Jetico making me crazy.

Discussion in 'other firewalls' started by aigle, Feb 19, 2006.

Thread Status:
Not open for further replies.
  1. poirot

    poirot Registered Member

    Joined:
    May 4, 2005
    Posts:
    299
    I am totally in favour of such a -Jetico- move!
    Long overdue, and we already have -if he agrees- a firewall Moderator who can aptly take care of such a section.
     
  2. betauser2

    betauser2 Guest

    need your help stem, and it's the irritating svchost again!

    I have so far allowed all svchost.exe inbound/outbound datagrams etc (after selecting it as a system app, which continued for 2 days) but the darn thing still continues to make connections.

    Here is a screenshot of the ones I've allowed so far (starting from the selected one). Question: do I need them? (i.e. other than the svchost permissions that are set by default)

    thanks

    (as I write this svchost is still knocking on the door)

    http://img53.imageshack.us/img53/7130/1fw9.th.jpg

    the port numbers are 137, 138, 139 local connection any and I can give you the remote addresses if you like
     
    Last edited by a moderator: Jul 24, 2006
  3. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    Ports UDP/137/138 are Netbios Name Service (NETBIOS Datagram Service) which is typically how Windows computers find out information concerning the networking features offered by a computer, such as System Name, File Shares, etc.

    Port TCP/139 is the single most dangerous port on the Internet. All "File and Printer Sharing" on a Windows machine runs over this port. About 10% of all users on the Internet leave their hard disks exposed on this port. This is the first port hackers want to connect to, and the port that firewalls block.

    I personally prefer to block these ports.
     
  4. betauser2

    betauser2 Guest

    Right, other than the default svchost permissions I'm gonna delete all permissions I've created.

    But svchost will keep on nagging, any ideas on how to stop this?

    BTW I am on dial up adsl
     
  5. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    I don't think it is a good idea to reject in general _all_ the svchost TCP/UDP connections. I allow for example DNS Server connections on UDP/53. Also I think some applications need Data Feedback with svchost; so watch them closely and look if some applications don't work correctly after blocking svchost.

    I have made my own table for svchost. Makes it easier to watch and configure. Often they use the same port with different IPs.

    Wait for Stem, he surely has more knowledge regarding this than me :)
     
  6. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    Just checking my log. Maybe a silly question, but I can't find a solution.
    How can I enable that the log does not only show the 'reject' entries but also the 'allow' and so on?

    P.S. Found it myself -> Loglevel :), and am I right that the different loglevels result only in different colors in the log?
     
    Last edited: Jul 24, 2006
  7. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    Me again. Is it possible to export a single table from Jetico?
     
  8. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi betauser2,
    Sorry, I missed your posts,..
    It would depend on what connections are being attempted, and what are actually needed. Post some screen grabs of the popups for svchost.
     
  9. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Yes.

    Not on its own,.. you would need to save a policy. What you can do is "load" another "Block all" or "Allow all" policy,.. rename,.. then drag and drop the ruleset there. Then save that policy.
     
  10. Crynyd

    Crynyd Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    7
    Can anyone post the rules for mIRC and TightVNC (viewer and server)? I can't seem to figure these out. :p

    Thanx.
     
  11. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    There is a ruleset for DCC posted here, have you tried that ruleset?
    As this is a direct connection/Link you would need, you should enter an IP rule to allow all comms from your PC to the remote IP. I have attached an image to show a rule (which would be placed in the System IP table / System internet Zone). This rule would allow any comms to the IP you place in the Destination. NOTE: with this rule you would need to start the connection yourself. If you wanted to be connected into, then the IP would need to be placed in the "Source".
     

    Attached Files:

    • vnc.gif
  12. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    I have the following ports enabled for mIRC (incl. Filetransfer and DCC):

    If you want a tight solution (different rules have to be set):
    outbound connection TCP Remote: 6660-6670,7000,8888,9999
    outbound connection TCP Local: 59,113
    Host: any

    You can also choose to set just one simple rule which should work in most cases:
    outbound connection TCP Remote: Range 6660:6670
    local port: any
    host: any
     
  13. Crynyd

    Crynyd Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    7
    Thanx guys. :)

    Someone should compile all these rules, maybe make a detailed HOWTO/guide. Makes it easier for newbies to understand how rule-based firewall works.
     
  14. betauser2

    betauser2 Guest

    Those interested in using Jetico (IMO) should use Kerio 2.5 (with BZ's rules) first, it really helps if you then decide to use Jetico. I was forced to migrate to Jetico due to the Web Shield (proxy) issue of Avast Home.

    @ stem (think) I've got svchost tamed. Apart from the default svchost rules under system apps I have rejected all new alerts and so far no probs.
     
  15. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    I think the default rules don't include DNS Server send/receive datagrams (UDP) connections on remote port 53. Enable them.
     
  16. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    The "DNS client" rules are included and enabled by default in the System IP table/System Internet zone. (UDP outgoing / incoming packet)
     
  17. betauser2

    betauser2 Guest

    I haven't rejected any send/receive datagrams on remote port 53 (haven't got an alert). I've only rejected send and receive datagrams on remote and local port 137 and 138.

    edit thanks stem just seen your post
     
  18. betauser2

    betauser2 Guest

    stem can you give us any advice for TOR
     
  19. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Looking at the program website, the rules would depend on the settings for either the "Proxy" or the "server", which would be set by the user.
     
  20. betauser2

    betauser2 Guest

    ok I'll leave the current outbound connections I have accepted (ask user).
     
  21. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    adaptive dynamic IDENT port handling possible with Jetico?

    Is that possible with Jetico? Zone Alarm does this very nicely with port 113.

    Example:
    When Zone Alarm receives an inbound connection request for port 113, it checks to see whether the computer has recently initiated any outbound connections to the remote server sending the IDENT request. If not, the IDENT packet is simply dropped, stealthing the protected machine. But if the user does have an existing "relationship" with the sender of the IDENT request, the IDENT packet is allowed to pass through Zone Alarm's firewall protection so that the user's system can respond normally (which usually means immediately returning a closed status for the port).

    I know that IDENT is almost never used, but some email providers and old UNIX IRC servers still use it.
     
  22. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Re: adaptive dynamic IDENT port handling possible with Jetico?

    Not as you describe it. Jetico does not contain that type of rule to reference IP addresses in use.
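
The adaptive IDENT handling asked about in the two posts above, modelled as an added example (not part of the thread, and not ZoneAlarm's or Jetico's code). The class name `IdentGate`, the 60-second meaning of "recently", and the sample addresses are assumptions; the events are constructed.

```python
from dataclasses import dataclass, field

IDENT_PORT = 113  # TCP port used by IDENT requests


@dataclass
class IdentGate:
    """Remembers hosts we recently connected out to and uses that
    to decide what happens to an inbound request on TCP/113."""
    window: float = 60.0                        # assumed "recently", in seconds
    _peers: dict = field(default_factory=dict)  # remote IP -> last outbound time

    def note_outbound(self, remote_ip, now):
        self._peers[remote_ip] = now

    def _expire(self, now):
        # Forget relationships older than the window so they cannot
        # be used to open port 113 later on.
        stale = [ip for ip, t in self._peers.items() if now - t > self.window]
        for ip in stale:
            del self._peers[ip]

    def decide_inbound(self, remote_ip, local_port, now):
        if local_port != IDENT_PORT:
            return "other-rules"   # not IDENT: left to the normal ruleset
        self._expire(now)
        # "pass" lets the host answer normally (usually "port closed");
        # "drop" discards silently, so the port stays stealthed.
        return "pass" if remote_ip in self._peers else "drop"


# Constructed traffic: (time, direction, remote IP, port)
EVENTS = [
    (0.0, "out", "192.0.2.10", 6667),    # we connect to an IRC server
    (1.5, "in", "192.0.2.10", 113),      # that server sends IDENT
    (2.0, "in", "198.51.100.7", 113),    # unsolicited IDENT probe
    (90.0, "in", "192.0.2.10", 113),     # same server, relationship expired
    (91.0, "in", "192.0.2.10", 139),     # not IDENT at all
]


def replay(events, window=60.0):
    """Feed events through the gate; return a verdict per inbound packet."""
    gate = IdentGate(window=window)
    verdicts = []
    for now, direction, ip, port in events:
        if direction == "out":
            gate.note_outbound(ip, now)
        else:
            verdicts.append((ip, port, gate.decide_inbound(ip, port, now)))
    return verdicts
```

A static rule table, as Stem describes for Jetico, can only express "always allow" or "always reject" for port 113; the per-peer state in `_peers` is what such a rule would be missing.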
     
  23. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    Stem, can you tell me where Jetico stores all the rules, tables and so on? It's not in the bcf. files. Registry? Do you have the exact path? Asking because of Backup.
     
  24. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    The rules are stored on a user basis.
    Documents and Settings / ~user~ / Application Data / Jetico personal Firewall / 1.0

    (This is now changed in version2)
     
  25. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    My god, Thomas, look around before you ask silly questions :)
    Thanks again.
     