Windows Software for Controlling Outgoing Packets?
non carborundum asks: "When using Windows I use Zonealarm because I like its ability to control outgoing packets. It's a good way to find out if some program is trying to call home. Zonealarm is much better than nothing, but 1 prefer open source solutions. Besides, it is overkill - I don't use it as a firewall, since I have a router, and it uses several megabytes of RAM. Better still would be a reverse honeypot - an app that catches outgoing requests, tests them against a database of known offending addresses and/or ports, and (optionally) tricks the offending application into thinking it has successfully phoned home. XP users in particular might be interested in such a tool."
TPF is great packet sniffing software. It allows you to determine which apps are allowed to receive incoming TCP connections, or make outgoing TCP connections, or receive incoming UDP connections... and which ones aren't. It also allows you to stop NetBIOS name resolution as well as other neat stuff. It gives you much more control than Zone Alarm does. Really a great piece of software.
TPF used to be freeware. You can pick up the shareware version here. You can still find the old freeware version (which I use) here.
For the record, I use both Zone Alarm and Tiny Personal Firewall.
$SIG{__DIE__};
I used to use e-safe and I've also used ZoneAlarm, but with both these packages I experienced huge system instability over some time. The same goes for Cisco VPN software. It seems to me that anything you do to the Microsoft TCP stack makes it more unstable. Guess that stack is 'part of the system that cannot be replaced' as of Windows XP?
sig not found
Just packet filtering won't trivially allow you to fake conversations between client software and servers anyway; it's very likely that the application wants to do much more than 'ping' the server so each solution would have to be custom made. Filtering is easy, talking back is hard.
Most of these custom solutions would probably involve stuff like hacking EverQuest, running your own unofficial Blizzard game servers, blocking Carnivore and stopping Bill from snooping around on your hard drive.
Now here's a controversial solution - if you are concerned about callback features, why not stick with open source software and operating systems in the first place? :-) I don't mean formatting your hard drive, as your packet filtering doesn't have to happen on the host machine. Wouldn't most people run this kind of software on the router, anyway?
That's what people hacking EverQuest usually do, anyway. :-)
Jouni
Jouni Mannonen | Game Designer, Consultant
Kerio Personal Firewall
It's simple and gets the job done. Rules can be set to allow or block incoming and outgoing TCP/UDP traffic. It verifies the MD5 of the applications. Also eats several megabytes of RAM though...
I don't use it as a firewall, since I have a router
:-)
As in "I just use the scroll wheel, I don't use my mouse as a mouse because I have a keyboard?"
Try NetBSD... safe, straightforward, useful.
http://www.samspade.org/d/firewalls.html I agree with pretty much everything the article says.
Blaming GW Bush for the Iraq war is like blaming Ronald McDonald for the poor quality of food.
Internet Explorer, the most ubiquitous and most exploited application of all time.
It's not free, or open, but Sygate's professional firewall is awesome. Much better than ZoneAlarm. There is a free personal version of the software, but it lacks the features that make the professional one so awesome. However, I would recommend the personal one over ZoneAlarm. Try Sygate; it can do almost anything you can think of.
The GeekNights podcast is going strong. Listen!
I am using XP right now, and I refuse to have my NIC card plugged in without a firewall running. It's silly: this is just another example of not being in control of your system, which is the most major reason I want to move to Linux. (I'm trying, really, it's very hard as a Windows coder.)
Taking this concept further, I am seeing that many Windows users are disgruntled with XP because it hides waay too much from them, and it becomes frustrating to use. It will be interesting to see how this plays out.
I think I've asked this before the last time this article got posted, but since there still doesn't appear to be an open-source windows personal firewall, does anyone know what API these programs normally use to get in on network packets in windows? Or is it a dummy network driver or a replacement winsock dll or what?
--
Benjamin Coates
It seems to me that, if you are using Windows XP and a hardware firewall, it is better to use the ZoneAlarm software firewall. Then you can run VisualZone, and quickly see whether anything has gotten through your hardware firewall. Don't worry about ZoneAlarm's RAM use. RAM is cheap.
ZoneAlarm works well with Windows XP. It is necessary to disable Microsoft's firewall, of course; you don't want the wolf to guard the henhouse. (See the section "Windows XP connects to Microsoft's computers in at least 17 ways" in the article "Windows XP Shows the Direction Microsoft is Going".)
A lot of us need to run programs that don't have Linux or BSD versions. For us, Microsoft has an absolute monopoly. It's hopeless being involved in adversarial behavior with Microsoft. The company has $40 billion cash in the bank. I have
One way to cope with the situation is to use two computers connected to one keyboard, mouse and monitor. Run Mozilla on Linux on a computer that is connected to the Internet. Disable Internet access on the other computer running Windows XP by removing the TCP/IP protocol. Use another protocol, such as NetBEUI, for file sharing. (IOGear seems to make the best KVM switch. My experience has been that there is no video degradation with IOGear KVMs.)
My experience, and the experience of others, is that Windows XP doesn't crash, it just becomes less usable. Windows XP becomes shaky when enough programs are loaded that all of the installed memory is in use. There are other situations where Windows XP begins malfunctioning, but these are not well characterized. (Can anyone help me here?) The symptoms of the malfunction are slowness to respond to the keyboard, and disk thrashing caused by virtual memory use that sometimes takes 45 seconds or more.
The consensus seems to be, however, that Windows XP is Microsoft's best OS. The only other candidate is Windows 2000. Any comments?
The single biggest cause of instability in a system that was once stable is bad connections. Just open up the case, pull out all connectors and adapter cards a few millimeters, and push them back. That cleans the contacts.
(Download ZoneAlarm FREE for personal use.)
Ad-Aware is excellent for use with Windows XP. It gives a list of all running processes, who made the software, and where it is located on the hard drive. Its main purpose is to check for spyware. (Virus program software does not check for spyware, so you need a separate program.)
In Portland, Oregon, USA, the best Internet connection is Hevanet DSL with a Cisco 675 router from the phone company, Qwest. The Cisco 675 can be put into a mode in which it is a true hardware firewall, not just a NAT device. (My only connection with Hevanet is as a satisfied customer.)
Why is it that some people insist on saying that 'x' is not a firewall, but they can't clearly define what a firewall is without using marketing speak?
IMHO, if it sits between network A and network B and does anything from scan for viruses to block ports, and the guy who put together the network wants to call it a firewall, then it is a firewall. Not necessarily a good firewall or a bad firewall, but it is a firewall.
For a home user, a NAT device alone is a good firewall to block unexpected incoming connections. Personal Firewall software is a good firewall to block unexpected outgoing connections.
For all but the tiniest of corporate offices, this would of course be a laughable solution.
I very much need more information like this. Thanks.
Don't worry. We see that this was meant as a joke, even if the moderators can't.
The network stack of any reasonably up-to-date Microsoft operating system (say, Windows 98 or 2K on up) is impervious to the OOBNukes and Pings of Death of days of yore. If you are concerned about possible trojan horses you should actually invest in a virus scanner and also install something like Ad-Aware.
If somebody actually wants to take you offline, any reasonably sized DDoS will flood your pipe and kill your connection--firewall or not.
There is no plausible need for a "personal firewall", period.
For those developers that may be interested - (and I'm sure there is code out there already that demonstrates this) - you can create your own shim dll to control IP networking accessible to applications. Sockcap32 does this in order to socksify non-socks applications under Windows.
If you want to filter any outgoing packets on your NIC - you'll need to look into writing your own filter driver. The DDK is freely available for download and the documentation should be enough to get an enterprising individual started.
That being said, ditch ZoneAlarm (never worked correctly for me -- along with Norton Personal Firewall) and get Tiny Personal Firewall (v2.0 is free) or Kerio Personal Firewall. They are both free and provide pretty fine-grained control via their ruleset on incoming/outgoing data.
Just my $0.07(US) worth (adjust for inflation)
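As an added illustration of what the per-application rulesets praised above and the "reverse honeypot" idea in the original question boil down to, here is a small egress-rule evaluator (example code written for this thread, not taken from any of the firewalls named). It assumes a hook or driver hands it one connection attempt at a time as a Conn record; the blocklist entries and rules are constructed sample data using RFC 5737 documentation addresses.

```python
import ipaddress
from collections import namedtuple

# Constructed blocklist of "known offending" destinations (label per CIDR);
# these are RFC 5737 documentation ranges, not real indicators.
KNOWN_BAD = {
    ipaddress.ip_network("192.0.2.0/24"): "spyware-collector",
    ipaddress.ip_network("198.51.100.7/32"): "adware-beacon",
}

# A rule: app ("*" = any), direction ("in"/"out"), proto ("tcp"/"udp"/"*"),
# remote port (None = any) and action ("allow"/"block").
Rule = namedtuple("Rule", "app direction proto port action")
# One connection attempt as a driver/hook would report it (assumed shape).
Conn = namedtuple("Conn", "app direction proto remote_ip remote_port")

def rule_matches(rule, c):
    return (rule.app in ("*", c.app) and rule.direction == c.direction
            and rule.proto in ("*", c.proto)
            and rule.port in (None, c.remote_port))

def evaluate(rules, c):
    """Verdict for one attempt: 'block:<label>' on a blocklist hit,
    else the first matching rule's action, else 'block' (deny by default)."""
    ip = ipaddress.ip_address(c.remote_ip)
    for net, label in KNOWN_BAD.items():
        if ip in net:
            return "block:" + label
    for rule in rules:
        if rule_matches(rule, c):
            return rule.action
    return "block"

# Constructed per-application ruleset; first match wins.
RULES = [
    Rule("mozilla.exe", "out", "tcp", 80, "allow"),
    Rule("mozilla.exe", "out", "tcp", 443, "allow"),
    Rule("*", "out", "udp", 53, "allow"),             # DNS for any app
    Rule("updater.exe", "out", "*", None, "block"),   # never phones home
]

def audit(rules, conns):
    """Return (app, verdict) for each attempt; doubles as a phone-home log."""
    return [(c.app, evaluate(rules, c)) for c in conns]
```

Deny-by-default is what makes an unexpected "phone home" show up: anything not explicitly allowed lands in the audit list as a block, with the blocklist label attached when the destination is already known.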
Your use of the pseudo-technical and absolutely made-up "reverse honeypot" term confused the living snot out of me; I still can't wrap my head around the concept of what a "reverse honeypot" might do, but I'm sure it's nothing like what you're describing, which is just packet filtering and modification.
- A.P.
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
I run IE + ZA, and don't flame me (I would run only Linux if my devices were supported) and I am extremely frustrated at placing the cursor over the connection icon and discovering that 200K or more of outgoing data has left my box during a brief session. Surely no legit app has a need to send that much data. Surely there is an app which will tell me where the data is going, and why. Surely there should be a way to throttle the outgoing socket. Hellllp!!