Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: logos on October 04, 2010, 01:50:38 AM

Title: AIS firewall: a few questions (W7 related)
Post by: logos on October 04, 2010, 01:50:38 AM
does AIS firewall supports IPV6? I actually couldn't care less as as far as I know, there aren't many web sites supporting it, but the thing is that Win7 has to use it at LAN level to support homegroup connections. I already noticed that switching this firewall from home to work or public doesn't change anything on a homegroup network on Win7, all computers remain available and accessible whatever the mode is. At the opposite Win 7 native firewall does support IPV6 protection, and unrelated here, when switched to public mode, disables homegroups automatically.

 Also, W7 leaves the opportunity to third party firewall developers to use an API call in the setup disabling in Windows firewall what this third party firewall can do, and leaving all the rest active. No idea if Avast does that. If yes, this would mean that it's better to leave Windows firewall on. The only thing that still works in Seven, as opposed to Vista or XP when you disable the firewall, is IPsec, but not IPV6 protection.

 Any comment, especially from Lukor, appreciated.


reference: http://technet.microsoft.com/en-us/library/cc755158%28WS.10%29.aspx
Quote
In Windows Server 2008 R2 and Windows 7, Windows Firewall with Advanced Security enables more specific disabling of its features through published application program interface (API) calls. When a third-party firewall program is installed, the installer can disable only those portions of Windows Firewall with Advanced Security that conflict with the services that are provided by the third-party program. Other Windows Firewall with Advanced Security services are left enabled, and continue to help protect your computer.

...so again, does Avast do that automatically if Windows firewall is left running?

adding:the thing is that you're very unlikely to have homegroup computers near you when connecting to a public network, that homegroup connections are encrypted and passworded...meaning that protecting the IPV6 traffic there isn't a must be. Oh yeah, there's a controversy on many sites as to whether IPV6 is mandatory only at homegroup creation and joining time, or constantly in order for homegroups computers to communicate properly. I'll check that tomorrow by disabling IPV6 on two W7 systems here.
Title: Re: AIS firewall: a few questions (W7 related)
Post by: Lisandro on October 04, 2010, 02:30:33 AM
Good questions. I'm also interested in the answers.
Seems that it's time to push the firewall up. They can. :)
Title: Re: AIS firewall: a few questions (W7 related)
Post by: MasterTB on October 04, 2010, 10:37:36 AM
Me too, every new article I read about the quality and capabilities of the Windows 7 Built in firewall make me miss it even more and wonder if a third party firewall is as good when handling network protection.
Specially considering the multiple active profile configuration of the windows firewall. I have that need on my laptop which at work is connected at two different networks simultaneously and I'm not sure the Avast! firewall behaves that way, I have seen it switch to the hardest profile when connecting to the less secure network -the Internet Proxy- while still connected to the corporate lan.

Martin.-
Title: Re: AIS firewall: a few questions (W7 related)
Post by: lukor on October 05, 2010, 03:26:32 PM
Hello guys,

I am sorry, but currently avast firewall does not support ipv6. The only way it can control ipv6 is via Packet rules, where you can create rule for protocol IPv6 (41) - but there you can basicaly just block IPv6 completely. IPv6 support will be added in future versions.

Avast Firewall does not disable Windows Firewall during install, not in part or as a whole - as far as I know.

Lukas.
Title: Re: AIS firewall: a few questions (W7 related)
Post by: logos on October 05, 2010, 03:42:55 PM
okay thanks for the feedback; yeah like you said manually you can just block or allow IPV6. Now the thing is that as said there aren't that much IPV6 traffic on the web right now... it's always supposed to happen...well one day ;)

 Just right now IPV6 as I described above is being used at LAN level on homegroup connections, completely unprotected. This could matter on large LANs, and I must admit that on mine, it doesn't matter. I would have just liked that AIS firewall would have been able at least to disable homegroup automatically when switched to public mode.

 Also apparently, yes as you confirmed, when Windows firewall is left running prior to installing AIS, Avast setup isn't able (as described by MS) to deactivate automatically in Windows firewall what it (AIS firewall) is able to do, and leave the rest on (like IPV6 protection), meaning that we're bound after all to leaving Windows firewall on.
Title: Re: AIS firewall: a few questions (W7 related)
Post by: Lisandro on October 05, 2010, 04:19:52 PM
Thanks Lukas.

Avast Firewall does not disable Windows Firewall during install, not in part or as a whole - as far as I know.

Two other questions:

1. What about performance? I mean, letting both firewalls running won't affect performance?
2. Some users say that two firewalls conflict and could bring troubles each other. Others say no, it's ok.
   From your development point of view, what is better in case of AIS? Why?
Title: Re: AIS firewall: a few questions (W7 related)
Post by: wsx123 on October 05, 2010, 07:50:57 PM
I would also like to know if leaving Avast and Windows 7 firewall running at the same time will create problems.
Title: Re: AIS firewall: a few questions (W7 related)
Post by: lukor on October 05, 2010, 07:56:10 PM
Windows 7 firewall uses completely different set of kernel API to provide its functionality than Avast FW. Since we work on both WinXP and WinVista/7 we have choosen NDIS/TDI model which is available on both platforms. Windows Vista/7 firewall is implemented differently. This is why I don't see any significant problems running both firewalls together - besides the obvious fact that you have to allow certain communication in both of them (which might easily be a hassle, I admit) - but from the compatibility point of view, it is perfectly ok.

The idea of switching the Homegroup off (or at least to have such option) when in public mode seems pretty nice. We have to definitely make it there. Thanks Logos.
Title: Re: AIS firewall: a few questions (W7 related)
Post by: logos on October 05, 2010, 08:14:47 PM


The idea of switching the Homegroup off (or at least to have such option) when in public mode seems pretty nice. We have to definitely make it there. Thanks Logos.


glad that you like the idea too ;) ...because as said, otherwise, switching to public mode on Seven makes no difference with the other mode, incoming connections from other homegroup computers remain possible (+ it runs on IPV6 and there's already no safety as AIS doesn't support it).
Title: Re: AIS firewall: a few questions (W7 related)
Post by: Lisandro on October 05, 2010, 10:47:01 PM
Quote
Two other questions:

1. What about performance? I mean, letting both firewalls running won't affect performance?
2. Some users say that two firewalls conflict and could bring troubles each other. Others say no, it's ok.
   From your development point of view, what is better in case of AIS? Why?
???
Title: Re: AIS firewall: a few questions (W7 related)
Post by: lukor on October 06, 2010, 04:16:10 PM
Quote
Two other questions:

1. What about performance? I mean, letting both firewalls running won't affect performance?
2. Some users say that two firewalls conflict and could bring troubles each other. Others say no, it's ok.
   From your development point of view, what is better in case of AIS? Why?
???

??? ??? ???
Title: Re: AIS firewall: a few questions (W7 related)
Post by: lukor on October 06, 2010, 04:17:55 PM


The idea of switching the Homegroup off (or at least to have such option) when in public mode seems pretty nice. We have to definitely make it there. Thanks Logos.


glad that you like the idea too ;) ...because as said, otherwise, switching to public mode on Seven makes no difference with the other mode, incoming connections from other homegroup computers remain possible (+ it runs on IPV6 and there's already no safety as AIS doesn't support it).

Switching to the public mode in AIS makes quite a difference even on Win7. Just IPv6 is not supported/protected.
Title: Re: AIS firewall: a few questions (W7 related)
Post by: logos on October 06, 2010, 04:38:16 PM


The idea of switching the Homegroup off (or at least to have such option) when in public mode seems pretty nice. We have to definitely make it there. Thanks Logos.


glad that you like the idea too ;) ...because as said, otherwise, switching to public mode on Seven makes no difference with the other mode, incoming connections from other homegroup computers remain possible (+ it runs on IPV6 and there's already no safety as AIS doesn't support it).

Switching to the public mode in AIS makes quite a difference even on Win7. Just IPv6 is not supported/protected.

not really as when you got homegroup network activated (the default), all the LAN runs on IPV6. Other connections aren't possible anyway as they would rely on the old "xp-like" username+password method + common workgroup name between computers, and this is obviously de-activated.

 How do you explain that incoming connections keep coming and working from other homegroup computers when AIS is in public mode then?
Title: Re: AIS firewall: a few questions (W7 related)
Post by: lukor on October 06, 2010, 04:59:28 PM

 How do you explain that incoming connections keep coming and working from other homegroup computers when AIS is in public mode then?

Have you seen this on IPv4? E.g. with IPv6 protocol unchecked on the network adapter?

Thanks a lot. Lukas.
Title: Re: AIS firewall: a few questions (W7 related)
Post by: logos on October 06, 2010, 05:24:48 PM

 How do you explain that incoming connections keep coming and working from other homegroup computers when AIS is in public mode then?

Have you seen this on IPv4? E.g. with IPv6 protocol unchecked on the network adapter?

Thanks a lot. Lukas.

okay there's a controversy and I didn't test yet. Some are saying that IPV6 is mandatory only at homegroup creation time and joining time, while others say it's mandatory constantly
  ...after testing >>> and it seems that indeed, IPV6 is not mandatory all the time, and you're right ;D, once IPV6 is de-activated, homegroup connections keep working, and public mode does block incoming connections (so when IPV4 alone is on) ;)

edit: would be of course nice if IPV6 gets fully supported in a future release, and we don't have to turn it off.
Title: Re: AIS firewall: a few questions (W7 related)
Post by: lukor on October 06, 2010, 05:39:36 PM

edit: would be of course nice if IPV6 gets fully supported in a future release, and we don't have to turn it off.

Totaly agree. Althought I don't see it used that much around, since it is natively supported in Win7 it is a must. We are working on it.
Title: Re: AIS firewall: a few questions (W7 related)
Post by: randunyogo on October 12, 2010, 08:40:36 PM
Hello guys,

I am sorry, but currently avast firewall does not support ipv6. The only way it can control ipv6 is via Packet rules, where you can create rule for protocol IPv6 (41) - but there you can basicaly just block IPv6 completely. IPv6 support will be added in future versions.

Avast Firewall does not disable Windows Firewall during install, not in part or as a whole - as far as I know.

Lukas.

Hi, When I try to set up a rule in the Packet Rules for IPv6, I select IPv6 (41) for the protocol and Block for the action, but when I click OK and close the window, the settings go back to Allow and All. Is this a bug?
Title: Re: AIS firewall: a few questions (W7 related)
Post by: logos on October 12, 2010, 08:56:39 PM
an advice: don't play with packet rules, unless you're ready to go for a full AIS re-install. Happened to me already and to others, modifying is very often either not taken into account or breaks everything, last experience I got from that was a multicast internal IP not corresponding to my router's DHCP range, while obviously something got modified that ignored my router. While deactivating the firewall and rebooting solved the issue, there was no way to repair, as said I had to re-install AIS from scratch.

 I guess we'll have to wait for 5.1 to get rid of some annoying bugs. But yeah, this is hardly acceptable for a supposed to be finish product. No offense guys but this firewall becomes easily very unstable when you play with advanced settings.
Title: Re: AIS firewall: a few questions (W7 related)
Post by: randunyogo on October 12, 2010, 09:11:51 PM
Thanks for the tip Logos. Is it okay to leave IPv6 on for Vista then?
Title: Re: AIS firewall: a few questions (W7 related)
Post by: logos on October 12, 2010, 09:21:47 PM
Thanks for the tip Logos. Is it okay to leave IPv6 on for Vista then?

for Vista it doesn't matter, as LAN connections don't use IPV6 like on Seven, so yes, it's okay to leave it on. But you won't be protected on rare IPV6 WAN connections by Avast, only way would be to leave Windows Firewall active.
Title: Re: AIS firewall: a few questions (W7 related)
Post by: randunyogo on October 12, 2010, 09:27:54 PM
Ok thank you.
Title: Re: AIS firewall: a few questions (W7 related)
Post by: lukor on October 12, 2010, 11:43:43 PM
Hi, the easiest way to disable IPv6 in Vista/Win7, if you don't use it at all, is disabling it right on the network adapter.

1) open the network control panel (e.g. by start/run and typing: ncpa.cpl)
2) find your local area connection (or Wireless Network Connection adapter - or both) and click properties
3) in the list of installed services choose Internet Protocol Version 6
4) uncheck the checkbox right next to it
5) click ok

This way you'll disable IPv6 on that adapter.

In avast firewall you can do it in the packet rules. Open the packet rules dialog, click add new rule, choose protocol 41, direction BOTH, action: DENY, click OK. Should be done.

I am afraid I must here confirm the bug on the dialog - it will display ALLOW again when the dialog is reopen, even when the rule is correctly set to block. This is a new present from the GUI team introduced with the latest program update. Its just the presentation layer (I mean, the rules are ok, just the dialog does not show it correctly) but I understand that does not makes much difference to you, guys. Sorry.
Title: Re: AIS firewall: a few questions (W7 related)
Post by: logos on October 12, 2010, 11:57:14 PM
oh okay, so the rule is still respected, it's just a GUI issue, thanks for letting us know. I've had this problem before and thought my input was ignored.
Title: Re: AIS firewall: a few questions (W7 related)
Post by: lukor on October 12, 2010, 11:59:23 PM
Very ugly issue, since this was working just ok already before the last update. We have it of course fixed already, just waiting for some update to deliver it to you guys.