can someone check my rules please
iceni60
October 1st, 2004, 07:30 AM
I was looking at my rules, and I noticed a few things that should have been checked weren't. Is there any way I can show my Kerio 2.1.5 rules to a firewall expert? How do I do it? Thanks :)
no13
October 1st, 2004, 09:29 AM
I'm no expert, but you can go to the
http://forums.kerio.com
http://www.broadbandreports.com
Both have nice forums (Our own BlitzenZeus is very active in Broadband Reports)
Infinity
October 1st, 2004, 10:42 AM
There are quite a few experts here, and I am sure that if you want to keep your setup private, you can send a PM to BlitzenZeus or Gkweb.
iceni60
October 1st, 2004, 12:56 PM
Thanks, no13 and INFINITY. I think I've got the rules under control now; however, I still may get someone to have a look at them :)
Thanks.
CrazyM
October 1st, 2004, 02:47 PM
-{ Quote: "I was looking at my rules, and I noticed a few things that should have been checked weren't. Is there any way I can show my Kerio 2.1.5 rules to a firewall expert? How do I do it? Thanks :)" }-
If you take a screenshot of your rule set and post it here we could then provide you some suggestions. Depending on the number of rules, it may require a couple of screenshots. Also edit out any IPs you may not want posted publicly.
Regards,
CrazyM
iceni60
October 1st, 2004, 04:25 PM
This is pretty much how they all are, with Proxomitron at the top with TCP out, any port, any address, then a block rule for Proxomitron UDP/TCP. I'll take a screenshot of Proxo's rules. These are the last rules; I'm never too sure about the block rules.
iceni60
October 1st, 2004, 04:29 PM
Here's Proxomitron and browsers. Does it matter that I don't have any remote addresses for any of the rules?
iceni60
October 1st, 2004, 04:37 PM
Here is the stuff I was more worried I might have changed by mistake.
iceni60
October 1st, 2004, 04:40 PM
I'm on a standalone XP Home. That's pretty much all of them; I'm sure you can see some kind of similarity between most of them :D
CrazyM
October 1st, 2004, 04:40 PM
-{ Quote: "This is pretty much how they all are, with Proxomitron at the top with TCP out, any port, any address, then a block rule for Proxomitron UDP/TCP. I'll take a screenshot of Proxo's rules." }-
While allowing proxo out to any port will work, you could consider refining that to only required remote services. When using proxo the configuration of your loopback rules is also important.
-{ Quote: "These are the last rules; I'm never too sure about the block rules." }-
They look fine right now, but as the rules are processed top to bottom it helps to see the entire configuration in order to make sure everything works as intended.
Does the highlighted rule for java require outbound to any port?
Regards,
CrazyM
CrazyM
October 1st, 2004, 04:50 PM
-{ Quote: "Here is the stuff I was more worried I might have changed by mistake." }-
Are you using the custom IP blocking to block a list of IPs entered there?
You could also modify your unrestricted DNS rules and restrict them to your ISP's DNS servers. The custom address is a convenient way to do this, hence the above question. If you are already using custom addresses for blocking, you will need individual rules for your DNS servers.
Regards,
CrazyM
TheSnowGuy
October 1st, 2004, 04:56 PM
*** Only a BRIEF COMMENT***
ICE
I am not able to "see" your posted rules without disabling some of my own security........so will only comment on a couple of things.
Your first TWO (2) rules should be
1) block persfw udp/tcp (both)
2) pfwadmin udp/tcp (both) (block)
*****Ice protect your firewall first and foremost***
As for Proxo.....it can go below several of your other rules which may be more important........assign port 8080 to proxo...outbound. (It's assumed that you are not using other proxies with proxo...so I won't mention how that would be set up.)
TheSnowGuy
October 1st, 2004, 05:00 PM
CM
We posted near the same time......am sure you have this covered so off I go to the land of OZ........seeya
CrazyM
October 1st, 2004, 05:16 PM
Another option for your DNS rules.
Your current rules allow for UDP only, which will normally suffice. There will be the odd occasion your system (or some apps/specific types of DNS queries) will use TCP outbound. To allow for this you would use separate DNS rules for inbound and outbound and, as noted above, restrict them to your ISP's servers.
Regards,
CrazyM
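The points made in this thread about rule order (rules are processed top to bottom, first match wins), restricting DNS to the ISP's servers with separate UDP and TCP rules, and putting the persfw/pfwadmin block rules first, as an added example that is not from the thread or from Kerio: a small first-match evaluator over a constructed Kerio-style ruleset. The application names, the RFC 5737 resolver addresses and the default-deny fallback are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Rule:
    name: str
    app: str                    # executable name, "*" for any application
    proto: str                  # "udp", "tcp" or "udp/tcp"
    direction: str              # "in", "out" or "both"
    remote_net: str             # CIDR; "0.0.0.0/0" means any remote address
    remote_port: Optional[int]  # None means any remote port
    action: str                 # "permit" or "deny"

    def matches(self, app, proto, direction, remote_ip, remote_port):
        return (self.app in ("*", app)
                and proto in self.proto.split("/")
                and self.direction in ("both", direction)
                and ip_address(remote_ip) in ip_network(self.remote_net)
                and self.remote_port in (None, remote_port))

def evaluate(rules, app, proto, direction, remote_ip, remote_port):
    """Walk the list top to bottom; the first matching rule decides.
    A packet matching nothing is denied (the default assumed for this example)."""
    for r in rules:
        if r.matches(app, proto, direction, remote_ip, remote_port):
            return r.action, r.name
    return "deny", "no rule matched"

# Constructed ruleset; the ISP resolver addresses are placeholders (RFC 5737 space).
ISP_DNS = ["192.0.2.53/32", "192.0.2.54/32"]
ANY = "0.0.0.0/0"
RESTRICTED = [
    Rule("block persfw", "persfw.exe", "udp/tcp", "both", ANY, None, "deny"),
    Rule("block pfwadmin", "pfwadmin.exe", "udp/tcp", "both", ANY, None, "deny"),
    *[Rule(f"DNS UDP out {n}", "*", "udp", "out", n, 53, "permit") for n in ISP_DNS],
    *[Rule(f"DNS TCP out {n}", "*", "tcp", "out", n, 53, "permit") for n in ISP_DNS],
    Rule("proxomitron out", "proxomitron.exe", "tcp", "out", ANY, None, "permit"),
]
# The same blocks, but placed below a general catch-all rule and with unrestricted DNS:
# the catch-all matches first, so the block rules and the DNS restriction never apply.
LOOSE = [
    Rule("general permit", "*", "udp/tcp", "both", ANY, None, "permit"),
] + RESTRICTED[:2] + [Rule("DNS UDP out any", "*", "udp", "out", ANY, 53, "permit")]

if __name__ == "__main__":
    for name, rs in (("restricted", RESTRICTED), ("loose", LOOSE)):
        print(name, evaluate(rs, "svchost.exe", "udp", "out", "203.0.113.9", 53))
        print(name, evaluate(rs, "persfw.exe", "tcp", "in", "203.0.113.9", 44334))
```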
BlitzenZeus
October 1st, 2004, 06:51 PM
You're using the advanced ruleset... Do you remember what I said about those who should use the advanced ruleset??
You're showing the ruleset out of order, and even leaving some rules out of these screenshots. Make the window bigger next time, but don't repost your entire ruleset again. Go back, and completely re-read the page where you got this ruleset please, as you didn't disable or restrict DHCP!! You very likely didn't bother yourself to read the instructions to restrict your DNS either....
CrazyM, they used my default ruleset replacement; to see how the DNS rules are supposed to work, see the thread linked in the forum sticky. However, that doesn't guarantee they actually restricted the DNS to their DNS servers...
no13
October 2nd, 2004, 07:26 AM
If you want a no-trouble config ruleset (no intervention), http://www.geocities.com/yosponge is a good option.
Infinity
October 2nd, 2004, 08:22 AM
I have it too from sponge and it works flawlessly. It looks like a lot, but no problem on resources whatsoever.
cheers
no13
October 2nd, 2004, 12:21 PM
A piece of advice, though...
Take the blocked IPs <they're to block adservers> and add them to Protowall, Proxomitron or Peerguardian (or any other such product)... this increases your net connection throughput (Kerio takes longer to examine packets against IPs than these products, and they put hardly any load on the system).
Note: Unblock "Microsoft x" rules (x=1,2,4) as they are needed to surf MSN sites.
>.< I thought you'd have posted at "The Official Kerio Thread"...
<just kidding>
BlitzenZeus
October 2nd, 2004, 02:45 PM
-{ Quote: "If you want a no-trouble config ruleset (no intervention)" }-
That is not how you're supposed to use Kerio; you are supposed to learn how to configure it correctly, not leave gaping holes with general rules, which my instructions tell you how to fix if people would just bother themselves to read them. Also, all those rules blocking IP addresses are wasteful in those rulesets...
TheSnowGuy
October 2nd, 2004, 10:49 PM
Blitzen
Would you be so kind as to post a link to your rule set so as I can compare it to yosponge.
Would you also be so kind as to offer your reasoning for this statement that you made:
**Also all those rules blocking ip addresses are wasteful in those rulesets...***
Kerodo
October 2nd, 2004, 10:54 PM
-{ Quote: "Blitzen
Would you be so kind as to post a link to your rule set so as I can compare it to yosponge.
Would you also be so kind as to offer your reasoning for this statement that you made:
**Also all those rules blocking ip addresses are wasteful in those rulesets...***" }-
BZ's ruleset, along with instructions, can be found here:
http://www.dslreports.com/forum/remark,8023708~mode=flat
Go to the bottom of the page for the final version.
TheSnowGuy
October 2nd, 2004, 11:05 PM
Blitzen
Thank you for the fast response..
Regards
TheSnowGuy/ The Snowman
TheSnowGuy
October 2nd, 2004, 11:09 PM
Kerodo
And thank you as well.....am not planning on using the rules...have no need.......just wanted to compare........always open-minded....
Regards
TheSnowGuy
no13
October 3rd, 2004, 12:32 AM
-{ Quote: "That is not how you're supposed to use Kerio; you are supposed to learn how to configure it correctly, not leave gaping holes with general rules, which my instructions tell you how to fix if people would just bother themselves to read them. Also, all those rules blocking IP addresses are wasteful in those rulesets..." }-
I know... which is why I posted saying ...to take the blocked IPs out of Kerio and into an IP blocking program like Proxomitron...
:)
Regards.
no13.
iceni60
October 3rd, 2004, 04:08 AM
BZ, don't be too annoyed with me. I was using your basic rules up until a few days ago. I reinstalled XP and installed your advanced set which I had on disk; that's why I was worried about the set. I'll read up on it all and show you what I have learned :D
Thanks for all the help from everyone :)
BlitzenZeus
October 3rd, 2004, 04:50 AM
I'm sorry, but a pet peeve of mine is when people don't read the manual available for something before asking about it. I've also had to instruct users not to IM, or E-Mail me about questions in the thread as most of the questions were due to them not reading the material already provided. You can only answer the same question so many times before you wish people would look at the material already provided that usually answers their question. 8)
An example would be when I was very young, I was the only person in the house who could program the VCR, or even use it without getting frustrated. My parents never read the manual, and if they had just spent a few minutes reading it, they would have a much better understanding of how to use it correctly. ;D
iceni60
October 3rd, 2004, 05:18 AM
-{ Quote: "I'm sorry, but a pet peeve of mine is when people don't read the manual available for something before asking about it. I've also had to instruct users not to IM, or E-Mail me about questions in the thread as most of the questions were due to them not reading the material already provided. You can only answer the same question so many times before you wish people would look at the material already provided that usually answers their question. 8)
An example would be when I was very young, I was the only person in the house who could program the VCR, or even use it without getting frustrated. My parents never read the manual, and if they had just spent a few minutes reading it, they would have a much better understanding of how to use it correctly. ;D" }-
BZ, that's why I posted my last post. At first I thought you were really scary, but now I realise that you are trying to help, and the people you are helping need to know it's a two-way street. My next post, I hope, won't stress you out too much :) I'll do a bit of learning :). Plus I can see how it must get very frustrating posting the same things over and over :o for people who don't listen.