Jetico making me crazy.

Discussion in 'other firewalls' started by aigle, Feb 19, 2006.

Thread Status:
Not open for further replies.
  1. shaunwang

    shaunwang Registered Member

    Joined:
    Mar 26, 2006
    Posts:
    94
    Nope, the logging shows

    "Block All not Processed IP Packets" with the port I set to.

    while there is still no download taking place.
     
  2. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    So the packets are falling to the end of the rules (they are not being processed for your application).

    Open Jetico while limewire is running, and select the applications tab. Is limewire being shown, and is there a "listen" connection active on the correct port?

    At the end of your ruleset for "limewire", place an "ask" (for any event) rule (to see if you are prompted for the inbound).
     
  3. shaunwang

    shaunwang Registered Member

    Joined:
    Mar 26, 2006
    Posts:
    94
    Yes Stem

    It did ask for a loopback inbound and the port 50 000 for inbound,

    (alright, it's finally solved)

    Seems like Limewire itself has the problem rather than Jetico, because most of the time when downloading from uTorrent nothing like this happens.

    Another Problem

    Limewire is unable to connect when I set this in the ask user table:

    reject disabled any inbound connection

    I mean, limewire has its own table to refer to, so why does it rely on the above rule to not start up o_O

    Btw, there's some confusion between the DNS client being disabled and being on.

    Correct me if I am wrong: from firewallleaktest, they said that the DNS client service will be used by services.exe and svchost.exe to make requests to the DNS server. By disabling the DNS client service, services.exe and svchost.exe will not be able to make a request for DNS, right, and then I cannot surf the internet either.

    If this is the case, how can I improve this type of security, since Firewallleaktest statistics show that Jetico is unable to protect against the DNS tester.exe?

    Ans: will I be safe by not allowing the app to access the network in Jetico? But then it says that if some prodigy creates an app which needs access to the network, with this type of DNS request, and you allow it without knowing a DNS request exists, wouldn't this breach the security of Jetico's rule-based approach?
     
    Last edited: Aug 27, 2006
  4. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    When a packet is processed, it will stop at the first rule that it matches. So, if you place a rule to block inbound, and this rule is before the call to the limewire ruleset, then the inbound will be blocked. This is one of the main reasons there is a need to make rulesets for your applications: you can then better see your application rules, and whether there may be a rule that could block the packet from reaching your application ruleset.

    When the DNS client is disabled, then any application that requires a DNS lookup will do this itself (example,.. if DNS client disabled,.. when you run firefox, firefox will perform the DNS for its own connections)

    By disabling the DNS client, all applications will perform DNS using the TCP datagram rules which are in the "Application table", so, any application that is given "access to network" can perform DNS

    To tighten access for DNS (jetico1):-
    Disable windows "DNS client" service
    ......create a new table, name this DNS,.. go to the "Application table" and drag the 2 (allow DNS requests) rules to the new table. Then go to the "system IP table"/"system internet zone" and remove the 2 allow DNS rules (you can just uncheck these,.. but do not set to block).
    Then when an application attempts DNS you can allow "Handle as" DNS. This is more work,.. but only applications you explicitly allow will be able to perform DNS.
     
    Last edited: Aug 27, 2006
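    A small simulation of the first-match processing Stem describes, added here as an example and not code from the thread or from Jetico. The tables, application names and the port 50000 are constructed from the posts above; "jump" models the call to an application ruleset, and a packet no rule decides falls to the end, where "Block All not Processed IP Packets" catches it.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Added illustration of first-match rule processing (constructed, not Jetico
# code): a packet walks a table top to bottom, the first matching rule wins,
# a "jump" sends it through another table, and an undecided packet falls out.

@dataclass
class Packet:
    app: str
    direction: str  # "inbound" or "outbound"
    port: int

@dataclass
class Rule:
    action: str                   # "allow", "block", "ask" or "jump"
    app: Optional[str] = None     # None on any field means "match anything"
    direction: Optional[str] = None
    port: Optional[int] = None
    target: Optional[str] = None  # table name when action == "jump"

    def matches(self, p: Packet) -> bool:
        return all(want is None or want == got for want, got in
                   ((self.app, p.app), (self.direction, p.direction), (self.port, p.port)))

def evaluate(tables: Dict[str, List[Rule]], table: str, p: Packet) -> Optional[str]:
    """First-match walk of one table; None means nothing in it decided."""
    for rule in tables[table]:
        if not rule.matches(p):
            continue
        if rule.action != "jump":
            return rule.action
        verdict = evaluate(tables, rule.target, p)  # follow the jump
        if verdict is not None:
            return verdict                          # decided inside the jump
    return None

def final_verdict(tables: Dict[str, List[Rule]], p: Packet) -> str:
    return evaluate(tables, "Application", p) or "block (not processed)"

def build_tables(block_before_jump: bool) -> Dict[str, List[Rule]]:
    """Constructed config: a blanket 'block any inbound' rule and the call to the limewire ruleset."""
    block_all_in = Rule("block", direction="inbound")
    call_limewire = Rule("jump", app="limewire", target="limewire")
    order = [block_all_in, call_limewire] if block_before_jump else [call_limewire, block_all_in]
    limewire = [Rule("allow", app="limewire", direction="inbound", port=50000), Rule("ask", app="limewire")]
    return {"Application": order, "limewire": limewire}

if __name__ == "__main__":
    pkt = Packet("limewire", "inbound", 50000)
    print(final_verdict(build_tables(True), pkt), final_verdict(build_tables(False), pkt))  # block allow
```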
  5. koomi

    koomi Registered Member

    Joined:
    Aug 24, 2006
    Posts:
    8
    I've just noticed that if the Process Attack jump in the Root node is left unchecked, Jetico 1 sometimes doesn't properly recognize applications as requesting network access, and blocks them silently (they don't even appear in the applications tab.) No manner of restarting, reloading configs, or re-running configuration wizards can fix it for me.

    I guess the Process Attack Table isn't optional...
     
  6. shaunwang

    shaunwang Registered Member

    Joined:
    Mar 26, 2006
    Posts:
    94
    Thanks Stem, seems like it's working like a charm; with the DNS Client currently disabled, it passed the DNS Tester. Hmm, Jetico scored 23/27 of the tests in the firewall leak test. Is there any way to improve the security for the other devices, or has Jetico already done its job well enough to protect from them o_O
     
  7. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    Which leaktest are you talking about? Jetico passed all of them here with flags in the wind; and Jetico v2 Beta 7 also passed the pcflank test :)

    P.S.
    Ah you mean http://www.firewallleaktester.com/tests.php. Well Jetico is at least the best there. Jetico v2 will go even better.
     
    Last edited: Aug 29, 2006
  8. Bashogun

    Bashogun Registered Member

    Joined:
    Aug 30, 2006
    Posts:
    8
    Location:
    Paris, France
    Hi everybody !
    I lately got rid of Kerio 4 and Norton AV and installed JPF and Nod32. On a PIII, you can easily imagine the difference: much faster, and I feel much more secure.
    I'm pretty confident in these programs, but not quite in my ability to configure JPF to be as performant as it can be...

    Thanks a lot to you all for this very helpful thread, especially to Stem for his enlightening explanations, and to all others for their questions.
    I still have some to ask, though!
    - I have noticed that blocking ctfmon.exe prevented IE from accessing the Internet. Even if I got rid of ctfmon since, could you explain to me why it happened?
    - I have installed Acrobat Reader 7 yesterday. Same thing: preventing it from "access network" blocks IE. Why is it so o_O What should I do about it?
    - More generally, which system applications can be blocked and which should not be (I already have disabled uPnP in XP and DHCP in both XP, router and JPF).
    - I have configured JPF according to the advice given by Stem about DNS. Since then, no application has ever asked to access DNS. Is that normal ??
    - Finally, would it be possible to post my own .bcf file to be analyzed, Master Stem ? :)

    PS Feel free to correct my english !
     
  9. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hello Bashogun, and Welcome to Wilders
    If you have removed ctfmon.exe from your system, then remove any rules that block this application.
    Acrobat reader will attempt internet access through the browser (as with ctfmon). If you block Acrobat reader, then any application Acrobat reader tries to use to access the internet will also be blocked (such as the browser). You could try using a pdf reader such as Foxit Reader which will not give you these problems (uninstall Acrobat).
    This does depend greatly on your O.S./setup. I am currently putting together a help topic for Jetico which will include the main windows applications that require "access to network", but my spare time to do this at the moment is limited, and I have still to complete this.
    If you have followed my instructions correctly, then each application will need to ask for access to DNS on the first access; once you have allowed this, you will not be asked again for that application. (If new applications are making DNS lookups without your permission, then you need to re-check your config to ensure you have removed the "allow DNS" rules from the locations mentioned, and only have rules to allow DNS within the ruleset.)
    You can post your config file onto the forum if you wish, but I cannot say (at this time) when I would be able to find time to check this.

    ____
    Stem
     
  10. Bashogun

    Bashogun Registered Member

    Joined:
    Aug 30, 2006
    Posts:
    8
    Location:
    Paris, France
    Hi Stem !
    Thank you for your answer.

    I will test it soon.

    It will be of great use !

    I read your instructions several times and I think I followed them correctly, but I wonder why the table named DNS in my ruleset is still at the end of "optimal". Should I place a call to it in another table?

    Thank you for examining my config file attached when you have time.
     

  11. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    As you have disabled the DHCP within windows, you will be using a fixed IP and fixed DNS server, yes?
    Have you placed the router IP as DNS server? If yes then this is the problem as your LAN will be placed into Jetico trusted zone by default, and comms to the router will be allowed.

    Please confirm your fixed IP settings.
     
  12. Bashogun

    Bashogun Registered Member

    Joined:
    Aug 30, 2006
    Posts:
    8
    Location:
    Paris, France
    My IPs are fixed, indeed : mine is 192.168.1.2 and my wife's 198.168.1.3.
    They are behind a router (192.168.1.1). Its IP has been entered in each PC as DNS server.
    Yes, I kept Jetico's default Trusted Zone:
    127.0.0.1
    127.0.0.1/8
    192.168.1.0/24
    and, right, my router is in this zone.
    I see what you mean.
    But what should I do to correct this point? Simply change the definition of the trusted zone by entering manually my two PCs' IPs instead of the LAN's?
     
  13. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    If you want to keep a tight config (which you have), then you should first block fwsetup.exe from "access to network" (or this will pick up your LAN settings again as trusted), then run the Jetico configuration wizard, and remove the LAN from trusted. If you are sharing files etc. between your home PCs then you can place those IPs as trusted (as single IPs, example 192.168.1.2/32).
     
  14. Bashogun

    Bashogun Registered Member

    Joined:
    Aug 30, 2006
    Posts:
    8
    Location:
    Paris, France
    I have read your explanations about hexadecimal in the IPs definition, but I must admit I didn't really understand... :eek:
    Will 192.168.1.2/32 cover the 2 PCs ?
    I plan to soon buy a portable PC. It would be defined as 192.168.1.4. What would be the IP definition with hexadecimal?

    Once I have these changes done, will there be modifications in the general behavior of Jetico ?

    (Thanks again - for your patience !) :)
     
  15. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    The /32 is CIDR format, and entering 192.168.1.2/32 will cover only that 1 IP address,.. You will need to enter each IP. Only if you can change the router IP,.. to say 192.168.1.254, could you place a single rule to cover more than one IP (without it including the router).

    You will be asked for DNS lookups,.. but be careful,.. as your setup is very tight with blocking rules at the end of each ruleset, so the DNS lookup will be blocked by these "block" rules. You could, for testing,.. set the trusted zone as mentioned, then uncheck the block rule at the end of the browser ruleset,.. then open another page in your browser; you will then get a prompt for the remote port 53 access,.. you can then "Handle as" DNS. (From there you can place a jump rule to DNS within each ruleset (before the block rule).)

    You're welcome
     
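    A worked check of Stem's CIDR point, added here as an example and not part of the thread. It uses Python's standard ipaddress module; the PC addresses .2, .3 and .4, the router at .1 and Stem's alternative router address .254 are the values discussed above, and the example generalises to any set of hosts and any address to keep out.

```python
import ipaddress
from typing import List, Optional

# Added example (not Jetico code): what a trusted-zone entry in CIDR notation
# covers, and whether one block can hold the PCs without including the router.
# Addresses are the constructed ones from this thread: PCs .2/.3/.4, router .1,
# and Stem's suggested alternative router address .254.

def covered(cidr: str, hosts: List[str]) -> List[str]:
    """Hosts that fall inside the CIDR block (/32 = exactly one address)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return [h for h in hosts if ipaddress.ip_address(h) in net]

def smallest_block_excluding(hosts: List[str], excluded: str) -> Optional[str]:
    """Smallest single CIDR block containing every host but not `excluded`.
    None means no such block exists, so each host needs its own /32 entry."""
    addrs = [ipaddress.ip_address(h) for h in hosts]
    for prefix in range(32, -1, -1):           # widen until all hosts fit
        net = ipaddress.ip_network(f"{min(addrs)}/{prefix}", strict=False)
        if all(a in net for a in addrs):
            # the smallest block that fits; any wider one is a superset of it
            return None if ipaddress.ip_address(excluded) in net else str(net)
    return None

if __name__ == "__main__":
    pcs = ["192.168.1.2", "192.168.1.3", "192.168.1.4"]
    print(covered("192.168.1.2/32", pcs))                    # only .2
    print(covered("192.168.1.0/24", pcs + ["192.168.1.1"]))  # router included
    print(smallest_block_excluding(pcs, "192.168.1.1"))      # None
    print(smallest_block_excluding(pcs, "192.168.1.254"))    # 192.168.1.0/29
```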
  16. Bashogun

    Bashogun Registered Member

    Joined:
    Aug 30, 2006
    Posts:
    8
    Location:
    Paris, France
    Hi Stem !

    I have done as you said. It works well for DNS.

    But :
    - I wonder if it doesn't slow down the computer too much...
    - as I expected, there are then other changes to make in the ruleset : at least Netbios for file and printer sharing ; seems that the router has to send log files to my PC and cannot anymore.

    I have set rules for Netbios allowing 137:139 between local address and 192.168.1.255 (receive and send datagrams) as the log file showed.

    For the second problem, I must modify the 'system IP table' - but there is no 'ask' in this table !
    The log says :
    deny UDP incoming from 192.168.1.1 (port 4015:4018...) to 192.168.1.2:162
    So I suppose I have to set a rule allowing it.
    Arghhh ! Now this last rule is done, I have ICMP outgoing packets from my PC to the router that are denied....... o_O
    Another rule to set ? When does it last ?
     
  17. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    A workaround for the DNS is to set your fixed DNS servers (in win config) to your actual servers. (You could then put the router back as trusted.) But this can cause problems if your DNS servers change.
    The other way is to set your PCs back to DHCP.
     
  18. Bashogun

    Bashogun Registered Member

    Joined:
    Aug 30, 2006
    Posts:
    8
    Location:
    Paris, France
    If the ICMP rule is the last one to set, there is no need to use the workaround.
    I don't know why, but I feel that it won't be the last rule...
    Anyway, it's interesting solving such problems (and even funny) !

    There's no way I set back DHCP. I really don't like things I don't understand or can't control. That's why I disabled uPnP too.
    If the DNS servers change, I suppose I would only have to have a look at the router configuration when it connects. So it doesn't seem to be a big deal.

    Finally, what's the safer way? Put back the router in the Trusted Zone or leave it out?
     
  19. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    For me, the router is another layer of protection,.. if this layer is "Trusted", then I personally cannot see this layer as protection.
    I personally create rules that are specifically needed, even for the router comms, but as you will have noticed, extra rules can be needed.
     
  20. Bashogun

    Bashogun Registered Member

    Joined:
    Aug 30, 2006
    Posts:
    8
    Location:
    Paris, France
    I understand and agree.

    I have noticed! I should have expected it, anyway.
    As I told you, I created the rules I apparently needed, but they sure need to be verified !
     
  21. Coolio10

    Coolio10 Registered Member

    Joined:
    Sep 1, 2006
    Posts:
    1,124
    You may have noticed me crazed about comodo around the forum but have you tried the new 2.3 released today?

    Many haters are now lovers as there are many upgrades and fixes, plus it's a lot smoother.

    I also got annoyed about Jetico's constant popups, but in Comodo's new PF you choose how often they come!
     
  22. kr4ey

    kr4ey Registered Member

    Joined:
    Aug 13, 2006
    Posts:
    187
    Location:
    Florida USA
    Jetico v.2 is way better than Comodo. Comodo is still using way too many resources in my book.
    It took me about an hour and a half to set up Jetico and it uses a lot less memory. I haven't got a pop up since I installed and set it up.
    About a week and half ago.

    Right now it's humming along at 8304k.
     
  23. comicfan2000

    comicfan2000 Registered Member

    Joined:
    Sep 1, 2006
    Posts:
    2

    With basically everything running as should be, I have 2% usage in total, if I shut down CPF, it makes no difference in my system at all. Also, the new 2.3 is even lower in resources. It is an excellent firewall and just wondering if in fact you have tried it? Very smooth running, easy to use but can be for advanced users as well.

    Cheers,

    Paul
     
  24. Hann

    Hann Registered Member

    Joined:
    Mar 14, 2006
    Posts:
    6
    Quick thing:

    I have set up a network between two machines using a crossover cable. One of the machines has an internet connection which I want to distribute to the other via Internet Connection Sharing. Problem is that as long as the "Block All not Processed IP Packets" in System IP Table is set to "reject", the connection between the two machines is dead. Once I set this to "accept" everything works great. Thing is, nothing else gets blocked by the firewall.
    What rule needs to be created (and where) to allow only the client computer to connect and block everything else?

    Thank you,

    Hann
     
  25. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    There was a post concerning Jetico V1 and ICS:- here

    Does this help?
     
    Last edited: Sep 7, 2006