kerio 2.1.5 and rules

Discussion in 'other firewalls' started by lasu, Aug 3, 2006.

Thread Status:
Not open for further replies.
  1. lasu

    lasu Registered Member

    Joined:
    Mar 19, 2005
    Posts:
    43
    hi to all,
    a quick question about some rules.
    i see that kerio 2.1.5 will be a continuing work in progress. i now have 5 rules for ewido antispy and a few for avg antivirus. is this normal? if i block a new popup for ewido connection i'm blocked from getting the update. there are times it goes through just fine, yet there are times i need to create a new rule. is this normal?
    also, i would like to use the net range for some updates, it would cut down on the number of rules, would that be ok to do?
    thanks for the help w/kerio;-)

    L
     
  2. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi lasu,
    The amount of rules you need will depend on the rules you have created.
    Example: Most updaters will update with an outbound connection (tcp) to remote port 80(http), or in some circumstances make an outbound connection (tcp) to remote port 21(ftp)
    If you have created rules to allow outbound, but in these rules you have placed a local port to use, or have specified a fixed IP, then other popups for further rules can happen, as the same local port will vary, and the remote IP could also vary, depending on the number of update servers the software has to try for updates.

    Could you post the rules you have created?
     
  3. lasu

    lasu Registered Member

    Joined:
    Mar 19, 2005
    Posts:
    43
    hi stem,
    here are the ewido rules i was speaking of and thank you.
    L
     

    Attached Files:

  4. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi lasu,
    Yes, I see you are placing the remote IP addresses into the rule. This is good practice, but does lead to a need to place a rule for each and every update server.
    The main Ewido update server is 85.10.237.9 (ref post here)
    The IP 209.163.112.198 is akamai which is possibly (like the others) used as a mirror download. (These are possibly not static/fixed.)

    I have, on searching for the Ewido update servers, seen a number of posts reporting connection problems to the update servers.

    Maybe there is a need to place a more open rule for this application, as the application is trusted,... the fact that the application is possibly being re-directed to mirror sites from the main update server can make it difficult to keep track and create rules for all the mirror sites (which can possibly change)

     
  5. lasu

    lasu Registered Member

    Joined:
    Mar 19, 2005
    Posts:
    43
    hi stem,
    i use Karen's Whois and check all ip addresses before i let something in/out of my puter. that's how i got the net range for the top 2 'remote port' ewido rules. i haven't got the range set for the bottom 2 rules, as you can see. one came up today and the other came up awhile back. all my updaters have the remote IP address set in the rule but i should use 'any address' instead of a certain ip address, if i understand you correctly, for the 'remote ip address'?
    L
     
  6. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi lasu,
    It is what I would/do with a trusted application (such as trusted anti-malware software) whose servers may change, as you may be given popups for new IPs on a regular basis, and the old rules in place may never be used again.

    It really is down to yourself, and how strict you want to be with your ruleset. At this time I am not able to find a static IP list for updating the free version of Ewido. If one was available, then the rules would be easy to put in place, but as you are finding, the IPs are changing.
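
The trade-off discussed in the posts above (fixed remote IP, net range, or 'any address', with or without a fixed local port), as an added illustration that is not part of any post and is not Kerio's own rule engine. The application name, the 203.0.113.x mirror addresses, the net range and the local ports are constructed; 85.10.237.9 and 209.163.112.198 are the addresses quoted in the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

APP = "ewido-updater"  # hypothetical application name

@dataclass(frozen=True)
class Conn:
    local_port: int
    remote_ip: str
    remote_port: int = 80
    app: str = APP

@dataclass(frozen=True)
class Rule:
    remote_first: Optional[str] = None  # None means "any address"
    remote_last: Optional[str] = None   # set for a net range
    local_port: Optional[int] = None    # None means "any local port"
    remote_port: int = 80
    app: str = APP

    def matches(self, c: Conn) -> bool:
        if (c.app, c.remote_port) != (self.app, self.remote_port):
            return False
        if self.local_port is not None and c.local_port != self.local_port:
            return False
        if self.remote_first is None:
            return True
        lo = ipaddress.ip_address(self.remote_first)
        hi = ipaddress.ip_address(self.remote_last or self.remote_first)
        return lo <= ipaddress.ip_address(c.remote_ip) <= hi

def popups(rules, conns):
    """Outbound attempts no rule allows; each one would prompt for a new rule."""
    return [c for c in conns if not any(r.matches(c) for r in rules)]

# Constructed update attempts: local ports are ephemeral, mirrors change.
CONNS = [Conn(1045, "85.10.237.9"), Conn(1051, "85.10.237.9"),
         Conn(1102, "209.163.112.198"),
         Conn(1130, "203.0.113.20"), Conn(1188, "203.0.113.77")]

PINNED_PORT = [Rule("85.10.237.9", local_port=1045)]
FIXED_IP = [Rule("85.10.237.9"), Rule("209.163.112.198")]
NET_RANGE = FIXED_IP + [Rule("203.0.113.0", "203.0.113.255")]
ANY_ADDRESS = [Rule()]

if __name__ == "__main__":
    for name, rs in [("pinned local port", PINNED_PORT), ("fixed IPs", FIXED_IP),
                     ("net range", NET_RANGE), ("any address", ANY_ADDRESS)]:
        print(f"{name}: {len(rs)} rule(s), {len(popups(rs, CONNS))} popup(s)")
```

The 'any address' rule is still limited to this one application and remote port 80, but unlike the other rulesets it also allows a connection to an address that has never been seen before.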
     
  7. lasu

    lasu Registered Member

    Joined:
    Mar 19, 2005
    Posts:
    43
    hi stem,
    i will change my rules for my various security apps as you suggested. it makes sense to me;-).
    thkx for helping me get things right and for the quick replies. this is a great site with great people.
    L
     
  8. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,504
    I have returned to 2.1.5 after using version 4.2.2 for some months. Apart from the reduction in resources could not notice any difference in speed.

    I thought that I ought to sort my rules out and started by going through all the leaktests, not sure how relevant they are in practice but it is a starting point. Some I found I could not contain (I block IE so that stops a lot). In trawling through some old threads I came across Winsonar. I installed that, which resolved the remaining leaks. The memory usage of that and Kerio 2 is still less than Kerio 4 which in any case was not blocking them.
     