Jetico Firewall

Discussion in 'other firewalls' started by Hexamon, May 12, 2005.

Thread Status:
Not open for further replies.
  1. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    You're not the only one Arup.. JPF didn't last long here. Just too much hassle. CHX-I is here to stay. It's great...
     
  2. marceli7

    marceli7 Registered Member

    Joined:
    May 6, 2005
    Posts:
    33
    What? Many pfws (system protection modules) will do that! ZA (Pro, when thread injection is on) is one of the examples. Many system apps in ZA will get "access to network" but not outbound/inbound allowance. Maybe U are right that "access to network" is not a good name but is only by Jetico design. Asking about "access" is in fact valid behavior.

    It seems that Jetico treats inbound in a similar manner. An app can (or not) open a listening port by the rule "allow (reject) listening port" and can receive (or not) an inbound connection by the rule "allow (reject) inbound connection". So in theory U can allow an app to only listen and receive connections and to ask about outbound:
    Allow access, allow open listening port, allow inbound connection, nothing else for that app. Any other action and Jetico will prompt. Simple! Don’t U think so? I really don’t know if anybody will ever want such a rule set for any app but… It could be done.

    What is wrong with it? I like this concept very much. Total control, that’s it! :cool:
     
  3. Dave-54321

    Dave-54321 Guest

    Arup,

    I am not too concerned about inbound, as I have a well configured NAT router with SPI. I have been running TreeWalk DNS for several months now and I want to keep a tight noose on that to make sure it doesn't get exploited, so I usually limit its activity with Sygate. I will probably return to Sygate for the time being because I haven't had a single problem with it in years, it plays nicely with TreeWalk DNS, and I learn a lot from its full packet logging capabilities.

    For now I am going to remove Jetico Personal Firewall from my system with pleasure. I will keep an eye on it and possibly try it next release depending on what issues get fixed and so on. I am certain that JPF has a huge amount of potential sometime down the road, but at this point I don't feel that it is solid enough to use.

    Let's just cross our fingers and hope they don't pull a "ZoneAlarm" and load it with all sorts of useless features. I remember the good old 2.6 days...
     
  4. Fumens

    Fumens Registered Member

    Joined:
    May 5, 2005
    Posts:
    23
    Hi,

    I'm new here...and had tried Jetico. I think it's a solid firewall but rather difficult to understand, for instance the inbound connection and network access. It asks for different layers of protection but uses the same sentence, so many users become confused and it's pure set-up....but if you can (I'm not) understand it deeply it's a powerful one.

    Still I like this personal firewall since there are not so many powerful and free ones left...not forgetting netveda.
     
  5. Arup

    Arup Guest

    Dave 54321,

    If using Sygate, disable Smart DNS as that clashes with Treewalk, another combo to try is Treewalk+Kerio 2.15, a truly lightweight and fast combo.
     
  6. Dave-54321

    Dave-54321 Guest

    Didn't you have system stability problems using TreeWalk DNS with Kerio 2.15?

    I think I may stick it out with JPF for a few more days to see if I can troubleshoot the cause of any of the issues so that I can report the details to Jetico. It seems to run now at a steady 3.7MB of memory even while using BitTorrent and eMule. I suppose it is quite sturdy, despite some minor glitches.
     
  7. Arup

    Arup Guest

    Yes, but that was an exceptional case due to Avast Webshield; others use it days in, days out without any problems.
     
  8. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Marceli7 - Perhaps you are right, however, I don't know of any other firewall out there that plagues the user with so many infernal prompts.. I only wish they would simplify things a little. That is one of the main complaints about Jetico. However, I will admit that once you do get past the initial configuration of everything, then it's pretty solid and good, and doesn't bother you too much.. I've just gotten to the point where I'm tired of answering all the crazy prompts. I'm using CHX-I now, which never asks me anything! Period. Can't beat that... ;)
     
  9. marceli7

    marceli7 Registered Member

    Joined:
    May 6, 2005
    Posts:
    33
    Well... I thought that Kerodo is right that some users just do not want such a high level of system protection and want just basic app filtering with strict rules like it was in Kerio 2. Is it possible in Jetico? Yes. I found a very simple way to do that. Just add one rule on top of the "Ask user" table:
    verdict: accept, protocol: any, event: access to network.
    Then Jetico will alert U about app activity only when real traffic occurs.

    U want FULL outbound allowance for any trusted apps? Go ahead! Make a new table (name it something like "FULL OUT") and create a new rule in this table:
    verdict: accept, protocol: any (maybe better just TCP/IP), event: outbound connection

    U can also add (insert) rules/a table with send/receive datagrams to cover the UDP protocol for trusted apps. Then start the app and when asked by Jetico what to do with the connection attempt click "handle as" and choose your new "FULL OUT" table. Start another app... It may seem complicated at first but believe me it is simple and fun playing with the Jetico interface. IMHO for Kerio2 users it is a "dream come true" after all that version 4 fiasco. For others... Jetico devs should add a "Novice" switch during install ;)
    The beauty is that the user can configure Jetico to match his paranoia level :D . I prefer strict rules but in fact it is not so necessary.

    What do U think about it, Kerodo?
     
  10. Dave-54321

    Dave-54321 Guest

    Two more Jetico issues...

    1: On start up, the screen flickers for a split-second every time it loads JPF.

    2: Every 4 or 5 reboots or so, JPF appears to be minimized in the task bar and can only be opened by right-clicking on the system tray icon, Restore (to open the GUI), then close it. This seems to be completely random.


    I have finally decided to remove JPF from my system.
     
  11. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    I think a couple of versions back this would not work. If it works now, it is a nice solution to the problem. It also lets the user customize to the level of security or intervention that is desired.
     
  12. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    If this works then that would indeed be a good solution to the annoyance factor. Next time I load Jetico I will try that. I guess one has to use a little imagination like you've done to get the full benefits out of any product. ;)
     
  13. shek

    shek Registered Member

    Joined:
    Mar 27, 2005
    Posts:
    342
    Location:
    SE CHINA/NYC USA
    The rule for permission of network access is great. I have tried it on 1.0.1.58 and 59. Both work.
    After I installed the 59 version, I found a problem. My BitComet (BitTorrent client) could not listen on a local port any more. I do have a rule to allow this activity. But my ABC, another BitTorrent client, works. Both of them use the same table template. Does anyone have a similar problem?
     
  14. ghost16825

    ghost16825 Registered Member

    Joined:
    Feb 1, 2005
    Posts:
    84
    Do you mean Jetico is acting in a similar way to this discussion: http://www.dslreports.com/forum/remark,12665885#12675119

    I haven't used Jetico but I believe this to be the case. Going by a previous Jetico tutorial I believe this is because of the existence of a separate 'rule table' for this purpose - i.e. the 'Allow access to network' table. From the discussions in the linked thread I'm undecided as to whether this is a good thing to have on by default or even at all. It would seem that the only purpose for this table is to make up for a lack of control on ICMP outbound for applications, since complicated TCP rules can be directly associated with applications but ICMP cannot. (Note that this is unrelated to dll-injection checks or dll component checks).
     
  15. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Hey Ghost... I don't know exactly why Jetico asks for that "access to network" stuff. I don't believe it's a separate table or anything. It's something internal to the firewall. And I'm not sure how Jetico support defines the "network" either. All I know is that this "access to network" thing is yet one more necessity for any app to connect to the internet. For example, in Jetico it has a table for "web browser". Inside this table there are the usual rules for port 80 and 443 and whatever else you might want to allow, but also there is an initial rule for "access to network" first. This has to be in every table as far as I know, and for any app to otherwise connect out, this "access to network" has to be allowed too. It has something to do with the network subsystem or something, which I know nothing about, so I can't elaborate much more than this. Probably the best way to get a good explanation of it is to just ask Jetico support via email.

    Anyway, with this extra "access to network" step in there everywhere, it gets extremely annoying when the firewall pops up constantly asking this for every new app first. A rule to allow this by default, which is what someone suggested above, helps tremendously. My initial comment was to wonder why Jetico throws this "access to network" stuff in there at all. I guess it's just one more level of security, but it's a regular pain in the ass when compared to other firewalls. Kerio for example, does nothing like this.

    You have to try it to see what I mean I think.. Risky business... :D
     
  16. Dave-54321

    Dave-54321 Guest

    Interesting.....

    I decided to give JPF another spin after reading about the "access to network" rule as suggested by marceli7. This rule is, as mentioned, in most of the other tables within JPF. After implementing that rule, I noticed the following...


    Mozilla Thunderbird and Stunnel with OpenSSL:

    Thunderbird did not ask for any kind of access whatsoever. Stunnel was the only program that required prompts for Internet access.


    Mozilla Firefox and avast! Web Shield:

    Firefox did not ask for any kind of access whatsoever. avast! Web Shield was the only program that required prompts for Internet access.


    Now I can understand why Thunderbird and Firefox did not ask for "access to network", but this is starting to remind me of Sygate and the well known issue of running localhost proxy software.
     
  17. marceli7

    marceli7 Registered Member

    Joined:
    May 6, 2005
    Posts:
    33
    AFAIK Jetico in default configuration treats localhost addresses as a "Trusted Zone". Try this, pls.
    Shut down your connection and then shut down Jetico. Run Jetico’s configuration wizard and remove all net addresses from the trusted zone. Launch Jetico and then connect to the internet. I suppose this time Jetico will ask U about traffic on localhost :) Well it’s only my assumption, so please report because I don’t know that Stunnel thing and maybe U just found a big hole in Jetico :/
    In my configuration (without trusted localhost) Jetico warns me about Kaspersky and Thunderbird interaction when getting mail on POP3 accounts. Same for localhost internal communication of Firefox and Thunderbird. Jetico asks about allowing outbound to 127.0.0.1 and inbound from 127.0.0.1. So… Yes I know Sygate can not control localhost traffic but Jetico can :) for sure.

    BTW1: Do not take my advice about “Allow access network” rule on top of “Ask user” table as a default, recommended rule. It is not! It is just to gain “near Kerio2” requests amount ;)

    BTW2: Pls excuse my English. I hope U can sometimes understand what I am talking about :doubt:
     
  18. marceli7

    marceli7 Registered Member

    Joined:
    May 6, 2005
    Posts:
    33
    Excuse my ignorance but I do not see such a default rule apart from one in the "Application Trusted" table.
    That’s maybe true. But... Not every app started "under" Jetico will ask about access to network. This is not "Take it" just in case. I must admit that I do not know what triggers this "need for access" request. Maybe that application just started trying (or it is potentially doable by using the same dlls) to interact with apps already allowed and Jetico asks about it because it is a potential risk of hijacking an allowed app.
    About ping... AFAIK it was always like this that ICMP is controlled via an "independent from application" rule. It is a system thing. In Jetico ICMP rules are in "System Internet Zone" and the default rule set:

    Allow outbound Echo Request, inbound Echo Reply, Destination Unreachable, Time Exceeded

    is OK. I’ve had the same in my Kerio2 configuration.
     
  19. shek

    shek Registered Member

    Joined:
    Mar 27, 2005
    Posts:
    342
    Location:
    SE CHINA/NYC USA
    From Jetico's help file, access to network - special event which means general access to networking subsystem preceding to all network communications. While 'access to network' is not enabled for an application, it won't be permitted to execute any network-related function.

    Since allowing an application to access the network doesn't mean permission for real network communication, I prefer the “Allow access network” rule as a default. So I only have to control the inbound connection, outbound connection, receiving and sending datagrams. It is enough for me. NO more annoying popup warnings. I need the balance between easy configuration and security.
     
  20. Dave-54321

    Dave-54321 Guest

    Using the default configuration rules that come with JPF, and implementing the "access to network" rule from marceli7 I can confirm that the "access to network" rule added to the Ask User table does make JPF behave like Sygate. I tested that concept by launching Internet Explorer (which I haven't used since Firebird'fox' 0.4 was released). Internet Explorer was able to connect to the Internet using avast! Web Shield's local proxy without any access prompts from JPF. I would personally not recommend using this rule if you run any local proxy software on your system. Otherwise, it would be an excellent rule. I suppose that is why Jetico doesn't add this rule to the Ask User table by default.


    marceli7,

    I did try what you suggested by removing all addresses from the "Trusted Zone" with the JPF configuration and you were correct, that did work. JPF behaves that way by default though anyways by prompting for "access to network" without your suggested rule in place. So by default, it is set up quite well with regards to local proxy software. But unfortunately with your rule in place, users that are running local proxy software 'might' allow unsolicited outbound traffic out without any knowledge or logged events of that occurring.
     
  21. shek

    shek Registered Member

    Joined:
    Mar 27, 2005
    Posts:
    342
    Location:
    SE CHINA/NYC USA
    Thank you Dave. I got your point. I don't have any local proxy software installed, which means using the rule "access to the network" will be safe. Am I correct?

    I just found an interesting thing about Jetico's rule editor. There is one rule I could edit before (I don't remember when I added it in and under which version). Now it also applies to the 59 version, but I cannot edit it. It could happen in the application table, ask user table or any application template.

    Here is the rule:
    Action--accept
    Description--Trust 127.0.0.1( i didn't use the trusted zone)
    log--disabled
    Protocol--TCP/IP
    event-- any
    application-- any
    local address-- any
    remote address--127.0.0.1
    local port--any
    remote port--any

    In the 59 version, only if I chose a particular event would I be able to change the last four items.

    shek
     
  22. marceli7

    marceli7 Registered Member

    Joined:
    May 6, 2005
    Posts:
    33
    Shek!
    It is strange. Could U rerun the Configuration Wizard? I am sure that I removed all localhost addresses in CW before the first run of Jetico just to find out how it will alert about localhost communication. It works well. Jetico asks me about any connection attempt (to allow or reject) on localhost. This way I can safely use an internal proxy program if I wish.
    And yes! If U do not use any "Proximotion like" program U are safe IMHO but in fact U will have no additional prompts when for ex. your av will scan POP3 mail on the fly, etc.

    Additional note! Beware! When U disable localhost from trusted U will get a prompt that your apps like IE, Thunderbird, Firefox, av pop3 scanner are trying to communicate with the 127.0.0.1 address. Normally U will click "Allow and remember" but... Next time running the same app will prompt U again. And why? Because next time it will use the same address but a different port.
    So… After the first launch of for ex. Firefox allow this in and out, next exit ff and then find your new rules (in and out) in Jetico and edit them to allow 127.0.0.1 but add port range 1025-5000, both remote and local. This way Jetico will never ask about it again and simply allow it next time :)

    BTW1: It is not so hard to exclude any address in the Configuration Wizard. U can make a global rule for localhost with antispoofing in Jetico later if U decide (look for the special Loopback rule for Kerio2). And it is not so disturbing to click allow network access without my suggested access allow rule. I have only 12 apps with this alone rule (apart from some allowed in the "System Applications" table).
    BTW2: Going to some test with internal proxy program. I am FireFox user so which to take on exam? Please advise.
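    Added example (not from this thread or from Jetico): a small Python model of the rule-table behaviour the posts describe, covering marceli7's "access to network" rule on top of "Ask user" (post 9), Dave-54321's finding that a local proxy then connects without any prompt while localhost sits in the Trusted Zone (post 20), and the 1025-5000 port-range edit above (post 22). Table semantics, the Trusted Zone bypass and the traffic are all assumptions reconstructed from the posts, not Jetico's documented internals.

    ```python
    # Toy model of Jetico-style rule tables, built for this thread (constructed, not Jetico's code).
    # Assumed semantics, following the posts: each app first raises an "access to network" event and
    # then real traffic events; the first matching rule in the app's table wins; no match means a
    # prompt ("ask"); Trusted Zone addresses are accepted before any table is consulted.
    from dataclasses import dataclass, field

    ANY = "any"

    @dataclass
    class Event:
        app: str
        event: str                 # "access to network", "outbound connection", "inbound connection"...
        remote_addr: str = ANY
        local_port: int = 0
        remote_port: int = 0

    @dataclass
    class Rule:
        verdict: str               # "accept" or "reject"
        event: str = ANY
        remote_addr: str = ANY
        ports: object = None       # container of allowed ports (range or set) for BOTH ends; None = any

        def matches(self, ev: Event) -> bool:
            return (self.event in (ANY, ev.event) and self.remote_addr in (ANY, ev.remote_addr)
                    and (self.ports is None or (ev.local_port in self.ports and ev.remote_port in self.ports)))

    @dataclass
    class Firewall:
        tables: dict                                   # table name -> list of Rule
        app_table: dict = field(default_factory=dict)  # app -> table name; unknown apps -> "Ask user"
        trusted_zone: set = field(default_factory=set)

        def decide(self, ev: Event) -> str:
            if ev.remote_addr in self.trusted_zone:    # the zone bypasses the tables entirely
                return "accept"
            for rule in self.tables.get(self.app_table.get(ev.app, "Ask user"), []):
                if rule.matches(ev):
                    return rule.verdict
            return "ask"

    def prompts(fw: Firewall, events) -> list:     # (event, local port) of every prompt the user sees
        return [(e.event, e.local_port) for e in events if fw.decide(e) == "ask"]

    # Constructed traffic: IE reaching the web via a local proxy on 127.0.0.1, launched twice (new local port).
    IE_VIA_PROXY = [Event("iexplore", "access to network"),
                    Event("iexplore", "outbound connection", "127.0.0.1", 1041, 4040),
                    Event("iexplore", "outbound connection", "127.0.0.1", 1057, 4040)]
    ACCESS_RULE = Rule("accept", "access to network")   # marceli7's rule on top of "Ask user"

    def default_config():      # stock setup as the thread describes it: empty "Ask user", localhost trusted
        return Firewall({"Ask user": []}, trusted_zone={"127.0.0.1"})

    def marceli7_config():     # plus the access rule: the proxied browser never prompts at all
        return Firewall({"Ask user": [ACCESS_RULE]}, trusted_zone={"127.0.0.1"})

    def untrusted_localhost_config():   # localhost removed from the zone: the real traffic prompts again
        return Firewall({"Ask user": [ACCESS_RULE]})

    def web_browser_config(ports):      # the localhost answer remembered for `ports` on both ends
        web = [ACCESS_RULE, Rule("accept", "outbound connection", "127.0.0.1", ports)]
        return Firewall({"Ask user": [ACCESS_RULE], "web browser": web}, {"iexplore": "web browser"})
    ```

    Remembering only the exact ports of the first launch (`web_browser_config({1041, 4040})`) prompts again on the second launch, while `web_browser_config(range(1025, 5001))` stays quiet for both.
    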
     
  23. shek

    shek Registered Member

    Joined:
    Mar 27, 2005
    Posts:
    342
    Location:
    SE CHINA/NYC USA
    I have never run the configuration wizard or put any IP address in the trusted zone, so I did notice lots of localhost communication. After keeping on revising and updating the rule set, it became what it was. The rule I mention above is one of them, for the web browser. I just found out I could not edit it anymore after applying it to the new version. Maybe Jetico tightened security for its ruleset.
     
  24. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,565
    I thought that I would give Jetico another try but I cannot get it to connect; fine if you allow all, but otherwise no connection is allowed. The configuration wizard seemed to have all the right addresses and it went through numerous popups of which the relevant ones were allowed. Any ideas?
     
  25. marceli7

    marceli7 Registered Member

    Joined:
    May 6, 2005
    Posts:
    33
    I suggest trying to delete those rules. Make new ones when asked about 127.0.0.1 and then revise them to match local/remote port range 1025-5000.
     