Home User Questions

Yes! You have the same security needs as experienced PC users and the InJoy Firewall is designed to be easy for everyone. The InJoy Firewall is also well documented, offers pre-configured security templates, and ships with many examples. In fact, as opposed to firewalls that appeal exclusively to beginners, the InJoy Firewall is a product with which you can start small and grow as your needs dictate.
Before you install for the first time, it is advised that you quickly browse the platform-specific readme and the Getting Started manual. The documentation will help you determine whether the product is appropriate for your needs and also offers you an introduction to the basics. You can find both documents in our online documentation.
The InJoy Firewall is not complicated for the user. It ships with an intuitive graphical user interface and because of the well conceived default values, it will protect you right out of the box. For the more complicated features, such as Virtual Private Networking (VPN), the InJoy Firewall offers user-friendly configuration wizards and on-screen hints everywhere.
Yes, but not exclusively. By using the InJoy Firewall on your home PC, you will be able to enjoy the same enterprise-grade features as the business next door. The InJoy Firewall provides all the control you need, but it doesn't simply drop the whole thing in your lap. Even novices usually find our software approachable, and it is small enough that fully mastering it is within the capability of most people.
When your Internet traffic makes the traffic indicators in the Firewall GUI react, then the InJoy Firewall is installed properly and working to protect you.
No, the files on your hard disk are not checked for viruses by the InJoy Firewall. We recommend that you install dedicated anti-virus software for that purpose.
Yes, the InJoy Firewall is a very powerful Internet Gateway. Not only will the InJoy Firewall allow you to share your Internet connection through Network Address Translation, it also protects your internal PCs, provides detailed traffic statistics, and offers a built-in DHCP Server to automatically configure the TCP/IP settings.
Yes, the InJoy Firewall includes a powerful Graphical User Interface (GUI) which can be used remotely. Read more about it on the InJoy Firewall Administration page.
It definitely is enough for some, as it allows you to close your ports, which by itself is one of the most powerful security measures. However, the Windows firewall does not compare to dedicated firewalls in terms of control, features, security or network monitoring.

Consultants and resellers

Yes. The InJoy Firewall is ideal for consultants, as it's a very flexible and customizable low-admin product.
Yes. If you wish to resell the InJoy Firewall, please contact bww bitwise works GmbH for more information.
Yes. With the modular architecture, the standards-based operation, the multi-platform support and the complete feature set, it is indeed an ideal solution for firewall solution providers.
Yes. It uses standard Intel-based hardware, it supports hardware VPN acceleration and through the modular architecture it can be customized to the exact needs.
Yes. Please refer to the Firewall Administration page for more information.
In general the answer is yes. However, results can vary with the remote control solution used, as the InJoy Firewall driver installation will briefly disconnect the Internet connection.
Yes. The InJoy Firewall is a product that is designed to offer safe technology and thus frequent updates generally aren't needed. In addition, bww bitwise works GmbH is currently working on a central management server solution to allow your client installations to automatically update their security rule set.
Yes. The InJoy Firewall is a very transparent product in general. It is pre-configured to maintain a number of security logs, it provides color-coded security alerts and it allows you to graphically see the attack history. In addition, the InJoy Firewall GUI offers a multitude of graphical network activity and specialized security monitors that can be enabled at will to match your exact level of interest.
Yes. Everything in the InJoy Firewall can be configured in plain text.
Yes. The InJoy Firewall GUI allows you to trigger the execution of 2 pre-defined scripts on the [remote] Firewall Server. This allows you to remotely trigger the InJoy Firewall Server to perform specialized tasks, such as updating itself with new binaries, restarting certain services, or similar.
Yes. We have solution and technology partners that resell the InJoy Firewall under their own brand.
Yes. There is a 30-day free trial. It includes the exact same features as you find in the InJoy Firewall Professional, 2-user version. Please refer to the License Types page for more information.
Because the InJoy Firewall is easy to use and undoubtedly has become one of the most powerful and complete software firewalls in the world.
We primarily design for:
  • Knowledgeable home users looking to get the advantage.
  • SOHO users and Network administrators that need to be in control.
  • Businesses that require easily deployable mission-critical products, across OS platforms.
  • Security-conscious consultants that require flexibility.
Our customers enjoy a hardware-like solution — yet with all the benefits of software — that is cross-platform unified, self-contained, integration tested and easily deployable.
To provide the market's single most powerful Firewall and VPN solution. A solution that works with all the major operating systems and is a joy to use.
Many of the most expensive hardware firewalls deliver little more than primitive packet filtering (1st generation firewall technology) to protect major corporations. The InJoy Firewall offers very powerful intrusion detection and dynamic next-generation "deep inspection" technology. It is easier to monitor than any competing firewall solution and it offers high performance on any modern PC. With hardware VPN acceleration and Gigabit network equipment, the InJoy Firewall out-performs many of the most expensive "top of the line" hardware firewalls. At this point, however, the InJoy Firewall is not suited for large user-databases with more than a few thousand users and the InJoy Firewall doesn't yet interface with RADIUS or other external user databases. We are working on implementing these features in future versions.

Corporate customers

Yes. The InJoy Firewall delivers complete security, IPSec VPN and Internet Gateway capability across all the major OS platforms.
Yes. The InJoy Firewall is ready out of the box, it works the same across multiple operating systems, it can be installed remotely, it can be managed remotely, it can be installed silently, it can be configured using plain-text files, it can execute external scripts, it is standards-based, it is well documented and it ships with many real-world examples. With the InJoy Firewall you don't need to learn a multitude of products, you don't need to seek support from multiple vendors and you don't need to be concerned about constantly having to install new updates.
Yes. The InJoy Firewall has been in continuous development for more than 6 years and support subscriptions are available to corporate customers.
The InJoy Firewall IPSec VPN support is licensed by several major technology partners, it is complete in terms of features, it offers robust stability, and it is the only software VPN solution that is available for all the major operating systems. The InJoy Firewall VPN solution has been tested for compatibility with most major VPN vendors. The IPSec VPN support is also available as a successful stand-alone IPSec VPN firewall toolkit.
Yes. The InJoy Firewall is designed to inherit as few third-party issues as possible and it integrates a number of features to allow sustained fault-tolerant operation. For optimal security and reliability, all core functions of the InJoy Firewall were developed together using InJoy's own hardened codebase. In addition, the InJoy Firewall gives you the option to disable all traffic automatically in case the Firewall Server process becomes inactive for any reason. This feature provides an extra layer of security for your internal network if unexpected hardware or software difficulties arise.
For simplicity. Most of the powerful InJoy Firewall features are isolated in independent modules, which can be enabled at will. With the InJoy Firewall it is always easy to upgrade the software to meet new requirements through multiple individual product levels (Basic, Professional, etc). You download the same software whether you are a novice home-user or a top professional.
A single InJoy Firewall can handle up to 1000 internal users.
It can theoretically handle up to 10000, however the normal distribution is limited to 1000 remote VPN Clients. Supporting more remote VPN Clients requires VPN hardware acceleration support.
Yes. It supports both fail-over and fall back.
Yes. You can prioritize certain types of Internet traffic, limit bandwidth by class, or divide bandwidth evenly among a group of users. Read more on the Traffic Shaping page.
Yes. You can certainly monitor employee activity and you can limit access to certain web-sites or limit web-surfing to certain hours of the day. The InJoy Firewall is not at this point the optimal software for controlling web-site access by category.
Yes. The InJoy Firewall includes a high-performance firewall rule workshop that allows you to define and monitor detailed network access policies. Read more on the network access management page.
Yes. We offer both graphical and scripted installation. For completely silent installation, the setting in Windows to warn about unsigned device drivers must be turned off. The installation scripts can be easily changed to match special requirements.
During normal operation, the InJoy Firewall does not require user intervention.
Yes. The InJoy Firewall has built-in PPP over Ethernet (PPPoE) support across all supported operating systems.

InJoy Firewall Overview

Yes. The InJoy Firewall is designed to be easy for everyone to use.
The InJoy Firewall is a software firewall. A technology partner has implemented the InJoy Firewall as a hardware firewall, but this product is not yet widely available.
Yes. There is a 30-day free trial. The free trial includes the exact same features as you find in the 2-user InJoy Firewall Professional edition. Refer to the License Types page for more information.
In general, yes. All major features, such as the VPN support and the firewall protection, work exactly the same on the supported operating systems.
Yes. If you get a new IP address via PPPoE or DHCP, then the InJoy Firewall will automatically detect this.
Yes. IPSec VPN support is seamlessly installed with the InJoy Firewall. The VPN support can easily be configured to work as a powerful corporate VPN Server (with user authentication) or as a simple VPN Client.
There are a lot of features in the InJoy Firewall and you don't need to learn about all of them at once. As a starting point, read the Product Information page.
If you operate a business, then check some of the unique benefits on our technology pages. If you are a home user, the InJoy Firewall gives you an edge. You will learn more about your Internet connection and enjoy unmatched security, control and convenience. And, should you decide to try out another operating system, you don't need to learn a new firewall product. We encourage you to download the InJoy Firewall and test it against any competing solutions, and discover the benefits for yourself.


The minimum requirements in general are a supported operating system, at least 1 network card and about 60MB of free disk space. For more information refer to the OS platform specific pages.
On Windows and OS/2, download the self-extracting executable and run it. The graphical installer will appear and guide you through the installation. For scripted installation, download the zipped archive and refer to the installation script found inside the archive. The install scripts are named "Install.sh" (on Linux), "install.bat" (on Windows) and "install.cmd" (for OS/2).
Install to the network adapter connected to the Internet.
The InJoy Firewall Server process is designed to offer protection for the individual network card to which it is installed. When multiple insecure network interfaces need protection, multiple autonomous instances of the InJoy Firewall can be easily installed. (One firewall for each insecure network card)
Yes. You can run the installation at any time and as many times as you want — even without un-installing. For major updates of the InJoy Firewall it is however recommended that you uninstall, re-boot and re-install.
No. The InJoy Firewall installs sample configuration files, typically with the extension ".cn_". Once you start the InJoy Firewall, these files are renamed to ".cnf", but only if your own ".cnf" files don't already exist.
On Windows, refer to "Control Panel | Add or Remove Programs". On other operating systems, refer to the "uninstal*.*" script.
Run the folder script in the InJoy Firewall base directory or simply install again.
Yes. In particular if you have installation problems or are concerned about support for your hardware and operating system revision. The readme files can be found on the online documentation page.
Yes. The InJoy Firewall installs at least one device driver. It's this low-level device driver that allows the InJoy Firewall to intercept network traffic before it can harm your system.
Yes. The first time you install on Windows, one or more warnings about unsigned driver installation will appear. This is a standard Windows warning, which you must acknowledge. The exact number of warnings depends on the number of network bindings and network interfaces on your system. The warning is a sign that Microsoft hasn't been paid to test this particular driver.
Yes. The InJoy Firewall offers both graphical and scripted installation. For silent installation, the setting in Windows to warn about unsigned device drivers must be disabled. The installation scripts can be easily changed to match special requirements.
Currently, the only way to update the InJoy Firewall is to download updates from our web-page and install them on top of your existing version.
Generally no. However, be sure to check the operating system specific InJoy Firewall web-pages for the minimum requirements.
First check the platform-specific readme for a possible solution. If that doesn't help, then please contact the bww bitwise works GmbH support team.

Default behavior

Yes. If you operate just a single PC, a small home network or a small business. It is of course recommended that you step through the firewall properties and study the default security level to make sure the defaults match your actual expectations.
If the InJoy Firewall is to stealth your PC, it cannot simply take over your existing connections. Starting the InJoy Firewall is like resetting your Internet connection and it thus requires your network applications to re-connect.
Yes. By default the InJoy Firewall is configured to safely share your Internet connection. See the networking FAQ for more information about how to configure your IP stack for the InJoy Internet Gateway.
By default, the InJoy Firewall considers its own IP address internal. Additionally, the InJoy Firewall is pre-configured to consider the following private IP address ranges internal:
  • -
  • -
  • -
These IP ranges are reserved for internal use and thus likely to be what is used on your LAN as well.
By default, all inbound traffic that does not result from an outbound request is blocked. For example, if you browse a web-site on the Internet, the returned web pages are allowed through because they result from an outbound connection. At the same time, any unsolicited incoming messages are blocked unless specifically allowed in the rule database.
Yes. All ports on your Internet server and internal network are stealthed by default. The term stealth refers to the ports on your PC being completely invisible to attackers and scanning applications.
Yes. The File and Printer resources use TCP ports too and they are made completely invisible by the InJoy Firewall (stealthed).
At the default security level (5), the InJoy Firewall is designed to be minimally intrusive and instead of blacklisting remote users, suspicious traffic is simply blocked. If you switch the firewall to security level 6, port-scanners and other attackers start to get blacklisted. To get a good overview of how InJoy Firewall tackles each possible type of attack, please read the security summary next to the security level slider (in the "security level" dialog).
Yes. At the default security level (5) they are detected and a security alert is logged. To make sure port scanners are blacklisted, raise the security level to 6 or higher.
No, not by default. It can be enabled in the "File | Properties | Firewall Server" dialog.
No, not by default. It can be enabled in the "File | Properties | Firewall Server" dialog.
For example, the "HTTP Request Log" requires that the InJoy Firewall actually extracts and logs HTTP URL requests. At the present time, this happens on Security Level 6 and higher.
Security Level 5 represents what we believe to be the most appropriate compromise. Security level 0 is basically just a simple NAT router with packet filtering and security level 9 requires that you make rules for any traffic to be allowed. Both these levels represent extremes, while security level 5 is easy to get started with (even for beginners), it results in a minimum of false positives, and the security is second to none!


Yes. The InJoy Firewall includes a powerful stand-alone graphical user interface (GUI). Using this application, you can manage all the major features of the Firewall Server from the local desktop or remotely over TCP/IP.
The InJoy Firewall GUI is a graphical application, natively built for your operating system.
No. It's optional. Consider using the deskband toolbar if the GUI takes up too much of your desktop space.
Click the InJoy Firewall GUI icon in the start-menu or desktop folder. To start the GUI from the command line, simply run the program fgui (in the InJoy Firewall directory). To run the GUI with a remote firewall, start it with the command: "fgui ip-number password".
Yes. The InJoy Firewall GUI provides remote administration, monitoring, and configuration of every major Firewall feature.
Yes. Security for the remote administration is ensured through an encrypted password that you can make unguessably long. The actual remote connection is scrambled using the high-grade AES encryption. All major GUI operations are logged and multiple failed GUI login attempts cause the offender to be blacklisted.
Yes. The remote GUI support is designed as a "plugin" for the Firewall Server. You can disable the plugin and thus completely prevent the code from running.
Yes. You can e.g. run the administration tool on your Windows desktop and control a firewall running on any of the other supported platforms.
Yes. The GUI uses shared memory for local administration and thus performs as fast as if it was an integral part of the InJoy Firewall Server application. For remote connections, compression and optimization algorithms allow the Firewall GUI to operate almost as fast as it does on your local PC.
Yes, about as many as you want and you can connect them to different Firewall Servers around the world - or to the same single Firewall.
By default port 3333. You can change the port number.
Yes. However, there is a sample firewall rule that you can easily enable and customize in the rule workshop.
Basically anything you want to know about network activity and security. Please refer to the Firewall GUI Administration page for more information.
The user interface has been designed to offer modular and customizable access to the information gathered by the InJoy Firewall. The different visual themes allow the GUI to "morph" into the look that best matches its mission.
Yes. On Windows there is a toolbar deskband that will provide you all the essentials directly from your Windows task bar. It helps you keep the Windows desktop free for other applications, while at the same time being able to monitor your firewall.
Yes. You can connect it either to a local or remote firewall server.
Yes. The logview application provides a single location for firewall log viewing. The benefit of the log-viewer is that you can customize it to view any log-file.
Because web-based applications (across different OS platforms) do not offer the performance and reliability required by the real-time monitoring offered by the InJoy Firewall.
Unfortunately, because of big-business tactics, the Java support is no longer a common component. Further, the many different Java versions make it hard to base the development of a multi-platform security application on the Java technology.


Yes. If your responsibilities involve security management, nothing is more important than being able to maintain a full overview of the solution. The InJoy Firewall is designed to provide that rare balance between features, usability and software reliability. Rather than configuring once and then putting the solution to rest in a corner, we seek to deliver feel-good products that any user should feel comfortable configuring and operating. If you are a novice, you may need to invest a little extra time, but it's an investment that will pay dividends over time.
The InJoy Firewall is built around its own hardened low-level device driver technology on each supported platform. This allows it to offer protection at the network layer, without exposing Operating System components to malicious traffic. While intercepting traffic at the lowest possible layer, the InJoy Firewall itself operates in user-land, just like all your other applications.
The InJoy Firewall is both a network firewall and an application layer firewall. However, please note that modern firewalls are not easily categorized, as they typically make use of a wide variety of technologies. The InJoy Firewall is no exception.
Yes. By default, all inbound traffic that does not result from an outbound request is blocked. For example, if you browse a web-site on the Internet, the returned web pages are allowed through because they result from an outbound connection. At the same time, any unsolicited incoming messages are blocked unless specifically allowed in the rule database.
Yes. The intrusion detection of the InJoy Firewall is second to none. It relies on a number of the industry's most powerful technologies to dynamically detect and block any type of inbound intrusion. If it's something you wish to learn more about, then please refer to the remainder of the InJoy Firewall web-site for more information.
Extrusion is what happens when a trojan application gets behind the firewall and then connects back out to the attacker. With the InJoy Firewall, focus is on providing sufficient protection to avoid the trojan-infection in the first place. Should the disaster still happen, then the excellent security monitoring of the InJoy Firewall will reveal the malicious activity better than any competing firewall.
That used to be how firewalls were designed and it required a lot of user-rules, which few people have the time and the attention span to deal with. With the InJoy Firewall you can however pick security level 9, and then only traffic specifically allowed by rule will pass through. We recommend this option only for TCP/IP knowledgeable experts.
Yes. At the default security level 5, all ports are stealthed. To change the setting, refer to the "Security Level" dialog.
Security Level 10 will configure the InJoy Firewall to only accept IPSec VPN connections, which is probably not what you want. Security Level 9 will configure the InJoy Firewall to block all traffic by default. Only traffic specifically allowed by rules is allowed. Typically only TCP/IP experts can master such a setup. For most users with "normal" security requirements, we recommend using Security Levels 5 to 8. Security Level 8 will be safer, but also increase the risk of false positives.
Yes. The InJoy Firewall includes an optional SafeMail component, which enables you to shield your internal users from potentially dangerous e-mail attachments. The SafeMail proxy intercepts all incoming SMTP connections and is able to deny, rename and log dangerous attachments. Further the SafeMail proxy offers relay control to ensure that your mail-server isn't exploited for spamming.
Yes. You will see a security alert and if you jack up the security level to 6, they will be blacklisted as well.
No. The InJoy Firewall does not protect you from e-mail spam.
Yes. The InJoy Firewall displays all inbound and outbound connections, each with its source and destination, state and bandwidth statistics.
No. Like most firewalls, the InJoy Firewall checks Internet traffic for signatures of popular e-borne viruses, but on the network level, a firewall cannot ensure that you don't receive (for example encrypted) traffic containing a virus. A network firewall also does not check the files on your hard disk for viruses. We strongly encourage you to install a virus checker to periodically check your computers for viruses.
Yes. To do that, you can either modify your existing security level or jack it up until the security summary indicates that only outbound ICMP pings are allowed. To modify your existing Security Level to silently reject incoming pings, navigate to the dialog "Security Level | Custom | ICMP" and de-select the "Echo Request - 8" checkbox.
For the best possible overview of the security on your system, keep an eye on the "Suspicion Monitor" and its peaks. It's also recommended to monitor the "Firewall Security Alerts" for a record of questionable activity, and finally the "Security Summary" monitor for unexpected trends.
Absolutely not. The InJoy Firewall automatically blocks any traffic that it deems malicious, no matter if you look or not. However, it is strongly recommended that you keep an alert eye on the InJoy Firewall management interface, as your own brain is the most powerful tool in the effort of keeping your network safe over a longer period of time. Think of a firewall not only as a black box, but also as the interface between you and your Internet connection. The InJoy Firewall excels like no other firewall in the area of providing its users with deep insight into the network activity and security situation — so why not take advantage of that?
Yes. Step in to the Firewall Security Level dialog. In there, you see a slider, with which you can easily set up a base security policy for your Internet connection. If you need to customize the security level, simply click the custom push button and watch out for the on-screen hints.
That's up to you. If you are in doubt or don't have time to study the other levels, then stay at the default security level 5.
Yes. That's necessary with Windows and with aggressive worms, of which several can be received every single second. Being unprotected on the Internet for just 5-10 seconds might be enough to get you infected, almost no matter where you are. When you install the InJoy Firewall, there is an option to reject all traffic whenever the Firewall Server isn't running. We highly recommend this option.
Packets get dropped whenever they violate the Firewall, IPSec or NAT policy. Packets can also get dropped if they were deliberately malformed (exploits) or if they went malformed in transit. The InJoy Firewall logs all dropped packets and you can see them in the management interface, together with the reason why they were dropped.
Yes. The InJoy Firewall has a number of sophisticated mechanisms to detect virtually any Denial of Service attack. If the DOS attack is of the distributed type, i.e. performed by a huge number of systems, the InJoy Firewall will deal with one offender at a time, until they are all blacklisted. With DOS attacks, it is important to note that perfectly valid traffic can be used to simply keep your server busy and no static threshold can define exactly when network activity qualifies as being a DOS attack. The InJoy Firewall has its own tunable thresholds defined in a way where they are extremely unlikely to ever interfere with normal business and yet any attempt at DOS will get detected. To test DOS protection in action, simply try to flood your Internet server with thousands of pings or TCP connections per second.

Technology basics

A firewall is a system (hardware, software or combined solution) that secures access between two or more networks, usually an organization's private network (LAN) and the public Internet (WAN).
A firewall inspects network traffic and determines whether to forward it towards its destination. To fulfill this mission, modern firewalls will utilize a number of technologies, ranging from simple packet filtering to highly advanced deep inspection technology.
The Internet Protocol specifies the addressing scheme and the format of the packets being exchanged on TCP/IP networks (such as the Internet and private networks). Most networks use IP in combination with the higher-level TCP protocol in order to establish a virtual connection between a destination and a source.
Every participant on a TCP/IP network is uniquely identified by its IP number.
A port number in combination with the IP address uniquely identifies a service on a TCP/IP network, such as the Internet. Server applications "listen" on certain ports in order to be able to accept incoming connections. Client applications then send a request to the relevant port, and if any server application exists on this port, a TCP/IP connection is established. If not, a refusal message is sent to the client. Port numbers are applicable only to TCP and UDP protocols.
Packet filtering is a commonly available feature in most firewalls and even in simple network routers. It allows the operator to create rules to reject packets based on certain criteria.
A network firewall operates within the context of the network. In other words, it operates solely on network traffic, without knowing exactly which applications and other resources on the PC are in use. A network firewall will typically use technologies such as stateful inspection, packet filtering, deep packet inspection and intrusion detection (IDS) to provide protection for one or more PCs on the private network.
An application layer firewall examines network traffic, not just in isolation, but by analyzing the packet streams that make up the individual application sessions. This technique provides the firewall with a context that more accurately allows it to determine whether traffic is malicious. An application layer firewall delivers significantly better security than simple packet filtering.
Stateful inspection is a technique that allows the firewall to maintain a state for all connections going through it. With the scope of sessions, the firewall can determine whether a packet belongs to an existing connection and whether the packet respects the current state of that connection. With this information, the firewall can more accurately determine the probability that a packet is malicious.
A dynamic firewall uses adaptive next-generation firewall technology to detect malicious activity and to make real-time adjustments to the security policy. For example, if a remote attacker probes a certain number of ports within a certain time-interval, the dynamic firewall can automatically block all future traffic from that IP number. A dynamic firewall will typically base its behavior on a mix of static signatures and behavioral rules technology.
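The port-probe rule described above, as an added example that is not InJoy Firewall code. The class name, the threshold of 5 distinct ports and the 10-second window are assumptions; the level switch follows this page's statement that port scanners are detected and logged at security level 5 and blacklisted from level 6.

```python
from collections import defaultdict, deque

MAX_DISTINCT_PORTS = 5   # assumed threshold; the page only says "a certain number"
WINDOW_SECONDS = 10.0    # assumed interval; the page only says "a certain time-interval"


class DynamicPortScanRule:
    """Hypothetical behavioural rule applied to unsolicited inbound attempts."""

    def __init__(self, security_level=5):
        self.security_level = security_level
        self.probes = defaultdict(deque)   # src_ip -> deque of (timestamp, dst_port)
        self.blacklist = set()             # sources whose traffic is refused outright
        self.alerts = []                   # (timestamp, src_ip, probed ports)

    def inbound_unsolicited(self, ts, src_ip, dst_port):
        """Return the verdict for one inbound attempt that matches no session."""
        if src_ip in self.blacklist:
            return "drop (blacklisted)"
        window = self.probes[src_ip]
        window.append((ts, dst_port))
        # Forget probes that are older than the observation window.
        while window and ts - window[0][0] > WINDOW_SECONDS:
            window.popleft()
        # Count distinct ports, so retries against one port never look like a scan.
        ports = {port for _, port in window}
        if len(ports) <= MAX_DISTINCT_PORTS:
            return "drop"
        self.alerts.append((ts, src_ip, sorted(ports)))
        window.clear()                     # one scan produces one alert
        if self.security_level >= 6:
            self.blacklist.add(src_ip)
            return "drop + blacklist"
        return "drop + alert"


# Constructed sample traffic (documentation address ranges), sorted by time.
EVENTS = [
    (0.0, "203.0.113.7", 21), (0.4, "203.0.113.7", 22), (0.8, "203.0.113.7", 23),
    (1.0, "198.51.100.20", 443),           # one host retrying a single port
    (1.2, "203.0.113.7", 25), (1.6, "203.0.113.7", 80),
    (2.0, "203.0.113.7", 110),             # sixth distinct port inside the window
    (2.5, "198.51.100.20", 443),
    (3.0, "203.0.113.7", 443),             # arrives after the scan was detected
    # A slow scanner that stays under the threshold: one port every 15 seconds.
    (5.0, "192.0.2.50", 21), (20.0, "192.0.2.50", 22), (35.0, "192.0.2.50", 23),
    (50.0, "192.0.2.50", 25), (65.0, "192.0.2.50", 80), (80.0, "192.0.2.50", 110),
]


def replay(events, security_level):
    """Feed the events through a fresh rule; return (verdicts, rule)."""
    rule = DynamicPortScanRule(security_level)
    verdicts = [rule.inbound_unsolicited(*event) for event in events]
    return verdicts, rule


if __name__ == "__main__":
    for level in (5, 6):
        verdicts, rule = replay(EVENTS, level)
        print(f"security level {level}: blacklist={sorted(rule.blacklist)}")
        for event, verdict in zip(EVENTS, verdicts):
            print("  ", event, "->", verdict)
```

The slow scanner at the end of the sample is never flagged, which is the trade-off of any fixed window: widening it catches slower scans at the cost of more false positives.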
Deep packet inspection is a technology where traffic is analyzed not just in isolation, but in the packet streams that make up the individual application sessions. By analyzing both state and protocol compliance, deep packet inspection can spot odd behavior that might signal a brand-new attack. Further, with deep packet inspection firewalls, any threat is usually followed up with some kind of dynamic response to block the attack.
To understand next-generation firewall technology, consider your own thought process. To detect potential threats from "unfamiliar people", your brain compares observed behavior against expected behavior. Next-generation firewalls mimic human behavior by running traffic through fine-mesh nets of carefully crafted firewall rules and by analyzing an aggregate history of the remote endpoint within a defined period. By using these techniques, a firewall is able to pick up on the first signs of abnormality and more accurately determine the overall threat level. Once a serious offense is detected, such as repeated login failures with a network service, the firewall can automatically blacklist the remote offender and administratively log the event.
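The port-probe blocking and per-endpoint history described in the two answers above can be sketched as a sliding-window tracker. This is an added example, not InJoy Firewall code; the threshold, the window length, the event format and the sample addresses are assumptions.

```python
from collections import defaultdict, deque


class ProbeTracker:
    """Blacklist a source that touches too many distinct ports within a window."""

    def __init__(self, max_ports=5, window=10.0):
        self.max_ports = max_ports          # assumed threshold, not a product default
        self.window = window                # assumed window length in seconds
        self.history = defaultdict(deque)   # src -> deque of (timestamp, dst_port)
        self.blacklist = {}                 # src -> reason the source was blocked
        self.log = []                       # administrative event log

    def observe(self, ts, src, dst_port):
        """Return "drop" or "pass" for one inbound connection attempt."""
        if src in self.blacklist:
            return "drop"                   # all future traffic from this IP is blocked
        events = self.history[src]
        events.append((ts, dst_port))
        # Forget attempts that fell out of the observation window.
        while events and ts - events[0][0] > self.window:
            events.popleft()
        distinct = sorted({port for _, port in events})
        if len(distinct) >= self.max_ports:
            reason = "probed ports %s within %.0fs" % (distinct, self.window)
            self.blacklist[src] = reason
            self.log.append((ts, src, reason))
            del self.history[src]
            return "drop"
        return "pass"


# Constructed sample traffic (documentation address ranges, not real hosts).
CONSTRUCTED_EVENTS = [
    (0.0, "198.51.100.20", 443),   # ordinary client, same port every time
    (0.5, "203.0.113.7", 21),      # fast prober starts
    (1.0, "203.0.113.7", 22),
    (1.2, "198.51.100.20", 443),
    (1.5, "203.0.113.7", 23),
    (2.0, "203.0.113.7", 25),
    (2.5, "203.0.113.7", 80),      # fifth distinct port in 2 s: blacklisted
    (3.0, "203.0.113.7", 443),     # already blacklisted: dropped
    (5.0, "192.0.2.9", 22),        # slow source: five ports spread over 60 s
    (20.0, "192.0.2.9", 80),
    (35.0, "192.0.2.9", 443),
    (50.0, "192.0.2.9", 8080),
    (65.0, "192.0.2.9", 25),
]


def replay(events, **settings):
    """Feed events through a fresh tracker; return (verdicts, tracker)."""
    tracker = ProbeTracker(**settings)
    verdicts = [tracker.observe(*event) for event in events]
    return verdicts, tracker
```

The slow source is never blocked with these settings, which shows why the window length and threshold have to be tuned together.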
Stealth mode is when a firewalled network is completely invisible to the outside world and attackers. In other words, a stealth network must not run any publicly accessible network services and it must not respond to ICMP pings. Stealth mode is achieved by maintaining a table of all connections and filtering out ALL inbound packets that don't belong to any current session. Stealth mode is one of the most used buzz words in the personal firewall market; however, the actual protection gained from having a stealth mode system is a source of much debate.
Short for Network Address Translation, an Internet standard that enables a private network to use one set of IP addresses for internal traffic and a single public IP address for external traffic. The main purposes of NAT are to share an Internet connection, to allow the use of private IP numbers within an organization, and to hide internal IP addresses from the public address space.
Short for De-Militarized Zone, a dedicated part of a network that is directly exposed to Internet traffic without necessarily having access to internal networks. Typically, computers in the DMZ have publicly routable IP numbers and are used for running services, such as Web, FTP and SMTP servers. Often the DMZ is considered a safety measure, based on the idea that it's too dangerous to place these public servers on the internal network, in case they are hacked.
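The connection table behind stateful inspection and stealth mode, as an added example that is not InJoy Firewall code: a simplified TCP-only filter that silently drops any inbound packet that has no session or does not fit the session's current state. The packet model, the state names and the sample addresses are assumptions.

```python
from collections import namedtuple

# Constructed packet model: direction is "out" (LAN to Internet) or "in".
Packet = namedtuple("Packet", "direction src sport dst dport flags")


class StatefulFilter:
    """Minimal TCP connection tracker (FIN handling and timeouts omitted)."""

    def __init__(self):
        # (lan_ip, lan_port, remote_ip, remote_port) -> connection state
        self.table = {}

    @staticmethod
    def _key(p):
        if p.direction == "out":
            return (p.src, p.sport, p.dst, p.dport)
        return (p.dst, p.dport, p.src, p.sport)

    def check(self, p):
        key, flags = self._key(p), set(p.flags.split("|"))
        state = self.table.get(key)
        if "RST" in flags and state:
            del self.table[key]              # either side may tear a session down
            return "accept"
        if p.direction == "out":
            if flags == {"SYN"}:
                self.table[key] = "SYN_SENT"  # a LAN host opens a new session
                return "accept"
            if state == "SYN_ACK_SEEN" and "ACK" in flags:
                self.table[key] = "ESTABLISHED"
                return "accept"
            return "accept" if state == "ESTABLISHED" else "drop"
        # Inbound: no table entry means no reply at all (no RST, no ICMP error).
        if state is None:
            return "drop"
        if state in ("SYN_SENT", "SYN_ACK_SEEN"):
            if flags == {"SYN", "ACK"}:       # the only valid answer to our SYN
                self.table[key] = "SYN_ACK_SEEN"
                return "accept"
            return "drop"                     # packet does not respect the state
        return "accept" if "SYN" not in flags else "drop"


LAN, WEB, OTHER = "192.168.1.10", "198.51.100.80", "203.0.113.7"

# Constructed traffic: one legitimate session plus packets that must be dropped.
CONSTRUCTED_PACKETS = [
    Packet("out", LAN, 40000, WEB, 80, "SYN"),
    Packet("in", WEB, 80, LAN, 40000, "SYN|ACK"),
    Packet("out", LAN, 40000, WEB, 80, "ACK"),
    Packet("in", WEB, 80, LAN, 40000, "ACK|PSH"),
    Packet("in", OTHER, 51000, LAN, 445, "SYN"),   # unsolicited connection attempt
    Packet("in", OTHER, 80, LAN, 40000, "ACK"),    # wrong remote endpoint
    Packet("out", LAN, 40001, WEB, 80, "SYN"),
    Packet("in", WEB, 80, LAN, 40001, "ACK"),      # skips the SYN/ACK step
    Packet("in", WEB, 80, LAN, 40000, "RST"),      # closes the first session
    Packet("in", WEB, 80, LAN, 40000, "ACK"),      # session is gone
]


def run(packets):
    """Return the verdict for each packet, evaluated in order."""
    fw = StatefulFilter()
    return [fw.check(p) for p in packets]
```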


Yes. The InJoy Firewall VPN support works exactly the same on a multitude of operating systems, including Windows, OS/2, Linux and FreeBSD. The multi-platform support allows the network administrator to use all implemented features on any of these platforms, reducing the administrative burden and the chance of future crippling multi-vendor interoperability issues. Generally, both support and configuration efforts are dramatically reduced when the same VPN support can be used across all endpoints.
The VPN Wizard offers a way to quickly configure and establish an IPSec VPN through simple modifications to pre-configured template SAs. The VPN Wizard is simple for anyone to use and since it uses standards-based IPSec features, it is compatible with most other (but far from all) IPSec implementations.
The Tunnel Workshop provides another method of configuration, allowing detailed configuration of every individual option of the Security Associations. The Tunnel Workshop is what you should use if you need to configure an advanced VPN, which spans multiple types of devices and IPSec solutions.
Currently, a maximum of 1000 tunnels is supported. The limit is based on performance considerations and it can be increased on demand.
The InJoy Firewall offers a complete set of client/server IPSec features and it supports several operating systems. The InJoy Firewall VPN implementation is also highly interoperable and has been tested with most major VPN vendors. Both Ethernet and dial-up connections are supported, including pseudo-dialup connections, such as PPTP and PPPoE connections. In addition, the InJoy Firewall security features and rule database provide control over IPSec, allowing you to control everything down to the smallest detail.
Yes. The InJoy Firewall IPSec implementation is capable of traversing NAT devices through the use of traditional port forwarding and also with the help of the more modern NAT Traversal technique.
Yes. The InJoy Firewall can work with dynamic IP addresses for IPSec VPN Clients. Even if the new IP address is assigned via a PPPoE connection, the IPSec support is notified and successfully re-negotiates IPSec using the new IP address.
The InJoy Firewall supports fail-over and fall-back to automatically switch to a backup IPSec VPN Gateway in case the primary VPN Gateway stops responding. When the backup VPN Gateway stops working, the InJoy Firewall performs fall-back to the primary IPSec VPN Gateway. When both VPN Gateways are out of order, IPSec cycles between them in order to maintain the VPN.
Yes. When using the InJoy Firewall as a VPN Client, you can specify the DNS name of the remote endpoint, rather than a static IP address.
Yes. The InJoy Firewall supports high-performance and high-grade encryption standards such as AES and Blowfish.
No. The InJoy Firewall IPSec solution was developed and compiled outside of the USA and therefore is not subject to USA export limitations.
Yes. The InJoy Firewall IPSec implementation supports the IP Compression (IPCOMP) standard. IPCOMP offers compression for all VPN traffic, reducing the amount of data transferred over the Internet and thus minimizing the cost of Internet traffic and maximizing performance. Further, IPCOMP works to compensate for any bandwidth absorbed by the IPSec payload added to each packet.
Tough question. Generally, our IPSec implementation works well with standards-compliant third-party IPSec solutions. However, many vendors have tampered with the IPSec standards and added proprietary algorithms (to help their users, protect market-share, etc). Unfortunately, these proprietary extensions often limit reliable multi-vendor IPSec connections, or even make them impossible.
The InJoy Firewall allows you to easily differentiate VPN and non-VPN traffic with its firewall rules.
Yes. Switch to Security Level 10. It will allow only IPSec and DNS traffic to pass through.
Due to the IPSec overhead in each encrypted packet, datagrams can exceed the standard Ethernet MTU of 1500 bytes. The result, if left untreated, is weird and unexplainable network problems, such as stalling web browsing. VPN-induced MTU problems can be resolved by either enabling the MSS-Adjust feature in the InJoy Firewall (recommended) or by decreasing the MTU size of every PC on the tunneled network. By default, the InJoy Firewall sets the MSS-Adjust value, so you shouldn't have to do anything. Check the "File | Properties | Intermediary" dialog for more information. Additionally, version 4.0 of the IPSec plugin supports Path MTU Discovery, which finds the smallest MTU on the path between IPSec endpoints and generates packets of that size.
Generally yes. InJoy IPSec/IKE were tested with a multitude of major VPN vendors and found to be interoperable.

VPN basics

A VPN is a method of providing secure and encrypted communications via the public Internet. A VPN is (in theory) completely transparent to network applications. Tunneled traffic appears to be local and peer-to-peer, even if datagrams traverse the public Internet before they reach their destination. Tunneled data cannot be read and/or modified by a third party, as it's protected and authenticated using modern bullet-proof encryption algorithms.
The Security Association (SA) is the essential configuration entity in IPSec. It holds the current tunnel parameters, encryption keys and other configuration data required for proper encrypted communications.
Internet Key Exchange protocol (IKE) is an automatic key exchange protocol that exchanges security parameters and keying information (cryptographic keys) between IPSec endpoints.
A wide variety of VPN protocols exist, however the most popular variants are IPSec and PPTP. The InJoy Firewall supports and uses the IPSec protocol for VPN support. IPSec is a framework, offering great flexibility and strong security. Unfortunately, the flexibility sometimes also makes it difficult to mix products from different vendors. PPTP is a light-weight VPN protocol that uses PPP for authentication and accordingly it's much simpler, but also not very flexible.
The InJoy Firewall IPSec VPN supports these authentication methods:
  • Pre-shared Key (PSK) Authentication - peers authenticate themselves using an encrypted password
  • Extended Authentication (XAUTH) - user-based authentication
  • Group Authentication - adds one more authentication layer by using an additional group login/password pair to indicate that the peer belongs to some group, letting the authenticating peer apply the relevant group access rights
  • RSA Digital Signatures Authentication (RSA DSS) - Signature based (private/public key) authentication, used in place of PSK.
  • x.509 Digital Certificates - the most powerful, but also the most complicated authentication mechanism
Yes, using one of two ways:
  • Traditional port forwarding, where port 500 and protocols 50 and 51 are forwarded to the internal IPSec capable PC
  • NAT Traversal: An IPSec extension which allows NAT'ed peers to easily establish a VPN tunnel from behind NAT devices - even if both peers are behind NAT


Yes. There is a 30-day free trial. It includes the exact same features as you find in the InJoy Firewall Professional, 2-user version. Please refer to the License Types page for more information.
Yes. For software bought directly from our homepage there is a 30-day money-back guarantee to cover technical defects.
You get a license key, which must be pasted into the InJoy Firewall. The license key will unlock the features you bought.
Within 1 business day after we have received the payment.
Yes. Please refer to the purchase page for the details.
There are several possibilities.
  • Using the Firewall GUI.
    Click the surface of the GUI with the right mouse button to bring up the pop-up menu. In the pop-up menu select "File | Properties" and then choose the Authorize tab.
  • Using the Firewall configuration file.
    Navigate to the InJoy Firewall directory and then continue into the "config" subdirectory. In that directory, open gateway.cnf (or gateway.cn_ if gateway.cnf does not yet exist) and fill in your license information.
Yes. It adds 50% to the price.
If you liked the program, we hope you will buy it. If you didn't like it, then you might want to tell us what you didn't like and then uninstall the product. After the trial key expires, you can run the InJoy Firewall only for a few minutes at a time. Just long enough for you to fill in your license key.
Yes - typically for a period of 1 or 2 years. For the precise details, please refer to the License Types page.
The term "NAT users" is the number of internal IP numbers that can use the InJoy Firewall for Internet access. Any IP number that has been routed through the InJoy Firewall is counted.
The maximum number of IPSec users refers to the number of internal users (or IP addresses) that can be routed out through the IPSec VPN.
We believe in affordable software. We maintain a cost effective organization and focus on creating quality software that markets itself - mainly through word of mouth.


The Firewall Server is the InJoy Firewall process that actually protects your network. It must run whenever you are connected to the Internet.
Make sure the InJoy Firewall Server is started. During installation you have selected to either start the Firewall Server manually (from an icon) or automatically (for example as a Windows service). Once started, it is suggested that you familiarize yourself with the product by browsing the Getting Started Manual.
Start the InJoy Firewall GUI from the InJoy Firewall start menu or desktop folder. Once started, step through the "File | Properties" dialog and verify the default configuration. In particular the internal network configuration and the DHCP pass through setting in the "Networks" tab should be verified. Once you have completed this step, move into the security level dialog and check out whether the security settings match your needs.
The internal networks on the "network" tab of the "File | Properties" dialog define which systems are behind the InJoy Firewall. Only IP numbers on your internal network (and the IP number of the Firewall PC) can use the NAT Internet sharing (gateway) capability and thus occupy a position in the table of NAT clients. Any IP number that does not fall within the internal network configuration is considered to be outside your firewall-protected network. If you need to specify more than 3 internal networks, please edit the file "config/gateway.cnf" manually.
DHCP pass through is an easy way to allow your system to receive an IP address via the DHCP protocol.
Yes. InJoy Firewall detects when its LAN interface receives a new IP address and every time it happens, it calls the script "newip.cmd". If you use PPP over Ethernet (PPPoE) to connect to your ISP, the InJoy Firewall calls the script "pppoe_c.cmd" at connect and "pppoe_d.cmd" at disconnect. Note: On Linux, replace the ".cmd" file extension with ".sh".
Yes. However, the most important information from a security perspective is found within the Suspicion Monitor, the Security Summary, and the Firewall Security Alert log. From an administrative perspective, be sure to check the "Firewall Server Console" and if you made changes to the Firewall security configuration, also periodically check the "Firewall Plugin log". All the above mentioned monitors can be easily enabled in the Firewall GUI pop-up menu. Simply look for the "Monitors" sub-menu.
Currently the only way to update the InJoy Firewall is by downloading updates from the web-site and installing them on top of your current installation. Alternative solutions will be made available in the future.
It can happen (rarely). In the blacklisting monitor you can see what caused any IP address to get blacklisted and in the "Firewall | Rule Workshop | Blacklist Rules" you can easily remove the rule for the IP number in question.
During installation, the InJoy Firewall gives you the option to disable all traffic automatically if the Firewall Server isn't running. If you enable this option, all Internet access will be blocked if the Firewall Server process becomes inactive for any reason. This feature provides an extra layer of security for your internal network when unexpected hardware or software difficulties arise.


Incoming (or inbound) traffic refers to traffic coming from the external network (typically the Internet) to your private network. Outgoing traffic is the exact opposite.
Yes. IP forwarding is a setting in the operating system that enables packets to flow between two or more network interfaces. For the InJoy Firewall to work as an Internet Gateway, IP Forwarding must be enabled. With IP Forwarding enabled, any standard Intel PC can be turned into a powerful software router (for your network).
Yes. However on the Windows platform, the IP Forwarding setting is located deep in the registry database. The InJoy Firewall therefore includes the tool IPGATE, which can be used to easily modify the state of IP Forwarding across supported OS platforms. To enable IP Forwarding using the IPGATE tool, type "IPGATE ON". To disable IP Forwarding, type "IPGATE OFF". On OS/2, it is recommended that you control the state of IP Forwarding in the TCP/IP configuration dialog. You can bring up these settings by typing tcpcfg2.cmd in an OS/2 Window.
Generally yes. InJoy Firewall can protect a PC that has only one (1) network card, however, if you also have an internal network, you will need to use IP aliasing on your server. The exact details are beyond the scope of this FAQ.
We recommend the use of NAT to share your Internet connection among the multiple PCs on your network. Network Address Translation (NAT) is a feature that in the outbound direction multiplexes private IP addresses into a single public IP address. In the incoming direction, NAT de-multiplexes the public address into private IP addresses, thus allowing your internal PCs to have transparent Internet access.

In other words, NAT permits multiple users with internal IP addresses to use a single publicly routable IP address for Internet access. This is important nowadays, where the IP version 4 address space is limited.

Yes. A TCP/IP network where all work-stations can ping each other and where internal PCs use the Firewall PC as their default gateway (route).
Your TCP/IP network can be configured automatically with DHCP or manually, as described below:
  • The client systems must have a DNS server filled in, which is able to resolve Internet domain names
  • The client systems' default gateway/route must point to the internal IP number of the InJoy Firewall PC.
  • The IP addresses of the work-stations must fall within the internal networks specified in ("File | Properties | Network") in the InJoy Firewall GUI.
  • IP Forwarding must be enabled on the NAT PC.
Even if the InJoy Firewall PC does not require NAT for Internet access, several of its features make use of the NAT functionality. For this reason, licensing also includes one (1) IP address for the InJoy Firewall in its total NAT node count.
The list of networks that are subject to NAT is located in the "File | Properties | network" dialog of the InJoy Firewall GUI. If you need to NAT more than 3 networks, refer to the file config/gateway.cnf and manually edit it. Up to 7 internal networks can be specified in this fashion.
Create a bidirectional firewall rule, with your IP address as Source, 80 as the Source Port and Allow as the Rule Action. This will permit incoming traffic to port 80 (the http web server port) through the InJoy Firewall. In the Rule Workshop a ready-made sample rule exists, which you can enable by right clicking it in the list and selecting "Rule Status | Enable".
Ports 10000 and higher are reserved for NAT.
Yes. The InJoy Firewall DHCP Server is ready to work out-of-the-box, however you might want to adjust certain parameters for it to better match your desired network topology. The DHCP configuration can be changed from the Firewall GUI or edited directly, by accessing dhcpd/dhcpd.cnf and dhcpd/ip-pool.cnf.

To enable the InJoy Firewall DHCP Server, refer to the dialog: "File | Properties | Firewall Server".

Most Operating Systems are installed with a DHCP client enabled. If you have previously configured TCP/IP to use a static IP address, then step into the OS TCP/IP properties and enable "Obtain IP address automatically". Notice: you might see different wording on different OS platforms and also for the IP address and the DNS server addresses (which can both be either statically or dynamically specified).

Technical information

The InJoy Firewall Server ("gateway") and the InJoy Firewall GUI ("fgui").
Yes, everything in the InJoy Firewall can be controlled via simple configuration files.
Yes. Only configuration attributes that deviate from the default values are actually saved. All configuration files have a complete set of default values. You can see these template files and the default values in the template directory.
The logs that relate to the general operation are stored by default in the logs directory.
The security-oriented logs are all stored in the directory firewall/logs.
Firewall security logs and IPSec VPN logs tend to run full. When that happens (at the 2-10MB boundary - depending on the log file), the log is renamed to a .bak file, after which logging to the original file name continues.
Yes. The primary log can be stored in a directory of choice, e.g. on a network drive. To specify an alternate location for firewall.log, update "config/gateway.cnf" with the configuration attribute Logging-Directory, for example: Logging-Directory = "x:/logs/"
To get an overview and clean up blacklist rules, use the "Firewall | Rule Workshop | Blacklist Rules" dialog. If you prefer to edit the blacklist file directly, navigate to the firewall sub-directory and edit the file blacklst.cnf.
Yes, by default all IP packets are defragmented before they are analyzed by the firewall engine.
Yes. We alter the Maximum Segment Size in new TCP connections. This shields you from the most common MTU problems. You can tune the MSS value in the dialog "File | Properties | Intermediary".
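What altering the Maximum Segment Size in a new TCP connection involves, as an added example that is not InJoy Firewall code: the MSS option in a SYN header is lowered and the TCP checksum is patched incrementally so the segment stays valid. The clamp value of 1360 used in the tests, the function names and the sample header are assumptions.

```python
import struct


def ones_sum(data: bytes) -> int:
    """16-bit one's-complement sum, the arithmetic behind the TCP checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def find_mss_offset(hdr: bytes):
    """Return the byte offset of the 16-bit MSS value in a TCP header, or None."""
    if len(hdr) < 20:
        return None
    hdr_len = (hdr[12] >> 4) * 4
    if hdr_len < 20 or hdr_len > len(hdr):
        return None                       # malformed data offset
    i = 20
    while i < hdr_len:
        kind = hdr[i]
        if kind == 0:                     # End of Option List
            return None
        if kind == 1:                     # NOP padding
            i += 1
            continue
        if i + 1 >= hdr_len:
            return None
        length = hdr[i + 1]
        if length < 2 or i + length > hdr_len:
            return None                   # malformed option: leave the packet alone
        if kind == 2 and length == 4:     # Maximum Segment Size option
            return i + 2
        i += length
    return None


def read_mss(hdr: bytes):
    off = find_mss_offset(hdr)
    return None if off is None else struct.unpack_from("!H", hdr, off)[0]


def clamp_mss(hdr: bytes, max_mss: int) -> bytes:
    """Lower the MSS option of a SYN or SYN/ACK header to at most max_mss."""
    off = find_mss_offset(hdr)
    if off is None or not hdr[13] & 0x02:         # MSS is only negotiated on SYN
        return hdr
    if struct.unpack_from("!H", hdr, off)[0] <= max_mss:
        return hdr
    buf = bytearray(hdr)
    start, end = off & ~1, (off + 3) & ~1         # 16-bit words touched by the edit
    old_words = bytes(buf[start:end])
    struct.pack_into("!H", buf, off, max_mss)
    new_words = bytes(buf[start:end])
    # Incremental checksum update (RFC 1624): HC' = ~(~HC + ~m + m')
    csum = struct.unpack_from("!H", buf, 16)[0]
    s = (~csum & 0xFFFF) + ones_sum(bytes(b ^ 0xFF for b in old_words)) \
        + ones_sum(new_words)
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    struct.pack_into("!H", buf, 16, ~s & 0xFFFF)
    return bytes(buf)


# Constructed SYN header: ports 40000 -> 80, 24-byte header, MSS option 1460.
# The checksum field 0x1C46 is a made-up value, not computed from a real packet.
CONSTRUCTED_SYN = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 0x60, 0x02,
                              65535, 0x1C46, 0) + bytes([2, 4, 0x05, 0xB4])
```

Because the payload and pseudo-header are untouched, the segment's checksum remains valid exactly when the one's-complement sum over the header is unchanged, which is what the incremental update guarantees.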
Because we cannot base our multi-platform security product on another security product.
One size does not fit all when it comes to network security needs. Network security personnel have been forced to buy multiple large software packages to get the few features that they really want or need. Instead of pre-packaging our solutions with different fixed configurations, each feature is a separate, loadable module.