Jetico alerts

Discussion in 'other firewalls' started by SamSpade, Oct 15, 2007.

Thread Status:
Not open for further replies.
  1. SamSpade

    SamSpade Registered Member

    Joined:
    Oct 22, 2006
    Posts:
    415
    My apologies if this has already been covered: when reverting back to factory settings in "Optimal Protection" mode in JPF1, many alerts pop up (which everyone knows, and many complain about). These are understandable because the FW is learning which programs and applications should get access and which should not. OK, no problem.

    What I want to know is: I am getting bunches of alerts for my Skype application; they come in clusters of at least 3, but sometimes up to 10 or 12 requests, one after another. The requested ips are different or the ports are different, so JPF is asking for permission on each one. OK, no problem.

    But because this happens so much with Skype (and primarily Skype, as of course other queries pop up, just not so many; my second biggest requester comes from Firefox) my question is: are these clusters of queries being generated based upon the list of "contacts" I have on my Skype list of contacts (or FFox browser outbounds/inbounds)?? Iow, whenever a contact sends me a query, or whenever JPF notices another contact in Skype, is *this* the cause of all these alerts coming in rapid succession??

    Anybody know?



     
  2. wat0114

    wat0114 Guest

    I don't use Jetico 1 but I do use Jetico 2 on one of my PCs. I also don't use Skype. If you can create custom tables in the left-hand pane of the configuration wizard, then that may be the way to go. You could create one named "skype" under Network Activity, then, if it is possible in Jetico 1, create rules from the "Ask" log entries. Make sure you have logging enabled for the "Ask" rule and select "Warning" or "Alert" for the log level entry. This way the logged alerts will be in red, making them easy to find. Right-click the alerts for Skype and select "create rule", then choose the Skype table to place the rules in. You will probably have to go into the table later to fine-tune the rules by creating port ranges and/or IP address ranges so that you don't have so many individual rules.

    This info is based on the way rules can be created from log entries in Jetico 2. Hopefully the same can be done in Jetico 1.
     
  3. SamSpade

    SamSpade Registered Member

    Joined:
    Oct 22, 2006
    Posts:
    415
    Re: Jetico alerts & Skype


    Thanks for the suggestions. Tuning these rules is not so much the problem. I know I can do that. My question is whether the pop-ups I get for Skype are related with the "contacts" (address book) in my Skype. I know after a week or so (since I re-set the Optimal Protection to the default) these pop-ups will diminish until they occur only when I do go to a new web-site or something like that. Since you don't use Skype, I guess it's hard for you to see the same thing as I am talking about.



     
  4. tisungho

    tisungho Registered Member

    Joined:
    May 27, 2007
    Posts:
    148
    Re: Jetico alerts & Skype

    I've got the same problem with Yahoo Messenger. However, when the pop-up is up, I chose the "Handle as" option and chose Application Trusted Zone, and everything goes fine here. One more thing I noticed in Jetico is my VOIP program. I talked to my friend, but sometimes she can't hear what I was saying.
     
  5. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    No, you are not connecting 'directly' to other Skype users. Skype is a P2P type of software, but it is used for other things than file-sharing. Your connection goes through random Skype servers all over the world, and this may be the reason you are getting popups from Jetico for different IP addresses. Which server will be used for connection depends on which party initializes the connection, so you may see a lot of popups for different IP addresses.

    Are you trying to make rules in Jetico for Skype for specific IP addresses? You should not bother with this, rather try to bind your rules to specific (1024-65535 TCP out UDP in) ports only. Skype will need TCP outbound connections on 80 and 443 ports as well. This is what the default rule for Skype in Jetico 2 says, as well as Skype help on homesite :)

    Cheers,
     
  6. tisungho

    tisungho Registered Member

    Joined:
    May 27, 2007
    Posts:
    148
    Hi, this means I have to define a specific rule for my installed applications. Do you know any other way so that Jetico can handle things like Comodo or other firewalls do other than defining rules one by one?

    Thank you!
     
  7. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    Hello tisungho :)

    Jetico v2 has some preconfigured rulesets by default, such as for P2P software, IMs, Skype, etc. When you receive a popup from Jetico, you can select "Handle as..." and select the appropriate ruleset for your type of application (Web browser, P2P,...). It's as simple as that.

    It was a long time ago when I used Jetico v1, so I don't really remember which default rulesets it comes with, except for Web browsers, mail clients and some other basics (DNS?). Jetico is pretty much do-it-yourself type of firewall. You would need to have some basic knowledge on networking, and to be aware of which resources (ports) your apps use to make appropriate rules.

    I am not sure how Comodo handles/creates application rules now, but when I used it (for a very short time) I remember that I had to make my own rules for (example) P2P.
     
  8. SamSpade

    SamSpade Registered Member

    Joined:
    Oct 22, 2006
    Posts:
    415

    Thanks, Seer (Nick). I have not bothered trying to make any rules yet. On my first go-around with JPF1 a year+ ago, I would put frequently used apps, like Skype, into the "trusted zone", but I later heard that this might be leaving too much of an opening for something to come in and mimic Skype, fooling JPF into thinking it was Skype when in fact it was malware. So I have since used individual approvals for each pop-up; I have clicked to "allow" while leaving the "remember this decision" box in the dialogue window. It takes longer to do it this way, and I get a lot of pop-ups for a while, but eventually the pop-ups taper off. They only return when I go into new territory and JPF wants to know how to handle it.

    I know there is a rules set somewhere; I think Stem or somebody like that set one up for Jetico. Maybe I should take a deeper look into it (?).


     
  9. wat0114

    wat0114 Guest

    Post deleted.
     
    Last edited by a moderator: Oct 17, 2007
  10. SamSpade

    SamSpade Registered Member

    Joined:
    Oct 22, 2006
    Posts:
    415

    Yikes!! What happened to your post??


    Anyway, I appreciate your giving me an answer. I am using JPF1 not 2, but the principle is the same.


     
  11. wat0114

    wat0114 Guest

    Sorry, maybe I jumped the gun but I figured someone using version 1 could give you more relative info than I could.
     
  12. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    Hello :)

    This is not the best way to handle Jetico firewall. When you are about to establish network connection, Jetico will ask (with popup) for protocol, port and IP address. By clicking "allow" with "remember" you are creating a rule for every single address your app is accessing, which is not really necessary, and in Skype's case it is almost impossible to achieve a steady ruleset (without further prompts). Instead of "allow" you should select "custom" and create the following rules in your application table:

    for TCP

    [attached screenshots: 80.jpg, 443.jpg, TCP out.jpg]

    and for UDP

    [attached screenshots: UDP in.jpg, UDP out.jpg]


    Skype should work correctly after that without further prompts. Note that under "application" I entered "Skype path", as I don't have Skype installed at the moment. You would need to browse to Skype's executable in that field by clicking "...".

    Please repost back with your results. :)

    Cheers,
     
  13. SamSpade

    SamSpade Registered Member

    Joined:
    Oct 22, 2006
    Posts:
    415
    Hello, Seer,

    OK, I did as you suggested. I still get some pop-ups, I think because the IP address of the remote may need to be set in the rule (??). (I hesitate to put a range of IP addresses because I'm not that knowledgeable about IP addresses, which are safe and which want to steal the computer. Could IP address variations cause the fw to prompt me??)


     
  14. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    Hello Sam.

    I had to actually install Skype to check this properly. BTW, this is my first encounter with Skype :) I entered the above rules (plus "access to network" rule of course), and all is well here, I am not getting any popups from Jetico, I am logged in and Skype works. I got two popups from Skype's other process though, the Plugin Manager (skypepm.exe) for remote TCP ports 443 and 37 (outbound), so I created the rules for them as well. This plugin manager can be disabled from Skype's preferences, so these rules are not really needed for Skype's proper operation.

    No need to set the rule(s) for any IP address, as I said before, just bind your rules to correct ports. You should set the IP address field in every rule to "any", local and remote.

    Cheers,
     
  15. SamSpade

    SamSpade Registered Member

    Joined:
    Oct 22, 2006
    Posts:
    415


    I'm refining as I go here. Still getting some pop-ups for Skype. Have entered the port range for both incoming and outgoing as "1024-65355", except where Jetico has already entered "any"; then I just leave it be.


     
  16. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    Hi again Sam :)

    Can you be more specific? Popups for which exact process on which port/protocol? A screenshot of popup perhaps...?
     
  17. SamSpade

    SamSpade Registered Member

    Joined:
    Oct 22, 2006
    Posts:
    415

    Sorry, I'm not able to do a screen shot; file is too big, I guess.


    Anyway, I was getting one after another. I must have made at least a dozen rules, giving port access from 80-65355, and then "any", but the pop-ups kept coming. I finally bagged it and uninstalled JPF1. I trialed JPF2 some months ago, and it is more refined, probably doesn't have this hassle, but at 39 euro + 18% tax, that's about $60 for a firewall. No thanks. I'm using the Comodo FW 2.4.xx, and it's working fine. Lower on resources than last year.


     
    Last edited: Oct 20, 2007
  18. SamSpade

    SamSpade Registered Member

    Joined:
    Oct 22, 2006
    Posts:
    415
    What a difference ten days makes!! I went back to Comodo 2.4, but just didn't like the way it slowed down my internet connection, used more resources than Jetico, and the murky feeling I get from not knowing what all is happening.

    So, here I am, back with Jetico 1 again!! :) I really like this kind of firewall the best. Call me a "control freak" or whatever. I don't care.

    So, this time I followed your advice above to the letter, plugging in all the parameters exactly as you show above, and now all seems running well. It's quiet, smooth, and using as few resources as before. :thumb: At least concerning Skype pop-ups, everything is good.

    Now I do have a couple of questions regarding the way connections are handled in Jetico:

    1. Why do you leave unchecked: the "override port" in "Local Address"/"type: any"? What does that do? What would happen if I checked "override port"?

    2. For "Remote Address"/ "Address Type", you say to choose "any" rather than the default "host". Why? What is the difference between allowing connection to a "host" and "any"?? I feel a bit skittish about allowing "any", and I feel better about allowing a "host". Just a feeling I have, no particular reason except "host" sounds more specific than "any".

    3. Then, the fact that you *do* check "override port" for this remote connection -- why is that?? Why not "override port" for local connection and "override port" for remote connection??

    If you can help understand these finer points I think I can understand not only how Jetico works but also how internet connections are made, which would be great to know.

    Thanks very much, Seer.

    Sam Spade



     
  19. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    When outbound connections are being made, the application will normally use a random local port (usually a port available between 1024-5000). You could override the local ports used, but you would need to place a "port range" (as mentioned) or you would get further popups.

    "Any" is any IP, to place a rule for "host" would intend only connections to that one IP, further rules would then be needed for each/every IP connected to. You could do this, but be aware of the popups you would get (and would advise that you should set up a table, so for every rule created (for each IP) would be grouped into its own table (for ref, editing)).

    Remote ports within a connection are normally static. As with when you connect to websites, this will normally connect to remote port 80 (there are some alternative ports used). [This restriction would normally be put in place so the application is not allowed (for example) to send out mail.]
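
Added example, not part of any post in the thread: a small Python model of an application rule table ending in an "ask" rule, replaying constructed traffic to compare "allow + remember" with the port-bound, address-"any" rules discussed above. The rule fields, the per-host shape of a remembered rule, and every address and port in the sample are assumptions for illustration, not Jetico's actual rule format.

```python
from dataclasses import dataclass

ANY = None  # wildcard for an address or a port range

@dataclass(frozen=True)
class Conn:
    proto: str        # "tcp" or "udp"
    direction: str    # "out" or "in"
    local_port: int   # not matched on: local port is left as "any"
    remote_ip: str
    remote_port: int

@dataclass(frozen=True)
class Rule:
    proto: str
    direction: str
    remote_ip: object = ANY      # ANY, or one host address
    remote_ports: object = ANY   # ANY, or inclusive (low, high)

    def matches(self, c: Conn) -> bool:
        rp = self.remote_ports
        return (self.proto == c.proto and self.direction == c.direction
                and (self.remote_ip is ANY or self.remote_ip == c.remote_ip)
                and (rp is ANY or rp[0] <= c.remote_port <= rp[1]))

def count_prompts(rules, conns, remember=False):
    """Replay conns; traffic no rule matches falls to the final "ask" rule.
    remember=True models allow + remember: one host/port rule per prompt."""
    table, prompts = list(rules), 0
    for c in conns:
        if any(r.matches(c) for r in table):
            continue
        prompts += 1
        if remember:
            table.append(Rule(c.proto, c.direction, c.remote_ip,
                              (c.remote_port, c.remote_port)))
    return prompts

# Port-bound table, remote address "any" (assumed reading of the thread's rules).
PORT_BOUND = [Rule("tcp", "out", ANY, (80, 80)), Rule("tcp", "out", ANY, (443, 443)),
              Rule("tcp", "out", ANY, (1024, 65535)),
              Rule("udp", "in", ANY, (1024, 65535)), Rule("udp", "out", ANY, (1024, 65535))]

# Constructed traffic: 12 peers on changing addresses and high ports, plus HTTPS.
SAMPLE = [Conn("tcp", "out", 1024 + i, f"203.0.113.{i + 1}", 20000 + 37 * i)
          for i in range(12)]
SAMPLE += [Conn("udp", "in", 40000, f"198.51.100.{i + 1}", 30000 + i) for i in range(4)]
SAMPLE += [Conn("tcp", "out", 1100, "192.0.2.10", 443)] * 2
SMTP = Conn("tcp", "out", 1200, "192.0.2.25", 25)  # constructed: outbound mail

if __name__ == "__main__":
    print("allow+remember prompts:", count_prompts([], SAMPLE, remember=True))
    print("port-bound prompts:   ", count_prompts(PORT_BOUND, SAMPLE))
    print("port-bound, SMTP:     ", count_prompts(PORT_BOUND, [SMTP]))
```

In this model the per-host approach prompts once for every new address/port pair, the port-bound table stays silent for the same traffic, and an outbound connection to remote port 25 still reaches the "ask" rule.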
     
  20. SamSpade

    SamSpade Registered Member

    Joined:
    Oct 22, 2006
    Posts:
    415
    Thanks, Stem. I understand better now. So, if I *wanted* to limit the port range of my outbound connections, would this ever cause a connection to fail because the app wanted to use a different port than the ones in my range??

    To simplify matters what potential harm might there be in just allowing "any" port of mine to be used for outbound??

    Then, what potential for harm would there be in just allowing "any" IP?? Of course, there are IPs out there that I know I do not want to connect to; wouldn't my hosts file stop that? What, if any, other preventions could I implement to keep out unwanted IPs??

    So is it safer to place a very restricted set of remote ports to connect to, or is that too uncertain?? (because we don't know if a good IP connection would use a new port??)


     
  21. showtime33

    showtime33 Registered Member

    Joined:
    Jun 23, 2006
    Posts:
    28
    Just lettin everyone know....I tried to install jetico v2 on my dell laptop xpsp2....installed fine....but uninstall is a whole different story....said it was uninstalled but services stayed and reg keys stayed.....installed uninstalled 10 times without resolution....found a manual way to remove registered files (ocx), services and reg keys....windows never went back to running smoothly....had to format and start over....I don't recommend trying jetico on anything but a test machine...
     
  22. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    From the default Jetico config, you would get a popup if other local ports are needed. This is possible if you have many connections established.

    Where the remote port is restricted within the rules, then there is no main concern on this. Only if you were to place a rule with "any local" and "any remote" ports would I have concern.


    With trusted software, the concerns are the same as you should have as with where your browser connects to.
    A Hosts file will prevent DNS lookups for those sites within the Hosts file, and can then block such connections. You could also look at an app such as Peerguardian that can import blocklists (and block known malware/spider etc IPs)

    You can restrict to remote ports. If others are needed, then you would get a popup for this.
     
  23. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I have seen other similar posts to this with un-install problems. I personally don't uninstall, I revert back to an image.

    Please report this directly to Jetico support, unless report/complaint is made, this problem will not change (it will continue).
     
  24. SamSpade

    SamSpade Registered Member

    Joined:
    Oct 22, 2006
    Posts:
    415
    Because an app may be a forgery or spoofed, then call out to a bogus/malware site?? Or.... ?





    I see. So if I limit the ports of the foreign machine, pop-ups will automatically occur, should there be a call to or from same?


    (Thanks again for all your time and help.)



     