Re: Best free firewall software
zzy wrote:
Sebastian Gottschalk wrote:
zzy wrote:
Al Dykes wrote:
. . . There are a bunch of internet port scanner services that
can test you from the outside. They'll tell you if you have any
ports open.
Can you recommend a couple? I mentioned grc.com a couple of days
ago and got only a long list of diatribes against the site and
its author, but no suggestions for alternates.

I know, Usenet is asynchronous, but in
<news:4docbcF1aj3joU1@xxxxxxxxxxxxxx> I already suggested Nmap on
linux-sec.net

Thanks! I've downloaded, installed, and tried it.

Eh... didn't you want to scan your router or direct-dialup computer from
the WAN side? Do you have some helper in a far-away ISP's network?

That's why it's called online scan and why I referred to linux-sec.net
instead of Nmap's homepage at insecure.org

There seems to be a large amount of information about how to set the
many options, but almost nothing about how to interpret the results.

Right. So far this is exactly the point: There are bull*** online port
scans like grc.com, and there are good ones (exclusively based on Nmap)
with a bad web frontend which is mangling the output (naming "closed" as
"open! dangerous !!!11" and alike). Raw output like at linux-sec.net
isn't preferable either, but still better than a useless output.

Here's what it reported for both my main computer and laptop, each of
which has a software firewall, but different kinds (with switches -A
-sT -P0):

From where did you scan?

Anyway, what about -sS, -sF, -sN, -sX, -sA, -sW, -sM, -sU, -sO, the
first with and without -f, all with -O. Not to mention auditing against
IP spoofing, MAC spoofing and IPv6.
Not all of these are available in online scans, and not all can expose
weaknesses in a router. Try a scan in a local subnet (each other, not
each themselves).

(The 1672 ports scanned but not shown below are in state: filtered)

This is bad. They should be closed, not filtered, except you like to
shoot yourself in the foot.

Looks like I have a problem in that two ports are open. (A google
search on "tcpwrapped" didn't bring up anything which explained its
meaning and significance in this context, so I don't know whether
it's a Good Thing or Bad Thing.)

Well, it's just a registered port. What about "netstat -anbo" to see
what exactly is listening on those ports?

So far I haven't been able to get the firewalls to close them, but
I'll work on it. Is this just more proof that the personal firewall
is indeed useless as you've said?

In this case: obviously.
Unless you changed the MaxUserPort setting, ephemeral ports are
limited to the range 1024 (or lower RPC service limit) - 5000, so the 5190
thing for sure isn't any intended connection between your PCs.

Or did you let a box scan itself?

Hm, I was under the impression that my router works and isn't broken.

Hehe...

So how would working and not being broken be an advantage?

Well, you never tried to circumvent your router from the outside, did
you? Quite hard to notice the defects without auditing.

[car comparison]

A car is usually tuned for best behavior or some predefined profiles.
However, there is no such thing like a preconfigured firewall.
Well, some example scripts exhibit some good ideas about how you should
do it.

Sorry, but I'm too ignorant to appreciate the benefits of having lots
of layer 7 NAT helper modules. Apparently this is something my router
doesn't have and something that enhances security.

Yes and no. It enhances connectivity without resorting to lowering security.

Is it important for us "Joe Average" users, or just for the folks who
need exceptional security?

You can use NetMeeting, WarCraft and Quake without messing with anything
like port forwarding or such? :-)

Do I need lots of layer 7 NAT helper modules?

Depends on which protocols you want to utilize and how complex they are.
Almost any router now includes a (usually lousily implemented) NAT helper
for FTP and DNS, but H.32x is much more of a fuzz.

I'm willing to learn about some of these issues, but only to the
extent that they'll be useful to me. I've already got other hobbies
and have plenty of other things to do.

Eh... then why do you care about firewalling at all? It's kinda trivial
to disable any unwanted service on Windows, and a vulnerable service not
running or not bound to a network interface cannot be exploited.
Just make sure that your service config is still OK after installing a
patch. And, of course, running as a restricted user, which protects
against almost any intentional or accidental damage of the system and
its configuration.
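For readers trying to make sense of such a scan, here is an added Python example (not written by any poster in this thread) that parses Nmap's normal output and applies the two checks raised above: the bulk "not shown ... filtered" summary, and every open port, which should be matched against a listener via netstat -anbo and compared with the default Windows ephemeral range of 1024-5000. The host address, the closed ports and the port listing are constructed sample data; only the "filtered" summary line mirrors the one quoted in the thread.

```python
import re

# Constructed sample of Nmap "normal" output for a host behind a personal
# firewall. The "filtered" summary line mirrors the one quoted in the thread;
# the address and the port lines are made up for this example.
SAMPLE_OUTPUT = """\
Interesting ports on 192.168.1.10:
(The 1672 ports scanned but not shown below are in state: filtered)
PORT     STATE  SERVICE
135/tcp  closed msrpc
445/tcp  closed microsoft-ds
5190/tcp open   tcpwrapped
"""

NOT_SHOWN_RE = re.compile(
    r"\(The (\d+) ports scanned but not shown below are in state: (\w+)\)")
PORT_RE = re.compile(
    r"^(\d+)/(tcp|udp)\s+(open\|filtered|closed\|filtered|open|closed|filtered|unfiltered)\s+(\S+)")

def parse_nmap(text):
    """Return the bulk 'not shown' count/state and the individually listed ports."""
    result = {"not_shown": 0, "not_shown_state": None, "ports": []}
    for line in text.splitlines():
        m = NOT_SHOWN_RE.search(line)
        if m:
            result["not_shown"] = int(m.group(1))
            result["not_shown_state"] = m.group(2)
            continue
        m = PORT_RE.match(line)
        if m:
            result["ports"].append({"port": int(m.group(1)), "proto": m.group(2),
                                    "state": m.group(3), "service": m.group(4)})
    return result

def assess(result, ephemeral_max=5000):
    """Flag bulk 'filtered' (probes dropped, no RST) and every open port; a port
    above the default Windows ephemeral range (1024-5000 unless MaxUserPort was
    changed) cannot be a transient client-side socket of your own PCs."""
    findings = []
    if result["not_shown_state"] == "filtered":
        findings.append("%d ports filtered (dropped) rather than closed (RST)"
                        % result["not_shown"])
    for p in result["ports"]:
        if p["state"] == "open":
            note = "open; identify the listener with 'netstat -anbo'"
            if p["port"] > ephemeral_max:
                note += "; above the ephemeral range, so not a transient client socket"
            findings.append("%d/%s (%s): %s" % (p["port"], p["proto"], p["service"], note))
    return findings
```

Run `assess(parse_nmap(SAMPLE_OUTPUT))` to get one finding for the 1672 filtered ports and one for 5190/tcp; feed it the real output of your own scan instead of the sample to audit your own firewall.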