Jetico making me crazy.

Discussion in 'other firewalls' started by aigle, Feb 19, 2006.

Thread Status:
Not open for further replies.
  1. Jack_Brody

    Jack_Brody Registered Member

    Joined:
    Nov 4, 2006
    Posts:
    24
    Location:
    Napajedla, Czech Republic
    Roger, I'm sorry to tell you that network connection is active during logon screen. I often use RDP to connect to my PC from my friends or when I run my FTP server (which is a service), I can log off and then connect to it from other PCs.

    Where did you find those bc...sys drivers?
     
  2. Jack_Brody

    Jack_Brody Registered Member

    Joined:
    Nov 4, 2006
    Posts:
    24
    Location:
    Napajedla, Czech Republic
    This information about services is weird, Roger. There are only 3 types of service start (in Windows XP):
    • Auto-start (automatic)
    • Manual
    • Prohibited
    Auto-start service means it starts with system boot-up and no one ever has to log on.
     
  3. Roger_

    Roger_ Registered Member

    Joined:
    May 7, 2006
    Posts:
    89
    Location:
    Portugal
    If you go to Device Manager/View/Show Hidden Devices, you will see them listed under Non-Plug and Play Drivers.
    Or some tools like Winservices:
    http://www.dominetrix.org/winservices.php

    will also let you manage them together with so-called normal services.

    If you look at a driver's properties either in Device Manager or in Winservices, you will see the 5 different types: Boot, System, Auto, Demand and Disabled.

    If you cannot properly see the hidden drivers in Device Manager, you may have to apply this tweak:
    https://www.wilderssecurity.com/showpost.php?p=868402&postcount=11

    I am still researching on network connections and logging on and off...

    Edit:
    According to Microsoft
    http://support.microsoft.com/kb/279782/en-us

    If you click the Log Off button, you will quit all running programs and disconnect all network connections for the current session

    So, the situations you mentioned probably apply to running software (like RDP or other servers) that must keep open sessions to preserve connection management...
     
    Last edited: Nov 10, 2006
  4. Jack_Brody

    Jack_Brody Registered Member

    Joined:
    Nov 4, 2006
    Posts:
    24
    Location:
    Napajedla, Czech Republic
    Well, I've been thinking about this for long time, but now I know why it works this way. Actually it is pretty simple.

    It's all because of the second rule in Application table - the one that jumps to Applications Trusted Zone under conditions: TCP/IP and remote address in Trusted zone. See it?

    So do just one thing like I did: change the remote address condition to local address to only allow all loopback communication - like in the picture:

    http://www.volny.cz/pavel.pilat/share/local_address.png

    From now on every attempt to communicate with any address from Trusted addresses list will invoke a pop-up. And you can keep your Trusted addresses list and use it for the purpose it was made.

    And the "network access" event really means only allowing app to load network libraries (as the Jetico help file says).


    Jetico is powerful and fast, but it needs a little tweaking. This thread really deserves its name. :)
     
  5. Jack_Brody

    Jack_Brody Registered Member

    Joined:
    Nov 4, 2006
    Posts:
    24
    Location:
    Napajedla, Czech Republic
    Oh yeah, I can see those. All my bc_*** drivers have "system" startup. And we have a question what that actually means...


    I am also going to do some research in this area.
     
  6. Roger_

    Roger_ Registered Member

    Joined:
    May 7, 2006
    Posts:
    89
    Location:
    Portugal
    You can use LoadOrder from SysInternals (now at Microsoft's site :rolleyes: ) to get the picture of the order that is used for drivers and services startup:

    http://www.microsoft.com/technet/sysinternals/utilities/LoadOrder.mspx
     
  7. Jack_Brody

    Jack_Brody Registered Member

    Joined:
    Nov 4, 2006
    Posts:
    24
    Location:
    Napajedla, Czech Republic
    Thanks, Roger, really interesting utility.
    And when I am looking at it, I can see some services like lanmanserver or spoolservice to be run after those BC_***.sys drivers of Jetico. So it seems to me they are run even when nobody is logged in.
    But if this means that we're protected by Jetico before logging-in, I don't know.
     
  8. Roger_

    Roger_ Registered Member

    Joined:
    May 7, 2006
    Posts:
    89
    Location:
    Portugal
    Yep, I am also very interested in the answer to that question as it is essential for security coverage evaluation!

    As I can see no support forum/e-mail address in Jetico's site, do you or does anyone else know if a 'Feedback' form should be submitted instead?
     
  9. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I mentioned this in my post#584

    This is a dangerous rule to allow. As the "local address" includes your own PC IP address, this would allow a "Land (DOS) Attack"

    Why have a "trusted zone" if this is going to give a popup. You can allow all loopback by simply changing the rule you mention to "Accept any to remote 127.0.0.0/24 (or add this rule, and leave direct access to the "trusted zone" if needed for LAN (Which is one of the main reasons for the "trusted zone"))

    Allowing an application "access to network" also allows that application access to any open rules that are within the rules tables

    It needs to be tweaked correctly
     
    Last edited: Nov 10, 2006
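    To make the disagreement above concrete, here is an added example (my own code, not from the thread and not Jetico's engine) that models a first-match rule table and runs three sample connections through the three rule variants discussed: the default "remote address in Trusted zone" rule, the rule with the condition moved to the local address (as Stem read post #4), and Stem's "accept when the remote side is loopback" rule. The host IP, the Trusted zone contents and the sample connections are constructed; the example uses the whole 127.0.0.0/8 loopback block rather than the /24 quoted above.

```python
# Added example (not code from the thread or from Jetico): a minimal
# first-match rule table modelling the rule variants discussed in the thread.
# HOST_IP, TRUSTED_ZONE and the sample connections are constructed values.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    protocol: str   # "TCP/IP" or "UDP"
    local: str      # this host's side of the connection
    remote: str     # the other endpoint


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                       # "accept", "reject" or "ask"
    protocol: Optional[str] = None    # None matches any protocol
    local_in: Tuple[str, ...] = ()    # CIDRs the LOCAL address must fall in
    remote_in: Tuple[str, ...] = ()   # CIDRs the REMOTE address must fall in


def in_zone(addr: str, zone: Tuple[str, ...]) -> bool:
    """An empty zone means 'any address'."""
    return not zone or any(ip_address(addr) in ip_network(n) for n in zone)


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.protocol in (None, pkt.protocol)
            and in_zone(pkt.local, rule.local_in)
            and in_zone(pkt.remote, rule.remote_in))


def evaluate(rules: List[Rule], pkt: Packet, default: str = "ask") -> str:
    """First matching rule decides; with no match the firewall asks the user."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default


HOST_IP = "192.168.1.10"                           # constructed
TRUSTED_ZONE = ("127.0.0.1/32", "192.168.1.0/24")  # constructed: localhost + LAN

VARIANTS: Dict[str, List[Rule]] = {
    # (a) default rule: TCP/IP with the REMOTE address in the Trusted zone
    "default": [Rule("trusted-remote", "accept", "TCP/IP", remote_in=TRUSTED_ZONE)],
    # (b) the condition moved to the LOCAL address; the local address is always
    #     one of this host's own addresses, so the remote side is unconstrained
    "local-in-trusted": [Rule("trusted-local", "accept", "TCP/IP", local_in=TRUSTED_ZONE)],
    # (c) accept only when the REMOTE side is loopback
    "loopback-remote": [Rule("loopback", "accept", None, remote_in=("127.0.0.0/8",))],
}

SAMPLES: Dict[str, Packet] = {
    "loopback proxy": Packet("TCP/IP", "127.0.0.1", "127.0.0.1"),
    "lan peer":       Packet("TCP/IP", HOST_IP, "192.168.1.20"),
    "internet host":  Packet("TCP/IP", HOST_IP, "203.0.113.5"),
}


def compare() -> Dict[str, Dict[str, str]]:
    """Return {sample connection: {variant: verdict}}."""
    return {name: {variant: evaluate(rules, pkt) for variant, rules in VARIANTS.items()}
            for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(f"{name:15s} " + "  ".join(f"{v}={a}" for v, a in verdicts.items()))
```

    Running it shows why the local-address form is the wide one: it accepts the Internet connection as well, because the local address of any packet reaching the host is, by definition, in the zone; only the loopback-remote variant limits the rule to local proxies while leaving LAN and Internet traffic to ask.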
  10. Roger_

    Roger_ Registered Member

    Joined:
    May 7, 2006
    Posts:
    89
    Location:
    Portugal
    Hey, Stem, but is that not what is happening when keeping remote address as Trusted Zone (which includes the local network)? o_O
    Having a home LAN, my impression altogether is that it might be safer to remove the loopback address from the Trusted Zone and create a rule like this one to allow it... am I right?
     
  11. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    It is better to remove the localhost from the trusted zone, and place this either into a table (to be called by applications that need it) or bind a loopback rule to each application that requires it. (This is needed the most when using a localhost proxy (like proxo))
    If there are a group of IPs you want to trust for a certain application, then again, bind a rule to that application's access to the "trusted zone".
    You shouldn't really have an open rule that can give such access. (I do not use a "Trusted zone",.. even behind a LAN)
     
  12. Jack_Brody

    Jack_Brody Registered Member

    Joined:
    Nov 4, 2006
    Posts:
    24
    Location:
    Napajedla, Czech Republic
    I would have to attack myself. :) But I have not created a new rule. As you can see from my screenshot, I have tightened the existing rule - instead of allowing all TCP/IP communication with Trusted addresses (default) I have changed it to loopback.

    I needed to kill that direct access to the "Trusted zone" because I wanted to allow some programs to only access loopback. In the default state when I gave an app "network access" it also gained TCP/IP access to all trusted addresses (as we have discussed before).
    Now, when some process pops-up and I want to give it access to "trusted zone", I assign it my own ruleset (Handle as...) which does the job.

    But ...when I am thinking about it right now... I can make a ruleset allowing access to Trusted without using the Trusted zone (and the wizard). It would have the advantage of possibility to name every trusted address (which is not possible in the Wizard).
    Yep, I agree.
     
  13. Jack_Brody

    Jack_Brody Registered Member

    Joined:
    Nov 4, 2006
    Posts:
    24
    Location:
    Napajedla, Czech Republic
    So, for anyone who's interested:
    during log-off Jetico closes as well and doesn't provide protection. I have just tested this with my friend and my Apache webserver.

    I ran Apache, my friend could access it. Then I rejected his access in Jetico (I simply unticked the rule allowing communication with his IP in my ruleset "Trusted addresses") - he then really could not refresh the webpage (with F5). Then I logged-off and he tried F5 again - and he refreshed successfully.
    After I logged back on, Jetico started and began to reject his connections.

    So as I thought - it does not run as a service so no protection.

    The time has come to try some SW to turn Jetico into a service.
     
  14. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I have already informed you of this
    In this post
     
  15. Jack_Brody

    Jack_Brody Registered Member

    Joined:
    Nov 4, 2006
    Posts:
    24
    Location:
    Napajedla, Czech Republic
    Yea, I remember. I just needed to do a practical test.
     
  16. Jack_Brody

    Jack_Brody Registered Member

    Joined:
    Nov 4, 2006
    Posts:
    24
    Location:
    Napajedla, Czech Republic
    Now I'm running Jetico as a service on the "system" account through NTWrapper (actually NTWrapper is a service and it runs Jetico as a normal process under given credentials - that's how it works)
    When I log-off Jetico exits but in 20 seconds it is restarted by NTWrapper. So, finally...
     
  17. acowild

    acowild Registered Member

    Joined:
    Oct 25, 2006
    Posts:
    14
    I tested and on the first login screen I am protected, once I login and logoff it shuts down.
    There is another way I believe.. from srvany docs:

    I was able to start it and survive logoff with the task scheduler but I lose the interactive mode.

    Try runprocess from http://gearbox.maem.umr.edu/batch/f_w_util/Frank_Westlake-Freeware.html
    It has an option /i for ignoring CTRL_LOGOFF_EVENT and can be run with srvany.
     
  18. Jack_Brody

    Jack_Brody Registered Member

    Joined:
    Nov 4, 2006
    Posts:
    24
    Location:
    Napajedla, Czech Republic
    With NTWrapper? Have you selected the "Restart application" option in service settings for Jetico?

    I cannot afford losing the interactive mode.
     
  19. bryanjoe

    bryanjoe Registered Member

    Joined:
    Feb 23, 2006
    Posts:
    380
    just installed this firewall for the first time. I don't know what is trusted zone blah blah ... etc. And I allow all pop-ups.

    Seriously, are there any "Simple As ABC" rules to configure? Any simple steps I can follow? I am running SSM and it seems that Jetico also has application control, how to turn it off?
    Pardon me, I really know nuts about network.
     
  20. acowild

    acowild Registered Member

    Joined:
    Oct 25, 2006
    Posts:
    14
    The lost Interactive mode I was talking about was with Task scheduler.
    I am using Srvany and runprocess works except it shows a separate console window which is annoying and it doesn't close even on shutdown. (end task message comes up).
    edit: The best way would be to request Jetico for an option or a different compile with CTRL_LOGOFF_EVENT ignored or just a popup message for save etc. and not close, or an option for that which would close on shutdown etc... But with development closed on Jetico 1 this would be very unlikely.
    ps. not very fond of NTwrapper.
     
    Last edited: Nov 15, 2006
  21. Jack_Brody

    Jack_Brody Registered Member

    Joined:
    Nov 4, 2006
    Posts:
    24
    Location:
    Napajedla, Czech Republic
    Acowild: Using Srvany and Runprocess, Jetico doesn't close at log-off at all? No message "Firewall shutdown completed" in log?
    About NTWrapper: I don't say I like it, I don't say I don't. It just works. It doesn't protect Jetico from receiving CTRL_LOGOFF_EVENT, but it restarts it in about twenty seconds. Makes no console window. Supports only 1 service in lite version.
    First I was playing with similar freeware "Any2Service". But that's completely useless software as it is unable to restart a closed app.
    The second SW in the queue was NTWrapper and I stuck with it. After I log off these two lines appear in the log:
    Notice those 22 seconds before Jetico is restarted.

    If you found out how to remove the Runprocess console window, I would give it a try.
     
  22. poirot

    poirot Registered Member

    Joined:
    May 4, 2005
    Posts:
    299
    bryanjoe, if you don't want to use the Process Attack Table in Jetico alongside SSM you don't have to disable anything, but just allow all through the Table:
    1. Create a new rule in Process Attack like this: (Action) accept, (LogLevel) disabled, (Event) any, and place it on top.
    2. Remove the flag in Ask?
    This way you keep the chance of both using it in the future and not interfering with SSM.

    If you don't have particular security needs the simplest ever way to go is just replying to the pop ups sending your browser/s to the Web Browser Table, your email client to the Mail Client Table and placing there the rules you want to create for these programs if you care to.
    Even if you just answer pop ups only, Jetico 1.0 will be stealth, albeit not fully protected.
    There's a lot of info about Jetico in lots of threads to begin understanding how to move with it and you won't have too much difficulty doing it.
     
  23. Thomas123

    Thomas123 Registered Member

    Joined:
    Apr 7, 2005
    Posts:
    26
    Location:
    Hong Kong <-> New York City
    Hi, everyone.

    I have bought a new computer and connected them through a router. I also enabled the File Sharing feature on both of my PCs. After I enabled that feature, I rebooted my computer and Jetico popped up and I made the following two rules:

    1.
    Action: Accept
    Protocol: TCP/IP
    Event: inbound connection
    Application: System
    Local address: Any
    Remote address: 192.168.88.1
    Local port: 139
    Remote port: Any

    2.
    Action: Accept
    Protocol: TCP/IP
    Event: inbound connection
    Application: System
    Local address: Any
    Remote address: 192.168.100.1
    Local port: 139
    Remote port: Any

    When I browsed the shared folder on my other PC, Jetico popped up a few times and then I added the following rules:

    1.
    Action: Accept
    Protocol: TCP/IP
    Event: outbound connection
    Application: C:\WINDOWS\system32\svchost.exe
    Local address: Any
    Remote address: 192.168.88.1
    Local port: Any
    Remote port: 80

    2.
    Action: Accept
    Protocol: TCP/IP
    Event: outbound connection
    Application: C:\WINDOWS\system32\svchost.exe
    Local address: Any
    Remote address: 192.168.100.1
    Local port: Any
    Remote port: 80

    Did I make the right rules for my computer?

    Besides, I want to know more details about the following IP address:

    192.168.1.1
    192.168.88.1
    129.168.100.1

    I do not know what 192.168.1.1 does but I think it is related to my LAN and my brother added the following rule:

    Action: Accept
    Protocol: TCP/IP
    Event: receive datagram
    Application: C:\WINDOWS\system32\svchost.exe
    Local address: Any
    Remote address: 192.168.1.1
    Local port: Any
    Remote port: 53
     
  24. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi Thomas123,
    From the IPs you have posted,... 192.168.1.1 would normally indicate the router (gateway) IP,.. Normally, Jetico would pick up the LAN, and place this into the trusted zone (so that comms on the LAN can be made without the need to set rules)
    Could you enter the router setup and check on the router IP, and the range of IPs for DHCP. (The DHCP range determines what IPs are given out to the connected PCs,... and I would presume your PCs are set to "obtain an IP address automatically") If we can confirm the IP range,.. we can then place this into the "configuration wizard" trusted zone,... (to save any problems if these IPs change when you re-boot)
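    As an added example (my own code, not from the thread or from Jetico) here is the check Stem is asking for, done offline: it parses rules written in the same "Field: value" form Thomas123 posted, then classifies each remote address against a DHCP lease range before anyone puts it into the trusted zone. The DHCP range used below is a constructed placeholder, since the real one is only in the router screenshots; the two rules embedded are taken from the post above and the parser generalises to any number of them.

```python
# Added example (not code from the thread or from Jetico): parse Jetico-style
# rule listings and sanity-check their remote addresses against a DHCP range.
# DHCP_FIRST / DHCP_LAST are constructed placeholders.
from ipaddress import ip_address, summarize_address_range
from typing import Dict, List

# Two of the rules from the post above, in the form they were listed.
RULE_TEXT = """\
Action: Accept
Protocol: TCP/IP
Event: inbound connection
Application: System
Local address: Any
Remote address: 192.168.88.1
Local port: 139
Remote port: Any

Action: Accept
Protocol: TCP/IP
Event: receive datagram
Application: C:\\WINDOWS\\system32\\svchost.exe
Local address: Any
Remote address: 192.168.1.1
Local port: Any
Remote port: 53
"""

DHCP_FIRST, DHCP_LAST = "192.168.0.100", "192.168.0.199"   # constructed


def parse_rules(text: str) -> List[Dict[str, str]]:
    """Blank lines separate rules; each line is 'Field: value'."""
    rules: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            if current:
                rules.append(current)
                current = {}
            continue
        field, _, value = line.partition(":")
        current[field.strip().lower()] = value.strip()
    if current:
        rules.append(current)
    return rules


def dhcp_range_to_networks(first: str, last: str) -> List[str]:
    """CIDR blocks that exactly cover the lease range (what a trusted zone needs)."""
    return [str(n) for n in summarize_address_range(ip_address(first), ip_address(last))]


def classify(addr: str, first: str, last: str) -> str:
    """Tag a remote address before it is trusted:
    'public'                -> not an RFC 1918 address, so not a LAN host at all
    'in-dhcp-range'         -> a lease the router hands out; covered by a zone rule
    'private-outside-range' -> private but not a lease: router or static host, confirm it
    """
    ip = ip_address(addr)
    if not ip.is_private:
        return "public"
    if ip_address(first) <= ip <= ip_address(last):
        return "in-dhcp-range"
    return "private-outside-range"


def audit(rules: List[Dict[str, str]], first: str, last: str) -> Dict[str, str]:
    """Classify every specific remote address used by the rules."""
    return {r["remote address"]: classify(r["remote address"], first, last)
            for r in rules if r.get("remote address", "Any") != "Any"}


if __name__ == "__main__":
    print("trusted zone for DHCP range:", dhcp_range_to_networks(DHCP_FIRST, DHCP_LAST))
    for addr, tag in audit(parse_rules(RULE_TEXT), DHCP_FIRST, DHCP_LAST).items():
        print(f"{addr:15s} {tag}")
    # 129.168.100.1 from the post is not a private address at all
    print("129.168.100.1  ", classify("129.168.100.1", DHCP_FIRST, DHCP_LAST))
```

    The range-to-CIDR step matters because the wizard's trusted zone takes networks, not "first to last" ranges; a lease range that is not block-aligned turns into several blocks, which is why Stem wants the exact range confirmed rather than guessed.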
     
  25. Thomas123

    Thomas123 Registered Member

    Joined:
    Apr 7, 2005
    Posts:
    26
    Location:
    Hong Kong <-> New York City
    Hi, Stem. My computers are set to obtain an IP address automatically.

    I think my router address is 192.168.0.1 as I use this address to get into my router. When I entered my router, I found the IP address of my DI-604 and the range of IP addresses for the DHCP Server.

    http://xs109.xs.to/xs109/06471/router2.JPG
    http://xs209.xs.to/xs209/06471/dhcp2.JPG
     