How "good" are Jetico Personal Firewall 2's filtering capabilities? There seem to be very few block rules in the default set, which makes me a little nervous. I'm interested in JPF because of its HIPS abilities, as opposed to LnS.
I have not used v2, however v1 was quite good overall. It takes some getting used to the interface and the way the rules are kinda spread around, but once you see how things work, it's pretty cool. It is a very good and effective firewall if you can manage to handle the annoyance factor. At first you tend to get a lot of popups until you can get the rules nailed down. In other words, it takes some work, but once done, it's a pretty good firewall. I am guessing that v2 should be even better, but I liked v1 quite a bit.
I am quite familiar with JPF2 now, although that wasn't always the case. What I'm concerned about now is the firewall's filtering capabilities.
Can you be more specific? Also, Stem knows a lot about Jetico and can probably help you out on that....
Well, how tight is the ruleset; what is it allowing in and what is it blocking? Even with logging turned on it is very hard to tell, because there are very few block rules. LnS has the standard set and the enhanced, not to mention Phantom's. With JPF it is very hard to tell. After all, a rule-based firewall is only as good as its ruleset.
It should be good, although since I am not running it now, I can't look at the default rule set. It should be blocking all unsolicited inbound (that is any firewall's job, even without a specific block inbound rule), and only allowing out what you tell it to, and only back in what SPI allows. I can't speak for its SPI implementation, but I think it's decent. Something tells me you need to turn that on in a rule or two though, or at least you did in v1 (unless I am remembering wrong). For those rare cases where you need to allow unsolicited inbound, as in p2p etc., you can create your own rules to handle that. It probably won't catch everything outbound, but I believe it's quite respectable in that regard. Much better than Kerio 2, for example. When it gets to more technical details beyond that, I have to defer to Stem, who is far more versed in these matters.
By default:
- Allow: DHCP / ping out / ping reply / unreachable / time exceeded / inbound UDP broadcasts / any application to listen on a port / ARP. During installation a setup wizard is run which will pick up a number of programs that may have pre-built rulesets, either for system and/or network access; those can be checked/edited during installation and/or changed after installation.
- Blocked: if there is no allow rule (or pre-made block rule) then either you get a popup to ask, or the packet will be blocked. Some TCP packets, such as fragmented/null and xmas, are filtered out directly in the IP table; if required you can set your own rules to directly filter out other invalid flagged packets. There is a default block rule at the end of each main table, but logging is on a per-rule basis, so you would need to enable logging within each rule (in a block and/or allow rule).

The default ruleset in Jetico2 can be classed as an enhanced ruleset, and it allows the minimum for the system. Further rules are then added on a per-application basis, and each application can have its own ruleset with its own logging, or, for example, if you have 2 or 3 browsers, they can share the same ruleset. - Stem
Hello n8chavez. As already mentioned, the default Jetico IP ruleset is pretty tight; it will allow only Windows services common to most setups. You can tighten it further, but it would depend on your setup, primarily the use of DHCP and LAN. Regarding ICMP, it is a messaging protocol (connectionless), so whether you want to be informed of certain events or not would also depend on your personal preferences. Jetico will have types 3 and 11 allowed by default, which I personally use (with logging) and find informative. For most cases, there is no need for "block" rules. Most things will be stopped by the last "block" rule in a table. For those that won't be stopped (invalid TCP flag combinations) there is a need to add specific rules. This should have been handled by Jetico SPI; unfortunately the devs are aiming for the leaktests and disregarding SPI. There is an old thread on invalid TCP flags you may find informative. It still applies. Cheers,
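Stem's note that null/xmas packets are filtered in the IP table, and Seer's point that other invalid TCP flag combinations need explicit rules, both come down to a stateless check on the flags byte. The following is an added example, not code from the thread or from Jetico, showing that check over constructed TCP headers; the set of "invalid" combinations is my assumed list, not Jetico's.

```python
"""Classify TCP flag combinations the way a stateless block rule would."""
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
XMAS = FIN | PSH | URG  # the "xmas tree" combination mentioned in the thread


def is_null(f):    return f == 0                      # no flags at all
def is_xmas(f):    return (f & XMAS) == XMAS          # FIN+PSH+URG lit up
def is_syn_fin(f): return (f & (SYN | FIN)) == (SYN | FIN)
def is_syn_rst(f): return (f & (SYN | RST)) == (SYN | RST)
def is_bare_fin(f): return bool(f & FIN) and not (f & ACK)  # FIN always rides with ACK


# Order matters: the first matching name is reported. Assumed list of
# combinations that never occur in a legitimate TCP session.
INVALID_COMBOS = [
    ("null", is_null),
    ("xmas", is_xmas),
    ("syn+fin", is_syn_fin),
    ("syn+rst", is_syn_rst),
    ("fin-without-ack", is_bare_fin),
]


def tcp_flags(segment: bytes) -> int:
    """Return the six classic flag bits from byte 13 of a raw TCP header."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    return segment[13] & 0x3F  # mask off CWR/ECE, keep URG..FIN


def classify(segment: bytes) -> str:
    """Name the first invalid flag combination found, or 'ok' if none."""
    flags = tcp_flags(segment)
    for name, matches in INVALID_COMBOS:
        if matches(flags):
            return name
    return "ok"


def build_segment(flags: int, sport: int = 40000, dport: int = 80) -> bytes:
    """Constructed 20-byte TCP header (no options) carrying the given flags."""
    data_offset = 5 << 4  # header length 5 words, reserved bits zero
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0,
                       data_offset, flags, 8192, 0, 0)


if __name__ == "__main__":
    for f in (SYN, SYN | ACK, PSH | ACK, 0, XMAS, SYN | FIN, FIN):
        print(f"flags=0x{f:02x}: {classify(build_segment(f))}")
```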
Hi Seer, I will just add to your reply (to give the OP more info). JPF does add localhost (127.0.0.1) to the trusted zone, so if you use a local proxy (such as an AV with a local proxy) then you would want to remove that from the trusted zone, or you can just remove the global rule that allows that access and then allow it only to specific applications (from popups). What is currently allowed by default is very basic, really just to allow you to ping others with a possible reply being allowed, and to allow the user to perform traceroutes and be informed of unreachables. These, if wanted, can be added very easily; I can post info on how that is done if required (I personally always add such rules in a filter that allows such settings). - Stem
Was trying out Jetico2. I can't seem to save (it seems disabled) on Vista, and autosave doesn't always save. Is there any way to enable manual save and disable autosave for the rules? When I am installing etc. I don't always want the rules saved.
Hi acowild, could you please first verify the build you are using (current build 25-August-2008 | v.2.0.2.6) and that it is active. If a lot of the rules are grayed out (and you cannot save) it would mean the trial period has expired. - Stem