Discussion in 'other firewalls' started by co22, Oct 25, 2016.
v3.2.2 (29 July 2020)
• user rules broken with 3.2.1 (issue #729)
Thanks Mood. The developer is VERY much on top of the task of keeping SW updated and progressing. He is very actively responding to questions & issues at GitHub. By the way, if someone joins GitHub & posts in the "issues" venue, GitHub sends email notices whenever there is activity concerning SW.
I installed 3.2.2 on-top of prior version. Smooth as silk!
I'm delighted with this firewall. It's user-friendly and extremely light on CPU and RAM.
I just had a crash with this version. I was running a HitmanPro-x64 scan, left it unattended for some minutes, and a message on the screen was telling me that simplewall crashed.
The only new thing was a custom BLOCK All rule created for what is named "System".
Another thing to report, seen in the beta as well: the "resolve network addresses" option doesn't seem to be working. It was working with the old log type, but in the new log it doesn't, nor in the notifications. IPs are not resolved. simplewall.exe is blocked though, via a custom rule, as it was with 3.2.1.
The UAC bug is no more though.
@Sm3K3R -- 1- Have you posted these issues at GitHub?
2- I never block System. Why would you do so?
1. I have the impression that the developer reads here as well; I may do that.
2. Why wouldn't I, if I can?
I hope that you do post your issues at SW's "issues" site at GitHub.
By the way, I re-read this entire Wilders forum thread and could find no indication that SW's developer has ever participated in it. I doubt that he even knows this thread exists. Like many open-source developers, his "home-base" for seeking comments to improve & debug SW seems to be exclusively at GitHub. Bear in mind, Microsoft Corporation now "owns" GitHub, and does give some monetary support to those developers at GitHub who develop a strong base of Sponsors. That fact alone is a strong motivator for developers to home-base at GitHub.
I asked you an honest question. It was not intended as some sort of a challenge or attempt to start another off-topic debate. I don't do that sort of thing.
I asked that question with the hope of learning exactly which System file you were blocking, and why. I also hoped that you would share something more about that System file relative to the essentiality, or non-essentiality, of its being connected to the internet.
...look again: @henrypp
@mood -- Ach, you are sooo right! I didn't make the henrypp connection with SimpleWall.
His last post was March 2020, right? In recent weeks, it's a shame that one poster felt the need to bash SW's developer. I wonder if that's the reason why henrypp hasn't posted here in a while.
I still think it's a good practice to post bugs & other significant issues on SW's board at GitHub. I have seen that SW's developer is visiting & posting there rather frequently.
I gave you an honest answer as well.
I post in good faith.
I like to play with such software.
The "System" I am referring to is the one you can find under the Apps tab in the Simplewall FIrewall interface.
The " System" has a nice custom block all rule add-ed to it in my installation.
Furthermore, as with the beta, what is in the "apps with no internet access" or exes of the system that do not trigger a pop-up seem to be blocked to connect TCP, but the DNS calls seem to be made though.
As such I would recommend users that want to block as much as possible to add a custom block rule for any apps that go into the "app-s with no internet access" section.
Repeated the steps that were made when the crash occurred, but it seems I couldn t trigger it again.Maybe it was a glitch of some sort.
I think that the developer should implement the "apps with no internet access" properly and any app that falls into that section to be really internet blocked, with NO ability to do DNS (UDP) calls as well.
Ah so. The "System" file listed under SW's Apps tab is ntoskrnl.exe. Its role is explained HERE. Several years ago it was discussed at Wilders, in conjunction with the dearly departed Sygate FW, HERE.
I'm on Win7. I assume you are on Win10. May I ask why you blocked System with a custom rule instead of just clicking "block" when SW popped an alert?
I block System always - no exceptions.
Two honest questions:
2- When you say "System," you are talking about ntoskrnl.exe (NT Operating System Kernel), right? If not, what file(s) do you mean by "System".
I saw somewhere (can't remember where) that corruption or disruption of ntoskrnl.exe will almost certainly yield a screwed-up OS &/or BSOD. Ergo, I have just now structured EXE Radar Pro to put BOTH of the ntoskrnl.exe files (one in System32 & the other in SysWOW64) under "Vulnerable Processes." This is a "watch - report - don't interfere" setting.
I do hope that @wat0114 or @Sm3K3R (or whoever) will further explain why connections by this key Windows file should be blocked. From what I have read, ntoskrnl.exe is a gut file of the Windows OS. Thus, I am overly cautious about messing with its functioning. ~Comment removed~.
So you are using the latest Simplewall version on a Windows 7 install?
Yes. I am running SW 3.2.2 & sticking with Win7, awaiting the arrival of Win11 or Win12.
Because it doesn't need to connect, at least in my case and for the majority of Windows users. See where it's trying:
System Blocked In UDP 192.168.1.254 48723 192.168.1.70 137
Port 137 is NetBIOS. I don't file or print share so not required to allow. 192.168.1.254 is my router LAN-side interface, 192.168.1.70 is my device's network interface.
The actual System process you will see when you launch Task Manager.
System Blocked In UDP 192.168.1.254 48723 192.168.1.70 137
Thanks for the info, @wat0114 -- Reference HERE et alia:
***By "System" I assume @wat0114 is referring to PID 4, correct? Process Explorer will list PID 4 whereas Windows Task Manager on Win7 will not -- maybe different on Task Manager for Win10?
PID 4 System is responsible for the system memory and compressed memory in the NT kernel. This system is a single thread running on each processor. It is the host of all kinds of drivers (network, disk, USB). The related file name is ntoskrnl.exe, as "System" is defined in SimpleWall.
@wat0114 -- Are you actually using Simplewall to block System or are you blocking by use of some other firewall? If you blocked System by Simplewall, please share the rule(s) you used.
I use a different firewall; all outgoing and incoming are blocked for System. If you are using a local network, then you need to create allow rules for ports 135, 137, 138, 139, 445.
Very clear & to the point -- thanks for the information.
I used to block "system" a year ago or so with this firewall and I didn't have any issues back then so it seems like a bug.
Yes, that's correct.
Yes, it's very important in order for Windows to run properly, just not important in most cases to allow it network connectivity.
I use a different firewall.
Some other Windows processes I block with the firewall:
C:\Windows\system32\svchost.exe - I block all in/out.
I use the DNS service, but I restrict svchost to specific DNS IP addresses and ports, and also to specific update-server IP ranges and port 443.
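The per-process rules wat0114 and aldist describe above (System limited to the LAN file-sharing ports, svchost limited to the resolver and update servers), written out as Windows Defender Firewall rules in PowerShell. This is an added example, not a ruleset posted in the thread or shipped with simplewall; it assumes a 192.168.1.0/24 LAN whose router at 192.168.1.254 is also the DNS resolver, and the update-server ranges are placeholders you must fill in.

```powershell
# Added example (not from the thread). Assumed values: LAN 192.168.1.0/24,
# resolver 192.168.1.254, update-server ranges left as placeholders.
$lan        = '192.168.1.0/24'
$dnsServer  = '192.168.1.254'
$updateNets = @('<UPDATE-SERVER-RANGE-1>', '<UPDATE-SERVER-RANGE-2>')  # placeholder
$svchost    = "$env:SystemRoot\System32\svchost.exe"

# 1. Default-deny in both directions on every profile. Block rules beat Allow
#    rules in Windows Firewall, so the profile default carries the deny and only
#    the wanted traffic gets explicit Allow rules below.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -DefaultInboundAction Block -DefaultOutboundAction Block

# 2. System (the kernel, PID 4): NetBIOS/SMB/RPC only to and from the local
#    subnet. Leave these four rules out entirely if you do not share files or printers.
New-NetFirewallRule -DisplayName 'System - NetBIOS in from LAN' `
    -Direction Inbound -Action Allow -Program 'System' -Profile Private `
    -Protocol UDP -LocalPort 137,138 -RemoteAddress $lan
New-NetFirewallRule -DisplayName 'System - SMB/RPC in from LAN' `
    -Direction Inbound -Action Allow -Program 'System' -Profile Private `
    -Protocol TCP -LocalPort 135,139,445 -RemoteAddress $lan
New-NetFirewallRule -DisplayName 'System - NetBIOS out to LAN' `
    -Direction Outbound -Action Allow -Program 'System' -Profile Private `
    -Protocol UDP -RemotePort 137,138 -RemoteAddress $lan
New-NetFirewallRule -DisplayName 'System - SMB/RPC out to LAN' `
    -Direction Outbound -Action Allow -Program 'System' -Profile Private `
    -Protocol TCP -RemotePort 135,139,445 -RemoteAddress $lan

# 3. svchost.exe: DNS (UDP and TCP 53) only to the configured resolver, HTTPS
#    only to the update-server ranges. Everything else from svchost hits the default Block.
New-NetFirewallRule -DisplayName 'svchost - DNS UDP to resolver' `
    -Direction Outbound -Action Allow -Program $svchost -Service Dnscache `
    -Protocol UDP -RemotePort 53 -RemoteAddress $dnsServer
New-NetFirewallRule -DisplayName 'svchost - DNS TCP to resolver' `
    -Direction Outbound -Action Allow -Program $svchost -Service Dnscache `
    -Protocol TCP -RemotePort 53 -RemoteAddress $dnsServer
New-NetFirewallRule -DisplayName 'svchost - HTTPS to update servers' `
    -Direction Outbound -Action Allow -Program $svchost `
    -Protocol TCP -RemotePort 443 -RemoteAddress $updateNets

# 4. Review the result; anything from System or svchost not listed here is now
#    dropped by the profile default and shows up in the firewall log once logging is on.
Get-NetFirewallRule -DisplayName 'System - *','svchost - *' |
    Format-Table DisplayName, Direction, Action, Enabled
```

Because Block rules override Allow rules, do not add a separate "block everything for System" rule alongside these; it would silently cancel the LAN allows. Run this on a test machine first, since a default-deny outbound profile also stops every other program until it gets its own Allow rule.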
@wat0114 & @aldist -- Great information for SimpleWall folks... & for neophyte FW users in general. Many thanks.
At Everybody -- I for one am hesitant to use a firewall to totally block svchost.exe. I would like to do so because, as I understand it, malware can piggy-back on svchost.exe to access internet. However, svchost.exe is a key aspect of the operation of Windows so care must be taken not to interfere with its many *essential* functions. So far I have found that, if svchost.exe is overloading bandwidth at times, it seems okay to reduce that possibility by disabling Background Intelligent Transfer Service (BITS) as discussed HERE.
I do hope that others will chime in with their thoughts & experiences concerning the use & rules for having SW block SYSTEM &/or svchost.exe.
If you keep your O/S, your Browsers and email secure, any other Internet-facing apps as well, then you should have no concerns about piggybacking malware. It is a nice additional layer of security, however, to restrict processes and programs in how they can connect to the Internet, but you need to invest a lot of time and effort, and have a reasonably decent understanding of networking basics in building a granular ruleset that works for the firewall you're using. I've been working on mine for over a week, off and on, to get it close to where I want it.
OTOH, you can keep things really simple and allow out to any port, any address, and any protocol for all your programs and processes, and simply block most if not all inbound attempts. In that case, you would only need the built-in firewall. But is there any satisfaction in that?
I forgot to mention, most if not all 3rd-party firewalls do offer a basic yet half decent ruleset for common programs, offering rudimentary security, at least better than allowing outbound unleashed on all levels.
What firewall are you using?