TinyWall Firewall

Discussion in 'other firewalls' started by ultim, Oct 12, 2011.

  1. Sm3K3R

    Sm3K3R Registered Member

    Joined:
    Feb 29, 2008
    Posts:
    600
    Location:
    Wallachia
    Ok, I've got it.
    I now know why on my machine the TEST build is working strangely. :)

    So, I have re-downloaded the Tiny test build and re-installed it, after uninstalling the official build and after most of the remaining TinyWall registry keys were removed manually.
    Being a fresh install, I have not imported the previous configuration.
    At first I had a glitch with the settings not being saved, but this went away after a few modifications and Apply clicks.

    Checked the DNS issue and it was still there, Firefox needed a special DNS rule to work. Additionally I've seen that the Block All preset was practically not working fully, AVP was connecting at PC start-up.
    So I first removed VoodooShield Free, and it made no difference.

    Then I uninstalled Kaspersky Free and everything went back to normal.

    The question is why the official build seems to be working properly alongside Kaspersky Free, while the TEST build is being overridden by the Kaspersky network filtering side.
    By behavior it seems that Kaspersky is first in the filtering pipe while TEST Tiny goes after?
    Most probably many apps will go around Tiny's own rules if Kaspersky is installed. Could be happening with other AVs.
    Keep in mind the test build was installed when KAV was already in the system.

    As I want KAV on my PC, I will most probably revert to the official build.

    LE:
    I have re-installed Kaspersky Free, over the TEST build, to see what happens.
    Behavior is normal now, no issues. Block All mode works, the "recommended" settings work normally.
    As such I'll keep it installed for more days.

    So, in the past, I first had TinyWall 3.0.4 Official installed and then Kaspersky Free installed, and all seemed OK. TinyWall was installed first, without a 3rd-party AV active.
    Then reinstalling TinyWall 3.0.4 Official with Kaspersky Free installed was OK.
    Uninstalling the Official build and installing the TinyWall TEST build, with Kaspersky Free already installed, gave issues.
    Uninstalling Kaspersky Free fixed my problems, with the TinyWall TEST build kept installed.
    Re-installing Kaspersky Free over the TinyWall TEST build looks OK, no issues.
    I don't get it :) Where is the glitch?!

    Most probably, if no 3rd-party AV is installed, there may be no issues.
     
    Last edited: Jun 8, 2020
  2. ultim

    ultim Developer

    Joined:
    Oct 12, 2011
    Posts:
    648
    Location:
    Hungary
    Wow, if it's really due to KAV, this is great help. I'm going to install KAV to reproduce the issue myself ASAP and get back with the results.

    It is not completely impossible but Kaspersky would have to actively go out of their way to mis-use the Windows Filtering Platform in a way not intended by Microsoft, and also it wouldn't explain why it depends on the installation order or the difference between release and test builds. At this point it is better not to overthink this or come up with theories, and instead install KAV on my computer to search for reasons/evidence
     
  3. Sm3K3R

    Sm3K3R Registered Member

    Joined:
    Feb 29, 2008
    Posts:
    600
    Location:
    Wallachia
    As I am very sure some Windows updates were installed over the Kaspersky Free + TinyWall 3.0.4 official combo, I will post the KBs installed over them as well. Maybe this is relevant in some way.
    Updates installed were: KB 4497165, KB 4556799 & KB 4552931
     
  4. ultim

    ultim Developer

    Joined:
    Oct 12, 2011
    Posts:
    648
    Location:
    Hungary
    Hi,
    I tried to reproduce the issues but without much luck. The test setup:
    - (Almost freshly installed) Windows 7 with most recent public patches (up to and including Feb. 2020).
    - I installed KAV Free first, then updated virus definitions, and left other settings at default
    - Rebooted
    - Installed TW test build (same one you had)

    I had no problems with Firefox or IE accessing the internet and I did not have to create manual rules for port 53. Removing / adding exceptions for applications produced the correct results (blocked and allowed respectively). I also played around a bit with different modes, starting apps at different times, reboots etc. and results were always as expected.

    I also looked at the issue where according to your report avp.exe would connect after a boot even though TW is in Block All mode. In my test, the only connections avp made in Block All mode were loopback connections (even after a reboot). TW does not filter loopback traffic on purpose because they are not a threat for privacy or security but would only cause problems for apps if filtered. If what you saw with avp after a boot were also loopback connections, then there is nothing wrong with that. Is it possible you missed the fact that they were loopback connections? In this case you can tell by the remote address being 127.0.0.1.
     
  5. Sm3K3R

    Sm3K3R Registered Member

    Joined:
    Feb 29, 2008
    Posts:
    600
    Location:
    Wallachia

    The issues reported by me here, in relation to the TEST build, are for a Windows 10 Pro x64 1909 installation :)

    I have also taken a look at the services that run, in relation to Windows Security. The Windows Defender Firewall Service is still running, even though the 3-zone built-in Windows firewall is disabled via Advanced Settings and Windows is reporting it as off, for all zones, in the Notifications.
    So there are practically 3 "hooks" on the network pipe, on my W10 Pro machine. One is the Windows Defender Firewall Service, then it's the Kaspersky Free network filtering and of course Tiny Firewall. God knows what's the order of packet processing, who's first and when.

    I am not using TinyWall on my Windows 7 installation, so I have no idea if the behavior would be similar to the Windows 10 1909 installation.

    The KBs specified are for Windows 10 Pro x64 1909.

    I am not pointing a finger at any of the vendors, but I think that Windows 10 looks messy. We can see the trend in the security area in relation to the security software. Not many serious Windows firewall makers/vendors left out there.

    As I always try to find my workarounds, I have no problem reinstalling the AV after each TinyWall upgrade, if needed.

    In my opinion, a user opinion, the TEST build is ready to be published. It will fit the default user configuration in most cases.
    My feedback was given in good faith.
     
    Last edited: Jun 9, 2020
  6. ultim

    ultim Developer

    Joined:
    Oct 12, 2011
    Posts:
    648
    Location:
    Hungary
    My main machine (which is also my main development machine) is Windows 10 v1909, but I don't want to install KAV here. The Win7 machine I tried with KAV is a VM that I already had, that's why I used that. I will install another VM with Win10 1909 and redo the experiments with KAV there.

    The order of firewall filter evaluation is actually very well defined in Windows, even between multiple firewall products. It only depends on how the firewall products were written, and the part by Windows is not only deterministic but is also publicly documented by Microsoft. If I could see every filter of KAV I would be able to tell clearly who and when has priority, KAV or TinyWall. I did inspect that too in my test with KAV and Win7, but unfortunately KAV has hidden many filtering operations behind kernel drivers instead of firewall filters so I couldn't see everything. I could make TW always have priority irrespective of what KAV does in its drivers, but that comes with its own risks regarding RPC and some other technologies, so that is not appropriate at this point in time. Not to mention it would only last until Kaspersky also decides to make KAV first "guaranteed" in a future update, and then I would do it again, and then KAV would do it again, and we could keep playing this game update-to-update until we run out of priority levels (or "weights", as WFP calls it) :D So instead I'll be just hoping that KAV does nothing out of the ordinary or unexpected in its drivers, in which case the same cooperation results as with Windows Firewall: a packet gets blocked if any firewall blocks it. This is, by the way, also Microsoft's intention and recommendation (which is why I hope KAV will stick to it).

    Thanks, you are a great help and I really appreciate it.
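
The cooperative arbitration described in the post above, sketched as a small model. This is an added example, not part of the post and not TinyWall or Kaspersky code. It assumes only the basic documented WFP behaviour (inside a sublayer the highest-weight matching filter decides, and a block from any sublayer is final) and leaves out callout drivers and action-override flags; `fw_a`, `fw_b` and their rules are hypothetical.

```python
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass(frozen=True)
class Packet:
    app: str
    proto: str
    remote_port: int

@dataclass(frozen=True)
class Filter:
    name: str
    weight: int                      # higher weight is tried first inside its sublayer
    action: str                      # "permit" or "block"
    match: Callable[[Packet], bool]

@dataclass(frozen=True)
class SubLayer:
    name: str
    weight: int                      # higher-weight sublayers are visited first
    filters: tuple

def sublayer_decision(sub: SubLayer, pkt: Packet) -> Optional[Filter]:
    """Inside one sublayer the highest-weight matching filter decides."""
    for flt in sorted(sub.filters, key=lambda f: f.weight, reverse=True):
        if flt.match(pkt):
            return flt
    return None

def classify(sublayers, pkt: Packet):
    """Visit every sublayer; the first block is final, otherwise permit."""
    trace = []
    for sub in sorted(sublayers, key=lambda s: s.weight, reverse=True):
        hit = sublayer_decision(sub, pkt)
        if hit is None:
            continue                 # this sublayer has no opinion on the packet
        trace.append((sub.name, hit.name, hit.action))
        if hit.action == "block":
            return "block", trace
    return "permit", trace           # model assumption: no block anywhere means permit

def build(weight_a: int, weight_b: int):
    """Two hypothetical products, each with its own sublayer (constructed rules)."""
    fw_a = SubLayer("fw_a", weight_a, (
        Filter("allow browser web", 10, "permit", lambda p: p.app == "browser.exe"
               and p.proto == "tcp" and p.remote_port in (80, 443)),
        Filter("block everything else", 1, "block", lambda p: True),
    ))
    fw_b = SubLayer("fw_b", weight_b, (
        Filter("block plain http", 5, "block",
               lambda p: p.proto == "tcp" and p.remote_port == 80),
        Filter("allow all", 1, "permit", lambda p: True),
    ))
    return [fw_a, fw_b]

SAMPLES = {                          # constructed packets
    "https": Packet("browser.exe", "tcp", 443),
    "http": Packet("browser.exe", "tcp", 80),
    "dns": Packet("browser.exe", "udp", 53),
}

def verdicts(weight_a: int, weight_b: int):
    layers = build(weight_a, weight_b)
    return {name: classify(layers, pkt)[0] for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for order in ((100, 50), (50, 100)):
        print(order, verdicts(*order))
```

Swapping the two sublayer weights changes the trace but not the verdict: in this model a packet is blocked if either product blocks it, and ordering only starts to matter with the mechanisms the model omits.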
     
  7. Orlok

    Orlok Registered Member

    Joined:
    May 4, 2017
    Posts:
    12
    Location:
    Nigeria
    I had lots of connectivity problems with the test version. After unblocking some apps, it would still not allow them through. Importing my previous unblock list had the same effect. I reverted back to 3.0.4 stable and all is working as usual.
     
  8. ultim

    ultim Developer

    Joined:
    Oct 12, 2011
    Posts:
    648
    Location:
    Hungary
    Sorry to bother you, but please-please-please send me the following stuff (with the non-working version) so that I can properly investigate:
    1. In an administrative command prompt (start cmd.exe with admin privileges), the file created by "netsh wfp show state"
    2. An export file of your TinyWall configuration
    3. A screenshot of the Connections window showing the blocked lines that should have been allowed

    These things together should give me all the info I need to recreate and analyze the situation.
     
    Last edited: Jun 11, 2020
  9. kenw

    kenw Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    134
    Location:
    Brighton, Colorado
    Is it possible to have Autolearn turned on until I turn it off? It can take a long time to run my programs and a few call home and are blocked.

    Thanks
     
    Last edited: Jun 10, 2020
  10. Orlok

    Orlok Registered Member

    Joined:
    May 4, 2017
    Posts:
    12
    Location:
    Nigeria
    I sent it to you.
     
  11. ultim

    ultim Developer

    Joined:
    Oct 12, 2011
    Posts:
    648
    Location:
    Hungary
    @Sm3K3R : I've repeated the tests on a fully updated Win10 v1909 now, but I came up with the same results as on Win7. No problems found with Kaspersky.
    Can you please send me the files I asked from Orlok earlier? wfpstate.xml, Connections screenshot with the wrongly blocked port 53 entries, and (optionally but would be great) your TinyWall settings export.
    Alternatively, please compare if the remote address of the blocked DNS packets in the Connections window is one of the DNS servers listed by "ipconfig /all", but the above files would be better since then I can check a lot more things.
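
The two manual checks suggested in this thread (is a remote address loopback, and is a blocked port 53 destination one of the DNS servers listed by "ipconfig /all") can be scripted. This is an added example, not part of any post and not TinyWall code; the `ipconfig` text and the connection rows are constructed samples, and the row layout is an assumption about what one would copy out of the Connections window.

```python
import ipaddress
import re

# Constructed sample of English-locale `ipconfig /all` output.
SAMPLE_IPCONFIG = """\
Ethernet adapter Ethernet:

   Description . . . . . . . . . . . : Example Ethernet Adapter
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.20(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 8.8.8.8
                                       8.8.4.4
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

# Constructed rows: (process, protocol, remote address, remote port, action)
SAMPLE_ROWS = [
    ("avp.exe", "TCP", "127.0.0.1", 1110, "allowed"),
    ("firefox.exe", "UDP", "8.8.8.8", 53, "blocked"),
    ("firefox.exe", "UDP", "9.9.9.9", 53, "blocked"),
    ("avp.exe", "TCP", "203.0.113.10", 443, "allowed"),
]

def parse_ip(text):
    """Return an ip_address or None; a trailing IPv6 zone such as %12 is dropped."""
    try:
        return ipaddress.ip_address(text.strip().split("%")[0])
    except ValueError:
        return None

def dns_servers(ipconfig_text):
    """Collect DNS servers, including the unlabeled continuation lines."""
    servers, in_block = set(), False
    for line in ipconfig_text.splitlines():
        label = re.match(r"\s*DNS Servers[ .]*:(.*)", line)
        candidate = label.group(1) if label else (line if in_block else "")
        ip = parse_ip(candidate)
        in_block = ip is not None    # the list continues only while lines are bare addresses
        if ip is not None:
            servers.add(ip)
    return servers

def triage(rows, servers):
    """Label each row so loopback and DNS-to-known-server cases stand out."""
    findings = []
    for proc, proto, remote, port, action in rows:
        ip = parse_ip(remote)
        if ip is None:
            kind = "unparseable address"
        elif ip.is_loopback:
            kind = "loopback"
        elif port == 53 and ip in servers:
            kind = "dns to configured server"
        elif port == 53:
            kind = "dns to unlisted server"
        else:
            kind = "other remote"
        findings.append((proc, remote, port, action, kind))
    return findings

if __name__ == "__main__":
    for row in triage(SAMPLE_ROWS, dns_servers(SAMPLE_IPCONFIG)):
        print(row)
```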
     
  12. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,588
    Location:
    USA
    I have been running the test version since June 1 on my Win10 v. 2004. No problems and very smooth.
     
  13. Heimdall

    Heimdall Registered Member

    Joined:
    Jul 29, 2009
    Posts:
    185
    @ultim

    You might want to look at this if not already known.

    I was installing wireshark but on launch it failed to find any interfaces. After trying several things, including installing the latest npcap, I was still in the same position. TW wasn't showing anything in connections but npcap was failing to load. After uninstalling TW, and rebooting, wireshark worked correctly. I then reinstalled TW and WS still worked. Seems TW was preventing npcap from loading somehow...
     
  14. ultim

    ultim Developer

    Joined:
    Oct 12, 2011
    Posts:
    648
    Location:
    Hungary
    Thanks, already known, here's how to set up rules for WireShark.
     
  15. ultim

    ultim Developer

    Joined:
    Oct 12, 2011
    Posts:
    648
    Location:
    Hungary
    @Sm3K3R , @Orlok
    Thanks guys for your help. I believe I've found the cause and fixed everything I've found. Here's a new build, and if your problems are solved then I'll go ahead with the release.

    @megaman123
    Did you get a chance to look at the test build to see if memory usage is back to normal? I believe it should be.

    Test version download link:
    https://cloud.pados.hu/index.php/s/ykD4jxHwBBA5bK8

    IMPORTANT: Because this is a test version, the following procedure must be followed for correct installation if version 3.0.4 is already installed:
    1) Optional: Export current settings to avoid losing them
    2) Uninstall current version
    3) Reboot the computer
    4) Install test version
    5) Optional: Import settings that were saved in the first step
     
  16. Orlok

    Orlok Registered Member

    Joined:
    May 4, 2017
    Posts:
    12
    Location:
    Nigeria
    New test version works well, so far.
     
  17. Sm3K3R

    Sm3K3R Registered Member

    Joined:
    Feb 29, 2008
    Posts:
    600
    Location:
    Wallachia
    I have installed the new test version and, at a first glance, it looks ok.

    I have saved the previous config, uninstalled the previous test version, then did some manual clean-up for remnants, restarted the PC and, afterwards, I installed the new test version, loading the saved configuration as well.
    All this was done over the Kaspersky install. After some banal Recommended settings tests, with HitmanPro, DNS, Windows Updates and such, it seems to be OK.
    Some Windows pre W10 2004 update arrived over the install also.

    There is an observation though. It's on the positive side of things.
    With the previous official version, the Bing Weather App had a strange behavior, to which I have not paid too much attention. With older versions it would need help to connect for weather updates, along with its own custom rule. As such, enabling the Windows Update in the Recommended section allowed for a weather update. On the other hand, with this new test version, the Connections window shows me that the Bing Weather App (allowed in a custom app rule) finally links properly with the .exe that does the connection for the weather updates.
    I have no idea if it's the new version in itself or not, but it looks like a fix for a small issue on my PC.

    I'll keep an eye on the build behavior over the weekend and report if anything. It looks OK for now.
     
    Last edited: Jun 12, 2020
  18. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,004
    Location:
    The Netherlands
    Correct, I now see that I misread it, we are actually saying the same. However, the reason I like to keep Secure Rules enabled is because let's say I have to disable TW for whatever reason, then WFC can still protect the system and you never know if certain shady apps have added rules to the Win Firewall.
     
  19. ultim

    ultim Developer

    Joined:
    Oct 12, 2011
    Posts:
    648
    Location:
    Hungary
    The problem with that is, the Secure Rules feature of WFC is exactly one of the features that should be incompatible with TinyWall. Anyway, you've been warned. You've already run into problems earlier for not taking our advice on this.
     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,004
    Location:
    The Netherlands
    Can you perhaps explain it to me, or point me to the post where you already explained it? Because I don't see how it should cause any problems now that TW is not a front-end for the Win Firewall anymore. You would think that TW doesn't care about the Win Firewall.
     
  21. ultim

    ultim Developer

    Joined:
    Oct 12, 2011
    Posts:
    648
    Location:
    Hungary
    TinyWall is independent from WF. So in the case when WF is not disabled, TinyWall and WF would clash (in the sense that the rules created in TinyWall by the user wouldn't give the expected results). So to ensure they don't clash, if TinyWall sees WF is enabled, it will add a few rules to WF to negate its effects. This of course would be prevented by WFC's Secure Rules. Earlier explanation.
     
  22. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,004
    Location:
    The Netherlands
    Thanks, I now understand. But I haven't seen any problems so far, everything works just fine. Outbound connections are being blocked by TW, and inbound connections are probably being blocked by both TW and Win Firewall.

    SpyShelter can also block outbound connections, but it doesn't auto-block, it always alerts, so that's a no go. BTW, SpyShelter can also block apps from receiving incoming connections, but that's not the same as blocking all inbound traffic of course.
     
  23. Sm3K3R

    Sm3K3R Registered Member

    Joined:
    Feb 29, 2008
    Posts:
    600
    Location:
    Wallachia
    Bug, latest TEST version.

    Kaspersky removed.
    Sandboxie 5.33.6
    Recommended rules: Filter ICMP, Windows DHCP, DNS Client (+/-) checked. The rest are unchecked in Special Exceptions.
    Google DNS servers used and added to the network properties of the network card.
    Apps have the Allow Only specific UDP/TCP option kind of rules. Firefox has TCP remote ports 80, 443 added. No Sandboxie executable has a rule of any sort.
    Only the Firefox executable itself has a rule.

    Firefox Sandboxed, DNS Client (recommended rules) checked/enabled -> needs Out UDP remote port 53 rule added, in Firefox app, to connect to internet
    Firefox Normal, DNS Client (recommended rules) checked/enabled -> works without a specific Firefox app rule for remote UDP 53 (DNS); UDP fields are blank
    DNS Client unchecked, Firefox Sandboxed -> works with an Out UDP remote port 53 rule added
    DNS Client unchecked, Firefox Normal -> does not work even with 53 UDP port rule added
     
  24. ultim

    ultim Developer

    Joined:
    Oct 12, 2011
    Posts:
    648
    Location:
    Hungary
    Yes, I can reproduce it, but it doesn't look like a bug in TinyWall. Clearly, in the case when Firefox gets blocked, it tries its own DNS resolution over port 53 but you only whitelisted 80 and 443, so no surprise that it fails. See attached screenshot. But when not in the sandbox, Firefox uses Windows' DNS client instead of its own, so it succeeds because that was allowed in the Special Exceptions tab. Something in Sandboxie (probably one of the restrictions?) causes Firefox to switch to its internal DNS client.

    Workaround is easy: allow port 53 (or all ports) for Firefox. That's the default btw.

    sandboxie-firefox.png
     
  25. ultim

    ultim Developer

    Joined:
    Oct 12, 2011
    Posts:
    648
    Location:
    Hungary
    Alright! TinyWall 3.0.5 is officially released, up and available. [Website]

    3.0.5 is a lot bigger update than any previous version since 3.0.0, and I strongly recommend everybody to update due to the importance of some of the improvements. For this reason, I'd like to personally describe some of the changes instead of just simply showing the release notes.

    Important fixes:

    First of all, there are two very important fixes that concern TinyWall's engine. One resulted in being unable to whitelist certain Windows services, so if you ever wondered why unblocking a certain service doesn't seem to work while others do, this was probably the reason. The other bug resulted in not always updating the firewall rules when certain parameters of a network adapter (such as DNS settings) changed, so this might have resulted in connectivity issues in some cases. Concerning the UI, there are also two fixes that I consider important: The "Ask for exception details" did not work in about half the contexts, and editing a newly added rule by clicking on the resulting tray popup seemed to work but in reality it didn't. Also, a memory leak was fixed which could result in TinyWall taking up many-many hundreds of megabytes according to the Task Manager, though to be honest this wasn't a "real leak" as the leaked memory was still marked as unused, and .Net would still return it to the OS either on the next garbage collection cycle or under high memory pressure. But I understand if it looked scary :)

    New features:

    There are also some nice new features in 3.0.5 that were often requested. One is that now the column widths in lists are preserved and remembered next time you open a window, so you don't have to resize them again every single time anymore. Furthermore, when you edit, add or remove an application exception in the Manage window, the list will preserve its scroll position and selection, making it much more friendly to work with multiple rules in series. Last but not least, support for x86 systems is once again restored, so users who couldn't upgrade to TinyWall 3 earlier due to having a 32-bit Windows system can now also install the latest version.

    Performance improvements:

    TinyWall 3.0.5 brings significant performance improvements that aren't just measurable, but people with old and slow computers will feel it. The main improvement is the new algorithm which is now used to convert user-defined rules to primitive filters for the Windows kernel. Each rule a user defines needs to be broken down to dozens of simple filters to be usable, and this "conversion" step is now much more intelligent and does optimization. The result is that about 2.4x fewer kernel filters are created. Since we are talking about many thousands of filters on a normal system, this is a significant improvement when applying new rulesets. Note however, this only concerns the setting of firewall rules; actual rule evaluation (traffic filtering performance) is almost completely independent from this. Another area which received significant optimization is the monitoring of sub-processes, a feature available since TinyWall 3.0. When a lot of processes come and go (for example when compiling software from source code), this feature was responsible for some non-trivial system load. Now this feature consumes a lot fewer CPU cycles, and is even completely disabled when not needed by the current settings. Lastly, it was determined that the traffic rate display in the GUI had a noticeable effect on performance on slow systems due to the usage of WMI. The traffic rate display has now been reimplemented using an alternate method and has become over 6x faster.

    Full changelog (source):
     