are these kerio 2.1.5 rules ok?

hi, i (iceni60) setup Helen's computer for her, but another friend of Helen's thought there was too much security software installed so decided to delete a lot of it (most of it was on demand).

he couldn't work out the FW rules either, so when he needed internet access for a program he'd installed thought it would be a good idea to delete the rules i set

realising there might be a problem with that, he enabled the MS FW, so there where two FW running at the same time. Helen's a bit upset about that, so asked if i'd come round and check too much damage hasn't been done. i haven't used windows, or Kerio, for awhile so can someone please let me know if these first few rules i've made are safe? i'd spend more time looking it all up, but i'm going home soon.

we're using the BZ standard ruleset. in this first screenshot i've added the first two rules -

http://img211.imageshack.us/img211/8963/proxo1pt3.th.jpg

and in this second i've added the last four rules

http://img144.imageshack.us/img144/3896/proxo2wa6.th.jpg

i'm not too sure about the proxo ports used - 80, 8080, and if i should enable the two rules directly above the proxo rules (in the second screenshot) and put them/it right at the end when i've finished? i might put in the ISP DNS too

if all looks ok i'll continue adding rules in a similar way to the firefox rules thanks

EDIT in the back of my mind i think i remember Kerio 2.1.5 can sometimes lose its rules. is that correct? if that does happen would the rules still be there, and a new unconfigured set would have replaced it, or are they totally deleted and there'd be no sign of them? Helen says he was playing around with Kerio when he needed internet access. it would just be nice to know what exactly happened to the rules

 

Hi helen321 and iceni60 First of all Kerio 2.1.5 has been one of the most common used firewalls since it was released, lots of people are pleased with its performance, I used it myself when I first got my computer,and with other firewalls now adding extra stuff, that I dont really need I'll probably go back to using it again The rules you have look fine, if they work, then keep them. I would test them at www.pcflank.com and see if they give a stealth result, try all the tests,but if I remember rightly Kerio 2.1.5 passed them all, with the exception of the leaktest, but really leaktests arnt so important,as long as your computer ports are stealthed your safe

 

I've never had a problem with Kerio 2.1.5 losing rulesets. It normally stores them as a .conf file in the program folder. You can save a copy to another location if you're concerned about the possibility. Click "administration" on the tray icon, then the miscellaneous tab. Use the "save" button to store a copy where ever you want. This also makes it easy to add a copy of the ruleset to a backup CD. On the chance that the old ruleset might have been saved to an odd location, run a wildcard search with find using *.conf. Might get lucky.

Don't enable the two "blocking rules" unless you move them to the very bottom of the ruleset. Everything below those rules will be blocked.

It is a good idea to add the ISPs DNS servers to the permitted DNS rules. I used the custom address group for this rule and listed them there, The regular
ones from my ISP plus the ones for Open DNS.

Regarding the FF and Proxomitron rules, Are you using Proxo to filter https? If you are, you'll want to add port 443 to the Proxo outbound rule or make a separate rule for Proxo and https. If you're not specifying specific addresses for https or logging it, one rule is fine. Depends on whether you prefer separate rules for secure connections. If you're not running https thru Proxo, you'll need to add a rule for FF allowing it to connect out on port 443. I haven't found a need on my PC to allow Proxo to connect out on port 8080 thus far. Port 80 and 443 have been sufficient. It might be necessary if a remote proxy service is used.

Regarding the first 2 rules, I've never tried that before. Just added them to my ruleset. It does seem to work OK so far. Not sure just what effect those will have.
Rick

 

Regarding the 2 blocking rules, there's a couple ways to deal with this, depending on your friends preferences and abilities. Since Kerio reads rules from the top downwards, rules like those would have to be at the bottom of the ruleset. The same results can be obtained by using the slider on the first administration screen, setting it to "deny unknown". I'd leave those disabled at least until you finish the ruleset, If you enable them at all. If enabled now, no other internet apps will be able to prompt you for access, no matter where the rules are located.

Depending on your friends preferences and skill, it may be better to not use them. Besides being a line of defense that prevents an unwanted application or malware from connecting out, the firewall can alert you to the presence of such malware, if it's allowed to alert the user. Those rules would also prevent legitimate apps like updaters from prompting the user. While using the "display alert" option with them would help offset these problems, this could result in a lot of alerts unless application specific blocking rules that cover the known system processes are used farther up the ruleset. That would limit the alerting to unknown items. You'll have to decide what works best for you/her.
I settled on something of an "in-between" approach. The upper part of my ruleset is much like the BlitzenZeus set, with blocking rules added for most of the windows executables (easier to do on Win98 ). If you're blocking any specific sites or IP ranges, put those rules up here too.

These are followed by rules for Proxomitron, loopback rules, browser rules, and rules for proxy services/apps. These rules work together and their positions in relation to each other is important. Keeping them together makes it easier to work with them. You may want to consider unchecking that standard loopback rule and require applications to ask for loopback connections individually, then make application specific loopback rules.

The rules for most other internet apps can go below these. I opted to keep the rules for each application together, "permit" rules followed by "block the rest" rules for each individual app. Exceptions would be IM programs and similar items, where a block everything rule could prevent anyone not already permitted by rule from contacting you.

You might also want to limit the info you want to log to items you need to know about. Kerio 2.1.5 has no option for limiting the size of the log. If your friend doesn't review and clear it occasionally, it can get big.
Hope this helps.
Rick

 

Adding to Rick's post.

It is not seen, your loopback rule regarding port exlusions.
But if the 'Standard Loopback" is the BZ's one unedited, I suggest you uncheck it and check instead the 'Software Proxy Loopback" where port 8080 is excluded from the rule.

That to prevent a hole through proxomitron local proxy same way as Sygate does. I have never used Proxomitron local proxy, only Avast's ones, but I am pretty sure it works the same way.

Jarmo

 

I would hope the people using the computer with the firewall installed would know what to do, not their computer buddy.

Telling the firewall to block itself is useless, and all it really does it lookup dns information for alerts/logs. For how old the program is I would hope people are keeping the boxes unchecked for checking for updates as the server doesn't exist anymore.

As commented if you are going to use a software proxy, you should not use the wide open loopback rule, and of coarse the software proxy rule can be edited for other ports/ranges/etc, many av like Avast have a handfull of ports they use in an upper range when used in combination with invisible redirection so if people are running the web shield any program requesting http access could get out on the standard loopback rule.

As also commented is it very easy, and necessary to move the block all rules if you plan on using them, otherwise I don't really use them myself, since Kerio implicitly blocks packets to non-listening ports the only packets that prompt are to listening services not already covered by one of your rules.

I would suggest you install something that you find easier to configure, and something they might be able to configure without your help, along with have them be more strict about what software they might allow on the system. It sounds like they wanted to run p2p software which av software might have flagged, and their lack of knowledge made them remove more security software to install it. If the person is not the owner, the MUST ask permission to install new software, and they shouldn't be messing with that persons security software, period. These people are worse kind of computers users, and are a very big reason why many people are infected with malware, their own ignorance is the problem. Using user accounts instead of admin accounts for normal use is a good step in this direction.

 

Hi iceni60, hope you did not get upset on BlitzenZeus's reply.
He can be a little harsh at times, but his advices are always with a good reason.

It is, if a person running kerio 2.1.5 has no idea what to do when installing new software, like a new local proxy software, then it is not so recommended to run kerio 2.1.5.

As Rick in his excellent posts told also among other things,
you can also do without a global local loopback rule.
If you allow an application anything out, also the localhost address is covered if it needs it.
And you would get asked by kerio 2.1.5 about localhost access, if not allowing all blank out.
That loopback rule is just a convenience to have, but it can be dangerous too, as was in your case.
Maybe DVD+R's case too since he failed the basic leaktest in pcflank.

Regarding Avast's local proxy software, webshield and email scanner, the ports needed to exclude are in this post if wanting to keep the global loopback rule.
http://www.dslreports.com/forum/remark,16592654
Just look at the attachements and ignore rest of the posts.
I made it pretty steroids since I also made those ”Deny WS proxy” and ”Deny email proxy” rules.
There needs to be logging on those rules so one can see what is needed to add later .
One was jucheck.exe and some others I later needed to add too.
Those block (deny) rules are really not necessary.

I have now changed from Avast to Avira Antivir PE Classic to have an even better AV protection.
Antivir free has no email proxy or other protection besides normal file read/write access protection, so I run my Mozilla Thunderbird email client now inside Sandboxie (free version at the moment).
This way I believe if there is some vulnerability in Thunderbird, I should be safer safer when Antivir Classic does not provide that protection by itself. Hope these excursion notes did not stray too far from the main topic, since I believe many of us are using also Antivir

Jarmo

 

I found this out a couple of years ago when I started using the freeware Kerio 2.1.5. I ran the default ruleset for a short time and then became interested in customizing it. I eventually found the Kerio forum at DSLR and discovered a number of beginners with Kerio being flatly told by the regulars there, that they didn't know enough to use Kerio. Including me. Using someone else's ruleset was no help, since I didn't know what many of the rules meant, and I could see that many of them didn't apply to my situation. There were some FAQs but they assumed more than just basic knowledge.

So here was a dilemma: I had to ask beginner's questions and most didn't want to help beginners. I can understand that - it takes patience and time to teach beginners - which is my line of work. So I decided to see if I could teach myself.

In reading about Kerio, I noticed the "Ask me first" setting:

http://www.urs2.net/rsj/computing/imgs/kerio.gif

Hmmm, I thought, this means that I can let Kerio make the rules, so to speak, since Kerio will prompt for everything. Armed with this astounding discovery, I set out to create a ruleset.

I backed up the default ruleset, perswf.conf, and then deleted all of the rules in the ruleset window - starting from scratch. I re-created this procedure earlier today.

On connecting to my dialup, I was immediately prompted:

http://www.urs2.net/rsj/computing/imgs/dhcp.gif

From reading, I knew that this was DHCP. I discovered early that if you don't learn the basic operations of the internet and protocols, you will not understand what you are doing.

When you attempt to connect to the Web with an application (browsers, email) you will be prompted for your DNS, as you were with DHCP above.

Kerio will also "ask you first" for your applications, such as the browser:

http://www.urs2.net/rsj/computing/imgs/opera.gif

You can set up all of your application rules this way.

If another application tries to auto-connect out while you are working, you will be alerted:

http://www.urs2.net/rsj/computing/imgs/isc.gif

This is my sans.org update, and I have a rule to permit it.

For Other applications that you don't want to connect out, you can set a block rule when Kerio alerts you.

Kerio will also alert for inbound attempts. Here is messanger spam to port 1026:

http://www.urs2.net/rsj/computing/imgs/inbound.gif

I decided that for me, rather than being bothered with making separate inbound block rules for the many ports that are bombarded daily, I would just create a "Block all other" rule at the bottom of the ruleset. I set it to "log" so that I could study these scans - looking up information on the various ports that are scanned is a great source of information about how malware works.

http://www.urs2.net/rsj/computing/imgs/log.gif

So, these are the rules so far that Kerio "made" and my block rule at the bottom:

http://www.urs2.net/rsj/computing/imgs/rules.gif

You can re-name the Description to identify the rule, and further customize the rule:

http://www.urs2.net/rsj/computing/imgs/rules2.gif


I began to see that you aren't helping anyone in the long run if you configure her/his ruleset. So I created a Beginners Tutorial which I've used quite a bit with others:

http://www.urs2.net/rsj/computing/kerio/index.html

It's just the basic ruleset, and other rules will have to be added according to individual setups. But in the end, the user has a very good understanding of a ruleset, and then can post "advanced" questions to the forums, which the experts are most happy to answer!

regards,

-rich


________________________________________________________________
"Talking About Security Can Lead To Anxiety, Panic, And Dread...
Or Cool Assessments, Common Sense And Practical Planning..."

--Bruce Schneier​

 

In the end people have to help themselves, and most people don't know that Tiny/Kerio 2.1.5 was a packet filter ripped from a advanced enterprise gateway firewall so it was not meant for beginners to start off, however it was provided for free with basically no support unless you had a license. This was never designed to be used by people not in network administration, hell the help file was a joke, but in the days when the program was made available all of the firewalls were rule based. It wasn't really until AtGuard which application based came into play, and after AtGuard has been out for years the first ZA was available around the same time WRQ sold a licence to use AtGuard's code/technology in Symantec Norton Firewall, which is nothing like the Norton of today.

Years ago its popularity soared, and many people were interested in the program, however a huge majority of the people were not willing to spend the time to learn how to use the firewall even with their hands held, and this was merely users helping other users. The real problem is most of these users were not actively trying to help themselves either, but there were various FAQs available even back then covering basic tcp/ip, along with common applications like browsers.

The main reason I made the rulesets in general was I got tired of answering the same damn questions over, and over as people were not using the resources already available, also the default rules that were there when you first installed Kerio 2.x could have allowed a worm infection if you were running an NT operating system, most new users had no clue what those rules were permitting. I was approaching total burnout due to users who just didn't want to take the time to learn anymore after they had their hands held the entire way so far. One of my last efforts was working on the rulesets to have the rules already made with basic instructions, but I even said bluntly in the information where the download is available that this wouldn't teach them how to use the program, they would have to do that on their own. Soon afterwards of the release of the default replacement update which had some updates to the first default replacement like pre-configured ICS support, I just didn't have the time anymore due to real life was calling nor want to spend the time anymore due to burnout from users who really didn't want to learn on their own. However you have to realize, if you have ever been in a teaching/management position yourself, you cannot do everything for the students/employees, and they must be willing to take on the education themselves. At least you get paid in management/teaching, but if you get the right people who are learning on their own, along with asking the right questions, you really don't mind helping those people if you have time.

I still maintain that there are many users who shouldn't run certain programs if they do not understand what the program is doing, and that still extends to installing the program on somebody else's computer, where you basically must be the support as you volunteered yourself for the position, however when they cannot reach you they are stuck. I have no problem suggesting someone run ZA instead of Kerio 2.1.5 if the situation warrants it.

 

An interesting conclusion. It closely describes an incident with a friends PC, except the perpetrators were friends of their kids, installing Kazaa of all things. Iceni, I seriously hope you're not facing this kind of situation.

Unless the PCs owners are willing and able to learn how to write effective firewall rules, you should consider using something they can handle, unless you're willing to be "on call" available whenever they have a firewall problem. Trying to sort out firewall rules over the phone gets old quick. Very few users will bother to learn enough to effectively use Kerio 2.1.5. I installed Kerio on PCs for several of the more computer literate users I've done work for. Only one learned to use it effectively. The rest either called every time something didn't work or switched to one that writes its own rules.
Rick

 

I totally agree with you and also what BlitzenZeus told.
Best place is security forums. Not to have some person as a crutch, but find out yourself.
I learned to use kerio 2.1.5 only gradually, being kind of slow to absorb new things.

First there was Norman firewall in my system, rulebased but offered to mass market with Fujitsu-Siemens computers as installed.
It was not a right software to offer for newbies. There was Shields Up! Port scan, some ports open, so one goes to phone support help, them not much more knowledgeable than a newbie. No help, just some stupid rule to give to deny all incoming connections. That was my crutch phase.

Thinking about past, it was a good choice I chanced my firewall to Sygate instead ZA.
It offered a gradual phase of getting to know about internet connections, TCP, UDP ports, outgoing and incoming, and ”advanced rules”.
I learned them step by step, reading a forum and sometimes also asking stupid questions from the helping people like DilatedPupil and Mats and also there was one other who helped me about Wireless Zero Configuration service that was causing so much traffic in the log, unnecessary.
It was not the fastest possible education, but it was good cause it made me learn by myself more than asking someone else as a crutch.

I made also my SPF guide page to internet that is in my sig still.
I now knew all about Sygate I needed to know and was able to ”try” help others in my posts.
I have never had a local network or hardware firewall or even a router, so that area is still missing from me.

Then I switched to kerio 2.1.5. Got rid of the default ruleset and downloaded Blitzen's system protection rules. But I was a newbie again, did not know what to do with DNS and DHCP rules.
Basic firewall operation was a piece of cake though.
I remember posting some ”moronic” thread to dslreports kerio/tiny forum and then soon afterwards reverting back to my trusted Sygate.

I came back to kerio 2.1.5 1.5 year ago and finally made those rules according to my ISP, all by myself. There was the loopback proxy issue with SPF with proxy software that made me do that change too.
Rich tells that one should not have anyone elses ruleset as a template and build it from blank.
I kind of disagree in that a ”newbie” is able to build one, a sound one, though reading his tutorial is nice too. But I thank BlitzenZeus for making available his one. No block all rules at the bottom even as Rich has them logging. There are the rules in BZ system protection and one has just to study what they mean. Even if it is made by someone else than me does not mean I have not continued and made my own ruleset in the end.

I have also tried Kerio 4 after I get to understand Blitzens rules. Noticed its ”bugs” and non functionality compared. It was also educational and thus not totally useless, since it had ”application behaviour blocking” that lead me to HIPS software. First with PG and then thanks to Rick's and others posts here to SSM.

It has been a long and winding road, testing also Comodo to know what I like and what I don't like to end up with my current security.
Sandboxie is the latest in HIPS department, just got the over 30 day popup today.

Jarmo

 

thanks for all the help i've read through it all and i'll go through it again. i should have remembered the loopback rule; the first post i made here was about the kerio loopback rule here. after re-reading the thread afew times and doing more reading i managed to work it out.

i have learned not to try and fix/secure friend's computers, but Helen is different because she always makes notes about just about eveything and asks about them when i see her, so in the past when i was using Windows/Kerio and had setup Kerio with all her programs there wasn't any problems, infact using kerio was a plus because if anything wanted internet access she didn't know about she would disallow it and we'd lookup what it was later on. she just uses a browser and email, so installing new programs wasn't/isn't a problem. i was round there and using the computer alot, so the rules were fine, i was familiar with kerio and the rules.

i'm not using windows anymore and don't know how to setup any other FW that's why i was trying to reconfigure kerio, but i don't go around there so much now either, reconfiguring Kerio was the only thing i thought about, i didn't think to install something easier.

i really don't know what her friend was trying to do, and as it seems he goes round there more then i do, maybe i should just let them get on with it. i really don't know what to do, i need to go there one more time to sort out the loop back rule, but maybe i should just install something easier, i don't know??

what FW do you recommend that will be easy for her to use and make rules? that way i can install it and configure afew programs, then let her make the rest when she runs something. thanks

 

Very sound advice. While I have read so much accolades about Kerio 2.1.5, when a program is not set up properly, it will not function effectively enough for your system. Many PC users don't have the time to learn the underpinnings of AV, AS, HIPS, FW programs (let alone the registry, BHO, and other things relating to the OS of their machine). Most just want their system to not give them BSOD, steal their identity and slow to a crawl.

 

As far as questions go, I wouldn't consider real questions 'moronic', but when it comes to configuring rule based firewalls there is quite bit of terms that are used in association with tcp/ip ipv4 which can seem like a second language.

His method is sound in the long run as that is how I started out with another firewall on own to begin with, but my firewall first configurations was far from sound for many months, this was back running Win9x where I had netbios disabled so I had no listening services anyway to be exploited. There were also very few to no FAQs back then, but after a few months when I had a basic grasp of how things worked I found a user forum for this firewall where I read most of the posts, along with participated in the discussions. This process really helped confirm, and correct some of my understandings. So its not impossible for a newbie to make a solid ruleset, but improbable unless they already have a good understanding of how the program along with tcp/ip works, however most people are not up for all of the reading, prompts, logs I went through in my learning process.

 

Zone Alarm free, while the low to high security levels can be confusing the application permit/block system, and the simple setting if you want to allow a program to be a server if necessary should be ok.

If you feel they don't need app filtering just leave them with the xp firewall, and if they won't really understand the prompts this is the best solution, however if they have broadband they should have a hardware router anyway.

 

When someone "helps" a friend by first deleting security apps, I'd start questioning what their real intentions are. If there's nothing in the browser history, cookies or cache, the index.dat files may be able to tell you. Did you check the applications MD5 signature listing in Kerio? If he deleted individual rules as opposed to the configuration file itself, there should still be signatures for the internet apps that were used. On 98 units, more info can be found in /windows/applog/. I'm not sure if there's an equivalent location on XP. If nothing else, a keyword search of the registry can be revealing, even when the apps are uninstalled. Many uninstallers leave a lot in the registry. If P2P apps are suspected, run a few of the more common names like Kazaa, Limewire, etc thru "find" in the registry editor.

It is hard to decide what to do in that kind of situation. If you have concerns about what he's doing, maybe it would help to talk to her about it. What do your instincts tell you? He may be legitimate, but a bit misguided with the removing security apps. Then again, he might be removing anything that would detect a trojan or keylogger he's added. I've run into examples of both, posing as someones friend.
Rick

 

I would like to amplify what I said.

When I discovered the Kerio forum at DSLR, I noticed posts by people who had copied verbatim BZ's ruleset and then asking for help when things didn't work right.

As I studied their problems and read the various threads, I realized that they didn't have an understanding of TCP/IP and all of the other stuff. Neither did I as I was struggling with my rules and trying to understand what others were doing. I finally realized that if I was going to use Kerio, that I had to start from the beginning and learn the basics. I copied to my notes many thoughts from threads by BZ, Ghost, and TheWiseGuy, and I hope BZ won't mind if I put here some quotes from his posts, because they are pivotal to getting on the right track with working with this type of firewall.

-rich

 

again thanks for helping. i went round to Helen's eariler and had a good look at each rule. however, this time their modem wouldn't connect, so there was no internet connexion, this made it more difficult to test out the rules as well as look anything up.

the modem is from http://www.now.com/ it's a truely wireless modem because instead of cable or POTS, the connexion to the ISP is wireless.

i tried launching the modem dialler afew times, but its signal indicator only showed two lights (three lights are the minimum needed for it to work). i then ran firefox, which initiates the modem conection too; for some reason, even though i'd already made a firefox rule, kerio popped up asking what it should do, i just clicked allow firefox. the modem connexion failed, then when i checked Kerio's rules to see why i was prompted for firefox access, every rule had gone! all but the firefox allow rule i'd just made.

at that point i didn't have time to reconfigure kerio again and even if i had it looks like there might be a problem. i disabled kerio's automatic startup option and enabled the windows FW. that's all i could do, i had no other option with no internet access.

herbalist, i don't think her friend was using P2P or was up to no good, rather he was trying to use something like excel - the problem i think he might have had was something like allowing excel to update, and not understanding teatimer too. as i said eariler Helen doesn't have these problems - she only uses 3 or 4 programs so hardly ever has to deal with a popup she doesn't know what to do with. she has proxomitron in startups too and firefox configured to use it, and loves being protected by proxomitron and kerio. AFAIK the combo was working well.

i think BZ's advice sounds best - use the windows FW along with a router, that's what i'll recommend i don't know when i'll next go round there, so i think i'll leave it at that. thanks for all the help from everyone