Kerio Rules
jaxson
February 21st, 2003, 09:28 AM
Hi
Had it installed a few days, seems fine, but just wanted to see if I should tweak any of these rules. Still a few applications that I let online that I haven't run yet, but I don't think they will be the problem, it's just all this stuff at the top I don't really understand.
jvmorris
February 21st, 2003, 09:56 AM
Not really my firewall, but I thought I might direct you to the Tiny-Kerio FAQ at DSLR http://www.dslreports.com/faq/security/2.5.1.+Kerio+and+pre-v3.0+Tiny+PFW .
After that, there's the associated forum at http://www.dslreports.com/forum/kerio .
Some of your rules (especially up near the top) look a bit loose to me and it should be possible for you to tighten them up, I believe. Check those two URLs above for some tips.
JacK
February 21st, 2003, 10:56 AM
Quoting jaxson:
>> Hi
>> Had it installed a few days, seems fine, but just wanted to see if I should tweak any of these rules. Still a few applications that I let online that I haven't run yet, but I don't think they will be the problem, it's just all this stuff at the top I don't really understand.
Hi,
I should not use a general loopback rule but only for the needed applications, like IE and OE for instance.
DNS rules only for your ISP DNS servers.
You might have a look here:
http://tinylink.com/?jX9T2MsOVq
(French but the rules are edited in Eng)
Rgds,
jaxson
February 21st, 2003, 11:37 AM
Cheers.
I changed the loopback so only IE uses it.
Sounds lazy but do I really need to go through all that lot?
It'll take ages :(
I don't like ZA, too bulky, so maybe Outpost or Sygate are better for me if you really need to set up all this stuff?
jvmorris
February 21st, 2003, 12:12 PM
Quoting jaxson:
>> . . . . Sounds lazy but do I really need to go through all that lot?
>> It'll take ages :(
>> I don't like ZA, too bulky, so maybe Outpost or Sygate are better for me if you really need to set up all this stuff?
The basic problem is pretty much the same with all of the rules-based firewalls. And, in saying that, I specifically include Tiny/Kerio/Sygate/Outpost/LnS/NIS/NPF. (And the rules are pretty much translatable from any of the above to any other. Indeed, the people that write recommended rulesets for one often collaborate with people writing rulesets for another.)
However, there's no need to freak out about all this. Most of them start off with a set of default rules that are at least as rigorous as what you would find with the free version of Zone Alarm. Take your time, do it at your leisure (and you'll learn a lot more about firewalls in the process).
What we're talking about here is tightening the rules up as much as possible to reflect your specific needs and requirements, based on your particular system configuration -- that's all.
There's admittedly a bit of esoterica in all this, but if you just take it one step at a time, you'll do just fine.
SpaceCowboy
February 21st, 2003, 12:14 PM
if you arent willing to spend time and tweak your rules for Kerio then i would suggest a different firewall.
Sygate personal firewall is very easy to use. it is an application based firewall with the capabilities to make advanced rules if you want to.
http://soho.sygate.com/products/shield_ov.htm
this site will help you learn about it. very good info
http://home.bellsouth.net/p/s/community.dll?ep=16&groupid=60610&ck=&userid=1&userpw=.&uh=1,0,
plus they have a support forum if you need it.
http://forums.sygatetech.com/
jaxson
February 21st, 2003, 12:32 PM
Hi
Well if Kerio default rules are more rigorous than ZA anyway, I'll do it at my own pace like you say :)
And I'm a single user home PC, using Windows 2000 and connecting to the net using an NTL Cable STB connected by NIC, if that makes any difference.
jvmorris
February 21st, 2003, 12:38 PM
Quoting JacK:
>> . . . . You might have a look here:
>> http://tinylink.com/?jX9T2MsOVq
>> (French but the rules are edited in Eng)
JacK,
Does the following link lead to the same discussion in English?
http://www.blarp.com/faq/faqmanager.cgi?toc=kerio (plus maybe some other information?)
the Tester
February 21st, 2003, 12:49 PM
Jaxson.
The rules in Kerio aren't that hard to configure.
I did it. I thought it would be much more difficult.
A Google search helped me a lot. I saw a lot of options. Some I used, some I didn't.
I added 6 rules and while that doesn't seem like much, I'm comfortable with that for now.
I'm sure that I will have to tweak my rules.
But most of "my" rules are set. The default rules took care of most of my concerns.
JacK
February 21st, 2003, 05:52 PM
Quoting Joseph V. Morris:
>> Quoting JacK:
>> >> . . . . You might have a look here:
>> >> http://tinylink.com/?jX9T2MsOVq
>> >> (French but the rules are edited in Eng)
>> JacK,
>> Does the following link lead to the same discussion in English?
>> http://www.blarp.com/faq/faqmanager.cgi?toc=kerio (plus maybe some other information?)
Hello Joseph,
Not really. I know the KPF FAQ, NL and Blarp (nice guy BTW), where you will find the basic rules; on the French link given you will find tighter rules for people seeking more control over KPF.
Nice WE,
CrazyM
February 22nd, 2003, 12:37 AM
Hi jaxson
You have already been provided with some good links. Here are a few more to look at for some ideas:
Customizing Rules
System Wide (http://www.wilderssecurity.com/showthread.php?t=4413)
Global Permit/Block (http://www.wilderssecurity.com/showthread.php?t=4419)
Application (http://www.wilderssecurity.com/showthread.php?t=4423)
Final Block (http://www.wilderssecurity.com/showthread.php?t=4426)
Although the terminology varies from product to product, the concept or intent of the rules remains the same (e.g. what other products call Remote Address, Kerio refers to as Remote Endpoint).
As a starting point for your application rules, you may want to look at restricting them to the remote services/ports you will need. Right now your application rules permit outbound to any remote service/port.
Example:
Internet Explorer: remote service/port - 80, 443, 8080
Microsoft Outlook: remote service/port - 25, 110
Default rules with the Kerio install that you can probably remove:
Local Security Authority System
Microsoft DS
Services and Controller App
Generic Host Process
The Reply from DHCP should already be covered by the default DHCP near the top of your rule set.
The loopback rule concern can be dealt with a number of different ways. If you choose to go on a per-application basis that is fine. I have attached an image of a rule set as an example only, to provide you with some ideas; it uses per-application loopback rules. Note if you use a final block for outbound, make sure you enable logging, as this will usually disable the rule assistant/wizard in most products and you will not be prompted for new applications wanting to access the network. They will just be blocked and logged. As has already been suggested, there is no one rule set for everyone. You will have to determine what best suits your needs.
For some of your specific applications, you may need to enable logging for short periods while using the application to determine just what local and remote services/ports and addresses are used to help determine how you customize the rules for those applications.
edit to update image and text accordingly - CrazyM
Regards,
CrazyM
jaxson
February 22nd, 2003, 07:52 PM
Hi
Thanks for all the helpful replies. Here are my latest rules after editing from your advice.
Are my basic system rules OK?
I've edited some applications a little, but I don't know what ports they use and stuff; is anyone able to help with MSN and Kazaa as they are quite common?
the Tester
February 22nd, 2003, 08:51 PM
Hey Jaxson,
You got the basic rules set up good IMO.
I don't know the ports regarding Kazaa and MSN.
CrazyM mentioned enabling logging and watching the programs for info on the ports and addresses that are used.
I hadn't thought of that.
sponge
February 22nd, 2003, 09:44 PM
Jaxson -
For the very first rule, I'd block Kerio itself from TCP & UDP. This might sound weird but it provides a little protection should the firewall itself be compromised.
Then put a rule right beneath the DNS rule blocking all traffic to and from Port 53 (remote). Since you have DNS already as restricted as it can be there is no point in allowing Port 53 traffic to continue further down the list. Ditto for DHCP.
I would also enable that last rule blocking everything.
You should consider adding some spyware IP filters if you plan on using IE and IRC, since a lot of the spyware out there likes to hijack IE, and if you use auto DCC on IRC you can get something loaded on your system quite easily.
All in all it looks like a good setup.
Sponge
Sponge's Anti-Spyware Source
www.geocities.com/yosponge
LowWaterMark
February 23rd, 2003, 12:44 AM
Isn't the first rule actually too narrow to block all NetBIOS? Set up the way it is, see image, isn't it only saying to block any connections to/from local ports 137-139 from/to remote ports 137-139? Wouldn't an incoming bugbear/opaserv connection to local UDP port 137 get by this rule since these generally come from a remote port of 1024 and above?
CrazyM
February 23rd, 2003, 05:13 AM
Nice catch LWM :)
A more effective way would be to have two rules:
Block inbound netbios
protocol: tcp/udp
direction: inbound
local service/ports: 135-139
remote service/ports: any
any address
Block outbound netbios
protocol: tcp/udp
direction: outbound
local service/ports: any
remote service/ports: 135-139
any address
If he activates his final block rule, that would also cover the above.
Regards,
CrazyM
JacK
February 23rd, 2003, 09:38 AM
Quoting jaxson:
>> I've edited some applications a little, but I don't know what ports they use and stuff; is anyone able to help with MSN and Kazaa as they are quite common?
Hello,
I should add a second DNS rule:
Description: Other DNS
Protocol: TCP and UDP
Direction: Both
Local Port: Any
Local App.: Any
Remote Address Type: Any
Port type: Single
Port number: 53
Action: Deny
Special application ports to open for MSN and others:
http://www.practicallynetworked.com/sharing/app_port_list.htm
For Kazaa:
Description: Kazaa out
Protocol: TCP
Direction: Outbound
Remote Address Type: Any
Local Port: Any
Remote Port: 1214
Action: Allow
Description: Kazaa in
Protocol: TCP
Direction: Inbound
Remote Address Type: Any
Local Port: 1214
Remote Port: Any
Action: Allow
Description: Kazaa HTTP
Protocol: TCP
Direction: Outbound
Remote Address Type: Any
Remote Port: 80-83, 443, 1080, 3128, 8080, 8088, 11523
Action: Allow
Rgds,
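Added example, not code from this thread or from Kerio: a small first-match rule evaluator in Python that models the single NetBIOS rule LowWaterMark questioned next to CrazyM's two-rule replacement, and JacK's ISP-only DNS allow followed by the "Other DNS" deny. Packet, Rule, the port sets and every address are constructed for illustration; 192.0.2.53 stands in for the ISP resolver and is not a real server.

```python
from collections import namedtuple

ANY = None  # a field set to None matches everything, like "Any" in the Kerio rule dialog

# proto is "tcp"/"udp"; direction is "in"/"out" as seen from this machine.
Packet = namedtuple("Packet", "proto direction local_port remote_port remote_addr")
# direction may be "in", "out" or "both"; the port/address fields are frozensets or ANY.
Rule = namedtuple("Rule", "name action protos direction local_ports remote_ports remote_addrs",
                  defaults=(ANY,))

def matches(rule, pkt):
    """Every field must match the packet; an ANY field is a wildcard."""
    return (pkt.proto in rule.protos
            and rule.direction in (pkt.direction, "both")
            and (rule.local_ports is ANY or pkt.local_port in rule.local_ports)
            and (rule.remote_ports is ANY or pkt.remote_port in rule.remote_ports)
            and (rule.remote_addrs is ANY or pkt.remote_addr in rule.remote_addrs))

def evaluate(rules, pkt, default="ask"):
    """Walk the list top to bottom; the first matching rule decides (returns action, rule name).
    With no match a personal firewall prompts the user, unless a final block rule is present."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.name
    return default, "(no rule matched)"

TCP_UDP = frozenset({"tcp", "udp"})
NB_137_139 = frozenset(range(137, 140))
NB_135_139 = frozenset(range(135, 140))

# The single rule questioned above: local AND remote port must both be within 137-139.
NARROW = [Rule("Block NetBIOS (narrow)", "deny", TCP_UDP, "both", NB_137_139, NB_137_139)]
# CrazyM's pair: inbound keyed on the local port, outbound keyed on the remote port.
SPLIT = [Rule("Block inbound netbios", "deny", TCP_UDP, "in", NB_135_139, ANY),
         Rule("Block outbound netbios", "deny", TCP_UDP, "out", ANY, NB_135_139)]
# JacK's DNS pair: allow only the ISP resolver (constructed placeholder address), then deny
# every other port-53 packet so nothing further down the list can let it through.
ISP_DNS = frozenset({"192.0.2.53"})
DNS = [Rule("ISP DNS", "allow", TCP_UDP, "both", ANY, frozenset({53}), ISP_DNS),
       Rule("Other DNS", "deny", TCP_UDP, "both", ANY, frozenset({53}))]

# Constructed sample traffic: an inbound name-service datagram from an ephemeral source port
# (the case LowWaterMark describes), plus DNS queries to the ISP and to an outside resolver.
PROBE = Packet("udp", "in", 137, 1034, "203.0.113.9")
ISP_QUERY = Packet("udp", "out", 1055, 53, "192.0.2.53")
OTHER_QUERY = Packet("udp", "out", 1056, 53, "198.51.100.7")

if __name__ == "__main__":
    for label, rules, pkt in [("narrow", NARROW, PROBE), ("split", SPLIT, PROBE),
                              ("dns", DNS, ISP_QUERY), ("dns", DNS, OTHER_QUERY)]:
        print(f"{label:6} {pkt.direction:3} local {pkt.local_port} remote {pkt.remote_port} -> {evaluate(rules, pkt)}")
```

The narrow rule never matches the probe because its remote port is 1034, so the packet falls through to whatever comes later in the list; the split pair denies it on the local port alone.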
controler
February 23rd, 2003, 10:06 AM
Since I am now using Sygate free version and we are posting screen shots, I thought I would add a few and any of those people using Sygate Pro's advanced features can then chime in at any point.
controler
February 23rd, 2003, 10:09 AM
Notice in the screenshot above the grayed out check boxes.
Those sure look like important and cool options to me.
controler
February 23rd, 2003, 10:10 AM
The next two screen shots are the application advanced rule sets
configuration area.
controler
February 23rd, 2003, 10:10 AM
.
controler
February 23rd, 2003, 10:11 AM
.
jaxson
February 23rd, 2003, 08:54 PM
sponge:
I'll add that rule, so I need to block persfw.exe and pfwadmin.exe?
Added the DNS and DHCP ones too, which a few other people also said.
LowWaterMark:
I got that rule from:
http://www.blarp.com/faq/faqmanager.cgi?file=kerio_genrules&toc=kerio
So I just added it; I thought it would be right if it was in their FAQ :(
CrazyM:
Will add those. :)
JacK:
I tried those Kazaa rules but it just won't connect me to Kazaa with them.
It starts asking me to let it connect to loads of different UDP ports and when I deny it doesn't connect me. ???
jaxson
February 23rd, 2003, 10:17 PM
Also
I'll enable the block everything else rule when I have configured all my apps.
Another thing though: the open connections window I don't get. Here is a screenshot, what are all those things listening? Should they be listed there?
The black parts I've marked are just covering my IP.
LowWaterMark
February 23rd, 2003, 11:19 PM
Quoting jaxson:
>> ... Here is a screenshot, what are all those things listening? Should they be listed there?
>> The black parts I've marked are just covering my IP.
Yes, those are normal. The three lines you blacked out your IP on are just NetBIOS, of course. You said in a previous post:
>> ...And I'm a single user home PC, using Windows 2000 and connecting to the net using...
If you are just a single, non-locally networked PC, you should just disable NetBIOS (see http://www.petri.co.il/disable_netbios_in_w2kxp.htm). Ports 135 and 445 are epmap and microsoft-ds. See this thread (http://www.wilderssecurity.com/showthread.php?t=7502) for more information.
CrazyM
February 23rd, 2003, 11:31 PM
Just to add to LWM's reply...
The entries for PERSFW and PFWADMIN are just the firewall communicating with itself and are also normal. If you want less clutter, there is an option under settings to disable/enable seeing those entries (and others).
Regards,
CrazyM
jaxson
February 24th, 2003, 08:46 PM
Thx guys.
I just noticed those options CrazyM, I think I will use some to get rid of the clutter. Do you have some of them ticked?
LowWaterMark:
I have disabled NetBIOS completely now using those instructions. So it's safe to delete the NetBIOS rules in Kerio now? I also noticed that when I disabled it the things started listening on port 445; after looking at a link of yours I have now disabled this port too. All I have now is svchost on port 135, and after reading some posts people say they couldn't boot into Windows when they disabled it, and you yourself don't recommend it either, so I think I will leave that.
I have read guides before on 2K services and have adjusted mine accordingly, but many that were automatic it told me to set to manual. But should I set some of these manual ones to disabled altogether? Here are some screenies.
jaxson
February 24th, 2003, 08:47 PM
Continued...
LowWaterMark
February 25th, 2003, 12:12 AM
Most of the services I don't want to start I set to Manual. I like this better than disable for some because this will allow them to start if another service calls upon them. Unless it is something I considered insecure, I believe setting to Manual is good enough.
There were only a couple that I set to Disable because I really wanted them off, and a Manual setting didn't prevent them from starting (because some other process was triggering them). For myself, I don't need the DHCP Client (I'm on an ADSL PPPoE connection that doesn't use DHCP), and Manual wouldn't prevent it from starting, so I set it to Disable.
I also set "Automatic Updates" to Disable (because I really wanted that one dead! ;) ), plus a couple that aren't on Windows 2000 but are included on XP.
Manual should be fine unless you are worried about a particular service. Your list of Services looks really clean!
Oh, and of course, every time I've done a major update at Windows Update, Microsoft re-enables and restarts Automatic Updates. >:(
jaxson
February 25th, 2003, 10:16 AM
Will probably leave it as it is then. Do you recommend a site that does a thorough port scan, as I want to do this with Kerio turned off to see what ports are closed without my firewall on. Or can I do it another way?
Pieter_Arntz
February 25th, 2003, 10:22 AM
Hi jaxson,
You will find a lot of useful test sites here: http://www.wilderssecurity.com/showthread.php?t=6341
Regards,
Pieter
jaxson
February 25th, 2003, 10:46 AM
Hey
I just ran most of them with Kerio off, and all ports are closed apart from 135, which I'm not sure about closing.
Although one scan also said port 31337 was open
And another scan said it was stealthed.
What does this port do? And is there a way I can confirm, as the two scans contradict each other?
jaxson
February 25th, 2003, 12:34 PM
Just read this on port 135:
http://www.uksecurityonline.com/husdg/windows2000/close135.htm
LowWaterMark
February 25th, 2003, 01:18 PM
Some people do run okay with port 135 closed, but many don't. I wouldn't close it (and I didn't, as noted in the other thread I referenced in a previous post).
As far as port 31337, just bring up a DOS/CMD window and run a "netstat -an" command to see if anything is actually listening on that port. If nothing is listening, then the scanning site is either wrong or your ISP could be intercepting that port for some purpose, before it reaches your machine. In any case, if nothing is listening, you have nothing to worry about. If it is open on your system, then it becomes a matter of tracking it to the program holding the port open and proceeding from there.
jaxson
February 25th, 2003, 04:24 PM
Thx
Just done that and no it's not listening or even listed.
Lots of ports listed on the left hand side that aren't listening either, what are they doing?
LowWaterMark
February 25th, 2003, 06:43 PM
Quoting jaxson:
>> Lots of ports listed on the left hand side that aren't listening either, what are they doing?
Could be any number of things, as you saw from your Kerio active connections screen, (same data - just presented differently)... Different programs holding open connections for different purposes.
In the screen shots below, you see the execution of a netstat command, twice. The first one was immediately after I used IE to connect to two different websites (fairly verbose ones - with lots of images, ads, etc.) The second netstat command was a minute or so later. I hadn't done anything, just waited. The excess connections closed in the amount of time that passed between the two netstat commands. I wouldn't worry about ports opened by IE while browsing.
If I'm also at a port scanning website at the same time I'm doing other browsing, these IE ports won't appear to be open to the scanner because they are busy in the established connections to the other sites.