tiny 2005?? as complicated as it used to be??

Discussion in 'other firewalls' started by zfactor, Mar 15, 2005.

Thread Status:
Not open for further replies.
  1. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Thanks mlr1m and yahoo, both. I went ahead and reformatted anyway, but next time I hose things, I'll do as you both suggested above. That would have saved the day. I guess I should have thought to disable the services in safe mode at the very least. That would have done it.

    I don't know why I removed everything from Trusted. I guess I had the idea that Tiny would prompt me for anything it needed, but no such luck.

    Tiny puts many things in Trusted that can or should be removed perhaps. One is Outlook. I had to remove it from Trusted so I could create more strict rules for it, i.e. just allow it out to my mail servers on 25/110 and so on, instead of allowing it to connect to any port anywhere.

    Lesson learned. And I should have realized that if I removed Explorer then I'd get some bad results. :(

    In spite of that little disaster, I've reinstalled it and I'm liking it more as I learn more about it. It's really quite configurable, even the firewall, it's just a matter of learning and getting familiar with something different.

    Now I'm ready for the next user error... :D
     
  2. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    Looks like we are breeding some Tiny gurus here. I fell so far behind the curve, have not even looked at Netveda or Kerio 1.56. Ditched LnS until their next version.
     
  3. mlr1m

    mlr1m Registered Member

    Joined:
    Mar 17, 2005
    Posts:
    52
    If you change all the network rules to "ask user" then it won't matter what group they are in. You will be prompted to allow or deny for any access.
    That way Trusted apps and TrustedServices apps can have the proper file and registry access. But I would still remove any internet app from the Trusted group.
    Also, in the Tiny forum they recommend removing cscript.exe and wscript.exe from the Trusted group.

    I sure hope you guys get the hang of this firewall so I can start asking you for help. :D

    Michael
     
  4. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    I'm getting pissed off at it this morning. But it's just my ignorance I'm sure. I can't figure out how to make it only use my dns servers for dns. Seems like whatever I do, it allows dns lookups, even if I create a rule to block dns in the network rules section. Very odd. I'm going to play with it more today, and if I can't make it do what I want, I'll probably go back to Jetico again.

    It IS very impressive though. Apparently it does what BlackIce does and examines the actual network data stream for threats. Unless I misunderstand the docs. Pretty cool. I'd say if you want to lock down your system then it's the best way to do it.

    If only I can figure out some of the simple basics.. ;)
     
  5. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Ok, I did as you mentioned above and changed some network rules to "ask user" and sure enough, Tiny begins asking for permission to do DNS lookups. So I've created rules then for DNS to only my DNS servers. That's what I wanted, so I'm making some headway.

    But now, it's also asking for permission for some NetBIOS lookups or something, traffic on 137/138. But it doesn't offer any permanent settings. You can either allow or deny it for this session only, or Trust it. I don't think I should Trust it, NetBIOS being what it is. Any ideas on that one?
     
  6. yahoo

    yahoo Registered Member

    Joined:
    Feb 23, 2004
    Posts:
    290
    Location:
    nowhere
    Kerodo,

    You may want to Google "NetBIOS" to find out what it is. For a lot of people, NetBIOS is not needed. Below are two rules that other people made for NetBIOS blocking with Kerio 2.x. With some modifications, you can use them with Tiny 6.5.

    Description: Block Inbound NetBIOS TCP UDP (Notify)
    Protocol: TCP and UDP
    Direction: Incoming
    Port type: Port/Range
    First Port: 137
    Last Port: 139
    Local App.: Any
    Remote Address Type: Any
    Port type: Any
    Action DENY

    Description: Block Outbound NetBIOS TCP UDP (Notify)
    Protocol: TCP and UDP
    Direction: Outgoing
    Local Port: Any
    Local App.: Any
    Remote Address Type: Any
    Port type: Port/Range
    First Port: 137
    Last Port: 139
    Action DENY
     
  7. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Thanks Yahoo.. I figured out the NetBIOS stuff here and played with things for a while, but unfortunately I'm seeing some bugs in Tiny now. I told Tiny to ask user for outbound TrustedServices and got DNS set up ok. But it continuously asks me for NetBIOS traffic, sometimes listing the source as "Unknown" and sometimes as "System" (one bug there).

    It also fails to accept what I tell it to do. If I tell it to Deny the traffic and create a rule, it does so, but continues to ask me later. If I create a rule to deny NetBIOS to all remote addresses on 137-139, it ignores my rule and continues to ask and create new (redundant) rules. Even if I Allow the NetBIOS traffic, it continues to plague me and ask me again, over and over again. I rebooted and tried going to a backup of my policy and starting over several times, but no change. It asks me over and over, ignoring the rules it creates. Even when I say Trust It, it still ignores that even, and asks me again.

    So I'm concluding that there are some bugs there. I want to be able to have it ask about things, so this isn't going to work for me right now. I don't want to just allow all traffic from Trusted services and programs. It's way too open and loose by default. I want to specify exactly where they can connect to and on what ports. The only other way is to take programs out of the Trusted Group, but then things begin to not work.

    So for now, I'm going to put Tiny aside and go back to Jetico.

    Thanks for all the help though.. I appreciate it. ;)
     
  8. yahoo

    yahoo Registered Member

    Joined:
    Feb 23, 2004
    Posts:
    290
    Location:
    nowhere
    Kerodo -

    I am sorry that Tiny 6.5 does not work for you. It works so well for me here :D. Anyway, I will be out of town for the next few days, so I will leave Tiny alone for several days.
     
  9. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    The odd part is, it appeared to be working ok at first. Then it started doing that redundant asking stuff later. Perhaps something got corrupted? Not sure. I restored from a previous config just in case, and rebooted several times, but no luck.

    Oh well... ;)
     
  10. mlr1m

    mlr1m Registered Member

    Joined:
    Mar 17, 2005
    Posts:
    52
    Kerodo...

    Do you have all groups set as ask user?
    I use this as a base for my network rules.

    PREVENTS all TCP/UDP traffic for Trusted group
    Application runs under system account=no

    $PREVENTS ALL TCP/UDP for TrustedServices group
    Application runs under system account=yes

    $PREVENTS all IGMP traffic
    Application runs under system account=yes

    $PREVENTS all GRE traffic
    Application runs under system account=yes

    $PREVENTS all non-TCP/UDP/ICMP traffic
    Application runs under system account=yes

    Asks for every new TCP/UDP connection started by unassigned application
    Application runs under system account=no

    I then deleted all the other Low Priority rules.
    I watch the Activity monitor, and make rules from that. My system is set up differently from yours, I'm sure, but this might be a start. Do incremental backups using Tiny's backup feature for quick fixes.

    Michael
     
  11. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    That pretty much looks like what I had here. I had it asking for TrustedService apps particularly, so I could have it create DNS rules. There seemed to be some kind of bug that made it keep asking for permissions, even when I ok'd or denied previously, and it had a rule in place to follow, but it didn't. Only way to stop it from asking was to turn ask user off, which defeats the whole purpose of what I wanted to do, which was to make more restrictive firewall rules instead of just "trusting" everything and giving apps free rein to the internet.

    I'm running Jetico again now, but maybe I'll try again with the next release of Tiny Pro. Aside from that problem, I did like it a lot.
     
  12. mlr1m

    mlr1m Registered Member

    Joined:
    Mar 17, 2005
    Posts:
    52
    DAMN!! And I was hoping you were going to figure this thing out so you could help me! lol

    Michael
     
  13. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Figuring it out is fun, but when it starts cheating and playing by its own rules, then I have to quit... :D
     
  14. yahoo

    yahoo Registered Member

    Joined:
    Feb 23, 2004
    Posts:
    290
    Location:
    nowhere
    It's just like driving a car. If you know how to drive a car, then it is you that drive a car. If you do not know how to drive a car, then it is the car that drives you. :D

    People who know how to use Tiny LOVE it; people who do not know how to use Tiny HATE it. So many choices out there, one can always find one good for him/her. :)
     
    Last edited: Mar 21, 2005
  15. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    I have to remember that. Definitely one of the pearls of wisdom.
     
  16. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Yahoo.. In this case, I don't know how to use Tiny, and I love it, AND it has bugs.. Go figure... :)

    Maybe it'll be nicer to me next time around.. ;)
     
  17. mlr1m

    mlr1m Registered Member

    Joined:
    Mar 17, 2005
    Posts:
    52
    Tiny never seems to play fair, when I think I got it figured out all hell breaks loose. But it's teaching me a lot about computers. :D

    Michael
     
  18. Boah

    Boah Registered Member

    Joined:
    Jul 15, 2004
    Posts:
    4
    Haha, yeah, I decided to try the latest Tiny on my laptop (I use Outpost on my desktop) and did just that. Luckily I had another PC with internet access so I could look up some troubleshooting tips to get an emergency uninstall going (though the steps didn't quite work for me, and I had to take some additional measures, like removing all the KMX services from all the Control Sets in the registry).

    It pissed me off a bit that it let me screw up my system so easily (first time I tried Tiny) so I uninstalled it fully once I got logged in proper again. Reading this thread makes me intrigued though, so I might give it another pop.

    Wish me luck! Woof-woof! *puppy*
     
  19. mlr1m

    mlr1m Registered Member

    Joined:
    Mar 17, 2005
    Posts:
    52
    When Tiny doesn't seem to follow your network rules:

    A couple of things may be at fault.
    For instance, when you make a rule for DNS from the activity monitor (svchost.exe in Win XP), Tiny may have created it as a non-system app. Therefore it won't work.
    (I have mentioned this problem in the Tiny forums.)

    Also, on startup my anti-virus (avast) wants permission to update; as it was started by the system, I allow it as a system app.
    Then I do a manual update, and the above rule won't work because it is now being started by the user (a non-system rule).
    Instead of making 2 rules, just edit and change the rule to both system and non-system.

    Michael
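
    The rule-scope problem described in this post, as an added example that is not part of the original thread and is not Tiny's own code: a simplified first-match rule model where each rule carries a "runs under system account" scope. The rule fields, executable names and ports are constructed assumptions.

```python
# Simplified model of account-scoped firewall rules. Illustrative only: this is
# not Tiny's rule engine, and every rule, name and port below is constructed.
from dataclasses import dataclass, replace

SYSTEM, USER, BOTH = "system", "non-system", "both"

@dataclass(frozen=True)
class Rule:
    name: str
    app: str          # executable name, or "*" for any application
    proto: str        # "tcp", "udp" or "*"
    remote_port: int  # 0 means any remote port
    scope: str        # SYSTEM, USER or BOTH
    action: str       # "allow", "deny" or "ask"

@dataclass(frozen=True)
class Conn:
    app: str
    proto: str
    remote_port: int
    runs_as_system: bool

def rule_matches(rule, conn, ignore_scope=False):
    scope_ok = rule.scope == BOTH or (rule.scope == SYSTEM) == conn.runs_as_system
    return (rule.app in ("*", conn.app)
            and rule.proto in ("*", conn.proto)
            and rule.remote_port in (0, conn.remote_port)
            and (ignore_scope or scope_ok))

def decide(rules, conn):
    """First matching rule wins; rules are listed highest priority first."""
    return next((r for r in rules if rule_matches(r, conn)), None)

def scope_mismatches(rules, conns):
    """Application-specific rules that were skipped only because of their
    account scope, so a lower-priority rule decided the connection instead."""
    findings = []
    for conn in conns:
        winner = decide(rules, conn)
        for rule in rules:
            if rule is winner:
                break
            if rule.app != "*" and rule_matches(rule, conn, ignore_scope=True):
                findings.append((rule.name, conn.app, winner.name if winner else None))
    return findings

def widen(rules, name):
    """Return a copy of the rule list with the named rule set to BOTH scopes."""
    return [replace(r, scope=BOTH) if r.name == name else r for r in rules]

# Constructed policy: a DNS rule saved from a prompt as non-system, an updater
# rule saved as system, then catch-all "ask user" rules for each scope.
RULES = [
    Rule("dns-from-prompt", "svchost.exe", "udp", 53, USER, "allow"),
    Rule("av-update", "updater.exe", "tcp", 80, SYSTEM, "allow"),
    Rule("ask-system", "*", "*", 0, SYSTEM, "ask"),
    Rule("ask-user", "*", "*", 0, USER, "ask"),
]
DNS_AS_SYSTEM = Conn("svchost.exe", "udp", 53, True)    # svchost runs as SYSTEM
MANUAL_UPDATE = Conn("updater.exe", "tcp", 80, False)   # started by the user

if __name__ == "__main__":
    for c in (DNS_AS_SYSTEM, MANUAL_UPDATE):
        print(c.app, "->", decide(RULES, c).name)
    print(scope_mismatches(RULES, [DNS_AS_SYSTEM, MANUAL_UPDATE]))
    print(decide(widen(RULES, "dns-from-prompt"), DNS_AS_SYSTEM).action)
```

    In this model the saved DNS rule never matches the system-account svchost.exe, so the catch-all "ask" rule keeps firing until the rule is widened to both scopes.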
     
  20. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    That's part of the power of it, the fact that it lets you do almost anything. But I have to admit, after hosing things, it might be nice if they popped up a warning when you were about to do something dangerous, and give you the chance to change your mind first... ;)
     
  21. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    I'm not sure if I actually found a bug or two, or if it was just lack of Tiny knowledge that gave me the problems. Seemed to be a bug to me. It appeared to be creating rules based on my answers to the prompts, and then ignoring those rules and asking again.

    Don't know though. Tiny is one tough cookie to decipher...
     
  22. mlr1m

    mlr1m Registered Member

    Joined:
    Mar 17, 2005
    Posts:
    52
    Kerodo...

    I consider at least the first item I mentioned in my last post to be a bug. It can be dangerous. My mail proxies through avast so it had full access outbound till I caught this.

    Michael
     
  23. yahoo

    yahoo Registered Member

    Joined:
    Feb 23, 2004
    Posts:
    290
    Location:
    nowhere
    A General Guide To Those Who Want To Try Tiny

    Part 1: Bugs of Tiny - Really?

    I have had bad experiences with Tiny 6.5 several times. The first time was when I installed Tiny 6.5 and tried to load my Tiny 6.0 policy files: my computer stopped working. I thought it must be a bug of Tiny. Later on, I found the notice at Tiny's download site saying that old policy files cannot be used with Tiny 6.5. Well, when I downloaded Tiny, the notice was not there or I must have ignored it at that time. The second time was when I tried to delete the Trusted Group. Every time I deleted it, I got the same problem as you did: my computer stopped working. Fortunately, I managed to disable the Tiny services and avoided more trouble. I thought it must be a Tiny bug. I tried several times, and finally found out the reason and managed to delete the Trusted Group. What can I say about these difficulties with Tiny? Are they really Tiny's bugs? Well, it is hard to say. Strictly, they are not. However, from the point of view of user-friendly design, they might be looked at as bugs. At least, Tiny should do something to avoid getting users into such difficulties. For example, when the user tries to import old policy files, Tiny can give a warning; when the Trusted group is deleted, Tiny's application (say cfgtool.exe) can no longer start another of Tiny's applications (say amon.exe); Tiny should also give out a warning or something else instead of getting the system into a deadlock.

    What I am trying to say here is that, a lot of times, it may not really be a Tiny bug but a user error that causes the problem. However, Tiny should still take the blame. Tiny should not expect users to be Tiny firewall experts at the very beginning of using their products. Everyone needs some time to learn something. If the system gets blocked without warning every time the user makes a minor mistake, it's too much for the users, especially new users.

    I have been trying Tiny 6.5 for a while now. After solving the difficulties mentioned previously, Tiny 6.5 runs quite well on my computer. I have not found any obvious bugs so far, although I am sure there must be somewhere. It is one of the best and most powerful firewalls I have tried so far, and I believe that I will continue to stick with it.

    I would say that Tiny firewall is most likely suitable for computer security professionals or computer geeks/hobbyists. For some other users, it might only bring trouble instead of security. There are a lot of other powerful, yet easy to use, firewalls out there in the market. A thing good for one person may not be good for another one at all. There are always so many factors in choosing a good firewall.

    Part 2: Tips - How to try Tiny with less pain

    1) Think about it seriously before you try Tiny. If you have some other firewall suitable for you, you do not really need to try Tiny. It is quite possible that Tiny will turn out to be nothing else but a disaster to you. If you really want to take the risk, please continue to read. Otherwise, jump to the end of this post.

    2) Start with the default settings of Tiny. For most users, the default settings are good enough for security, at least at the very beginning of using Tiny.

    3) Read the manual. Although Tiny 6.5 manual might be kind of junk for users of Tiny 5.0 or 6.0, it is still valuable for users who are not so familiar with Tiny.

    4) Explore the default settings. Try to get a picture of what default groups are defined and their rights of access to resources, and also try to understand those default rules. Later on, when you want to make your own rules, it is most likely that you just need to make those default rules more restrictive, or those default groups more refined. So exploring and understanding default settings are important.

    5) When you want to tighten up the default rules, I would suggest you start with firewall rules instead of Windows security rules. This is because net security is the fundamental function that you want from a firewall, and also it's easier to set up than Windows security for most users. You might want to remove net applications from the Trusted Group and make rules to control their net traffic.

    6) When making rules, watch out for what groups an application is enrolled in. As an application can be enrolled into multiple groups, it's possible that the behavior of an application is implicitly controlled by the rules of several groups. The rule actually in effect is important, and it can be the cause of many problems. For the PRO version, you may also want to distinguish a system and a non-system application. You also need to watch out for the priority of rules. These things make Tiny more complicated. However, once you know how to use them, they really make things much easier for you.

    7) Take a small step each time you make modifications to rules. Back up your configurations frequently, and always remember to keep a working configuration available so that you can restore it when you get into trouble with new configurations.

    8) Write down the procedures for emergency uninstallation or disabling Tiny services, so that you have something to save you from reformatting Windows.

    9) Visit and ask questions at Tiny's support forum. There are quite a few Tiny gurus there. They can answer your questions. You can also learn from other users' lessons there.

    10) Always have a strong heart ready. A small mistake in Tiny configuration can lock your system up. Although we hate this fact of Tiny, we have to live with it so far :D

    These are what I have learned from my troubles with Tiny. Hopefully, they can be of some help to you.

    Part 3: Pros and Cons - Make your own choice

    I list the pros and cons of Tiny from my point of view (they may not be right to you at all, so forgive me if ...):

    Pros:
    1. Very fast firewall engine. Tiny claims it to be the fastest in the market. From my personal experience, it is fast. However, I have not done any actual measurement, so I am not sure if it is the fastest.
    2. Very strong security to the system if it is configured correctly. It controls the access to registry, file systems, processes, and more, plus the firewall. It has the functions of ProcessGuard, SSM, Prevx, AbtrusionProtect, Kerio 2.15, RegDefend, to name a few, and much more in a single application.
    3. It is quite easy on memory considering what it can do. On my computer, it takes about 40M (virtual + physical) total when the GUI is opened. It sometimes falls to around 30M. Other firewalls can easily take more than 30M memory with fewer things done.

    Cons:
    It is hard to set up for many users for some reasons.
    1. Although the GUI design of Tiny 6.5 is much better than previous versions, there is still much to be desired. For example, as mentioned before, some warning messages may prevent some user errors.
    2. The Tiny firewall is a rule-based firewall. Like other rule-based firewalls, some understanding of net protocols is needed to set it up properly.
    3. Some understanding of the Windows file system, registry, and processes is needed to set up the sandbox (Windows security) properly.

    No pain, no gain. It all depends on how much pain you can take, how much gain you want to get, and how much you know about net protocols and Windows OS. For a lot of users, the pain may be too much although the gain is great. For some others, especially those who already know something about net protocols and Windows OS, configuring Tiny is not really that big a deal.
     
    Last edited: Mar 24, 2005
  24. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    Yahoo-

    That is a great story. It hits one of my main themes. If you do not understand the firewall or security app, it can wind up being worse than nothing at all.
     
  25. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Great post Yahoo.. I'm drawn to Tiny because it is a challenge to understand, and when I'm in the mood for that, I like to tinker with it. However, when I'm looking for something good with minimal fuss, then Tiny is too much for me.

    I'm not so sure I agree with you about it being good and secure out of the box though. However, things work fine that way for most users, and in that sense it's a lot like Outpost Pro. But things should probably be tightened up in both for best results and security.

    I think I did run into some genuine bugs, and given that Tiny is difficult enough already without bugs, the bugs just pushed it over the edge for me. I can't be trying to deal with difficult software when it isn't playing by the rules.

    At any rate, it seems to me that Tiny is probably the most complex firewall out there at the moment, and as such, it's mostly for professionals or those who really have the time and patience to explore it fully.

    And I agree, they should definitely pop up and warn the user when the user is about to do some very unwise config changes. That wouldn't take much coding, and could save some folks a lot of time and pain. ;)
     