Windows Software for Controlling Outgoing Packets?
non carborundum asks: "When using Windows I use ZoneAlarm because I like its ability to control outgoing packets. It's a good way to find out if some program is trying to call home. ZoneAlarm is much better than nothing, but I prefer open source solutions. Besides, it is overkill - I don't use it as a firewall, since I have a router, and it uses several megabytes of RAM. Better still would be a reverse honeypot - an app that catches outgoing requests, tests them against a database of known offending addresses and/or ports, and (optionally) tricks the offending application into thinking it has successfully phoned home. XP users in particular might be interested in such a tool."
I don't use it as a firewall, since I have a router
:-)
As in "I just use the scroll wheel, I don't use my mouse as a mouse because I have a keyboard?"
Try NetBSD... safe, straightforward, useful.
I have several products like than installed on my WinXP .554.lin machine and I ha43n34 noticed any degradatiosafdjhbsf of my TCP/IP stack. So ,8-9,-09u off the FUD, eh? %
meh.
Uhm, no. I know a whole bunch of network security and abuse staff. The response to any complaint with ZoneAlarm, BlackIce etc logfiles in it is to close the ticket, usually with an annotation like 'GWF' (Goober with Firewall). 99% of those reports are frivolous, about normal network traffic.
Some ill-informed network admins do produce a lot of such 'frivolous' reports.
I'm not a network admin or specialist by job, but I do a lot of networking stuff. One day I got a mail CC'd to me saying that one of our networks was under attack. The alleged 'hacker' was able to go through their firewall and started scanning the rest of the boxes within.
Though it was not directly for me to act on, I took this case seriously, but 7 sec later I found out it was just a false alarm: the 'hacker' address in question was in fact a 169.254.x.x address, and the ports the 'hacker' was scanning were 137/139.
169.254.x.x is the 'link local' block, and it could never get past the firewall from outside (no matter how lame it is). Also, even a layman knows 137/139 are the NetBIOS scanning for Windows file sharing. Deeper in the log I found this 'hacker' attempted to access a DNS which is owned by ASL. Then I immediately knew that this must be an absent-minded ASL technician who came to perform technical support, carrying a laptop with a 169.254.x.x address, and it attempted to re-establish Windows shares and internet connection when he powered up the laptop.
I told my boss about my findings, but I'm sure he'd ignore it. The report had already gone through 7 layers of management (forwarded 7 times, some of them network admins and specialists) and each layer vowed to take serious action. The topmost layer already held a meeting for further action dealing with this 'most serious security hazard ever'.
It's not really my position to tell them they are a bunch of morons.
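The triage described in the comment above (link-local source address, NetBIOS ports), written out as an added Python example that is not part of the original thread. The log format, the sample lines and the function names are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in a hypothetical firewall log format (not from the thread).
# 203.0.113.9 is a documentation address standing in for a routable external host.
SAMPLE_LOG = """\
2004-03-02 09:14:03 DROP UDP 169.254.17.40:137 -> 192.168.1.255:137
2004-03-02 09:14:04 DROP TCP 169.254.17.40:1045 -> 192.168.1.10:139
2004-03-02 09:14:06 DROP TCP 169.254.17.40:1046 -> 192.168.1.11:139
2004-03-02 09:20:11 DROP TCP 203.0.113.9:40122 -> 192.168.1.10:22
"""

LINE_RE = re.compile(
    r"^(\S+ \S+) (\w+) (TCP|UDP) ([\d.]+):(\d+) -> ([\d.]+):(\d+)$")
NETBIOS_PORTS = {137: "NetBIOS name service", 139: "NetBIOS session service"}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse(log_text):
    """Yield (source address, destination port) for lines in the assumed format."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield ipaddress.ip_address(m.group(4)), int(m.group(7))

def triage(log_text):
    """Group events by source and return {source: (verdict, reason)}."""
    ports_by_src = defaultdict(set)
    for src, dport in parse(log_text):
        ports_by_src[src].add(dport)
    report = {}
    for src, ports in ports_by_src.items():
        if src.is_link_local:
            # Routers do not forward 169.254.0.0/16 (RFC 3927), so the sender
            # sits on the local segment and did not cross the firewall.
            if ports <= set(NETBIOS_PORTS):
                verdict = ("benign", "link-local host doing NetBIOS chatter")
            else:
                verdict = ("review-local", "link-local host, unusual ports")
        elif any(src in net for net in RFC1918):
            verdict = ("review-local", "internal source address")
        else:
            verdict = ("review-external", "routable source address")
        report[str(src)] = verdict
    return report

if __name__ == "__main__":
    for src, (verdict, reason) in triage(SAMPLE_LOG).items():
        print(f"{src:15} {verdict:16} {reason}")
```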