Jetico Personal Firewall and ICS. Help please

Discussion in 'other firewalls' started by I-coNer^, Jan 20, 2005.

Thread Status:
Not open for further replies.
  1. I-coNer^

    I-coNer^ Guest

    I can't get Internet Connection Sharing to work properly with Jetico Personal Firewall. I can access the internet from my other computer when JPF is turned off or set to "Allow All" policy, but when it's turned on it cuts the internet on that pc. Pinging google from cmd on the other computer succeeds with and without JPF turned on.
    Anyone got any ideas how I can get it to work properly?
    Hope you can help me:)
  2. Arup

    Arup Guest

    I just started Jetico today and also needed to enable ICS, I was shocked at the speed of response for a free product, here is what you have to do, I am copy/pasting it from their email.

    Thank you for your interest in Jetico Personal Firewall.

    The software can be configured for using it with
    Internet Connection Sharing, but please note that
    an overall level of protection against inbound
    scanning will be lower in this case. It happens
    because of the following.

    JP Firewall has two levels of protection: low-level
    Network Level and Application Level. (We don't keep
    in mind here third Process Attack Protecting level,
    because it will work in any case.)

    Application Level provides Network Level with information
    about applications that have active connection and about
    all the network traffic Windows applications are interested
    in. All other network traffic is blocked. It is so-called
    Stateful Inspection.

    Now when you turn on Internet Connection Sharing, you get
    private network (for example interface B: and
    continue to have interface with IP address that is opened
    to Internet (say interface A:

    All the packets that come from interface B to interface A
    and all the packets that come from Internet for interface B
    - all that packets do not correspond to any application
    in Windows! The packets should simply go from/to interface
    A to/from interface B.

    So default JP Firewall configuration with stateful inspection
    rules will reject the "interface A <-> interface B" traffic.

    Hence, to get Internet Connection Sharing working, we should
    turn off Stateful Inspection in JP Firewall:

    1). Select "Configuration" tab in JP Firewall;

    2). Select the following table in "Optimal Protection" configuration
    tree: Root -> System IP Table -> System Internet Zone;

    3) In the "System Internet Zone" table find rule with
    "Stateful TCP Inspection" rule and run "Edit" command for the rule;

    4) In the "Protocol specific" settings for the rule uncheck the
    "Stateful inspection" checkbox.

    5) Do the same for the "Stateful UDP Inspection" rule.

    Then, Private Network with interface B should be added as
    Trusted Zone in JP Firewall. It can be done quite simply.
    After you finish configuring Internet Connection Sharing,
    run Configuration Wizard program from "Jetico Personal Firewall"
    program group.

    Configuration Wizard should automatically discover the Private
    Network address and add it to the list in the "Trusted zone"
    dialog window. Just finish Configuration Wizard normally.

    After the procedure Internet Connection Sharing should work on
    your computer.

    Sergey Frolov

    (End Quote)
  3. Diver

    Diver Guest

    They need to put that in the help file. It would take a real networking guru to figure that out.
  4. Diver

    Diver Guest

    One more thought:

    jetico Personal Firewall is only free for the moment. While I believe they can rightly call it out of beta, it is under intense development. A few important features need to be added. They went through this path with BC Wipe and now sell it.

    In the future it is likely that you will see changes to the rule editing interface, additon of password protection of settings and an easier way to retain user rules between version upgrades.
  5. Arup

    Arup Guest

    The thing that concerns me here is that by disabling the TCP and UDP 'Stateful Inspection', what implications or vulnerabilities if any are we exposing the system to?
  6. Diver

    Diver Guest

    On vunerabilities, I don't know. But, you could get a cheap NAT, chuck ICS and have the additional security of the NAT over JPF. Obsolete 802.11b wireless access boxes are dirt cheap. You can just shut off the wireless feature and use the direct wired ports.
  7. BlitzenZeus

    BlitzenZeus Security Expert

    Feb 11, 2002
    Oregon, USA
    When you use ICS, you cannot be stateful in an environment like this as your machine is not seen as the source of the traffic, and as a matter of fact, you need a sniffer to see the traffic due to invisible port redirection.

    I understand how they want you to set it up, but they made it much harder than it has to be, as part of the rules themselves you should be able to check/uncheck a box enabling stateful inspection... done... easy....
  8. Kerodo

    Kerodo Registered Member

    Oct 5, 2004
    That is why it's good to participate in it's development and get your ideas and requests in to them now while you still can. Since they're so responsive, it's a great opportunity to effect the outcome of the product.
  9. Diver

    Diver Guest


    You are 100% right. Let's hope they can stay true to the concept of a fast, light rules based firewall with sandboxing. (Is there any part of the concept I missed?)
  10. Kerodo

    Kerodo Registered Member

    Oct 5, 2004
    Yep... Let's hope they keep it light and let's hope they don't ever add a bunch of useless crap to it. That seems to be what happens to most software as time progresses.

    I think starting with, I'm going to start keeping old copies of it, just in case they ever screw it up and don't offer the old ones for download. Right now I like it pretty well as is, and it would do me fine for a long time without many further changes. I keep copies of a lot of software on CD and many times I've been glad I did... ;)
Thread Status:
Not open for further replies.