Firewall settings

When I set my Firewall to block all incoming traffic, browsing slows down a great deal, why is that? I read where a regular home user does not need to allow any incoming traffic.

Thank you.

 

What FW are you using? Which build? What OS? CPU+Memory config?

I personally don't notice a slow down with my firewall (Sygate Pro 5 1170) but I have read others (including those using Sygate) experiencing slow downs. Keep in mind you now have a middle man inspecting all of the packets that enter and exit your your system. It is bound to have a resouce hit. Depending on your set-up that might be greater or smaller.

If you is really bad you could look around for a FW that has a smaller footprint, look Kerio/Tiny/Lock 'n' Stop and Stop or if you, if you haven't yet spent cash on your FW, you could get a FW/Router and take the packet inpsection off your desktop and possible speed things up a bit if it that is actually what is slowing down your PC.
Free
http://www.kerio.com/us/kpf_home.html
Cost
http://www.looknstop.com/En/index2.htm
http://www.tinysoftware.com/home/tiny2?la=EN
FW/Router
http://www.linksys.com/
http://www.netgear.com/
Those are just a few thoughts.

 

I'm using Sygate 5 1170, with Windows 98se 192mb ram,
I'm now allowing incoming traffic on a few ports: 80,443
with this surfing is normal, I guess if you allow outgoing traffic on 80,443 you also have to allow incoming.

 

What a second, chief! What you just stated, if you have actuall set it to allow incoming traffic, is not correct. In fact, that setting would partially defeat the whole purpose of the firewall. Before I go on let me point in the right direction for help:

Go to the support forum for Sygate Pro at this link
http://forums.sygatetech.com/

A good overview of features and use
http://personal.atl.bellsouth.net/i/k/ikpe/

If you go the Sygate forum you can get pretty much any question answered. But let's probe your post a little. Whey you say you are allowing incoming traffic, you mean one of these two things right?

1. When you go to Applications, click on your browser, and select Advanced the box for Act As Server is checked marked?

2. You have created an Advanced Rule that allows either incoming traffic on 80/443 for your browser or have a rule that allows for both in the same rule?

If so you have exposed yourself to anyone with a port scanner. Unless your PC actually is a server then you would never want to either select Act As Server for any app or allow incoming traffic on any application. There are some rare exceptions to this rule that involve your ISP/internal network.

Here is why. When your firewall is set-up to allow outgoing traffic only here is what it does. It sends out a packet to a given remote source A. It will only allow a correct response from A to your packet. If A attempts to sending a packet that was not iniated by you, it get's blocked. If anyone other than a source your are sending packets to attempts to send a packet to you on that same port, it will be blocked because it was not expected. This is basics of how any packet filter works whether software or hardware firewall.

Even P2P file sharing programs like Kazaa do not need to allow for incomming packets.

Anyway, although your solution seems to be working for you, it defeats the purpose of the firewall. Checkout Sygate Forums and I am sure somone can get to a better more secure solution. Also, you didn't mention what CPU you are running? Are you running an older CPU such as a PII?

 

By default sygate has allow as server - checked, I didnt know until I clicked on the applications and then advance, I unchecked all of them.
When I say I allowed incoming traffic, I mean I set up an advanced rule for IE not to allow traffic on TCP ports 0-79,81-109,111-442,444-8079,8081-65535.
So your saying that no incoming traffic should be allowed not even with file sharing programs like kazza and Winmx?
And another thing when I close an application like outlook It still appears in the sygate running applications window, does this happen to you?

 

Yes, that is true and the excuse used by Sygate is that is the default setting of Windows, but in my opinion that is a poor excuse and is contary to good security. So yes, on install or upgrade you have to go through and manually uncheck Act As Server for all of the applications that are listed in the Applications settings and as new applications are opened that attempt to access the internet. It is the one thing about the program that I hate.

Ok, it probably be useful if you post the rule you created so we could review it. There are two basic approachs to FW rules: Allow-all (allows all packets that are not specifically listed in a rule to be denied) and Deny-all (all no packets except those that are allowed by a rule). Sygate by default is Deny-all FW. This means it will only allow traffic that you have either created a specific allow rule or if it is allowed by your Application settings. Keep in mind the Application settings are really just really general rule sets. Also, when creating your rules remember that Sygate like most rules based firewalls works In Order or the first rule is applied before the 2nd and 3rd and etc. That is why you have the arrow keys on the advanced rules for moving rules that you create to change the order.

Now, before I go on let me say Pak or Spacecowboy at the Sygate forum are by far more advanced rule makers than I, but looking at your rule above seems to me you are taking the Allow-All approach, in that you are specifing what should not be allowed rather than the what should be. That said there is an easier way to acheive what it looks you are attempting.

1. Creat a rule or rules for what you want to be permitted
2. Make the last rule for any application a Block All rule
3. Once you are sure you rule set is good, go the Application settings and uncheck all boxes. This will ensure that the only your Advanced rules are applied. Otherwise Sygate will go to the Application settings after going through your rule sets.

Now for your specific rule, what you have described so far doesn't specify anything about the direction of traffic being allowed or denied so I can't tell how would effect incoming/outgoing traffic. But these are the conditions that would allow incoming traffic (keep in mind this doesn't mean all incoming traffic--just unsolicited incoming traffic).

1. Act As Server is selected in Application Settings for that particular appplication (make sure to check all of the windows service as well)

2. Your advanced rule has "Action: Allow This Traffic" selected, "Traffic Direction" is selected as either incoming or both.

So yes, it is not necessary to specifically create rules for which ports should not receive incoming traffic. You should create rules for what outgoing traffic is allowed and then end it with a seperate block all rule. This block all rule is probably not necessary but it creates a bit of extra insurance to ensure that only those conditions you have set are actually happening.

Here is an example of one of my rule sets for Kazaalite:
Rule 1
Rule Summary:
This rule will allow outgoing traffic to all hosts on TCP remote port(s) 1024-4999,80 and TCP local port(s) 1024-4999,80. This rule will be applied to all network interface cards. This traffic will be recorded in the 'Packet Log'. The following applications will be affected in this rule: Kazaa Lite.

Rule 2
Rule Summary:
This rule will block both incoming and outgoing traffic from/to all hosts on all ports and protocols. This rule will be applied to all network interface cards. The following applications will be affected in this rule: Kazaa Lite.

Now I could tighten that rule by restricting the remote ports to only 1214 and 80 (default for Kazaa). The trick to creating rules is reviewing your logs. Your Traffic and Packet logs are key for this. It now only gives you the basic road map for how to create the rule to start with but how to fix it if it is too tight. Also for applications such as an auto update function of a particular app, you can use the logs to see what the IP addresses are that the app is dialing back to and use this to restrict the rule down to only those specific IPs. Again, it is matter of trail and error and reviewing your logs.

Also you could get a jump start by going to PC Flank. They have rule sets for most common applications. Just keep in mind that their rule sets are a bit liberal. Also again, the Sygate forum should be good for gettting other examples.

http://www.pcflank.com/index.htm

Also, make sure to select "Record this traffic in the Packet Log" on the front of all of your rules. Otherwise the appplication of that rule will not be recorded. I hope that helps.