Jetico Personal Firewall and ICS. Help please

Discussion in 'other firewalls' started by I-coNer^, Jan 20, 2005.

Thread Status:
Not open for further replies.
  1. I-coNer^

    I-coNer^ Guest

    I can't get Internet Connection Sharing to work properly with Jetico Personal Firewall. I can access the internet from my other computer when JPF is turned off or set to "Allow All" policy, but when it's turned on it cuts the internet on that PC. Pinging google from cmd on the other computer succeeds with and without JPF turned on.
    Anyone got any ideas how I can get it to work properly?
    Hope you can help me :)
     
  2. Arup

    Arup Guest

    I just started Jetico today and also needed to enable ICS. I was shocked at the speed of response for a free product. Here is what you have to do; I am copy/pasting it from their email.
    (Quote)

    Thank you for your interest in Jetico Personal Firewall.

    The software can be configured for using it with
    Internet Connection Sharing, but please note that
    an overall level of protection against inbound
    scanning will be lower in this case. It happens
    because of the following.

    JP Firewall has two levels of protection: low-level
    Network Level and Application Level. (We don't keep
    in mind here third Process Attack Protecting level,
    because it will work in any case.)

    Application Level provides Network Level with information
    about applications that have active connection and about
    all the network traffic Windows applications are interested
    in. All other network traffic is blocked. It is so-called
    Stateful Inspection.

    Now when you turn on Internet Connection Sharing, you get
    private network (for example interface B: 192.168.0.1) and
    continue to have interface with IP address that is opened
    to Internet (say interface A: 207.46.156.188).

    All the packets that come from interface B to interface A
    and all the packets that come from Internet for interface B
    - all those packets do not correspond to any application
    in Windows! The packets should simply go from/to interface
    A to/from interface B.

    So default JP Firewall configuration with stateful inspection
    rules will reject the "interface A <-> interface B" traffic.

    Hence, to get Internet Connection Sharing working, we should
    turn off Stateful Inspection in JP Firewall:

    1) Select "Configuration" tab in JP Firewall;

    2) Select the following table in "Optimal Protection" configuration
    tree: Root -> System IP Table -> System Internet Zone;

    3) In the "System Internet Zone" table find rule with
    "Stateful TCP Inspection" rule and run "Edit" command for the rule;

    4) In the "Protocol specific" settings for the rule uncheck the
    "Stateful inspection" checkbox.

    5) Do the same for the "Stateful UDP Inspection" rule.

    Then, Private Network with interface B should be added as
    Trusted Zone in JP Firewall. It can be done quite simply.
    After you finish configuring Internet Connection Sharing,
    run Configuration Wizard program from "Jetico Personal Firewall"
    program group.

    Configuration Wizard should automatically discover the Private
    Network address and add it to the list in the "Trusted zone"
    dialog window. Just finish Configuration Wizard normally.

    After the procedure Internet Connection Sharing should work on
    your computer.

    Sincerely,
    Sergey Frolov

    (End Quote)
     
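As an added illustration of the email's reasoning (this is not Jetico's code; `Packet`, `ToyFirewall` and the addresses 203.0.113.5, 198.51.100.7 and 192.168.0.2 are constructed for the example), the toy model below shows why the default stateful rules reject the traffic ICS forwards between interface A and interface B, and why the email warns that inbound protection is lower afterwards: with stateful inspection off, an unsolicited inbound packet that the default rules would have rejected falls through to the remaining rule set.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    iface: str    # "A" = Internet-facing interface, "B" = private ICS network
    src: str
    sport: int
    dst: str
    dport: int


class ToyFirewall:
    """Minimal model of the two layers the email describes, not Jetico's actual engine."""

    def __init__(self, stateful=True, trusted_zones=()):
        self.stateful = stateful
        self.trusted = [ipaddress.ip_network(z) for z in trusted_zones]
        # Application Level reports local sockets to Network Level as (ip, port).
        self.local_sockets = set()

    def app_connect(self, local_ip, local_port):
        self.local_sockets.add((local_ip, local_port))

    def decide(self, pkt):
        if any(ipaddress.ip_address(pkt.src) in z for z in self.trusted):
            return "allow"                     # Trusted Zone rule for the private network
        if self.stateful:
            # Stateful inspection: pass only traffic tied to a local application's socket.
            # Packets that ICS merely forwards between A and B match no such socket.
            return "allow" if (pkt.dst, pkt.dport) in self.local_sockets else "reject"
        return "allow"                         # toy stand-in for the remaining rules


def run_scenarios():
    """Compare the default configuration with the ICS configuration from the email."""
    reply = Packet("A", "203.0.113.5", 80, "207.46.156.188", 51000)     # reply to a local browser
    lan = Packet("B", "192.168.0.2", 40000, "203.0.113.5", 80)          # LAN host via ICS
    probe = Packet("A", "198.51.100.7", 55555, "207.46.156.188", 1234)  # unsolicited inbound
    default = ToyFirewall(stateful=True)
    ics = ToyFirewall(stateful=False, trusted_zones=["192.168.0.0/24"])
    for fw in (default, ics):
        fw.app_connect("207.46.156.188", 51000)   # local browser socket known to App Level
    return {name: {"reply": fw.decide(reply), "lan": fw.decide(lan), "probe": fw.decide(probe)}
            for name, fw in (("default", default), ("ics", ics))}


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(name, result)
```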
  3. Diver

    Diver Guest

    They need to put that in the help file. It would take a real networking guru to figure that out.
     
  4. Diver

    Diver Guest

    One more thought:

    Jetico Personal Firewall is only free for the moment. While I believe they can rightly call it out of beta, it is under intense development. A few important features need to be added. They went through this path with BC Wipe and now sell it.

    In the future it is likely that you will see changes to the rule editing interface, addition of password protection of settings and an easier way to retain user rules between version upgrades.
     
  5. Arup

    Arup Guest

    The thing that concerns me here is that by disabling the TCP and UDP 'Stateful Inspection', what implications or vulnerabilities if any are we exposing the system to?
     
  6. Diver

    Diver Guest

    On vulnerabilities, I don't know. But, you could get a cheap NAT, chuck ICS and have the additional security of the NAT over JPF. Obsolete 802.11b wireless access boxes are dirt cheap. You can just shut off the wireless feature and use the direct wired ports.
     
  7. BlitzenZeus

    BlitzenZeus Security Expert

    When you use ICS, you cannot be stateful in an environment like this as your machine is not seen as the source of the traffic, and as a matter of fact, you need a sniffer to see the traffic due to invisible port redirection.

    I understand how they want you to set it up, but they made it much harder than it has to be, as part of the rules themselves you should be able to check/uncheck a box enabling stateful inspection... done... easy....
     
  8. Kerodo

    Kerodo Registered Member

    That is why it's good to participate in its development and get your ideas and requests in to them now while you still can. Since they're so responsive, it's a great opportunity to affect the outcome of the product.
     
  9. Diver

    Diver Guest

    Kerodo-

    You are 100% right. Let's hope they can stay true to the concept of a fast, light rules based firewall with sandboxing. (Is there any part of the concept I missed?)
     
  10. Kerodo

    Kerodo Registered Member

    Yep... Let's hope they keep it light and let's hope they don't ever add a bunch of useless crap to it. That seems to be what happens to most software as time progresses.

    I think starting with 1.0.1.49, I'm going to start keeping old copies of it, just in case they ever screw it up and don't offer the old ones for download. Right now I like it pretty well as is, and it would do me fine for a long time without many further changes. I keep copies of a lot of software on CD and many times I've been glad I did... ;)
     