Firewall prompts that I don't get... (Kerio 2.15)

Discussion in 'other firewalls' started by cochese, Mar 8, 2005.

Thread Status:
Not open for further replies.
  1. cochese

    cochese Registered Member

    Joined:
    Feb 25, 2005
    Posts:
    13
    I'm sort of new to this rule making biz, and so I'm not entirely sure what to do with these prompts. I made my rules up by reading/looking at examples, and from what I understand they should be good default rules, but I'm still getting these prompts (all are Windows services, I believe).

    I've cut & pasted each prompt...and then I included a picture of my rules so everyone can see what I have & what I may be missing. Maybe someone could be so kind to tell me how to fix or make a new rule to solve the issues (I'm trying to have as few rules as possible).

    #1: 'Generic Host Process for Win32 Services' from your computer wants to send UDP datagram to 239.255.255.250, port 1900
    ...I solved this by turning off UPnP...or I think I solved it.

    #2: Someone from 192.168.0.1, port 1900 wants to send UDP datagram to port 1900 owned by 'Opera Internet Browser' on your computer
    ...this is from my router, but I don't get what it's doing, and why my current rules aren't taking care of it

    #3: Someone from home4.bellatlantic.net [151.197.0.39], port 53 wants to send UDP datagram to port 1026 owned by 'Generic Host Process for Win32 Services' on your computer
    ...what's svchost.exe up to here? I have Verizon DSL, which is what I figure the IP is coming from...again, I don't get it.

    Also, as one last thing...I have a SSDP rule, but then I just figured, why not turn this service off (which I did, because I was still getting prompts)...so is there any need for the rule (maybe just to be safe?).

    Thank you very much!
     

    Attached Files:

  2. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    Problems #1 and #2 are related to UPnP in XP. Run services.msc to disable SSDP and Universal PnP and you can get rid of the SSDP rule as well.

    Problem #3 is a DNS lookup. Take 192.168.0.1 out of your DNS rule and use "any" address until you know the address of your DNS servers. Run ipconfig /all at a command prompt to get this information.

    Get lots of caffeine, it is one of the 5 major food groups:
    Burgers
    Pizza
    Chocolate
    Caffeine
    Alcohol :)
     
  3. cochese

    cochese Registered Member

    Joined:
    Feb 25, 2005
    Posts:
    13
    Thanks for the quick reply Diver.

    I have disabled the UPnP and SSDP services in services.msc...and I'm still getting those prompts. Should I have a blocking rule? I'm new to Kerio so maybe I'm supposed to set one of my current rules as log only...I don't know.

    The only service still enabled is regular Plug & Play.

    I run through a router, so I thought I wasn't supposed to put in a specific DNS. If I do ipconfig /all (which I already did) it just lists my router.
     

    Attached Files:

  4. tiluid

    tiluid Registered Member

    Joined:
    Nov 9, 2004
    Posts:
    41
    Location:
    Bulgaria -> Sofia
    Out of the topic.

    Hi cochese!
    Just one out-of-the-topic question: How did you manage to show only Command prompt window?

    :oops: :rolleyes:
     
  5. MushfiQ

    MushfiQ Registered Member

    Joined:
    Jan 8, 2005
    Posts:
    131
    Re: Out of the topic.

    Go to Start >> Run >> type cmd in da box :)
     
  6. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    Command prompt window- I think he means how to show just the image. Alt Print Screen
     
  7. tiluid

    tiluid Registered Member

    Joined:
    Nov 9, 2004
    Posts:
    41
    Location:
    Bulgaria -> Sofia
    When you hit Print Screen the file that you paste in Paint shows the whole screen (with task bar, etc.) and it is wide (very big), but cochese's attached image is small and shows only cmd. That was what I was trying to clear up.

    Please forget it!
    I don't want cochese to get mad at me because I am ruining his topic.
    Let's get to the point.

    :) :D
     
  8. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    I've had to eliminate all of the above food groups except caffeine... I refuse to give that one up... :D
     
  9. MushfiQ

    MushfiQ Registered Member

    Joined:
    Jan 8, 2005
    Posts:
    131
    BTW Kerodo & Diver, do u both use Proxomitron & how would I configure that in Kerio...thought if Proxomitron is only needed, haven't tried HOSTS file either.
     
  10. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    I don't use Proxomitron, but I imagine it's like any other proxy software. Try googling for Proxo and kerio or check out BZ's rules at dslreports.com. There are other threads there also relating to proxy and Kerio.
     
  11. cochese

    cochese Registered Member

    Joined:
    Feb 25, 2005
    Posts:
    13
    Yah, this thread is off subject....damn, I've posted this in 3 different forums, and I'm not getting any responses.
     
  12. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    Have you posted in the Kerio forum at dslreports.com cochese? Someone there ought to be able to help you...
     
  13. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    Perhaps you have been there already, but I would try the kerio support forum at DSL Reports. Honestly, I used to have the port 1900 problem but got rid of it by turning off the UPnP services. Is your router UPnP compatible? Try turning off that feature.

    Just why your router does not pass through the addresses of the DNS servers is beyond me, because the ones I have used do. 192.168.0.1 is usually the address of the router. See if there are any settings in the router dealing with DNS.

    Sometimes the thing to do is to keep looking at the firewall prompts and see if there is a pattern. Also you can set up fairly broad allow rules with logging enabled to see what is going on.

    As a last resort try rules that will block the alerts and see if things still work. It's crude, but sometimes necessary.

    Don't disable regular Plug and Play, it will probably break your OS.
     
  14. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Check your router configuration for UPnP options.

    Regards,

    CrazyM
     
  15. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Does your router (in its configuration) list your ISP assigned DNS servers?

    Regards,

    CrazyM
     
  16. cochese

    cochese Registered Member

    Joined:
    Feb 25, 2005
    Posts:
    13
    Thanks for the help everyone. I had also posted this question over at DSLreports Kerio forum...but there's one fella there who has replied (a few times) with such an attitude. ...and he doesn't seem to fully know what he's talking about.

    I had turned UPnP off...in XP...not thinking to check the router. I did that, and since then, I haven't had that prompt on port 1900.

    As for the DNS thing...I was stumped by it too (because my router does have the 2 servers Verizon uses listed). The smartass at DSL reports is hell bent on it being messenger spam, but I have disabled that windows service. I haven't had that prompt again...yet. Say, if I set a rule for each DNS server, will it work? (rather than have the rule to my router?)

    One other question...I noticed in the router config an option to stealth pings from the router side. If I enable this, will it make me unpingable, even if I wish to be (make a firewall rule for it)? Might be a silly question, but I dare to ask it! :)
     
    Last edited: Mar 9, 2005
  17. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    I would enable the stealth pings option. It causes your router to not respond to unsolicited pings.

    DNS is one of those things that if it is not working correctly you will not be able to do much.

    I would try using both the addresses that ipconfig gives you and the ones listed in your router. Eliminate one or the other to see which is essential. Block all the other traffic to and from remote port 53 to eliminate the messages from the firewall.
     
  18. ghost16825

    ghost16825 Registered Member

    Joined:
    Feb 1, 2005
    Posts:
    84
    I take it he/she is referring to me in both cases.
    The original thread so all readers can read it and create their own opinion is located at http://www.dslreports.com/forum/remark,12855267~mode=flat
     
    Last edited: Mar 10, 2005
  19. cochese

    cochese Registered Member

    Joined:
    Feb 25, 2005
    Posts:
    13
    I'm not too proud of a man to admit I was wrong posting that message here. You got under my skin, and I reacted. I don't back away from thinking you were snide & in a way condescending in your reply, but I should have kept it out of this place. I would delete it, but then I don't want to appear to be hiding from it...ya know?

    ...and you obviously know your stuff...
     
  20. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    cochese-

    If you don't bug Ghost, he might have some time to spend on the Kerio - Like project, which is something a lot of us want.

    It helps to maintain sort of a thick skin in internet forums, or you will go nuts over very small things.
     
  21. MushfiQ

    MushfiQ Registered Member

    Joined:
    Jan 8, 2005
    Posts:
    131
    Diver.. I have a question regarding Kerio...to do Windows updates I guess u have to allow svchost; for that I just opened TCP/UDP both with remote port opened 80, 123 & 443...if I have to change something do tell me...cheers :)
     
  22. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    I believe you only need remote ports 80 and 443. Someone correct me if I'm wrong...
     
  23. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    MushfiQ

    For Windows Update you need to open ports TCP 80, 443 on svchost.exe for outbound. The easy way to do it is allow for any remote address (actually necessary if you use automatic updates because sometimes non-Microsoft ranges are used). With SP2 the Windows Automatic Update service must be set to automatic, even if you do not use automatic updates, or else Windows Update will complain.

    UDP port 123 is for the Windows Time service. This rule is both ways with port 123 on both ends.

    Check out the kerio support forum over at DSLR. If the search function is working (sometimes it is broken) you will be able to find almost anything dealing with Kerio 2.15 over there.
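    The rule logic Diver lays out in posts 2, 17 and 23 (DNS replies arriving from whichever server answered, always from remote port 53; Windows Update on svchost.exe outbound TCP 80/443 to any address; time sync on UDP 123 at both ends; SSDP on port 1900 denied once UPnP is off in XP and in the router) can be checked against the three prompts cochese pasted in the first post. The Python below is an added example written for this page, not Kerio's code and not anything posted in the thread: it parses the prompt text into a connection tuple and evaluates it against an ordered rule list where the first match wins (an assumption about how Kerio 2.x walks its rule list). The Flow and Rule classes, the rule names and the rule table are constructed here. It shows why the bellatlantic.net reply raised a prompt while the DNS rule only named 192.168.0.1, and that the same reply is matched once the remote address is widened.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed input: the three Kerio 2.15 prompts quoted in the first post, verbatim.
PROMPTS = [
    "'Generic Host Process for Win32 Services' from your computer wants to send "
    "UDP datagram to 239.255.255.250, port 1900",
    "Someone from 192.168.0.1, port 1900 wants to send UDP datagram to port 1900 "
    "owned by 'Opera Internet Browser' on your computer",
    "Someone from home4.bellatlantic.net [151.197.0.39], port 53 wants to send UDP "
    "datagram to port 1026 owned by 'Generic Host Process for Win32 Services' on your computer",
]

SVCHOST = "Generic Host Process for Win32 Services"  # how Kerio names svchost.exe in prompts


@dataclass(frozen=True)
class Flow:
    direction: str               # "out" or "in"
    proto: str                   # "UDP" is the only protocol in the quoted prompts
    app: str
    remote_addr: str
    remote_port: int
    local_port: Optional[int]    # the outbound prompt format omits the local port


# Only the two UDP prompt formats that appear in the thread are recognised.
_OUT = re.compile(
    r"^'(?P<app>[^']+)' from your computer wants to send (?P<proto>UDP) datagram "
    r"to (?P<addr>[\d.]+), port (?P<rport>\d+)$")
_IN = re.compile(
    r"^Someone from (?:[\w.-]+ \[)?(?P<addr>[\d.]+)\]?, port (?P<rport>\d+) wants to send "
    r"(?P<proto>UDP) datagram to port (?P<lport>\d+) owned by '(?P<app>[^']+)' on your computer$")


def parse_prompt(text: str) -> Flow:
    """Turn one prompt string into a Flow; raises ValueError on an unknown format."""
    m = _OUT.match(text)
    if m:
        return Flow("out", m["proto"], m["app"], m["addr"], int(m["rport"]), None)
    m = _IN.match(text)
    if m:
        return Flow("in", m["proto"], m["app"], m["addr"], int(m["rport"]), int(m["lport"]))
    raise ValueError(f"unrecognised prompt format: {text!r}")


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                 # "allow" or "deny"
    direction: str                              # "out", "in" or "both"
    proto: str
    app: Optional[str] = None                   # None = any application
    remote: str = "any"                         # "any", a host address or a CIDR block
    remote_ports: Optional[frozenset] = None    # None = any port
    local_ports: Optional[frozenset] = None

    def matches(self, f: Flow) -> bool:
        if self.direction not in ("both", f.direction) or self.proto != f.proto:
            return False
        if self.app is not None and self.app != f.app:
            return False
        if self.remote != "any" and \
                ipaddress.ip_address(f.remote_addr) not in ipaddress.ip_network(self.remote):
            return False
        if self.remote_ports is not None and f.remote_port not in self.remote_ports:
            return False
        # Outbound prompts carry no local port, so that field is only checked when present.
        if self.local_ports is not None and f.local_port is not None \
                and f.local_port not in self.local_ports:
            return False
        return True


def ruleset(dns_remote: str) -> List[Rule]:
    """Ordered rule list built from the thread's advice; dns_remote is the DNS rule's remote address."""
    return [
        # SSDP/UPnP on port 1900: with UPnP off in XP and the router, deny the rest so it stops prompting.
        Rule("SSDP out", "deny", "out", "UDP", remote="239.255.255.250", remote_ports=frozenset({1900})),
        Rule("SSDP in", "deny", "in", "UDP", remote_ports=frozenset({1900}), local_ports=frozenset({1900})),
        # DNS: replies come from whichever server answered, always from remote port 53 (posts 2 and 17).
        Rule("DNS", "allow", "both", "UDP", app=SVCHOST, remote=dns_remote, remote_ports=frozenset({53})),
        # Windows Update: svchost.exe outbound TCP 80/443 to any address (post 23).
        Rule("Windows Update", "allow", "out", "TCP", app=SVCHOST, remote_ports=frozenset({80, 443})),
        # Windows Time: UDP 123 on both ends, both directions (post 23).
        Rule("Time", "allow", "both", "UDP", app=SVCHOST,
             remote_ports=frozenset({123}), local_ports=frozenset({123})),
    ]


def evaluate(flow: Flow, rules: List[Rule]) -> Tuple[str, Optional[str]]:
    """First matching rule wins (assumed top-down order); no match is what makes Kerio prompt."""
    for r in rules:
        if r.matches(flow):
            return r.action, r.name
    return "ask", None


def triage(prompts: List[str], rules: List[Rule]) -> List[Tuple[str, Optional[str]]]:
    return [evaluate(parse_prompt(p), rules) for p in prompts]


if __name__ == "__main__":
    for label, rules in (("DNS rule limited to the router", ruleset("192.168.0.1")),
                         ("DNS rule widened to any address", ruleset("any"))):
        print(label)
        for prompt, verdict in zip(PROMPTS, triage(PROMPTS, rules)):
            print("  ", verdict, "<-", prompt[:60])
```

    With the DNS rule pinned to 192.168.0.1 the third prompt falls through every rule and comes back as "ask", which is exactly the prompt cochese saw; passing the ISP's DNS server addresses (or "any", as Diver suggested while they are unknown) as dns_remote makes it match the DNS rule instead. The two SSDP prompts hit the deny rules either way, so they stop generating alerts without being allowed.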
     
  24. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    Diver - Are you going to try LNS sometime? It's pretty nice... after observing it some more, I actually found its RAM usage down to as low as 1 meg. Pretty amazing...
     
    Last edited: Mar 10, 2005
  25. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    Actually, I have LnS running on my old slow test machine. Monkey see, monkey do. Indeed, it has no effect on the blazing speed of a P3 450 with a whopping 128MB of RAM.

    My comments are limited at this time. I looked at Phant0m's rules, but found them to be a bit complex for my taste, so I am using the enhanced rules supplied by the author. When I have a better understanding of Phant0m's rules I will give them a try. Also, I am working out just how LnS treats its rules, and so forth. It is way different from Kerio in this respect. There are definitely some good features in LnS, and no extraneous stuff.

    I have been reading through the LnS forum to get an idea of what the issues are.
     