TinyWall Firewall

Discussion in 'other firewalls' started by ultim, Oct 12, 2011.

  1. nimimerkki

    nimimerkki Registered Member

    Joined:
    Apr 11, 2021
    Posts:
    3
    Location:
    Finland
    Hello. I'm very new to using TinyWall, installed it a couple of days ago, on a Windows 7 machine. First of all, I'm very impressed by the efficiency and minimalism of this program. A couple of questions come to mind though, so maybe I could try asking them here.

    1. A couple of times when I've put TinyWall in learning mode for a short time, a bizarre entry has appeared at the end of the exceptions list. Its icon is a red X, it's listed as an executable, and the application name and path are both listed as "-". If I click it, it's listed in the window as "Unknown application". Well, I've just removed it from the list if it's appeared. So, what could it be? Seems like an invalid item of some kind. Could it have something to do with the fact that when I didn't know what I was doing (or, well, I still don't, which is why I'm asking questions), I was clicking "Unblock" on "System" in the "Show blocked apps" list, until I noticed it couldn't really be done. The mysterious red X hasn't reappeared lately, but then again I haven't needed to go back to learning mode for a while. I'll attach a screenshot here if I can: at the top of that picture is that mysterious last line of the exceptions list, and below that is the window that opens if I click it.
    https://imgur.com/a/f4ucVCD

    2. What to do about all this Windows traffic, block or allow? I realize this is potentially a gigantic topic, and I'm not expecting easy answers, but pointers / opinions / best practices would be helpful. I think my earlier firewall just let almost all Windows traffic through, and that seemed to be all right. I see that TinyWall on the other hand blocks a lot of Microsoft connections by default, but I guess that's all right too? I read in the FAQ that "System" and "svchost" can't even be categorically unblocked in TinyWall, for security reasons. I guess that in TinyWall choosing what Windows connections to allow happens mostly in the "Special Exceptions" tab, which I've left at defaults, and I suppose that's enough to let Windows work as expected. But yeah, whenever I look at the connections blocked in the last 5 min, it's always shown as blocking several system connections. What are those connection attempts all about, what things fall under the "System" heading there? Another thing I've noticed is that although "System" and "svchost" can't be unblocked, other Windows processes will eventually end up on the "Application Exceptions" list if learning mode is used - so far, "lsass.exe", "services.exe", "wininit.exe". And that's another question that confuses me somewhat, should I let those things be there or should I remove them from the list? Or does it make very little difference if any? Initially I let them be there, because I thought Windows knows what it's doing, but now I've removed them from the list, because I guess allowing only the Windows connections listed in "Special Exceptions" is enough and doesn't hamper Windows functioning in any way?

    3. This one's not a question really but more of an enhancement suggestion: how about adding another column to the application exception list that shows the type of exception (e.g. unrestricted / outgoing) in the list view without having to click each entry separately to see it?

    4. And this one's another feedback thing rather than a question: I notice there's a lot of useful information buried in this discussion thread that's not in the FAQ or anything, but this thread is rather long and some of the useful information might be buried too deep in here. One thing in particular that confused me for a while was whether to keep Windows Firewall on or off, that one's not in the FAQ and unfortunately there's conflicting information about it on the internet. Luckily I browsed this discussion far enough back to find the developer's post #1938, which has the information I was looking for (so, keeping the Windows Firewall also on). :)

    Thanks for a very fine firewall. :)
     
  2. ultim

    ultim Developer

    Joined:
    Oct 12, 2011
    Posts:
    650
    Location:
    Hungary
    Hello nimimerkki,

    1) You can ignore the "-" entries created often when using Autolearn. It is a result of a harmless bug in TinyWall, and will be solved in the next version. You can remove these entries if you'd like but there is no harm in them.

    2) Yes this is a huge topic so forgive me if I won't go into details. Also, of course you can unblock both System and svchost in Tinywall, it is only not recommended. But here are a couple of pointers:
    - Not all, but most of the connections you see from svchost and System are related to File and Printer Sharing and Network Discovery in a standard Windows setup.
    - If you want to find out what each blocked connection is, your best bet is to research what the port numbers in the connection are. If you cannot narrow down based on port number, process name and remote endpoint, there is not much else you can do to ind out.
    - If you unblock services, try not to do that from the Connection window, because it only let's you unblock files. So if a file is used by multiple services (such as svchost), you'd unblock all services using it, which is probably not what you want. Go into the Manage window and add a service-type exception manually to narrow down your rule
    - Due to a very unfortunately design decision on Microsoft's part, you cannot have Windows updates without unblocking all svchost services. So in TinyWall's standard configuration, which enables Windows updates, many services are actually allowed. You can "improve" this situation by turning off the Windows Update special exception, but then automatic Windows updates won't function.

    3) We'll see. Tbh you are not the first one requesting this feature, but atm I'm a bit hesitant to make large'ish changes to the visual aspects of the UI. Mostly because in the long term I want to give a new look to TinyWall and modernize its visual aspects, so any bit of major work on the UI front before that feels redundant. I know this is not so, but I still can't shake the feeling off.

    4) You are right, this should definitely go into the FAQ.
     
  3. nimimerkki

    nimimerkki Registered Member

    Joined:
    Apr 11, 2021
    Posts:
    3
    Location:
    Finland
    Thanks for a very informative summary about the system connections stuff. On the internet such information is hopelessly lost in the swamp of intensely opinionated debates about whether your Windows is spying on you and how evilly, so it's actually very valuable to find a rare level-headed fact-based introductory overview of what is actually going on with the system connection attempts.

    I checked that I have both "File and Printer Sharing" and "Network Discovery" turned off somewhere in Windows settings anyway. There are a couple of outgoing blocked connection attempts showing constantly in the connections view, those are the system connections that are listed as using IGMP and ICMPv6 protocols, and at least the IPv4 remote address is recognizable as my modem/router. Out of curiosity I also did Google searches for a couple of the occasional TCP connection attempts by the system which get blocked, but found nothing more useful than that port number 443 means https (yay, I'm learning something) and the remote addresses are generic places like Amazon, Akamai, Highwinds, in other words, big companies that host stuff for other big companies.

    So yeah, I settled on the Windows stuff being managed by the "special exceptions" settings only, and didn't add any Windows services to the "application exceptions" list. Out of the Windows executables that ended up on the list as a consequence of autolearn, I let only mrt.exe remain on the list.

    Since you're here and listening to long-term enhancement requests, I'll make another wish. I feel that it could be a great help in some situations if there was a list of blocked apps somewhere for a longer time period than the five minutes we currently have to see them. Like maybe a new tab in the interface, but it doesn't even have to be that much, even a log file listing blocked applications would be perfectly sufficient. Especially a log file would be a low-key solution that could allow TinyWall to be more informative about its actions while remaining true to its philosophy of no interruptions or popups. Because the consequences of a program getting silently blocked from the internet are not always obvious (could be something as subtle as an autoupdate silently failing for years before getting noticed), the current behavior introduces a psychological element of uncertainty that could be dispelled with more information.

    On the other hand, it could be that the five-minute window is enough and I'll find that out over time. Maybe it just feels odd at first and takes some getting used to.
     
  4. ultim

    ultim Developer

    Joined:
    Oct 12, 2011
    Posts:
    650
    Location:
    Hungary
    I've updated the FAQ. I've added in the information from post #1938 and did some minor updates to existing entries too.
     
  5. nimimerkki

    nimimerkki Registered Member

    Joined:
    Apr 11, 2021
    Posts:
    3
    Location:
    Finland
    Thanks. I re-read the FAQ and also followed its suggestion to enable the domain blocklist. I think by now I've got my settings sorted and can just be satisfied I've got a solid new firewall in place. :)
     
  6. g17

    g17 Registered Member

    Joined:
    Sep 30, 2017
    Posts:
    58
    Location:
    MI
    Hi - I have a quick question after looking at the "show connections" menu.

    I have an email notifier program called Pop peeper v4.5.2

    Under the manage menu, I have restricted that executable (and tried the child processes also), to the email ports 995 and 465.

    In spite of this, I see sometimes that the .exe is connected to 443 (https).

    Is this an admin/elevation issue, and how can I fix it? Thanks. I do run TW elevated most of the time.
     
  7. RoRoman

    RoRoman Registered Member

    Joined:
    Apr 16, 2021
    Posts:
    2
    Location:
    Bedroom
    Hi, I registered here to be able to seek support/advice for TinyWall, I hope this is the correct thread. I'm having an issue where whitelisted processes keep being blocked. Two examples I can give are avg.exe (Kaspersky Security Cloud) and expressvpnd.exe (ExpressVPN, obviously). In TinyWall, when I go to Show Connections and select show blocked apps, I see multiple instances of these processes, trying to connect through (or just checking) different ports. No matter how many times I select them there and click Unblock, the problem persists. Also, I noticed that when I go to Manage > Application Exceptions > Modify and select Apply same rules to child processes, that setting isn't preserved and the selection is not there after the next reboot. I'm using TW 3.0.10 on Windows 10.0.19041. Any way I can diagnose and/or fix this issue?
     
  8. g17

    g17 Registered Member

    Joined:
    Sep 30, 2017
    Posts:
    58
    Location:
    MI
    Are you sure you are saving the changes?

    Tinywall has an odd (to me) quirk, where, when you click OK after you modify the item, you still need to click on the apply button or your changes will be lost. I've done this more than a few times without thinking..

    I've had no luck with the unblock command either. Your best best would be to go into the manage tab, and add the actual .exe file. You may want to apply same rule to child processes because sometimes it is not apparent that child processes could be the issue if they run silent.

    Other than that you may have permission issues. Do you have an admin account?

    Hopefully some others will respond that are much, much smarter than me. :)
     
    Last edited: Apr 17, 2021
  9. RoRoman

    RoRoman Registered Member

    Joined:
    Apr 16, 2021
    Posts:
    2
    Location:
    Bedroom
    Thank you for getting back. Yes for all your check points -- I did click 'Apply', I did add the actual exes through Manage and it's an admin account.

    Perhaps it's worth adding that both KSC and Express VPN work anyway, it's just with those blocked processes I have no way of checking if they work to their full capacity and aren't open to vulnerabilities.
     
  10. ultim

    ultim Developer

    Joined:
    Oct 12, 2011
    Posts:
    650
    Location:
    Hungary
    No, administrative rights should not be a problem. Can you send me screenshot of your exception details window?
     
  11. ultim

    ultim Developer

    Joined:
    Oct 12, 2011
    Posts:
    650
    Location:
    Hungary
    Without knowing details or inspecting the process it is hard to tell why it would show up as blocked even though it connected. But vaguely, It wanted to do something that got blocked, but then obviously it tried something else and in the end it connected. The default rules in TinyWall only allow TCP and UDP connections. So one possible explanation is it first tried a VPN protocol that uses something else too (such as ESP/AH for IPSec or GRE for PPTP), and when it failed, it fell back to a TCP/UDP implementation. I'm really just guessing here, but especially for VPN clients, this is very plausible. Also, this is not necessarily a bad sign. PPTP for example is known to have security weaknesses, so, at least assuming this was the reason, you might be even better off this way.
     
  12. g17

    g17 Registered Member

    Joined:
    Sep 30, 2017
    Posts:
    58
    Location:
    MI
    Do you mean this?

    Capture.JPG

    It doesn't do it all the time, maybe phoning home on a schedule?

    I looked up the IP address, it appears to be a cloud email service (can't remember the name now).
     
  13. ultim

    ultim Developer

    Joined:
    Oct 12, 2011
    Posts:
    650
    Location:
    Hungary
    It could be phoning home, or maybe some feature, who knows. What I'd like to know is how it managed to connect over port 443 with your current rule setup. When you see it happen again, could you send me a screenshot of the Connections window too? Sorry for asking these things of you, I'm just looking for clues what might be happening.
     
  14. g17

    g17 Registered Member

    Joined:
    Sep 30, 2017
    Posts:
    58
    Location:
    MI
    No problem, I appreciate the help. Can't diagnose anything without information right?

    I haven't seen a 443 connection today but it just occurred to me, I see port 993 connections all the time, and they are not on my list either.

    993 is for IMAP which I do not use. Thanks.

    Capture.JPG

    I have another port monitoring utility from Nirsoft called CurrPorts, here is a detail window from that showing the 993 connection.

    Capture2.JPG

    OK, here is a 443 connection today 4/24.

    Capture.JPG

    That IP address is Zack's investment research. Oddly, in my PopPeeper inbox there was an email from them.

    I see other connections as blocked so I know Tinywall is working. Is this a setting I somehow clicked on that is allowing this?
     
    Last edited: Apr 24, 2021
  15. jimbomahoney

    jimbomahoney Registered Member

    Joined:
    Apr 23, 2021
    Posts:
    2
    Location:
    UK
    Hi all,

    Ever since installing TinyWall, I can no longer get VNC to work (incoming connections from local network).

    I also had TW set to allow local traffic.

    Here's what I've tried:

    1) Set TW to disabled.
    2) Uninstall TW.
    3) Reset Windows Defender Firewall to defaults.
    4) Reinstall RealVNC, which I expected to restore the exceptions necessary.
    5) Add an Exception manually to Windows FW to allow all VNCServer connections.
    6) Add an Inbound rule to Windows Firewall to allow 5900-5901 on Private and Domain.

    The computer I'm trying to access from can access another computer (a Raspberry Pi) using RealVNC, which suggests the problem is on the machine I'm trying to connect to, not the one I'm trying to connect from.

    Any ideas?
     
    Last edited: Apr 23, 2021
  16. jimbomahoney

    jimbomahoney Registered Member

    Joined:
    Apr 23, 2021
    Posts:
    2
    Location:
    UK
    Never mind, I've gone with TeamViewer, which is better than VNC for my purposes.

    I might try TinyWall again and see if I can get them playing together nicely.
     
  17. StealthyTrojan

    StealthyTrojan Registered Member

    Joined:
    May 18, 2020
    Posts:
    24
    Location:
    Portugal
    I've tried Malwarebytes Windows Firewall Control more than once, but I found always the same problem, it keeps blocking svchost.exe even after allowed. And surely it isn't very smart to allow svchost entirely and keep allowing every thing related to it, but even after allowing svchost.exe altogether, I still get some svchost blocked connections in the activity log, which is very strange!
    How does TinyWall deal with this?
     
    Last edited: Apr 26, 2021
  18. g17

    g17 Registered Member

    Joined:
    Sep 30, 2017
    Posts:
    58
    Location:
    MI
    Ultim - Here are some clearer screenshots of the port 443/80 connections. It does appear directly related to the emails I receive.

    Capture.JPG Capture3.JPG

    The IP's do not appear to be malicious or malware related, but there is still the issue of how they are connecting.

    I tried removing the POPPeeper entry from the exception list also. This should mean it has no network privileges at all, and the program connected and checked my email without any issue.

    Then I check the always block all traffic button and applied those changes. This worked and prevented the program from connecting.

    I think this is something I've done, but not sure what.
     

    Attached Files:

    Last edited: Apr 26, 2021
  19. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,373
    Location:
    The Netherlands
    BTW, is it recommended to give system.exe unrestricted UDP and TCP access? I ask this because sometimes I wonder if my Devolo Powerline adapter loses the connection to my laptop because of certain blocked connections.
     
  20. ioniz

    ioniz Registered Member

    Joined:
    Dec 18, 2012
    Posts:
    4
    Hello! I'm using an encrypted removable drive for a lot of my applications, so my startup process is: get into windows (W7 64), connect drive, decrypt and finally run a batch file that opens my "startup" apps from that drive (telegram, thunderbird etc.)

    Unless I wait quite a long time between decrypting the drive and running my batch file, TinyWall blocks all apps on the removable drive from connecting to the internet. Their rules in "Manage -> Application Exceptions" are shown with a red X icon when their executables are not accessible, but TinyWall's knowledge of their accessibility doesn't refresh very often, hence the necessarry wait (I can, of course, manually open "Manage -> Application Exceptions", which refreshes the rules).

    Is there any way to a) make the rules work even if their executables are not found, or b) to refresh TinyWall's knowledge of the executables' accessibility via a batch file?
     
  21. ultim

    ultim Developer

    Joined:
    Oct 12, 2011
    Posts:
    650
    Location:
    Hungary
    @g17 Can you try disabling the Windows Update special exception? Can POPPeeper still make a 443 connection then?
     
  22. g17

    g17 Registered Member

    Joined:
    Sep 30, 2017
    Posts:
    58
    Location:
    MI
    Yes, it still made the connection when I did that.

    I did find something interesting last week though.

    This program is a email notifier. It checks my mail on the servers so I can view it and potentially delete any suspicious looking mail.

    Under the view tab in settings, if I choose HTML it open a 443 connection when I click on a message.

    If I choose rich text, it does not (and the mail format looks different obviously)

    This program seems to bypass most rules somehow. I tried removing it from my exceptions completely and it connected just fine and checked my mail, but if I choose block all connections, it does that. Head scratcher.
     
  23. g17

    g17 Registered Member

    Joined:
    Sep 30, 2017
    Posts:
    58
    Location:
    MI
    Could this have something to do with the fact that I sandbox this application with sandboxie? Is the path to the executable in the sandbox now and not in x86 program files?

    I noticed the other day also, Google Chrome has an annoying .exe called the software reporter tool, that I deleted from my computer, but when I run Google in the sandbox that damn thing shows up in there and runs.
     
  24. ultim

    ultim Developer

    Joined:
    Oct 12, 2011
    Posts:
    650
    Location:
    Hungary
    I installed POPPeeper in the hope of reproducing this. I installed the latest non-pro version (5.1.2) and pointed it at my IMAP mailserver. In TinyWall, I only allowed it to connect to TCP port 143 (my mailserver is setup to only allow IMAP with STARTTLS). POPPeeper synchronized my mailbox and can show me my mails, and of course if an HTML mail specifies an external resource it tries to fetch it using port 80 or 443 (depending on the URI in the message), but for me these connection attempts are blocked by TinyWall. POPPeeper is also constantly trying to access 192.0.73.2 even for text mails, which seems to be a gravatar server, so I guess this has to do with its "Profile Picture" plugin that got installed with the main application. I also saw it try to access a Google server once, no idea why. But anyway, all these got blocked and TinyWall never showed a single established connection over any other port than 143, which is the IMAP port I allowed.

    So the bad news is, I cannot reproduce the issue. Is it possible some other application on your computer is proxying these connections for POPPeeper? For example, some security products are known to do that. Though I have to admit usually that would show up in TinyWall under the name of the app that is proxying and not under POPPeeper, but who knows, maybe MS changed something again. The fact that in Block All mode POPPeeper does get completely blocked suggests the TinyWall isn't failing to block, just some rule (built-in or custom) lets these connections through when in Normal mode.
     
  25. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    3,953
    Location:
    Mexico
    I got pop peeper pro. Not willing to test anything myself lol
    Do you want a remote session?
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.