Best Firewall to use with utorrent

[mountainmachine]

Ok so running Kiero Firewall at the moment and regarless of what i do it seems to be blocking ports, i can switch machines and go from 5-10kB/s to 25-50kB?s on another machine.

Basically i want to know the best firewall to use with utorrent! That also gives decent protection - obviously!

Thanks

[Alpha-Toxic]

I don't have much experience with firewalls, but from some of my tests I think Comodo is a very good choice. Also I remember that like 2 years ago Kerio and Tiny Personal were very good and convenient, but this was too long ago. And my personal preference is STAY AWAY FROM ZONE ALARM, i don't know how good it is at keeping u safe, but the interface is sooooooo irritaitng.... and as I recall it lacked too many config options.

[Ultima]

Oh the problems with ZA go much further than skin-deep.

[µtorrent-Guest]

if you use xp then the built-in one is all you need. just activate it!

[anoxan]

the best firewall is no firewall...unless you have a router. then use that.

[Intangir]

If you're behind a NAT (router), you should be more-or-less golden. The well-behaved XP firewall on top of that usually fits the bill just fine. If you do use Kerio, do like Alpha-Toxic said and get the older series. I believe the last version of the classic Kerio/Tiny was 2.1.5 and you can probably find it with Google easily.

Still, a router + SP2 firewall = win.

[silverfire]

I only have WIPFW installed on my laptop because when I take it to classes, it's not firewalled. It serves its purpose nicely, but if you're not used to using console-based apps, you're probably screwed.

[weilawei]

Hrm, everyone is so down on ZoneAlarm. Personally, it's my favorite choice; I have never had issues with it being unconfigurable for any given purpose. I'm behind a router, but I'm not going to let that sit as my only line of defense. Here's how I do it, fwiw, ymmv.

1. Check which port uTorrent wants to use.

2. Forward that port on the router.

3. ZoneAlarm -> Firewall -> Expert tab -> Add

4. Fill in the nice dialog. (Mine below)

5. Save, apply, and minimize ZoneAlarm.

6. Use the uTorrent Port Checker at http://www.utorrent.com/testport.php?port=[your uTorrent port here] to make sure everything is kosher.

Rank: 1 (Can be ranked something else to give other firewall rules priority)

Name: uTorrent

State: Enabled

Action: Allow

Track: None (Can be Log/Alert and Log here if you feel like checking up on it)

Source: Internet Zone (Possibly be Gateway here, but I'm on a wireless connection that switches between 2 different APs)

Destination: My Computer (Again, you have options, could be an outward-facing IP or DNS entry)

Time: Any (If you've got uTorrent on the scheduler, you could modify this)

Protocol: Add a new protocol here, like so

Protocol: UDP

Description: uTorrent

Destination Port: Other - [your uTorrent port here]

Source Port: Other - [your uTorrent port here]

[boo]

weilawei, except that ZA has a backdoor and does a "calling home" with sensitive information.

[Alpha-Toxic]

If you have a router, you need no firewall at all, 99.999% the router does a better job than any given firewall (except if it is not some very very crapy one).

[boo]

Alpha-Toxic, true, but there are some security function which only a software firewall can do,

so the best protection is software + hardware firewall.

[anoxan]

what is so important on your pc that makes it so desirable anyway? I know it's not your porn, cause I'll guarantee my collection's bigger/better than yours....

[boo]

for example personal data, work related data + I don't won't my computer to be hijacked and

used in various illegal matters.

But even if I didn't have anything important on my computer,

I highly believe in privacy and also a hacker could mess up my system and

I like to avoid reinstallation of windows etc.

[weilawei]

weilawei, except that ZA has a backdoor and does a "calling home" with sensitive information.

Okay, I don't remember this existing. I'm running ZoneAlarm Security Suite 6.1.x. Here's what I found.

Starting here -> http://www.iss.net/search.php?config=corporate&pattern=ZoneAlarm&x=0&y=0

18 reports. Time to dig.

zonealarm-ipc-dos (19309): Zone Labs: ZoneAlarm Security Suite prior to 5.5.062.011

Not an issue, anymore.

zonealarm-adblock-dos (18159): Zone Labs: ZoneAlarm Security Suite 5.x

Not an issue, anymore.

zonealarm-showhtmldialog-obtain-information (22971): Zone Labs: ZoneAlarm Internet Security Suite 6.0.x

Okay, this looks somewhat serious, since they didn't mention a remedy. Does it affect 6.1.x as well?

http://www.derkeiler.com/Mailing-Lists/Securiteam/2005-12/msg00003.html gives a bit more information. It seems we have to run a malicious program on the local system. This is a tossup. Do you like to run random code from strangers? Mmm, candy.

zonealarm-synflood-dos (10379): Zone Labs: ZoneAlarm Pro 3.1

Not an issue, anymore.

zonealarm-insecure-file-permission (17099): Zone Labs: ZoneAlarm Pro 5.x

Not an issue, anymore.

zonealarm-udp-dos (13072): Zone Labs: ZoneAlarm Pro Any version

Well, this certainly looks troubling.

http://www.securityfocus.com/bid/8525 lists Zone Labs ZoneAlarm Pro 4.5, Zone Labs ZoneAlarm Pro 4.0, Zone Labs ZoneAlarm 3.7 .202. I'm not sure yet if the UDP flood still works in 6.1.x builds. Any more information here?

18 ways to escalate privileges in Zone Labs ZoneAlarm Security Suite

build 6.1.744.000: This is a bit of a side-track into Bugtraq archives.

http://www.securityfocus.com/archive/1/427122 details this one.

Exploitation Requirements:

First of all, you will need to have a directory that is writeable to a

lower level user, that is included in the Windows PATH environment

variable. As you saw above, I had ActiveState's ActivePerl installed

and it worked just fine.

Secondly, verify that the path you have chosen is definitely writeable

to a lower level user. On Windows 2000 operating systems the default

permissions for the root of the partition where the operating system

is installed is set as Everyone/Full Control. So, by default,

C:\Perl\bin is set to Everyone/Full Control. On Windows 2000 operating

systems a guest account can be used during the exploitation process.

On Windows XP, the C:\Perl\bin folder has special permissions set (by

default) for the local Users group that allows the creation and

modification of new files and folders. Perfect, that is all that is

needed. On Windows XP, an account in the local Users group can be used

during the exploitation process.

This feels a bit like leaving the door open and letting a stranger run their own code. Granted, it is a privilege escalation, but it's not a remote vuln. (Unless... something else is vulnerable on the system that gives local account access.) Your call, I never leave Guest open.

zonealarm-email-bypass-security (15884): Zone Labs: ZoneAlarm Any version

Again, this doesn't look good. Unfortunately, I don't see anything since 2004. Considering that this is a potential remote exploit (if you use ZA mail filtering) it might be worth a test run to see if it still exists.

Although... you shouldn't run random executable code attached to your email from strangers.

zonealarm-mailsafe-dot-bypass (8744) Zone Labs: ZoneAlarm 3.0

Not an issue, anymore.

zonelabs-multiple-products-bo (14991): Zone Labs: ZoneAlarm prior to 4.5.538.001

Not an issue, anymore.

device-driver-gain-privileges (12824): Zone Labs: ZoneAlarm 3.1

Not an issue, anymore.

ca-vet-antivirus-bo (20686): Zone Labs: ZoneAlarm Security Suite Any version

Here's a good one.

Affects any operating system or program using the Vet Antivirus Library. Remote heap overflow exploit. However, this seems out of date.

http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=32896 says Vet engine 11.9.1 and later are not affected. Install the latest virus defintions if an earier Vet is in use. ZA 6.1.x seems secure here. Not an issue, anymore?

Annnnd.. the rest were attempts to kill ZA once you have a worm safely harbored in your computer. Now to look at ZA "phone home" settings.

Check for product updates can be set to manual.

Whenever I request info from Zone Labs: Alert me with a pop-up before I make contact can be turned on.

Hide my IP address when applicable can be turned on.

Share my security settings anonymously with Zone Labs can be turned off.

If you contact ZA for program advice, that's your own contact initiation, not a phone home.

Spyware or not?

A Perfect Spy? It seems that ZoneAlarm Security Suite has been phoning home, even when told not to. Last fall, InfoWorld Senior Contributing Editor James Borck discovered ZA 6.0 was surreptitiously sending encrypted data back to four different servers, despite disabling all of the suite's communications options. Zone Labs denied the flaw for nearly two months, then eventually chalked it up to a "bug" in the software -- even though instructions to contact the servers were set out in the program's XML code. A company spokesmodel says a fix for the flaw will be coming soon and worried users can get around the bug by modifying their Host file settings. However, there's no truth to the rumor that the NSA used ZoneAlarm to spy on U.S. citizens.

http://www.vtc.net/~cdgoldin/caveat/zap0719.htm declares ZA to be spyware. Also, provides ways to disable the purported activity.

http://www.hansenonline.net/Networking/zaspy.html couldn't find any data being sent back. What to think?

I'll avoid the SP2 firewall with reports like this from http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2004-09/0257.html

Granted, any software firewall will have its issues. No software is perfect. (Neither is hardware for that matter.)

As soon as you install SP2 on a Windows XP PC with a certain configuration,

your file and printer sharing data are visible worldwide, despite an

activated Firewall. This also applies to all other services. The PC only

has to provide sharing for an internal local network and connect to the

Internet via dial-up or ISDN. Users of DSL services are also affected, if a

firewall is not integrated into the DSL modem or a common modem instead of

a DSL router is used. Additionally, Internet Connection Sharing of the PC

has to be disabled.

A number of test scans run by PC-Welt revealed that this in fact is a

common configuration and not a rare sight. Without great effort, we were

able to discover private documents on easily accessible computers on the

Internet. It must be assumed, that these users wrongly believe they are

safe and that their sharing configurations are only visible in their

network at home: Often, we did not even encounter password protection.

Okay, that's my mini-research summary on the topic. I'm going to stick with ZA for now since *my* system doesn't seem to be phoning home or allowing my system to become swarmed with nasties.

[boo]

weilawei, well there are better options like Outpost, Look'n'Stop and Jetico Firewall.

A Perfect Spy? It seems that ZoneAlarm Security Suite has been phoning home, even when told not to. Last fall, InfoWorld Senior Contributing Editor James Borck discovered ZA 6.0 was surreptitiously sending encrypted data back to four different servers, despite disabling all of the suite's communications options. Zone Labs denied the flaw for nearly two months, then eventually chalked it up to a "bug" in the software -- even though instructions to contact the servers were set out in the program's XML code. A company spokesmodel says a fix for the flaw will be coming soon and worried users can get around the bug by modifying their Host file settings. However, there's no truth to the rumor that the NSA used ZoneAlarm to spy on U.S. citizens.

I think declaring it as a bug is a cheap and bad excuse, a bug does simply not encrypt data and send it to several ZA servers. If ZA once does this kind of immoral thing they can do it again and why I say it's immoral, well a firewall is meant to protect you from such things like this.

[µtorrent-Guest]

boo, correct me if i'm wrong, but we are talking here about a "firewall" for THE phone home closed source software on the market.

So why does anybody would even complain when another piece of software for that OS do also phones home?

I mean, come on, If you are really concerned about your security you would not use an closed source OS like windows in the first place and even not additional closed source software from 3rd party vendors that promise you "security" because they tell you that windows is not secure in the factory shipping version!

@weilawei

regarding the firewall bug with the open shares the german PC-welt wrote about back in the days; That was patched by MS if I remember correctly

[weilawei]

Morals. Iffy subject. I was more looking to see if there was any truth to the idea that the current code phoned home. I'm a tad more concerned about what a piece of code does than the moral reasoning behind it.

However, I had forgotten about Look 'n' Stop. Haven't used it in years, but from what I remember, it was an excellent choice as well. But.. for a quick rundown, http://www.firewallleaktester.com/tests.php has a great list of firewall tests and rankings.

Now, back to fiddling with the WebUI. There's a world to be taken over, you know!

[Ultima]

@boo: IMHO the "phone home" thing was blown out of proportion, and that isn't really the issue at hand. ZoneAlarm is just really buggy for a lot of people.

@weilawei: As I said to boo, ZoneAlarm has been buggy for a lot of people. I myself have never had any real "beef" with ZoneAlarm, and even wrote a guide for opening the port for ZA a while ago. I decided to switch from it myself simply because I got annoyed with it. It works fine for some, but in many cases, we've had to tell people to uninstall ZoneAlarm to fix some issue it was having with µTorrent. As you said, YMMV.

Edit: Oh, and regarding the phone home thing... here. But yeah, it's old news.

[boo]

boo, correct me if i'm wrong, but we are talking here about a "firewall" for THE phone home closed source software on the market.

So why does anybody would even complain when another piece of software for that OS do also phones home?

I mean, come on, If you are really concerned about your security you would not use an closed source OS like windows in the first place and even not additional closed source software from 3rd party vendors that promise you "security" because they tell you that windows is not secure in the factory shipping version!

Well some people have no choice but to use windows like me for example,

but when it comes to security programs you do have a choices to choose between and

thats the major difference to what your talking about.

And to windows there is no reliable open source firewall as far as I know,

so those who use windows have to use closed source firewall

Anyway, we are going a bit offtopic, as I mentioned I personally recommend Outpost,

Look'n'Stop and Jetico Firewall.

Also, I have heard that Securwall from Securstar will be a good firewall when it get released.

[Dark Shroud]

Just to add to the comments about ZA and why I stopped using it. It doesn't keep up with p2p traffic and blocks a lot of legit peers. It doesn't stop running, even when you set it to disable; you have to uninstall it. This I don't know of first hand but it from a knowledgeable person, ZA modifies the TCP/IP stack without telling you. And when you uninstall it ZA will leave tons of hidden files.

Personally I use McAfee. It hasn't failed me yet. For a free Firewall I suggest Windows or Kerio since Norton bought & kill Sygate.

[Switeck]

I have an old 4-port Linksys wired router. After updating its firmware, I was able to block LAN ips *AND* ports from being visible from the internet OR connecting outward to the internet.

In particular, I have these ports blocked:

23-24

48

129-139

445

17300

These ports are either unsecured ports that I need for LAN traffic or ports that correspond to portions of Microsoft Windows that I do not feel can be safely given internet access due to its "phone-home" features.

Almost all my unused LAN ips are blocked as well to prevent ghosting issues that can occur with file-sharing to ips reported second-hand. An example is if your LAN is on 10.0.0.x and the ip 10.0.0.223 arrives via DHT or Peer Exchange (they probably filter LAN ips so this is just a hypothetical example)...your computer will try to connect to 10.0.0.223 on your network even though it doesn't exist.

[aiyps]

hi! As far as i am concerned, you can use mcafee firewall with uTorrent.It gives u gr8 download speeds.

If you are looking for a free firewall, comodo is the best. i got good speeds on it too.

So, for utorrent, i would suggest comodo/Mcafee

[lsd]

Zone Alarm - absolute NO! NO! a bloated resource hog that's all to it; Someone mentioned KPF 2.x <-- NO!NO! as well, has unpached security hole, if you want to use KPF use 4.2.x, or latest version before Sunbelt took over; Comodo has had some issues (what issues - don't remember google it);

I don't agree that NAT and router is enough, what about Outbound traffic ??? What happens when on a bad day you get some malware that want to phone home, there's nothing to stop it if you don't have fw

Anyways kpf is my choice, small, resource easy, configureable and reminds me a bit Firestarter - gui for IpTables for Linux.

[µtorrent-Guest]

Isd asked:

"what about Outbound traffic ??? What happens when on a bad day you get some malware that want to phone home, there's nothing to stop it if you don't have fw :)"

let me ask back: what if some "bad day" malware is programmed in a way that circumvents the PFW software that runs on the same physical system that the malware is running on?!

If you truely believe that a PFW on the same system can protect you from the scenario you mentioned then you don't know what you are talking about and you got fooled by snakeoil promisses from the personalfirewall software vendors that make you believing that their product can stop it reliable!

Edit

Spelling + clarification

[FORCE]

Outpost is best choice, i used it years and it is best so far...

Connection monitor

Best user interface

Best defence against killing outpost.exe

Very good network stress resistance