
Firewall

This is going to be a long section packed with a lot of info, so grab a snack and a sleeping bag!

This is one of Defender’s biggest weaknesses right now, but it is easily remedied. Years ago, when the Windows firewall was still new, people got into the habit of turning it off by default. It is never recommended to turn off your firewall; it is an absolutely critical piece of a layered security approach. MS has improved the firewall a lot, but I don’t recommend using it by itself, for reasons covered throughout this section.

If you use a third party suite, I strongly recommend picking one that includes a firewall. Some of the suites only include AV software, but not a firewall. The complete solutions are usually called internet security suites or have some kind of goofy name like “Ultra Complete Cloud Edition Maximum Security.”

There are a couple of options that I use and recommend to other people, Simplewall and Portmaster, though both take some learning to use properly. These are both free and open source firewalls; they run in tandem with Windows Firewall and work well. There are other free Windows firewalls I’ve tested, but they seem lackluster in comparison to these tools. I’ve made video guides on how to use Simplewall and Portmaster and will also have written documentation for each in this section. The devs for each program also have their own documentation.

Portmaster

Portmaster guide

This is my favorite free Windows firewall by far, for a few really good reasons. First, it has a user-friendly and intuitive network activity screen. Being able to see incoming and outgoing traffic is really important because there can be tell-tale signs that something isn’t right. Without this program, you would need something like Wireshark to monitor traffic. (Note: Wireshark is more powerful if you are willing to run an extra program and learn it.) If you haven’t monitored network traffic before, it just takes some time to figure out what you’re looking at and what issues there might be.

Second, you can filter traffic by app, IP address, and domain. Simplewall doesn’t have the ability to filter domains, though it is still a very powerful firewall. This is the part that can cause some issues for new users who aren’t used to doing this kind of stuff. Every once in a while, a legitimate website will fail to load and you will have to take a look at the network activity screen to figure out what needs to be unblocked. This is mostly because of filter lists, which I’ll cover next.

Third, you can set which filter lists you want to use. There are mixed opinions on this subject, since the more lists you use, the less usability you have and the more issues you run into. I run with almost all the lists enabled and have almost no issues. Some sites like social media platforms will have issues here and there, but that is mostly because they get blocked for egregious privacy problems. Something to note here is that there are a handful of ad and tracker blocking lists. These don’t replace the need for an adblocker in your browser.

Fourth, Portmaster comes with encrypted DNS built in. This is covered in much more detail in the networking section. This is much better than using encrypted DNS only in the browser, since every DNS request coming from the operating system is encrypted, which would normally require a separate program like YogaDNS. Encrypted DNS keeps anyone on the network path from reading or tampering with your lookups, and depending on the provider you use, like Quad9 or dns0, a lot of malware-laden domains get refused at resolution time, before the threats could even make it to your computer. This is a very detailed topic that needed its own section, so refer to the DNS page in the networking area for more information.

Fifth, and the last big option Portmaster has, is something called the Safing Privacy Network (SPN). This is hailed as an alternative to VPNs, which for most users, don’t do a damn bit of good. This statement is qualified further in the networking section. I have given SPN a test drive and it seems to work well, but it wasn’t something that was necessary for my needs. A big advantage to it is how it works. It uses onion routing (layered encryption) with entry and exit nodes, much like Tor does, but works at the operating system level instead of the browser level. Safing has a lot of documentation on this feature. I suggest reading it so you can figure out whether this is something you want or need.

VPN vs. SPN

Now that I’ve got all that out of the way, let’s dive into a rundown of how to use this. When you open up the program, you’ll be greeted with the network activity screen. This shows all your incoming and outgoing connections. Portmaster blocks incoming connections by default, and it’s best to leave it that way. You don’t want any random device to be able to connect to your system.

The graph near the top part of the screen shows allowed connections as green and blocked connections as red. If you see a bunch of blocked connections, don’t freak out. It just means the firewall is doing its job and a lot of those connections are probably telemetry related anyway.

There will end up being a ton of connections that show up and you could end up having a couple dozen pages of connections to go through in any ten minute period. A lot of this will have to do with how well your Windows OS is locked down. The more telemetry is blocked, the less cluttered the network activity area will be.

When you open up one of the connections, you’ll see a lot of information, such as the domain, the app associated with the connection, the IP address (IPv4 and IPv6), the time of the connection, the protocol used (TCP or UDP), if the connection was encrypted, the country the IP address belongs to, if the connection was routed through SPN, among a few other things. Like I mentioned previously, if you’ve never monitored network traffic before, it will take some time and practice to figure out what to look for.

From here, you can click on process details. Doing so will let you see more details about the app associated with the traffic. This part starts to become more important if you are doing threat hunting. You will also have the options to block or allow that traffic. One thing to note here: if you unblock a connection to get a website to load, you will need to exit the browser and then reload the site to get it to work.

You can also click app settings. This will let you set more specific rules per app, such as the default network action (allow or block), whether to force block internet access, whether to accept incoming connections, custom filter rules, etc.

The next section in the app is the apps and profiles page. This is another area where you select individual apps, like mentioned before, to change their settings. You can also create profiles if you so choose and switch between them when you want. There’s not much more to say here.

The next section is SPN settings. If you don’t already have a subscription, it will have a screen to purchase one. I’m not going to cover this since it’s not something that everyone needs. I suggest reading the documentation from Safing to see if it’s something you want or need. If so, they have covered the usage of it very well.

The last section is global settings. The first option you’ll see is Secure DNS. Earlier in this page, I mentioned encrypted DNS; this is what Secure DNS is. For more info about why this is so important, take a look at the network security section of this site. If you click on quick settings on the top right of this setting, you’ll see four options to choose from: Cloudflare, Quad9, AdGuard, and Foundation for Applied Privacy. Of these choices, I recommend Quad9. This recommendation is covered in detail in the DNS section. You can also use other options here such as ControlD or dns0.

When you select a DNS server, you’ll need to make sure your browsers are set to use the default (system) DNS option if you have changed it. The reason for this is that Portmaster will send all DNS traffic from your operating system through your server of choice. If you set your browser’s DNS setting to a custom resolver, you’ll have issues getting webpages to load, which is covered later. Check out the video on the right for more details about this.

The next option in the global settings page is to always use DNS cache. There isn’t much to add to this that the program doesn’t already say if you click the tooltip next to its name. It says it can improve DNS resolving performance but might lead to some connection errors due to outdated DNS records. If you have some delay in getting websites to load, you may see this program give you a notification asking if you want to turn this on. This doesn’t really matter much either way.

The next option is the default network action. By default, Portmaster has this set to allow. This means any connection that isn’t blocked by a filter list or a per-app rule will be allowed. This isn’t really an issue for an average home user, though if you want to increase security and privacy, you would want to change this to either block or prompt.

Setting it to block would have niche use cases and would likely be because you were trying to do something specific with your computer. If you select prompt, you’ll quickly see why this isn’t the default option. There is a way to use prompt without having a ton of notifications pester you, which I cover later in this section. This has been a weakness of a lot of firewalls as well, and is not something I would hold against Portmaster. It’s just doing what it’s supposed to do.

The next options you will see are force block internet access and force block LAN. Both of these are self explanatory and are not something that an average home user would have much use for.

The next button is to force block P2P/direct internet connections. This is not likely something you would need to configure, and it’s not turned on by default. It blocks outgoing connections to IP addresses that were not first returned by a DNS lookup, which is how most peer-to-peer traffic works. An example would be if you used an app to sail around the Caribbean, or if you played an old game where you connect directly to someone else’s IP, i.e. Diablo 1 or 2.

The outgoing rule option allows you to set rules on outgoing connections. This is something that’s not going to be applicable to the vast majority of people. If you do need to set a custom rule, refer to the tooltip on Portmaster to get more info.

Now we move to the filter lists, which is one of Portmaster’s strongest features. This allows you to block a ton of garbage from the operating system level. Filters are used in various network security programs or routers to block annoying and/or malicious domains and IP addresses. In the case of Portmaster, there are a bunch of lists with a short explanation for what each one does.

You can select whichever ones you want to use, which you will need to base off of your wants or needs in regards to security and privacy. Blocking things like ads, trackers, and telemetry are good choices. Whatever you end up selecting here will be shown as being blocked on the network activity screen when that domain or IP attempts a connection. When you start to look at what’s being blocked, you’ll see why this is such an excellent feature to have.

You’ll see an option underneath the lists asking if you want to block subdomains of filter list entries. This is on by default and I recommend it stays that way. An example of a subdomain would be something like news[.]google[.]com. Google[.]com is the registered domain (sitting under the .com top level domain), whereas the news part is what is called a subdomain. With this option on, a list entry for google[.]com also blocks news[.]google[.]com and any other host under it. Disabling it would weaken the security benefit provided by the block lists, since a tracker only has to move to a new subdomain to slip past an exact-match entry.

The next option is to block bypassing. You have to click on the tooltip to get more info. When this is on, Portmaster blocks apps that try to go around it, such as a browser with its own custom DNS-over-HTTPS setting, which would otherwise override the Secure DNS server you picked in Portmaster and skip the filter lists entirely. If you uncheck this option, you’ll lower the security of your device, and that isn’t something I recommend.

The only other option on this page worth mentioning is the UI mode, which allows you to select simple, advanced, or developer. Selecting a different option other than the standard simple interface will give more options, but isn’t necessary for efficient use of Portmaster.

And there you have it! Adding this to your security toolbox will make Windows much safer. This tool is simple to use and adds a lot to the security posture, especially with the encrypted DNS function.

Simplewall

Simplewall guide

The written section is coming soon! Please refer to the video for more info on using Simplewall.