Re: Best free firewall software

Sebastian Gottschalk wrote:
zzy wrote:
Thanks! I've downloaded, installed, and tried it.

Eh... didn't you want to scan your router or direct-dialup computer from
the WAN side?

Eventually, yes, to test the effectiveness of my router. But I'm frankly more worried about the effectiveness of the software firewall on my laptop, since it's my only defense when I travel.

Do you have some helper in a far-away ISP's network?

Not yet, anyway. I won't trouble someone else to scan me until I understand what the results mean.

That's why it's called online scan and why I referred to linux-sec.net
instead of Nmap's homepage at insecure.org

What's called online scan? I went to linux-sec.net -- that's where I found NMap. What can I do at linux-sec.net? It says to download NMap, which I did, then to run NMap from my machine, which I did.

There seems to be a large amount of information about how to set the
many options, but almost nothing about how to interpret the results.

Right. So far this is exactly the point: There are bull*** online port
scans like grc.com, and there are good ones (exclusively based on Nmap)
with a bad web frontend which mangles the output (naming "closed" as
"open! dangerous !!!11" and the like). Raw output like at linux-sec.net
isn't preferable either, but still better than a useless output.

Sorry, but an incomprehensible output is a useless output.

Here's what it reported for both my main computer and laptop, each of
which has a software firewall, but different kinds (with switches -A
-sT -P0):

From where did you scan?

I scanned my laptop from my desktop machine on my LAN, and vice-versa. I don't have access to another ISP, so I wasn't able to scan through my router. But as I said, I'm worried more about my laptop and its "useless" software firewall than my router.

Anyway, what about -sS, -sF, -sN, -sX, -sA, -sW, -sM, -sU, -sO, the
first with and without -f, all with -O. Not to mention auditing against
IP spoofing, MAC spoofing and IPv6.
Not all of these are available in online scans, and not all can expose
weaknesses in a router. Try a scan in a local subnet (each machine
scanning the other, not itself).

Sorry, I don't have a clue how to do that. Is there some documentation that explains how? I went through the tutorial, and if it said something about a subnet I missed it. You're suggesting that I do 18 more scans with various switches. But it doesn't seem to make any sense to do that until I understand the results of the one scan I did. What's an "online scan", and how do I do it?

(The 1672 ports scanned but not shown below are in state: filtered)

This is bad. They should be closed, not filtered, unless you like to
shoot yourself in the foot.

How do I go about closing them, without the benefit of a hardware router? The laptop has to stand on its own.

Looks like I have a problem in that two ports are open. (A google
search on "tcpwrapped" didn't bring up anything which explained its
meaning and significance in this context, so I don't know whether
it's a Good Thing or Bad Thing.)

Well, it's just a registered port. What about "netstat -anbo" to see
what exactly is listening on those ports?

I don't see anything in the output which shows either of those port numbers.

So far I haven't been able to get the firewalls to close them, but
I'll work on it. Is this just more proof that the personal firewall
is indeed useless as you've said?

In this case: obviously.
Unless you changed the MaxUserPort setting, ephemeral ports are
limited to the range 1024 (or the lower RPC service limit) to 5000, so the
5190 thing for sure isn't any intended connection between your PCs.

Or did you let a box scan itself?

I don't think so.

Hm, I was under the impression that my router works and isn't broken.

Hehe...

So how would working and not being broken be an advantage?

Well, you never tried to circumvent your router from the outside, did
you? Quite hard to notice the defects without auditing.

No. I don't know how.

[car comparison]

A car is usually tuned for best behavior or some predefined profiles.
However, there is no such thing as a preconfigured firewall.
Well, some example scripts exhibit some good ideas about how you should
do it.

Sorry, but I'm too ignorant to appreciate the benefits of having lots
of layer 7 NAT helper modules. Apparently this is something my router
doesn't have and something that enhances security.

Yes and no. It enhances connectivity without resorting to lowering security.

Is it important for us "Joe Average" users, or just for the folks who
need exceptional security?

You can use NetMeeting, WarCraft and Quake without messing with anything
like portforwarding or such? :-)

I have no idea. Never tried any of those.

Do I need lots of layer 7 NAT helper modules?

Depends on which protocols you want to utilize and how complex they are.
Almost any router now includes a (usually lousily implemented) NAT helper
for FTP and DNS, but H.32x is much more of a fuss.

I'm willing to learn about some of these issues, but only to the
extent that they'll be useful to me. I've already got other hobbies
and have plenty of other things to do.

Eh... then why do you care about firewalling at all? It's kinda trivial
to disable any unwanted service on Windows, and a vulnerable service not
running or not bound to a network interface cannot be exploited.
Just make sure that your service config is still OK after installing a
patch. And, of course, run as a restricted user, which protects
against almost any intentional or accidental damage to the system and
its configuration.

Well, I care about firewalling because I don't want any malware getting into my machine. It's not trivial to me to disable "any unwanted service" -- I've disabled one or another from time to time and later discovered that it's essential to some application. I've found it difficult and very time consuming to find out exactly what each service does, and I certainly don't know which might be "vulnerable" services. There are currently 104 services running on my machine. I'd love to disable unnecessary ones, but determining which are truly in that category isn't easy for me. How many do you think I'd have to disable to make my machine reasonably secure? And I'm not willing to run as a restricted user. I'll have to do the best I can as Administrator.

It sounds like you're recommending removing the firewall and protecting myself by restricting my ability to use my computer by shutting down services and running as a limited user. Or am I misinterpreting what you're suggesting?

So far, around 6 years with DSL and the computer on all day every day, running as Administrator, and with only a software firewall for about 3 of those years, I haven't gotten a single virus, worm, or trojan (that scans or activity have revealed) and only some relatively benign adware. I know this doesn't mean I'm safe from all attacks, but it's been adequate for me so far. I'd like to do what I can to keep at least this level of protection in the future or improve it, but I'm not willing to restrict the usability of my machine for the sake of being pure or to establish an unneeded level of protection. Learning to use tools like NMap looks like a way to help me improve what I've got and hopefully spot and close weak points before someone else does. So I'll keep working at it. Thanks for the pointer.
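As an added example that is not code posted in this thread (and not from Nmap or linux-sec.net), the following Python script does the cross-check the reply suggests: it parses a normal-output Nmap report and a "netstat -anbo" listing from the scanned machine, then compares them port by port, using the 1024-5000 client port range mentioned above. Both inputs are constructed samples in the formats the two tools actually print; the hosts, PIDs, process names and ports are illustrative, not taken from the poster's scan. To use it on your own results, replace the two sample strings with saved output (scan from the other machine, as the reply says, and run netstat on the target).

```python
"""Cross-check an nmap -sT report against Windows 'netstat -anbo' output.

Added example, not code posted in the thread. Both inputs below are
constructed samples in the formats that nmap (normal output) and
netstat -anbo print; addresses, PIDs, names and ports are illustrative.
"""
import re

NMAP_OUTPUT = """\
Interesting ports on 192.168.1.20:
(The 1672 ports scanned but not shown below are in state: filtered)
PORT     STATE  SERVICE
135/tcp  closed msrpc
139/tcp  open   netbios-ssn
5190/tcp open   tcpwrapped
"""

NETSTAT_OUTPUT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  RpcSs
 [svchost.exe]
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING       4
 [System]
  TCP    192.168.1.20:1045      192.168.1.10:80        ESTABLISHED     1812
 [firefox.exe]
  UDP    0.0.0.0:445            *:*                                    4
 [System]
"""

# Default Windows client (ephemeral) port range, as stated in the thread.
EPHEMERAL = (1024, 5000)

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
NOT_SHOWN_RE = re.compile(r"\(The (\d+) ports scanned but not shown below are in state: (\w+)\)")
# netstat line: proto, local addr:port, foreign addr:port, optional state (UDP has none), PID
SOCKET_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+"
    r"(LISTENING|ESTABLISHED|TIME_WAIT|CLOSE_WAIT|SYN_SENT)?\s*(\d+)\s*$"
)
EXE_RE = re.compile(r"^\s*\[(.+)\]\s*$")  # "-b" prints the owning image on its own line


def parse_nmap(text):
    """Return ({port: (proto, state, service)}, (count, state) of the 'not shown' line)."""
    ports, not_shown = {}, None
    for line in text.splitlines():
        m = NOT_SHOWN_RE.search(line)
        if m:
            not_shown = (int(m.group(1)), m.group(2))
            continue
        m = PORT_RE.match(line)
        if m:
            ports[int(m.group(1))] = (m.group(2), m.group(3), m.group(4))
    return ports, not_shown


def parse_netstat(text):
    """Return {(proto, port): {'addr', 'state', 'pid', 'exe'}} for every socket line."""
    sockets, last = {}, None
    for line in text.splitlines():
        m = SOCKET_RE.match(line)
        if m:
            proto, addr, port, _foreign, state, pid = m.groups()
            last = (proto.lower(), int(port))
            # UDP has no state column; a bound UDP socket is treated as a listener.
            sockets[last] = {"addr": addr, "state": state or "UDP", "pid": int(pid), "exe": None}
            continue
        m = EXE_RE.match(line)
        if m and last is not None:      # image name belongs to the socket line above it
            sockets[last]["exe"] = m.group(1)
    return sockets


def correlate(nmap_text, netstat_text):
    """Return ({port: (verdict, detail)}, summary) comparing the scan with local sockets."""
    ports, not_shown = parse_nmap(nmap_text)
    sockets = parse_netstat(netstat_text)
    verdicts = {}
    for port, (proto, state, _service) in sorted(ports.items()):
        sock = sockets.get((proto, port))
        listening = sock is not None and sock["state"] in ("LISTENING", "UDP")
        if state == "open" and listening:
            verdicts[port] = ("open-listener", f"PID {sock['pid']} {sock['exe']}")
        elif state == "open" and EPHEMERAL[0] <= port <= EPHEMERAL[1]:
            verdicts[port] = ("open-ephemeral", "in client port range: a box scanning itself sees its own outbound socket")
        elif state == "open":
            verdicts[port] = ("open-unexplained", "nothing on this host listens here: wrong target, or something answering that netstat cannot show")
        elif state == "closed" and listening:
            verdicts[port] = ("closed-but-listening", "a listener exists but the probe got a RST: a firewall rejects, or the scan hit another host")
        else:
            verdicts[port] = (state, "consistent with netstat")
    summary = None
    if not_shown:
        count, state = not_shown
        meaning = "probes silently dropped, no RST (a firewall)" if state == "filtered" else "RST received, nothing listening"
        summary = (state, f"{count} ports {state}: {meaning}")
    return verdicts, summary


if __name__ == "__main__":
    verdicts, summary = correlate(NMAP_OUTPUT, NETSTAT_OUTPUT)
    for port, (verdict, detail) in verdicts.items():
        print(f"{port:>5}  {verdict:<22} {detail}")
    print(summary[1])
```

For a -sT (TCP connect) scan the three states mean: "open" is a completed three-way handshake, "closed" is a RST coming back, and "filtered" is no answer at all (or an ICMP unreachable), which is what a firewall that drops rather than rejects produces. The interesting rows are the mismatches: a port the scan calls open with no LISTENING socket behind it (the 5190 case in the sample) and a port the scan calls closed while netstat shows a listener (the firewall is answering with a RST, or you scanned the wrong box).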
