewall components that show up in task manager, but the system task as well, where several firewalls offload their work at the driver level. However, Kerio 2.15 manages to do a bit better. I would not go so far as to say Comodo 3 is bad, but the performance of old Kerio 2.15 continues to amaze me.
     
  2. farmerlee

    farmerlee Registered Member

    Joined:
    Jul 1, 2006
    Posts:
    2,585
    I guess one of the main concerns could be vulnerabilities. Seeing as they're not being updated anymore, they will remain insecure in those areas.
     
  3. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Speaking of oldies. Do I miss Tiny firewall. Imo nothing now even comes close. :( Even ZA around the time of Tiny's days was a good one. Sad but not forgotten.
     
  4. noway

    noway Registered Member

    Joined:
    Apr 24, 2005
    Posts:
    351
    My favorite 3 firewalls compatible with XP are all oldies:

    Norton Personal Firewall 2004
    Kerio 2.1.5
    Zonealarm Plus 4.5.594
     
  5. dave88

    dave88 Registered Member

    Joined:
    Feb 2, 2007
    Posts:
    177
    Oldie but a goodie for sure. I use it on my laptop in combination with Processguard (another oldie?). Very lightweight and imo very secure setup.
     
  6. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    Do you know of a problem, or are you imagining one?
     
  7. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    I agree with your view, Diver. I think that nowadays there are so many security applications available that one can use any firewall and still be safe.

    Kerio 2 is still the no1 firewall in lightness and intelligent on-the-fly rule creation. If you want to run it, there is nothing wrong with it, you can add other security apps to "help" it.

    Oldie perhaps, but GOLDEN oldie...

    As soon as I get bored by Comodo's alerts, I will certainly go back to it. :D

    My main concern about Kerio 2 isn't vulnerabilities, but its habit of losing the rule set sometimes after a system crash. Sometimes you don't realise it happened.

    As for vulnerabilities (apart from the fragmented packets, never exploited), even if they do exist, you can add more layers (router, execution control, Returnil etc.) that can make the vulnerability vain.
     
  8. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    It is still not an issue, but global IPv6 utilization will be the ultimate death of the oldies you speak about.

    As for vulnerabilities, every code ever compiled has them. Even the latest build of your favorite.
     
  9. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    Managed to get CHX-I running right. The DHCP rule was borked, causing the delay. I can now stealth a bittorrent server port when it is not in use by using a conditional rule. The condition is outbound UDP on the server port.

    IPV6 will eventually kill off a lot of stuff. CHX-I does not support it, AFAIK. I don't know if there is a way to do it with "other", but I suspect not. So far it's not a problem. When it becomes a problem remind me, but for now I don't care.

    If you like worrying, the eventual obsolescence of XP will kill off a lot of things, and probably in the same time frame as IPV6. There are only 10 months of mainstream support left for the venerable XP. It takes another year or two of extended support before things get frustrating. After that, I just hope there is something better than Vista. Retail sales of XP end in only two weeks.
     
  10. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    Oh, I think XP will be around in large numbers until the next Windows comes out. My hardware is certified Vista Premium and I have tried both 32 and 64 bit versions (using 4GB RAM on it). I was back to XP after a day. Problems, stability issues and everything sluggish. It was only somewhat close to XP when I disabled Aero (I would guess that my NV6600 512MB RAM is too "slow" for Aero).

    There are many people that don't like seeing their PC's "response time" increasing just because "aero is cool". Because honestly, the only thing that I really liked in Vista was the thumbnail previews (for which I found a proggie for XP) and the outbound firewall. I was also impressed to see my dual core 3800 going up to 80% for just about anything! Even opening a window was skyrocketing the CPU!

    Vista? Well, unless I upgrade everything and 64bit becomes mainstream, I will stay with XP. Vista 32 with 2GB RAM is almost suffering. On the other hand x32 can't "see" 4GB RAM (in my case, it sees only 2,7GB because of the large VGA RAM amount), so it's wasted money to upgrade your hardware just to use Vista x32... Not to mention how many programs don't work in Vista, and many of them are security ones.
     
  11. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    OK, Vista is a weak OS, shall we say. Tell me something I don't already know.

    Back to oldies. There are various schools of thought. One assumes the machine is alone or on a trusted network behind a router. The main function of the software firewall in that case is outbound filtering. If outbound filtering is not important to you (and there are hundreds of posts discussing the value, or lack of value thereof) a software firewall is redundant. Those of us with notebook computers have to deal with public networks, so we go back to the original function of the software firewall, which is to prevent attacks over the network.

    Chances are, if I did not need file sharing on my home network, the built in XP firewall would do the job. However, I want to be able to limit file sharing to the machines on my network without having to remember to turn off file sharing whenever I leave the house with my notebook. For me, that is where the software firewall comes in.

    My network is set up on 192.168.xx.0/255.255.255.0 where xx is an unusual number. If the firewall does not allow MAC address filtering, I rely on the low probability of hitting the lucky number on the road. Kerio would be set up that way. CHX-I allows for MAC address filtering, so I use that. Some contemporary firewalls like Comodo V3 also allow for MAC address filtering, but the user has to be comfortable with going under the hood to change the default rules.

    Not every router will allow the user to change from the very common 192.168.1.0/255.255.255.0 to anything else. Replacement firmware like DD-WRT does allow it. If your router can run DD-WRT, I highly recommend it.

    Anyway, there are a lot of old favorites out there. Not only these three light ones, but the later versions of Tiny, and Sygate as well.
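    The scheme described in this post (file sharing exposed only to the home subnet, MAC filtering where the firewall supports it, everything else unsolicited dropped), as an added example; it is not code from the thread or from any firewall named here, and the subnet, MAC addresses and packets are constructed placeholders. It also covers the case the post relies on probability for: a foreign network that happens to use the same "unusual" subnet.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed placeholders: the post's "192.168.xx.0/255.255.255.0" with an
# unusual third octet, and the MACs of the machines on that home LAN.
HOME_SUBNET = ip_network("192.168.77.0/24")
HOME_MACS = {"00:11:22:33:44:55", "00:11:22:33:44:66"}
FILE_SHARING_PORTS = {137, 138, 139, 445}  # NetBIOS name/datagram/session + SMB


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_mac: str
    proto: str               # "tcp" or "udp"
    dst_port: int
    solicited: bool = False  # True when it answers a connection we opened


def inbound_decision(pkt: Packet, mac_filtering: bool) -> str:
    """Return 'allow' or 'drop' for an inbound packet on the notebook."""
    # Replies to our own outbound traffic pass; this is what lets a
    # "no exceptions" default-deny stance still browse normally.
    if pkt.solicited:
        return "allow"
    # File sharing is the only unsolicited inbound service exposed, and only
    # to the home subnet; MAC filtering tightens it further to known peers.
    if pkt.proto in ("tcp", "udp") and pkt.dst_port in FILE_SHARING_PORTS:
        if ip_address(pkt.src_ip) not in HOME_SUBNET:
            return "drop"
        if mac_filtering and pkt.src_mac not in HOME_MACS:
            return "drop"
        return "allow"
    # Everything else unsolicited is dropped, behind NAT or not.
    return "drop"


def scenario() -> dict:
    """Constructed packets: a home peer, a cafe LAN on 192.168.1.0/24, and a
    cafe LAN that happens to reuse the home subnet (IP-only filtering misses it)."""
    home_peer = Packet("192.168.77.10", "00:11:22:33:44:55", "tcp", 445)
    cafe_peer = Packet("192.168.1.23", "aa:bb:cc:dd:ee:ff", "tcp", 445)
    lucky_cafe = Packet("192.168.77.23", "aa:bb:cc:dd:ee:ff", "tcp", 445)
    web_reply = Packet("203.0.113.5", "aa:bb:cc:dd:ee:01", "tcp", 49152, True)
    probe = Packet("198.51.100.9", "aa:bb:cc:dd:ee:02", "tcp", 22)
    return {
        "home_ip_only": inbound_decision(home_peer, False),
        "cafe_ip_only": inbound_decision(cafe_peer, False),
        "lucky_cafe_ip_only": inbound_decision(lucky_cafe, False),
        "lucky_cafe_mac": inbound_decision(lucky_cafe, True),
        "web_reply": inbound_decision(web_reply, True),
        "probe": inbound_decision(probe, True),
    }
```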
     
  12. glentrino2duo

    glentrino2duo Registered Member

    Joined:
    May 8, 2006
    Posts:
    310
    Just browsing along and found this post and became interested as I am one of the few remaining CHX-I users. :) Can you please elaborate on this conditional rule for bittorrent ports? Thanks!
     
  13. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Are you referring to Tiny Personal Firewall 2.0.15? I have a copy if you're interested. Kerio is derived from that version of Tiny and will import its rulesets.
    Compatibility issues can arise with any security app, old or new. It's more likely that they'll be found with the newer security suites when they're used with another app that works at a kernel level.

    Other than the fragmented packet issue, Kerio 2.1.5 doesn't have any real vulnerabilities as it relates to its function. It does have a few bugs, but if the user is aware of them, they're not a problem. I've installed it on many PCs from 98 thru XP and it hasn't failed any of them.
    I haven't seen Kerio actually lose its ruleset, but I have seen the driver not load properly and Kerio not be able to utilize the existing ruleset. I'm at a loss as to how the user would be unaware of it though. With no rules, Kerio would start prompting for everything, which would be a good indicator of a problem. Since Kerio can export rulesets, this would be easy to fix if the user saved a backup copy of the rules.

    What impresses me most about Kerio is how well it handles loopback connections and the control it gives users over them. Kerio 2.1.5 will remain viable for pre-Vista systems as long as IPv4 is in use.
     
  14. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    This thread makes me smile. I am not alone in the thoughts that a firewall can be a very small and efficient application, without the need for the 'suite' of tools.

    It is my belief that you can live without a software firewall. But it gives a layer of protection that is only about 'knowing' what is happening for me. I still like that though, as well as the log files.

    IMO the only thing that separates why you like firewall A and I like firewall B is its INTERFACE EXPERIENCE. I don't think NoClueSec's (lol I just thought of that for Matousec) supposed tests mean diddly when it comes right down to it.

    How chatty is it? How many tabs do I have to open? How many buttons to press before I get to making my rules? How easy are the rules to make? How are they displayed? How can I manage them?

    These are the things that make each person like/dislike any product. Many of us are so anal that we prefer very small footprints when we have mammoth computers with no fear of overpowering them. Just preference.

    I personally cannot pry myself away from Outpost v2. I would still use v1 Pro if it worked on my C2Duo. And the reason? It is after all only a firewall. It may not pass bogus leak tests, but it does what I need it to. And most importantly it fits my need for getting to the meat of the problem quickly when it comes to the rules etc.

    But then, your Tiny may be your 'holy grail', so which firewall is best? New, old, bloated, lean? So long as it keeps you safe from your weaknesses, get what you feel the best about using I say.

    Out.

    Sul.
     
  15. vijayind

    vijayind Registered Member

    Joined:
    Aug 9, 2008
    Posts:
    1,413
  16. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    It does happen. There are some worms/trojans/viruses out there..which are coded to knock out/disable some of the more popular security software packages out there (both antivirus, and software firewall protection). They have been out there for many years already. I have, in my IT career, run across computers that have had this happen to them.

    Thus forming my rule...hardware firewall is a must (because I have never seen one disabled in my career), and a lack of trust of software firewalls.
     
  17. Einsturzende

    Einsturzende Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    390
    Location:
    neubauten
    Hardware firewall cannot filter on application level, so there is no use of it: when the software FW is disabled, your personal data will flow anyway, whether the hardware FW is active or not...
     
  18. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    Only outbound on "some" (most) hardware firewalls is allowed out; it's the unknown inbound traffic that's important to block. Hide computers behind NAT so OS exploits out there on the wild side can't touch them unless a user invites them in. 99% of the problems stem from computers sitting on a public IP address without being behind NAT.

    If your personal data is flowing...surprise..you already have a problem on your PC, fix it first.

    Stick a computer without using it on a public IP address for 5 minutes..with no firewall at all. Now go ahead and use it as your personal computer...I wouldn't, I'd format that surely infested rig before I wanted to use it.

    Now take a computer and stick it behind a NAT router for 5 minutes..don't use it, just let it sit there. Now use it with some basic common sense. Hey..wow..it's nice 'n safe, no desperate need to format it.

    And there are some hardware/UTM firewalls that do only allow certain allowed traffic on layer 7.
     
  19. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Well, "hardware" firewalls can filter perfectly fine on application level, just not the $$ DSL routers but rather $$$$ rack-sized iron. :p

    (And, "hardware" firewall is a complete misnomer, dedicated perhaps or whatever.)
     
  20. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I don't quite understand that statement. You certainly do not need to be behind NAT to block all unsolicited inbound. Simply use the windows firewall with no exceptions. This also has the benefit if you travel with a laptop: easier to have the installed firewall than carrying a router.


    Why would anyone do that? I know I did play by disabling windows services and then connected directly, but I disabled windows services so there were no open ports, so how could I be infected?

    I cannot understand this "Instant Doom" if you are not behind a router. It makes me laugh more than "Stealth".

    - Stem
     
  21. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    +1; seriously, this is like claiming that every single Windows-based server is a malware-infested machine that floods the Internet w/ zillions of viruses etc. I for one run multiple public services on a W2003 R2 server with a public IP on DMZ (such as IIS, IMAPS/POP3S/SMTP/SMTPS mailserver) - and can assure everyone the box is clean and works just fine.

    You need some kind of exploit/vulnerability in order to get hacked/infected. FUD and extreme paranoia for sure. o_O :rolleyes:
     
  22. Einsturzende

    Einsturzende Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    390
    Location:
    neubauten
    Yeah, I believe that server is not for porn surfing, and crack finding and similar etc. :rolleyes:
     
  23. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I find a grain of salt goes a long way in these discussions.

    I agree whole-heartedly that sticking a machine on a live connection does not mean squat. I will not have to reformat or any other such nonsense.

    However, I bet if you stick 98% of the windows boxes in the world on a dmz, a very large share would become compromised given enough time.

    So I see it as a level of knowledge issue here, not so much as it will or won't happen. Given that I understand what a vulnerability would be, I can correct the issue and tout 'I go online without protection ... and love it'.

    If I were not to fully realize if I was vulnerable, then I have only to say 'I go online without protection ... does anyone know where a clinic is close by?'

    Sul.
     
  24. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Well, NAT won't help you at all in case you are surfing pr0n/warez sites, you'll be no more or no less secure with public, non-NATed IP - which was the original point here.
     
  25. Einsturzende

    Einsturzende Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    390
    Location:
    neubauten
    Of course it won't
     