Best free firewall for Windows 7



We recently bought a fourth PC at my house so my three-user Kaspersky license can't be used. I used to use ZoneAlarm Free but it seems they bundle an Anti-Virus in with their free firewall offering these days and I want to stick with Microsoft Security Essentials. What's the best free firewall out there? At the moment I'm just using Windows Firewall but I'd prefer something more.

Link to comment
Share on other sites

Why do you want more than Windows Firewall?

There's this tool for Windows, that extends the built-in firewall with a ton of options and actually makes it a full blown product.

It costs a little bit, but there is also a free version, might want to check it out:

http://www.sphinx-soft.com/Vista/index.html

Other than that, don't trust opinions like mine, check reviews and tests.

Usually, the best firewall is the one that's configured the best, so that is tons more important than the product itself - albeit very truly an important factor, too! :yes:

Please consider changing your AV solution, it's a horrible pick and should only be used when "better than none" cases of "keeping it out of the way for a noob" cases arise.

Please check a variety of tests, never rely on forum opinions only.

I used to trust Avast, they are still good, but I heard at the moment others are rocking the test charts.

Glassed Silver:mac

Link to comment
Share on other sites

"We recently bought a fourth PC at my house"

So you're behind a NAT router I would assume - all 4 of your PCs aren't connected to the internet with public IPs, are they?

So your home network is a wild west type hostile environment where you need to firewall each machine from the other machines on the network? If so then sure I can see the need of a software firewall.

Now if the machines are all under your supervision and secured or operated by you or someone you trust, etc. I fail to see the need of software firewalls on them in the first place.

What is it exactly you are trying to do that you feel you need some extra 3rd party firewall to accomplish? How is this 3rd party firewall providing you with extra protection? Behind a NAT router/firewall there should be no unsolicited inbound traffic from the internet to any of your machines. All traffic from the internet would be controlled by who manages the border device. Is that you? So what have you opened to these machines that now requires another firewall to control?

What traffic are you controlling on your lan side? Do you only allow say machine 1 to talk to machine 3 and block all access from 2?

I personally think that users just do not really understand what a firewall does, and have been so hammered from the vendors that you NEED a Firewall, that they don't really know any better. And just think that the one that comes with the OS can not be as good as brand X or Y, etc.. So let me spend money on Y so I can be safe ;)

I have yet in all the years here on Neowin to actually see someone post a scenario or even a log that shows that their 3rd party firewall protected them from anything. What I do see is thread after thread after thread of "I can not get this to work" because of their misconfigured 3rd party firewall ;)

It's your money and your machines, you can do with it what you will -- but unless the devices on your local LAN are considered hostile, or the machines leave your network. You could debate the need of any software firewall on them, and for damn sure the one it comes with more than satisfies said requirement for when it leaves your network, or how to secure it from possible hostiles on your local network.

  • Like 2
Link to comment
Share on other sites

You really, really don't need a firewall if you have Windows Firewall and are behind a NAT. The only thing a firewall will do is annoy you by asking if every single application could perhaps access the internet. Aside from that, there are hardly any threats out in the wild a firewall would protect you against. So just don't bother.

Link to comment
Share on other sites

You already have a good anti-virus with MSE. Your router most likely has a hardware firewall and with Windows 7 built in software firewall that is all you should really need.

Link to comment
Share on other sites

For the people who say he doesn't need a firewall because he's behind a NAT. Maybe he's not a network nut and doesn't feel like changing forwarding rules every time he runs an app that needs forwarding to work properly and runs the network with UPnP like most people.

Granted, chances are small someone will peek in through an open UPnP port at just the right time, but it's possible, especially with known normal ports in games and patchers and such.

  • Like 1
Link to comment
Share on other sites

^ problem with that logic is, if the ports are open via UPnP for something to work (say a game server he is running), then the host firewall would have to be set up to allow the traffic. So the local firewall would not be blocking anything anyway.

So you're saying that his software opens up the port via UPnP - and then he gets prompted by his software firewall to allow connections? So how does he know the remote IP is valid to allow? Is he talking with the people he is allowing to connect and get their IPs?

If you have some software open up ports to your box on your border firewall via UPnP, why do you need the software firewall? If you are allowing the unsolicited traffic - one would have to assume you want to allow traffic inbound. So are you going to limit the IPs that can access this port - after it's been opened on the NAT router? If not - then no it serves no purpose.

Here is the thing - please describe the scenario on what you want to allow and not allow. If you want to control which remote IPs can access your service you have open to the public on your router, then do that at the router. Why would you move this security border to the host? Unless you need to allow some public and "some" local - if you're going to allow all local, then the boundary at your router is correct. If you're going to want to control both local and public and pick and choose which IPs you trust both from public and local - then yes your security boundary would need to move to the host.

Software firewalls, let's call them host firewalls - because even that firewall running on your router is really still just software running on the router. Do have valid scenarios where they make sense. From a management point of view for overhead in control, you need to determine where your trust border is, and place your security boundary there.

So we have this - typical home network.

[Image: diagram of a typical home network]

Where do you place the security boundary? Depends on what risks you're looking to mitigate, what management overhead you're willing to have, where your trust borders are. Do you not trust the other devices on your local network? Do you not trust some of them? It may well be that you need controls at all three points - A, B and C.

The point I am trying to make is, unless you can describe the risk you're mitigating or wanting to mitigate how can you determine if extra controls at B or C are needed?

The built in firewall gives you the control at C if you so desire. So what does spending money on or installing 3rd party get you that you don't already have? If you can not explain or understand this - then it's unlikely you need this 3rd party firewall.

If you TRUST all the devices on your network - then you more than likely do not even need firewall/control at B or C since you have it at A. Placing controls there can and do things that are more than likely not desired - extra cost, extra management, frustration in getting simple things to work like file sharing since you did not put the time or the effort into the extra management required to configure B and C, etc. etc. And depending on the risk you're trying to mitigate - more than likely these extra controls at B and C will not even be effective or used, and only causing you cost, time, frustration.

If the OP would be good enough to describe the risk they are worried about, I would be more than happy to discuss the best ways to handle said risk. It may well be that C is required, it may well be that the built in firewall may be able to do it - it may not. But without understanding the risk the OP is worried about - there is no way to even discuss the matter to be honest.

Saying you need C, and not only C but something extra and beyond what is part of the OS without knowing what we are trying to accomplish is where I have a problem.

Link to comment
Share on other sites

You are in luck, you are already using the best free firewall for Windows 7, congrats. (It's included in the OS.)

Link to comment
Share on other sites

Whilst I think some of these replies are terrible in their delivery, their content is right.

The Windows firewall is more than acceptable. It's a server firewall and it's brilliant. I have heard some people suggest the sphinx solution, but I have never used it personally (I like powershell <3)

Link to comment
Share on other sites

I have the built-in Firewalls on all my machines disabled, the NAT Firewall on even the most basic router is MORE than enough.

Link to comment
Share on other sites

^ I agree disable is not desirable mode. Configured to allow all traffic on your "trusted" network is better setup - to be honest I don't even think you can "disable" the firewall service on box without breaking some other features.

But what you can do is turn it off for your local trusted connection. Now if for some reason your computer determines that this is no longer your trusted network, then it will come up in a blocking mode. Which would be desired, for example if you move your laptop around networks.

When you configure it to allow all traffic from your trusted network - off I believe is the term they use for the specific network you're on. This removes that added overhead and frustration that most home users run into when they want to access some service. Be it file sharing, game they are running, etc. If you trust all the devices on your network - then this is a valid choice that removes all the extra management of having to configure each and every host firewall to allow the specific traffic you want to allow.

Link to comment
Share on other sites

^ problem with that logic is, if the ports are open via UPnP for something to work (say a game server he is running), then the host firewall would have to be set up to allow the traffic. So the local firewall would not be blocking anything anyway.

So you're saying that his software opens up the port via UPnP - and then he gets prompted by his software firewall to allow connections? So how does he know the remote IP is valid to allow? Is he talking with the people he is allowing to connect and get their IPs?

upnp opens port 12345 for your p2p part in trackmania to allow showing your car skin and other stuff, random internet thug tries to access your computer through open port 12345 and gets blocked by software firewall that says "hey, only trackmania is allowed to use this port".

Link to comment
Share on other sites

What??

"hey, only trackmania is allowed to use this port".

What else do you think would be listening on that port???

So in your scenario there, what does the firewall do? When I exploit trackmania on port 12345??

Link to comment
Share on other sites

Hey, I am using MSE.

And about your firewall problem... you should use "TinyWall". It's free, small and really easy to handle, and yes, an effective app.

You can use that.

:)

Link to comment
Share on other sites

I'm using the built in firewall with this very light extension:

http://www.binisoft.org/wfc.php

I've been using it for a long time and for the money they ask (next to nothing) it fulfils my needs for Windows. You can use it for free (but with less functionality) too if you like.

Link to comment
Share on other sites

Why do you want more than Windows Firewall?

There's this tool for Windows, that extends the built-in firewall with a ton of options and actually makes it a full blown product.

It costs a little bit, but there is also a free version, might want to check it out:

http://www.sphinx-so...ista/index.html

Other than that, don't trust opinions like mine, check reviews and tests.

Usually, the best firewall is the one that's configured the best, so that is tons more important than the product itself - albeit very truly an important factor, too! :yes:

Please consider changing your AV solution, it's a horrible pick and should only be used when "better than none" cases of "keeping it out of the way for a noob" cases arise.

Please check a variety of tests, never rely on forum opinions only.

I used to trust Avast, they are still good, but I heard at the moment others are rocking the test charts.

Glassed Silver:mac

Yeah,

I use that Sphinx firewall but DON'T have Windows Firewall enabled even. Works just as good!! Use it simply to monitor what might try connecting out. Hate things like CrapCleaner installer trying to connect or that askstub(?) thing that comes with some other programs.

Agree with most of what Budman says, but if you know what you're doing with a firewall, I'd still recommend a third party one over Windows Firewall. I don't install third party ones on customers' computers but make sure the Windows one is turned on. Do agree that with a router/NAT properly configured, no firewall is really needed, except for curiosity's sake and your own peace of mind.

  • Like 1
Link to comment
Share on other sites

Well since only trackmania is allowed to listen on that port through the firewall (something a hardware firewall can't limit), you severely limit the attacks possible since not only do the hackers need to find an open port, they need to know what software is using that port, and the software must have an open vulnerability that is exploitable by their tools, and so on.

Link to comment
Share on other sites

On another note, are there any Windows Firewall extensions that allow you to list what apps are using the network and what ports they have open? It's the one thing I miss from the firewall I used to use back in the day (don't remember the name, but it got bought up by those scientologists or something and changed name).

Link to comment
Share on other sites

"Well since only trackmania is allowed to listen on that port"

Dude you do understand that ONLY 1 thing can listen on a specific port at any specific time, on one IP.

Your router is not sending unsolicited traffic to your computer for your software firewall to do anything with on any of the other ports! So it may well be that your UPnP opened up trackmania port on your router.. But all the other ports would not be sent to your machine.

"using the network and what ports they have open" What?? I am not following your logic -- I can tell what is listening with a simple netstat command. What would be listening that I wouldn't want to listen? If I don't want it to listen - then I don't run it! Then again what does it matter, my router would be blocking access to any of these ports anyway - like file and print sharing, all the ports on my machine that would be listening - router/firewall blocks! Unless I have set it to be open, or UPnP has opened it up for me -- which since you have UPnP running, and ran the software I assume you want to allow. So what is your host firewall doing for you?

C:\Windows\system32>netstat -an

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1027           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1029           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1030           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1055           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1057           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5938           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:17500          0.0.0.0:0              LISTENING

These are the ports that are currently "listening" on my computer - none of them are open to the public net, because I have not forwarded them on my firewall, nor do I allow this machine to use UPnP. And even if I did - let's say TeamViewer opened up those ports for me. Since I am running that service - and UPnP to allow it to auto open them. What would my host firewall be doing for me?

I can view what is listening on those specific ports with a simple -b on the end of my netstat command. And an -o and I can see the PID of the actual process, example

C:\Windows\system32>netstat -anbo

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       3848
 [TeamViewer_Service.exe]

  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       976
  RpcSs
 [svchost.exe]

  TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING       368
  eventlog
 [svchost.exe]

  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1492
  CryptSvc
 [svchost.exe]

So I snipped out a few and made it easier to read -- those are the TCP ports that are "listening" and what program is doing the listening. But none of them are open to the public net, because my router is not set to allow that. Now I want for example all the boxes on my local LAN to be able to access 3389 (remote desktop) and the TeamViewer port. So why would I need a host firewall to block that? Now if say I had hostile boxes on my local network. And only wanted say a known good IP on my network 192.168.1.42 to be able to access it - then sure a host firewall would make sense. See my previous drawing on where I draw the trust barrier.

Now I do allow a box to use UPnP on my router - that is my son's ps3, he might host something on it, etc. So I allow it to open up ports to itself. "allow 1024-65535 192.168.1.209/32 1024-65535"

Oh shoot -- his ps3 doesn't have a firewall, what??? How can that be ;) You mean I allow traffic to the ports I have open - and I don't need a firewall on the actual box to do that..

So still waiting for this example how your host firewall protects you when I have UPnP open.. Your software opened up port X on the router to send to its IP, trackmania -- so since you want traffic to get to trackmania because you're running it and allowing it to open the port via UPnP on your router. What is your host firewall doing?? Are you blocking IP xyz from talking to trackmania but allowing IP abc to do so? If not then your host firewall is not doing anything.

Link to comment
Share on other sites
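
Added example, not part of any post in the thread: a small parser for `netstat -anbo` output that lists every listening socket with its PID, executable and hosted service, and separates loopback-only listeners from those other machines on the LAN can reach (the ones a host firewall rule would actually decide on). The function names and the sample text are constructed for illustration; the sample is modelled on the output quoted above, and 203.0.113.7 is a documentation address.

```python
import re
from collections import namedtuple

Listener = namedtuple("Listener", "proto address port pid process component scope")
# Constructed sample, modelled on the `netstat -anbo` output quoted in the thread.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       3848
 [TeamViewer_Service.exe]
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       976
  RpcSs
 [svchost.exe]
  TCP    127.0.0.1:5939         0.0.0.0:0              LISTENING       3848
 [TeamViewer_Service.exe]
  TCP    192.168.1.10:49200     203.0.113.7:443        ESTABLISHED     2212
 [firefox.exe]
  TCP    [::]:445               [::]:0                 LISTENING       4
 Can not obtain ownership information
  UDP    0.0.0.0:500            *:*                                    1020
  IKEEXT
 [svchost.exe]
"""

# Groups: proto, local address, local port, foreign address, optional state, PID
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(?:([A-Z][A-Z_0-9]*)\s+)?(\d+)\s*$")

def scope_of(address):
    if address in ("0.0.0.0", "[::]"):
        return "all-interfaces"      # reachable from the LAN unless a host rule blocks it
    if address.startswith("127.") or address == "[::1]":
        return "loopback-only"       # never reachable from another machine
    return "single-address"

def parse_listeners(text):
    found, current = [], None
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            proto, addr, port, _foreign, state, pid = m.groups()
            current = None
            # TCP listeners are in state LISTENING; a bound UDP socket has no state.
            if state == "LISTENING" or (proto == "UDP" and state is None):
                current = dict(proto=proto, address=addr, port=int(port), pid=int(pid),
                               process=None, component=None, scope=scope_of(addr))
                found.append(current)
            continue
        name = line.strip()
        if current is None or not name:
            continue
        if name.startswith("[") and name.endswith("]"):
            current["process"], current = name[1:-1], None   # executable closes the entry
        elif name.startswith("Can not obtain"):
            current = None                                   # owner hidden (not elevated / system)
        else:
            current["component"] = name                      # hosted service, e.g. RpcSs
    return [Listener(**d) for d in found]

def lan_reachable(listeners):
    return [l for l in listeners if l.scope != "loopback-only"]

if __name__ == "__main__":
    print(*lan_reachable(parse_listeners(SAMPLE)), sep="\n")
```

To run it against a real machine, capture `netstat -anbo` from an elevated prompt into a file and pass its contents to `parse_listeners`; the `-b` option needs administrator rights.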

subscribed for the funnies...

funnies = noob users that think they need a firewall when in fact they don't understand what it does or what their router does and insist that it protects them because the router doesn't do what it was designed to do.

nat is a firewall first and foremost and every home router on the face of the earth is a nat firewall.

http://www.networkclue.com/routing/firewalls/nat.aspx

How a nat firewall works is that it uses one ip to connect to the internet (your outside ip if you will) and masks everything behind the firewall as the outside ip. This is how you can get a billion computers to be seen as 1 ip to everyone on the internet. A side effect of this billion to 1 is that it provides security. Outside cannot come in due to the fact that there needs to be a physical tunnel between the outside and the inside, this would be mapping a port from outside to in manually. Another way would be to use upnp but this also only triggers a single port to open based on the requesting computer...it doesn't open the whole world up in case another computer needs to use a different port to allow access to another service. The way a nat firewall works is that in order to establish communication the computer on the secure end (the inside if you will) needs to request something on the non secure end which causes a secure request to the outside. How malware gets installed is that they piggy back on this secure request and infect your computer via an infected script you run or execute on the remote end...even with a software firewall, this is where it fails... The difference that people like is that it interfaces with their os level and can produce an alert when unauthorized communications happens. But this does not protect you any better than proper prevention methods in the first place, it only masks the individuals own stupidity in that it tells you after you have been infected that your computer is communicating with whatever on the internet...What did it exactly do to prevent anything? Nothing in itself, it just gave you a security blanket to make you feel that you are in control when the user requesting this has absolutely no clue on what is going on with their network.

So I need to ask what is a software firewall going to do for you? If you answer protect you from incoming attack, your hardware firewall already does that without you doing anything. If you answer protects you from infection, your antimalware portion of that firewall already does that. If you answer it is better than your hardware firewall, I am afraid you have missed the point that you are already protected and you could run without any software firewall on your private network as you probably aren't going to hack your own hardware maliciously. Please go ahead and attack your own network from the outside trying to get in.

You want to see if you are protected from the internet, look here and run it.

https://www.grc.com/x/ne.dll?bh0bkyd2

Link to comment
Share on other sites

This topic is now closed to further replies.