
How to Optimize Security in Kerio 2.1.5 - Learning Thread 3


Escalader
August 8th, 2007, 10:05 AM
Hi:

Just to be sure we are all on the same version etc.

I have Kerio 2.1.5 engine created 30/Apr/2003, driver 3.0.0 15/Apr/2002.
Source was http://www.dslreports.com/forum/kerio where I have the same id.

Some administrivia:

1) My version is not registered, no licence #; during the install process there was something about 30 days and you are gone? Is that for real?

2) Learning mode duration, does it end on its own?


3) Apart from answering popups is there anything else I should be doing? Like backing up settings? How?

TY

Stem
August 8th, 2007, 12:18 PM
{QUOTE-> Hi:

Just to be sure we are all on the same version etc.

I have Kerio 2.1.5 engine created 30/Apr/2003, driver 3.0.0 15/Apr/2002. <-QUOTE}
[attachment 192444]


{QUOTE-> Some adminsitrivia: <-QUOTE}
[attachment 192445]

{QUOTE-> 1) My version is not registered, no licence #, during install process there was something about 30 days and you are gone? Is that for real? <-QUOTE}
[attachment 192446]

{QUOTE-> 2) Learning mode duration, does it end on it's own? <-QUOTE}
No, you set it to "deny unknown".

[attachment 192447]

{QUOTE-> 3) Like backing up settings? How? <-QUOTE}
[attachment 192448]

Escalader
August 8th, 2007, 04:37 PM
Thanks Stem!

During this rule making period I think I should leave it on ask me first, OK?

I've learned enough from you and others that I have already made a few rules of my own blocking games on my pc that sort of thing.

For those who are interested my config is 2 PC's sharing a router and ISP, one is my PC to be secure and the second PC is a gaming surfing PC.
Game PC got infected last night by a trojan using IE7 off a news network's site; it loaded an ActiveX without even clicking, called winfix I think. We removed it. But that is the sort of thing I don't want to "share" with that PC!

First though I'm going to post 2 jpg's miscellaneous and the ms networking option pages I've got for any mistakes you guys see in these.

Escalader
August 8th, 2007, 05:10 PM
Hi Guys:

I pulled a set of "advanced" rules off the Kerio forum web site, so please don't think I made them. I haven't posted mine yet as they are a work in progress and I'm still reading FAQs and Help screens etc. But I would use some of these rules as a starting set; what is the best way to do it? I don't know if they could be imported directly and then tweaked, or even if that is wise. It does contain the loopback rule and a very interesting one called custom blocking sites! Sounds like what I want to do at some point!

herbalist
August 8th, 2007, 06:28 PM
The "ask me first" setting isn't just a learning mode. You can use that setting indefinitely if you want. Using the "deny unknown" setting is the equivalent of putting a "block all" rule at the end of the ruleset. The "deny all" setting can cause problems in certain situations. Games are one example. If one needs to use a port you didn't allow in the rules, the game won't work and you won't be prompted. You can have the same problem with updaters and address specific rules. If the IP addy it uses gets changed, it'll fail to work. IM programs connect directly to the individual you're talking to in certain situations, webcams and sharing files for instance.

I prefer to use the "ask me first" as an overall setting and blocking rules for specific apps and system components. This way, you're only prompted about connection attempts for the apps you choose. With a little planning, you can have the advantages of both settings.
A couple of examples:

Mail handler rules. The first rule allows outbound TCP connections to one specific IP address, using ports 25 and 110 only. It's followed by a TCP/UDP blocking rule for all addresses and ports, in both directions. This way, I won't be prompted for unwanted connection attempts to the mail handler.

Simplified browser rules, no proxy. The first rule allows outbound on ports 80 and 443 to any address. It's followed by a rule blocking all inbound traffic. This way, there are no prompts for inbound connection attempts, but if you're playing an online game that requires you to connect using a non-standard port, you'll be prompted for those connections.

If you have specific apps or system components that you want all web access to or from blocked, put these rules at the top of the ruleset. Follow these with "system allow" rules like DNS, DHCP, allowed services, etc. Make them as specific as possible regarding IP address(es), ports, protocols.

After these come rules for applications. As much as possible, keep rules for specific apps together. In certain situations, the rules for a group of apps should be kept together. An example would be using more than one browser with proxy software and/or TOR. In these situations, the order of the rules becomes extremely important, not just to make it work but to prevent unwanted leakage. If you have or are going to assemble such a package, let us know and we'll guide you through it. These use loopback rules that need to be specific.

If you don't already have one, pick up a whois utility. Karen has one in her power tools (http://www.karenware.com/powertools/ptwhois.asp). Sam Spade is a powerful set of web tools that includes one. Their main site is down but it's available here (http://www.pcworld.com/downloads/file/fid,4709-order,1-page,1-c,alldownloads/description.html).
These are very useful for finding who owns/controls a specific IP address and what range of IPs it's part of, useful when a rule needs to cover a range of IP addresses.
Rick

Escalader
August 8th, 2007, 07:11 PM
TY Rick:

My mail handler ISP uses 110 and 587 ports so we will need to take care of that point?

I really like the post you gave me; let me change my rule list order in line with your advice and I will post it as a jpg for comments, good or bad.

I have left it on ask me, and I already have whois access via dnstuff! Have used it a lot to build my sites to block/allow lists.

More later.

Escalader
August 8th, 2007, 08:31 PM
Rick/Stem et al:

Here is my first shot at rules in Kerio they are 1 set but must show in 2 jpg's.

Fire away at will with the flaws you see!

I have done no work on ip restrictions yet and Rick I haven't inserted the stop mail client requests, what would that rule look like?

I know my isp's incoming and outgoing host names so I can get their ip/ip ranges.

herbalist
August 9th, 2007, 12:38 AM
I saw where Stem mentioned you're behind a hardware firewall and router. Instead of asking you all the questions again about how this is set up, I'll let him handle all the network-related configuration since he knows what your setup is. This affects your DNS, DHCP, some SVChost rules, and that LAN subnet bypass rule you've enabled.

As for the rest of the rules, the blocking rule for Kerio serves no purpose. All that rule does is block Kerio from resolving IP addresses, and then only if you're not using XP's DNS client service. More on that subject here (http://www.wilderssecurity.com/showthread.php?t=180932).
{QUOTE-> I have done no work on ip restrictions yet and Rick I haven't inserted the stop mail client requests, what would that rule look like? <-QUOTE}
I'm using the mail component of Sea Monkey. My mail rules look like these.
[attachments 192474, 192475]
Since Sea Monkey is also my browser in addition to my mail handler, I didn't include other outbound connections in the blocking rule. If I was using a stand-alone mail handler, the blocking rule could include outbound connections. When you follow an allow rule with a block all rule for an application, the blocking rule can be for any IP address. Kerio reads the ruleset from the top and uses the first rule that applies. The address specific allow rule above the blocking rule prevents it from blocking traffic on the needed IP addresses.

Noticed that you have separate permit rules for TCP and UDP for both browsers. You can edit a rule for each to allow both TCP and UDP outbound and have a little less congestion. I'd replace that allow incoming UDP rule for FireFox with a blocking rule for both incoming TCP and UDP, then make one like it for Internet Explorer. Unless there's some site specific service that requires incoming connections, browser connections should be outbound only.
Rick

Jarmo P
August 9th, 2007, 01:45 PM
I use Ask me first setting because it is the one to use to know if anything unusual in connections will be asked.

{QUOTE-> Mail handler, rules. The first rule allows outbound TCP connections to one specific IP address, using ports 25 and 110 only. It's followed by a TCP/UDP blocking rule for all addresses and ports, in both directions. This way, I won't be promted for unwanted connection attempts to the mail handler. <-QUOTE}
I see no reason to block unknown dear Rick.

{QUOTE-> Simplified browser rules, no proxy. The first rule allows outbound on ports 80 and 443 to any address. It's followed by a rule blocking all inbound traffic. <-QUOTE}
Again I see no reason to block. Incoming rules for a browser are not needed in my opinion. Would be curious to get ones.

In my opinion it is too much allowance you give to that game 'Age of Empires' or any before all the system protection rules. At least it is only outgoing connections, but still put them after your basic system rules?

With other firewalls system protection comes as granted. With kerio 2.x you have to MAKE your system protection rules.
I am writing as I see from previous screenshots and maybe not the latest post.

{QUOTE-> Noticed that you have separate permit rules for TCP and UDP for both browsers. You can edit a rule for each to allow both TCP and UDP outbound and have a little less congestion. <-QUOTE}
Having separate rules for TCP and UDP, and also separate rules for some port ranges in TCP etc., is no congestion. That is what rule-based firewalls are made for. Sorry Rick, for disagreeing with some of your comments.

Escalader
August 9th, 2007, 02:15 PM
Hi Jarmo:

I will not venture into your discussion with Rick. However, if my jpg was hard to read on The Games, there is no allowance (your word) for any of them; I have them all denied.

On the mail business, in ZA pro you could set a red x against every single application denying it the power to send/receive Email. So my goal is to use Kerio to allow only my mail client on email. No other application needs to send mail on my PC.

herbalist
August 9th, 2007, 06:34 PM
{QUOTE-> {QUOTE-> Mail handler, rules. The first rule allows outbound TCP connections to one specific IP address, using ports 25 and 110 only. It's followed by a TCP/UDP blocking rule for all addresses and ports, in both directions. This way, I won't be prompted for unwanted connection attempts to the mail handler. <-QUOTE}I see no reason to block unknown dear Rick. <-QUOTE}
Nothing useful can come from allowing unsolicited connections to your mail handler. At best, incoming connection attempts are port scans, looking for a way into your system. They can also be attempts to exploit known vulnerabilities. Either way, they're not carrying anything you'd want to receive, so why allow it?
As for outbound traffic from the mail handler, what benefit is there to letting it connect to places that you don't have accounts at? If your mail handler is trying to connect to places you don't use, your system is probably infected.

It's the same with your browser. Why would you want to allow an unknown site to connect to your system?

A firewall's primary task is controlling internet traffic. Allowing unsolicited connections to applications or system components defeats the purpose of having a firewall. Comparatively few applications and system components need to receive unsolicited incoming connections, what ZA calls server rights. Out of the apps that do need incoming connections, most only need to receive connections of one type from a few specific IP addresses, on specific ports.
{QUOTE-> Having separate rules for TCP and UDP and also separate rules for some port ranges in TCP etc, is no congestion. That is why rulebased firewalls are made for. <-QUOTE}
When the rules for TCP and UDP are different in regards to ports, IP addresses, etc, separate rules serve a purpose. When they're both allow rules with no address or port restrictions, there's no benefit in keeping them separate. Separated, it's one more rule your system has to process for each new browser connection and one more rule on the screen for the user to deal with when editing the ruleset. Why make it harder than it has to be?

My firewall rules reflect the default-deny security policy my system is based on. Allow only what is necessary for correct functioning. Because of that, I'll probably block and/or restrict more than most users would, especially the unknown and unsolicited.
Rick

larryb52
August 9th, 2007, 07:23 PM
Stem, I used to use this version of Kerio but never felt safe using it; your instructions really have me wanting to reload it. Do you have any suggestions for those that still use Sygate and setting that up?

Jarmo P
August 10th, 2007, 02:56 AM
Yes Escalader, I did not notice it was blocked, the game. I only looked it being on top of your ruleset :P

Your goal of not allowing other apps to send mail is fulfilled, since you will get asked if something unknown tries to do that.

{QUOTE-> Nothing useful can come from allowing unsolicited connections to your mail handler. At best, incoming connection attempts are port scans, looking for a way into your system. They can also be attempts to exploit known vulnerabilities. Either way, they're not carrying anything you'd want to receive, so why allow it?
As for outbound traffic from the mail handler, what benefit is there to letting it connect to places that you don't have accounts at? If your mail handler is trying to connect to places you don't use, your system is probably infected.

It's the same with your browser. Why would you want to allow an unknown site to connect to your system? <-QUOTE}
Yes Rick, but I don't see kerio 2.1.5 not blocking those unsolicited connections with the normal 'Ask Me First' setting. It is only if you block something and don't set it to alert or even log, you will not notice any abnormal activity. It is a taste of preference what we are writing about. I have same as you also allowed only special email traffic ports outbound and only to my ISP mail/news servers.
I prefer to not have any block all rule at the bottom of my ruleset either. My preference is to make my allowed rules tight, but also same time not blocking anything unknown beforehand and rather to get a prompt. Same time I don't like to get prompts for the internet accessing applications, so they have rules made for all normal traffic. Even Internet Explorer that is controlled instead for execution by ProcessGuard.

larryb52, there is my guide for Sygate in my signature and there is also this link to a page I made for additional rulemaking information:
http://www.kotiposti.net/string/SPF_eng/SPF_rulemaking.html
I feel as safe with Kerio 2.1.5 as with Sygate. Kerio 2.1.5 has more ease in rulemaking and allows importing/exporting rules, which Sygate free does not. Sygate's log is much more "deluxe" than Kerio's, but then Kerio allows logging every rule, even those system rules that go hidden with SPF.

larryb52
August 10th, 2007, 06:39 AM
{QUOTE-> Yes Escalader, I did not notice it was blocked, the game. I only looked it being on top of your ruleset :P

Your goal of not allowing other apps to send mail is fulfilled, since you will get asked if something unknown tries to do that.


Yes Rick, but I don't see kerio 2.1.5 not blocking those unsolicited connections with the normal 'Ask Me First' setting. It is only if you block something and don't set it to alert or even log, you will not notice any abnormal activity. It is a taste of preference what we are writing about. I have same as you also allowed only special email traffic ports outbound and only to my ISP mail/news servers.
I prefer to not have any block all rule at the bottom of my ruleset either. My preference is to make my allowed rules tight, but also same time not blocking anything unknown beforehand and rather to get a prompt. Same time I don't like to get prompts for the internet accessing applications, so they have rules made for all normal traffic. Even Internet Explorer that is controlled instead for execution by ProcessGuard.

larryb52, there is my guide for Sygate in my signature and there is also this link to a page I made for additional rulemaking information:
http://www.kotiposti.net/string/SPF_eng/SPF_rulemaking.html
I feel as safe with Kerio 2.1.5 as with Sygate. Kerio 2.1.5 has more ease in rulemaking and allows importing/exporting rules, which Sygate free does not. Sygate's log is much more "deluxe" than Kerio's, but then Kerio allows logging every rule, even those system rules that go hidden with SPF. <-QUOTE}


I'll check out your Sygate setup but will work on setting up Kerio again. I'm running NOD32 and I always liked it because of its lightness, thanks...

samia
August 10th, 2007, 02:58 PM
For Frenchies and others, take a look at
http://kerio215.free.fr/

herbalist
August 11th, 2007, 07:18 PM
{QUOTE-> I don't see kerio 2.1.5 not blocking those unsolicited connections with the normal 'Ask Me First' setting. It is only if you block something and don't set it to alert or even log, you will not notice any abnormal activity. <-QUOTE}
When set to either "ask me first" or "deny unknown", Kerio will block everything not permitted by rule. The only difference is whether it alerts the user to that connection attempt. I find the "deny unknown" setting to be too restrictive. There's too many instances where this setting could prevent an app from working, especially if the user has address specific rules. Likewise, the "ask me first" setting can result in way too many useless prompts.

I realize that everyone has their own specific needs and preferences, and that it's next to impossible to make specific rules for someone without knowing those preferences in detail. The firewall rules on my test units for instance are quite different from those on my primary unit, which other people also use. Except for the specific apps that might require it, my rules don't alert me to incoming connection attempts, port scans, etc. IMO, it's not important to know when they happen. They're outside of my control and as long as the firewall blocks them, those alerts just get in the way of whatever I'm doing. When I set up rulesets for another user, incoming connections to apps that don't need them (like the mail handler) get blocked silently. My reason for that is to prevent them from unknowingly allowing a malicious connection attempt. Too many will just click "allow" just to get rid of the prompt.

Regarding outbound connections by apps like the mail handler, I block them on both my primary box and on those I set up for others. The only thing I change is whether Kerio alerts them to the blockage or just logs it. Again, it's to prevent them from permitting a potentially malicious connection. IMO, if a user wants to investigate the unknown and has the ability to do so, they can always edit the rules.

Most users I know don't want to be prompted about every prevented attack. They want the security-ware to stay out of the way and do its job silently.
Rick

Escalader
August 12th, 2007, 10:47 AM
Hi Rick my questions and comments for you in red inside your post ( keeps me OT!)

{QUOTE-> When set to either "ask me first" or "deny unknown", Kerio will block everything not permitted by rule.

I'm using ask me first. I like this idea of blocking everything not permitted, so when you review my current attached rules, see if I have undermined or duplicated Kerio using that approach. Example: if I haven't allowed the games at the top, why do I need any blocking rules for them? Is it because some "bad" applications try to use permitted ones to gain access?

The only difference is whether it alerts the user to that connection attempt. I find the "deny unknown" setting to be too restrictive. There's too many instances where this setting could prevent an app from working, especially if the user has address specific rules.

Okay, I don't use this setting

Likewise, the "ask me first" setting can result in way too many useless prompts.

I don't seem to be experiencing that yet! Can you give me an example of a useless prompt?

I realize that everyone has their own specific needs and preferences, and that it's next to impossible to make specific rules for someone without knowing those preferences in detail. The firewall rules on my test units for instance are quite different from those on my primary unit, which other people also use. Except for the specific apps that might require it, my rules don't alert me to incoming connection attempts, port scans, etc. IMO, it's not important to know when they happen. They're outside of my control and as long as the firewall blocks them, those alerts just get in the way of whatever I'm doing. When I set up rulesets for another user, incoming connections to apps that don't need them (like the mail handler) get blocked silently.

Right, so far I have not got any log entries from Kerio! I must have some setting wrong OR I don't grasp where they are stored! Comments please.

My reason for that is to prevent them from unknowingly allowing a malicious connection attempt. Too many will just click "allow" just to get rid of the prompt.

Agreed, but I won't make that error, if I don't know what the prompt means I click deny.

Regarding outbound connections by apps like the mail handler, I block them on both my primary box and on those I set up for others. The only thing I change is whether Kerio alerts them to the blockage or just logs it. Again, it's to prevent them from permitting a potentially malicious connection. IMO, if a user wants to investigate the unknown and has the ability to do so, they can always edit the rules.

Agreed, can you review my rules on the mail server business, since I have kerio set to ask me and it denies if not permitted, wouldn't my 2 rules or draft MS Outlook settings just allow it to do mail denying all other to send / receive email on my PC?

Most users I know don't want to be prompted about every prevented attack. They want the security-ware to stay out of the way and do its job silently.

Yes, but for now I'm in learning mode and don't mind, but I have not 1 alert on something Kerio prevented? Some simple thing I'm missing again.:-[


Rick <-QUOTE}

herbalist
August 12th, 2007, 11:43 AM
Escalader,
I've finally got a new copy of the default ruleset for XP. Kerio's default ruleset for XP is more vulnerable than its 98 equivalent.
These are Kerio's default rules for XP. I've circled several that need attention in both the default ruleset and yours. Since you're behind a router and assuming it's blocking these ports, they aren't as serious as they could be. Run a port scan to be sure they are blocked. Router configuration matters here.
[attachment 192553]
Microsoft-DS, port 445 More info on this port/service here (http://www.grc.com/port_445.htm). Unless you have a specific need to share files on a network, change this rule to block, both directions.

LSA Shell (kerberos), port 88 More on this here (http://en.wikipedia.org/wiki/Kerberos_(protocol)) and here (http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci212437,00.html) Unless you specifically use this service, block this port. If you're unsure, just uncheck the rule. This way, you'll be prompted if a connection attempt is made. This rule is for both directions, so check any incoming connection requests closely.

Winlogon, LDAP, LSA Shell, port 389 and others More info on WinLogon (http://en.wikipedia.org/wiki/Winlogon), LSA subsystem service (http://en.wikipedia.org/wiki/Local_Security_Authority_Subsystem_Service), Security Implications (http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx). Port 389 serves multiple purposes, much of which involves remote access. Without knowing your specific needs, I'd uncheck these rules but don't delete them. If you're prompted for any of these and are not sure if it's actually necessary, deny it once and see if everything still works. Windows services are good at asking for more than you need and some of these open ports for incoming connections you probably don't use. If everything still works with connections blocked, you can edit them to block permanently.

Generic Host Process (SVChost.exe) can be a problem as it includes many services, some of which you may use, the DNS client service being one possibility. Often multiple instances of SVChost are running. More info here (http://en.wikipedia.org/wiki/SVChost.exe), and here (http://support.microsoft.com/kb/314056). The alerts may or may not identify the specific service, but will identify the requested port number. A Google search for SVCHOST with the port number should lead you to the service in question. SVChost also performs the functions that rundll did on 9X systems, namely enabling DLLs to run as executables. Some malware is in the form of DLLs, making both SVChost and Rundll targets. Don't allow incoming access to these. With a few exceptions, SVChost can be denied outbound internet access with no ill effects. Using the deny option without actually making a permanent rule is the easiest way to sort through it.

Your ruleset also allows Application Layer Gateway (Alg.exe) to connect out. This process is involved in internet connection sharing. More info here (http://en.wikipedia.org/wiki/Alg.exe), and here (http://www.blackviper.com/WinXP/Services/Application_Layer_Gateway_Service.htm).
Unless you specifically need it, you may want to block this as well.

You might also want to look into disabling some of the unnecessary services in addition to denying them internet access. Black Viper (http://www.blackviper.com/WinXP/servicecfg.htm) has a lot of info on this. If you decide to try disabling services, make a system backup first and go slowly, one or two at a time, making sure everything you use still works.

Rick
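The post above says to run a port scan to confirm the router really blocks the ports the default XP ruleset opens. The following is an added example (not from the thread, not Kerio's code) of a minimal TCP connect probe for exactly those ports. The host `192.0.2.1` is an RFC 5737 placeholder; substitute your router's WAN address and run the probe from a host that is *outside* the router, because a scan from a LAN peer only exercises the PC firewall, not the router. The `connect` parameter exists so the logic can be exercised offline with a fake connector.

```python
"""
External exposure check for the ports the default XP ruleset opens.
Illustrative example, not from the thread or from Kerio.

Run it from OUTSIDE the router (another network, or a host that is not
behind it) against the router's WAN address; a scan from a LAN peer only
tests the PC firewall, not the router.
"""
import socket
from typing import Callable, Dict

# Service labels follow the default-ruleset review in the thread; 135/139 added
# because they are the other classic Windows listeners in the same family.
DEFAULT_XP_PORTS: Dict[int, str] = {
    445: "Microsoft-DS (SMB over TCP)",
    88: "Kerberos (LSA Shell)",
    389: "LDAP (Winlogon / LSA Shell)",
    135: "RPC endpoint mapper",
    139: "NetBIOS session",
}

Connector = Callable[[str, int], bool]


def tcp_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """Plain TCP connect probe: True if something completed the handshake."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        return sock.connect_ex((host, port)) == 0


def exposed_ports(host: str, ports: Dict[int, str] = DEFAULT_XP_PORTS,
                  connect: Connector = tcp_open) -> Dict[int, str]:
    """Return {port: service} for every port that accepted a connection."""
    return {port: name for port, name in ports.items() if connect(host, port)}


def report(host: str, connect: Connector = tcp_open) -> str:
    """Human-readable summary; one line per reachable port."""
    found = exposed_ports(host, connect=connect)
    if not found:
        return f"{host}: none of {sorted(DEFAULT_XP_PORTS)} reachable"
    return "\n".join(
        f"{host}:{port} REACHABLE - {svc}; block it in Kerio and close it on the router"
        for port, svc in sorted(found.items())
    )


if __name__ == "__main__":
    import sys
    # 192.0.2.1 is an RFC 5737 placeholder; pass the real WAN address instead.
    print(report(sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"))
```

A connect probe only tells you whether the handshake completed; a port that is filtered (no reply) and one that is closed (RST) both come back as not reachable, which is fine for this purpose since either way the service is not exposed.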

herbalist
August 12th, 2007, 11:52 AM
Didn't see that you'd posted before my last one.

herbalist
August 12th, 2007, 12:34 PM
{QUOTE-> I'm using ask me first. I like this idea of blocking everything not permitted so when you review my current attached rules, see if I have undermined or dupicated Kerio using that approach. Example if I haven't allowed the games at the top, why do I need any blocking rules for them? Is it because some "bad" applications try to use permitted ones to gain access? <-QUOTE}
My reason for blocking rules at the top is so global rules (those that aren't specific to any application) aren't utilized by the blocked apps. Example: if the DNS rules are above the rules that block a specific application, that app can connect using the DNS rule. If your question was more to the effect of "Why block what I haven't specifically allowed?", it's to keep apps you don't want to have internet access from asking for it.
{QUOTE-> I don't seem to be experiencing that yet! Can you give me an example of a useless prompt? <-QUOTE}
Ever used a firewall that alerted you every time it blocked a port scan or incoming connection attempt? Several years back, I used NIS 2002. Every time a port scan touched my PC, it would put that alert in the middle of whatever I was doing, at times every few minutes. It always called the port scan a "WinCrash attack". Drove me nuts. I consider alerts to port scans and other inbound connection attempts to be useless. I can't prevent them and it's useless to try to track them. All I can do is block them, and that can be done silently. Being behind a router/firewall protects you from a lot of that.
{QUOTE-> Right, so far I have not got any log entries from Kerio! I must have some setting wrong OR I don't grasp where they are stored! Comments please. <-QUOTE}
Kerio is pretty good about logging only what you tell it to. The log is accessible from the status screen menu. Your router also blocks much of what Kerio would normally log. The main log settings are on the advanced screen, miscellaneous tab. Mine used to get filled quickly until I put Smoothwall out front. Now it's primarily for monitoring specific outbound attempts, selected on specific rules using the "log when this rule matches" option.
{QUOTE-> can you review my rules on the mail server business, since I have kerio set to ask me and it denies if not permitted, wouldn't my 2 rules or draft MS Outlook settings just allow it to do mail denying all other to send / receive email on my PC? <-QUOTE}
On the "ask me first" setting, Kerio does block whatever isn't permitted by rule, but it also prompts you about it. Blocking rules eliminate the prompts. I've never used Outlook, but I'd question the rule allowing outbound UDP to anywhere. If outbound UDP is necessary for Outlook, I'd try to make it more specific. Other than that, just make the rules specific to your mail services IPs.

Rick
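The ordering point made in the post above (first matching rule wins, so an application block must sit above any global allow such as DNS, and an address-specific allow must sit above the application's block-all) is easy to get wrong in a long ruleset. The following is an added example, not from the thread and not Kerio's code, that models Kerio 2.x's top-down first-match evaluation with a handful of rules in the order Rick describes. The IP addresses are RFC 5737 placeholders standing in for the ISP's mail server and DNS resolver; the application names are assumed. `BAD_ORDER` is the same ruleset with the global DNS allow moved above the game block, to show the leak.

```python
"""
Kerio 2.x-style first-match rule engine (illustrative example, not Kerio's code).
The first rule that matches decides; nothing below it is consulted.  So an
application-specific block must sit ABOVE any global allow (e.g. DNS), or the
blocked app simply connects through the global rule.
"""
from dataclasses import dataclass
from typing import List, Tuple

ANY = "*"

# Placeholders from RFC 5737 TEST-NET-1; substitute your ISP's real servers.
ISP_POP = "192.0.2.25"     # assumed: ISP mail server (POP3 110 / submission 587)
ISP_DNS = "192.0.2.53"     # assumed: ISP DNS resolver


@dataclass
class Rule:
    name: str
    action: str                          # "allow" or "block"
    app: str = ANY                       # ANY = global rule, not tied to an application
    direction: str = ANY                 # "in", "out" or ANY
    proto: str = ANY                     # "tcp", "udp" or ANY
    remote_ip: str = ANY                 # exact remote address or ANY
    remote_ports: Tuple[int, ...] = ()   # empty = any port
    log: bool = False                    # Kerio's "log when this rule matches"

    def matches(self, app: str, direction: str, proto: str, ip: str, port: int) -> bool:
        return (self.app in (ANY, app)
                and self.direction in (ANY, direction)
                and self.proto in (ANY, proto)
                and self.remote_ip in (ANY, ip)
                and (not self.remote_ports or port in self.remote_ports))


def decide(rules: List[Rule], app: str, direction: str, proto: str, ip: str, port: int,
           unknown: str = "ask") -> Tuple[str, str]:
    """Walk the list top-down; return (action, rule name) of the first match.

    No match falls through to the global setting: "ask" models "Ask me first",
    "block" models "Deny unknown".
    """
    for rule in rules:
        if rule.matches(app, direction, proto, ip, port):
            return rule.action, rule.name
    return unknown, "(no rule matched)"


# The order recommended in the thread: app blocks, then system allows, then app rules.
GOOD_ORDER: List[Rule] = [
    Rule("Block game, all traffic", "block", app="game.exe"),
    Rule("DNS out", "allow", direction="out", proto="udp", remote_ip=ISP_DNS, remote_ports=(53,)),
    Rule("Mail out to ISP only", "allow", app="outlook.exe", direction="out", proto="tcp",
         remote_ip=ISP_POP, remote_ports=(110, 587)),
    Rule("Mail block everything else", "block", app="outlook.exe", log=True),
    Rule("Browser out 80/443", "allow", app="firefox.exe", direction="out", proto="tcp",
         remote_ports=(80, 443)),
    Rule("Browser block inbound", "block", app="firefox.exe", direction="in"),
]

# Same rules, but the global DNS allow placed above the game block.
BAD_ORDER: List[Rule] = [GOOD_ORDER[1], GOOD_ORDER[0]] + GOOD_ORDER[2:]


def game_dns_leaks(rules: List[Rule]) -> bool:
    """True if game.exe can reach the resolver through the global DNS rule."""
    action, _ = decide(rules, "game.exe", "out", "udp", ISP_DNS, 53)
    return action == "allow"


if __name__ == "__main__":
    print("game DNS leak, good order:", game_dns_leaks(GOOD_ORDER))   # False
    print("game DNS leak, bad order: ", game_dns_leaks(BAD_ORDER))    # True
    print(decide(GOOD_ORDER, "outlook.exe", "out", "tcp", ISP_POP, 587))
    print(decide(GOOD_ORDER, "outlook.exe", "out", "tcp", "203.0.113.9", 25))
    print(decide(GOOD_ORDER, "firefox.exe", "in", "tcp", "203.0.113.9", 1234))
    print(decide(GOOD_ORDER, "firefox.exe", "out", "udp", "203.0.113.9", 6112))
    print(decide(GOOD_ORDER, "firefox.exe", "out", "udp", "203.0.113.9", 6112, unknown="block"))
```

The last two calls show the difference between the two global settings that the thread argues over: with nothing matching, "Ask me first" prompts, "Deny unknown" silently drops. The mail handler never reaches either setting, because its own block-all rule catches whatever the address-specific allow above it did not.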

Escalader
August 12th, 2007, 12:49 PM
{QUOTE-> Didn't see that you'd posted before my last one. <-QUOTE}

That's okay Rick. Thanks, for all your work on my set up! As it is learning thread I really hope others on Kerio will benefit as well as myself.

Your posts have given me knowledge and work to do.

On services on or off I will hold until the setting work is done, then proceed as you say one service at a time. Stem helped me earlier and I turned off some services and have had no ill effects.

So now I will go away and do the work alter my settings and report back in a few days.

Take it easy.

lucas1985
August 12th, 2007, 02:09 PM
A nice Kerio 2 Rule Set Tutorial (http://www.urs2.net/rsj/computing/kerio/index.html) :)

Escalader
August 26th, 2007, 10:53 PM
Hello Herb, Stem and lucas1985:

Been fishing in other lakes lately, so just got back to posting my Kerio 2.1.5 FW rules. Tried to carry out most of the learnings offered, but would like your comments on this version 2. Be as blunt as you want; it is faster! 8)

Stem, Herb has left the lan and other network settings to you please!

I'm still having trouble stopping BD reporting back from using my Outlook email settings, so any ideas on that would be good. I have the IP blocked on PG2, but then Outlook craps out saying it can't process, and other normal email won't come in, so I turned off the rule.

Thanks in advance, ;D

Stem
August 26th, 2007, 11:16 PM
Hello Escalader,

I would need to see all your rules before I could comment/help (your pic only shows a section of these)

Escalader
August 26th, 2007, 11:34 PM
{QUOTE-> Hello Escalader,

I would need to see all your rules before I could comment/help (your pic only shows a section of these) <-QUOTE}

Okay, sorry I'll post multiple jpg's tomorrow!

Going to turn in now!

Stem
August 27th, 2007, 12:01 AM
{QUOTE-> I'll post multiple jpg's tomorrow! <-QUOTE}OK.

We will need to go through all rules, for example:-

DHCP: are you actually using this, or have you fixed your IP?
In Time Exceeded: This reply will not get past your AlphaShield.
LAN bypass: I thought you wanted to keep the LAN as internet?
etc. etc.

herbalist
August 27th, 2007, 07:10 AM
Stem,
Regarding
{QUOTE-> Stem, Herb has left the lan and other network settings to you please! <-QUOTE}
I don't know the specifics of the network that Escalader is using: how many PCs, hardware firewall, static or dynamically assigned IPs, etc. Since you've already been working with Escalader on this, I didn't want to duplicate and probably undo the work you've already done.
Rick

Escalader
August 27th, 2007, 02:27 PM
{QUOTE-> OK.

We will need to go through all rules, for example:-

DHCP: are you actually using this, or have you fixed your IP?
In Time Exceeded: This reply will not get past your AlphaShield.
LAN bypass: I thought you wanted to keep the LAN as internet?
etc. etc. <-QUOTE}

Stem:

1) Please see the attached 2 jpg's I promised last night
2) My IP comes from the ISP and stays fixed for up to say 2 to 3 weeks
3) Even though it makes more work, I want to assume that the AlphaShield may not always be in use! If I want to do a scan, or it fails, then the FW will catch what it needs to catch! Maybe I'm crazy. But like we said, trust nothing
4) I do want to keep the LAN / router as internet. In Services, DHCP is set to automatic; should I disable this service or set it to manual in case it is needed when my IP address does change? Maybe I'm confused again!:-[

Fire away guys! Show no mercy!8)

Stem
August 27th, 2007, 11:23 PM
{QUOTE-> I do want to keep the Lan / router as internet, in services DHCP is set to automatic, should I disable this service or set it to manual in case needed when my ip address does change. <-QUOTE}Your external IP (issued by your ISP) will be obtained by your router; this will renew when needed (any settings for DHCP on your PCs will not alter this). Your PCs on your LAN will obtain their IPs from the router (if the PC is set for this).

Let's have a quick look through your rules:-

I will just go through the "allow" rules.

Microsoft office: I don't use this, so the rules mean nothing to me. If you are using this, then I presume you know what these connections are for?

DNS: Normally, I would enter the DNS server IPs into the rule. But for you, it would depend if your DNS servers are fixed (do not change)

LAN subnet bypass: You should disable or remove this rule (as you want to keep your PC isolated from the other PCs on your LAN).

Standard loopback: Not really a problem to allow this, unless you are using any sort of local proxy (such as, for example, the HTTP scanner in KAV)

DHCP: This is to obtain the IP for your PC (private LAN IP), not the IP from your ISP. It's not really an issue to use DHCP on your home LAN, so if your PC is set up to obtain an IP automatically, then you can leave this

Intime Exceeded: As you have already blocked outbound "ping", this rule will not be used. You can disable it.

Windows logon: Are you actually using this? Some info (http://www.grc.com/port_389.htm)

Generic host process: You need to look at this. The rule is allowing all outbound. You have a rule in place to allow DHCP and DNS. I presume your main need for this would be for windows updates?

Application Layer Gateway: This is basically an FTP client. You should not even need this process/service, I would certainly (at minimal) disable this rule.

Reply from NTC service: Windows time sync. Leave if you use this.

Microsoft help centre: Do you use windows help? If you do, do you want it connecting to microsoft each time?

Firefox/IE: I personally restrict these to the remote posts needed, but this is up to yourself.

The rest of the rules are mainly for your software updates. So I will leave these, apart from the:-
Sysinternals process explorer: As this is now part of microsoft, do you know where this is connecting? I am not sure why this needs to connect out

Escalader
August 28th, 2007, 12:58 PM
Stem:

Right, I'll make those improvements and post back results, will take a while.

Saw your posts on new PC tools FW so that was interesting.

More later

Escalader
September 11th, 2007, 08:06 PM
Hello:

Been busy elsewhere.

Turns out the Kerio 2.1.5 has a corrupt driver fwdrv.sys.

It impacts Windows xp sp2 not win 98. It causes a BSOD stop when running Perfect Disk defrag program.

I have replaced it with Sunbelt Personal FW on a 30 day trial.

It allows the import of the saved rules from Kerio plus a HIPS, NIPS and Behavior Blocking.

So, we will have to either drop this thread, do nothing or convert it to Sunbelt learning thread.

Makes no difference to me what is decided.

If anybody wants to ask me a Kerio question I will try to answer you.

Peter2150
September 11th, 2007, 09:05 PM
{QUOTE-> Hello:

Been busy elsewhere.

Turns out the Kerio 2.1.5 has a corrupt driver fwdrv.sys.

It impacts Windows xp sp2 not win 98. It causes a BSOD stop when running Perfect Disk defrag program.

I have replaced it with Sunbelt Personal FW on a 30 day trial.

It allows the import of the saved rules from Kerio plus a HIPS, NIPS and Behavior Blocking.

So, we will have to either drop this thread, do nothing or convert it to Sunbelt learning thread.

Makes no difference to me what is decided.

If anybody wants to ask me a Kerio question I will try to answer you. <-QUOTE}

If you switch to Sunbelt, starting a new thread would be most appropriate.

Pete

herbalist
September 11th, 2007, 10:51 PM
I haven't had a problem with Kerio 2.1.5 on an XP box, but none of them used Perfect Disk Defrag either. Too bad this problem didn't show up earlier.
Rick

Escalader
September 12th, 2007, 01:36 PM
{QUOTE-> I haven't had a problem with Kerio 2.1.5 on an XP box, but none of them used Perfect Disk Defrag either. Too bad this problem didn't show up earlier.
Rick <-QUOTE}

Agreed! See PM.

InfinityAz
September 12th, 2007, 02:12 PM
{QUOTE-> It causes a BSOD stop when running Perfect Disk defrag program. <-QUOTE}

Escalader,

The issue with PD has been known for a while and Raxco recommends not running Kerio 2.x because of it. This is the only reason I'm not running Kerio 2 on my machines (they all have PD).

Escalader
September 12th, 2007, 07:19 PM
{QUOTE-> Escalader,

The issue with PD has been known for a while and Raxco recommends not running Kerio 2.x because of it. This is the only reason I'm not running Kerio 2 on my machines (they all have PD). <-QUOTE}

TY:

Yes, found this out only yesterday from PD.

It's a slip up not checking with PD and other vendors before proceeding with this learning thread:-[ Why I had to relearn this while working on Kerio FW piece of my layers/component is unforgivable! It will NOT happen again.

More later on next steps.

herbalist
September 12th, 2007, 08:16 PM
It's odd that this is only a problem with PD, unless there's others I haven't heard of. I'm not familiar with PD, doesn't run on my box. I just use the windows defrag. Do you still have Kerio installed or have an image of that setup you can restore? If you do, I have an idea you could try. I won't have access to an XP unit with Kerio on it until late tomorrow, so I can't check if it behaves the same way as it does on a 98 box. On 98, when you shut Kerio down via the tray icon, it doesn't kill the process. I have to use either SSM or Process Explorer to kill the process itself. On XP, you'd probably have to shut down the service. If PD is trying to move files for a process that's still active, that could explain the problem. If you still have Kerio installed or an image of that setup, try killing the Kerio process instead of just shutting it down, then run PD.
Rick

herbalist
September 12th, 2007, 08:26 PM
{QUOTE-> It's a slip up not checking with PD and other vendors before proceeding with this learning thread. Why I had to relearn this while working on Kerio FW piece of my layers/component is unforgivable! It will NOT happen again. <-QUOTE}
If you make it a policy to make a system backup before installing a new app, you'll always have an easy way to get back to where you started, without having to worry if the uninstaller removed everything. I made that mistake on my primary unit before I had imaging software. An install caused BSODs that wouldn't stop, even after removing the new app in safe mode. It took 114 separate installs of apps, patches, updates, etc to get back what I had. With configuring, it was 2 full days wasted.
Rick

Escalader
September 13th, 2007, 08:21 PM
{QUOTE-> If you make it a policy to make a system backup before installing a new app, you'll always have an easy way to get back to where you started, without having to worry if the uninstaller removed everything. I made that mistake on my primary unit before I had imaging software. An install caused BSODs that wouldn't stop, even after removing the new app in safe mode. It took 114 separate installs of apps, patches, updates, etc to get back what I had. With configuring, it was 2 full days wasted.
Rick <-QUOTE}

Rick:

That 2 days you spent was worse than this for sure.

I have imaging software and frequent backups but only one had to use it when a chkdsk /f nearly destroyed my set up. Used the dvd image and bootable cd to bring it back up.

Escalader
September 13th, 2007, 08:26 PM
{QUOTE-> It's odd that this is only a problem with PD, unless there's others I haven't heard of. I'm not familiar with PD, doesn't run on my box. I just use the windows defrag. Do you still have Kerio installed or have an image of that setup you can restore? If you do, I have an idea you could try. I won't have access to an XP unit with Kerio on it until late tomorrow, so I can't check if it behaves the same way as it does on a 98 box. On 98, when you shut Kerio down via the tray icon, it doesn't kill the process. I have to use either SSM or Process Explorer to kill the process itself. On XP, you'd probably have to shut down the service. If PD is trying to move files for a process that's still active, that could explain the problem. If you still have Kerio installed or an image of that setup, try killing the Kerio process instead of just shutting it down, then run PD.
Rick <-QUOTE}

I've got an XP version of Kerio going now and imported our rules from your version into it, thus preserving our work. The PD driver problem is gone now and it ran fine today. Only thing is I now have 27 days left on the trial version 4.1.3. The higher version has a bug in importing old Kerio rules, so I'm 1 version or so back.

What now?

BlitzenZeus
September 13th, 2007, 11:38 PM
If a disk defrag is having problems with security software as simple as a packet filter, they are doing something wrong. They should be able to fix the problem on their end.

Pick the software firewall you like, and you can configure correctly. Not the one you need help with every 10 minutes 8)

Escalader
September 14th, 2007, 05:09 PM
{QUOTE-> If a disk defrag is having problems with security software as simple as a packet filter, they are doing something wrong. They should be able to fix the problem on their end.

Pick the software firewall you like, and you can configure correctly. Not the one you need help with every 10 minutes 8) <-QUOTE}

In this case, it is a driver incompatibility, not the Disk Defrag. See the following data from the PD KB:

" Article Title:
When I run PerfectDisk on my system, Windows crashes.

Article Details:
There are only 2 things that can cause Windows to crash:

- A hardware component that may be in the process of failing
- A driver that is improperly written and isn't correctly handling a supported operation

There are several 3rd party software programs that have drivers that are known to cause Windows to crash when PerfectDisk is run on the system:

Software / Driver Name

IBM's Rapid Restore / ibmfilter.sys - update available from IBM
EMC/Legato's RepliStor / replistor.sys - fixed in RepliStor Version 6
New Softwares Folder Lock / WinDrvNT.sys
Hide Folder / HF30XP.sys
Universal Shield/Lock Folder / US30XP.sys - update available from Everstrike
BitDefender/FileSpy / filespy.sys and bdfsdrv.sys
Kerio Personal Firewall / fwdrv.sys - update available from Kerio
INVISUS PC Security Solution / fwdrv.sys
RamDiskXP / ramdiskxp.sys
WinAntiVirus PRO / fopn.sys

Please check to see if you have any of the listed programs installed on your computer and click on the appropriate link above for suggested workarounds or bug fixes from the program manufacturer. "

BlitzenZeus
September 14th, 2007, 05:57 PM
Blah blah blah, if they are having problems with so many companies software, they have a real problem, and just telling you not to run it is not the answer.

herbalist
September 14th, 2007, 06:09 PM
I've never used 4.1.3. I have no idea how it compares to 2.1.5, what additional components/functions it contains, or how functional it remains after the trial period. I'd hesitate to use a firewall that is partially crippled trialware as the non-functional features could still conflict with other functional software that performs the same tasks. If it were my PC, I'd try to find a way around the conflict with PD so I could keep using 2.1.5.
Rick

Escalader
September 14th, 2007, 06:18 PM
{QUOTE-> I've never used 4.1.3. I have no idea how it compares to 2.1.5, what additional components/functions it contains, or how functional it remains after the trial period. I'd hesitate to use a firewall that is partially crippled trialware as the non-functional features could still conflict with other functional software that performs the same tasks. If it were my PC, I'd try to find a way around the conflict with PD so I could keep using 2.1.5.
Rick <-QUOTE}

Rick/BlitzenZeus:

I agree with you guys. I don't like this 4.x stuff they have other duplicate shields and will charge us for a FW. :thumbd:

I'm moving back to 2.1.15, I'll import BlitzenZeus's rules and rebuild my rules from scratch.

See you both later!

Live and learn.

Update:

2.1.5 reloaded, BlitzenZeus's rules imported, all daily applications working so far fine!

Will now start adding applications to allow / not , then I will reinsert the Stem network advice then the Herbalist advice.

BlitzenZeus, what's the real story on this fwdrv.sys from 2003? I've seen a lot of "data" on it being an issue!
Do you have it on your setup or is there an upgrade somewhere?

Jarmo P
September 15th, 2007, 05:26 AM
{QUOTE-> 2.1.5 reloaded, BlitzenZeus's rules imported, all daily applications working so far fine!

Will now start adding applications to allow / not , then I will reinsert the Stem network advice then the Herbalist advice. <-QUOTE}

So you did not have your own ruleset to come back with saved?

Kerio 2.1.5 is one of the easiest firewalls to reinstall. Uninstalls easily in my experience too, and I always come back to it after getting disappointed with others (Sygate is ok though, kind of, if accepting the loopback address shortcoming with local proxy software and the default "act as server" right).

I might try Comodo's 3 when it comes out of beta to see if basic firewall functions are improved from 2.4. Quite sure though that I will be disappointed, again, lol. Not to mention what to do with my current HIPS's PG free and Prevx2.

Jarmo

EASTER
September 15th, 2007, 07:12 AM
Have stayed with Kerio 2.15 since windows 98 days when that system was all we had along with NT & Me.

It's an almost perfect firewall with reliable results time and again. The longevity of it over all this time and over ALL others proves this out.

Escalader
September 15th, 2007, 09:36 AM
Hi Jarmo! Good you are still posting! My comments are embedded in your post as usual. - added proper quoting

{QUOTE-> So you did not have your own ruleset to come back with saved? <-QUOTE}Yes, I did have my own rule set(s) on a USB stick! But I wasn't that proud of them they were my first Kerio rules and I built them over many weeks sometimes getting confused. So I wanted to start with BlitzenZeus's advanced rules as a base follow his off line install procedure for what was known about my set up. I am now going back over all advice in this thread from post 1 up and rethinking then making changes in my rules as required!

{QUOTE-> Kerio 2.1.5 is one of the easiest firewalls to reinstall. Uninstalls easily in my experience too, and I always come back to it after getting disappointed with others (Sygate is ok though, kind of, if accepting the loopback address shortcoming with local proxy software and the default "act as server" right). <-QUOTE}Agree with you, as others have disappointed me as well. I don't know anything about Sygate, but that is OT most likely for mods.

{QUOTE-> I might try Comodo's 3 when it comes out of beta to see if basic firewall functions are improved from 2.4. Quite sure though that I will be disappointed, again, lol. Not to mention what to do with my current HIPS's PG free and Prevx2. <-QUOTE}Agree again, my posts over there speak on their own. Don't think a vendor should design FWs by polling users that know less than I do!:o

What defrag do you use with Kerio 2.1.5?

Escalader
September 15th, 2007, 09:42 AM
Hello Easter! Mine are embedded. - added proper quoting

{QUOTE-> Have stayed with Kerio 2.15 since windows 98 days when that system was all we had along with NT & Me. <-QUOTE}Good! Are you running Kerio 2.1.5 with XP sp2? What defrag program are you using?

{QUOTE-> It's an almost perfect firewall with reliable results time and again. The longevity of it over all this time and over ALL others proves this out. <-QUOTE}Hmm, you are right, no software is perfect. Can you tell the thread about its flaws and, if known, the ways you may have mitigated them?

If that is not what you want to do on open thread I understand there is always PM's!

Stem
September 15th, 2007, 03:43 PM
Hello Escalader,
{QUOTE-> So I wanted to start with BlitzenZeus's advanced rules as a base <-QUOTE}You should, with the amount of firewalls you have looked at, be at a stage of being able to create your own ruleset.

Complete rulesets are normally generic, and based on the needs of many users. You have your own needs for Internet use, so show this with your own ruleset.
Start with system apps, then updaters, then your browser.

Regards,

Jarmo P
September 16th, 2007, 02:27 AM
I seldom defrag. But if I would do that, just the normal thing that comes with XP os.
That has no problem with kerio 2.1.5.

Disk fragmentation is not something I care about, since I have an almost empty HD and also large memory. Running all the time inside Sandboxie might cause some fragmentation though, but I consider the tiny performance hit not something worth defragging for.

What Stem suggests, deleting all the rules and building from scratch, is of course the most personal way. I prefer using BZ's or some other template as a starting point. There are many rule blockings that probably do not concern a particular system, but it does no harm to have them.
The DNS and DHCP rules should be tightened, but this has been discussed in this thread already, as also in BZ's default replacement thread.

I would remove the standard loopback rule and make localhost address rules separate for the apps that need it. I think Rick commented also about that in here. This way no local proxy type software is making a tunnel through which programs can go out to the internet without you getting asked.

Escalader
September 16th, 2007, 12:20 PM
{QUOTE-> Hello Escalader,
You should, with the amount of firewalls you have looked at, be at a stage of being able to create your own ruleset.

Complete rulesets are normally generic, and based on the needs of many users. You have your own needs for Internet use, so show this with your own ruleset.
Start with system apps, then updaters, then your browser.

Regards, <-QUOTE}

Hi Stem:

Well yes! I'm doing exactly that. The level I'm actually at and the level I should be at may differ but that's okay. :-\

My scheme is simple to describe. If anybody sees a missing task just tell me and I'll consider it/add it.

1) DONE: Load BlitzenZeus's advanced rules into my Kerio 2.1.5
2) UNDERWAY: Adjust rules based on previous advice from this thread and earlier ones for systems apps, and browser, my ISP server finally in Primary DNS server
3) DONE: Security applications rules in place,
4) DONE: Limitation on email seems to work finally (logged) some blocks!
5) NOT DONE: provide rules for review here in the thread

BTW, earlier you asked about why that procexp.exe connects out.
Seems it goes to 199.7.54.190:80 it wants to verify the digital signatures of each application. On whois I get

Reports no PTR record (NXDOMAIN)

So for now I've removed this application. (when in doubt remove)

Escalader
September 16th, 2007, 12:37 PM
Hi Jarmo:

I'm forgetting about defrag issues for now. They came up and distracted me ( easy to do)

I'm like you a bit I like the template since I can always remove rules not relevant to my set up and it certainly provided a set I would not have produced my self (well some rules anyway).

What was interesting was that some of those "new" template rules logs showed up some new outgoing/incoming probes! Those packets passed through my H/W FW. So to me they were technically formed properly and shows what a SW FW can do!

I just add those ip's to PG 2 as permanent blocks.

On your quote ( not new I know)

"I would remove the standard loopback rule and make localhost address rules separate for the apps that need it. I think Rick commented also about that in here. This way no local proxy type software is not making a tunnel through which programs can go out to internet without you getting asked."

Can you help me a bit by posting your examples here since I think Stem told me earlier the standard loopback was okay in my case.:-\

On the localhost address rules have you got an example of that?

If you haven't the time don't worry since you can always comment on my "new" rules when I post them.

{QUOTE-> I seldom defrag. But if I would do that, just the normal thing that comes with XP os.
That has no problem with kerio 2.1.5.

Disk fragmentation is not something I care about, since I have an almost empty HD and also large memory. Running all the time inside Sandboxie might cause some fragmentation though, but I consider the tiny performance hit not something worth defragging for.

What Stem suggests, deleting all the rules and building from scratch, is of course the most personal way. I prefer using BZ's or some other template as a starting point. There are many rule blockings that probably do not concern a particular system, but it does no harm to have them.
The DNS and DHCP rules should be tightened, but this has been discussed in this thread already, as also in BZ's default replacement thread.

I would remove the standard loopback rule and make localhost address rules separate for the apps that need it. I think Rick commented also about that in here. This way no local proxy type software is making a tunnel through which programs can go out to the internet without you getting asked. <-QUOTE}

herbalist
September 16th, 2007, 01:16 PM
Here's an example of a rule allowing loopback connections from Sea Monkey to Proxomitron which is configured to use port 8080.
193432
This differs from BZs loopback rule in that it only allows loopback for Sea Monkey and only to remote port 8080. I also used a single IP instead of a network mask.

This rule blocks all loopback not specifically allowed by rules above it in the ruleset. The "allow" rules for both Sea Monkey and Proxomitron need to be located above this rule.
193433

Rick

Jarmo P
September 16th, 2007, 01:49 PM
Rick was fast and gave an example.
As I don't have any 'Any application' loopback rule, I get a popup when the localhost address is needed. So I add a rule, for example, to Firefox:
Mine is not restricted. It is: Allow UDP/TCP Out, Any port, to address 127.0.0.1, Any port. Firefox is no baddie, so I don't restrict that rule. But it is quite ok to do that too, like Rick does for the SeaMonkey browser.

If I happened to have a "baddie program" and was also running a local proxy like Avast's WebShield or Proxomitron, I would get a popup of that baddie wanting to go out by kerio 2.1.5, since I have no "global" loopback rule. But if I had that standard loopback any app rule, the baddie program would go out. Without my knowledge.

Again Rick prefers to block unknown in his second example and I prefer to use 'ask me first' firewall feature to know if there is something wanting to run in my system that I like to have control indication from my firewall. It is a matter of preference of how to use the firewall.
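
The two loopback styles Rick and Jarmo describe above (a generic "Standard loopback" any-application allow versus a per-application allow followed by a block-all-loopback rule) come down to how an ordered, first-match ruleset is evaluated. The following is an added example, written for this thread and not code from Kerio or from any poster; it simulates Kerio-style top-to-bottom matching with constructed application names, rule names and sample connections. The port 8080 SeaMonkey-to-Proxomitron rule follows Rick's post; the IP 203.0.113.10 is a documentation (TEST-NET-3) address chosen for the sample.

```python
"""Ordered first-match packet-filter evaluation, Kerio 2.1.5 style.

Added example for the loopback discussion: not Kerio's code and not any
poster's ruleset. Application names, rule names and packets are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ANY = None  # wildcard in a rule field (the "Any" choice in the rule dialog)


@dataclass(frozen=True)
class Packet:
    """One connection attempt as the firewall sees it (constructed sample)."""
    app: str          # image name of the process making the connection
    proto: str        # "TCP" or "UDP"
    direction: str    # "out" or "in"
    remote_ip: str
    remote_port: int


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                       # "allow" or "deny"
    app: Optional[str] = ANY          # ANY = an "Any application" rule
    proto: Optional[str] = ANY
    direction: Optional[str] = ANY
    remote_net: Optional[str] = ANY   # single address or CIDR ("network mask" form)
    remote_port: Optional[int] = ANY

    def matches(self, pkt: Packet) -> bool:
        if self.app is not ANY and self.app.lower() != pkt.app.lower():
            return False
        if self.proto is not ANY and self.proto != pkt.proto:
            return False
        if self.direction is not ANY and self.direction != pkt.direction:
            return False
        if self.remote_net is not ANY and ip_address(pkt.remote_ip) not in ip_network(self.remote_net, strict=False):
            return False
        if self.remote_port is not ANY and self.remote_port != pkt.remote_port:
            return False
        return True


def evaluate(rules: List[Rule], pkt: Packet, default: str = "ask") -> Tuple[str, Optional[str]]:
    """First matching rule wins, top to bottom. No match falls through to the
    firewall default: "ask" for 'ask me first', "deny" for 'deny unknown'."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return default, None


# Ruleset A: the generic any-application "Standard loopback" allow.
LEAKY_RULES = [
    Rule("Standard loopback", "allow", remote_net="127.0.0.0/8"),
    Rule("Proxomitron out HTTP", "allow", app="proxomitron.exe", proto="TCP", direction="out", remote_port=80),
]

# Ruleset B: per-application loopback allows, then a catch-all loopback block.
# Order matters: the allows must sit above the block.
TIGHT_RULES = [
    Rule("SeaMonkey -> Proxomitron", "allow", app="seamonkey.exe", proto="TCP", direction="out",
         remote_net="127.0.0.1", remote_port=8080),
    Rule("Proxomitron out HTTP", "allow", app="proxomitron.exe", proto="TCP", direction="out", remote_port=80),
    Rule("Proxomitron out HTTPS", "allow", app="proxomitron.exe", proto="TCP", direction="out", remote_port=443),
    Rule("Block all loopback", "deny", remote_net="127.0.0.0/8"),
    Rule("Firefox HTTP", "allow", app="firefox.exe", proto="TCP", direction="out", remote_port=80),
    Rule("Firefox HTTPS", "allow", app="firefox.exe", proto="TCP", direction="out", remote_port=443),
]

# Constructed sample traffic.
BADDIE_VIA_PROXY = Packet("baddie.exe", "TCP", "out", "127.0.0.1", 8080)   # unknown app using the local proxy
SEAMONKEY_VIA_PROXY = Packet("seamonkey.exe", "TCP", "out", "127.0.0.1", 8080)
FIREFOX_HTTPS = Packet("firefox.exe", "TCP", "out", "203.0.113.10", 443)
FIREFOX_ODD_PORT = Packet("firefox.exe", "TCP", "out", "203.0.113.10", 11999)


def compare(pkt: Packet) -> dict:
    """Decision for the same packet under both rulesets."""
    return {"leaky": evaluate(LEAKY_RULES, pkt)[0], "tight": evaluate(TIGHT_RULES, pkt)[0]}


def order_matters() -> Tuple[str, Optional[str]]:
    """Moving the block rule above the SeaMonkey allow silently breaks the proxy path."""
    misordered = [TIGHT_RULES[3]] + TIGHT_RULES[:3] + TIGHT_RULES[4:]
    return evaluate(misordered, SEAMONKEY_VIA_PROXY)


if __name__ == "__main__":
    for label, pkt in [("baddie via proxy", BADDIE_VIA_PROXY), ("seamonkey via proxy", SEAMONKEY_VIA_PROXY),
                       ("firefox https", FIREFOX_HTTPS), ("firefox port 11999", FIREFOX_ODD_PORT)]:
        print(f"{label:20s} {compare(pkt)}")
    print("misordered ruleset, seamonkey:", order_matters())
```

The unknown program reaching the proxy on 127.0.0.1:8080 is allowed outright by the generic loopback rule and never prompts, which is the tunnel Jarmo describes; under the per-application set it hits "Block all loopback". Firefox on port 11999 matches nothing in either set, so the outcome is whatever the firewall default is, which is exactly the 'ask me first' versus 'deny unknown' preference Jarmo and Rick differ on.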

Escalader
September 16th, 2007, 05:10 PM
TY Rick:

I put 2 allows in, one for FF, another for IE and the blocker bringing up the rear!
Did the same for MS Outlook. I don't have a handle on the ports so I'll log them a bit and pick those up there.

{QUOTE-> Here's an example of a rule allowing loopback connections from Sea Monkey to Proxomitron which is configured to use port 8080.
193432
This differs from BZs loopback rule in that it only allows loopback for Sea Monkey and only to remote port 8080. I also used a single IP instead of a network mask.

This rule blocks all loopback not specifically allowed by rules above it in the ruleset. The "allow" rules for both Sea Monkey and Proxomitron need to be located above this rule.
193433

Rick <-QUOTE}

herbalist
September 16th, 2007, 05:23 PM
I tried Firefox on my 98SE testbox. It asked for that loopback connection but seems to work fine without it. Sea Monkey doesn't do that.
If you use apps like A4Proxy, Proxomitron or Privoxy, or use TOR, control over loopback is necessary to prevent data leakage.
{QUOTE-> If I happened to have a "baddie program" and was also running a local proxy like Avast's WebShield or Proxomitron, I would get a popup of that baddie wanting to go out by kerio 2.1.5, since I have no "global" loopback rule. But if I had that standard loopback any app rule, the baddie program would go out. Without my knowledge. <-QUOTE}
Definitely true. The PCAudit2 Leaktest (http://www.firewallleaktester.com/leaktest12.htm) is a good one for checking if your loopback rules are tight and if your firewall properly controls these connections. If they are, you can allow this test to set its hook and still pass it without a HIPS. I'm not one who cares too much for leaktests, too misused as advertising and comparison tools, but this one is very useful.
My firewall status screen after running PCAudit2. Without the blocking rule, I would have been prompted for each app on the screen, half of which aren't internet apps.
193438
Yes, any decent HIPS will detect both the process and the hook. Blocking either defeats the test, but by doing so, you never actually test your firewall or its ruleset. Should the malware writers find a way to embed such code into an application that's already allowed or find a way to inject the code that HIPS doesn't detect, or kill/blind the HIPS, your firewall can still protect you. Why rely on one layer when you can force them to defeat 2 or more in order to succeed?

Yes, I do prefer to block the unknown outright. Others use this PC and they might not know what's legitimate and what isn't. This way, they never see such a prompt.
Rick

Escalader
September 16th, 2007, 05:25 PM
TY Jarmo:

I know, it's now clear to me that there is no one right way to run a FW when it comes to things like faith in FF or not, etc. I don't have Proxomitron, but I do have Webroot, BD AV 2008 and PG 2 working away.

More later.

BTW guys, just so you know, when I returned to Kerio 2.1.5 it was almost with a sense of relief. The FW's that emerged after it, I had no idea what they were doing. 8)

{QUOTE-> Rick was fast and gave an example.
As I don't have any 'Any application' loopback rule, I get a popup when the localhost address is needed. So I add a rule, for example, to Firefox:
Mine is not restricted. It is: Allow UDP/TCP Out, Any port, to address 127.0.0.1, Any port. Firefox is no baddie, so I don't restrict that rule. But it is quite ok to do that too, like Rick does for the SeaMonkey browser.

If I happened to have a "baddie program" and was also running a local proxy like Avast's WebShield or Proxomitron, I would get a popup of that baddie wanting to go out by kerio 2.1.5, since I have no "global" loopback rule. But if I had that standard loopback any app rule, the baddie program would go out. Without my knowledge.

Again Rick prefers to block unknown in his second example and I prefer to use 'ask me first' firewall feature to know if there is something wanting to run in my system that I like to have control indication from my firewall. It is a matter of preference of how to use the firewall. <-QUOTE}

herbalist
September 16th, 2007, 05:28 PM
{QUOTE-> I don't have a handle on the ports so I'll log them a bit and pick those up there. <-QUOTE}
Could you be a bit more specific as to what you're having trouble with regarding ports?

Escalader
September 16th, 2007, 05:37 PM
{QUOTE-> Could you be a bit more specific as to what you're having trouble with regarding ports? <-QUOTE}

Well, you put in 8080, I don't know what to use in FF or IE yet.:-\

herbalist
September 16th, 2007, 05:59 PM
For the most part, browsers connect out to port 80 for http traffic and 443 for https. When you connect to a file (FTP) server, they usually use port 21. These are remote ports. For local ports, it's usually a range as your system uses the first one available. Other sites and services use different ports. I occasionally play MahJong tiles at Yahoo. For that site to work, I have to allow traffic on port 11999. Yahoo also has a web version of its instant messenger. It works like the actual program but it's done with Flashplayer in your browser. For that to work, traffic on port 5050 has to be allowed. There's plenty of other services that'll use different ports.

What you need to allow and how you want to go about it depends on what you do with your browser. You can allow it to connect out on any port with TCP and UDP or you can specify only the ports you need for what you use. I run thru Proxomitron most of the time so traffic on ports 80 and 443 are looped back to Proxomitron. For that game or webmessenger, I allow outbound connections to those ports for the IP ranges they use. I don't allow inbound.

Either way works. It just depends on how much control you want and if it's important to you to know when your browser uses a non-standard port.

Rick

Escalader
September 16th, 2007, 07:07 PM
Thanks Rick:

I'll not need micro control over ports yet.

Only the email ports my ISP uses are non-standard (well, just the outbound); those have been put into MS Outlook.

When I am done I will want to do a shields/ports test of my whole set up to find flaws. So any nasties that are port oriented we can deal with then?

Does that make sense to you?

herbalist
September 16th, 2007, 08:59 PM
Makes plenty of sense. Firewall rules can be a work in progress for as long as it takes. Limiting the mail handler to the sites and services you use is a good place to start. Those are good rules to make address specific as the normal mail ports are probed regularly.

Regarding running a port scan on your system, Shields Up is a good start, but I'd also use one of the sites that can scan all the ports. Some DSL modems for instance listen on an unusual port for reasons I can't determine. My previous one showed port 43287 to be open, but no service of any kind listed for it. Another one used port 6363. I couldn't close them, even with remote administration disabled, which I doubt my ISP appreciates. I have no proof as to why they were open, only suspicions. I did confirm it was the modem as scans of those ports never reached Smoothwall as scans of those actual ports but were logged as attempts to connect to NetBios. I'd be interested to hear Stem's view on this. Anyway, don't assume that because Shields Up shows the first 1056 closed or stealthed that all the ports are. You might be surprised.
Rick

Escalader
September 17th, 2007, 08:34 AM
{QUOTE-> Makes plenty of sense. Firewall rules can be a work in progress for as long as it takes. Limiting the mail handler to the sites and services you use is a good place to start. Those are good rules to make address specific as the normal mail ports are probed regularly.

Regarding running a port scan on your system, Shields Up is a good start, but I'd also use one of the sites that can scan all the ports. Some DSL modems for instance listen on an unusual port for reasons I can't determine. My previous one showed port 43287 to be open, but no service of any kind listed for it. Another one used port 6363. I couldn't close them, even with remote administration disabled, which I doubt my ISP appreciates. I have no proof as to why they were open, only suspicions. I did confirm it was the modem as scans of those ports never reached Smoothwall as scans of those actual ports but were logged as attempts to connect to NetBios. I'd be interested to hear Stem's view on this. Anyway, don't assume that because Shields Up shows the first 1056 closed or stealthed that all the ports are. You might be surprised.
Rick <-QUOTE}

Rick:

TY. Some years ago I ran a Shields Up on my set up at that time and remember that it only scanned a portion of the ports. I promise to assume zero and not be surprised at anything.

You mention remote admin; do you leave it disabled all the time? I have on the odd occasion used my ISP's interactive help service to raise questions.
Funny thing, sometimes they don't like questions like why are Canadian Emails processed in the USA? (Yahoo!)

Escalader
September 18th, 2007, 03:01 PM
Hi Stem:

In the CFW thread you indicated the following and I quote:

"Don't worry about this at this time. My (personal) concern of this is the layer2 comms that are allowed, such as ARP without any interception. Outpost pro does intercept ARP, with a number of user options for this."

What is the status of Kerio 2.1.5 on this layer 2 issue, i.e. your ARPs?

Can Kerio deal with them?

Stem
September 18th, 2007, 05:41 PM
Hi Rick,
{QUOTE-> I'd be interested to hear Stems view on this. <-QUOTE}I have seen a number of Modems/routers issued by an ISP to have such ports open. This I would presume is for some external management by the ISP. I have also seen ports open on "off the shelf" routers, but have found this due to the ability for nesting of LANs (where one router can be connected to another to create sub-LANs). I will admit I have not looked at this deeply, but did set up this internal type sub-LAN, and noticed comms, similar to uPnP, between the routers on the open ports. At the time, I just personally expected some form of internal control of this (ports being used etc), but did not look further into this. (I only use one router behind my gateway)

I can look further, or take advice on this?

Regards,

Stem
September 18th, 2007, 05:44 PM
{QUOTE-> What is the status of Kerio 2.1.5 on this layer 2 issue, i.e. your ARPs?

Can Kerio deal with them? <-QUOTE}I would expect not. Can you find a rule to allow/block ARP?

herbalist
September 18th, 2007, 06:57 PM
The last 2 DSL modems my ISP sent over both have this problem. The previous one was a Netopia, which had port 43287 open. Both had remote administration enabled (which I promptly shut off) but neither was configured for the port that was opened. I disabled uPNP, along with everything else I can think of. I can't affect it with the built in firewall or services settings. I'm starting to think this can't be changed without changing firmware. Can't find an update for it. Other than buying my own DSL modem, any suggestions?
Rick

Stem
September 18th, 2007, 07:42 PM
{QUOTE-> The last 2 DSL modems my ISP sent over both have this problem. <-QUOTE}This will possibly not be seen as a problem if your ISP is using this port. (I have to be careful, due to the fact I have been in dispute with my own ISP for the last 2 years due to such) I personally now place a gateway (PC) between my modem (ISP cable connection) and my home LAN. I do now see all comms (for the last 2 years) of attempted inbound (allowed by ISP modem/router) into my home.

{QUOTE-> The previous one was a Netopia, which had port 43287 open. Both had remote administration enabled (which I promptly shut off) but neither was configured for the port that was opened. I disabled uPNP, along with everything else I can think of. I can't affect it with the built in firewall or services settings. I'm starting to think this can't be changed without changing firmware. Can't find an update for it. Other than buying my own DSL modem, any suggestions? <-QUOTE}You could try (as I did) to flash (update) the modem, but I found this to cause me lock out (from the actual bios update). I did bypass this and got total internet loss (on reporting this, the ISP must have re-flashed the modem, as the connection was then allowed).

Think as you may, but I would ask to monitor and look.

Regards,

herbalist
September 18th, 2007, 08:31 PM
I haven't asked my ISP about this. The first modem had other problems, like continually restarting for no apparent reason. I tried to get info from the vendors site for this modem. Says I have to contact CenturyTel, which isn't my service provider. Figure that.

I can only assume that it's a back door for the ISP designed into the firmware since it appears to be separate from the remote administration. My concern is that modems would also become attack targets, and something as simple as changing the DNS settings to one controlled or compromised by malware vendors could cause big problems. It seems that if I want this solved, I'll have to get my own DSL modem, preferably one that's a PCI card for Smoothwall.
Rick

Escalader
September 18th, 2007, 08:51 PM
{QUOTE-> I would expect not. Can you find a rule to allow/block ARP? <-QUOTE}

Stem:

No, I can't find the protocol. I can't see how to write a rule for ARP!

It is not specifically in the list of protocols in Kerio unless it is in "other".
(See attached jpg)

Given that all we really need is TCP/IP, and UDP for Video why not unbind all other protocols in the advanced settings window for our LAN connections?

(see attached, with very few showing on mine!)

Would that work to simplify our rules?

If it does, then all the generic rules in the template aimed at Netbios etc could be either deleted or disabled. Am I right on this?

herbalist
September 18th, 2007, 09:29 PM
The main problem with adding such a blocking rule is that you won't be prompted by any app that you haven't finished the rules for. Also, if you make address specific rules for apps such as updaters or mail handlers and the address they use changes, you won't get a prompt, the app will just fail to connect. Also, if you use IM or P2P programs, unless you have rules permitting them to connect to anywhere, such a rule would interfere with them any time you had a new contact or connected to a new location.

AFAIK, Kerio doesn't address ARP specifically. Unless I'm missing something, if you used static IPs for your PCs and hardware instead of DHCP, there'd be no need for ARP or any control of it. If I'm wrong, I'm sure Stem will correct this.
Rick

Escalader
September 18th, 2007, 10:01 PM
Rick:

TY, as you said Stem will sort me out (as you do as well8) which is a good thing) In a learning thread as the learner (slow:-[ ) poster has to be ego less!

I have left all the non TCP/IP, and UDP rules that were in the template

Still building rules and adding to PG 2 blocking lists as outgoing ip's I don't know are researched. It is really amazing to see the ip's attempting to RECEIVE data packets from MY PC. Right now I'm just blocking them.

So I will be wanting to send you and Stem rule set # 2 for criticism in about a week or so. I'm still reluctant to open post it unless it is clean and reveals zero private data:-\ . But leave that for now as I'm getting ahead of myself.

Do you happen to know what protocols are in "other" for Kerio?

herbalist
September 18th, 2007, 10:58 PM
{QUOTE-> Do you happen to know what protocols are in "other" for Kerio? <-QUOTE}
The only 2 I know for sure are IGMP and IPv6. It probably covers more but I don't know what they are and have never seen a prompt for any other.

As far as sending us the new rulesets, there are a couple of ways you can do that. I understand your concern about sending sensitive info. Instead of screenshots, you could send me the actual .conf file. If Stem has a box with Kerio 2 already installed, it might work for him too. The file can't be read with a standard text editor, but can be easily imported into Kerio on another PC. I do that with one of my clients, import their configuration file into my PC and see what needs fixing. Haven't tried editing someone else's ruleset on mine yet. Not sure how much problem the built in MD5 checking would be. If it would be easier to send the actual conf file, I'll send you an e-mail addy.

Been meaning to ask you, does any of your hardware have a static IP or are you using DHCP throughout?
Rick

Escalader
September 18th, 2007, 11:28 PM
{QUOTE-> The only 2 I know for sure are IGMP and IPv6. It probably covers more but I don't know what they are and have never seen a prompt for any other.

As far as sending us the new rulesets, there are a couple of ways you can do that. I understand your concern about sending sensitive info. Instead of screenshots, you could send me the actual .conf file. If Stem has a box with Kerio 2 already installed, it might work for him too. The file can't be read with a standard text editor, but can be easily imported into Kerio on another PC. I do that with one of my clients, import their configuration file into my PC and see what needs fixing. Haven't tried editing someone else's ruleset on mine yet. Not sure how much problem the built in MD5 checking would be. If it would be easier to send the actual conf file, I'll send you an e-mail addy.

Been meaning to ask you, does any of your hardware have a static IP or are you using DHCP throughout?
Rick <-QUOTE}

Rick:

TY.
I like the send you/Stem the conf file idea.

On the MD5 I had 1 program that didn't calculate right (can't recall it now) but that didn't seem to impact anything operational.

I'm on semi static ip. It stays fixed at my ISP for a few weeks then changes. Who knew, but I do now.

On the Kerio "other" covering IGMP and IPv6, why not build specific block rules for those guys using "other"?

But I'm gone now it's late here, send your addy along via PM make it a throwaway since you don't know me in person, that's my advice to clients but that is your call.

Stem
September 19th, 2007, 09:25 AM
{QUOTE-> Unless I'm missing something, if you used static IPs for your PCs and hardware instead of DHCP, there'd be no need for ARP or any control of it. <-QUOTE}Within a LAN you would still need ARP to resolve the hardware/IP of the gateway to allow you to connect out.

It is not a problem in a trusted LAN.
In an untrusted LAN, if the firewall does not filter ARP, then tools such as "Netcut" can be used. If the firewall can block ARP, then that can be done, but there would be a need to (at minimum) set up a static ARP entry for the gateway.
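
Stem's point about ARP, worked as an added example that is not part of the thread: a small Python checker that parses successive Windows `arp -a` snapshots (constructed samples, not captured from anyone's LAN) and reports when the gateway entry is still dynamic rather than static, when its MAC departs from the baseline, or when another host claims the gateway's MAC. The gateway address 192.168.1.1 and all MACs are assumptions.

```python
import re

# One entry line of Windows "arp -a" output ("ip  mac  dynamic|static").
# Colon-separated MACs are accepted too, so Unix-style arp output parses as well.
ARP_ENTRY = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"([0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5})\s+"
    r"(dynamic|static)\s*$",
    re.IGNORECASE | re.MULTILINE,
)

GATEWAY_IP = "192.168.1.1"  # assumed LAN gateway

# Constructed "arp -a" snapshots taken a few minutes apart (not real captures).
# Snapshot 1 shows what an ARP-poisoning tool leaves behind: the gateway IP now
# maps to the MAC of another LAN host. Snapshot 2 is after "arp -s" pinned it.
SNAPSHOTS = [
    """Interface: 192.168.1.10 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.20          00-aa-bb-cc-dd-ee     dynamic
""",
    """Interface: 192.168.1.10 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-aa-bb-cc-dd-ee     dynamic
  192.168.1.20          00-aa-bb-cc-dd-ee     dynamic
""",
    """Interface: 192.168.1.10 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     static
  192.168.1.20          00-aa-bb-cc-dd-ee     dynamic
""",
]


def parse_arp_table(text):
    """Return {ip: (mac, type)} with MACs normalised to lower-case, dash-separated."""
    table = {}
    for ip, mac, kind in ARP_ENTRY.findall(text):
        table[ip] = (mac.lower().replace(":", "-"), kind.lower())
    return table


def check_gateway(snapshots, gateway_ip, expected_mac=None):
    """Audit the gateway entry across snapshots; returns a list of alert strings.

    If expected_mac is not given, the MAC seen in the first snapshot is the baseline.
    """
    alerts = []
    for i, text in enumerate(snapshots):
        table = parse_arp_table(text)
        if gateway_ip not in table:
            alerts.append("snapshot %d: no ARP entry for gateway %s" % (i, gateway_ip))
            continue
        mac, kind = table[gateway_ip]
        if expected_mac is None:
            expected_mac = mac
        if kind != "static":
            alerts.append("snapshot %d: gateway entry is %s, not static" % (i, kind))
        if mac != expected_mac:
            alerts.append("snapshot %d: gateway MAC changed %s -> %s"
                          % (i, expected_mac, mac))
        # Two IPs sharing one MAC is the classic sign of a poisoned cache.
        others = [ip for ip, (m, _) in table.items() if m == mac and ip != gateway_ip]
        if others:
            alerts.append("snapshot %d: gateway MAC %s also claimed by %s"
                          % (i, mac, ", ".join(others)))
    return alerts


def audit():
    """Run the gateway check over the constructed snapshots."""
    return check_gateway(SNAPSHOTS, GATEWAY_IP)


if __name__ == "__main__":
    for alert in audit():
        print(alert)
```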

Escalader
September 23rd, 2007, 10:16 AM
Stem/Herbalist et al!

Been making rules and setting services on/off. Attached is a jpg for comments. Fire at will!

My setup does share an internet connection with a second PC via router so ALG.EXE is on.

I worked that one with a connection on, set status to off in services and manual, tried to browse and connection was lost briefly, checked services and status was started again.

Did same again and rebooted, ALG.EXE started up, so I conclude my set up needs this service. If you disagree please explain.8)

I have 2 NetBios rules blocking UDP/TCP (Both),any address local ports 137-139 and the second rule remote any address ports 137-139.

So why does the open connections show anything on NetBios? Some service I have neglected to date?

herbalist
September 23rd, 2007, 12:41 PM
{QUOTE-> So why does the open connections show anything on NetBios? Some service I have neglected to date? <-QUOTE}
I assume you're referring to the last 3 lines on the status screen? The last 5 lines are all related. When the directory service (Microsoft DS) can't establish a connection on port 445, it will try to use the SMB or NETBIOS ports, the last 3 lines in your image. This is primarily for file sharing on a network. There are no connections there per se. The service is running and listening but isn't connected to anything. Kerio's status screen displays applications and services that are listening for incoming connections whether you have them blocked or not. If Kerio was shut down, many of those would result in ports open to the outside, or at least to your hardware firewall.

Everything on your screenshot from ALG.EXE down is a running windows service that's listening for a connection. This is not tied to Kerio's configuration but to your operating system and its running services. While Kerio can be configured to block every one of them from ever connecting in or out, the only way to actually eliminate the listening services is to shut them down. Stem may disagree with me on this, but IMO blocking connections to or from running services with firewall rules is a band-aid approach that doesn't fix the actual problem, unneeded services opening ports. If a service can be blocked, you don't need it running in the first place. XP makes this somewhat difficult as many of the services are inter-related.

Just for a comparison, this is the status screen on my box. I'm not certain if this can be accomplished on XP.
Rick

Escalader
September 23rd, 2007, 01:34 PM
Hi Rick:

TY. Very interesting post for me anyway. I will enter my OT comments inside your quoted post as usual for me. I will do it in blue just to avoid the red! and to ensure that readers don't assume I'm putting words in your post!
I hope Stem has some time to look this one over as well. I don't know if he agrees or not but it would be good to know.



{QUOTE-> I assume you're referring to the last 3 lines on the status screen?

Yes, your assumption is correct those were the ones.

The last 5 lines are all related. When the directory service (Microsoft DS) can't establish a connection on port 445,

I have that port 445 blocked in my rule set.


it will try to use the SMB or NETBIOS ports, the last 3 lines in your image. This is primarily for file sharing on a network.

I don't do file sharing on a network.


There are no connections there per se. The service is running and listening but isn't connected to anything. Kerio's status screen displays applications and services that are listening for incoming connections whether you have them blocked or not.

Is it possible to id these and shut them down safely?


If Kerio was shut down, many of those would result in ports open to the outside, or at least to your hardware firewall.

TY. Right! That is a good thing, I won't be shutting KFW down!

Everything on your screenshot from ALG.EXE down is a running windows service that's listening for a connection. This is not tied to Kerio's configuration but to your operating system and its running services. While Kerio can be configured to block every one of them from ever connecting in or out, the only way to actually eliminate the listening services is to shut them down. Stem may disagree with me on this, but IMO blocking connections to or from running services with firewall rules is a band-aid approach that doesn't fix the actual problem, unneeded services opening ports. If a service can be blocked, you don't need it running in the first place. XP makes this somewhat difficult as many of the services are inter-related.

That is for sure, I use Ed Bott and Carl Siechert's text on MS Win xp networking and security as a guide on the services to leave on and off. So far so good except for these nosy listener services. I want to id them at some point. Since getting to the root cause is to me a better idea than more rules.

Just for a comparison, this is the status screen on my box. I'm not certain if this can be accomplished on XP.

I like your status screen better than mine!;D




Rick <-QUOTE}

Stem
September 23rd, 2007, 02:24 PM
Hi Rick,
{QUOTE-> Stem may disagree with me on this, but IMO blocking connections to or from running services with firewall rules is a band-aid approach that doesn't fix the actual problem, unneeded services opening ports. <-QUOTE}Personally, I have always disabled un-needed (in my setup) windows services without any problems. But care does need to be taken as disabling certain services can cause major problems. (I have made posts before of all the services I disable)

As an example, on a new install of XP pro (all windows updates), no other programs installed, we will see a report of port use as:-

[attached screenshot 193682]

After I disable the services I do not need (on my setup):-

[attached screenshot 193683]

These ports in use are for:-
RPC Locator (port 445)
DCOM RPC (port 135)

These can be closed using applications such as WWDC, but some problems can arise.
Example: port 445 can be closed by disabling the driver~ Hardware/ Device manager/ (show hidden) non-plug and play drivers/ "Netbios over Tcpip". But doing this will cause problems with DHCP (no IP via DHCP). So I actually leave these ports to be controlled by the firewall (as some of my setups require DHCP (VMs / ICS)).
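
Herbalist's point above that the status screen lists sockets that are merely listening, and Stem's that it is easy to identify which service owns a port, worked as an added example that is not from the thread: Python that reads constructed `netstat -ano` and `tasklist /svc` output (XP-style samples made up for this example), keeps only listening sockets, labels the ports the thread discusses, maps each PID to its hosted services, and shows which listeners disappear after NetBIOS over TCP/IP is disabled. The PIDs and the 203.0.113.9 remote address are assumptions.

```python
import re

# Constructed "netstat -ano" output in Windows XP layout (not a real capture).
# TCP rows carry a State column; UDP rows do not, so their PID is the fourth field.
NETSTAT_BEFORE = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:1158      203.0.113.9:80         ESTABLISHED     1032
  UDP    0.0.0.0:445            *:*                                    4
  UDP    192.168.1.10:137       *:*                                    4
  UDP    192.168.1.10:138       *:*                                    4
"""

# Same box after NetBIOS over TCP/IP was disabled on the LAN connection.
NETSTAT_AFTER = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed "tasklist /svc" output; PIDs chosen to match the netstat sample.
TASKLIST_SVC = """
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
svchost.exe                    900 RpcSs
svchost.exe                   1032 AudioSrv, BITS, CryptSvc, Dhcp, wuauserv
alg.exe                       1200 ALG
"""

# Port notes as the thread gives them.
PORT_NOTES = {
    135: "DCOM RPC",
    137: "NetBIOS name service",
    138: "NetBIOS datagram service",
    139: "NetBIOS session service",
    389: "LDAP (opened by NetMeeting)",
    445: "Microsoft DS (SMB over TCP/IP)",
}


def parse_netstat(text):
    """Return (proto, local_port, state, pid) for every socket row."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        port = int(parts[1].rsplit(":", 1)[1])
        if parts[0] == "TCP":
            state, pid = parts[3], int(parts[4])
        else:
            state, pid = "", int(parts[3])
        rows.append((parts[0], port, state, pid))
    return rows


def listeners(text):
    """TCP sockets in LISTENING plus every bound UDP socket; ESTABLISHED rows are left out."""
    return {(proto, port, pid) for proto, port, state, pid in parse_netstat(text)
            if proto == "UDP" or state == "LISTENING"}


def parse_tasklist_svc(text):
    """Return {pid: [service names]} from tasklist /svc output ("N/A" means none)."""
    services = {}
    for line in text.splitlines():
        m = re.match(r"^(.+?)\s+(\d+)\s+(.+)$", line)
        if not m:
            continue
        names = m.group(3).strip()
        services[int(m.group(2))] = [] if names == "N/A" else [s.strip() for s in names.split(",")]
    return services


def audit(netstat_text, tasklist_text):
    """Map each listening (proto, port) to its note, owning PID and hosted services."""
    by_pid = parse_tasklist_svc(tasklist_text)
    report = {}
    for proto, port, pid in sorted(listeners(netstat_text)):
        report[(proto, port)] = {
            "note": PORT_NOTES.get(port, "unknown: identify before deciding"),
            "pid": pid,
            "services": by_pid.get(pid, []),
        }
    return report


def closed_by_hardening(before_text, after_text):
    """Return (listeners that went away, listeners still present) between two snapshots."""
    before = {(p, port) for p, port, _ in listeners(before_text)}
    after = {(p, port) for p, port, _ in listeners(after_text)}
    return sorted(before - after), sorted(after)
```

The ports that remain after the NetBIOS change match what Stem's second screenshot shows (135 and 445), and the PID-to-service map is what answers "which service is using which port".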

Stem
September 23rd, 2007, 02:42 PM
Hi Escalader,
{QUOTE-> My setup does share an internet connection with a second PC via router so ALG.EXE is on. <-QUOTE}It will not be your LAN that requires ALG. I have personally never found a need to have this service running, even when I have ICS setup and running. So for this to cause you problems when disabled would indicate that a 3rd party program is using this for some reason.

{QUOTE-> I don't do file sharing on a network. <-QUOTE}Simply disable this in "Network Connections" (Some info/pics (http://www.petri.co.il/disable_netbios_in_w2k_xp_2003.htm))

{QUOTE-> Is it possible to id these and shut them down safely? <-QUOTE}It is easy to ID what service is using which port, but there is a need to find if you require the service on your setup (as example with ALG, which I still do not see why you require this)

herbalist
September 23rd, 2007, 02:49 PM
{QUOTE-> I have that port 445 blocked in my rule set. <-QUOTE}
You mentioned that you have the NETBIOS ports blocked as well. Then you have it blocked both ways.
{QUOTE-> Is it possible to id these and shut them down safely? <-QUOTE}
I'm pretty sure that all of the last 5 are Microsoft DS. I haven't tried it but give this (http://seclists.org/bugtraq/2002/Aug/0426.html) a look. Also see http://www.blackviper.com/WinXP/servicecfg.htm although I don't see DS specifically listed there. I'm hoping to get over to a friends place today that has XP and Kerio. I can't remember for sure if I shut that down on their PC or not.
{QUOTE-> I won't be shutting KFW down! <-QUOTE}
It's not always that simple. An update to a system component or another app can occasionally cause a conflict that crashes something. Some malware directly attacks firewalls. I haven't seen it with Kerio but when I used a security suite, I ran into a malicious webpage that crashed the entire suite, then crashed my PC. When I got it restarted, I was infected. True, the chances of it happening are low, but it is possible.
Rick

herbalist
September 23rd, 2007, 03:19 PM
Stem had the links I was looking for.
{QUOTE-> Simply disable this in "Network Connections" (Some info/pics) (http://www.petri.co.il/disable_netbios_in_w2k_xp_2003.htm) <-QUOTE}
Got to get these bookmarks organized better.
I haven't seen your posts regarding what services you disable. I don't use DHCP. All the IPs here are static. I'm not sure if my ISP assigned IP is supposed to be static, but it hasn't changed in over a year. Might be due to the changes I made in the modem's configuration, but they haven't said anything about it so I won't either.
Rick

Escalader
September 23rd, 2007, 04:01 PM
Hi Stem and Herbalist:

TY for your posts. For now I'll have to do some more research on all your input/comments. I will answer in blue as before with the last post first (sort of a push down stack approach 8)

Escalader
September 23rd, 2007, 04:10 PM
As before, OT comments embedded in blue.

{QUOTE-> Stem had the links I was looking for.

Okay, let's check them out.

Got to get these bookmarks organized better.
I haven't seen your posts regarding what services you disable.

I've attached them to this post

I don't use DHCP. All the IPs here are static. I'm not sure if my ISP assigned IP is supposed to be static, but it hasn't changed in over a year. Might be due to the changes I made in the modems configuration, but they haven't said anything about it so I won't either.

Okay, mine gets assigned via DHCP
Rick <-QUOTE}

Stem
September 23rd, 2007, 04:20 PM
Hi Rick,
{QUOTE-> I'm not sure if my ISP assigned IP is supposed to be static, but it hasn't changed in over a year. Might be due to the changes I made in the modems configuration, but they haven't said anything about it so I won't either. <-QUOTE}Some ISPs will bind an IP to your MAC address, some ISPs will then not allow the MAC/IP binding to be changed; my own ISP will simply issue a new IP for any new MAC address I have (but with the same MAC, my IP remains the same).

Escalader
September 23rd, 2007, 04:21 PM
see blue embedded comments


{QUOTE-> You mentioned that you have the NETBIOS ports blocked as well. Then you have it blocked both ways.

See attached rules you are right they are both ways, is this wrong?

I'm pretty sure that all of the last 5 are Microsoft DS. I haven't tried it but give this (http://seclists.org/bugtraq/2002/Aug/0426.html) a look. Also see http://www.blackviper.com/WinXP/servicecfg.htm although I don't see DS specifically listed there. I'm hoping to get over to a friends place today that has XP and Kerio. I can't remember for sure if I shut that down on their PC or not.

Good, when you can let me know but their setup may vary?

It's not always that simple. An update to a system component or another app can occasionally cause a conflict that crashes something. Some malware directly attacks firewalls. I haven't seen it with Kerio but when I used a security suite, I ran into a malicious webpage that crashed the entire suite, then crashed my PC. When I got it restarted, I was infected. True, the chances of it happening are low, but it is possible.

Yes, I know no set of tools is perfect. I have the AV and the ASW plus the H/W F/W plus PG 2 with SpyBlaster, the occasional Spybot S & D loads up my hosts file with 7000+ bad sites as well so I think/hope? the chances are low.

Suites? Well I'll not go there in this thread.;D

Rick <-QUOTE}

Escalader
September 23rd, 2007, 04:45 PM
{QUOTE-> Hi Escalader,
It will not be your LAN that requires ALG. I have personally never found a need to have this service running, even when I have ICS setup and running. So for this to cause you problems when disabled would indicate that a 3rd party program is using this for some reason.

Simply disable this in "Network Connections" (Some info/pics (http://www.petri.co.il/disable_netbios_in_w2k_xp_2003.htm))


It is easy to ID what service is using which port, but there is a need to find if you require the service on your setup (as example with ALG, which I still do not see why you require this) <-QUOTE}

Hi Stem:

Okay, Lan doesn't use ALG and I do have 3rd party software which one uses it is unknown to me. I will disable it again and report back! Maybe the 1st time I forgot to click apply or something.

I have followed the procedure to disable Netbios and those listening entries are GONE! TY!

On my services, I gave Herbalist the list of disabled ( minus the net bios change)

lucas1985
September 23rd, 2007, 05:01 PM
{QUOTE-> I haven't seen your posts regarding what services you disable. <-QUOTE}
See here (http://www.wilderssecurity.com/showpost.php?p=896115&postcount=44) :)

Escalader
September 23rd, 2007, 05:49 PM
Here is my revised list with Netbios and Alg.exe disabled! TY!

Only to now show my SS 5.3 services, briefly; they have disappeared during the typing of this post. So even though I have it turned to manual update it must listen on site for a bit:-\ I have the Black Viper services and now via lucas1985 I have Stem's settings from a while back. I will compare and contrast mine with those and report back any differences.

EASTER
September 23rd, 2007, 06:49 PM
{QUOTE-> Good! Are you running Kerio 2.1.5 with XP sp2? What defrag program are you using? <-QUOTE}

YES! And also on plain jane XP as well as SP1. No problems at all, ever. I have found many freeware apps more resilient and reliable over time than those commercial types that are constantly being tinkered with or tweaked for lack of a better term on a regular basis. Seems to be a trend and a welcome one at that.

I don't have a problem paying for commercial software because they as policy are for the most part obligated to the customer to provide support for issues/bugs etc.

But, lest we forget, our world is chock full of even students with exceptional skill, some of which make releases as a hobby or class project, and some of those would boggle the highest IT Tech graduates as well as experienced IT Professionals.

And it's those developers I fund via generous donation in return for their own generosity and usefulness as an inspiration & reward for those efforts.

Escalader
September 25th, 2007, 11:31 AM
{QUOTE-> Hi Escalader,
........
It is easy to ID what service is using which port, but there is a need to find if you require the service on your setup (as example with ALG, which I still do not see why you require this) <-QUOTE}

Hi Stem:

I have got rid of ALG and Netbios as you suggested, PC seems "snappier" but maybe that's an "illusion;D "

At the Shields up link you gave me see quote below:

{QUOTE-> from ShieldsUP
Name:
ldap
Purpose:
Lightweight Directory Access Protocol
Description:
LDAP (which is what people call it) is a modern and popular Internet directory access protocol used by many systems and services. Most Windows users will encounter it because Microsoft's NetMeeting uses and opens the LDAP port 389 while it is running.
Related Ports:
1002, 1720
Background and Additional Information:
Since LDAP's use of port 389, and H.323 teleconferencing's call setup use of port 1720, are intimately associated through their common Microsoft NetMeeting usage, please see our discussion of port 1720 security. The issues raised and discussed there also apply to LDAP port 389. <-QUOTE}

I don't use or want to use NetMeeting so I have it disabled in services and I left the disabled rule in my Kerio rule set. So I think it is "dead":thumb:

Do you agree?

Now I will attach the latest Kerio FW status for review and comment. ;D

Stem
September 26th, 2007, 07:48 PM
Hello Escalader,

The pic you post of active apps does look better. The only one I am unsure about is the "svchost port 1158".
I am short of time at the moment, but will make post later to show you the services using the other ports (I need to revert to XP image to comment correctly), and how they can be disabled if wanted.

Escalader
September 26th, 2007, 08:15 PM
{QUOTE-> Hello Escalader,

The pic you post of active apps does look better. The only one I am unsure about is the "svchost port 1158".
I am short of time at the moment, but will make post later to show you the services using the other ports (I need to revert to XP image to comment correctly), and how they can be disabled if wanted. <-QUOTE}

Okay, when you have time. My FW rules seem stable now.

But I'm building up a few "minor" questions, i.e. loopbacks are still not 100% clear yet, but I've got the application/ip/port binding down now.

One issue is when I find the ip's that an updater uses, then a few days later they change them. I see no solution to that unless there is a way to put the site name in.

But anyway, zero phone homes.

Escalader
September 27th, 2007, 08:14 PM
Hi Herbalist/Stem:

Attached is a Kerio 2.1.5 FW log from 60 seconds back.

Cast your eye over this there are some interesting outbound packets (my issue8) caught by advanced rules.

Based on this and my last posts can you guys draw any conclusions about any rules/service issue that I still have?

On DNS Stuff, reverse 65.55.184.157 reports back no PTR record (NXDOMAIN).

Whois produces:

OrgName: Microsoft Corp
OrgID: MSFT
Address: One Microsoft Way
City: Redmond
StateProv: WA
PostalCode: 98052
Country: US

NetRange: 65.52.0.0 - 65.55.255.255
CIDR: 65.52.0.0/14
NetName: MICROSOFT-1BLK
NetHandle: NET-65-52-0-0-1
Parent: NET-65-0-0-0-0
NetType: Direct Assignment
NameServer: NS1.MSFT.NET
NameServer: NS5.MSFT.NET
NameServer: NS2.MSFT.NET
NameServer: NS3.MSFT.NET
NameServer: NS4.MSFT.NET
Comment:
RegDate: 2001-02-14
Updated: 2004-12-09

Clearly svchost.exe was blocked 4 times TCP outbound to MS at
65.55.184.157 via ports 1710-1713.

The question I have is which service is attempting this, and does it matter? It was blocked but there are no apparent consequences?

So, am I unnecessarily blocking the unnecessary?

Jarmo P
September 28th, 2007, 04:55 PM
MS updates most likely Escalader.
The thing is not to log too much to get paranoid.
Local ports 1024-5000 are normal to outgoing connections.
And that server you traced sure is a MS update one.

Another thing I like to say to you dear Escalader. I don't block IP addresses at all by kerio 2. Or other firewalls I have used. The call home factor is a trust in first place, never have blocked any IP.
Call me stupid or not ;)

Jarmo
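
Escalader's blocked svchost.exe events and Jarmo's rule of thumb about local ports 1024-5000, worked as an added example that is not from the thread: Python that collapses the quoted whois NetRange into CIDR form (it should reproduce the quoted 65.52.0.0/14), checks whether a blocked outbound event's destination falls inside that range and whether its local port is in the XP ephemeral range, and labels each event. The remote port was not given in the post and is left unset, and the contrasting event to 198.51.100.23 is made up for comparison; a missing PTR record is deliberately not counted as a signal, since many addresses have none.

```python
import ipaddress

# Local port range XP hands out to outgoing connections (Jarmo's 1024-5000).
EPHEMERAL_PORTS = range(1024, 5001)

# NetRange from the whois answer quoted in the thread, keyed by ARIN NetName.
WHOIS_NETS = {
    "MICROSOFT-1BLK": ("65.52.0.0", "65.55.255.255"),
}

# Constructed events modelled on the four blocked svchost.exe connections in the
# post (remote port was not given, so it stays None), plus one contrasting event
# to a documentation address with a local port outside the ephemeral range.
EVENTS = [
    {"app": "svchost.exe", "proto": "TCP", "local_port": port,
     "remote_ip": "65.55.184.157", "remote_port": None}
    for port in (1710, 1711, 1712, 1713)
] + [
    {"app": "unknown.exe", "proto": "TCP", "local_port": 6000,
     "remote_ip": "198.51.100.23", "remote_port": 6667},
]


def netrange_to_cidrs(first, last):
    """Collapse a whois NetRange into the fewest CIDR blocks that cover it exactly."""
    start, end = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return [str(net) for net in ipaddress.summarize_address_range(start, end)]


def owner_of(ip, nets=WHOIS_NETS):
    """Return the NetName whose range contains ip, or None if no known range does."""
    addr = ipaddress.ip_address(ip)
    for name, (first, last) in nets.items():
        if ipaddress.ip_address(first) <= addr <= ipaddress.ip_address(last):
            return name
    return None


def triage(event, nets=WHOIS_NETS):
    """Classify one blocked outbound event as 'expected' or 'investigate', with reasons."""
    reasons = []
    ephemeral = event["local_port"] in EPHEMERAL_PORTS
    reasons.append("local port %d %s the XP ephemeral range 1024-5000"
                   % (event["local_port"], "inside" if ephemeral else "outside"))
    owner = owner_of(event["remote_ip"], nets)
    if owner:
        reasons.append("destination %s is in %s" % (event["remote_ip"], owner))
    else:
        reasons.append("destination %s is in no known range" % event["remote_ip"])
    # A missing PTR record (NXDOMAIN) is common and is not used as evidence either way.
    verdict = "expected" if ephemeral and owner else "investigate"
    return verdict, reasons


def triage_all(events=EVENTS):
    """Return [(app, local_port, verdict)] for every event."""
    return [(e["app"], e["local_port"], triage(e)[0]) for e in events]


if __name__ == "__main__":
    print(netrange_to_cidrs(*WHOIS_NETS["MICROSOFT-1BLK"]))
    for event in EVENTS:
        verdict, reasons = triage(event)
        print(event["app"], event["local_port"], verdict, "; ".join(reasons))
```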

Escalader
September 28th, 2007, 05:48 PM
{QUOTE-> ....

{QUOTE-> Another thing I like to say to you dear Escalader. I don't block IP addresses at all by kerio 2. Or other firewalls I have used. The call home factor is a trust in first place, never have blocked any IP.
Call me stupid or not ;) <-QUOTE}

Jarmo <-QUOTE}

Hi Jarmo:

Not ever! Best posters are candid and honest in their feedback that is you in this case!:thumb:

This thread is NOT about justification of security approaches, yours vs mine vs someone else's to security. I made an earlier comment on that idea for a thread covering that debate.

I am learning to write many rules some to allow and block, ip's, ports etc. In this example Kerio has reported an outbound I had not explicitly allowed.

I traced it to MS. It is not in the port range you mentioned and being a user who is concerned (not the same as paranoid:) I want to know what that packet is doing/ trying to leave my PC.

It is not Kerio I suspect, but the service in xp and MS sending to an ip belonging to MS? I hope you see the difference.

Clearly svchost.exe was blocked 4 times trying a TCP outbound to MS at
65.55.184.157 via ports 1710-1713. 65.55.184.157 reports back no PTR record (NXDOMAIN) and I thought all ip's are supposed to have such a record.:-\

The questions I have are which service is attempting this, and does it matter? It was blocked but there are no apparent consequences? So, am I unnecessarily blocking the unnecessary? I don't know.

So I appreciate your comment, which basically says you wouldn't ask these questions but I do and await answers from Stem and Herbalist.

Take it easy!

PS: If you check your FW log you will no doubt find that your FW has blocked many In/Out ip's packets.

Jarmo P
September 29th, 2007, 12:19 AM
{QUOTE-> Whois: Final results obtained from whois.arin.net.
Results:

OrgName: Microsoft Corp
OrgID: MSFT
Address: One Microsoft Way
City: Redmond
StateProv: WA
PostalCode: 98052
Country: US

NetRange: 65.52.0.0 - 65.55.255.255
CIDR: 65.52.0.0/14
NetName: MICROSOFT-1BLK
NetHandle: NET-65-52-0-0-1
Parent: NET-65-0-0-0-0 <-QUOTE}
I just wanted to say that it is your computer checking Windows updates. There are also servers with no MS name that it uses, just don't remember names at the moment. I do block svchost also for the most time and allow it only for the dhcp and a few other things. And I do allow it for every month's second Tuesday and Wednesday, when patches are released from Seattle "ms home motherbase", out to ports tcp 80 and 443 when I happen to use/visit my admin account instead of the limited one I almost all the time use. My computer is set to download the patches from MS automatically, but not to install them without my permission.
That said I always install the critical ones without going to sites like http://www.dslreports.com/forum/r19053306-Microsoft-Security-Bulletins-for-9112007
to see if other users are having problems. But I used to do that too. So it is ok by me to be curious of all happenings with our puters :P

{QUOTE-> PS: If you check your FW log you will no doubt find that your FW has blocked many In/Out ip's packets. <-QUOTE}
My log is much more interesting than yours. That must be because I have no router. So if you get bored, just remove the router to see more :P

One thing I would take out of the logging though in my mind if I were you is that 192.168.x rule. To have kerio only log something that gives actual information.

Rick is one of the nicest guys to give information, and good information he gives too. Only one thing I disagree with him on, and that is only a firewall policy of it being too silent. I mean that block all outgoing rule! Duh? Good you made it log at least. You use a firewall, for heaven's sake, to give information about unknown outbound connections?


Best wishes,
Jarmo

PS
IP rule blocking though is stupid in my opinion (IMO) and a waste of time. I have always wanted to say this to you, so now I have done that, hehe.

Escalader
September 29th, 2007, 09:02 AM
{QUOTE-> I just wanted to say that it is your computer checking Windows updates. There are also servers with no MS name that it uses, I just don't remember the names at the moment. I do block svchost also most of the time and allow it only for DHCP and a few other things. And I do allow it every month's second Tuesday and Wednesday, when patches are released from Seattle "MS home motherbase", out to ports TCP 80 and 443 when I happen to use/visit my admin account instead of the limited one I use almost all the time. My computer is set to download the patches from MS automatically, but not to install them without my permission.
That said I always install the critical ones without going to sites like http://www.dslreports.com/forum/r19053306-Microsoft-Security-Bulletins-for-9112007
to see if other users are having problems. But I used to do that too. So it is ok by me to be curious of all happenings with our puters :P

My log is much more interesting than yours. That must be because I have no router. So if you get bored, just remove the router to see more :P

One thing I would take out of the logging though, in my mind, if I were you, is that 192.168.x rule. Have Kerio only log something that gives actual information.

Rick is one of the nicest guys to give information, and good information he gives too. Only one thing I disagree with him on, and that is only a firewall policy of it being too silent. I mean that block all outgoing rule! Duh? Good you made it log at least. You use a firewall, for heaven's sake, to give information about unknown outbound connections?


Best wishes,
Jarmo

PS
IP rule blocking though is stupid in my opinion (IMO) and a waste of time. I have always wanted to say this to you, so now I have done that, hehe. <-QUOTE}


Hi Jarmo:

Are we having fun yet? 8) You seem in good form, 2 AM posts :o

We have different views on "trust", that's fine, you have your view and I respect that, we just disagree, which is cool on this forum 8) If you have a conversation to have with Herbalist, go ahead, but I'm not involved with it!

With respect to M$, I get my Tuesdays and Wednesdays like everybody else in spite of the blocking approach. So there :D Like you, I download them and install at my convenience, not Mr Gates'. Heck, it's my PC not his!

I'm glad you like your log. Mine is boring, like my posts, but I'll keep my router anyway!

{QUOTE-> One thing I would take out of the logging though, in my mind, if I were you, is that 192.168.x rule. Have Kerio only log something that gives actual information. <-QUOTE}

Yes, I like that suggestion, and as soon as I find the %^&*(* rule I'll shut it up, but I suspect I may still have a loopback rule freeze-up!

19monty64
September 29th, 2007, 12:31 PM
Escalader, I meant to ask this earlier in this thread, but what advantage have you found using the "Advanced" rules rather than the "Standard" rules? I'm using BZ's standard ruleset and have finally got the log running quietly, but your logs have made me think I'm not ready for the advanced ruleset yet... (noob question, I know)

Jarmo P
September 29th, 2007, 12:57 PM
I'll answer. There is no difference, really. Just rules, and our Escalader has a few more rules of his own, like that silly all outgoing block that sure makes him happy, lol, suspecting that his security programs somehow call home to an evil motherbase. Makes him also happy, I guess, to play with the loopback rule, as he mentioned, because of that blocking rule.
Jarmo

19monty64
September 29th, 2007, 01:32 PM
Doesn't the "block all" outgoing rule just cover what's missed in the ruleset? The reason for blocking "call-home" functions was discussed here... http://www.wilderssecurity.com/showthread.php?t=186724 ...and considering the fact that I got the "silent update", that is reason enough for me to want to control in/out-bound traffic on my PC. Enough to make me start using a firewall for the first time in months!!!

Escalader
September 29th, 2007, 02:00 PM
{QUOTE-> I'll answer. There is no difference, really. Just rules, and our Escalader has a few more rules of his own, like that silly all outgoing block that sure makes him happy, lol, suspecting that his security programs somehow call home to an evil motherbase. Makes him also happy, I guess, to play with the loopback rule, as he mentioned, because of that blocking rule.
Jarmo <-QUOTE}

Hey Jarmo:

This post we covered offline, all is well. I'm happy playing with my blocks! ;D

Escalader
September 29th, 2007, 02:12 PM
{QUOTE-> Doesn't the "block all" outgoing rule just cover what's missed in the ruleset? The reason for blocking "call-home" functions was discussed here... http://www.wilderssecurity.com/showthread.php?t=186724 ...and considering the fact that I got the "silent update", that is reason enough for me to want to control in/out-bound traffic on my PC. Enough to make me start using a firewall for the first time in months!!! <-QUOTE}

The short answer is yes. The block all end rule is like a safety in football. If all the other defenders miss an outgoing packet that you have no rule for, that one catches it. Log it, think about it, look up the IP on whois, and decide what rule you need to add or which one needs modifying. IMHO.

Jarmo doesn't worry about ip blocking, that is his prerogative.

But I'm like you and Herbalist: once I get an application that has the bad habit of doing silent calls home (I don't mean just updates), I get unhappy and add blocks/rules either in the FW or PG 2.

Herbalist, if I recall right, even removes the software that does that.

I removed System Mechanic (iolo) for the same reason. Even though I had autoupdate off and their analyser off, when I got back an email from them with a frighteningly detailed analysis of my setup, I removed the product.
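Escalader's "log it, look up the IP on whois, then decide on a rule" workflow, as an added example that is not part of the thread: a small Python helper that converts the whois NetRange quoted earlier in the thread (65.52.0.0 - 65.55.255.255, MICROSOFT-1BLK) into CIDR form, then attributes entries from a block-all end rule to that range, to local 192.168.x-style addresses (the noise Jarmo suggests dropping from the log), or to "unknown, check whois first". The log line format, the sample entries and the function names are constructed for this example, not Kerio's own format.

```python
import ipaddress
from collections import Counter

# Constructed attribution table. The Microsoft block is the whois result
# quoted in the thread; the RFC 1918 ranges cover LAN chatter that only
# clutters the log.
KNOWN_RANGES = {
    "MICROSOFT-1BLK (whois.arin.net)": [ipaddress.ip_network("65.52.0.0/14")],
    "local LAN (RFC 1918, not worth logging)": [
        ipaddress.ip_network("10.0.0.0/8"),
        ipaddress.ip_network("172.16.0.0/12"),
        ipaddress.ip_network("192.168.0.0/16"),
    ],
}
UNKNOWN = "unknown: look up in whois before writing a rule"

# Constructed sample of what a logging block-all end rule might catch.
# Format (made up for this example): "<proto> <local_port> -> <remote_ip>:<remote_port>"
SAMPLE_LOG = [
    "TCP 1034 -> 65.54.1.1:80",        # inside the Microsoft NetRange
    "UDP 137 -> 192.168.1.255:137",    # NetBIOS broadcast on the LAN
    "TCP 1030 -> 203.0.113.5:443",     # documentation address, owner unknown
]


def range_to_cidrs(first, last):
    """Turn a whois NetRange (first - last) into the CIDR blocks it spans."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def attribute(ip):
    """Name the owner of an address if it falls in a known range, else UNKNOWN."""
    addr = ipaddress.ip_address(ip)
    for owner, nets in KNOWN_RANGES.items():
        if any(addr in net for net in nets):
            return owner
    return UNKNOWN


def triage(log_lines):
    """Parse the constructed log lines into (proto, remote_ip, remote_port, owner)."""
    rows = []
    for line in log_lines:
        proto, _local_port, _arrow, remote = line.split()
        remote_ip, remote_port = remote.rsplit(":", 1)
        rows.append((proto, remote_ip, int(remote_port), attribute(remote_ip)))
    return rows


def summarize(log_lines):
    """Count blocked entries per owner so the unknowns stand out for review."""
    return dict(Counter(row[3] for row in triage(log_lines)))
```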

19monty64
September 29th, 2007, 02:28 PM
Yeah, I like the block all end rule much better. Watching the logs and blocking specific IPs seems a bit of a daunting challenge. Silencing the logs seems to be at least attainable (I hope)...

Stem
September 29th, 2007, 02:33 PM
Hello Escalader,

I have set up a base XP Pro SP2 (all Windows updates) and have just installed Kerio 2.

I disabled NetBIOS (in network advanced settings, as you have already done) [ports 137-138]

Windows services I have disabled at this point:-
Windows auto updates
Windows Bits service
(I enable these now and again for M$ updates)

Windows time [ports 123]

ALG service [port 1027]

IPsec services [ports 500/4500]. On my own setup, I have never found a need for this. But it may well be needed on other setups, so caution needed?

SSDP [port 1900]. This will now also disable the "Universal Plug and Play Device Host" service. So caution needed.

I also disable the DNS client.

After this, looking at the opened connections in Kerio I see (on my base setup):-

[attachment 193834: screenshot of the Kerio open connections view]

Now as I mentioned, ports 135/445 cannot be closed easily. Going into the Windows drivers can close these down, but I would suggest that if you have a need to close these, then use WWDC (http://www.firewallleaktester.com/wwdc.htm). Do be cautious: as I mentioned, closing down the driver related to port 445 will cause problems for DHCP, so only close this if you are using a fixed IP. If using WWDC does cause problems, then run the program again to re-enable these drivers (ports). Just realize, you can simply block comms over these ports in your firewall if needed.

As for the "Svchost UDP port 1158" showing in your connections, I am still unsure of this. Do you have the DNS service enabled? As the port in use would, to me, indicate a wait for a reply from outbound (possibly unresolved DNS).

Stem
September 29th, 2007, 02:41 PM
Hi Rick,
Ref post#78
{QUOTE-> Just for a comparison, this is the status screen on my box. I'm not certain if this can be accomplished on XP.
Rick <-QUOTE}

Yes, this can be done. As you will see from my above post, only ports 135/445 (from the OS) are left at this time. I can certainly close these down on my setup without problems.

Stem
September 29th, 2007, 03:32 PM
{QUOTE-> MS updates most likely Escalader.
The thing is not to log too much to get paranoid.
Local ports 1024-5000 are normal to outgoing connections.
And that server you traced sure is a MS update one.

Another thing I like to say to you dear Escalader. I don't block IP addresses at all by kerio 2. Or other firewalls I have used. The call home factor is a trust in first place, never have blocked any IP.
Call me stupid or not ;)

Jarmo <-QUOTE}

Hello Jarmo P,

With respect to you and your own thoughts on this, I have no problem. But these are your own thoughts, not mine or Escalader's (or many others').

As for M$, in the past we have seen this "Update" of WGA, which at first would connect out on every reboot to check that your copy of Windows was genuine. My installation of Windows is genuine and activated... does this need to be checked every day? Am I going to suddenly make some changes in my OS to make this installation illegal? To me, this was more of a need by M$ to bind the copy of the OS to the IP in use. (Note this update could not be uninstalled (well, not easily/directly).)
Yes, I know after much uprising this has been changed, but these outbound events due to this still happen, so for me, M$ certainly do not trust me, so why should I trust them? We have seen copies of Vista have restrictions placed on them due to server problems at M$; who is affected most by this?.. the end user with a genuine version who updates directly.

No, there is no trust from me to M$, I use their OS only because my