Tiny Firewall - Filter Rules

clevelandtexas
Regular Member
Posts: 105
Joined: Mon Feb 05, 2001 12:00 am
Location: El Paso, TX USA

Tiny Firewall - Filter Rules

Post by clevelandtexas »

I've been using ZoneAlarm for a while now and it seems to get the job done.

However, about 48 hours ago I downloaded and installed Tiny Firewall and have been playing with it. It appears that setting up filter rules is part skill and part magic, and that rules must be prioritized into a special "pecking" order. Unfortunately the manual does not provide enough information.

Through some experimentation by rearranging certain items in the filter rules, you can range from a constant barrage of messages asking to create more rules to locking up any program that accesses the internet to a near standstill. It seems that some catch-all filters that 'deny' need to be at the bottom of the pecking order to prevent the slowdowns.

When installing Tiny Firewall you get 5 pre-assigned filter rules and if you are on a LAN the manual suggests adding a sixth to protect your NETBIOS.

There are some programs?/users? like 'SYSTEM' and the 'kernel' that try to access certain ports. Should the rules on these be set as deny always or permit always, or something in between?

These are just a few of my observations that have come with a lot of tinkering.

Does anyone know of any web sites that provide further information on Tiny Firewall or have any personal experience they can share? It would be much appreciated.

Presently it seems that I have the beast relatively tamed but I have a gut feeling that I have too many rules trying to block out phantoms.
KSJNX
Member
Posts: 76
Joined: Sun Feb 18, 2001 12:00 am

Post by KSJNX »

Before I start I would just like to say that Tiny is the best. OK, now to the stuff. When kernel tries to send, most of the time it's just trying to access your DNS servers.
Unless you can't browse the web or use the internet without those running, just deny them. For instance I have loopback (you have to have that) and outgoing ping. For Internet Explorer I have outgoing for port 80 and 443 and a few other ones. I'm not sure if microshaft (Microsoft) is trying to spy on us or what. Just deny, and if you have a problem after setting the rule, delete it.
clevelandtexas
Regular Member
Posts: 105
Joined: Mon Feb 05, 2001 12:00 am
Location: El Paso, TX USA

Post by clevelandtexas »

You mentioned that you have Loopback; that is one of the 5 "canned" filter rules. Of the other four, NetBT Datagram, NetBT Session, DNS and Outgoing PING, what exactly are they doing? And how necessary are they? I do have a LAN.
fredra
Advanced Member
Posts: 847
Joined: Mon Mar 20, 2000 12:00 am
Location: Nepean, On, Canada

Post by fredra »

Hi textdawg
Those five rules must be kept...

I use Tiny on my test bed workstation under both WIN Me and Win2k.

I would refer you to this web page; it provides a detailed explanation of setting up Tiny and gives more information for accessing FTP sites and ICQ through Tiny firewall.
Let me know if that helps... good luck!!
www.legolas.ca:8080/sec2.html
:)
A man with a watch knows what time it is. A man with two watches is never sure.
clevelandtexas
Regular Member
Posts: 105
Joined: Mon Feb 05, 2001 12:00 am
Location: El Paso, TX USA

Post by clevelandtexas »

I checked out the legolas site, but there is no explanation of what the "canned" 5 actually mean.
fredra
Advanced Member
Posts: 847
Joined: Mon Mar 20, 2000 12:00 am
Location: Nepean, On, Canada

Post by fredra »

Hi textdawg

"If you are in a local area network, your computer will broadcast UDP packets using ports 137 and 138. These packets tell other LAN users your name and workgroup. Since these packets are frequently broadcasted, we provided a filter rule to permit all datagrams on ports 137 and 138 so that the user will not encounter several prompt screens from the wizard. This means that your computer name and workgroup name are available to anybody. If you do not wish to disclose such information you must add the following filter rule: For outgoing UDP packets specify the local endpoint as a range from 137 to 138. Leave all other information as "any." Deny all packets that fit this description. Make sure you give the rule a description like "Deny UDP netbios," and that the rule is at the top of the list."

This is an excerpt from www.winroute.com; hope this can help.
A man with a watch knows what time it is. A man with two watches is never sure.
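The two points made above, that a catch-all 'deny' belongs at the bottom so unmatched traffic stops triggering the rule wizard, and that the "Deny UDP netbios" rule only works if it sits above the permissive NetBT Datagram rule, both come down to first-match evaluation of an ordered rule list. The following Python is an added illustration of that evaluation model, not Tiny Firewall's own engine or anything from the forum posts; the rule names follow the thread, the port semantics follow the WinRoute excerpt, and the packets are constructed sample values for the demonstration.

```python
"""First-match packet filter model (added example, not Tiny Firewall code).

A rule list is walked top to bottom; the first rule that matches decides.
If nothing matches, the result is "ask", which stands for the wizard prompt
a personal firewall pops up when it has no rule for the traffic.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = None  # wildcard: the field is not checked


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    direction: str                  # "out" or "in"
    remote_ip: str
    local_port: Optional[int] = None
    remote_port: Optional[int] = None


def _in_range(port: Optional[int], bounds: Tuple[int, int]) -> bool:
    return port is not None and bounds[0] <= port <= bounds[1]


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                   # "permit" or "deny"
    proto: Optional[str] = ANY
    direction: Optional[str] = ANY
    local_ports: Optional[Tuple[int, int]] = ANY  # inclusive (lo, hi)
    remote_ports: Optional[Tuple[int, int]] = ANY
    remote_ip: Optional[str] = ANY

    def matches(self, p: Packet) -> bool:
        if self.proto is not ANY and self.proto != p.proto:
            return False
        if self.direction is not ANY and self.direction != p.direction:
            return False
        if self.remote_ip is not ANY and self.remote_ip != p.remote_ip:
            return False
        if self.local_ports is not ANY and not _in_range(p.local_port, self.local_ports):
            return False
        if self.remote_ports is not ANY and not _in_range(p.remote_port, self.remote_ports):
            return False
        return True


def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, str]:
    """Return (action, rule name) of the first match, or ("ask", ...) if none."""
    for r in rules:
        if r.matches(p):
            return r.action, r.name
    return "ask", "<no rule matched>"


# Rules named in the thread.  The "canned" NetBT Datagram rule permits UDP
# on local ports 137-138 as the WinRoute excerpt describes; NetBT Session is
# left out because the thread does not say what it matches.
LOOPBACK = Rule("Loopback", "permit", remote_ip="127.0.0.1")
NETBT_DATAGRAM = Rule("NetBT Datagram", "permit", proto="udp", local_ports=(137, 138))
DNS = Rule("DNS", "permit", proto="udp", direction="out", remote_ports=(53, 53))
OUTGOING_PING = Rule("Outgoing PING", "permit", proto="icmp", direction="out")
DENY_UDP_NETBIOS = Rule("Deny UDP netbios", "deny", proto="udp",
                        direction="out", local_ports=(137, 138))
IE_HTTP = Rule("IE outgoing HTTP", "permit", proto="tcp", direction="out", remote_ports=(80, 80))
IE_HTTPS = Rule("IE outgoing HTTPS", "permit", proto="tcp", direction="out", remote_ports=(443, 443))
CATCH_ALL_DENY = Rule("Deny everything else", "deny")

CANNED = [LOOPBACK, NETBT_DATAGRAM, DNS, OUTGOING_PING]
# Deny rule appended below the canned permit: it is shadowed and never fires.
WRONG_ORDER = CANNED + [DENY_UDP_NETBIOS]
# Deny rule at the top as the excerpt instructs, catch-all deny at the bottom.
HARDENED = [DENY_UDP_NETBIOS] + CANNED + [IE_HTTP, IE_HTTPS, CATCH_ALL_DENY]

# Constructed sample packets (not captured traffic).
NETBIOS_BROADCAST = Packet("udp", "out", "192.168.1.255", local_port=137, remote_port=137)
DNS_QUERY = Packet("udp", "out", "192.168.1.1", local_port=1025, remote_port=53)
HTTPS_REQUEST = Packet("tcp", "out", "203.0.113.10", local_port=1030, remote_port=443)
UNKNOWN_TCP = Packet("tcp", "out", "203.0.113.10", local_port=1031, remote_port=6667)


def shadowed_rules(rules: List[Rule], probes: List[Packet]) -> List[str]:
    """Names of rules that never decide any probe packet; a shadowed deny
    rule placed below a broader permit shows up here."""
    hit = {evaluate(rules, p)[1] for p in probes}
    return [r.name for r in rules if r.name not in hit]


if __name__ == "__main__":
    probes = [NETBIOS_BROADCAST, DNS_QUERY, HTTPS_REQUEST, UNKNOWN_TCP]
    for label, rules in (("canned only", CANNED), ("wrong order", WRONG_ORDER), ("hardened", HARDENED)):
        print(f"== {label} ==")
        for p in probes:
            print(f"  {p.proto}/{p.direction} -> {p.remote_ip}:{p.remote_port}: {evaluate(rules, p)}")
        print("  never hit:", shadowed_rules(rules, probes))
```

Running it shows the NetBIOS broadcast permitted by the "wrong order" list (NetBT Datagram matches first, so the deny below it is listed as never hit), denied by the hardened list, and the unknown TCP connection producing "ask" under the canned rules alone but a silent deny once the catch-all sits at the bottom.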
clevelandtexas
Regular Member
Posts: 105
Joined: Mon Feb 05, 2001 12:00 am
Location: El Paso, TX USA

Post by clevelandtexas »

Thanks for the information. I spent about 2 hours last evening playing with Tiny Firewall, rearranging the filter order, etc., and I'm getting a good feel for it. The documentation could be a little stronger, and the notes on the legolas site start to fill in the gaps. With a little trial and error I'm getting to understand this fine product.

I ran three firewall checkers against my PC and none could break in. In fact the TCP test on Sygate's site never gets beyond port 20 on its 1024 port check. I guess that Tiny Firewall completely frustrates the check. If I switch back to ZoneAlarm the TCP test will complete.

I also ran GRC's check and one other that is also very thorough which does a check and then e-mails the results.

Thanks for your help.

I imagine that as Tiny Firewall gains more popularity, more information will cross this forum.
fredra
Advanced Member
Posts: 847
Joined: Mon Mar 20, 2000 12:00 am
Location: Nepean, On, Canada

Post by fredra »

Hi textdawg
I am glad you are impressed with Tiny (to some degree). I still use ZA Pro on some of my PCs; however, on my laptop I use Tiny (the footprint is very small and it doesn't hog resources).
The drawback with Tiny (IMHO) is that you must be knowledgeable about firewall rules and know what is on your PC that needs to call out.
e.g. MSN Messenger needs a rule, but it never says it is Messenger, it says it is IEXPLORER... that is misleading... but after you create the ruleset the hacker can't piggyback through that port, as the signature is changed and it will block it coming in.
The rulesets in Tiny are similar to WINROUTE PROXY (same people who make Tiny). I also hope others in this forum are able to try Tiny and see for themselves.
Thanks for posting your results for us to share.
:cool:
A man with a watch knows what time it is. A man with two watches is never sure.
clevelandtexas
Regular Member
Posts: 105
Joined: Mon Feb 05, 2001 12:00 am
Location: El Paso, TX USA

Post by clevelandtexas »

As Tiny Firewall becomes more popular, its competition with ZoneAlarm should foster improvements in both products. Yes, Tiny does require more hands-on work, but it does open the opportunity for users to understand the nuts and bolts of things.
:D