Serious Discussion Minimal Firewall

About tnodir and Fort Firewall: on his GitHub webpage some contributors are listed, but I don't know if/how they currently contribute to the project (GitHub - tnodir/fort: Fort Firewall for Windows). I can say that Fort Firewall is a well established project; the first release dates back to March 2019 and tnodir actively updates it. About deminimis and Minimal Firewall: on his GitHub webpage there aren't other contributors (GitHub - deminimis/minimalfirewall: Minimal Firewall is a portable Windows firewall frontend that alerts users to internet connections without requiring custom kernel modifications or disabling core isolation, striking a balance between Window Defender's security and SimpleWall's functionality.). It's a new project, as the first release dates from 3 days ago. About Safing ICS and Portmaster: in addition to the official website (Safing Portmaster - Easy Privacy) they also have a webpage on GitHub (GitHub - safing/portmaster: 🏔 Love Freedom - ❌ Block Mass Surveillance). They are organized like a software company and I used their product some time ago (if I remember correctly, at that time it was free of charge and there weren't different pricing plans like nowadays), but I uninstalled it because it was rather heavy on resources.
Minimal firewall is heavy too; the lightest is simplewall.
 
lightest is simplewall.
I also used it many years ago but I didn't particularly like it. Furthermore, I remember that after uninstalling it I couldn't connect to the Internet anymore, so I had to reinstall it, search on the web for a solution, and after uninstalling it once again I had to run a command prompt to restore the Internet connection. Probably something has changed since then and that issue was fixed with subsequent releases.
 
I didn't particularly like it.
Me too; but you have to choose the least worst one among the available; pick your poison.

I remember that after uninstalling it I couldn't connect to Internet anymore so I had to reinstall it
Must have forgotten to disable and delete the created rules before uninstalling; I did not face the problem when uninstalling simplewall.
 
Well, if anyone can answer this: will Minimal Firewall function with Kaspersky antivirus's firewall enabled? Because simplewall can function with Kaspersky firewall enabled - I ask because, if I remember correctly, Kaspersky disabled Windows Firewall?? If so, would Minimal Firewall be able to run alongside it?
If it disables Windows Firewall, then no, Minimal Firewall will not work with it. Minimal Firewall uses COM interop to directly interact with Windows Firewall.
Simplewall works because it uses the WFP API to create filters at a deeper level in the network stack, at the kernel level.

I assume there is an option to not disable Windows Firewall with Kaspersky (but I haven't used it).
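
A read-only check related to the answer above, added here as an example and not part of the original post or of Minimal Firewall's code: it queries the Windows Firewall COM interface (HNetCfg.FwPolicy2) and the MpsSvc service to show, per profile, whether the built-in firewall is still enabled after a third-party suite is installed. The function name is an assumption chosen for illustration.

```powershell
# Added example (read-only): is the Windows Firewall engine that COM-based
# front ends depend on actually running and enabled?
# Profile bit values are the NET_FW_PROFILE_TYPE2 constants.
$FwProfiles = [ordered]@{ Domain = 1; Private = 2; Public = 4 }

function Get-WindowsFirewallState {   # hypothetical helper name
    # MpsSvc is the "Windows Defender Firewall" service.
    $svc    = Get-Service -Name MpsSvc
    $policy = New-Object -ComObject HNetCfg.FwPolicy2
    $active = $policy.CurrentProfileTypes   # bitmask of currently active profiles

    foreach ($name in $FwProfiles.Keys) {
        $bit = $FwProfiles[$name]
        [pscustomobject]@{
            Profile         = $name
            Active          = [bool]($active -band $bit)
            FirewallEnabled = [bool]$policy.FirewallEnabled($bit)
            # NET_FW_ACTION_BLOCK = 0, NET_FW_ACTION_ALLOW = 1
            DefaultOutbound = if ($policy.DefaultOutboundAction($bit) -eq 0) { 'Block' } else { 'Allow' }
            ServiceStatus   = $svc.Status
        }
    }
}

Get-WindowsFirewallState | Format-Table -AutoSize
```

If `FirewallEnabled` is False for the active profile, or `ServiceStatus` is not Running, rules written through the Windows Firewall API are not being enforced by Windows Firewall.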
 
Why do you think the driver or disabling core isolation are needed?

--
Fort Firewall (FFw) requires a driver to:
- effectively filter large IP lists (with thousands of addresses) - Windows Firewall (WF) uses linear search, but FFw and PeerBlock use binary search
- filter SvcHost services (especially for Windows Update)
- speed limit apps
- pause connections to ask for the user's decision (not yet implemented)
- not allow startup of specified apps (Kill Process)

You don't have any of the feature listed above, but you're proud that you don't use a driver?

--
Do you understand why FFw requires "core isolation disabling"?

Because I've no company to be a Partner of MS and sign the driver via Hardware Program.

If you're going to say that only companies should implement drivers, but not "homebrew developers", then remember CrowdStrike.

So blame MS that individual developers can't sign drivers and FFw requires "core isolation disabling".

That's a pretty big trade off.
Not only are you opening up a major attack surface at the kernel-level, but core isolation specifically protects against those attacks. Two birds with one stone. It's what can let rootkit malware hide on your device.

Doesn't Simplewall handle large IP lists with WFP callouts? Or why not use VPN routing rules, a DNS filter, or something like Suricata that's built for it?

I'm not sure what you mean about filtering SvcHost services. Are you saying it's not possible to block svchost.exe in Windows Firewall?

I also don't see the benefit of "pausing" rather than blocking a connection. I've never run into anything you can't restart a connection with. With Minimal Firewall, you can just allow anything within a specific folder if you want (such as a browser update folder where the .exe name changes constantly).
 
Not only are you opening up a major attack surface at the kernel-level, but core isolation specifically protects against those attacks.
1. The driver can be opened only by processes with Admin rights.
2. If malware has Admin rights, then it's Game Over.
3. Core isolation protects only kernel structures from malware that has Admin rights.

Again, I'm not against core isolation. But MS does not let individual developers sign drivers.

Again, only Fort Firewall requires core isolation disabling, because I've no company.

All other firewalls with their own driver (ESET, ZoneAlarm, Comodo Fw, NetLimiter etc) have no problem with core isolation, because their drivers are signed by MS.

It's an organizational, not technical or inherent, problem for Fort Firewall.
So it's very strange that you write about "core isolation disabling of other firewall" in the description of your program.
 
1. The driver can be opened only by processes with Admin rights.
2. If malware has Admin rights, then it's Game Over.
3. Core isolation protects only kernel structures from malware that has Admin rights.

Again, I'm not against core isolation. But MS does not let individual developers sign drivers.

Again, only Fort Firewall requires core isolation disabling, because I've no company.

All other firewalls with their own driver (ESET, ZoneAlarm, Comodo Fw, NetLimiter etc) have no problem with core isolation, because their drivers are signed by MS.

It's an organizational, not technical or inherent, problem for Fort Firewall.
So it's very strange that you write about "core isolation disabling of other firewall" in the description of your program.

Your firewall looks good, but hopefully you get some funding and can get that sorted. It's a big security disadvantage. The whole point of the firewall is to make your system more secure, not less.

And I don't rely on any of those other ones either, because why would I increase potential attack surface? Bad opsec.
 
Frankly speaking, if Windows built-in firewall has interactive mode for outbound connections (it has for inbound only), I would not bother looking for a 3rd party firewall.
 
If it disables Windows Firewall, then no, Minimal Firewall will not work with it. Minimal Firewall uses COM interop to directly interact with Windows Firewall.
Simplewall works because it uses the WFP API to create filters at a deeper level in the network stack, at the kernel level.

I assume there is an option to not disable Windows Firewall with Kaspersky (but I haven't used it).
@harlan4096
Hi Harlan, can you clarify for us whether Windows Firewall can be turned on if the Kaspersky firewall from Kaspersky antivirus is on? The original question I posed was about miniwall - miniwall works with Windows Firewall being active/on; however, if the Kaspersky firewall in Kaspersky Standard is enabled, can Windows Firewall also be enabled (in order to allow minifirewall to work)?
 
@deminimis One thing I like about simplewall are these options that I have attached screenshots for below - any chance that you may take into consideration adding such options (regarding blocking telemetry, and Windows apps from updating, etc.)?
[Attached screenshots: p1.png, p2.png, p3.png]
 
@harlan4096
Hi Harlan, can you clarify for us whether Windows Firewall can be turned on if the Kaspersky firewall from Kaspersky antivirus is on? The original question I posed was about miniwall - miniwall works with Windows Firewall being active/on; however, if the Kaspersky firewall in Kaspersky Standard is enabled, can Windows Firewall also be enabled (in order to allow minifirewall to work)?
When K. product installs on Windows, it keeps FireWall service enabled, it does not disable it, that can be the reason.

This is the status of my FW service in my system with KES 12.9 installed:

[Attached screenshot: 1751037152514.png]
 
Why to use two 3rd party firewalls simultaneously?
Malwarebytes Windows Firewall Control isn't a 3rd party firewall; it's an enhanced UI for Windows Firewall. Some years ago I purchased a license for Sphinx Software Windows 10 Firewall Control Plus Edition because it had added features over the Windows Firewall, but I chose to not disable the latter one. About two months ago Sphinx Software released Windows 11 Firewall Control (Plus and Server Editions) free of charge. The features of Sphinx Software Windows 11 Firewall Control are listed here, if anyone is interested (GitHub - Windows11FirewallControl/Windows11FirewallControl: Simple and exhaustive solution for applications network activity controlling and monitoring). Also, here is a review of the previous (paid) version (Windows 10 Firewall Control Review) that casually compared it to Malwarebytes Windows Firewall Control.
The UI of the updated version is pretty identical to the previous one but anyway now it's free of charge.
I could disable Windows Firewall but I prefer to have it on, just for added security and to not have the red "X" on Windows security taskbar icon :)
 
@deminimis One thing I like about simplewall are these options that I have attached screenshots for below - any chance that you may take into consideration adding such options (regarding blocking telemetry, and Windows apps from updating, etc.)?
Yes, it's a very easy implementation, but I'm considering creating another app for it, so it doesn't get bloated, because I have a lot of features I want to add regarding DNS, VPN and related matters. I will just pull from well-known lists (Advertising Blacklists - CuratedHub), to essentially be a system-wide ad/spyblocker. Most people just use those in the browser (uBlock) or network (pihole) though.

I'm quite busy over the summer though, so I will probably just fix any bugs until then, and then I have a lot planned in those regards. In the meantime, apps already implementing some of the features I want include Adguard and Zen Adblocker.
 
Frankly speaking, if Windows built-in firewall has interactive mode for outbound connections (it has for inbound only), I would not bother looking for a 3rd party firewall.
That would be the best option in my opinion. Lowest attack surface. It would be very easy for them to implement it too. But I think we won't see it anytime soon with full capabilities, given how much they try to spy on your usage of their OS.
 
I mean filtering SvcHost services by name.

You can block SvcHost services by name in WF, but not Windows Update service.

Simplewall uses a trick by copying the "svchost.exe" to other file.
[Attached screenshot: 1751048963881.png]


Sorry, I guess I don't understand what you mean. You can block specific services like Windows Update and Background Intelligent Transfer Service, and also block the specific .exe for each svchost.exe in Windows Firewall or most third party firewalls:

[Attached screenshot: 1751049247667.png]


Svchost is not really a service, it's a host process for individual services that you can find in most firewalls. And any firewall could implement that within a workday if they wanted to, but it's pretty niche. It would take no processing power or memory to get the list, literally just go to cmd and type: tasklist /svc

But I think I'm misunderstanding you due to a language barrier.
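
The `tasklist /svc` view mentioned in the post above, as an added PowerShell example that is not part of the original thread: it groups running services by the svchost.exe process hosting them and lists any existing firewall rules that are scoped to a service name. The function names are assumptions for illustration; `wuauserv` and `BITS` are the service names of Windows Update and Background Intelligent Transfer Service.

```powershell
# Added example (read-only). Uses the built-in CimCmdlets and NetSecurity modules.

function Get-SvchostServiceMap {   # hypothetical helper name
    # One row per svchost.exe process with the services it hosts (like tasklist /svc).
    Get-CimInstance -ClassName Win32_Service -Filter "State = 'Running'" |
        Where-Object { $_.PathName -match '\\svchost\.exe' } |
        Group-Object -Property ProcessId |
        ForEach-Object {
            [pscustomobject]@{
                ProcessId = [int]$_.Name
                Services  = ($_.Group.Name | Sort-Object) -join ', '
            }
        } |
        Sort-Object -Property ProcessId
}

function Get-ServiceScopedFirewallRule {   # hypothetical helper name
    param([string[]]$ServiceName = @('wuauserv', 'BITS'))

    foreach ($name in $ServiceName) {
        # Rules whose service filter names this service; an empty result is valid.
        Get-NetFirewallServiceFilter -Service $name -ErrorAction SilentlyContinue |
            Get-NetFirewallRule |
            Select-Object @{ n = 'Service'; e = { $name } },
                          DisplayName, Direction, Action, Enabled
    }
}

Get-SvchostServiceMap | Format-Table -AutoSize -Wrap
Get-ServiceScopedFirewallRule | Format-Table -AutoSize
```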
 
Svchost is not really a service, it's a host process for individual services that you can find in most firewalls.
No, svchost.exe is not just a generic host process like you think.

It’s a critical system component in Windows that runs essential background services. Each instance of svchost.exe can host different Windows services — some of which are absolutely vital, like:
  • DNS Client (name resolution),
  • Windows Update,
  • Security services (like antivirus cloud sync).
Without certain svchost services running, your system can't properly read your local hosts file, located at:
C:\Windows\System32\drivers\etc\hosts

This means your local DNS filtering fails, especially if you’ve got apps that constantly update via changing IPs. Worse, if your DNS requests default to your ISP’s resolver and your system is already compromised — you’re screwed.

Now imagine a malware that modifies the Windows registry and injects a fake svchost.exe under SYSTEM privileges?
Your antivirus can’t connect. Real-time protection fails. You’re either stuck offline or redirected to malicious domains.

On top of that, without the real svchost.exe running properly, you can’t monitor anything on your own system. It’s like being blind in your own house.

And if someone manages to remotely run their own version of svchost.exe under NT AUTHORITY\SYSTEM?


Let’s just say…

FATALITY. STALKER WINS. 🎮🕶️