The German c't magazine has one right now, too, so if you are around Germany, feel free to buy one for 3.70 €...
edit: Fixed price, sorry.
Also, saying that running a software firewall is nowhere near as good as a hardware firewall is laughable due to the fact that hardware firewalls are SOFTWARE based running embedded on a set of dedicated hardware. In most cases, systems running personal firewalls are faster than the hardware included in the average home user firewall/router. So being fast is more important to you than being secure? You can't count that. -Josh (January 05, 2010, 01:05 AM)
Nice move ignoring the iptables link, which sounds like it could potentially be a lot worse than the cry-wolf XP bug. Not ignoring it, but keeping the discussion on-topic.
too bad default user wasn't made non-admin already in Win2k. AFAIK he still is not?
it shows that MS certainly aren't ignoring the problem any longer - and you get a lot of stuff with NT now that you don't get with linux unless manually choosing a kernel with SELinux patches. Which is, at least, a giant step in the right direction after rolling backwards for years. Let's hope they'll stick with it.
Well, duh, isn't this what I've been saying all along? Not quite, as we were still on "Personal Firewalls".
Except for the "doesn't need paranoia" part... a packet filter isn't paranoia, it's an additional level of security. ... or maybe also insecurity. See, most people I know mix up "consider your system's security" with "install a security suite and everything is fine", and then they'll wonder why their system is fucked up.
Hopefully it'll never be needed on neither hosts nor servers, but if you have a breach it can save your ass. So far I (personally) never had a problem that could have been fixed more easily by installing a packet filter. Lucky me.
If you don't need something complex, why waste time developing it? cmd.exe is complex but not mighty. "Scriptable" but not "flexible". For my own workstation(s) it is more than enough, but fiddling with config files without grep or something sounds hard.
Apparently enough users wanted a more powerful shell, and MS responded with PowerShell. Haven't used it myself so I can't comment on its quality. To me, PowerShell looks more like some .net command console, not a valid MinGW/Cygwin replacement. I really wish MS would consider making Windows POSIX-compatible by default for everyone, not only the high-class editions... would make life a lot easier.
...see a slight difference between those two statements? Yep, I missed the "IMO" in my original posting. The statement is, basically, the same, but the second one seems to be clearer or something. Sorry for fuzzy phrasing.
You've come up with one thing so far, which is more than three years old, limited to XP, and requires the ICS service to be on (which it isn't by default, as far as a lazy google says). http://en.wiktionary.org/wiki/potential
And it's not like *u*x daemons haven't had their fair share of exploits during the years. Apache, BIND, wu-ftpd, whatnot. Also, both OS X and Linux kernels have had very interesting local privilege escalation during the recent months, some of which are present in several years' worth of kernels... couple that with a remote exploit in a single third-party service (or even something as a lowly PHP bug) and boom, you've got root. Non-Windows doesn't automagically equate secure - no matter what you run, you need competent server admins who keep their eyes open. Some are "better" however.
So what, really? Windows isn't unix, things work differently. Now this is not a reason for having to use a rather mediocre shell, is it?
By this, you're saying that packet filters which require administrative privileges to configure are useless... to me. Maybe there are some rare circumstances that might be easier to handle with something like a "packet filter". Using such does not necessarily make your system more secure, though.
You're the one who flat-out claimed that packet filters aren't firewalls. Packet filters and "real" (hardware) firewalls work on the network layer, "software firewalls" mainly on the application layer. (With a driver-thingy on another layer, probably, but then we'll have a packet filter again.)
and that Windows' built-in firewall is useless... and potentially dangerous.
2) why wouldn't I run an important server on a Windows box? Because Windows is not known for stability and security, both of them are the most important attributes of servers IMO.
Ever checked this list? Uptime depends on various things. That Windows servers are on top of the list doesn't necessarily mean something. (edit: Missed a dot.)
My personal fileserver (which can hardly be thought of as a critical machine) runs linux - simply because it's free. Free as in beer. Now that's not actually a reason. If it was, no-one would use Windows anymore, as it is not free.
Fortunately, I'm not a stupid user that clicks yes to everything, and locations that are sensibly set up will have non-trusted users run as exactly that: non-trusted users without admin privs. So, at least, we're talking on a similar level. Quite a progress yet. -f0dder (January 04, 2010, 07:32 PM)
Btw, as for automatic updates: standard users should keep that on. But, while it hasn't happened very often, once in a blue moon and on a subset of configurations, updates have caused trouble. I know about that, but I wouldn't count this as a reason to disable AU for standard users. We're not talking about important servers right now (which should never run Windows anyway), right? -f0dder (January 04, 2010, 07:32 PM)
one should think that a software firewall (if primarily focusing on packet filtering) isn't that hard a job to get right. Given that we only talk about a packet filter and nothing more: You'll need some kind of an A.I. to decide which traffic is "good" and which is "bad". A packet filter completely controlled by its users does not do what it is intended to. -f0dder (January 04, 2010, 07:04 PM)
Show me an exploit for the built-in Windows PF? Not saying it doesn't exist, I just haven't seen it. There is one for the XP firewall, and I doubt there are none for newer versions ... -f0dder (January 04, 2010, 06:49 PM)
with proper software design, there's no reason that a 3rd-party software firewall can't be as secure as Windows' built-in... If we assumed proper software design, there were no holes in Windows at all, right? -f0dder (January 04, 2010, 06:49 PM)
If you've ever tried bringing an XP box pre-SP2 on the internet without 3rd party PF or a NAT'ing router, you'll see how fast this happens with internet traffic. Like that Sasser worm? I know it, yep ... -f0dder (January 04, 2010, 06:38 PM)
ever considered what can happen on a LAN or WLAN if one computer gets infected and there isn't a software firewall running on the individual hosts? A LAN or a WLAN doesn't actually send data between the clients without requesting them. Infected clients in my network don't make my Windows more insecure. Still talking about nonsense?
The Windows Firewall is a firewall. Wrong, because:
A firewall's main purpose is preventing access to the computer, not preventing the computer from reaching out. You cannot protect a machine from unauthorized access when running a prevention system on it!
but iirc a limited user account on XP can't modify firewall rules, and on Vista/Win7 you get an UAC prompt? People who use limited accounts and/or the UAC prompt will, like, never have serious system failures caused by malware. They just don't need any extra protection anyway.
Oh, I almost forgot: you've already spouted this nonsen. I was right.
Whether or not it can be bypassed, as can ANY firewall or software is not a valid point when determining its usefulness. Of course it is. Security software that can be bypassed simply doesn't protect you. Period.
If you need at least one reason why, it HELPS prevent problems. How?
and have found that the Windows firewall, even though it started simple, added an easy to use, unobtrusive layer of protection and sense of security. Placebo effect?
From what I have seen above, you have given us nothing but the usual "I hate Windows/Microsoft" diatribe, which always comes with no hard evidence, just empty statements on how useless or horrible MS and its software is. I am a proud Windows user. You won't get me this way.
Windows firewall routinely prompts me when a new program attempts to establish a connection. If this prompt is not clicked away automatically (or the malware even installs a rule there), you'll still have to consider that explorer.exe is not explorer.exe, right? -Josh (January 04, 2010, 05:29 PM)
You see? 2. It is not that hard to write a script which automatically clicks "Allow".
And this can be done with just about ANY firewall application... -Josh (January 04, 2010, 05:02 PM)
if you install something bad, then chances are your firewall is the last thing you need to worry about. Indeed. So again: What is your reason to call the Windows Firewall "useful"? For what purpose? -Josh (January 04, 2010, 05:02 PM)
Disable Windows Firewall - And there it is! How many reasons why the Windows "Firewall" is neither a firewall nor of any use would be enough to convince you that disabling it is a good idea? I think I could find dozens of them. -Innuendo (January 04, 2010, 04:18 PM)