Kerio 2.1.5 and firewall in general

Discussion in 'other firewalls' started by Pedro, Feb 16, 2007.

Thread Status:
Not open for further replies.
  1. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    I’m trying to build my Kerio 2.1.5 rules. Naturally, I have questions…
    I have a router, a D-Link DSL-504. This one has one DNS address configured by some “expert”, but I checked with my ISP, and they give me primary and secondary DNS, and neither of them appears in the router.

    1- Should I change to my ISP’s DNS in the router?
    2- Do I set the DNS in Kerio with the same address as in the router, or point to the router’s address for DNS? I ask this because when doing ipconfig /all, the DNS shows as the router’s address. Windows is on auto; should I change this?
    3- If I change the DNS in the router, with the other PCs on auto, they will connect OK, right?

    I can see some places where these rules may not be right, but this is giving me headaches:

    Why is SYSTEM allowed to open connections (by the way, where’s SYSTEM? o_O)? It’s blocked in my rules :blink:
    And ConfigFree (Toshiba), ALG, ashmaisv.exe?? It’s localhost, but I have no rule!

    What rules need tightening, basically what's wrong here?
     


  2. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    If your router supports DNS caching/DNS forwarding, yes, the DNS should point at the router's address.
     
  3. Mem

    Mem Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    292
    I allow the router to automatically get the DNS from the ISP in case they make changes. Then each PC looks to the router for DNS (DNS relay). If a DNS problem shows up on all PCs, it usually means I need to configure the DNS in the router to an alternative since the ISP is having a problem. Much easier than trying to go to all the PCs to reconfigure.

    On your ruleset - there is a lot to learn on this. The first place to start is the BZ default replacement update: http://www.dslreports.com/forum/kerio . Read through all you can and see how the order placement of the rules affects the firewall and the individual parameters that are needed.
     
  4. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,184
    You are on the right track, though I won't be surprised if you went back to your previous firewall.
    Yes, get Blitzen's ruleset, my recommendation.
    System might be ntoskrnl.exe, but I never knew for sure.
    Just block it.
    For DNS and DHCP it is good to have your ISP servers only.
    Anyway, whatever you do, you are basically blocked from unknown connections and thus safe. Good luck!
     
  5. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    :thumb: I see. Thank you.

    In terms of DNS, it is how it's configured. I'll just change to the appropriate DNS address.
    For one computer though, there's no problem in using another DNS, I guess.
    I forgot about those BlitzenZeus' rules. I'll take a look, thanks :thumb:

    Thank you for that too. I'm not too far from the objective :) .
    Maybe I'll revisit Comodo, but install it on manual, just to see how different it is making rules. When I tried before (before reading about all this in depth...), I was confused. There's a lot of info for Kerio 2.1.5.
    But I won't stop there. I'll look at Sygate and Coreforce too :D . I have to take a peek. Then it's GNU for me, no more of this.

    I just want to "master" these rules a bit, before going to the hardcore OS :D . Then it's iptables and whatnot.

    I now see what's the big deal about Kerio 2.1.5. It's so rudimentary on the surface, but it's SOO cool to tweak the rules. Freakin rocks! And very light.
    There's a project to clone this and update it, called "Ghost Personal Firewall", an open-source project. But I don't know if it's available. I probably won't see it.
    For whoever's interested: http://kerio.sourceforge.net/index.html

    Some Q's remain, for a kind soul to illuminate my path :p
     
  6. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Hello again, a few more Qs, besides the ones above:

    BlitzenZeus has a rule for loopback, where he allows it for everything: apps, ports, any. It basically skips loopback. I understand what it's meant for, but I didn't know it's perfectly OK to allow it in general. Is it just safe?

    2 rules appear to be redundant; can you explain why they're not, since obviously I'm missing something? They are the DHCP broadcast, and Unrestricted DHCP (log). The first looks redundant o_O

    OK, I guess I'd go on all night. Is there a place where he explains the reason for each rule, or some of them?

    the rules: http://www.dslreports.com/forum/remark,8023708

    TIA o_O
     
  7. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    You can't just look at the rules, you have to actually read the information provided with the rules, I didn't type out all that text as filler :cool:

    All this is included on the page you have linked to.


     
  8. EASTER.2010

    EASTER.2010 Guest

    You can sure say that again. :cool:

    It is so very COOL! and has been so super effective for me for years since I dumped bug-ridden ZA for it, that I went right back to it after installing the whole darn KIS6 Suite which has its own firewall of sorts. Yep, that's a roger alright, Kerio 2.15 works in tandem with it and there are absolutely no conflicts whatsoever with the 2. Who says you can't have 2 firewalls without problems? I beg to differ with that now. Neither one gets shortchanged or suffers any overlap, and stable as can be.

    Aside Note: I had to uninstall COMODO only after one week and a half of enjoying it. It's a rock solid firewall I suppose, but it meant more to me to brace my system structure with ANY Anti-Virus that would not give me issues, and I finally found that with Kaspersky, thank goodness. Oh yeah, plus the bonus of not having to abandon Kerio 2.15 either. It has served my units very successfully: 98SE and Win XP Pro.

    Best Of Luck With Kerio For You!! IT DOES ROCK!!!
     
  9. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,184
    I see you are an Avast user. In this thread are my rules for Avast, taking care of those local proxies. There are other solutions, but this uses the global loopback rule.
    http://www.dslreports.com/forum/remark,16592654

    Now running Antivir, so my ruleset is a bit shorter now. hehe.
    Remember to save your ruleset from time to time.

    Regarding the DHCP broadcast rule, I don't have to use it. It may be a bug in Kerio 2.1.5, since in Kerio 4 I did need it. The standard loopback rule seems to take care of that. It was what that thread I wrote to was all about originally.
    Jarmo
     
  10. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    With Avast you can easily exclude its ports from being in the loopback. I have it set up this way on my install, and everything works fine.

    You need the DHCP broadcast rule to get a DHCP lease, or renew one once the firewall is loaded. There is no bug related to this, it's all in your rules...
     
  11. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,184
    Perhaps, but it is shown in this pic, the green entries.
    http://www.dslreports.com/speak/slideshow/16594831?c=1042529&ret=L2ZvcnVtL3JlbWFyaywxNjU5MjY1NA==
    I am not familiar with this mask concept, to know if the loopback rule should pass this. It did not with Kerio 4 as far as I remember. I know Kerio 4's logs suck, but the main thing was that when I changed my IP by MAC address change, I needed the DHCP broadcast rule. With Kerio 2.1.5 I don't.

    I also wonder why you, seeming to be an expert, don't give any credit to my ruleset regarding Avast, or tell what is wrong with it ;)

    Best wishes,
    Jarmo
     
    Last edited: Feb 17, 2007
  12. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    While not common, spoofed packets with the fake source of 127.0.0.1 were used for messenger spam, and masks can be used to make sure to only allow packets from the correct subnet. The subnet of your local/internet connection is different than your localhost loopback.

    If you don't have the rule enabled, then some other rule enabled is permitting the necessary traffic. Either way your rules are permitting the necessary DHCP communication, period. It is all in YOUR rules. The unrestricted DHCP rule will also allow the broadcast, but it's best to not leave it enabled; once you disable it you need the broadcast rule enabled...
     
  13. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,184
    I just did the IP change again. And the same log entries are there as in that picture when I set the loopback to log. It is the mask 127.0.0.0/255.0.0.0.
    I have no idea and it is a mystery to me, but in my system it resolves to, matches those in the picture link.

    Just made a screen capture of my loopback rule. To be sure :p
    You should check that this is the loopback rule:
    http://www.dslreports.com/speak/slideshow/16594831?c=1042529&ret=L2ZvcnVtL3JlbWFyaywxNjU5MjY1NA==
    Now it of course reads Standard Loopback in the log, but it is handling this mask thing this way for sure.

    EDIT
    And when I change the loopback rule to 127.0.0.1 with no mask, I do get prompted by Kerio, or need that DHCP broadcast rule checked. It should not act this way? It is allowing that connection with that mask, I think.
     


    Last edited: Feb 17, 2007
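    The mask question in the last few posts (127.0.0.0/255.0.0.0 versus a bare 127.0.0.1, and BlitzenZeus's point about spoofed 127.0.0.1 sources and subnets) can be shown with a small first-match address/mask filter. This is an added example, not code from the thread or from Kerio's engine; the rule shapes, the interface names "lo"/"eth0" and the 203.0.113.7 address are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    iface: str  # interface the packet arrived on ("lo" or "eth0"; constructed names)


@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # "host" or "network/netmask" pattern; "0.0.0.0/0" means any address
    dst: str
    action: str   # "permit" or "deny"
    iface: Optional[str] = None  # None: match on addresses only, no interface check


def addr_matches(pattern: str, addr: str) -> bool:
    """Address/mask match: host bits are ignored, so 127.0.0.0/255.0.0.0 covers
    every 127.x.x.x address, while a bare 127.0.0.1 is a single /32 host."""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)


def evaluate(rules, pkt: Packet):
    """First matching rule wins (rule order matters); nothing matched -> deny."""
    for r in rules:
        if r.iface is not None and r.iface != pkt.iface:
            continue
        if addr_matches(r.src, pkt.src) and addr_matches(r.dst, pkt.dst):
            return r.name, r.action
    return "default", "deny"


# Assumed rule shapes: "loopback" permits any local address when the other side is
# in 127/8; the DHCP rule permits the client discover (0.0.0.0 -> broadcast).
ADDRESS_ONLY = [
    Rule("Standard Loopback", "127.0.0.0/255.0.0.0", "0.0.0.0/0", "permit"),
    Rule("DHCP broadcast", "0.0.0.0/0", "255.255.255.255", "permit"),
]
# Hardened variant: the same loopback rule, but only for packets seen on the loopback
# interface, so a 127.0.0.1 source arriving from the network falls to the default deny.
INTERFACE_BOUND = [
    Rule("Standard Loopback", "127.0.0.0/255.0.0.0", "0.0.0.0/0", "permit", iface="lo"),
    Rule("DHCP broadcast", "0.0.0.0/0", "255.255.255.255", "permit"),
]

LOCAL_PROXY = Packet("127.0.0.1", "127.0.0.1", "lo")          # e.g. an AV mail proxy
LOOPBACK_ALIAS = Packet("127.0.0.5", "127.0.0.1", "lo")       # only the /8 mask covers this
SPOOFED = Packet("127.0.0.1", "203.0.113.7", "eth0")         # fake loopback source from outside
DHCP_DISCOVER = Packet("0.0.0.0", "255.255.255.255", "eth0")  # not in 127/8, needs its own rule
```

    Under plain address/mask matching the DHCP discover never falls under a 127/8 rule, which is why a separate broadcast rule exists; this model does not explain the Kerio log entries Jarmo reports.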
  14. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Oops. Sorry, I shot too fast. I couldn't get past the picture :oops: I was comparing, and got stuck. I need to be more patient...
    Thank you for the explanation, and the time to build that and post it. It will help me a lot. Five stars :thumb:
    Yep, looks like I'll be with Kerio for a while. Might as well learn more :thumb:
    Thank you again!
    I see what you mean. Avast! is everywhere! Of course for a good reason.

    Thank you BlitzenZeus and Jarmo. I'll be reading more :D .
     
  15. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hi Guys:

    Picked up this quote in another forum and wanted to verify it's accuracy.
    For the record I am using ZA Pro 7.0 at the moment, but it keeps me too busy flipping switches and giving it help! My thoughts now are to change, but to what? This quote is positive on Kerio. Don't we want an application firewall and the ability to protect open ports?

    Here is the quote:

    "ZA Free has lately been stripped down to practically nothing, hardly any better than Windows Firewall. TechSupportAlert.com no longer recommends it.

    Personally, I wouldn't use even the pro version. ZoneAlarm is not an anti-hacker firewall, it's an application firewall, which doesn't protect ports when they're open. Kerio does.

    Technical jargon aside, even when ZA Free was powerful enough to be #2 at TechSupportAlert.com, it was still Kerio that was #1. It's ICSA certified, too. Show me one application firewall that has that kind of a track record!"
     
  16. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Let's wait until an experienced member can answer you. One thing though: I can't find Kerio on the certified firewalls on ICSA's site, unless I'm getting the wrong ICSA, coz there seem to be plenty of ICSAs...
    Anyone has a link to the right ICSA? If this is the one:
    http://www.icsalabs.com/icsa/icsahome.php
    the recommendations are weird, and Kerio isn't there.

    Anyone know what it's about and where?
     
  17. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Thanks Someone:

    I'll go back and ask the poster for the source which says Kerio is certified.

    Weird is right, best to check. You can't always trust the accuracy of what you read on these sites! "Trust but verify" a good rule to follow!

    It's tooooo cold here to go outside, -15 C and windy.
     
  18. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hi, here's the certification scoop! The poster had an error! Here, with IDs masked, is his correction:

    "Big OOPS!
    by sssssss - 13/02/07 5:50 PM
    In reply to: Certification question... by zzzzzzz
    Thank you for that, and I stand corrected. It is Kerio's Winroute firewall, not Sunbelt Kerio, that has the certification. In addition, the ISS product (now IBM/ISS) with certification was Proventia, not BlackICE. I goofed!"
     