Jetico Personal Firewall

Discussion in 'other firewalls' started by Kerodo, Sep 2, 2004.

Thread Status:
Not open for further replies.
  1. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Well, I don't change much really.. The default rules are actually not too bad as far as I can tell. They just take a little tweaking for each individual system I guess. But I pretty much leave things alone if they don't need changing.
     
  2. Diver

    Diver Guest

    I received some replies from Jetico on feedback today. They mentioned that they are working on the rule editing portion of the interface to make it easier to use.

    K- you are right, the folks at Jetico are a great bunch.
     
  3. Junior

    Junior Registered Member

    Joined:
    Jan 21, 2005
    Posts:
    7
    Location:
    Toulouse - France
    I am still in trouble with JPF and Mozilla Thunderbird. I can't manage to get my emails.
    I have tried to reinstall JPF (build 49) from scratch. It detects Thunderbird when I run it, so I allow it as an "Email client", but when I want to check my emails, Mozilla Thunderbird tells me it can't connect to port 110. No rules in JPF seem to apply and it doesn't even work when I "allow all" in JPF.
    Does anyone have the same problem here?
     
  4. Hi Junior, no problem here, I have used 3 mail clients and they run fine, I use 4 rules for them at the application table:

    1.- verdict: accept, application: C:...\Outlook Express\msimn.exe, event: access to network, protocol: any.

    2.- verdict: accept, application: C:...\Outlook Express\msimn.exe, event: outbound connection, protocol: TCP/IP, local address: any, local port: port range 1024-5000, remote address: host (xxx.xxx.xxx.xxx), remote port: 110.

    3.- verdict: accept, application: C:...\Outlook Express\msimn.exe, event: outbound connection, protocol: TCP/IP, local address: any, local port: port range 1024-5000, remote address: host (xxx.xxx.xxx.xxx), remote port: 25.

    4.- verdict: reject, application: C:...\Outlook Express\msimn.exe, event: inbound connection, protocol: any.


    NOW IF I USE MAIL CLIENT MODULE:

    At application table:

    1.- verdict: accept, application: C:...\Outlook Express\msimn.exe, event: access to network, protocol: any.

    2.- verdict: mail client, application: C:...\Outlook Express\msimn.exe, event: outbound connection, protocol: any.

    Then at the Mail Client module you have to add, at the rules where ports 25 and 110 are, the remote address of your provider for security: xxx.xxx.xxx.xxx.

    For me it is easier to work at the application table and I do it for all applications, as if I was using Kerio. I only make rules such as ICMP (system internet zone) at other modules. In fact I don't use preconfigured rules for FTP client and server, bittorrent client, mail client and web browser.

    If you have done one of these 2, it is rare that it doesn't work.
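    The four application-table rules quoted above can be checked with a small first-match evaluator. This is an added example, not Jetico's code or the poster's: the rule fields and the 1024-5000 local port range come from the post, the matching logic is a reconstruction, and the mail host address is a constructed placeholder.

    ```python
    # Added example: first-match evaluation of a JPF-style application table,
    # using the four msimn.exe rules from the post. Matching logic is my own
    # reconstruction of the behaviour described in the thread, not Jetico's.
    from dataclasses import dataclass
    from typing import List, Optional, Tuple

    MAIL_HOST = "192.0.2.10"  # constructed placeholder for the provider's xxx.xxx.xxx.xxx
    MSIMN = r"C:...\Outlook Express\msimn.exe"  # path exactly as abbreviated in the post

    @dataclass(frozen=True)
    class Rule:
        verdict: str                                  # "accept" or "reject"
        application: str
        event: str                                    # "access to network", "outbound connection", "inbound connection"
        protocol: str = "any"                         # "any" or "TCP"
        local_port: Optional[Tuple[int, int]] = None  # inclusive range; None = any
        remote_address: Optional[str] = None          # None = any host
        remote_port: Optional[int] = None             # None = any port

    @dataclass(frozen=True)
    class Event:
        application: str
        event: str
        protocol: str = "any"
        local_port: Optional[int] = None
        remote_address: Optional[str] = None
        remote_port: Optional[int] = None

    APP_TABLE: List[Rule] = [
        Rule("accept", MSIMN, "access to network"),
        Rule("accept", MSIMN, "outbound connection", "TCP", (1024, 5000), MAIL_HOST, 110),
        Rule("accept", MSIMN, "outbound connection", "TCP", (1024, 5000), MAIL_HOST, 25),
        Rule("reject", MSIMN, "inbound connection"),
    ]

    def matches(rule: Rule, ev: Event) -> bool:
        if rule.application != ev.application or rule.event != ev.event:
            return False
        if rule.protocol != "any" and rule.protocol != ev.protocol:
            return False
        if rule.local_port is not None:
            lo, hi = rule.local_port
            if ev.local_port is None or not lo <= ev.local_port <= hi:
                return False
        if rule.remote_address is not None and rule.remote_address != ev.remote_address:
            return False
        return rule.remote_port is None or rule.remote_port == ev.remote_port

    def evaluate(table: List[Rule], ev: Event, default: str = "ask") -> str:
        """First matching rule wins; an event no rule covers falls through to the
        table default (what JPF reports as 'ask user' / 'block non processed')."""
        for rule in table:
            if matches(rule, ev):
                return rule.verdict
        return default
    ```

    A POP3 connection from a local port outside 1024-5000, or to a host other than the provider's, matches none of the rules and falls through, which is the "block non processed" log entry described later in the thread.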
     
  5. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    Hi,
    I am using Thunderbird with JPF build 49. No problems here. Port 110 is the POP3 port, and I am using it from Thunderbird.
    What does your JPF log show when you open Thunderbird?
    -hojtsy-
     
  6. Junior

    Junior Registered Member

    Joined:
    Jan 21, 2005
    Posts:
    7
    Location:
    Toulouse - France
    The log just shows that the rule "Block non processed IP" (can't remember the exact name as I'm not at home) matched. This means that the rules in the Application Table (even the "ask" one) didn't match. That is why I really don't understand what is going on.
    I did a couple of other tests this morning: after reinstalling the whole system with a Ghost, I installed JPF and ran Thunderbird. The first time, it was detected and declared as "Mail client". I was able to receive emails this time.
    But afterwards, I rebooted the computer and did another test and Thunderbird said that it can't connect to port 110. The point is that I was using the same rules as 5 min before. I was forced to uninstall JPF to get mail working again.
    Any ideas?

    Thanks for your help,
    Thomas
     
  7. Hi Junior, probably it is the Optimal.bcf that doesn't work correctly when you restart. You could try to save your configuration when your mail client works by going to File > Save As and saving it, giving it a new name like Optimal1.bcf and saving it in the Jetico folder in the config folder, so that there will be two .bcf there. Then go to File > Open and select Optimal1.bcf; you will have two configurations in your firewall, Optimal.bcf and Optimal1.bcf. In your firewall at the left you will see these two configurations, the last one will be Optimal1.bcf; right click on it to apply policy and set default. This happened to me some time ago with Jetico when I used only one configuration, and never happened again since I do this I am telling you. I wrote before about rules because I was thinking that this problem wasn't present now.
    Another thing is that at Options > General you always have to check: automatically save changes, apply changes automatically and load default policy at startup.
    I hope this helps Junior.
    good luck
     
  8. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,233
    To determine what IP address(es) apply when the "name server" setting is selected, JPF checks the registry value NameServer under the following key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}

    Where {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX} is your adapter ID string.

    Yes, that niggling thought in the back of your mind is correct: It would be possible for malware to change this registry value. Ultra-paranoiacs may want to manually configure their DNS server IP addresses, rather than use the "name server" setting.
    -
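    One way to notice the change nameless warns about is to keep a record of what NameServer holds under each adapter's Interfaces subkey and compare it against the DNS servers you expect. This is an added example, not from the post or from Jetico: it parses a `.reg` export of the key quoted above (the sample export, its GUIDs and addresses are constructed) and reports any server that is not on an allow-list.

    ```python
    # Added example: audit the per-interface NameServer values that JPF's
    # "name server" setting reads. The sample .reg export below is constructed;
    # GUIDs and addresses are placeholders, not real values.
    import re
    from typing import Dict, Iterable, List, Tuple

    IFACE_KEY = r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces"

    # Constructed sample of what `reg export` of the Interfaces key produces.
    SAMPLE_REG_EXPORT = r"""
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{11111111-2222-3333-4444-555555555555}]
    "NameServer"="192.0.2.53,192.0.2.54"
    "EnableDHCP"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{66666666-7777-8888-9999-000000000000}]
    "NameServer"="198.51.100.9"
    """

    _KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\" + re.escape(IFACE_KEY) + r"\\(\{[0-9A-Fa-f-]+\})\]$")
    _VAL_RE = re.compile(r'^"NameServer"="([^"]*)"$')

    def parse_reg_export(text: str) -> Dict[str, List[str]]:
        """Map adapter GUID -> list of statically configured DNS servers."""
        servers: Dict[str, List[str]] = {}
        current = None
        for line in text.splitlines():
            line = line.strip()
            m = _KEY_RE.match(line)
            if m:
                current = m.group(1)
                servers.setdefault(current, [])
                continue
            m = _VAL_RE.match(line)
            if m and current is not None:
                # NameServer is a comma- or space-separated list of addresses
                servers[current] = [s for s in re.split(r"[,\s]+", m.group(1)) if s]
        return servers

    def audit(servers: Dict[str, List[str]], allowed: Iterable[str]) -> List[Tuple[str, str]]:
        """Return (adapter GUID, address) pairs that are not on the allow-list;
        an empty list means every interface still points at the expected resolvers."""
        allowed = set(allowed)
        return [(guid, addr) for guid, addrs in servers.items()
                for addr in addrs if addr not in allowed]
    ```

    On a live Windows system the same dictionary can be filled from the hive with the standard `winreg` module (OpenKey on the Interfaces key, EnumKey over the adapter subkeys, QueryValueEx for "NameServer") and passed to `audit` unchanged.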
     
  9. Junior

    Junior Registered Member

    Joined:
    Jan 21, 2005
    Posts:
    7
    Location:
    Toulouse - France
    Thank you for your help, I will try this tonight. I hope it will work!
     
  10. Hi Nameless, that's right.

    By Nameless:
    " It would be possible for malware to change this registry value. Ultra-paranoiacs may want to manually configure their DNS server IP addresses, rather than use the "name server" setting."
     
  11. Slovak

    Slovak Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    515
    Location:
    Medina, Ohio
    Anyone else here have a problem with Mozilla products not working on the net with jetico, or is it just me?
     
  12. Arup

    Arup Guest

    Switched to Jetico from Sygate, seems like my net is running faster, have also tried out ZAP and Tiny but this one runs with far less memory than others, only cons if any is that the interface is not for novices.

    I am using it on dual P-III and dual K-8 machines without any problems with Win2K SP4, all the latest patches installed. My anti virus is Avast Pro.

    I use Firefox, Thunderbird as well as Opera 8 and so far no problems at all with any. The only thing that worries me is to enable ICS, I have to edit the stateful inspection rule for TCP and UDP to none and according to Jetico's excellent support, this weakens the firewall a bit.
     
  13. Junior

    Junior Registered Member

    Joined:
    Jan 21, 2005
    Posts:
    7
    Location:
    Toulouse - France
    I have problems too, as I explain in previous posts in this thread.
    After discussing here and with the (really good) support of Jetico, it seems it might be in relation with Kaspersky Antivirus for Thunderbird.
    I will run tests tonight and post my results here.
    Don't forget to give tips if you find solutions.
     
  14. Diver

    Diver Guest

    If you are using KAV 5, you must set up a rule for it to act as a mail client. KAV 5 listens on ports 1110 and 1125 for mail traffic, intercepts and scans it.
     
  15. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    I am afraid you are *not* using the same rules as 5 minutes before. Either you did not save the ruleset or the rule you created originally was a temporary one. Go to the ruleset both before and after reboot and see that the Ask User table is identical. If it is not then you are not using the same ruleset.
    -hojtsy-
     
  16. Hi, many people here have asked what ACCESS TO NETWORK means, here is an answer from Jetico:

    Access to network in our terms means general access to the networking subsystem. Thus, to establish a network connection, an application must gain 'Access to network', then create the connection.

    On the other hand, JPF tracks interprocess communications in order to prevent process hijacking. So, there are two types of 'Access to network': direct (when an application makes access to network itself) and indirect (when, say, an application invokes IE with a url passed via the command line). In the current version when some application makes access to network, the 'access to network' event is generated for the parent process and so on. In the near future we plan to separate direct and indirect access to network.

    Sincerely yours,
    Nail Kaipov

    This will clear the questions about this, well I hope so!!!
     
  17. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,233
    I've also found that if you deny "Access to network" on a program that uses a global hook, you may lose all internet connectivity at that point (while the program is running, and assuming you let it set the hook in the first place). I'm not sure if this is true in all cases, but I've seen it happen more than once.
    -
     
  18. Slovak

    Slovak Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    515
    Location:
    Medina, Ohio
    I decided to retry Jetico, and no net access at all, even with IE o_O
    All web sites give DNS errors with both IE and Firefox. I am behind a router, but that never made a difference before with ANY other firewall that I have tried.
     
  19. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    The router won't make any difference.. Try looking at your DNS rules, and perhaps manually enter your DNS server's addresses in there. Create more rules for them if necessary. Maybe that'll work? No idea why you would be having problems like that..
     
  20. Kaupp

    Kaupp Guest

    This is good news, I hope they can change it for the next build :)
     
  21. Diver

    Diver Guest

    Someone please tell me why separating direct and indirect "access to network" is important. I realize they are different, but how am I better off if the program allows an application to make direct access and deny indirect access, or vice versa, when the program can still be denied the ability to make a connection? Do other firewalls have this feature? Anyway, I have been running JPF solid since 1.49 came out, and with very little desire to go back to Kerio 2.15, or anything else.
     
  22. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    The only reason I can see to separate them would be so you could allow one and deny the other maybe? Does that make any sense?

    The only reason I can see to stick with Kerio is if you like a simpler interface. JPF already does much more than Kerio. Once you adjust to JPF's interface then it's doubtful you'll want to go back..
     
  23. Hi Diver, about your question I think you are asking about this:

    JPF tracks interprocess communications in order to prevent process hijacking. So, there are two types of 'Access to network': direct (when an application makes access to network itself) and "indirect" (when, say, an application invokes IE with a url passed via the command line). """In the current version when some application makes access to network, the 'access to network' event is generated for the parent process""" and so on.

    "Indirect" for example when you use "copernico", a searching site program: let's say you find something interesting with this program and you want to see it, so it is going to invoke IE with the url you want to visit, so you are going to see it with no problem if you add this rule in Jetico (this is about parent and child process I think).
     
  24. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    Let me give an example. File explorer (explorer.exe) is a common parent process for a lot of applications which will do network communication. So it needs indirect access. But does it need direct network access? I strongly believe that it does not. It would only attempt that if it were compromised by some dll injection technique. So let's deny direct network communication for it. Hmm, but there is another way for that also: deny the outbound/inbound connection/datagram events for it. So in the end it seems there is no added security in the separation. It could only give better understanding and user experience. The user would know if a learning dialog popped up because the named application attempted network communication, or a child process attempted it. (In the latter case the dialog could also display the child process in question.)

    Not exactly. For example Kerio 2.x does not restrict indirect access. Kerio 4.x restricts creating child processes, which replaces the indirect access restriction. The solution employed by Jetico seems unique. It may not be the best, but at least there seems to be a desire to come up with new ideas. The fate of this design will depend on whether generic users will be smart enough to understand or not.

    -hojtsy-
     
  25. Junior

    Junior Registered Member

    Joined:
    Jan 21, 2005
    Posts:
    7
    Location:
    Toulouse - France
    I have checked the option to automatically save the configuration on exit and I check the rules at startup to see if everything is OK too. There is no problem on that point.
    As proposed by the support of Jetico, I have tried to disable Kaspersky Antivirus to test Thunderbird but it doesn't help.
    In fact, JPF does not even see that Thunderbird is trying to use the network. I don't understand what is going on.
    I have noticed that on my computer, Thunderbird is not the only program that JPF "forgets" (another example for me is KAV.exe that is not always detected).
    As mentioned before, Thunderbird might work one time and not after a reboot, with the same rules. It looks like a random issue.
     