Join 3,375 readers in helping fund MetaFilter (Hide)


Good, free firewalls.
April 25, 2007 9:12 PM   Subscribe

What's a good, free firewall I can use on my home PC (running WindowsXP SP2) that isn't Zone Alarm Pro, Sygate or Kerio?

I currently use the last free version of the Sygate firewall. It's great and seems to protect my system from attacks well enough (as far as I can tell) but I'm thinking that it's probably going to start becoming ridiculously obsolete soon (if it isn't hopelessly so already). So I need a new, preferably free firewall solution for my home computer which is linked via an Ethernet cable to one other home computer.

I don't want to use Zone Alarm Pro, for the simple reason that it doesn’t get on with Nintendo's Wi-Fi service. So I suppose one other feature that I'd like to see this new firewall use would be compatibility with that service.

I've tried Kerio, but I didn't like it. Maybe I didn't configure it correctly when I used it or something, but within a day or so of running it my system had collected more spyware than you could shake a stick at, something which simply hadn't happened under Sygate. It got so bad that I had to actually restore my Windows installation to a restore point from before Kerio was installed! So sufficed to say, it was a bad experience and I don’t intend to repeat the Kerio experiment again.

If there aren't any free firewalls out there that are worth using, I'd be happy to hear a few recommendations for low cost firewall solutions, but as I'm sure many here would agree, free is pretty much always better.
posted by Effigy2000 to Computers & Internet (24 answers total) 10 users marked this as a favorite
 
CORE FORCE is a open and free port of the very good OpenBSD PF firewall to Windows (including GUI and additional features like file system and registry access control and programs integrity validation). Runs on XP. Seems to be okay - but is still listed as Beta - so wouldn't bet my life with it.

CORE Security, the company behind the project, are pretty well respected in the security assessment space for their penetration testing tools.
posted by inflatablekiwi at 9:46 PM on April 25, 2007


Are you behind a router?
Even just NAT (nevermind the firewalling functions you get nowadays) should be enough to prevent you from getting "more spyware than you could shake a stick at" in a short a time as a day or so.
posted by juv3nal at 10:02 PM on April 25, 2007


I can't see any reason for running anything more invasive than the inbuilt XP SP2 firewall. It works just fine. It doesn't have per-application outbound-connection control, but if your system is clean to start with you shouldn't need that; use Spybot Search & Destroy to make it clean if it isn't already.
posted by flabdablet at 10:08 PM on April 25, 2007


BTW I would be very, very, very surprised to find that System Restore actually managed to fix a spyware infestation. Gobsmacked, even.
posted by flabdablet at 10:09 PM on April 25, 2007


WOW, I just tried the CORE FORCE program and it is very controlling! I was all stoked that there was a high-quality and open source firewall. After I installed it, restarted the computer and tried to restart firefox, it gave me like 20 different alerts. Apparently, it checks to see if programs are even allowed to access local files. Very high security product, way too much for me.

I don't have anything else to add. I have also noticed that zone alarm has gotten more pushy lately. I've been keeping my eyes out for a better program.
posted by philomathoholic at 10:18 PM on April 25, 2007


you could try Comodo Free Firewall It does a very good job for a freebie
posted by mrbenn at 10:23 PM on April 25, 2007


I use Sygate's free firewall and it allows you to designate which programs will always be allowed to access the Internet without notification. I think it works quite well. I was surprised to see that several applications were broadcasting data without my knowledge.
posted by laskagirl at 10:25 PM on April 25, 2007


Sygate PFP rocks. Unfortunately Vista broke it for me and I have yet to find a decent replacement. Honestly, I'd keep using it for a while, nothing I've found comes close when it comes to ease of use and security (Did you know it's possible to run SNORT under XP?). You can set that sucker up to be as tight or as painless as you want. Seriously, I've been searching and testing everything since I can no longer use it. There's nothing quite like it.
posted by IronLizard at 10:42 PM on April 25, 2007


I'm also behind a NAT. It's not enough by itself, Juv3nal.
posted by IronLizard at 10:43 PM on April 25, 2007


Software firewalls are for wimps. Real men defend their networks with a Smoothwall box.

Then those men are beaten up by other, less nerdy men.
posted by tracert at 10:54 PM on April 25, 2007


I'm with flabdabet on the utility of the basic WinXP SP2 firewall. In so far as "free" and "software firewall" should ever be considered the sole protection for Internet connected Windows machine, the built-in SP2 firewall does its job.

But ideally, you want to run a software firewall behind a front end device doing NAT and also running a firewall of it's own. The software firewall on your Windows box prevents that box from becoming a SPAM zombie if you do pickup a trojan from a random CD or other source, and the firewall on the NAT device in front of your network gives you control of network wide protection for your LAN. And most of the better Linksys SOHO routers, and similar products from other vendors, offer built-in "SPI (stateful packet inspection) firewalls" themselves, at street prices of under $50. SPI is an important product feature, because along with NAT (network address translation) it offers protection for the network behind the NAT device that only devices which can inspect individual packet content, and filter accordingly, can offer. With an SPI firewall, you can set pretty fine-grained rules for accepting or dropping connections, or even rewriting packets accordingly.
posted by paulsc at 12:20 AM on April 26, 2007


Seconding Comodo. Was previously using Zone Alarm but tried Comodo after reading good reviews. Pretty happy with it.
posted by gfrobe at 12:24 AM on April 26, 2007


paulsc, AFAIK "stateful packet inspection" simply means that the firewall understands that some packets are continuations of conversations or TCP connections initiated by other packets, and allows for filtering on the basis of the connection a packet belongs to as well as on individual packet contents; and since you can't do NAT at all without connection tracking, AFAIK there's no such thing as a NAT router that doesn't do stateful packet inspection.
posted by flabdablet at 12:34 AM on April 26, 2007


Actually, flabdablet, lots of NAT devices were around before SPI was added. It's true that NAT requires packet inspection; however stateful packet inspection generally implies that the NAT device understands the protocols running on the connections it serves, and that it can do selective filtering of those connections based on programmable rule sets. On Linksys devices with SPI, there are actually additional configuration pages in the user interface that allow you to add custom rules, as opposed to older devices which didn't have these capabilities.
posted by paulsc at 2:04 AM on April 26, 2007


I'm also behind a NAT. It's not enough by itself, Juv3nal.

Yeah, this is true, but the last two routers I've had have had firewalls as well, so I've haven't had any troubles despite not running a software firewall. I thought the built-in firewall was pretty much par for the course with routers nowadays. I admit, I'm hosed if it comes down to paulsc's scenario of getting something off a CD, but that's got to be a pretty rare occurence, no?
posted by juv3nal at 3:24 AM on April 26, 2007


"...I admit, I'm hosed if it comes down to paulsc's scenario of getting something off a CD, but that's got to be a pretty rare occurence, no?"
posted by juv3nal at 6:24 AM on April 26

I should have used a better range of examples. One source of trouble that I've seen a couple of times is with friends who take their poorly configured, rarely updated laptops out for walks at WiFi hotspots, and come home to their own LAN, and proceed to have strange new problems, which are sometimes passed over to "impregnable" desktop machines. Mobile devices are probably as big a malware vector as media ever used to be, but us old guys generally still default to pointing crooked fingers at media as a malware vector, out of our memories when Sneakernet was the network of the Cool Kids.

Sorry. [NOT AGEIST] :-)
posted by paulsc at 3:59 AM on April 26, 2007


I've tried Kerio, but I didn't like it. Maybe I didn't configure it correctly when I used it or something, but within a day or so of running it my system had collected more spyware than you could shake a stick at

Yeah, I think maybe you need to configure it at a more paranoid level or something. My only security measures are Kerio, and use of Firefox instead of IE, and I haven't had any spyware in years. Kerio COMPLETELY locks down net access if you configure it properly; after a couple weeks of annoying Kerio popups, I had most everything on auto-deny and the few programs I actually use on auto-allow, and it's been fine since.
posted by rkent at 5:08 AM on April 26, 2007


>my system had collected more spyware than you could shake a stick at

Spyware and your firewall have nothing in common. The firewall protects whatever open services your computer has (file, print sharing) from the net. The built-in windows firewall handles this just fine.

Spyware comes along the software you download with your browser. What you need to do is stop downloading random software and installing it. Google the name of all software you try with the word 'spyware' to see if anyone has reported spyware. Also run spybot periodically to see if anything has gotten on your system without you permissions (kids).

Also, spyware and viruses come from the same places nowadays. You should verify that yoru anti-virus is getting the updates it needs. You should also be doing scans. Weekly or daily.

Lastly, if security is such a problem, consider changing your account from an administrator to a user. As a user you wont have install privs, thus no one can fool you into downloading 'this hot new screensaver.' To instal things as a user you can use right-click 'run as' or log in as administrator.

Another firewall is not the solution here.
posted by damn dirty ape at 7:32 AM on April 26, 2007


>Spyware and your firewall have nothing in common.

Agreed.

Almost any current NAT router should be sufficient. As mentioned, use the built in XP SP2 firewall for extra security, or use a firewall like Zone Alarm or Kerio (which is an excellent firewall*) to monitor outbound "phone home" traffic (which XP SP2 doesn't do).


* Except for the latest version from Sunbelt. It seems to have a number of issues.
posted by roofone at 12:53 PM on April 26, 2007


I'm giving Comodo a go as we speak. It seems to be doing a good job so far. We'll see how it runs over the next few days.
posted by Effigy2000 at 1:21 PM on April 27, 2007


OK, one more attempt at defending my technical cred and I'm done.

It seems to me that what you're calling "stateful inspection" is what I've formerly seen called "deep inspection". I still maintain that it makes no sense to do NAT without stateful inspection, regardless of how the marketroids have subsequently corrupted these technical terms :-)

Without connection tracking, there is no way for a router to know which of the machines on its LAN side should be the target for any given incoming packet on the WAN side. The only thing that distinguishes the intended targets of those incoming packets from each other is their port numbers; without a table associating port numbers with established connections from LAN-side hosts, this can't be done, and to keep such a table up to date requires connection tracking.

And once you have connection tracking, it's actually easier to use it for packet filtering than not to; so I'd be surprised to find an actual example of a commercially available NAT router that actually has a non-stateful (as opposed to non-deep-inspection) firewall.
posted by flabdablet at 11:24 PM on April 27, 2007


It's entirely possible I was wrong about Sygate. (Ahem)

Just don't tell anybody
posted by IronLizard at 12:54 AM on May 3, 2007


I just uninstalled Comodo.

As a free firewall, it seemed to do the trick. Infact, it seemed to work perfectly. But where it fell down for me was that no matter how I tried to configure it, my Wii and NDS couldn't connect to the internet. Even with All Traffic allowed and even when I actually closed down the firewall itself, it still couldn't connect. So since it's important to me to be able to access the internet with these consoles, I uninstalled it.

So I'm back to Sygate again, which is fine. It's still a great firewall and it's letting my consoles connect to the net. I'd recommended Comodo if you don't ever plan to use the Nintendo Wi-Fi service but if you do, use Sygate, because its the only decent free firewall I've found that works with it.
posted by Effigy2000 at 5:12 PM on May 3, 2007


I am eagerly awaiting the 14th, though I still wish Sygate was supported, regardless of it's (possible) shortcomings.
posted by IronLizard at 5:16 PM on May 3, 2007


« Older What do you call the drink tha...   |  WindowsVista : How do I determ... Newer »
This thread is closed to new comments.