Jetico freezes until boot. Anyone encountered this?

Discussion in 'other firewalls' started by S13, Jul 1, 2006.

Thread Status:
Not open for further replies.
  1. S13

    S13 Registered Member

    Joined:
    Jul 13, 2005
    Posts:
    13
    Hi all,

    I've been using Jetico for quite some time now but recently it started acting strange.
    After various periods of time, regardless if my PC was just sitting humming to itself or running something, Jetico will freeze.

    There is no direct indication for that though.
    When it freezes, the "optimal protection" is still in effect but while the systray icon still shows "Jetico personal firewall - optimal protection" when I hover the mouse over it, right clicking it will produce nothing.
    If an application that will cause a pop up starts, no pop up will show and that app would freeze as if it is waiting for you to set the rule in Jetico.
    If I try to close the "fwsrv.exe" process from the task manager, the systray icon will disappear, but the process won't go away.
    Restarting Jetico at this point will cause the systray icon to appear again but the situation remains the same.

    So far the only way to resolve this is rebooting the PC.
    When I reboot the PC after the freeze, it would take much longer than usual and Windows will let me know the fwsrv.exe process is not responding.

    So far I tried:
    Removing and reinstalling Jetico.
    Creating a fresh rule set from scratch.
    Reinstalling Windows.
    Contacting Jetico (I know they usually answer within a few days but nothing so far).

    Did anyone encounter a similar scenario or has any thoughts about what might cause this behaviour?
     
  2. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I have never had a reply from Jetico concerning questions about their firewall. (so don't feel left out)

    What type of Internet connection have you? (check your logs for any blocked packets)

    EDIT:
    Are you behind a router? (wired/wireless)
     
    Last edited: Jul 1, 2006
  3. S13

    S13 Registered Member

    Joined:
    Jul 13, 2005
    Posts:
    13
    Thanks for replying.

    In reply to your questions, I am not behind a router and I use an ADSL connection using an Alcatel RJ45 modem (as opposed to the USB modems).

    I looked at my logs, the data there consists of packets rejected by the "block all non processed IP packets".
    Most of the log looks like this:

    Time: 01-Jul-06 12:31:58.484
    Action:Reject
    Description:Block All not Processed IP Packets
    size: 388
    Protocol: UDP
    event: Incoming packet
    Source address: 204.16.208.74
    destination: <my ip>
    source port: 39386
    destination port: 1026

    Although at boot time I also have this:

    Time: 01-Jul-06 17:32:57.140
    Action:Reject
    Description:Block All not Processed IP Packets
    size: 40
    Protocol: IGMP
    event: outgoing packet
    Source address: 10.200.1.1 (network interface address)
    destination: 224.0.0.22
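
A way to triage a longer export of these entries, as an added example that is not part of the original post: it parses the field layout shown in post 3 (the sample is the two entries quoted there) and counts rejects by direction, protocol, destination type and port. The function names are hypothetical, and a redacted destination such as `<my ip>` is reported as "unknown" rather than failing.

```python
import ipaddress
import re
from collections import Counter

# Sample input: the two entries as quoted in post 3, including the redacted address.
SAMPLE_LOG = """\
Time: 01-Jul-06 12:31:58.484
Action:Reject
Description:Block All not Processed IP Packets
size: 388
Protocol: UDP
event: Incoming packet
Source address: 204.16.208.74
destination: <my ip>
source port: 39386
destination port: 1026

Time: 01-Jul-06 17:32:57.140
Action:Reject
Description:Block All not Processed IP Packets
size: 40
Protocol: IGMP
event: outgoing packet
Source address: 10.200.1.1 (network interface address)
destination: 224.0.0.22
"""

def parse_entries(text):
    """Split on blank lines; each entry becomes a dict keyed by lower-cased field name."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = (line.partition(":") for line in block.splitlines())
        entries.append({k.strip().lower(): v.strip() for k, sep, v in pairs if sep})
    return entries

def summarize(entries):
    """Count rejects by (direction, protocol, destination kind, destination port)."""
    counts = Counter()
    for e in entries:
        if e.get("action", "").lower() != "reject":
            continue
        try:
            dest = ipaddress.ip_address(e["destination"].split()[0])
            kind = "multicast" if dest.is_multicast else "unicast"
        except (KeyError, IndexError, ValueError):
            kind = "unknown"  # missing or redacted address
        direction = (e.get("event") or "?").split()[0].lower()
        counts[(direction, e.get("protocol"), kind, e.get("destination port", "-"))] += 1
    return counts
```

Calling `summarize(parse_entries(SAMPLE_LOG)).most_common()` lists the most frequent reject groups first, which makes it easier to compare the period just before a freeze with normal operation.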
     
  4. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi S13,
    A Whois of 204.16.208.74 shows:-
    OrgName: FAST COLOCATION SERVICES
    OrgID: FCS-73
    Address: 3791 N. Edgewater Dr
    City: Wasilla
    StateProv: AK
    PostalCode: 99654
    Country: US
    A google shows info

    ====================================================

    I do not know your internet provider, or if they require "Broadcast/multicasting" to be accepted (some info). You could allow this (temp) with logging to see if this helps: open Jetico / root / system IP table / system internet zone / and tick the box next to "Allow incoming UDP broadcasts". Set this rule to logging (notice) so we can check on this. (Try rebooting and re-check the log.)
     
  5. S13

    S13 Registered Member

    Joined:
    Jul 13, 2005
    Posts:
    13
    Hi Stem,

    This address was one of many on the log. I just happened to paste it here.

    Essentially do you think that one of the blocked addresses might cause the firewall to freeze?
     
  6. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I was thinking more that your ISP is being blocked, and with you being connected directly to the internet, that you will have ISP software on your PC that could cause conflict if comms were blocked.
    But to check this, I would need to see your logs, at the time just before and during the "Freeze" (and info of your ISP/software etc)
     
  7. S13

    S13 Registered Member

    Joined:
    Jul 13, 2005
    Posts:
    13
    Sorry for the delay..
    I don't have an ISP software on that PC.
    At the moment my connection set up is done using the XP network connection.
    The ISP config requires me to create a VPN connection to connect to the internet.
    I will try to post later the log before/during/after the freeze.
    Naturally, now that I wait for it, it won't happen..
    I just noticed some odd behavior while checking my PC on "shields up" that might be related. It seems like the ISP have some blocked/stealthed ports on their side.
    I dunno if the two issues are related. I opened a different post for it here to avoid hijacking my own post in case the two issues are not related.
     
    Last edited: Jul 5, 2006
  8. S13

    S13 Registered Member

    Joined:
    Jul 13, 2005
    Posts:
    13
    Some odd behavior with "shields Up" and Jetico. and possibly my ISP..

    Hi there,

    I checked my PC (direct connection to the internet using DSL modem and XP VPN connection, protected by Jetico) at "shields Up" today and discovered something strange.

    In this pic, Jetico is running normally. All is stealthed (failed due to unsolicited packets)
    s13-1-182858360_aa6c3b4a5d_o.png

    Here I tested it with "stateful inspection off" - a necessary evil when running 2 PCs on the LAN.
    s13-2-182858358_28e2f326c3_o.png

    And lastly I ran the test again, this time with Jetico set to "Allow All"
    s13-3-182858359_05bd9ce252_o.png

    As you can see from the two last pics, even when using "Allow All" config some ports are stealthed and all are closed.
    What does it mean? Am I missing something or is it just my ISP is overly protective of me?
     
  9. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    S13 - Since it does look like both issues may be related, I have merged your other thread (Some odd behavior with "shields Up" and Jetico. and possibly my ISP..) with this one as Stem suggested.
     
  10. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Thanks snapdragin,...

    Hope you don't mind S13, I asked for the threads to be merged, as I would like to get this problem resolved for you.

    Please let me know your ISP provider,..

    I believe your problem is due to the need for the VPN connection, and a possible need for a "wake up" (a check on your online status).
    Please refer to my post regarding "Broadcast/multicasting" (post #4), as this may be the source of your problem.

    Your post concerning the stealth/blocked ports while Jetico was "allow all" would indicate filtering from your ISP.
     
  11. S13

    S13 Registered Member

    Joined:
    Jul 13, 2005
    Posts:
    13
    Thanks Stem and Snapdragin, you are most kind.
    Of course I don't mind about the thread merge.

    My ISP is called 012 (http://www.012.net) (the site is in Hebrew apart from one "about" page in English). They are a local ISP in Israel and my connection is a business class connection with fixed IP address. This might be the reason they seem to be filtering.

    Following your advice I changed two things in Jetico.
    1. Allowed UDP broadcasts and soon after saw this in my logs:
    S13-183182647_2e5462ff2e_b.jpg

    Those IPs are from China. I doubt they wish to be friends.

    2. I added rules to the IP table to allow IGMP communications in this manner:
    from: 10.200.1.1 (DSL modem NIC) to 224.0.0.2 - IGMP - Allow
    from: my IP address to 224.0.0.2 - IGMP - Allow
    from: 192.168.0.1 (LAN PC) to 224.0.0.2 - IGMP - Allow

    The logs show this communication takes place mainly during boot time or when the LAN PC becomes alive.

    3. I can go into the modem and change the connection type from PPTP VPN tunnel to PPPOE connection type. Do you think this would help?
     
  12. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hello s13,
    When you set up your VPN within Windows, you would have placed the IP of the VPN server within the setup,.. yes? Place this IP into the trusted zone of Jetico,.. (start menu / all programs / Jetico personal firewall / configuration wizard).
    You can disable the IGMP rule.
    Try this to test; if the problem is resolved, we can set about placing rules for your server IP.
     
  13. S13

    S13 Registered Member

    Joined:
    Jul 13, 2005
    Posts:
    13
    Alright. I added the VPN address to the trusted and disabled the IGMP rule.

    Since Jetico freezes are not well behaved, I will wait to see if it comes back and report.
    Usually it is a matter of a day or two.

    Thanks.
     
  14. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    This is possibly similar to a "lease renew" (every 24hrs on my (cable) connection, my IP is released/renew), if these connections are blocked, I would lose my internet access.

    Let's go back to your results from "Shields up". You say that even with "allow all" your ports are showing as stealth/closed. Perform this check again, and then check your Jetico logs, as there should be a very long list of dropped packets.
     
  15. S13

    S13 Registered Member

    Joined:
    Jul 13, 2005
    Posts:
    13
    Hi Stem,
    This is the output from Jetico's log during the Shields up scan while at optimal protection (without stateful).
    s13-1-183472236_275d29aeee_b.jpg

    And here is the log output during the test at optimal protection while Stateful inspection is on. (all stealthed - passed)
    s13-2-183476495_1db2946bd1_b.jpg

    The test results are at the 8th post.


    Just to be sure Jetico is not affecting the test even while at "Allow All", I completely shut down Jetico and went ahead with the same test.

    The results are very similar to those of the test done with Jetico at "allow all" as seen at post 8 - no port is open and some are stealthed.
     
  16. S13

    S13 Registered Member

    Joined:
    Jul 13, 2005
    Posts:
    13
    Hi,

    First and foremost - Thank you Stem.
    Your advice to add the VPN tunnel address to the trusted networks seems to resolve the problem.
    My PC is up for ~4.5 days now without a problem.

    And on another note - this morning I received a reply from Jetico's support regarding this issue. So far I had a good support experience from them, and I fully understand that they cannot be as quick as the forums here.

    Naturally they asked for some more information so I asked them to review this thread as all the details can be found here.
    Stem - I took the liberty of pointing out in my reply that you were able to resolve this issue for me and might be able to provide further insight. I hope it's OK.

    Many Thanks,
    S13
     
  17. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Would you now like to set up some rules? (I would prefer you to block inbound connections from your server, to see if these are needed.)
     
  18. S13

    S13 Registered Member

    Joined:
    Jul 13, 2005
    Posts:
    13
    Thank you, I would be happy to, although I must admit my knowledge is limited.

    I know most of my way around JPF but in terms of rule setting, it's mostly re-active response - i.e. waiting for a software to act or checking the logs for something I feel shouldn't be there and acting upon it, so I would need some help on starting this process.
     
  19. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    S13,
    I have attached an image to show how to set up 3 required rules. These simply allow All in/out but block inbound connections (inbound TCP SYN).
    Make sure you remove your VPN IP from the "trusted zone" (If there are any connection problems, you can always re-enter the VPN as trusted,.. and PM me the Jetico logs (the blocked inbound connections is set to log)).
    NOTE: You must place the rules in the correct order!
     

    Attached Files: vpn.gif (121.4 KB)
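
Why the order of the rules in post 19 matters, as an added example that is not part of the thread: the three rules below are hypothetical stand-ins for the ones in the attached image (which is not reproduced here), and the model assumes top-down, first-match evaluation with every packet going to or from the VPN server.

```python
from dataclasses import dataclass
from typing import Optional

SYN, ACK = 0x02, 0x10  # TCP flag bits

@dataclass
class Packet:
    direction: str   # "in" or "out"
    protocol: str    # "TCP", "UDP", ...
    flags: int = 0   # TCP flags; 0 for other protocols

@dataclass
class Rule:
    name: str
    verdict: str                     # "allow" or "block"
    direction: Optional[str] = None  # None matches either direction
    syn_only: bool = False           # match only a TCP SYN without ACK

    def matches(self, p):
        if self.direction and self.direction != p.direction:
            return False
        if self.syn_only:
            return p.protocol == "TCP" and (p.flags & (SYN | ACK)) == SYN
        return True

def evaluate(rules, packet, default="block"):
    """Assumed semantics: the first matching rule decides, later rules are never consulted."""
    for r in rules:
        if r.matches(packet):
            return r.verdict, r.name
    return default, "default"

# Hypothetical stand-ins for the three rules described in post 19.
BLOCK_SYN = Rule("block inbound TCP SYN", "block", "in", syn_only=True)
ALLOW_IN = Rule("allow all in", "allow", "in")
ALLOW_OUT = Rule("allow all out", "allow", "out")

CORRECT = [BLOCK_SYN, ALLOW_IN, ALLOW_OUT]
WRONG = [ALLOW_IN, ALLOW_OUT, BLOCK_SYN]  # the block rule is shadowed and never fires

PACKETS = {  # constructed test packets
    "inbound connection attempt": Packet("in", "TCP", SYN),
    "reply to our outbound connect": Packet("in", "TCP", SYN | ACK),
    "inbound UDP": Packet("in", "UDP"),
    "outbound connect": Packet("out", "TCP", SYN),
}

def verdicts(rules):
    return {label: evaluate(rules, p)[0] for label, p in PACKETS.items()}
```

With `CORRECT`, only the unsolicited inbound SYN is blocked while replies and other traffic pass; with `WRONG`, the same SYN is allowed because "allow all in" matches first.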
  20. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,874
    Location:
    New England
    A large number of off-topic posts were removed from this thread.

    For now, this thread remains closed.
     