Need PC Safety and Security Advice on Firewalls

Discussion in 'Application Software' started by MonarchX, May 7, 2017.

  1. MonarchX

    MonarchX MDL Expert

    May 5, 2007
    1,732
    313
    60
    I am seeking Firewall Software that is better (in terms of protection) than Windows 10 built-in Firewall, very easy on system resources, and also free. So far I came across Free Firewall and Windows 10 Firewall Control, but neither do I know much about them nor do I know much about Firewalls or PC Security or Networking, aside from Basic Networking. I just know I prefer to keep very few services in the background when I game.


I apply a LOT of tweaks and literally have only the absolutely necessary services, driver-services, and tasks (only 2 out of 150-something Windows 10 background system tasks are enabled!) because I just need this PC for Gaming, Home-Theater, basic Internet network (directly hooked to cable router/modem with DMZ enabled for my MAC address), and I don't even plan to update it, unless it's a full clean OS re-install. My tweaking also includes turning off some security holes in DCOM RPC (port 135) + all tweaks from Windows Worms Doors Cleaner, disabling NetBIOS service, and turning off LMHOSTS lookup. Ethernet Status actually says I have no connection at all, yet somehow I am posting this!

When it comes to browsing I stick to Chrome with uBlock Origin + uBlock Origin Extra + ScriptSafe + HTTPS (if possible) + a few hundred blocking entries in Hosts. I don't visit sketchy websites, I haven't had any spyware/malware or viruses on any of my PCs since 2009, and although I keep several anti-spyware/virus software like AdwCleaner, Hitman Pro, and Malwarebytes - I never have them running or even install them because my PC is always clean like that.

    Given that:
    - So much is disabled on my PC (including Windows Firewall Service)
    - DMZ enabled in router (but router Firewall is ENABLED)
    - My Internet safety habits / setup

    ...is there a high chance of me being hacked or attacked, assuming I won't piss anyone off? Should I even bother with that light firewall I am seeking (for "just-in-case" scenario)?
     
  2. sebus

    sebus MDL Guru

    Jul 23, 2008
    6,356
    2,026
    210
There is absolutely NOTHING wrong with the built-in Windows Firewall.
    If you must have an easier interface, then I do recommend Windows 10 Firewall Control.

    There is no point disabling it just to replace it with something else.

    Start again with proper design & then implement it
     
  3. °ツ

    °ツ MDL Addicted

    Jun 8, 2014
    816
    1,122
    30
    Comodo Firewall is really good ;)
     
  4. foxyrick

    foxyrick MDL Member

    Aug 25, 2011
    116
    53
    10
    I've tried most personal firewalls over the years, both paid and free. The best I've ever found (by far and for numerous reasons) is Windows 10 Firewall Control, as Sebus mentioned. It uses the Windows' own Windows Filtering Platform (Base Filtering Engine service) and you can enable or disable the Windows Firewall, as you wish. W10FC does not depend on it but doesn't mind if it's also running. Everything else hasn't been worth the cost in headaches and/or has been less reliable and secure.

    It sounds like I use a similar-ish setup to yours. I don't have any AV installed either, because I've never found one of those that didn't give me a headache. My server even used to tell me that it had no internet connection (it did and worked perfectly) because of a rather tricky multiple-homed setup with multiple interfaces, a public-facing interface with public IP address and multiple (potential) routes to the internet on different VLANs and a VPN that only certain traffic was forced through. There was a way around that, iirc, something to do with using a bogus default route somewhere I think, and some static routing, to redirect Windows' connection detection. Anyway...

    W10FC should handle everything you need firewall-wise - it does here :D
     
  5. MonarchX

    MonarchX MDL Expert

    May 5, 2007
    1,732
    313
    60
It's not the UI I am having an issue with, but whether I should bother with a firewall at all. I had a few people tell me "Windows Firewall does not provide all that much in terms of protection...". If that is true, then why bother running it in the background? IF and IF it does not provide much protection, then the only sensible solution is to have something that does (if one is worried about security/safety) or not run it at all, since you managed to get by for a long time without being well-protected. Again, I am NOT network and network security savvy.
     
  6. foxyrick

    foxyrick MDL Member

    Aug 25, 2011
    116
    53
    10
    #6 foxyrick, May 8, 2017
    Last edited: May 8, 2017
    I suppose it depends what protection you need.

    I run two firewalls: one on my Mikrotik router (used to be BSD box then a big Cisco router but I needed something faster and lower power consumption) that I refer to as a 'hardware' firewall; and a 'personal' firewall on every PC in the house; W10FC now. In the main, they serve two different purposes. The hardware firewall stops things getting in from the internet. The personal firewall stops things getting out from the PC.

    Most people have their internet routers with a default configuration. In that state they usually provide sufficient incoming protection. That is due to NATing on IPv4 plus basic stateful inspection (things are only allowed in if something on the inside has already asked for it). Unfortunately of course, malware from the inside isn't stopped from getting out because the inside is usually 'trusted', or back in again once it's got out.

    That leaves personal firewalls...

    A few years ago I got some dodgy file on my PC from a compromised website. My AV (I was running one back then) never saw it even when pointed at the offending file later. My firewall caught the file trying to get out and blocked it, and alerted me. Even if you don't deliberately visit sketchy websites, they can always be compromised or be showing some dodgy advert with the latest exploit. I would trust a personal firewall (and regular backups) over an AV to keep me reasonably safe from that.

    I practice good 'internet hygiene' and, for instance, I never open unsolicited email attachments, I visit potentially sketchy places in a VM, etc. I still have to admit the possibility of something going wrong or me making a mistake. The personal firewall gives me a second line of defense, the first being common sense.

    The other main reason I've always used one is that I simply do not like software calling home, and wondering exactly what it is sending. Even when told not to in their settings, there is far too much software that still does so. I've even experienced software using bogus DNS requests to send and receive information from the internet, even though blocked (in another firewall I was testing). I caught that with Wireshark. I object in the strongest terms to all of that... and block it all with my firewall.

    Nothing gets out of my PC without me knowing about it, and Windows Filtering Platform (if not Windows Firewall itself) is as good as any. Better, IMO, because it is integrated in the system and the base filtering engine is running all the time for other network purposes anyway. W10FC has not failed me, many other firewalls have in some way or other. I have tried another free UI that works with Windows filter, but that failed because one application was still able to manipulate the firewall and get itself out.

    So, if you think you might need to stop any of the above, then perhaps you need a personal firewall. I would never run a PC of mine without one.

    Edit to add: Just one final point regarding your question on being hacked. Your router's firewall is what will (hopefully) stop that. You don't need to annoy anyone though to be a 'target'. I once turned all firewalling off during some testing, and logged incoming connections. It took less than ten minutes for someone to start hammering service ports and running a password brute-force on my router. The source IP address was in China. I still had incoming attempts from that IP address a week later (firewall back on, of course). Probes for open ports are flooding the internet, all the time! Never turn that firewall off.
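The post above describes the default home-router behaviour ("things are only allowed in if something on the inside has already asked for it") and the gap it leaves for traffic going out. The following toy stateful filter is an added illustration, not code from the thread or from any router or firewall product; the LAN prefix, the packet sequence and the addresses (documentation ranges) are constructed for the example.

```python
from dataclasses import dataclass

INSIDE_NET = "192.168.1."  # constructed LAN prefix; everything else counts as 'the internet'


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


def is_inside(ip: str) -> bool:
    return ip.startswith(INSIDE_NET)


class StatefulGateway:
    """Default-config home router: trust the inside, admit only replies from the outside."""

    def __init__(self) -> None:
        # Flows the inside initiated, keyed as (proto, inside_ip, inside_port, outside_ip, outside_port)
        self.flows: set = set()

    def filter(self, pkt: Packet) -> str:
        if is_inside(pkt.src_ip) and not is_inside(pkt.dst_ip):
            # Outbound: allowed unconditionally and remembered so the reply can come back.
            # This is the gap the post describes: an unwanted program calling home looks
            # exactly like a browser opening a page, because the gateway sees only addresses.
            self.flows.add((pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return "ALLOW"
        # Inbound: admitted only if it matches a flow the inside already opened
        key = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return "ALLOW" if key in self.flows else "DROP"


# Constructed packet sequence (IPs are documentation ranges, not real hosts)
SAMPLE_PACKETS = [
    Packet("192.168.1.10", 51000, "203.0.113.5", 443),    # browser opens an HTTPS connection
    Packet("203.0.113.5", 443, "192.168.1.10", 51000),    # web server replies
    Packet("198.51.100.7", 40000, "192.168.1.10", 3389),  # unsolicited probe of RDP from outside
    Packet("192.168.1.10", 51001, "198.51.100.7", 8443),  # unknown program on the PC calling home
    Packet("198.51.100.7", 8443, "192.168.1.10", 51001),  # and the answer is let back in
]


def run_gateway(packets=SAMPLE_PACKETS):
    """Return the gateway's verdict for each packet, in order."""
    gw = StatefulGateway()
    return [gw.filter(p) for p in packets]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, run_gateway()):
        print(f"{verdict:5} {pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port}")
```

The third packet is the kind of probe the post's log filled up with, and it is dropped because nothing inside asked for it. The fourth and fifth show the other half of the point: the gateway has no way to tell a browser from an unwanted program, so the outbound connection and its reply both pass, which is what a personal firewall on the PC is there to catch.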
     
  7. amanda

    amanda MDL Member

    Nov 5, 2010
    132
    9
    10
What about pfSense? Runs even on an 8-year-old machine.
     
  8. pisthai

    pisthai Imperfect Human

    Jul 29, 2009
    7,221
    2,273
    240
  9. foxyrick

    foxyrick MDL Member

    Aug 25, 2011
    116
    53
    10
    I used Smoothwall for a while, on a modified thin client. It's a nice firewall. I also tried OpenBSD for quite a while too, when my network got quite complex.

    Depending on your modem/router, it might be possible to still utilise the wifi. On mine, I can create separate port groups and I allocate the bridged internet connection to one (call it PG1) along with one ethernet port, and the rest of the ports and wifi to the second, PG2. Thus for the rest of the ethernet ports (including the internal wifi 'port') on PG2, the modem/router is simply operating those as a switch. PG1 and PG2 are isolated from each other and the modem/router does not route between them (they are not quite the same thing as VLANs).

    The PG1 port obviously connects to my dedicated router/firewall (which could be a smoothwall box with enough ports). The router splits the inside into a few VLANs, one of which comes out on a port and goes back to the modem/router, connecting to a port in PG2. Clearly two cables are required, and fortunately I never put a single cable or socket in anywhere :D

    So, my wifi from the modem/router is now firewalled and routed through the dedicated router. A further benefit is that I can give SG2 an IP address on my LAN and connect to the modem/router that way to access its web dashboard and console; something that can be tricky when a modem/router is put into bridge mode.

    Why did I do it that way? Because my modem is in a cabinet in the hallway where the telecoms comes in, and it's also a good place for the wifi. The rest of my kit is in the attic in a rack, and that's a lousy place for the wifi, and too far for me to want to extend the sensitive telco line. Plus, why not :D
     
  10. Smokva

    Smokva MDL Novice

    May 13, 2017
    27
    19
    0
    I've been using Zonealarm for a while and am somewhat surprised that it hasn't got more coverage on this topic as it generally seems to rate right at the top.
    Not that I think it's the best.... in fact, this thread has been really helpful in pointing me to other alternatives that I may choose to try out with my new build.

    I will say that Zonealarm does seem to be pretty solid. I ran a test on one of the testing sites that attempt to penetrate it, and it scored beautifully.
The drawbacks are that it does tend to be somewhat invasive - always asking for what seem to be the same permissions even when you tell it to 'remember'.
    Ads to upgrade have also increased, but you can't really fault them for that. You are running the free version.
    And it isn't really that user friendly for a beginner - you get the idea you can do something more, or something better but clear directions just aren't there.

    So thanks to all for some great alternatives. I'm certainly going to take a closer look at Smoothwall among others. Most of these I've never even heard of before.
     
  11. foxyrick

    foxyrick MDL Member

    Aug 25, 2011
    116
    53
    10
    I used Zonealarm (both free and paid) for many years and found it quite reliable. I stopped paying for it when Zonelabs' advertising/spamming and support policies became intolerable, along with a few other changes I didn't like. I still continued to use an older version (from just before it went to a web-installer) for a while.

    The main reason I changed from that (old) version of ZA and investigated newer options was the lack of support for IPv6. W10FC won over all the competition by a clear mile, and I think it's more flexible than ZA.

    I do recall that ZA occasionally seemed to 'forget' things too. Often after some system problem. At least it still blocked by default so it was just an annoyance.

    Keep in mind that smoothwall (which is a great firewall) doesn't necessarily protect you from malware outbound from the PC (or just programs that you don't want calling home) in the way that ZA or W10FC can; it protects your network from inbound attacks.
     
  12. Smokva

    Smokva MDL Novice

    May 13, 2017
    27
    19
    0
    :confused: Thank you for this. It would not have occurred to me to pay close attention to such a detail.
    I would have thought that by their very nature all firewalls would be able to control both inbound and outbound traffic.
    If true, I can't really agree that it can be considered a 'great' firewall.
     
  13. foxyrick

    foxyrick MDL Member

    Aug 25, 2011
    116
    53
    10
    All firewalls can control both inbound and outbound traffic.

    Smoothwall is a great firewall for inbound protection (at the internet gateway), and outbound if you know what you want it to stop sending packets to. It's that last phrase that's the catch.

    You can, for instance, use firewalls like smoothwall (or many others, like my mikrotik hardware) to stop people on the LAN doing torrents, or connecting to facebook, or anything that you know in advance how the connection will work.

    The problem is that connections from inside the LAN tend to be trusted by default and unless you want to really lock down to 'allowed websites only', then you need to keep outbound fairly open on the gateway firewall. As such, it cannot stop some application on the PC from connecting to an internet address unless you know about it beforehand.

    That's where the personal firewall, the one on the PC itself, comes in. That can detect an application trying to make a connection and alert you to the fact, probably blocking the connection until you permit it. That's what you know ZA does.

Really, any good modem/router can do the most important things that Smoothwall does; like basic security using stateful inspection. Smoothwall comes in handy when you want more control, IDS/IPS (intrusion detection/protection services), want to run external services and still be relatively safe, do more interesting routing or run things like a VPN for the whole LAN to work through. Possibly even a TOR gateway - not sure if Smoothwall can do that but I used to do it on BSD. Also when you want better control over what users on the LAN are allowed access to externally, as mentioned above.

    Personal firewalls and gateway firewalls are really two different things, for two different purposes. Which you need (maybe both, like me) depends on your situation.

    I've never in all my decades of PC career recommended a personal firewall to a commercial or industrial client; never installed one, and have uninstalled them (specifically ZA on one site). Any controlled infrastructure shouldn't need the personal firewall, whereas it might well need more of a gateway firewall than a simple modem/router can provide, both for inbound and outbound control. A 'normal' (non-geeky) home user likely doesn't need anything more than that simple modem/router's firewall, but would benefit from a personal firewall to protect from dodgy software/malware.
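The post above draws the line between a gateway firewall, which can only block outbound connections you already know about, and a personal firewall, which knows which program opened the socket and can block-and-prompt by default. The following toy policy engine is an added illustration of that per-application model; it is not the code of W10FC, ZoneAlarm or the Windows Filtering Platform, and the rule set, program names and addresses (documentation ranges) are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Connection:
    process: str      # program that opened the socket, e.g. "chrome.exe"
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class HostFirewall:
    """Default-deny outbound policy keyed on the program, with an alert log for prompts."""

    def __init__(self, rules: dict) -> None:
        # rules: process name -> set of (proto, port) it may connect to; "*" means anything
        self.rules = {proc: set(perms) for proc, perms in rules.items()}
        self.alerts: list = []

    def decide(self, conn: Connection) -> str:
        perms = self.rules.get(conn.process, set())
        if "*" in perms or (conn.proto, conn.dst_port) in perms:
            return "allow"
        # Unknown program, or a known one using a port it was never permitted:
        # block and record it, which is what a personal firewall's prompt shows you.
        self.alerts.append(f"{conn.process} -> {conn.dst_ip}:{conn.dst_port}/{conn.proto}")
        return "block"

    def permit(self, process: str, proto: str, port: int) -> None:
        """The user's 'remember this' answer to a prompt."""
        self.rules.setdefault(process, set()).add((proto, port))


# Constructed policy and connection attempts (addresses are documentation ranges)
RULES = {
    "chrome.exe": {("tcp", 80), ("tcp", 443)},
    "svchost.exe": {("udp", 53)},
}
ATTEMPTS = [
    Connection("chrome.exe", "203.0.113.5", 443),           # normal browsing
    Connection("svchost.exe", "192.168.1.1", 53, "udp"),    # DNS lookup to the router
    Connection("updater.exe", "198.51.100.7", 443),         # unknown program; a gateway keyed on port would allow this
    Connection("chrome.exe", "198.51.100.7", 8443),         # known program, unexpected port
]


def run_host_firewall():
    """Evaluate the attempts, answer one prompt, evaluate again; return both passes and the alerts."""
    fw = HostFirewall(RULES)
    first_pass = [fw.decide(c) for c in ATTEMPTS]
    # The user reviews the alert for updater.exe and chooses to allow it on 443
    fw.permit("updater.exe", "tcp", 443)
    second_pass = [fw.decide(c) for c in ATTEMPTS]
    return first_pass, second_pass, fw.alerts


if __name__ == "__main__":
    before, after, alerts = run_host_firewall()
    for conn, b, a in zip(ATTEMPTS, before, after):
        print(f"{conn.process:12} -> {conn.dst_ip}:{conn.dst_port}  first: {b:5}  after prompt: {a}")
    print("alerts:", *alerts, sep="\n  ")
```

The third attempt is the one a gateway cannot distinguish from browsing: same destination port, same outbound direction. Only the host knows the socket belongs to `updater.exe`, so it can hold the connection, alert, and let the user decide; once permitted, the same program on the same port passes silently, while the fourth attempt keeps being blocked because the permission is per program and port, not per program alone.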
     
  14. Smokva

    Smokva MDL Novice

    May 13, 2017
    27
    19
    0
    @foxyrick Thank you for the detailed breakdown. You have given me a lot to consider. I do have a modem/router provided by the ISP that I believe is pretty good.
My primary focus has always been on preventing apps from 'calling home' so to speak. Some, like Adobe and Google, can be quite stubborn and keep finding ways to circumvent settings. So I always considered a personal firewall that allows me to clearly identify and block them a necessity. My Win 7 firewall just seemed a little limited in that regard - or perhaps it would be more accurate to say, not so user-friendly to set up. Although I have to be honest and say that perhaps I gave up on it too soon and allowed myself to believe I need more.
    Lots to consider.
    Lots to research.
    Thanks so much for your great post.