Need clues to choose my new personal FW

Discussion in 'other firewalls' started by gagman, Feb 6, 2006.

Thread Status:
Not open for further replies.
  1. gagman

    gagman Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    68
    Location:
    France
    Hello,

    I am quite new at those boards, and found some very interesting stuff.

    I need to change my personal FREE FW, the old one is Kerio 4, but the free edition doesn't provide a way to share an internet connection (it is called the gateway feature in Kerio, only available in the paid version).

    So... I read a lot of reviews and internet boards (above all here!), and tested some FWs.
    In the short list are Safetynet, Jetico, and Core Force.
    I haven't done any deeper tests, so maybe I missed the good one...

    First question: sometimes on the boards, I find sentences like:
    "this one is not good, surfing takes more time, the connection is slower...".
    Do you have any tool to know if, with a given FW, surfing (or whatever) is slower than with another one?

    Second question: some FWs (like McAfee Desktop FW, for example) deal with protocols other than TCP and UDP (like esp, ike, vrrp,... long list). What about FWs where there is only TCP, UDP and ICMP (Core Force is one of them)? Are ipsec packets not filtered at all? Or blocked?

    Thanks to everybody with a bit of an answer... and thanks to the others too!
     
  2. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi gagman

    ... and welcome to Wilders :)

    Are you sure ICS will not work with the free v4.x of Kerio? It was available in the free v2.x

    Everyone will have different experiences with software and firewalls are no different. It is just a matter of finding the one that works best for you.

    Filtering of other protocols will vary. Keep in mind that you would need to be running something using one of these protocols in order for there to be potential vulnerabilities, and some of these other protocols will only work on private networks. For most home users TCP/IP filtering is enough.

    Regards,

    CrazyM
     
  3. gagman

    gagman Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    68
    Location:
    France
    Internet gateway:
    I didn't know it was available with Kerio 2, but I confirm it is not anymore in Kerio 4.

    Agree with you, but when I see in the forum: my connection is 15% slower, I think there is a way to "calculate" this! It is very difficult to see if a connection is slower or better just with human feeling (OK, I perform an ftp transfer, and I watch the clock... but in this case, there is no FW issue, or only one time, there is only a connection issue).

    Maybe I am not an average user... I need some of those features.
    Just FYI, I am a security engineer, but in my scope there are only professional tools, and above all perimeter protection, not personal ones (like Checkpoint, PIX, Netscreen... for FW). So I know almost nothing about personal ones.
    I need to have some VPN tunnels going through my machine, so through my personal FW, and I don't know how they handle non TCP/UDP protocols.
     
    Last edited by a moderator: Feb 6, 2006
  4. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    There are online speed tests available for checking your overall connection speed. I think a lot of comments concerning slower connections may result from some active content filtering that some firewalls do now, but could also be due to any number of other reasons. These options can usually be disabled and there are firewalls that are just firewalls that should not impact your speed at all.

    In addition to ICS and VPN what other features are you looking for in a firewall? Have you considered a router instead of using ICS?

    Regards,

    CrazyM
     
  5. gagman

    gagman Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    68
    Location:
    France
    Maybe I should have a router instead of just a personal FW, but at home I would prefer not to have another piece of equipment...

    I will perform some tests to see how esp (for example) is handled by some firewalls, if I have time to do so...
    If yes, I will post the results.
     
  6. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,694
    Hi,
    If you are into firewalls rather than router:
    My suggestion would be Sygate firewall, easy to configure for ICS, and does not slow down your browsing. Catch 23 is that it has been bought by Symantec and the future is unknown. But the previous to last build and the latest builds are mature, robust and stable, and since the last version is out since only last year, you can live happily with Sygate for next 2 years.
    If you do not like that, then try Jetico. I have a document that explains how you can configure ICS on Jetico. It's a tricky devil, that one, but it's very powerful. The only problem is, it's sort of very advanced beta, and there's no knowing what might happen. But again, you might be happy with the latest release. Their help is very good, though.
    Mrk
     
  7. gagman

    gagman Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    68
    Location:
    France
    I am on the way of testing Jetico (is it a very correct english o_O).
    If you have a doc with Jetico configuration, please tell me how I can reach it.
    Thanks all for your help.
     
  8. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,694
    Hi,
    You have the help file that you can download alongside Jetico.
    Plus, I have a document how to configure ICS. I can post it here if you like.
    Mrk
     
  9. hollywoodpc

    hollywoodpc Registered Member

    Joined:
    Feb 14, 2005
    Posts:
    1,325
    $15.00 is close enough to free for what you get. You should really think about that one. Jetico could be a good one if you know how to configure. I still say that, for the money, Kerio is the best deal going. Plus, renewal is $9.95 a year!!!!
     
  10. gagman

    gagman Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    68
    Location:
    France
    Yes, buying Kerio is not a very big deal.
    But I installed Jetico, I am a bit confused by the configuration (not what I see every day in my professional life), and that's why I want to go further with Jetico, just to configure it well.
    Then I will choose Jetico or not.
    But that's true, configuring Jetico is quite strange (even the rules order is strange!!).

    Mrkvonic, may I ask you to post your doc about internet connection sharing with Jetico?
     
  11. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,694
    Hi,
    OK, later on when I'm back home.
    Mrk
     
  12. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,694
    Hi,
    Sorry for the super long delay on my behalf.
    Here's the document how to configure ICS with Jetico:

    Note - I did not invent this, this is official reply from one of Jetico's guys.

    The firewall can be configured for using it with
    Internet Connection Sharing, but please note that
    an overall level of protection against inbound
    scanning will be lower in this case. It happens
    because of the following.

    JP Firewall has two levels of protection: low-level
    Network Level and Application Level. (We don’t keep
    in mind here third Process Attack Protecting level,
    because it will work in any case.)

    Application Level provides Network Level with information
    about applications that have active connection and about
    all the network traffic Windows applications are interested
    in. All other network traffic is blocked. It is so-called
    Stateful Inspection.

    Now when you turn on Internet Connection Sharing, you get
    private network (for example interface B: 192.168.0.1) and
    continue to have interface with IP address that is opened
    to Internet (say interface A: 207.46.156.188).

    All the packets that come from interface B to interface A
    and all the packets that come from Internet for interface B
    - all those packets do not correspond to any application
    in Windows! The packets should simply go from/to interface
    A to/from interface B.

    So default JP Firewall configuration with stateful inspection
    rules will reject the “interface A <-> interface B” traffic.

    Hence, to get Internet Connection Sharing working, we should
    turn off Stateful Inspection in JP Firewall:

    1) Select “Configuration” tab in JP Firewall;

    2) Select the following table in “Optimal Protection” configuration
    tree: Root -> System IP Table -> System Internet Zone;

    3) In the “System Internet Zone” table find rule with
    “Stateful TCP Inspection” rule and run “Edit” command for the rule;

    4) In the “Protocol specific” settings for the rule uncheck the
    “Stateful inspection” checkbox.

    5) Do the same for the “Stateful UDP Inspection” rule.

    Then, Private Network with interface B should be added as
    Trusted Zone in JP Firewall. It can be done quite simply.
    After you finish configuring Internet Connection Sharing,
    run Configuration Wizard program from “Jetico Personal Firewall”
    program group.

    Configuration Wizard should automatically discover the Private
    Network address and add it to the list in the “Trusted zone”
    dialog window. Just finish Configuration Wizard normally.

    After the procedure Internet Connection Sharing should work on
    your computer.

    Mrk
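
The effect the quoted Jetico reply describes, as an added example that is not part of the original post and not Jetico's code: a toy Python model of a filter that only accepts traffic matching flows registered by local applications. The class, the packet cases and every address outside the 192.168.0.x private network are constructed, and the behaviour of the rule once stateful inspection is unchecked is an assumption.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Constructed addresses: A_IP is a documentation address standing in for the
# public interface A; the private network behind interface B follows the post.
A_IP = "203.0.113.10"
TRUSTED_ZONE = ip_network("192.168.0.0/24")
Packet = namedtuple("Packet", "proto src sport dst dport")

def flow_key(p):
    """Direction-independent key so a reply matches the flow that caused it."""
    return (p.proto, frozenset({(p.src, p.sport), (p.dst, p.dport)}))

class ModelFirewall:
    """Hypothetical two-level filter: application level feeds the network level."""
    def __init__(self, stateful, trusted=None):
        self.stateful = stateful
        self.trusted = trusted
        self.app_flows = set()  # flows reported by local applications

    def app_connect(self, p):
        self.app_flows.add(flow_key(p))

    def verdict(self, p):
        if self.trusted and any(ip_address(a) in self.trusted for a in (p.src, p.dst)):
            return "allow"      # trusted-zone rule
        if not self.stateful:
            return "allow"      # assumption: the rule now passes TCP without state
        return "allow" if flow_key(p) in self.app_flows else "reject"

def run(stateful, trusted=None):
    """Return the verdict for four constructed packets under one configuration."""
    fw = ModelFirewall(stateful, trusted)
    fw.app_connect(Packet("tcp", A_IP, 50000, "198.51.100.7", 443))  # local browser
    cases = {
        "local_app_reply": Packet("tcp", "198.51.100.7", 443, A_IP, 50000),
        "lan_client_out": Packet("tcp", "192.168.0.20", 51000, "198.51.100.7", 443),
        "nat_reply_in": Packet("tcp", "198.51.100.7", 443, A_IP, 61000),
        "inbound_probe": Packet("tcp", "198.51.100.99", 40000, A_IP, 445),
    }
    return {name: fw.verdict(p) for name, p in cases.items()}

if __name__ == "__main__":
    for label, cfg in [("default", (True, None)), ("trusted zone only", (True, TRUSTED_ZONE)),
                       ("ICS setup", (False, TRUSTED_ZONE))]:
        print(label, run(*cfg))
```

In the model, adding the trusted zone alone lets LAN clients send but still rejects the replies arriving on interface A, because no local application owns them. Turning state tracking off admits those replies together with the unsolicited probe, which is the lower protection against inbound scanning the reply warns about.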
     
  13. Hulk

    Hulk Registered Member

    Joined:
    Aug 25, 2005
    Posts:
    40
    Do you know any app/config rules for a PC running XP using Jetico - I have allowed app rules but when I reboot my PC the firewall keeps asking for access by command AV
     
  14. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,694
    Hi,
    You need to save the changes.
    I don't remember right now - but click the file menus and look under options. You have the chance to save upon exit or immediately. Choose immediately and the changes will be automatically saved.
    Otherwise, it's rather fire and forget.
    Maybe special rules for p2p and maybe gaming, but you can also mail them and they can help - they are very quick and thorough.
    Mrk
     
  15. khazars

    khazars Registered Member

    Joined:
    Jun 8, 2005
    Posts:
    124
    Location:
    Glasgow, Scotland
    In Jetico, click options and then click general and there you can check the boxes to save changes automatically. Just make sure to check apply and then ok it and then exit!
     
  16. hitbit

    hitbit Registered Member

    Joined:
    Nov 25, 2005
    Posts:
    35
    Location:
    Dublin Ireland
    Have you considered looking at Grisoft's AVG Anti Virus / Firewall combo? They are much cheaper than most, offering a 2 year license for less than most offer for a 1 year job. You can check out other users' comments about AVG and many other products at CastleCops forums.

    hitbit
     
  17. gagman

    gagman Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    68
    Location:
    France

    Many thanks for your complete answer.
     