Best free firewall software

Are there any good free firewalls out there?

Reply to
Stewart

I guess you mean for Windows?

Well, Windows Firewall is pretty fine. IPsec doesn't work statefully, and IPFilter is pretty lousy to configure.

Of third-party products Wipfw (Win-IPFW) is the only serious one, even though it doesn't offer packet generation/manipulation yet.

Comodo has a port of OpenBSD's 'pf', but they messed it up by bundling application control.

Reply to
Sebastian Gottschalk

If the box that connects you to your DSL or cable internet does NAT, it makes an effective brick wall firewall for incoming connections unless you screw with the factory settings and let something in.

There are a bunch of internet port scanner services that can test you from the outside. They'll tell you if you have any ports open.

If you can dedicate an old PC to the task there's IPCop and m0n0.

Reply to
Al Dykes

Sadly this is not true. Especially low and medium cost SOHO products do incorporate a lot of NAT helpers (e.g. FTP) and certain heuristics (DNS, P2P, certain game protocols) to do best-guess forwarding of unrelated packets (in terms of Layer 4). If just the router does DHCP and only one client is connected, some are even doing a full 1:1 NAT forwarding. This is technically correct and a good thing, because NAT should provide and not hinder connectivity - it is not intended and usually not suitable for firewalling.

There are few usable online port scan services. Actually, I only know one that is not known to be f***ed up.

A Linksys router with an alternate firmware is usually cheaper in terms of cost for electricity. For extensive self-build variants, take a look at the mini PCs at Soekris.

Besides that, this is usually not worth the money. Not having any firewall or just using a host-based packet filter is usually sufficient for almost any SOHO scenario. And this only applies if you've got a serious clue about TCP/IP and firewalls; as a normal user you won't need any packet filtering at all.

Reply to
Sebastian Gottschalk

I'm talking about a NAT box at factory defaults blocking any incoming connections.

Are you saying that there is a way to exploit that? (If the manufacturer has ports open by default, you're right but I've never seen it.)

Reply to
Al Dykes

And I'm saying that this is usually not the case and there are various tricks and/or situations where this assumption fails.

Yes.

formatting link
Same applies to Flash, injected FTP commands on MSIE, transmission inside HTTP requests, ... and this is just for FTP NAT helpers. Ever tried sending a packet with a source address in a RFC1192 private network to the WAN port (if your ISP doesn't employ ingress filtering)?

Hehe... you're not getting around very often, hein?

Reply to
Sebastian Gottschalk

Can you recommend a couple? I mentioned grc.com a couple of days ago and got only a long list of diatribes against the site and its author, but no suggestions for alternates. If GRC is unable to tell me I'm secure from port scans, it's sure been able to tell me a couple of times when I wasn't.

I looked over the IPCop site, and it looks like the only advantage of IPCop over my current router is that it's cheap -- assuming you have an old unused computer and either are familiar with Linux or consider the time to locate and install Linux, learn to use it, and install and learn to use IPCop as being of no value. None of these is true for me, so I'm happy to use a router instead. Or is there some other advantage to IPCop?

Reply to
zzy

I have a pix 520 running 4.2(2)

Below is my configuration. First 3 octets of the outside IPs have been changed to 0.1.2

Problem:

When accessing

formatting link
from a NAT'ed workstation on the inside of the pix, the web browser gets its DNS from the primary DNS server returning the real (Outside IP) address. This never works. My temporary solution was to build an internal DNS server that resolves with the inside IPs allowing me to get to our hosted websites, mail, etc.

Is there another way to do this without relying on a separate internal DNS server? Maybe a static (outside,inside) directive? Or something else?

Any help would be appreciated.

: Saved
:
PIX Version 4.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol http 80
fixup protocol http 443
no failover
failover timeout 0:00:00
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
no names
no pager
no logging console
no logging monitor
no logging buffered
logging trap notifications
logging facility 17
logging host inside 192.168.168.19
interface ethernet0 auto
interface ethernet1 auto
ip address outside 0.1.2.221 255.255.255.240
ip address inside 192.168.168.1 255.255.255.0
arp timeout 14400
global (outside) 1 0.1.2.220-0.1.2.220 netmask 255.0.0.0
nat (inside) 1 192.168.168.0 255.255.255.0 0 0
static (inside,outside) 0.1.2.209 192.168.168.10 netmask 255.255.255.255 0 0
static (inside,outside) 0.1.2.210 192.168.168.11 netmask 255.255.255.255 0 0
static (inside,outside) 0.1.2.211 192.168.168.16 netmask 255.255.255.255 0 0
static (inside,outside) 0.1.2.212 192.168.168.19 netmask 255.255.255.255 0 0
static (inside,outside) 0.1.2.213 192.168.168.14 netmask 255.255.255.255 0 0
static (inside,outside) 0.1.2.214 192.168.168.15 netmask 255.255.255.255 0 0
static (inside,outside) 0.1.2.215 192.168.168.17 netmask 255.255.255.255 0 0
static (inside,outside) 0.1.2.217 192.168.168.60 netmask 255.255.255.255 0 0
static (inside,outside) 0.1.2.216 192.168.168.51 netmask 255.255.255.255 0 0
conduit permit tcp host 0.1.2.209 eq domain any
conduit permit udp host 0.1.2.209 eq domain any
conduit permit tcp host 0.1.2.209 eq www any
conduit permit tcp host 0.1.2.209 eq 443 any
conduit permit tcp host 0.1.2.209 eq 8081 any
conduit permit tcp host 0.1.2.209 eq 8444 any
conduit permit tcp host 0.1.2.210 eq ident any
conduit permit tcp host 0.1.2.210 eq 1080 any
conduit permit tcp host 0.1.2.210 eq 6014 any
conduit permit tcp host 0.1.2.210 range 6660 6670 any
conduit permit tcp host 0.1.2.210 eq 1024 any
conduit permit tcp host 0.1.2.210 eq 7000 any
conduit permit tcp host 0.1.2.210 eq 7443 any
conduit permit tcp host 0.1.2.210 eq 6443 any
conduit permit tcp host 0.1.2.210 eq domain any
conduit permit udp host 0.1.2.210 eq domain any
conduit permit tcp host 0.1.2.210 eq www any
conduit permit tcp host 0.1.2.211 eq smtp any
conduit permit tcp host 0.1.2.211 eq www any
conduit permit tcp host 0.1.2.211 eq pop3 any
conduit permit tcp host 0.1.2.211 eq ident any
conduit permit tcp host 0.1.2.211 eq 443 any
conduit permit tcp host 0.1.2.211 eq 587 any
conduit permit udp host 0.1.2.211 eq 6277 any
conduit permit tcp host 0.1.2.213 eq 8767 any
conduit permit udp host 0.1.2.213 eq 8767 any
conduit permit tcp host 0.1.2.213 eq 51234 any
conduit permit udp host 0.1.2.213 eq 51234 any
conduit permit tcp host 0.1.2.215 eq 6014 any
conduit permit tcp host 0.1.2.215 range 6660 6670 any
conduit permit tcp host 0.1.2.215 eq 1024 any
conduit permit tcp host 0.1.2.215 eq 7000 any
conduit permit tcp host 0.1.2.215 eq 7443 any
conduit permit tcp host 0.1.2.215 eq 6443 any
conduit permit icmp any any echo-reply
conduit permit tcp host 0.1.2.211 eq nntp any
conduit permit udp host 0.1.2.211 eq ntp any
conduit permit tcp host 0.1.2.209 eq ftp any
conduit permit tcp host 0.1.2.209 eq ftp-data any
conduit permit tcp host 0.1.2.212 eq 22 any
conduit permit udp host 0.1.2.214 eq 27960 any
conduit permit tcp any eq 1723 host 209.234.162.131
conduit permit gre any host 209.234.162.131
conduit permit icmp any any time-exceeded
conduit permit icmp any any unreachable
route outside 0.0.0.0 0.0.0.0 0.1.2.222 1
timeout xlate 3:00:00 conn 1:00:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:00:00 absolute
snmp-server host inside 192.168.168.19
telnet 192.168.168.0 255.255.255.0
mtu outside 1500
mtu inside 1500
Smallest mtu: 1500
floodguard 1
tcpchecksum verbose

Reply to
Sebastian Gottschalk
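As an added example (not from the thread, and not PIX code), the script below parses the static and conduit lines of the config above: it emulates the inside-address rewrite the poster's internal DNS server does by hand, and lists what each conduit exposes to any outside source, flagging conduits whose global IP has no static. The config excerpt is constructed from the posted lines plus one made-up conduit (0.1.2.218) to exercise the dangling-rule check.

```python
import re

# Constructed excerpt of the posted PIX 4.2 config: same syntax, fewer lines,
# plus one conduit (0.1.2.218) with no matching static, to exercise the check.
PIX_CONFIG = """\
static (inside,outside) 0.1.2.209 192.168.168.10 netmask 255.255.255.255 0 0
static (inside,outside) 0.1.2.210 192.168.168.11 netmask 255.255.255.255 0 0
static (inside,outside) 0.1.2.212 192.168.168.19 netmask 255.255.255.255 0 0
conduit permit tcp host 0.1.2.209 eq www any
conduit permit udp host 0.1.2.209 eq domain any
conduit permit tcp host 0.1.2.210 range 6660 6670 any
conduit permit tcp host 0.1.2.212 eq 22 any
conduit permit tcp host 0.1.2.218 eq 23 any
conduit permit tcp any eq 1723 host 209.234.162.131
conduit permit icmp any any echo-reply
"""

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")
# Only the 'host X eq/range ... any' form: a service on global IP X reachable
# from any source. Other conduit forms are deliberately not treated as exposures.
CONDUIT_RE = re.compile(
    r"^conduit permit (\w+) host (\S+) (?:eq (\S+)|range (\d+) (\d+)) any$")


def parse_statics(cfg):
    """Return {global_ip: inside_ip} for one-to-one static (inside,outside) entries."""
    statics = {}
    for line in cfg.splitlines():
        m = STATIC_RE.match(line.strip())
        if m and m.group(1, 2) == ("inside", "outside") and m.group(5) == "255.255.255.255":
            statics[m.group(3)] = m.group(4)
    return statics


def doctor_answer(answer_ip, statics):
    """What the poster's internal DNS server does: an inside client that would
    receive the public address gets the inside address instead."""
    return statics.get(answer_ip, answer_ip)


def parse_conduits(cfg):
    """Return [(global_ip, proto, port_spec)] for conduits open to any source."""
    rules = []
    for line in cfg.splitlines():
        m = CONDUIT_RE.match(line.strip())
        if not m:
            continue
        proto, gip, port, lo, hi = m.groups()
        rules.append((gip, proto, port if port else f"{lo}-{hi}"))
    return rules


def exposure_report(cfg):
    """Map each inside host to the services exposed to 'any', and collect
    conduits whose global IP has no static (stale or mistyped rules)."""
    statics = parse_statics(cfg)
    exposed, dangling = {}, []
    for gip, proto, spec in parse_conduits(cfg):
        inside = statics.get(gip)
        if inside is None:
            dangling.append((gip, proto, spec))
        else:
            exposed.setdefault(inside, []).append((proto, spec))
    return exposed, dangling


if __name__ == "__main__":
    st = parse_statics(PIX_CONFIG)
    print("0.1.2.209 seen from inside:", doctor_answer("0.1.2.209", st))
    exp, dang = exposure_report(PIX_CONFIG)
    for host, svcs in sorted(exp.items()):
        print(host, "<-", ", ".join(f"{p}/{s}" for p, s in svcs))
    print("conduits without a static:", dang)
```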

Thanks! I've downloaded, installed, and tried it. But I see that it'll take much more than the hour or so I spent before I'm able to make any use of it. There seems to be a large amount of information about how to set the many options, but almost nothing about how to interpret the results. Here's what it reported for both my main computer and laptop, each of which has a software firewall, but different kinds (with switches -A -sT -P0):

-----------

Starting Nmap 4.03 ( formatting link ) at 2006-05-26 16:01 Pacific Daylight Time
Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
Insufficient responses for TCP sequencing (0), OS detection may be less accurate
Insufficient responses for TCP sequencing (0), OS detection may be less accurate
Insufficient responses for TCP sequencing (0), OS detection may be less accurate
Interesting ports on 192.168.1.102:
(The 1672 ports scanned but not shown below are in state: filtered)
PORT     STATE SERVICE    VERSION
4444/tcp open  tcpwrapped
5190/tcp open  tcpwrapped
MAC Address: [shown] (Askey Computer)
Too many fingerprints match this host to give specific OS details

Nmap finished: 1 IP address (1 host up) scanned in 102.813 seconds

------------

Looks like I have a problem in that two ports are open. (A google search on "tcpwrapped" didn't bring up anything which explained its meaning and significance in this context, so I don't know whether it's a Good Thing or Bad Thing.) So far I haven't been able to get the firewalls to close them, but I'll work on it. Is this just more proof that the personal firewall is indeed useless as you've said?

Hm, I was under the impression that my router works and isn't broken. So how would working and not being broken be an advantage?

Flexibility can surely be an advantage, but only to those who are knowledgeable enough to take advantage of it, and in circumstances which require it. Otherwise, especially if it doesn't default to some reasonable settings, it can be a distinct disadvantage. Would manual adjustments for RPM, torque, acceleration, and speed for each gearshift point; spark timing adjustment; valve timing adjustment; gas mixture adjustment; and so forth be an advantage to the average driver? If all cars came out of the factory with all adjustments set to one extreme, it would definitely be a disadvantage.

Sorry, but I'm too ignorant to appreciate the benefits of having lots of layer 7 NAT helper modules. Apparently this is something my router doesn't have and something that enhances security. Is it important for us "Joe Average" users, or just for the folks who need exceptional security? Do I need lots of layer 7 NAT helper modules?

I'm willing to learn about some of these issues, but only to the extent that they'll be useful to me. I've already got other hobbies and have plenty of other things to do.

Reply to
zzy

Eh... didn't you want to scan your router or direct-dialup computer from the WAN side? Do you have some helper in a far-away ISP's network?

That's why it's called an online scan and why I referred to linux-sec.net instead of Nmap's homepage at insecure.org.

Right. So far this is exactly the point: There are bullshit online port scans like grc.com, and there are good ones (exclusively based on Nmap) with a bad web frontend which is mangling the output (naming "closed" as "open! dangerous !!!11" and alike). Raw output like at linux-sec.net isn't preferable either, but still better than a useless output.

From where did you scan?

Anyway, what about -sS, -sF, -sN, -sX, -sA, -sW, -sM, -sU, -sO, the first with and without -f, all with -O. Not to mention auditing against IP spoofing, MAC spoofing and IPv6. Not all of these are available in online scans, and not all can expose weaknesses in a router. Try a scan in a local subnet (each other, not each themselves).

This is bad. They should be closed, not filtered, except if you like to shoot yourself in the foot.

Well, it's just a registered port. What about "netstat -anbo" to see what exactly is listening on those ports?

In this case: obviously. Unless you changed the MaxUserPort setting, ephemeral ports are limited to the range 1024 (or lower RPC service limit) - 5000, so the 5190 thing for sure isn't any intended connection between your PCs.

Or did you let a box scan itself?

Hehe...

Well, you never tried to circumvent your router from the outside, did you? Quite hard to notice the defects without auditing.

[car comparison]

A car is usually tuned for best behavior or some predefined profiles. However, there is no such thing like a preconfigured firewall. Well, some example scripts exhibit some good ideas about how you should do it.

Yes and no. It enhances connectivity without resorting to lowering security.

You can use NetMeeting, WarCraft and Quake without messing with anything like portforwarding or such? :-)

Depends on which protocols you want to utilize and how complex they are. Almost any router now includes a (usually lousily implemented) NAT helper for FTP and DNS, but H.32x is much more of a fuss.

Eh... then why do you care about firewalling at all? It's kinda trivial to disable any unwanted service on Windows, and a vulnerable service not running or not bound to a network interface cannot be exploited. Just make sure that your service config is still OK after installing a patch. And, of course, run as a restricted user, which protects against almost any intentional or accidental damage of the system and its configuration.

Reply to
Sebastian Gottschalk
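As an added example (not from the thread), the script below parses Nmap normal output in the format zzy posted and applies the two checks from the reply above: a default state of "filtered" means unlisted ports are silently dropped (a filter that answers with RST or ICMP unreachable would show them as "closed"), and an "open" port can only be dismissed as an outgoing connection's ephemeral port if it lies in Windows' default 1024-5000 dynamic range. The sample output and the range bounds are constructed from the thread; the assumption is that MaxUserPort was left at its default.

```python
import re

# Constructed sample in the same format as the Nmap 4.03 output posted above.
NMAP_OUTPUT = """\
Interesting ports on 192.168.1.102:
(The 1672 ports scanned but not shown below are in state: filtered)
PORT     STATE SERVICE    VERSION
4444/tcp open  tcpwrapped
5190/tcp open  tcpwrapped
MAC Address: [shown] (Askey Computer)
"""

# Default Windows dynamic port range (assumption: MaxUserPort unchanged).
EPHEMERAL = range(1024, 5001)

TARGET_RE = re.compile(r"^Interesting ports on (\S+):")
DEFAULT_RE = re.compile(r"not shown below are in state: (\w+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_nmap(text):
    """Return (target, default_state, [(port, proto, state, service), ...])."""
    target, default_state, ports = None, None, []
    for line in text.splitlines():
        m = TARGET_RE.match(line)
        if m:
            target = m.group(1)
            continue
        m = DEFAULT_RE.search(line)
        if m:
            default_state = m.group(1)
            continue
        m = PORT_RE.match(line)
        if m:
            ports.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return target, default_state, ports


def assess(text):
    """Turn the scan into the findings a reviewer of the result would report."""
    target, default_state, ports = parse_nmap(text)
    findings = []
    if default_state == "filtered":
        findings.append("unlisted ports are dropped silently; a filter that rejects "
                        "(TCP RST / ICMP unreachable) would report them as closed")
    for port, proto, state, service in ports:
        if state != "open":
            continue
        if port in EPHEMERAL:
            findings.append(f"{port}/{proto} open: in the default ephemeral range, "
                            "could be an outgoing connection; confirm with netstat -anbo")
        else:
            findings.append(f"{port}/{proto} open ({service}): outside the ephemeral "
                            "range, so something is listening; identify it with netstat -anbo")
    return target, findings


if __name__ == "__main__":
    host, notes = assess(NMAP_OUTPUT)
    print("findings for", host)
    for note in notes:
        print(" -", note)
```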

Eventually, yes, to test the effectiveness of my router. But I'm frankly more worried about the effectiveness of the software firewall on my laptop, since it's my only defense when I travel.

Do you have some helper in a far-away ISP's network?

Not yet, anyway. I won't trouble someone else to scan me until I understand what the results mean.

What's called online scan? I went to linux-sec.net -- that's where I found NMap. What can I do at linux-sec.net? It says to download NMap, which I did, then to run NMap from my machine, which I did.

Sorry, but an incomprehensible output is a useless output.

I scanned my laptop from my desktop machine on my LAN, and vice-versa. I don't have access to another ISP, so I wasn't able to scan through my router. But as I said, I'm worried more about my laptop and its "useless" software firewall than my router.

Sorry, I don't have a clue how to do that. Is there some documentation that explains how? I went through the tutorial, and if it said something about a subnet I missed it. You're suggesting that I do 18 more scans with various switches. But it doesn't seem to make any sense to do that until I understand the results of the one scan I did. What's an "online scan", and how do I do it?

How do I go about closing them, without the benefit of a hardware router? The laptop has to stand on its own.

I don't see anything in the output which shows either of those port numbers.

I don't think so.

No. I don't know how.

I have no idea. Never tried any of those.

Well, I care about firewalling because I don't want any malware getting into my machine. It's not trivial to me to disable "any unwanted service" -- I've disabled one or another from time to time and later discovered that it's essential to some application. I've found it difficult and very time consuming to find out exactly what each service does, and I certainly don't know which might be "vulnerable" services. There are currently 104 services running on my machine. I'd love to disable unnecessary ones, but determining which are truly in that category isn't easy for me. How many do you think I'd have to disable to make my machine reasonably secure? And I'm not willing to run as a restricted user. I'll have to do the best I can as Administrator.

It sounds like you're recommending removing the firewall and protecting myself by restricting my ability to use my computer by shutting down services and running as a limited user. Or am I misinterpreting what you're suggesting?

So far, around 6 years with DSL and the computer on all day every day, running as Administrator, and with only a software firewall for about 3 of those years, I haven't gotten a single virus, worm, or trojan (that scans or activity have revealed) and only some relatively benign adware. I know this doesn't mean I'm safe from all attacks, but it's been adequate for me so far. I'd like to do what I can to keep at least this level of protection in the future or improve it, but I'm not willing to restrict the usability of my machine for the sake of being pure or to establish an unneeded level of protection. Learning to use tools like NMap looks like a way to help me improve what I've got and hopefully spot and close weak points before someone else does. So I'll keep working at it. Thanks for the pointer.

Reply to
zzy

That's a good motivation, but that's not really the way malware travels. The vast majority is carried in e-mail attachments and Active-X or Java code on bad websites. Your best defense against viruses and worms is:

a) Use a browser that *doesn't* run Active-X. You are already doing that. Be careful about allowing javascript to run except from sites you really trust (like your bank).

b) Spam filter. A lot of the bad e-mail attachments arrive as spam.

c) Be careful of e-mail attachments even if they are from friends or relatives. Their system may have been compromised and that email from Mom might actually contain a virus as an attachment.

d) Use a good anti-virus scanner. I don't know if any of them are any better than any others, but I haven't seen much evidence that the ones you pay for are any better than the free ones. I personally use AVG. Scan (c), above, before you open it. And for god's sake, let the AV *phone* *home*!! New viruses are discovered every day and that's the only way to keep your protection current.

Go to

formatting link
and use Volker's nice little program.

As long as you understand that you're locking the doors and leaving all your windows wide open. I mean this most sincerely; if *all* you did was run as limited without doing anything else, you would be safer than doing everything else and running as Administrator. You are totally undermining all your other efforts. At the very least, restrict yourself to a limited account when you're using Internet applications.

Running as limited really isn't that restricting. I have a grand total of one program (MSMoney 2001) that won't run for some stupid reason as limited. For that, I just right click and choose "Run As..." and run that *one* program as Admin. I don't even have to switch users.

I ran as Administrator using Norton Internet Security Suite for about 3 years, too. Full package, paid for the subscription every year. One night I'm doing a bit of housekeeping -- clearing out old files, defragging, etc. I run the Disk Cleanup tool to clear out old Internet files and other crap. It asks me if I want to delete unused Win 98 files.

When I originally installed XP it was an upgrade and I chose to keep the old files because I wasn't sure if I wanted to use XP. At that point I knew I was going to stick with it and I had been curious about how to best clean out the old stuff and reclaim the disk space. So I clicked OK.

A few minutes later I looked back up at the screen and my icons were disappearing! I clicked cancel but it was too late. *Everything* was *gone*. It had started with my data files, then the program directories, and finally the system files. By the time I saw something weird was happening I had only about 50 MB left out of over 10 GB on my disk. I lost everything. The OS and programs were easy to re-install but I lost about two years worth of digital photos that I can never replace.

I'll never be able to prove it, but the only thing I can figure is that a trojan replaced my disk cleanup utility and NIS was totally clueless. So I'm not a big fan of Norton, I'm not a big fan of "Internet Security" suites, and I *am* a big fan of regular backups. :) And if I had been running as limited user I don't believe any of that could have happened.

Reply to
Rod Engelsman

Simpler than that, they had an error in the delete statement that ended up feeding it the wrong path so it started from the root.

McAfee (enterprise) did that once on their uninstall.

And people trust them implicitly for virus defense...

-Russ.

Reply to
Somebody.

A firewall is a concept. Any serious firewall concept includes host security, so far that the host itself should not be vulnerable even if the packet filtering part of the concept fails.

Claiming that your firewall is the only defense is either technically wrong (e.g. your host is already secure and you're just misunderstanding the whole issue) or logically wrong (if your host is vulnerable, then you're insecure and your packet filter won't change that).

There's a link "OpenPorts Audit". This is an online port scan based on Nmap, and is supposed to do exactly what you want: someone else scanning you from the WAN side, but with the full flexibility of the Nmap command line.

Incomprehensible to you != someone with clue can't help you interpreting it

As long as your "firewall" didn't impose any trust relationship between these machines, this should be quite effective to audit the machine's security itself. Sorry for asking; a lot of people get this wrong and are either scanning local loopback or the router.

-sS - TCP SYN scan, good for discovering open ports
-sF, -sN, -sX - good for scanning the behaviour of the TCP/IP stack, just try some few ports
-sA, -sW - good for scanning the firewall's behaviour
-sM - good for checking
-sU - UDP scan, as TCP is not your only problem
-sO - IP protocol scan for exposing other potentially vulnerable protocols (ICMP, ESP, AH, EPIP are typical)
-f - doing the TCP SYN scan with fragments exposes firewall problems and is usually very good for bypassing the router from the WAN side
-O - useful output with fingerprinting
IP spoofing, MAC spoofing - for circumvention
IPv6 - just in case you're using it

Now better read a good book about typical TCP/IP and firewall weaknesses, or get someone who has a clue to do this auditing for you.

A good firewall offers to respond with a TCP-RST or ICMP-DestinationUnreachable instead of DROPing the packets. Most (reads: every known) "personal firewalls" don't.

A hardware router usually won't help you either; it will rather make it pretty impossible. This and the NAT thing is why I prefer direct dial-up. Better connectivity!

Now either there's a serious network problem or you've got a rootkit. Repeat the scan.

Disabling a network service doesn't necessarily mean disabling the service program, but just disabling its network binding. So far this is pretty painless even on Windows.

Huh? Actually it's pretty well documented. "Controlling Communication in a managed environment", downloadable at Microsoft, has a detailed description on services, network communication and configuration. And we've written a nice tutorial at

formatting link

WTF?

No, exactly. This is quite usual on Linux, but not likely on Windows.

What about user's mistakes?

This is not about protection, this is about least privilege which is generally a good idea.

Reply to
Sebastian Gottschalk

That's because he's a snake oil salesman. Do your own research if you weren't provided with any URLs on the subject; there's a pile of stuff out there. For a quick scan tool try this one:

formatting link
As for Win32 firewalls, you might try Kerio as it's ICSA Labs certified:
formatting link
I'm sure I'll catch hell for this but ZoneLabs still has a free offering:
formatting link
But if you're wanting to build your own easy to use Linux firewall, I'd recommend finding a 486 with a floppy drive and using something like Coyote Linux or floppyw:

formatting link
Also see m0n0wall based on FreeBSD:
formatting link
Another option if you still want to build your own but use something backed by ICSA certification and tech support is GNAT Box:
formatting link
Getting back to free, I highly recommend OpenBSD's pf plus something like firewall builder if you're not up to learning to edit rules from the command line:
formatting link
and
formatting link

-Gary

Reply to
Gary

I forgot to mention Core Force, a free Windows security project based on OpenBSD's pf et al:

formatting link
You could also use Firewall Builder with the Win32 port of ipfw.

-Gary

Reply to
Gary

Well, it was certified as shit, wasn't it?

Bundled with application control and therefore pretty insecure.

Reply to
Sebastian Gottschalk

Windows? Yeah, that's why I'm a unix admin. As for Kerio, perhaps they'll hire you to improve their product with more FUD.

Please enlighten us. I've read a million rants like yours and they're all the same;

formatting link
Welcome to the modern era in which every IP enabled device needs to have a firewall on it if you ever plan to use it outside of your home or office -- or anywhere you don't have control over the security appliance between the LAN and the Net. I suppose when you travel, you bring your PIX 515E or [insert fw appliance here] stowed in your luggage? Or is there any room left after packing in your ego and hubris?

-Gary

Reply to
Gary

Sorry, I'm not good at FUDing. Would you please read the ICSA evaluation report yourself to get a clue how lousy the Kerio packet filtering kernel is?

Adds unnecessary complexity and usually privilege escalation paths (by privileged processes opening windows, which can receive unauthenticated IPC messages), doesn't help against almost any modern malware (even Real Player knew how to write an html file to %temp% and then call ShellExecute() on it), is trivial to circumvent (hint: IPC and scripting of trusted programs) and leads to a lot of errors, deadlocks and crashes (which is quite common if you're intercepting a lot of system functions with lousy code).

Eh... no? I'm usually only utilizing a host-based packet filter and merely for security reasons. Guess what? The mantra of not binding network services does actually hold in practice. Admitted, I prefer hardening the TCP/IP stack a little bit, but I don't think it's really necessary.

Well, your comprehension should still fit in.

Reply to
Sebastian Gottschalk

Just use nmap in your LAN and/or netstat locally. By concept it is not possible to do this job in a good way from remote, because there may be temporary filtering "on the way" while testing, and a remote scanner has no chance to detect this.

Yours, VB.

Reply to
Volker Birk

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.