How to Optimize Security in Kerio 2.1.5 -Learning Thread 3

Discussion in 'other firewalls' started by Escalader, Aug 8, 2007.

Thread Status:
Not open for further replies.
  1. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Wow, rules shifted, so they take priority, log 10.x logs gone. Bug still present because no one was as sloppy as me to have the rules in that order! IMHO.

    See attached log!

    Got to go now, it's "turkey day here!"

    Please no bird jokes!
     
  2. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    That looks like blocked DNS replies.

    Send me a sandwich.


    OK, I have now recreated this problem with blocked->10.*. This was on a VM LAN which defaults to 10.1.1.1 (gateway), LAN 10.1.1.0/255.255.255.0, so such blocking from the rule mentioned should not take place.
    I am now seeing problems with any DHCP on this VM LAN, which would indicate possible conflicts.

    I will need to play for a while, possibly change the VM in use.
     
  3. herbalist

    herbalist Guest

    Those are different. Port 53.
    It'll be tonight at the earliest before I can investigate this further. I have a big outdoor job that has to take priority, and nice days at this time of year are scarce around here.
    Rick
     
  4. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Does the theory that the buggy rule in my case is now never reached because Rick had me elevate the DHCP rules ring true or false?
     
  5. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    The blocking rule will not now be used, as the default "DHCP" rule will allow "from any"-> "to any".

    From the facts (for the blocked 10.*):

    1/ It is confirmed that this is an outbound event being blocked.
    2/ The outbound is to Internet broadcast (255.255.255.255)
    3/ The rule in place should only block outbound to 10.0.0.0<->10.0.0.255

    This for me is a bug (possibly a conflict with network drivers)
     
  6. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Thank you. This is a better outcome than a trojan.

    My DHCP rule is more restrictive, I thought! Attached as jpg. It is not any to any, is it? Or does 255.255. etc. etc. mean any to any... I think I'm wearing down today...

    Network drivers? This software is old and no longer maintained, so who is off: them or us... pardon my terms.
     
  7. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    There is something wrong with how Kerio 2.1.5 handles the IP/mask thing.
    I noticed it first myself in this old thread, but I was not the first one to find it:
    http://www.dslreports.com/forum/remark,16592654

    I have no router protecting my machine with my cable modem connection. The rules it happens with are in the 3rd post, and the loggings it should not make are the green allowed outgoing ones to 255.255.255.255 in the 4th post. This itself is needed perhaps for DHCP broadcast, but there were no rules allowing it; that loopback rule with the mask allowed it anyway. After this I quit using that mask with my loopback rules.

    Currently I have no "global" loopback rule.

    I have not followed this thread very closely, but what I get, if I understand your ramblings, is that here is also a question of IP/mask and remote address 255.255.255.255.
     
  8. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi Jarmo P,
    Due to your post, I do remember this, but I am not sure if I remember your first report (on the link posted), or possibly another post you (or others) have made.

    I have seen problems before due to masking of IPs; the latest was with "Online Armor",... as with the early betas of this, it did mask in reverse (a mask of 255.255.255.0 would actually mask as 0.255.255.255 (Note: the error with OA was actually with input of CIDR, which was the default input, and was rectified in the next release after my report of this problem)).

    I will try to find some time to check on this, to see if this is the problem with Kerio2 (with the block of 10.*), but I would have expected anyone putting forward such a rule (within a ruleset) to have checked on such a possible problem.
     
  9. herbalist

    herbalist Guest

    This is a fine example of why it's better to start from scratch with your own rules and not use someone else's. In this instance, the LAN Subnet Bypass 10.x rule doesn't apply to Escalader's system/network whatsoever and would not exist at all if his ruleset wasn't based on someone else's, but causes problems with normal system functions. In the amount of time it's taking to learn and modify the premade ruleset, a user could have made their own.

    I also have a lot more testing to do on this issue. So far, I've duplicated the problem with a 98SE testbox using DHCP to get its IP from Smoothwall. So far, the problem is limited to network/mask rules. When I converted that rule to an IP range, it didn't interfere.

    Escalader,
    There's nothing in your home network that's going to require network/mask rules to control properly. I suggest that you delete or at least disable any network/mask rules that don't directly apply to your system. Convert those that do apply to single IP or IP range format. I'd also suggest that you consider starting a new ruleset from a clean slate.
    Rick
     
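    The point Stem and Rick make above is that a correct network/mask test compares (address AND mask) with (network AND mask), so 255.255.255.255 can never fall inside 10.0.0.0/255.255.255.0, and that a network/mask rule can be rewritten as an IP range when the filter's mask handling is suspect. The following is an added example (not Kerio's code and not from any poster) that implements the correct test, models the reversed-mask behaviour Stem saw in the Online Armor beta to show how it silently breaks matching, and converts a network/mask rule to the range Rick recommends:

    ```python
    import ipaddress


    def mask_to_prefix(mask):
        """Convert a dotted mask such as 255.255.255.0 to a prefix length (24).
        Rejects non-contiguous masks, which a packet filter should never accept."""
        bits = int(ipaddress.IPv4Address(mask))
        prefix = bin(bits).count("1")
        if bits != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
            raise ValueError(f"non-contiguous mask {mask}")
        return prefix


    def in_network(addr, network, mask):
        """Correct network/mask test: (addr & mask) == (network & mask)."""
        a = int(ipaddress.IPv4Address(addr))
        n = int(ipaddress.IPv4Address(network))
        m = int(ipaddress.IPv4Address(mask))
        return (a & m) == (n & m)


    def in_network_reversed_mask(addr, network, mask):
        """Model of the defect Stem describes: the mask octets applied in reverse
        order (255.255.255.0 behaving as 0.255.255.255). Hypothetical model, not
        the real code of any product."""
        reversed_mask = ".".join(reversed(mask.split(".")))
        return in_network(addr, network, reversed_mask)


    def network_to_range(network, mask):
        """Rick's workaround: express a network/mask rule as an explicit IP range."""
        net = ipaddress.IPv4Network(f"{network}/{mask_to_prefix(mask)}", strict=False)
        return str(net.network_address), str(net.broadcast_address)


    if __name__ == "__main__":
        # The rule under discussion should block 10.0.0.0-10.0.0.255 and nothing else.
        print(network_to_range("10.0.0.0", "255.255.255.0"))
        print(in_network("255.255.255.255", "10.0.0.0", "255.255.255.0"))
        # With a reversed mask a LAN address no longer matches its own LAN rule.
        print(in_network_reversed_mask("192.168.1.50", "192.168.1.0", "255.255.255.0"))
    ```
    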
  10. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hello Thread posters and lurkers and readers!

    Hi Rick, a way back this post was made, I proceeded with the advanced BZ's as a base since the way I learn best was from a model. It has taken 2 months but the goal was not just to get me a rule set for me. But for others to learn with us. The error I made was not adapting the configuration generics first! At the beginning I could not have made one single rule never having seen one before. Now, yes I can write rules with ease ( well relative ease) I have often said I'm a slow learner, now I've proved it!

    https://www.wilderssecurity.com/showpost.php?p=1077550&postcount=50

    Isn't it a good thing that this problem has been exposed, in spite of the delay in my rule building? Take your time on the testing, the problem has been there a while and can wait a bit, IMHO:D

    Okay, Rick for now I'll find them and disable them.

     
  11. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Stem/Rick:

    I have had all my network/mask rules disabled for a few hours now.

    This is the only log entry I have now.

    Is this a different item? or one I missed?
     
  12. herbalist

    herbalist Guest

    Stem can probably define this IP better but here goes.
    When 0.0.0.0 is a local address, it's your default network. Not the components that make up your LAN, which have their own IP(s). This IP is internal to your computer.
    When 0.0.0.0 is used for a remote address, it refers to an unknown address. See http://www.howstuffworks.com/question549.htm

    That log entry is also DHCP traffic. The port numbers show that, assuming yours is a clean system.
    I took these screenshots from the test box I'm using for this. These might give you a better idea of the traffic involved in DHCP. Here's the Ipconfig data being used. I used a lease time of 2 minutes so there'd be no need to manually release/renew.
    ipconfig.gif
    I allowed all outbound DHCP traffic but blocked all inbound in order to get windows to use broadcast when it didn't get a response to a direct DHCP request. Both permitted and blocked traffic is logged, as are the resulting ICMP connection attempts (router solicitation). This was done using 98SE so there are some differences, the process name for one, and the addition of (null) in the log entries.
    DHCP test rules.gif
    The IP address, 192.168.1.10, used in both the DNS and DHCP rules is the LAN side or gateway IP of Smoothwall for this test setup. The IP address and both the local and remote ports were specified using the "Customize Rule" interface for each prompt.
    DHCP log.gif
    After 4 attempts to connect to Smoothwall's IP (responses were blocked), Windows made DHCP broadcasts (responses also blocked). The traffic originating at 0.0.0.0:68 did not appear until after 5 DHCP broadcasts. These do not originate at the router or hardware firewall but from Windows itself. I verified this by unplugging the ethernet cable from the PC and repeating the test with no other hardware hooked up.

    When all outbound DHCP connection attempts failed to get a response, Windows tried to locate routers using ICMP type 10 (router solicitation). The IP 224.0.0.2 is used for this purpose, referred to as multicast, explained better here. The ICMP packets originating at 169.254.xxx.xxx are also originating from within your PC. The last 2 number groups vary. They're assigned by Windows itself when it can't get a real IP via DHCP. Also called Link-local addresses. More info here.

    Hopefully this will help explain some of the DHCP related entries in your logs and how the rules interact. The best way to deal with this issue is to assign a static IP to both PCs and not use DHCP at all. It's very straight-forward once you do it a couple of times.
    Rick
     
  13. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Basically, this will be another PC on LAN making DHCP boot. (the blocked packet is inbound).

    A DHCP_boot packet:-

    boot_dhcp.GIF
     
  14. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Rick:

    Thanks, when you say assign a static IP to both PCs you must mean on the LAN side, not the ISP/WWW side, since those rotate and are beyond my control.

    Where do I read up on how to assign a static ip or is that during configuration time ?

    Is the attached jpg setup right? I've seen MS Networking allow MS Net Trusted

    192.168.1.0/255.255.255.0

    With this in place, what happens? Does this disable the mask rules? Or is it even related?
     
  15. herbalist

    herbalist Guest

    I've never used the Microsoft Networking options. It's mainly for file and printer sharing. Unless you actually need it, I'd leave it disabled.
    Yes, I was referring to your LAN. With just 2 PCs, you don't need dynamically assigned IPs. To use static IPs, you need to configure both PCs and the LAN side of your router. The manual for your router has the info you need. If you don't have a copy, it's available here as a PDF. The info you need starts on page 18, accessing the router configuration with your browser, and continues on 22 and 23, network setup. Your router is configured to use DHCP by default so you'll need to disable it. It's up to you what IPs you want to use and doesn't make that much difference what you choose, as long as you use IPs that are in the private IP ranges. These include:
    10.0.0.0 – 10.255.255.255
    172.16.0.0 – 172.31.255.255
    192.168.0.0 – 192.168.255.255
    The default local IP for your router is 192.168.1.1, with a subnet mask of 255.255.255.0. If you use these settings, the IPs available for your PCs are 192.168.1.2 thru 192.168.1.254, more than enough for a home network. 255 is reserved for broadcast. Only the last octet or 3 digits change when used with a subnet of 255.255.255.0. The first 3 octets have to be the same for all IPs on a network with this subnet mask. If the subnet mask was 255.255.0.0 instead of 255.255.255.0, the last 2 octets of the IPs could change. This would make all the IPs from 192.168.1.1 thru 192.168.255.255 available, a much larger network than you'd need.

    Write down the local IP you select for your router. You'll need it when you configure your PCs. To set static IPs with WinXP, refer to these images.
    Set_static_IP_XP_Fixed.png
    For your network adapter, select "Internet Protocol TCP/IP", then "properties". This will bring you to the image on the right. Select "Use the following IP address". Enter the router IP you wrote down in the "default gateway". Use the same subnet mask that you used in the router settings. Then choose an IP address that works with the default gateway IP and the subnet mask. If you used the default settings, 192.168.1.1 for the default gateway and 255.255.255.0 for the subnet, the IPs of the PCs can be anything from 192.168.1.2 thru 192.168.1.254. Use a different IP for each PC. Then enter the IP(s) of your DNS servers. Then click "OK". Reboot if prompted.
    Rick
     
  16. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    Dear Escalader, the so-called teaching threads. They change to more like teaching you only, if I may say so?
    That said, you brought out something with your questions and the paranoia you have that others would have just dismissed. That is good.
    Kerio 2's mask handling. You learned after all.

    Still, I say something. Without the rules shown that you use with Kerio 2.1.5, this thread is pretty much useless for anyone wanting to learn how to write their own rules. BlitzenZeus did a great service with his rules that are suggested as a replacement for the default ones. Your rules have not been seen; even as a student you are not able to show them to get some criticism from readers who are still reading this! So where is your contribution to the learning thread? Mistakes and all revealed? I just have to ask.

    I just want to say about teaching: this thread, almost none. Sorry Rick et al., you did the best you could, but this thread has gone astray; it is something no newbie can learn anything from.
    Jarmo
     
    Last edited: Oct 12, 2007
  17. herbalist

    herbalist Guest

    It would help the thread if the rules were visible. A big part of optimizing firewall rules is matching them to your internet service. As long as the sensitive or personal info, (such as your real IP, the IP of your e-mail, etc) is obscured, I don't see a problem.
    Rick
     