Author Topic: AIS firewall: a few questions (W7 related)  (Read 11037 times)

0 Members and 1 Guest are viewing this topic.

Offline logos

  • Avast Überevangelist
  • Serious Graphoman
  • *****
  • Posts: 9442
AIS firewall: a few questions (W7 related)
« on: October 04, 2010, 01:50:38 AM »
does AIS firewall supports IPV6? I actually couldn't care less as as far as I know, there aren't many web sites supporting it, but the thing is that Win7 has to use it at LAN level to support homegroup connections. I already noticed that switching this firewall from home to work or public doesn't change anything on a homegroup network on Win7, all computers remain available and accessible whatever the mode is. At the opposite Win 7 native firewall does support IPV6 protection, and unrelated here, when switched to public mode, disables homegroups automatically.

 Also, W7 leaves the opportunity to third party firewall developers to use an API call in the setup disabling in Windows firewall what this third party firewall can do, and leaving all the rest active. No idea if Avast does that. If yes, this would mean that it's better to leave Windows firewall on. The only thing that still works in Seven, as opposed to Vista or XP when you disable the firewall, is IPsec, but not IPV6 protection.

 Any comment, especially from Lukor, appreciated.


reference: http://technet.microsoft.com/en-us/library/cc755158%28WS.10%29.aspx
Quote
In Windows Server 2008 R2 and Windows 7, Windows Firewall with Advanced Security enables more specific disabling of its features through published application program interface (API) calls. When a third-party firewall program is installed, the installer can disable only those portions of Windows Firewall with Advanced Security that conflict with the services that are provided by the third-party program. Other Windows Firewall with Advanced Security services are left enabled, and continue to help protect your computer.

...so again, does Avast do that automatically if Windows firewall is left running?

adding:the thing is that you're very unlikely to have homegroup computers near you when connecting to a public network, that homegroup connections are encrypted and passworded...meaning that protecting the IPV6 traffic there isn't a must be. Oh yeah, there's a controversy on many sites as to whether IPV6 is mandatory only at homegroup creation and joining time, or constantly in order for homegroups computers to communicate properly. I'll check that tomorrow by disabling IPV6 on two W7 systems here.
« Last Edit: October 04, 2010, 01:55:33 AM by Logos »
w7 - ais7

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67255
Re: AIS firewall: a few questions (W7 related)
« Reply #1 on: October 04, 2010, 02:30:33 AM »
Good questions. I'm also interested in the answers.
Seems that it's time to push the firewall up. They can. :)
The best things in life are free.

Offline MasterTB

  • Jr. Member
  • **
  • Posts: 78
Re: AIS firewall: a few questions (W7 related)
« Reply #2 on: October 04, 2010, 10:37:36 AM »
Me too, every new article I read about the quality and capabilities of the Windows 7 Built in firewall make me miss it even more and wonder if a third party firewall is as good when handling network protection.
Specially considering the multiple active profile configuration of the windows firewall. I have that need on my laptop which at work is connected at two different networks simultaneously and I'm not sure the Avast! firewall behaves that way, I have seen it switch to the hardest profile when connecting to the less secure network -the Internet Proxy- while still connected to the corporate lan.

Martin.-
Running Avast! IS on a Windows 7 Ultimate x64 PC
Phenom II x6 1090T @4.05 GHz.
Asus Crosshair V Formula
8GB Kignston DDR3 @1638 MHz.
2x Sapphire HD 6870 OC CrossfireX
Creative X-Fi Fatal1ty Extremegamer Pro
LG 24" LED Monitor
OCZ Vertex 2 SSD
2x 1TB WD Caviar Black HDD
ASUS DVD-RW Drive

Offline lukor

  • Avast team
  • Super Poster
  • *
  • Posts: 1879
    • AVAST Software
Re: AIS firewall: a few questions (W7 related)
« Reply #3 on: October 05, 2010, 03:26:32 PM »
Hello guys,

I am sorry, but currently avast firewall does not support ipv6. The only way it can control ipv6 is via Packet rules, where you can create rule for protocol IPv6 (41) - but there you can basicaly just block IPv6 completely. IPv6 support will be added in future versions.

Avast Firewall does not disable Windows Firewall during install, not in part or as a whole - as far as I know.

Lukas.

Offline logos

  • Avast Überevangelist
  • Serious Graphoman
  • *****
  • Posts: 9442
Re: AIS firewall: a few questions (W7 related)
« Reply #4 on: October 05, 2010, 03:42:55 PM »
okay thanks for the feedback; yeah like you said manually you can just block or allow IPV6. Now the thing is that as said there aren't that much IPV6 traffic on the web right now... it's always supposed to happen...well one day ;)

 Just right now IPV6 as I described above is being used at LAN level on homegroup connections, completely unprotected. This could matter on large LANs, and I must admit that on mine, it doesn't matter. I would have just liked that AIS firewall would have been able at least to disable homegroup automatically when switched to public mode.

 Also apparently, yes as you confirmed, when Windows firewall is left running prior to installing AIS, Avast setup isn't able (as described by MS) to deactivate automatically in Windows firewall what it (AIS firewall) is able to do, and leave the rest on (like IPV6 protection), meaning that we're bound after all to leaving Windows firewall on.
w7 - ais7

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67255
Re: AIS firewall: a few questions (W7 related)
« Reply #5 on: October 05, 2010, 04:19:52 PM »
Thanks Lukas.

Avast Firewall does not disable Windows Firewall during install, not in part or as a whole - as far as I know.

Two other questions:

1. What about performance? I mean, letting both firewalls running won't affect performance?
2. Some users say that two firewalls conflict and could bring troubles each other. Others say no, it's ok.
   From your development point of view, what is better in case of AIS? Why?
The best things in life are free.

Offline wsx123

  • Full Member
  • ***
  • Posts: 112
Re: AIS firewall: a few questions (W7 related)
« Reply #6 on: October 05, 2010, 07:50:57 PM »
I would also like to know if leaving Avast and Windows 7 firewall running at the same time will create problems.
Windows 7 Ultimate 32 bit, Intel Pentium D, 2.8GHZ, 2GB ram, Avast Internet Security 7

Offline lukor

  • Avast team
  • Super Poster
  • *
  • Posts: 1879
    • AVAST Software
Re: AIS firewall: a few questions (W7 related)
« Reply #7 on: October 05, 2010, 07:56:10 PM »
Windows 7 firewall uses completely different set of kernel API to provide its functionality than Avast FW. Since we work on both WinXP and WinVista/7 we have choosen NDIS/TDI model which is available on both platforms. Windows Vista/7 firewall is implemented differently. This is why I don't see any significant problems running both firewalls together - besides the obvious fact that you have to allow certain communication in both of them (which might easily be a hassle, I admit) - but from the compatibility point of view, it is perfectly ok.

The idea of switching the Homegroup off (or at least to have such option) when in public mode seems pretty nice. We have to definitely make it there. Thanks Logos.

Offline logos

  • Avast Überevangelist
  • Serious Graphoman
  • *****
  • Posts: 9442
Re: AIS firewall: a few questions (W7 related)
« Reply #8 on: October 05, 2010, 08:14:47 PM »


The idea of switching the Homegroup off (or at least to have such option) when in public mode seems pretty nice. We have to definitely make it there. Thanks Logos.


glad that you like the idea too ;) ...because as said, otherwise, switching to public mode on Seven makes no difference with the other mode, incoming connections from other homegroup computers remain possible (+ it runs on IPV6 and there's already no safety as AIS doesn't support it).
w7 - ais7

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67255
Re: AIS firewall: a few questions (W7 related)
« Reply #9 on: October 05, 2010, 10:47:01 PM »
Quote
Two other questions:

1. What about performance? I mean, letting both firewalls running won't affect performance?
2. Some users say that two firewalls conflict and could bring troubles each other. Others say no, it's ok.
   From your development point of view, what is better in case of AIS? Why?
???
The best things in life are free.

Offline lukor

  • Avast team
  • Super Poster
  • *
  • Posts: 1879
    • AVAST Software
Re: AIS firewall: a few questions (W7 related)
« Reply #10 on: October 06, 2010, 04:16:10 PM »
Quote
Two other questions:

1. What about performance? I mean, letting both firewalls running won't affect performance?
2. Some users say that two firewalls conflict and could bring troubles each other. Others say no, it's ok.
   From your development point of view, what is better in case of AIS? Why?
???

??? ??? ???

Offline lukor

  • Avast team
  • Super Poster
  • *
  • Posts: 1879
    • AVAST Software
Re: AIS firewall: a few questions (W7 related)
« Reply #11 on: October 06, 2010, 04:17:55 PM »


The idea of switching the Homegroup off (or at least to have such option) when in public mode seems pretty nice. We have to definitely make it there. Thanks Logos.


glad that you like the idea too ;) ...because as said, otherwise, switching to public mode on Seven makes no difference with the other mode, incoming connections from other homegroup computers remain possible (+ it runs on IPV6 and there's already no safety as AIS doesn't support it).

Switching to the public mode in AIS makes quite a difference even on Win7. Just IPv6 is not supported/protected.

Offline logos

  • Avast Überevangelist
  • Serious Graphoman
  • *****
  • Posts: 9442
Re: AIS firewall: a few questions (W7 related)
« Reply #12 on: October 06, 2010, 04:38:16 PM »


The idea of switching the Homegroup off (or at least to have such option) when in public mode seems pretty nice. We have to definitely make it there. Thanks Logos.


glad that you like the idea too ;) ...because as said, otherwise, switching to public mode on Seven makes no difference with the other mode, incoming connections from other homegroup computers remain possible (+ it runs on IPV6 and there's already no safety as AIS doesn't support it).

Switching to the public mode in AIS makes quite a difference even on Win7. Just IPv6 is not supported/protected.

not really as when you got homegroup network activated (the default), all the LAN runs on IPV6. Other connections aren't possible anyway as they would rely on the old "xp-like" username+password method + common workgroup name between computers, and this is obviously de-activated.

 How do you explain that incoming connections keep coming and working from other homegroup computers when AIS is in public mode then?
« Last Edit: October 06, 2010, 04:40:31 PM by Logos »
w7 - ais7

Offline lukor

  • Avast team
  • Super Poster
  • *
  • Posts: 1879
    • AVAST Software
Re: AIS firewall: a few questions (W7 related)
« Reply #13 on: October 06, 2010, 04:59:28 PM »

 How do you explain that incoming connections keep coming and working from other homegroup computers when AIS is in public mode then?

Have you seen this on IPv4? E.g. with IPv6 protocol unchecked on the network adapter?

Thanks a lot. Lukas.

Offline logos

  • Avast Überevangelist
  • Serious Graphoman
  • *****
  • Posts: 9442
Re: AIS firewall: a few questions (W7 related)
« Reply #14 on: October 06, 2010, 05:24:48 PM »

 How do you explain that incoming connections keep coming and working from other homegroup computers when AIS is in public mode then?

Have you seen this on IPv4? E.g. with IPv6 protocol unchecked on the network adapter?

Thanks a lot. Lukas.

okay there's a controversy and I didn't test yet. Some are saying that IPV6 is mandatory only at homegroup creation time and joining time, while others say it's mandatory constantly
  ...after testing >>> and it seems that indeed, IPV6 is not mandatory all the time, and you're right ;D, once IPV6 is de-activated, homegroup connections keep working, and public mode does block incoming connections (so when IPV4 alone is on) ;)

edit: would be of course nice if IPV6 gets fully supported in a future release, and we don't have to turn it off.
« Last Edit: October 06, 2010, 05:38:46 PM by Logos »
w7 - ais7