Jetico Personal Firewall

Discussion in 'other firewalls' started by Kerodo, Sep 2, 2004.

Thread Status:
Not open for further replies.
  1. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    I tried arguing with them for days before and lost, so I figured a little pleading this time might get them to re-evaluate the situation... ;)
     
  2. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Does your AV auto update allow you to configure it for passive FTP?

    Regards,

    CrazyM
     
  3. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    How would/does it handle a scan to a listening port with something other than the SYN flag set?
    (i.e. certain types of stealth scans)

    Regards,

    CrazyM
     
  4. tommy1

    tommy1 Guest

    Is there a rule in the UI that allows this traffic to come into the firewall if a program is listening on a port or is it a hidden rule coded into the firewall that the user can't control?
     
  5. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Now you're getting beyond my knowledge, which is very slim anyway.. :)

    I would think that anything other than a SYN would not matter anyway, would it? But you're right, I suppose any incoming other flags might prompt a response from the OS also. Or would they? Any outgoing response would be blocked by JPF though. Perhaps we should be setting all flags except the ACK flag?

    I don't know, CrazyM. Now we're in need of some answers from Jetico I think...
     
  6. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    At this point it's something that the user can't control.. It needs to be fixed by Jetico... All you can do is try to block incoming TCP to listening ports...
     
  7. Diver

    Diver Guest

    For the AV I am using a slightly modified version of the included rule for FTP Clients. The AV updates worked perfectly before. I just noticed it tried to update while I was looking at the log and the traffic from remote 20 was blocked while the update icon for the AV was flashing in the taskbar. I guess that I would have to limit the rule to the two listening ports, which is not that big of a deal. Those two happen to be for the AV to catch mail to scan. It's KAV 5.0.227, by the way. It is not possible to set the AV for passive FTP, at least not without knowing some undocumented registry setting.

    You might want to check your log to see if any legitimate traffic is being blocked by your rule.

    I turned off the DMZ setting for my machine on the NAT, which makes this academic in the sense that the NAT does block this stuff.

    Kerodo, after seeing the difference the NAT makes, I have to agree with you on the "nothing should get through" philosophy. I just wonder what Jetico's real reason for doing things the way they are doing it is. It could be a performance issue of some kind, or they just could have designed themselves into a corner.

    Like you said, it's only version 1.0.
     
  8. Diver

    Diver Guest

    more:
    K-
    I think the only flag that needs to be set is SYN, just from looking at my log, that was the only flag that was detected on the inbound traffic. However, the inbound traffic from remote port 20 also indicated only a SYN flag set. So, I think the answer for now is to only block the listening ports. I am not an expert, but it seems like the logical answer.

    Perhaps it is time to go back to Kerio until next month's exciting installment.
     
  9. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    I don't know why they resisted fixing it a few months ago. Could be many reasons, but I agree that it does need fixing.

    For now, I think I'm fairly safe if I don't allow any incoming TCP connection attempts (SYN flag), however, I'm not sure what the other flags do in terms of connections, if anything. I'll have to research that. CrazyM you do have a good point...

    Diver, you might want to block 113 also, JPF lets it thru...

    We'll see if I get any answers from Jetico in the next few days...
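    Added example (not from the thread or from Jetico): a small stateful inbound TCP filter that shows what CrazyM's question and Kerodo's "block the SYN" plan amount to in code. It parses raw TCP headers built inline (constructed sample probes, no live capture), names the probe type the way scanners do (SYN, FIN, NULL, Xmas, ACK), and applies the default-deny policy the thread converges on: only a lone SYN can open a connection, so any other flag combination arriving at a listening port without a tracked connection is dropped. The listening ports (113 for identd, 25 standing in for the AV mail-scan port, 6881 for a BitTorrent server port), the peer address 203.0.113.5 and the reason strings are all assumptions for the demo.

```python
"""Minimal stateful inbound TCP filter (added example, not Jetico's code)."""
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def build_tcp(src_port, dst_port, flags, seq=0, ack=0):
    """Build a 20-byte TCP header with no options (checksum left zero).
    Only used to construct the sample probes below."""
    offset_flags = (5 << 12) | flags            # data offset = 5 words
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                       offset_flags, 65535, 0, 0)


def parse_tcp(segment):
    """Return the fields the filter needs from a raw TCP header."""
    src, dst, seq, ack, off_flags, _win, _csum, _urg = struct.unpack(
        "!HHIIHHHH", segment[:20])
    return {"src": src, "dst": dst, "seq": seq, "ack": ack,
            "flags": off_flags & 0x1FF}


def classify(flags):
    """Name the probe the way scanners do; only a lone SYN opens a connection."""
    if flags == SYN:
        return "syn"
    if flags == 0:
        return "null"
    if flags == FIN:
        return "fin"
    if flags == (FIN | PSH | URG):
        return "xmas"
    if flags == ACK:
        return "ack"
    if flags & RST:
        return "rst"
    return "other"


class InboundFilter:
    """Default-deny inbound filter with a tiny connection table."""

    def __init__(self, listening, allowed):
        self.listening = set(listening)   # ports a local program has open
        self.allowed = set(allowed)       # ports that may accept NEW connections
        self.connections = set()          # (peer, remote_port, local_port)

    def decide(self, peer, segment):
        hdr = parse_tcp(segment)
        key = (peer, hdr["src"], hdr["dst"])
        kind = classify(hdr["flags"])
        if key in self.connections:
            # Belongs to a connection we accepted earlier; forget it on teardown.
            if hdr["flags"] & (RST | FIN):
                self.connections.discard(key)
            return "allow", "established"
        if hdr["dst"] not in self.listening:
            return "drop", "closed port"
        if kind != "syn":
            # FIN/NULL/Xmas/ACK probe at a listening port: no handshake, no entry.
            return "drop", f"{kind} probe to listening port"
        if hdr["dst"] not in self.allowed:
            return "drop", "listening port not open to the internet"
        self.connections.add(key)
        return "allow", "new connection"


def demo():
    """Run the constructed probes and return the verdicts (also printed)."""
    fw = InboundFilter(listening={113, 25, 6881}, allowed={6881})
    peer = "203.0.113.5"                  # assumed remote address (documentation range)
    probes = [
        ("syn to torrent port", build_tcp(40000, 6881, SYN)),
        ("ack on that connection", build_tcp(40000, 6881, ACK)),
        ("syn to identd", build_tcp(40001, 113, SYN)),
        ("fin scan of identd", build_tcp(40002, 113, FIN)),
        ("null scan of identd", build_tcp(40003, 113, 0)),
        ("xmas scan of smtp", build_tcp(40004, 25, FIN | PSH | URG)),
        ("ack scan of smtp", build_tcp(40005, 25, ACK)),
        ("syn to closed port", build_tcp(40006, 22, SYN)),
    ]
    results = {}
    for name, seg in probes:
        results[name] = fw.decide(peer, seg)
        print(f"{name:24s} -> {results[name][0]:5s} ({results[name][1]})")
    return results


if __name__ == "__main__":
    demo()
```

The point of the ordering is that the "is this port listening" check never decides on its own: a probe to a listening port still has to be a lone SYN to an explicitly opened port, or part of a connection that was accepted that way, otherwise it is dropped like anything else. A real firewall would key the connection table on the remote address as well and would also validate sequence numbers; this toy keys on the peer string only.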
     
  10. Diver

    Diver Guest

    I have returned to Kerio 2.15 for the time being. I ran the same tests as I did earlier this evening with Jetico. Kerio 2.15 behaves as you say a firewall should. Nothing gets through on the listening ports. There is no rebound, unless there is something broken with Kerio's ability to log, and I put in the standard rules at the end to block everything and log.

    This gets back to one of my beliefs: There is so much noise being made about sandboxing and leak tests that other more important aspects of firewall performance are being forgotten by many participants of this, and the DSLR security forums.

    Ultimately, the sandboxing is only going to help with some very exotic malware that has not yet made its way into the AV databases and there seems to be very little evidence that anyone is getting hit this way.

    There was a news article today about a trojan that included both a keylogger and the ability to control any webcam connected to the owned machine. Some questions were raised as to whether it was in any AV database, although it was said to be based on older trojans which are in AV databases. There is a certain FUD factor, because the police in Spain (I think) have not released enough information for any AV vendor to respond and say if they can or can not detect it. I wonder if this particular trojan would have been blocked when phoning home by a non-sandboxed firewall like Kerio 2.15, Sygate or ZA 4.5?
     
  11. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    I don't worry much about programs getting out on my machine, since I consider myself very careful about what I download and install and run here. Others may need all the sandboxing however. I do like firewalls like Tiny anyway, even though I don't really need them. :D

    Diver, there is that fragmented packet thing with Kerio, so it's not perfect either. Supposedly any packet with the fragment bit set can get thru. But most likely no damage will ever occur anyway, so why not use it? I installed it just the other day so I could update my rules a little bit. I have copies of rules for all the firewalls I use here...

    But for me, the most important thing about a firewall is whether it blocks everything from getting IN, not out. I guess it depends on what you use your machine for and so on...
     
  12. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Diver, what do you think of Kerio 4?
     
  13. Diver

    Diver Guest

    K-
    As far as the firewall performance goes, I am behind a NAT. The firewall just covers a couple of forwarded ports on the inbound side. However, it is amazing how much traffic I see on these server ports after downloading something (GPL software of course) using bittorrent. Beyond that it is nice to have a bit of application control to keep some of the M$ components from phoning home all day long, but I wonder how important that really is. As far as the Kerio 2.15 fragmented packet thing goes, the experts like BlitzenZeus say it is mainly theoretical. No two way communication can be established.

    A lot of stuff gets run on my machine, but I have a fairly high level of awareness. A lot of areas get checked regularly including the task manager, startup entries, and the non P&P drivers list (show hidden devices in the device manager).

    It's been a long time since I have gotten bit, and that one I got rid of in a couple of minutes.

    A lot of folks are looking for some kind of foolproof software solution that still lets you use the machine normally. There is no such thing. The tighter things get, the more the machine fights its user. Freeze is foolproof, but it returns every little setting to a baseline after each reboot. Consequently, it is only useful for kiosk browsing. Most of the sandboxes are somewhere in between. There is extra protection at a cost of responding to all sorts of pop-ups.

    I mess with this stuff for fun as well. (I took a look at Tiny 6.0.x, and did not know where to start. Is there a tutorial somewhere?)

    A lot of this stuff will not work in an office. Most folks have no idea of what is going on, and a lot of the geeks that post in these forums have a way of forgetting that. So, enterprise firewalls are designed to keep bad stuff out and the ordinary desktop does not have a personal firewall on it. Beyond that, most businesses have a no unauthorized software rule.

    Of course, I notice that just about every internet forum is very busy during normal US working hours. No wonder nothing ever seems to get done.
     
  14. Diver

    Diver Guest

    K-
    I have never tried Kerio 4, so I don't think of it much. Being a Diver, I try to think of fish, rays, sharks, eels, lobsters, crabs, dolphins and turtles whenever possible:)
     
  15. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    I mess with this stuff for fun also, mostly because I have some extra time on my hands and I find it interesting..

    Tiny is fun. At first, I had no idea what to do with it either. But after a while it sort of unfolds itself and you can get addicted to playing with it. It's got a handy backup and restore function, so you can mess with things, making periodic backups, and then when you mess something up, which you most likely will do, then you can restore from an earlier config. Very handy. There's no tutorial that I know of. Just the manual you can download and the forum on the Tiny site. All in all, I like it a lot, but in the end, I don't really need all that sandboxing, so I turn to the other ones.

    Kerio 4 is different. Most people stay away from it because it has a reputation for being pretty buggy and more bloated than 2. I've used it though. It does not have that fragmented packet vulnerability like 2 does, so that's one plus for it. I like 2 better, but just wondered what other people thought of 4. 4's logging is generally terrible and messed up. If the logging was "normal", I think I might be tempted to use it again. Maybe they'll fix it in 4.2. Who knows... :p
     
  16. Slovak

    Slovak Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    515
    Location:
    Medina, Ohio
    I am still having intermittent internet connection problems, especially with Firefox, and this is round two with Jetico for me. I try to load web sites and it says whatever site I was trying to connect to was not found. How could this be? I don't even see anywhere to check the rules for browsers in Jetico.
     
  17. Diver

    Diver Guest

    Kerodo-

    My return to Kerio 2.15 did not last that long. Nothing wrong with it, but curiosity brought me back to Jetico 1.0. I am going to try that rule of yours again, not limited to specific ports. I set my AV to autoupdate every hour and I will check my log. I did observe the outbound connection on port 113.

    I suppose the downside of not being able to change the default behavior of Jetico on certain listening ports is you have to know which ports they are. However, there does not seem to be any problem with any other listening ports, like 135 and 445 etc.
     
  18. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    It depends on what you have set for Firefox. Go to the Ask User table, and check all lines with Firefox indicated as application. For me there is only one, with the verdict Web Browser. From here it is very easy. Every verdict except the first 4 verdicts (allow, reject, ask, continue) is a reference to another table. So you have a rule table called Web Browser. It should be visible in the left tree panel if you expand it. After selecting this table you will see the rules in it. Originally it contained the following rules:
    1) Allow "access to network"
    2) Allow "outbound connection" to remote port 80 (http)
    3) Allow "outbound connection" to remote port 443 (https)
    4) Default action is continue

    But I inserted one more rule in my Web Browser table which also allows outbound connections to remote port 8080 (most often used http proxy).

    You can now see that such things are not hidden and not hardcoded in this firewall.
    -hojtsy-
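    Added example (my own code, not Jetico's): a small rule-table evaluator built the way hojtsy describes the Jetico tables, so you can see how a verdict that names another table chains into it and how a "continue" default falls back into the calling table. The Ask User table, the Web Browser table with its 80/443/8080 rules and the "continue" default come from the post above; the exact fall-through semantics (a sub-table that ends in "continue" hands control back to the next rule of the table that referenced it, and a root table with nothing left asks the user), the process name firefox.exe and the sample events are assumptions for the demo.

```python
"""Rule-table evaluator with table-reference verdicts (added example)."""
from dataclasses import dataclass, field
from typing import Optional

TERMINAL = {"allow", "reject", "ask"}     # verdicts that end evaluation


@dataclass
class Event:
    app: str
    kind: str                            # "access to network" / "outbound connection"
    remote_port: Optional[int] = None


@dataclass
class Rule:
    verdict: str                         # allow/reject/ask/continue or a table name
    app: Optional[str] = None            # None means "any"
    kind: Optional[str] = None
    remote_port: Optional[int] = None

    def matches(self, ev):
        return all(want is None or want == got for want, got in (
            (self.app, ev.app), (self.kind, ev.kind),
            (self.remote_port, ev.remote_port)))


@dataclass
class Table:
    name: str
    rules: list = field(default_factory=list)
    default: str = "continue"            # applied when no rule matched


class RuleEngine:
    def __init__(self, tables, root="Ask User"):
        self.tables = {t.name: t for t in tables}
        self.root = root

    def evaluate(self, ev, table_name=None, depth=0):
        """Return (verdict, trail); trail records every rule and default hit."""
        if depth > 16:
            raise RecursionError("rule tables reference each other in a loop")
        table = self.tables[table_name or self.root]
        trail = []
        for i, rule in enumerate(table.rules, 1):
            if not rule.matches(ev):
                continue
            trail.append(f"{table.name}#{i}:{rule.verdict}")
            if rule.verdict in TERMINAL:
                return rule.verdict, trail
            if rule.verdict == "continue":
                continue                 # explicit continue: try the next rule
            # Any other verdict is a reference to another table (assumed semantics).
            sub_verdict, sub_trail = self.evaluate(ev, rule.verdict, depth + 1)
            trail.extend(sub_trail)
            if sub_verdict in TERMINAL:
                return sub_verdict, trail
            # The sub-table fell through with "continue": keep going here.
        trail.append(f"{table.name}:default:{table.default}")
        return table.default, trail


def build_engine():
    """The two tables from the post, plus hojtsy's extra 8080 rule."""
    web = Table("Web Browser", [
        Rule("allow", kind="access to network"),
        Rule("allow", kind="outbound connection", remote_port=80),
        Rule("allow", kind="outbound connection", remote_port=443),
        Rule("allow", kind="outbound connection", remote_port=8080),   # added by hojtsy
    ], default="continue")
    ask_user = Table("Ask User", [
        Rule("Web Browser", app="firefox.exe"),      # assumed process name
    ], default="ask")                                # nothing matched: prompt the user
    return RuleEngine([ask_user, web])


def demo():
    """Evaluate a few constructed events and return the final verdicts."""
    eng = build_engine()
    cases = {
        "https": Event("firefox.exe", "outbound connection", 443),
        "proxy 8080": Event("firefox.exe", "outbound connection", 8080),
        "proxy 3128": Event("firefox.exe", "outbound connection", 3128),
        "unknown app": Event("updater.exe", "outbound connection", 80),
    }
    verdicts = {}
    for name, ev in cases.items():
        verdict, trail = eng.evaluate(ev)
        verdicts[name] = verdict
        print(f"{name:12s} -> {verdict:6s} via {' > '.join(trail)}")
    return verdicts


if __name__ == "__main__":
    demo()
```

The "proxy 3128" case is the one worth tracing for Slovak's problem: Firefox matches the Ask User rule, the Web Browser table has no rule for that port, its default is "continue", so control returns to Ask User, which has nothing left and asks. A browser configured for a proxy port that is not in the table will therefore prompt (or fail, if the prompt is never answered) rather than be silently allowed, which is exactly why the table has to be edited when the browser's ports change.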
     
  19. Diver

    Diver Guest

    K-

    The rules to protect 113 and the two listening ports related to the AV mail scan must be limited to those ports. If not, other desired traffic is blocked. In particular, the server port for bittorrent.

    I suspect this is something Jetico will get around to fixing. Whatever they are telling you now is an excuse IMO, not a reason. Go ahead and bother them.
     
  20. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Here's an update for anyone interested:

    I wrote to Jetico last night, and right away got two responses this morning at 3:00am. They said that they are working on the listening port problem and hope to have a solution soon. They have positive results on it already apparently. So that's good news. Hopefully it will be fixed in the next release.. We'll see... :)

    I must say that they do have the best support I've ever seen from a software company. I don't know what other people's experience with them is, but mine has always been excellent to date.
     
  21. Diver

    Diver Guest

    Kerodo- it looks like you convinced them this time.

    I am back to Kerio 2.15 until the next update of Jetico. It makes me a bit queasy that this "feature" made it so far.

    As you say, Kerio 2.15 may not be perfect. However, it has been tested extensively and it works. No wonder a bunch of the gurus keep using it.

    Jetico will reach that level some day. Then they will start charging for it.
     
  22. Diver

    Diver Guest

    K-

    3:00 AM in LA is lunchtime in eastern Europe where Jetico is located.
     
  23. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    According to this news, Jetico is from a country of Nokia, F-secure and jv16 PowerTools, Finland, which belongs to Scandinavia like Denmark, Iceland, Norway and Sweden too, not to the Eastern Europe.

    Best regards,
    Firefighter!
     

    Last edited: Jan 20, 2005
  24. no13

    no13 Retired Major Resident Nutcase

    Joined:
    Sep 28, 2004
    Posts:
    1,327
    Location:
    Wouldn't YOU like to know?
    maybe he refers to the location of only the webservers?
     
  25. Diver

    Diver Guest

    FF is correct. Diver does not get a gold star in geography today. However, the time zone should be about the same as Eastern Europe, if not exactly the same.

    I will never again tell anyone that Finland is in Eastern Europe. Promise.
     