Happy PFD!...?
January 15, 2004 2:27 PM

Anyone in the mood for a celebration!? Today is Personal Firewall Day! Who's bringing drinks?
posted by bhayes82 (36 comments total)
 
[strikes match]
[lights wall]
[roasts smores]
posted by thomcatspike at 2:38 PM on January 15, 2004


*raises a glass of OpenBSD, from the finest 3.4 vintage* Hear hear!

Actually, I hope this catches on, even though I know it won't.
posted by Ryvar at 2:43 PM on January 15, 2004


Every day should be Personal Firewall Day. Wearing seatbelts day. Using "protection" day. Crossing at crosswalks day. Not eating old mayonnaise day.

So many empty spots on my calendar to fill...
posted by Ogre Lawless at 2:56 PM on January 15, 2004


I have to admit that I've never seen any real need to install a firewall on either of my computers.

As far as I'm concerned, firewalls are like spyware removal software: not really necessary as long as you're fairly careful and keep your OS and browsers updated. Even on Windows.
posted by kickingtheground at 3:18 PM on January 15, 2004


Kickingtheground, are you on broadband? If so you should run, not walk to get one. You're a prime target for spammers and a host of nasty viruses. Sure you update (which is great) but new flaws are discovered every day and exploited EXTREMELY fast. Just my opinion of course, but with so many software files like ZoneAlarm and Tiny Firewall it's worth the time.
posted by madmanz123 at 3:26 PM on January 15, 2004


Yeah, if you run Windows you need a firewall. No question.

/me drinks a toast to Kerio Personal Firewall, the best of the lot.
posted by sfenders at 3:39 PM on January 15, 2004


Of course, if you're behind a NAT router the need for a software firewall is greatly diminished, unless you've got port forwarding turned on.

The protection offered by NAT is, of course, limited. It will only block unauthorized inbound traffic, while allowing outbound traffic, even if unauthorized. That's where the "safe computing practices," a firewall, and a virus scanner come in.
posted by monju_bosatsu at 3:44 PM on January 15, 2004


Speaking of firewalls, and stop me if this is more fit for the green instead of the blue, but is anyone else having problems getting the new free ZoneAlarm 4.5 to work? All it does for me is stop all internet traffic, and I've tried uninstalling and reinstalling. The old version works fine though.
posted by ALongDecember at 3:58 PM on January 15, 2004


You might want to give up on ZA and start using Kerio.
posted by five fresh fish at 4:20 PM on January 15, 2004


kickingtheground, I agree. I have run 2-3 computers without firewalls at home with a DSL connection for 4 years now. No problems whatsoever. That I know of :-)
posted by Triplanetary at 4:42 PM on January 15, 2004


What does Kerio give me over Tiny Personal Firewall?

Ahh, which I've just noticed doesn't appear to be free anymore....
posted by inpHilltr8r at 4:44 PM on January 15, 2004


Triplanetary, have you tried running AdAware or equivalent recently?
posted by inpHilltr8r at 4:45 PM on January 15, 2004


Thanks for the tip. After a few restarts and some tinkering, it appears to be working. And appears to be a smaller footprint than ZA.
posted by ALongDecember at 4:46 PM on January 15, 2004


While I'm the type who prefers to use an old Pentium running a security-oriented OS for my firewall (hence the OpenBSD comment above), if you simply MUST use an application firewall for Windows, do NOT use ZoneAlarm. It has a long, terrible history.

The following list is from least to most secure, and from most to least user-friendly:

1. Any application firewall (ie ZoneAlarm, BlackICE, Kerio)
2. A Linksys router for NAT
3. Just about any other router for NAT (they don't get as much attention)
4. A dedicated Linux box running ipchains
5. A dedicated NetBSD, FreeBSD, or Solaris box running the firewall software of your choice
6. A dedicated OpenBSD box running pf

There are options beyond OpenBSD for security (certain specialized hardware pieces that conduct realtime transaction verification), but my knowledge - and the needs of anybody who isn't a government - end about there. Let me echo earlier posters: if you are on broadband you NEED a firewall. I know people on Microsoft's Security Response Team, and some holes are in the wild prior to their knowledge of said bug's existence - not often, but it does happen.
posted by Ryvar at 4:48 PM on January 15, 2004


Is there any place on that site where they give the date of Personal Firewall Day? I'm going to use it as my all-purpose holiday.
posted by theora55 at 6:06 PM on January 15, 2004


Kickingtheground, are you on broadband? If so you should run, not walk to get one.

Yes. Yes. A thousand times yes. Broadband requires a firewall - it just does. It is not that much trouble to set things up. I've got BlackIce on all of my personal PCs and laptops, and my wired/wireless router at home restricts network access by MAC address.

Thing is, until the first time you have a personal firewall, or some sort of IDS at home, you don't realize how often you are scanned. (BlackIce, and - I assume - others, keep logs ... on average, my broadband connection is subject to automated port scanners a dozen or so times a day, and at least 3 or 4 times a month the logs show a more concerted, hands-on effort by someone to attempt some sort of exploit).

Thing is, it is really a sort of "Grizzly Bear" scenario (i.e., how fast do you need to run to get away from a Grizzly? only slightly faster than the guy you're with). Putting even basic security in place (a decent firewall, closing the obvious unused ports & etc.) is enough to make most script kiddies pass you by (because there are such a huge number of boxes out there that take no effort to crack).

But have no illusions ... if you have a broadband connection, you are being sniffed.
posted by MidasMulligan at 7:47 PM on January 15, 2004


Re: Kerio -- I dunno what's up with those guys. I'm running a fully-featured freeware version that does strictly firewalling. And quite powerfully, too; much better than my old ZA did.

But I've seen the new Kerio is some godawful graphical thing that does a bunch more than just firewalling. It looks a whole lot more like ZA now. And the brief experience I had with it placed it in that "pain in the ass" category of software -- it was popping up crap all the time, even when nothing was accessing the network. Ugh.

I'll vouch for the excellent engine v2/driver v3 edition of Kerio. The latest version, I dunno.
posted by five fresh fish at 7:59 PM on January 15, 2004


Kerio... that thing is awesome. I was using ZA for awhile, but my subscription ran out a few days ago.

... I guess I'm celebrating personal firewall day after all.
posted by ph00dz at 9:16 PM on January 15, 2004


huh. It looks like the latest version of Kerio might have suffered from some form of the dreaded "second system" effect. Version 2.1.5 is the one I'll stick with, still available at the various download sites.
posted by sfenders at 9:25 PM on January 15, 2004


we also need a Turn-Off HTML Email day
posted by titboy at 9:29 PM on January 15, 2004


I've got Kerio Firewall 2.1.5/30-Apr-2003 and Driver 3.0.0/15-Apr-2002.

I'm wondering what the most up-to-date version of the *OLD STYLE* Kerio is.

What do you have, sfenders? Anyone else?
posted by five fresh fish at 10:08 PM on January 15, 2004


there's nothing wrong with old mayonnaise.
posted by quonsar at 10:42 PM on January 15, 2004


...do NOT use ZoneAlarm. It has a long, terrible history.

What’s wrong with ZoneAlarm? I’m using it and I’d like to learn more about this.
posted by Termite at 10:50 PM on January 15, 2004


I use Zone Alarm. Always have done. Only a few minor and resolvable problems to report.
posted by Blue Stone at 2:22 AM on January 16, 2004


>I’m using it and I’d like to learn more about this.

I dunno, but last time I had to use a computer with it on, ZoneAlarm nearly drove me insane.

Application 'ping' is trying to use the internet. Block?
Application 'iexplore' is trying to use the internet.
Application 'tracert' is trying to use the internet.
Application 'ZoneAlarm' is trying to use the internet.
Application 'OHMYGOD_ITS_OUTHOUSE_LOOKOUT!" is trying to use the internet.
Application 'of_toilet_paper_to_software" is trying to use the internet. Flush?

I only hate ZoneAlarm because its authors (at least at the time) were too stupid to put together a "recommended" allow list.
posted by shepd at 3:58 AM on January 16, 2004


fff, the version you've got is the last of the old Kerio pf. No known problems with it have been reported, and lots of people still use it, so it's a relatively safe choice. I'd actually trust it more than the latest version 4, which hasn't yet had much time to mature.

I think allowing all outbound traffic is a bad idea, but I guess it's acceptable as a default setting for those who don't care much. Too many programs, including some from Microsoft, want out for no good reason. My filter is set to silently deny them unless I tell it otherwise.
posted by sfenders at 7:07 AM on January 16, 2004


Shepd, Skallas, I have to say, that's all nonsense.
You cite an easily resolvable issue: set the software you need to access the internet permission to do so, rather than request permission every time: Program Control> little ticks, question marks, and commas for your three options. Piece of cake.

If something keeps asking and you don't want it to access the net, or ask you every time, select a cross in the Program Control options.

Even easier: select your preference in the dialogue window (allow or deny) and then check the box that says keep this setting.

For what it's worth, the one and only trojan that I've had (thanks to a java game I played via Metafilter!) was stopped accessing the internet by ZoneAlarm. My Antivirus, despite being totally up-to-date, did nothing.

A program that's been changed from the previous program, is flagged by ZA as such, with a RED dialogue opening, and a statement that the program has changed. If you haven't upgraded something, how obvious is that?

Finally, no software is sophisticated enough to stop uninformed users from being the victim of their own foolishness.
There's little in real life, other than education, to protect a person, and it's the same with accessing the internet.

People take lessons to drive a car, learn the highway code, have to pass a test; considering the bad things that can happen via the internet (stolen passwords, identities, credit card numbers) maybe it's time people were forced to take care of themselves (and others) as they are when they want to drive.
posted by Blue Stone at 7:11 AM on January 16, 2004


"[...] little ticks, question marks, and commas for your three options."

commas -> crosses
posted by Blue Stone at 7:13 AM on January 16, 2004


I only hate ZoneAlarm because its authors (at least at the time) were too stupid to put together a "recommended" allow list.

you dork, shepd! you answer exactly once for each program you run.
posted by quonsar at 7:14 AM on January 16, 2004


Except for Java. It's very unfortunate that the Kerio firewall can't identify the source. Because Java is an interpreted language, the Java compiler is what tries to access the net. If you give it open access to the net, every Java app gets access... which makes it easy for Java trojans to get out.
posted by five fresh fish at 9:12 AM on January 16, 2004


And there are how many Java trojans?
posted by kindall at 10:17 AM on January 16, 2004


I only hate ZoneAlarm because its authors (at least at the time) were too stupid to put together a "recommended" allow list.

And the above is why personal firewalls have yet to catch on. Most, if not all, come by default to scan outgoing traffic and after the 50th 'do you want xxxx.exe to access the internet' (especially when you can't see that little box when running a game) it's going to be uninstalled.


As long as I’ve had ZoneAlarm, there has been the option of setting allow/block/ask for every program.
posted by Termite at 10:58 AM on January 16, 2004


And there are how many Java trojans?

Beats me. My firewall wouldn't recognize them as such!

I'm using Azureus BitTorrent. In order for it to be at all useful, I need to allow it outgoing port access to all ports, because there are other users out there who have assigned an oddball incoming port range for their torrent.

It is impractical to say "yes" on a case-by-case basis. This means I've had to give it full outgoing rights. This, in turn, means ALL Java applications now have outgoing rights. That is Not A Good Thing.

To which I can only say, and I quote myself, "Poop."
posted by five fresh fish at 11:42 AM on January 16, 2004


Also, if you're infected it's trivial for the trojan author to replace your copy of ping.exe with his.

Unless your firewall hashes the executable in question. Tiny gives me a prompt the first time a changed executable tries to contact the outside world.
posted by inpHilltr8r at 6:04 PM on January 16, 2004
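
Added example, not part of the thread and not code from Tiny, Kerio or ZoneAlarm: a sketch of the hash-pinned program rule the comment above describes, where a remembered allow/deny answer only applies while the executable's bytes are unchanged. The `OutboundPolicy` class, its method names and the stand-in `ping.exe` file are hypothetical and constructed for illustration.

```python
import hashlib
import os
import tempfile


class OutboundPolicy:
    """Per-program outbound decisions, pinned to the SHA-256 of the file."""

    def __init__(self):
        self.rules = {}  # executable path -> (sha256 hex, "allow" | "deny")

    @staticmethod
    def digest(path):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        return h.hexdigest()

    def remember(self, path, action):
        # Called after the user answers the prompt and ticks "keep this setting".
        self.rules[path] = (self.digest(path), action)

    def check(self, path):
        rule = self.rules.get(path)
        if rule is None:
            return "ask-new"          # never seen: prompt the user
        pinned, action = rule
        if self.digest(path) != pinned:
            return "ask-changed"      # same path, different bytes: prompt again
        return action


def demo():
    """Constructed scenario: a stand-in ping.exe is replaced after approval."""
    results = []
    with tempfile.TemporaryDirectory() as d:
        ping = os.path.join(d, "ping.exe")
        with open(ping, "wb") as f:
            f.write(b"constructed original binary")
        policy = OutboundPolicy()
        results.append(policy.check(ping))   # first contact
        policy.remember(ping, "allow")
        results.append(policy.check(ping))   # remembered answer applies
        with open(ping, "wb") as f:
            f.write(b"constructed replacement binary")
        results.append(policy.check(ping))   # file was swapped on disk
    return results


if __name__ == "__main__":
    print(demo())
```

The rule is keyed on the executable that opens the connection, so an interpreter such as the Java runtime gets a single decision for every program it runs, which is the limitation raised earlier in the thread.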


I'd like to see consumer-level ISPs offer firewalling at the gateway, manageable by the user via a simplistic web interface. Most users are not (and shouldn't have to be) competent to stay on top of the constantly evolving risks. A simple checkbox list of blocking options, with some sensible defaults in place, would make life a lot better for everyone on the internet.

For example, if ISPs by default didn't allow port 25 connectivity to any SMTP server but their own (and you could turn this off if you knew what you were doing, i.e. you have your own server elsewhere in the world) all these spam zombies would be stopped in their tracks.

If in addition to the firewall you could review a log of what sort of traffic were being blocked from your machine, you'd have a clear indication of whether you were infected by an outbound worm and know you need to do something about it -- something most people don't have a clue about right now.
posted by George_Spiggott at 11:27 AM on January 17, 2004


Oh, and if they blocked standard windows RPC and NETBIOS services, it'd make things even better. Again, you'd be able to turn it off, but in this case, why should you? If you're doing windows networking over a WAN and you're not using a tunnel you're a freakin' idiot anyway.
posted by George_Spiggott at 11:31 AM on January 17, 2004
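
Added example, not part of the thread: a sketch of the log review the two comments above propose, classifying outbound connections that a gateway default policy would block (port 25 to anything but the ISP's own relay, plus Windows RPC and NetBIOS ports) and flagging a machine that tries direct SMTP to several different servers. The log format, the relay address `198.51.100.25`, the threshold of three destinations and all sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

ISP_SMTP = {"198.51.100.25"}          # assumption: the ISP's own mail relay
WINDOWS_PORTS = {135, 137, 138, 139}  # RPC endpoint mapper and NetBIOS

# Assumed log format: "<date> <time> OUT <proto> <src>:<port> -> <dst>:<port>"
LINE = re.compile(r"^(\S+ \S+) OUT (TCP|UDP) (\S+):(\d+) -> (\S+):(\d+)$")

SAMPLE = """\
2004-01-17 11:02:13 OUT TCP 10.0.0.5:1045 -> 198.51.100.25:25
2004-01-17 11:02:14 OUT TCP 10.0.0.7:1301 -> 203.0.113.7:25
2004-01-17 11:02:14 OUT TCP 10.0.0.7:1302 -> 203.0.113.88:25
2004-01-17 11:02:15 OUT TCP 10.0.0.7:1303 -> 192.0.2.14:25
2004-01-17 11:02:16 OUT UDP 10.0.0.7:137 -> 192.0.2.200:137
2004-01-17 11:03:00 OUT TCP 10.0.0.5:1050 -> 192.0.2.80:80
""".splitlines()  # constructed sample, not real traffic


def blocked_by_policy(dst_ip, dst_port):
    """Return the reason the default policy blocks this flow, or None."""
    if dst_port == 25 and dst_ip not in ISP_SMTP:
        return "smtp-direct"
    if dst_port in WINDOWS_PORTS:
        return "windows-rpc-netbios"
    return None


def review(lines, smtp_threshold=3):
    """Summarise blocked outbound traffic per source machine."""
    blocked = defaultdict(lambda: defaultdict(set))  # src -> reason -> {dst}
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        _, _, src, _, dst, dport = m.groups()
        reason = blocked_by_policy(dst, int(dport))
        if reason:
            blocked[src][reason].add(dst)
    report = {}
    for src, reasons in blocked.items():
        direct_smtp = len(reasons.get("smtp-direct", ()))
        report[src] = {
            "blocked": {r: len(dsts) for r, dsts in reasons.items()},
            # Many distinct mail servers from one machine suggests a mailer
            # the user did not install, not a misconfigured mail client.
            "suspect_spam_zombie": direct_smtp >= smtp_threshold,
        }
    return report


if __name__ == "__main__":
    print(review(SAMPLE))
```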


This thread has been archived and is closed to new comments