hello,i have a problem...ill post again if i ever work out how to work irfanview. p.s. sorry if ive attached something inappropiate.edit ill try out in test forum
hello,i was hoping someone could help me with kerio 2.1.5 loopback rules.ive just started useing kerio and im not sure if these make sense.ive also had some problems with screenshots so my first shot is here https://www.wilderssecurity.com/showthread.php?t=38751 and my second i hope is attached.in this second shot its mainly the ie udp im not sure about.but if the others look awkward,could you please help?
ronjor,no i haven't tried them,i got the bz standard rules from dsl. i just happened to be here,as hopeful,(other thread) when i thought about posting.when tassie devils,bigc73542 and paul wilders replied to my mindless test tread.it took me about 2 hours(look at the times)to post those two sreenshots,im not sure ill manage doing that two more times.i will if i have to though.thanks
Ice, Don't despair; we do have very knowledgeable Firewall Moderators. You're issue will be addressed for sure . regards. paul
Hi, iceni60, I have used kerio 2.1.5 for years now, and I feel myself confident with rule creation and ordering. I can not fully understand what your problem is. Are you trying to set up a good ruleset? I can help you in this, if you confirm it. About the screenshot you posted: mostly it makes sense except for the Block Proxomitron rule which will never be triggered. But this ruleset is not enough, or better said it does not fully utilize the capabilities of kerio. So it can be improved. To set up the ideal ruleset I need to know whether you are using any of: - external HTTP proxy, - DHCP server providing IP address of the computer (possibly built into ADSL modem) - ADSL modem with built in DNS server - external (hardware) firewall -hojtsy-
thanks,Hojtsy im on a standalone home xp,with dhcp server,im going to get JAP,i dont have a hardware firewall and im on tiscali ADSL PPP.i just reinstall my os because NAV and different ZA's kept on screwing up.i hope this answers your question,and kerio and AVG turn out to be what im looking for.i think i should add that ive only had kerio for a day,and before yesterday i was your average ZA free user,and if you dont see anything dangerous,im happy to carry on creating rules as i start using various programs.ill delete the Block Proxomitron rule.Thanks for your time.
can i ask another question?,i found the cws block addresses,and this is how i blocked the first one is this the right way to do it?in between my programs?im not sure how to give it priority.
For loopback use with Kerio 2.x there are a few configurations you can do, and here is the basic loopback configuration. --Standard Loopback(Subnet configuration)-- Outbound TCP/UDP Local: Any Remote: Network Mask 127.0.0.0/255.0.0.0 - Any Ports Allow No logging, or Alerting --Standard Loopback-- Outbound TCP/UDP Local: Any Remote: Address 127.0.0.1 - Any Ports Allow No logging, or Alerting If you run a software proxy like proxomitron you only want to allow certain programs access to that port on your localhost. It can either be subnet, or the ip address. --Software Proxy Loopback-- Outbound TCP/UDP Local: Any Remote: ADDRESS OR MASK - List of ports: 1-8079, 8081-65535 Allow No logging, or Alerting (Here your software proxy is on tcp 8080, but it should not hurt preventing udp 8080 either. --Firefox(Proxy)-- Outbound TCP Local: Any Remote: ADDRESS OR MASK - List of ports: 1024-5000, 8080(or use Any Port) Allow No logging, or Alerting. If you don't like the idea of a Loopback rule that allows every program to access your loopback you will have to make a rule for every program that would require this. If you had a software proxy on the system you might have to make multiple loopback rules for each program to prevent others from using the software proxy. --Firefox Loopback-- Outbound TCP Local: Any Remote: ADDRESS OR MASK - Any Port Allow No logging, or Alerting. --IE Loopback-- Outbound UDP Local: Any Remote: ADDRESS OR MASK - Any Port Allow No logging, or Alerting. There has been ip spoofing used to send one way packets like for messenger spam so here is a rule to prevent outside packets that look like they are from your localhost. Its very rare to have legit traffic coming from your localhost as the source. --127.x Block-- Inbound Any Protocol Local: Any Remote: Address 127.0.0.1 Block Logging, no Alerting ---------------------------- To address you ip blocking question, the rules in Kerio are processed first to last, aka top to bottom, so make sure that you examine your ruleset so your not blocking other communications, or allowing it by mistake before its blocked. If you don't already use the custom address group, stick those ip addresses in there so you only need one blocking rule for all these addresses.
iceni60, Proxomitron being a HTTP proxy does not use UDP only TCP. The rules you should have for Proxomitron are: 1) Block proxomitron OUTgoing to 127.0.0.0 (TCP/UDP) 2) Allow proxomitron OUTgoing to anywhere (TCP only) 3) Block proxomitron IN/OUT to anywhere (TCP/UDP) 4) Allow browser OUTgoing from 1024-4999 to 127.0.0.1:8080, TCP 5) Allow browser IN/OUT to 127.0.0.1:1024-4999 (TCP/UDP, needed for some silly browsers) 6) Block browser IN/OUT to anywhere (TCP/UDP) The processing order of these rules result in allowing proxomitron only outgoing TCP access to non-localhost addresses. Note that proxomitron does not need any rules to accept INcoming connections from your browser, because for localhost connections Kerio only checks the OUTgoing leg of the connection. (This deffect was inherited from the unix firewall "ipTables", and is present in practically all SW firewalls). Yes I have listed the same block proxomitron rule that I nuked from your config, but with these other rules it makes sense. Also note that if you are using proxomitron you should NOT allow unchecked free communication inside localhost, because then any hostile SW can tunnel through the local proxy, and communicate freely with external servers. -hojtsy-
I also suggest to restrict DNS (UPD:53) and DHCP (UDP:67,68 ) ports to only the specific IP addresses of the DHCP and DNS servers respectively you are using. If you don't know the address of these servers you can peek it, by setting up an Allow rule for it with logging, and alarming. No other IP address should be allowed to send/receive DHCP/DNS to/from you. As you want to enforce these rules also for the trusted apps, you should put these rules quite early in the list. Restricting a port to one address is possible by creating three rules (example): 1) Allow services.exe UDP IN/OUT from any port to MY_DNS_SERVER:53 2) Deny any app UDP IN/OUT from localhost:any to any:53 3) Deny any app UDP IN/OUT from localhost:53 to any:any This clearly restricts the DNS communication to the precise needs. Note that you possibly have two DNS servers, then you need to allow both. I only have one. -hojtsy-
Please see the sticky at the top of this thread dealing with firewall links, the link to my default replacement for Kerio 2x covers all of those
