
Simplewall

Simplewall is an excellent, open source, and straightforward firewall that you can use for Windows. I've been using it for the past few years and will continue to do so. It uses the Windows Filtering Platform (WFP), and is separate from Windows Defender. If you use Defender and are looking for some extra firewall protection, this is a good tool to add.

Features that make this a great firewall

All processes are denied internet access by default. You have to allow access for every single process, including ones that are part of Windows. You can set these on a timer, have Simplewall ask later, block forever, and allow forever. You can also change these at any time later on. This is one of my favorite features, as many things try to access the internet when they have absolutely no need to.

There's a built-in blocklist of known Microsoft telemetry IP addresses. There are two different levels to this. You can use the default list of 540 or crank it up a notch and add an extra 956 IPs.

You have the option of disabling certain networking features in Windows that are left on by default. NetBIOS and LLMNR are two examples. Many people don't have a need for them, and disabling them is a slight increase in security. Note that disabling certain rules here can cause other issues. It's important to test for your specific system and needs.

You can see what apps are currently connected to the internet, along with the destination IP. You also have the ability to log packets. Though these are great features, I personally have different preferences for tracking these items.

Initial setup and configuration

Download Source

When you download this, make sure it's from the official repo by the developer, "henrypp." There have been issues where bad actors will take something from GitHub, make malicious changes, and then upload it there or somewhere else and make it seem official. Other tools have had to deal with impostors as well - Picocrypt being an example.

When you start Simplewall, you'll notice a button to turn on the filters (which activates the firewall). An option will also appear asking if you want to disable Windows Firewall. This is your choice. Both firewalls work well together and I leave both of them enabled.

As soon as you enable the firewall, you're going to get a deluge of popups from the firewall asking if you want to allow access to a pile of different processes. This will seem like a lot at first, but once you get done with the initial configuration, it is very unobtrusive and will run well in the background. After that, it will only need to ask about anything new and, in some cases, apps that have been updated.

You'll notice that some processes have different color highlights. Green means the .exe is digitally signed, purple means it's actively connecting to the internet, and red means the .exe doesn't exist anymore (this can be due to deletion, or in some cases, when the .exe gets updated).
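As an added example (not code from the original post or from the Simplewall project), the following PowerShell reproduces the signed / missing check behind those green and red highlights using Get-AuthenticodeSignature. The same cmdlet can be pointed at the installer you downloaded in the previous step, so you can read the signer's subject before running it. The sample paths are constructed; the last one is a hypothetical path that does not exist, to show the "red" case.

```powershell
# Added example (not part of the original post or Simplewall): classify a list of
# executables the way Simplewall's colour highlights do, i.e. file missing (red)
# versus carrying a valid Authenticode signature (green).

function Get-ExeTrustStatus {
    param(
        [Parameter(Mandatory)]
        [string[]] $Path
    )

    foreach ($p in $Path) {
        # Expand %SystemRoot%-style variables so the paths match what Simplewall shows
        $full = [Environment]::ExpandEnvironmentVariables($p)

        if (-not (Test-Path -LiteralPath $full -PathType Leaf)) {
            # Simplewall highlights these red: the file was deleted or replaced by an update
            [pscustomobject]@{
                Path      = $full
                Exists    = $false
                Signature = 'n/a'
                Signer    = $null
                Hint      = 'red (file no longer exists)'
            }
            continue
        }

        # Works for embedded and catalog signatures; most Windows binaries are catalog-signed
        $sig    = Get-AuthenticodeSignature -LiteralPath $full
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

        # 'Valid' corresponds to the green highlight; NotSigned, HashMismatch or
        # NotTrusted deserve a closer look before you hand out a permanent allow rule
        $hint = if ($sig.Status -eq 'Valid') { 'green (signed)' } else { 'unsigned or invalid signature' }

        [pscustomobject]@{
            Path      = $full
            Exists    = $true
            Signature = $sig.Status
            Signer    = $signer
            Hint      = $hint
        }
    }
}

# Constructed sample input: a few of the Windows binaries discussed in this guide,
# plus one hypothetical path that does not exist on the machine
$sample = @(
    '%SystemRoot%\System32\svchost.exe',
    '%SystemRoot%\System32\spoolsv.exe',
    '%SystemRoot%\System32\sihclient.exe',
    'C:\Program Files\Example\old-version.exe'
)

Get-ExeTrustStatus -Path $sample | Format-Table -AutoSize
```

A "signed" result only tells you the file has not been altered since the publisher signed it; it is still worth reading the Signer column and checking that the subject matches who you expect the publisher to be.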

As far as what you should or shouldn't allow internet access to - that's something that's completely up to you. There may be times where putting the app on a 15 minute timer might be a good option, some apps might need a constant connection to work properly, and some don't need one at all.

Windows processes

Since many of the connection requests will come from Windows itself, here's a quick explanation of what they do. I'll reiterate that you'll have to decide for yourself whether you want to allow internet access or not.

mpcmdrun.exe / smartscreen.exe / mrt.exe / msmpeng.exe / nissrv.exe - I'm grouping all of these together, since they are all part of Windows Defender. If you want Defender to work properly, these need internet access. If you use a third party AV, it might be okay to disable these, though if Defender is hardened properly, it's an excellent option for many home users.

sihclient.exe - SIH means service initiated healing. This process will connect to the internet to automatically fix issues with Windows. This happens in the background and stays out of the user's way.

ntoskrnl.exe (shows as "System" in Simplewall) - This process is a core component of Windows and is needed for the computer to work properly. It may or may not be an issue to block internet access for this. I've tested both and things seem to work okay. Your mileage may vary.

waasmedicagent.exe - This process is used to fix issues with Windows Update. In order for it to work properly, it needs access to connect to MS servers to fix any problems.

compattelrunner.exe - This process name is short for Windows Compatibility Telemetry. This sends data from your computer to MS.

dashost.exe - The name is short for Device Association Framework Provider Host. This is used to pair hardware with your device (e.g. keyboards).

devicecensus.exe - This sends device data to MS servers. According to an employee that posted in the MS forums, "This is the background process that runs to check your machine and tell us which build we should send to you."

phoneexperiencehost.exe - This is a process that lets people pair their Android phone to Windows.

spoolsv.exe - This is the print spooler service. You may notice issues with printing if you block this process.

svchost.exe - This process is disabled by default when you install Simplewall. If you attempt to enable it, a popup will show, warning you that internet traffic can escape through unexpected ways and asking if you want to continue.

The warning is not wrong to say that. Some malware can hide its traffic behind svchost, since it is a generic host for many Windows services. Blocking this can break other components of Windows though.

For example, you may use Hyper-V to create VMs. If you have this process blocked, the VM won't be able to access the internet. The same goes for Windows Update. If you block this, you should manually run Windows Update on some sort of schedule to keep receiving security patches.

systemsettings.exe - This will come up when you open Settings. It seems like this is just to collect telemetry on what you change in the Settings panel.

taskhostw.exe - This is used to start up Windows services during boot.

widgets.exe - This is used for Windows widgets. If you use widgets, they might need internet access to work properly.

Blocklist

In addition to blocking Windows services, Simplewall also has an IP blocklist built in. By default, it blocks 540 IPs that MS uses to collect data. It has a list of 1496 IPs in total. You can change the IPs individually, but there's not really going to be any use in doing that.

There's a simple way to manage what's blocked and allowed. At the top of the window, you'll see a tab named "Blocklist." There are three different menu options - spying and telemetry, applications, and update. If you wanted to block all of the apps, for example, you can turn that on. When you enable and disable these lists, the firewall will stall for about 5 seconds while it applies the rules.

Whether you want to enable or disable anything here is completely at your discretion. I presume that many using this app probably want to block the telemetry as much as possible.

System Rules

This is an optional area where you can enable and disable certain protocols. Keep in mind that doing this may have a significant effect on the usability of your system.

Just because something is enabled, doesn't mean that it needs to stay that way. For example, when you go to this page for the first time, you'll notice things like LLMNR (Link-Local Multicast Name Resolution) and NetBIOS are enabled. Not everything should be disabled. For example, if you turn off DNS, websites won't load anymore.

While some people may use every service that is enabled by default, having them enabled and not in use gives a larger attack surface. Whether or not you should disable anything in here will require you to test your computer thoroughly to see if things will continue to work well. I recommend only turning off one rule at a time, then using your computer as you normally would for a week or two to see if anything seems to not be working right.

Once you have a good configuration for your computer, it would be prudent to get a screenshot and save it with a backup. When you eventually reinstall Windows, you won't have to guess what you had disabled.
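As an added example (not code from the original post or from Simplewall), here is a PowerShell check that reports what Windows itself thinks about the two protocols named above, LLMNR and NetBIOS over TCP/IP, and which processes are bound to their UDP ports. A Simplewall system rule blocks the traffic in WFP but does not switch the feature off, so this view complements the Simplewall rule when you are deciding which one to test next. The registry path and the port numbers are standard Windows values; the function name is my own.

```powershell
# Added example (not part of the original post or Simplewall): report whether LLMNR
# and NetBIOS over TCP/IP are still enabled at the Windows level, and whether any
# process is listening on their UDP ports, regardless of what Simplewall blocks.

function Get-LegacyNameResolutionStatus {
    # LLMNR is controlled by the DNS client policy value EnableMulticast
    # (0 = disabled). A missing value means the default, which is enabled.
    $llmnrKey        = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    $enableMulticast = (Get-ItemProperty -Path $llmnrKey -Name EnableMulticast -ErrorAction SilentlyContinue).EnableMulticast
    $llmnrEnabled    = ($null -eq $enableMulticast) -or ($enableMulticast -ne 0)

    # NetBIOS over TCP/IP is per adapter: 0 = take the DHCP default (usually on),
    # 1 = enabled, 2 = disabled
    $adapters = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object {
            $mode = switch ($_.TcpipNetbiosOptions) {
                0       { 'DHCP default' }
                1       { 'Enabled' }
                2       { 'Disabled' }
                default { 'Unknown' }
            }
            [pscustomobject]@{ Adapter = $_.Description; NetBIOS = $mode }
        }

    # Listening UDP endpoints: 5355 = LLMNR, 137/138 = NetBIOS name and datagram service
    $ports = @{ 5355 = 'LLMNR'; 137 = 'NetBIOS-NS'; 138 = 'NetBIOS-DGM' }
    $listeners = Get-NetUDPEndpoint |
        Where-Object { $ports.ContainsKey([int]$_.LocalPort) } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Protocol = $ports[[int]$_.LocalPort]
                Port     = $_.LocalPort
                Address  = $_.LocalAddress
                Process  = if ($proc) { $proc.ProcessName } else { "pid $($_.OwningProcess)" }
            }
        }

    [pscustomobject]@{
        LLMNREnabledByPolicy = $llmnrEnabled
        NetBIOSPerAdapter    = $adapters
        ListeningEndpoints   = $listeners
    }
}

$status = Get-LegacyNameResolutionStatus
"LLMNR enabled by policy: $($status.LLMNREnabledByPolicy)"
$status.NetBIOSPerAdapter  | Format-Table -AutoSize
$status.ListeningEndpoints | Format-Table -AutoSize
```

Run it before and after you flip a system rule: the listening endpoints will still be there when only the Simplewall rule is in place, which is expected, since the rule stops the packets rather than the service. Saving this output alongside the screenshot mentioned above gives you a text record of the state you tested.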

Connections & Packets Log

These two sections are good ways to have a look at what apps and services are connecting to the internet and where the traffic is going. I don't recommend being neurotic about checking these logs though. When people are new to using these, many have a tendency to become hyper suspicious of everything and analyze every single thing going on.

It's normal to have a stream of traffic going in and out. If you have Steam running in the background, a window open with a video playing, and you're working with a webapp, there's going to be plenty of traffic just from that. It's a good idea to check these once in a while though to make sure nothing suspicious is going on.

Now if you really want to get detailed, you'll need to use something like Wireshark. You'll have way more information about connections if you use that. Simplewall is a good way to have a basic idea of what's going on though. Just a note - when you click into and browse through the packets log, the app might start to lag. This is just due to the huge amount of logs it shows you.
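As an added example (not code from the original post or from Simplewall), this PowerShell builds the same picture the Connections tab gives you, which process owns each established outbound TCP connection and where it goes, straight from the OS tables, so you can cross-check what the app shows. The function name and the loopback filter are my own; the cmdlets are standard on Windows 10 and later.

```powershell
# Added example (not part of the original post or Simplewall): list established
# outbound TCP connections with the owning process, the way the Connections tab
# does, using Get-NetTCPConnection and Get-Process.

function Get-OutboundConnectionSummary {
    param(
        # Loopback and link-local peers are noise for this purpose; opt in to see them
        [switch] $IncludeLocal
    )

    $procCache = @{}   # process id -> process object, so each process is queried once

    Get-NetTCPConnection -State Established |
        Where-Object {
            $IncludeLocal -or -not (
                $_.RemoteAddress -like '127.*' -or
                $_.RemoteAddress -eq '::1'    -or
                $_.RemoteAddress -like 'fe80:*'
            )
        } |
        ForEach-Object {
            $procId = $_.OwningProcess
            if (-not $procCache.ContainsKey($procId)) {
                # Path comes back empty for protected system processes unless elevated
                $procCache[$procId] = Get-Process -Id $procId -ErrorAction SilentlyContinue
            }
            $proc = $procCache[$procId]
            [pscustomobject]@{
                Process   = if ($proc) { $proc.ProcessName } else { "pid $procId" }
                Path      = if ($proc) { $proc.Path } else { $null }
                Remote    = "$($_.RemoteAddress):$($_.RemotePort)"
                LocalPort = $_.LocalPort
            }
        } |
        Sort-Object Process, Remote
}

# First the "who is talking, and to how many hosts" view, then the full list
$conns = Get-OutboundConnectionSummary
$conns | Group-Object Process | Select-Object Name, Count |
    Sort-Object Count -Descending | Format-Table -AutoSize
$conns | Format-Table -AutoSize
```

This only covers TCP; UDP traffic has no connection state in the OS tables, which is one reason the packets log (or Wireshark, as noted above) is the place to look when a UDP-heavy app is in question. A process with many remote hosts is not suspicious by itself: a browser or Steam will top the count on most days, as the section above says.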

Issues

If you come across a bug or some other issue while using Simplewall, you'll need to report it to the dev on the official GitHub repo. Feel free to contact me on one of my social channels as well and let me know what's going on. If there's a solution to it that doesn't require the dev to fix, it could be something I can add to this guide.