TinyWall Firewall

Discussion in 'other firewalls' started by ultim, Oct 12, 2011.

  1. ultim

    ultim Developer

    Joined:
    Oct 12, 2011
    Posts:
    650
    Location:
    Hungary
    Sorry, not interested. As I just said, such uninstallers have hard and narrow technical limitations, and IMHO they have very little right to exist. One might work for some applications, or even many (considering that "most" applications just do basic file copying when installed), but from an end-user's perspective it will still be a hit-and-miss, with a relatively high chance of actually doing some damage. 3rd-party uninstallers are dinosaurs from the Win9x-XP era, where both software and hardware had problems we don't have any more today. They also used to work better back then because their job used to be a lot easier/simpler.
     
  2. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,597
    Location:
    USA
    OK, understand and thank you for your fine work.
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,369
    Location:
    The Netherlands
    LOL, seems like firewalls like Little Snitch don't work correctly anymore on the new macOS. So seems like these "system extensions" aren't really ready for prime time. The Windows Filtering Platform is definitely a better solution and you don't even have to develop your own driver, if I understood correctly.

    https://twitter.com/patrickwardle/status/1318440769154240513
    https://developer.apple.com/support/kernel-extensions/
    https://en.wikipedia.org/wiki/Windows_Filtering_Platform
     
  4. g17

    g17 Registered Member

    Joined:
    Sep 30, 2017
    Posts:
    58
    Location:
    MI
    Hi - can anyone verify if Tinywall does now (or is planned to) recognize and handle the HTTPS/3 or QUIC network protocol?

    It sounds like QUIC is UDP in essence so it may be handled currently. Thanks.
     
  5. ultim

    ultim Developer

    Joined:
    Oct 12, 2011
    Posts:
    650
    Location:
    Hungary
    Exactly. QUICK is built on UDP, and HTTP/3 is built on QUICK. For TinyWall all these are just UDP in the end and are naturally supported.
     
  6. g17

    g17 Registered Member

    Joined:
    Sep 30, 2017
    Posts:
    58
    Location:
    MI
    Thanks ultim.

    Sorry in advance for asking another simple question here but...

    Need some guidance on the settings for "prevent modifications to the host file", and "enable block lists".

    Enable block lists
    - Where are these file(s) located, or do I need to create them?
    - How do I add URL's to them?
    - Is this just the hosts file?
    - Is it is the same file for domain and port based blocking?

    Prevent modifications to the host file
    - Why would you do this?
    - is this a hijack protection only?
    - If you enable block lists, should this be disabled so it can be dynamically updated (if the block list is the hosts file)?

    If someone could just point me in the right direction, much appreciated.
     
  7. ultim

    ultim Developer

    Joined:
    Oct 12, 2011
    Posts:
    650
    Location:
    Hungary
    Hi g17,

    Let's go through the question one by one.

    You don't need to create them, TinyWall comes with its own blocklists. They are kept up to date periodically.

    In current TinyWall versions you cannot. This will change in the not too distant future.

    Yes. More specifically, the MVPS hosts file, with explicit permission of its creator.

    The ports blocklist is found inside the profiles.xml database of TinyWall, while the domain blocklist is the already named hosts file. My official recommendation is to not use the ports-based blocklist in TinyWall anymore. It is kept around for some degree fo compatiblity with older versions, but as I've already said on this forum a couple of times, I do not consider it useful anymore and will be removed in a future version.

    To increase your computer's security. The hosts file can be used to redirect known sites to malicious content.

    Yes.

    My advice is to always enable this protection, unless you are trying to use an external program to manage the hosts file. You can even use this feature if you want to use a custom hosts file manually. In this case you would disbale the protection to be able to install your own hosts file, then enabled it again. Then your custom hosts file will be protected.
     
  8. g17

    g17 Registered Member

    Joined:
    Sep 30, 2017
    Posts:
    58
    Location:
    MI
    Thank you!
     
  9. ultim

    ultim Developer

    Joined:
    Oct 12, 2011
    Posts:
    650
    Location:
    Hungary
    New version 3.0.9 is up! If I had to, I'd highlight a couple of important changes. First of all, it turns out automatic rule creation for child processes was broken since 3.0.7, that is now fixed. Then there was a performance issue which resulted in the service becoming unresponsive for many seconds (in some cases up to a minute or so) on some computers when network parameters changed. Fixed. Lastly, password locking is now much more comfortable to use, because you do not have to explicitly select "Unlock" anymore from the tray menu before performing a privileged operation. Instead, you will simply be automatically asked for the password whenever necessary. If a password is set and TinyWall is currently unlocked, the "Lock" menu option is still available to avoid having to wait out the 10min auto-lock period. @mroek: The issue you reported is also fixed.

    The actual number of changes is somewhat larger, but the other stuff is either relatively uninteresting or completely invisible to the user, like stuff that makes my life easier during debugging that I didn't even include in the release notes.

    I consider TinyWall 3.0.9 to be in a very good state now as far as stability and correctness are concerned, so I can highly recommend everybody to upgrade to 3.0.9. Teething problems of v3 should all be gone, and in case you're still on 2.1... well, the upgrade is way overdue.

    Here's the full changelog for the current version:

    Official download as always can be found on the website. The new version will be available over the built-in updates checks too shortly. As always, don't hesitate to ask if you have questions and to report any issues.
     
    Last edited: Nov 2, 2020
  10. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,597
    Location:
    USA
    Should the need arise will TinyWall protect against NAT Slipstreaming?
     
    Last edited: Nov 2, 2020
  11. ultim

    ultim Developer

    Joined:
    Oct 12, 2011
    Posts:
    650
    Location:
    Hungary
    This might be an interesting topic to discuss now, so I'll go into a bit more detail than maybe necessary, but at the same time I think this will be useful information for many users. Not just the part about TinyWall.

    TLDR; Just like any other software firewall on a client machine, TinyWall will not prevent NAT slipstreaming. Not TinyWall, and not any other free or commercial software firewall. I do think though that TinyWall users are in general somewhat better protected, not because it prevents NAT slipstreaming, but because you will have less open ports with TinyWall and so you will have less attack surface when victimized.

    Long version:

    Some background first:
    Nowadays, a user's computer is rarely connected directly to the internet. Typically the computer first connects to a router in the user's own territory, and it is only this router that is directly visible from the internet. These routers do a thing called NAT (network address translation), which is a way to map local IP addresses theoretically only known to the user to public internet addresses. They do this to allow multiple devices (computers, smart TVs, smart speakers, laptops, telephones etc.) to all connect to the internet at the same time while still only consuming a single internet address. One of the consequences of NAT is that a computer on the internet cannot access open ports on the user's machine by default, because the router first needs to be configured to forward IP connection requests from the internet to specific devices in the user's home. This means only a user device can make connections to the internet, but not the other way around. Two exceptions to this general rule are 1) when the user manually configures the router to forward specific ports directly to the user's machine, and 2) when the router runs software protocols to "smartly" start forwarding ports based on traffic patterns. One such example for the latter is the SIP protocol, typically used in real-time audio and video communications (such as chat software or IP-telephony).

    What is NAT slipstreaming:
    NAT slipstreaming is a way to trick routers to make them think they are seeing an SIP packet, to make them start forwarding packets to arbitrary devices and applications inside the user's home. An attacker still needs to figure out what is the internal IP address of a user's computer inside the home, and this is where the browser comes into play. NAT slipstreaming is actually a chaining of multiple bugs: 1) using the browser to figure out where to forward malicious packets from the internet in the home, and 2) using it and the address to trick the router to actually "slip" those packets into the home.

    The role of TinyWall:
    If you read the above carefully, it should be evident that a firewall running on the user's computer has not much role to play during NAT slipstreaming. To put everything I've written before into the perspective of your local computer, a software firewall running on the user's computer has no way to determine if an incoming connection request from the internet is a connection that passed through the router because it was explicitly and willingly configured by the user, or if it passed through the router as a consequence of NAT slipstreaming. Hence, software firewalls on a victim's computer generally won't prevent NAT slipstreaming. However, even if you fall victim to NAT slipstreaming, you still need to have open ports on your local machine that the attacker can start attacking, otherwise NAT slipstreaming in and of itself is useless to an attacker. Said differently, NAT slipstreaming by itself is not so bad as long as it cannot be chained to yet another security vulnerability directly on your computer. For the latter an open port is usually needed. This is where local software firewalls can have a saying. TinyWall will simply block applications from opening ports (unless the user configures TinyWall for that application differently), hence an attacker cannot really exploit NAT slipstreaming even when it was used to get past the router. Other firewalls, on the contrary, will ask the user for every application when they want to open a port, and users will often say "yes" even when they didn't actually need to, just because they recognize the program or service running on the computer, but this makes that application unnecessarily vulnerable to NAT slipstreaming.

    EDIT: I expect that some so called WAFs (web application firewalls) will include rules to undermine NAT slipstreaming, but these are typically only deployed on corporate networks and usually run on separate machines. In any case, they all require expert knowledge for configuration and are definitely not suitable for the typical end-user.

    How to protect yourself from NAT slipstreaming:
    As written above, NAT slipstreaming is by itself not really dangerous, it only becomes bad when chained to another vulnerability inside your home network. This is fortunate, because NAT slipstreaming itself will be hard to prevent. It can only be fully prevented for sure by disabling SIP in your router, but not many routers provide this option. If your router has this option, go ahead and disable SIP in its settings. If you do this, your audio- and video-chat applications will most likely continue to function without problems, but they may experience reduced bandwidth as they will need to reroute multimedia calls over public servers in the internet. Some (most) applications will give you the option of using a pre-determined fixed port for incoming connections, in this case you should disable SIP and configure the router to forward that fixed port to your application's computer. This should prevent the bandwidth reduction.

    Browser manufacturers will probably soon patch their software to limit the exposure of internal IP addresses, so that NAT slipstreaming cannot make use of it. This, unfortunately, does not provide real protection, because in reality, local IP addresses in your home network are highly predictable. So even if attackers will not be able to use the browser to get your private IP anymore, they will be able to easily predict it anyway with good success rates for most users.

    If you are unlucky enough so that SIP cannot be disabled, you cannot really prevent NAT slipstreaming. This will actually be the case for most users. [Note: I am not entirely sure if it is possible to leave SIP turned on and at the same time be protected against NAT slipstreaming. As far as my current understanding goes, it should be possible by not accepting specific SIP packets that are fragmented, so you can try asking your router manufacturer if you are affected at all and if so, whether they plan to release a fix for this. It is also possible your router does not support SIP at all, in this case you are unaffected of course.] In this case the only way to protect yourself is to prevent NAT slipstreaming from being chained to a local vulnerability on your computer, and you do that by traditional good security practices. Keep your software (and other smart devices in your home!) up-to-date and patched against known security bugs, secure your local services with good passwords, and don't run applications that you don't need. And as a last line of defense (or first, depending on your view), use a software firewall like TinyWall to keep open ports limited.

    Important takeaways, IMHO:
    1. Don't panic, NAT slipstreaming is not the end of the world, and is not as dangerous as media publicity suggests. To protect yourself from NAT slipstreaming, I recommend you disable SIP on your router if it offers you this option. If it does not, you may have luck contacting your router manufacturer for official guidance.
    2. As usual, use general security best-practices, such as those laid out in the last paragraph above, and you should be fine. In the case of NAT slipstreaming, it is important to try patch not just your computer, but any embedded, smart, or IP devices in your home. Typical examples include IP cameras, TVs, phones, and of course all computers. Note that you are not patching against NAT slipstreaming, so you will not find it in any firmware release notes, except maybe for your router. You are simply patching against security vulnerabilities that could not be exploited previously without NAT slipstreaming.
    3. Security software on your computer will never give full protection from anything. Do not try to compensate user awareness with software, it doesn't work. Software is just one piece of tool in a toolbox called "layered security". As far as NAT slipstreaming is concerned, no software can prevent it per se, but they can limit the consequences.
     
    Last edited: Nov 2, 2020
  12. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    3,952
    Location:
    Mexico
    Just after installing v3.0.9 my Android phone can't see or browse network shares. Didn't move any setting.

    Quick test: disabled TW and network sharing is fine again.
     
  13. ultim

    ultim Developer

    Joined:
    Oct 12, 2011
    Posts:
    650
    Location:
    Hungary
    There wasn't actually any change related to network shares in 3.0.9. Also, I am using network shares on multiple computers without any problems. Does this problem persist if you try again? Windows sometimes tries to cache network share connectivity state too much for his own good. And of course, make sure the corresponding special exception in TinyWall is enabled.
     
  14. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,597
    Location:
    USA
    Thank you ultim for a well written and very helpful response.
     
  15. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    3,952
    Location:
    Mexico
    Yes it does.
    Lets arrange a remote session if needed no?
     
  16. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    3,952
    Location:
    Mexico
    Trying to install previous version 3.0.8

    nodowngrade.png

    I had to uninstall then install previous version. An in-place downgrade capability would be nice if you added it.

    Version 3.0.8 is working well, no network shares issues at all.
     
  17. Toshvan

    Toshvan Registered Member

    Joined:
    Nov 21, 2008
    Posts:
    16
    Upgraded to 3.0.9 and also got the problem with network shares.
    Can't see or browse network shares on the Windows 10 PC the minute after upgrading to 3.0.9. Tried from both Windows 10 and Windows 7 PC-s.

    I can ping that PC via IP, but not via the host name. After disabling Tinywall all is functioning as before, network sharing and all.
    This is Windows 10 OS on older machine, and Tinywall is the only firewall (win10 firewall is disabled).
     
  18. ultim

    ultim Developer

    Joined:
    Oct 12, 2011
    Posts:
    650
    Location:
    Hungary
    Hi,
    Yes, thanks to MrX's great help the problem has already been debugged and there will be a hotfix for this very shortly.
     
  19. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    3,952
    Location:
    Mexico
    Hotfix is working fine, success!
     
  20. Toshvan

    Toshvan Registered Member

    Joined:
    Nov 21, 2008
    Posts:
    16
    Splendid. :)
    Cheers, and thanks.

    In retrospect I should have provided more info (Win10 version is LTSC Enterprise, 1809.1131, Microsoft .NET Framework 4.8, etc), but it seems you are way ahead in solving this. :thumb:
     
  21. ultim

    ultim Developer

    Joined:
    Oct 12, 2011
    Posts:
    650
    Location:
    Hungary
    3.0.10 is out with a sole fix for the above issue.
     
  22. Toshvan

    Toshvan Registered Member

    Joined:
    Nov 21, 2008
    Posts:
    16
    Confirming that 3.0.10 works fine.
    Thanks again, Tinywall is a fine piece of software and a pleasure to use.
     
  23. suta

    suta Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    12
    Location:
    Australia
    which file/folder/registry I need to exclude when using TinyWall with Shadowdefender? To save the rules applied during shadow mode?
     
  24. ultim

    ultim Developer

    Joined:
    Oct 12, 2011
    Posts:
    650
    Location:
    Hungary
    All the executable files of TinyWall are installed to the chosen installation folder, while the firewall rules are saved inside C:\ProgramData\TinyWall. There are other places TinyWall can write to too though, such as for saving user-specific settings and the hosts file.
     
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,369
    Location:
    The Netherlands
    Quick question, I installed TW on Win 10 and I noticed that when you exit TinyWall, it keeps blocking outbound connections right? And if you disable TW via the tray-icon, it won't disable the Windows Firewall, is this correct? Another question, do you need to make a special rule in order to make Win SmartScreen work?
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.