Serious Discussion Minimal Firewall

and take care; it messed with my Windows settings; changed notifications settings to snooze.
I understood more or less what you said, but that's okay. Be careful, posting too much without paying attention can lead to mistakes, like mixing apples and oranges. I assume you speak and write English fluently, right? If so, you shouldn't make mistakes, or you're tired or didn't sleep well, you have to rest your mind, it needs rest. Now, if you use a translator, you have to be very careful, as the chance of sending something wrong by mistake increases dramatically. But don't worry about it, we're only human.
 
Were you not referring to Minimal Firewall here?
Yes, you suggested Minimal Firewall to @dronefox1166 in post #27. But I only started talking to @dronefox1166 in post #31. FYI, when I suggested CF or WFC to him, did he understand? You can check my posts, I never mentioned Minimal Firewall. Oddly enough, I keep track of things, no matter how trivial they may be. Didn't you see that I remembered the case of @Gandalf_The_Grey the other day about the Osprey extension, the context menu bug that didn't appear in his browser? You weren't here yet, it was in early 2023. Ask @Andy Ful about an update that Microsoft released on January 13, on Friday the 13th. My shortcuts started taking over the desktop one by one. Why? Because I was using Hard_Configurator with ConfigureDefender in MAX related to ASR rules. If you want more, there's more. ;)
 
I must have been confused by the inserted post of Minimal firewall in the middle of the unrelated thread; my apologies.
 
So that I don't come across as a liar, this is a post from January 13, 2023, posted here: "Microsoft Defender ASR rules remove icons and apps shortcuts from Taskbar". You can read more information here about false positives for the Attack Surface Reduction (ASR) rule "Block calls to the Win32 API from Office macros". These detections resulted in the deletion of files that matched the incorrect detection logic, primarily affecting Windows shortcut files (.lnk). You read all the posts from other members. I reacted, and there are several posts from me reporting the experience I had with the shortcuts starting to disappear one by one. I would click on the shortcuts, and they would disappear. You can see me talking to @Andy Ful and other forum members. I won't mention everyone involved because it's boring, it's over, it's no longer relevant, and it's part of the past. Just to emphasize that I haven't forgotten about it. I don't know why it was Friday the 13th, but I remember even finding the information on the Microsoft website. Don't worry, it was a misunderstanding. Let me test Vivaldi here and see if the K extension works.
 
So that I don't come across as a liar
I have not called you anything like that; it is obvious there was some sort of misunderstanding; you were referring to something I thought was Minimal Firewall suggested by dronefox1166.
You know I have great respect for you, your kind way of treating members, and your helpful tips.
 
the programming language seems safer (C#) than Fort Firewall (C++) or simplewall (C)...



After Portmaster (GO) better!


C++ and C can be just as safe, as long as they are implemented correctly. Those apps deal with the Windows Filtering Platform, so they are more logical to use.
As for resources, C will always be the most efficient, but also difficult to keep secure.

I use C# because my app is a frontend, using .NET 4.8 and the COM interop. I would prefer to use .NET 9, as it's more efficient, but 4.8 is included by default on most W10/W11, and users will be more hesitant to download it from Microsoft for whatever reason.
 
It is using 84 MB of RAM compared to less than 5 by simplewall; I am going to delete.

I am exploring ways to deal with it now. Ideally I would just create a system service and have a system tray icon that just deals in popups, but I don't want to have to give any more admin privileges than user privileges. I'll try removing icon support first (I accidentally hid from GUI anyways after v1.2 so I'll see if it makes much memory impact if not cached also). My program is probably fairly unique in the way it finds pending connections, by pulling from the system log. In order to keep the CPU minimal, it has to keep all the firewall rules in cache so it doesn't have to search through them each time. It's a tradeoff though in the end, between CPU and memory, as I designed it to use very little CPU, and instead keep things in cache. My task manager right now shows more CPU and similar memory usage (80 MB is around 0.5% of 16 GB RAM).


If I can find a good way to reduce it, I will in v1.6. It will always be higher than Simplewall. That's part of the security trade-off between directly working with Windows Firewall and messing with sublayers or even worse as some third-party firewalls do, creating a homebrew driver and greatly opening up the attack surface and potential kernel level exploits. On the plus-side, my rules are the same persistent and deterministic rules that Windows Firewall uses. So if you completely close it with the lock in place, it still protects you exactly the same (of course, then you wouldn't be able to see if anything tried to connect, it would just fail). There is no filter that may or may not be on top of the default Windows Firewall, because it's essentially a frontend that hardens it by blocking everything rather than just known inbound.
 
To begin with, I would like to congratulate you on this hard work.
I liked two things the most: first, the interactive mode with a popup to allow or block the outbound (without inbound) connection, which is a defect in simplewall (it allows or blocks both outbound and inbound together).
The second thing is adding the rules directly to Windows firewall, not working side-to-side, as in the case with simplewall.

I just faced some weird bug; with each popup, Windows notifications settings changed spontaneously to "do not disturb" mode.
 
Thanks for the issue. I suspect the bug has to do with my popups being customized to have no borders and to show up on top, which makes Windows think it's full screen for some reason, and if you have something like game mode or study mode or whatever on, it can turn on do not disturb in some cases. So I tried adding a 1 pixel border. If that's not it, I'm not quite sure how to debug it.

I just released v1.6. I also tried to lower memory usage by deleting the cache of some lists when you close to taskbar, which should make it around 40-60 MB.
 
@deminimis "without requiring custom kernel modifications or disabling core isolation".

Why do you think the driver or disabling core isolation are needed?

--
Fort Firewall (FFw) requires a driver to:
- effectively filter large IP lists (with thousands of addresses) - Windows Firewall (WF) uses linear search, but FFw and PeerBlock use binary search
- filter SvcHost services (especially for Windows Update)
- speed limit apps
- pause connections to ask for the user's decision (not yet implemented)
- not allow startup of specified apps (Kill Process)

You don't have any of the features listed above, but you're proud that you don't use a driver?

--
Do you understand why FFw requires "core isolation disabling"?

Because I've no company to be a Partner of MS and sign the driver via Hardware Program.

If you're going to say that only companies should implement drivers, but not "homebrew developers", then remember Crowdstrike.

So blame MS that individual developers can't sign drivers and FFw requires "core isolation disabling".
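
The linear-versus-binary lookup cost mentioned for large IP lists in the post above, as an added example that is not part of the thread and is not code from Fort Firewall, PeerBlock or Windows Firewall. The range layout, the function names and the constructed 4096-entry list are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
typedef struct { uint32_t lo, hi; } ip_range; /* inclusive IPv4 range, host byte order */
static int cmp_lo(const void *a, const void *b) {
    uint32_t x = ((const ip_range *)a)->lo, y = ((const ip_range *)b)->lo;
    return (x > y) - (x < y);
}
/* Sort by start address and merge overlapping or adjacent ranges in place.
   Binary search is only correct on this normalized form. Returns the new count. */
size_t normalize(ip_range *r, size_t n) {
    size_t out = 0;
    qsort(r, n, sizeof *r, cmp_lo);
    for (size_t i = 1; i < n; i++) {
        if (r[out].hi != UINT32_MAX && r[i].lo > r[out].hi + 1) r[++out] = r[i];
        else if (r[i].hi > r[out].hi) r[out].hi = r[i].hi;
    }
    return n ? out + 1 : 0;
}
/* Linear scan: *probes ends up as the number of entries examined. */
int lookup_linear(const ip_range *r, size_t n, uint32_t ip, size_t *probes) {
    for (*probes = 0; *probes < n; ++*probes)
        if (ip >= r[*probes].lo && ip <= r[*probes].hi) { ++*probes; return 1; }
    return 0;
}
/* Binary search over the normalized list: about log2(n) entries examined. */
int lookup_binary(const ip_range *r, size_t n, uint32_t ip, size_t *probes) {
    size_t lo = 0, hi = n;
    for (*probes = 0; lo < hi; ) {
        size_t mid = lo + (hi - lo) / 2; ++*probes;
        if (ip < r[mid].lo) hi = mid;
        else if (ip > r[mid].hi) lo = mid + 1;
        else return 1;
    }
    return 0;
}
/* Constructed sample: n /24 blocks from 10.0.0.0, 512 apart, filled in descending order. */
size_t build_sample(ip_range *r, size_t n) {
    for (size_t i = 0; i < n; i++) {
        r[i].lo = 0x0A000000u + (uint32_t)(n - 1 - i) * 512u;
        r[i].hi = r[i].lo + 255u;
    }
    return normalize(r, n);
}
int main(void) {
    static ip_range list[4096];
    size_t pl, pb, n = build_sample(list, 4096);
    int hit = lookup_linear(list, n, 0x0A1FFE80u, &pl) & lookup_binary(list, n, 0x0A1FFE80u, &pb);
    printf("hit=%d linear probes=%zu binary probes=%zu\n", hit, pl, pb);
    return 0;
}
```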
 
I have not called you anything like that; it is obvious there was some sort of misunderstanding; you were referring to something I thought was Minimal Firewall suggested by dronefox1166.
Yes, you're right, it was a misunderstanding. (y) I sincerely apologize, my friend. ;)
You know I have great respect for you, your kind way of treating members, and your helpful tips.
Thank you very much, I appreciate your kind words, my friend. :love: BTW, we're in this together. 🤝
 
You've shown Simplewall's popup as an example. But firewalls without a driver cannot pause connections.

Fort's current popup will not change much with this feature implemented: paused conns will be in the same panel of connections.
simplewall has no driver and pauses the connection until the user responds to the prompt.
 
No, all firewalls without a driver show a popup about an already blocked/allowed connection. See Simplewall's issue.
simplewall and Windows Firewall Control block the connection and show a popup asking the user to allow or block; that is what I consider a "paused" connection; as long as it is blocked until my decision, it is paused.
 
Every time the installer changes its name, simplewall asks me again to allow or block the connection, and until I decide, the connection is blocked; I am not facing any trouble with it.
Again, please see the above issue.

The installer tries to connect only once. And after you allow it, a new installer will start with another name.

So you have to disable the firewall completely to be able to run such installer.
 