ot - suggestions for a decent free firewall?



rantbot
08-19-2009, 05:18 PM
I used to use ZoneAlarm Free Firewall, which worked well enough, but since maybe two months ago I haven't been able to install it on any of my machines. The installer itself downloads ok, but when I run it, it can't connect to CheckPoint Software home base to download the other files it needs for installation.

So, maybe it's time to use something else. My machines operate on XP, and I've been running free versions of Ad-Aware, Spybot, and avast! without any problems. Any suggestions for a suitable replacement for ZoneAlarm?

Ohio Mike
08-19-2009, 06:00 PM
I don't run anything except the Vista firewall on my machines. However, I have all my stuff behind a D-Link router. Nothing ever makes it to the PCs. That doesn't work well if you are trying to block outbound connections as some folks do.

Falcon67
08-19-2009, 06:05 PM
If you are current on patches, the XP firewall is good enough. The most common threats do not involve direct penetration to your system, they will come through software intervention - trojan web sites, email, etc. Firewalls are useless against things like "I opened that email attachment like you told me not to". Sophos, McAfee, things like that are what you need to pay for and keep current.

dp
08-20-2009, 11:14 PM
This sounds more complicated than it is, but all you need is a spare computer, Linux or Windows, and a VMware virtual machine firewall. These things do it all - real-time virus testing of web pages, anti-spam/anti-virus email server, true firewall with packet filtering, port and IP mapping, web caching proxy for much improved performance, NAT for your local network PCs and the robustness that Unix is famous for.

All you pay for is the Windows part if you choose to go that route. Otherwise everything else is free.

Parts list:
Spare PC (probably free)
Linux (Free)
VMware firewall appliance (Free)
VMware Player for Linux (Free)
Your spare time to set it up (Priceless)

lazlo
08-20-2009, 11:16 PM
Dennis, if you're going to configure the spare computer as a dedicated software firewall, what's the point of the virtual machine?

Gerryrig
08-20-2009, 11:41 PM
Just a thought. Wonder if your adware programs could be blocking the downloading of Zone Alarm. Both Ad-Aware and SpyBot are running in the background to stop adware. Have you tried shutting them off?

RKW
08-20-2009, 11:48 PM
I agree, firewalls should be a dedicated machine/box.


This sounds more complicated than it is, but all you need is a spare computer, Linux or Windows, and a VMware virtual machine firewall. These things do it all - real-time virus testing of web pages, anti-spam/anti-virus email server, true firewall with packet filtering, port and IP mapping, web caching proxy for much improved performance, NAT for your local network PCs and the robustness that Unix is famous for.

All you pay for is the Windows part if you choose to go that route. Otherwise everything else is free.

Parts list:
Spare PC (probably free)
Linux (Free)
VMware firewall appliance (Free)
VMware Player for Linux (Free)
Your spare time to set it up (Priceless)

dp
08-20-2009, 11:52 PM
Dennis, if you're going to configure the spare computer as a dedicated software firewall, what's the point of the virtual machine?

If it is penetrated and compromised you shut it off, delete it (it is all stored in a single directory on the host), and turn on the backup, and you're back in business. Downtime: 5 minutes. And it comes pre-configured and is shovel-ready so it's good for the economy :).

And the host itself is still useful for other things like a backup server, file server, print server - all running in full isolation from the VM.

airsmith282
08-21-2009, 12:12 AM
fire walls are a joke and do not work at all

rule one as long as you got an internet connection you can get hacked

rule 2 if you do not belive rule one then you will get hacked

most virusis are created by the same companys that sell you the cure

dp
08-21-2009, 12:18 AM
fire walls are a joke and do not work at all

rule one as long as you got an internet connection you can get hacked

rule 2 if you do not belive rule one then you will get hacked

most virusis are created by the same companys that sell you the cure

Amazing. Wrong, and amazing. :rolleyes:

RKW
08-21-2009, 12:28 AM
fire walls are a joke and do not work at all

rule one as long as you got an internet connection you can get hacked

rule 2 if you do not belive rule one then you will get hacked

most virusis are created by the same companys that sell you the cure

At all? Isn't that a bit strong? I have had the same custom-ruled firewall for 10 years with no problems (and many many attempts). I have the rules so tight I'm lucky to get in or out!

Oldguy
08-21-2009, 01:27 AM
I've been using Sunbelt Personal Firewall for several years and am happy with it. You download the free trial version and after a while (30 days?) it loses a couple functions, but remains as a free firewall. Here is the link to the download page:

http://www.sunbeltsoftware.com/home-home-office/sunbelt-personal-firewall/

Another firewall that I have heard good things about is from Comodo. I haven't tried it and it looks like it now comes bundled with an anti-virus program. Here is the link to take a look:

http://personalfirewall.comodo.com/

Here is an interesting site that rates many different types of (mostly) freeware, including firewalls:

http://www.techsupportalert.com/

Glenn

tumutbound
08-21-2009, 02:05 AM
fire walls are a joke and do not work at all

rule one as long as you got an internet connection you can get hacked

rule 2 if you do not belive rule one then you will get hacked

most virusis are created by the same companys that sell you the cure

It depends on the firewall you're running as to its effectiveness.
If you run a software firewall, you're already letting the traffic get on to your network.
I run a hardware firewall that stops any traffic getting to any of my computers from the Internet. The computers can establish connections to an external site as required.

The firewall logs show all manner of intrusion attempts being stopped. None of these attempts get as far as the computers themselves.

I also run Linux, which reduces the likelihood of being hacked; it has certainly stopped me from being infected by any viruses.
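
As an added example (not from tumutbound's post or from his firewall), here is the kind of summary a practitioner pulls from a border firewall's drop log to see what is actually being stopped. The log lines are constructed in the style of the Linux netfilter LOG target; the rule prefixes FW-DROP/FW-ACCEPT and every address in them are made up.

```python
"""Added example, not from the thread: summarising a border firewall's drop log.
Lines are constructed in the style of the Linux netfilter LOG target; the
prefixes (FW-DROP, FW-ACCEPT) and all addresses are invented for illustration."""
import re
from collections import Counter, defaultdict

SAMPLE_LOG = """\
Aug 21 01:02:03 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.20 PROTO=TCP SPT=53122 DPT=22 SYN
Aug 21 01:02:04 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.20 PROTO=TCP SPT=53123 DPT=23 SYN
Aug 21 01:02:05 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.20 PROTO=TCP SPT=53124 DPT=445 SYN
Aug 21 01:02:06 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.20 PROTO=TCP SPT=53125 DPT=3389 SYN
Aug 21 01:05:00 gw kernel: FW-DROP: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.20 PROTO=TCP SPT=40000 DPT=445 SYN
Aug 21 01:05:30 gw kernel: FW-DROP: IN=eth0 OUT= SRC=192.0.2.78 DST=198.51.100.20 PROTO=UDP SPT=1900 DPT=1900
Aug 21 01:06:00 gw kernel: FW-ACCEPT: IN=eth0 OUT=eth1 SRC=198.51.100.9 DST=192.168.1.10 PROTO=TCP SPT=443 DPT=51234 ACK
"""

FIELD = re.compile(r"(\w+)=(\S*)")          # KEY=value tokens; "OUT=" yields ""
LINE = re.compile(r"kernel: (\S+): (.*)")   # rule prefix, then the field list

def parse_line(line):
    """Return the key=value fields of one firewall log line (plus the rule
    prefix under 'prefix'), or None if the line is not a firewall record."""
    m = LINE.search(line)
    if not m:
        return None
    rec = dict(FIELD.findall(m.group(2)))
    rec["prefix"] = m.group(1)
    return rec

def summarise_drops(text, scan_threshold=3):
    """Count refused inbound packets by source and by destination port, and
    flag sources that touched at least scan_threshold distinct ports (the
    one-host-many-ports pattern worth a second look)."""
    by_source, by_port = Counter(), Counter()
    ports_per_source = defaultdict(set)
    for rec in map(parse_line, text.splitlines()):
        # keep only packets the drop rule refused on arrival (no OUT interface)
        if not rec or rec["prefix"] != "FW-DROP" or rec.get("OUT"):
            continue
        src, dpt = rec["SRC"], rec.get("DPT", "-")
        by_source[src] += 1
        by_port[dpt] += 1
        ports_per_source[src].add(dpt)
    scanners = sorted(s for s, ports in ports_per_source.items()
                      if len(ports) >= scan_threshold)
    return {"by_source": dict(by_source), "by_port": dict(by_port),
            "scanners": scanners}

if __name__ == "__main__":
    for key, value in summarise_drops(SAMPLE_LOG).items():
        print(key, value)
```

Dropped-packet counts on their own are mostly background noise on any public address; the useful signal is one source sweeping many ports or one port being hit from many sources, which is why the summary keys on both.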

Richard-TX
08-21-2009, 03:41 AM
Ubuntu Linux, and fwbuilder.

Evan
08-21-2009, 06:10 AM
One needs to recognize the main job of a firewall. It isn't to stop virii or malware. Its job is to make sure that the connections made to your machine are authorised and correspond to connections made by your machine. For every incoming packet there had better be a previous outgoing request for same. The firewall monitors the "ports" on the internet connection and either disables them entirely, refuses to respond to external attempts to connect, or only allows the receipt of data that has a correct sequence number. Other jobs such as watching for malicious software are properly the job of other programs.

It is common now for all the security jobs to be integrated into a single suite which is often called a firewall, but that is a misnomer. The internal firewalls in XP and Vista are actual firewalls and do nothing to stop your computer from responding to evil webpages or malware that you just told it to access, like that new porn site or serialz and warez site.

I run with no security software, firewall turned off. My router is set up with a series of rules as to what is allowed and what isn't. I don't surf porn sites or hacked software pages and I have some pretty strict settings enabled about what is permitted to run in a webpage. I disable nearly all the 3rd party IE addons.

More importantly, I use a premade hosts file that disallows access to a wide variety of sites that have been determined to be unhealthy or undesirable. It's easy to use, free, requires no installation and can be reversed in seconds.

See here:

http://www.mvps.org/winhelp2002/hosts.htm
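
As an added example (not part of Evan's post and not code from the MVPS project), here is how a blocklist-style hosts file of the kind linked above is parsed and consulted, and what its "reversal" amounts to. The entries and hostnames are constructed; the behaviour shown (exact-name match, 0.0.0.0 as the sink address, case-insensitive names, first entry wins) is what a system resolver does with such a file.

```python
"""Added example, not from Evan's post or the MVPS project: parsing and
consulting a blocklist-style hosts file. All entries below are constructed."""
import ipaddress

# Constructed sample in hosts-file syntax: <address> <hostname>... [# comment]
SAMPLE_HOSTS = """\
# constructed blocklist-style hosts entries (not the real MVPS list)
127.0.0.1 localhost
0.0.0.0   ads.example.net          # the unspecified address makes connects fail at once
0.0.0.0   tracker.example.org  stats.example.org
0.0.0.0   Malware.Example.COM      # hostnames are matched case-insensitively
"""

def parse_hosts(text):
    """Return {hostname: ip_address} for every well-formed line. Comments and
    malformed lines are skipped; the first entry for a name wins, as in resolvers."""
    table = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                      # not an address: resolver ignores it too
        for name in fields[1:]:
            table.setdefault(name.lower().rstrip("."), addr)
    return table

def lookup(table, hostname):
    """Address the hosts file gives for hostname, or None to fall through to DNS."""
    return table.get(hostname.lower().rstrip("."))

def is_sinkholed(table, hostname):
    """True when the file points this exact hostname at the unspecified address.
    Note that a parent-domain entry does not cover its subdomains."""
    addr = lookup(table, hostname)
    return addr is not None and addr.is_unspecified

def strip_sinkhole_entries(text):
    """Undo the blocklist: keep every line except those pointing at 0.0.0.0.
    This is all that reversing such a hosts file involves."""
    kept = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        try:
            if fields and ipaddress.ip_address(fields[0]).is_unspecified:
                continue
        except ValueError:
            pass
        kept.append(raw)
    return "\n".join(kept) + "\n"

if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for name in ("ads.example.net", "cdn.ads.example.net", "localhost"):
        print(name, "->", lookup(hosts, name), "blocked" if is_sinkholed(hosts, name) else "passes")
```

Two caveats worth knowing before relying on this: an entry covers only the exact hostname, so a line for ads.example.net does nothing for cdn.ads.example.net (which is why such lists run to thousands of lines), and the file only affects programs that go through the system resolver.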

lazlo
08-21-2009, 08:26 AM
Dennis, if you're going to configure the spare computer as a dedicated software firewall, what's the point of the virtual machine?

If it is penetrated and compromised you shut it off, delete it (it is all stored in a single directory on the host), and turn on the backup, and you're back in business. Downtime: 5 minutes.

But running in a Virtual Machine is a considerable performance hit, so you're slowing down all your network traffic through the box.

Most folks just run one of the open-source Linux firewalls like FirewallBuilder or SmoothWall on a dedicated machine. I don't think any of those specialty Linux firewall distros have been hacked...

J Tiers
08-21-2009, 08:49 AM
Actually, the Zonealarm firewall is probably still the best software firewall.

If you cannot install or run it, it may be because you still have viruses on the system that are programmed to zap any new installation of it. That's pretty common, and true of Norton, AVG, etc; all the biggies are blocked from installation by many viruses.

As for Zonealarm not working with Spybot or whatever, it is certainly possible and even probable that McAfee and Symantec are programmed to kill it.... that sounds like them, but I run Zonealarm with Spybot, Ad-Aware, Malwarebytes, and AVG. Works fine.

The other possibility is that you have the XP/Vista firewall ON. But since I don't believe they block any outgoing, I would be slightly surprised... possibly if they are running the install does not complete correctly.

You definitely do NOT want to be running BOTH Zonealarm and ANY other firewall.

fire walls are a joke and do not work at all

rule one as long as you got an internet connection you can get hacked

rule 2 if you do not belive rule one then you will get hacked

most virusis are created by the same companys that sell you the cure

This statement is insane, brought to you by the same type folks who believe you need tinfoil hats to block government mind control, and that there are additives to jet fuel that are intended to descend to earth and pacify the citizens into "sheeple".

lazlo
08-21-2009, 08:53 AM
fire walls are a joke and do not work at all

rule one as long as you got an internet connection you can get hacked

rule 2 if you do not belive rule one then you will get hacked

most virusis are created by the same companys that sell you the cure

This statement is insane, brought to you by the same type folks who believe you need tinfoil hats to block government mind control, and that there are additives to jet fuel that are intended to descend to earth and pacify the citizens into "sheeple".

That's hilarious -- I printed that out and put it up on my cube wall.

Airsmith: are you a Birth'er too? :D

J Tiers
08-21-2009, 08:54 AM
One needs to recognize the main job of a firewall. It isn't to stop virii or malware. Its job is to make sure that the connections made to your machine are authorised and correspond to connections made by your machine.
Other jobs such as watching for malicious software are properly the job of other programs.

Even plain free Zonealarm seems to have SOME malware detection capability...... but mostly you are correct.

Not only does it BLOCK intrusions, it also gives no indication there is actually a machine present on any of the "ports" which may be used to deliver malware outside of the direct communications path through IE or Firefox connections etc.

If you want to find out how your firewall does, go to grc.com (Gibbs research) and try their intrusion test.

The "suites" combine it all, but suffer the same issues as any "bundle", you use it all or none of it, in many cases. Some allow portions to be enabled, but if you don't want large parts of it, why get the suite?

lazlo
08-21-2009, 08:59 AM
Even plain free Zonealarm seems to have SOME malware detection capability...... but mostly you are correct.

That's one of those corner-cases where firewalls and virus checkers overlap: a firewall should be doing stateful packet inspection*, but technically a firewall doesn't scan the payload looking for malware. But many hardware and software firewalls do.

On the flip side, a virus checker traditionally scans files looking for malware, but most install a form of software firewall that scans incoming network traffic for malware.

If you turn both on (firewall scanning for malware and virus checkers scanning incoming network connections), then you're basically wasting CPU time, assuming that both scanners are of equal quality. But some folks like belt and suspenders...

*reading the headers on the network traffic to ensure the packets it's receiving are a response to requests sent from its sub-net.
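
As an added example serving both Evan's description of a firewall's job (an incoming packet needs a prior outgoing request, and data must carry a correct sequence number) and lazlo's footnote on stateful inspection, here is a toy connection tracker written for this thread; it is not code from either poster or from any firewall product. It admits an inbound TCP segment only when it answers a connection opened from inside and carries a plausible sequence number. Packets are constructed records, and the subnet prefix, window size and addresses are assumptions.

```python
"""Added example, not code from the thread: a toy stateful packet filter that
admits inbound TCP segments only when they answer a connection opened from
inside. Packets are constructed records; nothing touches a real network."""
from dataclasses import dataclass

INSIDE_NET = "192.168.1."   # assumption: the protected subnet prefix
WINDOW = 65535              # assumption: receive window used for the seq check

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str              # "S" SYN, "SA" SYN/ACK, "A" ACK
    seq: int = 0
    ack: int = 0
    payload_len: int = 0

class StatefulFilter:
    def __init__(self):
        # key: (inside_ip, inside_port, outside_ip, outside_port)
        self.table = {}
        self.dropped = []   # log of refused segments, for the administrator

    def handle(self, p):
        if p.src.startswith(INSIDE_NET):
            return self._outbound(p)
        return self._inbound(p)

    def _outbound(self, p):
        key = (p.src, p.sport, p.dst, p.dport)
        if p.flags == "S":
            # connection initiated from inside: remember it so replies can match
            self.table[key] = {"state": "SYN_SENT", "our_isn": p.seq}
            return "ALLOW"
        return "ALLOW" if key in self.table else "DROP"

    def _inbound(self, p):
        key = (p.dst, p.dport, p.src, p.sport)
        entry = self.table.get(key)
        if entry is None:
            # no earlier outbound request for this flow: discard without
            # replying, so the port looks closed to whoever sent it
            self.dropped.append(f"unsolicited {p.src}:{p.sport} -> {p.dst}:{p.dport} [{p.flags}]")
            return "DROP"
        if entry["state"] == "SYN_SENT":
            if p.flags == "SA" and p.ack == entry["our_isn"] + 1:
                entry["state"] = "ESTABLISHED"
                entry["peer_next_seq"] = p.seq + 1
                return "ALLOW"
            self.dropped.append(f"bad handshake reply from {p.src}:{p.sport} ack={p.ack}")
            return "DROP"
        # established: the segment must fall inside the window we expect;
        # anything else is stale or forged and is discarded
        lo = entry["peer_next_seq"]
        if lo <= p.seq < lo + WINDOW:
            entry["peer_next_seq"] = max(lo, p.seq + p.payload_len)
            return "ALLOW"
        self.dropped.append(f"out-of-window seq={p.seq} from {p.src}:{p.sport}")
        return "DROP"

def run_scenario():
    """Constructed exchange: one legitimate web fetch plus three bogus inbound segments."""
    fw = StatefulFilter()
    inside, web, stranger = "192.168.1.10", "198.51.100.7", "203.0.113.5"
    packets = [
        Packet(inside, 51000, web, 80, "S", seq=1000),                   # we open
        Packet(web, 80, inside, 51000, "SA", seq=5000, ack=1001),        # valid reply
        Packet(inside, 51000, web, 80, "A", seq=1001, ack=5001),         # handshake done
        Packet(web, 80, inside, 51000, "A", seq=5001, payload_len=100),  # data in window
        Packet(web, 80, inside, 51000, "A", seq=9_000_000),              # out of window
        Packet(stranger, 4444, inside, 445, "S"),                        # unsolicited SYN
        Packet(stranger, 80, inside, 51000, "SA", ack=1001),             # reply from wrong host
    ]
    return [fw.handle(p) for p in packets], fw.dropped

if __name__ == "__main__":
    decisions, dropped = run_scenario()
    print(decisions)
    print("\n".join(dropped))
```

Unsolicited segments are discarded rather than answered with a reset, which is what makes the port invisible to an outside prober, the "no indication there is actually a machine present" behaviour J Tiers describes above. A real connection tracker also handles FIN/RST teardown, timeouts and UDP pseudo-connections; those are left out to keep the decision logic visible.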

J Tiers
08-21-2009, 09:04 AM
Airsmith: are you a Birth'er too? :D

SHOW US THE PACKET ORIGIN!

lazlo
08-21-2009, 09:06 AM
LOL!!!! Good one Jerry! :)

oldtiffie
08-21-2009, 09:12 AM
That's hilarious -- I printed that out and put it up on my cube wall.

And which wall of which cube are you referring to?

http://images.google.com.au/images?hl=en&q=pablo+picasso+cubism+images&revid=1338211741&resnum=0&um=1&ie=UTF-8&ei=3JqOSrjeKork7AOGrYngCg&sa=X&oi=image_result_group&ct=title&resnum=1

Its a worry - especially if living/working in a cube. Is that because cubists prefer it?

Is it like being a battery hen?

I was encouraged NOT to "lay an egg" at work.

Is your phone a cell phone?

Seems like a "Cuckoo's nest" to me.

oldtiffie
08-21-2009, 09:21 AM
Originally Posted by lazlo
Airsmith: are you a Birth'er too?


SHOW US THE PACKET ORIGIN!

Airsmith may have a BIG "Bertha" in his arsenal which he may stick in your arsenal:
http://images.google.com.au/images?hl=en&um=1&sa=1&q=big+bertha&btnG=Search+images

http://en.wikipedia.org/wiki/Big_Bertha_(howitzer)

http://en.wikipedia.org/wiki/Paris_Gun

dp
08-21-2009, 11:37 AM
But running in a Virtual Machine is a considerable performance hit, so you're slowing down all your network traffic through the box.

Most folks just run one of the open-source Linux firewalls like FirewallBuilder or SmoothWall on a dedicated machine. I don't think any of those specialty Linux firewall distros have been hacked...

VM's don't suffer major performance issues as firewalls because firewalls don't put much of a load on the machine, and with 15K rpm spindles, even disks are rarely an issue. Unless it's a Java VM you're not likely to have a problem, particularly with multi-core CPUs. Sun Microsystems' containers are very brisk as there's no hypervisor, and VMware's hypervisor overhead is 3%-10%. Video is the largest issue and firewalls don't require video - or a keyboard/mouse, for that matter. Dedicated machines are obsolete and a waste of power for many roles.

lazlo
08-21-2009, 11:40 AM
VM's don't suffer major performance issues as firewalls because firewalls don't put much of a load on the machine.

A virtual machine servicing a network stack is a worst-case scenario for performance impact: each network access is a kernel call which must be intercepted by the Hypervisor, checked, and then conditionally re-routed. That's why you need a virtual network device driver in VMWare and/or Parallels.

A virtual machine for a dedicated firewall doesn't make sense, unless you expect it to be repeatedly hacked and rebuilt. In which case, the administrator should probably pursue another career path. :p

Rich Carlstedt
08-21-2009, 12:06 PM
Thanks Evan for that neat reference to a hosts file.
I will try to use it, if I can get this old brain to understand the flow
Rich

dp
08-21-2009, 12:38 PM
A virtual machine servicing a network stack is a worst-case scenario for performance impact: each network access is a kernel call which must be intercepted by the Hypervisor, checked, and then conditionally re-routed. That's why you need a virtual network device driver in VMWare and/or Parallels.

A virtual machine for a dedicated firewall doesn't make sense, unless you expect it to be repeatedly hacked and rebuilt. In which case, the administrator should probably pursue another career path. :p

Keep your day job - this is working perfectly in a fast-growing market all over the world.

lazlo
08-21-2009, 12:40 PM
Keep your day job - this is working perfectly in a fast-growing market all over the world.

That is my day job, I designed Intel's virtualization hardware :)

The reality is that virtual machines have a strong market segment, and there are many excellent uses for virtual machines, but a firewall is not one of them.

This is from VMWare's paper they presented at ASPLOS 2006. VMWare's highly optimized network virtualization software runs the Apache (web server) benchmarks at 40% of native performance on Linux. On Windows, they run the web server benchmarks at 50% of native performance, and 65% of native performance with VT (Intel's virtualization hardware). Raw network bandwidth takes a similar hit:

http://www.vmware.com/pdf/asplos235_adams.pdf
http://i164.photobucket.com/albums/u15/rtgeorge_album/vmware.png

dp
08-21-2009, 01:11 PM
That is my day job, I designed Intel's virtualization hardware :)


But apparently not any vm-based firewalls. This is not the same brutal load that Oracle would impose.


The reality is that virtual machines have a strong market segment, and there are many excellent uses for virtual machines, but a firewall is not one of them.

In what market place? I'm not recommending Boeing do this - for the mom and pop shop and most normal homes in America and beyond, the simplicity and cost savings plus the amazing time to restore are compelling.

And I should have made it clear earlier, the host does the IP filtering, not the VM. It is the only part the host is responsible for, and that is to afford it protection in addition to any virtual machines it may be running.

dp
08-21-2009, 01:18 PM
One needs to recognize the main job of a firewall. It isn't to stop virii or malware. Its job is to make sure that the connections made to your machine are authorised and correspond to connections made by your machine. For every incoming packet there had better be a previous outgoing request for same. The firewall monitors the "ports" on the internet connection and either disables them entirely, refuses to respond to external attempts to connect, or only allows the receipt of data that has a correct sequence number. Other jobs such as watching for malicious software are properly the job of other programs.

It's been a very long time since that regimented view of firewalls was valid. The modern, broader view predates TCP/IP on Windows.

http://www.fwtk.org/fwtk/docs/documentation.html#1.1

And the role of firewalls has continued to grow with ever more features such as QoS to ensure reliable VoIP and video, for example. In practice it has become a catch-all term synonymous with IP traffic management of all kinds.

lazlo
08-21-2009, 02:58 PM
A virtual machine for a dedicated firewall doesn't make sense, unless you expect it to be repeatedly hacked and rebuilt.
In what market place? I'm not recommending Boeing do this - for the mom and pop shop and most normal homes in America and beyond the simplicity and cost savings plus the amazing time to restore are compelling.

Why would you need to restore a dedicated Linux firewall?

To add some numbers, VMWare is saying they get, at best, 65% of the throughput of non-virtualized hardware. So if Mom & Pop have a 1 MBit/sec Comcast cable connection, by virtualizing the Linux firewall distro they can only get 650 KBits/sec through the firewall.

Like Richard recommended, it doesn't get much simpler than Ubuntu Linux, and fwbuilder, and it'll run a lot faster...

tumutbound
08-21-2009, 03:11 PM
I agree, it's hard to go past Linux and fwbuilder for a cheap, reliable firewall.
I've installed a number of these for customers who probably don't even know they're running Linux.

I wish that fwbuilder produced scripts to use on my Juniper firewall. I make changes so infrequently, it's a relearning exercise every time I do.

dp
08-21-2009, 03:21 PM
Why would you need to restore a dedicated Linux firewall?

Because a hard drive died? Or the mother board died? Because a new exploit emerged that has day-1 advantage over the installed firewall base?


To add some numbers, VMWare is saying they get, at best, 65% of the throughput of non-virtualized hardware. So if Mom & Pop have a 1 MBit/sec Comcast cable connection, by virtualizing the Linux firewall distro they can only get 650 KBits/sec through the firewall.

Like Richard recommended, it doesn't get much simpler than Ubuntu Linux, and fwbuilder, and it'll run a lot faster...

Then by golly that's what it should be then. Accept no substitutes.

airsmith282
08-21-2009, 09:02 PM
Amazing. Wrong, and amazing. :rolleyes:

lucky for me iam never wronge

iam a programmer and you are trying to tell me iam wronge

sorry man i been around computers sence the first home based system was realeased ,

if you have a connection to the net and you can surf you can be hacked 100% gaurntee, most if not all fire wall programs have in them a self generated hack that makes you belive you are being hacked so you will buy the program and use it, also same for anti spyware and anti virus programs.

even windows firewall is a joke and it dont work either, i dont care of you have a gzillionfire wallprograms running you have no protection as long as you can still surf,also when you have more then 1 anti virus program installed they will creat viruses and crashes and all kinds of funky stuff, same for anti spyware programs they do the same sort of thing and will report all kinds of false stuff to happen,

but oh welll belive what you like..

Evan
08-21-2009, 09:38 PM
It's been a very long time since that regimented view of firewalls was valid. The modern, broader view predates TCP/IP on Windows.


That "regimented view" describes the Windows XP firewall precisely.


lucky for me iam never wronge

iam a programmer and you are trying to tell me iam wronge


Part of programming is documentation. How do you manage that part with your atrocious spelling and grammar? In fact, how do you manage to avoid constant problems with syntax errors?

RKW
08-21-2009, 09:47 PM
Just curious, but is English your 2nd or 3rd language?


lucky for me iam never wronge

iam a programmer and you are trying to tell me iam wronge

sorry man i been around computers sence the first home based system was realeased ,

if you have a connection to the net and you can surf you can be hacked 100% gaurntee, most if not all fire wall programs have in them a self generated hack that makes you belive you are being hacked so you will buy the program and use it, also same for anti spyware and anti virus programs.

even windows firewall is a joke and it dont work either, i dont care of you have a gzillionfire wallprograms running you have no protection as long as you can still surf,also when you have more then 1 anti virus program installed they will creat viruses and crashes and all kinds of funky stuff, same for anti spyware programs they do the same sort of thing and will report all kinds of false stuff to happen,

but oh welll belive what you like..

dp
08-21-2009, 11:37 PM
That "regimented view" describes the Windows XP firewall precisely.

It does, actually. But there are far more complete and robust firewalls than what XP provides. When the CTO asks us to build a proper firewall it isn't Windows we think about as the tool - it's what we think about as the victim.


Part of programming is documentation. How do you manage that part with your atrocious spelling and grammar? In fact, how do you manage to avoid constant problems with syntax errors?

Might just explain why his firewalls don't work.

airsmith282
08-21-2009, 11:42 PM
Just curious, but is English your 2nd or 3rd language?


neither auctually its my first, but my point is no fire wall anti virus or anti spy ware program is safe or going to keep you safe, the only way not to have problems is not to be on the internet at all.

kinda like safe sex the only safe sex is not to have it at all..

a fool and his money are very soon parted

dp
08-21-2009, 11:56 PM
neither auctually its my first, but my point is no fire wall anti virus or anti spy ware program is safe or going to keep you safe, the only way not to have problems is not to be on the internet at all.

kinda like safe sex the only safe sex is not to have it at all..

a fool and his money are very soon parted

I've got to assume that you are very bad at firewall implementation if this is your experience. It certainly does not compare to my own, and I've been doing IT work since the 1970's.

dp
08-22-2009, 12:15 AM
Why would you need to restore a dedicated Linux firewall?

To add some numbers, VMWare is saying they get, at best, 65% of the throughput of non-virtualized hardware. So if Mom & Pop have a 1 MBit/sec Comcast cable connection, by virtualizing the Linux firewall distro they can only get 650 KBits/sec through the firewall.

Like Richard recommended, it doesn't get much simpler than Ubuntu Linux, and fwbuilder, and it'll run a lot faster...

What does this tell us?

Mac perf at speedtest.net

http://thevirtualbarandgrill.com/machinery/mac_speedtest.png

Windows XP Virtual Machine Speed Test
http://thevirtualbarandgrill.com/machinery/XP_VM_speedtest.png

planeman
08-22-2009, 11:53 AM
I would like to suggest a FREE firewall and virus protection source that a friend who works for a software company put me on to. He uses it and likes it and I do too. It is Avast virus protection available at http://www.avast.com. It automatically upgrades with the latest virus protection every day. They give an individual a basic version with the hope you will pay to upgrade to the Professional version if you own or run a company. Not a bad sales strategy.

Planeman

jkilroy
08-22-2009, 12:39 PM
You have got to start with a NAT'ing (Network Address Translation) router, that's the first and best step.
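
As an added example of why jkilroy puts a NAT router first (constructed for this thread, not code from jkilroy or from any router's firmware), here is a toy translation table: each outbound connection is given a public port, replies are mapped back to the inside host by that port, and anything arriving without a mapping has no inside host to be delivered to. The addresses and the starting port number are assumptions.

```python
"""Added example, not from the thread: a toy source-NAT table showing why
hosts behind the router are unreachable unless they spoke first. Addresses
are constructed and no packets are sent."""
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int

class NatRouter:
    def __init__(self, public_ip, lan_prefix="192.168.1."):
        self.public_ip = public_ip
        self.lan_prefix = lan_prefix
        self.next_port = 40000      # assumption: first public port handed out
        self.out_map = {}   # (lan_ip, lan_port, dst, dport) -> public port
        self.in_map = {}    # (public port, remote ip, remote port) -> (lan_ip, lan_port)

    def translate(self, p):
        """Return the rewritten packet, or None when the router has nowhere to send it."""
        if p.src.startswith(self.lan_prefix):
            # outbound: reuse the mapping for this flow or allocate a public port
            key = (p.src, p.sport, p.dst, p.dport)
            pub = self.out_map.get(key)
            if pub is None:
                pub, self.next_port = self.next_port, self.next_port + 1
                self.out_map[key] = pub
                self.in_map[(pub, p.dst, p.dport)] = (p.src, p.sport)
            return replace(p, src=self.public_ip, sport=pub)
        if p.dst != self.public_ip:
            return None                       # not addressed to us at all
        target = self.in_map.get((p.dport, p.src, p.sport))
        if target is None:
            # no mapping: nothing inside ever asked this host for anything,
            # so there is no inside address to deliver the packet to
            return None
        lan_ip, lan_port = target
        return replace(p, dst=lan_ip, dport=lan_port)

def run_scenario():
    """Constructed traffic: two LAN hosts reach the same server from the same
    local port, their replies come back, and two unsolicited packets arrive."""
    nat = NatRouter("198.51.100.20")
    web = "192.0.2.50"
    out1 = nat.translate(Pkt("192.168.1.10", 51000, web, 80))
    out2 = nat.translate(Pkt("192.168.1.11", 51000, web, 80))
    return {
        "out1": out1,
        "out2": out2,
        "back1": nat.translate(Pkt(web, 80, "198.51.100.20", out1.sport)),
        "back2": nat.translate(Pkt(web, 80, "198.51.100.20", out2.sport)),
        "probe": nat.translate(Pkt("203.0.113.5", 4444, "198.51.100.20", 445)),
        "forged": nat.translate(Pkt("203.0.113.5", 80, "198.51.100.20", out1.sport)),
        "reused": nat.translate(Pkt("192.168.1.10", 51000, web, 80)).sport,
    }

if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(name, result)
```

The two LAN hosts both used local port 51000, so the router has to pick distinct public ports to tell their replies apart; that same table is what leaves an outside host probing port 445 with nothing to reach. A real router also ages mappings out and may allow inbound port forwards, which is exactly where the protection stops, so those are the rules worth reviewing on a home router.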

rantbot
08-30-2009, 10:47 PM
Another firewall that I have heard good things about is from Comodo. I haven't tried it and it looks like it now comes bundled with an anti-virus program. Here is the link to take a look:

http://personalfirewall.comodo.com/

Just what I was looking for - thanks.