Simplewall-Firewall

Discussion in 'other firewalls' started by co22, Oct 25, 2016.

  1. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    299
    Location:
    Europe

    Tell me about it, man... Today I changed ISPs (that's why I was using 3g) and the new "device" that they gave me has sooooo many options and stuff, 95% of which I don't understand. It's not a "router" for sure. I think it's an EPON ONU https://www.fiberoptictel.com/what-is-epon-olt-and-epon-onu-2/ , I got to that page by googling the weird device model and one of the first few links was for EPON ONU. I've made an album with some of the pages - https://imgur.com/a/yIz9FaF (start from the bottom). Each of the main tabs above has its own mini tabs below it, each of them has their own mini-tabs on the left side. And yesterday with the 3g I didn't have those connection attempts in the album, they came with the new device. I also got connections to 192.168.1.4 through port 5353 (forgot source), and to 127.0.0.1 through port 5901, but unsure if the latter was for chrome or system. I haven't had problems with reappearing connections if they have been allowed as a rule, unless they have also been blocked as a rule (either only blocked, or both allowed and blocked as a rule). So no, the port 5353 connection does not appear again if I allow it as a rule for chrome. Some of the connections in the album are inbound, not outbound, my first inbound connections ever. Aside from all those connections, I also get a connection to the Riot Games server when I run LoL (Riot Games is the company making LoL), which is the top-most connection in the album, the address ranges from .72.x to .79.x, but blocking it does not seem to do anything, as is for all the connections. Also I'm not quite sure what the " :8 " means after 192.168.1.4 in that connection.
     
  2. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,927
    Location:
    Serbia
    The notifications you see (all except the first one) are IGMP. This is the group messaging protocol, and is most likely used by your ISP to check availability of nodes in a LAN. But I have no experience with IGMP and do not know how it is exactly used.
    The first notification you show is ICMPv4 protocol. The address is that of your PC, and the number 8 signifies the Type 8 ICMP packet (echo), popular 'ping'.
    These are not unsolicited packets. The inbound you see was requested by the outbound (if you look carefully you will see that an outbound IGMP packet precedes each inbound). Since the IGMP protocol is by design stateless, a firewall can't know what has been requested and needs an inbound rule to pass the packets. Different remote IPs are the way in which multicast messaging (IGMP) works.
    I hope this was (kinda) clear.
    Both of those are for System. As I said 192.168.1.4 is your IP and the direction is outbound for both of them. 127.0.0.1 is a loopback address that your PC uses to communicate with itself, this is how certain services work.
    [EDIT] This is not true, 5353 certainly is from either svchost or chrome, but here I'm guessing svchost.
    This is strange as it does here. What happens when you block 5353? Does simplewall ask again?
     
    Last edited: Dec 10, 2018
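
The point made in Seer's reply above, as an added example that is not part of the thread and is not simplewall code: a toy state tracker showing why the answer to a unicast request can be paired with the outbound packet while IGMP and other multicast traffic cannot, and why the number after the address is an ICMP type for ICMP entries and a port for TCP/UDP. The packets, the router address 192.168.1.1 and the LAN host 192.168.1.7 are constructed, and the matching logic is a simplification, not the Windows Filtering Platform's.

```python
import ipaddress

# In an ICMP entry the number after the address is the ICMP type, not a port.
ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0

def expected_reply(pkt):
    """Key of the inbound packet that would answer this outbound one, or None."""
    proto, remote, num = pkt["proto"], pkt["remote"], pkt["num"]
    if ipaddress.ip_address(remote).is_multicast:
        return None  # answers to a group address arrive from other hosts' own IPs
    if proto in ("tcp", "udp"):
        return (proto, remote, num)              # num is the remote port
    if proto == "icmp" and num == ICMP_ECHO_REQUEST:
        return (proto, remote, ICMP_ECHO_REPLY)  # num is the ICMP type
    return None  # IGMP and other ICMP types: nothing to pair

def classify(packets):
    """Return one verdict per packet: 'out', 'in: state match' or 'in: needs rule'."""
    state, verdicts = set(), []
    for pkt in packets:
        if pkt["dir"] == "out":
            key = expected_reply(pkt)
            if key:
                state.add(key)
            verdicts.append("out")
        else:
            key = (pkt["proto"], pkt["remote"], pkt["num"])
            verdicts.append("in: state match" if key in state else "in: needs rule")
    return verdicts

# Constructed sample traffic; 192.168.1.1 (router) and 192.168.1.7 (LAN host) are assumed.
SAMPLE = [
    {"dir": "out", "proto": "icmp", "remote": "192.168.1.1", "num": 8},
    {"dir": "in",  "proto": "icmp", "remote": "192.168.1.1", "num": 0},
    {"dir": "out", "proto": "igmp", "remote": "224.0.0.22",  "num": None},
    {"dir": "in",  "proto": "igmp", "remote": "192.168.1.1", "num": None},
    {"dir": "out", "proto": "udp",  "remote": "224.0.0.251", "num": 5353},
    {"dir": "in",  "proto": "udp",  "remote": "192.168.1.7", "num": 5353},
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, classify(SAMPLE)):
        print(pkt["dir"], pkt["proto"], pkt["remote"], pkt["num"], "->", verdict)
```
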
  3. __Nikopol

    __Nikopol Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    588
    Location:
    Germany
    This is very misleading. There is no indication that this checkbox would do that. Well, now I know, but others might make the same mistake.
     
  4. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,927
    Location:
    Serbia
    I agree. We are wrestling with this multicast on Chrome and needed rules.
    A user's manual is needed, I am suspecting that many will just tick the box (as Floyd and you did), as at first glance that makes sense.

    [EDIT]... and basically allow everything for an app.
     
  5. __Nikopol

    __Nikopol Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    588
    Location:
    Germany
    I finally did that and I do have internet when the VPN is disconnected and I block System.
    I don't know what the real issue is here. The VPN goes through IPSEC/IKEv2 which should be a service and indeed the VPN-traffic comes from svchost.exe. (Over port 4500 and 500) :confused:

    I also found that svchost.exe is sending DHCP requests over 255.255.255.255:67 and 68. This is a broadcast address, like 127.0.0.1. I do not use DHCP myself and it's not used inside the VPN.
    I found that the DHCP service was on, as well as Network List Service and Network Location Awareness. Something must have activated them again. You just don't have any control over your device... grrr
     
    Last edited: Dec 10, 2018
  6. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    299
    Location:
    Europe
    Yes, this is for ALL rules. If I block them, even as a rule, next time simplewall will ask again, even when the user rules are excluded from the dropped packets notifications. Also, the port 5353 connection seems to be both inbound and outbound https://i.imgur.com/gZtnvtx.png https://i.imgur.com/RpGGmhp.png. However, it seems like chrome only asks for these connections once at start-up, haven't tested it.
    Try setting the permissions for those services so that it won't randomly get changed again - https://michlstechblog.info/blog/windows-set-permissions-on-a-service/ though if it did, likely something needed it, and next time something that needs those services will fail, though maybe that's what you want
     
    Last edited: Dec 11, 2018
  7. __Nikopol

    __Nikopol Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    588
    Location:
    Germany
    Regarding this:
    I made a GitHub issue. https://github.com/henrypp/simplewall/issues/274 He won't change anything.
    Seems like he doesn't like people who ask for improvement. Was I rude?

    Edit:
    Thank you ;)
     
  8. anonskii

    anonskii Registered Member

    Joined:
    Dec 16, 2016
    Posts:
    15
    Location:
    UK
    I really do love this program, have it installed on all my PCs. Excellent job Henry.
     
  9. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,927
    Location:
    Serbia
    You weren't, this may be just a simple language barrier. henry is not very expressive in English.
    This may be misleading to many (not-so-advanced users, to put it like that), but there is just a need to understand how this 'logic' works. I was able to immediately tell that you should not tick the box next to the app (as was the other poster in the other thread). So this is not really a big concern.
    ...
    What puzzles me here are these multicast comms on Chrome. There are no problems allowing (or blocking) these comms when svchost is concerned (Windows services make the same comms on default install). But when it comes to Chrome, the rules simply do not work. This may be something specific to Chrome which we do not understand.
     
  10. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    9,512
    simplewall v2.3.11 (14 December 2018)
    https://www.henrypp.org/product/simplewall
    Download
    Changelog
    sha256 checksum
    v2.3.11 (14 December 2018)
    • added "/install" argument for install filtering
    • added cache auto clean up (to prevent overflow)
    • changed minimum size of main window (issue #269)
    • changed installation message
    • increased rule parsing speed (issue #276)
    • memory optimization
    • fixed notification window appears on taskbar (regression)
    • fixed exclude user rules option was not working
    • cosmetic fixes
    • fixed bugs
     
  11. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    299
    Location:
    Europe
    Let's see how many of the bugs are fixed, I'm excited!
     
  12. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    9,512
  13. henrypp

    henrypp Registered Member

    Joined:
    Jul 27, 2017
    Posts:
    40
    Location:
    Nowhere
    v2.3.13 (3 January 2019)
    - added dns resolver caching
    - added dns resolver winsock fallback (issue #290)
    - avoid window flickering on window sizing
    - revert refresh filters on device arrival
    - fixed access rights for wfp provider and sublayer
    - fixed allocated strings dereferencing (issue #285)
    - fixed parsing hostnames with dashes (issue #271)
    - fixed localization (issue #288)
    - fixed bugs

    simplewall-2.3.13-bin.zip
    simplewall-2.3.13-setup.exe
    simplewall-2.3.13-setup.sig
    simplewall-2.3.13.sha256
     
  14. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    3,442
    Location:
    Mexico
    @henrypp

    This new version 2.3.13 seems to run a new netsh.exe command line as per my anti-exe detects when launching simplewall:
    Code:
    netsh advfirewall set allprofiles state off
    Is that correct and new?
     
  15. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    354
    Location:
    router
  16. henrypp

    henrypp Registered Member

    Joined:
    Jul 27, 2017
    Posts:
    40
    Location:
    Nowhere
    It's old, but now it is executed on every start.
     
  17. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    3,442
    Location:
    Mexico
    Got it, thanks. Now whitelisted.
     
  18. lunarlander

    lunarlander Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    181
    Hi,
    If I select WhiteList mode, then all that's needed is Allowed Programs? Meaning all other programs will be blocked outbound and will not be allowed to receive traffic inbound?

    The bad thing I found with ZoneAlarm Free is that at first run, it recognized 56 programs, and set them to Auto. Then at next program run, it recognized 80 programs. I just wonder if this list will keep on growing. And what is going to happen when a program it does not recognize when incoming or outgoing traffic arrives. I am hoping that SimpleWall whitelist will stop everything outgoing or incoming if I don't have an allow rule.
     
    Last edited: Jan 8, 2019