PC Tools Firewall v3.0.0.25 beta

Discussion in 'other firewalls' started by adam777, Aug 27, 2007.

Thread Status:
Not open for further replies.
  1. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hi Stem:

    Good work. With M$ updates one never really knows what they are downloading, bit of an act of faith.
    I'll keep PC Tools in the back of my mind, as you say it's a beta.

    Bit off topic, but I'm still on Kerio working/learning with rules.

    BTW, I do have backup software, happening to be Paragon for image backups.

    At some point, I will want to do a comparison of CFW V3 final release vs PC Tools vs Outpost against my criteria. But not today!

    See you,
     
  2. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi Escalader,
    I have noticed that you like to swap/change to check out various firewalls, of course nothing wrong with that. As long as you completely remove older versions (or other firewalls), or better, revert to image, then not a real problem.

    I actually think you would like the new version of PCTF, certainly on its "advanced mode", which will alert to every connection, giving the ability to block/allow these connections, and the rules are then automatically added to each application.

    Maybe I should make a post on the settings etc?

    Regards,
     
  3. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,887
    Location:
    Stockholm Sweden
    Please do Stem! I do follow and appreciate your posts, there is always something new to learn. I am keeping my eyes on PctoolsFw and the new version seems to be promising.
     
  4. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    It certainly looks promising. I did have some problems at first, but rechecking did show this as possible problems with OS update on my system. (I do recheck at many points)

    I would advise any users of this firewall to, at minimum, enable the "Stealth", as this blocks unsolicited inbound (and such as ports 135/445 are then filtered), certainly needed for users connected directly.

    sukarof, I will put together a post over the weekend to show my settings for this firewall,.. due to its ability to show and then create rules per app, I think this is a good addition to the "free firewalls". But of course, time will tell.
     
  5. Doc Serenity

    Doc Serenity Registered Member

    Joined:
    Apr 4, 2007
    Posts:
    105
    That would be most welcome.
    Thanks.
    Doc
     
  6. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hello,
    I will try to put a post together later today, but first I want to find time to check out the TCP SPI (I have already looked at the UDP_pseudo SPI (due to a post at PCtools) which works correctly). I also want to check how the firewall will perform with a torrent/P2P client.

    Regards,
     
  7. waters

    waters Registered Member

    Joined:
    Nov 8, 2004
    Posts:
    958
    Great Stem, that's what I am interested in
     
  8. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hello Stem and fellow FW posters:

    Well once you have made your tests for TCP SPI and p2p that post would be great.

    Yes Stem you are right I have switched FW's and each time for a reason or to better meet my goal to manage outbound packets stopping them shipping data from my PC without permission to the "home base". For the record here are the FW's I have tried and then cast aside;

    1) ZA Pro calls home and tries to cover that fact up
    2) CFW v2 jumbled up my rules and no rule backup built in
    3) Earlier version of PCTools as a stop gap FW after ZA dropped

    Currently, I'm using Kerio 2.4 but interested in CFW V3, Outpost and newest PCTF pending Stem's test and posted settings. BTW I did add PG 2 to block the IPs they list and my list from ZA days.
     
  9. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I have just been running a torrent client for 1.5 hrs with just under 500 connections. The firewall appeared to have no direct problem with this, cpu at zero memory for "firewallGUI"@ 6mb and "fwservice"@13mb, basically the same as before I started. I did note that my torrent client did start to max out my CPU(ath3200 on this box) which I have not seen before, so maybe a conflict there?

    I also had to disable "Stealth" to allow the advanced rules (allow inbound) to work correctly. I need to take another look at this.
     
  10. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hmmm... shows the value of real testing once again! :thumb:

    I don't personally use p2p, but do other main stream FW's force users to disable security features to work? Do they all go non stealth for torrent? If so why would that be the case? This is a learning question.

    ZA claimed it did OS component filtering does PC Tools do this?
     
  11. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    I don't think PCTools has anything like the ZAP OS firewall, if that's what you mean...
     
  12. halcyon

    halcyon Registered Member

    Joined:
    May 14, 2003
    Posts:
    373
    PC Tools FW used to be based on Look'n'Stop 2.0x codebase.

    I wonder what the v.3 series is now based on? It looks to be different from LnS?
     
  13. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    No, usually a firewall will continue to stealth all other ports. I did look at this the other day, and I was able to connect in (with a test program) even with stealth enabled. I am just going to take another look at this. (it may be those windows updates again lol)

    They have added some features, but I have not seen any component control.

    If you look at post#17 you will see some control (memory injection etc), but while playing I was given a popup for system hook (keyboard global hook), but I do not know where this rule is kept, as there are no options for this. (I was not given an alert for hook from a screen grabber program, I do not know if this is a bug, or the program is on a whitelist?)
     
  14. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    As far as I know, it was the network drivers based on L`n`S code.
     
  15. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    There is a difference between OS component control and memory injection. How significant is the OS component control to you Stem in selecting a FW?
    My wild guess is not very since most users don't know how to decide if an OS component should be allowed or not? Is this correct?

    It strikes me as good you got a pop up on the keyboard hook, although a good AV should get rid of it given it is a virus/trojan put there on purpose? But does your screen grabber program ask for internet access?

    White list? I thought you set that aside at set up?
     
  16. nhamilton

    nhamilton Registered Member

    Joined:
    Jul 31, 2007
    Posts:
    61
    PC Tools FW V3 has its roots in LnS .. but PC Tools have written and changed it. So it is not based on some other product.
     
  17. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Yes.
    We see some firewalls with this control, but I personally think that is more of a monitor than control, as if the user blocks a component for a browser (even an addon) then the browser gets blocked. Most users either disable this, or leave it on a "learning" mode.
    The screen grabber does not request direct internet connection, but internet access is possible indirectly via a "Hook"

    There is an option to "Automatically allow known applications" that uses a whitelist (that can be disabled). But the "Hook" warning gave me a bit of confusion, as there is no actual option to allow/block such an event (just the popup), that with the fact only one program has been flagged with this, while I know a number of programs do this on my setup, then my thoughts are either there is a bug, or some whitelist being used for this.
     
  18. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Due to lack of spare time I have only been able to make a quick test with the TCP SPI.

    The "New Feature" of
    would, to me, indicate a check of valid packet (valid flags/ sequence number), but I am certainly not seeing this. At this point in time I would say that there is just a TCP_pseudo implementation (check on IP/port), as invalid flagged/ out of sequence TCP packets will pass in through on an outbound connection. I did attack an application with a current outbound connection, the packets were allowed, and this gave the firewall some problems, as it then allowed inbound SYN packets (connections) to pass through. A re-boot was then needed.

    I will wait for an update/ next build to this firewall.

    Regards,
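
The distinction drawn in the post above, between a check on IP/port only and a check of flags and sequence numbers, as an added example that is not part of the original thread and is not PC Tools code. The `Conn` record, the fixed window size and the sample packets are constructed for illustration.

```python
from dataclasses import dataclass

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10
WINDOW = 65535  # assumed fixed receive window for this toy model

@dataclass
class Conn:
    local: tuple    # (ip, port) of the protected host
    remote: tuple   # (ip, port) of the peer it connected out to
    next_seq: int   # next sequence number expected from the peer

def pseudo_spi(conn, pkt):
    """Accept any packet whose addresses and ports match the tracked flow."""
    return (pkt["src"], pkt["dst"]) == (conn.remote, conn.local)

def stateful_spi(conn, pkt):
    """Additionally require plausible flags and an in-window sequence number."""
    if not pseudo_spi(conn, pkt):
        return False
    flags = pkt["flags"]
    if flags & SYN:                  # a new SYN has no place in an established flow
        return False
    if not flags & (ACK | RST):      # established segments carry ACK, or are a RST
        return False
    if flags & FIN and flags & RST:  # contradictory combination
        return False
    offset = (pkt["seq"] - conn.next_seq) % 2**32  # modulo handles wraparound
    return offset < WINDOW

# Constructed sample data (documentation address ranges).
CONN = Conn(("192.0.2.10", 50000), ("198.51.100.7", 443), next_seq=1000)

def make_pkt(flags, seq, sport=443):
    return {"src": ("198.51.100.7", sport), "dst": CONN.local,
            "flags": flags, "seq": seq}

SAMPLES = {
    "in-sequence ACK": make_pkt(ACK, 1000),
    "null flags": make_pkt(0, 1000),
    "SYN on established flow": make_pkt(SYN, 1000),
    "out-of-window ACK": make_pkt(ACK, 1000 + 10_000_000),
    "different source port": make_pkt(ACK, 1000, sport=80),
}

def evaluate():
    """Return {label: (pseudo verdict, stateful verdict)} for every sample."""
    return {k: (pseudo_spi(CONN, p), stateful_spi(CONN, p)) for k, p in SAMPLES.items()}

if __name__ == "__main__":
    for label, verdicts in evaluate().items():
        print(f"{label:26} pseudo={verdicts[0]!s:5} stateful={verdicts[1]}")
```

Only the last sample is rejected by the address/port check; the three malformed or out-of-window packets on the tracked flow are rejected only once flags and sequence numbers are inspected.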
     
  19. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hello nhamilton,
    I cannot understand the direction being taken with PCTF. To me it seems to be a case of addons being made rather than an integration.

    My confusion lies in the recent additions of "SPI" and also an option for "Stealth", we also see the addition of advanced rules per application, all of which actually appear to conflict with each other.

    Personally, for a firewall with "Complete stateful packet inspection (SPI) functionality" I would expect this to determine correct packet filter for any packet, be it from an open connection (SPI interception) or from rules base for unknown/unsolicited packets.
    What I am seeing is the ability to create rules per app, whose inbound "Allow" rules are blocked from the enabled "Stealth", surely this should be processed rather than this "blanket" approach to blocking inbound.

    Regards,
     
  20. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Stem:

    For me I will stay with Kerio til these betas PC Tools and CFW are NOT betas and the bugs are out of them!

    I'm impressed with your testing using one of your PC to mount an "attack" on a beta PC. :thumb:

    Seems to me you should be paid by PC Tools for helping them sort their product out! :D
     
  21. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Probably the best direction.

    Well as you should know, I do these tests for the benefit of the forum and members (for info), not for payment.
    I do report findings to vendors, but normally with no response. (I think I need to blog lol)
     
  22. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    This is what Kerio 4.x did with their logging, it was added in a haphazard fashion after the fact so to speak, which resulted in a mess that still does not log some rules properly, even when you tell it to. For best results, I believe that things should be properly laid out and integrated into the project from the beginning, otherwise you usually wind up with undesirable results...
     
  23. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hi Stem:

    Yes, I do know.

    I was making a "joke" ( a bad one?) in that you do all this work for the forum and even as you say "give" the vendors the results. It's quite revealing (to me anyway) that they rarely respond. Why not ask them next time in a different way. Say, I have findings for you Mr Vendor regarding xyz, if you want them please request them.

    Just an idea.
     