UFW Firewall Equivalent for Windows

Discussion in 'other firewalls' started by driekus, Oct 14, 2015.

  1. driekus

    driekus Registered Member

    Joined:
    Nov 30, 2014
    Posts:
    489
    I currently use UFW on my Linux boxes, where I have only select IP addresses and ports open and Deny All for incoming and outgoing unless specified.
    Is there an equivalent program for Windows? I have a Windows 7 box that is currently air gapped. From time to time, though, I need internet access for a single site. I don't want to enable internet access to the greater internet or let Windows dial home.
    Any suggestions?
     
  2. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,982
    Location:
    Brasil
    A Windows air gapped machine? :(
     
  3. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
  4. driekus

    driekus Registered Member

    Joined:
    Nov 30, 2014
    Posts:
    489
    Yes, I have a single Windows machine that I use for gaming and I typically don't connect it to the internet. It would be handy to be able to connect it to my work VPN and do my work on my big TV. Qubes OS is good but running remote desktop within a VM is not the greatest experience on a 12.5 inch screen. My only concern is controlling the outgoing traffic to a single IP address.

    I use a Ubiquiti router; I am sure it is possible in the router. I just lack the ability to configure it correctly without messing anything else. Great router but not user friendly. I may look into a low cost dd-wrt router but would prefer software solution.
     
  5. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,982
    Location:
    Brasil
    From what I know, no matter what you do, Microsoft will still be able to crack into your computer (because of pre-built backdoors); but you can almost guarantee that no blackhat cracker can get into your system. Having this in mind, you must know that there's almost nothing you can do to prevent Windows from connecting to Microsoft, unless you actually use another firewall that is not installed in Windows itself (like your router's firewall). If this is a concern, I recommend you set up a separate firewall like pfsense.

    However, if blackhats are your main concern, there are numerous firewalls that can do similar to what GUFW does, as @J_L pointed out. You'd have to test each one of them in a virtual machine to see which has the best configuration for expert users.

    Speaking from personal experience, COMODO is by far the best firewall I tested. You can actually do more with COMODO than GUFW, like allowing only certain apps to connect to the internet to certain IPs with certain connection types (ICMP, UDP, TCP, etc).
     
    Last edited: Oct 15, 2015
  6. driekus

    driekus Registered Member

    Joined:
    Nov 30, 2014
    Posts:
    489
    My goal is to get 99% of the way there. Highly unlikely that I am a target for MS, more looking to reduce data leakage. The computer will also be only connected briefly (once or twice a month).
    I will give Comodo a shot and probably keep an eye on traffic with Wireshark. Thanks for the advice.
     
  7. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    If you're going to use Windows, just accept that everything will leak, and plan accordingly.

    That is, make sure that the system doesn't know anything that you don't want Microsoft etc to know.
     
  8. Boblvf

    Boblvf Registered Member

    Joined:
    Aug 10, 2014
    Posts:
    103
    Hi,


    Windows leaks a little, but sends no personal data, it is a lie.


    Windows firewall is enough: with Windows 8, block explorer.exe outbound TCP and UDP; with Windows 10, block:

    Background Task Host: backgroundtaskhost.exe

    Windows SQM Consolidator: wsqmcons.exe

    Microsoft Compatibility Telemetry: compattelrunner.exe

    Microsoft Feedback Imus Deployment Manager Client: dmclient.exe

    Host process for Windows tasks: taskhostw.exe

    Search and Cortana application: searchui.exe C:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe

    Windows Problem Reporting: C:\windows\system32\wermgr.exe


    Comodo is a bad choice, it is complicated, and it sends your personal data, look in the EULA.
     
  9. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,982
    Location:
    Brasil
    Can you point me exactly to where it says so?
     
  10. driekus

    driekus Registered Member

    Joined:
    Nov 30, 2014
    Posts:
    489
    Windows leaks a lot of data. That was my initial source of concern. I use Wireshark and traffic monitoring on my Ubiquiti router. Windows leaks like a sieve as does Android and iOS.

    I played around with Comodo and agree that it is relatively complicated. It does clearly give you the option under custom settings to prevent Comodo sending information home and the setting does work. I can confirm that fully enabled there is no data leakage. In the end I probably will go down the DD-wrt path but Comodo was a good option.
     
  11. Boblvf

    Boblvf Registered Member

    Joined:
    Aug 10, 2014
    Posts:
    103
  12. Boblvf

    Boblvf Registered Member

    Joined:
    Aug 10, 2014
    Posts:
    103

    "Windows leaks a lot of data"

    What is this traffic? Personal data or not? Ubuntu leaks to Canonical, is that personal data?


    "I use Wireshark and traffic monitoring on my Ubiquiti router"

    24 h? ... pfff! You cannot block svchost traffic to Windows (Msn bot, Diag track, etc.); the IP changes.
     
    Last edited: Oct 16, 2015
  13. Boblvf

    Boblvf Registered Member

    Joined:
    Aug 10, 2014
    Posts:
    103
    If you want no leaks, use Tails, or Debian with UFW, Wireshark, Tor, and Nmap, nothing else, the NSA watches over you ...
     
  14. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,982
    Location:
    Brasil
    From the website:
    I've used COMODO for years and not once was asked to hand over personal information. Like @driekus stated, COMODO offers its users the option to not send any info at all, and it actually works. You can test that if you want. COMODO respects the users' privacy.

    You mentioned Google, right? It's easy to not allow Google Analytics to run on the web browser and to not allow Google to store browser cookies. If the user really cares about Google's invasions, then this user must have in-place measures that affect all websites that use Google Analytics, not only COMODO's. It's not like COMODO is the only website that uses Google services and APIs, many websites do it as well. Most people, like OP, don't care about this kind of stuff and they shouldn't be guided to not use such a magnificent product as COMODO's.

    Was there a dot between UFW and Wireshark? If so, you didn't seem to get the point. Do you even know WHY one would use Wireshark?

    And your comment about Tor? "LOL", literally. I wonder if you know that Tails uses the Tor network as much as possible :argh:

    Debian has an open port by default, IIRC it is 110. Not only that, but Debian is known for having bad crypto management, and its developers are not as good as people make them look. Debian, for a good part, is a poorly managed distro. I wouldn't use it; instead, I'd use Parabola or even Arch with a few Parabola packages like your-privacy, your-freedom, and Iceweasel.

    GUFW requires a package called "Geo-Location". I'm not sure what the implications are, but I don't use GUFW because of this. Instead, I use my own custom firewall ruleset (look at my signature).

    Yeah, Canonical really did a nasty move with Ubuntu. However, I think non-Unity Ubuntu releases (like UbuntuMATE or Kubuntu) are safe from the spyware.
     
    Last edited: Oct 16, 2015
  15. Boblvf

    Boblvf Registered Member

    Joined:
    Aug 10, 2014
    Posts:
    103
    We must use Comodo, and not UFW ... Debian has port 111 open ... ok ok ! continue alone.
     
    Last edited: Oct 16, 2015
  16. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,982
    Location:
    Brasil
    I never said that :) I don't like when people put false words into my mouth, it shows their true character.

    It does, but I'm not sure it's 110. I'm not saying that an open port is a bad thing (it's a terrible thing for home users), but that is one opportunity for crackers to find a vulnerable service and thus attack the machine. I like all my ports closed.
     
  17. Boblvf

    Boblvf Registered Member

    Joined:
    Aug 10, 2014
    Posts:
    103
    08:08:01 SVCHOST.EXE OUT TCP 65.55.44.109 443 Generic Host Process HTTPS connection 6264 4693

    The user of IP address 65.55.44.109 (65.55.44.109 - Microsoft Corp) is located in Redmond (United States - Washington).


    Windows 10 reporting is normally blocked on my PC (in parameters and firewall), but if Cortana is blocked, wermgr.exe or other sends to the same Windows IP or its servers, if I block wermgr, svchost sends to this IP ... impossible to block svchost if the IP changes.


    Windows leaks a little, but it is not personal data.

    People do not read the EULA, so Comodo leaks personal data.


    Don't be marketing or NSA victims.
     
  18. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,982
    Location:
    Brasil
    You didn't seem to read the EULA, not to mention you didn't refute any argument I made on this post.

    Can you actually prove that COMODO leaks data?

    Says the guy who uses Windows, an operating system proven to have numerous backdoors :argh: This is comedy gold right here.
     
  19. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,186
    Comodo used to be such a leaking firewall unless you used the HIPS and wanted to get into a popup hell. It was like svchost was allowed open wide to all Windows services that use it. I have no knowledge of current versions, nor am I interested, but I suspect it is still the same.

    TinyWall on the other hand even today prevented me from one unnecessary windows update KB that I searched and that seems to have caused problems with users. Might be one to force feed win 10. Something that needed extra svchost.exe allowance. TW gives no popups for such things, just blocks them. Normal updates come fine with my win 7.

    TW does not give an option to control some remote IP for perverse? uses like the OP wanted. It is seldom needed to control remote IPs for a normal user for sure. Gives restricted environment for home normal users. Zero CPU, no drivers installed.
     
  20. driekus

    driekus Registered Member

    Joined:
    Nov 30, 2014
    Posts:
    489
    Thanks for the advice Jarmo. I played around with TinyWall and I can make it work for my application. I can just restrict by application rather than IP. Yes it does open me up to general browser leakage but I can live with that. Looked on Wireshark and can confirm the leakage is a minimum.

    Boblvf: The concept of leaking personal data is one of perspective. I know this post has been moved from the privacy forums so hope this thought is still appropriate here.
    Most data transmitted from your computer is to some degree personal. Information on what apps you use in what order, what times you are using your computer are all in my eyes personal information. I greatly limit my external facing data leakage in Qubes OS. The only external facing application I have on my PC is my Web Browser and that is run through TOR and a VPN. The remainder of my computer is isolated within VMs with no external internet access. I don't use Ubuntu VMs, only Debian, Fedora and Whonix.
     
  21. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    1,732
    Are you new to windows (7) or at least somehow experienced?

    ofc you can use a deny/allow policy but for windows itself i won't recommend this.
    you can lock out telemetry or gwx patches (cortana is only available since win10).
    windows updates are important! (even if it breaks some software :rolleyes: for a day or so)

    3rd-party firewalls - i also use one of those. TinyWall may fit your needs but be aware that it is still over 2 years old and windows has changed some code and security. i don't expect it working at 100% whether or not you notice errors
    http://tinywall.pados.hu/reviews.php

    btw have you tried the windows firewall (with advanced settings) itself?
    what about "windows firewall control" from binisoft?
    https://www.wilderssecurity.com/threads/windows-firewall-control-4.347370/
    anyway a router is the best method for connectivity, i think you already know.

    the logfile for a directly connected windows will grow anyway. you can give 2ct on each entry or set and forget. i remember my time with outpost firewall, at least it was annoying to read about pointless port attacks.

    HTH
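
Added example (not part of any post in this thread): the deny-all, allow-one-address policy the original poster asks for, expressed with the built-in Windows firewall suggested above, as a `netsh advfirewall` batch script for an elevated command prompt. The VPN address (a documentation-range placeholder), protocol, port, rule name and backup path are assumptions to replace with your own values.

```batch
@echo off
rem Added example: default-deny Windows Firewall policy with one outbound exception.
rem Run from an elevated command prompt (netsh advfirewall: Windows 7 and later).
setlocal

rem --- Assumptions: placeholder values, replace with your own ---
set "VPN_IP=203.0.113.10"
set "VPN_PROTO=UDP"
set "VPN_PORT=1194"
set "RULE_NAME=Allow work VPN only"
set "BACKUP=%USERPROFILE%\fw-before-lockdown.wfw"

rem 1. Keep a copy of the current policy (only the first run writes it), so it
rem    can be restored later with: netsh advfirewall import "<backup file>"
if not exist "%BACKUP%" netsh advfirewall export "%BACKUP%" || goto :fail

rem 2. Firewall on; block inbound AND outbound by default on every profile.
netsh advfirewall set allprofiles state on || goto :fail
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound || goto :fail

rem 3. The single exception: outbound to one address, one protocol, one port.
rem    The rule is by IP address, so no DNS exception is required for it.
netsh advfirewall firewall add rule name="%RULE_NAME%" dir=out action=allow ^
    protocol=%VPN_PROTO% remoteip=%VPN_IP% remoteport=%VPN_PORT% || goto :fail

rem 4. Log dropped connections so blocked traffic can be reviewed afterwards.
netsh advfirewall set allprofiles logging droppedconnections enable

rem 5. Review the result. Outbound allow rules that were already enabled
rem    (for example the built-in Core Networking rules, including DHCP) still
rem    apply under the default-block policy; disable the ones you do not need.
netsh advfirewall show allprofiles firewallpolicy
netsh advfirewall firewall show rule name=all dir=out

echo Lockdown applied. Backup of previous policy: %BACKUP%
exit /b 0

:fail
echo A netsh command failed; the policy may be only partly applied. 1>&2
exit /b 1
```

With outbound blocked by default, per-program block rules such as those listed earlier in the thread are only needed for programs that a pre-existing allow rule would otherwise let out.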
     
  22. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,186
    Brummelch, have you ever bothered to go look at the rules made in the Windows firewall?

    I would not risk my firewalling to some fancy interface that is always updating its GUI. Added this and that for greedy audience to get paid.
    It might be good, but I would not risk my security when not knowing the actual rules made. So I suggest when you have time from your hacking activities to go check them rules.

    And spreading false information that too: Beta-testing TinyWall

    I agree that it is best to keep Windows updated as well as browsers and other software connecting to internet.
     
  23. driekus

    driekus Registered Member

    Joined:
    Nov 30, 2014
    Posts:
    489
    This post was originally posted in the Privacy section of the forum but moved to the firewall section. My interest in doing this was in the context of privacy. As such with Windows 7 I do not use Windows updates or generally allow Windows access to the Internet. The only time I require network access to my system is to access my work VPN. For all intents and purposes my system is airgapped. I am definitely not a new Windows user but I run things on the paranoid side and do not trust Microsoft at all. Personal preference and people are free to make their own decision.
     
  24. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    1,732
    ok, then i'm out of that. my free decision ;) anyway i am not sure if you can block important windows services and features completely. that's something microsoft coded very deep into windows nature for security reasons. that's why i am not sure if you can block this with a firewall because bypassing the windows net stack. if you can configure programs to use vpn and windows not, you will have a chance. gl.
     