Free, decent firewall for XP

Alliandre · Feb 10, 2005

As the title says, can anyone recommend a free yet decent firewall for use on a Win XP machine?

SilverHood · Feb 10, 2005

ZoneAlarm is pretty decent:

http://www.zonelabs.com/store/content/catalog/products/sku_list_za.jsp

Uriel · Feb 10, 2005

I'd not hesitate to recommend Sygate http://smb.sygate.com/products/spf_standard.htm

It's not incredibly friendly to use but it works and has some nice features like being able to set different settings for each NIC. Useful when you're using internet connection sharing in windows.

Catsby · Feb 10, 2005

Catsby used to use Kerio personal firewall.

However, Catsby has found that both Kerio and ZA can eat up cpu cycles when doing some things such as "save as" in IE.... So Catsby just uses the XP firewall, and it has passed every website he has found that purports to test the security of your computer.

Athan · Feb 11, 2005

Catsby said:
Catsby used to use Kerio personal firewall.

However, Catsby has found that both Kerio and ZA can eat up cpu cycles when doing some things such as "save as" in IE.... So Catsby just uses the XP firewall, and it has passed every website he has found that purports to test the security of your computer.

I use Kerio as well, as when I looked it was the only obviously free one I could find (Sygate Personal is like Realplayer of old in that it seems to hide the 'free' link as much as possible on the web pages).

I've not had trouble with it, although sometimes running programs seems to take ages to open. That was more an issue when I also had M$ Anti-Spyware beta installed though, seems ok since I removed that.

Also, you could try turning off the bits in Kerio that check if an executeable is allowed to run. Personally that's exactly why I like Kerio. Unless a trojan/virus finds a workaround they can't even run without a dialogue popping up giving me the chance to deny them

.

-Ath

Escape · Feb 11, 2005

I'm using the Sygate one. Though I have a hardware router/firewall, I'm using SPF to control internet access for programs. The same as what I've used Zonealarm for before, but SPF has a 'traffic' graph to show incoming/outgoing activity, which is usefull sometimes.

Athan · Feb 11, 2005

Actually that's a good point. So long as functionality doesn't suffer it's a good idea to use multiple firewalls, one on the machine, another on router etc. so that if you need to take one down for maintenance or because it's interfering with something you're not totally open in the meantime. I was protected by the firewalling on my linux router whilst I disabled Kerio PFW to see if it was the reason I couldn't register a Steam account the other week (turned our Steam was just being mega-crap that night), for instance.

Remember kiddies, block ports 135-139,445 inbound AND outbound unless you have a specific need, and then only open them for the specific 'required' IPs. On the other hand block every damned thing and only allow what you need

.

-Ath

TdC · Feb 11, 2005

Athan said:
block every damned thing and only allow what you need .

and make sure your girl/boyfriend doesn't have admin rights, no matter what they do to get you to give it to them

Xavier · Feb 13, 2005

kind've makes me glad I have a Pix 515E at home. It does cause a few headaches with certain games, having to manually open ports is a drag when you just want to play something new, but having to hop between different software firewalls because of vulnerability X or exploit Y would definately be more 'teh suck'.

Don't you use a pix too ath?

Athan · Feb 14, 2005

Xavier said:
kind've makes me glad I have a Pix 515E at home. It does cause a few headaches with certain games, having to manually open ports is a drag when you just want to play something new, but having to hop between different software firewalls because of vulnerability X or exploit Y would definately be more 'teh suck'.

That's more a 'use different anti-virus' thing. My point above was that using multiple ones means you still have SOME protection if you have to temporarily turn one off for some reason. In the case of a software firewall on a windows OS this might be necessary to see if it IS the cause of some other software not working (correctly), for instance. But with a(nother) firewall in front of the machine and The Internet[tm] you still have some protection in the meantime.
Why use the software firewall in this case? Because as well as actually blocking ports and net access many of them offer this additional protection of controlling what programs can run without user intervention, and which sub-programs an already running program can run. i.e. if my browser (yes *I* user Firefox, it is pretty well protected by its own code but no telling about future discovered exploits, and people do still use IE) gets tricked into running some downloaded file Kerio PFW should trap this and let me know, to which I go "fuck off" (ok, I click Deny

) and investigate how it happened, rather than the malware simply running.
Your PIX isn't going to do anything about that. Not even if it actually does content scanninf of all HTTP requests and replies, for instance. Because that would rely on it having 100% uptodate signatures/rules AND the vendor already knowing about whatever malware it is.
Given the inability to run Windows with a non-admin user sensibly (I play Battlefield 1942, which has punkbuster, I like punkbuster for some measure of anti-cheat protection, but it requires either the user running the game to be admin or for Local Policy to give them sufficient debug process rights that you may as well be admin anyway) I do want this kind of additional protection when running Windows.

Don't you use a pix too ath?

Linux box with iptables/netfilter in my case. I'd need to have acquired a PIX at some point to use it

. If I was more paranoid and didn't want my fw being a general file server too (I also IRC from it) then I'd just get an even more minimal x86 box and run a firewall off a CD. But even I am not quite paranoid enough to want to require a new CD burn to update configs.

-Ath

poisono · Feb 25, 2005

Athan said:
Linux box with iptables/netfilter in my case. I'd need to have acquired a PIX at some point to use it . If I was more paranoid and didn't want my fw being a general file server too (I also IRC from it) then I'd just get an even more minimal x86 box and run a firewall off a CD. But even I am not quite paranoid enough to want to require a new CD burn to update configs.

-Ath

Smoothwall if your completly new to Linux, its fast and it works wonders as said an old x86 box or sub 233mhz box and ure flying

PCI Linux compatiable modem will be needed thoo, I think aria.co.uk do them just do a search for PCI ADSL Modem.

Athan · Feb 26, 2005

poisono said:
PCI Linux compatiable modem will be needed thoo, I think aria.co.uk do them just do a search for PCI ADSL Modem.

Not necessarily, if you do your homework you can find some DSL routers that will pass the external IP through to be used directly on the machine on the LAN side of it. I do this with my Conexant AM-CA61E that I got from Aria a few years back. Just use the 'half bridge' mode. This assumes a dynamic IP assigned via DHCP. If it's static then you can just assign the same IP/network on both sides (WAN and LAN) and it'll work (it's what I'm doing with my Zen /28).

-Ath

Free, decent firewall for XP

Alliandre

Fledgling Freddie

SilverHood

FH is my second home

Uriel

Fledgling Freddie

Catsby

One of Freddy's beloved

Athan

Resident Freddy

Escape

Can't get enough of FH

Athan

Resident Freddy

TdC

Trem's hunky sex love muffin

Xavier

Can't get enough of FH

Athan

Resident Freddy

poisono

Fledgling Freddie

Athan

Resident Freddy

Users who are viewing this thread