Closed aadrian closed 3 years ago
So it looks like the firewall side of things is just outputting iptables rules, so porting that to netsh wouldn't be too bad. If an intermediary fw language was used, this would be much easier. Not sure if it works with Windows 10, but wipfw might be useful, as it would have most if not all functionality needed.
I haven't looked too closely just yet, but I think the slightly harder part would be the process stuff in /proc, as that's not similar at all.
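The iptables-to-netsh port the comment above sketches, as an added example that is not OpenSnitch code and not part of this thread: a small PowerShell translator that turns single-chain iptables rules into "netsh advfirewall firewall add rule" commands. The function name, the rule-name prefix and the two input rules are constructed for this illustration; only -A INPUT/OUTPUT, -p, -s, -d, --sport, --dport and -j ACCEPT/DROP/REJECT are handled, and anything else is rejected rather than silently dropped.

```powershell
# Added example (not OpenSnitch code): translate a single iptables rule into
# a "netsh advfirewall" rule. Windows sees every rule from the host's point of
# view, so -d/--dport of an OUTPUT rule become remoteip/remoteport, while the
# same flags on an INPUT rule become localip/localport.
function ConvertTo-NetshRule {
    param(
        [Parameter(Mandatory)][string]$IptablesRule,
        [string]$NamePrefix = 'ported'   # assumed prefix for the generated rule name
    )

    $tok = $IptablesRule.Trim() -split '\s+'
    $chain = $null; $proto = 'any'; $src = $null; $dst = $null
    $sport = $null; $dport = $null; $target = $null

    # Case-sensitive so that -P (policy) or -S (list) fall through to the
    # error branch instead of being mistaken for -p / -s.
    for ($i = 0; $i -lt $tok.Count; $i++) {
        switch -CaseSensitive ($tok[$i]) {
            '-A'      { $chain  = $tok[++$i] }
            '-p'      { $proto  = $tok[++$i].ToLower() }
            '-s'      { $src    = $tok[++$i] }
            '-d'      { $dst    = $tok[++$i] }
            '--sport' { $sport  = $tok[++$i] }
            '--dport' { $dport  = $tok[++$i] }
            '-j'      { $target = $tok[++$i] }
            default   { throw "unsupported iptables token: '$($tok[$i])'" }
        }
    }

    $dir = switch ($chain) {
        'INPUT'  { 'in' }
        'OUTPUT' { 'out' }
        default  { throw "chain '$chain' has no netsh equivalent (FORWARD and custom chains are not supported)" }
    }
    $action = switch ($target) {
        'ACCEPT' { 'allow' }
        'DROP'   { 'block' }
        'REJECT' { 'block' }   # netsh has no "reject with ICMP"; closest is block
        default  { throw "target '$target' is not supported" }
    }

    # Swap endpoints according to direction (see comment at the top).
    if ($dir -eq 'out') {
        $remoteIp = $dst; $remotePort = $dport; $localIp = $src; $localPort = $sport
    } else {
        $remoteIp = $src; $remotePort = $sport; $localIp = $dst; $localPort = $dport
    }

    # netsh only accepts port matches together with protocol tcp or udp.
    if (($remotePort -or $localPort) -and (@('tcp', 'udp') -notcontains $proto)) {
        throw "port match requires -p tcp or -p udp, got '$proto'"
    }

    $name  = (@($NamePrefix, $dir, $action, $proto, $remoteIp, $remotePort) | Where-Object { $_ }) -join '-'
    $parts = @("name=`"$name`"", "dir=$dir", "action=$action", "protocol=$proto")
    if ($remoteIp)   { $parts += "remoteip=$remoteIp" }      # accepts CIDR like iptables does
    if ($remotePort) { $parts += "remoteport=$remotePort" }
    if ($localIp)    { $parts += "localip=$localIp" }
    if ($localPort)  { $parts += "localport=$localPort" }

    "netsh advfirewall firewall add rule " + ($parts -join ' ')
}

# Usage on two constructed rules (not real OpenSnitch output).
@(
    '-A OUTPUT -p tcp -d 203.0.113.10 --dport 443 -j DROP',
    '-A INPUT -p udp -s 192.0.2.0/24 --dport 53 -j ACCEPT'
) | ForEach-Object { ConvertTo-NetshRule -IptablesRule $_ }
```

Two things do not survive a rule-by-rule translation and need handling by whoever does the port: iptables evaluates a chain first-match in order, whereas Windows Firewall lets an explicit block rule win over an allow rule regardless of creation order, so a DROP-then-ACCEPT sequence that relied on ordering changes meaning; and chain default policies (-P OUTPUT DROP) are not rules at all but map to the profile default, e.g. "netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound".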
Although not what you're looking for (as in: OpenSnitch on Windows), on Windows devices I've often recommended (and installed) Glasswire, although it's not free (or only semi-free, the 'ask to connect' feature is a paid feature) and not open source / free software. Not sure how close you'll come to LittleSnitch with it, but might be close enough?
There have been ample layer 7 packet filters (frontends) for Windows, often called "personal firewalls". A well-known example from the late '90s is ZoneAlarm (bought in 2004 by Checkpoint).
I also remember a port of OpenBSD PF to Windows, called Core Security or something like that.
I'd say you need to be specific in your issue. Which features do you find lacking in current solutions?
You can somewhat kludge together an implementation for Windows, but here are the problems:
You cannot do a "netfilter" style interception of connection attempts as they happen. Well you can, but you'd have to write a WFP (Windows Firewall Platform) callout driver as this ability is not exposed to user mode. Drivers need to be signed, so open source distribution goes out the window.
Similarly, you cannot use the Windows Firewall With Advanced Security API to control the firewall because any application that uses the API to actually control the firewall needs to be signed.
For these reasons, you are mostly restricted to commercial firewalls on Windows, with vendors who are willing to put their name on a Code-Signing certificate.
You are then left with the kludges: ETW to capture network traces, netsh commands. ETW level will not give you process information 100% of the time, since the kernel executes some pathways in worker threads or in other contexts not directly related to the socket that owns the connection. So you cannot reliably identify the process making the connection 100% of the time.

edit: removed extraneous info
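The ETW kludge described in the comment above, as an added example that is not part of the thread or of the OpenSnitch project: an elevated PowerShell script that records TCP connect attempts through the Microsoft-Windows-Kernel-Network ETW provider and then tries to map each one back to a live process, reporting the ones it cannot attribute. The session name, ETL path, capture window, and the event IDs and field names used below (12 = TCPv4 connection attempted, 28 = TCPv6 connection attempted, with PID/saddr/sport/daddr/dport event data) are assumptions taken from the provider manifest and should be checked against "Get-WinEvent -ListProvider Microsoft-Windows-Kernel-Network" on the target machine.

```powershell
# Added example, not code from OpenSnitch or from this thread. Requires an
# elevated PowerShell session with the NetEventPacketCapture module
# (Windows 8 / Server 2012 or later). Session name, path and event IDs are
# assumptions; verify them against the provider manifest on your build.
function Get-ConnectAttempts {
    param(
        [string]$SessionName = 'ConnTrace',                        # assumed session name
        [string]$EtlPath = (Join-Path $env:TEMP 'conntrace.etl'),  # assumed output path
        [int]$Seconds = 20                                         # capture window
    )

    # 1. Clear any leftover session, then subscribe an ETW session to the
    #    kernel network provider. Its "connection attempted" events carry the
    #    PID the kernel associated with the socket when the connect was issued.
    Get-NetEventSession -Name $SessionName -ErrorAction SilentlyContinue | Remove-NetEventSession
    New-NetEventSession -Name $SessionName -CaptureMode SaveToFile -LocalFilePath $EtlPath | Out-Null
    Add-NetEventProvider -Name 'Microsoft-Windows-Kernel-Network' -SessionName $SessionName | Out-Null
    Start-NetEventSession -Name $SessionName
    try {
        Start-Sleep -Seconds $Seconds
    } finally {
        Stop-NetEventSession -Name $SessionName
        Remove-NetEventSession -Name $SessionName
    }

    # 2. Decode the ETL. Event IDs assumed from the manifest:
    #    12 = TCPv4 connection attempted, 28 = TCPv6 connection attempted.
    $connectIds = 12, 28
    Get-WinEvent -Path $EtlPath -Oldest -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -eq 'Microsoft-Windows-Kernel-Network' -and $connectIds -contains $_.Id } |
        ForEach-Object {
            $ev   = $_
            $data = @{}
            # Read EventData by field name rather than by position.
            ([xml]$ev.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
            $procId = [int]$data['PID']

            # 3. Attribution is best-effort, which is the whole point of the
            #    comment above: PID 0/4 means a kernel worker thread, not the
            #    socket owner, issued the connect, and a process that exited
            #    before decoding is already gone from Get-Process.
            $proc = if ($procId -gt 4) { Get-Process -Id $procId -ErrorAction SilentlyContinue } else { $null }

            [pscustomobject]@{
                Time       = $ev.TimeCreated
                PID        = $procId
                Process    = if ($proc) { $proc.ProcessName } elseif ($procId -le 4) { '<kernel>' } else { '<exited/unknown>' }
                Path       = if ($proc) { $proc.Path } else { $null }
                Local      = "$($data['saddr']):$($data['sport'])"
                Remote     = "$($data['daddr']):$($data['dport'])"
                Attributed = [bool]$proc
            }
        }
}

# Usage: capture for 20 seconds, list the connects, then count the ones that
# could not be tied to a live user-mode process.
$attempts = @(Get-ConnectAttempts)
$attempts | Format-Table Time, PID, Process, Remote, Attributed -AutoSize
'{0} of {1} connect attempts could not be attributed to a process' -f `
    @($attempts | Where-Object { -not $_.Attributed }).Count, $attempts.Count
```

Note that this is after-the-fact logging, not interception: the connect has already left the machine by the time the event is decoded, so it cannot implement an "ask to connect" prompt the way a WFP callout driver can.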
Windows has tons of firewalls already. No need to waste the already limited resources of this project on that.
Sorry, this is out of scope :(
Hi,
Are there any plans for releasing a Windows version too? There would be many Windows users interested in one.
Even if there are many firewalls for Windows, none comes close to LittleSnitch for OSX. (The only one that comes a little bit close would be Netlimiter https://www.netlimiter.com/docs/basic-concepts/blocker )
Thank you.