Configure Kerio 2.1.5 to monitor outbound only?

I have an SPI/NAT router that monitors inbound. Therefore I want to configure Kerio 2.1.5 so that it will NOT monitor any inbound connections whatsoever.

Can someone who is now using Kerio 2.1.5 tell me a rule or configuration whereby I can accomplish this?

 

May I ask why?

Anyway, create a rule like this:
Description= ...(e.g. allow incoming)
Protocol= TCP/UDP
Direction= Incoming
Local endpoint:
Port type= any port
Application= Any Application
Remote endpoint:
Address type= any address
Port type= any port
Rule valid= always
Action= permit

(or if you want to allow all traffic at the protocol choose ANY)

ps.If you do that I would advise you to keep windows firewall activated too, since it has better packet filtering than most home/soho routers.

Panagiotis

 

Uh... well I figured, since my router handles inbound, why let Kerio duplicate its actions? Surely Kerio's surveillance of inbound causes at least a teeny bit of slow-down. Doesn't it? So, if I take Kerio out of the loop on inbound, I'm saving a nanosecond or 2, right? Wrong? Dumb way for me to think?

 

Have not tested it in ages so I cannot really tell.
At least a nanosecond or 2 you will definitly save.

But leave windows firewall on if you do (is more up to date and supports ipv6 too).

Panagiotis

 

As to the Win FW -- you DO know I'm running WinXP SP3 Home edition right? {I also have a fully operational computer running CP/M }

 

Yes, I had XP SP2/SP3 in mind when I wrote to leave it on.

CP/M= ?

Panagiotis

 

There should be no real difference. Kerio filters all packets, in and out. It then uses the first rule that applies. Even with a "permit all inbound" rule, Kerio still checks the packets.

Even with a router, I wouldn't automatically allow all inbound with Kerio or any other firewall, even if there was an improvement. Routers and external hardware attacks are appearing. I seem to remember one that used UPnP and Flash. I doubt it'll be the only one.

 

Not according to the manual.

Panagiotis

 

One of the early OS -- era of the 1970's (when dinosaurs still roamed the earth). I was a whiz at using it. I was also a fairly *dangerous* programmer in Forth. Later... Pascal.

In those days, 8-bits was the deal & 64K of RAM was really really BIG. Programmers wrote VERY compact/efficient code because they HAD to.

 

You are right. Kerio will filter inbound no matter what you do, rule or no rule. There is no way around it.

 

Hi Kerodo,

I didn't know this!

From the Kerio Help File:

Five years ago, several of us ran w/o a firewall to demonstrate that if all ports are closed, nothing can penetrate. (You may remember this discussion at DSLR)

I set things up so that Port 135 was open, hoping to snag the MSBlaster that was still going around. I configured Kerio to permit all traffic, and I logged everything. There were no alerts from Kerio to deny anything, so I assumed that Kerio was not monitoring.

Check here -- maybe my setup was not a valid test!

http://www.urs2.net/rsj/computing/tests/fw_test


----
rich

 

Hi Rich,

Ok, maybe you are right. I thought Kerio would have to filter regardless of what rules were in place, but I didn't realize that without any rules it was transparent.

Yes, I remember running without a firewall, I was one of those people. I actually ran for 2 months or so on Win2k with no firewall or router, just closed all my ports. It was fun, and nothing horrid ever happened.

 

Yes, I remember now, you were one that ran w/o a firewall. There was a regular at DSLR (whose name I've forgotten) who ran w/o a firewall with WinXP. He had some system monitor and no intrusion showed up with all ports closed.

Remember, our ports were *closed* and not *stealthed* which was another point of the exercise.

Yes, it was fun!

----
rich

 

Hi Bellgamin,

noone_particular is correct - even with a "Permit All" rule at the top, Kerio still checks "some" packets.

Here is my ruleset with a "Permit ALL" rule at the top. I've disabled my system rules disabled to test:



Here is my log with Suspicious Packets configured to log, and you can see that even though Kerio lets all traffic through -- trojan ports included! -- it does block what Kerio calls "suspicious" packets.



It's not really an attack, of course "Ack" means ACKnowledge something has been received (or blocked)

You can tell Kerio not to log these (I normally don't log them -- I enabled logging just to test here).

For all practical purposes, Kerio's inbound protection is disabled and I doubt if the Ack Packet garbage is slowing down your system even a nano second!

Outbound protection still works. Here, my DHCP attempting to connect out. With the outbound rule disabled, Kerio alerts:



And my utility to sans.edu with my outbound rule disabled:




----
rich

 

OT, but some history

http://inventors.about.com/library/weekly/aa033099.htm

 

Nicely demonstrated Rmus! MANY thanks for putting so much effort & expertise into this discussion.

The upshot of what I have learned herein is that I shall NOT configure K215 so as to keep it from messing with inbound. Also, I have gained a newly increased respect for K215's ability to be a high-grade firewall for use in 2010, despite K215'2 age & status as abandonware.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

P.S. Does anyone have the history of K215? When it was first released? When it was assimilated by Sunbelt? When discontinued? And so forth?

 

You are welcome, Bellgamin, it was nice to re-visit the inner workings of Kerio 2.1.5

See this article:

Kerio Personal Firewall
http://en.wikipedia.org/wiki/Kerio_Technologies#Kerio_Personal_Firewall

Two things to keep in mind:

1) Kerio will not control IPv6. There doesn't seem to be any consensus as to at what point a Kerio 2 user will be vulnerable to exploits via ports.

2) The general consensus (which you are free to ignore) that you are vulnerable to trojan outbound exploits because Kerio 2 fails most Firewall Leaktests.

Years ago, when the Firewall Leaktests were all the rage, (Leaktests today test more than just the Firewall) and vendors were scrambling to keep their Firewall products updated to contain these "exploits" that the Leaktests demonstrated, Kerio 2 ceased being developed.

However, in one of the on-going threads, I stated that my Kerio 2 passed all of the tests.

"Say what?"

My reasoning was thus: The Leaktest executables simulated the action of a trojan which, once installed, would bypass the firewall's outbound protection.

So, I showed a screen shot of an attempt to download/install one of the Leaktests. It was blocked by my security from downloading/installing, so, I claimed a "Pass" since it didn't get past my firewall:



"Foul Play" was the outcry. It didn't bother me, for if the trojan can't install, why worry about a firewall to catch a phantom exploit?

"What about a drive-by download?"

That was easy to demonstrate. I put the path to the Leaktest executable into an IE exploit:



And ran the code:



Same thing. Leaktest executable blocked, end of exploit.

Depending on the peace of mind your security setup provides you, the Firewall Leaktest thingy is either important, or irrelevant.

CONCLUSION

Many people, including myself, would agree with your assessment of Kerio 2 as "a high-grade firewall for use in 2010, despite K215'2 age & status as abandonware."

regards,

rich

 

As far as I know, Kerio 2 evolved from Tiny Personal Firewall. Version 2.0.15 of Tiny was extremely similar to Kerio. Kerio could even import Tiny's rulesets. I still have a copy of it. The installer is a tiny 1385KB.

Regarding Kerio and leaktests, with properly configured rules, Kerio will pass more of them than the tests would have you believe. Then again, those tests seem to be based on the assumption that the user has one security app and it has to be a firewall. IMO, the tests have been reduced to the role of advertizing gimmicks with little if any basis in reality. Just blocking Internet Explorer will make it pass several of those tests, which tells me that the problem isn't the firewall, it's Internet Explorer. Some of the older tests were very useful for tightening firewall rules. PCAudit2 was excellent for tightening loopback rules. Even if I allow the hook with SSM, Kerio will pass that test provided you have control over loopback (local) connections. IMO, Kerio 2.1.5 will remain viable as long as IPv4 is in use.

Regarding Kerio slowing things slightly, a long time ago when I used some really old hardware and had dialup, I ran several speedtests with and without Kerio, then averaged the results. The results were just slightly faster with Kerio running than without it. The difference was about 2%, barely noticeable. Best I could determine, the results with Kerio were faster because Kerio prevented the unnecessary use of bandwidth by system components like windows explorer, making it all available to the browser. With DSL or better, it would be meaningless (as would any slowdown) but on dialup, the user would probably notice the change.

 

So . . . for WinXP, what FW will match K215's lightness & simplicity, and WILL control IPv6?

By the way, what app generates that "Guard dog on duty" pop-up --- Anti-executable or ?

 

I haven't checked, and am not looking forward to replacing Kerio. Until something comes along to bypass Kerio, I subscribe to noone_particular's view:

Yes, AE - you can customize the bitmap image.

----
rich

 

Huh? I fully expected you to say something nice about Look'n'Stop. (I am leaning toward it at the moment.)

By the way, I have a hard-to-find stand-alone version of Dynamic Security Agent. DSA is a fairly decent replacement for K215 IMO.

 

I've heard nice things about it but haven't tested it, so I'm reluctant to say anything about it.

I've not heard about this.

For both of the above, since you have mentioned them, can we look forward to an in-depth report of your tests?!!

----
rich

 

Hola Rich-sensei,

I am unqualified to test LnS. I have a lot of information about DSA but any all-out discussion could get me busted for going off-topic. Therefore I shall start a new thread for DSA at HERE

 

Just my 5 cents, I'm no expert. A while back I got concerned how LookNstop watches/doesn't local host vs Kerio which does it perfectly
see last 2 posts in this thread if local host activity is important to you as it is to me
https://www.wilderssecurity.com/showthread.php?t=256474