View Full Version : Jetico making me crazy.
aigle
February 19th, 2006, 01:03 PM
Just installed Jetico today and its pop-ups are making me crazy; it is constantly giving me pop-ups about my Norton products and sometimes Firefox also. Hundreds of times I have opted for REMEMBER this action, to no benefit. Is there any way other than uninstalling it?
Also I want to ask, does it use hooking techniques? I mean, can it be used with PG free or AntiHook without overlap or not?
starfish_001
February 19th, 2006, 03:26 PM
I've had a play with it this weekend - awkward to configure but seems light and very good. Prefer LnS and Outpost at this point.
Try this link
http://www.wilderssecurity.com/archive/index.php/t-62970.html
or this
http://castlecops.com/t134648-Jetico_firewall_need_help_with_this_spanish_page.html
aigle
February 19th, 2006, 08:41 PM
I just uninstalled it, I hate these pop-ups. I was so used to accepting them that I am sure if some malware asked for permission, I would have clicked yes for it also. Why don't they fix it? I will write to them. Really disappointing.
Any solution?
Kerodo
February 19th, 2006, 09:09 PM
I think the key to Jetico is to look closely at each of the popups to see what's actually going on, and then try to (when necessary) create rules of a more global nature to handle some of the common situations that come up. It definitely takes more work than your average firewall. But it's also possible to tame it as well. Hopefully they will make it a little easier in upcoming versions (if and when any arrive). But Jetico is not one of the install, set and forget firewalls.
Kaupp
February 20th, 2006, 03:48 AM
There will be a certain amount of overlap if you use Jetico with either ProcessGuard or AntiHook, but I remember someone saying here a while ago that if you create a new rule in the Ask User table of Jetico to allow access to network for local sockets, you can cut down on the popups substantially without affecting the firewall's control over internet access.
Maybe someone with more knowledge on the subject can confirm this?
starfish_001
February 20th, 2006, 08:09 AM
-{ Quote: "if you create a new rule in the ask user table of jetico to allow access to network for local sockets you can cut down on the popups substantially without affecting the firewall's control over internet access." }-
That would be very helpful - I like the firewall but ... creating the rules is difficult.
A template set would be very useful?
zapjb
February 20th, 2006, 08:15 AM
I had the same problem as the OP. I chucked it. Happy with GhostWall.
khazars
February 20th, 2006, 12:01 PM
Ok, when Jetico pops up it's asking you what you want to do with a process on your computer.
In the box that pops up, tick the box in the bottom left, 'remember my answer', then look at what Jetico is asking you!
If it's a programme you trust you obviously want to allow it access, so all examples here are for allow activity. If it's a baddie then don't allow and deny!
So Jetico pops up with this!
Event: Attacker writes to application memory
Description: Suspicious process activity
Click allow this activity; once you have done this once, the box should remain ticked on the next popup. Then you just click OK to allow this activity, usually a Windows system file like lsass or Explorer.exe or a programme.
All files asking for access are treated as hostile by Jetico and will be seen in the process attack table; these rules are made when you initially decide what a programme is allowed to do, that is, you accept it as OK!
If Jetico pops up with
Event: access to network: configuration table: Ask User
which gives you the choice of ticking these options of:
Allow activity
Block this activity
Handle As
Custom
This is where you should always choose Handle as; use Jetico's drop-down menu and choose web-browser if it's either IE, Mozilla or Opera, and if it's a mail client like Outlook Express or Mozilla Thunderbird choose web client. Make sure always to check the box in the bottom left, as having this box ticked every time you answer will reduce the pop-ups!
For all other programmes which you trust, like security programmes which need access to the internet for updates etc., you choose the application trusted zone. Sometimes Jetico will ask twice to confirm this, but remember, some programmes have many services all asking for outbound connections or network access, hence you think Jetico is giving you a hard time.
AntiVir has 4 agents all asking for access: update, notify, avguard and scheduler, so Jetico is actually alerting you to 4 separate files within one programme asking for either network access or outbound to the internet.
So, when Jetico pops up with Allow activity and Block activity with Handle as, you can use this for web client and web-browser; this is mainly for outbound connection to the internet and for access to the network. So you'll get a request first for access to the network and then, if the programme has internet capabilities, it will at some point request access to the internet once you have initialised it!
Jetico is basically not allowing any programme willy-nilly to gain access to either the network or the internet without being probed and prompted, a far better system than most firewalls that don't aggressively challenge programmes which make requests to the network. Jetico will block and prompt even if you use the cmd prompt and many other areas where other firewalls wouldn't do anything.
Jetico even asked me if I wanted to allow myself to make a new folder in Explorer!
This is why a lot of people give up, all those pop-ups, as Jetico is a very aggressive firewall, but this is what makes it one of the best. Once it's configured, about an hour's work, it's really quite quiet after that and well worth it, as it can breeze past all those leak tests and its resource use is mega low; last night I checked and it was at an all-time low for me at 1.6 MB!
An easy way to configure Jetico is to introduce all the programmes you know will need outbound access to the internet, and all the other main programmes you will be using. Please read what Jetico is asking you and choose the appropriate rule, as it will make life a lot easier for you, and also keep the box ticked at bottom left as this will limit the amount of pop-ups you get.
Last bit: with P2P networks you will get maybe anything up to a dozen pop-ups, as P2Ps are using many different IPs and/or ports. No problem, just keep clicking allow activity and choose the application trusted zone and you'll be OK!
I hope this rather disjointed discussion on Jetico helps.
Cheers Khaz
khazars
February 20th, 2006, 12:33 PM
I'll try and upload some screenshots so you can see the main box with Handle as.
Hopefully from this attachment, if it works, you'll see the allow, block activity, and handle as, which is greyed out, but once checked the drop-down menu opens up and you can choose here trusted application, web browser and web client!
khazars
February 20th, 2006, 12:35 PM
Here's another one!
khazars
February 20th, 2006, 12:39 PM
This box is accessed by clicking Options and then General; you should tick all the boxes and click optimal protection in Jetico!
zapjb
February 20th, 2006, 12:54 PM
Face it, some of us don't want to deal with an annoying prompt 10x an hour. I had the same experience with Outpost as well. The only PFs I'm comfortable with are LnS, Sygate, Kerio & GhostWall. All the others I tried so far, about 6 more, were a pain and/or failed leaktests.
khazars
February 20th, 2006, 01:01 PM
Yip, it certainly isn't everyone's cup of tea and it will also no doubt conflict with other systems! But this is just to try and help those who have been trying to configure and set up Jetico and are put off by it; everyone to their own!
khazars
February 20th, 2006, 01:03 PM
If you want real noise try AntiHook!
zapjb
February 20th, 2006, 01:08 PM
Thanks for the warning about AntiHook.
aigle
February 20th, 2006, 02:53 PM
-{ Quote: "Ok, when Jetico pops up it's asking you what you want to do with a process on your computer.
In the box that pops up, tick the box in the bottom left, 'remember my answer', then look at what Jetico is asking you!
If it's a programme you trust you obviously want to allow it access, so all examples here are for allow activity. If it's a baddie then don't allow and deny!
Cheers Khaz" }-
But what if it asks about the same programme with the same action 100 times in a few hours, isn't it crazy? I installed it and almost every 5 min it is asking about Symantec products, every time the same component with the same action.
aigle
February 20th, 2006, 03:03 PM
-{ Quote: "If you want real noise try AntiHook!" }-
I like AntiHook, can I use it with Jetico together or is it just an overlap?
khazars
February 20th, 2006, 03:14 PM
Yes, there is a lot of overlap; why not use ProcessGuard free and Prevx free beta!
AntiHook takes over your system, well mine anyway, and is really noisy. Jetico and ProcessGuard tend to go to sleep with AntiHook on, as it does take over lol! I have now suspended AntiHook through msconfig and I now know ProcessGuard is alive and well!
Prevx free
http://free.prevx.com/
khazars
February 20th, 2006, 03:22 PM
With Jetico, just make sure you check the box 'remember this answer' and put Symantec into the application trusted zone. The problem with Symantec, if you have its security suite, as I see this in many HijackThis logs, is there are many processes for Norton's anti virus and its other products, so I doubt you're seeing just the same Symantec file asking for access!
Or you're not telling Jetico it is a trusted application, and allowing it access when it asks you if it is an attacker.
When Jetico pops asking about
Event: Attacker writes to application memory
Description: Suspicious process activity
click allow this activity.
Then if it's asking for
Event: access to network: configuration table: Ask User
which gives you the choice of ticking these options of:
Allow activity
Block this activity
Handle As
Custom
This is where you should always choose Handle as; use Jetico's drop-down menu and choose web-browser if it's either IE, Mozilla or Opera, and if it's a mail client like Outlook Express or Mozilla Thunderbird choose web client. Make sure always to check the box in the bottom left, as having this box ticked every time you answer will reduce the pop-ups!
You might be better to go into Jetico's Ask User table and delete all the rules for Symantec, and then Jetico will ask again and you can follow the examples above!
I hope this helps!
aigle
February 20th, 2006, 05:25 PM
-{ Quote: "with Jetico, just make sure you check the box remember this answer and put Symantec into the application trusted zones, the problem with Symantec if you have its security suite, as I see this in many HijackThis logs, is there are many processes for Norton's anti virus and .......might be better to go into Jetico's Ask User table and delete all the rules for Symantec and then Jetico will ask again and follow these examples above! I hope this helps!" }-
So I got it, I was giving the option 'allow it'. In fact I used ZA Pro for some time and it was very easy; I could give options for any programme to connect to the net, block, or ask user option, OR kill the process.
aigle
February 20th, 2006, 05:37 PM
-{ Quote: "with Jetico, just make sure you check the box remember this answer and put Symantec into the application trusted zones" }-
So how do I put it in trusted zones, can you explain a bit?
Also I am not sure how to make the initial configuration when you start Jetico for the first time after install. I am using dial-up with a proxy server and have a single PC not attached to a network. I will be thankful if you can explain with screenshots. Your previous post was very nice. Thanks a lot.
I am going to install it again.
Also I want to ask how I can take screenshots of my PC to post, and how to edit these shots; sorry for an unrelated Q.
starfish_001
February 20th, 2006, 06:08 PM
-{ Quote: "....
I hope this helps!" }-
Thanks for the examples, this is very useful - Jetico might be noisy but ... it is very good with leak tests, as good as LnS - and better than Outpost; can block almost all, but ... it is very easy to allow a component.
Jetico shows the launching process, making saying no a bit easier - for me anyway.
khazars
February 20th, 2006, 06:53 PM
Ok, here are some more images!
khazars
February 20th, 2006, 06:55 PM
Here's another one!
khazars
February 20th, 2006, 07:03 PM
This is usually the first box you get, simply to allow or deny an application; then you usually get the previous ones for outbound to the internet or to the network!
In this example I was checking for updates for QuickTime so I could get an example for you; here QuickTime is launching Internet Explorer to access the web and Jetico sees it as an attack until I OK-ed it!
khazars
February 20th, 2006, 07:32 PM
I'll do more if you need them, but you need to tell me what you want.
khazars
February 20th, 2006, 07:38 PM
Ok, to take screenshots you simply hit the PrintScreen/SysRq key on your keyboard. Then go to Start/Programs/Accessories/Paint; in Paint you click Edit, then choose Paste, and the image should now appear in the Paint window. Then click File and Save As, make sure to select 'Save as type' and choose JPEG, choose a location to save it to, and then attach it here if you need to!
aigle
February 20th, 2006, 08:00 PM
Thanks Khazars, very helpful stuff, just reinstalled it now, no repeated popups like before, but I have a new problem: for Firefox I click 'handle as web browser' and now Firefox is not working unless I choose allow all, so what's wrong?
Same for IE.
I suspect the initial configuration may be wrong.
khazars
February 20th, 2006, 08:14 PM
Use the screenshots as examples; use the last screen as your first for IE and Firefox, so you simply choose allow activity, then when your browsers ask for access Jetico should pop up again, and then you choose the first of those last 3 screenshots I posted and click 'Handle as' and choose web browser, and you'll probably be asked again to confirm this action!
Also check the process attack table and right-click the IE and Firefox rules and change them to accept; you can also do the same for the Ask User table and make sure they are set to handle as and set to web browser!
You might be best to go into the Ask User table, right-click and delete all the IE and Firefox rules, and then try again?
aigle
February 20th, 2006, 08:24 PM
From this window there are 3 options, which one should I choose? As I told you, my PC is not connected to any network and I use dial-up with a proxy server. I chose only the first option.
aigle
February 20th, 2006, 08:28 PM
-{ Quote: "You might be best to go into the ask user table and right click and delete all the IE and firefox rules and then try again?" }-
How can I access the process attack table and Ask User table?
aigle
February 20th, 2006, 09:38 PM
-{ Quote: "here's another one!" }-
I think the choice should be 'handle as system file' here rather than application trusted zone. Am I right?
khazars
February 21st, 2006, 04:53 AM
For your screenshot you simply accept Jetico's selection for that, the trusted zone, and the next one for the untrusted zone! Yes, you could accept it as system application, but I think putting it as trusted application means the rule will be in the trusted zone!
When you double-click the Jetico icon on your status bar this will open up Jetico and you can navigate to the Ask User table and any other table! In my screenshot this is in the Ask User table, and I have opened up the Options tab! Note I have two optimal protections listed with the bottom one selected; this is a Jetico ruleset I saved and imported to use after I reinstalled Windows XP last week!
To save your Jetico rule set, click File and Save As, give the ruleset a name (I chose Jetico 2006), then save it to a safe location and back it up to floppy or CD! To import and use the ruleset, go to File, Open and navigate to the c:\program files\jetico folder, where you should copy your Jetico ruleset after a new install, and then open the ruleset to import it.
Then go to Options and tick the bottom one of the optimal protections, as you'll now have two, and make sure to tick all the boxes to save it!
aigle
February 22nd, 2006, 01:52 AM
-{ Quote: "For your screenshot you simply accept Jetico's selection for that the trusted ........ to options and tick the bottom one of the optimal protections as you'll now have two and make sure to tick all the boxes to save it!" }-
In fact, in spite of all my efforts I am not able to use it. In optimal mode it blocks all inbound and outbound traffic. I am surprised, last time it was not so. I even uninstalled and reinstalled it. It's so strange: last time my problem was only pop-ups; this time no pop-ups, but it will not allow any traffic, can't update anything and can't browse.
I will show you my set-up. This one is my trusted zone configuration; I don't know much about these set-ups, these options came by default and I just accepted and clicked next.
Nuri
February 22nd, 2006, 07:16 AM
Make a ruleset for yourself based on the default.
Here is mine: http://rapidshare.de/files/13858841/wip.bcf.html
(don't use it, it's just an example)
I get a popup when a new program tries to reach the net.
khazars
February 22nd, 2006, 07:34 AM
When you first install Jetico you should accept the defaults which Jetico picks, as it automatically configures your Trusted and Untrusted zones!
In your screen shot from post 30 you have it set to single IP address. In post 34 you have it set to Network address. I think it should be set to single IP address.
Ok, I have checked the wizard; I think now you have not set and saved optimal protection!?
Setting Jetico to optimal protection should not be a problem either; just make sure you have checked the optimal protection box and then make sure all the boxes are ticked to save changes automatically and apply changes automatically. See my screenshot from post 33!
If you have not saved optimal protection, when you reboot Jetico is not set to any ruleset, so I would imagine it's just blocking all. This happened to me too when I loaded up my saved ruleset and I forgot to save it automatically and I never checked the optimal protection button!
See if this helps!
aigle
February 22nd, 2006, 12:11 PM
Ok, I uninstalled it, did a system restore and reinstalled. I set the trusted zone to single IP address, and set optimal protection with auto save and auto apply. Firefox is set to be treated as web browser in the ASK USER TABLE and is set to accept in the PROCESS ATTACK TABLE, but still it is blocking everything on my system from accessing the internet.
Is there any official forum also? I don't know; the first time I used it, this type of problem never happened.
khazars
February 22nd, 2006, 12:24 PM
Change it from single IP address to Network address for both the trusted and the untrusted; you had it right the first time, my mistake! Go to Start/Programs/Jetico/Configuration Wizard to reset the above, then save and try it!
In my example you can see the light bulbs in the table screenshot, so you'll know it's working when the light bulbs are on!
aigle
February 22nd, 2006, 02:48 PM
So sorry to bother you again and again. I tried both ways; either way, I face the same problem. I even rebooted, just thinking that it is not able to save settings automatically (although I have already set it to save settings automatically). It is stopping all the traffic in optimal mode.
khazars
February 22nd, 2006, 03:16 PM
You must be doing something wrong here, because you don't want to be using either Deny all or Allow all, as one is as bad as the other!
The best thing to do would be to uninstall Jetico and reinstall it, but make sure you remove it all, as some features may be left on!
Double-click Jetico firewall and select allow all and save!
Go to Add/Remove and uninstall Jetico.
If you're confident editing the registry, do this!
Go to Start/Run and type regedit in the box and hit enter!
Open HKEY_CURRENT_USER\Software\Jetico, right-click it and delete the Jetico folder!
Then go to HKEY_LOCAL_MACHINE\Software\Jetico, right-click and delete it!
Go to Start/Search/For all files and folders, click 'search all files and folders', click 'more options' from the drop-down and tick the boxes for search system folders, search subfolders and search hidden files. Now search for Jetico and delete all instances of Jetico!
Reboot your computer!
Reinstall Jetico. Accept the default settings when the Jetico wizard runs. When Jetico is installed, double-click it from the status bar to open Jetico, go to Options/General, click the optimal box and check the boxes to save automatically, save default policy and apply settings, and exit!
Now see if it works!
aigle
February 22nd, 2006, 06:18 PM
-{ Quote: "You must be doing something wrong here, because you don't want to be using either Deny all or allow all as one is as bad as the other...... default policy and apply settings and exit!
Now see if it works!" }-
That's a lot of work, but I will try it. I am not very familiar with the registry, so before I delete something from it I want to make a backup of the registry, but I am not aware how to make a backup.
khazars
February 22nd, 2006, 06:21 PM
Backing up the registry!
http://support.microsoft.com/kb/322756
aigle
February 23rd, 2006, 02:55 AM
I did all as you advised. I ran it for a few minutes and then the same problem was there. So I stopped all of my active security software and disabled their loading at start-up, along with some other utilities. Then I reintroduced all programmes one by one, rebooting each time. Finally, just luckily, I found it was a conflict with a dial-up monitor software (DU Traffic) which I was using. This software is freeware but it is not well known. However, I like it and it is useful for me. I did not want it to connect to the internet, so I put it in the Application blocked zone (as I do when I use my Norton firewall). Now as soon as I go on the internet, this software is running and at the same time Jetico will block all traffic. So there were only 2 options: either I shut down this software or put it in the Application Trusted zone/allow connection etc. (that is what I did and it solved the problem).
Now the question is, if some programme is running that is in the list of the Application blocked zone, why is Jetico blocking all the traffic instead of blocking just that programme and letting other traffic run smoothly?
BTW, there is another interesting post made by me about this software (DU Traffic).
http://www.wilderssecurity.com/showthread.php?t=121458
And thanks for all your help so far. It was really great. I will just ask one more unrelated question: how can I cut my desktop snapshots down to a small size, just to show the required area only?
khazars
February 23rd, 2006, 03:24 AM
I really don't know; it just shows you what happens when two programmes don't get on: War!
Glad you got it sorted out!
Jetico can monitor your activity anyway; this is probably why it conflicted.
Another programme which can do this and doesn't conflict is Packetyzer from Network Chemistry!
aigle
February 23rd, 2006, 03:38 AM
Thanks, in fact my main aim for this programme is just to monitor internet time and bill on a log-in basis. I will continue more discussion on Jetico as I use it. Thanks a lot.
aigle
February 25th, 2006, 01:22 AM
A few questions,
1- Just my feeling that Jetico is making the system a bit slow, did you notice this?
2- Another thing: if you put anything in the blocked application list, Jetico blocks all the traffic, so you can't block anything practically?
3- It does not accept even Windows processes to be treated as system process (only accepts allow connection or treat as trusted), and if you accept a Windows process as trusted, as you mentioned in posts 24 and 23, you are losing all your security; that means any malware in a Windows process can do anything and Jetico will allow it (imagine any virus and explorer.exe wants to make a connection to the internet!).
manzz
February 25th, 2006, 10:21 AM
There is some confusion for new users of Jetico....one of the main problems is the way Jetico works...To try to explain....
Firewalls such as Outpost (and many others) give you the option to block an application; you can for example place "csrss.exe" into the blocked zone, and all internet activity will continue, but the fact is that the firewall is allowing "csrss.exe" (and others) to have net access (loopback), otherwise you would simply not be able to gain internet access. Other examples of Windows programs that require net access (not connections, just access to the loopback (localhost)) are "csrss.exe", "services.exe", "lsass.exe", "winlogon.exe", "userinit.exe" and "explorer.exe". If any of these are completely blocked, then you will not gain internet access. Jetico firewall, when you place a program into the blocked zone, will completely block that app; this then may lead to no internet access at all.
Going on to the problem of "aigle":
-{ Quote: "Finally just luckily I found it was a conflict with a dial-up monitor software (DU Traffic) which I was using. This software is freeware but it is not well known. However I like it and it is useful for me. I did not want it to connect to the internet, so I put it in the Application blocked zone (as I do when I use my Norton firewall). Now as soon as I go on the internet, this software is running and at the same time Jetico will block all traffic." }- This is more than likely due to Norton firewall allowing this app "loopback". Jetico will block everything (and the app probably requires loopback for your connections). So remove this app from the blocked zone, and allow "net access" but block "connections".
khazars
February 25th, 2006, 11:27 AM
Yes Manzz, and also make sure svchost.exe is allowed, as this will definitely block internet access! Best to put the system applications into either the trusted zone, or make Jetico allow activity!
khazars
February 25th, 2006, 11:39 AM
The blocked zone I think should only be used for blocking Trojans by port and TCP/IP. I have taken basic rules for Kerio 2.1.5 and adapted them and put them into the blocked zone!
aigle
March 11th, 2006, 06:53 PM
-{ Quote: "So remove this app from the blocked zone, and allow "net access" but block "connections"." }-
So how can I make my settings for this, can you please explain more? I will be happy if you can post it with a picture.
-{ Quote: "Yes Manzz, and also make sure svchost.exe is allowed as this will definitely block internet access! Best to put the system applications into either the trusted zone, or make Jetico allow activity!" }-
Another problem with Jetico is that it does not accept even Windows processes to be treated as system process; it only accepts allow connection or treat as trusted, and if I accept a Windows process as trusted as mentioned in posts 24 and 23, I suspect I am losing my security; that means any malware in a Windows process can do anything and Jetico will allow it (imagine any virus comes to your system and explorer.exe wants to make a connection to the internet, which it does not do normally, but as you put it in the trusted zone, Jetico will allow it).
I will be happy if anybody can post his rules for Jetico that can be used by any beginner like me.
cprtech
March 12th, 2006, 12:09 AM
Jetico FW has the potential to be outstanding, but the rules configuration nearly drove me insane. Far too tedious and far too many pop-ups for my liking.
aigle
March 12th, 2006, 01:14 AM
I am not able to see the last post of this thread, which I saw just 5 min back; maybe deleted?
khazars
March 12th, 2006, 10:32 AM
Aigle, you should just put system files into the trusted zone and that will take care of it! Yes, there are many viruses/trojans out there that try and masquerade as a legitimate file, but they will not be the same size as a legitimate file, say svchost, and Jetico will flag it, as it will know what the legitimate file is!
Part of a firewall's remit is to challenge programmes whose signature has changed, so if you update a programme (not its definitions, for say an anti virus programme), Jetico will notice the programme has changed and alert you to it; if you know you have just updated it then you can OK it with Jetico!
Jetico also uses a hash, so it will use this for checking files if modified against the original hash ID; if OK then it's allowed, if not you're asked to make a decision about it! I'll upload a screenshot of the Ask User table with the hashes showing! The hash is also used in the system application table!
This is the same process as a system file changing; Jetico will know that a legitimate file has been changed or tampered with and alert you to it! If the file has changed due to a Windows update, such as installing the monthly cycle patches, then you know it's OK!
Many system files are only listening or, as in the case of svchost.exe and services.exe, are using the internet to connect to DHCP for renewing an IP or sending out datagrams!
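The hash check khazars describes above, as an added example written for this thread (it is not Jetico's code and the thread does not say which hash Jetico uses, so SHA-256 is an assumption here). A remembered decision is keyed by the full path and pinned to the hash of the file at the time it was accepted; a changed binary at the same path, or a same-named file dropped elsewhere, gets no inherited permission and falls back to "ask". The "binaries" are constructed byte strings written to a temporary directory so the script runs offline.

```python
"""Hash-based application identity check of the kind described in the thread.

Added example, not Jetico's code.  SHA-256 is an assumption; the thread does
not name Jetico's hash.  The files are short constructed byte strings written
to a temporary directory so this runs offline.
"""
import hashlib
import os
import tempfile


def file_hash(path: str, chunk: int = 1 << 16) -> str:
    """SHA-256 of a file, read in chunks so large images do not load in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


class RuleTable:
    """Remembered decisions keyed by full path, each pinned to a file hash."""

    def __init__(self):
        self.rules = {}  # path -> (sha256 hex, decision)

    def remember(self, path: str, decision: str) -> None:
        self.rules[path] = (file_hash(path), decision)

    def lookup(self, path: str) -> str:
        """Return the stored decision, or an 'ask' reason if it cannot be reused."""
        entry = self.rules.get(path)
        if entry is None:
            return "ask:new"          # never seen at this path: prompt the user
        stored_hash, decision = entry
        if file_hash(path) != stored_hash:
            return "ask:changed"      # same path, different bytes: re-prompt
        return decision


def write(path: str, data: bytes) -> None:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo() -> dict:
    """Walk through first run, a copy elsewhere, an in-place update and re-acceptance."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        real = os.path.join(root, "system32", "svchost.exe")
        write(real, b"MZ constructed svchost image v1")  # constructed sample
        table = RuleTable()

        results["first_run"] = table.lookup(real)       # ask:new
        table.remember(real, "allow")
        results["unchanged"] = table.lookup(real)       # allow

        # Same file name dropped in another directory: a different path has
        # no rule, so it inherits nothing even with identical bytes.
        fake = os.path.join(root, "temp", "svchost.exe")
        write(fake, b"MZ constructed svchost image v1")
        results["other_path"] = table.lookup(fake)      # ask:new

        # The real binary is replaced in place (e.g. by a patch): hash differs.
        write(real, b"MZ constructed svchost image v2")
        results["after_update"] = table.lookup(real)    # ask:changed

        # The user confirms the update; the new hash is pinned.
        table.remember(real, "allow")
        results["reaccepted"] = table.lookup(real)      # allow
    return results


if __name__ == "__main__":
    for step, verdict in demo().items():
        print(f"{step:13} -> {verdict}")
```

Keying on the path alone is what makes the "same name, different folder" case safe here; a table keyed only on the image name would hand the copy the original's permission.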
aigle
March 13th, 2006, 02:51 AM
Ok, right, but two questions:
1- Why can't I choose system files as ALLOW rather than TREAT AS TRUSTED? Is there any difference between the two?
2- As I asked earlier, if I want to stop some programme from connecting to the internet, how do I configure it?
Stem
March 13th, 2006, 05:55 AM
aigle 1/pt1
System files are placed in the "system application" table,..... placing anything in "allow all" is not good practice.
Example:-
Stem
March 13th, 2006, 06:07 AM
aigle 1/pt2
To allow application network access
Stem
March 13th, 2006, 06:15 AM
aigle 1/pt3
To block network access/connections:
Stem
March 13th, 2006, 06:48 AM
aigle 1/pt4
Placing a rule to allow "net access" (1/pt2) and then a "block" rule (1/pt3) for the same app (in that order) will allow that app net access (loopback) but will stop all/any connections.
Any more questions, just ask.
khazars
March 13th, 2006, 07:12 AM
Cheers Stem for clearing that up. As from Stem's examples, only a few system files need access to the internet, mainly svchost.exe, which you can make a trusted application!
Stem
March 13th, 2006, 02:50 PM
Hi khazars,
-{ Quote: "cheers stem for clearing that up" }- If I can help, I will.
-{ Quote: "as from Stem's examples, only a few system files need access to the internet" }- The post I made was made just after I made an update from Microsoft; my normal config for system is below. (This is a config that I use, but it is only for browser use.)
aigle
March 14th, 2006, 01:49 AM
Thanks Stem for such a nice description. If you don't mind, please can you send a picture of your ASK USER TABLE and PROCESS ATTACK TABLE.
I have one query. Sometimes some operating system file asks for network access, and I give the option TREAT AS SYSTEM APPLICATION but Jetico doesn't accept it no matter how many times I try, and at that time I have no other option except to use the option ALLOW CONNECTION or TREAT AS TRUSTED ZONE. However, later if I go to the ASK USER TABLE and manually change it to TREAT AS SYSTEM APPLICATION then it accepts it (I am just assuming that it accepts it, as there is no more new popup about that file, although I suspect it might still be treating that file as trusted/allow connection as I had opted for on the first popup). I hope I was able to make my point clear.
Stem
March 14th, 2006, 10:26 AM
aigle, 2/pt1
When an app (either a system app, or a program you have installed) first requests network access, you will get this popup from Jetico:
(In this example, this is my packet analyzer requesting net access.)
Stem
March 14th, 2006, 10:28 AM
aigle 2/pt2
You can then check the rule in "ask user"
Stem
March 14th, 2006, 11:04 AM
aigle 2/pt3
Most system apps will only require "Net access" (they like to talk a lot with each other via the loopback adapter (localhost 127.0.0.1)). The exception is mainly "Svchost" which, depending on the services running on your PC, will require further rules.
Please note:-
Stem
March 14th, 2006, 12:09 PM
aigle 2/pt4
Hope I can explain this correctly:.....
Something that may be confusing you is that when you select "Handle as", this is simply placing a "Jump to" that rule-set; it is allowing whatever rules are created within the "jumped to" ruleset. If you handle as "System", there are no "open rules" (all the rules are per-app (each rule has a named program that can use that rule)), so you are not actually giving your app any "net access" (when you handle as "System").
If you were to handle as "Web browser" then this would "jump" to the web browser ruleset, which is an open ruleset (any app can use these rules once they are allowed to jump there).
aigle
March 14th, 2006, 05:26 PM
Thanks for explaining. What I understand is that if we want to treat some application as system, we first have to create a rule in the ask user table for it and then we can select TREAT AS SYSTEM FILE? Am I right? Sorry to bother you a lot, but in fact these sorts of settings are totally new for me.
Stem
March 14th, 2006, 07:27 PM
What you need to do to make Jetico treat a pgm as a "system app" is: either add the file manually as in posts 55/56, OR, if you are prompted, then allow "net access" as in post 62; you then need to go to "Ask user", left click the "New rule" (keep the mouse button held down) and drag the rule over to "System Applications".
example:-
Fumens
March 15th, 2006, 12:20 AM
Stem,
Nice and useful input in the last few posts, thanks.
I have a few questions regarding DNS, DHCP, Loopback, and ICMP & IGMP. I am still confused about how to make these rules. Do you have any suggestions or advice on how to make one? An example would be very helpful.
Thanks
Stem
March 15th, 2006, 10:12 AM
Fumens,
Most of the rules you mention are already in the default setup (rule-sets) on the installation of Jetico. But as I know Jetico can be a little confusing to the new user, I will post to show, ... and how to create new rules (where needed).
For these posts I have reloaded the default rule-set (by:- open Jetico....File....Revert to factory settings) so you can see the basic setup / rule-sets
(1) (From the default setup/ruleset) You will find DHCP request/reply rules are in the "System Applications"
Stem
March 15th, 2006, 10:15 AM
(2) (from the default setup / ruleset) DNS (UDP) and the basic ICMP rules are in the "System Internet Zone"
Stem
March 15th, 2006, 12:15 PM
(3) loopback (127.0.0.1) is placed in the "Trusted Zone" during setup. You can check / edit this by:- Go to windows "Start"...all programs....Jetico personal firewall...and select "Configuration Wizard" (Note: all pgms with net access, use the "Trusted Zone")
(I will post more later (when time permits) on ICMP, IGMP rules creation (If you need them)
Fumens
March 15th, 2006, 12:28 PM
Thanks a lot Stem,
I know now how to get there. If I may ask you again, can you give an example of how to create a rule set for:
1) DNS (TCP & UDP)
2) DHCP (reply & request)
Sorry if I ask too much, but I read in the firewall leak test that a rule-based firewall will be useless with the default configuration. So I would like to configure it myself.
I'll be waiting for the ICMP & IGMP rule set
edit - any input on how to set a rule will be helpful to me and for others, Stem
regards,
fumens
Phazor
March 15th, 2006, 11:31 PM
-{ Quote: "Jetico fw has the potential to be outstanding, but the rules configurations nearly drove me insane. Far too tedious and far too many pop-ups for my liking." }-
I'll give you that one. After seeing the firewall tests, I decided to give it a whirl.
Call me an idiot... but I spent close to half an hour trying to figure out how to access the internet. I finally gave up and decided to try out LNS.
Stem
March 16th, 2006, 01:48 AM
Fumens,
First of all, I believe that Jetico`s default ruleset is quite tight, (this is why some users have problems, and why there are so many "Popups" after first installation.)
Entering rules is simple, once you know the layout. Below is an example of outbound (UDP) DNS.
This is a "System IP rule" so you will find it in the "System Internet Zone" (by default)
(Is this how you want the info??)
Hann
March 17th, 2006, 04:02 AM
Very useful thread! I was at the point of letting Jetico go, but now that I have found this I won't be looking for another firewall for a long time. I do have a question for you guys. What settings should I make for handling a DC++ client? I mean what should be allowed and what shouldn't. Thanks.
Hann
khazars
March 17th, 2006, 05:42 AM
I have never used a Dcc client but I would set them up in the handle as application trusted zone and only allow what needs to be allowed!
I think you would need to make some rules in the system internet zone table in Jetico, one for TCP, and one for UDP? I'm sure Stem will be able to help with this? See these links below!
See this guide here on dcc as it may help with setting it up and with a firewall!
http://www.dc-resources.com/guide.htm
The outpost thread has more info on setting up ports and TCP and UDP and using a router/firewall with a link to dslreports!
http://www.outpostfirewall.com/forum/showthread.php?t=7900
http://www.dslreports.com/faq/6518
Fumens
March 17th, 2006, 07:21 AM
Stem,
Exactly what I meant, but I am confused about where I have to put the DNS server, and do I still have to put my IP address?
I believe that for DNS (UDP) there is no need to set the direction; correct me if I'm wrong. And if I am able to set the rule to allow DNS resolving, do I have to make one to block unnecessary DNS (UDP/TCP) traffic?
Thanks before
Stem
March 17th, 2006, 10:30 AM
Fumens,
The rule I showed you in post #74 is for outbound DNS, the first rule having a destination of "Name server". The "Name server" is the stored addresses of your "DNS" servers that are issued via DHCP by your ISP, (or if you use a fixed IP then this is from the info you have entered yourself) Note that this is NOT your IP, but that of your ISP DNS servers. (If you are connected to the internet directly (and not via a router or proxy), you can call up this info by:- Go to windows "Start".....Run,...and type "CMD".... click o.k. This brings up a dos window, at the Dos prompt type... IPCONFIG /ALL ...(leave a gap between the G and /) and press enter/return key. This will bring up a list including your DNS server IPs (The info shown in this list is what Jetico uses)
-{ Quote: "I believe that for DNS (UDP) there is no need to set the direction, correct me if I'm wrong." }-With most firewalls this is correct, as UDP is connectionless, but Jetico uses SPI (pseudo state (a timeout for the reply to be made from the outbound packet)) for UDP, so a direction is required. (The inbound (DNS) rule is not required unless there is a late reply from your servers; if a late reply is made then the packets will be dropped, so the inbound rule is there by default to allow for this.)
-{ Quote: "do have to make one to block unnecessary DNS (UDP/TCP) traffic?" }-All packets are processed until an "allow", "block" or "Ask" rule is found. The last rule in Jetico is to "block all non-processed packets" (so if you have not set an "allow" or "ask" rule for a packet, then the packet will be dropped).
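The processing model Stem describes above (first matching allow/block/ask rule decides, a UDP pseudo-state with a timeout lets the DNS reply back in, and a final "block all not processed" rule catches the rest) is small enough to model. The following is an added example written for this thread, not Jetico's code; the rule fields, the 2-second state lifetime, the name-server address and the sample packets are all assumptions constructed for the demonstration:

```python
"""Toy model of Jetico-style rule processing (added example, not Jetico's code).

Rules are checked in order; the first allow/block/ask match decides.  An
allowed outbound UDP datagram creates a pseudo-state entry that expires after
UDP_STATE_TIMEOUT seconds, so the reply is let in without an inbound rule.
A late reply falls through to the explicit rules, and if none matches, the
final catch-all blocks (and logs) it.  All addresses/ports are constructed.
"""
from dataclasses import dataclass
from typing import Optional

NAME_SERVERS = {"192.168.1.1"}  # assumed: what "ipconfig /all" would list as DNS server


@dataclass(frozen=True)
class Packet:
    proto: str       # "udp" or "tcp"
    direction: str   # "out" or "in"
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


@dataclass
class Rule:
    name: str
    action: str                      # "allow" | "block" | "ask"
    proto: Optional[str] = None      # None matches any protocol
    direction: Optional[str] = None  # None matches any direction
    remote_ip: Optional[set] = None  # matches dst for "out", src for "in"
    remote_port: Optional[int] = None
    log: bool = False

    def matches(self, pkt: Packet) -> bool:
        if self.proto and pkt.proto != self.proto:
            return False
        if self.direction and pkt.direction != self.direction:
            return False
        remote_ip = pkt.dst_ip if pkt.direction == "out" else pkt.src_ip
        remote_port = pkt.dst_port if pkt.direction == "out" else pkt.src_port
        if self.remote_ip is not None and remote_ip not in self.remote_ip:
            return False
        if self.remote_port is not None and remote_port != self.remote_port:
            return False
        return True


class Firewall:
    UDP_STATE_TIMEOUT = 2.0  # assumed pseudo-state lifetime, in seconds

    def __init__(self, rules):
        self.rules = rules
        self.udp_state = {}  # (local_ip, local_port, remote_ip, remote_port) -> expiry
        self.log = []

    def process(self, pkt: Packet, now: float):
        # Step 1: an inbound UDP datagram that answers a recent outbound one is
        # accepted by the pseudo-state before any rule is consulted.
        if pkt.proto == "udp" and pkt.direction == "in":
            key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
            expiry = self.udp_state.get(key)
            if expiry is not None and now <= expiry:
                return "allow", "SPI (UDP pseudo-state)"
        # Step 2: walk the rules in order; the first match decides.
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.log:
                    self.log.append(f"{now:.1f} {rule.action} {rule.name} {pkt.proto.upper()} "
                                    f"{pkt.direction} {pkt.src_ip}:{pkt.src_port} -> "
                                    f"{pkt.dst_ip}:{pkt.dst_port}")
                if rule.action == "allow" and pkt.proto == "udp" and pkt.direction == "out":
                    key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
                    self.udp_state[key] = now + self.UDP_STATE_TIMEOUT
                return rule.action, rule.name
        raise AssertionError("ruleset must end with a catch-all rule")


def dns_scenario(include_inbound_rule: bool) -> dict:
    """Run the DNS case from the thread with or without the default inbound rule."""
    rules = [Rule("DNS (UDP) outbound", "allow", proto="udp", direction="out",
                  remote_ip=NAME_SERVERS, remote_port=53)]
    if include_inbound_rule:
        rules.append(Rule("DNS (UDP) inbound (late reply)", "allow", proto="udp",
                          direction="in", remote_ip=NAME_SERVERS, remote_port=53))
    rules.append(Rule("Block all not processed IP packets", "block", log=True))
    fw = Firewall(rules)

    query = Packet("udp", "out", "192.168.1.100", "192.168.1.1", 1029, 53)
    reply = Packet("udp", "in", "192.168.1.1", "192.168.1.100", 53, 1029)
    stray = Packet("udp", "in", "10.9.8.7", "192.168.1.100", 53, 1029)  # not a name server
    return {
        "query": fw.process(query, 0.0)[0],
        "reply_in_time": fw.process(reply, 0.5)[0],
        "stray": fw.process(stray, 0.6)[0],
        "reply_late": fw.process(reply, 5.0)[0],
        "logged": len(fw.log),
    }


if __name__ == "__main__":
    for flag in (True, False):
        print("inbound rule present:" if flag else "inbound rule absent: ", dns_scenario(flag))
```

With the inbound rule present, the late reply is still allowed by the explicit rule; without it, the pseudo-state has expired and the catch-all drops and logs the reply, which is exactly the case the default inbound DNS rule exists for. The stray datagram claiming to be DNS from an unknown address is blocked either way because it matches no state entry and no allow rule.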
Stem
March 17th, 2006, 11:33 AM
Hann, khazars,...
I do not use DC++,... I have set up rules for this (for other users) in other firewalls, but cannot find my notes on this. I know that certain rules will depend on the users settings within DC++ for UDP and TCP. I have been to http://dcplusplus.sourceforge.net/ to find info on any other ports required, but as you will find from the link, the website is down for maintenance.
When I have time,(later tonight I think), I will see what info I can find (as once I can confirm all udp/tcp ports used, a ruleset will be easy to create)
Stem
March 17th, 2006, 06:25 PM
Hann (1/pt1)
I have created 4 rules for DC++ (info taken from the DC++ help files)
To enter these rules, open Jetico....configuration tab....select "ask user" then right click the blank area and select new_application rule (see pic) Do this to enter the 4 rules (see pic on next post for the 4 rules)_
I have not created a new table etc. for these rules (to save confusion); just ensure that you place the application into the rule so only that App can use the rule.
I did install DC++ to test the rules, and all o.k., but after logging on to a "Hub" I was informed I did not have enough files to share (well, I didn't set up any files to share) and I was disconnected.
If you get any popups while using DC++ let me know (take a note of the connection request) and also check the log to see if any packets are lost.
Stem
March 17th, 2006, 06:26 PM
Hann (1/pt2)
Here are the 4 rules for DC++ (if you are behind a router, then you must forward the ports 1025-32000)
These rules are created for the default setup of DC++, if you enter ports yourself outside this range of 1025-32000 then the rules will need adjustment
Stem
March 17th, 2006, 10:10 PM
Hann (1/pt3)
An edit on the rules (one to add). Have connected up to do full test on the rules, and outbound datagrams pops up now and again, so I am adding this rule. If anything else shows up,.... I will post the revision
(I have connected for uploads/downloads to see if anything else is needed)
DaveJJJ
March 18th, 2006, 12:54 PM
Could someone take a moment to just explain the logical flow of the configuration menu? I mean I don't grasp it at all. For example there are three main entries; "Optimal protection", "Allow all", and "Block all." Would it be possible to add another main entry? Maybe "Block all but Log events?"
Thanks!
Stem
March 18th, 2006, 02:56 PM
-{ Quote: "Could someone take a moment to just explain the logical flow of the configuration menu? I mean I don't grasp it at all. " }-Take time to read the Jetico help files, which explain this.
-{ Quote: "there are three main entries; "Optimal protection", "Allow all", and "Block all." Would it be possible to add another main entry? Maybe "Block all but Log events?"" }-This is in the help file, but not explained very well.
As you want to add a "block all with logging", you should re-load the block policy, and then add a rule (within the new policy) to block applications with logging (and then re-name the policy).
DaveJJJ
March 18th, 2006, 08:25 PM
Ok, I admit that there is a lot in the help file when you fully expand all the hierarchy, but it isn't very readable to me. For example in the "Optimal protection" setup I see no need for the four trusted / blocked zone tables. Instead of simply issuing a decision they have these four tables which each contain only one unconditional entry -- accept or reject. Why bother??? Also why end these tables with a continue?
3/19 11am -- I did finally get a "blocked with IP logging" mode working -- but so far that is the only thing I have working.
3/19 1pm -- I had a hard crash occur and had to uninstall and then reinstall Jetico. A few more crashes like that one and Jetico will be history.
3/20 9am -- After cleaning Jetico out of the registry and then reinstalling it seems to be working, but attempts to get event logging have yielded erratic results in the log.
controler
March 21st, 2006, 07:15 AM
I am on the road a lot with my laptop, so am using the motel router/cable modems. The thing I do not like is when I have to use their unsecured wireless connections.
My question is will Jetico drive me nuts with pop-ups everytime I switch motels?
thankyou
con
Hann
March 21st, 2006, 11:51 AM
Thank you all for help. I was away for a few days but I'll setup the new rules tonight and let you know how's going.
DaveJJJ
March 22nd, 2006, 10:50 AM
-{ Quote: "
My question is will Jetico drive me nuts with pop-ups everytime I switch motels?
" }-
So far my impression of Jetico is that it has two problems. #1 is that it seems to cause my pc to crash occasionally, or not shutdown or boot up cleanly. #2 is that it would be annoying to use if you want to manually grant permission to programs because of the multiple popups. For example if you want to manually approve your anti-virus each time it wanted to download an update. I also had to install Jetico twice before it issued its popups properly without a delay. For use on the road at hotels/motels I can't think why Jetico would be too different.
Kerodo
March 22nd, 2006, 03:47 PM
The old Jetico that's available now has some quirks I think. I recently installed it to have another look after a long time and found that it sometimes gets stuck in infinite loops on the popups. At first I thought it was just asking a lot like it usually does, but after about the 12th time I realized it was just looping on one of the 'attacker' popups and the only way to exit was to shut down everything and reboot. Then it was ok, but I just can't live with that kind of nuisance stuff going on. It might be the best on leak tests, but it is also without a doubt the most annoying of them all. Still needs some work, hopefully version 2 upcoming will resolve some of the old standing problems.
the_sly_dog
March 23rd, 2006, 09:07 AM
hi all.
i just installed jetico and just wanted to say i love it to bits :o :o :o :o
much better than my old zonealarm :lurking: :lurking:
very easy to use and make rules very good software A++++++++++++++++++
:thumb: :thumb:
clansman77
March 24th, 2006, 12:23 PM
Installed this firewall. I must say a very good one indeed. This thread and the help file will help anyone to configure Jetico properly. Lightweight and rule based. Looking forward to version 2. This one is a keeper :thumb: Thanks to everyone who contributed to this thread.
Kye-U
March 25th, 2006, 01:36 AM
Was about to install Jetico over Kerio 2.1.5, but I guess I will be waiting for v2.
Paranoid2000
March 25th, 2006, 04:21 AM
-{ Quote: "Firewalls such as Outpost (and many others) give you the option to block an application, you can for example place "csrss.exe" into the blocked zone, and all internet activity will continue, but the fact is that the firewall is allowing "csrss.exe" (and others) to have net access (loopback) otherwise you would simply not be able to gain internet access." }-Just to go a little OT, this is not the case with Outpost - if a program is made a Blocked Application, it is not permitted access to loopback at all (unless a global rule is set with the High Priority/IgnoreCC option, see Outpost Rules Processing Order (http://www.outpostfirewall.com/forum/showthread.php?t=8394) for more details).-{ Quote: "Other examples of windows pgms that require net access (not connections, just access to the loopback (localhost)) are "csrss.exe", "services.exe", "lsass.exe", "winlogon.exe", "userinit.exe" and "explorer.exe". If any of these are completely blocked, then you will not gain internet access." }-My experience has been that the only Windows programs that require network access are services.exe (for Windows 2000) and svchost.exe (for Windows XP). If you are using Windows' Internet Connection Sharing then alg.exe will need access also.
Only if your PC is part of an Active Domain (this only applies to business users running Windows Server) should lsass.exe, etc need access as per Microsoft's Service overview and network port requirements for the Windows Server system (http://support.microsoft.com/default.aspx?scid=kb;en-us;832017) guide - they can (and should) be blocked otherwise.
Stem
March 25th, 2006, 08:52 AM
I think, just to clear up any possible confusion, when Jetico blocks an App, it blocks that App completely from the network and local sockets (this is possibly where it appears a number of O.S. Apps require net access, when they only need the ability to access local sockets). I have attached an image of a log from Jetico (all system was on logging). I simply started up Firefox to a blank page. Now if any of these O.S. Apps were blocked in Jetico, then no access would be allowed to Firefox.
Stem
March 25th, 2006, 09:11 AM
If I block all O.S. Apps from access, then try to connect (I attempted connection to here at Wilders), then the attached image shows the result. (csrss is the first O.S. app that is blocked, which has a knock-on effect and stops Firefox from being allowed access.)
AJohn
March 25th, 2006, 06:54 PM
Use application trusted zone more for programs you know are safe and you won't get nearly as many pop-ups.
Paranoid2000
March 26th, 2006, 03:30 AM
-{ Quote: "If I block all O.S. Apps from access, then try to connect, (I attempted connection to here at Wilders), then the attached image shows the result. (csrss is the first O.S. app that is blocked, which as a knock on effect, and stops firefox from being allowed access.)" }-The error reported is consistent with a failed DNS lookup - DNS lookups are performed by svchost in Windows XP if you have the DNS Client Service running (disabling this should result in Firefox itself making the DNS request).
As for the Client-Server Runtime Subsystem (csrss.exe) being reported as being blocked, this is Windows' process and thread manager so Jetico may be preventing it from accessing svchost (or any other connected process) resulting in this failure. Csrss.exe itself does not need network access and should never send or receive network traffic.
Stem
March 26th, 2006, 01:43 PM
-{ Quote: "The error reported is consistent with a failed DNS lookup - DNS lookups are performed by svchost in Windows XP if you have the DNS Client Service running (disabling this should result in firefox itself makng the DNS request)." }-DNS client is disabled (always as been, due to using large hosts file).
-{ Quote: "As for the Client-Server Runtime Subsystem (csrss.exe) being reported as being blocked, this is Windows' process and thread manager so Jetico may be preventing it from accessing svchost (or any other connected process) resulting in this failure. Csrss.exe itself does not need network access and should never send or receive network traffic." }-The O.S. Apps were blocked from net access only. I do not use the Jetico process attack filter, as I use PG.
Fumens
April 1st, 2006, 06:10 PM
Hi Stem,
I have some questions regarding Jetico rulesets. I tried to make a ruleset for a bittorrent client and it works, feels great. But I don't know how to make a ruleset for Yahoo Messenger and MSN; I tried to make one, but every time I start the application another popup window appears. It seems I have to allow it every time or put it in the application trusted zone. Is it safe enough to do so?
Another question is I can't find a way to make an IP range in the ruleset box. Does Jetico have this feature?
Thanks before
Stem
April 2nd, 2006, 03:14 AM
Hi Fumens,
This is more of an experiment to see if I can upload a config file for jetico, (and then it can be downloaded and used).
I have created a ruleset for Yahoo messenger (not tested, as I do not use Yahoo), but if you want to try it, then please post back info on any blocked packets. (there is a rule to block all non-processed packets at the end of the ruleset, which will log).
Download the attached yahoo.bcf.txt file, and place this in the Jetico / config directory. You will then need to remove the .txt extension. (You may need to go into explorer / tools / folder options / view ... and untick "hide extensions for known file types".)
More instructions to follow:-....
Stem
April 2nd, 2006, 03:15 AM
Fumens,
Once you have removed the .txt extension, open jetico...select file (top left) / open ... and browse to the Jetico / config folder and select the "Yahoo" config file. This will then load another "optimal protection". now see attached image:-
When you have completed this, go to the yahoo app (the one you say you have selected as trusted) and change this from "trusted" (in the drop down menu) to Yahoo
Stem
April 3rd, 2006, 02:00 PM
Hi Fumens,
I have attached a policy containing the Yahoo, and now the MSN Messenger ruleset. (The MSN ruleset should be o.k. for both msmsgs.exe and msnmsgr.exe.) Once again, follow the previous instructions to delete the txt extension, load into Jetico, and move (drag) the rules over to your "Optimal protection" policy.
If you, or anyone want to use these rules within Jetico have any problems with dropped packets from the rules, please post (with log (all rules will have a "block all" at the end of the ruleset, to produce a log for dropped packets)).
Have added a ruleset for "Download Manager" and for "BitTornado"(bittorrent). The inbound rule for bittornado will have to be edited to suit your setup (currently set at "allow inbound localport 10000"
EDIT
Rulesets attached to post 106
Fumens
April 6th, 2006, 05:41 PM
Hi Stem,
I don't encounter any problems with Yahoo ruleset you attached in post #100. It works great, I don't even see any ads in YM.
I don't know about the rule for the webcam, if it works, because I don't use one. I assume the new rule set for MSN will work.
I'll try out the bittorrent rule set for BitTornado, especially as I heard that BitTornado is rather difficult. I'll post the result and if there are any problems.
Thanks Stem
Stem
April 6th, 2006, 06:11 PM
-{ Quote: "I don't encounter any problems with Yahoo ruleset you attached in post #100. It works great, I don't even see any ads in YM. " }-Good to hear,
-{ Quote: "I don't know about the rule of webcam if it works coz I don't use one." }-Just untick the rules you dont need, or delete them. (I just wanted to post a full ruleset)
-{ Quote: "I assume the new rule set for MSN will work." }-They should do, these are rules I have used in other firewalls. But post if any problems.
-{ Quote: "I'll try out the bittorrent rule set for BitTornado, especially I heard that BitTornado is rather difficult" }-Its the only bittorrent client I had on hand,.... the ruleset worked o.k.
-{ Quote: "Thank's Stem" }-You're welcome.
Regards
Stem
Stem
April 8th, 2006, 05:21 AM
I have been asked for a Jetico ruleset for Emule. The ruleset I have made is for the default installation (inbound tcp/udp ports). So if you change the inbound ports within Emule, then you will need to edit the rules to suit (see pic).
I did test the rules,...... there are a number of blocked packets, (mainly due to packets to incorrect ports, so I have disabled logging on the block rule) but no problem getting high ID. (New rulesets attached to next post)
Stem
April 8th, 2006, 05:30 AM
Attached are the rulesets for:-
Bit tornado: (user to edit tcp inbound rule, to suit own setup)
DC++ (the two inbound rules (tcp,udp) are set for the default installation (DC++ uses random ports between 1024-32000 (so edit these if you change the settings within DC++))
Download Manager
Emule See last post for instructions
MSN Messenger
Yahoo Messenger
EDIT
Note: see posts 100/101 for instructions on how to load/transfer the rules to your rulesets.
Ruleset on post 307
busy
April 10th, 2006, 01:58 PM
What rules are required for a home network?
Client => Server (with Jetico) => Internet
Stem
April 11th, 2006, 09:15 PM
-{ Quote: "What rules require for Home network.
Client => Server (with Jetico) => Internet" }-I am not sure by the setup you mention,.... Server? (post info)
(Do you mean ICS (Internet connection sharing) Client => Host =>Internet ?)
busy
April 14th, 2006, 02:17 PM
yup I meant ICS
Stem
April 15th, 2006, 05:15 AM
-{ Quote: "yup I meant ICS" }-Jetico cannot "see" the Client IP, so it is not possible to create rules for the client.
When the client attempts a connection, jetico sees this as a connection attempt from the host (the shared IP), and as there is no App associated with the connection, the packet is dropped (blocked).
DarkX
April 15th, 2006, 04:34 PM
I made and saved my rules with Jetico under the admin account; so far it seems ok, but I have another problem: when I use my XP under a limited account, Jetico asks for the same rules which I already made under the admin account.
According to my experience, if you use your XP with different accounts that means you have to make the same rules for every single account.
Is there a way to import the same rules to different accounts?
MaB69
April 15th, 2006, 04:49 PM
-{ Quote: "I made and saved my rules with Jetico under admin account so far seems ok but have another problem when i use my xp under limited account Jetico asks same rules which i already made under admin account.
According to my experince, if you use your xp with different accounts that means you have to make same rules for every single account.
Is there a way to import same rules to different accounts?" }-
Every user has his set of rules that you can find under C:\Documents and Settings\UserName\Application Data\Jetico Personal Firewall\1.0 and then you can copy and paste Optimal.bcf to the other user
Stem
April 15th, 2006, 06:12 PM
Hi DarkX,
Just to confirm, (I have just checked), the policies can be imported to the user (see attached image, easier than to explain.... just remember where you saved them.)
Hi MaB69, nice to see another Jetico user..
DarkX
April 15th, 2006, 07:03 PM
Thanks for replies MaB69 and Stem :thumb:
adam777
April 16th, 2006, 09:51 AM
Had some problems with KAV6 and Kerio 4.2.3, so I figured I'll give Jetico a try...
I must admit, I was sure I'd get enough of it really soon (having read all the horror stories regarding the hundreds of pop-ups, weird configuration etc.).
However, I must admit that once you get the hang of it, it's really fairly easy to configure :)
So, although the topic of this thread is "Jetico making me crazy." - I'm satisfied with it ;D
* EDIT *
OK, one problem...
Currently I'm connected to the net via another computer (some sort of ICS software), so my IP address is 192.168.0.2 and the address of the network card I'm connected to in the other computer is 192.168.0.1.
Now, I want to make the other computer trusted, so I enter its full address (IP address/mask) in the configuration wizard.
However, when I'm running the wizard again, I see that Jetico insists on adding the entire network (192.168.0.0) to the trusted zone, in addition to the address I've entered manually, which is of course something I would not like.
It says "192.168.0.0/24 Local network (added by default)".
Ideas anyone?
Thanks in advance, Adam.
Stem
April 17th, 2006, 10:38 PM
Hi Adam,
Due to seeing your edited post (and your other thread on ICS), I re-checked and realised that the settings for the network with jetico are taken from the windows config. So if you do want to restrict your network to just the 2 IP addresses, then you will need to go into the windows settings,.. Start / control panel / network connections....(see pic)
Entering a subnet mask of 255.255.255.252 will restrict the network to the 2 IP range you require.
Then use the Jetico "config wizard" to remove the network range of 192.168.0.0/24 if it hasn't already. The new config should have been picked up by Jetico from Windows (192.168.0.0/255.255.255.252 = 192.168.0.0/30).
adam777
April 18th, 2006, 04:23 AM
First of all, thanks again, Stem.
As for your suggestion - could you please explain to me, why changing the subnet mask will allow me to restrict the network to just the 2 IP's i need?
Needless to say, the network really does contain only 2 computers, and the reason I wanted to separate the server IP from the general network is that I'm used to doing it from other FWs.
Stem
April 18th, 2006, 06:35 AM
Hi Adam,
Network masks:-
Netmask            Netmask (binary)                        CIDR   Usable hosts
255.255.255.255    11111111.11111111.11111111.11111111     /32    Host (single address)
255.255.255.254    11111111.11111111.11111111.11111110     /31    Unusable
255.255.255.252    11111111.11111111.11111111.11111100     /30    2 usable
255.255.255.248    11111111.11111111.11111111.11111000     /29    6 usable
255.255.255.240    11111111.11111111.11111111.11110000     /28    14 usable
255.255.255.224    11111111.11111111.11111111.11100000     /27    30 usable
255.255.255.192    11111111.11111111.11111111.11000000     /26    62 usable
255.255.255.128    11111111.11111111.11111111.10000000     /25    126 usable
255.255.255.0      11111111.11111111.11111111.00000000     /24    "Class C", 254 usable
I am hoping the chart will explain how the mask works. The mask 255.255.255.254 cannot be applied to a network, as this would only give you one possible address (and you need min 2 PCs for a network)
If you do not understand binary, take a read http://en.wikipedia.org/wiki/Binary_numeral_system to see if it helps.
You may also need to do a google for "Bits" and "Bytes"
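The chart above can be regenerated, and the mask that fits exactly the two hosts Adam mentioned (192.168.0.1 and 192.168.0.2) can be derived rather than looked up. The code below is an added example for this thread, not something posted by Stem; it uses Python's standard ipaddress module and follows the chart's classic convention that the network and broadcast addresses are reserved and a /31 is unusable (point-to-point /31s per RFC 3021 are deliberately not considered):

```python
"""Netmask / CIDR helpers (added example, not from the thread).

Reproduces the mask chart with the classic usable-host rule and finds the
smallest classic subnet whose usable hosts include a given set of addresses,
which is how 255.255.255.252 (/30) falls out for 192.168.0.1 and 192.168.0.2.
"""
import ipaddress


def netmask_to_prefix(netmask: str) -> int:
    """'255.255.255.252' -> 30"""
    return ipaddress.ip_network(f"0.0.0.0/{netmask}").prefixlen


def prefix_to_netmask(prefix: int) -> str:
    """30 -> '255.255.255.252'"""
    return str(ipaddress.ip_network(f"0.0.0.0/{prefix}").netmask)


def classic_usable_hosts(prefix: int) -> int:
    """Usable hosts under the classic rule: /32 is one host, /31 has none,
    everything else loses the network and broadcast addresses."""
    if prefix == 32:
        return 1
    if prefix == 31:
        return 0
    return 2 ** (32 - prefix) - 2


def chart(prefixes=range(32, 23, -1)):
    """Rows of (dotted mask, binary mask, '/n', usable hosts), /32 down to /24."""
    rows = []
    for p in prefixes:
        mask = prefix_to_netmask(p)
        binary = ".".join(f"{int(octet):08b}" for octet in mask.split("."))
        rows.append((mask, binary, f"/{p}", classic_usable_hosts(p)))
    return rows


def smallest_classic_subnet(ips) -> str:
    """Smallest network (as 'a.b.c.d/n') in which every given IP is a usable
    host under the classic rule.  A single IP gets a /32."""
    addrs = {ipaddress.IPv4Address(ip) for ip in ips}
    if len(addrs) == 1:
        return f"{next(iter(addrs))}/32"
    first = next(iter(addrs))
    for prefix in range(30, -1, -1):          # /31 skipped: unusable under the classic rule
        net = ipaddress.ip_network(f"{first}/{prefix}", strict=False)
        if all(a in net for a in addrs) and not any(
                a in (net.network_address, net.broadcast_address) for a in addrs):
            return str(net)
    raise ValueError("no common subnet")      # unreachable for IPv4 inputs


if __name__ == "__main__":
    for mask, binary, cidr, usable in chart():
        print(f"{mask:<17} {binary}  {cidr:<5} {usable}")
    # Adam's case: restrict the trusted zone to the two ICS hosts only.
    net = smallest_classic_subnet(["192.168.0.1", "192.168.0.2"])
    print(net, "=", prefix_to_netmask(int(net.split('/')[1])))
```

Running it prints the same rows as the chart and ends with 192.168.0.0/30 = 255.255.255.252, the mask Stem recommended; .0 is the network address and .3 the broadcast, so the trusted zone then holds exactly .1 and .2.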
adam777
April 18th, 2006, 06:55 AM
You're the best, Stem :thumb:
mpeg
April 19th, 2006, 11:11 AM
Hi,
I'm having some troubles getting my VPN client to connect properly to my office VPN. What rules do I need to set in Jetico's System IP Table to have this work? Right now, it seems to timeout.
The VPN Client I'm using is the default one that Microsoft ships with WinXP. All the settings are left at default when I configured this client.
I noticed in the log that there's a warning created for Block All non Process IP packets. I tried two things:
- set the rule to accept instead of the default reject. Connection still hangs & times out
- deleted the rule altogether. Connection still hangs and times out.
So this tells me that there must be some kind of explicit rule I need to create to allow a VPN request, and a VPN reply but the ports are a mystery to me.
Unfortunately, there's no popup when I try to connect so I can't go the easy route and accept it.
Can anyone help?
Thanks
Stem
April 19th, 2006, 12:37 PM
I have not used the windows VPN connection, but I will help if I can.
As the IP that you would have set up (using the connection wizard for VPN within Windows) is that of your employer/works, then this is an IP that you trust. So rather than trying to sort out the Windows Apps that are required, and the specific rules (the protocols are PPTP and GRE for Windows VPN), you can simply set a rule to allow all outbound to your works IP (Jetico SPI will sort out the inbound replies... If inbound connections are required, then we will have to add rules).
First, you must replace the "Block all not processed packets" rule that you removed, as we can get info from this for any blocked packets, which can help in resolving any connection problems.
Next add a "System IP" rule to allow all outbound to your works IP, this is the IP that you have entered in the VPN setup within windows (see pic)
shaunwang
April 21st, 2006, 02:47 PM
Now I see Jetico Firewall seriously rocks and fun to play exactly my type of tea.
I will try it but will still need a pro like Stem to guide out :p
if I am right the ruleset you made for
-{ Quote: "
Attached are the rulesets for:-
Bit tornado: (user to edit tcp inbound rule, to suit own setup)
DC++ (the two inbound rules (tcp,udp) are set for the default installation (DC++ uses random ports between 1024-32000 (so edit these if you change the settings within DC++))
Download Manager
Emule See last post for instructions
MSN Messenger
Yahoo Messenger" }-
Could be used under uTorrent, LimeWire, using direct ports for outbound and inbound, right???
Stem
April 21st, 2006, 04:49 PM
-{ Quote: "Could be used under Utorrent , limewire using direct ports for outbounds and inbounds right ???" }-You can use the Bit tornado rules for "Utorrent" (have just tested). Don't forget to change the "allow inbound rule" local port number to suit your setting.
Have just downloaded "limewire" to test, will post details later .................................
EDIT
Have installed and had a quick look at limewire, this pgm only requires the one inbound port, so you should be able to use the bit tornado ruleset (I would advise that you disable the UPnP within limewire,... even if you are using a UPnP router, you should manually port forward)
shaunwang
April 21st, 2006, 11:23 PM
I tried playing with LNS, but it is quite slow for the connection to reach "turbo charge", which is LimeWire's "sharing frequency", telling you how good their server currently online is and which level of connection you are in. Normally the best is turbo charge, since it increases the search rate.
I think LimeWire requires an outbound too, to communicate with the server to tell it how ready it is and to send searches out much faster.
Stem
April 22nd, 2006, 06:13 AM
-{ Quote: "I think Limewire requires a outbound too to communicate with the server to tell it how ready it is and to send search out much faster." }-There are outbound connections allowed within the bit tornado ruleset,....
mpeg
April 27th, 2006, 05:23 AM
Hi Stem,
Thanks so much for trying to help. I did as you suggested but I'm still getting the same kind of error:
datetime reject Block All not Processed IP Packets 44 TCP incoming packet <IP of my VPN server> 192.168.1.100 1723 3065
I wonder if there's something about the source/destination ports 1723 and 3065 that I must somehow set a rule for? (I tried connecting again but the destination port changed this time)
-{ Quote: "I have not used the Windows VPN connection, but I will help if I can.
As the IP that you would have set up (using the connection wizard for VPN within Windows) is that of your employer/works, this is an IP that you trust. So rather than trying to sort out the Windows apps that are required, and the specific rules (the protocols are PPTP and GRE for Windows VPN), you can simply set a rule to allow all outbound to your works IP (Jetico SPI will sort out the inbound replies... if inbound connections are required, then we will have to add rules).
First, you must replace the "Block all not processed packets" rule that you removed, as we can get info from this for any blocked packets, which can help in resolving any connection problems.
Next add a "System IP" rule to allow all outbound to your works IP; this is the IP that you have entered in the VPN setup within Windows (see pic)" }-
Stem
April 27th, 2006, 05:41 AM
Hi mpeg,
This is due to inbound connections being required. You can, for now, change the IP rule Event from "outgoing packet" to "any"; this will allow the inbound, and as this is from a trusted source it should be OK.
Check this new rule, and if all is OK we can always tighten up by adding a set of rules for the inbound needed (if you want to).
Stem
April 27th, 2006, 06:25 AM
@Jetico users,
I have been testing Jetico using a large "block" file to block the IPs of known spyware. I did this due to the possibility of the "HOSTS" file being bypassed by using an IP rather than the site URL. I have been running this for a few days with no slowdown or problems, so I thought I would upload the file for any who wish to use it. The current file contains an updated list of spyware IPs (717,438 sites); the original list is from http://www.bluetack.co.uk, which I have converted so Jetico can use it.
First you should run the Jetico "configuration wizard" and note the "trusted zone" IPs (which you may need to re-enter). Download the attached file, remove the .txt extension, and copy it to the Jetico/config folder (save the old one first, if needed). Then re-run the "configuration wizard" and re-enter the IPs in the "trusted zone" if needed.
Safe surfing,...
Stem
April 27th, 2006, 09:42 AM
Oh, I forgot: if you want to view the above file using your browser before putting it in your Jetico/config folder, you will need to take a copy of the settings.xsl (stylesheet) from the Jetico/config folder and place it in the same folder as the settings.xml.
DarkX
April 27th, 2006, 11:37 AM
Hi Stem,
I have been trying your block IP list and no problems, no slowdown so far, everything was OK :thumb:
Stem
April 27th, 2006, 01:21 PM
Hi DarkX,
Good to hear,...thanks for the feedback.
shek
April 27th, 2006, 04:38 PM
Hi, Stem
There is an IP address that should be in the whitelist, which is 67.15.192.17, Happy Baytes's Weblog.
Fumens
May 1st, 2006, 12:42 AM
Stem,
I don't know what to say about the block list just created for Jetico. I thought that I lost the BlockPost plugin when I switched to Jetico, but you found the solution.
I also installed BlockList Manager but don't know which format I have to convert to after I have finished downloading the source file. Can you explain it?
Thanks in advance
AJohn
May 1st, 2006, 12:53 AM
http://phoenixlabs.org/pg2/
trojan
May 1st, 2006, 05:47 PM
I have used Jetico on and off for some time, mostly resorting in the end, out of laziness, to firewalls like Outpost that "do it all for you". But now, having at last managed to spend enough time with Jetico to learn how it works and fully configure it for my system, giving Jetico the time and respect it deserves, I can see that all my previous gripes with Jetico were just down to my laziness and bad practice, having got used to firewalls like Outpost etc. Now I can say how pleased I am with Jetico; it runs so light and so secure, and once configured to my own system it runs quiet with very few pop-ups. Anyone that uses Jetico should be warned that this firewall requires a little time and patience from the first-time user, but that effort will be rewarded with one of the best, if not the best, software firewalls there is, and did I mention it's also free lol ;D
larzeb
May 2nd, 2006, 01:05 AM
This post has been very helpful to me. I'm trying to learn how to configure jetico.
I installed it on a computer with a Tyan motherboard. There is software to monitor the motherboard. When you launch the software it requires you to login locally or remotely. Of course, I just click the login button and I gain access to the software.
When I run the firewall, it interferes with the software during its launch. The software insists on asking for a username and password. Not being able to configure it to work while the firewall is running, I start the software first, then the firewall.
I have enclosed an abbreviated screen-shot of the application (there are really 2) which the firewall sees as it was started before the firewall.
Can someone help me configure this?
TIA
Stem
May 2nd, 2006, 08:53 PM
larzeb,
First of all I see you have the nVidia <networkAccessManager/apache.exe> running on your system. I have in the past found some problems with this, when I ran this with the nVidia "anti-hacker" and Jetico, but do not know if this is causing problems in this case.
I would suggest first that you check to see if there are any "blocked" packets in your jetico log that may relate to this. If not, then there may be a conflict. To check this, set Jetico policy to "allow all" and then try to connect to the web interface, if this is still not possible, then you will know that there is a conflict.
Stem
May 2nd, 2006, 09:16 PM
-{ Quote: "I also installed BlockList Manager but don't know which format I have to convert to after finished downloading the source file. Can you explain it?" }-Hi Fumens,
There is no quick way to perform the conversion, as the BlockList Manager will not convert to a format that can be used directly by Jetico. What you need to do is to output your blocklist (from BlockList Manager) in CIDR format and save it as a text file; you then need to use a text editor that has the function to `replace` at the beginning/end of all lines, with
"<value>" at the front of each line and
"</value>" at the end of each line.
Once done, you can copy and paste this into the source code of the Jetico "settings.xml" file, under the <var id="Blocked Zone"> heading.
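Stem's replace-at-beginning/end-of-line recipe, done as a script. This is an added example, not from the thread and not BlockList Manager's or Jetico's own code. It reads the CIDR text exported from BlockList Manager, also accepts p2p-style "name:start-end" range lines (an assumption about the bluetack list format mentioned earlier in the thread), collapses duplicates and adjacent blocks so the Blocked Zone stays as short as possible, wraps each network in <value>...</value>, and writes them under <var id="Blocked Zone"> in settings.xml. The thread does not show the rest of settings.xml, so the script only replaces the contents of that one element; the file names on the usage line and the sample input are assumptions.

```python
"""Convert an IP blocklist into Jetico '<value>' entries for the Blocked Zone.

Added example; not Jetico's own tooling and not from the thread. Assumptions:
- Input lines are plain CIDR ("10.1.0.0/24"), a single address, or p2p-style
  ranges "name:start-end" (the bluetack list format). The range format is an
  assumption; the thread only shows CIDR output from BlockList Manager.
- settings.xml holds the list as one <value>...</value> per line under
  <var id="Blocked Zone">, as the thread describes; the rest of that XML is
  not shown, so it is treated as opaque text and left untouched.
"""
import ipaddress
import re
import sys

# "name:1.2.3.0-1.2.3.255" (name optional); greedy name so colons in names are fine
RANGE_RE = re.compile(
    r"^(?:(?P<name>.*):)?(?P<start>\d+\.\d+\.\d+\.\d+)-(?P<end>\d+\.\d+\.\d+\.\d+)$"
)


def parse_line(line):
    """Return the IPv4 networks covered by one blocklist line ([] for blank/comment)."""
    line = line.strip()
    if not line or line.startswith("#"):
        return []
    m = RANGE_RE.match(line)
    if m:
        start = ipaddress.IPv4Address(m.group("start"))
        end = ipaddress.IPv4Address(m.group("end"))
        if end < start:
            raise ValueError(f"range end before start: {line!r}")
        # A start-end range is usually not one CIDR block; summarize into the
        # smallest set of blocks that covers exactly that range.
        return list(ipaddress.summarize_address_range(start, end))
    # strict=False accepts host bits set (10.1.2.3/24) and normalises to 10.1.2.0/24;
    # a bare address becomes a /32.
    return [ipaddress.IPv4Network(line, strict=False)]


def to_values(lines):
    """Parse all lines, merge overlapping/adjacent networks, emit <value> elements."""
    nets = []
    for line in lines:
        nets.extend(parse_line(line))
    # collapse_addresses de-duplicates and merges sibling blocks into their
    # supernet, which keeps the rule count (and Jetico's per-packet work) small.
    return [f"<value>{net}</value>" for net in ipaddress.collapse_addresses(nets)]


def insert_into_settings(settings_xml, values):
    """Replace the contents of <var id="Blocked Zone">...</var> with the given values."""
    open_tag = '<var id="Blocked Zone">'
    start = settings_xml.index(open_tag) + len(open_tag)
    end = settings_xml.index("</var>", start)
    return settings_xml[:start] + "\n" + "\n".join(values) + "\n" + settings_xml[end:]


if __name__ == "__main__":
    # usage (assumed file names): python jetico_blocklist.py blocklist.txt settings.xml > new_settings.xml
    with open(sys.argv[1], encoding="utf-8", errors="replace") as f:
        values = to_values(f)
    with open(sys.argv[2], encoding="utf-8") as f:
        sys.stdout.write(insert_into_settings(f.read(), values))
```

As Stem said earlier, save the old settings.xml first; the script writes the result to standard output, so the original is not touched until you copy the new file over it.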
Mr. Y
May 3rd, 2006, 12:04 AM
I have loaded Jetico onto one of my hard drives and got it going. It did take a while to configure it.
The GUI interface is awkward to use compared to TPF but Jetico does have many positive features.
Under TPF I always get PORT 137, 138 hits.
I configured Jetico to reject and log PORT 137, 138 hits- but I don't see any hits.
Maybe I am doing something wrong- Just wondering how to configure Jetico to reject and log PORT 137, 138 hits.
Fumens
May 3rd, 2006, 04:00 AM
Hi Stem,
Thanks for the explanation. I just did it and made a new blocklist. So far Jetico runs smoothly. I don't know how big a blocklist Jetico can handle; just for the info, I added around 5000 lines.
Regards
Stem
May 3rd, 2006, 05:47 AM
Hi Fumens,-{ Quote: "Thanks for the explanation. " }-No problem,
-{ Quote: "I don't know how big a blocklist Jetico can handle," }-I have not yet tested to see if Jetico has a limit on this, I will give it a test later.
Regards,
Stem
Stem
May 3rd, 2006, 06:00 AM
-{ Quote: "Maybe I am doing something wrong- Just wondering how to configure Jetico to reject and log PORT 137, 138 hits." }-Jetico, with the default ruleset, should be blocking and logging any packets to these ports, as NetBIOS is not allowed by default...
Go to "ShieldsUp" https://www.grc.com/x/ne.dll?bh0bkyd2 and perform an "All service ports" scan, and you should see the packets being blocked in the log as "Block all not processed packets" (as long as you are not behind a router??).
If no log is being produced, open Jetico / options / log... and change the directory for the saved logs,... then try again.
Please, post back your findings
larzeb
May 3rd, 2006, 06:44 PM
Stem,
I set the protection to allow all and the problem application was no longer an issue. So I guess the nvidia app was not a contributing factor. Any other suggestions?
Stem
May 3rd, 2006, 07:22 PM
-{ Quote: "Stem,
I set the protection to allow all and the problem application was no longer an issue. So I guess the nVidia app was not a contributing factor. Any other suggestions?" }-While you are in "optimal protection" you say you cannot connect to the interface.... Have you checked the log for blocked packets?? (ref post#137)
Mr. Y
May 3rd, 2006, 11:28 PM
-{ Quote: "Jetico, with the default ruleset, should be blocking and logging any packets to these ports, as NetBIOS is not allowed by default...
Go to "ShieldsUp" https://www.grc.com/x/ne.dll?bh0bkyd2 and perform an "All service ports" scan, and you should see the packets being blocked in the log as "Block all not processed packets" (as long as you are not behind a router??).
If no log is being produced, open Jetico / options / log... and change the directory for the saved logs,... then try again.
Please, post back your findings" }-
Hello Stem,
How can I see a log for port 137, 138 events?
Stem
May 4th, 2006, 08:55 AM
-{ Quote: "Hello Stem,
How can I see a log for port 137, 138 events?" }-As I have mentioned, these ports are blocked by default. Have you performed a "ShieldsUp" scan as I suggested, and then checked your log??
I have attached a pic showing part of my log after completing a "ShieldsUp" scan on a PC connected directly to the internet (no router-firewall / TCP/IP hardware filter).
Mr. Y
May 4th, 2006, 11:41 AM
-{ Quote: "As I have mentioned, these ports are blocked by default. Have you performed a "ShieldsUp" scan as I suggested, and then checked your log??
I have attached a pic showing part of my log after completing a "ShieldsUp" scan on a PC connected directly to the internet (no router-firewall / TCP/IP hardware filter)." }-
Yeah, and Jetico passed with full stealth. I was just wondering if there was a way to see the "hits".
Jetico could improve their interface by showing all hits in the log by default and adding a feature where, by "right clicking" on an undesirable hit, you can change the rule.
TPF has this feature, although it won't show the hits by default.
Thank you
Stem
May 4th, 2006, 11:48 AM
-{ Quote: "Yea and Jetico passed with full stealth. I was just wondering if there was a way to see the "hits"." }-All blocked packets are shown in the log
larzeb
May 4th, 2006, 12:45 PM
Stem,
I think I didn't respond to your original question about the log because there was nothing much in it. I went to both executables in the config tab and set their logging from disabled to error.
Then I launched the application, and it worked. I must not be watching carefully enough. Anyway, it's OK.
What logging levels do you leave set for your apps? If you leave them disabled then you will not see the dropped packets? Why are some entries blue and others red?
Thanks again for your help, Lars
Stem
May 4th, 2006, 01:31 PM
Hi larzeb,
Showing in your log is "go to another table"; this, I have found, is generated by the use of a local-host proxy, in your case <networkAccessManager/apache.exe> (this is part of the problem I mentioned in my earlier post). Jetico does not process the packets correctly; I did not make a lot of tests on this, but found that the IP filter was bypassed (so this is not the best of combinations). -{ Quote: ".What logging levels do you leave set for your apps?....If you leave them disabled then you will not see the dropped packets?" }-I don't log allowed connections within Jetico; I place a block-all rule at the end of the App-ruleset and have logging on this.
-{ Quote: "Why are some entries blue and others red?" }-The color of the entry depends on the logging level you have selected "info / notice / warning" etc for that app/rule
-{ Quote: "Thanks again for your help, Lars" }-No problem,...... is the interface now connecting correctly while Jetico is active?
PvA
May 4th, 2006, 06:07 PM
THANKS for this thread explaining lots of rules in Jetico!!!
I have been reading all more than once and I am getting along with most of it. A few days ago I switched to Jetico and I will stay for sure. For a common user it´s hard but if you take your time, success will follow. Rule #1=rtfm ;D
So did I and I´m convinced about the philosophy of Jetico so far. I´ll come back for fine tuning questions maybe at the weekend.
Good work!!! :thumb: :thumb: :thumb:
8)
larzeb
May 4th, 2006, 07:07 PM
Stem,
Do you mind posting your application ruleset so I can see how you did the logging? Newbie!
I have to find out more about the nVidia/Apache stuff. It must be associated with the motherboard I'm using, but I'll hash it out.
Just now I started the machine and tried to log onto my app, but the problem reappeared. Very flaky. Once I find out more about it I'll post.
Lars
Stem
May 4th, 2006, 08:17 PM
-{ Quote: "Do you mind posting your application ruleset so I can see how you did the logging? Newbie!" }-Take a look @ post#106; there are some rules I have posted, most of these have a "block all with logging" rule at the end of the ruleset (instructions on loading these @ post #100/101).
-{ Quote: "Just now I started the machine and tried to log onto my app, but the problem reappeared. Very flaky." }-I would suggest (for testing) that you load a new "optimal policy" into Jetico (open Jetico / File / Open... browse to the Jetico/config folder and select "optimal.bcf"; this will load a new "optimal policy" (your old policy will still remain); right click the newly loaded policy and select "apply policy"). Once this is loaded and active, attempt to log on to your interface; Jetico will prompt you for any outbound rules required. If you are blocked from logging on, you then need to check the log for any blocked packets (if you are not prompted for rules, they will pass through to the "block all" at the end of the default ruleset, which is set to log). Once you have logged on successfully, you will be able to make a ruleset. Once a ruleset is created, you can edit your old policy to suit.
PvA
May 5th, 2006, 02:14 PM
Hello,
I got a question for a torrent client like BitTorrent. Well, I know there has been a rule uploaded in here, but the question is how you are going to insert the rule in Jetico.
I made my own rule for my client and it's nearly the same as the one which is uploaded.
When I start the client, Jetico keeps asking for outbound connections even when the rule is defined in "Ask user/Bittorrent client".
In the Ask user tree I defined one rule for it: "Handle as Bittorrent client" (blue arrow straight to the right) with the permission to access the network on any protocol, nothing else. That should be enough to jump into the "Bittorrent client" tree below and use the proper rules there.
Fact is, it doesn't work that way. It keeps asking me for the first outbounds, which are already defined. I have to set "Handle as Bittorrent client" with all set to any in the "Ask user" tree. I doubt that is correct.
Another question is which rule Jetico performs in the "Ask user" tree when there is a special rule one step below for it. Is it just a "jump to" or already a rule?
I know pictures can tell more, but I wasn't able to get space for it right now. On the other hand, maybe I should take a closer look at my rules... :blink:
Maybe I still didn't get the clue about outbound/inbound, receive data/send data and so on, and when it is necessary to define the local address/remote address/local port/remote port when using an application with a protocol and a special event. Guess that's what most of the people in here are thinking about... :lurking:
Ok, I will keep trying and hope you can help a bit.
Links are also appreciated.
larzeb
May 5th, 2006, 06:14 PM
Stem,
I did as you said, loaded the optimal temporarily, launched my app, it worked, so I copied that rule to my main optimal. Everything is OK.
I also removed that nVidia Network Access Manager junk. This system was made for me. I didn't load the operating system. I should know better than that.
In looking at your articles at 101, 102 and 106, I was particularly interested in your wip.bcf, which I believe expands to 'My Rules' once loaded. Now what I'm about to ask will really show my ignorance, but I'd like to understand clearly.
When I look at the Application Table, you've got a bunch of right, blue arrows, e.g. Windows, DHCP, DNS, etc. Does Jetico go down the Application Table, first to the Windows table to each of its entries, then to the DHCP table and to each of its entries, until it hits an accept or reject rule?
Somehow I thought there was something special that Jetico knew about Windows (in the Application Table).
Well, I re-read the manual. I think I understand the order of rules. Straight sequential until accept or reject.
Thanks for your patience. Lars
larzeb
May 7th, 2006, 04:56 PM
I need to setup a rule for uTorrent which I don't know how to do. Among others, it needs an inbound UDP connection to a specific port of my setting. However, I cannot find a UDP protocol under packet parameters.
Which protocol should I use instead?
Thanks, Lars
Stem
May 7th, 2006, 05:37 PM
-{ Quote: "I need to setup a rule for uTorrent which I don't know how to do. Among others, it needs an inbound UDP connection to a specific port of my setting. However, I cannot find a UDP protocol under packet parameters.
Which protocol should I use instead?
Thanks, Lars" }-Hi Lars,
I thought uTorrent only used tcp (the same as bit tornado), as I have used the bit-tornado rules for utorrent to test, and all o.k. (unless this is a different uTorrent).
For UDP, in application rules, the format for outbound:- Protocol: TCP/IP Event: send datagrams
For inbound UDP: there must be a rule to "listening datagrams" (this by default is already in place in the application Table), you then set your application rule protocol TCP/IP event receive datagrams with port/range
Take a look at the "emule" rules I uploaded, which have/show rules for UDP and may help you.
I am just putting together instruction for PvA on the download/install/use of the Bit tornado rules, which may also help you (which I will be posting a little later)
(By the way, what is "wip.bcf" you mention in your post #155)
larzeb
May 7th, 2006, 06:57 PM
The reason I asked about UDP and uTorrent is that on the machine I'm currently using, Agnitum is running and shows UDP connections, a lot of them, all going to the inbound port specified in uTorrent. So I wanted to be prepared before switching that machine's firewall to Jetico.
As for wip.bcf, I thought that was your file. When I load it into the fw, its title is 'My Rules', containing a Root table. Its Application Table contains Ask, DHCP, DNS, Messenger, P2P, Programs and Windows tables. In the Application Table there are right-facing, blue-green arrows pointing to each of the tables subordinate to the Application Table.
Sorry for the confusion.
Lars
Stem
May 7th, 2006, 07:56 PM
@PvA
Part 1
I have used the Bit tornado ruleset on Bittornado and utorrent with no problems
Stem
May 7th, 2006, 07:58 PM
@PvA
Part 2
Stem
May 7th, 2006, 08:08 PM
-{ Quote: "As for wip.bcf, I thought that was your file. ...." }-No, not mine. I only post "rulesets", not complete policies (changing the flow of the policy can cause some problems; all my uploaded rules are application based only, and will not compromise the system).
larzeb
May 8th, 2006, 01:27 AM
Stem,
I have a few questions about your posting #160. You said that once you copy over the loaded ruleset for BitTorrent from you, change the inbound port number and delete all torrent rules. Which ones, the ones we just changed, or do you mean to unload the one from you? Why would we delete what we just entered?
Assuming that we have the ruleset copied to our configuration with the changed inbound port number, I notice that you did not place the application name in any of the rules - they were blank. Will this address be placed in the rules when we point to this ruleset when asked what to do with BitTorrent from a pop-up message?
Confused
Stem
May 8th, 2006, 03:15 AM
-{ Quote: "I have a few questions about your posting #160. You said that once you copy over the loaded ruleset for BitTorrent from you, change the inbound port number and delete all torrent rules. Which ones, the ones we just changed, or do you mean to unload the one from you? Why would we delete what we just entered?" }-Sorry, was pushed for time, should have worded that better... Delete any other rules you have created yourself in the application rules or the ask user rules for your torrent client. The rules you have loaded from my ruleset will still be separate (not yet within the root policy), so leave that where it is.
-{ Quote: "Assuming that we have the ruleset copied to our configuration with the changed inbound port number, I notice that you did not place the application name in any of the rules - they were blank. Will this address be placed in the rules when we point to this ruleset when asked what to do with BitTorrent from a pop-up message?" }-This is a ruleset; there is no need to enter an application name within the ruleset itself. When you get the pop-up from Jetico for your torrent client, you select the BitTornado ruleset and a jump will be created for that application to the ruleset, and the ruleset will be imported into the root policy.
Hope this explains a little better,
Regards
PvA
May 8th, 2006, 06:41 AM
Thanks Stem,
The explanation in posts 159, 160 works perfectly. Jetico doesn't keep asking anything now. I assume the rule in the "Ask user" tree is just a "jump to" and nothing more, I hope.
It's kind of confusing, because the "handle as" rule in the ask user tree (right blue arrow) has preferences ---> protocol=any and event=any, which made me think. I tested it by blocking all applications in the new tree of the BitTorrent client and OK, the client stopped downloading or uploading! So that's very fine.
After that, funny thing is, I checked only one rule (access to network), the first one on top, and the application started running ??? Does this have something to do with my router? The port for the application is forwarded in the router... Is this OK?
Stem
May 8th, 2006, 07:22 AM
-{ Quote: "The explanation in posts 159, 160 works perfectly. Jetico doesn't keep asking anything now. I assume the rule in the "Ask user" tree is just a "jump to" and nothing more, I hope." }-Yes, make sure you have just the one rule for your torrent client (the rule is that a jump will be made to <ruleset> for that <named application> when <any protocol> and/or <any event> is processed for that <named application>). A bit confusing to start with, but stick with it... I hope the attached pic may explain better.
-{ Quote: "After that, funny thing is, I checked only one rule (access to network), the first one on top, and the application started running. Does this have something to do with my router? " }-If you only have the "access network" rule checked within the ruleset (all others unchecked), then the application will run, but all connections will either be blocked, or you will be prompted for rules.
-{ Quote: "The port for the application is forwarded in the router... Is this OK?" }-Yes, you will need to port forward the same port as in your rules.
PvA
May 8th, 2006, 09:09 AM
-{ Quote: "If you only have the "access network" rule checked within the ruleset (all others unchecked), then the application will run, but all connections will either be blocked, or you will be prompted for rules." }-
Well, I checked only "access network" and the application is running well connecting to the www uploading and downloading. To make sure Jetico does have the rules active I checked "apply policy" in optimal protection on top left. I even did a complete restart windows to make sure.
I ´ll have a look somewhere to upload pics, so you can see...
PvA
May 8th, 2006, 11:21 AM
I found out I just have to upload pics 8) Well, here it comes
pic removed*
PvA
May 8th, 2006, 11:23 AM
if you want more, just go ahead
pic removed*
Stem
May 8th, 2006, 01:29 PM
Hi PvA,
You must have another rule that is overriding, or your policy is corrupt. I see that you have a lot of activity in Ask user/system applications... why is there a system applications entry in Ask user? You also have a lot of packets going through the trusted zone.
If you are sure there are no other rules that are intercepting the packets for your torrent client, you may need to re-start: load a new "optimal policy"... and start again.
edit
You could upload your policy if you would like me to take a look.
PvA
May 8th, 2006, 02:14 PM
Ok, have a look. I hope it´s better now. :-\
Stem
May 8th, 2006, 03:14 PM
Hi PvA,
I see that you have removed a lot of rules from your policy before uploading, but you still have a lot of "allow inbound connections" within your policy.
Your policy is, well, a little messed up. I really think you should take the time to create a new policy, taking into account that the only programs that require inbound connections are server programs (apart from the inbound loopback, which in the default policy is covered by the trusted zone in the setup wizard).
larzeb
May 8th, 2006, 04:31 PM
Stem,
Another newb question. Does "access to network" mean access to the LAN or to the internet?
In your posts #55 and #60, you have different permissions for apps in System Applications. You mentioned that one of them was used for MS updates. Does this mean you have different configs floating around, and that you load them under different circumstances?
Thanks for all your help.
Stem
May 8th, 2006, 05:05 PM
Hi lars
-{ Quote: "Another newb question. Does "access to network" mean access to the LAN or to the internet?" }-This gives access to the trusted zone (set up in the "config wizard"), which is basically allowing loopback and access to pre-defined open rules (eg: listen ports) to the LAN (or IPs entered at config).
-{ Quote: "In your posts #55 and #60, you have different permissions for apps in System Applications. You mentioned that one of them was used for MS updates. Does this mean you have different configs floating around, and that you load them under different circumstances?" }-Yes, the ruleset in post #60 is my setup while general browsing (like when I visit this forum), and policies for others, such as updating from microshaft (it keeps a tight hold on comms).
-{ Quote: "Thanks for all your help." }-No problem,
larzeb
May 8th, 2006, 06:16 PM
Now I've got a new issue. I reverted the fw back to factory defaults to make sure everything was OK to start.
I'm working within Dreamweaver 8. I'm in their Extension Manager, where I can choose to go to Extension Exchange, a page on the internet.
Immediately when I click on that icon, I get the pop-up message which I've attached, to which I respond, allow. However, after that response, the web browser cannot see that site. Not only that site, but any other.
I also placed the resulting entry in the Process Attack Table.
What am I missing here?
Image removed. Please resize images to an acceptable size before posting - Ron
Stem
May 8th, 2006, 06:52 PM
Hi larzeb,
Your attachment has been removed... but before you resize/repost, there are some known problems with Dreamweaver 8/Extension Exchange/Manager; have you been to Adobe to check for updates?
PvA
May 9th, 2006, 05:40 AM
Hi Stem,
I made a complete reinstallation of Jetico, hoping this might look even better now :dry:
Stem
May 9th, 2006, 09:56 AM
Hi PvA,
Please check your PM
PvA
May 9th, 2006, 10:59 AM
thx for your help! :thumb:
rbendorf
May 13th, 2006, 04:09 PM
I have been reading this thread for sometime and have not found what I am looking for.
I have Jetico setup and am impressed by the power of the software. Yesterday I did a cclean and reg clean and today the outgoing traffic monitor is no longer working. Any suggestions? I also have Peer Guardian and Kaspersky AV on the system...other than that everything works great.
Rich
Stem
May 13th, 2006, 07:32 PM
-{ Quote: "..... and Kaspersky AV on the system..." }-Hi Rich,
Which version of KAV have you installed, as I have found some conflicts with KAV6 due to its "Proxy".
Others have reported no problems with this combination, but on my 2 setups I made with KAV6 I found that the outbound IP filter within Jetico was being bypassed by KAV6. (No outgoing packet count in the "Jetico traffic monitor")
raffnixpert
May 17th, 2006, 07:58 AM
-{ Quote: "
... you should always choose Handle as, use the drop down menu and click Jetico's drop down menu and choose web-browser if its either IE, Mozilla or Opera, if it's a mail client like Outlook Express, Mozilla Thunderbird choose web client, ...
For all other programmes which you trust like security programmes which need access to the internet for updates etc you choose the application trusted zone.
Cheers Khaz" }-
The above instructions do not mention some applications, which a user with my restricted knowledge cannot easily relate to the proper category and where I would need some guidance.
So, what is the "Handle as" with respect to:
1) avast WebShield (Port 12080)
2) avast Mail Provider
3) News-Server (NNTP) Terabyteunlimited.com (Port 1198 )
4) download of music clips like
http://www.jpc.de/sound/961/9618316_01.wma
I assume that not all of those should be associated with "Trusted Zone"?
What are the consequences of a wrong choice?
Should the Jetico Firewall be before or behind the avast WebShield, which is a proxy on port 12080? What would the configuration look like?
khazars
May 17th, 2006, 01:38 PM
you can put the first, third and fourth on your list into web-browser and the second one into mail-client!
Maybe Stem can comment, he/she knows more about this than I do!
Stem
May 18th, 2006, 04:44 PM
-{ Quote: "
So, what is the "Handle as" with respect to:
1) avast WebShield (Port 12080)
2) avast Mail Provider" }-Hi raffnixpert, the WebShield needs only outbound, as your browser does, so you can select Browser. For Mail, just select the "Handle as" Mail (as khazars has already posted).
I have installed avast to check, just to make sure that Jetico is still filtering through the SPI, and all appears to be OK.
-{ Quote: "3) News-Server (NNTP) Terabyteunlimited.com (Port 1198 )" }-I have been to this website you mention, but I am unable to locate this "News-server". Is this "server" downloadable from this website? (I would like to install it to check the ports/settings required.)
-{ Quote: "4) download of music clips" }-Are you downloading using your browser? If so, then the Browser rules should be OK. (Post if you are downloading using other software or are having problems with the downloads.)
-{ Quote: "What are the consequences of a wrong choice?" }-There are very few programs that require "inbound connections", so setting a program to "Trusted", which would allow the "inbound connections", is not always the best choice. If you are unsure of a program's rules, you can create a ruleset to "Allow all outbound (with logging)" and then set "Block all inbound (with logging)", so you can review the log to create a ruleset; or set an "Allow all inbound" rule to "Prompt (with logging)" (but this is not a good idea if you are using any sort of filesharing program where a lot of inbound connections are required), which then gives you an option to block or allow while the program is online (you can then review the log to create a ruleset). Or post the program name here on the forum (a download link for the program may help), and someone, I'm sure, will help you to create a ruleset.
-{ Quote: "Should the Jetico Firewall be before or behind the avast WebShield, which is a proxy on port 12080? What would the configuration look like?" }-As I mentioned, I have just installed "Avast"; after the installation, Jetico re-configured its network driver and called for a re-boot, so the config is performed automatically (Avast WebShield is "listening" on port 12080 and all running OK).
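Stem's "allow all outbound with logging, block all inbound with logging, then read the log" method above is the same log-reading step as in the VPN exchange with mpeg on April 27th (the blocked packet from the works VPN server, fixed by allowing that trusted IP) and Mr. Y's question about seeing port 137/138 hits. As an added example, not from the thread and not Jetico's own tooling, here is a Python script that parses log lines laid out like the one line mpeg quoted (that field layout is an assumption; real Jetico logs may differ), groups the rejected inbound packets by local port, separates packets from IPs you have declared trusted (the VPN case) from unsolicited ones (the NetBIOS case), and drafts the rule decisions. The sample log lines are constructed.

```python
"""Summarise blocked packets from a Jetico log to work out which rules a program needs.

Added example; not Jetico's own code and not from the thread. The field layout is
assumed from the single log line quoted earlier in the thread:
  <date> <time> <action> <rule name> <size> <proto> <incoming|outgoing> packet
  <src ip> <dst ip> <src port> <dst port>
Real Jetico logs may differ; adjust LOG_RE if so. SAMPLE_LOG is constructed.
"""
import re
from collections import Counter

NETBIOS_PORTS = {137, 138}  # the ports asked about in the thread

LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<action>\w+) (?P<rule>.+?) (?P<size>\d+) "
    r"(?P<proto>TCP|UDP|ICMP) (?P<direction>incoming|outgoing) packet "
    r"(?P<src>\d+\.\d+\.\d+\.\d+) (?P<dst>\d+\.\d+\.\d+\.\d+) (?P<sport>\d+) (?P<dport>\d+)$"
)

# Constructed sample: a works VPN server (203.0.113.10) whose replies are being
# dropped, two LAN hosts probing NetBIOS, one internet host probing 445, one
# outbound reject, one allowed line, and one line in another format.
SAMPLE_LOG = """\
2006-04-27 05:23:01 reject Block all not processed packets 44 TCP incoming packet 203.0.113.10 192.168.1.100 1723 3065
2006-04-27 05:23:03 reject Block all not processed packets 44 TCP incoming packet 203.0.113.10 192.168.1.100 1723 3065
2006-04-27 05:24:10 reject Block all not processed packets 78 UDP incoming packet 192.168.1.50 192.168.1.100 137 137
2006-04-27 05:24:11 reject Block all not processed packets 78 UDP incoming packet 192.168.1.51 192.168.1.100 137 137
2006-04-27 05:25:00 reject Block all not processed packets 48 TCP incoming packet 198.51.100.7 192.168.1.100 4444 445
2006-04-27 05:26:30 reject Block all not processed packets 60 TCP outgoing packet 192.168.1.100 198.51.100.9 3070 80
2006-04-27 05:27:00 accept Web browser 52 TCP outgoing packet 192.168.1.100 198.51.100.9 3071 80
Jetico log opened
"""


def parse_log(lines):
    """Return one dict per parsable line; lines in another format are skipped."""
    entries = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            e = m.groupdict()
            for k in ("size", "sport", "dport"):
                e[k] = int(e[k])
            entries.append(e)
    return entries


def summarise(entries, trusted=frozenset()):
    """Group rejected inbound packets and draft rule suggestions.

    trusted: remote IPs you control or trust (e.g. the works VPN server). Inbound
    packets from them are candidates for an explicit allow rule; everything else
    that arrives unsolicited stays blocked, with NetBIOS probes called out.
    """
    inbound = [e for e in entries if e["action"] == "reject" and e["direction"] == "incoming"]
    by_port = Counter((e["proto"], e["dport"]) for e in inbound)
    netbios_hits = sum(n for (_, port), n in by_port.items() if port in NETBIOS_PORTS)

    trusted_inbound = sorted({(e["src"], e["proto"], e["sport"], e["dport"])
                              for e in inbound if e["src"] in trusted})
    untrusted_sources = {}  # (proto, local port) -> set of remote IPs
    for e in inbound:
        if e["src"] not in trusted:
            untrusted_sources.setdefault((e["proto"], e["dport"]), set()).add(e["src"])

    suggestions = [f"allow inbound {proto} from trusted {src} remote port {sport} local port {dport}"
                   for src, proto, sport, dport in trusted_inbound]
    for (proto, port), srcs in sorted(untrusted_sources.items()):
        if port in NETBIOS_PORTS:
            suggestions.append(f"keep blocking inbound {proto} to local port {port} (NetBIOS, {len(srcs)} source(s))")
        else:
            suggestions.append(f"keep blocking unsolicited inbound {proto} to local port {port} ({len(srcs)} source(s))")
    return {"inbound_by_port": by_port, "netbios_hits": netbios_hits,
            "trusted_inbound": trusted_inbound, "suggested_rules": suggestions}


if __name__ == "__main__":
    import sys
    # usage: python jetico_log_review.py [logfile] [trusted-ip ...]; no args runs the sample
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for line in summarise(parse_log(text.splitlines()), set(sys.argv[2:]))["suggested_rules"]:
        print(line)
```

The "allow" lines map onto what Stem told mpeg: one explicit rule for the trusted VPN server rather than opening the inbound event for everyone. The "keep blocking" lines are the 137/138 hits Mr. Y wanted to see, pulled out of the block-all log instead of the GUI.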
poirot
May 19th, 2006, 06:57 AM
I was induced to experiment with Jetico by this post and I want to say two things: thanks to Stem and all others who contributed; without this post it would have been much harder, as I initially found Jetico's ways an alien line of thought (I mean from another planet) and I couldn't find any English non-Jetico manual, only a couple in Spanish, albeit well written:
http://www.geocities.com/ladidel_jetico/jeticoindex
and another,more like Jetico Help at
http://www.wikilearning.com/
The second thing I want to say is that installing Jetico in place of Sunbelt Kerio had the same effect as if I had doubled the RAM, making the PC in question twice as quick, so I will go to any length in order to learn its ways.
Now I am beginning to understand a bit, but what annoys me is that when I go online with my limited account there's an initial Jetico pop up warning that the log space / disk space is insufficient. I changed the space allocated from the standard 1000kb to 3000kb, but I still receive the alert.
Also in the limited account there's no trace of outbound logging.
Which is nearly the only available logging, since it runs behind a router.
(But it works fine in the admin account.)
My question is: how can I apply the same Optimal Protection and general config to a limited account? What particular files need to be copied and, most importantly, where? (I couldn't find in C:/Program files /Jetico any differentiation between accounts, hence I don't know where to start.)
Stem
May 19th, 2006, 09:04 AM
Hi poirot,
-{ Quote: "My question is: how can i apply the same Optimal Protection and general config to a limited account? What particular files need to be copied and,most importantly, where? (i couldnt find in C:/Program files /Jetico any differentiation btw accounts, hence i dont know where to start to)" }-
You can find the admin's config file in: Documents and settings/your folder name/application data/jetico personal firewall/1.0/ ..... copy the optimal.bcf over to the same location in the user account/folders.
-{ Quote: "Now I am beginning to understand a bit, but what annoys me is that when I go online with my limited account there's an initial Jetico pop up warning that the log space / disk space is insufficient. I changed the space allocated from the standard 1000kb to 3000kb, but I still receive the alert.
Also in the limited account there's no trace of outbound logging.
Which is nearly the only available logging, since it runs behind a router." }-In Windows create a separate folder for the log files, then set the permissions on that folder so that the user can modify/write to that folder. (I am at work, so don't have an XP box, but to set permissions on folders in W2K you have to right click the folder / properties / security / select the user and tick the boxes to allow modify/write. I think it's the same in XP.)
Then open Jetico/options/log .. and browse to and select the log folder you have created.
Do all the above while in admin, when you switch users, the user can then write/modify the jetico log folder.
Sorry the explanation is a little rushed, at work must dash.....
Post back if any problems,....
poirot
May 19th, 2006, 11:31 AM
Thanks a lot Stem, I'll do it asap!
olap
May 25th, 2006, 03:13 PM
A well-configured Jetico passes the Internet Explorer and Firefox "DNSTESTER" leaktest!
I'll post my Optimal.bcf later!
olap
May 25th, 2006, 07:28 PM
OK, I have tested and retested on 2 machines; it works!
This is my configuration that blocks "dnstester.exe", tested in all modes.
Can someone test it, to confirm?
You need to enter your ISP name server IP in "DNS" send & receive datagrams (svchost).
If you install KAV6 (without Web Anti-Virus, which conflicts with the Jetico outgoing monitor)
and with Proactive Defense enabled (enable Application Activity Analyzer, Application Integrity Control and Registry Guard), you will be able to stop the "jumper.exe" leaktest too.
KAV recognises the "Breakout-en.exe" leaktest as "Trojan program Trojan-Clicker.Win32.Small.ip", so I think a real Trojan with a similar function to "Breakout.exe" will not pass. With Jetico and KAV you are 27/27 outgoing protected.
Have Fun..
raffnixpert
June 7th, 2006, 08:42 PM
I am a bit late with this post but I think I will follow up my post #181 and Stem's answers given in #183 before I study the excellent but voluminous stuff in poirot's Spanish links.
My original question in #181 was:
So, what is the "Handle as" with respect to:
1) avast WebShield (Port 12080)
2) avast Mail Provider
3) News-Server (NNTP) Terabyteunlimited.com (Port 1198 )
4) download of music clips like http://www.jpc.de/sound/961/9618316_01.wma
Concerning the cooperation of avast WebShield and Jetico:
-{ Quote: "As I mentioned, I have just installed "Avast", after the installation, Jetico re-configured its network driver, and called for a re-boot,..so the config is performed automatically (Avast webshield is "listening" on port 12080 and all running o.k.)" }-
Does that mean you installed avast for test purposes on your system with Jetico being already present and that the sequence of installing matters? (I started with avast and subsequently added Jetico.)
Concerning "News-Server (NNTP) Terabyteunlimited.com (Port 1198 )":
-{ Quote: "I have been to this website you mention, but I am unable to locate this "News-server". Is this "server" downloadable from this website? (I would like to install to check the ports/settings required) " }-
For subscription to the Terabyte Newsgroup see the attached Thunderbird account.
Concerning download of music clips from http://www.jpc.de:
Once on their website choose a music title, click on "Hörproben" and select a track number. The clips offered are wma files. My setting under Firefox Downloads is "Open with Windows Media Player".
Stem
June 8th, 2006, 06:41 AM
Hi raffnixpert,
-{ Quote: "Does that mean you installed avast for test purposes on your system with Jetico being already present and that the sequence of installing matters? (I started with avast and subsequentially added Jetico)." }-I did install Avast while Jetico was already installed (just for testing), but this should not change the fact I found no conflict, as Jetico would/should install correctly. If you are having any problems/doubts, I will re-install "Avast first" to re-check.
-{ Quote: "For subscription to the Terabyte Newsgroup see the attached Thunderbird account." }-Are you currently using the "Mail Client" ruleset for Thunderbird? If so, you should simply be able to add a rule for this port. (I can post back with full instructions on how to do this, if needed, later tonight.)
For the downloading of your music using "Firefox=> Media player", there will need to be rules set up for "Media Player" (and an attack rule to allow firefox=>Media player),.... I will set up tonight to check which ports/rules are required, and post them. (Sorry,.. but dont have much time to check this now, but will find time tonight)
Stem
June 8th, 2006, 04:50 PM
Hi raffnixpert,
-{ Quote: "Concerning download of music clips............" }-I have setup "Firefox" for WMA files to "Open with Windows Media Player". (this is the dynamic plugin) At the moment when I follow your instructions -{ Quote: "Once on their website choose a music title, click on "Hörproben" and select a track number. The clips offered are wma files." }- the WMA file is played without the need for any further rules (default Jetico browser rules)
-{ Quote: "Concerning "News-Server (NNTP) Terabyteunlimited.com (Port 1198 )"" }-As I mentioned in my last post, if you are using the "Mail client" rules for Thunderbird, then add a rule to the mail client ruleset to allow outbound to port 1198 (example attached)
raffnixpert
June 8th, 2006, 07:59 PM
Thank you Stem for taking such efforts to help newbies with Jetico. Your explanations are clear and precise. I think these screenshots with red arrows are of particular importance for beginners to become acquainted and familiar with configuring Jetico. I remember having seen such red arrows elsewhere in this thread and I think I will study these as well.
sharkking
June 13th, 2006, 04:26 AM
-{ Quote: "@Jetico users,
I have been testing Jetico using a large "block" file to block the IPs from known spyware. I did this due to the possibility of the "HOSTS" file being bypassed using an IP rather than the site URL. I have been running this for a few days with no slow down or problems, so I thought I would upload the file for any who wish to use this. The current file contains an updated list of spyware IPs (717,438 sites); the original list is from http://www.bluetack.co.uk which I have converted, so Jetico can use it.
First you should run the Jetico "configuration wizard" and note the "trusted zone" IPs (which you may need to re-enter)........ download the attached file, remove the .txt extension, and copy to the Jetico / config folder (save the old one first, if needed). Then re-run the "configuration wizard" and re-enter the IPs in the "trusted zone" if needed.
Safe surfing,..." }-
Hi,
I used this block list and tried to set a rule for Firefox so that it doesn't access the blocked IPs. However, it seems that Jetico doesn't work with the System Blocked Zone. Any idea?
TIA
Stem
June 13th, 2006, 07:13 AM
Hi sharkking,
The "blocked zone" will over-ride (block) any Jetico "Allow" rules to those IPs. If you want to access one or more of the IP addresses that are within the "Blocked zone" then you should edit (remove) these by going into the Jetico "configuration wizard".
If you want only to remove one IP, but do not know the IP of the site, then go to a "whois" site, such as Samspade (http://www.samspade.org/) where you can enter the site name and this will give you the IP info.
If you want to remove all the blocked IPs, then run the "configuration wizard", and in the "Blocked zone", select "remove all".
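An added example, not code from the thread or from Jetico, of the conversion Stem's quoted post describes and of the reason he gives for it. It assumes the bluetack list is in the PeerGuardian "P2P" plaintext format (one "Description:first-last" range per line); the sample entries, the HOSTS entry and the name-to-IP mappings are constructed with RFC 5737 documentation addresses. Ranges are merged and expressed as CIDR blocks, membership is a binary search, and the last function shows the HOSTS limitation: a block by name does nothing for a connection made straight to the IP, while the IP blocked zone still catches it.

```python
import bisect
import ipaddress

# Constructed sample in the PeerGuardian/Bluetack "P2P" plaintext format,
# "Description:first-last", one range per line. The addresses are the
# RFC 5737 documentation nets, not a real spyware list.
SAMPLE_P2P = """\
# comment lines and blank lines are ignored

Example adware host:192.0.2.10-192.0.2.10
Example tracking net:198.51.100.0-198.51.100.255
Example ad network:203.0.113.64-203.0.113.95
"""


def parse_p2p(text):
    """Return a sorted, merged list of (first, last) integer IPv4 ranges."""
    ranges = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _desc, _, span = line.rpartition(":")   # description may itself contain ':'
        first, _, last = span.partition("-")
        a = int(ipaddress.IPv4Address(first))
        b = int(ipaddress.IPv4Address(last))
        if b < a:
            raise ValueError(f"inverted range in {line!r}")
        ranges.append((a, b))
    ranges.sort()
    merged = []
    for a, b in ranges:
        if merged and a <= merged[-1][1] + 1:      # overlapping or adjacent
            merged[-1] = (merged[-1][0], max(merged[-1][1], b))
        else:
            merged.append((a, b))
    return merged


def to_cidrs(ranges):
    """Express each range as the minimal list of CIDR blocks."""
    out = []
    for a, b in ranges:
        out.extend(str(n) for n in ipaddress.summarize_address_range(
            ipaddress.IPv4Address(a), ipaddress.IPv4Address(b)))
    return out


class BlockedZone:
    """IP-level block list: membership by binary search over range starts."""

    def __init__(self, ranges):
        self.ranges = ranges
        self.starts = [a for a, _ in ranges]

    def contains(self, ip):
        n = int(ipaddress.IPv4Address(ip))
        i = bisect.bisect_right(self.starts, n) - 1
        return i >= 0 and self.ranges[i][0] <= n <= self.ranges[i][1]


# Constructed name-based block (HOSTS style) and a constructed resolver.
SAMPLE_HOSTS = {"ads.example.net": "127.0.0.1"}
SAMPLE_DNS = {"ads.example.net": "198.51.100.23", "clean.example.org": "203.0.113.200"}


def is_literal_ip(target):
    try:
        ipaddress.IPv4Address(target)
        return True
    except ValueError:
        return False


def hosts_blocks(target):
    """A HOSTS entry only applies when the program resolves the *name*;
    a connection made straight to an IP never consults HOSTS."""
    if is_literal_ip(target):
        return False
    return SAMPLE_HOSTS.get(target) == "127.0.0.1"


def connection_allowed(target, zone):
    """HOSTS check by name first, then the IP blocked zone on the real address."""
    if hosts_blocks(target):
        return False
    ip = target if is_literal_ip(target) else SAMPLE_DNS[target]
    return not zone.contains(ip)


if __name__ == "__main__":
    zone = BlockedZone(parse_p2p(SAMPLE_P2P))
    print(to_cidrs(zone.ranges))
    for t in ("ads.example.net", "198.51.100.23", "clean.example.org"):
        print(t, "allowed" if connection_allowed(t, zone) else "blocked")
```

For a list the size Stem mentions (hundreds of thousands of entries) the merge step matters as much as the lookup: adjacent ranges collapse into single CIDR blocks, and the sorted start list keeps each check to a single bisect.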
sharkking
June 13th, 2006, 09:40 PM
-{ Quote: "Hi sharkking,
The "blocked zone" will over-ride (block) any Jetico "Allow" rules to those IPs. If you want to access one or more of the IP addresses that are within the "Blocked zone" then you should edit (remove) these by going into the Jetico "configuration wizard".
If you want only to remove one IP, but do not know the IP of the site, then go to a "whois" site, such as Samspade (http://www.samspade.org/) where you can enter the site name and this will give you the IP info.
If you want to remove all the blocked IPs, then run the "configuration wizard", and in the "Blocked zone", select "remove all"." }-
Hi Stem,
Thanks for your quick reply. However, the problem is that I used the setting.xml that you attached in one of your posts and have all of the needed blocked IPs in setting.xml configured properly (by checking again with Jetico configure). I tested it with Firefox with one IP in the block list and Firefox could still access that page. Can you re-check and confirm that?
Ciao
sharkking
June 13th, 2006, 10:13 PM
-{ Quote: "Hi Stem,
Thanks for your quick reply. However, the problem is that I used the setting.xml that you attached in one of your posts and have all of the needed blocked IPs in setting.xml configured properly (by checking again with Jetico configure). I tested it with Firefox with one IP in the block list and Firefox could still access that page. Can you re-check and confirm that?
Ciao" }-
Well, please disregard this as I found out I'm behind a proxy and the block list doesn't work with a proxy server.
Ciao
Stem
June 14th, 2006, 03:26 AM
-{ Quote: "Well, please disregard this as I found out I'm behind a proxy and the blocked list doesn't work with proxy server.
Ciao" }-Hi, there are some issues with Jetico and installed proxy servers. At times, this is not a good combination.
djg05
June 14th, 2006, 02:55 PM
With all the noise about Jetico at the moment I decided to give it another go having not had any success with it in the past. I had a rule set d/l in case of trouble. This time however it installed ok and ran without much problem.
Although it uses less memory than Kerio 4, I do not find that there is any increase in speed either browsing or in normal use.
I am getting plagued with a plethora of pop ups for the same program all the time. Also I cannot find any way of restricting a program once it is in the application table. Right clicking on the application does not give an option to alter it.
Green Dragon
June 14th, 2006, 06:47 PM
I want to ask you something different
Is Jetico recognized by the security center in Windows XP?
Sorry for my bad English
Stem
June 15th, 2006, 05:46 AM
Hi Green Dragon,
-{ Quote: "Is Jetico recognazed by security center in Windows XP?" }-No, it is not. (you would need to disable the security center alert)
Stem
June 15th, 2006, 05:49 AM
Hi David,-{ Quote: "I am getting plagued with a plethora of pop ups for the same program all the time. Also I cannot find any way of restricting a program once it is in the application table. Right clicking on the application does not give an option to alter it." }-Which program is giving you all the popups? We can go through the creation of a ruleset if you want to?
EDIT,
On call out (work) will be back in about 5 or 6 hours,....
djg05
June 15th, 2006, 08:41 AM
-{ Quote: "Hi David, Which program is giving you all the popups? We can go through the creation of a ruleset if you want to?" }-
Thanks Stem
It is every program that wants net access popping up
Avast
Proxo
Mozilla
Firefox etc.
Even once connected with Moz, a fresh page will bring an alert for Proxo
I am accepting the defaults "Allow this activity" and remember my answer.
No rulesets have been imported.
Stem
June 15th, 2006, 11:03 AM
Hi David,
O.K. lets start from the basics.
But first, I am going to install "proxo" (as your setup), as I have not used this with Jetico, so I am not sure what effect this will have on the rulesets needed (if the default "browser" rules can be used "as is" or not), or if "proxo" may cause problems.......
Stem
June 15th, 2006, 12:22 PM
Hi David,
O.K., I have installed "Proxo", so let's begin. First, please either revert to the Jetico "factory settings" or load a new "optimal protection" and make this active. (To reset, open Jetico / file and select "revert to factory settings",..... or to load a new "optimal policy", file / open / browse to your Jetico/config folder and open "optimal.bcf"; when loaded, right click this loaded policy and select "Apply policy".)
(Post if any questions)
Once done, start "Proxo", you will be prompted by Jetico,.. select "HANDLE AS"__ "web browser" (see attached pic).
Now you can start "Firefox" (I assume the proxy settings in Firefox are already made for "Proxo" (127.0.0.1:8080)). When prompted by Jetico, [because Firefox is set up to use the "proxo" proxy, you can just "allow network access"] OR to save any confusion you can select "HANDLE AS"__ "web browser". That should bring you online,..
If you are prompted by Jetico for "Avast", again, simply select "HANDLE AS"__ "web browser" (this will allow Avast to connect out for updates/ web shield (is avast web shield on? config for Proxo?)) Avast may want to connect out to FTP (remote port 21), check any alert for this, if it does then select "HANDLE AS"__ ftp client (but on my short use of Avast, it only updated using HTTP)
Post if questions,...or when you are ready to continue,...
djg05
June 15th, 2006, 01:13 PM
-{ Quote: "Hi David,
Post if questions,...or when you are ready to continue,..." }-
Thanks Stem
Yes I get that. Basically anything that wants to connect to the 'net you allow as a web browser? Does that also apply to a time check program I have that connects to a time server?
Now I am getting a lot of the type below. This was initiated by starting Word 95 from the MS Office Toolbar. A whole van load of these come up and seem to cycle through every running program.
Stem
June 15th, 2006, 01:31 PM
-{ Quote: "Thanks Stem
Yes I get that. Basically anything that wants to connect to the 'net you allow as a web browser? Does that also apply to a time check program I have that connects to a time server?" }-You will need to check the info given by Jetico. Check the "remote port" that the program is trying to connect to; the remote port is normally static (always the same) but the local port will change, so if the program is attempting to connect to remote port 80, and you trust the program, then yes, select the "browser rules". If the program is attempting to connect to, for example, remote port 123, then you would need to edit/create a rule (I will find an example of this, and post).
-{ Quote: "Now I am getting a lot of the type below. This was initiated by starting Word 95 from the MS Office Toolbar. A whole van load of these come up and seem to cycle through every running program." }-You should block this. But, make sure this does not cause connection problems (just about any MS program will attempt network access, one way or another,.. )
Stem
June 15th, 2006, 02:01 PM
Hi David,
Below is an alert from Jetico, as "Svchost" is attempting to connect to MS time server.
You will see from the rule:
Event: o.k.
Protocol: o.k.
local address: o.k.
local port: Now, this is where there can be some confusion. In this rule it is showing "any", which can be allowed for a trusted program. Sometimes when a rule comes up, this "local port" may have a number, for example 2000. Now if the rule shows a local port, and you allow/remember the rule, then only a connection from this local port will be allowed. So for this (if a port number is shown) you would need to edit (will post to show how next).
Remote address: o.k. for this program. If this is the address that the program will always connect to, then this is o.k. (but if this program was a browser, or a program that may need to connect to any address, then you would need to edit this).
Remote port: As mentioned, this is normally static for such a program (an exception is FTP)
So this rule, for svchost, for connecting to "time" is o.k. as is
Rilla927
June 15th, 2006, 02:32 PM
Hi folks!
I have been following this thread from the start and all I can say is "Stem, you are a GODSEND". You are giving others the opportunity that normally they wouldn't have and I thank you for that;)
Stem
June 15th, 2006, 02:51 PM
Hi David,
The points I made in my last post concerning,
local port:
remote address:
If these as I mentioned need editing, you would select custom, (I know this says "reject", but this is the only way to edit while the rule is up at this point), EDIT rule.
You will see the rule opened out, and I have arrowed:-
Change the "verdict" to accept (as you are allowing this rule)
You can see from the pic, where the entries are for:
local port (local address/port) if this had a port number, you would need to change this to "any" for a trusted program, or, as I do, you could change this to a port range of 1024-5000
Remote address: As mentioned, this may be correct, if that is the only site that is needed by the program, or you may need to change this to "any".
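An added example (editorial, not Jetico's code and not from the thread) of a small rule matcher with the same fields a Jetico alert shows, to make concrete the local-port pitfall Stem walks through in the two posts above and what "Handle as web browser" and "trusted" amount to. The time server address, the process names and the connection samples are assumed; the edited local port range is Stem's 1024-5000.

```python
import ipaddress
from dataclasses import dataclass

ANY = "any"


@dataclass(frozen=True)
class Rule:
    """One row of an application ruleset, with the fields a Jetico alert shows."""
    app: str
    direction: str         # "OUT" (outbound connection) or "IN" (inbound connection)
    protocol: str          # "TCP" or "UDP"
    local_port: object     # ANY, a port number, or a (low, high) range
    remote_addr: object    # ANY, a single address, or a CIDR network
    remote_port: object    # ANY, a port number, or a (low, high) range
    verdict: str = "accept"


@dataclass(frozen=True)
class Conn:
    """A connection attempt as the firewall sees it."""
    app: str
    direction: str
    protocol: str
    local_port: int
    remote_addr: str
    remote_port: int


def port_matches(spec, port):
    if spec == ANY:
        return True
    if isinstance(spec, tuple):
        low, high = spec
        return low <= port <= high
    return spec == port


def addr_matches(spec, addr):
    if spec == ANY:
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule, conn):
    return (rule.app == conn.app and rule.direction == conn.direction
            and rule.protocol == conn.protocol
            and port_matches(rule.local_port, conn.local_port)
            and addr_matches(rule.remote_addr, conn.remote_addr)
            and port_matches(rule.remote_port, conn.remote_port))


def decide(rules, conn):
    """First matching rule wins; with no match the firewall pops up again."""
    for rule in rules:
        if rule_matches(rule, conn):
            return rule.verdict
    return "ask"


def browser_rules(app):
    """What 'Handle as web browser' amounts to: outbound TCP to 80 and 443 only."""
    return [Rule(app, "OUT", "TCP", ANY, ANY, 80),
            Rule(app, "OUT", "TCP", ANY, ANY, 443)]


def trusted_rules(app):
    """'Application trusted zone': everything out and everything in."""
    return [Rule(app, "OUT", "TCP", ANY, ANY, ANY), Rule(app, "OUT", "UDP", ANY, ANY, ANY),
            Rule(app, "IN", "TCP", ANY, ANY, ANY), Rule(app, "IN", "UDP", ANY, ANY, ANY)]


# The pitfall from the post: the alert showed local port 2000 and was remembered as-is.
# 203.0.113.9 stands in for the time server (constructed address).
REMEMBERED = Rule("svchost.exe", "OUT", "UDP", 2000, "203.0.113.9", 123)
# The edited version: local port widened to the 1024-5000 range.
EDITED = Rule("svchost.exe", "OUT", "UDP", (1024, 5000), "203.0.113.9", 123)

FIRST_SYNC = Conn("svchost.exe", "OUT", "UDP", 2000, "203.0.113.9", 123)
NEXT_SYNC = Conn("svchost.exe", "OUT", "UDP", 2001, "203.0.113.9", 123)

if __name__ == "__main__":
    print("remembered, first sync:", decide([REMEMBERED], FIRST_SYNC))   # accept
    print("remembered, next sync: ", decide([REMEMBERED], NEXT_SYNC))    # ask
    print("edited, next sync:     ", decide([EDITED], NEXT_SYNC))        # accept
```

The remembered rule matches the connection it was created from and nothing after it, because the next sync comes from a different ephemeral local port; that is the "plethora of pop ups for the same program" symptom. The browser ruleset says nothing about inbound connections or about remote port 21, so either of those produces a fresh prompt rather than an accept, which is why FTP updaters need the separate "FTP client" rules.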
djg05
June 15th, 2006, 04:51 PM
Thanks Stem for all the input.
All seemed to be going fine till Jetico decided without warning to block all access to the web. A reboot resolved it for a while then it happened again. The third time after I had been away for about an hour, I had to uninstall it and go back to Kerio since it was stopping me from doing any work.
Interestingly although Kerio uses more memory I find it is faster than Jetico in all aspects. Maybe it is not tuned in very well.
One program that is causing a problem is a mouse gesture one called StrokeIt. The option to "handle as" is greyed out because it is injecting code into another program. Of course it would, since it is controlling it for an instance. Don't know if that is why Jetico is closing things down. If you have any thoughts I will look at it again.
Stem
June 15th, 2006, 05:45 PM
Hi David,
-{ Quote: "All seemed to be going fine till Jetico decided without warning to block all access to the web. A reboot resolved it for a while then it happened again. The third time after I had been away for about an hour, I had to uninstall it and go back to Kerio since it was stopping me from doing any work." }-What MS applications were you running at the time? I have found problems with MS programs such as MS Word (and 1 or 2 other programs), which for some reason require "network access" (not internet connection) and if blocked can cause problems. I did allow "network access" then placed a rule to "block all" for MS Word, and this solved my problem.
Can you remember what MS applications (and others) you had running (MS Office?) and were these blocked from network access?
If you do get blocked from access to the internet, before re-booting, try, "right click Jetico tray icon / security policy / and select:- block all", then re-select "optimal protection"
djg05
June 15th, 2006, 06:15 PM
-{ Quote: "Hi David,
What MS applications were you running at the time? I have found problems with MS programs such as MS Word (and 1 or 2 other programs), which for some reason require "network access" (not internet connection) and if blocked can cause problems. I did allow "network access" then placed a rule to "block all" for MS Word, and this solved my problem.
Can you remember what MS applications (and others) you had running (MS Office?) and were these blocked from network access?
" }-
The only one running was MS Toolbar which I think is the '95 version. I do have Office 97 but nothing later. The only programs running were
Mozilla
Pocomail
Outlook 98 (just remembered that one)
PG
Avast
BOClean
Socketwatch (Time checker)
Download Mage
I think those are the main ones.
None of them have caused problems with other f/w's
Looking at 'Active Ports' the only one listening are
System
lsass
Avast
Oodag (defrager)
Kerio
Mozilla
Proxo
Stem
June 15th, 2006, 06:35 PM
Were/are any of these programs blocked from network access?
What is your connection type? are you behind a router? (DHCP / fixed IP)
Check Jetico log for any blocked packets.
Devil's Advocate
June 16th, 2006, 04:11 AM
-{ Quote: "Hi David,Which program is giving you all the popups? We can go through the creation of a ruleset if you want to?
" }-
Nah, why bother with understanding, just download and use the rule set here
http://www.wilderssecurity.com/showthread.php?t=134029 and be done with it!
;D
Your advice with Proxomitron is okay, but I prefer a tighter rule set myself when using such web proxies.
Stem
June 16th, 2006, 05:03 AM
-{ Quote: "Your advice with Proxomitron is okay, but I prefer a tighter rule set myself when using such web proxies." }-The default ruleset for "Browsers" within Jetico, which I advised to use for "Proxo", allows only outbound connections to HTTP/HTTPS,.. nothing more. Should "proxo" not be allowed outbound to HTTPS? As that is the only way to make the ruleset any tighter (without blocking it altogether).
djg05
June 16th, 2006, 06:26 AM
-{ Quote: "Where/are any of these programs blocked from network access?
What is your connection type? are you behind a router? (DHCP / fixed IP)
Check Jetico log for any blocked packets." }-
I am behind a router f/w with a fixed IP. DNS servers are fixed.
I think some of them were blocked. Can't check the logs as I have had to remove it to get some work done, but will try it out again this evening
djg05
June 19th, 2006, 03:00 PM
I had another go at installing it over the weekend. Apart from the hassle it presents I find that it slows my web access speed down by roughly half. There is also the fact others have mentioned that it does not install as a service.
khazars
June 19th, 2006, 03:25 PM
Stem, pertaining to post 209, why is svchost connecting to windows.time.com and what is initiating svchost? Is it just for time sync and should it be allowed?
Stem
June 19th, 2006, 04:19 PM
-{ Quote: "stem, pertaining to post 209 why is svchost connecting to windows.time.com for and what is initiating svchost?" }-Windows service "Windows Time"
-{ Quote: "Is it just for time sync......" }-Yes
-{ Quote: "......and should it be allowed?" }-If you have this service enabled, and want it to run correctly, yes..... If not, go into "Control panel \ Administrative Tools \ services" and disable "Windows Time"
khazars
June 20th, 2006, 06:02 AM
cheers!
Green Dragon
June 21st, 2006, 01:45 AM
Hi guys
I am a newbie about how firewalls work, but this discussion helps me a lot.
I have a few questions.
a) As I see in Stem's post #67, he has handled Ad-Aware and Spybot S&D as "Web browser" rather than "Trusted Application". What is the difference between these two?
b) What about other security applications such as Ewido and a-squared with a need for daily updates? Is "Web browser" a better choice than "Trusted Application" too?
c) There are a lot of applications with a need for occasional search for updates, such as Acrobat reader, motherboard software, Samsung mobile suite, creative software etc. I prefer to search for these updates manually. Is " handle as Trusted Applications" the correct way or you suggest something else?
Thanks a lot for your help. Have a nice day.
Stem
June 21st, 2006, 09:19 AM
Hi Green Dragon,
Just about any software that requires update can achieve this by either HTTP/HTTPS or FTP.
Setting an updater as handle as "browser" will give the program the ability to make outbound connections to HTTP/HTTPS, which in most cases is sufficient, some updaters may require FTP, and a firewall will alert that the program is attempting an outbound connection to remote port 21, in this case you would also Handle as "FTP client".
Placing a program in the "application trusted zone" will allow the program all outbound and all inbound (unrestricted). This is up to you; for me, I only allow outbound connections (to defined ports) for such programs.
Green Dragon
June 21st, 2006, 05:15 PM
Hi Stem
-{ Quote: " Just about any software that requires update can achieve this by either HTTP/HTTPS or FTP...... Setting an updater as handle as "browser" will give the program the ability to make outbound connections to HTTP/HTTPS, which in most cases is sufficient...... some updaters may require FTP, and a firewall will alert that the program is attempting an outbound connection to remote port 21, in this case you would also Handle as "FTP client". " }-
a) I have set any software that requires updates (Ad-Aware, Ewido, Spybot, QuickTime, Registry Mechanic, etc.) in the same manner.
At the first popup: "access to network"....... the choice is "allow".
At the second popup: "request for outbound connection"...... the choice is "handle as Web browser". Am I right?
All my programs work fine now.
b) The only exception was MSN Messenger and ICQ where the choice was "handle as Application Trusted Zone". It was the only way to work.
Is there any different suggestion?
c) I would like to have a better understanding of how you have made two different ruleset settings. For instance, one for browsing only and another for Windows and other updates.
Stem thanks for your valuable help.
Apologize for my bad English.
Stem
June 21st, 2006, 09:25 PM
Hi Green Dragon,
a) For programs such as browsers / updaters etc., when prompted for "network access" you can simply just select "handle as browser" (there is an "allow network access" within the "browser" rule).
b) I did post a ruleset for MSN Messenger in post #106 (instructions on loading these are in the previous posts to that). I didn't get any feedback on whether the ruleset was o.k. or not (I do not use MSN myself, so never fully tested it). You could try this if you want to?
c) You can load as many rulesets as you want to within Jetico: open Jetico, file/open, browse to your Jetico config folder, where you will see the base rulesets. You can load another "optimal protection", configure this, let's say for manual Windows updates, then to use this ruleset, right click on the ruleset and select "Apply policy".
gkshikuro
June 23rd, 2006, 03:51 AM
I'm Chinese. I have used many firewall softwares, and Jetico made me crazy, too. So I uninstalled it. Now I think Look'n'Stop is the best.
JeromeC
June 23rd, 2006, 05:13 AM
Who is up to a Chinese translation of our beloved Jetico ? ;)
gkshikuro : you should not abandon so quickly, this very long thread is full of precious information about effective configuration.
Also I have another post here (http://www.wilderssecurity.com/showpost.php?p=780620&postcount=26) with a few questions about jetico.
edit: mmm I don't know why the above link only shows a "non thread" view of this (http://www.wilderssecurity.com/showthread.php?t=134981&page=2)...
Thanks !
Jerome
shek
June 25th, 2006, 10:52 PM
HI, Stem,
I don't quite understand the local proxy issues with avast's web shield and mail scanner. Could you explain it a little bit about how to set up the rules within avast? btw, in my jetico setting, 127.0.0.1 is not in the trusted zone.
Thank you.
shek
Stem
June 26th, 2006, 09:04 AM
Hello Shek,
-{ Quote: "I don't quite understand the local proxy issues with avast's web shield and mail scanner. Could you explain it a little bit about how to set up the rules within avast?" }-I found no need to change any settings within Avast or Jetico for these to work correctly together; Jetico re-configured on a re-boot (after the installation of "Avast"). The only rules I found needed for Avast within Jetico were Handle as "Browser"; these rules were needed to allow "Avast" to update.
-{ Quote: "btw, in my jetico setting, 127.0.0.1 is not in the trusted zone." }-The "local host" (127.0.0.1), this is placed within the trusted zone by default. The entry of this you need to re-check. Go to: Start menu / All programs / Jetico personal firewall,.. and select the "Configuration Wizard". This will show the "Trusted zone" (this should have the "Local Host (127.0.0.1)" and, if you are on a local network (behind a router), you will see your Lan IP/subnet-mask (these entries do not show within the Jetico rulesets)
Sealord
June 26th, 2006, 12:01 PM
I have just installed Jetico FW on another computer I have, running Windows 98SE.
I see that the Security policy view context menus (at the Configuration tab, left hand pane) do not come up using left or right mouse click. That means I cannot see Flat View, Expand, Unload policy etc., although I can use Insert from the keyboard to insert a new table etc. and triple right clicking Optimal Protection allows me to rename it. But importing a saved policy leaves me no way to get rid of it later.
Is this a problem with Win98SE or just my set up and is there a way around it? Thanks for any help.
Green Dragon
June 27th, 2006, 06:15 PM
Hi guys
I would like to show you my "ask user table", after a whole week in which Jetico works fine on my machine.
a) Are these settings for my programs correct or do you have any different and more useful suggestion? Is my security status good?
b) At the bottom of the table there are 4 entries "C:\WINDOWS\system32\svchost.exe". When the pop ups appeared I chose "allow". Is there any better choice?
Thanks for your help.
Stem
June 28th, 2006, 08:16 AM
-{ Quote: "a) Are these settings for my programms correct or you have any different and more usefull suggestion? Is my security status good?" }-You are keeping most programs to "outbound connection" only (browser rules) which is good. I am a little concerned with you allowing msnmsgr and ICQ as trusted. (I do not know the "Powerchute software", is this making inbound connections? is a rule to allow these needed?)
-{ Quote: "b) At the bottom of the table there are 4 entries "C:\WINDOWS\system32\svchost.exe". When the pop ups appeared I chose "allow". Is there any better choice?" }-I would need to see where these connections are going. Is this Windows Update?
Green Dragon
June 28th, 2006, 04:32 PM
Hi Stem
-{ Quote: "I would need to see where these connections are going, is this windows update?" }-
As I can see there are 4 processes "svchost.exe":
a) C:\WINDOWS\system32\svchost.exe
Event: sent datagrams, Protocol: TCP/IP,
IP Address: 239.255.255.250, Port: 1900
b) C:\WINDOWS\system32\svchost.exe
Event: outbound connection, Protocol: TCP/IP,
IP Address: 212.187.162.158, Port: 80
c) C:\WINDOWS\system32\svchost.exe
Event: outbound connection, Protocol: TCP/IP,
IP Address: 212.73.246.62, Port: 80
d) C:\WINDOWS\system32\svchost.exe
Event: outbound connection, Protocol: TCP/IP,
IP Address: 64.4.21.125, Port: 443
My choice was "allow" for all the above requests but I am not sure. Any ideas please!
Stem
June 28th, 2006, 04:57 PM
Hi Green Dragon,
239.255.255.250, Port: 1900, this is UPnP (http://www.grc.com/port_1900.htm), are you behind a router or have any software that requires this?
212.187.162.158 / 212.73.246.62 = Level 3 Communications (Have you any dealings with this company that may require comms?)
64.4.21.125 MS Hotmail
JeromeC
June 28th, 2006, 05:15 PM
Is it humanly possible to allow / block any occurrence of svchost??? It's used all the time for so many purposes... is it not better to choose "web browser" or "trusted zone"?
Stem
June 28th, 2006, 05:28 PM
-{ Quote: "Is it humanly possible to allow / block any occurrence of svchost??? It's used all the time for so many purposes... is it not better to choose "web browser" or "trusted zone"?" }-You should restrict ANY program / Windows application / Windows service to only needed comms. On my system, svchost is allowed only localhost (127.0.0.1) and local LAN connections.
Green Dragon
June 28th, 2006, 06:50 PM
-{ Quote: "239.255.255.250, Port: 1900, this is UPnP (http://www.grc.com/port_1900.htm), are you behind a router or have any software that requires this?" }-
Yes, I am behind a router.
-{ Quote: "212.187.162.158 / 212.73.246.62 = Level 3 Communications (Have you any dealings with this company that may require comms?)" }-
First time in my life I heard of such a company! I really don't know what that is!
Bubba
June 28th, 2006, 06:58 PM
-{ Quote: "Level 3 Communications (Have you any dealings with this company that may require comms?)" }-Level 3 Communications is one of the largest Internet backbones in the world and has from time to time helped Microsoft with their load for updates, for instance.
Stem
June 28th, 2006, 07:05 PM
Hi,
-{ Quote: "Yes, I am behind a router." }-This then is not a major problem, but these comms are not normally needed, unless you are using software that is opening ports automatically in the router. If you are not using this type of software, I would suggest that you change the UPnP rule to "Reject".
-{ Quote: "First time in my life I heard of such a company! I really don't know what that is!" }-You should set these two rules (for 212.187.162.158 / 212.73.246.62) to "reject" with "logging" (and name the rule so you can see easily when they are blocked). If you have any connection problems after you do this, check the logs, and post back. (I am not sure if this may be related to your ISP? Have you any software installed that was provided by your ISP?)
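The advice in this thread (restrict svchost to localhost and the local LAN, reject UPnP/SSDP when nothing needs it, and reject-with-logging anything unexplained under a named rule so the log shows what was blocked) is really a small first-match policy. The following is an added example, not code from the thread or from Jetico, that evaluates the four svchost events Green Dragon listed against such a policy. Jetico's own table format, rule names, the "ask" fallback and the RFC 1918 LAN ranges are my assumptions; the destination IPs and ports are the ones quoted in the posts.

```python
"""Evaluate Jetico-style 'ask user' events against a first-match policy.

Added example: models the advice in the thread (svchost only to localhost/LAN,
reject SSDP, reject-and-log unknown destinations). Not Jetico's own code.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

SVCHOST = r"C:\WINDOWS\system32\svchost.exe"

@dataclass(frozen=True)
class Event:
    process: str
    kind: str       # "outbound connection" or "sent datagrams", as Jetico words it
    dst_ip: str
    dst_port: int

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                    # "allow" or "reject"
    log: bool = False              # the thread's "with logging"
    process: Optional[str] = None  # None = any process
    networks: Tuple[ipaddress.IPv4Network, ...] = ()   # () = any destination
    ports: Tuple[int, ...] = ()                         # () = any port

    def matches(self, ev: Event) -> bool:
        if self.process is not None and ev.process.lower() != self.process.lower():
            return False
        if self.ports and ev.dst_port not in self.ports:
            return False
        if self.networks:
            ip = ipaddress.ip_address(ev.dst_ip)
            if not any(ip in net for net in self.networks):
                return False
        return True

def net(*cidrs: str) -> Tuple[ipaddress.IPv4Network, ...]:
    return tuple(ipaddress.ip_network(c) for c in cidrs)

# Assumed LAN definition: loopback plus the RFC 1918 private ranges.
LOCAL_NETS = net("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")

# Rules are tried top to bottom; the first match wins (Jetico tables work this way).
POLICY = [
    Rule("svchost localhost/LAN", "allow", process=SVCHOST, networks=LOCAL_NETS),
    # SSDP discovery multicast: not needed behind a router unless software opens router ports.
    Rule("UPnP/SSDP", "reject", log=True, process=SVCHOST,
         networks=net("239.255.255.250/32"), ports=(1900,)),
    # Named so the log line shows exactly which rule fired (the thread's naming advice).
    Rule("defender update", "allow", log=True, process=SVCHOST,
         networks=net("212.187.162.158/32", "212.73.246.62/32"), ports=(80, 443)),
    # Catch-all for svchost: anything not explained above is rejected and logged.
    Rule("svchost unknown destination", "reject", log=True, process=SVCHOST),
]

def evaluate(ev: Event, policy=POLICY):
    """Return (action, rule_name, log_line). Unmatched events fall back to 'ask',
    i.e. the popup the thread is trying to reduce."""
    for rule in policy:
        if rule.matches(ev):
            line = None
            if rule.log:
                line = (f"{rule.action.upper()} [{rule.name}] {ev.process} -> "
                        f"{ev.dst_ip}:{ev.dst_port} ({ev.kind})")
            return rule.action, rule.name, line
    return "ask", None, None

# Constructed from Green Dragon's post (a-d), plus one loopback event for contrast.
EVENTS = [
    Event(SVCHOST, "sent datagrams", "239.255.255.250", 1900),
    Event(SVCHOST, "outbound connection", "212.187.162.158", 80),
    Event(SVCHOST, "outbound connection", "212.73.246.62", 80),
    Event(SVCHOST, "outbound connection", "64.4.21.125", 443),
    Event(SVCHOST, "outbound connection", "127.0.0.1", 135),
]

def decisions(events=EVENTS, policy=POLICY):
    """Map each event to its action, returning the list of (dst, action, rule)."""
    return [(f"{e.dst_ip}:{e.dst_port}",) + evaluate(e, policy)[:2] for e in events]

if __name__ == "__main__":
    for e in EVENTS:
        action, rule, line = evaluate(e)
        print(f"{e.dst_ip}:{e.dst_port:<5} -> {action:6} ({rule})")
        if line:
            print("   log:", line)
```

Run as-is and the SSDP datagram and the Hotmail address are rejected and logged, the two Level 3 addresses are allowed under the named "defender update" rule (so the log confirms what they are for, as the thread later established), and the loopback connection is allowed silently. Removing the "defender update" rule turns those two into logged rejects, which is exactly the test Stem asked Green Dragon to run.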
Green Dragon
June 28th, 2006, 07:08 PM
I think Level 3 Communications has to do with Windows Defender updates.
Thanks Bubba!
Stem
June 28th, 2006, 07:13 PM
-{ Quote: "I think Level 3 Communications has to do with Windows Defender updates." }-Test this: set the two rules to "reject" with "logging" and attempt an update.
Green Dragon
June 28th, 2006, 07:33 PM
-{ Quote: "Test this, set the two rules to "reject" with "logging" and attempt an update." }-
Windows Defender update is impossible now!
Stem
June 28th, 2006, 07:38 PM
-{ Quote: "Level 3 Communications is one of the largest Internet backbones in the world and has from time to time helped Microsoft with their load for updates, for instance." }-Thanks for the info, I suppose anything is possible where Microsoft is concerned.
I just downloaded and installed "Windows Defender" to see the connections for update (will restore my drive from image later).
Connection (attempts) to:
193.38.108.216: a258.g.akamai.net (nothing new there then)
207.46.253.157: update.microsoft
-{ Quote: "Windows Defender update is impossible now!" }-O.k., change the rules back to "allow", rename the rules to "defender update" with logging, and try again. If this then updates, we know for sure, and you can then remove the logging.
Green Dragon
June 28th, 2006, 08:06 PM
-{ Quote: "...... O.k., change the rules back to "allow", rename the rules to "defender update" with logging, and try again. If this then updates, we know for sure, and you can then remove the logging." }-
After all, Windows Defender updates again.
Stem
June 28th, 2006, 08:15 PM
-{ Quote: "After all, Windows Defender updates again." }-Thanks for taking the time.. it is best to know where the connections are going and why. (On any Windows or software updates, I have never had any connections to Level3, that's why I wanted you to check.)
EDIT: Bubba, is Level3 used globally by Microsoft?
Bubba
June 28th, 2006, 09:10 PM
-{ Quote: "EDIT: Bubba, is Level3 used globally by Microsoft?" }-By globally do you mean all the time :-\
I don't have an answer to that but with it being a backbone a lot of traffic especially in North America goes thru those folks. Microsoft is just one of many users of Level3 Communications (http://www.level3.com/).
Stem
June 28th, 2006, 09:30 PM
-{ Quote: "By globally do you mean all the time :-\
I don't have an answer to that but with it being a backbone a lot of traffic especially in North America goes thru those folks." }-Globally (worldwide).. I don't see these connections here in the U.K. It's possibly mainly U.S.? (as you mention North America)
Bubba
June 28th, 2006, 09:42 PM
-{ Quote: "I don't see these connections here in the U.K. It's possibly mainly U.S.?" }-Well....it's pretty worldwide and as noted in the link supplied above....there is Level 3 in the United Kingdom (http://www.level3.com/606.html) also, among many other countries.
Who is Level 3? (http://www.level3.com/576.html)
-{ Quote: "The world’s largest telecom carriers all continue to use Level 3 services, as do the 10 largest U.S. Internet Service Providers, and the 10 largest European telecom carriers.
Based on the amount of Internet traffic on Level 3’s IP backbone, Level 3 is among the largest Internet carriers in the world. " }-
Stem
June 28th, 2006, 10:01 PM
Thanks Bubba,
But it was mainly "is Level3 used globally by Microsoft?" It's just that I check a number of users' logs (U.K.) and the only updates I see for Microsoft software are to either "akamai" or "microsoft".
It's not important, I just thought it strange when I saw the connections in GD's post. I will note this for future reference.
Thanks,
shek
June 29th, 2006, 12:22 PM
Stem---
Thank you for your help. One more question: how could I disable the process attack table? Uncheck it under the root? Or add an accept-all rule at the top of the process attack table?
regards,
shek
Stem
June 29th, 2006, 12:51 PM
-{ Quote: "Stem---
Thank you for your help. One more question: how could I disable the process attack table? Uncheck it under the root? Or add an accept-all rule at the top of the process attack table?
" }-Both of these will work. But if you "uncheck it under the root", it does save Jetico a little bit of work (it will not process the attacks).