Add "Ask to Connect" mode to pause new connection and let user to allow/block it

Open tnodir opened this issue 2 years ago • 27 comments

tnodir avatar May 24 '22 16:05 tnodir

This issue has been linked to a Canny post: Interactive Mode :tada:

canny[bot] avatar Jul 23 '22 09:07 canny[bot]

Is this feature still on the roadmap for implementation?

It's the only thing preventing me from permanently using Fort Firewall

mepherion avatar Mar 13 '23 20:03 mepherion

Yes, it is. OK, let me add some basic functionality…

tnodir avatar Mar 14 '23 03:03 tnodir

Thanks! Something similar to Netlimiter's prompt would probably work for most use cases

mepherion avatar Mar 15 '23 21:03 mepherion

> Thanks! Something similar to Netlimiter's prompt would probably work for most use cases

Nope, that doesn't work. It only asks for applications that you have added in the "ask" category. Who knows how many programs and services are connecting from behind your back.

It should be like xvirus firewall, where any app that tries to connect invokes a notification and ability to record the answer in settings permanently.

wealstarr avatar Sep 21 '23 16:09 wealstarr

> > Thanks! Something similar to Netlimiter's prompt would probably work for most use cases
>
> Nope, that doesn't work. It only asks for applications that you have added in the "ask" category. Who knows how many programs and services are connecting from behind your back.
>
> It should be like xvirus firewall, where any app that tries to connect invokes a notification and ability to record the answer in settings permanently.

Netlimiter has a setting that allows you to change the default blocker mode to "ask" instead of like deny all or allow all

mepherion avatar Sep 22 '23 00:09 mepherion

+1, I really need this feature.

ahdung avatar Nov 27 '23 06:11 ahdung

This function is very important, please put this as your first priority

Littleweisheit avatar Dec 21 '23 08:12 Littleweisheit

> This function is very important

Why?

Most firewalls don't pause connections, but just show notification about blocked ones: Windows Firewall Control (WFC) by BiniSoft.org, Simplewall, GlassWire.

Portmaster, NetLimiter pause connections, because they have drivers.

(I'm going to work on this feature on winter holidays. And now I'm doing other easy ones.)

tnodir avatar Dec 21 '23 10:12 tnodir

> > This function is very important
>
> Why?
>
> Most firewalls don't pause connections, but just show notification about blocked ones: Windows Firewall Control (WFC) by BiniSoft.org, Simplewall, GlassWire.
>
> Portmaster, NetLimiter pause connections, because they have drivers.
>
> (I'm going to work on this feature on winter holidays. And now I'm doing other easy ones.)

I am using Simplewall. It will ask me to allow or block; before that, Simplewall will block the connection. (Of course it is better to pause.)

"Ask to Connect" is more suitable for personal-use scenarios and is different from the scenarios on a server.

Ordinary users don't know which software on the Windows system will connect to the network, and there is no way to write rules in advance. Editing the rules after problems occur will interfere with the user experience.

Especially in Windows, there is a lot of software that will quietly connect to the Internet, and many users are unaware of this. Ask to connect will make users more aware of what is happening in their systems.

So almost all firewalls have the "Ask to Connect" function.

NetLimiter is closed-source software.

Littleweisheit avatar Dec 21 '23 11:12 Littleweisheit

> I am using Simplewall. It will ask me to allow or block; before that, Simplewall will block the connection.

  1. Simplewall provides rules to Windows Filtering Platform (WFP) and does not block connections itself
  2. Simplewall shows notification about blocked connection, because it can not pause connections

Fort also shows notification about blocked connection. So, I don't see a difference.

tnodir avatar Dec 21 '23 13:12 tnodir

> > I am using Simplewall. It will ask me to allow or block; before that, Simplewall will block the connection.
>
> 1. Simplewall provides rules to Windows Filtering Platform (WFP) and does not block connections itself
> 2. Simplewall shows notification about blocked connection, because it can not pause connections
>
> Fort also shows notification about blocked connection. So, I don't see a difference.

When "Fort" supports "Ask to Connect", the difference will be small. Simplewall does not support paths like D:\softwate\*\abc.exe; the wildcard in the path is usually a version number.

Littleweisheit avatar Dec 21 '23 14:12 Littleweisheit

@tnodir But simplewall can Allow in the dialog: [image]

Users don't care if it pauses or blocks the connection, I think; we just need a dialog which provides Allow and Block choices.

ahdung avatar Dec 22 '23 01:12 ahdung

There's a big difference between pause and block before asking to connect.

Pause would be least impactful to users.

Say you are installing an app and in the middle of the installation, it needs an internet connection to continue. If the firewall straight up blocks and drops the connection, then the firewall prompts the user, user allows it, the installation would break. The user would have to cancel and retry it.

mepherion avatar Dec 22 '23 02:12 mepherion

I know the difference. I want to say it doesn't matter: retry is fine, not too much inconvenience. Users accept retrying but do not accept creating rules manually; that's the point. So Allow does not continue the connection, it just creates a rule automatically.

ahdung avatar Dec 22 '23 03:12 ahdung

For users who value privacy and security more than convenience, even blocking a connection would be preferable to allowing a connection, until the user chooses to block or allow on a pop-up dialogue :-) A failed installation can be retried. A data leak is final and cannot be reversed.

danielmmmm avatar Jan 17 '24 13:01 danielmmmm

> > This function is very important
>
> Why?
>
> Most firewalls don't pause connections, but just show notification about blocked ones: Windows Firewall Control (WFC) by BiniSoft.org, Simplewall, GlassWire.
>
> Portmaster, NetLimiter pause connections, because they have drivers.
>
> (I'm going to work on this feature on winter holidays. And now I'm doing other easy ones.)

I also join the supporters of this feature, by the way essential for any self-respecting firewall. At first glance this firewall already has pretty much everything you need, except a popup notification unfortunately. The absence of such functionality prevents me from using it as my main firewall.

The BiniSoft Windows Firewall Control actually temporarily blocks the connection and then alerts the user whether to allow it or not, personally tested with installers that required online content downloads.

SimoLRepo avatar Jan 17 '24 21:01 SimoLRepo

> The BiniSoft Windows Firewall Control actually temporarily blocks

From WFC’s manual: “The notifications are displayed for blocked connections, not for paused”

tnodir avatar Jan 18 '24 06:01 tnodir

@tnodir Please don't care if it's a real "pause", we just want a button to create rules with one click on demand, this has worked well for many years on simplewall, the only problem with it for me is that it doesn't support wildcard fuzzy matching, so if your two tools combined that would be perfect.

ahdung avatar Jan 19 '24 00:01 ahdung

> @tnodir Please don't care if it's a real "pause", we just want a button to create rules with one click on demand, this has worked well for many years on simplewall, the only problem with it for me is that it doesn't support wildcard fuzzy matching, so if your two tools combined that would be perfect.

Yeah, for now I just care about "Ask to allow connect".

Littleweisheit avatar Jan 20 '24 03:01 Littleweisheit

> > The BiniSoft Windows Firewall Control actually temporarily blocks
>
> From WFC’s manual: “The notifications are displayed for blocked connections, not for paused”

WFC evidently does not consider "paused" (TIME_WAIT) connections simply because they have already been passed and allowed by the user. The connections that remain in this state are usually legitimate system processes, blocking them would not make much sense unless you set a "paranoid" mode.

However, I have read some threads on MalwareTips that report instabilities in this software. Until it's stable I won't be able to use it.

SimoLRepo avatar Jan 24 '24 10:01 SimoLRepo

> I have read some threads on MalwareTips that report instabilities in this software.

@SimoLRepo Do you mean instabilities in Fort Firewall? Then they were fixed already.

tnodir avatar Jan 24 '24 17:01 tnodir

> Do you mean instabilities in Fort Firewall? Then they were fixed already.

Okay, thanks for the clarification

SimoLRepo avatar Jan 26 '24 19:01 SimoLRepo

Partially implemented in v3.11.0, i.e. "pausing the conn" is not yet implemented.

tnodir avatar Jan 31 '24 15:01 tnodir

@tnodir simplewall works fine, but I rarely use the allow action, which for simplewall means allow all network connections. I use user rules more (inbound/outbound, protocol, port, IP address). Is there a similar feature?

Mexthey avatar May 01 '24 03:05 Mexthey

> I use user rules more (inbound/outbound, protocol, port, IP address). Is there a similar feature?

@Mexthey Not yet. I’m working on it.

tnodir avatar May 01 '24 05:05 tnodir

> > I use user rules more (inbound/outbound, protocol, port, IP address). Is there a similar feature?
>
> @Mexthey Not yet. I’m working on it.

OK, I'll try it. I noticed someone above said "we just need a dialog which provided a Allow and Block", but to me user rules are also important. simplewall does not support paths such as C:xx\xxx* and cannot distinguish svchost.exe with different parameters, and the author does not seem to have plans to support these, but fort does. This is great, thanks.

Mexthey avatar May 01 '24 09:05 Mexthey