How do I block port 135 using KerioPF

Discussion in 'other firewalls' started by node, Aug 12, 2003.

Thread Status:
Not open for further replies.
  1. node

    node Guest

    This new exploit has me in a frenzy; it has affected both of my friends, and I have no idea how to block port 135 using KerioPF.
     
  2. LowWaterMark

    LowWaterMark Administrator

    Joined: Aug 10, 2002 | Posts: 17,875 | Location: New England

    By default, software firewalls block port 135 along with NetBIOS and other ports and services. Do you have any reason to believe that TCP port 135 is not blocked? If you look in your firewall logs and see block messages for any of the currently occurring port 135 scans, then that'll tell you that Kerio is already blocking port 135.

    Generally speaking, you don't need a special rule to block an unsolicited connection. Firewalls are really supposed to do that by default unless you make a change to allow something in.

    Have you checked your logs to see if the current port 135 scans are listed there as being blocked?
     
  3. node

    node Guest

    I checked my firewall log and did not see anything from port 135. Is there anything else to check such as an online scan?
     
  4. LowWaterMark

    LowWaterMark Administrator

    Before you go to an online scanner, can you answer one other configuration question? Do you also have a router in your network setup? If a router is between you and your ISP modem, there's a very good chance it is protecting you from the scans and they'll never reach Kerio.

    As for scans, well the new GRC scan is a good one. (Click the big "Shields Up" text)...

    http://www.grc.com

    Or, you can try the various scans over at PCFlank...

    http://www.pcflank.com

    If these scans show your TCP port 135 as either closed or stealth, then you are blocking the new tcp/135 scans. If 135 shows as "open" then there is something to be concerned about. Let us know and we can advise further.
     
  5. node

    node Guest

    www.grc.com has confirmed that my port 135 is stealth! Yes, I am running a router with a firewall built in, along with Kerio.

    But for future reference, I would love to know how to block a port using Kerio; if anyone can help, that would be great.

    Thanks for all your help and quick replies LWM!
     
  6. LowWaterMark

    LowWaterMark Administrator

    Ah, that's good. Yes, your router is handling all the inbound scans for you, so you are secured... Very nice.

    Check back in this thread in a couple hours or tomorrow (depending on your time zone), as there are several knowledgeable people here who know both Kerio and most rules-based firewalls, and I'm sure they'll be along in time and can answer your questions.

    In fact, if you have any other questions, maybe you should post them now so when they do pass through, they can answer them all in one shot.

    In the meantime, here is a thread that shows some Kerio rule sets and some discussions of them, which may be of interest to you.

    https://www.wilderssecurity.com/showthread.php?t=11917
     
  7. CrazyM

    CrazyM Firewall Expert

    Joined: Feb 9, 2002 | Posts: 2,428 | Location: BC, Canada

    Hi node

    Using port 135 as an example, you would create a new rule (name it), protocol TCP & UDP, local port 135, remote address any, remote port any, action would be Block, Logging - your choice. You would then place the rule in an appropriate location in your rule set.

    As LWM mentioned, most firewalls' default action is to block what is not permitted. With this in mind, focus on your permit rules.

    With Kerio you could have a final rule to block Any Inbound with logging enabled. This would block and log all unsolicited inbound traffic and the firewall would still prompt you for outbound connections not accounted for in your rules.

    Regards,

    CrazyM
     

  8. node

    node Guest

    Thanks for the reply!

    Is blocking stealthing or closing? If it's closing, how would I stealth a port?
     
  9. CrazyM

    CrazyM Firewall Expert

    Well, I just used "block" in describing the action for the rule (can't recall at the moment if KPF uses the term block or deny in the rules editor). Kerio will stealth your system (it drops = no response to unsolicited packets) unless you have it configured to run on/as an ICS gateway.

    Regards,

    CrazyM
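
The three results discussed in this thread (open, closed, stealth) correspond to three different outcomes of a TCP connection attempt. The following Python check is an added example, not part of the original thread, meant to be run from a second machine against your own PC; the function name, the 3-second timeout and the result labels are choices made for this example.

```python
import errno
import socket
import sys


def classify_tcp_port(host, port, timeout=3.0):
    """Classify one TCP port as 'open', 'closed', 'stealth' or 'unreachable'."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"      # handshake completed: something is listening
    except ConnectionRefusedError:
        return "closed"    # a RST came back: host answered, nothing listening
    except socket.timeout:
        # No reply before the timeout: the packet was silently dropped.
        # This only means "stealth" if the target is known to be powered on.
        return "stealth"
    except OSError as exc:
        # An ICMP "unreachable" message is still a reply, so it is not stealth.
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        raise
    finally:
        sock.close()


if __name__ == "__main__":
    # Usage: python portcheck.py <address-of-your-own-machine> [port]
    target = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 135
    print(f"tcp/{port} on {target}: {classify_tcp_port(target, port)}")
```

Run from another machine on the same LAN, this shows what the software firewall itself does with port 135; a scan from the Internet, as in the thread, is answered by the router before it reaches the PC.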
     