Kerio 2.1.5-XP SP2-browsers ONLY require 127.0.0.1 rule to access internet ??

Hello all, 1st post. Here goes.

I was setting up my daughters Acer Aspire 5000 series notebook with Kerio 2.1.5, after doing a fresh operating system install with the recovery discs, with Win XP SP2. I downloaded all the critical updates and avoided IE7 (after inadvertently installing it last time ). I've used Kerio for many years now on Win98, WinME, and W2K on multiple computers in the house, but this was my first time dealing with WinXP.

Starting with the default rules, I let the learning mode do it's thing to get it all started. What I noticed though, with the browsers (IE6 and Firefox), was that KPF only prompted for access to loopback 127.0.0.1 and I set the IP as 127...etc.. No other prompting occurred for another outbound rule with IP address and ports. This is different than on W2K, where the loopback rule is set-up as generic, but the browsers still require a separate rule for outbound TCP where all ports and IP addresses can be specified for tighter control.

The laptop is connected out by wireless, using windows to manage it, and out through a Motorola Router which handles the household LAN. I tried with and without the Windows firewall activated and made sure ICS wasn't on. I disabled DNS caching, disabled LMHosts lookup, tried all the settings available for Netbios, and disabled ALG service as well as others to try to change the behavior.

As a note, the latest Windows Live Messenger requires a separate outbound and inbound rule for TCP/UDP, so it works differently from the browsers

I've searched for days for articles about this, but nothing

IS this normal for XP or is there something strange about the Laptop's set-up? If normal, does this mean that KPF 215 isn't really well "imbedded" in XP, and perhaps not well suited? I would like to be able to restrict local ports and remote ports, but as it is now, things are wide open.

For anyone wondering, disable your outbound rule( if you have one) and (keeping the loopback rule intact), see if you can still surf unimpeded.

 

I think you are using a software that creates a local proxy. For example many antivirus do that for HTTP scanning. It's not related to WinXP or Win2000.

 

thanks for the reply ggf31416,

I was feeling that was what the behavior is like as well, but thought it was XP itself. I have Avast Home free version installed. Does Avast do this? Guess I'll have to start uninstalling programs to see what is doing it. There is not much installed though because it was a recent install. I don't have the laptop here at the moment but I could post a shot of the installed programs when it's here next. There are some Acer programs that are installed by default.

I've got Avast installed on WIN ME (dual boot on this computer), so I'll check if it is behaving the same way and will report back.

 

Probably the easiest way is to check the application rules. Could you post a screenshot of them?

 

Yes, it does.
See http://www.avast.com/eng/webshield_issues.html

 

You've hit a home run ggf31416.

I was playing around in my Win ME system. Initially the browsers required the standard rule in KPF for outbound access. This is because Avast does not support the "Transparent Proxy" in 98/ME, and requires a manual setup to function per this article http://support.avast.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=22

After following this manual proxy setup in Firefox, KPF prompted for a new rule for "avast! Web Scanner" (TCP out,port 80, ashwebsv.exe). Disabling the previous standard rule for Firefox access did not stop it from working, which mirrors my "issue" in Win XP.

It looks like the local and remote ports can be setup for the avast rule for tighter control, similar to the old browser rules, at least in Win ME. I can't recall now though whether there is an avast rule in XP, maybe not since it is "transparent". That would not be good if ashwebsv.exe is hijacked and phoning home to a non-standard port. I'll be checking next time the Acer is home with my kid.

At least now I know what's up. That was bothering me. Hope this thread helps out some other folks. Thanks ggf31416.

 

Appreciate the reply wat0114. Looks like the answer is solved though; Avast is doing it....not that that is a bad thing, or is it? Have to weigh the pros and cons of the web scanning feature vs possible non-detected outbound attempts in XP; however, I have to confirm that there is or isn't an avast rule that can be modified yet in XP.

If someone already knows please comment.

 

Transparent means you don't need to configure the browsers manually, but you still have the rule allowing outbound connections for the web shield executable and the browsers connecting to localhost.
Be aware that IIRC the e-mail scanner uses a local proxy as well.