
Need clues to choose my new personal FW


gagman
February 6th, 2006, 02:57 AM
Hello,

I am quite new on these boards, and have found some very interesting stuff.

I need to change my personal free FW; the old one is Kerio 4, but the free edition doesn't provide a way to share the internet connection (it is called the gateway feature in Kerio, only available in the paid version).

So... I read a lot of reviews and internet boards (above all here!), and tested some FWs.
On the short list are Safetynet, Jetico, and Core Force.
I haven't done any deeper tests, so maybe I'm missing the good one...

First question: sometimes on the boards I find sentences like:
this one is not good, surfing takes more time, the connection is slower...
Do you have any tool to know whether, with a given FW, surfing (or whatever) is slower than with another one?

Second question: some FWs (like McAfee Desktop FW, for example) deal with other protocols than TCP and UDP (like ESP, IKE, VRRP... a long list). What about FWs where there is only TCP, UDP and ICMP (Core Force is one of them)? Are IPsec packets not filtered at all? Or blocked?

Thanks to everybody with a bit of an answer... and thanks to the others too!

CrazyM
February 6th, 2006, 03:39 AM
Hi gagman

... and welcome to Wilders :)

{QUOTE-> I need to change my personal free FW; the old one is Kerio 4, but the free edition doesn't provide a way to share the internet connection (it is called the gateway feature in Kerio, only available in the paid version). <-QUOTE}
Are you sure ICS will not work with the free v4.x of Kerio? It was available in the free v2.x.

{QUOTE-> First question: sometimes on the boards I find sentences like:
this one is not good, surfing takes more time, the connection is slower...
Do you have any tool to know whether, with a given FW, surfing (or whatever) is slower than with another one? <-QUOTE}
Everyone will have different experiences with software, and firewalls are no different. It is just a matter of finding the one that works best for you.

{QUOTE-> Second question: some FWs (like McAfee Desktop FW, for example) deal with other protocols than TCP and UDP (like ESP, IKE, VRRP... a long list). What about FWs where there is only TCP, UDP and ICMP (Core Force is one of them)? Are IPsec packets not filtered at all? Or blocked? <-QUOTE}
Filtering of other protocols will vary. Keep in mind that you would need to be running something using one of these protocols in order for there to be potential vulnerabilities, and some of these other protocols will only work on private networks. For most home users TCP/IP filtering is enough.

Regards,

CrazyM

gagman
February 6th, 2006, 04:02 AM
Internet gateway:
I didn't know it was available with Kerio 2, but I confirm it is no longer in Kerio 4.

{QUOTE-> Everyone will have different experiences with software, and firewalls are no different. It is just a matter of finding the one that works best for you. <-QUOTE}
I agree with you, but when I see on the forum "my connection is 15% slower", I think there is a way to "calculate" this! It is very difficult to tell whether a connection is slower or faster just by human feeling (OK, I perform an FTP transfer and watch the clock... but in that case there is no FW issue, or only once; there is only a connection issue).

{QUOTE-> Second question: some FWs (like McAfee Desktop FW, for example) deal with other protocols than TCP and UDP (like ESP, IKE, VRRP... a long list). What about FWs where there is only TCP, UDP and ICMP (Core Force is one of them)? Are IPsec packets not filtered at all? Or blocked? <-QUOTE}

{QUOTE-> Filtering of other protocols will vary. Keep in mind that you would need to be running something using one of these protocols in order for there to be potential vulnerabilities, and some of these other protocols will only work on private networks. For most home users TCP/IP filtering is enough. <-QUOTE}

Maybe I am not an average user... I need some of those features.
Just FYI, I am a security engineer, but in my scope there are only professional tools, and above all perimeter protection, not personal protection (like Check Point, PIX, Netscreen... for FWs). So I know almost nothing about personal ones.
I need to have some VPN tunnels going through my machine, and so through my personal FW, and I don't know how they handle non-TCP/UDP protocols.

CrazyM
February 6th, 2006, 04:27 AM
{QUOTE-> I agree with you, but when I see on the forum "my connection is 15% slower", I think there is a way to "calculate" this! It is very difficult to tell whether a connection is slower or faster just by human feeling (OK, I perform an FTP transfer and watch the clock... but in that case there is no FW issue, or only once; there is only a connection issue). <-QUOTE}
There are online speed tests available for checking your overall connection speed. I think a lot of comments concerning slower connections may result from some active content filtering that some firewalls do now, but they could also be due to any number of other reasons. These options can usually be disabled, and there are firewalls that are just firewalls that should not impact your speed at all.

{QUOTE-> Maybe I am not an average user... I need some of those features.
Just FYI, I am a security engineer, but in my scope there are only professional tools, and above all perimeter protection, not personal protection (like Check Point, PIX, Netscreen... for FWs). So I know almost nothing about personal ones.
I need to have some VPN tunnels going through my machine, and so through my personal FW, and I don't know how they handle non-TCP/UDP protocols. <-QUOTE}
In addition to ICS and VPN, what other features are you looking for in a firewall? Have you considered a router instead of using ICS?

Regards,

CrazyM

gagman
February 6th, 2006, 04:46 AM
Maybe I should have a router instead of just a personal FW, but at home I would prefer not to have another piece of equipment...

I will perform some tests to see how ESP (for example) is handled by some firewalls, if I have time...
If so, I will post the results.

Mrkvonic
February 6th, 2006, 07:52 AM
Hi,
If you are into firewalls rather than a router:
My suggestion would be Sygate firewall, easy to configure for ICS, and it does not slow down your browsing. Catch 23 is that it has been bought by Symantec and the future is unknown. But the second-to-last build and the latest builds are mature, robust and stable, and since the last version came out only last year, you can live happily with Sygate for the next 2 years.
If you do not like that, then try Jetico. I have a document that explains how you can configure ICS on Jetico. It's a tricky devil, that one, but it's very powerful. The only problem is, it's sort of a very advanced beta, and there's no knowing what might happen. But again, you might be happy with the latest release. Their help is very good, though.
Mrk

gagman
February 6th, 2006, 10:41 AM
I am on the way to testing Jetico (is that very correct English???).
If you have a doc with the Jetico configuration, please tell me how I can get it.
Thanks all for your help.

Mrkvonic
February 6th, 2006, 10:58 AM
Hi,
You have the help file that you can download alongside Jetico.
Plus, I have a document on how to configure ICS. I can post it here if you like.
Mrk

hollywoodpc
February 6th, 2006, 03:15 PM
$15.00 is close enough to free for what you get. You should really think about that one. Jetico could be a good one if you know how to configure it. I still say that, for the money, Kerio is the best deal going. Plus, renewal is $9.95 a year!!!!

gagman
February 6th, 2006, 03:59 PM
Yes, buying Kerio is not a very big deal.
But I installed Jetico; I am a bit confused by the configuration (not what I see every day in my professional life), and that's why I want to go further with Jetico, just to configure it well.
Then I will choose Jetico or not.
But it's true, configuring Jetico is quite strange (even the rule order is strange!!).

Mrkvonic, may I ask you to post your doc about internet connection sharing with Jetico?

Mrkvonic
February 7th, 2006, 04:57 AM
Hi,
OK, later on when I'm back home.
Mrk

Mrkvonic
February 10th, 2006, 07:13 AM
Hi,
Sorry for the super long delay on my behalf.
Here's the document on how to configure ICS with Jetico:

Note - I did not invent this; this is the official reply from one of Jetico's guys.

The firewall can be configured for use with Internet Connection Sharing, but please note that the overall level of protection against inbound scanning will be lower in this case. This happens for the following reason.

JP Firewall has two levels of protection: the low-level Network Level and the Application Level. (We leave aside here the third level, Process Attack Protection, because it will work in any case.)

The Application Level provides the Network Level with information about applications that have active connections and about all the network traffic Windows applications are interested in. All other network traffic is blocked. This is the so-called Stateful Inspection.

Now, when you turn on Internet Connection Sharing, you get a private network (for example interface B: 192.168.0.1) and continue to have an interface with an IP address that is open to the Internet (say interface A: 207.46.156.188).

All the packets that come from interface B to interface A, and all the packets that come from the Internet for interface B: none of those packets correspond to any application in Windows! The packets should simply go from interface A to interface B and back.

So the default JP Firewall configuration with stateful inspection rules will reject the "interface A <-> interface B" traffic.

Hence, to get Internet Connection Sharing working, we should turn off Stateful Inspection in JP Firewall:

1) Select the "Configuration" tab in JP Firewall;

2) Select the following table in the "Optimal Protection" configuration tree: Root -> System IP Table -> System Internet Zone;

3) In the "System Internet Zone" table find the "Stateful TCP Inspection" rule and run the "Edit" command for the rule;

4) In the "Protocol specific" settings for the rule, uncheck the "Stateful inspection" checkbox.

5) Do the same for the "Stateful UDP Inspection" rule.

Then, the private network with interface B should be added as a Trusted Zone in JP Firewall. It can be done quite simply. After you finish configuring Internet Connection Sharing, run the Configuration Wizard program from the "Jetico Personal Firewall" program group.

The Configuration Wizard should automatically discover the private network address and add it to the list in the "Trusted zone" dialog window. Just finish the Configuration Wizard normally.

After this procedure Internet Connection Sharing should work on your computer.

Mrk
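An added illustration (not from the thread and not Jetico's code): a toy model of the decision the Jetico reply above describes, written so the two configurations can be compared side by side. The application level reports which (protocol, local port) endpoints local programs own; the network level's stateful rules pass only traffic for those endpoints, so forwarded ICS traffic, which no local program owns, is rejected until stateful inspection is turned off and the private network is trusted. The same model also covers gagman's earlier question about ESP and IKE: IKE runs over UDP/500 and can match a UDP rule, while ESP (IP protocol 50) carries no ports, so whether it passes depends only on whatever default the firewall applies to protocols it has no rule for. The interface addresses are the ones in the reply; the 192.168.0.0/24 subnet, the sample Internet address 203.0.113.5, the port numbers and the "reject other protocols" default are assumptions, and the packets are constructed inside the script.

```python
"""Toy model of a host firewall with application-aware ("stateful") rules,
illustrating the ICS behaviour described in the Jetico support reply.
This is an added example, not Jetico's code; the subnet, ports, sample
Internet address and the default for non-TCP/UDP protocols are assumptions."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

IFACE_A = ipaddress.ip_address("207.46.156.188")   # Internet side (address from the reply)
IFACE_B = ipaddress.ip_address("192.168.0.1")      # ICS private side (address from the reply)
LOCAL_ADDRS = {IFACE_A, IFACE_B}
PRIVATE_NET = "192.168.0.0/24"                     # assumed ICS subnet

PROTO_ICMP, PROTO_TCP, PROTO_UDP, PROTO_ESP = 1, 6, 17, 50   # IANA protocol numbers


@dataclass(frozen=True)
class Packet:
    proto: int
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    sport: Optional[int]
    dport: Optional[int]


def build_ipv4(proto: int, src: str, dst: str, sport: int = 0, dport: int = 0) -> bytes:
    """Constructed test packet: a 20-byte IPv4 header followed by the port pair for
    TCP/UDP, or an 8-byte stand-in for the ESP SPI/sequence fields (no ports)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    if proto in (PROTO_TCP, PROTO_UDP):
        return hdr + struct.pack("!HH", sport, dport)
    return hdr + b"\x00" * 8


def parse_ipv4(raw: bytes) -> Packet:
    """Extract protocol number, addresses and (TCP/UDP only) ports from a raw packet."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    sport = dport = None
    if proto in (PROTO_TCP, PROTO_UDP) and len(raw) >= ihl + 4:
        sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    return Packet(proto, ipaddress.ip_address(src), ipaddress.ip_address(dst), sport, dport)


class HostFirewall:
    def __init__(self, stateful_inspection: bool = True, trusted_zones=(),
                 other_proto_policy: str = "REJECT"):
        self.stateful = stateful_inspection
        self.trusted = [ipaddress.ip_network(z) for z in trusted_zones]
        self.other_proto_policy = other_proto_policy   # assumed default for ESP, AH, VRRP, ...
        self.app_endpoints = set()                     # (proto, local port) owned by a program

    def app_opens(self, proto: int, port: int) -> None:
        """The application level reports an endpoint a local program is using."""
        self.app_endpoints.add((proto, port))

    def decide(self, pkt: Packet) -> str:
        # Trusted zone: traffic to or from the private LAN is passed unconditionally.
        if any(pkt.src in z or pkt.dst in z for z in self.trusted):
            return "ALLOW"
        if pkt.proto in (PROTO_TCP, PROTO_UDP):
            if self.stateful:
                # Stateful rule: only endpoints a local application owns. Forwarded ICS
                # traffic (LAN host -> Internet, or the NATed reply) owns nothing here.
                local_port = pkt.dport if pkt.dst in LOCAL_ADDRS else pkt.sport
                return "ALLOW" if (pkt.proto, local_port) in self.app_endpoints else "REJECT"
            return "ALLOW"   # inspection off: the rule degrades to a plain TCP/UDP permit
        if pkt.proto == PROTO_ICMP:
            return "ALLOW"
        return self.other_proto_policy   # no port to match, so only the default applies


if __name__ == "__main__":
    fw = HostFirewall()
    fw.app_opens(PROTO_TCP, 51001)                     # browser connection
    fw.app_opens(PROTO_UDP, 500)                       # IKE daemon
    lan_out = parse_ipv4(build_ipv4(PROTO_TCP, "192.168.0.7", "203.0.113.5", 51000, 80))
    esp_in = parse_ipv4(build_ipv4(PROTO_ESP, "203.0.113.5", "207.46.156.188"))
    print("default config, LAN client via ICS:", fw.decide(lan_out))
    print("default config, inbound ESP:", fw.decide(esp_in))
    ics = HostFirewall(stateful_inspection=False, trusted_zones=[PRIVATE_NET])
    print("ICS config, LAN client via ICS:", ics.decide(lan_out))
```

Run it as-is to see the default configuration reject the LAN client's traffic and the ICS configuration pass it; change `other_proto_policy` to see how the ESP verdict moves without any rule matching, which is the reason a product that only understands TCP, UDP and ICMP needs its default checked rather than assumed.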

Hulk
February 12th, 2006, 12:13 PM
Do you know any app/config rules for a PC running XP using Jetico? I have allowed app rules, but when I reboot my PC the firewall keeps asking for access by command AV :-\

Mrkvonic
February 12th, 2006, 01:12 PM
Hi,
You need to save the changes.
I don't remember right now, but click the file menus and look under options. You have the choice to save upon exit or immediately. Choose immediately and the changes will be saved automatically.
Otherwise, it's rather fire and forget.
Maybe special rules for p2p and maybe gaming, but you can also mail them and they can help; they are very quick and thorough.
Mrk

khazars
February 12th, 2006, 01:33 PM
In Jetico, click Options and then click General, and there you can check the boxes to save changes automatically. Just make sure to click Apply and then OK it and then exit!

hitbit
February 12th, 2006, 06:34 PM
Have you considered looking at Grisoft's AVG Anti-Virus / Firewall combo? They are much cheaper than most, offering a 2-year license for less than most offer for a 1-year job. You can check out other users' comments about AVG and many other products at the CastleCops forums.

hitbit

gagman
February 14th, 2006, 05:30 AM
{QUOTE-> Hi,
Sorry for the super long delay on my behalf.
Here's the document on how to configure ICS with Jetico:

Mrk <-QUOTE}

Many thanks for your complete answer.