How to Optimize Security in Kerio 2.1.5 - Learning Thread 3

Discussion in 'other firewalls' started by Escalader, Aug 8, 2007.

Thread Status:
Not open for further replies.
  1. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    OK.

    We will need to go through all rules, for example:-

    DHCP: are you actually using this, or have you fixed your IP?
    In time exceeded: This reply will not get past your AlphaShield
    LAN bypass: I thought you wanted to keep the LAN as internet?
    etc. etc.
     
  2. herbalist

    herbalist Guest

    Stem,
    Regarding
    I don't know the specifics of the network that Escalader is using, how may PCs, hardware firewall, static or dynamically assigned IPs, etc. Since you've already been working with Escalader on this, I didn't want to duplicate and probably undo the work you've already done.
    Rick
     
  3. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Stem:

    1) Please see the attached 2 JPGs I promised last night
    2) My IP comes from the ISP and stays fixed for up to say 2 to 3 weeks
    3) Even though it makes more work I want to assume that the AlphaShield may not always be in use! If I want to do a scan or it fails then the FW will catch what it needs to catch! Maybe I'm crazy. But like we said trust nothing
    4) I do want to keep the LAN / router as internet, in services DHCP is set to automatic, should I disable this service or set it to manual in case needed when my IP address does change. Maybe I'm confused again!:oops:

    Fire away guys! Show no mercy!:cool:
     


  4. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Your external IP (issued by your ISP) will be obtained by your router, this will renew when needed (any settings for DHCP on your PCs will not alter this). Your PCs on your LAN will obtain their IPs from the router (if the PC is set for this).

    Let's have a quick look through your rules:-

    I will just go through the "allow" rules.

    Microsoft office: I don't use this, so the rules mean nothing to me. If you are using this, then I presume you know what these connections are for?

    DNS: Normally, I would enter the DNS server IPs into the rule. But for you, it would depend if your DNS servers are fixed (do not change)

    LAN subnet bypass: You should disable or remove this rule (as you want to keep your PC isolated from the other PCs on your LAN).

    Standard loopback: Not really a problem to allow this, unless you are using any sort of local proxy (such as for example the HTTP scanner in KAV)

    DHCP: This is to obtain the IP for your PC (private LAN IP) not the IP from your ISP. It's not really an issue to use DHCP on your home LAN, so if your PC is set up to obtain an IP automatically, then you can leave this

    In Time Exceeded: As you have already blocked outbound "ping", this rule will not be used. You can disable it.

    Windows logon: Are you actually using this? Some info

    Generic host process: You need to look at this. The rule is allowing all outbound. You have a rule in place to allow DHCP and DNS. I presume your main need for this would be for windows updates?

    Application Layer Gateway: This is basically an FTP client. You should not even need this process/service, I would certainly (at minimal) disable this rule.

    Reply from NTC service: Windows time sync. Leave if you use this.

    Microsoft help centre: Do you use windows help? If you do, do you want it connecting to microsoft each time?

    Firefox/IE: I personally restrict these to the remote ports needed, but this is up to yourself.

    The rest of the rules are mainly for your software updates. So I will leave these, apart from the:-
    Sysinternals process explorer: As this is now part of microsoft, do you know where this is connecting? I am not sure why this needs to connect out
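    The review above boils down to three mechanical checks: an "allow" rule that names no remote address and no remote port (the Generic host process point), a LAN bypass rule that contradicts the goal of keeping the PC isolated from the LAN, and an inbound ICMP "time exceeded" rule that can never match once outbound ping is denied. The script below is an added example, not Kerio's code: Kerio 2.1.5 keeps its rules in its own configuration file, so the rules here are a constructed, simplified representation (the `Rule` dataclass, the `lan-subnet` label and the sample ruleset are all assumptions), and `audit()` applies those three checks to it.

```python
"""Audit a simplified personal-firewall ruleset with the checks Stem applies by hand.

Added example, not Kerio's code or its rule-file format. The Rule fields and
the "lan-subnet" address label are assumptions made for this illustration.
"""
from dataclasses import dataclass

ANY = "any"


@dataclass
class Rule:
    name: str
    action: str                 # "allow" or "deny"
    direction: str              # "in", "out" or "both"
    protocol: str               # "tcp", "udp", "icmp" or "any"
    remote_addr: str = ANY      # "any", a single IP, or a label such as "lan-subnet"
    remote_port: str = ANY      # "any" or a port number as text
    icmp_type: str = ANY        # "echo-request", "time-exceeded", ... for icmp rules
    enabled: bool = True


def audit(rules, isolate_from_lan=True):
    """Return (rule name, finding) pairs; disabled rules are ignored."""
    findings = []
    active = [r for r in rules if r.enabled]

    for r in active:
        # Check 1: an allow rule with no remote address and no remote port lets the
        # program talk to anything, which is Stem's objection to "Generic host process".
        if (r.action == "allow" and r.protocol != "icmp"
                and r.remote_addr == ANY and r.remote_port == ANY):
            findings.append((r.name, "allows any remote address and port; "
                                     "restrict it to the hosts/ports the program needs"))
        # Check 2: a LAN bypass rule contradicts keeping this PC isolated from the LAN.
        if isolate_from_lan and r.action == "allow" and r.remote_addr == "lan-subnet":
            findings.append((r.name, "LAN bypass is enabled but the PC should be "
                                     "isolated from the LAN; disable or remove it"))

    # Check 3: once outbound echo requests (ping) are denied, nothing can provoke an
    # ICMP "time exceeded" reply, so an inbound allow rule for it is dead weight.
    ping_blocked = any(r.action == "deny" and r.protocol == "icmp"
                       and r.icmp_type == "echo-request"
                       and r.direction in ("out", "both") for r in active)
    if ping_blocked:
        for r in active:
            if (r.action == "allow" and r.protocol == "icmp"
                    and r.icmp_type == "time-exceeded"
                    and r.direction in ("in", "both")):
                findings.append((r.name, "never matches because outbound ping is "
                                         "denied; disable it"))
    return findings


# Constructed sample ruleset, modelled on the rule names discussed in the thread.
SAMPLE_RULES = [
    Rule("DNS", "allow", "out", "udp", remote_port="53"),
    Rule("DHCP", "allow", "both", "udp", remote_port="67"),
    Rule("Block outbound ping", "deny", "out", "icmp", icmp_type="echo-request"),
    Rule("In time exceeded", "allow", "in", "icmp", icmp_type="time-exceeded"),
    Rule("LAN subnet bypass", "allow", "both", "any", remote_addr="lan-subnet"),
    Rule("Generic host process", "allow", "out", "any"),
    # Disabled rules are skipped, as Stem suggests doing with Application Layer Gateway.
    Rule("Application Layer Gateway", "allow", "out", "tcp", remote_port="21", enabled=False),
]


def flagged_names(rules=SAMPLE_RULES, isolate_from_lan=True):
    """Sorted names of the rules the audit complains about."""
    return sorted({name for name, _ in audit(rules, isolate_from_lan)})


if __name__ == "__main__":
    for name, why in audit(SAMPLE_RULES):
        print(f"{name}: {why}")
```

    Run against the sample ruleset it flags exactly the three rules Stem singled out; with `isolate_from_lan=False` the LAN bypass rule is accepted, matching the earlier question of whether the LAN is to be treated as internet or as trusted.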
     
  5. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Stem:

    Right, I'll make those improvements and post back results, will take a while.

    Saw your posts on new PC tools FW so that was interesting.

    More later
     
  6. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hello:

    Been busy elsewhere.

    Turns out the Kerio 2.1.5 has a corrupt driver fwdrv.sys.

    It impacts Windows XP SP2, not Win 98. It causes a BSOD stop when running the PerfectDisk defrag program.

    I have replaced it with Sunbelt Personal FW on a 30 day trial.

    It allows the import of the saved rules from Kerio plus a HIPS, NIPS and Behavior Blocking.

    So, we will have to either drop this thread, do nothing or convert it to Sunbelt learning thread.

    Makes no difference to me what is decided.

    If anybody wants to ask me a Kerio question I will try to answer you.
     
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    If you switch to Sunbelt, starting a new thread would be most appropriate.

    Pete
     
  8. herbalist

    herbalist Guest

    I haven't had a problem with Kerio 2.1.5 on an XP box, but none of them used Perfect Disk Defrag either. Too bad this problem didn't show up earlier.
    Rick
     
  9. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Agreed! See PM.
     
  10. InfinityAz

    InfinityAz Registered Member

    Joined:
    Jul 23, 2005
    Posts:
    828
    Location:
    Arizona
    Escalader,

    The issue with PD has been known for a while and Raxco recommends not running Kerio 2.x because of it. This is the only reason I'm not running Kerio 2 on my machines (they all have PD).
     
  11. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    TY:

    Yes, found this out only yesterday from PD.

    It's a slip up not checking with PD and other vendors before proceeding with this learning thread:oops: Why I had to relearn this while working on Kerio FW piece of my layers/component is unforgivable! It will NOT happen again.

    More later on next steps.
     
  12. herbalist

    herbalist Guest

    It's odd that this is only a problem with PD, unless there's others I haven't heard of. I'm not familiar with PD, doesn't run on my box. I just use the Windows defrag. Do you still have Kerio installed or have an image of that setup you can restore? If you do, I have an idea you could try. I won't have access to an XP unit with Kerio on it until late tomorrow, so I can't check if it behaves the same way as it does on a 98 box. On 98, when you shut Kerio down via the tray icon, it doesn't kill the process. I have to use either SSM or Process Explorer to kill the process itself. On XP, you'd probably have to shut down the service. If PD is trying to move files for a process that's still active, that could explain the problem. If you still have Kerio installed or an image of that setup, try killing the Kerio process instead of just shutting it down, then run PD.
    Rick
     
  13. herbalist

    herbalist Guest

    If you make it a policy to make a system backup before installing a new app, you'll always have an easy way to get back to where you started, without having to worry if the uninstaller removed everything. I made that mistake on my primary unit before I had imaging software. An install caused BSODs that wouldn't stop, even after removing the new app in safe mode. It took 114 separate installs of apps, patches, updates, etc to get back what I had. With configuring, it was 2 full days wasted.
    Rick
     
  14. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Rick:

    That 2 days you spent was worse than this for sure.

    I have imaging software and frequent backups but only once had to use it, when a chkdsk /f nearly destroyed my set up. Used the DVD image and bootable CD to bring it back up.
     
  15. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    I've got an XP version of Kerio going now and imported our rules from your version into it, thus preserving our work. The PD driver problem is gone now and it ran fine today. Only thing is I now have 27 days left on the trial version 4.1.3. The higher version has a bug in importing old Kerio rules, so I'm 1 version or so back.

    What now?
     
  16. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    If a disk defrag is having problems with security software as simple as a packet filter, they are doing something wrong. They should be able to fix the problem on their end.

    Pick the software firewall you like, and you can configure correctly. Not the one you need help with every 10 minutes :cool:
     
  17. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    In this case, it is a driver incompatibility not the Disk Defrag. See following data from PD KB

    " Article Title:
    When I run PerfectDisk on my system, Windows crashes.

    Article Details:
    There are only 2 things that can cause Windows to crash:

    A hardware component that may be in the process of failing
    A driver that is improperly written and isn't correctly handling a supported operation correctly
    There are several 3rd party software programs that have drivers that are known to cause Windows to crash when PerfectDisk is run on the system:

    Software Driver Name

    IBM's Rapid Restore ibmfilter.sys - update available from IBM

    EMC/Legato's RepliStor replistor.sys - fixed in RepliStor Version 6

    New Softwares Folder Lock WinDrvNT.sys

    Hide Folder HF30XP.sys

    Universal Shield/Lock Folder US30XP.sys - update available from Everstrike

    BitDefender/FileSpy filespy.sys and bdfsdrv.sys

    Kerio Personal Firewall fwdrv.sys - update available from Kerio

    INVISUS PC Security Solution fwdrv.sys

    RamDiskXP ramdiskxp.sys

    WinAntiVirus PRO fopn.sys


    Please check to see if you have any of the listed programs installed on your computer and click on the appropriate link above for suggested workarounds or bug fixes from the program manufacturer. "
     
  18. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    Blah blah blah, if they are having problems with so many companies software, they have a real problem, and just telling you not to run it is not the answer.
     
  19. herbalist

    herbalist Guest

    I've never used 4.1.3. I have no idea how it compares to 2.1.5, what additional components/functions it contains, or how functional it remains after the trial period. I'd hesitate to use a firewall that is partially crippled trialware as the non-functional features could still conflict with other functional software that performs the same tasks. If it were my PC, I'd try to find a way around the conflict with PD so I could keep using 2.1.5.
    Rick
     
  20. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Rick/BlitzenZeus:

    I agree with you guys. I don't like this 4.x stuff they have other duplicate shields and will charge us for a FW. :thumbd:

    I'm moving back to 2.1.5, I'll import BlitzenZeus's rules and rebuild my rules from scratch.

    See you both later!

    Live and learn.


    Update:

    2.1.5 reloaded, BlitzenZeus's rules imported, all daily applications working so far fine!

    Will now start adding applications to allow / not , then I will reinsert the Stem network advice then the Herbalist advice.

    BlitzenZeus, what's the real story on this fwdrv.sys from 2003? I've seen a lot of "data" on it being an issue!
    Do you have it on your setup or is there an upgrade somewhere?
     
    Last edited: Sep 14, 2007
  21. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    So you did not have your own ruleset to come back with saved?

    Kerio 2.1.5 is one of the easiest firewalls to reinstall. Uninstalls easy in my experience too and I always come back to it after getting disappointed with others (Sygate is ok though kind of, if accepting the loopback address shortcoming with local proxy software and default act as server right).

    I might try Comodo's 3 when it comes out of beta to see if basic firewall functions are improved from 2.4. Quite sure though that I will be disappointed, again, lol. Not to mention what to do with my current HIPS's PG free and Prevx2.

    Jarmo
     
  22. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Have stayed with Kerio 2.1.5 since Windows 98 days when that system was all we had along with NT & Me.

    It's an almost perfect firewall with reliable results time and again. The longevity of it over all this time and over ALL others proves this out.
     
  23. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hi Jarmo! Good you are still posting! My comments are embedded in your post as usual. - added proper quoting

    Yes, I did have my own rule set(s) on a USB stick! But I wasn't that proud of them they were my first Kerio rules and I built them over many weeks sometimes getting confused. So I wanted to start with BlitzenZeus's advanced rules as a base follow his off line install procedure for what was known about my set up. I am now going back over all advice in this thread from post 1 up and rethinking then making changes in my rules as required!

    Agree with you as others have disappointed me as well. I don't know anything about Sygate but that is OT most likely for mods.

    Agree again, my posts over there speak on their own. Don't think vendor should design FW's by polling users that know less than I do!:eek:

    What defrag do you use with Kerio 2.1.5?
     
    Last edited by a moderator: Sep 17, 2007
  24. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hello Easter! Mine are embedded. - added proper quoting

    Good! Are you running Kerio 2.1.5 with XP sp2? What defrag program are you using?

    Hmm you are right no software is perfect. Can you tell the thread about its flaws and if known the ways you may have mitigated for them?

    If that is not what you want to do on open thread I understand there is always PMs!
     
    Last edited by a moderator: Sep 17, 2007
  25. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hello Escalader,
    You should, with the amount of firewalls you have looked at, be at a stage of being able to create your own ruleset.

    Complete rulesets are normally generic, and based on the needs of many users. You have your own needs for Internet use, so show this with your own ruleset.
    Start with system apps, then updaters, then your browser.

    Regards,
     