TinyWall Firewall

Discussion in 'other firewalls' started by ultim, Oct 12, 2011.

  1. mroek

    mroek Registered Member

    Joined:
    Mar 11, 2020
    Posts:
    11
    Location:
    Norway
    Thanks for the explanation. The weird thing is that the .exe in my installation does not appear to be signed. If I run this command in a powershell window:

    PS C:\Program Files\DB Browser for SQLite> Get-AuthenticodeSignature -FilePath '.\DB Browser for SQLite.exe'

    I get the status "NotSigned". Right-clicking on the .exe and checking the properties also does not show a "Digital signatures tab", so it really appears to be unsigned. Very odd indeed, because if my computer lacked some root certificates I guess it should still say the file was signed? And if it really is unsigned, why does TinyWall show it as "possibly compromised"?

    Edit: I figured it out, and it seems it's a packaging problem when they created the installers. I used the 64-bit MSI installer, but I now checked the files in the .zip-version, and in that package the files are actually signed. So I just replaced the exe in my installation with the one from the zip, and now TW recognizes it and gives the green banner.

    Still doesn't explain the red banner in TW with the unsigned files, though. It should have been blue, I think, as per your explanation.
     
  2. geckosstick

    geckosstick Registered Member

    Joined:
    Sep 18, 2020
    Posts:
    3
    Location:
    Australia
    A newbe has two questions...
    1. How to set a rule to only allow an app to send/receive through FTP but deny both UDF + HTTP protocls (in and out)?
    2. How to only allow both in and out for an I.P. address range for HTTP or UDF for a selected app.
    And a big thank-you Károly Pados for making TinyWall freely available.
     
  3. ultim

    ultim Developer

    Joined:
    Oct 12, 2011
    Posts:
    650
    Location:
    Hungary
    This happens on some Win7 machines (Win10 seems unaffected) for an unknown reason. The issue is relatively old but I never could reproduce it (neither on real nor in virtual machines) or solve it simply through experiments, although I've tried. I'd need a willing and affected user to let me remote log into their computer and debug the issue while it is happening, but so far nobody stepped up.
     
  4. ultim

    ultim Developer

    Joined:
    Oct 12, 2011
    Posts:
    650
    Location:
    Hungary
    You need to click Apply in the Manage window for any changes (not just exceptions) to take effect. Of course, when making multiple changes or multiple exceptions, you need to Apply only once at the end.
     
  5. ultim

    ultim Developer

    Joined:
    Oct 12, 2011
    Posts:
    650
    Location:
    Hungary
    Ok, now I've got it. I downloaded and installed the .msi instead of the .zip, and now I also get the red banner. For some reason the code manages to extract a certificate issued by "justin" at DBHub.io, but then correctly determines it is not valid on our computers. So the question is, is this .exe really signed or not? Cross-checking it with SignTool says it isn't. Hmmm... I need to dig deeper, but it seems you might have found a bug in TinyWall.
     
  6. ultim

    ultim Developer

    Joined:
    Oct 12, 2011
    Posts:
    650
    Location:
    Hungary
    Hi geckosstick,

    By UDF I assume you meant UDP? Anyway, you select "Allow only specified ports" and then enter your comma-delimited list of ports into the TCP fields for FTP and HTTP. To make this work effectively without having to open up most local ports, you need to set up FTP for passive mode instead of active mode (this is important, and is true not only for TinyWall but for all end-user firewalls). You need to consult the docs of your FTP client and server about how to do that. But! A far better solution would be ditch FTP altogether and use SFTP or SCP instead. These provide much higher security by default (FTP's practically deprecated and nobody should be using it anymore), while also being easier to set up in the firewall as they only need a single outgoing port.

    You cannot define IP address ranges in TinyWall.
     
  7. asilesoft

    asilesoft Registered Member

    Joined:
    Nov 29, 2019
    Posts:
    20
    Location:
    spain
    Many thanks fpr ypur answer, with 2.99 version it does not happen. For make debugging we will wait ...
     
  8. geckosstick

    geckosstick Registered Member

    Joined:
    Sep 18, 2020
    Posts:
    3
    Location:
    Australia
    Hi ultim, thank you for your answer. Yes I did mean to say UDP! I will look into setting SFTP for the app and only allowing the port 22.

    OK, so in that case can I set a scope rule in windows firewall to only allow through a range of IP's and setup TinyWall to allow the app. I mean can TinyWall run alongside with windows firewall - would that work?
     
  9. ultim

    ultim Developer

    Joined:
    Oct 12, 2011
    Posts:
    650
    Location:
    Hungary
    That wouldn't work. If you run TinyWall in parallel with Windows Firewall, you'll only be able to use Windows Firewall to add blocking rules, allow-rules in Windows Firewall will not have any effect.
     
  10. geckosstick

    geckosstick Registered Member

    Joined:
    Sep 18, 2020
    Posts:
    3
    Location:
    Australia
    I see, thanks again utim.
     
  11. ultim

    ultim Developer

    Joined:
    Oct 12, 2011
    Posts:
    650
    Location:
    Hungary
    Yoohooo, finally I've got my new certificate on Friday. And you know what that means... that's right, a new TinyWall release! Okay, there is actually not much exciting about this release, it's just a bunch of quality and stability fixes. But that also means it's a safe version and all users are recommended to upgrade. Changelog follows:

    Code:
    3.0.8 - Maintenance release (27.09.2020.)
    - Add workaround for "grey icon on Win7" issue
      Note: On affected systems icon will appear with considerable delay after boot.
            This is expected and does not affect start of firewall protection.
    - Fix WMI leak when mountpoints change
    - Fix GUI crash if mountpoints change after changing the GUI language
    - Fix service crash if pipe command results in uncaught exception
    - Fix windows are potentially invisible if virtual desktop size changes
    - Fix text placement in pt-BR localization
    - Make dependency on eventlog service optional
    - Updated Italian localization
    - Updated application database
     
    Last edited: Sep 27, 2020
  12. Spartan

    Spartan Registered Member

    Joined:
    Jun 21, 2016
    Posts:
    1,042
    Location:
    Dubai
    I have the Windows Security service disabled as I want 0 nags from it for example if I temporarily disable my AV

    Now, is it ok to disable the Windows built in firewall completely including its service? Would TinyWall still do its job just fine?

    Also, why did TinyWall v3.08 install itself in the Program Files (x86) folder rather than Program Files since it is 64-Bit?
     
    Last edited: Sep 27, 2020
  13. Less

    Less Registered Member

    Joined:
    Dec 24, 2008
    Posts:
    281
    As this is a pretty long thread, it not easy to prowl through for answers.
    How do i block or allow different services using svchost? Please do let me
     
  14. ultim

    ultim Developer

    Joined:
    Oct 12, 2011
    Posts:
    650
    Location:
    Hungary
    Completely fine. There is no effect on TinyWall if you disable Windows Firewall, it will work without limitations. The Windows Security Center would falsely nag you about a missing firewall but you've solved that already by disabling it.

    Because even if TinyWall is 64-bits, it is still installed by a 32-bit installer, and Windows enforces that 32-bit installers can only install apps to Program Files (x86) (when they want to install to Program Files). I assume this begs the question why the installer is 32-bits? So that I can distribute both 32-bit and 64-bit versions with the same installer. Otherwise I would have to create and release two different installers and provide two separate downloads.
     
  15. ultim

    ultim Developer

    Joined:
    Oct 12, 2011
    Posts:
    650
    Location:
    Hungary
    In TinyWall's Normal operating mode, they are blocked by default so you only need to create allow-rules. Go into the Manage window, in the Application Exceptions tab select Add. Then click "Choose a service...".
    https://malwaretips.com/attachments/service-jpg.235579/
     
  16. Spartan

    Spartan Registered Member

    Joined:
    Jun 21, 2016
    Posts:
    1,042
    Location:
    Dubai
    Got it! Thanks a lot for this awesome firewall! I feel my internet webpage loading is snappier now, probably because there is no telemetry and other crap calling home. Cheers
     
  17. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,422
    Location:
    The Netherlands
    Is it the certificate for the driver? I'm asking because I see that the developer of Sandboxie Plus couldn't get one, he needs money for this. BTW, aren't you interested in developing a fork of Sandboxie? But anyway, thanks for the new TinyWall, I will soon upgrade.
     
  18. ultim

    ultim Developer

    Joined:
    Oct 12, 2011
    Posts:
    650
    Location:
    Hungary
    TinyWall doesn't have a driver, and its certificate is not suitable for signing drivers. I did think of getting one for that (then the first step would be to get an EV certificate), but just like David said, it is prohibitively expensive unless there are enough donations. Since the additional benefits for TinyWall would have been marginal (it could be used to register with Windows' Security Center) and there are not nearly enough donations for it (currently only 51% of an EV certificate is covered), I opted for a "traditional" one.

    I don't see a reason for me to fork SB+. I think David is doing well and is being active both as a developer and also on the forums to support his users. At this point I don't think SB+ should be forked at all. Users who want to contribute should do so by sending David pull requests to concentrate the efforts. IMHO the only real problem now with SB+ is the missing certificate for its driver (which, unlike for TinyWall, is vital for SB+). I think a supporting company should step in and donate a certificate for SB+.

    [rant start] Another interesting option could be for multiple projects to band together and finance a "collective" certificate that all of them can use. Something like Sandboxie + Peerblock (maybe even TinyWall). But this obviously needs people to trust each other very well, and might not even be practical due to the hardware token requirement of an EV certificate (this needs more research). Though if something like this would come to fruition, I could imagine an even tighter "alliance" down the road with a partially shared infrastructure, distribution and "marketing". Theoretically the synergy could be great, as all these projects are related security-wise, yet all of them provide solutions for different tasks but have to put up with similar problems. But this is just my own fantasy going wild, I have absolutely no idea how the others see this.[/rant end]
     
    Last edited: Oct 3, 2020
  19. asilesoft

    asilesoft Registered Member

    Joined:
    Nov 29, 2019
    Posts:
    20
    Location:
    spain
    Hello Ultim, whit the last release ( 3.08 ) this issue is solved! Many thanks
     
  20. ultim

    ultim Developer

    Joined:
    Oct 12, 2011
    Posts:
    650
    Location:
    Hungary
    Yes, this is the first item in the changelog. Although 3.0.8 is just collection of fixes and improvements, I was quite hyped for 3.0.8 exactly because of this fix. It is nice to get further confirmation that the remedy is really working, thanks!
     
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,422
    Location:
    The Netherlands
    OK, my bad. I think you already explained this, but I keep forgetting that a third party firewall like TW doesn't need to use a driver. I guess it simply interacts with the Windows Filtering Platform? I also think it's weird that you actually have to buy a code signing certificate for Windows 64 bit, this will stop small time developers from developing advanced security tools.

    Perhaps Windows should go for a similar model as macOS which has now switched to "system extensions" which replace kernel extensions. I'm not sure if you have to pay anything though. About Sandboxie, the problem is that there aren't enough developers to develop it. I was thinking, you could charge a yearly fee, I believe there are still plenty of Sandboxie supporters to make it worthwhile.

    https://developer.apple.com/system-extensions/
     
  22. hayc59

    hayc59 Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,843
    Location:
    KEEP USA GREAT
    where is the download for the latest version 3.08? thank you
     
  23. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    39,487
    TinyWall v3.0.8 (September 27, 2020)
    Download (or: https://tinywall.pados.hu/ccount/click.php?id=4)
    Changelog: #1986
     
  24. hayc59

    hayc59 Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,843
    Location:
    KEEP USA GREAT
    thank you mood you da man
     
  25. ultim

    ultim Developer

    Joined:
    Oct 12, 2011
    Posts:
    650
    Location:
    Hungary
    Hi mroek,
    This is now fixed in my sources and the fix will be released as part of 3.0.9 (the next version).
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.