My experience with ZA 4.5.594 is similar - no problems from this source - although I only use the Ad blocking Banner and Popups. However FWIW, I _have_ found that the Delayed Popup blocker in AdShield3 will interfere with
and must be unchecked for it to Scan. Using Win2kSP4R1|IE6.
As far as I remember, I've always had to turn off Privacy controls to get Microsoft Update to work. That's a given. I'm still using
4.5.594 because of issues with later versions. Win 98 isn't supported for later versions anyway. The more bells and whistles, the more complications, I've found. As long as my ports are stealth, and it blocks the bad stuff, I'm happy.
Ah, Volker, what has a good Firewall ever done to you to make you hate them so? I'll just keep on using mine, in the hopes that it's "better than nothing", if you don't mind. I'm just on dial-up. Highspeed internet might make me a lot more paranoid.
Nothing is stealth. Your ports are filtered, and everybody, who uses nmap -P0 i.e., will see that.
Your "Personal Firewall" just violates the Internet Protocol by neither sending RST (see RFC 793 / STD 0007, section 3.4), nor sending ICMP Destination Unreachable Message with code 3 (port unreachable, see RFC 792 / STD 0005).
Say: your "Personal Firewall" has a broken implementation of the Internet Protocol, but this is not resulting in making anything "stealth".
For lowest overhead, just use Torsten's script, and switch off any listening server. This means: no overhead at all. Then you don't need filtering at all.
Then abandon to use Internet Explorer; just use any other browser.
The problem with Internet Explorer is not that it has security holes - every browser has this from time to time; OK, Internet Explorer had unfixed holes for years, this is worst case. But also Mozilla from time to time are not perfect in security, to say the minimum. The problem is the ActiveX technology, Internet Explorer uses as the plugin concept. The problem with this is, that ActiveX / COM is a system wide concept without any security if a control is running. There is no sandbox concept, and, once marked "scripting safe", any control in the complete system is a possible flaw, which can be abused. The unfortunate zone concept of Internet Explorer was refitted, it's a flub, one could say.
Keep your software up to date. Use Windows-Update, and keep any other software up to date, which you're using in the Internet.
When you're installing new software, don't forget to use netstat -an to check, if there are new servers started, you should stop again.
It is a good idea to use an AV software regularly. Please keep in mind, that AV software only works well, if its malware signatures are bleeding edge. Unfortunately, the heuristics to detect unknown malware are not functioning very well.
And keep in mind, that the best AV software is your brain - no-one wants to make your dick longer, no-one wants to offer pr0n for free by mail, and no bank sends you login or password request by mail ;-)
Unfortunately, AV software is not reliable - that means, it can help, it's useful, but you should not bank on it.
And: if you're detecting an infection, please have a look at the type of malware - if it's loading code through the Internet or if it's offering access to your box for somebody in the Internet, it's impossible to get a clean box again, but with flatten and setup the system again.
I don't know, if you need tweaking a port filter. I don't know, if you need a port filter at all.
I know the D-Link and the Linksys devices. Both seem to be OK.
If you're using such a router, don't forget to configure it for filtering. NAT is not enough, because NAT primarily is not a security feature, so usually, the NAT implementations are not secure.
Especially, filter away any packet, which reaches your router at the outside interface, but has a source IP address, which seems to be inside (say: source 0.0.0.0/8, 127.0.0.0/8, 192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12 and non-used blocks like 169.254.0.0/16, 192.0.2.0/24 or 192.168.0.0/16, see RFC 3330).
If your router is filtering, perhaps it's not so important any more, if your box uses a port filter or not ("firewall") or even is offering servers or not.
And beware of mail attachments ;-) Think about it.
Hm... had no problems with this device so far. Perhaps another hardware revision?
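The source-address filtering on the router's outside interface described in the post above, sketched as an added example (not part of the original thread and not any router's own configuration). The record format, the interface names `wan`/`lan` and the sample lines are constructed for illustration; the network list is the one given in the post.

```python
import ipaddress

# Source blocks named in the post (it cites RFC 3330). The post lists
# 192.168.0.0/16 twice; it appears once here.
BLOCKED_SOURCES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "192.168.0.0/16", "10.0.0.0/8",
    "172.16.0.0/12", "169.254.0.0/16", "192.0.2.0/24",
)]

# Constructed sample records: "<interface> <source IP> <destination port>".
# 203.0.113.7 stands in for an ordinary public address.
SAMPLE_LOG = """\
wan 203.0.113.7 80
wan 192.168.1.20 139
lan 192.168.1.20 80
wan 10.4.4.4 445
wan 127.0.0.1 25
wan 172.31.255.9 22
wan 172.32.0.1 22
wan not-an-address 80
"""

def matching_block(src):
    """Return the listed network that contains src, or None."""
    addr = ipaddress.ip_address(src)  # raises ValueError on garbage
    return next((net for net in BLOCKED_SOURCES if addr in net), None)

def ingress_decisions(log_text, outside="wan"):
    """Return (record, action, reason) for every record in log_text."""
    results = []
    for line in log_text.splitlines():
        parts = line.split()
        try:
            iface, src, _port = parts
            net = matching_block(src)
        except ValueError:
            # Malformed record or unparseable source: fail closed.
            results.append((line, "drop", "malformed record"))
            continue
        if iface == outside and net is not None:
            # An inside-looking or reserved source cannot legitimately
            # arrive from the outside, so it is treated as spoofed.
            results.append((line, "drop", f"spoofed source in {net}"))
        else:
            results.append((line, "pass", ""))
    return results

if __name__ == "__main__":
    for record, action, reason in ingress_decisions(SAMPLE_LOG):
        print(f"{action:4} {record:24} {reason}")
```

The same private source address passes on the inside interface and is dropped on the outside one, which is the distinction NAT alone does not enforce.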
Since you know so much about these things, so go ahead.
I would be interested especially how to secure Windows 2000 at lowest possible system overhead using firewall program and firewall box combo. In 100 Mbps Ethernet connection. I already run F-Secure Anti-Virus Client Security 5.55 in Windows 2000, containing a software firewall (F-Secure Internet Shield). Are there any good sources of tweaking instructions to it? I also have run Kerio 2.1.5 in Windows 98SE, and have adjusted its behaviour.
While at it, could you and others too give opinion of following router/firewall boxes? They all seem be available here at affordable prices. I would be interested of their ability to provide a reliable connection to a small *n*x web server, besides 1-2 Windows 98SE/2000 PC:s.
DI-604 (Rev. B 1.82) seems to require occasional power cutout between couple of days, in this network, possibly because it gets confused of network overload or some other reason, who knows. It seems not to be the most stable choice here.
ZAPRO makes it easy to configure security settings and cookie and ad control on a site by site basis. Allow Active X on trusted sites that need it, and block for all others. It monitors traffic in and out, and blocks when I tell it to. Spyware Blaster provides extra security. I stay off dodgy sites and only download free apps recommended by MVP's in newsgroups. My AV is updated daily. This machine has never been infected or compromised.