Jetico Personal Firewall

Discussion in 'other firewalls' started by Kerodo, Sep 2, 2004.

Thread Status:
Not open for further replies.
  1. Diver

    Diver Guest

    Does anyone around here really understand the flow of things through the various tables in Jetico PF?

    Look at the "Root". It shows "Application Table" above "System IP Table". "System IP Table" calls out to "System Internet Zone". If the order in "Root" is being followed, then the "Application Table", which includes the "Ask User Table", would be processed ahead of the "System Internet Zone", which does not make sense. Am I missing something, or is this clearly covered in the help file?
     
  2. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,014
    I don't have much of an in depth understanding of it all myself, but I think the Ask User table may be processed sometimes before the Internet table. I only say this because I have that block all incoming TCP rule in the Internet Zone and you would expect it to interfere possibly with P2P programs, but I can successfully also run a P2P program in the Ask User section with inbound traffic allowed on certain ports. So, I guess I'm saying I'm not sure... :doubt:

    These are good questions for Jetico support I think, since I doubt that anyone here really understands how it all comes together yet. I guess that's part of what makes this firewall interesting and a challenge..

    I'm running Kerio 4 right now until the next Jetico comes out. Then, if they have that listening port problem fixed, I'll probably stick with Jetico for some time. Overall, I like it very much.
     
  3. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    Well, yes, but I will only have time tomorrow to detail it. Until then, be patient please.
    -hojtsy-
     
  4. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    Actually it is quite easy once you get the point. I will try to put together a description.
     
  5. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,014
    That would be great.. I think everyone would appreciate that...
     
  6. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,014
    I figured that 3:00am my time (west coast) must be morning or thereabouts their time. I always seem to get their responses around 3:00am here.. :)
     
  7. dukebluedevil

    dukebluedevil Registered Member

    Joined:
    Sep 14, 2002
    Posts:
    177


    Hi Kerodo,

    It is good to see that they are Finally acknowledging and working on the listening ports problem. It seems like they have been trying to avoid this issue for a long time now for whatever reason. Hopefully they will also fix the problem with packets coming in on port 113 as well.

    It really doesn't matter to me if you can create a rule to block these packets from coming in or not. The fact is it shouldn't be happening in the first place. Period. Nothing should be allowed in unless you have a rule in place allowing it in. They should have been upfront about this a long time ago in my opinion and just admitted it needed fixing, rather than keep making up excuses about it and trying to avoid it. If they finally fix these problems and the process attack table so that it doesn't keep freezing up my system, then I might return and decide to give Jetico another shot maybe. We'll see, it's up to them now to make things right.
     
  8. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,014
    Yes, I did also mention the port 113 problem and asked them to block this by default as well. That's how it should be. They made a mistake when they decided to allow 113 thru just because some people need it that way. A rule would accomplish this easily.

    We'll see how it looks when the next one comes out. I got the impression that it would be soon, perhaps in a few days.. We shall see... :)
     
  9. Diver

    Diver Guest

    Kerodo,

    I could not get Bittorrent to work right when using the block all TCP rule in the system internet zone. Because 1) being behind a NAT solves the 113 and listening port problem and 2) I'd rather fool around with something new like Jetico rather than something familiar like Kerio 2.15, I will probably hang onto Jetico for a while. I think it will be about three weeks for them to make the changes, judging from their past release schedule, but I agree this will be a pretty nice firewall when those changes are made. Anyway, the block incoming TCP rule causes Bittorrent to act like its server port is blocked, so I have been limiting the rule to distinct ports for testing purposes.

    For anyone that has been having uninstallation problems, or is afraid of them: Make sure that all other programs are terminated before uninstalling, especially your AV or anything else that relies on low level system access.

    Hojtsy: I await your thoughts. Some of the process flow looks obvious. It's just the application vs. system thing at the root level that has me confused. If the application table is processed first, then I am confused, because the other stuff seems to operate at a lower level.
     
  10. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,014
    I think it will be a lot sooner than 3 weeks, but we'll see I guess... ;)

    I think I will stick with it also when they fix this problem. It has a few annoying characteristics, but it seems to be quite powerful also. One thing that annoys me is when you upgrade a program to a newer version, then JPF asks you for approval again and when you OK it, instead of updating the hash number for the program, it creates a whole new rule for it again. So you have to periodically go into the ask user area and clean up old stuff. I think they should just update the hash instead, and use the existing rule.

    But all in all, it's looking pretty good...
     
    Last edited: Jan 20, 2005
  11. Diver

    Diver Guest

    K- There are a lot of little things like the hash issue. The window used to edit rules is too small. Rules should default to "any" remote address rather than a specific "host", with the host name retained if the rule is edited. Fortunately, these things are easy to fix. There are other items, but if the developers get the main stuff right, I can forget about the minor stuff. Is it still beta quality? I don't know, but IMO, XP was beta quality until SP2 came out.
     
  12. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,014
    Yeah, you're right, there are several minor annoyances. But I feel that I can live with them given the power that the firewall offers in general.

    I think it's amazingly good for a version 1.0.

    And when you have a developer that's that responsive then you can most likely get things corrected and changed too. That's rare these days..
     
  13. Kaupp

    Kaupp Guest

    Well, the problems I was experiencing are gone in this latest version :), I like the overall feel of this firewall and it has great potential for sure.
    I think the graphical traffic monitor is a bit unnecessary; other than that though, I'm very impressed.

    Kaupp
     
  14. ROnin

    ROnin Guest

    YES!!!

    Actually I much prefer the current way. Most of the time, with some exceptions (browser, FTP server, but those have specific filtering tables), I prefer to restrict outbound connection to only one specific host.
     
  15. Junior

    Junior Registered Member

    Joined:
    Jan 21, 2005
    Posts:
    7
    Location:
    Toulouse - France
    I am actually testing Jetico Firewall. It looks very promising but I have experienced some problems.
    The main one is with Mozilla Thunderbird, which I can't get to work with JPF: when I use the default rules, JPF doesn't ask me what to do when I check my emails (no "ask rule" is processed), but it prevents Thunderbird from succeeding in getting my emails.
    I don't understand, because I managed to get it to work one time yesterday, but I can't reproduce this attempt.
    It seems that a rule in "System application" is applying and nothing else after that.
    Does anyone have an idea?

    I hope to understand as I think JPF might be a killer soft !
     
  16. Hi, have a look at the bottom of the application table and it has to say ask user, then go to the ask user module and at the bottom it has to say ask, then run your program and it has to ask you and the rules are going to appear there, and it will be access to network and outbound connection, maybe that's the problem.
     
  17. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,014
    Just downloaded the latest 1.0.1.49 JPF from Jetico tonight. It should be available tomorrow I would guess. They sent me a link via email, but I don't see it on their site yet. Probably within a few hours though. I will test it out and see if the listening port problem is indeed fixed. They seem to have made some major changes to fix this. Very good... :)

    They disagree however about closing port 113. So I guess this will need a rule to keep TCP out. They say that their stateful inspection won't accept any incoming on 113 without an already established session of some kind, but I'm not so sure about this given the outbound RST ACK that we're seeing. But I'll check this more also..
     
  18. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,014
    Ok, I have tested the new 1.0.1.49 release and they seem to have fixed all the listening port issues. Also, I see no outbound RST ACK from incoming packets to port 113 either, so it appears that their stateful inspection is preventing those from getting in too. So that's good. Now I believe that everything is as it should be, and no incoming packets are getting in thru the firewall. :)

    I plan to run JPF now and see how it progresses as they add new features.

    Another note, if I forgot to mention it before, they say they will also change the way JPF updates changed apps. Instead of creating a new rule for a changed app, they'll just update the hash. They plan to implement this in a coming release. So that's good also. One less hassle to deal with..
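    The check Kerodo describes (no outbound RST ACK in response to unsolicited packets on port 113) can be run over a packet log. The following is an added example, not code from the thread or from Jetico, and it assumes a constructed per-packet log format; it treats an inbound SYN that matches no session this host opened as unsolicited, and reports it as "answered" when the host's own stack replied with RST/ACK, which means the firewall passed the packet.

```python
# Added example, not Jetico code: flag unsolicited inbound TCP SYNs that the host
# answered with RST/ACK, meaning the packet reached the stack rather than being dropped.

def parse_line(line):
    """Parse the constructed format '<dir> <proto> <src>:<sport> -> <dst>:<dport> [flags]'
    into (direction, proto, src_ip, src_port, dst_ip, dst_port, flags)."""
    direction, proto, src, _, dst, flags = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return direction, proto, src_ip, int(src_port), dst_ip, int(dst_port), flags.strip("[]")

def audit_inbound(lines):
    """Split unsolicited inbound SYNs into 'answered' (host sent RST/ACK back, so
    the firewall passed the packet) and 'silent' (no reply, consistent with a drop).
    Entries are (remote_ip, local_port)."""
    opened = set()   # (remote_ip, remote_port, local_port) of sessions this host started
    pending = {}     # unsolicited inbound SYNs not yet answered, same key
    answered = []
    for line in lines:
        direction, proto, src, sport, dst, dport, flags = parse_line(line)
        if proto != "TCP":
            continue
        if direction == "out" and flags == "S":
            opened.add((dst, dport, sport))
        elif direction == "in" and flags == "S":
            key = (src, sport, dport)
            if key not in opened:   # no session from our side matches this flow
                pending[key] = (src, dport)
        elif direction == "out" and flags == "RA":
            key = (dst, dport, sport)
            if key in pending:      # our own stack refused it: the probe got through
                answered.append(pending.pop(key))
    return {"answered": answered, "silent": sorted(pending.values())}

# Constructed sample: a POP3 check this host started, the mail server's ident probe
# to port 113 (a separate flow, not part of the POP3 session), and a probe to 135.
SAMPLE_LOG = [
    "out TCP 192.168.1.10:1035 -> 10.0.0.5:110 [S]",
    "in  TCP 10.0.0.5:110 -> 192.168.1.10:1035 [SA]",
    "in  TCP 10.0.0.5:4321 -> 192.168.1.10:113 [S]",
    "out TCP 192.168.1.10:113 -> 10.0.0.5:4321 [RA]",
    "in  TCP 203.0.113.7:5555 -> 192.168.1.10:135 [S]",
]
```

    On the sample the ident probe to 113 comes back "answered" while the probe to 135 stays "silent"; a firewall behaving as Kerodo reports for 1.0.1.49 would leave the 113 probe in the "silent" list too.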
     
  19. Diver

    Diver Guest

    K-
    You were right about the fast release. My Bad.

    I dl'ed it this morning and installed it. In order to be sure that all changes to the default rules were included, I am rebuilding my application rules from scratch. However, the modular nature of the tables makes this much easier than with any other rules based firewall. Done now except for a few rarely used windows components.
     
  20. Diver

    Diver Guest

    I have recreated my rule set for Jetico PF and have also tested it for letting packets enter on ports 113 and listening ports used by my AV. So far as I can see, there is no outbound connection echo in the log. I do not have the expertise to do more detailed testing.

    There are some minor issues with rule creation. Be careful when changing a rule with a verdict of "accept" to one that refers to a table. Sometimes other fields in the rule do not change and the rule may not work unless you make the necessary changes.

    The hash problem when upgrading applications may be minimized by creating a table for any application that has a complex set of rules. In that case only the single rule which refers to the table will have to be replaced with a "handle as" verdict. This would be particularly useful for Bittorrent clients which seem to be on a short upgrade schedule.
     
  21. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,014
    I create a special table for almost any type of app.. Download Managers, Newsreaders, etc etc.. It eliminates at least one rule entry for each app. It's a handy feature.

    I'm sure they've got the listening port problem licked. I feel secure with JPF now, without having to worry about creating extra rules. I'm pleased... :)

    This new update is just another example of how good their support really is. I complained about the problem again and asked them to have another look, and within days they had a solution and released an update. And they also kept in touch with answers to questions. What other developer offers this kind of support these days? With most other firewall developers, you're lucky if they even read your email.
     
  22. Diver

    Diver Guest

    K-

    Jetico has definitely nuked the listening port issue. I happen to need an application rule for the KAV mail scan ports, but this is specific to KAV and is needed only to deal with inbound traffic where the remote is using port 20. If KAV used passive FTP to update, this would not have been necessary at all. I probably would have never discovered this, but for the "auditmypc" firewall test which uses remote port 20 and exposed the problem in my application rules for KAV.

    Anyway, if there are any major issues, I don't know how to uncover them. What is left now is convenience features like the application hash or making the edit window larger. The basic design as it is expressed in the user interface is good.

    Jetico 1.0 may lack some of the rule editing features that make Kerio 2.15 so easy to use, but it makes up for it with the ability to build tables and make modular rules. It may not have Kerio's ability to put unrelated ports in the same rule, but you can clone a rule in Jetico and just edit the one port.

    Some have complained that everything is not in one place, but I'd rather have the ability to do tables.

    I just hope this one stays free for a while.

    Did you notice that the website still says 1.48, but the download link gave me 1.49 this AM?
     
  23. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,014
    Yep, I noticed that this morning around 10:30am. I think they just haven't gotten around to updating the web site.

    I'm definitely sticking with JPF for a while now. I like it a lot. 1.0 is a good start and I think it has more power than Kerio. The interface is a little less elegant or intuitive than Kerio, but once you get used to it, it's fine.

    And it can only get better... :D Let's hope that they never turn it into bloatware with useless non-firewall features like so many of the others. I don't think they will..
     
  24. SSK

    SSK Registered Member

    Joined:
    Nov 28, 2004
    Posts:
    976
    Location:
    Amsterdam
    And I was wondering why there was no .49 on the website... :D

    Running it now. I like it very much!
     
  25. dukebluedevil

    dukebluedevil Registered Member

    Joined:
    Sep 14, 2002
    Posts:
    177
    I got an email from Nail today saying that the issue I'm having with the process attack table they can't reproduce on their own systems, but they are trying to find a solution for it I guess. If I create a rule under the process attack table, with an event of "attacker starts application with hidden window", attacker being Explorer.exe, application being Fwsrv.exe, it takes care of the hangups for the time being. More important is the packet filtering anyway, which I am glad to see that they finally came to their senses and fixed the listening ports issue and port 113 problem.

    I decided to test the new version out earlier today when I had some free time. I see it no longer allows packets in now, which is good, but I did notice one strange thing happen when packets do come in on listening port 445 on my system. Jetico pops up a window asking to either allow or deny the traffic coming in on just that one port. All the other ports seem to get blocked by the "block all not processed ip packets" rule, while packets coming in on port 445 look like they bypass that rule and go to the "ask user" table instead. Has anyone else noticed this happening on port 445 or any other ports such as 135 that are listening on your systems?
     