Best free firewall for Windows 7



sc302 - every time this topic comes up it's like trying to have a discussion with a vegan on the finer points of a ribeye vs. a New York strip, or which is better, beef or pork ribs.

user: You need a software firewall, which one should I get

admin: Why do you need that? You're already behind a firewall at the border of your network.

user:___________

admin: Still waiting. How does that software firewall add protection? What specifically are you trying to filter or prevent?

user: ___________

admin: Ok so you have no idea what the firewall actually does, but you need it?

user: YEAH! Yup companies X,Y and Z all told me I needed one!

admin: You do, and you're behind it already - that firewall at the border of your network. Are you trying to refine the restrictions set there? Do you have hostiles on your local segment you need to filter? Does the box leave your secure network and join hostile networks?

user: ___________

admin: BTW, you also already have a host firewall on your box that can be used to filter/block/restrict whatever you want to firewall. Why is 3rd party X better than that? What specific feature do you NEED to accomplish that it does not do?

user: I need a host firewall - which one should I get?

admin: [facepalm]


"Well since only trackmania is allowed to listen on that port"

Dude you do understand that ONLY 1 thing can listen on a specific port at any specific time, on one IP.

Your router is not sending unsolicited traffic to your computer for your software firewall to do anything with on any of the other ports! So it may well be that UPnP opened up the trackmania port on your router, but all the other ports would not be sent to your machine.

"using the network and what ports they have open" What?? I am not following your logic -- I can tell what is listening with a simple netstat command. What would be listening that I wouldn't want to listen? If I don't want it to listen - then I don't run it!

Still waiting for this example of how your host firewall protects me when I have UPnP open. Your software opened up port X on the router to send to its IP, trackmania, so you want traffic to get to trackmania because you're running it and allowing it to open the port via UPnP on your router. What is your host firewall doing?? Are you blocking IP xyz from talking to trackmania but allowing IP abc to do so? If not, then your host firewall is not doing anything.

Yes, but what happens when I'm not running trackmania then? It's not like I'll be running that 24/7. Then the HW firewall will still send that port to the computer; granted, the likelihood of anything else being exploitable on that port is just as slim as trackmania being exploitable on that same port, but still. Personally I just run the Windows firewall in default mode, which means it'll just allow anything on the local network, and anything that is installed is pretty much granted anything they ask for.

As for my firewall request, while netstat is useful it's not as nice as a nice firewall app showing every app running and an expandable view of all incoming ports and outgoing connections and what ports they use. In fact, contrary to what you think, I'm more interested in the outgoing connections than the incoming ones, and this is primarily so I can see what ports the apps use so I can set up the QoS on my router better. While it's rare I need to find that specific info, it's nice to have it handy in a nice organizable GUI when I do need it.


Yep, I know, and it is always funny that users have so much knowledge that they need something they have no idea what it does, or don't understand that what they have in place is more powerful than what they think they know, without even trying to be.


"Yes, but what happens when I'm not running trackmania then? It's not like I'll be running that 24/7. Then the HW firewall will still send that port to the computer; granted, the likelihood of anything else being exploitable on that port is just as slim as trackmania being exploitable on that same port, but still. Personally I just run the Windows firewall in default mode, which means it'll just allow anything on the local network, and anything that is installed is pretty much granted anything they ask for.

As for my firewall request, while netstat is useful it's not as nice as a nice firewall app showing every app running and an expandable view of all incoming ports and outgoing connections and what ports they use. In fact, contrary to what you think, I'm more interested in the outgoing connections than the incoming ones, and this is primarily so I can see what ports the apps use so I can set up the QoS on my router better. While it's rare I need to find that specific info, it's nice to have it handy in a nice organizable GUI when I do need it."

When you are not running trackmania, the port closes if you are running UPnP. If not, the port closes as there isn't anything listening any longer (in order to be open, something needs to listen). Have you ever tried to walk through a closed, locked door even after the main door to the house is open? How does that work out for you? netstat shows every application based on executable if used with the proper switches; it will show what DNS name or IP as well. It shows incoming and outgoing UDP and TCP.

Here are a few netstat commands:

netstat -a

netstat -a -n

netstat -a -b

netstat -a -t 10

And if you want to be all fancy and whatnot:

netstat -a -b -t 10 >%userprofile%\desktop\netstat.txt

Then after a minute or two, check out the text file on your desktop.

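The following is an added example and not part of sc302's post above or any code from the thread. It produces the same information as his `netstat -a -b` run, but parsed into objects grouped by owning process, so it can be sorted and filtered (listeners vs. connections, per program) without a third-party firewall GUI, which is what the other poster said he wanted the GUI for. It uses `netstat -ano` (PID instead of `-b`'s executable name, so it also works from a non-elevated prompt; run it elevated anyway so PIDs of services running as SYSTEM resolve to names). Written to run on Windows 7 with PowerShell 2.0; the function and property names are my own.

```powershell
# Added example, not from the thread. Parses "netstat -ano" into objects and
# joins each socket to its owning process. Windows 7 / PowerShell 2.0 compatible.

function Get-PortsByProcess {
    param(
        # Lines of "netstat -ano" output. Defaults to a live run; pass saved
        # output (Get-Content netstat.txt) to analyse an earlier capture.
        [string[]]$NetstatLines = (netstat -ano)
    )

    # Resolve PID -> process name once, not once per line.
    $names = @{}
    Get-Process | ForEach-Object { $names[[int]$_.Id] = $_.ProcessName }

    foreach ($line in $NetstatLines) {
        $f = -split $line.Trim()
        # Data rows start with TCP or UDP; everything else is header or blank.
        if ($f.Count -lt 4 -or ($f[0] -ne 'TCP' -and $f[0] -ne 'UDP')) { continue }

        # TCP rows: Proto Local Remote State PID.  UDP rows have no State column.
        if ($f[0] -eq 'TCP') { $state = $f[3]; $owner = [int]$f[4] }
        else                 { $state = '-';   $owner = [int]$f[3] }

        $local  = $f[1]
        $remote = $f[2]
        # The port is whatever follows the last ':' so "[::]:135" parses as well.
        $localPort = [int]$local.Substring($local.LastIndexOf(':') + 1)

        $name = $names[$owner]
        if (-not $name) { $name = "pid $owner (exited, or access denied)" }

        # A LISTENING TCP socket, or any bound UDP socket (remote "*:*"), is
        # what a port forwarded on the router could actually reach.
        if ($state -eq 'LISTENING' -or $remote -eq '*:*') { $role = 'Listening' }
        else                                             { $role = 'Connection' }

        New-Object PSObject -Property @{
            Process   = $name
            PID       = $owner
            Proto     = $f[0]
            LocalPort = $localPort
            Remote    = $remote
            State     = $state
            Role      = $role
        }
    }
}

# What this box will accept from the network, one line per socket, per program:
Get-PortsByProcess | Where-Object { $_.Role -eq 'Listening' } |
    Sort-Object Process, Proto, LocalPort |
    Format-Table Process, PID, Proto, LocalPort -AutoSize

# Outbound side (the QoS question): which remote ports does each program talk to?
Get-PortsByProcess | Where-Object { $_.State -eq 'ESTABLISHED' } |
    Group-Object Process | ForEach-Object {
        $ports = $_.Group |
            ForEach-Object { $_.Remote.Substring($_.Remote.LastIndexOf(':') + 1) } |
            Sort-Object -Unique
        '{0}: remote ports {1}' -f $_.Name, ($ports -join ', ')
    }
```

The `Role` column is the check that matters for the UPnP argument in the thread: only sockets reported as Listening can receive anything a router forwards; a port that shows up nowhere in that list is closed regardless of what the router does with it.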

That is your point of view... It takes me a second to run and a few seconds to see what is running. And if I am looking for something specific, it takes a split second to find. I can narrow down what end ports the app is getting stuck on and can open up the firewall based on that.

I don't need a fancy wrapper to show elegance; elegance is irrelevant to the information required. Easy? Well, I don't know what is so hard about typing in a command, but if you must use a mouse you can batch-file it. Quick? It is relatively fast, if not faster than finding the logs in the software.


"personally I just run the windows firewall in default mode which means it'll just allow anything on the local network and anything that is installed is pretty much granted anything they ask for."

Ok - then I have to ask why do you need a host firewall at all?

As sc302 pointed out already, if you're using UPnP to open up the port on your router/firewall, then when that service is no longer running that port would be closed. That is, if UPnP is working as it should. If not, again, what would it matter if the port is forwarded? Your box is not even listening on that port, so nothing could be exploited. As to the odds of something else running on the trackmania port of 12345 in your example that could be exploited, hmmm, that would be like winning the lottery and getting hit by a bolt of lightning as you're standing on the stage accepting your big check on TV, while at the same time a meteorite is taking out your car in the parking lot.

Now sure, if trackmania is not using port 12345, since it is a high port and not being used, some other application could be using it as its random source port and therefore be listening on it. But that application would be expecting a response only from the dest IP and port it was using that source port to talk to, so a SYN packet from another IP and a different source port on their end more than likely would not even be responded to or processed. Off the top of my head I am not sure what would happen in that case, to be honest. But again you're talking some really long odds here; there are 65535 ports that your active applications could be using as their source ports, and they are dynamic and normally change per session as that application does what it wants to be doing.

And again normally UPnP should close the port when the application that requested the port is closed, and if it doesn't then it would time out and close on its own as well. This timeout would depend on the actual router - but it shouldn't be all that long.

Sounds more like you're asking how to reserve a high port for only one application, even if said application is not running. That can be done with a registry key: http://support.microsoft.com/kb/812873 How to reserve a range of ephemeral ports on a computer. I believe you can do it with netsh as well; depending on your OS you would need to look up the details.

netsh int <ipv4|ipv6> Add excludedportrange [protocol=]tcp|udp [startport=]<integer> [numberofports=]<integer> [[store=]active|persistent]

With this you could make sure that no other application could use port 12345, even when trackmania was not running, and completely remove any concerns of something else listening on that port because of dynamic use, if you were statically forwarding that traffic to your private IP on your router without the use of UPnP. But normally you forward ports for a specific reason, and that reason would always be running, say a game server, ftp, ssh, http server, etc. And then again those services are normally reserved and would not be used by anything else anyway, as they sit below the random dynamic range (under 1024, etc.).

I believe sc302 answered the other stuff about ease of access to the info, etc.

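The following is an added example and not code from BudMan's post or the thread. It turns the scenario he describes (some other program briefly holding the game's forwarded port, 12345 in the thread, as an ephemeral source port while the game is not running) into a check: it parses the stack's dynamic port range from `netsh`, reports whether the port is even eligible for dynamic assignment, lists existing exclusions, and shows the exclusion from his post applied and removed. Vista/Windows 7 and later; the `add` and `delete` need an elevated prompt. The registry key from the KB article he links (`HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ReservedPorts`) is the pre-Vista mechanism and is not used here. The port number is the thread's placeholder and the function names are my own.

```powershell
# Added example, not from the thread. Checks whether a forwarded port can be
# handed out dynamically, then shows the netsh exclusion applied and verified.
# Caveat from my own use, not from the thread: ports in an excluded range also
# refuse explicit binds (WSAEACCES), so the game itself cannot open the port
# while the exclusion is in place. Remove it before launching the game.

function Get-DynamicPortRange {
    param([string]$Protocol = 'tcp', [string]$Family = 'ipv4')
    # Output looks like:   Start Port      : 49152
    #                      Number of Ports : 16384
    $out = netsh interface $Family show dynamicport $Protocol
    $start = $count = $null
    foreach ($line in $out) {
        if ($line -match 'Start Port\s*:\s*(\d+)')      { $start = [int]$matches[1] }
        if ($line -match 'Number of Ports\s*:\s*(\d+)') { $count = [int]$matches[1] }
    }
    if ($start -eq $null -or $count -eq $null) {
        throw "Could not parse dynamic port range from: $out"
    }
    New-Object PSObject -Property @{ Start = $start; End = $start + $count - 1 }
}

function Test-EphemeralPort {
    # True if the stack could hand $Port to any program as a source port.
    param([int]$Port, [string]$Protocol = 'tcp', [string]$Family = 'ipv4')
    $r = Get-DynamicPortRange -Protocol $Protocol -Family $Family
    ($Port -ge $r.Start -and $Port -le $r.End)
}

$port  = 12345   # the thread's example; substitute the port your router forwards
$range = Get-DynamicPortRange
'Dynamic TCP range: {0}-{1}' -f $range.Start, $range.End
if (Test-EphemeralPort -Port $port) {
    "$port is inside the dynamic range; another program could get it as a source port."
} else {
    "$port is outside the dynamic range; nothing gets it unless it binds it on purpose."
}

# Ranges already kept out of dynamic assignment (Hyper-V reserves some this way too).
netsh interface ipv4 show excludedportrange protocol=tcp

# BudMan's exclusion, for the time the game is NOT running (elevated prompt):
#   netsh interface ipv4 add    excludedportrange protocol=tcp startport=12345 numberofports=1 store=persistent
# and to hand the port back before the game needs to bind it:
#   netsh interface ipv4 delete excludedportrange protocol=tcp startport=12345 numberofports=1
```

On a default Windows 7 install the dynamic range starts at 49152, so the check above reports 12345 as outside it and the exclusion is not needed at all; it only becomes relevant if the range was changed or the forwarded port falls inside it.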

Ok, bad wording on my part. I was addressing the question about something else listening on the port when trackmania was not, with unsolicited traffic being forwarded to that IP at the router/firewall: how you would normally make sure that something else could not listen on a port you wanted to use for a specific service when said port is inside the ephemeral/dynamic range, i.e. ports used as source when an application makes a connection to some IP on a specific service port. These are normally transient in nature and are only listened on when the session is active; applications can run through these fairly quickly. Watch, say, your web browser as you create new sessions to different websites: as a session is created a new source port will be used, and when the previous sessions are closed that port will be freed up and no longer listened on, etc.

In your scenario, when you're not running trackmania, which was using 12345, it would be possible for some other application to be listening on that port for a short period. So in theory, if forwarded on your router, a packet would be seen at the host that was not part of the actual session it was using the port for.

As to your point about IPv6: I have to assume you're talking about a tunneling method of getting IPv6 to your host while using IPv4 on your router/firewall, Teredo for example. And yes, this bypasses your router/firewall protection by creating a tunnel through it to some external IPv4 server and then tunneling the IPv6 through this tunnel to your host.

In essence you just directly placed your host on a hostile network, so sure, where would your trust barrier be? Yup, line C in my previous drawing. I am not, nor have I ever been, a fan of Teredo; it was and is a stopgap way of getting IPv6 to a host behind an IPv4 NAT. But yes, this is when you would actually require a host firewall, since your box is directly exposed to a hostile network. Which you already have: the firewall built into W7 will and does filter IPv6.

Now if you want to play with ipv6, what I would suggest is use the native ipv6 supplied by your ISP and filter that just like you do with ipv4 at your router/firewall - line A in my drawing. If your current router does not support ipv6 native dual stack connectivity - get a new router ;)

If your ISP does not supply native IPv6, then set up an IPv6 tunnel at your router. I would recommend Hurricane Electric: FREE, and you can even get a /48 if you want, with endpoints all over the globe. Set this up at your router and filter there as well. This is what I currently do, and I allow 2 IPv6 things: ICMP (ping) to my IPv6-enabled hosts, and NTP to my IPv6-enabled NTP server that is a member of pool.ntp.org. IPv6 is disabled on all hosts that I am not actively using it on, because running a protocol that is not actively used or managed is bad juju and goes against all common security practice. If you're not using an FTP server, why would you run an FTP server? If you're not using IPX, why would you have it enabled? If you're not using IPv6, why would you have it enabled? I am not actively using IPv6 on most of the devices on my network, so guess what, it's disabled on those devices.

Now my ipv6 host is no longer directly connected to a hostile network - there is a firewall between it and the hostile network. And I can manage this at a common point, vs having to manage each individual host firewall. So I can talk between my trusted ipv6 enabled hosts on ipv6 without the added management of a host firewall that has to be configured for anything I might want to do with ipv6 between them. And I know they are secured from unsolicited traffic from the hostile public internet on ipv6 at my trust border.

I have never said you should never have a host firewall. What I have said is it depends on how you're connected, to what kind of environment you're connected, and what exactly you're trying to secure. If you want to filter traffic at all 3 lines in my drawing, hey, more power to you. It is going to be much more overhead in management for very little added security, and maybe none depending on how they are configured, and quite often many problems, again depending on how they are configured or the lack of configuration.

So we are back to square one - what exactly is the user wanting to do, that he either does not know how to do with his built in host firewall or OS, or that is not possible and would require 3rd party.

Thinking you need a 3rd party host firewall, without being able to describe the reason or how it will provide protection above and beyond what is currently available is where I have questions.

If the user can describe the scenario that is of concern, we can discuss the best security practices to mitigate said concern. It may well be 3rd party X firewall, but I highly doubt it, to be honest.

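The following is an added example and not code from BudMan's post or the thread. It applies his Teredo point as a check with an optional fix: it reports the state of the three IPv6 transition tunnels Windows 7 can bring up on its own (Teredo, 6to4, ISATAP), flags any tunnel addresses the host currently holds, prints the built-in firewall's per-profile state (it filters IPv6 as well as IPv4, as he says), and with `-Fix` disables the tunnels so IPv6 only reaches the host over the path filtered at the router, whether native or a router-terminated tunnel such as Hurricane Electric. Save it as a .ps1 and run it from an elevated prompt for the `set` commands. The address-prefix matching is a heuristic of my own based on the well-known prefixes (Teredo 2001:0::/32, 6to4 2002::/16, ISATAP interface IDs containing 5efe); the function names are mine as well.

```powershell
# Added example, not from the thread. Audits and optionally disables the
# IPv6 transition tunnels that bypass an IPv4-only border firewall.
param([switch]$Fix)

function Get-TunnelState {
    # Each netsh context prints "Type : ..." and/or "... state : ..." lines.
    foreach ($tech in 'teredo', '6to4', 'isatap') {
        $out = netsh interface $tech show state
        $type = $state = 'n/a'
        foreach ($line in $out) {
            if ($line -match '^\s*Type\s*:\s*(\S+)') { $type  = $matches[1] }
            if ($line -match 'state\s*:\s*(\S+)')    { $state = $matches[1] }
        }
        New-Object PSObject -Property @{ Technology = $tech; Type = $type; State = $state }
    }
}

function Get-TunnelAddresses {
    # Heuristic: scan ipconfig output for addresses in the tunnel prefixes.
    # Teredo 2001:0:..., 6to4 2002:xxxx:..., ISATAP ...::5efe:a.b.c.d
    ipconfig /all |
        Where-Object { $_ -match '\b2001:0:|\b2002:[0-9a-f]{1,4}:|5efe:' } |
        ForEach-Object { $_.Trim() }
}

'--- IPv6 transition tunnels ---'
Get-TunnelState | Format-Table Technology, Type, State -AutoSize

'--- Tunnel addresses currently held (empty is what you want) ---'
Get-TunnelAddresses

'--- Windows Firewall state per profile (applies to IPv6 as well as IPv4) ---'
netsh advfirewall show allprofiles state

if ($Fix) {
    # Turning the tunnels off removes the path around the border firewall.
    # Native IPv6 or a tunnel terminated on the router is not affected.
    netsh interface teredo set state disabled
    netsh interface 6to4   set state disabled
    netsh interface isatap set state disabled
    '--- After fix ---'
    Get-TunnelState | Format-Table Technology, Type, State -AutoSize
}
```

Run it once without `-Fix` first: a Teredo `Type` of `client` with a `State` of `qualified`, or any 2001:0: address in the second section, means the host is reachable over IPv6 from the internet through the tunnel, exactly the "line C" exposure described in the post.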

I try and post as many pictures as I can for the people at your reading level, but sometimes it's difficult describing big people topics with pictures of animals and what sounds they make.

Here is some shiny stuff you can stare at.

[animated gif]

Does it seem that we are discussing stuff you can understand now? ;)

I do like to include everyone in the discussions, but sometimes the big people need to talk with grownup words..

Why do I bother, you're just staring at the Nyan Cat, aren't you ;) And the words go over one line, so you're not even attempting to sound out the three-syllable words like "discussion" I used.

Here this will keep you happy.

[animated gif]


Ha, very funny! The original poster already has Firewall/AV IS from Kaspersky set up on 3 machines, so I think he is kind of clued up on network security. Too bad for him, he's restricted to a 3-PC license, so he needs a simple firewall solution for an added layer of security to control outbound traffic for his 4th machine. I don't remember the OP asking for the ins and outs of UPnP/NAT and network topologies. Talk about beating around the bush.

You've scared the guy so much I doubt he'll be replying to his own thread!


"Ha, very funny! The original poster already has Firewall/AV IS from Kaspersky set up on 3 machines, so I think he is kind of clued up on network security. Too bad for him, he's restricted to a 3-PC license, so he needs a simple firewall solution for an added layer of security to control outbound traffic for his 4th machine. I don't remember the OP asking for the ins and outs of UPnP/NAT and network topologies. Talk about beating around the bush.

You've scared the guy so much I doubt he'll be replying to his own thread!"

How is he clued up on network security by buying into what these manufacturers are pushing as a need to make your computer secure? No one ever asks why; they just assume that it is needed because that is what these companies say you need, by ramming their marketing down your throat. It is dumb to give people false hope and a false sense of security. But here is a security blanket for you; it will do you as well as a software firewall in 90% of all networks.

[picture of a blanket]


"I think he is kind of clued up on network security. "

Clearly - that must be the case :rolleyes:

My bad trying to actually discuss the security issues he might be concerned with, or asking questions in getting him to think about why he thinks he needs a host firewall, or how it actually does anything to mitigate his concerns.

