How to Optimize Security in Kerio 2.1.5 - Learning Thread 3


Escalader
August 8th, 2007, 10:05 AM
Hi:

Just to be sure we are all on the same version etc.

I have Kerio 2.1.5 engine created 30/Apr/2003, driver 3.0.0 15/Apr/2002.
Source was http://www.dslreports.com/forum/kerio where I have the same id.

Some administrivia:

1) My version is not registered, no licence #; during the install process there was something about 30 days and you are gone? Is that for real?

2) Learning mode duration, does it end on its own?


3) Apart from answering popups is there anything else I should be doing? Like backing up settings? How?

TY

Stem
August 8th, 2007, 12:18 PM
-{ Quote: "Hi:

Just to be sure we are all on the same version etc.

I have Kerio 2.1.5 engine created 30/Apr/2003, driver 3.0.0 15/Apr/2002." }-
[attached screenshot]


-{ Quote: "Some adminsitrivia:" }-
[attached screenshot]

-{ Quote: "1) My version is not registered, no licence #, during install process there was something about 30 days and you are gone? Is that for real?" }-
[attached screenshot]

-{ Quote: "2) Learning mode duration, does it end on it's own? " }-
No, you set it to "deny unknown".

[attached screenshot]

-{ Quote: "3) Like backing up settings? How?" }-
[attached screenshot]

Escalader
August 8th, 2007, 04:37 PM
Thanks Stem!

During this rule making period I think I should leave it on ask me first, OK?

I've learned enough from you and others that I have already made a few rules of my own, blocking games on my PC, that sort of thing.

For those who are interested, my config is 2 PCs sharing a router and ISP; one is my PC to be secured and the second PC is a gaming/surfing PC.
The game PC got infected last night by a trojan using IE7 off a news network's site; it loaded an ActiveX control without even clicking, called winfix I think. We removed it. But that is the sort of thing I don't want to "share" with that PC!

First though, I'm going to post 2 JPGs, the miscellaneous and the MS networking option pages I've got, for any mistakes you guys see in these.

Escalader
August 8th, 2007, 05:10 PM
Hi Guys:

I pulled a set of "advanced" rules off the Kerio forum web site, so please don't think I made them. I haven't posted mine yet as they are a work in progress and I'm still reading FAQs and Help screens etc. But I would use some of these rules as a starting set; what is the best way to do it? I don't know if they could be imported directly and then tweaked, or even if that is wise. It does contain the loopback rule and a very interesting one called custom blocking sites! Sounds like what I want to do at some point!

herbalist
August 8th, 2007, 06:28 PM
The "ask me first" setting isn't just a learning mode. You can use that setting indefinitely if you want. Using the "deny unknown" setting is the equivalent of putting a "block all" rule at the end of the ruleset. The "deny all" setting can cause problems in certain situations. Games are one example. If one needs to use a port you didn't allow in the rules, the game won't work and you won't be prompted. You can have the same problem with updaters and address specific rules. If the IP addy it uses gets changed, it'll fail to work. IM programs connect directly to the individual you're talking to in certain situations, webcams and sharing files for instance.

I prefer to use the "ask me first" as an overall setting and blocking rules for specific apps and system components. This way, you're only prompted about connection attempts for the apps you choose. With a little planning, you can have the advantages of both settings.
A couple of examples:

Mail handler rules. The first rule allows outbound TCP connections to one specific IP address, using ports 25 and 110 only. It's followed by a TCP/UDP blocking rule for all addresses and ports, in both directions. This way, I won't be prompted for unwanted connection attempts to the mail handler.

Simplified browser rules, no proxy. The first rule allows outbound on ports 80 and 443 to any address. It's followed by a rule blocking all inbound traffic. This way, there are no prompts for inbound connection attempts, but if you're playing an online game that requires you to connect using a non-standard port, you'll be prompted for those connections.

If you have specific apps or system components that you want all web access to or from blocked, put these rules at the top of the ruleset. Follow these with "system allow" rules like DNS, DHCP, allowed services, etc. Make them as specific as possible regarding IP address(es), ports, protocols.

After these come rules for applications. As much as possible, keep rules for specific apps together. In certain situations, the rules for a group of apps should be kept together. An example would be using more than one browser with proxy software and/or TOR. In these situations, the order of the rules becomes extremely important, not just to make it work but to prevent unwanted leakage. If you have or are going to assemble such a package, let us know and we'll guide you thru it. These use loopback rules that need to be specific.

If you don't already have one, pick up a whois utility. Karen has one in her power tools (http://www.karenware.com/powertools/ptwhois.asp). Sam Spade is a powerful set of web tools that includes one. Their main site is down but it's available here (http://www.pcworld.com/downloads/file/fid,4709-order,1-page,1-c,alldownloads/description.html).
These are very useful for finding who owns/controls a specific IP address and what range of IPs it's part of, useful when a rule needs to cover a range of IP addresses.
Rick

Escalader
August 8th, 2007, 07:11 PM
TY Rick:

My mail handler ISP uses 110 and 587 ports so we will need to take care of that point?

I really like the post you gave me; let me change my rule list order in line with your advice and I will post it as a JPG for comments, good or bad.

I have left it on ask me, and I already have whois access via dnstuff! Have used it a lot to build my sites to block/allow lists.

More later.

Escalader
August 8th, 2007, 08:31 PM
Rick/Stem et al:

Here is my first shot at rules in Kerio; they are 1 set but must be shown in 2 JPGs.

Fire away at will with the flaws you see!

I have done no work on ip restrictions yet and Rick I haven't inserted the stop mail client requests, what would that rule look like?

I know my isp's incoming and outgoing host names so I can get their ip/ip ranges.

herbalist
August 9th, 2007, 12:38 AM
I saw where Stem mentioned you're behind a hardware firewall and router. Instead of asking you all the questions again about how this is set up, I'll let him handle all the network related configuration since he knows what your setup is. This affects your DNS, DHCP, some SVChost rules, and that LAN subnet bypass rule you've enabled.

As for the rest of the rules, the blocking rule for Kerio serves no purpose. All that rule does is block Kerio from resolving IP addresses, and then only if you're not using XP's DNS client service. More on that subject here (http://www.wilderssecurity.com/showthread.php?t=180932).
-{ Quote: "I have done no work on ip restrictions yet and Rick I haven't inserted the stop mail client requests, what would that rule look like?" }-
I'm using the mail component of Sea Monkey. My mail rules look like these.
[two attached screenshots of the mail rules]
Since Sea Monkey is also my browser in addition to my mail handler, I didn't include other outbound connections in the blocking rule. If I was using a stand-alone mail handler, the blocking rule could include outbound connections. When you follow an allow rule with a block all rule for an application, the blocking rule can be for any IP address. Kerio reads the ruleset from the top and uses the first rule that applies. The address specific allow rule above the blocking rule prevents it from blocking traffic on the needed IP addresses.

Noticed that you have separate permit rules for TCP and UDP for both browsers. You can edit a rule for each to allow both TCP and UDP outbound and have a little less congestion. I'd replace that allow incoming UDP rule for Firefox with a blocking rule for both incoming TCP and UDP, then make one like it for Internet Explorer. Unless there's some site specific service that requires incoming connections, browser connections should be outbound only.
Rick

Jarmo P
August 9th, 2007, 01:45 PM
I use Ask me first setting because it is the one to use to know if anything unusual in connections will be asked.

-{ Quote: "Mail handler, rules. The first rule allows outbound TCP connections to one specific IP address, using ports 25 and 110 only. It's followed by a TCP/UDP blocking rule for all addresses and ports, in both directions. This way, I won't be promted for unwanted connection attempts to the mail handler." }-
I see no reason to block unknown dear Rick.

-{ Quote: "Simplified browser rules, no proxy. The first rule allows outbound on ports 80 and 443 to any address. It's followed by a rule blocking all inbound traffic." }-
Again I see no reason to block. Incoming rules for a browser are not needed in my opinion. Would be curious to get ones.

In my opinion it is too much allowance you give to that game 'Age of Empires' or any before all the system protection rules. At least it is only outgoing connections, but still put them after your basic system rules?

With other firewalls system protection comes as granted. With kerio 2.x you have to MAKE your system protection rules.
I am writing as I see from previous screenshots and maybe not the latest post.

-{ Quote: "Noticed that you have separate permit rules for TCP and UDP for both browsers. You can edit a rule for each to allow both TCP and UDP outbound and have a little less congestion." }-
Having separate rules for TCP and UDP, and also separate rules for some port ranges in TCP etc., is no congestion. That is what rule-based firewalls are made for. Sorry Rick, for disagreeing with some of your comments.

Escalader
August 9th, 2007, 02:15 PM
Hi Jarmo:

I will not venture into your discussion with Rick. However, if my JPG was hard to read, on the games there is no allowance (your word) for any of them; I have them all denied.

On the mail business, in ZA pro you could set a red x against every single application denying it the power to send/receive Email. So my goal is to use Kerio to allow only my mail client on email. No other application needs to send mail on my PC.

herbalist
August 9th, 2007, 06:34 PM
-{ Quote: "-{ Quote: "Mail handler, rules. The first rule allows outbound TCP connections to one specific IP address, using ports 25 and 110 only. It's followed by a TCP/UDP blocking rule for all addresses and ports, in both directions. This way, I won't be prompted for unwanted connection attempts to the mail handler." }-I see no reason to block unknown dear Rick." }-
Nothing useful can come from allowing unsolicited connections to your mail handler. At best, incoming connection attempts are port scans, looking for a way into your system. They can also be attempts to exploit known vulnerabilities. Either way, they're not carrying anything you'd want to receive, so why allow it?
As for outbound traffic from the mail handler, what benefit is there to letting it connect to places that you don't have accounts at? If your mail handler is trying to connect to places you don't use, your system is probably infected.

It's the same with your browser. Why would you want to allow an unknown site to connect to your system?

A firewall's primary task is controlling internet traffic. Allowing unsolicited connections to applications or system components defeats the purpose of having a firewall. Comparatively few applications and system components need to receive unsolicited incoming connections, what ZA calls server rights. Out of the apps that do need incoming connections, most only need to receive connections of one type from a few specific IP addresses, on specific ports.
-{ Quote: "Having separate rules for TCP and UDP and also separate rules for some port ranges in TCP etc, is no congestion. That is why rulebased firewalls are made for." }-
When the rules for TCP and UDP are different in regards to ports, IP addresses, etc, separate rules serve a purpose. When they're both allow rules with no address or port restrictions, there's no benefit in keeping them separate. Separated, it's one more rule your system has to process for each new browser connection and one more rule on the screen for the user to deal with when editing the ruleset. Why make it harder than it has to be?

My firewall rules reflect the default-deny security policy my system is based on. Allow only what is necessary for correct functioning. Because of that, I'll probably block and/or restrict more than most users would, especially the unknown and unsolicited.
Rick

larryb52
August 9th, 2007, 07:23 PM
Stem, I used to use this version of Kerio but never felt safe using it; your instructions really have me wanting to reload it. Do you have any suggestions for those that still use Sygate and setting that up?

Jarmo P
August 10th, 2007, 02:56 AM
Yes Escalader, I did not notice it was blocked, the game. I only looked it being on top of your ruleset :P

Your goal of not allowing other apps to send mail is fulfilled, since you will get asked if something unknown tries to do that.

-{ Quote: "Nothing useful can come from allowing unsolicited connections to your mail handler. At best, incoming connection attempts are port scans, looking for a way into your system. They can also be attempts to exploit known vulnerabilities. Either way, they're not carrying anything you'd want to receive, so why allow it?
As for outbound traffic from the mail handler, what benefit is there to letting it connect to places that you don't have accounts at? If your mail handler is trying to connect to places you don't use, your system is probably infected.

It's the same with your browser. Why would you want to allow an unknown site to connect to your system? " }-
Yes Rick, but I don't see kerio 2.1.5 not blocking those unsolicited connections with the normal 'Ask Me First' setting. It is only if you block something and don't set it to alert or even log, you will not notice any abnormal activity. It is a taste of preference what we are writing about. I have same as you also allowed only special email traffic ports outbound and only to my ISP mail/news servers.
I prefer to not have any block all rule at the bottom of my ruleset either. My preference is to make my allowed rules tight, but also same time not blocking anything unknown beforehand and rather to get a prompt. Same time I don't like to get prompts for the internet accessing applications, so they have rules made for all normal traffic. Even Internet Explorer that is controlled instead for execution by ProcessGuard.

larryb52, there is my guide for Sygate in my signature and there is also this link to a page I made for additional rulemaking information:
http://www.kotiposti.net/string/SPF_eng/SPF_rulemaking.html
I feel as safe with Kerio 2.1.5 as with Sygate. Kerio 2.1.5 has more ease in rulemaking and allows you to import/export rules, which Sygate free does not. Sygate's log is much more "deluxe" than Kerio's, but then Kerio allows you to log every rule, even those system rules that stay hidden with SPF.

larryb52
August 10th, 2007, 06:39 AM
-{ Quote: "larryb52, there is my guide for Sygate in my signature and there is also this link to a page I made for additional rulemaking information:
http://www.kotiposti.net/string/SPF_eng/SPF_rulemaking.html
I feel as safe with kerio 2.1.5 as with Sygate." }-


I'll check out your Sygate setup but will work on setting up Kerio again. I'm running NOD32 and I always liked it because of its lightness, thanks...

samia
August 10th, 2007, 02:58 PM
For French speakers and others, take a look at
http://kerio215.free.fr/

herbalist
August 11th, 2007, 07:18 PM
-{ Quote: "I don't see kerio 2.1.5 not blocking those unsolicited connections with the normal 'Ask Me First' setting. It is only if you block something and don't set it to alert or even log, you will not notice any abnormal activity." }-
When set to either "ask me first" or "deny unknown", Kerio will block everything not permitted by rule. The only difference is whether it alerts the user to that connection attempt. I find the "deny unknown" setting to be too restrictive. There are too many instances where this setting could prevent an app from working, especially if the user has address specific rules. Likewise, the "ask me first" setting can result in way too many useless prompts.

I realize that everyone has their own specific needs and preferences, and that it's next to impossible to make specific rules for someone without knowing those preferences in detail. The firewall rules on my test units for instance are quite different from those on my primary unit, which other people also use. Except for the specific apps that might require it, my rules don't alert me to incoming connection attempts, port scans, etc. IMO, it's not important to know when they happen. They're outside of my control and as long as the firewall blocks them, those alerts just get in the way of whatever I'm doing. When I set up rulesets for another user, incoming connections to apps that don't need them (like the mail handler) get blocked silently. My reason for that is to prevent them from unknowingly allowing a malicious connection attempt. Too many will just click "allow" just to get rid of the prompt.

Regarding outbound connections by apps like the mail handler, I block them on both my primary box and on those I set up for others. The only thing I change is whether Kerio alerts them to the blockage or just logs it. Again, it's to prevent them from permitting a potentially malicious connection. IMO, if a user wants to investigate the unknown and has the ability to do so, they can always edit the rules.

Most users I know don't want to be prompted about every prevented attack. They want the security-ware to stay out of the way and do its job silently.
Rick

Escalader
August 12th, 2007, 10:47 AM
Hi Rick, my questions and comments for you are inside your post (keeps me OT!)

-{ Quote: "When set to either "ask me first" or "deny unknown", Kerio will block everything not permitted by rule." }-

I'm using ask me first. I like this idea of blocking everything not permitted, so when you review my current attached rules, see if I have undermined or duplicated Kerio using that approach. Example: if I haven't allowed the games at the top, why do I need any blocking rules for them? Is it because some "bad" applications try to use permitted ones to gain access?

-{ Quote: "The only difference is whether it alerts the user to that connection attempt. I find the "deny unknown" setting to be too restrictive. There's too many instances where this setting could prevent an app from working, especially if the user has address specific rules." }-

Okay, I don't use this setting.

-{ Quote: "Likewise, the "ask me first" setting can result in way too many useless prompts." }-

I don't seem to be experiencing that yet! Can you give me an example of a useless prompt?

-{ Quote: "I realize that everyone has their own specific needs and preferences, and that it's next to impossible to make specific rules for someone without knowing those preferences in detail. The firewall rules on my test units for instance are quite different from those on my primary unit, which other people also use. Except for the specific apps that might require it, my rules don't alert me to incoming connection attempts, port scans, etc. IMO, it's not important to know when they happen. They're outside of my control and as long as the firewall blocks them, those alerts just get in the way of whatever I'm doing. When I set up rulesets for another user, incoming connections to apps that don't need them (like the mail handler) get blocked silently." }-

Right, so far I have not got any log entries from Kerio! I must have some setting wrong OR I don't grasp where they are stored! Comments please.

-{ Quote: "My reason for that is to prevent them from unknowingly allowing a malicious connection attempt. Too many will just click "allow" just to get rid of the prompt." }-

Agreed, but I won't make that error; if I don't know what the prompt means I click deny.

-{ Quote: "Regarding outbound connections by apps like the mail handler, I block them on both my primary box and on those I set up for others. The only thing I change is whether Kerio alerts them to the blockage or just logs it. Again, it's to prevent them from permitting a potentially malicious connection. IMO, if a user wants to investigate the unknown and has the ability to do so, they can always edit the rules." }-

Agreed, can you review my rules on the mail server business? Since I have Kerio set to ask me and it denies if not permitted, wouldn't my 2 rules or draft MS Outlook settings just allow it to do mail, denying all others the ability to send/receive email on my PC?

-{ Quote: "Most users I know don't want to be prompted about every prevented attack. They want the security-ware to stay out of the way and do its job silently." }-

Yes, but for now I'm in learning mode and don't mind, but I have not had 1 alert on something Kerio prevented? Some simple thing I'm missing again. :-[

herbalist
August 12th, 2007, 11:43 AM
Escalader,
I've finally got a new copy of the default ruleset for XP. Kerio's default ruleset for XP is more vulnerable than its 98 equivalent.
These are Kerio's default rules for XP. I've circled several that need attention in both the default ruleset and yours. Since you're behind a router and assuming it's blocking these ports, they aren't as serious as they could be. Run a port scan to be sure they are blocked. Router configuration matters here.
192553
Microsoft-DS, port 445 More info on this port/service here (http://www.grc.com/port_445.htm). Unless you have a specific need to share files on a network, change this rule to block, both directions.

LSA Shell (kerberos), port 88 More on this here (http://en.wikipedia.org/wiki/Kerberos_(protocol)) and here (http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci212437,00.html) Unless you specifically use this service, block this port. If you're unsure, just uncheck the rule. This way, you'll be prompted if a connection attempt is made. This rule is for both directions, so check any incoming connection requests closely.

Winlogon, LDAP, LSA Shell, port 389 and others More info on WinLogon (http://en.wikipedia.org/wiki/Winlogon), LSA subsystem service (http://en.wikipedia.org/wiki/Local_Security_Authority_Subsystem_Service), Security Implications (http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx). Port 389 serves multiple purposes, much of which involves remote access. Without knowing your specific needs, I'd uncheck these rules but don't delete them. If you're prompted for any of these and are not sure if it's actually necessary, deny it once and see if everything still works. Windows services are good at asking for more than you need and some of these open ports for incoming connections you probably don't use. If everything still works with connections blocked, you can edit them to block permanently.

Generic Host Process (SVChost.exe) can be a problem as it includes many services, some of which you may use, the DNS client service being one possibility. Often multiple instances of SVChost are running. More info here (http://en.wikipedia.org/wiki/SVChost.exe), and here (http://support.microsoft.com/kb/314056). The alerts may or may not identify the specific service, but will identify the requested port number. A Google search for SVCHOST with the port number should lead you to the service in question. SVChost also performs the functions that rundll did on 9X systems, namely enabling DLLs to run as executables. Some malware is in the form of DLLs, making both SVChost and Rundll targets. Don't allow incoming access to these. With a few exceptions, SVChost can be denied outbound internet access with no ill effects. Using the deny option without actually making a permanent rule is the easiest way to sort thru it.

Your ruleset also allows Application Layer Gateway (Alg.exe) to connect out. This process is involved in internet connection sharing. More info here (http://en.wikipedia.org/wiki/Alg.exe), and here (http://www.blackviper.com/WinXP/Services/Application_Layer_Gateway_Service.htm).
Unless you specifically need it, you may want to block this as well.

You might also want to look into disabling some of the unnecessary services in addition to denying them internet access. Black Viper (http://www.blackviper.com/WinXP/servicecfg.htm) has a lot of info on this. If you decide to try disabling services, make a system backup first and go slowly, one or two at a time, making sure everything you use still works.

Rick
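Rick's advice above is to run a port scan to confirm the router really blocks the ports whose default rules he circled. The following is an added example written for this page, not code from the thread or from Kerio: a plain TCP connect check for the three ports he names (88, 389, 445). It only tells you something about the router if you run it from a machine outside the router against your public address; pointed at 127.0.0.1 it just shows what is listening locally. It checks TCP only (Kerberos and LDAP also listen on UDP), and the port/service table is constructed from the post.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

# Ports circled in the post above, with the Windows service behind each
# (table constructed from the post, not taken from Kerio's ruleset file).
XP_DEFAULT_RULE_PORTS = {
    88: "Kerberos (LSA Shell)",
    389: "LDAP (Winlogon / LSA Shell)",
    445: "Microsoft-DS (SMB over TCP)",
}


def tcp_port_open(host, port, timeout=1.0):
    """True if a TCP connect to host:port completes within `timeout` seconds.

    A refused or filtered port raises OSError (TimeoutError is a subclass), so
    a firewall that drops the SYN and a host that answers RST both count as closed.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def scan(host, ports, timeout=1.0, workers=8):
    """Connect-scan `ports` on `host` in parallel; return the sorted list of open ports."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        hits = list(pool.map(lambda p: (p, tcp_port_open(host, p, timeout)), ports))
    return sorted(p for p, is_open in hits if is_open)


def report(host, ports=XP_DEFAULT_RULE_PORTS, timeout=1.0):
    """Map each port to 'open' or 'blocked' so the result reads like the checklist in the post."""
    open_ports = set(scan(host, ports, timeout))
    return {p: ("open" if p in open_ports else "blocked") for p in ports}


def local_listener(host="127.0.0.1"):
    """Open a listening TCP socket on an ephemeral port (for sanity-checking the scanner offline).

    Returns (socket, port); the caller closes the socket.
    """
    srv = socket.socket()
    srv.bind((host, 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    import sys
    # Run as: python check_ports.py <your public IP>  from a host OUTSIDE the router.
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for port, state in report(target).items():
        print(f"{port:>5}  {XP_DEFAULT_RULE_PORTS[port]:<32} {state}")
```

If any of the three comes back "open" from outside, the router is forwarding it and Kerio's rule for that service is the only thing left between the internet and the service, which is exactly the case where Rick's "change this rule to block" advice matters.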

herbalist
August 12th, 2007, 11:52 AM
Didn't see that you'd posted before my last one.

herbalist
August 12th, 2007, 12:34 PM
-{ Quote: "I'm using ask me first. I like this idea of blocking everything not permitted so when you review my current attached rules, see if I have undermined or dupicated Kerio using that approach. Example if I haven't allowed the games at the top, why do I need any blocking rules for them? Is it because some "bad" applications try to use permitted ones to gain access?" }-
My reason for blocking rules at the top is so global rules (those that aren't specific to any application) aren't utilized by the blocked apps. For example, if the DNS rules are above the rules that block a specific application, that app can connect using the DNS rule. If your question was more to the effect of "Why block what I haven't specifically allowed?", it's to keep apps you don't want to have internet access from asking for it.
-{ Quote: "I don't seem to be experiencing that yet! Can you give me an example of a useless prompt?" }-
Ever used a firewall that alerted you every time it blocked a port scan or incoming connection attempt? Several years back, I used NIS 2002. Every time a port scan touched my PC, it would put that alert in the middle of whatever I was doing, at times every few minutes. It always called the port scan a "WinCrash attack". Drove me nuts. I consider alerts to port scans and other inbound connection attempts to be useless. I can't prevent them and it's useless to try to track them. All I can do is block them, and that can be done silently. Being behind a router/firewall protects you from a lot of that.
-{ Quote: "Right, so far I have not got any log entries from Kerio! I must have some setting wrong OR I don't grasp where they are stored! Comments please." }-
Kerio is pretty good about logging only what you tell it to. The log is accessible from the status screen menu. Your router also blocks much of what Kerio would normally log. The main log settings are on the advanced screen, miscellaneous tab. Mine used to get filled quickly until I put Smoothwall out front. Now it's primarily for monitoring specific outbound attempts, selected on specific rules using the "log when this rule matches" option.
-{ Quote: "can you review my rules on the mail server business, since I have kerio set to ask me and it denies if not permitted, wouldn't my 2 rules or draft MS Outlook settings just allow it to do mail denying all other to send / receive email on my PC?" }-
On the "ask me first" setting, Kerio does block whatever isn't permitted by rule, but it also prompts you about it. Blocking rules eliminate the prompts. I've never used Outlook, but I'd question the rule allowing outbound UDP to anywhere. If outbound UDP is necessary for Outlook, I'd try to make it more specific. Other than that, just make the rules specific to your mail services IPs.

Rick
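As an added illustration of the first-match ordering Rick describes here, and of the mail-handler and browser rule pairs from his earlier post in this thread, the following Python models how a Kerio 2.x style ruleset is read top to bottom and acts on the first rule that matches. It is example code written for this page, not code from the thread or from Kerio, and its application names (mail.exe, browser.exe, game.exe) and the RFC 5737 documentation addresses standing in for the ISP's servers are constructed. It shows the two things the posts argue about: an allow rule followed by a per-app block gives a silent deny instead of a prompt, and a global DNS allow placed above a per-app block lets the "blocked" app out on port 53.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "*"   # wildcard for any application, direction or protocol


@dataclass(frozen=True)
class Rule:
    """One line of a Kerio 2.x style ruleset (a model, not Kerio's own rule format)."""
    name: str
    action: str                        # "allow" or "deny"
    app: str = ANY                     # executable the rule applies to; ANY = global rule
    direction: str = ANY               # "in", "out" or ANY (both directions)
    proto: str = ANY                   # "tcp", "udp" or ANY
    ports: frozenset = frozenset()     # remote ports; empty = any port
    nets: tuple = ()                   # remote networks; empty = any address

    def matches(self, c):
        return (self.app in (ANY, c.app)
                and self.direction in (ANY, c.direction)
                and self.proto in (ANY, c.proto)
                and (not self.ports or c.port in self.ports)
                and (not self.nets or any(ip_address(c.addr) in n for n in self.nets)))


@dataclass(frozen=True)
class Conn:
    """A connection attempt as the firewall sees it."""
    app: str
    direction: str   # "in" or "out"
    proto: str       # "tcp" or "udp"
    port: int        # remote port
    addr: str        # remote IPv4 address


def evaluate(rules, conn, unknown="ask"):
    """Walk the ruleset top to bottom and act on the first rule that matches.

    `unknown` is the fall-through when nothing matches: "ask" models the
    "Ask me first" setting (user is prompted), "deny" models "Deny unknown".
    Returns (verdict, name of the deciding rule); the name is None on fall-through.
    """
    for rule in rules:
        if rule.matches(conn):
            return rule.action, rule.name
    return unknown, None


# Constructed rules. 203.0.113.10 stands in for the ISP's mail server.
def mail_rules(isp_mail="203.0.113.10"):
    """Allow only SMTP/POP3 out to the ISP, then silently block everything else for the mail client."""
    return [
        Rule("mail: allow ISP", "allow", app="mail.exe", direction="out", proto="tcp",
             ports=frozenset({25, 110}), nets=(ip_network(isp_mail),)),
        Rule("mail: block the rest", "deny", app="mail.exe"),
    ]


def browser_rules():
    """Allow HTTP/HTTPS out to anywhere, block all inbound; anything else falls through to `unknown`."""
    return [
        Rule("browser: allow web out", "allow", app="browser.exe", direction="out",
             proto="tcp", ports=frozenset({80, 443})),
        Rule("browser: block inbound", "deny", app="browser.exe", direction="in"),
    ]


DNS_OUT = Rule("global: DNS out", "allow", direction="out", proto="udp", ports=frozenset({53}))
BLOCK_GAME = Rule("game: block all", "deny", app="game.exe")


def leaky_order():
    """Global DNS allow above the per-app block: the blocked game still gets out on port 53."""
    return [DNS_OUT, BLOCK_GAME] + mail_rules() + browser_rules()


def tight_order():
    """Per-app blocks first, then global allows, then per-app allows."""
    return [BLOCK_GAME, DNS_OUT] + mail_rules() + browser_rules()


if __name__ == "__main__":
    game_dns = Conn("game.exe", "out", "udp", 53, "203.0.113.53")
    print("leaky order:", evaluate(leaky_order(), game_dns))   # the global DNS rule lets it out
    print("tight order:", evaluate(tight_order(), game_dns))   # the game block catches it
    stray = Conn("mail.exe", "out", "tcp", 25, "198.51.100.7")
    print("mail to unknown server:", evaluate(mail_rules(), stray))  # denied, no prompt
    game_port = Conn("browser.exe", "out", "udp", 27015, "198.51.100.7")
    print("browser on a game port:", evaluate(browser_rules(), game_port))  # falls through to a prompt
```

The `unknown` argument is the only place the two global settings differ: with the same ruleset, "Ask me first" turns every fall-through into a prompt and "Deny unknown" turns it into a silent drop, which is the point Rick makes about address-specific rules breaking quietly under "Deny unknown".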

Escalader
August 12th, 2007, 12:49 PM
-{ Quote: "Didn't see that you'd posted before my last one." }-

That's okay Rick. Thanks, for all your work on my set up! As it is learning thread I really hope others on Kerio will benefit as well as myself.

Your posts have given me knowledge and work to do.

On services on or off I will hold until the setting work is done, then proceed as you say one service at a time. Stem helped me earlier and I turned off some services and have had no ill effects.

So now I will go away and do the work alter my settings and report back in a few days.

Take it easy.

lucas1985
August 12th, 2007, 02:09 PM
A nice Kerio 2 Rule Set Tutorial (http://www.urs2.net/rsj/computing/kerio/index.html) :)

Escalader
August 26th, 2007, 10:53 PM
Hello Herb, Stem and lucas1985:

Been fishing in other lakes lately, so just got back to posting my Kerio 2.1.5 FW rules. Tried to carry out most of the learnings offered but would like your comments on this version 2. Be as blunt as you want it is faster!8)

Stem, Herb has left the lan and other network settings to you please!

I'm still having trouble stopping BD reporting back from using my outlook email settings, so any ideas on that would be good. I have the ip blocked on PG2 but the outlook craps out saying can't process and other normal email won't come in
so I turned off the rule.

Thanks in advance, ;D

Stem
August 26th, 2007, 11:16 PM
Hello Escalader,

I would need to see all your rules before I could comment/help (your pic only shows a section of these)

Escalader
August 26th, 2007, 11:34 PM
-{ Quote: "Hello Escalader,

I would need to see all your rules before I could comment/help (your pic only shows a section of these)" }-

Okay, sorry I'll post multiple jpg's tomorrow!

Going to turn in now!

Stem
August 27th, 2007, 12:01 AM
-{ Quote: "I'll post multiple jpg's tomorrow!" }-

OK.

We will need to go through all rules, for example:-

DHCP: are you actually using this, or have you fixed your IP?
In Time Exceeded: This reply will not get past your AlphaShield
Lan bypass: I thought you wanted to keep the lan as internet?
etc. etc.

herbalist
August 27th, 2007, 07:10 AM
Stem,
Regarding
-{ Quote: "Stem, Herb has left the lan and other network settings to you please!" }-
I don't know the specifics of the network that Escalader is using, how may PCs, hardware firewall, static or dynamically assigned IPs, etc. Since you've already been working with Escalader on this, I didn't want to duplicate and probably undo the work you've already done.
Rick

Escalader
August 27th, 2007, 02:27 PM
-{ Quote: "OK.

We will need to go through all rules, for example:-

DHCP: are you actually using this, or have you fixed your IP?
In Time Exceeded: This reply will not get past your AlphaShield
Lan bypass: I thought you wanted to keep the lan as internet?
etc. etc." }-

Stem:

1) Please see the attached 2 jpg's I promised last night
2) My ip comes from the isp and stays fixed for up to say 2 to 3 weeks
3) Even though it makes more work I want to assume that the alpha shield may not always be in use! If I want to do a scan or it fails then the FW will catch what it needs to catch! Maybe I'm crazy. But like we said trust nothing
4) I do want to keep the Lan / router as internet, in services DHCP is set to automatic, should I disable this service or set it to manual in case needed when my ip address does change. Maybe I'm confused again!:-[

Fire away guys! Show no mercy!8)

Stem
August 27th, 2007, 11:23 PM
-{ Quote: "I do want to keep the Lan / router as internet, in services DHCP is set to automatic, should I disable this service or set it to manual in case needed when my ip address does change." }-Your external IP (issued by your ISP) will be obtained by your router; this will renew when needed (any settings for DHCP on your PCs will not alter this). Your PCs on your LAN will obtain their IPs from the router (if the PC is set for this).

Let's have a quick look through your rules:-

I will just go through the "allow" rules.

Microsoft Office: I don't use this, so the rules mean nothing to me. If you are using this, then I presume you know what these connections are for?

DNS: Normally, I would enter the DNS server IPs into the rule. But for you, it would depend on whether your DNS servers are fixed (do not change).

LAN subnet bypass: You should disable or remove this rule (as you want to keep your PC isolated from the other PCs on your LAN).

Standard loopback: Not really a problem to allow this, unless you are using any sort of local proxy (such as, for example, the HTTP scanner in KAV).

DHCP: This is to obtain the IP for your PC (private LAN IP), not the IP from your ISP. It's not really an issue to use DHCP on your home LAN, so if your PC is set up to obtain an IP automatically, then you can leave this.

Time Exceeded: As you have already blocked outbound "ping", this rule will not be used. You can disable it.

Windows logon: Are you actually using this? Some info (http://www.grc.com/port_389.htm)

Generic host process: You need to look at this. The rule is allowing all outbound. You have a rule in place to allow DHCP and DNS. I presume your main need for this would be for Windows updates?

Application Layer Gateway: This is basically an FTP client. You should not even need this process/service; I would certainly (at minimum) disable this rule.

Reply from NTC service: Windows time sync. Leave if you use this.

Microsoft help centre: Do you use Windows help? If you do, do you want it connecting to Microsoft each time?

Firefox/IE: I personally restrict these to the remote ports needed, but this is up to yourself.

The rest of the rules are mainly for your software updates. So I will leave these, apart from the:-
Sysinternals process explorer: As this is now part of Microsoft, do you know where this is connecting? I am not sure why this needs to connect out.

Escalader
August 28th, 2007, 12:58 PM
Stem:

Right, I'll make those improvements and post back results, will take a while.

Saw your posts on new PC tools FW so that was interesting.

More later

Escalader
September 11th, 2007, 08:06 PM
Hello:

Been busy elsewhere.

Turns out the Kerio 2.1.5 has a corrupt driver fwdrv.sys.

It impacts Windows xp sp2 not win 98. It causes a BSOD stop when running Perfect Disk defrag program.

I have replaced it with Sunbelt Personal FW on a 30 day trial.

It allows the import of the saved rules from Kerio plus a HIPS, NIPS and Behavior Blocking.

So, we will have to either drop this thread, do nothing or convert it to Sunbelt learning thread.

Makes no difference to me what is decided.

If anybody wants to ask me a Kerio question I will try to answer you.

Peter2150
September 11th, 2007, 09:05 PM
-{ Quote: "Hello:

Been busy elsewhere.

Turns out the Kerio 2.1.5 has a corrupt driver fwdrv.sys.

It impacts Windows xp sp2 not win 98. It causes a BSOD stop when running Perfect Disk defrag program.

I have replaced it with Sunbelt Personal FW on a 30 day trial.

It allows the import of the saved rules from Kerio plus a HIPS, NIPS and Behavior Blocking.

So, we will have to either drop this thread, do nothing or convert it to Sunbelt learning thread.

Makes no difference to me what is decided.

If anybody wants to ask me a Kerio question I will try to answer you." }-

If you switch to Sunbelt, starting a new thread would be most appropriate.

Pete

herbalist
September 11th, 2007, 10:51 PM
I haven't had a problem with Kerio 2.1.5 on an XP box, but none of them used Perfect Disk Defrag either. Too bad this problem didn't show up earlier.
Rick

Escalader
September 12th, 2007, 01:36 PM
-{ Quote: "I haven't had a problem with Kerio 2.1.5 on an XP box, but none of them used Perfect Disk Defrag either. Too bad this problem didn't show up earlier.
Rick" }-

Agreed! See PM.

InfinityAz
September 12th, 2007, 02:12 PM
-{ Quote: "It causes a BSOD stop when running Perfect Disk defrag program. " }-

Escalader,

The issue with PD has been known for a while and Raxco recommends not running Kerio 2.x because of it. This is the only reason I'm not running Kerio 2 on my machines (they all have PD).

Escalader
September 12th, 2007, 07:19 PM
-{ Quote: "Escalader,

The issue with PD has been known for a while and Raxco recommends not running Kerio 2.x because of it. This is the only reason I'm not running Kerio 2 on my machines (they all have PD)." }-

TY:

Yes, found this out only yesterday from PD.

It's a slip up not checking with PD and other vendors before proceeding with this learning thread:-[ Why I had to relearn this while working on Kerio FW piece of my layers/component is unforgivable! It will NOT happen again.

More later on next steps.

herbalist
September 12th, 2007, 08:16 PM
It's odd that this is only a problem with PD, unless there's others I haven't heard of. I'm not familiar with PD, doesn't run on my box. I just use the windows defrag. Do you still have Kerio installed or have an image of that setup you can restore? If you do, I have an idea you could try. I won't have access to an XP unit with Kerio on it until late tomorrow, so I can't check if it behaves the same way as it does on a 98 box. On 98, when you shut Kerio down via the tray icon, it doesn't kill the process. I have to use either SSM or Process Explorer to kill the process itself. On XP, you'd probably have to shut down the service. If PD is trying to move files for a process that's still active, that could explain the problem. If you still have Kerio installed or an image of that setup, try killing the Kerio process instead of just shutting it down, then run PD.
Rick

herbalist
September 12th, 2007, 08:26 PM
-{ Quote: "It's a slip up not checking with PD and other vendors before proceeding with this learning thread. Why I had to relearn this while working on Kerio FW piece of my layers/component is unforgivable! It will NOT happen again." }-
If you make it a policy to make a system backup before installing a new app, you'll always have an easy way to get back to where you started, without having to worry if the uninstaller removed everything. I made that mistake on my primary unit before I had imaging software. An install caused BSODs that wouldn't stop, even after removing the new app in safe mode. It took 114 separate installs of apps, patches, updates, etc to get back what I had. With configuring, it was 2 full days wasted.
Rick

Escalader
September 13th, 2007, 08:21 PM
-{ Quote: "If you make it a policy to make a system backup before installing a new app, you'll always have an easy way to get back to where you started, without having to worry if the uninstaller removed everything. I made that mistake on my primary unit before I had imaging software. An install caused BSODs that wouldn't stop, even after removing the new app in safe mode. It took 114 separate installs of apps, patches, updates, etc to get back what I had. With configuring, it was 2 full days wasted.
Rick" }-

Rick:

That 2 days you spent was worse than this for sure.

I have imaging software and frequent backups but only once had to use it, when a chkdsk /f nearly destroyed my set up. Used the dvd image and bootable cd to bring it back up.

Escalader
September 13th, 2007, 08:26 PM
-{ Quote: "It's odd that this is only a problem with PD, unless there's others I haven't heard of. I'm not familiar with PD, doesn't run on my box. I just use the windows defrag. Do you still have Kerio installed or have an image of that setup you can restore? If you do, I have an idea you could try. I won't have access to an XP unit with Kerio on it until late tomorrow, so I can't check if it behaves the same way as it does on a 98 box. On 98, when you shut Kerio down via the tray icon, it doesn't kill the process. I have to use either SSM or Process Explorer to kill the process itself. On XP, you'd probably have to shut down the service. If PD is trying to move files for a process that's still active, that could explain the problem. If you still have Kerio installed or an image of that setup, try killing the Kerio process instead of just shutting it down, then run PD.
Rick" }-

I've got an xp version of Kerio going now and imported our rules from your version into it thus preserving our work. The PD driver problem is gone now and it ran fine today. Only thing is I now have 27 days left on the trial version 4.1.3. The higher version has a bug in importing old kerio rule, so I'm 1 version or so back.

What now?

BlitzenZeus
September 13th, 2007, 11:38 PM
If a disk defrag is having problems with security software as simple as a packet filter, they are doing something wrong. They should be able to fix the problem on their end.

Pick the software firewall you like, and you can configure correctly. Not the one you need help with every 10 minutes 8)

Escalader
September 14th, 2007, 05:09 PM
-{ Quote: "If a disk defrag is having problems with security software as simple as a packet filter, they are doing something wrong. They should be able to fix the problem on their end.

Pick the software firewall you like, and you can configure correctly. Not the one you need help with every 10 minutes 8)" }-

In this case, it is a driver incompatibility not the Disk Defrag. See following data from PD KB

" Article Title:
When I run PerfectDisk on my system, Windows crashes.

Article Details:
There are only 2 things that can cause Windows to crash:

A hardware component that may be in the process of failing
A driver that is improperly written and isn't handling a supported operation correctly
There are several 3rd party software programs that have drivers that are known to cause Windows to crash when PerfectDisk is run on the system:

Software / Driver name

IBM's Rapid Restore ibmfilter.sys - update available from IBM

EMC/Legato's RepliStor replistor.sys - fixed in RepliStor Version 6

New Softwares Folder Lock WinDrvNT.sys

Hide Folder HF30XP.sys

Universal Shield/Lock Folder US30XP.sys - update available from Everstrike

BitDefender/FileSpy filespy.sys and bdfsdrv.sys

Kerio Personal Firewall fwdrv.sys - update available from Kerio

INVISUS PC Security Solution fwdrv.sys

RamDiskXP ramdiskxp.sys

WinAntiVirus PRO fopn.sys


Please check to see if you have any of the listed programs installed on your computer and click on the appropriate link above for suggested workarounds or bug fixes from the program manufacturer. "

BlitzenZeus
September 14th, 2007, 05:57 PM
Blah blah blah, if they are having problems with so many companies software, they have a real problem, and just telling you not to run it is not the answer.

herbalist
September 14th, 2007, 06:09 PM
I've never used 4.1.3. I have no idea how it compares to 2.1.5, what additional components/functions it contains, or how functional it remains after the trial period. I'd hesitate to use a firewall that is partially crippled trialware as the non-functional features could still conflict with other functional software that performs the same tasks. If it were my PC, I'd try to find a way around the conflict with PD so I could keep using 2.1.5.
Rick

Escalader
September 14th, 2007, 06:18 PM
-{ Quote: "I've never used 4.1.3. I have no idea how it compares to 2.1.5, what additional components/functions it contains, or how functional it remains after the trial period. I'd hesitate to use a firewall that is partially crippled trialware as the non-functional features could still conflict with other functional software that performs the same tasks. If it were my PC, I'd try to find a way around the conflict with PD so I could keep using 2.1.5.
Rick" }-

Rick/BlitzenZeus:

I agree with you guys. I don't like this 4.x stuff they have other duplicate shields and will charge us for a FW. :thumbd:

I'm moving back to 2.1.5, I'll import BlitzenZeus's rules and rebuild my rules from scratch.

See you both later!

Live and learn.


Update:

2.1.5 reloaded, BlitzenZeus's rules imported, all daily applications working so far fine!

Will now start adding applications to allow / not , then I will reinsert the Stem network advice then the Herbalist advice.

BlitzenZeus, what's the real story on this fwdrv.sys from 2003? I've seen a lot of "data" on it being an issue!
Do you have it on your setup or is there an upgrade somewhere?

Jarmo P
September 15th, 2007, 05:26 AM
-{ Quote: "2.1.5 reloaded, BlitzenZeus's rules imported, all daily applications working so far fine!

Will now start adding applications to allow / not , then I will reinsert the Stem network advice then the Herbalist advice. " }-

So you did not have your own ruleset to come back with saved?

Kerio 2.1.5 is one of the easiest firewalls to reinstall. Uninstalls easy in my experience too and I always come back to it after getting disappointed with others (Sygate is ok though kind of, if accepting the loopback address shortcoming with local proxy software and default act as server right).

I might try Comodo's 3 when it comes out of beta to see if basic firewall functions are improved from 2.4. Quite sure though that I will be disappointed, again, lol. Not to mention what to do with my current HIPS's PG free and Prevx2.

Jarmo

EASTER
September 15th, 2007, 07:12 AM
Have stayed with Kerio 2.1.5 since windows 98 days when that system was all we had along with NT & Me.

It's an almost perfect firewall with reliable results time and again. The longevity of it over all this time and over ALL others proves this out.

Escalader
September 15th, 2007, 09:36 AM
Hi Jarmo! Good you are still posting! My comments are embedded in your post as usual. - added proper quoting

-{ Quote: "So you did not have your own ruleset to come back with saved?" }-Yes, I did have my own rule set(s) on a USB stick! But I wasn't that proud of them they were my first Kerio rules and I built them over many weeks sometimes getting confused. So I wanted to start with BlitzenZeus's advanced rules as a base follow his off line install procedure for what was known about my set up. I am now going back over all advice in this thread from post 1 up and rethinking then making changes in my rules as required!

-{ Quote: "Kerio 2.1.5 is one of the easiest firewalls to reinstall. Uninstalls easy in my experience too and I always come back to it after getting dissapointed with others (Sygate is ok though kind of, if accepting the loopback address shortcoming with local proxy software and default act as server right)." }-Agree with you as others have disappointed me as well. I don't know anything about Sygate but that is OT most likely for mods.

-{ Quote: "I might try Comodo's 3 when it comes out of beta to see if basic firewall functions are improved from 2.4. Quite sure though that I will be dissapointed, again, lol. Not to mention what to do with my current HIPS's PG free and Prevx2." }-Agree again, my posts over there speak on their own. Don't think vendor should design FW's by polling users that know less than I do!:o

What defrag do you use with Kerio 2.1.5?

Escalader
September 15th, 2007, 09:42 AM
Hello Easter! Mine are embedded. - added proper quoting

-{ Quote: "Have stayed with Kerio 2.1.5 since windows 98 days when that system was all we had along with NT & Me." }-Good! Are you running Kerio 2.1.5 with XP sp2? What defrag program are you using?

-{ Quote: "It's an almost perfect firewall with reliable results time and again. The longetivity of it over all this time and over ALL others proves this out." }-Hmm you are right no software is perfect. Can you tell the thread about it's flaws and if known the ways you may have mitigated for them?

If that is not what you want to do on open thread I understand there is always PM's!

Stem
September 15th, 2007, 03:43 PM
Hello Escalader,
-{ Quote: "So I wanted to start with BlitzenZeus's advanced rules as a base" }-You should, with the amount of firewalls you have looked at, be at a stage of being able to create your own ruleset.

Complete rulesets are normally generic, and based on the needs of many users. You have your own needs for Internet use, so show this with your own ruleset.
Start with system apps, then updaters, then your browser.

Regards,

Jarmo P
September 16th, 2007, 02:27 AM
I seldom defrag. But if I would do that, just the normal thing that comes with XP os.
That has no problem with kerio 2.1.5.

Disk fragmentation is not something I care about since I have almost empty HD and also large memory. Running all the time inside Sandboxie might cause some fragmentation though, but I consider the tiny performance hit not something to do defrag.

What Stem suggests, deleting all the rules and building from scratch, is of course the most personal way. I prefer using BZ's or some other template as a starting point. There are many rule blockings that probably do not concern a particular system, but do no harm to have them.
The DNS and DHCP rules should be tightened, but this has been discussed in this thread already as also in BZ default replacement thread.

I would remove the standard loopback rule and make localhost address rules separate for the apps that need it. I think Rick commented also about that in here. This way no local proxy type software is making a tunnel through which programs can go out to internet without you getting asked.

Escalader
September 16th, 2007, 12:20 PM
-{ Quote: "Hello Escalader,
You should, with the amount of firewalls you have looked at, be at a stage of being able to create your own ruleset.

Complete rulesets are normally generic, and based on the needs of many users. You have your own needs for Internet use, so show this with your own ruleset.
Start with system apps, then updaters, then your browser.

Regards," }-

Hi Stem:

Well yes! I'm doing exactly that. The level I'm actually at and the level I should be at may differ but that's okay. :-\

My scheme is simple to describe. If anybody sees a missing task just tell me and I'll consider it/add it.

1) DONE: Load BlitzenZeus's advanced rules into my Kerio 2.1.5
2) UNDERWAY: Adjust rules based on previous advice from this thread and earlier ones for systems apps, and browser, my ISP server finally in Primary DNS server
3) DONE: Security applications rules in place,
4) DONE: Limitation on email seems to work finally (logged) some blocks!
5) NOT DONE: provide rules for review here in the thread

BTW, earlier you asked about why that procexp.exe connects out.
Seems it goes to 199.7.54.190:80 it wants to verify the digital signatures of each application. On whois I get

Reports no PTR record (NXDOMAIN)

So for now I've removed this application. (when in doubt remove)

Escalader
September 16th, 2007, 12:37 PM
Hi Jarmo:

I'm forgetting about defrag issues for now. They came up and distracted me ( easy to do)

I'm like you a bit I like the template since I can always remove rules not relevant to my set up and it certainly provided a set I would not have produced my self (well some rules anyway).

What was interesting was that some of those "new" template rules logs showed up some new outgoing/incoming probes! Those packets passed through my H/W FW. So to me they were technically formed properly and shows what a SW FW can do!

I just add those ip's to PG 2 as permanent blocks.

On your quote ( not new I know)

"I would remove the standard loopback rule and make localhost address rules separate for the apps that need it. I think Rick commented also about that in here. This way no local proxy type software is making a tunnel through which programs can go out to internet without you getting asked."

Can you help me a bit by posting your examples here since I think Stem told me earlier the standard loopback was okay in my case.:-\

On the localhost address rules have you got an example of that?

If you haven't the time don't worry since you can always comment on my "new" rules when I post them.




-{ Quote: "I seldom defrag. But if I would do that, just the normal thing that comes with XP os.
That has no problem with kerio 2.1.5.

Disk fragmentation is not something I care about since I have almost empty HD and also large memory. Running all the time inside Sandboxie might cause some fragmentation though, but I consider the tiny performance hit not something to do defrag.

What Stem suggests, deleting all the rules and building from scratch, is of course the most personal way. I prefer using BZ's or some other template as a starting point. There are many rule blockings that probably do not concern a particular system, but do no harm to have them.
The DNS and DHCP rules should be tightened, but this has been discussed in this thread already as also in BZ default replacement thread.

I would remove the standard loopback rule and make localhost address rules separate for the apps that need it. I think Rick commented also about that in here. This way no local proxy type software is making a tunnel through which programs can go out to internet without you getting asked." }-

herbalist
September 16th, 2007, 01:16 PM
Here's an example of a rule allowing loopback connections from Sea Monkey to Proxomitron which is configured to use port 8080.
[attachment 193432: screenshot of the allow rule]
This differs from BZs loopback rule in that it only allows loopback for Sea Monkey and only to remote port 8080. I also used a single IP instead of a network mask.

This rule blocks all loopback not specifically allowed by rules above it in the ruleset. The "allow" rules for both Sea Monkey and Proxomitron need to be located above this rule.
[attachment 193433: screenshot of the blocking rule]

Rick

Jarmo P
September 16th, 2007, 01:49 PM
Rick was fast and gave an example.
As I dont have any 'Any application' loopback rule. I get a popup when localhost address is needed. So I add a rule for example to Firefox:
Mine is not restricted. It is: Allow UDP/TCP Out Any port to address 127.0.0.1, Any port. Firefox is no baddie, so I don't restrict that rule. But quite ok to do that too like Rick does to SeaMonkey browser.

If I happened to have a "baddie program" and was also running a local proxy like Avast's WebShield or Proxomitron, I would get a popup of that baddie wanting to go out by kerio 2.1.5, since I have no "global" loopback rule. But if I had that standard loopback any app rule, the baddie program would go out. Without my knowledge.

Again Rick prefers to block unknown in his second example and I prefer to use 'ask me first' firewall feature to know if there is something wanting to run in my system that I like to have control indication from my firewall. It is a matter of preference of how to use the firewall.
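The two points made above, Stem's advice earlier in the thread to enter the DNS server IPs into the DNS rule, and Rick's and Jarmo's per-application loopback rules placed above a rule that blocks all other loopback, both come down to how a first-match ruleset is evaluated. The model below is an added example written for this thread; it is not code from Kerio or from any poster. The application names, the 8080 proxy port and the 192.0.2.x resolver addresses are placeholders standing in for whatever your own setup uses.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "*"


@dataclass(frozen=True)
class Conn:
    """One connection attempt as a host firewall sees it."""
    app: str          # process image, e.g. "seamonkey.exe"
    direction: str    # "out" or "in"
    proto: str        # "tcp" or "udp"
    remote_ip: str
    remote_port: int
    local_port: int


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                 # "allow" or "deny"
    app: str = ANY
    direction: str = ANY
    proto: str = ANY
    remote: tuple = ()          # IPs or CIDRs; empty = any remote address
    remote_ports: tuple = ()    # empty = any remote port
    local_ports: tuple = ()     # empty = any local port

    def matches(self, c: Conn) -> bool:
        return (
            self.app in (ANY, c.app)
            and self.direction in (ANY, c.direction)
            and self.proto in (ANY, c.proto)
            and (not self.remote
                 or any(ip_address(c.remote_ip) in ip_network(n) for n in self.remote))
            and (not self.remote_ports or c.remote_port in self.remote_ports)
            and (not self.local_ports or c.local_port in self.local_ports)
        )


def decide(rules, conn, unknown="ask"):
    """First matching rule wins (Kerio 2.x evaluates top-down), so order matters.
    'unknown' is what happens when nothing matches: "ask" (Ask me first) or "deny"."""
    for r in rules:
        if r.matches(conn):
            return r.action, r.name
    return unknown, None


# Placeholder resolver addresses (documentation range); substitute your ISP's.
DNS_SERVERS = ("192.0.2.1", "192.0.2.2")

# Template-style: any application may talk to anything on 127/8, and DNS may go anywhere.
GENERIC = [
    Rule("Standard loopback", "allow", remote=("127.0.0.0/8",)),
    Rule("DNS (any server)", "allow", direction="out", proto="udp", remote_ports=(53,)),
]

# Tightened: loopback only for the browser-to-proxy hop (both ends allowed explicitly,
# above the block), everything else on loopback denied, DNS pinned to known resolvers.
TIGHT = [
    Rule("SeaMonkey -> Proxomitron", "allow", app="seamonkey.exe", direction="out",
         proto="tcp", remote=("127.0.0.1",), remote_ports=(8080,)),
    Rule("Proxomitron listens", "allow", app="proxomitron.exe", direction="in",
         proto="tcp", remote=("127.0.0.1",), local_ports=(8080,)),
    Rule("Block other loopback", "deny", remote=("127.0.0.0/8",)),
    Rule("DNS (pinned)", "allow", direction="out", proto="udp",
         remote=DNS_SERVERS, remote_ports=(53,)),
]

if __name__ == "__main__":
    # An unknown program trying to reach the local proxy, which would then carry it out.
    leak = Conn("baddie.exe", "out", "tcp", "127.0.0.1", 8080, 1050)
    print("generic ruleset:", decide(GENERIC, leak))
    print("tight ruleset:  ", decide(TIGHT, leak))
```

With the generic rule the unknown program is allowed straight through to the proxy and never produces a prompt; with the tightened set it hits the blocking rule. Moving the block above the two allows would silently break the browser too, which is why Rick stresses the ordering.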

Escalader
September 16th, 2007, 05:10 PM
TY Rick:

I put 2 allows in, one for FF, another for IE and the blocker bringing up the rear!
Did the same for MS Outlook. I don't have a handle on the ports so I'll log them a bit and pick those up there.

-{ Quote: "Here's an example of a rule allowing loopback connections from Sea Monkey to Proxomitron which is configured to use port 8080.
193432
This differs from BZs loopback rule in that it only allows loopback for Sea Monkey and only to remote port 8080. I also used a single IP instead of a network mask.

This rule blocks all loopback not specifically allowed by rules above it in the ruleset. The "allow" rules for both Sea Monkey and Proxomitron need to be located above this rule.
193433

Rick" }-

herbalist
September 16th, 2007, 05:23 PM
I tried Firefox on my 98SE testbox. It asked for that loopback connection but seems to work fine without it. Sea Monkey doesn't do that.
If you use apps like A4Proxy, Proxomitron or Privoxy, or use TOR, control over loopback is necessary to prevent data leakage.
-{ Quote: "If I happened to have a "baddie program" and was also running a local proxy like Avast's WebShield or Proxomitron, I would get a popup of that baddie wanting to go out by kerio 2.1.5, since I have no "global" loopback rule. But if I had that standard loopback any app rule, the baddie program would go out. Without my knowledge." }-
Definitely true. The PCAudit2 Leaktest (http://www.firewallleaktester.com/leaktest12.htm) is a good one for checking if your loopback rules are tight and if your firewall properly controls these connections. If they are, you can allow this test to set its hook and still pass it without a HIPS. I'm not one who cares too much for leaktests, too misused as advertising and comparison tools, but this one is very useful.
My firewall status screen after running PCAudit2. Without the blocking rule, I would have been prompted for each app on the screen, half of which aren't internet apps.
[attachment 193438: firewall status screen after running PCAudit2]
Yes, any decent HIPS will detect both the process and the hook. Blocking either defeats the test, but by doing so, you never actually test your firewall or its ruleset. Should the malware writers find a way to embed such code into an application that's already allowed or find a way to inject the code that HIPS doesn't detect, or kill/blind the HIPS, your firewall can still protect you. Why rely on one layer when you can force them to defeat 2 or more in order to succeed?

Yes, I do prefer to block the unknown outright. Others use this PC and they might not know what's legitimate and what isn't. This way, they never see such a prompt.
Rick

Escalader
September 16th, 2007, 05:25 PM
TY Jarmo:

I know, it's now clear to me that there is no one right way to run a FW when it comes to things like faith in FF or not etc. I don't have Proxomitron but I do have Webroot, BD AV 2008 PG 2 working away.

More later.

BTW guy's, just so you know, when I returned to Kerio 2.1.5 it was almost with a sense of relief. The FW's that emerged after it I had no idea what they were doing. 8)



-{ Quote: "Rick was fast and gave an example.
As I dont have any 'Any application' loopback rule. I get a popup when localhost address is needed. So I add a rule for example to Firefox:
Mine is not restricted. It is: Allow UDP/TCP Out Any port to address 127.0.0.1, Any port. Firefox is no baddie, so I don't restrict that rule. But quite ok to do that too like Rick does to SeaMonkey browser.

If I happened to have a "baddie program" and was also running a local proxy like Avast's WebShield or Proxomitron, I would get a popup of that baddie wanting to go out by kerio 2.1.5, since I have no "global" loopback rule. But if I had that standard loopback any app rule, the baddie program would go out. Without my knowledge.

Again Rick prefers to block unknown in his second example and I prefer to use 'ask me first' firewall feature to know if there is something wanting to run in my system that I like to have control indication from my firewall. It is a matter of preference of how to use the firewall." }-

herbalist
September 16th, 2007, 05:28 PM
-{ Quote: "I don't have a handle on the ports so I'll log them a bit and pick those up there." }-
Could you be a bit more specific as to what you're having trouble with regarding ports?

Escalader
September 16th, 2007, 05:37 PM
-{ Quote: "Could you be a bit more specific as to what you're having trouble with regarding ports?" }-

Well, you put in 8080, I don't know what to use in FF or IE yet.:-\

herbalist
September 16th, 2007, 05:59 PM
For the most part, browsers connect out to port 80 for http traffic and 443 for https. When you connect to a file (FTP) server, they usually use port 21. These are remote ports. For local ports, it's usually a range as your system uses the first one available. Other sites and services use different ports. I occasionally play MahJong tiles at Yahoo. For that site to work, I have to allow traffic on port 11999. Yahoo also has a web version of its instant messenger. It works like the actual program but it's done with Flashplayer in your browser. For that to work, traffic on port 5050 has to be allowed. There's plenty of other services that'll use different ports.

What you need to allow and how you want to go about it depends on what you do with your browser. You can allow it to connect out on any port with TCP and UDP or you can specify only the ports you need for what you use. I run thru Proxomitron most of the time so traffic on ports 80 and 443 are looped back to Proxomitron. For that game or webmessenger, I allow outbound connections to those ports for the IP ranges they use. I don't allow inbound.

Either way works. It just depends on how much control you want and if it's important to you to know when your browser uses a non-standard port.

Rick

Escalader
September 16th, 2007, 07:07 PM
Thanks Rick:

I'll not need micro control over ports yet.

Only the email ports my ISP uses are non standard (well just the outbound) and have been put into MS Outlook.

When I am done I will want to do a shields/ports test of my whole set up to find flaws. So any nasties that are port oriented we can deal with then?

Does that make sense to you?

herbalist
September 16th, 2007, 08:59 PM
Makes plenty of sense. Firewall rules can be a work in progress for as long as it takes. Limiting the mail handler to the sites and services you use is a good place to start. Those are good rules to make address specific as the normal mail ports are probed regularly.

Regarding running a port scan on your system, Shields Up is a good start, but I'd also use one of the sites that can scan all the ports. Some DSL modems for instance listen on an unusual port for reasons I can't determine. My previous one showed port 43287 to be open, but no service of any kind listed for it. Another one used port 6363. I couldn't close them, even with remote administration disabled, which I doubt my ISP appreciates. I have no proof as to why they were open, only suspicions. I did confirm it was the modem as scans of those ports never reached Smoothwall as scans of those actual ports but were logged as attempts to connect to NetBios. I'd be interested to hear Stems view on this. Anyway, don't assume that because Shields Up shows the first 1056 closed or stealthed that all the ports are. You might be surprised.
Rick
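Rick's point that a scan of the first 1056 ports says nothing about the other 64,000 is easy to check yourself rather than relying on a web service. The TCP connect scanner below is an added example for this thread, not code from any poster; it assumes Python 3 only. The local listener is a stand-in so the run has a known-open port to find. Only scan hosts you own, and bear in mind that scanning your own public address from inside the LAN may not reach the router's WAN side at all.

```python
import socket
from concurrent.futures import ThreadPoolExecutor


def probe(host: str, port: int, timeout: float = 0.5) -> bool:
    """TCP connect() probe. True means something accepted the connection (open);
    a refusal or no answer within the timeout counts as not open."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError:          # ECONNREFUSED, timeout, unreachable, ...
            return False
        return True


def scan(host: str, ports, workers: int = 200, timeout: float = 0.5) -> list:
    """Return the sorted open ports among 'ports' (any iterable, e.g. range(1, 65536)).
    Probes run in parallel so a full 1-65535 sweep of one host finishes in seconds
    on a LAN; against a stealthed WAN address every probe waits for the timeout."""
    with ThreadPoolExecutor(max_workers=workers) as ex:
        hits = [p for p, is_open
                in ex.map(lambda p: (p, probe(host, p, timeout)), ports)
                if is_open]
    return sorted(hits)


def start_listener(port: int = 0) -> socket.socket:
    """Demonstration helper: open a local listening TCP socket (port 0 lets the OS
    pick one) so the scan has a known-open port to find. The caller closes it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(5)
    return srv


if __name__ == "__main__":
    srv = start_listener()
    chosen = srv.getsockname()[1]
    print("demonstration listener on 127.0.0.1:%d" % chosen)
    # Sweep the whole port range, not just the low ports a quick web scan covers.
    print("open on 127.0.0.1:", scan("127.0.0.1", range(1, 65536)))
    srv.close()
```

A connect() scan from another machine on your LAN against the router's LAN address will show what the router itself listens on internally (UPnP, web admin and the like); a scan from outside is the only way to see what the ISP-supplied modem exposes on the WAN side, which is what Rick's 43287 and 6363 observations were about.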

Escalader
September 17th, 2007, 08:34 AM
-{ Quote: "Makes plenty of sense. Firewall rules can be a work in progress for as long as it takes. Limiting the mail handler to the sites and services you use is a good place to start. Those are good rules to make address specific as the normal mail ports are probed regularly.

Regarding running a port scan on your system, Shields Up is a good start, but I'd also use one of the sites that can scan all the ports. Some DSL modems for instance listen on an unusual port for reasons I can't determine. My previous one showed port 43287 to be open, but no service of any kind listed for it. Another one used port 6363. I couldn't close them, even with remote administration disabled, which I doubt my ISP appreciates. I have no proof as to why they were open, only suspicions. I did confirm it was the modem as scans of those ports never reached Smoothwall as scans of those actual ports but were logged as attempts to connect to NetBios. I'd be interested to hear Stems view on this. Anyway, don't assume that because Shields Up shows the first 1056 closed or stealthed that all the ports are. You might be surprised.
Rick" }-

Rick:

TY. Some years ago I ran a Shields Up on my set up at that time and remember that it only scanned a portion of the ports. I promise to assume zero and not be surprised at anything.

You mention remote admin, do you leave it disabled all the time. I have on the odd occasion used my ISP's interactive help service to raise questions.
Funny thing, sometimes they don't like questions like why are Canadian Emails processed in the USA? (Yahoo!)

Escalader
September 18th, 2007, 03:01 PM
Hi Stem:

In the CFW thread you indicated the following and I quote:

"Don't worry about this at this time. My (personal) concern of this is the layer2 comms that are allowed, such as ARP without any interception. Outpost pro does intercept ARP, with a number of user options for this."

What is the status of Kerio 2.1.5 on this layer 2 issue ie your ARP's?

Can Kerio deal with them?

Stem
September 18th, 2007, 05:41 PM
Hi Rick,
-{ Quote: "I'd be interested to hear Stem's view on this." }-I have seen a number of modems/routers issued by an ISP to have such ports open. This I would presume is for some external management by the ISP. I have also seen ports open on "off the shelf" routers, but have found this due to the ability for nesting of LANs (where one router can be connected to another to create sub-LANs). I will admit I have not looked at this deeply, but did set up this internal type sub-LAN, and noticed comms, similar to UPnP, between the routers on the open ports. At the time, I just personally expected some form of internal control of this (ports being used etc.), but did not look further into this. (I only use one router behind my gateway)

I can look further, or take advice on this?

Regards,

Stem
September 18th, 2007, 05:44 PM
-{ Quote: "What is the status of Kerio 2.1.5 on this layer 2 issue ie your ARP's?

Can Kerio deal with them?" }-I would expect not. Can you find a rule to allow/block ARP?

herbalist
September 18th, 2007, 06:57 PM
The last 2 DSL modems my ISP sent over both have this problem. The previous one was a Netopia, which had port 43287 open. Both had remote administration enabled (which I promptly shut off) but neither was configured for the port that was opened. I disabled uPNP, along with everything else I can think of. I can't affect it with the built in firewall or services settings. I'm starting to think this can't be changed without changing firmware. Can't find an update for it. Other than buying my own DSL modem, any suggestions?
Rick

Stem
September 18th, 2007, 07:42 PM
-{ Quote: "The last 2 DSL modems my ISP sent over both have this problem." }-This will possibly not be seen as a problem if your ISP is using this port. (I have to be careful, due to the fact I have been in dispute with my own ISP for the last 2 years over such.) I personally now place a gateway (PC) between my modem (ISP cable connection) and my home LAN. I do now see all comms (for the last 2 years) of attempted inbound (allowed by the ISP modem/router) into my home.

-{ Quote: "The previous one was a Netopia, which had port 43287 open. Both had remote administration enabled (which I promptly shut off) but neither was configured for the port that was opened. I disabled uPNP, along with everything else I can think of. I can't affect it with the built in firewall or services settings. I'm starting to think this can't be changed without changing firmware. Can't find an update for it. Other than buying my own DSL modem, any suggestions?" }-You could try (as I did) to flash (update) the modem, but I found this to cause me a lock out (from the actual BIOS update). I did bypass this and got total internet loss (reporting this,... the ISP must have re-flashed the modem, as connection was then allowed).

Think as you may, but I would ask to monitor and look.

Regards,

herbalist
September 18th, 2007, 08:31 PM
I haven't asked my ISP about this. The first modem had other problems, like continually restarting for no apparent reason. I tried to get info from the vendors site for this modem. Says I have to contact CenturyTel, which isn't my service provider. Figure that.

I can only assume that it's a back door for the ISP designed into the firmware since it appears to be separate from the remote administration. My concern is that modems would also become attack targets, and something as simple as changing the DNS settings to one controlled or compromised by malware vendors could cause big problems. It seems that if I want this solved, I'll have to get my own DSL modem, preferably one that's a PCI card for Smoothwall.
Rick

Escalader
September 18th, 2007, 08:51 PM
-{ Quote: "I would expect not. Can you find a rule to allow/block ARP?" }-

Stem:

No, I can't find the protocol. I can't see how to write a rule for ARP!

It is not specifically in the list of protocols in Kerio unless it is in "other".
(See attached jpg)

Given that all we really need is TCP/IP, and UDP for Video why not unbind all other protocols in the advanced settings window for our LAN connections?

(see attached, with very few showing on mine!)

Would that work to simplify our rules?

If it does, then all the generic rules in the template aimed at Netbios etc could be either deleted or disabled. Am I right on this?

herbalist
September 18th, 2007, 09:29 PM
The main problem with adding such a blocking rule is that you won't be prompted by any app that you haven't finished the rules for. Also, if you make address specific rules for apps such as updaters or mail handlers and the address they use changes, you won't get a prompt, the app will just fail to connect. Also, if you use IM or P2P programs, unless you have rules permitting them to connect to anywhere, such a rule would interfere with them any time you had a new contact or connected to a new location.

AFAIK, Kerio doesn't address ARP specifically. Unless I'm missing something, if you used static IPs for your PCs and hardware instead of DHCP, there'd be no need for ARP or any control of it. If I'm wrong, I'm sure Stem will correct this.
Rick

Escalader
September 18th, 2007, 10:01 PM
Rick:

TY, as you said Stem will sort me out (as you do as well 8) which is a good thing). In a learning thread the learner (slow :-[ ) poster has to be egoless!

I have left all the non TCP/IP, and UDP rules that were in the template

Still building rules and adding to PG 2 blocking lists as outgoing ip's I don't know are researched. It is really amazing to see the ip's attempting to RECEIVE data packets from MY PC. Right now I'm just blocking them.

So I will be wanting to send you and Stem rule set # 2 for criticism in about a week or so. I'm still reluctant to open post it unless it is clean and reveals zero private data:-\ . But leave that for now as I'm getting ahead of myself.

Do you happen to know what protocols are in "other" for Kerio?

herbalist
September 18th, 2007, 10:58 PM
-{ Quote: "Do you happen to know what protocols are in "other" for Kerio?" }-
The only 2 I know for sure are IGMP and IPv6. It probably covers more but I don't know what they are and have never seen a prompt for any other.

As far as sending us the new rulesets, there's a couple of ways you can do that. I understand your concern about sending sensitive info. Instead of screenshots, you could send me the actual .conf file. If Stem has a box with Kerio 2 already installed, it might work for him too. The file can't be read with a standard text editor, but can be easily imported into Kerio on another PC. I do that with one of my clients, import their configuration file into my PC and see what needs fixing. Haven't tried editing someone else's ruleset on mine yet. Not sure how much problem the built in MD5 checking would be. If it would be easier to send the actual conf file, I'll send you an e-mail addy.

Been meaning to ask you, does any of your hardware have a static IP or are you using DHCP throughout?
Rick

Escalader
September 18th, 2007, 11:28 PM
-{ Quote: "The only 2 I know for sure are IGMP and IPv6. It probably covers more but I don't know what they are and have never seen a prompt for any other.

As far as sending us the new rulesets, there's a couple ways you can do that. I understand your concern about sending sensitive info. Instead of screenshots, you could send me the actual .conf file. If Stem has a box with Kerio 2 already installed, it might work for him too. The file can't be read with a standard text editor, but can be easily imported into Kerio on another PC. I do that with one of my clients, import their configuration file into my PC and see what needs fixing. Haven't tried editing someone elses ruleset on mine yet. Not sure how much problem the built in MD5 checking would be. If it would be easier to send the actual conf file, I'll send you an e-mail addy.

Been meaning to ask you, does any of your hardware have a static IP or are you using DHCP throughout?
Rick" }-

Rick:

TY.
I like the send you/Stem the conf file idea.

On the MD 5 I had 1 program that didn't calculate right ( can't recall it now) but that didn't seem to impact anything operational.

I'm on semi static ip. It stays fixed at my ISP for a few weeks then changes. Who knew, but I do now.

On the Kerio "other" covering IGMP and IPv6, why not build a specific block rules for those guys using other?

But I'm gone now it's late here, send your addy along via PM make it a throwaway since you don't know me in person, that's my advice to clients but that is your call.

Stem
September 19th, 2007, 09:25 AM
-{ Quote: "Unless I'm missing something, if you used static IPs for your PCs and hardware instead of DHCP, there'd be no need for ARP or any control of it." }-Within a LAN you would still need ARP to resolve the hardware/IP of the gateway to allow you to connect out.

It is not a problem in a trusted LAN.
In an untrusted LAN, if the firewall does not filter ARP, then tools such as "Netcut" can be used. If the firewall can block ARP, then that can be done, but there would be a need to (at minimum) set up a static ARP entry for the gateway.
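
What an ARP filter is protecting against, as an added example that is not part of the original thread: Kerio 2.1.5 cannot see ARP (as the posts above conclude), so this Python watcher is a host-side detector rather than a rule. It parses raw Ethernet/ARP frames and alerts when someone claims the pinned gateway address with a different MAC (the "Netcut"-style poisoning Stem refers to), when a learned address changes owner, or when one MAC claims many addresses. The frames, addresses and thresholds are constructed for the example; on a real host the frames would come from a capture driver such as WinPcap, which this block does not include.

```python
"""ARP poisoning watcher. Added example for this thread, not the thread's own code.
Frames are constructed in-line so it runs offline; feed real frames from a capture
library the same way (ArpWatch.feed takes a raw Ethernet frame as bytes)."""
import struct
from collections import defaultdict

ETH = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp(op: int, sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Build an Ethernet frame carrying an IPv4 ARP request/reply (constructed test input)."""
    eth = ETH.pack(mac_bytes(target_mac), mac_bytes(sender_mac), ETHERTYPE_ARP)
    arp = ARP.pack(1, 0x0800, 6, 4, op, mac_bytes(sender_mac), ip_bytes(sender_ip),
                   mac_bytes(target_mac), ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame: bytes):
    """Return (op, sender_mac, sender_ip) for an IPv4-over-Ethernet ARP frame, else None."""
    if len(frame) < ETH.size + ARP.size:
        return None
    _dst, _src, etype = ETH.unpack_from(frame, 0)
    if etype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, _tha, _tpa = ARP.unpack_from(frame, ETH.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, mac_str(sha), ip_str(spa)


class ArpWatch:
    """Track the IP->MAC bindings announced on the wire and alert on conflicts.

    pinned: {ip: mac} entries that must never change (at minimum the gateway).
    Requests as well as replies carry a sender binding, and both poison caches,
    so both are checked."""

    def __init__(self, pinned: dict, max_ips_per_mac: int = 4):
        self.pinned = {ip: mac.lower() for ip, mac in pinned.items()}
        self.learned = {}                    # ip -> first MAC seen claiming it
        self.ips_by_mac = defaultdict(set)   # mac -> every IP it has claimed
        self.max_ips_per_mac = max_ips_per_mac

    def feed(self, frame: bytes) -> list:
        alerts = []
        parsed = parse_arp(frame)
        if parsed is None:
            return alerts
        op, mac, ip = parsed
        if ip in self.pinned:
            if mac != self.pinned[ip]:
                alerts.append(f"PINNED {ip} claimed by {mac} (expected {self.pinned[ip]}), op={op}")
        elif ip in self.learned:
            if self.learned[ip] != mac:
                alerts.append(f"CHANGE {ip}: {self.learned[ip]} -> {mac}, op={op}")
        else:
            self.learned[ip] = mac
        self.ips_by_mac[mac].add(ip)
        if len(self.ips_by_mac[mac]) == self.max_ips_per_mac + 1:   # fire once per MAC
            alerts.append(f"FLOOD {mac} has claimed {len(self.ips_by_mac[mac])} addresses")
        return alerts


if __name__ == "__main__":
    # Constructed scenario: gateway 192.168.1.1 is pinned; an attacker then claims it.
    watch = ArpWatch({"192.168.1.1": "00:11:22:33:44:55"})
    frames = [
        build_arp(ARP_REPLY, "00:11:22:33:44:55", "192.168.1.1", "ff:ff:ff:ff:ff:ff", "192.168.1.10"),
        build_arp(ARP_REPLY, "de:ad:be:ef:00:01", "192.168.1.1", "ff:ff:ff:ff:ff:ff", "192.168.1.10"),
    ]
    for f in frames:
        for alert in watch.feed(f):
            print(alert)
```

The pinned entry is the software side of the static ARP entry Stem mentions; on Windows the entry itself is set with `arp -s 192.168.1.1 00-11-22-33-44-55` (gateway address and MAC are placeholders here), and on XP it does not survive a reboot, so it belongs in a startup script.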

Escalader
September 23rd, 2007, 10:16 AM
Stem/Herbalist et al!

Been making rules and setting services on/off. Attached is a jpg for comments. Fire at will!

My setup does share an internet connection with a second PC via router so ALG.EXE is on.

I worked that one with a connection on: set status to off in services and manual, tried to browse and the connection was lost briefly; checked services and status was started again.

Did same again and rebooted, ALG.EXE started up, so I conclude my set up needs this service. If you disagree please explain.8)

I have 2 NetBios rules blocking UDP/TCP (Both),any address local ports 137-139 and the second rule remote any address ports 137-139.

So why does the open connections show anything on NetBios? Some service I have neglected to date?

herbalist
September 23rd, 2007, 12:41 PM
-{ Quote: "So why does the open connections show anything on NetBios? Some service I have neglected to date?" }-
I assume you're referring to the last 3 lines on the status screen? The last 5 lines are all related. When the directory service (Microsoft DS) can't establish a connection on port 445, it will try to use the SMB or NETBIOS ports, the last 3 lines in your image. This is primarily for file sharing on a network. There are no connections there per se. The service is running and listening but isn't connected to anything. Kerio's status screen displays applications and services that are listening for incoming connections whether you have them blocked or not. If Kerio was shut down, many of those would result in ports open to the outside, or at least to your hardware firewall.

Everything on your screenshot from ALG.EXE down is a running windows service that's listening for a connection. This is not tied to Kerio's configuration but to your operating system and its running services. While Kerio can be configured to block every one of them from ever connecting in or out, the only way to actually eliminate the listening services is to shut them down. Stem may disagree with me on this, but IMO blocking connections to or from running services with firewall rules is a band-aid approach that doesn't fix the actual problem, unneeded services opening ports. If a service can be blocked, you don't need it running in the first place. XP makes this somewhat difficult as many of the services are inter-related.

Just for a comparison, this is the status screen on my box. I'm not certain if this can be accomplished on XP.
Rick

Escalader
September 23rd, 2007, 01:34 PM
Hi Rick:

TY. Very interesting post for me anyway. I will enter my OT comments inside your quoted post as usual for me. I will do it in blue just to avoid the red! and to ensure that readers don't assume I'm putting words in your post!
I hope Stem has some time to look this one over as well. I don't know if he agrees or not but it would be good to know.



-{ Quote: "I assume you're referring to the last 3 lines on the status screen?

Yes, your assumption is correct those were the ones.

The last 5 lines are all related. When the directory service (Microsoft DS) can't establish a connection on port 445,

I have that port 445 blocked in my rule set.


it will try to use the SMB or NETBIOS ports, the last 3 lines in your image. This is primarily for file sharing on a network.

I don't do file sharing on a network.


There are no connections there per se. The service is running and listening but isn't connected to anything. Kerio's status screen displays applications and services that are listening for incoming connections whether you have them blocked or not.

Is it possible to id these and shut them down safely?


If Kerio was shut down, many of those would result in ports open to the outside, or at least to your hardware firewall.

TY. Right! That is a good thing, I won't be shutting KFW down!

Everything on your screenshot from ALG.EXE down is a running windows service that's listening for a connection. This is not tied to Kerio's configuration but to your operating system and its running services. While Kerio can be configured to block every one of them from ever connecting in or out, the only way to actually eliminate the listening services is to shut them down. Stem may disagree with me on this, but IMO blocking connections to or from running services with firewall rules is a band-aid approach that doesn't fix the actual problem, unneeded services opening ports. If a service can be blocked, you don't need it running in the first place. XP makes this somewhat difficult as many of the services are inter-related.

That is for sure, I use Ed Bott and Carl Siechert's text on MS Win xp networking and security as a guide on the services to leave on and off. So far so good except for these nosy listener services. I want to id them at some point. Since getting to the root cause is to me a better idea than more rules.

Just for a comparison, this is the status screen on my box. I'm not certain if this can be accomplished on XP.

I like your status screen better than mine!;D




Rick" }-

Stem
September 23rd, 2007, 02:24 PM
Hi Rick,
-{ Quote: "Stem may disagree with me on this, but IMO blocking connections to or from running services with firewall rules is a band-aid approach that doesn't fix the actual problem, unneeded services opening ports." }-Personally, I have always disabled un-needed (in my setup) Windows services without any problems. But care does need to be taken as disabling certain services can cause major problems. (I have made a post before of all the services I disable)

As example, on a new install of XP pro (all windows updates), no other programs installed, we will see a report of port use as:-

193682

After I disable the services I do not need (on my setup):-

193683

These ports in use are for:-
RPC Locator (port 445)
DCOM RPC (port 135)

These can be closed using applications such as WWDC, but some problems can arise.
Example: port 445 can be closed by disabling the driver~ Hardware/ Device manager/ (show hidden) non-plug and play drivers/ "Netbios over Tcpip". But doing this will cause problems with DHCP (no IP via DHCP). So I actually leave these ports to be controlled by the firewall (as some of my setups require DHCP (VM`s / ICS))

Stem
September 23rd, 2007, 02:42 PM
Hi Escalader,
-{ Quote: "My setup does share an internet connection with a second PC via router so ALG.EXE is on." }-It will not be your LAN that requires ALG. I have personally never found a need to have this service running, even when I have ICS setup and running. So for this to cause you problems when disabled would indicate that a 3rd party program is using this for some reason.

-{ Quote: "I don't do file sharing on a network." }-Simply disable this in "Network Connections" (Some info/pics (http://www.petri.co.il/disable_netbios_in_w2k_xp_2003.htm))

-{ Quote: "Is it possible to id these and shut them down safely?" }-It is easy to ID what service is using which port, but there is a need to find if you require the service on your setup (as example with ALG, which I still do not see why you require this)
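
How to "ID what service is using which port", as Stem puts it and as Rick's point about listening services needs, as an added example that is not part of the original thread: on XP the two commands are `netstat -ano` (bound sockets with owning PID) and `tasklist /svc` (PID to image name and hosted service names). This Python script joins the two outputs so each listening port is labelled with the service behind it, which is what you need before deciding whether to disable that service. The command outputs embedded below are constructed samples in the real XP layout, not a live capture, and the process IDs and addresses in them are made up for the example.

```python
"""Join `netstat -ano` with `tasklist /svc` to name the service behind each listener.
Added example for this thread, not the thread's own code. On a live XP box:
    netstat -ano > netstat.txt  &  tasklist /svc > tasklist.txt
and pass the two files in; the samples below are constructed."""
import re
import sys

# Ports this thread keeps running into, and what listens there on XP.
PORTS_OF_NOTE = {
    135: "DCOM/RPC endpoint mapper (RpcSs)",
    137: "NetBIOS name service (NetBT driver, shows as System / PID 4)",
    138: "NetBIOS datagram service (NetBT driver)",
    139: "NetBIOS session service (NetBT driver)",
    445: "Microsoft-DS / SMB direct (System / PID 4)",
}

# netstat -ano row: proto, local ip:port, foreign, optional state (UDP rows have none), PID
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")
# tasklist /svc row: image name, PID, comma-separated services (long lists wrap onto
# indented continuation lines)
TASKLIST_RE = re.compile(r"^(\S.*?)\s+(\d+)\s+(\S.*)$")

NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       920
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1616
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING       4
  TCP    192.168.1.5:1158       65.55.184.157:80       SYN_SENT        1040
  UDP    0.0.0.0:445            *:*                                    4
  UDP    192.168.1.5:137        *:*                                    4
  UDP    192.168.1.5:138        *:*                                    4
"""

TASKLIST_SAMPLE = """
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
svchost.exe                    920 RpcSs
svchost.exe                   1040 AudioSrv, BITS, Browser, CryptSvc, ERSvc,
                                   EventSystem, helpsvc, lanmanserver, Schedule,
                                   wuauserv
alg.exe                       1616 ALG
"""


def _split(s: str) -> list:
    return [x.strip() for x in s.split(",") if x.strip()]


def parse_netstat(text: str) -> list:
    """Return (proto, local_ip, port, pid) for bound sockets: TCP in LISTENING plus every
    UDP row (a UDP row is a bound socket, netstat gives it no state)."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        proto, ip, port, state, pid = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue
        rows.append((proto, ip, int(port), int(pid)))
    return rows


def parse_tasklist_svc(text: str) -> dict:
    """Return {pid: (image, [services])}; wrapped service lists are re-joined."""
    procs, last_pid = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("="):
            continue
        m = TASKLIST_RE.match(line)
        if m:
            image, pid, svcs = m.group(1), int(m.group(2)), m.group(3)
            procs[pid] = (image, [] if svcs.strip() == "N/A" else _split(svcs))
            last_pid = pid
        elif last_pid is not None and line[:1].isspace():
            procs[last_pid][1].extend(_split(line))
    return procs


def listener_report(netstat_text: str, tasklist_text: str) -> list:
    """One dict per bound socket, naming the image and services behind its PID."""
    procs = parse_tasklist_svc(tasklist_text)
    report = []
    for proto, ip, port, pid in parse_netstat(netstat_text):
        image, services = procs.get(pid, ("<pid not in tasklist>", []))
        report.append({"proto": proto, "local": f"{ip}:{port}", "pid": pid, "image": image,
                       "services": services, "note": PORTS_OF_NOTE.get(port, "")})
    return report


if __name__ == "__main__":
    if len(sys.argv) == 3:
        ns, tl = open(sys.argv[1]).read(), open(sys.argv[2]).read()
    else:
        ns, tl = NETSTAT_SAMPLE, TASKLIST_SAMPLE
    for r in listener_report(ns, tl):
        svc = ", ".join(r["services"]) or "-"
        print(f"{r['proto']:<4} {r['local']:<22} {r['pid']:>5} {r['image']:<14} {svc:<30} {r['note']}")
```

In the sample, PID 4 (System) owning 137-139 and 445 is the NetBT kernel driver rather than a service you can stop in services.msc, which matches Stem's note above that 445 is only closed by disabling the "NetBios over Tcpip" non-plug-and-play driver; the svchost row for port 1158 is an outbound attempt, not a listener, and is filtered out of the report.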

herbalist
September 23rd, 2007, 02:49 PM
-{ Quote: "I have that port 445 blocked in my rule set." }-
You mentioned that you have the NETBIOS ports blocked as well. Then you have it blocked both ways.
-{ Quote: "Is it possible to id these and shut them down safely?" }-
I'm pretty sure that all of the last 5 are Microsoft DS. I haven't tried it but give this (http://seclists.org/bugtraq/2002/Aug/0426.html) a look. Also see http://www.blackviper.com/WinXP/servicecfg.htm although I don't see DS specifically listed there. I'm hoping to get over to a friends place today that has XP and Kerio. I can't remember for sure if I shut that down on their PC or not.
-{ Quote: "I won't be shutting KFW down!" }-
It's not always that simple. An update to a system component or another app can occasionally cause a conflict that crashes something. Some malware directly attacks firewalls. I haven't seen it with Kerio but when I used a security suite, I ran into a malicious webpage that crashed the entire suite, then crashed my PC. When I got it restarted, I was infected. True, the chances of it happening are low, but it is possible.
Rick

herbalist
September 23rd, 2007, 03:19 PM
Stem had the links I was looking for.
-{ Quote: "Simply disable this in "Network Connections" (Some info/pics) (http://www.petri.co.il/disable_netbios_in_w2k_xp_2003.htm)" }-
Got to get these bookmarks organized better.
I haven't seen your posts regarding what services you disable. I don't use DHCP. All the IPs here are static. I'm not sure if my ISP assigned IP is supposed to be static, but it hasn't changed in over a year. Might be due to the changes I made in the modems configuration, but they haven't said anything about it so I won't either.
Rick

Escalader
September 23rd, 2007, 04:01 PM
Hi Stem and Herbalist:

TY for your posts. For now I'll have to do some more research on all your input/comments. I will answer in blue as before with the last post first (sort of a push down stack approach 8)

Escalader
September 23rd, 2007, 04:10 PM
as before ot comments embedded in blue

-{ Quote: "Stem had the links I was looking for.

Okay, let's check them out.

Got to get these bookmarks organized better.
I haven't seen your posts regarding what services you disable.

I've attached them to this post

I don't use DHCP. All the IPs here are static. I'm not sure if my ISP assigned IP is supposed to be static, but it hasn't changed in over a year. Might be due to the changes I made in the modems configuration, but they haven't said anything about it so I won't either.

Okay, mine gets assigned via DHCP
Rick" }-

Stem
September 23rd, 2007, 04:20 PM
Hi Rick,
-{ Quote: "I'm not sure if my ISP assigned IP is supposed to be static, but it hasn't changed in over a year. Might be due to the changes I made in the modems configuration, but they haven't said anything about it so I won't either." }-Some ISPs will bind an IP to your MAC address, some ISPs will then not allow the MAC/IP binding to be changed; my own ISP will simply issue a new IP for any new MAC address I have (but with the same MAC, my IP remains the same).

Escalader
September 23rd, 2007, 04:21 PM
see blue embedded comments


-{ Quote: "You mentioned that you have the NETBIOS ports blocked as well. Then you have it blocked both ways.

See attached rules you are right they are both ways, is this wrong?

I'm pretty sure that all of the last 5 are Microsoft DS. I haven't tried it but give this (http://seclists.org/bugtraq/2002/Aug/0426.html) a look. Also see http://www.blackviper.com/WinXP/servicecfg.htm although I don't see DS specifically listed there. I'm hoping to get over to a friends place today that has XP and Kerio. I can't remember for sure if I shut that down on their PC or not.

Good, when you can let me know but their setup may vary?

It's not always that simple. An update to a system component or another app can occasionally cause a conflict that crashes something. Some malware directly attacks firewalls. I haven't seen it with Kerio but when I used a security suite, I ran into a malicious webpage that crashed the entire suite, then crashed my PC. When I got it restarted, I was infected. True, the chances of it happening are low, but it is possible.

Yes, I know no set of tools is perfect. I have the AV and the ASW plus the H/W F/W plus PG 2 with SpyBlaster, the occasional Spybot S & D loads up my hosts file with 7000+ bad sites as well so I think/hope? the chances are low.

Suites? Well I'll not go there in this thread.;D

Rick" }-

Escalader
September 23rd, 2007, 04:45 PM
-{ Quote: "Hi Escalader,
It will not be your LAN that requires ALG. I have personally never found a need to have this service running, even when I have ICS setup and running. So for this to cause you problems when disabled would indicate that a 3rd party program is using this for some reason.

Simply disable this in "Network Connections" (Some info/pics (http://www.petri.co.il/disable_netbios_in_w2k_xp_2003.htm))


It is easy to ID what service is using which port, but there is a need to find if you require the service on your setup (as example with ALG, which I still do not see why you require this)" }-

Hi Stem:

Okay, Lan doesn't use ALG and I do have 3rd party software which one uses it is unknown to me. I will disable it again and report back! Maybe the 1st time I forgot to click apply or something.

I have followed the procedure to disable NetBIOS and those listening entries are GONE! TY!

On my services, I gave Herbalist the list of disabled ( minus the net bios change)

lucas1985
September 23rd, 2007, 05:01 PM
-{ Quote: "I haven't seen your posts regarding what services you disable." }-
See here (http://www.wilderssecurity.com/showpost.php?p=896115&postcount=44) :)

Escalader
September 23rd, 2007, 05:49 PM
Here is my revised list with Netbios and Alg.exe disabled! TY!

Only to now show my SS 5.3 services, briefly, they have disappeared during the typing of this post. So even though I have it turned to manual update it must listen on site for a bit:-\ I have the Black Viper services and now via lucas1985 I have stems setting from a while back. I will compare and contrast mine with those and report back any differences.

EASTER
September 23rd, 2007, 06:49 PM
-{ Quote: "Good! Are you running Kerio 2.1.5 with XP sp2? What defrag program are you using?" }-

YES! And also on plain jane XP as well as SP1. No problems at all, ever. I have found many freeware apps more resilient and reliable over time than those commercial types that are constantly being tinkered with or tweaked, for lack of a better term, on a regular basis. Seems to be a trend and a welcome one at that.

I don't have a problem paying for commercial software because they as policy are for the most part obligated to the customer to provide support for issues/bugs etc.

But, lest we forget, our world is chock full of even students with exceptional skill, some of which make releases as a hobby or class project, and some of those would boggle the highest IT Tech graduates as well as experienced IT Professionals.

And it's those developers I fund via generous donation in return for their own generosity and usefulness as an inspiration & reward for those efforts.

Escalader
September 25th, 2007, 11:31 AM
-{ Quote: "Hi Escalader,
........
It is easy to ID what service is using which port, but there is a need to find if you require the service on your setup (as example with ALG, which I still do not see why you require this)" }-

Hi Stem:

I have got rid of ALG and Netbios as you suggested, PC seems "snappier" but maybe that's an "illusion;D "

At the Shields up link you gave me see quote below:

-{ Quote: " from ShieldsUP
Name:
ldap
Purpose:
Lightweight Directory Access Protocol
Description:
LDAP (which is what people call it) is a modern and popular Internet directory access protocol used by many systems and services. Most Windows users will encounter it because Microsoft's NetMeeting uses and opens the LDAP port 389 while it is running.
Related Ports:
1002, 1720
Background and Additional Information:
Since LDAP's use of port 389, and H.323 teleconferencing's call setup use of port 1720, are intimately associated through their common Microsoft NetMeeting usage, please see our discussion of port 1720 security. The issues raised and discussed there also apply to LDAP port 389." }-

I don't use or want to use NetMeeting so I have it disabled in services and I left the disabled rule in my Kerio rule set. So I think it is "dead":thumb:

Do you agree?

Now I will attach the latest Kerio FW status for review and comment. ;D

Stem
September 26th, 2007, 07:48 PM
Hello Escalader,

The pic you post of active apps does look better. The only one I am unsure about is the "svchost port 1158".
I am short of time at the moment, but will make post later to show you the services using the other ports (I need to revert to XP image to comment correctly), and how they can be disabled if wanted.

Escalader
September 26th, 2007, 08:15 PM
-{ Quote: "Hello Escalader,

The pic you post of active apps does look better. The only one I am unsure about is the "svchost port 1158".
I am short of time at the moment, but will make post later to show you the services using the other ports (I need to revert to XP image to comment correctly), and how they can be disabled if wanted." }-

Okay, when you have time, My FW rules seems stable now.

But I'm building up a few "minor" questions , ie loopbacks still not 100% clear yet but I've got the application/ip/port binding down now.

One issue is when I find the ip's that an updater uses, then a few days later they change them. I see no solution to that unless there is a way to put the site name in.

But anyway, zero phone homes.

Escalader
September 27th, 2007, 08:14 PM
Hi Herbalist/Stem:

Attached is a Kerio 2.1.5 FW log from 60 seconds back.

Cast your eye over this there are some interesting outbound packets (my issue8) caught by advanced rules.

Based on this and my last posts can you guys draw any conclusions about any rules/service issue that I still have?

On DNS Stuff, reverse 65.55.184.157 reports back no PTR record (NXDOMAIN)

Whois produces;

OrgName: Microsoft Corp
OrgID: MSFT
Address: One Microsoft Way
City: Redmond
StateProv: WA
PostalCode: 98052
Country: US

NetRange: 65.52.0.0 - 65.55.255.255
CIDR: 65.52.0.0/14
NetName: MICROSOFT-1BLK
NetHandle: NET-65-52-0-0-1
Parent: NET-65-0-0-0-0
NetType: Direct Assignment
NameServer: NS1.MSFT.NET
NameServer: NS5.MSFT.NET
NameServer: NS2.MSFT.NET
NameServer: NS3.MSFT.NET
NameServer: NS4.MSFT.NET
Comment:
RegDate: 2001-02-14
Updated: 2004-12-09

Clearly svchost.exe was blocked 4 times TCP outbound to MS at
65.55.184.157 via ports 1710-1713.

The question I have is which service is attempting this, does it matter ? it was blocked but there are no apparent consequences?

So, am I unnecessarily blocking the unnecessary?

Jarmo P
September 28th, 2007, 04:55 PM
MS updates most likely Escalader.
The thing is not to log too much to get paranoid.
Local ports 1024-5000 are normal to outgoing connections.
And that server you traced sure is a MS update one.

Another thing I like to say to you dear Escalader. I don't block IP addresses at all by kerio 2. Or other firewalls I have used. The call home factor is a trust in first place, never have blocked any IP.
Call me stupid or not ;)

Jarmo

Escalader
September 28th, 2007, 05:48 PM
-{ Quote: "Another thing I like to say to you dear Escalader. I don't block IP addresses at all by kerio 2. Or other firewalls I have used. The call home factor is a trust in first place, never have blocked any IP.
Call me stupid or not ;)

Jarmo" }-

Hi Jarmo:

Not ever! Best posters are candid and honest in their feedback that is you in this case!:thumb:

This thread is NOT about justification of security approaches, yours vs mine vs someone else's to security. I made an earlier comment on that idea for a thread covering that debate.

I am learning to write many rules some to allow and block, ip's, ports etc. In this example Kerio has reported an outbound I had not explicitly allowed.

I traced it to MS. It is not in the port range you mentioned and being a user who is concerned (not the same as paranoid:) I want to know what that packet is doing/ trying to leave my PC.

It is not Kerio I suspect, but the service in xp and MS sending to an ip belonging to MS? I hope you see the difference.

Clearly svchost.exe was blocked 4 times trying a TCP outbound to MS at
65.55.184.157 via ports 1710-1713. 65.55.184.157 reports back no PTR record (NXDOMAIN) and I thought all IPs are supposed to have such a record.:-\

The questions I have are which service is attempting this, does it matter ? it was blocked but there are no apparent consequences? So, am I unnecessarily blocking the unnecessary? I don't know.

So I appreciate your comment, which basically says you wouldn't ask these questions but I do and await answers from Stem and Herbalist.

Take it easy!

PS: If you check your FW log you will no doubt find that your FW has blocked many In/Out ip's packets.

Jarmo P
September 29th, 2007, 12:19 AM
-{ Quote: "Whois: Final results obtained from whois.arin.net.
Results:

OrgName: Microsoft Corp
OrgID: MSFT
Address: One Microsoft Way
City: Redmond
StateProv: WA
PostalCode: 98052
Country: US

NetRange: 65.52.0.0 - 65.55.255.255
CIDR: 65.52.0.0/14
NetName: MICROSOFT-1BLK
NetHandle: NET-65-52-0-0-1
Parent: NET-65-0-0-0-0" }-
I just wanted to say that it is your computer checking Windows updates. There are also servers with no MS name that it uses, just don't remember names at the moment. I do block svchost also for the most time and allow it only for the dhcp and a few other things. And I do allow it for every month's second Tuesday and Wednesday, when patches are released from Seattle "ms home motherbase", out to ports tcp 80 and 443 when I happen to use/visit my admin account instead of the limited one I almost all the time use. My computer is set to download the patches from MS automatically, but not to install them without my permission.
That said I always install the critical ones without going to sites like http://www.dslreports.com/forum/r19053306-Microsoft-Security-Bulletins-for-9112007
to see if other users are having problems. But I used to do that too. So it is ok by me to be curious of all happenings with our puters :P

-{ Quote: "PS: If you check your FW log you will no doubt find that your FW has blocked many In/Out ip's packets." }-
My log is much more interesting than yours. That must be cause I have no router. So if you get bored, just remove the router to see more :P

One thing I would take out of the logging though in my mind if I were you is that 192.168.x rule. To have kerio only log something that gives actual information.

Rick is one of the nicest guys to give information and good ones he gives too. Only one thing I disagree with him. And that is only a firewall policy of it to be too silent. I mean that block all outgoing rule! Duh? Good you made it to log at least. You use a firewall for heavens sake to give information about unknown outbound connections?


Best wishes,
Jarmo

PS
IP rule blocking, though, is stupid in my opinion (IMO) and a waste of time. I have always wanted to say this to you, so now I have done that, hehe.

Escalader
September 29th, 2007, 09:02 AM
-{ Quote: "I just wanted to say that it is your computer checking Windows updates. There are also servers with no MS name that it uses, I just don't remember the names at the moment. I do block svchost also most of the time and allow it only for DHCP and a few other things. And I do allow it every month's second Tuesday and Wednesday, when patches are released from Seattle "ms home motherbase", out to ports TCP 80 and 443, when I happen to use/visit my admin account instead of the limited one I use almost all the time. My computer is set to download the patches from MS automatically, but not to install them without my permission.
That said I always install the critical ones without going to sites like http://www.dslreports.com/forum/r19053306-Microsoft-Security-Bulletins-for-9112007
to see if other users are having problems. But I used to do that too. So it is ok by me to be curious of all happenings with our puters :P

My log is much more interesting than yours. That must be because I have no router. So if you get bored, just remove the router to see more :P

One thing I would take out of the logging, though, if I were you, is that 192.168.x rule, so that Kerio only logs something that gives actual information.

Rick is one of the nicest guys to give information, and good information he gives too. There is only one thing I disagree with him on, and that is a firewall policy that is too silent. I mean that block all outgoing rule! Duh? Good you made it log at least. You use a firewall, for heaven's sake, to give information about unknown outbound connections?


Best wishes,
Jarmo

PS
IP rule blocking, though, is stupid in my opinion (IMO) and a waste of time. I have always wanted to say this to you, so now I have done that, hehe." }-


Hi Jarmo:

Are we having fun yet? 8) You seem in good form, 2AM posts:o

We have different views on "trust"; that's fine, you have your view and I respect that, I just disagree, which is cool on this forum8) If you have a conversation to have with Herbalist, go ahead, but I'm not involved with it!

With respect to M$, I get my Tuesdays and Wednesdays like everybody else in spite of the blocking approach. So there:D Like you, I download them and install at my convenience, not Mr Gates'. Heck, it's my PC not his!

I'm glad you like your log. Mine is boring, like my posts, but I'll keep my router anyway!

-{ Quote: "One thing I would take out of the logging, though, if I were you, is that 192.168.x rule, so that Kerio only logs something that gives actual information." }-

Yes, I like that suggestion and as soon as I find the %^&*(* rule I'll shut it up but I suspect I may still have a loopback rule freeze up!

19monty64
September 29th, 2007, 12:31 PM
Escalader, I meant to ask this earlier in this thread but, what advantage have you found using the "Advanced" rules rather than the "Standard" rules? I'm using BZ's standard ruleset and have finally got the log running quietly, but your logs have made me think I'm not ready for the advanced ruleset yet... (noob question I know)

Jarmo P
September 29th, 2007, 12:57 PM
I'll answer. There is no difference, really. Just rules, and our Escalader has a few more rules of his own, like that silly all outgoing block that sure makes him happy, lol, suspecting that his security programs somehow call to the evil motherbase. It makes him happy too, I guess, to play with the loopback rule, as he mentioned, because of that blocking rule.
Jarmo

19monty64
September 29th, 2007, 01:32 PM
Doesn't the "block all" outgoing rule just cover what's missed in the ruleset? The reason for blocking "call-home" functions was discussed here... http://www.wilderssecurity.com/showthread.php?t=186724 ...and considering the fact that I got the "silent update" is reason enough for me to want to control in/out-bound on my PC. Enough to make me start using a firewall for the 1st time in months!!!

Escalader
September 29th, 2007, 02:00 PM
-{ Quote: "I'll answer. There is no difference, really. Just rules and our escalader has a few more rules of his own like that silly all outgoing block that sure makes him happy, lol, suspecting that his security programs someway call to evil motherbase. Makes him also happy I guess to play with the loopback rule as he mentioned cause of that blocking rule.
Jarmo" }-

Hey Jarmo:

This post we covered off line, all is well. I'm happy playing with my blocks!;D

Escalader
September 29th, 2007, 02:12 PM
-{ Quote: "Doesn't the "block all" outgoing rule just cover what's missed in the ruleset. The reason for blocking "call-home" functions was discussed here... http://www.wilderssecurity.com/showthread.php?t=186724 ...and considering the fact that I got the "silent update" is reason enough for me to want to control in/out-bound in my pc. Enough to make me start using a firewall for the 1st time in months!!!" }-

The short answer is yes. The block all end rule is like a safety in football. If all the other defenders miss the outgoing packet that you have no rule for, that one catches it. Log it, think about it, look up the IP on whois and decide what rule you need to add or which one needs modifying. IMHO.

Jarmo doesn't worry about ip blocking, that is his prerogative.

But, I'm like you and Herbalist, once you get an application that has the bad habit of doing silent calls home, (I don't mean just updates) I get unhappy and add blocks/rules either in the FW or PG 2.

Herbalist, if I recall right, even removes the software that does that.

I removed System Mechanic (iolo) for the same reason. Even though I had autoupdate off and their analyser off, when I got back an email from them with a frighteningly detailed analysis of my set up, I removed the product.

19monty64
September 29th, 2007, 02:28 PM
Yeah, I like the block all end rule much better. Watching the logs and blocking specific IPs seems a bit of a daunting challenge. Silencing the logs seems to be at least attainable (I hope)...

Stem
September 29th, 2007, 02:33 PM
Hello Escalader,

I have set up on a base XP pro sp2 (all windows updates), I have just installed Kerio 2.

I disabled Netbios (in network advanced settings, as you have already done) [ports 137-138]

Windows services I have disabled at this point:-
Windows auto updates
Windows Bits service
(I enable these now and again for M$ updates)

Windows time [ports 123]

ALG service [port 1027]

IPsec services [ports 500/4500] On my own setup, I have never found a need for this. But it may well be needed on other setups, so caution needed?

SSDP [port 1900] This will now also disable the "Universal Plug and Play Device Host" service. So caution needed.

I also disable the DNS client.

After this, looking at the opened connections in Kerio I see (on my base setup):-

[attachment 193834: Kerio open connections screenshot]

Now as I mentioned, the ports 135/445 cannot be closed easily. Going into the windows drivers can close these down, but I would suggest if you have a need to close these, then use WWDC (http://www.firewallleaktester.com/wwdc.htm), do be cautious, as I mentioned, closing down the related driver to port 445 will cause problems for DHCP, so only close this if you are using a fixed IP. If using WWDC does cause problems, then run the program again to re-enable these drivers(ports). Just realize, you can simply block comms over these ports in your firewall if needed.

As for the "Svchost UDP port 1158" showing in your connections, I am still unsure of this. Do you have the DNS service enabled? As the port in use would, to me, indicate a wait for reply from outbound (possibly unresolved DNS).
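
The service and port list in the post above lends itself to a quick audit of what is still listening. The script below is an added example, not code from the thread, from Stem, or from Kerio: it parses 'netstat -ano' style output (the sample embedded in it is constructed to look like an XP box part-way through the list, with made-up PIDs and addresses), matches each listener against the ports the posts name, and reports whether the socket is bound to all interfaces or only to loopback. The port-to-service notes repeat what the posts say; the ALG port in particular is the one Stem saw on his own setup and varies between machines.

```python
"""Check which Windows listeners from the thread's checklist are still open.

Added example, not code from the thread, from Stem, or from Kerio. It parses
'netstat -ano' style text (the sample below is constructed) and reports every
listener whose port the thread names, with the interface it is bound to.
"""
from collections import namedtuple

Listener = namedtuple("Listener", "proto local_ip local_port pid")
Finding = namedtuple("Finding", "proto port service exposure advice")

# (proto, port) -> (service as named in the thread, what the thread suggests)
PORT_NOTES = {
    ("udp", 137): ("NetBIOS name service", "disable NetBIOS over TCP/IP"),
    ("udp", 138): ("NetBIOS datagram service", "disable NetBIOS over TCP/IP"),
    ("tcp", 139): ("NetBIOS session service", "disable NetBIOS over TCP/IP"),
    ("udp", 123): ("Windows Time", "set service to Manual or Disabled"),
    ("tcp", 1027): ("ALG service", "disable ALG (port seen on Stem's setup; it varies)"),
    ("udp", 500): ("IPsec services (IKE)", "disable if no VPN/IPsec is used"),
    ("udp", 4500): ("IPsec services (NAT-T)", "disable if no VPN/IPsec is used"),
    ("udp", 1900): ("SSDP Discovery", "disable (also stops UPnP Device Host)"),
    ("tcp", 135): ("RPC endpoint mapper", "not easily closed; block in firewall"),
    ("tcp", 445): ("SMB / microsoft-ds", "not easily closed; block in firewall"),
}

# Constructed sample, not a capture from any poster's machine.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1012
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1027         0.0.0.0:0              LISTENING       1416
  TCP    192.168.1.100:139      0.0.0.0:0              LISTENING       4
  TCP    192.168.1.100:1158     203.0.113.10:80        ESTABLISHED     1080
  UDP    0.0.0.0:123            *:*                                    1080
  UDP    0.0.0.0:500            *:*                                    716
  UDP    127.0.0.1:1900         *:*                                    1152
  UDP    192.168.1.100:1900     *:*                                    1152
"""


def parse_netstat(text):
    """Return TCP listeners and UDP sockets from 'netstat -ano' output.

    TCP rows carry a State column and only LISTENING rows count; UDP rows
    have no state, and every bound UDP socket is a potential listener.
    """
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # title, blank line or column header
        proto = parts[0].lower()
        if proto == "tcp":
            if len(parts) != 5 or parts[3] != "LISTENING":
                continue
            pid = parts[4]
        else:
            if len(parts) != 4:
                continue
            pid = parts[3]
        local_ip, _, port = parts[1].rpartition(":")  # rpartition copes with IPv6 text
        listeners.append(Listener(proto, local_ip, int(port), int(pid)))
    return listeners


def exposure(local_ip):
    """Describe who can reach a socket bound to local_ip."""
    if local_ip in ("0.0.0.0", "[::]"):
        return "all interfaces"
    if local_ip.startswith("127."):
        return "loopback only"
    return "one interface (%s)" % local_ip


def audit(listeners):
    """Match listeners against the thread's checklist; unknown ports are skipped."""
    findings = []
    for lst in listeners:
        note = PORT_NOTES.get((lst.proto, lst.local_port))
        if note:
            findings.append(Finding(lst.proto, lst.local_port, note[0],
                                    exposure(lst.local_ip), note[1]))
    return sorted(findings)


if __name__ == "__main__":
    for f in audit(parse_netstat(SAMPLE_NETSTAT)):
        print("%-3s %-5d %-26s %-22s %s" % (f.proto, f.port, f.service, f.exposure, f.advice))
```

On a real machine, pipe the output of `netstat -ano` into `parse_netstat` instead of the sample. A port bound to 127.0.0.1 (the ALG row in the sample) is not reachable from the network even before the service is stopped, which is why the report separates exposure from the service name.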

Stem
September 29th, 2007, 02:41 PM
Hi Rick,
Ref post#78
-{ Quote: "Just for a comparison, this is the status screen on my box. I'm not certain if this can be accomplished on XP.
Rick" }-Yes, this can be done. As you will see from my above post, only ports 135/445 (from OS) are left at this time. I can certainly close these down on my setup without problems.

Stem
September 29th, 2007, 03:32 PM
-{ Quote: "MS updates most likely Escalader.
The thing is not to log too much to get paranoid.
Local ports 1024-5000 are normal to outgoing connections.
And that server you traced sure is a MS update one.

Another thing I like to say to you dear Escalader. I don't block IP addresses at all by kerio 2. Or other firewalls I have used. The call home factor is a trust in first place, never have blocked any IP.
Call me stupid or not ;)

Jarmo" }-Hello Jarmo P,

With respect to you, and your own thoughts on this, I have no problem. But this is your own thoughts, not mine or Escaladers (or many others).

As with M$, in the past we have seen this "Update" of WGA; this at first would connect out on every re-boot to check your copy of Windows was genuine. My installation of Windows is genuine and activated,.. does this need to be checked every day?, am I going to suddenly make some changes in my OS to make this installation illegal?. To me, this was more of a need by M$ to bind the copy of OS to the IP in use. (note this update could not be un-installed (well not easily/directly))
Yes, I know after much uprising this has been changed, but these outbound events due to this still happen, so for me, M$ certainly do not trust me, so why should I trust them? We have seen copies of Vista have restrictions placed due to server problems with M$; who is affected most by this,.. the end user with a genuine version who updates directly.

No, there is no trust from me to M$, I use their OS only because my need for this for the software I use, and the fact I give support for firewalls installed on this OS.

As for blocking IP's. Well, I personally prefer to know what connections are being made by software/OS. As example, if I have an AV installed,.. for its updates it should only need these connections (update servers); if this AV suddenly decides to connect to some unknown (to me) IP, then I want to know why. I know some AV's will send out samples of files found to a different IP than the update server (as mentioned by "Escalader" in other threads), and yes, you could say this helps the AV vendor to develop better protection (if the files/samples are viri), but saying that, I pay for my AV,.. do they pay me to collect/send this data/info?

At the end of the day, this is my PC, I will control (to the best of my ability) what is allowed out/in. The OS does not need internet connections to function, so why allow what is not actually needed?

Regards,

Escalader
September 29th, 2007, 07:48 PM
-{ Quote: ".... Watching the logs and blocking specific IP's seems a bit of an ..daunting challenge. ." }-

Hi 19monty64:

Watching logs and blocking IPs is a project for me only during this thread (well maybe a bit longer). There are thousands of incoming attempts on our PCs, thus the need for FW and router. But have a look at PG 2 sometime (Stem put me on to it) since they provide a free service/tool that allows THEM to do the work of blocking these organizations who want to snoop. The P2P trackers for example (I don't use P2P myself) are out on sort of a sting operation looking for music exchanges.

Anyway, when I catch an ip on an outbound attempt from my applications I pop it into my permanent block list in PG2. You can also do it with the host file on a site name basis.

Logs minimization is okay as a goal, but we are trying to log these offenders so they can be blocked or removed. Until I'm done I like the log!

herbalist
September 29th, 2007, 08:36 PM
-{ Quote: "Yes, I like that suggestion and as soon as I find the %^&*(* rule I'll shut it up but I suspect I may still have a loopback rule freeze up!" }-
The log includes the rule name in each entry. The majority of the log entries are from the 192.168.x(log) incoming rule. Protocol 2 is IGMP, probably being sent by your router or hardware firewall. Since you haven't posted or sent a copy of your ruleset, I can only assume that your ruleset still includes the BZ rules in pretty much their original order. Assuming this to be the case, even if you removed or disabled the above mentioned rule, those packets would still be blocked by the "IGMP (log)" rule, and the firewall log would end up with just as many entries in it for the IGMP rule. You should be able to configure your router or hardware firewall to stop sending IGMP packets since you already have the incoming packets blocked with Kerio with no apparent problems.
-{ Quote: "-{ Quote: "Just for a comparison, this is the status screen on my box. I'm not certain if this can be accomplished on XP. " }-Yes, this can be done. As you will see from my above post, only ports 135/445 (from OS) are left at this time. I can certainly close these down on my setup without problems." }-
I wasn't certain if all the listening services could be stopped with XP or not without causing problems. I'm glad to see it can be done. I've wanted to disable more of the services on several PCs for friends and clients, but not having a copy of XP of my own to test things on makes it difficult. As soon as I put some more RAM in this old box, I'll be able to use Virtual PC to run an XP test system.

Jarmo,
There's nothing silly about blocking unnecessary or unauthorized outbound traffic. Stem's position regarding Windows calling home was much kinder than mine would have been. I run Win98, so my PC has no reason to connect to M$ at all. They're issuing no patches or updates for it. My updates come from 3rd parties. For me, WGA isn't an issue in itself. It's the attitude behind it I don't accept. When a piece of software collects user data and calls home, the mildest name it's called is a data miner. More often the term used is spyware, and Windows crossed that line a long time ago. When you get to the bottom line, the real issue addressed by outbound control is ownership. The data on your PC is owned by whoever controls the outbound traffic. If your data is sent out by a program you didn't ask for without your consent or knowledge, that program is called a trojan and its owner a criminal. But if the OS does the same thing, it's supposed to be acceptable? Would you tolerate it if your car, television, etc required you to insert a sales receipt every time you wanted to use it? Would you tolerate a stereo that required you to hold the CD or tape up to a camera so it could verify that it's store bought and not a home copy? I doubt it.
AFAIC, I bought the computer hardware. I own my data. I paid for the OS. I pay for the connection. Whether M$ calls this leasing the OS or whatever doesn't matter. That doesn't give them free use of my connection or access to my files.
Rick

Escalader
September 29th, 2007, 09:40 PM
Hello Stem:

-{ Quote: "I have set up on a base XP pro sp2 (all windows updates), I have just installed Kerio 2." }-
Good, I have XP SP2 Home, not Pro, but I doubt that makes any difference.
-{ Quote: "I disabled Netbios (in network advanced settings, as you have already done) [ports 137-138]" }-

Done a while back.
-{ Quote: "Windows services I have disabled at this point:-
Windows auto updates
Windows Bits service
(I enable these now and again for M$ updates)" }-
Okay, I have them on manual; it has no impact on my Kerio active connections.
-{ Quote: "Windows time [ports 123] " }-
Same, mine on manual, I use it once every 6 months;D
-{ Quote: "ALG service [port 1027]" }-
I disabled this a while back.
-{ Quote: "IPsec services [ports 500/4500] On my own setup, I have never found a need for this. But it may well be needed on other setups, so caution needed?" }-
Hmm, new one so I set at manual
-{ Quote: "SSDP [port 1900] This will now also disable the "Universal Plug and Play Device Host" service. So caution needed." }-
Right, I set this at manual start up.
-{ Quote: "I also disable the DNS client." }-
I disabled it as well; that knocked out some entries in the connection log!:thumb:
-{ Quote: "After this, looking at the opened connections in Kerio I see (on my base setup):-

[attachment 193834: Kerio open connections screenshot]

Now as I mentioned, the ports 135/445 cannot be closed easily. Going into the windows drivers can close these down, but I would suggest if you have a need to close these, then use WWDC (http://www.firewallleaktester.com/wwdc.htm), do be cautious, as I mentioned, closing down the related driver to port 445 will cause problems for DHCP, so only close this if you are using a fixed IP. If using WWDC does cause problems, then run the program again to re-enable these drivers(ports). Just realize, you can simply block comms over these ports in your firewall if needed.
" }-

I don't use a fixed IP, if I do anything there I will block the ports in the FW.

-{ Quote: "As for the "Svchost UDP port 1158" showing in your connections, I am still unsure of this. Do you have the DNS service enabled? As the port in use would, to me, indicate a wait for reply from outbound (possibly unresolved DNS)." }-

Since the DNS client was disabled, this one has disappeared, so I think your DNS assumption was right! Great! Now I'm left with only 2 UDP entries you don't have, 1 listening on localhost 1900, the 2nd on 192.168.1.100:1900.
See attached jpg picture and let me know what you think please.
Once we are done on service shut downs the rules in the FW won't have to deal with them!

Escalader
September 29th, 2007, 09:49 PM
-{ Quote: "The log includes the rule name in each entry. The majority of the log entries are from the 192.168.x(log) incoming rule. Protocol 2 is IGMP, probably being sent by your router or hardware firewall. Since you haven't posted or sent a copy of your ruleset, I can only assume that your ruleset still includes the BZ rules in pretty much their original order. Assuming this to be the case, even if you removed or disabled the above mentioned rule, those packets would still be blocked by the "IGMP (log)" rule, and the firewall log would end up with just as many entries in it for the IGMP rule. You should be able to configure your router or hardware firewall to stop sending IGMP packets since you already have the incoming packets blocked with Kerio with no apparent problems.
Rick" }-

Hi Rick:

Yes, I'm slow getting the rules to you.

But no, I have made a lot of changes using the advanced BZ rules as a base.

I've not gone through the BZ rules to shut off their logging (yet). I will send you version 29.1, or is it 29.2, rule set tonight. It is of course XP not W98, but you know that. The rules will contain applications you don't have, but I've found that doesn't matter in Kerio. I removed an application and left the rules in place for some days before removing them. Not a problem for your test system I hope. If you find a problem I would look at Nod 32 and SS 5.5 first as the guilty ones! But that is a guess.

The rules are in the mail in 15 minutes!

Jarmo P
September 29th, 2007, 09:50 PM
The block all outgoing rule is stupid in my opinion and actually only keeps the firewall silent and shows what is bad in the log. Whoever bothers to check logs from day to day?
~~snip~~
Jarmo

Escalader
September 29th, 2007, 10:57 PM
For fellow learners:

After making the changes posted by Stem, here are my current open connections on Kerio 2.1.5. After the services were made manual or disabled as posted, my set of connections matches Stem's exactly! (I hope, my eyes are clouding over!)

A lesson for me anyway is that the services in Windows XP SP2 have an impact on the design of FW rules in Kerio. If the services are minimized (set to manual if you are in doubt), the rules can be simplified. So do that first, then your unique rules: either your own or, if you want a set to start from, download the BZ default or advanced rules and modify them as you work the PC. :thumb:

I'm gone now till tomorrow. 8)

19monty64
September 30th, 2007, 12:30 AM
-{ Quote: "But have a look at PG 2 sometime (Stem put me on to it) since they provide a free service/ tool that allow THEM to do the work of blocking these organizations who want to snoop." }-
Hey, Escalader
Do you mean ProcessGuard???

lucas1985
September 30th, 2007, 12:39 AM
He means PeerGuardian (http://phoenixlabs.org/pg2/) :)

19monty64
September 30th, 2007, 01:09 AM
Ah, thank you for the quick response. Was reading up on it at their site. Looks very interesting, other than it's beta. That might put me off for a day or two. lol

19monty64
September 30th, 2007, 01:29 AM
-{ Quote: "Hi 19monty64:

Watching logs and blocking IPs is a project for me only during this thread (well maybe a bit longer). There are thousands of incoming attempts on our PCs, thus the need for FW and router. But have a look at PG 2 sometime (Stem put me on to it) since they provide a free service/tool that allows THEM to do the work of blocking these organizations who want to snoop. The P2P trackers for example (I don't use P2P myself) are out on sort of a sting operation looking for music exchanges.

Anyway, when I catch an ip on an outbound attempt from my applications I pop it into my permanent block list in PG2. You can also do it with the host file on a site name basis.

Logs silencing is okay as a goal, but we are trying to log these offenders so they can be blocked or removed. Until I'm done I like the log!" }-
Silencing was a bad choice of words. Slowing it down would better describe it. I still want to log the suspicious activities, but as I play with the rules I have racked up some rather large logs in a short period of time. Also shutting down services has helped.
As an OT, I will probably give Comodo a try when it comes out of beta soon. Definitely be keeping my ruleset saved, as Kerio has set the bar pretty high for any other firewalls!!!

Escalader
September 30th, 2007, 09:28 AM
-{ Quote: "Hey, Escalader
Do you mean ProcessGuard???" }-

Monty:

Yes, sorry for the short form!

-{ Quote: "PeerGuardian 2.0 Beta 6c (01/30/2007)
Copyright (C) 2004-2007 Cory Nelson
Based on the original work by Tim Leonard" }-

The beta seems fairly stable. I have a thread here on PG 2 in privacy forum.

http://www.wilderssecurity.com/showthread.php?t=184661

Have a look it might help you!

Escalader
September 30th, 2007, 09:39 AM
-{ Quote: "Silencing was a bad choice of words. ...... Definitely be keeping my ruleset saved, as Kerio has set the bar pretty high for any other firewalls!!!" }-


Hi Monty:

Agreed, I edited the word out, it now says minimization which IMHO is better.

I don't want to silence the log either, and like you use it.

A question for you, what method did/do you use to decide which rule hits to log/ display alerts?

I set them for block all but haven't worked the logging rules hard yet. Been focusing on services minimization and strong rules.

I've gone off line with my rules rather than posting them in open posts here; my reason is privacy!

If you want to discuss that matter, PM me.

herbalist
September 30th, 2007, 12:54 PM
-{ Quote: "I've not gone through the BZ rules to shut off their logging (yet) I will send you version 29.1 or is it 29.2 rule set tonight. It of course is xp not w98, but you know that. Rules will contain applications you don't have, but I've found that doesn't matter in Kerio. I removed an application left the rules in place for some days before removing them. Not a problem for your test system I hope. If you find a problem I would look at Nod 32 and SS 5.5 first as the guilty ones! But that is a guess." }-
Your ruleset imported just fine on my 98 box. That's one of the things I like about Kerio, the ability to import, view, and (it would appear) edit a ruleset made on another operating system.
-{ Quote: "Once we are done on service shut downs the rules in the FW won't have to deal with them! " }-
Windows Update has a way of changing settings to what Microsoft wants them to be. I'm pretty sure that includes the settings for services. I'd keep the blocking rules active for all of the different listening services, even though you disabled them. I'd also use the alert option on these rules. This way, if M$ decides to turn a few back on via an update, you'll know it almost instantly.

A few observations on your ruleset.
I was trying to figure out why you had both a global and several application specific loopback rules. I missed it until just now. I see that you have modified the standard loopback rule from the BZ set, converting it from a network/mask to a single address rule. As a network/mask rule, it applied to a range of addresses. When you switched it to a single IP, you left the address as 127.0.0.0. It should be 127.0.0.1 if you're going to use a single address. This is the kind of mistake that can drive you nuts because it's easy to miss. BZ used a lot of network/mask rules. For most home setups, single IP rules are all that's needed. This might help you better understand the numbering system for network masks.
http://docsrv.sco.com/NET_tcpip/_Network_Masks.html

Regarding the DNS rules, I noticed that both rules are for the same IP, your primary DNS. There's no rule for your secondary DNS. The first rule, "Primary DNS Server" is fine. The 2nd rule, labelled "DNS alert" is actually an outbound allow rule. DNS needs both directions. That rule also allows TCP, which DNS doesn't need. I'd delete that rule entirely. There's a couple of ways you can handle DNS rules. You can use the format of the first rule and make one for each DNS server. You could also enter your DNS servers in the trusted address group and use it in just one rule. On my system, my hardware firewall acts as the DNS server. My DNS rule uses the trusted address group, which includes the LAN IP of Smoothwall. If you get DNS alerts after removing that 2nd rule, see if the IP in the alert is that of your router or hardware firewall.

Once you get that finished, I'd add a blocking rule for all other UDP traffic on port 53. Your choice if either the logging or alert options are used. [attachment 193880: rule screenshot]

I'll get back with you later this evening. I've got some outdoor work I need to do while the weather still permits.
Rick
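
Two of the points in Rick's post, the 127.0.0.0 single-address mistake and the placement of the catch-all UDP/53 block, both come down to how a first-match ruleset is evaluated. The model below is an added example, not code from the thread, from herbalist, or from Kerio: it reads a rule list from the top and applies the first rule that matches, then runs the loopback and DNS cases through it. The DNS server addresses 10.0.0.1 and 10.0.0.2 and the other IPs are made-up sample values, and the "ask" fallthrough stands in for the prompt the real firewall raises when no rule matches.

```python
"""Top-down, first-match rule evaluation in the style of Kerio 2.x.

Added example, not code from the thread, from herbalist, or from Kerio. It
shows why a loopback rule converted to a single address but left as
127.0.0.0 never matches traffic to 127.0.0.1 while a 127.0.0.0/8
network/mask rule does, and why a catch-all UDP/53 block only works when it
sits below the per-server DNS allow rules.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ANY = "any"


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out"
    protocol: str    # "tcp" or "udp"
    remote_ip: str
    remote_port: int


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                 # "permit" or "deny"
    direction: str              # "in", "out" or "both"
    protocol: str               # "tcp", "udp" or ANY
    remote: str                 # single IP, network/mask in CIDR form, or ANY
    remote_port: Optional[int]  # None matches every port
    log: bool = False

    def matches(self, pkt: Packet) -> bool:
        if self.direction != "both" and self.direction != pkt.direction:
            return False
        if self.protocol != ANY and self.protocol != pkt.protocol:
            return False
        if self.remote_port is not None and self.remote_port != pkt.remote_port:
            return False
        if self.remote != ANY:
            # A bare address becomes a /32, a single-host rule, exactly like
            # switching a Kerio rule from network/mask to single address.
            if ip_address(pkt.remote_ip) not in ip_network(self.remote, strict=False):
                return False
        return True


def decide(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[str]]:
    """Return (action, rule name) from the first matching rule, top to bottom.

    With no match Kerio would raise an 'ask' prompt; this model reports
    ("ask", None) so the caller can see that the packet fell through.
    """
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return "ask", None


# Constructed sample values, not any poster's real servers.
PRIMARY_DNS = "10.0.0.1"
SECONDARY_DNS = "10.0.0.2"

BROKEN_LOOPBACK = Rule("Loopback (single address, typo)", "permit", "both", ANY, "127.0.0.0", None)
FIXED_LOOPBACK = Rule("Loopback (network/mask)", "permit", "both", ANY, "127.0.0.0/8", None)
BLOCK_ALL_OUT = Rule("Block all outgoing (log)", "deny", "out", ANY, ANY, None, log=True)


def dns_rules() -> List[Rule]:
    """One bidirectional UDP/53 allow per DNS server, then the catch-all block."""
    return [
        Rule("Primary DNS Server", "permit", "both", "udp", PRIMARY_DNS, 53),
        Rule("Secondary DNS Server", "permit", "both", "udp", SECONDARY_DNS, 53),
        Rule("Block all other DNS (log)", "deny", "both", "udp", ANY, 53, log=True),
    ]


if __name__ == "__main__":
    loop = Packet("out", "tcp", "127.0.0.1", 8080)
    print("typo loopback :", decide([BROKEN_LOOPBACK, BLOCK_ALL_OUT], loop))
    print("fixed loopback:", decide([FIXED_LOOPBACK, BLOCK_ALL_OUT], loop))
    query = Packet("out", "udp", PRIMARY_DNS, 53)
    print("DNS, block below allows:", decide(dns_rules(), query))
    misordered = dns_rules()[2:] + dns_rules()[:2]
    print("DNS, block above allows:", decide(misordered, query))
```

With the typo rule in place, loopback traffic falls through to the block-all rule, which is the kind of silent breakage Rick describes. With the DNS block moved above the allows, even the primary DNS server is denied; that ordering is the one to rule out when a new port 53 block cuts off the internet. The block rule is UDP only, so a TCP/53 packet matches nothing and falls through to the prompt, consistent with Rick's remark that DNS rules here need only UDP.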

herbalist
September 30th, 2007, 01:11 PM
Stem,
In the BZ ruleset, there's a rule labelled "Protocol 50 IPv6". Isn't protocol 50 for Encap Security Payload? http://www.iana.org/assignments/protocol-numbers
Rick

Stem
September 30th, 2007, 01:43 PM
-{ Quote: "Isn't protocol 50 for Encap Security Payload? " }-
I have never looked at BZ ruleset, but yes, protocol (decimal) 50 is what you say. This, if I remember correctly is for IPsec service (for VPN)

herbalist
September 30th, 2007, 02:55 PM
Stem,
Here's the edit menu for that rule in its original form.
[attachment 193888: rule edit screenshot]
Rick

Stem
September 30th, 2007, 03:38 PM
Hi Rick,
-{ Quote: "Here's the edit menu for that rule in its original form. " }-I am not sure as to why this would be named as IPv6, protocol 50~ ESP (Layer 3 network) is used in both IPv4 and IPv6.

19monty64
September 30th, 2007, 05:48 PM
-{ Quote: "Hi Monty:

Agreed, I edited the word out, it now says minimization which IMHO is better.

I don't want to silence the log either, and like you use it.

A question for you, what method did/do you use to decide which rule hits to log/ display alerts?

I set them for block all but haven't worked the logging rules hard yet. Been focusing on services minimization and strong rules.

I've gone off line with my rules rather than posting them in open posts here; my reason is privacy!

If you want to discuss that matter, PM me." }-
I am setting most rules to log, (even the "allow" rules, just to narrow IP-addresses) but only one at a time so as not to flood the logs. Am installing PG 2 shortly, too, as well as disabling services (as per post#111 of this thread) that I didn't think were safe to disable. I usually set to manual and monitor for a few reboots before disabling, somewhere between "power-user" and "bare-bones" (as per BlackViper's configs)...

Escalader
September 30th, 2007, 08:05 PM
-{ Quote: "I am setting most rules to log, (even the "allow" rules, just to narrow IP-addresses) but only one at a time so as not to flood the logs. Am installing PG 2 shortly, too, as well as disabling services (as per post#111 of this thread) that I didn't think were safe to disable. I usually set to manual and monitor for a few reboots before disabling, somewhere between "power-user" and "bare-bones" (as per BlackViper's configs)..." }-

That's great, very helpful. One at a time! Should have thought of that one myself! :-[

OT on PG 2 I post my questions there under the same id, so not too many threads on PG here probably. Not that there is anything wrong with that.
Must keep remembering the hosts file. PG is not intended to replace it, as it doesn't convert named sites to IP addresses like the hosts file does.

Escalader
September 30th, 2007, 08:53 PM
Hi Rick, my efforts are embedded by now with quotes.... ha


-{ Quote: ".......

-{ Quote: "Windows Update has a way of changing settings to what Microsoft wants them to be. I pretty sure that includes the settings for services. I'd keep the blocking rules active for all of the different listening services, even though you disabled them. I'd also use the alert option on these rules. This way, if M$ decides to turn a few back on via an update, you'll know it almost instantly." }-

Do you mean all the Generic Host Process for Win32 Services rules in my set? They are still present and I don't see removing them?

-{ Quote: "A few observations on your ruleset.
I was trying to figure out why you had both a global and several application specific loopback rules. I missed it until just now. I see that you have modified the standard loopback rule from the BZ set, converting it from a network/mask to a single address rule. As a network/mask rule, it applied to a range of addresses. When you switched it to a single IP, you left the address as 127.0.0.0. It should be 127.0.0.1 if you're going to use a single address. This is the kind of mistake that can drive you nuts because it's easy to miss. BZ used a lot of network/mask rules. For most home setups, single IP rules are all that's needed. This might help you better understand the numbering system for network masks.
http://docsrv.sco.com/NET_tcpip/_Network_Masks.html" }-

TY, I put it right, I made a typo! Left it as a single address!

-{ Quote: "Regarding the DNS rules, I noticed that both rules are for the same IP, your primary DNS. There's no rule for your secondary DNS. " }-

I seem to have one Primary DNS Server only, so I just replicated it. The ISP has a a whole range of addresses on the server but the dns server always is the same. I get this from the connection status details. If there was a secondary dns server would it be listed there? At any rate I removed the secondary rule. I'm wondering what would happen if I put the ISP's whole range of ip's in inclusive of mine?

-{ Quote: "The first rule, "Primary DNS Server" is fine. The 2nd rule, labelled "DNS alert" is actually an outbound allow rule. DNS needs both directions. That rule also allows TCP, which DNS doesn't need. I'd delete that rule entirely. " }-

Done, removed.

-{ Quote: "There's a couple of ways you can handle DNS rules. You can use the format of the first rule and make one for each DNS server. You could also enter your DNS servers in the trusted address group and use it in just one rule." }-

Do you mean the MS network screen tab? I have it ticked but no entries. Haven't used the trusted address group. Could / Should I put the isp's full range in there? My thought is no leave it empty and have the single ip rule do it. Or should I put the 192.168.1.100/255.255.255.0 in there? I am following the Stem maxim of NOT trusting the router/lan?

-{ Quote: "On my system, my hardware firewall acts as the DNS server. My DNS rule uses the trusted address group, which includes the LAN IP of Smoothwall. If you get DNS alerts after removing that 2nd rule, see if the IP in the alert is that of your router or hardware firewall. " }-


Which rule / display will tell me that?


-{ Quote: "Once you get that finished, I'd add a blocking rule for all other UDP traffic on port 53. Your choice if either the logging or alert options are used. 193880" }-

Do you mean the BZ advanced disabled rule on 53 blocking all other UDP, both, it is named Unrestricted DNS (Log)?

What is the reason you have for this rule? Would the rule move to be near its friends at the top like all the other blocked BZ's etc?

I did test this idea by putting this rule in near my loop back and I could no longer connect to the internet, so I removed it.

-{ Quote: "I'll get back with you later this evening. I've got some outdoor work I need to do while the weather still permits." }-

Good, it was a sunny day here, but the days are getting shorter....:'(

Rick" }-

lucas1985
September 30th, 2007, 09:51 PM
You can use OpenDNS (http://www.opendns.com/) as your secondary DNS server :)

19monty64
September 30th, 2007, 11:45 PM
-{ Quote: "You can use OpenDNS (http://www.opendns.com/) as your secondary DNS server :)" }-
or do you use them as both (primary & secondary) DNS servers, as per the instructions of OpenDNS???

herbalist
October 1st, 2007, 12:35 AM
-{ Quote: "TY, I put it right, I made a typo! Left it as a single address!" }-
It's easy to do. I made one in my last post to you that caused confusion. It's in bold in the quote below.
-{ Quote: "There's a couple of ways you can handle DNS rules. You can use the format of the first rule and make one for each DNS server. You could also enter your DNS servers in the trusted address group and use it in just one rule." }-
That should have read custom address group. Sorry about the confusion. I don't use the trusted address group either.

To find out what your secondary DNS server's IP is, open a command prompt and type "IPCONFIG /all" without the quotes. It should be listed there. Regarding the suggestion made by lucas1985 and OpenDNS, I've had good results with them. They're more reliable than the ISP's DNS servers, plus they have some anti-phishing and typo correction features added. Might be worth looking into.

I'd keep all the DNS rules together. Kerio reads the ruleset from the top downward and uses the first rule it comes to that applies. The DNS blocking rule is copied from my ruleset and is not address specific. It will block all port 53 traffic that's not permitted by a rule located above it in the ruleset, so it has to be below all the other DNS/port 53 rules. Regarding what an alert for DNS connections to/from a hardware firewall or router would look like, here's 2 from mine. The first is outbound from SeaMonkey. The 2nd is the incoming reply. The only difference is the IP address, which in this case is the LAN side IP of Smoothwall. This may or may not apply to your system as I don't know how your hardware firewall is set up.
193892193891
There's several reasons for restricting DNS or port 53 connections to the DNS servers you use. Unless you take the extreme step of entering the sites you use and their IPs into your hosts file, DNS resolving is something you almost have to trust, that the site you request is going to be the site you get. If a compromised DNS server (or a malicious fake) connected you to a drive-by site when you're expecting one you trust, the results could be very bad. When your system is set up to use specific DNS servers, outbound connections to another are suspicious at best. In addition, there are trojans that use port 53 because traffic is generally allowed on that port. It's part of normal operations. A trojan that uses port 53 has a good chance of going through a firewall because the default rules will allow it, and most users don't tighten those rules.

Regarding the rules for blocking listening services, that does include the SVCHOST rules and those for all the ports that were listening before you got control of the services. Ports 88, 135, 137-139, 389, 445, 500, 1900, and any others that were listening before you worked on the services. If you use the "display alert when this rule matches" option, you'll know very quickly if a patch or update changes the settings.

Rick

edited to fix more typos.

19monty64
October 1st, 2007, 03:10 AM
-{ Quote: "You can use OpenDNS (http://www.opendns.com/) as your secondary DNS server :)" }-
Good find! Thanks for the suggestion! They made it e-e-e-easy to set up the router and firewall, and config the filtering!

Stem
October 1st, 2007, 01:11 PM
Hello Escalader,

Re:- DNS
You should have 2 or 3 DNS servers provided by your ISP. As mentioned by "herbalist", go to the Windows start menu ~ Run, type CMD, then click OK. In the command window, type ipconfig /all; this will show your (PC) IP and the DNS servers.

The only point at this time, is the fact you have a rule to allow ALG full outbound. I know you have now disabled this service, but you have left a rule to allow this. If you have no protection on your windows services (for change of state), then block ALG with logging enabled.

Escalader
October 1st, 2007, 01:24 PM
Thanks Rick:

-{ Quote: ".... Sorry about the confusion. I don't use the trusted address group either." }-

Not a problem, thought it must be that! We don't have trusted groups in the world of internet;D

-{ Quote: "To find out what your secondary DNS servers IP is, open a command prompt and type "IPCONFIG /all" without the quotes. It should be listed there. " }-

Sent you a copy of the dos screen under separate cover, seems over here my ISP doesn't provide secondaries. But I'll wait till you see the evidence.

-{ Quote: "Regarding the suggestion made by lucas1985 and OpenDNS, I've had good results with them. They're more reliable than the ISPs DNS servers, plus they have some anti-phishing and typo correction features added. Might be worth looking into." }-

TY, I'll look into that idea later.

-{ Quote: "I'd keep all the DNS rules together. Kerio reads the ruleset from the top downward and uses the first rule it comes to that applies. The DNS blocking rule is copied from my ruleset and is not address specific. It will block all port 53 traffic that's not permitted by a rule located above it in the ruleset, so it has to be below all the other DNS/port 53 rules. Regarding what an alert for DNS connections to/from a hardware firewall or router would look like, ...." }-

Right, I had one from BZ and somehow after 29 iterations, I lost it! Anyway, it is back and below all port 53's.

-{ Quote: "Regarding the rules for blocking listening services, that does include the SVCHOST rules and those for all the ports that were listening before you got control of the services. Ports 88, 135, 137-139, 389, 445, 500, 1900, and any others that were listening before you worked on the services. If you use the "display alert when this rule matches" option, you'll know very quickly if a patch or update changes the settings." }-

I have numbered these rules 1-9-10 etc in their descriptions to better id them in posts and put displays on them as discussed. But they are all on allow not deny!

But that's all for them for the moment, since Stem just posted and I want to see what that brings.

I'll send the October 1 rule set which includes these changes.

Escalader
October 1st, 2007, 01:40 PM
-{ Quote: "Hello Escalader,

Re:- DNS
You should have 2 or 3 DNS servers provided by your ISP. As mentioned by "herbalist", go to the Windows start menu ~ Run, type CMD, then click OK. In the command window, type ipconfig /all; this will show your (PC) IP and the DNS servers.

The only point at this time, is the fact you have a rule to allow ALG full outbound. I know you have now disabled this service, but you have left a rule to allow this. If you have no protection on your windows services (for change of state), then block ALG with logging enabled." }-

Hi Stem:

I have sent you a dos screen jpg, showing 1 DNS server.
Did a whois and it shows 4 servers for my ISP. 2 seem to be for email load and the other 2 servers are numbers in a range which includes my DNS IP server.

On the no protection on the windows services, I have now denied that #$%%^^ ALG rule. I have been laboring under the notion that these services rules were needed to be allowed! Are you saying:

1) They should all be denied?
2) They should all be like any other application, a rule allowing with specific ip/ ports etc followed by a deny rule?
3) why can't I just delete them all, since Kerio is deny unless specifically allowed?

Sorry, but my mind is jumbled again :-[

Stem
October 1st, 2007, 01:58 PM
Hello Escalader,
-{ Quote: "I have sent you a dos screen jpg, showing 1 DNS server. " }-No image received with mail. But it does not matter. If you are only provided 1 DNS server, then it is only a problem if that server is unreliable. Only worry about this if you have slow connections or time outs.
-{ Quote: "
1) They should all be denied?
2) They should all be like any other application, a rule allowing with specific ip/ ports etc followed by a deny rule?
3) why can't I just delete them all, since Kerio is deny unless specifically allowed?" }-You can just remove the rules, I was just concerned that you had an open rule to allow ALG.

Escalader
October 1st, 2007, 02:05 PM
-{ Quote: "Hello Escalader,
No image received with mail. But it does not matter. If you are only provided 1 DNS server, then it is only a problem if that server is unreliable. Only worry about this if you have slow connections or time outs.
You can just remove the rules, I was just concerned that you had an open rule to allow ALG." }-

Hi Stem:

Think I'm having a seniors moment! I left out the image attachment. I'll resend it anyway, since there are some other techie items there like Hybrid etc I want you to see.

Great! Done, the Windows services rules are deleted!

What about the block all outbounds at the very bottom of the set?
I have outbound deny active and inbound inactive... is that correct?

Stem
October 1st, 2007, 02:39 PM
Hi Escalader,
-{ Quote: "What about the block all outbounds at the very bottom of the set?" }-This would be classed as a "Block all ~ not already allowed" rule. Having such a rule is OK if the firewall rules are final, but could cause some problems if, as example, update servers change. Basically the rule is similar to setting the firewall to "Deny Unknown", but saying that, with such a rule in place, you can set this to log and/or alert on such events. It is a rule I would normally use myself, as my internet use is now quite limited (and I know all rules needed for my own use/setup).
-{ Quote: "I have outbound deny active and inbound inactive... is that correct?" }-You have now disabled most of the network related services, but I personally would also set the rule to block any "Inbound". (set the rule to alert for a time, to see what attempts "unknowns")

Stem
October 1st, 2007, 02:59 PM
Hello Rick (herbalist)

Due to other posts/questions, mainly concerned with problems with standalone firewalls, then adding an HIPS, I have been taking some time into looking at the low level hooking of the NT kernel (SSDT (System Service Descriptor Table) hooks).

I was just wondering if you have looked at this? (or have any knowledge of this)

This at first may appear "offtopic", but looking at the installation of Kerio 2, I see 5 hooks made by Kerio2 (fwdrv.sys). I cannot understand the hooks made.
(NOTE: Please, first, don't misunderstand me, as I am currently still in learning mode with this low level OS hooking, so I do still have as many questions as answers.) My confusion is in the hooks made by Kerio2. I would expect probably such as Ntconnectport / Ntcreateport to be intercepted/hooked by a firewall, but I see from Kerio2 these are left, and instead such as Ntcreatesection is hooked; this to me (in my limited knowledge of this) is more for execution prevention. Was such interception being introduced to Kerio2 on this version?

Escalader
October 1st, 2007, 05:28 PM
-{ Quote: "Hi Escalader,
This would be classed as a "Block all ~ not already allowed" rule. Having such a rule is OK if the firewall rules are final, but could cause some problems if, as example, update servers change. Basically the rule is similar to setting the firewall to "Deny Unknown", but saying that, with such a rule in place, you can set this to log and/or alert on such events. It is a rule I would normally use myself, as my internet use is now quite limited (and I know all rules needed for my own use/setup).
You have now disabled most of the network related services, but I personally would also set the rule to block any "Inbound". (set the rule to alert for a time, to see what attempts "unknowns")" }-

Stem:

Thanks, I like the, "Block all ~ not already allowed" definition. I don't claim my rules are done, and both are already set at log/alert.

See attached the jpg log with these rule changes and they are all blocked outbound packets from SYSHOST.Exe The 1st are 2, Lan subnet bypass 10.x UDP packets to 255.255.255.255?

Take care

Stem
October 1st, 2007, 05:51 PM
Hello Escalader,
-{ Quote: "See attached the jpg log with these rule changes and they are all blocked outbound packets from SVCHOST.Exe (corrected to svchost) The 1st are 2, Lan subnet bypass 10.x UDP packets to 255.255.255.255?" }-This is not right, you should not see such attempts of outbound from this private IP range~ unless you have such as a VM (virtual machine) installed, even then, I would not expect to see svchost (directly from host) making this attempt.
The rest of the blocked are attempts to "Net Access Corporation", is this for your own ISP, or parent of your ISP?

19monty64
October 1st, 2007, 06:30 PM
Hello Lucas1985.
Again, thank you for the OpenDNS suggestion.
Do you, or any others, happen to know if the new dns-addresses need to be entered anywhere besides router and firewall. I've no problems so far with going OpenDNS (for primary and secondary), but wondering if something within XP-Windows needs to be changed to reflect the new dns-servers. All is well in Kerio and router, but it is Windows, and problems don't always surface right away.
Any input or experiences would be appreciated. TIA

herbalist
October 1st, 2007, 06:41 PM
Escalader,
Allow rules for specific services are only needed if you use those services. Having blocking rules in place for ones you've disabled serves as a second layer of control and a means of notification should any get turned back on by an update, patch, etc. A "block all" rule at the end has the same effect, provided that the traffic isn't permitted by another "allow" rule. The advantage to using separate rules for the individual services would be for better control over what you want logged or to be alerted to. Myself, I'd use the "alert" option on the service blocking rules so I could have real time notification for that particular traffic. Another instance where separate rules would be an advantage is if you install or change something that requires a specific service to be functional. It's easy to change a single rule from "block" to "allow". I'd also recommend using the service name and/or the port number in the rule name to make them easy to work with. Having several rules all named SVCHOST just makes a ruleset harder to work with.

Your ISP is the first I've seen that only uses one DNS server. Every service I've used had 2 or more. If that one DNS server ever failed, you probably lose your internet service. I tried OpenDNS when I switched to DSL. At the time, they had what they called a temporary problem with their own DNS servers. After more than a month of this "temporary issue", I tried OpenDNS. They've been very reliable, enough so that I haven't bothered to see if my ISP ever fixed theirs.
-{ Quote: "What about the block all outbounds at the very bottom of the set?
I have outbound deny active and inbound inactive... is that correct?" }-
I agree with Stem, enable the block all incoming rule. Since you're behind a hardware firewall, most if not all the alerts you'd see will be coming from your own hardware, provided that you haven't set up any port forwarding. If you weren't behind a router/firewall, enabling alerts for all blocked incoming traffic could become very annoying. Regarding the "block all outbound" rule, if you plan on keeping that rule, disable it until your ruleset is completely finished. With Kerio on the "Ask me first" setting, traffic that's not permitted by rule is still blocked. The only functional difference is that you get an alert and the option to allow that traffic. I don't use global "block all" rules except for certain test configurations. I prefer to make them application, port, or function specific, such as the "block all other DNS" rule or a "block all incoming" rule for the browser. In addition to the instances Stem mentioned, there are instances when you will need to be able to connect to a new IP or use a non-standard port. Online games and instant message programs are a couple of examples.
Rick

Escalader
October 1st, 2007, 06:43 PM
-{ Quote: "Hello Escalader,
This is not right, you should not see such attempts of outbound from this pivate IP range~ unless you have such as a VM (virtual machine) installed, even then, I would not expect to see svchost (directly from host) making this attempt.
The rest of the blocked are attempts to "Net Access Corporation", is this for your own ISP, or parent of your ISP?" }-


Thanks Stem: This show the value of logs.

1) I don't have a VM machine
2) Nevertheless the attempts are there.
3) PG 2 also blocked Net Access Corp but it showed 69.26.188.168 ip #'s

One ip lookup 209.123.81.168 led to Akamai Technologies, Inc. which is widely used by many firms.

I don't think my ISP has a parent and its IPs are not in that range.

So whatever it is it is blocked but something is amiss.

Stem
October 1st, 2007, 07:01 PM
-{ Quote: "1) I don't have a VM machine
" }-This, as I said, is not right,... whichever way you look at this.
Errors in logs are possible, but not to a point of mis-informed local IP. I have not (personally) seen such events.

HJT is no longer done here, but out of curiosity, please go to, and post a HJT log for inspection. The site I know, and trained at was http://malwareremoval.com/ (There are of course many other such sites) This is just to put away possibilities.

Regards,

herbalist
October 1st, 2007, 08:00 PM
Escalader, Stem,
I believe those SVCHOST connection attempts to 255.255.255.255 are DHCP broadcasts. Do you have an active rule for DHCP? I didn't see one in the rules you sent. The only active DHCP rule I see is the unrestricted DHCP blocking rule. You need a "permit DHCP" rule above that. SVCHOST is broadcasting because it can't connect to your DHCP servers IP.
Rick

Stem
October 1st, 2007, 08:12 PM
Hi Rick,
-{ Quote: "I believe those SVCHOST connection attempts to 255.255.255.255 are DHCP broadcasts." }-Yes, these are internet (255.255.255.255) broadcasts to DHCP(port 67). But these are from private IP 10.*, these should not be seen/attempted from private (Escalader) IP 168.*

Is this a possible problem with Kerio logging?

herbalist
October 1st, 2007, 08:14 PM
Stem,
My knowledge of SSDT hooks is very limited. It's been difficult to study this when I don't have an NT system to work with. I'm not aware of anything related to execution control being implemented into Kerio 2. Is it possible that those hooks are related to the MD5 signature checking?
Rick

Stem
October 1st, 2007, 08:26 PM
-{ Quote: "Stem,
My knowledge of SSDT hooks is very limited. It's been difficult to study this when I don't have an NT system to work with." }-No problem, I will have to look at win98, as we see such as SSM(free) is still supporting this, so I would be interested how interceptions are made on this OS. (I actually still use W2K, only because my hardware does not have drivers for 98,.. come to that,.. I would prefer to stay with DOS)
-{ Quote: "I'm not aware of anything related to execution control being implemented into Kerio 2. Is it possible that those hooks are related to the MD5 signature checking? " }-MD5 or other checksums calculations do not require any system hooking. This is just a checksum of the binary of the file.

herbalist
October 1st, 2007, 08:27 PM
-{ Quote: "Yes, these are internet (255.255.255.255) broadcasts to DHCP(port 67). But these are from private IP 10.*, these should not be seen/attempted from private (Escalader) IP 168.*
Is this a possible problem with Kerio logging?" }-
I'm at a loss to understand why they'd be blocked by that particular rule. The log shows them originating from localhost, not a 10.xx address. I'm wondering if the rule is different than the one in the ruleset Escalader sent me. A typo perhaps, like a missing "1" in the IP address?

Escalader, could you post an image of the edit menu for the "LAN subnet bypass 10.x" rule, just to make certain?
Rick

herbalist
October 1st, 2007, 08:30 PM
What would you use to see all the hooks on a 9X system? On XP, I use rku, but never tried it on a 9X box.
Rick

Stem
October 1st, 2007, 08:33 PM
-{ Quote: "I'm at a loss to understand why they'd be blocked by that particular rule. The log shows them originating from localhost, not a 10.xx address. I'm wondering if the rule is different than the one in the ruleset Escalader sent me. A typo perhaps, like a missing "1" in the IP address?

Escalader, could you post an image of the edit menu for the "LAN subnet bypass 10.x" rule, just to make certain?
Rick" }-
I was looking at the pic in post# 140 "block lan subnet bypass 10* outbound"

Stem
October 1st, 2007, 08:42 PM
-{ Quote: "What would you use to see all the hooks on a 9X system? On XP, I use rku, but never tried it on a 9X box.
Rick" }-I admit I am not sure yet. I have only just started to dig deeply into NT (I do not like what I find). I have never looked at 98 (I never used that OS,.. NT3/4 at the time for me)

herbalist
October 1st, 2007, 08:59 PM
-{ Quote: "I was looking at the pic in post# 140 "block lan subnet bypass 10* outbound"" }-
I was looking at the image in post #95. Those entries are the same.
-{ Quote: "I have only just started to dig deeply into NT (I do not like what I find). I have never looked at 98 (I never used that OS,.. NT3/4 at the time for me)" }-
It's probably too off topic to ask what you're finding that you don't like. I can about guess what it is. It's the exact opposite for me. I rarely use an NT system. The vast majority of the time, I'm on 98 or 98SE. DOS is a big part of the reason I stay with it.
-{ Quote: "I actually still use W2K, only because my hardware does not have drivers for 98,.. come to that,.. I would prefer to stay with DOS)" }-
What drivers do you need?
Rick

Stem
October 1st, 2007, 09:17 PM
-{ Quote: "I was looking at the image in post #95. Those entries are the same. " }-Why the outbound from 10.*?

-{ Quote: "It's probably too off topic to ask what you're finding that you don't like." }-I can see how easy it is to cause problems.

-{ Quote: "What drivers do you need?
" }-
Chipset drivers for nVidia4 , Graphic drivers for GT 6600, NIC drivers for Yukon,.. should I go on?

Escalader
October 1st, 2007, 09:24 PM
-{ Quote: "Escalader, Stem,
I believe those SVCHOST connection attempts to 255.255.255.255 are DHCP broadcasts. Do you have an active rule for DHCP? I didn't see one in the rules you sent. The only active DHCP rule I see is the unrestricted DHCP blocking rule. You need a "permit DHCP" rule above that. SVCHOST is broadcasting because it can't connect to your DHCP servers IP.
Rick" }-

I'll put an active rule in and see if this idea works and the log issues go away.

Stem
October 1st, 2007, 09:32 PM
-{ Quote: "I'll put an active rule in and see if this idea works and the log issues go away." }-Any unresolved DHCP should be shown as from 0.0.0.0-> broadcast (either internet (255.255.255.255) or your LAN (192.*~255)), or from your own IP 192* to direct renew DHCP server (in your case the router); you should simply not see any request/broadcast made as seen from a local IP of 10.* with your setup.

Escalader
October 1st, 2007, 09:34 PM
-{ Quote: "I'm at a loss to understand why they'd be blocked by that particular rule. The log shows them originating from localhost, not a 10.xx address. I'm wondering if the rule is different than the one in the ruleset Escalader sent me. A typo perhaps, like a missing "1" in the IP address?

Escalader, could you post an image of the edit menu for the "LAN subnet bypass 10.x" rule, just to make certain?
Rick" }-


Yes, here it is:

Stem
October 1st, 2007, 09:39 PM
Escalader,

This rule should never be hit (need to be used) in your setup. But we see logs to this.

This to me (IMHO) is a problem

herbalist
October 1st, 2007, 09:45 PM
-{ Quote: "Why the outbound from 10.*?" }-
I'm questioning if it is from a "10.xx" IP. Why would this rule intercept traffic from localhost? In Escalader's loopback rule, a "1" got changed to a "0". I'm wondering if something similar has happened with this rule.

herbalist
October 1st, 2007, 10:04 PM
Escalader's last screenshot didn't show here when I refreshed the page. I misread the rule. 10.x is the remote endpoint. I read it as the local. Even so, the log shows the remote endpoint as 255.x. Why would this rule intercept that traffic?
Rick

Stem
October 1st, 2007, 10:12 PM
Hi Rick,

The screenshots show 10.* -> 255.255.255.255,..... 10.* being local

Inbound/outbound from this private IP is blocked;logged by the rule shown.

Rmus
October 1st, 2007, 10:56 PM
-{ Quote: "there are trojans that use port 53 because traffic is generally allowed on that port. It's part of normal operations. A trojan that uses port 53 has a good chance of going thru a firewall because the default rules will allow it, and most users don't tighten those rules." }-Rick, you may remember the infamous gift.com postcard exploit, where the first action of the trojan was to connect out using Port 53.

For the benefit of others, I'll show how Kerio responds to this attempt depending on how your Rules are set up.

If you have a Block-all-other-Port 53 rule following your allow rules, Kerio will block any attempt that does not
correspond to those rules:

193913
_________________________________________________________________________

193914

If you do not have a Block-all-other rule, then Kerio will Alert for a Prompt to any attempt that does not correspond
to your allow rules. Here, I disable the Block-all-other rule:

193915
_________________________________________________________________________

193916


Very interesting and informative thread!

-rich

herbalist
October 1st, 2007, 11:29 PM
I definitely remember the postcards. I've got several variants of it captured from my webmail. That's a prime example of why a firewall's default rules should be tightened. I noticed your DNS rules used the custom address group. On a system using the default rules, the DNS rules allow any address. The only other thing that a user might notice is that the trojan launches a TCP connection while DNS uses UDP. Many firewall users don't know the difference. It would be very easy for a user to allow that trojan to call home and never realize it.
Rick

Rmus
October 2nd, 2007, 12:01 AM
Yes, the default DNS rules leave the user wide open. At least, Kerio's Help file should have cautioned about this.

However, I always maintained that the default Ruleset could have omitted a DNS rule altogether, with pertinent instructions in the Help file about DNS. Then upon connecting -- voila -- you get your two DNS servers courtesy of Kerio!

The Help file could go on to explain the options of listing the IP addresses in the rule, or putting them in the Custom addresses.

What a great way for the user to learn how to use Kerio right from the start! You get to see Kerio in action: how it prompts for anything not authorized; and, how to create a rule.


-rich

lucas1985
October 2nd, 2007, 01:55 PM
-{ Quote: "Hello Lucas1985.
Again, thank you for the OpenDNS suggestion.
Do you, or any others, happen to know if the new dns-addresses need to be entered anywhere besides router and firewall. I've no problems so far with going OpenDNS (for primary and secondary), but wondering if something within XP-Windows needs to be changed to reflect the new dns-servers. All is well in Kerio and router, but it is Windows, and problems don't always surface right away.
Any input or experiences would be appreciated. TIA" }-
If your network settings on the hosts are set to automatic (gateway, DNS, IPs, etc), you shouldn't have any problems.
Have you done the test to see if OpenDNS is working properly?

19monty64
October 3rd, 2007, 10:22 AM
-{ Quote: "If your network settings on the hosts are set to automatic (gateway, DNS, IPs, etc), you shouldn't have any problems.
Have you done the test to see if OpenDNS is working properly?" }-
Which test do you mean?

Escalader
October 3rd, 2007, 01:43 PM
-{ Quote: "Rick, you may remember the infamous gift.com postcard exploit, where the first action of the trojan was to connect out using Port 53.

For the benefit of others, I'll show how Kerio responds to this attempt depending on how your Rules are set up.

If you have a Block-all-other-Port 53 rule following your allow rules, Kerio will block any attempt that does not
correspond to those rules:

193913
_________________________________________________________________________

193914

If you do not have a Block-all-other rule, then Kerio will Alert for a Prompt to any attempt that does not correspond
to your allow rules. Here, I disable the Block-all-other rule:

193915
_________________________________________________________________________

193916


Very interesting and informative thread!

-rich" }-


Hi Rmus:

TY for the great port 53 contribution!

You say place after the allows. Do you mean that AND above the application rules, which I have on an IP basis followed by a blocker rule for each application?

OR

Do you mean at the very bottom of the rule set near/above the last 2 block all in and all outs, discussed earlier in the thread?

If this is another of my dumb questions I ask for patience again!:-[

lucas1985
October 3rd, 2007, 01:50 PM
-{ Quote: "Which test do you mean?" }-
Hmm, it was in the old design of the site ???
That test directed you to a (fake) phish site and to a misspelled site.

Escalader
October 3rd, 2007, 01:58 PM
-{ Quote: "Hi Rick,

The screenshots show 10.* -> 255.255.255.255,..... 10.* being local

Inbound/outbound from this private IP is blocked;logged by the rule shown." }-

Hi Stem and Rick and all interested readers/ lurkers and posters!

(No I'm not dead as some might hope for!);D

I have been resting my head a bit and cleaning up and reloading my hosts file with the latest and greatest from Spybot. That is done!

Also, I removed SpySweeper for now, since it was giving me too much static and every now and then it is good to scale back one tool when a new one gets added IMHO. So I added PG 2 and set SS aside (for now)


On my incomplete Kerio rules, mine work pretty well but want to consolidate the posts you all have given me into one document (underway) and identify all the advice which is all agreed between us and proven to work okay.

That process will leave me with any UFO issues which are under debate and unresolved. This 10.x rule being an example.

So I'm not concerned that much, (some users don't have any 2 way FW) so it's a matter of degrees of risk.

One new little item was I restored a previous rule set and the last 6 or so rules were AWOL! I think I read something on the other forum about this being a problem for which the only solution was to trim down the list of rules?

Can I ask you guys to count your rules in Kerio and we can see if my list is longer, since I don't believe the trim down is the answer!

Stem
October 3rd, 2007, 02:24 PM
Hi Escalader,
-{ Quote: "That process will leave me with any UFO issues which are under debate and unresolved. This 10.x rule being an example. " }-I am still curious about this block from 10.* (broadcast). I can understand "Rick" putting forward this as possibly unresolved DHCP, but I have never seen such a broadcast from an unresolved (I would expect to see such a broadcast from a private IP range only for DHCP renew). I have been trying to recreate such an event. But up to now, I only see what I have seen before (such as unresolved DHCP NIC defaulting to IPs such as 169.*. The IP being the same each time no successful DHCP boot is made).
You have mentioned another PC on LAN, is this using a VM (example: Virtualbox will use private network 10.* when setup for NAT,.. broadcasts (255.255.255.255) from this will go through the host if allowed). Just really thinking out loud at the moment, as the (log) event we see for this could actually be a blocked inbound.

What you could do, when you have time, is to split the block 10.* rule, so that one rule blocks outbound, and one blocks inbound. We would know for sure the direction of this broadcast (if attempted again)

Rmus
October 3rd, 2007, 04:29 PM
-{ Quote: "TY for the great port 53 contribution!

You say place after the allows. Do you mean that AND above the application rules, which I have on an IP basis followed by a blocker rule for each application

OR

Do you mean at the very bottom of the rule set near/above the last 2 block all in and all outs, discussed earlier in the thread?

If this is another of my dumb questions I ask for patience again!:-[" }-Hi Escalader,

Technically, it doesn't matter, as long as a Block rule follows the respective Allow rules.

For the sake of order and convenience, I keep my internet rules at the top, and application rules below.

If the outbound request doesn't match the rule, Kerio continues searching, and as I showed in my post, if there is an applicable Block rule, then Kerio blocks. If there is no block rule, then Kerio alerts.

In the example I gave, the Port 53 rule specifies IP addresses (in the Custom Addresses) and an application (Services.exe); neither matched the Outbound attempt.

-{ Quote: "Can I ask you guy's to count your rules in Kerio and we can see if my list is longer since I don't believe the trim down is the answer! " }-I have 28 rules: 14 for Internet and LAN, 14 for Applications.

-rich

Escalader
October 3rd, 2007, 08:32 PM
-{ Quote: "Hi Escalader,
I am still curious about this block from 10.* (broadcast). I can understand "Rick" putting forward this as possibly unresolved DHCP, but I have never seen such a broadcast from an unresolved (I would expect to see such a broadcast from a private IP range only for DHCP renew). I have been trying to recreate such an event. But up to now, I only see what I have seen before (such as unresolved DHCP NIC defaulting to IPs such as 169.*. The IP being the same each time no successful DHCP boot is made).
You have mentioned another PC on LAN, is this using a VM (example: Virtualbox will use private network 10.* when setup for NAT,.. broadcasts (255.255.255.255) from this will go through the host if allowed). Just really thinking out loud at the moment, as the (log) event we see for this could actually be a blocked inbound.

What you could do, when you have time, is to split the block 10.* rule, so that one rule blocks outbound, and one blocks inbound. We would know for sure the direction of this broadcast (if attempted again)" }-


Let me do the split, now, I'll clear the log and reboot then post the log entries. Don't get me wrong here I want to KNOW as well, it's just a bit over my head. I've gained knowledge but I don't fully grasp what you and Rick are saying. He is concerned about this problem as well.

What is this private ip address in the sense of whose is it? I can block any ip I want either in the FW rules or in PG 2 as well?

What is the worst case a Trojan?


BTW I do not have a VM PC. There is the other PC that shares my internet connection through the router. Both PCs run XP SP2 and both are also behind the AlphaShield router.

herbalist
October 3rd, 2007, 09:30 PM
-{ Quote: "Can I ask you guy's to count your rules in Kerio and we can see if my list is longer since I don't believe the trim down is the answer!" }-
I have a total of 80 rules. I'm not aware of a limit on the number of rules Kerio can handle. If there is a limit and if you're approaching it, you could combine a lot of the rules you have. When I get a chance, I'll edit the last ruleset you sent over and send it back with a text file explaining what I changed. One quick way to cut out a few rules would be with your ICMP rules. You have 5 blocking rules and no allow rules for ICMP. One blocking rule could do the same thing. Your 2 Peer Guardian rules are identical except that one allows and one blocks. The blocking rule serves no purpose when the first rule allows all IP addresses. Several of your SVCHOST rules are for single IPs with no port/protocol limitation. Some of them could be combined by using an IP range. Eventually you can remove the network rules that are for LAN IP ranges that don't apply to your system.
-{ Quote: "I can understand "Rick" putting forward this as possibly unresolved DHCP, but I have never seen such a broadcast from an unresolved (I would expect to see such a broadcast from a private IP range only for DHCP renew). I have been trying to recreate such an event." }-
I'm pretty sure that he had no rules permitting any DHCP active at the time, only a single blocking rule "Unrestricted DHCP" with no IP restrictions, local port 68, remote port 67, both directions. This rule was located 5 rules below the 10.x rule.
-{ Quote: "The screenshots show 10.* -> 255.255.255.255,..... 10.* being local
" }-I think we're just reading the log differently. You appear to be reading 10.x as the local IP while I'm reading 10.x as the rule name and "localhost" as the local IP. If you look at the other entries in Kerio's log, they all use the same syntax:
[Date and time] rule '(name of rule)' action: direction protocol, (source IP:port#)->(destination IP:port#), Owner:
The other outbound log entries show "localhost:port number" as the source IP. I read the 10.x entries as "localhost:port 68"->"broadcast:port 67".

It wouldn't take much to find out. If using IPCONFIG to release and renew results in more of those log entries, the question is answered. If it does, I'd be interested to see the resulting firewall alert for this with that 10.x rule disabled.

If I understand this correctly, a DHCP broadcast is sent to all LAN IPs, which would include 10.x IPs. Looking at the ruleset Escalader sent, the "LAN Subnet Bypass 10.x" blocking rule is the first rule in the ruleset for outbound TCP/UDP that is not application or port specific. Did Escalader send you a copy of this ruleset? I believe he was using the one he named 29.2 when these log entries were made. I'm beginning to suspect that Kerio has a bit of a problem with how it applies rules to outbound broadcasts.
Rick

herbalist
October 3rd, 2007, 09:44 PM
-{ Quote: "What is this private ip address in the sense of whose is it? I can block any ip I want either in the FW rules or in PG 2 as well?" }-
The IP ranges used for private IPs are not assigned to or used by sites on the net. Private IPs are used on local networks. They belong to whoever owns that network. Private IPs are not directly accessible from the net. Your modem/router translates your public IP (provided by your ISP) into your private IP, chosen by you and determined by the settings you use in your router. Unlike internet IPs, private IPs aren't exclusive. Many networks use the same private IPs but have different public IPs. All the IPs on your local network are owned by you. Yes, you can block local IPs, just like you can block any other internet IP. Blocking local or private IPs prevents different parts of your own network from communicating with each other.
Rick

Escalader
October 3rd, 2007, 09:56 PM
Hi:

1) I have 80 rules, with Stems split in ( I hope it is correct)
2) I also put in Rmus's rule on Port 53, it was really a matter of activating a BZ rule.
3) I will send today's October 3 rules to both of you and would really ask that 29.2 be set aside in favour of it for any editing


-{ Quote: "I have a total of 80 rules. I'm not aware of a limit on the number of rules Kerio can handle. If there is a limit and if you're approaching it, you could combine a lot of the rules you have. When I get a chance, I'll edit the last ruleset you sent over and send it back with a text file explaining what I changed. One quick way to cut out a few rules would be with your ICMP rules. You have 5 blocking rules and no allow rules for ICMP. One blocking rule could do the same thing. Your 2 Peer Guardian rules are identical except that one allows and one blocks. The blocking rule serves no purpose when the first rule allows all IP addresses. Several of your SVCHOST rules are for single IPs with no port/protocol limitation. Some of them could be combined by using an IP range. Eventually you can remove the network rules that are for LAN IP ranges that don't apply to your system.

I'm pretty sure that he had no rules permitting any DHCP active at the time, only a single blocking rule "Unrestricted DHCP" with no IP restrictions, local port 68, remote port 67, both directions. This rule was located 5 rules below the 10.x rule.
I think we're just reading the log differently. You appear to be reading 10.x as the local IP while I'm reading 10.x as the rule name and "localhost" as the local IP. If you look at the other entries in Kerio's log, they all use the same syntax:
[Date and time] rule '(name of rule)' action: direction protocol, (source IP:port#)->(destination IP:port#), Owner:
The other outbound log entries show "localhost:port number" as the source IP. I read the 10.x entries as "localhost:port 68"->"broadcast:port 67".

It wouldn't take much to find out. If using IPCONFIG to release and renew results in more of those log entries, the question is answered. If it does, I'd be interested to see the resulting firewall alert for this with that 10.x rule disabled.

If I understand this correctly, a DHCP broadcast is sent to all LAN IPs, which would include 10.x IPs. Looking at the ruleset Escalader sent, the "LAN Subnet Bypass 10.x" blocking rule is the first rule in the ruleset for outbound TCP/UDP that is not application or port specific. Did Escalader send you a copy of this ruleset? I believe he was using the one he named 29.2 when these log entries were made. I'm beginning to suspect that Kerio has a bit of a problem with how it applies rules to outbound broadcasts.
Rick" }-

Escalader
October 3rd, 2007, 10:01 PM
-{ Quote: "The IP ranges used for private IPs are not assigned to or used by sites on the net. Private IPs are used on local networks. They belong to whoever owns that network. Private IPs are not directly accessible from the net. Your modem/router translates your public IP (provided by your ISP) into your private IP, chosen by you and determined by the settings you use in your router. Unlike internet IPs, private IPs aren't exclusive. Many networks use the same private IPs but have different public IPs. All the IPs on your local network are owned by you. Yes, you can block local IPs, just like you can block any other internet IP. Blocking local or private IPs prevents different parts of your own network from communicating with each other.
Rick" }-


Rick/Stem:

What about this log packets to unopened ports setting?

herbalist
October 3rd, 2007, 10:11 PM
-{ Quote: "What about this log packets to unopened ports setting?" }-
That will cause incoming packets that are addressed to closed ports to be logged, "closed" as in not opened by a process or application on your system. Both hackers and malware scan PCs, looking for open ports to try to connect to. Since you're behind a router and hardware firewall, port scans won't reach your PC. Depending on how your router and firewall are set up, you could see some packets from them. With a hardware firewall blocking unwanted inbound traffic, the log will be more useful for specific monitoring of outbound traffic.
Rick

Escalader
October 3rd, 2007, 10:27 PM
Okay, Rick, what about suspicious packets? Same logic? Only outbounds would be interesting?
Should I turn it on?


Oh, here is one you will like.

A day or so back, I thought I had restored a rule set. Something odd happened. I think I tried to restore from an empty set, not sure. But there should have been an alarm bell!

The rule set was empty! Nada, zip, void, Null what ever word you want!

I started getting pop ups, saying blah blah I want to connect.

What would happen If I left 0 rules in place and set it to deny all unless in the rules which don't exist?

My guess is if Kerio is working right, you will have no access to anything in or out. Same as stop all traffic?

herbalist
October 3rd, 2007, 10:46 PM
I'm not sure just what Kerio considers suspicious packets. Turning it on won't cause any problems.
-{ Quote: "A day or so back, I thought I was restored a rule set. Something odd happened. i think I tried to restore from an empty set, not sure. But there should have been an alarm bell! The rule set was empty! Nada, zip, void, Null what ever word you want!" }-
I'm not sure if it's the same when Kerio is installed on XP, but on my box, there's a .conf file in the Kerio folder named stat.conf. When I load it, I get one error message. Kerio seems to run fine, but there's no rules. I've run into quite a few times when an empty ruleset is handy.

With no rules and using the deny unknown setting, nothing should have internet access except Kerio itself.
Rick

Escalader
October 4th, 2007, 11:16 AM
-{ Quote: "Hi Escalader,
I am still curious about this block from 10.* (broadcast). I can understand "Rick" putting forward this as possibly unresolved DHCP, but I have never seen such a broadcast from an unresolved (I would expect to see such a broadcast from a private IP range only for DHCP renew). I have been trying to recreate such an event. But up to now, I only see what I have seen before (such as unresolved DHCP NIC defaulting to IPs such as 169.*. The IP being the same each time no successful DHCP boot is made).
You have mentioned another PC on LAN, is this using a VM (example: Virtualbox will use private network 10.* when setup for NAT,.. broadcasts (255.255.255.255) from this will go through the host if allowed). Just really thinking out loud at the moment, as the (log) event we see for this could actually be a blocked inbound.

What you could do, when you have time, is to split the block 10.* rule, so that one rule blocks outbound, and one blocks inbound. We would know for sure the direction of this broadcast (if attempted again)" }-


October 5 bootup log observations:

These 2 10.x output UDP to 255.255.255.255 occured again today. They are the first entries occurring:

05/Oct/2007 07:24:06 Lan Subnet Bypass 10.x Outbound blocked; Out UDP; localhost:68->255.255.255.255:67; Owner: C:\WINDOWS\SYSTEM32\SVCHOST.EXE
05/Oct/2007 07:24:06 Lan Subnet Bypass 10.x Outbound blocked; Out UDP; localhost:68->255.255.255.255:67; Owner: C:\WINDOWS\SYSTEM32\SVCHOST.EXE

They show as if they are from an activated SVCHOST.EXE.

But which one?

____________________________________________________________________________________



Hi Stem:

Here is the bootup log from this morning. Your dual split rule shows 2 outbound blocks!

Now I'm concerned I have malware! It seems unlikely. Should I be? :-\
These were blocked on outbound for 10.x.

All scans by Nod 32 show zip.
Ad Aware shows only tracking and MRU otherwise clean, Spybot S and D shows zip.

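The log lines Escalader posted above follow the syntax Rick gave earlier in the thread (date and time, rule name, action, direction and protocol, source->destination, owner). Here is an added example, not code from the thread or from Kerio, that parses that format and flags any entry where the remote address lies outside the range the rule is supposed to cover. The first two sample lines are the ones posted on October 4; the other two are constructed here for contrast, and the mapping of each 10.x rule to 10.0.0.0/24 is an assumption taken from how Stem reads the rule (10.0.0.0 <-> 10.0.0.255).

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log. The first two lines are the ones Escalader posted on
# October 4; the last two are made up here to show in-scope traffic for contrast.
SAMPLE_LOG = r"""
05/Oct/2007 07:24:06 Lan Subnet Bypass 10.x Outbound blocked; Out UDP; localhost:68->255.255.255.255:67; Owner: C:\WINDOWS\SYSTEM32\SVCHOST.EXE
05/Oct/2007 07:24:06 Lan Subnet Bypass 10.x Outbound blocked; Out UDP; localhost:68->255.255.255.255:67; Owner: C:\WINDOWS\SYSTEM32\SVCHOST.EXE
05/Oct/2007 07:24:09 Lan Subnet Bypass 10.x Inbound blocked; In UDP; 10.0.0.5:137->localhost:137; Owner: C:\WINDOWS\SYSTEM32\SVCHOST.EXE
05/Oct/2007 07:24:10 Lan Subnet Bypass 10.x Outbound blocked; Out TCP; localhost:1034->10.0.0.1:80; Owner: C:\WINDOWS\SYSTEM32\SVCHOST.EXE
"""

# Assumption: the address range each logged rule is supposed to cover. Stem reads
# the split 10.x rule as 10.0.0.0 <-> 10.0.0.255, i.e. 10.0.0.0/24.
RULE_SCOPE = {
    "Lan Subnet Bypass 10.x Outbound": ipaddress.ip_network("10.0.0.0/24"),
    "Lan Subnet Bypass 10.x Inbound": ipaddress.ip_network("10.0.0.0/24"),
}


@dataclass
class KerioEvent:
    when: datetime
    rule: str
    action: str       # "blocked" or "permitted"
    direction: str    # "Out" or "In"
    proto: str
    src_host: str
    src_port: int
    dst_host: str
    dst_port: int
    owner: str

    @property
    def remote_host(self) -> str:
        """The non-local end: destination for Out, source for In."""
        return self.dst_host if self.direction == "Out" else self.src_host


def _endpoint(text: str):
    host, port = text.rsplit(":", 1)
    return host, int(port)


def parse_kerio_line(line: str) -> KerioEvent:
    """Parse one Kerio 2.1.5 log line of the form
    '<date> <time> <rule name> <action>; <dir> <proto>; <src>:<port>-><dst>:<port>; Owner: <exe>'."""
    fields = [f.strip() for f in line.strip().split(";")]
    if len(fields) != 4:
        raise ValueError(f"unexpected field count in: {line!r}")
    head, dir_proto, flow, owner = fields
    tokens = head.split()
    when = datetime.strptime(" ".join(tokens[:2]), "%d/%b/%Y %H:%M:%S")
    action = tokens[-1]
    rule = " ".join(tokens[2:-1])        # rule names may contain spaces
    direction, proto = dir_proto.split()
    src, dst = flow.split("->")
    src_host, src_port = _endpoint(src)
    dst_host, dst_port = _endpoint(dst)
    owner_path = owner.split(":", 1)[1].strip()   # drop the "Owner:" label
    return KerioEvent(when, rule, action, direction, proto,
                      src_host, src_port, dst_host, dst_port, owner_path)


def parse_kerio_log(text: str):
    return [parse_kerio_line(l) for l in text.splitlines() if l.strip()]


def out_of_scope_events(events, scope=RULE_SCOPE):
    """Events whose remote address lies outside the range the rule claims to
    cover. A non-empty result means the firewall applied a rule to traffic that
    rule should never have matched, which is the 10.x puzzle in this thread."""
    hits = []
    for ev in events:
        net = scope.get(ev.rule)
        if net is None:
            continue
        try:
            addr = ipaddress.ip_address(ev.remote_host)
        except ValueError:          # "localhost" or a hostname, not an address
            continue
        if addr not in net:
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for ev in out_of_scope_events(parse_kerio_log(SAMPLE_LOG)):
        print(f"{ev.when:%d/%b/%Y %H:%M:%S} {ev.rule}: {ev.direction} {ev.proto} "
              f"{ev.src_host}:{ev.src_port} -> {ev.dst_host}:{ev.dst_port} "
              f"is outside {RULE_SCOPE[ev.rule]} ({ev.owner})")
```

Run against the sample, only the two broadcast lines are reported: 255.255.255.255 is not inside 10.0.0.0/24, so a rule scoped to that range had no business matching them, while the constructed lines to and from 10.0.0.x are in scope and stay quiet. Pointing the same check at a real filter log is a quick way to tell a rule-ordering mistake from a rule that fires on traffic it should not see.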
herbalist
October 6th, 2007, 08:17 PM
I'm using a friends XP unit that uses Kerio. Here's the result of a test using a similar rule. I inserted this rule at the top of the ruleset.
[attachment 194043]
I then disabled the existing DHCP rules. Opened a command prompt and entered "Ipconfig /release", then entered ipconfig /renew. This was one of the alerts.
[attachment 194045]
These entries appeared in Kerio's log.
[attachment 194044]
The 10.x in this log is definitely the rule name, not the IP. Those alerts are standard DHCP broadcasts.
Rick

Escalader
October 6th, 2007, 10:29 PM
-{ Quote: "I'm using a friends XP unit that uses Kerio. Here's the result of a test using a similar rule. I inserted this rule at the top of the ruleset.
[attachment 194043]
I then disabled the existing DHCP rules. Opened a command prompt and entered "Ipconfig /release", then entered ipconfig /renew. This was one of the alerts.
[attachment 194045]
These entries appeared in Kerio's log.
[attachment 194044]
The 10.x in this log is definitely the rule name, not the IP. Those alerts are standard DHCP broadcasts.
Rick" }-


TY Herbalist:

When you have time tell me what I need to do to "fix", "correct" this alert? rule. What use is it to log standard broadcasts? What use is the deny rule this high up in the list? Did BZ error? More likely something I did in the rule set.

For now I'll leave my rules alone.

The only "new" things are the generic services keep regenerating attempts, I keep denying them and my list of denies of this group grows longer and longer.

herbalist
October 6th, 2007, 11:59 PM
Escalader, See PMs. I need info that doesn't need to be in an open post.
Rick

Once this is sorted out, we can address those generic services, figure out what each is for and block whatever isn't necessary. A few rules for services is normal but it shouldn't be a constantly growing list.

herbalist
October 7th, 2007, 12:21 AM
On the XP box I added that extra rule to, I went to the top of the ruleset to make sure that it was the first rule that was applied. I was working with an existing ruleset and didn't want to cause myself other problems. If I remember, you were using ruleset 29.2 when you first posted those logs? In that ruleset, the 10.x bypass rule was the first rule in the ruleset that covered TCP/UDP and wasn't specific about port numbers or applications. The rules above that were either for specific ports or single applications, not a general system rule.

BZs rulesets contain rules for several different types of setups. The user has to choose the ones that match what they use. On a network that uses DHCP throughout, DHCP broadcasts are normal. If the IPs on that same network are all static, those broadcasts are suspicious as DHCP shouldn't be in use. By logging the broadcasts, the log entries become a configuration tool that will contain the IPs for more specific rules that match your system.
Rick

Escalader
October 7th, 2007, 09:25 AM
-{ Quote: "Escalader, See PMs. I need info that doesn't need to be in an open post.
Rick

Once this is sorted out, we can address those generic services, figure out what each is for and block whatever isn't necessary. A few rules for services is normal but it shouldn't be a constantly growing list." }-

Thanks, Rick:

I have the PM's, will work on them today and probably tomorrow as time permits.

I shouldn't have said constantly growing! :o

I meant I started out with certain services disabled and zero services rules.

Now I have about 6 attempted services accesses, all of which had IPs, and I have blocked them all and consolidated those blocked rules into 4 using IP ranges to do it. Here is their whois information.

1st set is:

OrgName: Akamai Technologies ( my ISP MAY use these for email servers)
OrgID: AKAMAI
Address: 8 Cambridge Center
City: Cambridge
StateProv: MA
PostalCode: 02142
Country: US

NetRange: 72.246.0.0 - 72.247.255.255
CIDR: 72.246.0.0/15
NetName: AKAMAI-ARIN-1

2nd set is:

OrgName: WV FIBER LLC ( this one looks suspicious)
OrgID: WFL-9
Address: 315 Wilhagan road
City: Nashville
StateProv: TN
PostalCode: 37217
Country: US

NetRange: 66.216.0.0 - 66.216.63.255

3rd set is:

OrgName: Microsoft Corp ( no need for them to talk to me today!;D
OrgID: MSFT
Address: One Microsoft Way
City: Redmond
StateProv: WA
PostalCode: 98052
Country: US

NetRange: 207.46.0.0 - 207.46.255.255
CIDR: 207.46.0.0/16
NetName: MICROSOFT-GLOBAL-NET
NetHandle: NET-207-46-0-0-1
Parent: NET-207-0-0-0-0
NetType: Direct Assignment
NameServer: NS1.MSFT.NET
NameServer: NS5.MSFT.NET
NameServer: NS2.MSFT.NET
NameServer: NS3.MSFT.NET
NameServer: NS4.MSFT.NET

Escalader
October 7th, 2007, 09:42 AM
-{ Quote: ".....

BZs rulesets contain rules for several different types of setups. The user has to choose the ones that match what they use. By logging the broadcasts, the log entries become a configuration tool that will contain the IPs for more specific rules that match your system.
Rick" }-

Ah so! I have not made those BZ distinctions! That is an error on my part!

Needs fixing!

When you say -{ Quote: "On a network that uses DHCP throughout, DHCP broadcasts are normal. If the IPs on that same network are all static, those broadcasts are suspicious as DHCP shouldn't be in use" }-.


Do you mean my network from the dsl cable in or the ISP's huge network?

I think you mean my network but I've never been a network guy!:-[

Here is my set up:

wall>Dsl cable>ISP modem> Alphashield H/W FW> Linksys Ethernet Cable/DSL Router>PC#1 and PC#2 both sharing the ISP service through the router.

herbalist
October 7th, 2007, 10:30 AM
I was referring to your network, which is everything from the modem inward. It's quite possible that you have several NAT devices there. Many DSL/cable modems are combination units that use NAT and DHCP. Looking at the Alphashield page, they mention a 1 minute setup for non-tech users, which makes me believe that it's using DHCP as well. Not sure on the Linksys router.

It's entirely possible that you could have up to 3 layers of NAT in that network, all using DHCP to assign addresses. Could you PM the model number of the router, the version of Alphashield you're using (home or professional edition), and the make/model of your modem? It'll be tonite at the earliest before I can go thru this. I've got a big job outside that will take all the daylight hours for a few days. Need to get it done while the weather still permits.
Rick

Escalader
October 7th, 2007, 11:32 AM
-{ Quote: "I was referring to your network, which is everything from the modem inward. It's quite possible that you have several NAT devices there. Many DSL/cable modems are combination units that use NAT and DHCP. Looking at the Alphashield page, they mention a 1 minute setup for non-tech users, which makes me believe that it's using DHCP as well. Not sure on the Linksys router.

It's entirely possible that you could have up to 3 layers of NAT in that network, all using DHCP to assign addresses. Could you PM the model number of the router, the version of Alphashield you're using (home or professional edition), and the make/model of your modem? It'll be tonite at the earliest before I can go thru this. I've got a big job outside that will take all the daylight hours for a few days. Need to get it done while the weather still permits.
Rick" }-


Will do. The Alphashield product specs say the device does NOT

1) assign ip addresses
2) does not translate addresses

But does:

3) support the following Protocols, TCP/IP,FTP,UDP,HTTP,TFTP,IMAP,DNS,DHCP
4) INSPECTS Packets using RPA

Stem
October 7th, 2007, 12:49 PM
-{ Quote: "I'm using a friends XP unit that uses Kerio. Here's the result of a test using a similar rule. I inserted this rule at the top of the ruleset.
[attachment 194043]" }-This rule should only block outbound to IP range 10.0.0.0<->10.0.0.255, and block any inbound from that same IP range. Nothing more.
-{ Quote: "I then disabled the existing DHCP rules. Opened a command prompt and entered "Ipconfig /release", then entered ipconfig /renew. This was one of the alerts.
[attachment 194045]" }-A typical boot DHCP broadcast, which will be made to the Internet broadcast address.
-{ Quote: "These entries appeared in Kerio's log.
[attachment 194044]" }-An Internet outbound broadcast should not be blocked by that "10.*" rule. It is why I asked for the rule to be split, in case the logging was incorrect, and possibly blocking inbound broadcasts from the 10.0.0.0<->10.0.0.255 range.
-{ Quote: "The 10.x in this log is definitely the rule name, not the IP. Those alerts are standard DHCP broadcasts.
Rick" }-Internet broadcasts from the PC should not be blocked with such a rule. (the only outbound broadcast that should be blocked, would be to 10.0.0.255)

Stem
October 7th, 2007, 12:58 PM
-{ Quote: "It's entirely possible that you could have up to 3 layers of NAT in that network, all using DHCP to assign addresses. " }-It would not work like that. External DHCP broadcasts will not pass in through a router to the internal private network.

Escalader
October 7th, 2007, 01:39 PM
-{ Quote: "It would not work like that. External DHCP broadcasts will not pass in through a router to the internal private network." }-

Stem/Rick:

I sent under separate cover, my LAN set up. Apart from my AlphaShield, there are millions of setups identical to mine over here.

Stem, you have a different view than Rick, I did the split and the log shows a whole host of OUTBOUND attempts see attached jpg. ( whoops it was too large to upload) I cleared it and will have to wait a bit for it. I will post this without the log. Reboot return to thread and post the log.

What now?

I ran all real time AV's and on demand ASW scanners in safe mode nada, ThreatFire finds zip in real time>

Would there be any value in popping in a different FW for a bit to see if the same issue/symptom occurs?

Stem
October 7th, 2007, 01:50 PM
-{ Quote: "I did the split and the log shows a whole host of OUTBOUND attempts" }-It is looking more like a bug/problem with Kerio.

Escalader
October 7th, 2007, 01:59 PM
-{ Quote: "It is looking more like a bug/problem with Kerio." }-

I have downloaded a last old version of Kerio 4.2, it seems to have a HIPS in it?

What do you think?

Should we fight this bug that will never be fixed, or move on with rules in hand?

I just looked at the log status it remains empty! This log entry shows at boot up time!

herbalist
October 7th, 2007, 02:00 PM
-{ Quote: "This rule should only block outbound to IP range 10.0.0.0<->10.0.0.255, and block any inbound from that same IP range. Nothing more." }-
and
-{ Quote: "Internet broadcasts from the PC should not be blocked with such a rule. (the only outbound broadcast that should be blocked, would be to 10.0.0.255)" }-
Agreed, it shouldn't have blocked it. When I added that rule to my friend's ruleset, that 10.x rule did block outbound DHCP broadcasts. I cleared the log before starting and double checked the other rules to make sure I hadn't missed anything. Their cable modem translates IPs to the 192.168.x range, so nothing there has an IP beginning with "10". When I get back over there, I'm going to load Escalader's ruleset(s) into my friend's XP box and try a few more ideas. To start with, I want to disable all of the 10.x rules, then release/renew again and see what turns up in the logs. If this is a bug in how Kerio handles broadcasts, I'd expect to see the same type of log entry, except they would be for the "LAN Subnet Bypass 192.168.x" rule, with the rest of the log data staying the same. The one other thing I want to rule out is that 10.xx.xx isn't an IP being used by any of Escalader's other hardware. At the moment, I'm inclined to believe that there is a bug in how Kerio handles broadcast traffic.
Rick

herbalist
October 7th, 2007, 02:17 PM
Stem,
Is this a bug that's been undocumented until now? As popular as this firewall has been, that would be amazing. As soon as I can, I'll try to check this thoroughly on my friend's XP box. They trust me to experiment on their PC. ;) I'll also set up a test configuration here with Smoothwall and set it to use DHCP

Escalader,
Hold off changing to the new version. If this is a bug, it doesn't necessarily mean that you're vulnerable. At the moment, it appears that Kerio is applying a rule when it shouldn't be. In this instance, it's blocking traffic with a rule that shouldn't apply. If this were an "allow" rule, the situation might be different. This will take some time to work thru and determine the extent of the problem, if it really is a bug. At the moment, I'd move your DHCP rules above all the LAN subnet and range rules, since they're the ones that should be handling this traffic anyway.
Rick

Stem
October 7th, 2007, 02:18 PM
-{ Quote: "The one other thing I want to rule out is that 10.xx.xx isn't an IP being used by any of Escalader's other hardware." }-I cannot see this in "Escalader's" setup:- PC->router->Alpha shield->Modem. The only IP range that should be seen from the PC is that from the router private LAN (192.168.1.1/24)

-{ Quote: " At the moment, I'm inclined to believe that there is a bug in how Kerio handles broadcast traffic. " }-I will have another look on VM,... but do think this myself.

Escalader
October 7th, 2007, 02:26 PM
-{ Quote: "Stem,
Is this a bug that's been undocumented until now? As popular as this firewall has been, that would be amazing. As soon as I can, I'll try to check this thoroughly on my friends XP box. They trust me to experiment on their PC. ;) I'll also set up a test configuration here with Smoothwall and set it to use DHCP

Escalader,
Hold off changing to the new version. If this is a bug, it doesn't necessarily mean that you're vulnerable. At the moment, it appears that Kerio is applying a rule when it shouldn't be. In this instance, it's blocking traffic with a rule that shouldn't apply. If this were an "allow" rule, the situation might be different. This will take some time to work thru and determine the extent of the problem, if it really is a bug. At the moment, I'd move your DHCP rules above all the LAN subnet and range rules, since they're the ones that should be handling this traffic anyway.
Rick" }-


I will hold, as I see zero threat at the moment just possible bug. I will shift my DHCP rules up as you suggest. I want to optimize my rules delete any that are BZ's that aren't relevant so I will have MY rules. Those have value to me no matter what FW we test !


I just powered off and on and have attached a thin log now for you guys to enjoy! It occurs during boot time, as if I clear the log, and run all day no entries occur! I removed the log as it had my ip in error, I need to slow down.

This thread shows much more it seems that my usual slow learning!

If this is a bug do we all get an award!;D

herbalist
October 7th, 2007, 02:30 PM
After you shift those rules, reboot and see if that stops more log entries from appearing.
Rick

Escalader
October 7th, 2007, 02:34 PM
-{ Quote: "After you shift those rules, reboot and see if that stops more log entries from appearing.
Rick" }-

Okay, rules shifted, rebooting now.

Escalader
October 7th, 2007, 02:49 PM
-{ Quote: "After you shift those rules, reboot and see if that stops more log entries from appearing.
Rick" }-

Wow, rules shifted, so they take priority, log 10.x logs gone. Bug still present because no one was as sloppy as me to have the rules in that order! IMHO.

See attached log!

Got to go now, it's "turkey day here!"

Please no bird jokes!

Stem
October 7th, 2007, 03:15 PM
-{ Quote: "See attached log!" }-That looks like blocked DNS replies.

-{ Quote: "Got to go now, it's "turkey day here!"" }-Send me a sandwich.


OK, I have now recreated this problem with blocked->10.*. This was on a VM LAN which defaults to 10.1.1.1(gateway) LAN 10.1.1.0/255.255.255.0, so such blocking from the rule mentioned should not take place.
I am now seeing problems with any DHCP on this VM LAN. which would indicate possible conflicts.

I will need to play for a while, possibly change the VM in use.

herbalist
October 7th, 2007, 03:29 PM
Those are different. Port 53.
It'll be tonite at the earliest before I can investigate this further. I have a big outdoor job that has to take priority, and nice days at this time of year are scarce around here.
Rick

Escalader
October 7th, 2007, 03:40 PM
-{ Quote: "That looks like blocked DNS replies.

Send me a sandwich.


OK, I have now recreated this problem with blocked->10.*. This was on a VM LAN which defaults to 10.1.1.1(gateway) LAN 10.1.1.0/255.255.255.0, so such blocking from the rule mentioned should not take place.
I am now seeing problems with any DHCP on this VM LAN. which would indicate possible conflicts.

I will need to play for a while, possibly change the VM in use." }-

Does the theory that the buggy rule in my case is now never reached because Rick had me elevate the DHCP rules ring true or false?

Stem
October 7th, 2007, 04:11 PM
-{ Quote: "Does the theory that the buggy rule in my case is now never reached because Rick had me elevate the DHCP rules ring true or false?" }-The blocking rule will not now be used, as the default "DHCP" rule will allow "from any"-> "to any".

From the facts (for the blocked 10.*):

1/ It is confirmed that this is an outbound event being blocked.
2/ The outbound is to Internet broadcast (255.255.255.255)
3/ The rule in place should only block outbound to 10.0.0.0<->10.0.0.255

This for me is a bug (possibly a conflict with network drivers)
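
Stem's three facts can be checked with a few lines of arithmetic, and the effect of Rick's rule shuffle can be modelled the same way. What follows is an added example, not Kerio code and not from anyone in the thread: a top-down, first-match rule evaluator with correct network/mask and IP-range matching, run against the outbound DHCP broadcast from the log. The rule names, the assumed shape of the default DHCP rule (any remote address, UDP 68 <-> 67) and the packets are assumptions made for the illustration.

```python
"""Added example, not Kerio code: a top-down, first-match rule evaluator with
correct network/mask and IP-range matching, run against the outbound DHCP
broadcast from the thread. The rule names, the shape of the default DHCP rule
and the packets are assumptions made for the illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple, Union

IPv4 = ipaddress.IPv4Address
# Remote side of a rule: None = any address, a network/mask, or a (first, last) range
Remote = Union[None, ipaddress.IPv4Network, Tuple[str, str]]


@dataclass
class Rule:
    name: str
    action: str                    # "permit" or "deny"
    direction: str                 # "out", "in" or "both"
    remote: Remote
    remote_port: Optional[int] = None   # None = any port
    local_port: Optional[int] = None
    protocol: str = "udp"


def mask_match(addr: str, network: str, mask: str) -> bool:
    """What a network/mask rule must compute: (addr AND mask) == (network AND mask)."""
    a, n, m = (int(IPv4(x)) for x in (addr, network, mask))
    return (a & m) == (n & m)


def remote_matches(rule: Rule, addr: str) -> bool:
    if rule.remote is None:
        return True
    if isinstance(rule.remote, ipaddress.IPv4Network):
        net = rule.remote
        return mask_match(addr, str(net.network_address), str(net.netmask))
    first, last = rule.remote              # inclusive IP range
    return IPv4(first) <= IPv4(addr) <= IPv4(last)


def evaluate(rules, pkt):
    """First matching rule wins. Returns (action, rule_name, rules_consulted);
    action is None when no rule matched (a "deny unknown" default would apply)."""
    consulted = 0
    for r in rules:
        consulted += 1
        if r.direction not in ("both", pkt["direction"]) or r.protocol != pkt["protocol"]:
            continue
        if not remote_matches(r, pkt["remote"]):
            continue
        if r.remote_port not in (None, pkt["remote_port"]):
            continue
        if r.local_port not in (None, pkt["local_port"]):
            continue
        return r.action, r.name, consulted
    return None, None, consulted


# The rule under discussion: deny outbound to 10.0.0.0 with mask 255.255.255.0
BLOCK_10 = Rule("LAN Subnet Bypass 10.x (block)", "deny", "out",
                ipaddress.IPv4Network("10.0.0.0/255.255.255.0"))
# The same intent written as an IP range, the form Rick found does not interfere
BLOCK_10_RANGE = Rule("LAN Subnet Bypass 10.x (range)", "deny", "out",
                      ("10.0.0.0", "10.0.0.255"))
# Assumed shape of the default DHCP rule: any remote address, UDP 68 <-> 67, both ways
DHCP = Rule("DHCP", "permit", "both", None, remote_port=67, local_port=68)

# Constructed packets: the outbound DHCP broadcast seen in the log, and a
# DHCP packet to a 10.0.0.x host that the block rule is meant to catch
DHCP_BROADCAST = {"direction": "out", "protocol": "udp",
                  "remote": "255.255.255.255", "remote_port": 67, "local_port": 68}
DHCP_TO_10 = {"direction": "out", "protocol": "udp",
              "remote": "10.0.0.7", "remote_port": 67, "local_port": 68}

if __name__ == "__main__":
    # Fact 3 from the thread: 255.255.255.255 is not inside 10.0.0.0/255.255.255.0
    print(mask_match("255.255.255.255", "10.0.0.0", "255.255.255.0"))   # False
    print(remote_matches(BLOCK_10_RANGE, "255.255.255.255"))           # False
    # With correct masking the order does not matter for this packet...
    print(evaluate([BLOCK_10, DHCP], DHCP_BROADCAST))   # ('permit', 'DHCP', 2)
    # ...and with DHCP on top the block rule is never even consulted
    print(evaluate([DHCP, BLOCK_10], DHCP_BROADCAST))   # ('permit', 'DHCP', 1)
    # Caveat: DHCP on top also lets DHCP traffic to 10.0.0.x past the block rule
    print(evaluate([BLOCK_10, DHCP], DHCP_TO_10))       # ('deny', 'LAN Subnet Bypass 10.x (block)', 1)
    print(evaluate([DHCP, BLOCK_10], DHCP_TO_10))       # ('permit', 'DHCP', 1)
```

Two things the model makes visible: a correctly masked 10.0.0.0/255.255.255.0 rule never matches 255.255.255.255, so any block logged against that rule is the firewall's matcher misbehaving, not the rule; and moving the DHCP rule above it only hides the symptom, because the first-match walk stops before the suspect rule is consulted, at the price of also letting DHCP packets to 10.0.0.x past a rule that was meant to deny them.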

Escalader
October 7th, 2007, 08:10 PM
-{ Quote: "The blocking rule will not now be used, as the default "DHCP" rule will allow "from any"-> "to any".

From the facts (for the blocked 10.*):

1/ It is confirmed that this is an outbound event being blocked.
2/ The outbound is to Internet broadcast (255.255.255.255)
3/ The rule in place should only block outbound to 10.0.0.0<->10.0.0.255

This for me is a bug (possibly a conflict with network drivers)" }-

Thank you. This is a better outcome than a trojan.

My DHCP rule is more restrictive, I thought! Attached as jpg. It is not any to any, is it? Or does 255.255. etc. mean any to any... I think I'm wearing down today...

Network drivers? This software is old and no longer maintained, so who is off, them or us... pardon my terms.

Jarmo P
October 8th, 2007, 12:29 PM
There is something wrong with how kerio 2.1.5 handles IP/mask thing.
I noticed it first myself with this old thread, but I was not the first one to find it:
http://www.dslreports.com/forum/remark,16592654

I have no router protecting my machine with my cable modem connection. The rules it happens with are in the 3rd post, and the loggings it should not make are the green allowed outgoing ones to 255.255.255.255 in the 4th post. This itself is needed perhaps for DHCP broadcast, but there were no rules allowing it, yet that loopback rule with the mask allowed it anyway. After this I quit using that mask with my loopback rules.

Currently I have no "global" loopback rule.

I have not followed this thread very closely, but what I get, if I can understand your ramblings, is that here is also a question of IP/mask and remote address 255.255.255.255.

Stem
October 9th, 2007, 05:25 PM
Hi Jarmo P,
-{ Quote: "There is something wrong with how kerio 2.1.5 handles IP/mask thing." }-Due to your post, I do remember this, but I am not sure if I remember your first report (on the link posted), or possibly another post you (or others) have made.

I have seen problems before due to masking of IPs; the latest was with "Online Armor", as the early betas of this did mask in reverse (a mask of 255.255.255.0 would actually mask as 0.255.255.255). (Note: the error with OA was actually with input of CIDR, which was the default input, and was rectified in the next release after my report of this problem.)

I will try to find some time to check on this, to see if this is the problem with Kerio2 (with the block of 10.*), but I would have expected anyone putting forward such a rule (within a ruleset) to have checked on such a possible problem.

herbalist
October 10th, 2007, 06:55 AM
-{ Quote: "I would have expected anyone putting forward such a rule (within a ruleset) to have checked on such a possible problem." }-
This is a fine example of why it's better to start from scratch with your own rules and not use someone else's. In this instance, the LAN Subnet Bypass 10.x rule doesn't apply to Escalader's system/network whatsoever and would not exist at all if his ruleset wasn't based on someone else's, but causes problems with normal system functions. In the amount of time it's taking to learn and modify the premade ruleset, a user could have made their own.

I also have a lot more testing to do on this issue. So far, I've duplicated the problem with a 98SE testbox using DHCP to get its IP from Smoothwall. So far, the problem is limited to network/mask rules. When I converted that rule to an IP range, it didn't interfere.

Escalader,
There's nothing in your home network that's going to require network/mask rules to control properly. I suggest that you delete or at least disable any network/mask rules that don't directly apply to your system. Convert those that do apply to single IP or IP range format. I'd also suggest that you consider starting a new ruleset from a clean slate.
Rick

Escalader
October 10th, 2007, 10:02 AM
Hello Thread posters and lurkers and readers!

-{ Quote: "This is a fine example of why it's better to start from scratch with your own rules and not use someone else's. In this instance, the LAN Subnet Bypass 10.x rule doesn't apply to Escalader's system/network whatsoever and would not exist at all if his ruleset wasn't based on someone else's, but causes problems with normal system functions. In the amount of time it's taking to learn and modify the premade ruleset, a user could have made their own." }-

Hi Rick, a way back when this post was made, I proceeded with the advanced BZ's as a base, since the way I learn best is from a model. It has taken 2 months, but the goal was not just to get a rule set for me, but for others to learn with us. The error I made was not adapting the configuration generics first! At the beginning I could not have made one single rule, never having seen one before. Now, yes, I can write rules with ease (well, relative ease). I have often said I'm a slow learner; now I've proved it!

http://www.wilderssecurity.com/showpost.php?p=1077550&postcount=50

-{ Quote: "I also have a lot more testing to do on this issue. So far, I've duplicated the problem with a 98SE testbox using DHCP to get its IP from Smoothwall. So far, the problem is limited to network/mask rules. When I converted that rule to an IP range, it didn't interfere. " }-

Isn't it a good thing that this problem has been exposed, in spite of the delay in my rule building? Take your time on the testing, the problem has been there a while and can wait a bit, IMHO;D

-{ Quote: "Escalader,
There's nothing in your home network that's going to require network/mask rules to control properly. I suggest that you delete or at least disable any network/mask rules that don't directly apply to your system. Convert those that do apply to single IP or IP range format. I'd also suggest that you consider starting a new ruleset from a clean slate." }-

Okay, Rick for now I'll find them and disable them.


Escalader
October 10th, 2007, 07:22 PM
Stem/Rick:

I have had all my network/mask rules disabled for a few hours now.

This is the only log entry I have now.

Is this a different item? or one I missed?

herbalist
October 11th, 2007, 01:36 AM
Stem can probably define this IP better but here goes.
When 0.0.0.0 is a local address, it's your default network. Not the components that make up your LAN, which have their own IP(s). This IP is internal to your computer.
When 0.0.0.0 is used for a remote address, it refers to an unknown address. See http://www.howstuffworks.com/question549.htm

That log entry is also DHCP traffic. The port numbers show that, assuming yours is a clean system.
I took these screenshots from the test box I'm using for this. These might give you a better idea of the traffic involved in DHCP. Here's the Ipconfig data being used. I used a lease time of 2 minutes so there'd be no need to manually release/renew.
I allowed all outbound DHCP traffic but blocked all inbound in order to get Windows to use broadcast when it didn't get a response to a direct DHCP request. Both permitted and blocked traffic are logged, as are the resulting ICMP connection attempts (router solicitation). This was done using 98SE so there are some differences, the process name for one, and the addition of (null) in the log entries.
The IP address, 192.168.1.10, used in both the DNS and DHCP rules is the LAN side or gateway IP of Smoothwall for this test setup. The IP address and both the local and remote ports were specified using the "Customize Rule" interface for each prompt.
After 4 attempts to connect to Smoothwalls IP (responses were blocked), Windows made DHCP broadcasts, (responses also blocked). The traffic originating at 0.0.0.0:68 did not appear until after 5 DHCP broadcasts. These do not originate at the router or hardware firewall but from Windows itself. I verified this by unplugging the ethernet cable from the PC and repeating the test with no other hardware hooked up.

When all outbound DHCP connection attempts failed to get a response, Windows tried to locate routers using ICMP type 10 (router solicitation). The IP 224.0.0.2 is used for this purpose, referred to as multicast, explained better here (http://en.wikipedia.org/wiki/IP_Multicast). The ICMP packets originating at 169.254.xxx.xxx are also originating from within your PC. The last 2 number groups vary. They're assigned by Windows itself when it can't get a real IP via DHCP. Also called Link-local addresses. More info here (http://en.wikipedia.org/wiki/Private_network).

Hopefully this will help explain some of the DHCP related entries in your logs and how the rules interact. The best way to deal with this issue is to assign a static IP to both PCs and not use DHCP at all. It's very straight-forward once you do it a couple of times.
Rick

Stem
October 11th, 2007, 07:34 AM
-{ Quote: "This is the only log entry I have now.

Is this a different item? or one I missed?" }-Basically, this will be another PC on LAN making DHCP boot. (the blocked packet is inbound).

A DHCP_boot packet:-


Escalader
October 11th, 2007, 08:33 AM
-{ Quote: ".............The best way to deal with this issue is to assign a static IP to both PCs and not use DHCP at all. It's very straight-forward once you do it a couple of times.
Rick" }-

Rick:

Thanks, when you say assign a static IP to both PCs you must mean on the LAN side, not the ISP/WWW side, since those rotate and are beyond my control.

Where do I read up on how to assign a static IP, or is that done at configuration time?

Is the attached jpg setup right? I've seen MS Networking allow MS Net Trusted:

192.168.1.0/255.255.255.0

With this in place, what happens to the disabled mask rules? Or is it even related?

herbalist
October 11th, 2007, 08:22 PM
I've never used the Microsoft Networking options. It's mainly for file and printer sharing. Unless you actually need it, I'd leave it disabled.
-{ Quote: "Thanks, when you say assign a static ip to both PC's you must mean on the Lan side not the ISP/WWW side since those rotate and are beyond my control.
Where do I read up on how to assign a static ip or is that during configuration time ? " }-
Yes, I was referring to your LAN. With just 2 PCs, you don't need dynamically assigned IPs. To use static IPs, you need to configure both PCs and the LAN side of your router. The manual for your router has the info you need. If you don't have a copy, it's available here (http://www.linksys.com/servlet/Satellite?blobcol=urldata&blobheadername1=Content-Type&blobheadername2=Content-Disposition&blobheadervalue1=application%2Fpdf&blobheadervalue2=inline%3B+filename%3DBEFSR41_V4-UG-Rev_A.pdf&blobkey=id&blobtable=MungoBlobs&blobwhere=1130877019712&ssbinary=true&lid=) as a PDF. The info you need starts on page 18, accessing the router configuration with your browser, and continues on 22 and 23, network setup. Your router is configured to use DHCP by default so you'll need to disable it. It's up to you what IPs you want to use and doesn't make that much difference what you choose, as long as you use IPs that are in the private IP ranges (http://en.wikipedia.org/wiki/Private_network). These include:
10.0.0.0 – 10.255.255.255
172.16.0.0 – 172.31.255.255
192.168.0.0 – 192.168.255.255
The default local IP for your router is 192.168.1.1, with a subnet mask of 255.255.255.0. If you use these settings, the IPs available for your PCs are 192.168.1.2 thru 192.168.1.254, more than enough for a home network. 255 is reserved for broadcast. Only the last octet or 3 digits change when used with a subnet of 255.255.255.0. The first 3 octets have to be the same for all IPs on a network with this subnet mask. If the subnet mask was 255.255.0.0 instead of 255.255.255.0, the last 2 octets of the IPs could change. This would make all the IPs from 192.168.1.1 thru 192.168.255.255 available, a much larger network than you'd need.

Write down the local IP you select for your router. You'll need it when you configure your PCs. To set static IPs with WinXP, refer to these images.
For your network adapter, select "Internet Protocol TCP/IP", then "properties". This will bring you to the image on the right. Select "Use the following IP address". Enter the router IP you wrote down in the "default gateway". Use the same subnet mask that you used in the router settings. Then choose an IP address that works with the default gateway IP and the subnet mask. If you used the default settings, 192.168.1.1 for the default gateway and 255.255.255.0 for the subnet, the IPs of the PCs can be anything from 192.168.1.2 thru 192.168.1.254. Use a different IP for each PC. Then enter the IP(s) of your DNS servers. Then click "OK". Reboot if prompted.
Rick
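
The subnet arithmetic in Rick's static-IP walkthrough above, and the special addresses from his earlier DHCP test post (0.0.0.0, 255.255.255.255, 169.254.x.x, 224.0.0.2), can both be checked mechanically. The following is an added example, not from the thread or from any poster: it computes the network and usable host range for a gateway/mask pair, flags a proposed static address that would not work on that LAN, and names the role of each address that shows up in a DHCP-era log entry. The 192.168.1.1 / 255.255.255.0 values are the router defaults the post mentions; every other address, and the DHCP port 4-tuple labelling, is constructed for the illustration.

```python
"""Added example, not from the thread: the subnet arithmetic behind picking a
static LAN address, and a classifier for the special addresses that appear in
DHCP-related firewall log entries. The 192.168.1.1 / 255.255.255.0 defaults are
the router values the thread mentions; all other addresses are constructed."""
import ipaddress

# The private ranges listed in the post (RFC 1918)
PRIVATE = [ipaddress.IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def lan(gateway: str, mask: str) -> ipaddress.IPv4Network:
    """Network the gateway sits on: 192.168.1.1 + 255.255.255.0 -> 192.168.1.0/24."""
    return ipaddress.IPv4Interface(f"{gateway}/{mask}").network


def usable_range(gateway: str, mask: str):
    """(first host, last host, count): everything except the network address
    and the broadcast address. The gateway itself is one of these hosts."""
    net = lan(gateway, mask)
    return (str(net.network_address + 1), str(net.broadcast_address - 1),
            net.num_addresses - 2)


def check_static_ip(candidate: str, gateway: str, mask: str) -> list:
    """Problems with a proposed static address; an empty list means it is usable."""
    ip = ipaddress.IPv4Address(candidate)
    net = lan(gateway, mask)
    problems = []
    if not any(ip in p for p in PRIVATE):
        problems.append("not in a private range")
    if ip not in net:
        problems.append(f"not on the gateway's network {net}")
    elif ip == net.network_address:
        problems.append("is the network address")
    elif ip == net.broadcast_address:
        problems.append("is the broadcast address")
    if ip == ipaddress.IPv4Address(gateway):
        problems.append("collides with the router")
    return problems


def classify(addr: str) -> str:
    """Role of an address as it shows up in a DHCP-era log entry."""
    ip = ipaddress.IPv4Address(addr)
    if ip == ipaddress.IPv4Address("0.0.0.0"):
        return "unspecified: a host that has no address yet (DHCP client source)"
    if ip == ipaddress.IPv4Address("255.255.255.255"):
        return "limited broadcast: DHCP discover/request destination"
    if ip.is_link_local:
        return "link-local (APIPA 169.254/16): self-assigned after DHCP failed"
    if ip.is_multicast:
        suffix = " (all-routers group, ICMP router solicitation)" if addr == "224.0.0.2" else ""
        return "multicast" + suffix
    if ip.is_loopback:
        return "loopback"
    if ip.is_private:
        return "private LAN address"
    return "public address"


def describe_dhcp_packet(src: str, sport: int, dst: str, dport: int) -> str:
    """Label a UDP 4-tuple the way the DHCP exchange in the test post unfolds."""
    if (sport, dport) == (68, 67):
        if src == "0.0.0.0":
            return "client DHCP broadcast (no lease yet)"
        if dst == "255.255.255.255":
            return "client DHCP broadcast (lease held, server not answering unicast)"
        return "client DHCP unicast to server (renew)"
    if (sport, dport) == (67, 68):
        return "DHCP server reply"
    return "not DHCP"


if __name__ == "__main__":
    print(lan("192.168.1.1", "255.255.255.0"))                 # 192.168.1.0/24
    print(usable_range("192.168.1.1", "255.255.255.0"))        # ('192.168.1.1', '192.168.1.254', 254)
    print(usable_range("192.168.1.1", "255.255.0.0"))          # ('192.168.0.1', '192.168.255.254', 65534)
    print(check_static_ip("192.168.1.10", "192.168.1.1", "255.255.255.0"))   # []
    print(check_static_ip("192.168.2.10", "192.168.1.1", "255.255.255.0"))   # wrong subnet
    for a in ("0.0.0.0", "255.255.255.255", "169.254.10.20", "224.0.0.2", "192.168.1.10"):
        print(a, "->", classify(a))
    print(describe_dhcp_packet("192.168.1.20", 68, "192.168.1.10", 67))
    print(describe_dhcp_packet("0.0.0.0", 68, "255.255.255.255", 67))
```

The check is worth running before committing a static address: a candidate outside the gateway's network, or equal to the network or broadcast address, silently produces a PC that cannot reach the router, which looks in the firewall log exactly like the DHCP failures discussed above (broadcasts from 0.0.0.0, then a 169.254.x.x self-assigned address and router solicitations to 224.0.0.2).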

Jarmo P
October 12th, 2007, 01:03 PM
Dear Escalader, about the so called teaching threads. They change to more like teaching you only, if I may say so?
That said, you brought out something with your questions and the paranoia you have that others would have just dismissed. That is good.
Kerio 2's mask handling. You learned after all.

Still I say something. Without the rules you use with Kerio 2.1.5 being shown, this thread is pretty much useless for anyone wanting to learn how to write their own rules. BlitzenZeus did a great service with his rules that are suggested as replacements for the default ones. Your rules have not been seen; even as a student you are not able to show them to get some criticism from readers who are still reading this! So where is your contribution to the learning thread? Mistakes and all revealed? I just have to ask.

I just want to say about teaching, this thread has almost none, sorry Rick et al., you did the best you could. But this thread has gone astray; it is something no newbie can learn anything from.
Jarmo

herbalist
October 12th, 2007, 06:31 PM
It would help the thread if the rules were visible. A big part of optimizing firewall rules is matching them to your internet service. As long as the sensitive or personal info, (such as your real IP, the IP of your e-mail, etc) is obscured, I don't see a problem.
Rick