TinyWall Firewall

Discussion in 'other firewalls' started by ultim, Oct 12, 2011.

  1. Sm3K3R

    Sm3K3R Registered Member

    Joined:
    Feb 29, 2008
    Posts:
    600
    Location:
    Wallachia
    Would it be possible to add an option?

    An auto-switch that toggles Block All mode when the monitor turns off.

    If I am using the Normal Mode, for example, and I leave the computer, Tiny firewall would switch itself to Block All for the time the monitor is turned off.
    Or if the computer is left unattended, for some defined time, the Block All preset to kick in?
     
  2. Orlok

    Orlok Registered Member

    Joined:
    May 4, 2017
    Posts:
    12
    Location:
    Nigeria
    Wouldn't setting an appropriate sleep time do the same?
     
  3. nadim

    nadim Registered Member

    Joined:
    Apr 17, 2020
    Posts:
    5
    Location:
    ufo
    @ultim
    In Show connections window, [x] Show blocked apps (in last 2mins), it's showing blocked apps in last 5mins, not 2mins.
     
  4. ultim

    ultim Developer

    Joined:
    Oct 12, 2011
    Posts:
    648
    Location:
    Hungary
    Yes, that's actually a feature that is coming in 3.1, as I wrote about it earlier.

    Correct. It used to be 2mins in v2.1, then I changed it to 5min in v3 but forgot to update the UI texts.
     
  5. nadim

    nadim Registered Member

    Joined:
    Apr 17, 2020
    Posts:
    5
    Location:
    ufo
    @ultim, thanks for the reply.
    Usually I allow/enable the service called Dhcp[svchost.exe] in the TinyWall exceptions. Is it equivalent to [x]Windows DHCP Client in the Special Exceptions tab?
    Same for the Dnscache[svchost.exe] service --> [x]Windows DNS Client?
    Because sometimes my Windows doesn't acquire an IP for wifi/eth when using the two exceptions Dhcp, DnsClient manually.
    However, Windows can acquire an IP automatically without a problem when I enable [x]Windows DHCP Client, [x]Windows DNS Client.
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,004
    Location:
    The Netherlands
    Sorry Ultim, I was being stupid. I forgot that I had made a block rule in WFC, and even if it's in "low filter" mode, it will still block it. So TinyWall works just fine, but still a good tip to check the blocked connections. But what did you mean with "the ad-blocklist integrated in TinyWall", is this some kind of new feature?
     
  7. ultim

    ultim Developer

    Joined:
    Oct 12, 2011
    Posts:
    648
    Location:
    Hungary
    For DHCP you also need the lmhosts service in addition. So dnscache, dhcp and lmhosts should be sufficient. The built-in rules in TinyWall are just a bit more complex because they constrain these services to specific ports instead of just giving them unrestricted network access.

    And THAT is exactly why people are discouraged from installing multiple firewalls. Even if they can work together in specific cases (technically), there will be confusion about who blocks what, and only trouble comes out of that.

    I meant the domain-based blocklist.
     
  8. ultim

    ultim Developer

    Joined:
    Oct 12, 2011
    Posts:
    648
    Location:
    Hungary
    One of the changes in the upcoming 3.0.5 is a reworked communication between the GUI and the service, and that's a change that comes with some risks regarding regression. Of course it works fully well on my computer, but because the problem it is trying to solve didn't manifest on my computer in the first place, I cannot be absolutely sure. Can I ask a few of you to try this pre-release and let me know if there are any issues?

    IMPORTANT: Because this is a test version, the following procedure must be followed for correct installation if version 3.0.4 is already installed:
    1) Optional: Export current settings to avoid losing them
    2) Uninstall current version
    3) Reboot the computer
    4) Install test version
    5) Optional: Import settings that were saved in the first step

    Test version download link:
    https://cloud.pados.hu/index.php/s/ykD4jxHwBBA5bK8
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,004
    Location:
    The Netherlands
    I have now removed all of my blocking rules in WFC, so I don't expect any more problems. I use WFC only for the logging and Secure Rules feature, but I see TW as my primary firewall.

    Weird, I didn't even notice this ad-blocking feature.
     
  10. Sm3K3R

    Sm3K3R Registered Member

    Joined:
    Feb 29, 2008
    Posts:
    600
    Location:
    Wallachia
    That's good news :)

    @ Rasheed187
    As I've already experimented and reported here, on the WFC+Tiny combo, keep in mind that:

    1. If Secure Rules is enabled in WFC, you may see around 20% CPU usage for the Defender network service - this may cost you half of the game performance in BF1, for example;
    2. TinyWall works fine without WFC installed or with the Windows Firewall fully off;
    3. If the Windows Firewall is off (the one WFC controls) you are still protected, and I have doubts that an app can create its own rules in TinyWall (hence the need for the Secure Rules option when using WFC), from the experience I have had for some weeks already.
     
    Last edited: May 31, 2020
  11. JASTECH

    JASTECH Registered Member

    Joined:
    Oct 23, 2007
    Posts:
    40
    I'll download beta on my W10 machine and give it a try.
     
  12. JASTECH

    JASTECH Registered Member

    Joined:
    Oct 23, 2007
    Posts:
    40
    Just downloaded and installed on two W10 machines. I'll find out tomorrow.
     
  13. Heimdall

    Heimdall Registered Member

    Joined:
    Jul 29, 2009
    Posts:
    185

    I'm guessing this test build contains the fix for the rule dialogue not showing when unblocking from the Connections window? If so, it seems to be working as it should for me.
     
  14. ultim

    ultim Developer

    Joined:
    Oct 12, 2011
    Posts:
    648
    Location:
    Hungary
    Yes, that too. The build has a lot more improvements and fixes than just the changes to the inter-process communication I mentioned, but IMHO that is the only one that needs public testing. Basically, if the status is shown correctly and you can make changes to the configuration, then it works. I'm hesitating to release this until some positive test reports come in. So thanks for giving it a test drive.
     
  15. Sm3K3R

    Sm3K3R Registered Member

    Joined:
    Feb 29, 2008
    Posts:
    600
    Location:
    Wallachia
    I have installed the test version.
    The "ghost" dialog shows up now :).
    So now, when you unblock an app from the Connections window, a new window to customize the app's connections shows up.
    Keep in mind I am still on version 1909 of W10 Pro, so I do not know (yet) how it behaves on the latest W10 version.

    Installation steps were the following: saved the configuration of the official 3.0.4, uninstalled it, restarted the PC, then installed the new 3.0.4 test version and finally loaded the previously saved configuration.

    Behaviour seems to be a little different though, filtering-wise as well (maybe the installation went differently for some reason). I have observed a few things.

    Now the firewall catches svchost better, it seems, judging by the behaviour of the DNS service. I have no idea if it's because of the new version or due to something else, as Kaspersky Free was already installed now. The original version 3.0.4 was installed when Windows Defender was on, with no KAV installed at that time.

    After loading the saved configuration, to be able to make a Firefox connection, a rule for UDP Out port 53 had to be added in the Firefox Custom Rule.
    Keep in mind the DNS Client service is always ON in W10 and that before installing the test version this Allow UDP remote 53 rule was not needed (Windows Updates being off in the panel).

    To test the fix for the window I deleted the existing HitmanPro rule and tried to do a scan. As no DNS was allowed for svchost.exe, no connection was made from HitmanPro.exe either.
    I've also observed something strange though, compared with the previous experience: HitmanPro.exe was not showing up in the Connections window at all, so as to make some rules from there. Giving svchost.exe a UDP 53 Out rule fixed the issue; (only) then HitmanPro.exe showed up in the Connections window and a rule was added for HTTP manually from there.

    The first impression is that this version is better.

    I'll see how it goes for a few days more.

    LE: Other: The version name in this test build is still 3.0.4 :)
    LE2: Forgot to add something. In the Recommended section within the general settings, the DNS and the DHCP services are checked, of course. So they were allowed.
    LE3: I have uninstalled it and reinstalled the official version after a few hours. :) The dialog window works.
     
    Last edited: Jun 5, 2020
  16. ultim

    ultim Developer

    Joined:
    Oct 12, 2011
    Posts:
    648
    Location:
    Hungary
    @Sm3K3R: Thanks for the feedback. It is a bit unfortunate you already uninstalled the test version, I'd have asked you to compare the remote address of the blocked DNS packets with your system-configured DNS servers (for example, by running "ipconfig /all"). The built-in DNS rules are set up so that even on port 53, connections are allowed only to the configured DNS servers. It would have been important to know if these were blocked (before you added the manual rule) because of a mismatching IP address or another problem.
    Also: You say your impression is the new version is better. Did you maybe run into other issues? I ask because you uninstalled it already.

    @JASTECH: Did you get a chance to try it out?
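    The comparison ultim asks for above, as an added example that is not code from TinyWall or from anyone in this thread: it pulls the "DNS Servers" entries out of "ipconfig /all" output and sorts blocked port-53 records by whether their remote address is one of the configured resolvers. The ipconfig text and the blocked records are constructed sample data, and the tuple layout for a blocked record is an assumption, not TinyWall's own export format.

    ```python
    import re
    from ipaddress import ip_address

    # Constructed sample of "ipconfig /all" output (not captured from a real host).
    IPCONFIG_OUTPUT = """\
    Windows IP Configuration

    Ethernet adapter Ethernet:

       Connection-specific DNS Suffix  . : lan
       IPv4 Address. . . . . . . . . . . : 192.168.1.23(Preferred)
       Default Gateway . . . . . . . . . : 192.168.1.1
       DNS Servers . . . . . . . . . . . : 192.168.1.1
                                           9.9.9.9
       NetBIOS over Tcpip. . . . . . . . : Enabled
    """

    # Constructed blocked-connection records as one might transcribe them from the
    # Connections window: (process, remote address, remote port, protocol). Assumed layout.
    BLOCKED = [
        ("svchost.exe", "192.168.1.1", 53, "UDP"),
        ("svchost.exe", "1.1.1.1", 53, "UDP"),
        ("firefox.exe", "8.8.8.8", 53, "UDP"),
        ("hitmanpro.exe", "93.184.216.34", 443, "TCP"),
    ]


    def parse_dns_servers(text):
        """Return the addresses listed under 'DNS Servers' in ipconfig /all output.
        Additional servers appear on indented continuation lines holding only an address."""
        servers, in_dns = [], False
        for line in text.splitlines():
            m = re.match(r"\s*DNS Servers[ .]*: (\S+)", line)
            if m:
                servers.append(m.group(1))
                in_dns = True
                continue
            if in_dns:
                candidate = line.strip()
                try:
                    ip_address(candidate)  # continuation line: bare address only
                    servers.append(candidate)
                except ValueError:
                    in_dns = False  # next field reached, stop collecting
        return servers


    def classify_blocked_dns(blocked, dns_servers):
        """Split blocked port-53 records into 'expected' (remote is not a configured
        resolver, which the built-in DNS rule blocks by design) and 'unexpected'
        (remote IS a configured resolver, so the block points at another problem)."""
        configured = set(dns_servers)
        expected, unexpected = [], []
        for proc, addr, port, proto in blocked:
            if port != 53:
                continue  # only DNS traffic is of interest here
            (unexpected if addr in configured else expected).append((proc, addr, proto))
        return expected, unexpected
    ```

    A non-empty "unexpected" list is the case worth reporting back with the actual addresses, since the rule should have let those through.
    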
     
  17. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,004
    Location:
    The Netherlands
    Thanks for the feedback.

    About 1: I don't use crappy Win Defender.
    About 2: I'm aware of this, I could turn Win Firewall off, but I'm not sure if the logging will continue to work.
    About 3: Are you sure about this? Apps should NOT be able to create rules in TinyWall regardless of Secure Rules, because it protects only against apps manipulating the Win Firewall.
     
  18. ultim

    ultim Developer

    Joined:
    Oct 12, 2011
    Posts:
    648
    Location:
    Hungary
    I think you misunderstood. What Sm3K3R meant is that WFC has the Secure Rules option because apps can manipulate Win Firewall, but this option is not needed for TinyWall as it manages its own separate and private ruleset. Which is completely true.
     
  19. megaman123

    megaman123 Registered Member

    Joined:
    May 21, 2020
    Posts:
    2
    Location:
    earth

    Hi, what do I do? I test 3.0.5? Where to download? Right now it's 857mb usage o_O

    Edit: I saw the link, do I download and install it?
     
  20. Heimdall

    Heimdall Registered Member

    Joined:
    Jul 29, 2009
    Posts:
    185
    Just a couple of points. I'm on Windows 10 2004 and have not seen any issues running the test build of TinyWall.

    Regarding DNS. Under 'Special Exceptions' I've unchecked Windows Update and Store Update. My pfSense router is the configured DNS server (Unbound) and the Windows PC is passing all DNS queries to that box as usual. No additional firewall rules were required.
     
    Last edited: Jun 8, 2020
  21. ultim

    ultim Developer

    Joined:
    Oct 12, 2011
    Posts:
    648
    Location:
    Hungary
    Yes, please download it from this post to make sure I resolved your problem. I'll wait for your results before publishing the final release.

    @Heimdall: Thanks for testing.
    @Everybody else: Please try the test release above if you can. There are some bigger-than-usual changes so some testing doesn't hurt.
     
  22. Orlok

    Orlok Registered Member

    Joined:
    May 4, 2017
    Posts:
    12
    Location:
    Nigeria
    The test version still reads 3.0.4. Is that normal?
     
  23. Sm3K3R

    Sm3K3R Registered Member

    Joined:
    Feb 29, 2008
    Posts:
    600
    Location:
    Wallachia
    With the official 3.0.4 I see no issues in relation to the DNS calls, as the software and its settings are designed to manage them.
    I have only checked ICMP Filtered, the DNS and the DHCP services on that page. I enable the updates in there only if I manually check for updates.
    The new W10 version is not yet offered for my system though :(

    With the official 3.0.4, in my usage scenario I have the following behavior:
    If the DNS service rule is unchecked, in the router (NAT or traffic) log there is no DNS call made, during, at start or when restarting the PC.
    If I add an Allow UDP remote port 53 for Firefox, I can navigate the internet, even if the DNS service is unchecked/blocked in the firewall, via that option.
    No other software without an Allow UDP remote port 53 can connect at this time. So the OS is contained well and settings work as they should.

    With the TEST 3.0.4, in my usage scenario, I have had to make a rule for Firefox to allow connection to remote port UDP 53, to be able to connect, even though the DNS service was checked as allowed in there.
    Hitman Pro was also NOT detected as trying to connect in the Connections page, until I added an Allow remote UDP port 53 for svchost.exe.
    So there is something different, no doubt about it, but I have no idea if it's related to the rule-set imported from the official one or something else; there is something changed in the new version.

    It would be interesting to see if others observe a lack of connectivity after install.
     
  24. ultim

    ultim Developer

    Joined:
    Oct 12, 2011
    Posts:
    648
    Location:
    Hungary
    Yep, that's intended. That is the reason why that uninstall/reinstall procedure must be followed when installing the test release. Calling the test release already 3.0.5 would have brought the same problem except not now but when installing the final release, and adding a revision number like 3.0.4.xx does not help either due to how MSI (Windows Installer) handles upgrades in relation to version numbers.
     
  25. ultim

    ultim Developer

    Joined:
    Oct 12, 2011
    Posts:
    648
    Location:
    Hungary
    That's very true, the whole algorithm how user exceptions get translated to WFP filters has changed, but more about that in the release notes later on. I can be basically sure that the difference stems from there.

    Trying to analyze your following two observations:
    1.
    This would indicate Firefox uses its own in-process DNS client and not Windows' built-in client.

    2.
    This again, just like above, indicates that Firefox does its own DNS-resolving.
    1&2 are further supported by the presence of DNS caching options in Firefox's about:config

    So it seems whether TinyWall's behavior (in the test version) is correct depends on how your rule for Firefox is set up. Did you constrain Firefox to specific ports or do you use the default "Unrestricted TCP and UDP" rule for it? With the advance of WebRTC in the past years, limiting browsers to common ports such as 443, 80 or 8080 is not practical/workable anymore for many websites.

    This is not enough info to go on, and doesn't even look like an issue to me. It could very well be that Hitman Pro does not try to connect as long as the DNS resolution does not finish successfully, and the latter is attributed ofc to Windows' client. And this is quite plausible, expected even, I mean how could any application (that uses domain names and not hardcoded IP addresses) possibly try to connect to a remote machine if it couldn't resolve the remote domain to an IP address.

    Yep, please help with testing everybody. Did I mention that earlier? :)
     