View Full Version : Jetico Personal Firewall


Kerodo
September 2nd, 2004, 12:45 AM
Has anyone else tried Jetico Personal Firewall?

http://www.jetico.com/

It's a new rule based firewall with stateful inspection. I've been playing with it for several weeks now and it's quite powerful.

It's fairly complicated and takes some getting used to, and I would say it's not for anyone who just wants an easy to use firewall. But I do find it very nice and probably more powerful than Kerio 2.1.5.

Jetico has been VERY responsive to bug reports and comments, usually returning emails within several days, and frequently fixing problems and issuing updates as a result of bug reports. Very nice change of pace. Something the folks at Kerio could learn from.

It's still beta, however it's been quite stable here. It's free so far, and hopefully they'll keep it that way in the future.

Give it a try if you're interested in trying new firewalls and experimenting...

BlitzenZeus
September 2nd, 2004, 01:07 AM
Well, it's been over two years since Kerio 2x has been updated, and 4x is just a bloated forever-beta POS... Somebody else has to make something better eventually.

I'm not sure if they are the ones that are actually going to do it, but it looks promising. Programs that are beginner oriented have never had the full control of a real rule based firewall in my experience, and giving a rule based firewall to beginners, even with templates, is not the best of ideas.

I don't have a second operating system at the moment, otherwise I might actually play with it. I don't like to depend on software that I don't trust, and it's a bad idea to mix two third party firewalls on the same system.

ferdi
September 2nd, 2004, 07:43 AM
Just tried it for a while, and I must say it seems pretty nice... It stopped ALL the leaktests I threw at it, passed all tests with stealth and the latest beta seems quite stable (on my system that is, v1.0.1.21).

The GUI confused me a little bit at first, but once you get the hang of it it's pretty workable and the rules are very customizable. The learning curve is a little steep, but compared to that of Tiny's it's a piece of cake ;), I'd say it's in between Kerio and Tiny.

Memory usage wasn't very high either, it spawned 1 process using approx. 10 MB of RAM. One thing that could be improved though is the startup method, it's loading through a HKLM RUN registry key while a service (running XP) would be better.

Overall: well worth a try!

Cheers.

PS. There's an old thread about it here (http://www.wilderssecurity.com/showthread.php?t=22701).

BlitzenZeus
September 2nd, 2004, 05:45 PM
Be careful with this one

I hope you have good backup software... I just had to image my os partition back to a couple days ago to remove the program, it would not uninstall!

I had installed the program, rebooted, and then I had to reboot again because it didn't set something up properly. When I was finally able to use the program I looked around a bit, and setting up the rules is abstract at best, the settings are all over the place... So I get on the internet, it freezes... I reboot, get on the internet, it freezes... So I try to uninstall the POS, the uninstall just sits there....

ferdi
September 2nd, 2004, 06:46 PM
-{ Quote: "...When I was finally able to use the program I looked around a bit, and setting up the rules is abstract at best, the settings are all over the place..." }-
Unticking 'Flat mode' helped for me, though I don't think you'll be installing it again any time soon ;) Haven't tried uninstalling it yet and I don't have any backups but I was planning on a clean install anyway :)

gkweb
September 2nd, 2004, 07:59 PM
Hi,

Jetico has both firewall/sandbox features but is indeed easier to use than Tiny (it is more a firewall than a complete sandbox).
However, as is mentioned on their web page, Jetico is still BETA software, and while I did not have any trouble using it or uninstalling it, the things that happened to you are things that happen with beta software.

In any beta testing of any beta software, _backup_ is a must.

Regards,

gkweb.

Kerodo
September 2nd, 2004, 11:12 PM
-{ Quote: "Be careful with this one

I hope you have good backup software... I just had to image my os partition back to a couple days ago to remove the program, it would not uninstall!

" }-

BZ, sorry you had such trouble with it. If I had known it would do that to you, I wouldn't have recommended it so highly..

I recently removed it due to some problems that I'm seeing here. It appears that they don't have their stateful inspection quite debugged yet. TCP packets are getting thru the firewall in cases where programs are listening to ports via localhost. I've talked to them about it and they say they are going to try to fix the problem. That, plus a few other bugs made me go back to another firewall.

Otherwise, it's never given me any problems uninstalling. Don't know why you had trouble. I'm running Win2K here.

The interface is a little difficult to get used to at first, but once you figure things out, it's not bad. I found it pretty powerful. You can do quite a few things that you can't do in other firewalls.

At any rate, yes, it is wise to have a backup handy with any beta software.

BlitzenZeus
September 3rd, 2004, 12:00 AM
My favorite software firewalls that I have used for the most part are AtGuard, Tiny 2x, and Kerio 2x. Their interfaces were simple, straightforward, yet they allowed for complex configurations easily without going all over the program. It's one huge factor I couldn't stand about programs like LnS, and Outpost for example. For the most part I like having my entire firewall configuration in one place so I know exactly how the rules are going to process, and programs like Kerio are top to bottom, the first rule that matches is the last rule that affects the packet, aka logical.

I might check out the program again later, hopefully when it's a stable full release.

ferdi
September 15th, 2004, 08:44 AM
Quick heads up about a new beta release:

-{ Quote: "The problem of incompatibility with Cisco VPN Client is solved. Stateful rules were improved. The "Copy text" command is added for the "Configuration", "Log" and "Applications" tabs so that the user can copy information from the tabs to clipboard and then insert it to text file from the clipboard. User interface was improved. The "Properties" command is added in the firewall messages for application names. The occasional problems with dial-up adapters is solved." }-

http://www.jetico.com/jpfirewall.htm

Installed over previous install, no problems so far.

Kerodo
September 16th, 2004, 01:10 AM
-{ Quote: "Quick heads up about a new beta release:

http://www.jetico.com/jpfirewall.htm

Installed over previous install, no problems so far." }-

Thanks... They've fixed some problems in this one, but there's still a few more to go. Otherwise it looks pretty good here too... It definitely has potential. They're putting out new releases fairly often and fixing problems as they arise. The more feedback you give them, the better.

zorro zorrito
September 17th, 2004, 11:15 PM
Hi all! What's the best way to configure ip and network protocol modules?
Thanks for answering. I am now using kerio 2.1.5, which is a good one, but I want to try this one because of the filtering sandbox, I read here that it works fine, thanks for answering.

zorro zorrito
September 21st, 2004, 03:03 PM
Hi, it is very good, I am glad with it, passes every test, even leaking tests.
The way to configure it is not easy but in a little time one can learn to do it.
I am going to use it for a while and give kerio 2.1.5 (my favorite) a little rest, it deserves it.

dukebluedevil
September 23rd, 2004, 06:28 PM
New beta version of Jetico out today for those of you testing it.


-{ Quote: "13. Wireless network adapters support added. Protocol filter module allows the user to specify arbitrary protocol in rule settings. User interface has got drag'n'drop operations with multiple selected rules. "Copy text" command added to firewall message's context menu. "Broadcast address" automatic variable become available for ruleset. "Optimal Protection" configuration is enhanced. (23-September-2004 release, version 1.0.1.30 beta)." }-

http://www.jetico.com/jpfirewall.htm

http://www.jetico.com/jpfwall.exe

zorro zorrito
September 24th, 2004, 05:12 PM
New beta:

14. The firewall now detects outbound attacks illustrated by PCAudit test program in Windows Server 2003. Several issues in the firewall interface are fixed (drag-and-drop from the left to right pane in Configuration tab, synchronization between left and right panes). (24-September-2004 release, version 1.0.1.31 beta).

zorro zorrito
September 27th, 2004, 01:53 AM
Hi all! Has someone tried to test jetico with any keylogger, to see if it detects it sending information outside? What a question! Excuse me if I am asking a foolish thing for you that know many things about these matters.

Q Section
September 28th, 2004, 03:31 AM
-{ Quote: "... It stopped ALL the leaktests I threw at it, passed all tests with stealth..." }-

Did you happen to try Thermite and Wallbreaker? These two tests are rather rough on firewalls, usually showing no mercy!

gkweb
September 28th, 2004, 04:28 AM
Hi,

Jetico will be on the next update of my website's test page, and might not score what you expect, even if it performs well.
No firewall passes them all yet, based on my criteria.
Obviously, if you just "throw at it" without any testing protocol, our results can be completely different.
I recall that Jetico is still in BETA and that it has bugs in the program detection, bugs that I have submitted to their dev team (which is btw very responsive).

regards,

gkweb.

Kerodo
September 28th, 2004, 02:27 PM
-{ Quote: "Hi,

Jetico will be on the next update of my website's test page, and might not score what you expect, even if it performs well.
No firewall passes them all yet, based on my criteria.
Obviously, if you just "throw at it" without any testing protocol, our results can be completely different.
I recall that Jetico is still in BETA and that it has bugs in the program detection, bugs that I have submitted to their dev team (which is btw very responsive).

regards,

gkweb." }-

That's one of the things I like best about the JPF team. They ARE extremely responsive. I've been submitting many bug reports over the past month or two and they've replied to and fixed all of them. Plus they seem very open to suggestions also. Very nice. I'd recommend that anyone testing JPF give them as much feedback as possible. This will help it become a better product. I personally like JPF a lot and think it has much potential.

zorro zorrito
September 28th, 2004, 02:52 PM
Hi, yes Q Section, I tested jetico with thermite and wallbreaker and passed very well, but I was curious to know opinions about this kind of tests. I am glad with it and hope when it goes out of beta stage to be a very good firewall.
minor bugs, no bugs, better firewall, good for it!!!

zorro zorrito
September 29th, 2004, 03:18 AM
Hi, I am here again!!!
It's passed some time for many of you, what do you think are the basic rules to configure jetico? It would be good to know how you configure it to be safer.
Thanks !!!

chew
September 29th, 2004, 03:53 AM
Hi Folks

It would be nice to see more of the Senior Members or Experts testing out Jetico Personal Firewall. A full report would be nice too.

I was wondering about it about a month or two ago when I saw it on a CD accompanying a PC mag here.

So in term of resource usage is Jetico Personal firewall as "lite" as Kerio 2.1.5 or LnS?

I think a thorough test should be done on Jetico Personal Firewall.

Cheers

Chew

Chris12923
September 29th, 2004, 06:12 PM
GKWEB,

You may recall I have written you on a couple occasions about this firewall and am very anxious to see how it performs with your tests. Your site is very nice.

I also am in frequent contact with jetico support and agree they are very responsive. I do have to say that I saw above a quote from Jetico page stating "The problem of incompatibility with Cisco VPN Client is solved". This may be true in most cases but I am having trouble with 4.0.2 and also 4.6 still BSOD's. Jetico is working hard to fix these as we speak. Again great support.

Thanks,

Chris

chew
September 29th, 2004, 06:16 PM
I do hope Jetico Personal Firewall will be the next Kerio 2.1.5 & LnS .... lite and powerful.

;D

zorro zorrito
September 30th, 2004, 06:51 PM
About configuring jetico, I used general rules that are at other firewall sticky posts and added the rules by BlitzenZeus for kerio 2.1.5 and they go very good with it.

chew
September 30th, 2004, 07:15 PM
Sounds encouraging if that is the case.

I think Experts should give it some severe testing to see if it is up to scratch.

If it is free ... the better.

;D

Man26
October 6th, 2004, 08:13 PM
I wish jetico firewall will be as good as looknstop about the full control on filtering packet (Arp, igmp, Tcp fragment flag, sipp-esp, etc...)

CyGho
October 8th, 2004, 03:43 PM
Does anyone know if this firewall will stay freeware after the beta stage ???

CyGho
October 11th, 2004, 03:00 PM
-{ Quote: "Does anyone know if this firewall will stay freeware after the beta stage ???" }-
No one? I wrote the developers an e-mail but also no answer. Is this a secret? :D

chew
October 11th, 2004, 03:05 PM
I hope they will let it stay as Freeware.

;D

Kerodo
October 11th, 2004, 07:56 PM
-{ Quote: "No one? I wrote the developers an e-mail but also no answer. Is this a secret? :D" }-

It sometimes takes them several days to answer emails. Depends on how busy they are etc. Plus, they may not even know themselves whether it'll be freeware or not. We can only hope... ;)

Hexamon
October 12th, 2004, 04:38 AM
Hi! I think it will cost money. They will most likely have bundle of their other products plus this firewall. Pricing isn't final yet and watch out for november :)

CyGho
October 12th, 2004, 09:34 AM
Ok thx guys :)

zorro zorrito
October 14th, 2004, 01:30 AM
Hi all, gkweb made a test to Jetico:
http://www.firewallleaktester.com/tests.htm

zorro zorrito
October 14th, 2004, 01:47 AM
The test was made with Jetico 1.0.1.21
last Jetico is 1.0.1.31, I hope this is going to have better results, because of this:
14. The firewall now detects outbound attacks illustrated by PCAudit test program in Windows Server 2003. Several issues in the firewall interface are fixed (drag-and-drop from the left to right pane in Configuration tab, synchronization between left and right panes). (24-September-2004 release, version 1.0.1.31 beta).
could it be?
it failed the pc audit test.
what could gkweb tell us about this, he is the only one who knows about this, the real specialist.
At least Jetico goes on the right way. In this test one of the best.
Thanks gkweb for the test.

Open Source
October 14th, 2004, 01:57 AM
Informative information a good read indeed.

gkweb do you have tutorials on your website about the firewalls you tested and most common rule sets?

zorro zorrito
October 29th, 2004, 06:46 PM
News from jetico:

15. Firewall logging subsystem significantly improved. Drag'n'drop for tables is implemented in configuration editor. Configuration editor's panes content is synchronized correctly now. Systray menu items fixed for Windows 9x. Long file names are reported now for all network accessing applications. (28-October-2004 release, version 1.0.1.40 beta).

ferdi
November 18th, 2004, 04:41 PM
New version released, seems they are getting close to release:
-{ Quote: "16. The problem of compatibility with Symantec drivers used in Norton AntiVirus is solved. Log file entries now are correctly saved when computer shuts down. (18-November-2004 release, version 1.0.1.41 Release Candidate)." }-

zorro zorrito
November 18th, 2004, 08:30 PM
JETICO 1.0.1.41 works perfect, maybe that's why it is a release candidate, the only thing missing is the news about free or shareware!!!
I like it too much, these days I was having a try at tiny, that is a very good one, and of course I like it, and not so complicated as many people say, but I prefer Jetico for the way I can manage application rules, and if jetico is going to be free (I think all of us would like it) I will use it, no doubt!!!
So that only one news is missing: free or shareware.

isnogood
November 19th, 2004, 09:21 AM
Another beta released today (v1.0.42). I wanted to test just this one, but I would rather classify it as Alpha version than RC. Each time I tried to edit/modify network rules in the window popping up when some application wanted to access network, it crashed promptly, screwing my system along with. Perhaps there's some conflict with my other running progs, ex. PG, but it is not usable this way. Last time it left me with unbootable system, and the only solution was to restore a previous disk image with my W2K Pro. Jetico has a long way to go before I give it another try.

Isnogood

zorro zorrito
November 19th, 2004, 01:31 PM
16. The problem of compatibility with Symantec drivers used in Norton AntiVirus is solved. Log file entries now are correctly saved when computer shuts down. Problem of compatibility with Avast! Antivirus v.4.5 is solved. (19-November-2004 release, version 1.0.1.42 Release Candidate)

Kerodo
November 19th, 2004, 08:47 PM
-{ Quote: "Another beta released today (v1.0.42). I wanted to test just this one, but I would rather classify it as Alpha version than RC. Each time I tried to edit/modify network rules in the window popping up when some application wanted to access network, it crashed promptly, screwing my system along with. Perhaps there's some conflict with my other running progs, ex. PG, but it is not usable this way. Last time it left me with unbootable system, and the only solution was to restore a previous disk image with my W2K Pro. Jetico has a long way to go before I give it another try.

Isnogood" }-

Several people have had problems with it apparently. I didn't, but I'm not using it anymore anyway. To me, the interface is a little overly complicated when it doesn't need to be. And there are some issues I had with it allowing packets to ports with listening apps. I had high hopes for it, but it does not seem to be a complete product yet.

yahoo
November 19th, 2004, 11:19 PM
I do not bother to try it at all. There are reasons for this. I bet that once Jetico becomes a formal product (instead of beta), it's not going to be free. At least, if there is a free version, most of its useful functions will be disabled. In my view, there are two reasons for the 'free' beta. One reason is that, with the 'free' beta, it can attract users to try it, and some of them will fall in love with it, and pay the money to buy the formal product at the end. In this case, the 'free' beta acts as a bait. Another reason for the free beta is that, the users work just as a beta tester. In this case, the company are using these beta testers without a pay check. How much would the company have to pay to hire a software tester? It would be somewhere around $20~$40 per hour, I guess. So, how many hours have you put into beta testing their 'free' software and reported the bugs? 8)

JayTee
November 19th, 2004, 11:19 PM
kerodo,

So wat are u using now... just curious since u started the threadn got me looking at it...

dukebluedevil
November 20th, 2004, 02:18 AM
I totally agree Yahoo. More than likely it won't be free and if it is, like you said, it will probably be some crippled version. I don't have the money to spend on a firewall so I'm not even going to waste my time being their guinea pig. :) It's fun though to watch what's out there and coming to the market though. It sounds like this one still has a long ways to go!

AJohn
November 20th, 2004, 04:18 AM
I already know it won't be free. If you install Jetico and click the Help menu item you can see purchase options faded out.

Kerodo
November 20th, 2004, 06:43 AM
-{ Quote: "kerodo,

So wat are u using now... just curious since u started the threadn got me looking at it..." }-

I'm using VisNetic Firewall now. No app control, but I don't really need it. It's a rules based firewall, simple, clean, no bugs to speak of, and it gets the job done for me. My favorite... :)

Chuck57
November 20th, 2004, 11:00 AM
I tried Jetico and immediately had problems with it locking up my computer, 1.3G AMD, XP Home, 512 RAM, SP2, and right after a reformat and clean install so I know the drive didn't have any leftover junk on it.

I've gone back to Visnetic 2.2. It doesn't have app controls as was mentioned before, but it's a solid, reliable, firewall that's easy to set up and use.

Kerodo
November 20th, 2004, 10:30 PM
Chuck57... If you're interested, VisNetic has a new beta 2.2.5.xxxx out. Apparently they've been working on it again for the past few months. You can find it here:

http://blogs.deerfield.com/security.php

VisNetic (or 8Signs, they're virtually identical), is a great firewall. I love the simplicity of it and it's apparently got a good implementation of stateful inspection from what I've heard.

Some people simply can't do without app control, but I find I don't really need it. I'm pretty safe here. And the freedom you get without it is really nice. You don't have to constantly OK different apps for internet access every time you install something or change one. Just set up your rules for whatever ports and addresses you need, and that's it. I really like it.

Paul Wilders
November 21st, 2004, 05:54 AM
Kerodo and all,

FYI: you'll find a fine review from Visnetic by CrazyM over here (http://www.wilderssecurity.org/visneticfirewall.html) ;) .

regards,

paul

?Lowen
November 21st, 2004, 10:15 AM
I use Visnetic (8signs) in conjunction with Snortsam, www.snortsam.net
which is a plug-in to have 8signs auto-block intrusion attempts (IPS) with Snort rules. And they work great together!

Cheers
Lowen

Kerodo
November 21st, 2004, 09:05 PM
Thanks Paul and Lowen... I'll be sure to check out both.. :)

halcyon
November 22nd, 2004, 04:28 AM
I tried the latest Jetico.

When it blocked a gaming application accessing the network, it was able to completely hose my system.

This has not happened with me when using Kerio 2.x, Look'n'Stop 2.15 or earlier ZA versions.

As such, I'd recommend proceeding with caution if you want to use Jetico at this beta stage.

TAG97
November 22nd, 2004, 12:49 PM
-{ Quote: "I tried the latest Jetico.

When it blocked a gaming application accessing the network, it was able to completely hose my system.
" }-
Could you explain what hosed your system? And what you mean by hose?
Thanks

AJohn
November 22nd, 2004, 12:58 PM
I am running WINXPSP2 and I tested the latest Jetico. I was not able to use any browser no matter what I did, but I just uninstalled it with no problems.

halcyon
November 23rd, 2004, 05:21 AM
Hose as in:

Hard system lock. Could not alt-tab or ctrl-alt-del anywhere.

Had to wait till there was a sufficient stop in disk activity (listening by ear) and reset the system.

This caused the video card drive and the network layer of XP installation to become corrupt.

I had to repair my XP installation with the installation CD (using "Repair XP installation" option) and manually build my network connection from the ground up and re-install both system level drivers (chipset/mobo) and display drivers (ATI).

That's what happened in my case.

Fedorov999
November 23rd, 2004, 08:44 AM
This is not a "told you so" but I wouldn't dream of playing around with new Firewalls/AntiViruses/Drivers without taking an image of my whole system first with something like Acronis TrueImage. It pays for itself in minutes believe me :)

Regards,

Fedorov.

no13
November 23rd, 2004, 09:02 AM
@Fedorov999
what happened with halcyon, same happened to me with Jetico
tried restoring with GoBack to 24hrs. previous state.....
didn't help with Jetico.

So I threw out Jetico. Don't wanna try it. I don't talk about it. I don't even visit its forum anymore... too much hard work lost that day all b'coz I wanted to try a beta firewall that CANNOT be configured sanely.

zorro zorrito
December 1st, 2004, 05:27 PM
Hi , I know that many people have problems with this, but I have used it for many months and it works fine in my system , I configured and it never asks me again, unless there is a new process running. I like this firewall, for me too good, and passes leak tests very good.

- Jetico Personal Firewall for Windows 98/ME/NT/2000/XP v1.0.1.44 Release Candidate is released at 1st December, 2004.

Kerodo
December 1st, 2004, 08:21 PM
I've used it in the past for several months also, and had no major problems, but the fact that many others have had problems is a good indication that it isn't anywhere near ready for a final release yet.

no13
December 1st, 2004, 11:28 PM
Apart from all the install/uninstall issues, I personally felt that the configuration of the firewall was a huge hassle, especially if you were looking for app control.

zorro zorrito
December 1st, 2004, 11:59 PM
17. The problem of occasionally repeated firewall messages is fixed, memory management procedures in kernel drivers are enhanced. (1-December-2004 release, version 1.0.1.44 Release Candidate).

Kerodo
December 2nd, 2004, 12:14 AM
-{ Quote: "Apart from all the install/uninstall issues, I personally felt that the configuration of the firewall was a huge hassle, especially if you were looking for app control." }-

Yes, I also felt that the firewall interface in general was overly complicated when it didn't need to be. App control was annoying as well. Every time you updated or changed a program, Jetico would create a new rule for it, so you'd have to go into the rules periodically and "clean up" old stuff.

It's an interesting firewall, but it still needs work, and it probably won't ever win any awards for ease of use... :)

zorro zorrito
December 2nd, 2004, 01:49 AM
I know many people here have problems with it, but about creating new rules when a program updates, like ewido, ad-aware, spywareblaster, e-trust antivirus (I use it): no problem with creating new rules, you only make a rule, and at the bottom of the application table you choose the general rule REJECT, and as I said it has never asked me anything about rules I have set for the programs I run.
The problem is that if you choose at the bottom a general rule like ASK USER, every time you run an update, for example, it is going to ask you about the running program, an update for example.
Another thing that happens is that, about the process attack table, if you make the same decision about the general rule, it is going to ask you every time a process is calling another one, and if you choose a general rule for this and choose REJECT it is never going to give you problems, it is going to stop this, so only use ASK USER in this when you know that a trusted program has to call another part of its own to function; an example is: I use, as I said, e-trust, and when I want to manually update it I have to let inotask.exe call inodist.exe, and I permit this at the process attack table, but I always have the general rule REJECT.
I think that the general problem with this firewall is that it doesn't have a good tutorial to use it, so only by trying it is one going to know the right way for it to function, and I accept as you do that it is difficult, it takes too much time, but it is good; as I said, I don't make any new rule with it unless I install a new program.
In general I can say that the problem with this FW is the lack of information, and of course, the problems that testers here have said.
I hope the things I wrote before help people who are still running it, thanks friends

AJohn
December 2nd, 2004, 01:55 AM
I can run the new version of Jetico on WinXPSP2 with no problems at all. It is a great firewall for how old it is and they are doing very well with fixing bugs. It is setup very differently from other firewalls, but as their website says, they are working on making it as easy as possible while still being configurable. It already stops all known leaktests with its sandboxing. I think this will be among the best firewalls when they have a stable release and start offering it to the public as a service.

Kerodo
December 2nd, 2004, 02:18 AM
I agree... it has great potential. But I'll stick with 8Signs/VisNetic for now...

AJohn
December 2nd, 2004, 03:24 AM
I'll probably stick with 8Signs forever, especially if they add packet logging per process :D

JayTee
December 2nd, 2004, 04:21 AM
AJohn,

I didn't know that 8signs will be adding packet logging per process.

When will the software come out?

AJohn
December 2nd, 2004, 08:02 AM
I requested, they said they are *considering* implementing it sometime in the future :D

? pepak
December 12th, 2004, 05:45 AM
Until now I considered myself a very advanced user, but I must admit I failed to set up Jetico PF (1.01.44) for at least a basic use. I turned off the "Ask user" rule and set to configure the firewall by hand. Unfortunately I couldn't even get IE to connect to the internet. I would have thought that a rule "application: path\iexplore.exe; verdict: table 'browsers'" would be straightforward enough, but for some strange reason it would NEVER get triggered despite the fact that IE is indeed run from the selected path. There are no reject rules in front of this one, either. Curiously enough, when I created the same rule through the Ask User path, it worked as it should.

Guess it's back to KPF 2.1.5 :-(

Kerodo
December 12th, 2004, 04:01 PM
Why would you want to disable or delete the Ask User rule? It's there for a reason. Why mess with it?

zorro zorrito
December 12th, 2004, 08:11 PM
Hi pepak, the way you have to use to create a rule for an application is this:
(at the application table)
1.- first you have to enable access to network for the application.
2.- make the rule for the application.
example:
internet explorer:
a.- click right button of the mouse, then new and application, then verdict: acept, application: C:\Archivos de programa\Internet Explorer\iexplore.exe
event:acces to network, protocol:any, then OK.
b.-rule: verdict:acept, application:C:\Archivos de programa\Internet Explorer\iexplore.exe , event: outbound connection, protocol: TCP/IP, local address: any, port:1025-5000, remote address:any, port:80 ( here there is not a list of ports like in kerio, so you have to do as many as you need.
(if you don't want to do this rule at the application table, you may choose at verdict: web browser, but if you see at the web browser remember that it has only rules for ports:80, 443, if you want to connect to another one you have to add another port here).

rule for outlook express:
a.- same as before but for outlook express
b.- rule: verdict:acept, application: C:\Archivos de programa\Outlook Express\msimn.exe, event:outbound connection, protocol: TCP/IP, local address: any, port:1024-5000, remote address: (the one for your provider), port:110
c.-rule: same but for remote port:25 ( you dont have to do all the rule, just right click mouse and clone it, and then change the port).
(as before, you can go directly to mail client table, selecting at verdict:web browser)
As you see, the basic point to make a rule in jetico is to permit to applications access to network and then the other one to control the way it is goin to acces to internet, if you don't make the first one it doesnīt start, if you donīt make the second it doesnīt access to internet.
Personnally I prefer to work at the application table and I donīt use the other tables.
At the end of each rule, I use a padlock, for ex. for intenet explorer: verdict:reject, application:C:\Archivos de programa\Internet Explorer\iexplore.exe, event: inbound connection, protocol:any, local address, any any any , etc.

As I said in another place, I configured jetico as kerio, and after doing this I locked all this way:
1.- I made all the rules in the APPLICATION TABLE (I included rules to block ports 1024-1028, 135, etc., inbound and outbound; you can look at Kerio 2.1.5 to get an idea), and at the end of the application table I changed ask to REJECT, and also for log all not processed applications. In the ASK USER TABLE, I also changed from ask to REJECT.
So it never asks me anything; it only works on the basis of the rules I made.
2.- About the sandbox, I changed from ask to reject, so that it doesn't automatically permit:
attacker writes to application's memory
attacker injects own code into application
attacker starts application with hidden window
attacker installs system wide windows hook
attacker modifies child process.
So if you test it this way with leak tests, it rejects them automatically.
And doing this as I said before, it is going to work with the rules you made for it, AND IT IS NOT GOING TO ASK YOU ANYTHING.
If you do all this, you are going to see that it is not so complicated, because you have to keep in mind that you only have to work with the application table and close other things.
If you analyze the modules, more than 10 can be configured in the application table (they were made maybe to make the use of Jetico easier); when you see this it is not so complicated.
One last thing, about the process attack table: I only open it when I see that a new program I install doesn't work. For example, I use e-trust antivirus free, and I couldn't update it because inotask.exe calls inodist.exe, so I changed this table from reject to ask and permitted this, then I changed it back to reject, and once again Jetico was locked and only running with the rules I made for it.
I hope this helps people to use JETICO and to see that it is not as difficult as it seems.
thanks friends.

c0ltran3
December 13th, 2004, 12:04 PM
Hi, I tried to configure Jetico firewall and as I had problems I call for help.
These are my problems:
1) What rules for Windows services?
2) What rules for the browser?

Could you show me a screenshot of your configuration?

Thanks in advance.

Sir.Demon
December 14th, 2004, 01:59 AM
Hi @ll,

Can zorro or anyone post a rules file?
I need an example of a configuration file,
in order to make my perfect list (AntiAttack Rule, Emule, Rule ...)

Thanks in advance

? Pepak
December 14th, 2004, 01:59 PM
-{ Quote: "Why would you want to disable or delete the Ask User rule? It's there for a reason. Why mess with it?" }-
Because I don't want to be bothered with thousands of confirmations. I am perfectly able to set up the rules I need by hand - in fact, I find it easier than going through a wizard (a deformation from the good old DOS days, you could say :-)).

-{ Quote: "1.- first you have to enable access to network for the application.
2.- make the rule for the application." }-
That's pretty much what I did, yes. In several different formats (rules directly in the Applications Table, a rule for application 'IE' verdict 'table Browsers', even through a separate table 'IE'). None of them activated even once. That's the strange thing - if the rules got scanned and then I was refused access, I would assume there's something wrong with my rules. What had me baffled was the fact that the rules were never even checked. I only got a response at 'table "system programs" -> continue' (I moved almost all default rules to "system programs") and then at 'default action "reject all"'. If I enabled 'table "ask user"', I got a response there as well - but never for any other table (including the Application Rules itself), even if the rules were exactly the same as in "ask user".

I suspect that Jetico didn't install correctly on my machine. For example, I wasn't able to create a custom configuration file (I mean, I could save an old one to a new name, but I could never get that new file in the policy list). I would also expect the trusted and blocked zone I set up in the wizard to appear somewhere among the rules.

I'll try to setup Jetico once more when I have enough time. Maybe I forgot something very obvious.

Example configuration file would be very useful indeed.

JayTee
December 15th, 2004, 08:28 AM
Come to think of it, Jetico is most similar to Tiny 6, which I am trialling now.

zorro zorrito
December 30th, 2004, 06:33 AM
It is free!!!

Jetico Personal Firewall for Windows 98/ME/NT/2000/XP
v.1.0 freeware

18. v. 1.0.1.47 Freeware version release, 30th December, 2004.
Default rules for Windows services added, as a result, the firewall will display less number of popup messages. The firewall rules for low-level network packets now have an explicit parameter for verifying correct packet checksum. Support for IGMP protocol added. Problem of compatibility with Kaspersky Anti-virus solved. Help documentation significantly improved.

mee
December 30th, 2004, 11:42 AM
I get so stinking tired of people crying and whining about having to pay for a firewall. When Jetico gets this firewall finished, they should make money on it. They have programmers working their butts off around the clock and everybody expects them to just give it away for nothing. If I like it, I will buy it....simple as that.


me.

Kerodo
December 30th, 2004, 07:29 PM
I personally don't mind paying for a firewall... I have purchased 3 myself over the past year or so. But many people are on tight budgets and appreciate free software when it comes along. Nothing wrong with that... ;)

mercurie
December 30th, 2004, 10:28 PM
-{ Quote: "I personally don't mind paying for a firewall... I have purchased 3 myself over the past year or so. But many people are on tight budgets and appreciate free software when it comes along. Nothing wrong with that... ;)" }-
Exactly right. mee better watch out or he will have high blood pressure and die early getting that worked up about this issue. Trust me I know about these things. ;) I will wait a little while and see how Jetico goes. Been following this thread ;D

no13
December 30th, 2004, 10:52 PM
-{ Quote: "Been following this thread" }-
Lurking you mean ;)

dukebluedevil
December 31st, 2004, 06:14 AM
Does Jetico firewall have TCP flag control in the rules at all?

Thanks.

Kerodo
December 31st, 2004, 01:56 PM
Yes, you can set TCP flags in the rules... You can also set ICMP codes as well, for example, ICMP type 3 code 3. It's quite powerful..

iwod
December 31st, 2004, 03:18 PM
What about resource usage? How does Jetico compare to VisNetic and L&S?

Kerodo
December 31st, 2004, 07:30 PM
I'm running it right now and the cpu usage is nil. Ram usage also seems very light, only 3 megs right now according to Task Manager. That seems very light actually. The executables are very small. I've never used LnS much so I can't compare it to that, but it's as good or better than Visnetic on resources.

All around I like it a lot, maybe even best. Some people have had various issues with its uninstall, but I never have on a W2k system here.

dukebluedevil
December 31st, 2004, 09:15 PM
Thank you Kerodo for all the info. This firewall sounds very interesting. I think I might just have to finally give it a try sometime this weekend. :)

Thanks.

Diver
January 2nd, 2005, 12:37 PM
Running Jetico right now. Interface is a bit different, but fine after you get used to it. I set up a "table" for programs that have outbound tcp on ports 1024-5000 to a server on remote 80. For a bunch of programs I am able to select this rule as the response. The rule only will apply to the specified applications, it is not global. Very clean.

My worst complaint: The box for editing rules is way too small.

It might be nice if lists of non contiguous ports were allowed.

When a rule is approved for a new program it will have the remote address in it by default. Usually you will have to change this to "any address". If one of the "table" rules can be used, you will not have this problem.

Because a lot of editing of rules is required, this is a firewall for advanced users, but it is not so difficult as to be considered a firewall for expert users. (I am no expert and it did not seem too difficult.)

Anyway, the price is right, it is full featured and it does well on the outbound leak tests. I wonder where Jetico will be going with this. I don't see this one staying freeware forever.

Kerodo
January 3rd, 2005, 12:40 AM
Check out the About dialog.. It still says it's beta software.. A typo I guess.. ;D

dukebluedevil
January 3rd, 2005, 02:34 AM
I didn't have much luck using this firewall unfortunately. For one thing I think the rule editor layout stinks. They made it way too complicated, it seems like, than it needs to be. It was hard for me to work in the rules and actually find what I was looking for and I agree the rule editor window is way too small too. I really hope they work on cleaning things up a bit so it's not so tedious creating/editing rules.

I only used it for a short while because once I got online and started my browser the red arrow in its icon lit up and my browser wouldn't connect out, so when I tried going into the firewall to look at the logs/rules to find out the problem Jetico just stopped responding and froze up on me. Anytime something was being blocked from going out Jetico would just keep freezing up on me. So I tried uninstalling it and the uninstall wouldn't uninstall anything, it just kept sitting there doing nothing it looked like, it was really strange. So I had to click cancel on uninstalling and restart my pc and then it said something about the firewall driver not being able to be accessed and to reinstall, which I did, and then finally it uninstalled fine.

From the looks of things this firewall still needs a lot of work yet. Maybe it saying it's still a beta in the About section isn't a typo after all lol. :)

Kerodo
January 3rd, 2005, 03:04 AM
It's interesting that you had so many problems with it.. not good. Several people have reported similar experiences. I personally have had no troubles with it at all and am using it now without problems. I've also never had an uninstall problem. Perhaps it's because I'm using Win2k and not XP? Don't know though...

It would be nice if those who did have problems would take the time to report them to Jetico. Then maybe they could fix things. Unfortunately, when one has trouble with a firewall, the first thing you want to do is just get rid of it and the last thing you want to do is bother to report the problems..

At any rate, if you do have trouble or suggestions, consider telling them at support@jetico.com. It might help future releases...

dukebluedevil
January 3rd, 2005, 04:18 AM
I'm just glad it didn't totally trash my system as some of the other people have reported. I was prepared anyways just in case after hearing some of the horror stories, turned on system restore and had an image of my drive ready. :)

I reported my problems to them right after I was able to uninstall it. I always try to report any problems I have with programs to hopefully make them better in the future. I used their feedback section on their website to report it, so hopefully they will get it ok. We'll see if they contact me or not about it.


By the way I'm using WinXP pro sp1. Are these problems pretty much just on XP then?

zorro zorrito
January 3rd, 2005, 04:56 AM
Hi, I am using XP SP2 and there is no problem with it; it runs fine, and it asks nothing after I set rules for my programs. If I am going to use a new program, I just go to askuser and change reject to ask, run the program, see the new rules I have to set in the applications module, and change once more from ask to reject at askuser. It runs fine. I like it as much as Tiny. (There are two new versions of Tiny in beta; the difference is that one is for easier use and the other for professionals. They look fine.) It seems Jetico is going far in a good way.

Diver
January 3rd, 2005, 09:34 AM
Last night I found that a java video bitrate calculator would completely lock up my system with Jetico PF active, so I went back to Kerio 2.15. Anyone have any ideas on this one?

When you uninstall Jetico do not have any other programs running. I found that unless I unloaded KAV the uninstallation of Jetico PF would not complete.

I think this FW has a lot of potential, but it also needs some further development.

Kerodo
January 4th, 2005, 05:45 AM
Sounds like it does need some more work. I've gone back to Tiny for now.

Diver
January 4th, 2005, 10:25 AM
I did some more testing with Java. Any attempt to start Sun Java from a browser causes the entire system to lock up. XP sp2. Could have something to do with KAV being on the system.

It's just not ready yet, but it will be hot when it is done.

SSK
January 4th, 2005, 10:32 AM
I have WinXP pro sp2 / KAV pers. 5.0.227 / Sun Java 5 upd.1 / Firefox installed, and have no problems with Jetico Firewall.

No uninstall problems either.

Well, I hope it keeps running. So far so good :(

Diver
January 4th, 2005, 11:17 AM
-{ Quote: "I have WinXP pro sp2 / KAV pers. 5.0.227 / Sun Java 5 upd.1 / Firefox installed, and have no problems with Jetico Firewall.

No uninstall problems either.

Well, I hope it keeps running. So far so good :(" }-

Using java 1.4.2.06 here, perhaps Java 5 is the fix.

Diver
January 4th, 2005, 01:39 PM
I tried changing my Java VM to 1.5 but it did not help, so it is back to Kerio 2.15 for me. Why it works for SSK and not for me is a mystery. There is probably some other low level driver on my system that is causing this. I suspect that it is related to the sandboxing as this sequence of events involves having a browser launch the Java VM which then runs an applet. The problem is not limited to the bitrate calculator. Any browser launched instance of the VM locks things up and only a power off can fix it.

SSK
January 4th, 2005, 05:46 PM
Diver, I have the "Place Java icon in the system tray" switched off in the Java control panel.

Furthermore, I have KAV "protection against network attack" disabled.
"Protect against network attack on startup" is unchecked.

Diver
January 4th, 2005, 09:36 PM
I have the KAV network attack module disabled as well. I can't believe that place icon in system tray is the culprit. It has to be some other low level driver that is the culprit.

This is an obscure problem that may take a while to work out. It is probably in the sandbox feature of Jetico PF.

zorro zorrito
January 4th, 2005, 10:39 PM
Hi, the icon in the system tray could be the culprit if you have reject in the Process Attack table. If this is the case, change it to ask, and if it responds that's the answer to your problem and you are going to permit some rule here. It happened to me with my antivirus when I wanted to update it from the taskbar.

When something doesn't work, I usually change the askuser and process attack tables from reject to ask, and usually the problem is solved.

good luck

Kerodo
January 5th, 2005, 12:09 AM
-{ Quote: "Im just glad it didn't totally trash my system as some of the other people have reported. I was prepared anyways just in case after hearing some of the horror stories, turned on system restore and had an image of my drive ready. :)

" }-

It's a good idea to have a backup. I myself do frequent reformat and reinstalls of Win2k, so maybe that's why I don't mind playing with all these firewalls. If something goes wrong and things get hosed, I just reformat. Takes a few hours, but it's no big deal to me. Everything important is on CD. :)

Diver
January 5th, 2005, 09:04 AM
To: Zorro

The tables you mention were set to ask. The FW did not ask. It just locked up the system completely. Perhaps by the next update they will fix it. I had a few other applications that place an icon in the taskbar and none of them had a problem.

Diver
January 6th, 2005, 06:30 PM
Java Lock-up Solved

To troubleshoot a lock-up in Jetico Personal Firewall when the process attack table is suspected, I had to change the default action (next to last rule on process table) to continue. Then the Java binaries were able to run and the results in the log showed what the process attack table was responding to. The events tended to be stuff like access to low level system memory or attacker opens application with hidden window. javaw.exe or some of the other binaries go where it says attacker. Presto, everything works and the next to last rule on the table goes back to the default of ask.

Oddly enough the icon did make a difference as when the icon shows javaws.exe is started.

Exactly why this caused lock-ups on my system and not on others is not known, but is probably related to different low level drivers for some other function, possibly video.

SSK
January 6th, 2005, 07:44 PM
Doublepost ::)

SSK
January 6th, 2005, 07:46 PM
Diver: Good to hear that the problem is sorted!

Diver
January 6th, 2005, 08:53 PM
I solved the problem, but I still feel more comfortable with Kerio 2.15. I have a bunch of nits and picks with Jetico, some of which may get solved in the future and some not:

1. When adding a new rule the display may freeze if no existing rule is highlighted.

2. Not possible to add an ip address range. Only address/mask are allowed. I just do not happen to know how to use those masks as well as I would like to.

3. Perhaps not so important, but it is not possible to enter a list of non adjacent ports. A separate rule is needed for each one.

I realize that some people feel that sand boxing is the way to go, but I am not sure if I need or want it. It does provide additional protection, but at a cost in convenience. My experience with the Java problem is proof of that. Anyway, I thought my post may be helpful to anyone with the same or similar problem.
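Added example (not part of any post in this thread, and not Jetico code): points 2 and 3 above come down to translating an IP range into address/mask pairs and a port list into single ports or contiguous ranges, one rule each. The function names and the sample range below are assumptions made for illustration.

```python
import ipaddress


def range_to_masks(first, last):
    """Cover the inclusive IPv4 range first..last with address/netmask pairs.

    At each step take the largest power-of-two block that (a) starts on its
    own boundary at the current address and (b) does not run past `last`.
    """
    start = int(ipaddress.IPv4Address(first))
    end = int(ipaddress.IPv4Address(last))
    if start > end:
        raise ValueError("first address is above last address")
    pairs = []
    while start <= end:
        # Lowest set bit of start = biggest block aligned at this address.
        size = (start & -start) if start else 1 << 32
        # Shrink the block until it fits in what is left of the range.
        while size > end - start + 1:
            size >>= 1
        prefix = 32 - (size.bit_length() - 1)
        mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
        pairs.append((str(ipaddress.IPv4Address(start)),
                      str(ipaddress.IPv4Address(mask))))
        start += size
    return pairs


def port_ranges(ports):
    """Collapse a port list into single ports and contiguous ranges."""
    out = []
    for port in sorted(set(ports)):
        if not 0 < port < 65536:
            raise ValueError(f"invalid port {port}")
        if out and port == out[-1][1] + 1:
            out[-1][1] = port          # extend the current run
        else:
            out.append([port, port])   # start a new run
    return [str(a) if a == b else f"{a}-{b}" for a, b in out]


def rules_needed(first, last, ports):
    """One (address, mask, port-or-range) tuple per rule that must be created."""
    return [(addr, mask, p)
            for addr, mask in range_to_masks(first, last)
            for p in port_ranges(ports)]


if __name__ == "__main__":
    # Constructed sample: hosts .10 to .20 on a private network.
    for rule in rules_needed("192.168.1.10", "192.168.1.20", [80, 443, 8080, 8081]):
        print("remote %s/%s port %s" % rule)
```

A range that does not start and end on power-of-two boundaries needs several masks, which is why an arbitrary range multiplies the number of rules.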

SSK
January 7th, 2005, 06:38 PM
Well, switched back to Look 'n' Stop.
No serious problems with Jetico, and I even like the design very much, but with LnS my surfing and general computer use is faster.

The firewall looks promising though.

hojtsy
January 11th, 2005, 04:47 PM
Hi,
I have a question for those who already mastered the rule creation and handling. If the processing of a communication event stops when a Reject rule is matched, and the Application Table ends with a Reject rule matching simply anything, how on earth could the tables coming after the Application Table ever be processed? ??? No traffic should reach those tables because it should already be blocked by this Reject rule.
-hojtsy-

dukebluedevil
January 12th, 2005, 02:26 PM
-{ Quote: "Java Lock-up Solved

To troubleshoot a lock-up in Jetico Personal Firewall when the process attack table is suspected, I had to change the default action (next to last rule on process table) to continue. Then the Java binaries were able to run and the results in the log showed what the process attack table was responding to. The events tended to be stuff like access to low level system memory or attacker opens application with hidden window. javaw.exe or some of the other binaries go where it says attacker. Presto, everything works and the next to last rule on the table goes back to the default of ask.

Oddly enough the icon did make a difference as when the icon shows javaws.exe is started.

Exactly why this caused lock-ups on my system and not on others is not known, but is probably related to different low level drivers for some other function, possibly video." }-




The process attack table is what was causing problems for me too I discovered. Each time I connected online Jetico would freeze up immediately and stop responding. When I changed the default action of ask to accept I then found that there were no longer any problems anymore. After a bunch of testing and investigating I finally found out that it was due to the event Attacker Starts Application with Hidden Window. The attacker being Explorer.EXE and the application being Jetico's fwsrv.exe.

It sounds like there are still a lot of issues yet that need to be worked out with the process attack table. Going all the way back to the beginning of this thread it sounds like people were having problems with it. I have been in contact with Nail from Jetico a couple of times now to try to help them resolve at least the issue that I'm having. Hopefully they can fix all these issues once and for all very soon.

dukebluedevil
January 12th, 2005, 04:06 PM
-{ Quote: "I solved the problem, but I still feel more comfortable with Kerio 2.15. I have a bunch of nits and picks with Jetico, some of which may get solved in the future and some not:

1. When adding a new rule the display may freeze if no existing rule is highlighted.

2. Not possible to add an ip address range. Only address/mask are allowed. I just do not happen to know how to use those masks as well as I would like to.

3. Perhaps not so important, but it is not possible to enter a list of non adjacent ports. A separate rule is needed for each one." }-



I feel much more comfortable with Kerio 2.1.5 too which is why I have gone back to it. The layout is just so much more simple and straightforward and easier to use.

In Jetico it just seems like everything is spread out all over the place and there are just way too many sections in it. The tree structure in the rule editor I found to be very tedious also. All the selections should be front and center in the window, so that you don't have to go searching for things. I could never find where the tcp flags were located in the rule editor for instance, it was just so difficult to use. Nail over at Jetico has said that they plan to get rid of the tree structure in the rule editor, so it should be much better.


I agree with you on the ip range and port lists, I would like to see that get added too. Also in the logs I would like to see them include the tcp flags and in the listening/active connections part it would be nice if they showed the protocols.


I think this firewall could be pretty nice eventually. We'll just have to see how much they care and listen to users input. Only time will tell I guess.

Kerodo
January 12th, 2005, 05:09 PM
-{ Quote: "
I think this firewall could be pretty nice eventually. We'll just have to see how much they care and listen to users input. Only time will tell I guess." }-

I think JPF is pretty good for a version 1.0. Its stateful inspection seems to be "tighter" than most others.

There is one thing that I discussed with them and I couldn't get them to see it my way though. I noticed that when packets come in to a port where there's a program listening on that port, then JPF seems to let the packet in to the operating system whether you allow it or not. For example, I have Mstask listening (on my W2k) on port 1025 all the time. Whenever I get a packet coming in to 1025, whether I accept or deny it, I always see an outbound RST ACK in the logs. This shouldn't be happening. JPF should prevent the packet from getting to the OS in the first place I believe, and thus preventing the outbound RST ACK. But instead, it seems to let the packet in. This is only happening on ports where there's a program listening. I argued with them about it for quite some time, but they said it had to be that way for some reason. I think they're wrong though. In my view, NOTHING should reach the OS unless you specifically allow it, if the firewall is set up right. I had to create a block all incoming rule for all TCP with the SYN flag set and the ACK flag cleared to fix this. While it fixes the problem, I shouldn't have to be doing this.

dukebluedevil
January 12th, 2005, 10:03 PM
Hi Kerodo,

Thank you for bringing this to my attention, I didn't know about this before. Tonight I reinstalled Jetico just to test this out on my own system. Port 445 on my XP system is always listening, so when I scanned my system I noticed port 445 TCP RST ACK in my logs showing up as being blocked outbound but nothing showing up as being blocked from coming in. (BTW I now see there is tcp flag info in the logs when you expand the Misc tab)

What's really strange though is that I also noticed port 113 was being blocked out as well and I don't even have any programs listening or connected on that port! So obviously Jetico is allowing packets in on that port as well. I don't like this one bit, nor do I like it that you had to argue with them over it and they still didn't do anything about it. I agree with you that this should be blocked by default unless you have a rule set up allowing it in. The block all tcp you mentioned above seemed to work for me too if I put it under the Root table. But as you mentioned, we shouldn't be having to do this. This is something they should fix!

Kerodo
January 12th, 2005, 10:20 PM
Yes, I agree that it needs fixing.. It's not right. Nothing should be allowed in. What you're seeing is JPF allowing the 445 packet in and then when the OS responds with the RST ACK, you're seeing the outbound response being blocked by JPF's stateful inspection, or so they say. I don't like the situation at all. So the incoming packet never gets an outbound response, but if you ask me, as I said before, no packets should ever be allowed into the OS to begin with. They're just not doing things right..

I believe port 113 is Ident. I asked them about this also, and they claim that they're allowing 113 in because some systems need it. I suggested that they should block 113 incoming and then let those who need it create a special rule to allow it. They didn't seem to agree with me on that either. :P

Just a few things that I don't think they're doing properly...

Sir.Demon
January 13th, 2005, 12:40 AM
Hi all

Can anyone post a file of rules with best protection?
I need an example of a configuration file.

Thanks

dukebluedevil
January 19th, 2005, 04:46 PM
I just tried the new 1.0.1.48 version of Jetico and the problem I was having before with the process attack table is still not fixed I see. Nor have they responded back to an email of mine I sent them last week about Jetico allowing packets into the OS. I guess they don't want to talk about that one anymore lol. I can't say I'm all that impressed with them at all.

Diver
January 19th, 2005, 05:45 PM
The problems that I had with process attack conflicting with Sun Java have been solved. I am impressed.

I did a bunch of firewall scan tests and all of them showed the ports to be stealthed.

In one situation some listening ports were detected, but it turned out that another rule for the same application was explicitly allowing the contact. After fixing that, the problem went away.

Diver
January 19th, 2005, 06:01 PM
Just curious, has the listening port problem been solved to your satisfaction Kerodo or Dukedevil?

Kerodo
January 19th, 2005, 06:07 PM
-{ Quote: "Just curious, has the listening port problem been solved to your satisfaction Kerodo or Dukedevil?" }-

No, I believe that the problem still exists. I have just reinstalled the latest JPF, and although I believe they're doing things wrong with that problem, I must admit that it doesn't affect me much since I added a rule to block all inbound TCP. So for all practical purposes, the problem is solved.

I did find one other problem too. I copied my previous config file to the configs folder and then did a File open to load it. Then I selected the new config, renamed it and so on. Then when I exited and reloaded JPF, I found that it didn't remember my previous policy config at all. It seems to just use "Optimal" config. I even looked for my other config file in the Options menu so I could check it to load at startup, but it doesn't show up. So I reported all this to Jetico and we'll see if it's a bug and gets fixed I guess.. I'd like to be able to have several configs loaded and switch between them if I need to.

Kerodo
January 19th, 2005, 06:10 PM
-{ Quote: "I just tried the new 1.0.1.48 version of Jetico and the problem I was having before with the process attack table is still not fixed I see. Nor have they responded back to an email of mine I sent them last week about Jetico allowing packets into the OS. I guess they don't want to talk about that one anymore lol. I can't say I'm all that impressed with them at all." }-

Dukebluedevil... I'm not surprised they didn't respond yet. I had talked at length about this one with Nail at Jetico. In the end, he kept explaining it away. At first, I noticed the problem on programs listening on Localhost. So they DID fix that one. But they never acknowledged that the other port listening problem was even a problem, let alone fix it.

I'd suggest pounding away at them about it. I'll send another email myself on the subject and see what happens. But for now I've just used that block all rule on incoming TCP and it seems to take care of the problem.

I really like the firewall a lot. I'm planning on running it for a while now.

Kerodo
January 19th, 2005, 06:23 PM
-{ Quote: "The problems that I had with process attack conflicting with Sun Java have been solved. I am impressed.

I did a bunch of firewall scan tests and all of them showed the ports to be stealthed.

In one situation some listening ports were detected, but it turned out that another rule for the same application was explicitly allowing the contact. After fixing that, the problem went away." }-

Diver... all ports will show stealth on scans such as grc.com and so on. However, if you look in your logs after the scan, you will see outbound RST ACKs every time a scan hits a listening port. The RST ACK never gets out or back to the scanner, so you get a stealth result, but the packets should never be getting in to the OS in the first place, as evidenced by the outbound response of the OS (the RST ACK).

Diver
January 19th, 2005, 06:29 PM
Kerodo,

I now understand what you are talking about and have seen the activity in my logs, which is interesting because both of these listening ports are blocked with an explicit application rule for inbound TCP.

Could you please explain your solution with a bit more detail, like where do you put the rule and its parameters? I guess it is a "system ip rule".

Kerodo
January 19th, 2005, 06:48 PM
That's interesting that it's getting in even though you have a rule blocking those ports.. must have something to do with the rule placement..

I simply put the rule in the System Internet Zone table. Near the top, and make sure it's BEFORE the stateful inspection rules at the bottom, otherwise it'll never get seen apparently.

Create a System IP rule to Deny All TCP Incoming, then go into the protocol-specific options at the end of the edit box and edit the TCP Flags. You want to Set the SYN flag, and Clear the ACK flag. Leave everything else alone. That should do it.

Kerodo
January 19th, 2005, 06:49 PM
Just a note.. I wrote to Jetico just now and pleaded with them to fix the listening port problem. I also mentioned this Wilders Forum and the Jetico thread. So perhaps they'll take notice and maybe even answer some questions here (although that's probably wishing for too much...) :)

Diver
January 19th, 2005, 07:26 PM
I don't know what pleading with them will do...

First I tried placing the rule in the root, but it would only work if limited to the known listening ports. Otherwise, i could not connect to the internet.

Then I tried it your way and it works without specifying a port.

Question: How do you know to specify the ack flag as not set? In my log the incoming packets had syn set and that was it.

I also just noticed that this rule is blocking some legitimate traffic for an AV automatic update originating on port 20 of the remote, so it would have to be limited to the listening ports, and even then it might interfere with some traffic.

I think that I will leave it alone for the time being.

Kerodo
January 19th, 2005, 07:39 PM
I think you have to have the ACK flag cleared so you can get incoming responses back from legitimate outgoing TCP traffic. But I'm certainly no expert in these matters. I simply did what Nail at Jetico recommended. If you set the SYN flag then that would block incoming connection attempts, but you have to have some way to allow legit return traffic I think, so I assume that's what the ACK flag cleared is doing.

Don't know why you're having trouble with that AV program on remote 20. I assume you're using the FTP Client presets or something similar? I use this rule as mentioned above and everything works fine for me here, including AV updates, browser, email, newsreaders, and any other programs using various remote ports and so on. You shouldn't have to specify any ports... Are you sure the AV thing worked ok before the block rule? Maybe you need to set up a rule for that program alone in the ask user section? Or create a rule above the block all rule to allow incoming from remote port 20 for that app?

As a last resort, if you still have conflicts with the AV updater, you might instead of blocking ALL TCP incoming, just block it for those listening ports. That would probably work just as well.. Put the rule in the System Internet Zone. Try using the same flags settings also so you don't block legit responses to outbound traffic on those ports, if any.

Kerodo
January 19th, 2005, 07:43 PM
-{ Quote: "I don't know what pleading with them will do..." }-

I tried arguing with them for days before and lost, so I figured a little pleading this time might get them to re-evaluate the situation... ;)

CrazyM
January 19th, 2005, 07:43 PM
-{ Quote: "I also just noticed that this rule is blocking some legitimate traffic for an AV automatic update originating on port 20 of the remote, so it would have to be limited to the listening ports, and even then it might interfere with some traffic." }-
Does your AV auto update allow you to configure it for passive FTP?

Regards,

CrazyM

CrazyM
January 19th, 2005, 07:56 PM
-{ Quote: "If you set the SYN flag then that would block incoming connection attempts, but you have to have some way to allow legit return traffic I think, so I assume that's what the ACK flag cleared is doing." }-
How would/does it handle a scan to a listening port with something other than the SYN flag set?
(ie. certain types of stealth scans)

Regards,

CrazyM

tommy1
January 19th, 2005, 08:15 PM
Is there a rule in the UI that allows this traffic to come into the firewall if a program is listening on a port or is it a hidden rule coded into the firewall that the user can't control?

Kerodo
January 19th, 2005, 08:32 PM
-{ Quote: "How would/does it handle a scan to a listening port with something other than the SYN flag set?
(ie. certain types of stealth scans)

Regards,

CrazyM" }-

Now you're getting beyond my knowledge, which is very slim anyway.. :)

I would think that anything other than a SYN would not matter anyway, would it? But you're right, I suppose any incoming other flags might prompt a response from the OS also. Or would they? Any outgoing response would be blocked by JPF though. Perhaps we should be setting all flags except the ACK flag?

I don't know, CrazyM. Now we're in need of some answers from Jetico I think...

Kerodo
January 19th, 2005, 08:35 PM
-{ Quote: "Is there a rule in the UI that allows this traffic to come into the firewall if a program is listening on a port or is it a hidden rule coded into the firewall that the user can't control?" }-

At this point it's something that the user can't control.. It needs to be fixed by Jetico... All you can do is try to block incoming TCP to listening ports...

Diver
January 19th, 2005, 08:43 PM
For the AV I am using a slightly modified version of the included rule for FTP Clients. The AV updates worked perfectly before. I just noticed it tried to update while I was looking at the log and the traffic from remote 20 was blocked while the update icon for the AV was flashing in the taskbar. I guess that I would have to limit the rule to the two listening ports, which is not that big of a deal. Those two happen to be for the AV to catch mail to scan. It's KAV 5.0.227, by the way. It is not possible to set the AV for passive FTP, at least not without knowing some undocumented registry setting.

You might want to check your log to see if any legitimate traffic is being blocked by your rule.

I turned off the DMZ setting for my machine on the NAT, which makes this academic in the sense that the NAT does block this stuff.

Kerodo, after seeing the difference the NAT makes, I have to agree with you on the "nothing should get through" philosophy. I just wonder what Jetico's real reason for doing things the way they are doing it is. It could be a performance issue of some kind, or they just could have designed themselves into a corner.

Like you said, it's only version 1.0.

Diver
January 19th, 2005, 08:50 PM
more:
K-
I think the only flag that needs to be set is SYN, just from looking at my log, that was the only flag that was detected on the inbound traffic. However, the inbound traffic from remote port 20 also indicated only a SYN flag set. So, I think the answer for now is to only block the listening ports. I am not an expert, but it seems like the logical answer.

Perhaps it is time to go back to Kerio until next month's exciting installment.
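The flag questions raised in the posts above (why ACK is cleared in the rule, what happens to inbound packets without SYN, and why the SYN from remote port 20 gets caught), worked through as an added example that is not part of the thread and not Jetico's code. The `StatefulFilter` class is a simplified model of connection tracking in general, the addresses are documentation ranges, and every packet is constructed.

```python
from dataclasses import dataclass

# TCP flag bits as they appear in the TCP header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


@dataclass(frozen=True)
class Packet:
    label: str
    direction: str      # "in" or "out", relative to the protected host
    remote_ip: str
    remote_port: int
    local_port: int
    flags: int


def syn_rule_matches(pkt):
    """The rule from the thread: inbound TCP with SYN set and ACK clear."""
    return pkt.direction == "in" and bool(pkt.flags & SYN) and not (pkt.flags & ACK)


def stateless_verdict(pkt):
    """Only the flag rule is applied; whatever it does not match is accepted."""
    return "deny" if syn_rule_matches(pkt) else "accept"


class StatefulFilter:
    """Accept inbound packets only for connections opened from the inside.

    Simplified: no timeouts, no sequence checks, no FTP helper.
    """

    def __init__(self):
        self.connections = set()    # {(remote_ip, remote_port, local_port)}

    def verdict(self, pkt):
        key = (pkt.remote_ip, pkt.remote_port, pkt.local_port)
        if pkt.direction == "out":
            if (pkt.flags & SYN) and not (pkt.flags & ACK):
                self.connections.add(key)       # new outbound connection
            return "accept"
        if key not in self.connections:
            return "deny"                       # nothing inside asked for this
        if pkt.flags & RST:
            self.connections.discard(key)       # peer tore the connection down
        return "accept"


# Constructed sample traffic, in arrival order.
SAMPLE = [
    Packet("outbound SYN to web server", "out", "203.0.113.10", 80, 49152, SYN),
    Packet("SYN+ACK reply from web server", "in", "203.0.113.10", 80, 49152, SYN | ACK),
    Packet("unsolicited SYN to port 113", "in", "198.51.100.7", 40000, 113, SYN),
    Packet("outbound SYN to FTP control port", "out", "203.0.113.20", 21, 49160, SYN),
    Packet("active-FTP data SYN from remote port 20", "in", "203.0.113.20", 20, 49161, SYN),
    Packet("lone FIN to listening port 445", "in", "198.51.100.7", 40001, 445, FIN),
    Packet("lone ACK to listening port 445", "in", "198.51.100.7", 40002, 445, ACK),
    Packet("no flags to listening port 445", "in", "198.51.100.7", 40003, 445, 0),
]


def run_samples(packets=SAMPLE):
    """Return {label: (flag-rule verdict, stateful verdict)} for each packet."""
    stateful = StatefulFilter()
    return {p.label: (stateless_verdict(p), stateful.verdict(p)) for p in packets}


if __name__ == "__main__":
    for label, (flag_rule, stateful) in run_samples().items():
        print(f"{label:42} flag rule: {flag_rule:6}  stateful: {stateful}")
```

The SYN+ACK reply passes the flag rule because its ACK bit is set, while the data connection of active-mode FTP arrives as a plain SYN and is indistinguishable from any other inbound connection attempt. Inbound packets without SYN never match the flag rule at all, so only the state check decides about them.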

Kerodo
January 19th, 2005, 08:52 PM
I don't know why they resisted fixing it a few months ago. Could be many reasons, but I agree that it does need fixing.

For now, I think I'm fairly safe if I don't allow any incoming TCP connection attempts (SYN flag), however, I'm not sure what the other flags do in terms of connections, if anything. I'll have to research that. CrazyM you do have a good point...

Diver, you might want to block 113 also, JPF lets it thru...

We'll see if I get any answers from Jetico in the next few days...

Diver
January 19th, 2005, 09:34 PM
I have returned to Kerio 2.15 for the time being. I ran the same tests as I did earlier this evening with Jetico. Kerio 2.15 behaves as you say a firewall should. Nothing gets through on the listening ports. There is no rebound, unless there is something broken with Kerio's ability to log, and I put in the standard rules at the end to block everything and log.

This gets back to one of my beliefs: There is so much noise being made about sandboxing and leak tests that other more important aspects of firewall performance are being forgotten by many participants of this, and the DSLR security forums.

Ultimately, the sandboxing is only going to help with some very exotic malware that has not yet made its way into the AV databases and there seems to be very little evidence that anyone is getting hit this way.

There was a news article today about a trojan that included both a keylogger and the ability to control any webcam connected to the owned machine. Some questions were raised as to whether it was in any AV database, although it was said to be based on older trojans which are in AV databases. There is a certain FUD factor, because the police in Spain (I think) have not released enough information for any AV vendor to respond and say if they can or can not detect it. I wonder if this particular trojan would have been blocked when phoning home by a non-sandboxed firewall like Kerio 2.15, Sygate or ZA 4.5?

Kerodo
January 19th, 2005, 09:55 PM
I don't worry much about programs getting out on my machine, since I consider myself very careful about what I download and install and run here. Others may need all the sandboxing however. I do like firewalls like Tiny anyway, even though I don't really need them. ;D

Diver, there is that fragmented packet thing with Kerio, so it's not perfect either. Supposedly any packet with the fragment bit set can get thru. But most likely no damage will ever occur anyway, so why not use it? I installed it just the other day so I could update my rules a little bit. I have copies of rules for all the firewalls I use here...

But for me, the most important thing about a firewall is whether it blocks everything from getting IN, not out. I guess it depends on what you use your machine for and so on...

Kerodo
January 19th, 2005, 10:59 PM
-{ Quote: "more:

Perhaps it is time to go back to Kerio until next month's exciting installment." }-

Diver, what do you think of Kerio 4?

Diver
January 19th, 2005, 11:20 PM
K-
As far as the firewall performance goes, I am behind a NAT. The firewall just covers a couple of forwarded ports on the inbound side. However, it is amazing how much traffic I see on these server ports after downloading something (GPL software of course) using bittorrent. Beyond that it is nice to have a bit of application control to keep some of the M$ components from phoning home all day long, but I wonder how important that really is. As far as the Kerio 2.15 fragmented packet thing goes, the experts like BlitzenZeus say it is mainly theoretical. No two way communication can be established.

A lot of stuff gets run on my machine, but I have a fairly high level of awareness. A lot of areas get checked regularly including the task manager, startup entries, and the non P&P drivers list (show hidden devices in the device manager).

It's been a long time since I have gotten bit, and that one I got rid of in a couple of minutes.

A lot of folks are looking for some kind of foolproof software solution that still lets you use the machine normally. There is no such thing. The tighter things get, the more the machine fights its user. Freeze is foolproof, but it returns every little setting to a baseline after each reboot. Consequently, it is only useful for kiosk browsing. Most of the sandboxes are somewhere in between. There is extra protection at a cost of responding to all sorts of pop-ups.

I mess with this stuff for fun as well. (I took a look at Tiny 6.0.x, and did not know where to start. Is there a tutorial somewhere?)

A lot of this stuff will not work in an office. Most folks have no idea of what is going on, and a lot of the geeks that post in these forums have a way of forgetting that. So, enterprise firewalls are designed to keep bad stuff out and the ordinary desktop does not have a personal firewall on it. Beyond that, most businesses have a no unauthorized software rule.

Of course, I notice that just about every internet forum is very busy during normal US working hours. No wonder nothing ever seems to get done.

Diver
January 19th, 2005, 11:24 PM
K-
I have never tried Kerio 4, so I don't think of it much. Being a Diver, I try to think of fish, rays, sharks, eels, lobsters, crabs, dolphins and turtles whenever possible:)

Kerodo
January 19th, 2005, 11:45 PM
I mess with this stuff for fun also, mostly because I have some extra time on my hands and I find it interesting..

Tiny is fun. At first, I had no idea what to do with it either. But after a while it sort of unfolds itself and you can get addicted to playing with it. It's got a handy backup and restore function, so you can mess with things, making periodic backups, and then when you mess something up, which you most likely will do, then you can restore from an earlier config. Very handy. There's no tutorial that I know of. Just the manual you can download and the forum on the Tiny site. All in all, I like it a lot, but in the end, I don't really need all that sandboxing, so I turn to the other ones.

Kerio 4 is different. Most people stay away from it because it has a reputation for being pretty buggy and more bloated than 2. I've used it though. It does not have that fragmented packet vulnerability like 2 does, so that's one plus for it. I like 2 better, but just wondered what other people thought of 4. 4's logging is generally terrible and messed up. If the logging was "normal", I think I might be tempted to use it again. Maybe they'll fix it in 4.2. Who knows... :P

Slovak
January 20th, 2005, 05:27 AM
I am still having intermittent internet connection problems, especially with Firefox, and this is round two with Jetico for me. I try to load web sites and it says whatever site I was trying to connect to was not found. How could this be? I don't even see anywhere to check the rules for browsers in Jetico.

Diver
January 20th, 2005, 07:09 AM
Kerodo-

My return to Kerio 2.15 did not last that long. Nothing wrong with it, but curiosity brought me back to Jetico 1.0. I am going to try that rule of yours again, not limited to specific ports. I set my AV to autoupdate every hour and I will check my log. I did observe the outbound connection on port 113.

I suppose the downside of not being able to change the default behavior of Jetico on certain listening ports is you have to know which ports they are. However, there does not seem to be any problem with any other listening ports, like 135 and 445 etc.

hojtsy
January 20th, 2005, 08:00 AM
-{ Quote: "I am still having intermittent internet connection problems, especially with Firefox, and this is round two with Jetico for me. I try to load web sites and it says whatever site I was trying to connect to was not found. How could this be? I don't even see anywhere to check the rules for browsers in Jetico." }-
It depends on what you have set for Firefox. Go to the Ask User table, and check all lines with Firefox indicated as application. For me there is only one, with the verdict Web Browser. From here it is very easy. Every verdict except the first 4 verdicts (allow, reject, ask, continue) are references to other tables. So you have a rule table called Web Browser. It should be visible in the left tree panel if you expand it. After selecting this table you will see the rules in it. Originally it contained the following rules:
1) Allow "access to network"
2) Allow "outbound connection" to remote port 80 (http)
3) Allow "outbound connection" to remote port 443 (https)
4) Default action is continue

But I inserted one more rule in my Web Browser table which also allows outbound connections to remote port 8080 (most often used http proxy).

You can now see that such things are not hidden and not hardcoded in this firewall.
-hojtsy-
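The table chaining described in the post above, modelled as an added example that is not part of the thread and not Jetico's code. First-match evaluation, the reading of "continue" as "keep looking, and return to the calling table when this one is exhausted", the final "ask" rule in the Ask User table, and the application names are all assumptions made for the illustration.

```python
import copy

# The four built-in verdicts named in the post; any other verdict is a table name.
BUILTIN_VERDICTS = {"allow", "reject", "ask", "continue"}

# Constructed rule set: each rule is (conditions, verdict); {} matches anything.
TABLES = {
    "Ask User": [
        ({"app": "firefox.exe"}, "Web Browser"),    # verdict refers to a table
        ({}, "ask"),                                # assumed last rule: prompt
    ],
    "Web Browser": [
        ({"event": "access to network"}, "allow"),
        ({"event": "outbound connection", "remote_port": 80}, "allow"),
        ({"event": "outbound connection", "remote_port": 443}, "allow"),
        ({}, "continue"),                           # default action
    ],
}


def rule_matches(conditions, event):
    """A rule matches when every field it names has the wanted value."""
    return all(event.get(field) == wanted for field, wanted in conditions.items())


def evaluate(tables, table_name, event, trace, depth=0):
    """Walk one table; return a final verdict, or None to hand back to the caller."""
    if depth > 16:
        raise RuntimeError("table references form a loop")
    for conditions, verdict in tables[table_name]:
        if not rule_matches(conditions, event):
            continue
        trace.append((table_name, verdict))
        if verdict == "continue":
            continue                                # keep looking
        if verdict in BUILTIN_VERDICTS:
            return verdict                          # allow / reject / ask
        result = evaluate(tables, verdict, event, trace, depth + 1)
        if result is not None:
            return result
    return None


def decide(tables, event, start="Ask User"):
    """Return (final verdict, list of (table, verdict) steps taken)."""
    trace = []
    return evaluate(tables, start, event, trace), trace


def with_proxy_rule(tables):
    """Copy the tables and add the port 8080 rule ahead of the default action."""
    patched = copy.deepcopy(tables)
    rule = ({"event": "outbound connection", "remote_port": 8080}, "allow")
    patched["Web Browser"].insert(-1, rule)
    return patched


# Constructed events.
HTTPS = {"app": "firefox.exe", "event": "outbound connection", "remote_port": 443}
PROXY = {"app": "firefox.exe", "event": "outbound connection", "remote_port": 8080}
OTHER = {"app": "mailer.exe", "event": "outbound connection", "remote_port": 110}

if __name__ == "__main__":
    for name, event in (("https", HTTPS), ("proxy", PROXY), ("other app", OTHER)):
        print(name, decide(TABLES, event))
    print("proxy, with 8080 rule", decide(with_proxy_rule(TABLES), PROXY))
```

With the original four rules, a browser connection to port 8080 reaches the default "continue" and drops back to the Ask User table; with the extra rule it is allowed inside the Web Browser table.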

Diver
January 20th, 2005, 10:03 AM
K-

The rules to protect 113 and the two listening ports related to the AV mail scan must be limited to those ports. If not, other desired traffic is blocked. In particular, the server port for bittorrent.

I suspect this is something Jetico will get around to fixing. Whatever they are telling you now is an excuse IMO, not a reason. Go ahead and bother them.

Kerodo
January 20th, 2005, 10:29 AM
Here's an update for anyone interested:

I wrote to Jetico last night, and right away got two responses this morning at 3:00am. They said that they are working on the listening port problem and hope to have a solution soon. They have positive results on it already apparently. So that's good news. Hopefully it will be fixed in the next release.. We'll see... :)

I must say that they do have the best support I've ever seen from a software company. I don't know what other people's experience with them is, but mine has always been excellent to date.

Diver
January 20th, 2005, 11:06 AM
Kerodo- it looks like you convinced them this time.

I am back to Kerio 2.15 until the next update of Jetico. It makes me a bit queasy that this "feature" made it so far.

As you say, Kerio 2.15 may not be perfect. However, it has been tested extensively and it works. No wonder a bunch of the gurus keep using it.

Jetico will reach that level some day. Then they will start charging for it.

Diver
January 20th, 2005, 11:08 AM
K-

3:00 AM in LA is lunchtime in eastern Europe where Jetico is located.

Firefighter
January 20th, 2005, 12:20 PM
-{ Quote: "K-

3:00 AM in LA is lunchtime in eastern Europe where Jetico is located." }-
According to this news, Jetico is from a country of Nokia, F-secure and jv16 PowerTools, Finland, which belongs to Scandinavia like Denmark, Iceland, Norway and Sweden too, not to Eastern Europe.

Best regards,
Firefighter!

no13
January 20th, 2005, 12:44 PM
maybe he refers to the location of only the webservers?

Diver
January 20th, 2005, 01:57 PM
FF is correct. Diver does not get a gold star in geography today. However, the time zone should be about the same as Eastern Europe, if not exactly the same.

I will never again tell anyone that Finland is in Eastern Europe. Promise.

Diver
January 20th, 2005, 04:49 PM
Does anyone around here really understand the flow of things through the various tables in Jetico PF?

Look at the "Root". It shows "Application Table" above "System IP Table". "System IP Table" calls out to "System Internet Zone". If the order in "Root" is being followed then the "Application Table" which includes the "Ask User Table" would be processed ahead of the "System Internet Zone" which does not make sense. Am I missing something, or is this clearly covered in the help file?

Kerodo
January 20th, 2005, 05:11 PM
I don't have much of an in depth understanding of it all myself, but I think the Ask User table may be processed sometimes before the Internet table. I only say this because I have that block all incoming TCP rule in the Internet Zone and you would expect it to interfere possibly with P2P programs, but I can successfully also run a P2P program in the Ask User section with inbound traffic allowed on certain ports. So, I guess I'm saying I'm not sure... :-\

These are good questions for Jetico support I think, since I doubt that anyone here really understands how it all comes together yet. I guess that's part of what makes this firewall interesting and a challenge..

I'm running Kerio 4 right now until the next Jetico comes out. Then, if they have that listening port problem fixed, I'll probably stick with Jetico for some time. Overall, I like it very much.

hojtsy
January 20th, 2005, 05:12 PM
-{ Quote: "Does anyone around here really understand the flow of things through the various tables in Jetico PF?" }-
Well, yes, but I will only have time tomorrow to detail it. Until then be patient please.
-hojtsy-

hojtsy
January 20th, 2005, 05:14 PM
-{ Quote: "These are good questions for Jetico support I think, since I doubt that anyone here really understands how it all comes together yet. I guess that's part of what makes this firewall interesting and a challenge.. " }-
Actually it is quite easy once you get the point. I will try to put together a description.

Kerodo
January 20th, 2005, 05:17 PM
-{ Quote: "Actually it is quite easy once you get the point. I will try to put together a description." }-

That would be great.. I think everyone would appreciate that...

Kerodo
January 20th, 2005, 05:23 PM
-{ Quote: "K-

3:00 AM in LA is lunchtime in eastern Europe where Jetico is located." }-

I figured that 3:00am my time (west coast) must be morning or thereabouts their time. I always seem to get their responses around 3:00am here.. :)

dukebluedevil
January 20th, 2005, 05:49 PM
-{ Quote: "Here's an update for anyone interested:

I wrote to Jetico last night, and right away got two responses this morning at 3:00am. They said that they are working on the listening port problem and hope to have a solution soon. They have positive results on it already apparently. So that's good news. Hopefully it will be fixed in the next release.. We'll see... :)

I must say that they do have the best support I've ever seen from a software company. I don't know what other people's experience with them is, but mine has always been excellent to date." }-



Hi Kerodo,

It is good to see that they are Finally acknowledging and working on the listening ports problem. It seems like they have been trying to avoid this issue for a long time now for whatever reason. Hopefully they will also fix the problem with packets coming in on port 113 as well.

It really doesn't matter to me if you can create a rule to block these packets from coming in or not. The fact is it shouldn't be happening in the first place Period. Nothing should be allowed in unless you have a rule in place allowing it in. They should have been upfront about this a long time ago in my opinion and just admitted it needed fixing than to keep making up excuses about it and trying to avoid it. If they finally fix these problems and the process attack table so that it doesn't keep freezing up my system then I might return and decide to give Jetico another shot maybe. We'll see, it's up to them now to make things right.

Kerodo
January 20th, 2005, 05:55 PM
-{ Quote: "Hi Kerodo,

It is good to see that they are Finally acknowledging and working on the listening ports problem. It seems like they have been trying to avoid this issue for a long time now for whatever reason. Hopefully they will also fix the problem with packets coming in on port 113 as well.

It really doesn't matter to me if you can create a rule to block these packets from coming in or not. The fact is it shouldn't be happening in the first place Period. Nothing should be allowed in unless you have a rule in place allowing it in. They should have been upfront about this a long time ago in my opinion and just admitted it needed fixing than to keep making up excuses about it and trying to avoid it. If they finally fix these problems and the process attack table so that it doesn't keep freezing up my system then I might return and decide to give Jetico another shot maybe. We'll see, it's up to them now to make things right." }-

Yes, I did also mention the port 113 problem and asked them to block this by default as well. That's how it should be. They made a mistake when they decided to allow 113 thru just because some people need it that way. A rule would accomplish this easily.

We'll see how it looks when the next one comes out. I got the impression that it would be soon, perhaps in a few days.. We shall see... :)

Diver
January 20th, 2005, 06:28 PM
Kerodo,

I could not get Bittorrent to work right when using the block all TCP rule in the system internet zone. Because 1) being behind a NAT solves the 113 and listening port problem and 2) I'd rather fool around with something new like Jetico rather than something familiar like Kerio 2.15, I will probably hang onto Jetico for a while. I think that it will be about three weeks for them to make the changes judging from their past release schedule, but I agree this will be a pretty nice firewall when those changes are made. Anyway, the block incoming TCP rule causes Bittorrent to act like its server port is blocked, so I have been limiting the rule to distinct ports for testing purposes.

For anyone that has been having uninstallation problems, or is afraid of them: Make sure that all other programs are terminated before uninstalling, especially your AV or anything else that relies on low level system access.

Hojtsy: I await your thoughts. Some of the process flow looks obvious. It's just the application vs system thing at the root level that has me confused. If the application table is processed first, then I am confused, because the other stuff seems to operate at lower level.

Kerodo
January 20th, 2005, 07:07 PM
I think it will be a lot sooner than 3 weeks, but we'll see I guess... ;)

I think I will stick with it also when they fix this problem. It has a few annoying characteristics, but it seems to be quite powerful also. One thing that annoys me is when you upgrade a program to a newer version, then JPF asks you for approval again and when you OK it, instead of updating the hash number for the program, it creates a whole new rule for it again. So you have to periodically go into the ask user area and clean up old stuff. I think they should just update the hash instead, and use the existing rule.

But all in all, it's looking pretty good...

Diver
January 20th, 2005, 08:08 PM
K- There are a lot of little things like the hash issue. The window used to edit rules is too small. Rules should default to "any" remote address rather than a specific "host", with the host name retained if the rule is edited. Fortunately, these things are easy to fix. There are other items, but if the developers get the main stuff right, I can forget about the minor stuff. Is it still beta quality? I don't know, but IMO, XP was beta quality until SP2 came out.

Kerodo
January 20th, 2005, 08:16 PM
Yeah, you're right, there are several minor annoyances. But I feel that I can live with them given the power that the firewall offers in general.

I think it's amazingly good for a version 1.0.

And when you have a developer that's that responsive then you can most likely get things corrected and changed too. That's rare these days..

Kaupp
January 21st, 2005, 12:42 AM
Well the problems I was experiencing are gone in this latest version :),I like the overall feel of this firewall and it has great potential for sure.
I think the graphical traffic monitor is a bit unnecessary other than that though I'm very impressed.

Kaupp

ROnin
January 21st, 2005, 01:07 AM
-{ Quote: "K- There are a lot of little things like the hash issue. The window used to edit rules is too small. ." }-

YES!!!

-{ Quote: "Rules should default to "any" remote address rather than a specific "host", with the host name retained if the rule is edited. " }-

Actually I much prefer the current way, most of the time with some exceptions (browser, FTP server but those have specific filtering tables), I prefer to restrict outbound connection to only one specific host.

Junior
January 21st, 2005, 03:08 AM
I am actually testing Jetico Firewall. It looks very promising but I have experienced some problems.
The main is with Mozilla Thunderbird that I can't get to work with JPF : when I use the default rules, JPF doesn't ask me what to do when I check my emails (no "ask rule" is processed) but it prevents Thunderbird from succeeding in getting my emails.
I don't understand because I managed to get it to work one time yesterday, but I can't reproduce this attempt.
It seems that a rule in "System application" is applying and nothing else after that.
Anyone has an idea ?

I hope to understand as I think JPF might be a killer soft !

zorro zorrito
January 21st, 2005, 03:19 AM
Hi, have a look at the bottom of application table and it has to say ask user, then go to ask user module and at the bottom it has to say ask, then run your program and it has to ask you and the rules are going to appear there, and it will be access to network and outbound connection, maybe that's the problem.

Kerodo
January 21st, 2005, 05:02 AM
Just downloaded the latest 1.0.1.49 JPF from Jetico tonight. It should be available tomorrow I would guess. They sent me a link via email, but I don't see it on their site yet. Probably within a few hours though. I will test it out and see if the listening port problem is indeed fixed. They seem to have made some major changes to fix this. Very good... :)

They disagree however about closing port 113. So I guess this will need a rule to keep TCP out. They say that their stateful inspection won't accept any incoming on 113 without an already established session of some kind, but I'm not so sure about this given the outbound RST ACK that we're seeing. But I'll check this more also..

Kerodo
January 21st, 2005, 05:36 AM
Ok, I have tested the new 1.0.1.49 release and they seem to have fixed all the listening port issues. Also, I see no outbound RST ACK from incoming packets to port 113 either, so it appears that their stateful inspection is preventing those from getting in too. So that's good. Now I believe that everything is as it should be, and no incoming packets are getting in thru the firewall. :)

I plan to run JPF now and see how it progresses as they add new features.

Another note, if I forgot to mention it before, they say they will also change the way JPF updates changed apps. Instead of creating a new rule for a changed app, they'll just update the hash. They plan to implement this in a coming release. So that's good also. One less hassle to deal with..

Diver
January 21st, 2005, 10:18 AM
K-
You were right about the fast release. My Bad.

I dl'ed it this morning and installed it. In order to be sure that all changes to the default rules were included, I am rebuilding my application rules from scratch. However, the modular nature of the tables makes this much easier than with any other rules based firewall. Done now except for a few rarely used windows components.

Diver
January 21st, 2005, 04:23 PM
I have recreated my rule set for Jetico PF and have also tested it for letting packets enter on ports 113 and listening ports used by my AV. So far as I can see, there is no outbound connection echo in the log. I do not have the expertise to do more detailed testing.

There are some minor issues with rule creation. Be careful when changing a rule with a verdict of "accept" to one that refers to a table. Sometimes other fields in the rule do not change and the rule may not work unless you make the necessary changes.

The hash problem when upgrading applications may be minimized by creating a table for any application that has a complex set of rules. In that case only the single rule which refers to the table will have to be replaced with a "handle as" verdict. This would be particularly useful for Bittorrent clients which seem to be on a short upgrade schedule.

Kerodo
January 21st, 2005, 06:24 PM
I create a special table for almost any type of app.. Download Managers, Newsreaders, etc etc.. It eliminates at least one rule entry for each app. It's a handy feature.

I'm sure they've got the listening port problem licked. I feel secure with JPF now, without having to worry about creating extra rules. I'm pleased... :)

This new update is just another example of how good their support really is. I complained about the problem again and asked them to have another look, and within days they had a solution and released an update. And they also kept in touch with answers to questions. What other developer offers this kind of support these days? With most other firewall developers, you're lucky if they even read your email.

Diver
January 21st, 2005, 06:55 PM
K-

Jetico has definitely nuked the listening port issue. I happen to need an application rule for the KAV mail scan ports, but this is specific to KAV and is needed only to deal with inbound traffic where the remote is using port 20. If KAV used passive FTP to update, this would have not been necessary at all. I probably would have never discovered this, but for the "auditmypc" firewall test which uses remote port 20 and exposed the problem in my application rules for KAV.

Anyway, if there are any major issues, I don't know how to uncover them. What is left now is convenience features like the application hash or making the edit window larger. The basic design as it is expressed in the user interface is good.

Jetico 1.0 may lack some of the rule editing features that make Kerio 2.15 so easy to use, but it makes up for it with the ability to build tables and make modular rules. It may not have Kerio's ability to put unrelated ports in the same rule, but you can clone a rule in Jetico and just edit the one port.

Some have complained that everything is not in one place, but I rather have the ability to do tables.

I just hope this one stays free for a while.

Did you notice that the website still says 1.48, but the download link gave me 1.49 this AM?

Kerodo
January 21st, 2005, 07:14 PM
Yep, I noticed that this morning around 10:30am. I think they just haven't gotten around to updating the web site.

I'm definitely sticking with JPF for a while now. I like it a lot. 1.0 is a good start and I think it has more power than Kerio. The interface is a little less elegant or intuitive than Kerio, but once you get used to it, it's fine.

And it can only get better... ;D Let's hope that they never turn it into bloatware with useless non-firewall features like so many of the others. I don't think they will..

SSK
January 21st, 2005, 07:31 PM
And I was wondering why there was no .49 on the website... ;D

Running it now. I like it very much!

dukebluedevil
January 21st, 2005, 10:47 PM
I got an email from Nail today saying that the issue I'm having with the process attack table they can't reproduce on their own systems, but they are trying to find a solution for it I guess. If I create a rule under the process attack table, with an event of "attacker starts application with hidden window", attacker being Explorer.exe, application being Fwsrv.exe it takes care of the hangups for the time being. More importantly is the packet filtering anyways which I am glad to see that they finally came to their senses and fixed the listening ports issue and port 113 problem.

I decided to test the new version out earlier today when I had some free time. I see it no longer allows packets in now which is good, but I did notice one strange thing happen when packets do come in on listening port 445 on my system. Jetico pops up a window asking to either allow or deny the traffic coming in on just that one port. All the other ports seem to get blocked by the "block all not processed ip packets" rule, while packets coming in on port 445 it looks like bypasses that rule and goes to the "ask user" table instead. Has anyone else noticed this happening on port 445 or any others ports such as 135 that are listening on your systems?

Diver
January 21st, 2005, 10:52 PM
I tested 445, 135 and a couple of others, and had no problem. Perhaps there is a conflict with another application rule.

dukebluedevil
January 21st, 2005, 11:52 PM
Are those ports listening on your machine?

I don't think it would be another rule causing this since I didn't add or change much in the rules at all before testing it. I will reinstall Jetico again later on tomorrow and double check this.

Kaupp
January 22nd, 2005, 02:01 AM
20. v. 1.0.1.49 Freeware, 21st January, 2005.
Stateful inspection is enhanced for inbound connections. Minor enhancements and fixes are made in user interface.

Kerodo
January 22nd, 2005, 04:31 AM
-{ Quote: "Are those ports listening on your machine?

I don't think it would be another rule causing this since I didn't add or change much in the rules at all before testing it. I will reinstall Jetico again later on tomorrow and double check this." }-

I believe 445 is listening here on my machine. 135 also. I don't think I get the popup on those ports because my ISP blocks 445 and 135. Maybe your ISP doesn't block it? That could be why you see it but others don't...

Note: I just did a scan without the firewall and my 445 and 135 show stealth, so my ISP is blocking them. Yours probably does not block 445, so JPF gives you a popup because that's a listening port. Diver's ISP probably blocks 445 and 135 also, like mine.

Do a scan at grc.com without the firewall and see if 445 shows as open. Then you'll know...

BillLudum
January 22nd, 2005, 07:15 AM
Do I need to uninstall the older version to install the latest jetico? I don't want to lose my rule sets.

Diver
January 22nd, 2005, 08:33 AM
I would uninstall the old version first. Make sure nothing else is running when you uninstall, especially your AV.

Before you uninstall, do a search for the file optimal.bcf. The one located somewhere under "Documents and Settings" is your config. Save it, and use it to replace the default config that the new installation will place there. Note that if Jetico makes changes to their default rules, this will not pick up the changes. However, this release makes no mention of changes in the default rules.

Robertludlum
January 22nd, 2005, 08:50 AM
Turns out like most installers these days it is able to detect older versions !

Upon restart it asks you if it wants to replace the older rules with factory settings.

I said no. I don't know if this is a good idea really.

Slovak
January 22nd, 2005, 11:25 AM
-{ Quote: "Do I need to uninstall the older version to install the latest jetico? I don't want to lose my rule sets." }-
Just save your ruleset, then when you install just load your saved ruleset. :)

dukebluedevil
January 22nd, 2005, 03:08 PM
-{ Quote: "I believe 445 is listening here on my machine. 135 also. I don't think I get the popup on those ports because my ISP blocks 445 and 135. Maybe your ISP doesn't block it? That could be why you see it but others don't...

Note: I just did a scan without the firewall and my 445 and 135 show stealth, so my ISP is blocking them. Yours probably does not block 445, so JPF gives you a popup because that's a listening port. Diver's ISP probably blocks 445 and 135 also, like mine.

Do a scan at grc.com without the firewall and see if 445 shows as open. Then you'll know..." }-


My ISP doesn't block any ports so traffic goes straight to Jetico to process, so that explains why you aren't seeing what I'm seeing then. I reinstalled the latest Jetico version again and made no changes to the rules other than just allowing my browser out and allowing traffic to my DNS and I noticed the same thing as before where Jetico bypasses the Application table and goes straight to the Ask User table instead to process traffic to listening port 445. What I don't understand is why is Jetico doing this when it should be getting blocked like all the rest of the ports by the rule "block all not processed IP packets" under the Application table? This is something that needs fixing as well in my opinion. While it's not as bad as before when they were just allowing traffic through, it's not something that should be happening. There needs to be some consistency here in the way the rules are processed.

Kerodo
January 22nd, 2005, 03:19 PM
-{ Quote: "My ISP doesn't block any ports so traffic goes straight to Jetico to process, so that explains why you aren't seeing what I'm seeing then. I reinstalled the latest Jetico version again and made no changes to the rules other than just allowing my browser out and allowing traffic to my DNS and I noticed the same thing as before where Jetico bypasses the Application table and goes straight to the Ask User table instead to process traffic to listening port 445. What I don't understand is why is Jetico doing this when it should be getting blocked like all the rest of the ports by the rule "block all not processed IP packets" under the Application table? This is something that needs fixing as well in my opinion. While it's not as bad as before when they were just allowing traffic through, it's not something that should be happening. There needs to be some consistency here in the way the rules are processed." }-

Duke, I think that this is normal and ok. JPF is asking you about the incoming packet because it's to a listening port. It should do this when something comes in to any listening port I believe. That's how it works here too. When a packet comes in to 1025 here, it asks me about it because MsTask is listening on 1025. The only reason I don't see it ask me on 445 is because my ISP is blocking it, so JPF doesn't see it. If you don't see it on 135 for example, then perhaps your ISP is blocking 135... I think all is ok.. Turn off the firewall and scan 135 from grc.com and see if it shows stealth. If so then your ISP is blocking 135.

If the above isn't the case, then I'm not sure what's going on. Maybe write to Jetico about it? I'm seeing no problems here though.

dukebluedevil
January 22nd, 2005, 03:45 PM
My bad! It is not the Application table that the "block all not processed IP packets" rule is under, it's the System IP Table. I saw the rule "block all not processed.." under the Application table and thought it was the "block all not processed IP packets" rule when instead it's "block all not processed applications". When I looked at it the "applications" part was not visible so I guess I just assumed it was "IP packets". I guess I jumped the gun on this one, it looks like this is ok and not a problem after all. Sorry about the confusion. :)

Diver
January 22nd, 2005, 05:57 PM
On my listening ports Jetico does not ask me what to do when the inbound came from any remote port other than 20. I believe that Jetico treated the inbound connection as being directed to a closed port. When the inbound came from remote port 20 there was a rule for KAV that let that traffic in, so that was when Jetico asked me what to do with the connection.

Kerodo
January 22nd, 2005, 07:17 PM
I think it should be asking you what to do on listening ports unless your ISP is blocking them, in which case JPF wouldn't even see the inbound packet.

Diver
January 22nd, 2005, 09:55 PM
K-

Rather than asking me what to do, JPF just showed a log entry for "Block not Processed". I think it has something specific to KAV and how it intercepts ports 25 and 110. But, I do not know for sure.

Kerodo
January 22nd, 2005, 10:20 PM
Interesting.. I guess I'm confused about what the problem is.. For me all seems well here...

hojtsy
January 23rd, 2005, 04:53 AM
-{ Quote: "Do I need to uninstall the older version to install the latest jetico? I don't want to lose my rule sets." }-
I installed 1.0.1.48 over 1.0.1.47, and 1.0.1.49 over 1.0.1.48. Both times I chose "Shutdown firewall" from the tray icon menu before installing over. It caused no problems. In both cases a popup window told me that the default ruleset was (I checked, it was indeed) updated, and asked if I would like to replace my current ruleset with the new factory defaults. In both cases I selected Yes, because it is not that much work to build back my customized rules. I already suggested to Jetico support a new feature which would make it possible to both apply the new factory defaults and keep your customizations. For example by keeping user-selected tables from the old ruleset.
-hojtsy-

Diver
January 23rd, 2005, 10:10 AM
K-

I don't think there is a problem. Its application specific. If JPF treats an inbound as not processed and there is no outbound response then nothing got in.

On the listening ports, when the remote used port 20, JPF did give an application response window, but only because KAV has a rule allowing inbound traffic originating on remote 20 to local ports in the same range as the listening ports.

Kerodo
January 23rd, 2005, 05:09 PM
Ok, then that's good I guess.. No problems is excellent... ;D

Diver
January 23rd, 2005, 05:21 PM
Some useful things to add to JPF:

Password protection of settings.
Larger fonts in the edit window.
Application hash update (in the works per Kerodo).
Ability to edit network parameters, or rerun setup wizard.

Can anyone think of anything else that is not an attempt at code bloat?

Kerodo
January 23rd, 2005, 05:23 PM
I think they also need to rework their default rule set a little. Their dhcp rules and their windows update rules don't work for me. JPF prompts me for those two.

I hope they keep it simple for a while and avoid bloat. Perhaps just focus on bug fixes for some time until everyone's setup is problem free.

Diver
January 23rd, 2005, 05:37 PM
Whoops!

It is possible to run the configuration wizard whenever you want to, there is a link in the program group for it.

There is some access to the constants via an XML file which contains the definitions for "broadcast address" and "trusted Zone". However, I don't see where "name server" is defined.

I wonder what would happen if I edited that XML file?

hojtsy
January 23rd, 2005, 05:38 PM
-{ Quote: "
Ability to edit network parameters, or rerun setup wizard.
" }-
You can already do that. Go to the Jetico folder in the start menu, and select Configuration Wizard.

-{ Quote: "
There is some access to the constants via an XML file which contains the definitions for "broadcast address" and "trusted Zone". However, I don't see where "name server" is defined." }-
"name server" can be changing all the time. The address is dynamically determined by Jetico in runtime. The best idea I have ever seen to avoid leaks through DNS ports.
-hojtsy-

Diver
January 23rd, 2005, 05:43 PM
K-

For windows update I had to add the network range:
64.4.0.0/64.4.192.0 (64.4.0.0/18)

It takes me a while to decipher those masks.

Their DHCP rule is for services.exe and XP uses svchost.exe, but that one comes easy.

Kerodo
January 23rd, 2005, 05:48 PM
Right, they're easy changes.. I did change them already myself, but someone should probably tell Jetico about it.

I also went into the DNS rules and enabled stateful inspection. This keeps things tight and prevents all the outbound icmp type 3 that you typically see to dns servers in most firewalls. JPF works very well in that respect. I usually get late and random packets from my dns servers, which come in to closed ports and thus generates outbound icmp type 3. JPF's stateful inspection toggle in the dns rules cuts this out.

I also do a few other little things like turn on logging for fragmented packets and here and there as needed. I like the configurability of it.

Diver
January 23rd, 2005, 06:07 PM
H- thank you for throwing some light on the "name server" issue. Looks like that one needs no change, and you may have noticed that I finally stumbled over the config wizard thingie myself.

You can view the xml file in IE to get a pretty look at it.

K-
I don't think anyone will complain if you give some more detail on your additions to the default system level rules.

I put a rule in the system IP table to keep all of the inbound junk that comes in on the bittorrent server port after the application is shut down from getting into the log.
Something like reject, log disabled, incoming packet, TCP, source ports :1024-65535, destination port 6881. If anything comes in from below 1024, I want to know about it, the other stuff just makes the log unreadable.
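
The effect of the rule Diver describes, as an added example that is not part of the original post and is not Jetico's code: a generic first-match rule table in which a silent reject sits ahead of a logged catch-all. Top-to-bottom first-match evaluation, the `Rule`/`Packet` names and the sample packets are assumptions made for illustration.

```python
"""First-match model of a quiet-reject rule placed ahead of a logged catch-all."""
from dataclasses import dataclass

ANY_PORT = range(0, 65536)


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out"
    protocol: str    # "TCP", "UDP", ...
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Rule:
    name: str
    verdict: str     # "accept" or "reject"
    log: bool
    direction: str = "any"
    protocol: str = "any"
    src_ports: range = ANY_PORT
    dst_ports: range = ANY_PORT

    def matches(self, pkt):
        return (self.direction in ("any", pkt.direction)
                and self.protocol in ("any", pkt.protocol)
                and pkt.src_port in self.src_ports
                and pkt.dst_port in self.dst_ports)


# The rule from the post: reject, log disabled, incoming TCP,
# source ports 1024-65535, destination port 6881.
QUIET_BT = Rule("quiet reject on 6881", "reject", log=False,
                direction="in", protocol="TCP",
                src_ports=range(1024, 65536), dst_ports=range(6881, 6882))

# Logged catch-all, named after the default rule quoted in the thread.
CATCH_ALL = Rule("block all not processed IP packets", "reject", log=True)


def run(table, packets):
    """Apply the first matching rule to each packet; return (verdicts, log)."""
    verdicts, log = [], []
    for pkt in packets:
        rule = next((r for r in table if r.matches(pkt)), None)
        verdict = rule.verdict if rule else "reject"   # assumed default deny
        verdicts.append(verdict)
        if rule is None or rule.log:
            name = rule.name if rule else "no rule"
            log.append(f"{verdict} {pkt.protocol} {pkt.direction} "
                       f"{pkt.src_port}->{pkt.dst_port} [{name}]")
    return verdicts, log


# Constructed sample traffic arriving after the client has been closed.
PACKETS = [
    Packet("in", "TCP", 51234, 6881),   # stale peer: rejected silently
    Packet("in", "TCP", 40022, 6881),   # stale peer: rejected silently
    Packet("in", "TCP", 80, 6881),      # source port below 1024: logged
    Packet("in", "UDP", 51234, 6881),   # not TCP: falls through, logged
    Packet("in", "TCP", 51234, 445),    # different port: logged
]

if __name__ == "__main__":
    for order in ([QUIET_BT, CATCH_ALL], [CATCH_ALL, QUIET_BT]):
        verdicts, log = run(order, PACKETS)
        print([r.name for r in order], "->", len(log), "log lines")
        for line in log:
            print("   ", line)
```

Every packet is rejected in both orderings; only the log changes. With the catch-all first, the quiet rule never matches and all five packets are logged.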

Kerodo
January 23rd, 2005, 06:37 PM
Well, I don't change much really.. The default rules are actually not too bad as far as I can tell. They just take a little tweaking for each individual system I guess. But I pretty much leave things alone if they don't need changing.

Diver
January 24th, 2005, 09:48 AM
I received some replies from Jetico on feedback today. They mentioned that they are working on rule editing portion of the interface to make it easier to use.

K- you are right, the folks at Jetico are a great bunch.

Junior
January 25th, 2005, 02:31 AM
I am still in trouble with JPF and Mozilla Thunderbird. I can't manage to get my emails.
I have tried to reinstall JPF (build 49) from scratch. It detects Thunderbird when I run it, so I allow it as an "Email client", but when I want to check my emails, Mozilla Thunderbird tells it can't connect to port 110. No rules in JPF seem to apply and it doesn't even work when I "allow all" in JPF.
Does anyone have the same problem here ?

zorro zorrito
January 25th, 2005, 03:31 AM
Hi Junior, no problem here, I have used 3 mail clients and they run fine. I use 4 rules for them at application table:

1.- verdict: accept, application: C:...\Outlook Express\msimn.exe, event: access to network, protocol: any.

2.- verdict: accept, application: C:...\Outlook Express\msimn.exe, event: outbound connection, protocol: TCP/IP, local address: any, local port: port range 1024-5000, remote address: host (xxx.xxx.xxx.xxx), remote port: 110.

3.- verdict: accept, application: C:...\Outlook Express\msimn.exe, event: outbound connection, protocol: TCP/IP, local address: any, local port: port range 1024-5000, remote address: host (xxx.xxx.xxx.xxx), remote port: 25.

4.- verdict: reject, application: C:...\Outlook Express\msimn.exe, event: inbound connection, protocol: any.


NOW IF I USE MAIL CLIENT MODULE:

At application table:

1.- verdict: accept, application: C:...\Outlook Express\msimn.exe, event: access to network, protocol: any.

2.- verdict: mail client, application: C:...\Outlook Express\msimn.exe, event: outbound connection, protocol: any.

Then at Mail Client module you have to add at the rules where are the ports 25 and 110 the remote address of your provider for security xxx.xxx.xxx.xxx.

For me it is easier to work at the application table and I do it for all applications, as if I was using Kerio. I only make rules such as ICMP (system internet zone) at other modules. In fact I don't use preconfigured rules for FTP client and server, bittorrent client, mail client, and web browser.

If you have done one of these 2, it is rare that it doesn't work.

hojtsy
January 25th, 2005, 04:46 AM
-{ Quote: "I am still in trouble with JPF and Mozilla Thunderbird. I can't manage to get my emails.
I have tried to reinstall JPF (build 49) from scratch. It detects Thunderbird when I run it, so I allow it as an "Email client", but when I want to check my emails, Mozilla Thunderbird tells it can't connect to port 110. No rules in JPF seem to apply and it doesn't even work when I "allow all" in JPF.
Does anyone have the same problem here ?" }-
Hi,
I am using Thunderbird with JPF build 49. No problems here. Port 110 is the POP3 port, and I am using it from Thunderbird.
What does your JPF log show when you open Thunderbird?
-hojtsy-

Junior
January 25th, 2005, 09:46 AM
-{ Quote: "What does your JPF log shows when you open Thunderbird?" }-
The log just shows that the rule "Block non processed IP" (can't remember the exact name as I'm not at home) matched. This means that the rules in Application Table (even the "ask" one) didn't match. That is why I really don't understand what is going on.
I did a couple of other tests this morning: after reinstalling the whole system with a Ghost, I installed JPF and ran Thunderbird. The first time, it has been detected and declared as "Mail client". I was able to receive emails this time.
But afterwards, I rebooted the computer and did another test and Thunderbird said that it can't connect to port 110. The point is that I was using the same rules as 5 min before. I was forced to uninstall JPF to get back mail working.
Any ideas ?

Thanks for your help,
Thomas

zorro zorrito
January 25th, 2005, 07:04 PM
Hi Junior, probably it is the Optimal.bcf that doesn't work correctly when you restart. You could try to save your configuration when your mail client works by going to file-save as and save it, then giving it a new name like Optimal1.bcf and then saving it in Jetico folder at config folder, so that there will be there two .bcf and then go to file-open and select Optimal1.bcf, you will have two configurations in your firewall, Optimal.bcf and Optimal1.bcf. In your firewall at left you will see these two configurations, the last one will be Optimal1.bcf, right click on it to apply policy and set default. This happened to me some time ago with Jetico when I used only one configuration, and never happened again since I do this I am telling you. I wrote before about rules because I was thinking that this problem wasn't present now.
Another thing is that at options-general you always have to check: automatically save changes, apply changes automatically and load default policy at startup.
I hope this helps Junior.
good luck

nameless
January 26th, 2005, 12:56 AM
-{ Quote: "There is some access to the constants via an XML file which contains the definitions for "broadcast address" and "trusted Zone". However, I don't see where "name server" is defined." }-
To determine what IP address(es) apply when the "name server" setting is selected, JPF checks the registry value NameServer under the following key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}

Where {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX} is your adapter ID string.

Yes, that niggling thought in the back of your mind is correct: It would be possible for malware to change this registry value. Ultra-paranoiacs may want to manually configure their DNS server IP addresses, rather than use the "name server" setting.
-
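
A defender-side check for the risk nameless describes, as an added example that is not part of the original post and is not Jetico's code: it parses the text output of `reg query "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces" /s` and reports any configured DNS server that is not on an approved list. The sample output, adapter IDs, addresses and approved list are constructed; the check also reads `DhcpNameServer`, a value under the same key that the thread does not mention.

```python
"""Audit per-interface DNS server values from `reg query ... /s` text output."""
import ipaddress
import re

INTERFACES_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
                  r"\Tcpip\Parameters\Interfaces")

# Constructed sample of reg.exe output (documentation-range addresses).
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{11111111-1111-1111-1111-111111111111}
    EnableDHCP    REG_DWORD    0x1
    NameServer    REG_SZ
    DhcpNameServer    REG_SZ    192.0.2.53 192.0.2.54

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{22222222-2222-2222-2222-222222222222}
    EnableDHCP    REG_DWORD    0x0
    NameServer    REG_SZ    192.0.2.53,203.0.113.66
"""

# "    <name>    <REG_TYPE>    <data>"; data may be absent for an empty value.
VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_\w+)(?:\s+(.*?))?\s*$")


def parse_interfaces(text):
    """Return {adapter_id: {value_name: data}} for keys under Interfaces."""
    interfaces, current = {}, None
    prefix = INTERFACES_KEY.upper() + "\\"
    for line in text.splitlines():
        if line.upper().startswith(prefix):
            adapter = line[len(prefix):].strip()
            current = interfaces.setdefault(adapter, {})
        elif line.startswith("HKEY_"):
            current = None            # some other key: ignore its values
        elif current is not None:
            match = VALUE_LINE.match(line)
            if match:
                current[match.group(1)] = match.group(3) or ""
    return interfaces


def dns_servers(data):
    """Split a comma- or space-separated server list into entries."""
    return [s for s in re.split(r"[,\s]+", data.strip()) if s]


def audit(text, approved):
    """Return (adapter, value, server, reason) for each unapproved entry."""
    approved_set = {ipaddress.ip_address(a) for a in approved}
    findings = []
    for adapter, values in parse_interfaces(text).items():
        for name in ("NameServer", "DhcpNameServer"):
            for server in dns_servers(values.get(name, "")):
                try:
                    address = ipaddress.ip_address(server)
                except ValueError:
                    findings.append((adapter, name, server,
                                     "not an IP address"))
                    continue
                if address not in approved_set:
                    findings.append((adapter, name, server,
                                     "not in approved list"))
    return findings


if __name__ == "__main__":
    approved = ["192.0.2.53", "192.0.2.54"]   # constructed allow-list
    for adapter, name, server, reason in audit(SAMPLE_REG_OUTPUT, approved):
        print(f"{adapter} {name}={server}: {reason}")
```

Run on a schedule against a saved baseline, a new finding means the resolver list changed outside the expected process, which is the condition the post warns about.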

Junior
January 26th, 2005, 01:42 AM
-{ Quote: "Hi Junior, probably it is the Optimal.bcf that doesn't work correctly when you restart. You could try to save your configuration when your mail client works by going to file-save as and save it, then giving it a new name like Optimal1.bcf and then saving it in Jetico folder at config folder, so that there will be there two .bcf and then go to file-open and select Optimal1.bcf, you will have two configurations in your firewall, Optimal.bcf and Optimal1.bcf. In your firewall at left you will see these two configurations, the last one will be Optimal1.bcf, right click on it to apply policy and set default. This happened to me some time ago with Jetico when I used only one configuration, and never happened again since I do this I am telling you. I wrote before about rules because I was thinking that this problem wasn't present now.
Another thing is that at options-general you always have to check: automatically save changes, apply changes automatically and load default policy at startup.
I hope this helps Junior.
good luck" }-

Thank you for your help, I will try this tonight. I hope it will work !

zorro zorrito
January 26th, 2005, 03:52 AM
Hi Nameless, that's right.

By Nameless:
" It would be possible for malware to change this registry value. Ultra-paranoiacs may want to manually configure their DNS server IP addresses, rather than use the "name server" setting."

Slovak
January 26th, 2005, 05:55 AM
Anyone else here have a problem with Mozilla products not working on the net with jetico, or is it just me?

Arup
January 26th, 2005, 08:16 AM
Switched to Jetico from Sygate, seems like my net is running faster, have also tried out ZAP and Tiny but this one runs with far less memory than others, only cons if any is that the interface is not for novices.

I am using it on dual P-III and dual K-8 machines without any problems with Win2K SP4, all the latest patches installed. My anti virus is Avast Pro.

I use Firefox, Thunderbird as well as Opera 8 and so far no problems at all with any. The only thing that worries me is to enable ICS, I have to edit the stateful inspection rule for TCP and UDP to none and according to Jetico's excellent support, this weakens the firewall a bit.

Junior
January 26th, 2005, 08:35 AM
-{ Quote: "Anyone else here have a problem with Mozilla products not working on the net with jetico, or is it just me?" }-

I have problems too, as I explain in previous posts in this thread.
After discussing here and with the (really good) support of Jetico, it seems it might be in relation with Kaspersky Antivirus for Thunderbird.
I will run tests tonight and post my results here.
Don't forget to give tips if you find solutions.

Diver
January 26th, 2005, 09:07 AM
If you are using KAV 5, you must set up a rule for it to act as a mail client. KAV 5 listens on ports 1110 and 1125 for mail traffic, intercepts and scans it.

hojtsy
January 26th, 2005, 11:30 AM
-{ Quote: " The first time, it has been detected and declared as "Mail client". I was able to receive emails this time.
But afterwards, I reboot the computer and did another test and Thunderbird said that it can't connect to port 110. The point is that I was using the same rules as 5 min before. I was forced to uninstall JPF to get back mail working.
Any ideas ?" }-
I am afraid you are *not* using the same rules as 5 minutes before. Either you did not save the ruleset or the rule you created originally was a temporary one. Go to the ruleset both before and after reboot and see that the Ask User table is identical. If it is not then you are not using the same ruleset.
-hojtsy-

zorro zorrito
January 26th, 2005, 05:55 PM
Hi, many people here have asked what ACCESS TO NETWORK means, here is an answer from Jetico:

Access to network in our terms means general access to networking subsystem. Thus, to establish network connection, an application must gain 'Access to network', then create connection.
In other hand, JPF tracks interprocess communications in order to prevent process hijacking. So, there are two types of 'Access to network': direct (when an application makes access to network itself) and indirect (when, say, an application invokes IE with url passed via command line).
In current version when some application makes access to network, the 'access to network' event is generated for parent process and so on.
In near future we plan to separate direct and indirect access to network.

Sincerely yours,
Nail Kaipov

This will clear the questions about this, well I hope so!!!

nameless
January 26th, 2005, 06:08 PM
I've also found that if you deny "Access to network" on a program that uses a global hook, you may lose all internet connectivity at that point (while the program is running, and assuming you let it set the hook in the first place). I'm not sure if this is true in all cases, but I've seen it happen more than once.
-

Slovak
January 26th, 2005, 06:53 PM
-{ Quote: "I have problems too, as I explain in previous posts in this thread.
After discussing here and with the (really good) support of Jetico, it seems it might be in relation with Kaspersky Antivirus for Thunderbird.
I will run tests tonight and post my results here.
Don't forget to give tips if you find solutions." }-
I decided to retry Jetico, and no net access at all, even with IE ???
All web sites give DNS errors with both IE and Firefox. I am behind a router, but that never made a difference before with ANY other firewall that I have tried.

Kerodo
January 26th, 2005, 08:38 PM
-{ Quote: "I decided to retry Jetico, and no net access at all, even with IE ???
All web sites give DNS errors with both IE and Firefox. I am behind a router, but that never made a difference before with ANY other firewall that I have tried." }-

The router won't make any difference.. Try looking at your DNS rules, and perhaps manually enter your DNS server's addresses in there. Create more rules for them if necessary. Maybe that'll work? No idea why you would be having problems like that..

Kaupp
January 26th, 2005, 08:44 PM
-{ Quote: "Hi, many people here have asked what ACCESS TO NETWORK means, here is an answer from Jetico:

Access to network in our terms means general access to networking subsystem. Thus, to establish network connection, an application must gain 'Access to network', then create connection.
In other hand, JPF tracks interprocess communications in order to prevent process hijacking. So, there are two types of 'Access to network': direct (when an application makes access to network itself) and indirect (when, say, an application invokes IE with url passed via command line).
In current version when some application makes access to network, the 'access to network' event is generated for parent process and so on.
In near future we plan to separate direct and indirect access to network.

Sincerely yours,
Nail Kaipov

This will clear the questions about this, well I hope so!!!" }-
This is good news ,I hope they can change it for the next build :)

Diver
January 26th, 2005, 11:03 PM
Someone please tell me why separating direct and indirect "access to network" is important. I realize they are different, but how am I better off if the program allows an application to make direct access and deny indirect access, or vice versa, when the program can still be denied the ability to make a connection? Do other firewalls have this feature? Anyway, I have been running JPF solid since 1.49 came out, and with very little desire to go back to Kerio 2.15, or anything else.

Kerodo
January 26th, 2005, 11:18 PM
The only reason I can see to separate them would be so you could allow one and deny the other maybe? Does that make any sense?

The only reason I can see to stick with kerio is if you like a simpler interface. JPF already does much more than kerio. Once you adjust to JPFs interface then it's doubtful you'll want to go back..

zorro zorrito
January 27th, 2005, 01:34 AM
Hi diver, about your question I think you are asking about this:

JPF tracks interprocess communications in order to prevent process hijacking. So, there are two types of 'Access to network': direct (when an application makes access to network itself) and "indirect" (when, say, an application invokes IE with url passed via command line).
"""In current version when some application makes access to network, the 'access to network' event is generated for parent process""" and so on

"Indirect" for example when you use "copernico", a searching site program: let's say you find something interesting with this program and you want to see it, so that it is going to invoke IE with the url you want to visit, so that you are going to see it with no problem if you add this rule in jetico.(this is about parent and child process I think).

hojtsy
January 27th, 2005, 03:00 AM
-{ Quote: "Someone please tell me why separating direct and indirect "access to network" is important. I realize they are different, but how am I better off if the program allows an application to make direct access and deny indirect access, or vice versa, when the program can still be denied the ability to make a connection? " }-
Let me give an example. File explorer (explorer.exe) is a common parent process for a lot of applications, which will do network communication. So it needs indirect access. But does it need direct network access? I strongly believe that it does not. It would only attempt that if it were compromised by some dll injection technique. So let's deny direct network communication for it. Hmm but there is another way for that also: deny the outbound/inbound connection/datagram events for it. So in the end it seems there is no added security of the separation. It could only give better understanding and user experience. The user would know if a learning dialog popped up because the named application attempted network communication, or a child process attempted. (In the latter case the dialog could also display the child process in question)

-{ Quote: "Do other firewalls have this feature?" }-
Not exactly. For example Kerio 2.x does not restrict indirect access. Kerio 4.x restricts creating child processes, which replaces the indirect access restriction. The solution employed by Jetico seems unique. It may not be the best, but at least there seems to be a desire to come up with new ideas. The fate of this design will depend on whether generic users will be smart enough to understand or not.

-hojtsy-

Junior
January 27th, 2005, 03:02 AM
-{ Quote: "I am afraid you are *not* using the same rules as 5 minutes before. Either you did not save the ruleset or the rule you created originally was a temporary one. Go to the ruleset both before and after reboot and see that the Ask User table is identical. If it is not then you are not using the same ruleset.
-hojtsy-" }-
I have checked the options to automatically save configuration on exit and I check the rule at startup to see if everything is OK too. There is no problem on that point.
As proposed by the support of Jetico, I have tried to disable Kaspersky Antivirus to test Thunderbird but it doesn't help.
In fact, JPF does not even see that Thunderbird is trying to use Network. I don't understand what is going on.
I have noticed that on my computer, Thunderbird is not the only program that JPF "forget" (another example for me is KAV.exe that is not always detected).
As mentioned before, Thunderbird might work one time and not after a reboot, with same rules. It looks like a random issue.

Junior
January 28th, 2005, 02:27 AM
Hey looks like I'm alone today !
I have continued my experiments with JPF to try to figure out what is wrong on my config.
I found that Kaspersky Antivirus (the kavsvc.exe module) is intercepting mail traffic on port 110, but JPF doesn't see that Thunderbird is getting the data next.
I don't know how the communication is done.
Does anyone have an idea in order JPF could deal with it and make Thunderbird work ?
I remind you that I can get my mails with Thunderbird on a random basis even with the same set of rules in JPF.

nameless
January 28th, 2005, 02:37 AM
Try creating an application rule for Thunderbird as follows:

Action = accept
Protocol = TCP/IP
Event = outbound connection
Application = Path to Thunderbird EXE
Local address = any
Local port = any
Remote address = local address
Remote port = 1110

hojtsy
January 28th, 2005, 03:52 AM
-{ Quote: "Try creating an application rule for Thunderbird as follows:

Action = accept
Protocol = TCP/IP
Event = outbound connection
Application = Path to Thunderbird EXE
Local address = any
Local port = any
Remote address = local address
Remote port = 1110" }-
That would only make a difference if you do not have 127.0.0.1 in the Trusted Zone.
-hojtsy-

Arup
January 28th, 2005, 05:53 AM
Today I tried out the CPU optimized MOOX builds of FF and TB instead of the official release and Avast scans fine with Jetico running.

nameless
January 28th, 2005, 09:35 PM
-{ Quote: "That would only make a difference if you do not have 127.0.0.1 in the Trusted Zone.
-hojtsy-" }-
Which I assumed was the case. Why else would Thunderturd not work?

Besides, I thought the paranoiacs around here would remove 127.0.0.1 from the trusted zone, as I did.

Hexamon
January 31st, 2005, 09:04 AM
New version released.

v. 1.0.1.51 Freeware, 31st January, 2005.
Option "Auto Best fit" was added to the "View" menu and minor corrections in user interface were made. Occasional crash of the firewall filtering module on multi-processor computers is fixed.

Diver
January 31st, 2005, 09:11 AM
Has anyone been to www.auditmypc.com ?

When using Jetico PF I am getting a message that my internal IP address is visible. This does not happen with Kerio 2.15.

Please try this and let me know if there is a fix.

I have a Netgear wireless access point/NAT and set my machine up as a DMZ when testing the firewall.

no13
January 31st, 2005, 09:42 AM
Diver...
go do a search at www.kye-u.com or www.outpostfirewall.com for your last problem...
sorry... being lazy... can't explain
Hint: It's just an annoying Java embed.... Content filtering from Proxomitron required.

no13
January 31st, 2005, 09:48 AM
Aww heck
here you go
http://www.kye-u.com/proxo/forums/index.php?showtopic=310
now have fun.. ;)

Diver
January 31st, 2005, 10:02 AM
Thank you No13. I just checked again and it happens with Kerio 2.15 as well. But, that is consistent with the explanation in the link.

Going to install the new build this afternoon.

SSK
January 31st, 2005, 11:16 AM
Tried the new build. After installation, the indicators in the tray didn't show any activity. Let's see if a reinstall works.

EDIT:
Tray activity indicators work in my administrative account. In my user account it still doesn't show anything. Back to LnS for now.

Diver
January 31st, 2005, 04:46 PM
Tray activity indicators did not work in an administrative account for me. I did not try the limited account.

Did not play with it a long time, but it seems to have a more restricted definition of "access to network".

Fonts in the edit window are still way too small.

Back to Kerio 2.15, until the next build.

nameless
January 31st, 2005, 04:50 PM
-{ Quote: "Tray activity indicators did not work in an administrative account for me." }-
I just upgraded to JPF 1.0.1.51, and noticed the same thing.

SSK
January 31st, 2005, 05:36 PM
Ah well, activity indication in my administrative account failed as well.
So, waiting for the next build ;D

harrywong
January 31st, 2005, 07:53 PM
I noticed the same thing about the activity indicator, but also that it seemed to work (and continue to work) as long as I clicked on the "Network Indicator" tab and then closed the GUI.

nameless
January 31st, 2005, 08:05 PM
-{ Quote: "I noticed the same thing about the activity indicator, but also that it seemed to work (and continue to work) as long as I clicked on the "Network Indicator" tab and then closed the GUI." }-
Thanks for pointing that out. With that tip in mind, I find that as long as I go to the "Traffic monitor" tab, the tray icon becomes animated. It seems to stay that way no matter what I do after that. I've still got to think this is a bug.

Diver
January 31st, 2005, 10:12 PM
Tray monitor working for the time being. Definitely a bug, but possibly a minor bug.

Diver
January 31st, 2005, 10:35 PM
OK, the tray monitor will work if the last tab clicked on the interface is "internet traffic". But, if the last interface clicked is something else, like "log" or "config...", it does not work. Strange bug. Bet they have another release in less than a week.

nameless
February 1st, 2005, 12:59 AM
Ah, you're right. I assumed that the tray icon was still working even after leaving the "Traffic monitor" tab, because both parts of the icon were green, and I had a P2P client running, which would have kept it busy just like that.

Kerodo
February 1st, 2005, 01:27 AM
I assume somebody has told Jetico?

dukebluedevil
February 1st, 2005, 03:30 AM
New version out that fixes the System tray indicator.

22. v. 1.0.1.52 Freeware, 1st February, 2005.
System tray firewall indication is fixed.

Kerodo
February 1st, 2005, 04:21 AM
That was quick...

zorro zorrito
February 1st, 2005, 04:30 AM
They answer quickly and act quickly too!!! Each day that passes I like this firewall more, a real piece of diamond. I ask myself what good news they are going to give us next time!!!

dukebluedevil
February 1st, 2005, 05:14 AM
Is the system tray indicator working for you guys now?

I just tried the new version of Jetico and the system tray indicator isn't working at all on my system. Even if I try going under the "traffic monitor" tab it still doesn't do anything.

The process attack table I noticed no longer causes my system to freeze up anymore. Nail said that they finally came up with a workaround for the problem I was having before. So that's at least some good news.

dukebluedevil
February 1st, 2005, 05:47 AM
Ok, I rebooted my system and then on startup Jetico asks me if I want to allow fwsrv.exe access to network. I accept it and then go online and I noticed now the system tray icon works if I go under the "traffic monitor" tab or close Jetico after being under it. Otherwise it doesn't work at all. So it looks like the problem is still there.