What's the best firewall?

[User9841148774 0]

I want to block traffic from some applications when the VPN is down.

A free version is strongly preferable, but without any virus or popups etc.

I use Win7.

What is the best firewall for this purpose?

[michigan82 4]

https://airvpn.org/index.php?option=com_kunena&func=view&catid=3&id=3405&Itemid=142

[Philiberti 9]

I have found VPN Watcher to be very good. The full version costs $4.95 and will allow unlimited applications (free version just allows 1) and will pause or suspend these when the connection is down (free version just stops the 1 application as soon as the connection goes down). Although AirVpn is not in their list of tested providers I have had no trouble since I installed it over 6 months ago.

I am using Windows 7 32 bit.

[Philiberti 9]

PS - It's not a firewall but an independent application into which you enter the .exe file of the application you require.

I tried blocking via my firewall (Kaspersky Internet Security 2012) and was not able to do so.

I just start this application from my desktop and of you go - I have Firefox in my apps so I get a secure browser window popping up which will pause until the connection is re-established. great app for less than $5 one off payment.

[iHabanCUeUtj 1]

  Quote

I want to block traffic from some applications when the VPN is down.

A free version is strongly preferable, but without any virus or popups etc.

I use Win7.

What is the best firewall for this purpose?

I didn't see "software firewall running on Windows", but it seems implied. So far, the only software firewall I've ever used that doesn't phone home; cause unacceptable performance hits; or eventually cause some bizarre problem, such as dropping DHCP packets... is Windows Firewall.

I would recommend a reasonably configurable Linux or BSD firewall, either in the form of a re-purposed off-the-shelf wireless router running OpenWrt, or in the form of a small, cheap PC.

Or you can look at some of the more obscure solutions, such as a Mikrotik router. For instance:

http://routerboard.com/RB750GL (just a router)

http://routerboard.com/RB2011L-IN (a rather powerful router)

http://routerboard.com/RB2011UAS-IN (one with a touch screen)

http://routerboard.com/RB2011UAS-2HnD-IN (wireless router, touch screen)

So far as I can tell, a Mikrotik router will probably last a while, and it will probably be secure, whereas a "Cisco" (Linksys), D-Link, or NetGear router might crash at high throughput, die in a week, and/or have unpatched security holes.

And the prices are startlingly reasonable.

[hedon 0]

Mikrotik are really good routers, but have in mind that they have limited OpenVPN implementation.

They doesnt support UDP and compression (LZO), therefore not usuable for AirVPN.

I've tried everything to connect, but failed.

On Mikrotik devices with more memory, it's possible to install OpenWRT instance in it's Metarouter (virtual machine), which has full OpenVPN implementation. With last firmware 5.22 (2012-Nov-23), OpenWRT finally works inside Metarouter without crashing on RB450. Still, I have some problems with that too.

Upcoming hardware that looks quite promising is Ubiquity EdgeMAX.

http://www.ubnt.com/edgemax

But just for firewall purpose, I agree with your recommendation, definitely Mikrotik.

[skxBMrYsxlli 9]

  Quote

Mikrotik are really good routers, but have in mind that they have limited OpenVPN implementation.

They doesnt support UDP and compression (LZO), therefore not usuable for AirVPN.

I've tried everything to connect, but failed.

That's very strange. I've found confirmation here and there that RouterOS' core is merely a Linux kernel of some description, so, unless they've made the rest of the environment quite incompatible, there's no reason--other than a very weedy CPU--that they shouldn't be able to offer OpenVPN in its entirety.

  Quote

Upcoming hardware that looks quite promising is Ubiquity EdgeMAX.

http://www.ubnt.com/edgemax

Now, that is a very interesting link. I've been looking at Ubiquiti—sometimes Mikrotik—for some time, trying to decide whether I'd like to spend the money on building myself a far better AP than you can achieve with the rather unreliable hardware available from vendors like NetGear.

I'm somewhat puzzled that they're using MIPS64 in this product, although I wonder if it's simply because many of the much larger network hardware vendors have settled on MIPS64. Perhaps the encryption and packet decoding acceleration they refer to was only available with the CPU. (Perhaps Cavium? They only appear to offer the base "Octeon" CPU, though: 4 cores.)

I didn't see a reference on the UBNT product page, but Wikipedia claims that the EdgeMax is loaded with http://www.vyatta.com/ , which could be very cool indeed.

The one immediate concern I have, though, is that they're offering people CLI access "though" the web interface. That's almost certain to be a terrible idea. It's just possible that they have a nice, AJAX-y shell-like JS app that operates entirely in the context of an HTTPS session, but more and more people are offering ssh access via JavaScript, which is a completely terrible idea: http://www.matasano.com/articles/javascript-cryptography/

You could, in theory, do it with IE (terrible idea) and ActiveX (a more terrible idea), or you could do it with Chrome NaCl, which is completely nonstandard, and may only ever work in Chrome.

[feb82 0]

has anyone managed to get airVPN working with a mikrotik router?

I can connect using TCP on 443 but I've not got any routing over it yet.

I seem to pick up an IP at airVPN but I think im doing somthing daft stopping my routing over that interface.

Cheers