Kerio 2.1.5 Inbound Rules

Discussion in 'other firewalls' started by HarryW, Feb 28, 2007.

Thread Status:
Not open for further replies.
  1. HarryW

    HarryW Registered Member

    Joined:
    Feb 28, 2007
    Posts:
    9
    Hi all, a quick newbie question, one to which I just can't seem to find the answer. I'm using Kerio 2.1.5, and the manual states that it is a stateful firewall, that is to say (as per the manual): "The main principle behind a firewall such as KPF is stateful inspection. This means that a record is made on every packet going from your computer and only a packet corresponding with this record is let pass back through. All other packets are dropped. This ensures that Personal Firewall only allows communication initiated from within the local network."

    I understand this, but then become confused on one point. Take for example MSN messenger. If I create the automatic rules that allow all ANY TCP/UDP In and Out for this app, does the above rule still apply...that the 'IN' part of this rule will only accept solicited inbound connections, or has my rule overridden this and now messenger will accept any unsolicited connections? I merely use MSN as an example.

    To add to my confusion: I used the port scan at GRC.com. All ports passed as stealth, other than port 9, which was being used by MSN messenger at the time. It reported as 'closed'. This was with an allow all inbound to MSN rule in place. So what does this mean? That allow all doesn't permit any unsolicited connections? Remove the allow all in rule for MSN and the port reverted to 'stealthed'. Can anyone explain this please?

    Any help would be sincerely appreciated =)
     
    Last edited: Mar 1, 2007
  2. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,184
    I have not used msn messenger for quite a while, but yes, some ports will be listening. Allowing also unsolicited connections for msn messenger with those rules. Whether they are needed, I am not sure at the moment. You can double click the kerio systray icon and see what ports msn messenger opens. They are not many I think.

    I know that Trillian multiprotocol client when used for yahoo pal typing chats, need only rules for outgoing TCP connections, so for that chat client solicited connections are enough.

    EDIT
    Just logging into Windows Messenger, I can do that with the rule Allow TCP Out from local ports 1024-5000 to any remote port&address. No incoming allowing rules are needed, so seems unsolicited connections are not needed. But I doubt if I have any active chat pals in here to test if it works more than able to log in, lol. I am of course all stealthed in shields Up!
    It could have been some temporary connection you experienced with those rules and as it shows closed, should be just ok.
     
    Last edited: Mar 1, 2007
  3. Bluenile

    Bluenile Registered Member

    Joined:
    Feb 2, 2007
    Posts:
    122
    Location:
    UK
    I can't comment on the version you're using but with the new 4.3.635.0 version, Messenger seems to work fine without having to manually open any incoming ports, and still passes all tests as 'fully stealthed' on Shields up whilst Messenger is in use.

    The only alerts I got were asking me to allow Messenger outbound access to the net on 3 ports (1 UDP and 2 TCP) which I allowed permanently.
     
    Last edited: Mar 1, 2007
  4. HarryW

    HarryW Registered Member

    Joined:
    Feb 28, 2007
    Posts:
    9
    Thank you for the replies.

    I really like the idea of Kerio 2.1.5 being a 'pure' rule based firewall, yet my incomplete understanding of how it works is frustrating me. Again with MSN as the example, it seems to listen on port 9 as I said; yet even with allow all UDP/TCP in rules in place for it, I still get a pop up asking me for action when port 9 is scanned. I would have imagined that as I'd set a rule allowing ALL in, and the rule is not set to alert, then this probe would have been allowed in to the port by default. The issue is not whether or not this rule is desirable, it is merely the results I have mentioned.

    In my previous firewall, Netveda, MSN worked fine with a simple allow tick, and yet all ports passed as stealthy. However, I was always uneasy as to just what was going on under the hood, and wondered if this 'tick' allowed a lot more than I would like. Thus the attraction of Kerio 2.1.5.

    I'm mostly babbling here, and realise I have a lot to learn...it is just that by nature, I only like to use applications that I understand somewhat comprehensively.

    To throw in one more question, if I may...how much credence should be given to the results of a leak test comparison such as found here:

    http://www.matousec.com/projects/windows-personal-firewall-analysis/leak-tests-results.php

    The results seem quite alarming for a good number of firewalls; how meaningful are the results in a real world context?
     
  5. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,184
    Of course getting a popup when running a Shields Up! scan means that your ruleset is not complete. It sure did not popup for that messenger? If not then make a specific block rule from that popup, customized to only that local port.

    Takes time and study, but rulemaking with kerio 2.1.5 popups is easy and more intuitive than with many other firewalls. Only thing that needs some experience is if your basic ruleset is a sound one regarding system protection. This comes as granted with more newbie firewalls.
     
  6. HarryW

    HarryW Registered Member

    Joined:
    Feb 28, 2007
    Posts:
    9
    I'm using a downloaded ruleset from

    http://www.dslreports.com/forum/remark,8023708

    The rules seem fairly comprehensive, which was why I was wondering at the alert I got for MSN on port 9, despite having an allow all inbound rule for MSN in place. I'm pretty much just experimenting purely to learn how this firewall works.

    Again, cheers for the information.
     
  7. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,184
    BlitzenZeus evolved the ruleset regarding the loopback rule etc. a bit, so the first picture in that thread is not the final ruleset; you can download the latest ruleset file and the pictures belonging to it from that thread.
    Yes, mine is based on that too, and there were some local ports for SYSTEM, ports 1029 and 1031, that I got popups for and added block rules.

    Kerio 2.1.5 by default blocks anything unknown, so nothing to worry about that popup you got. In the end I make my firewall as silent as possible though regarding port scan tests ;) so as to have no need to answer deny to those tests.

    The results would not be so good for kerio 2.1.5 either; it is not a leaktest passer. It means your AV has failed or something and some baddies got installed that, as a demonstration, can bypass the firewall's outbound control. Those tests have nothing to do with the basic firewall thing of controlling incoming and outgoing traffic as a packet filter. Other programs can be added. I do run PG free for program control, but not for the main reason of passing those tests. I just wanna know what programs are running in my system.
     
    Last edited: Mar 1, 2007
  8. HarryW

    HarryW Registered Member

    Joined:
    Feb 28, 2007
    Posts:
    9
    One last quick question (I promise!)

    Say MSN Messenger is listening on port 1163 (for example). I have rules set for MSN to ALLOW UDP/TCP BOTH DIRECTIONS, ANY LOCAL PORT, ANY REMOTE ADDRESS/PORT. When I probe port 1163 with the GRC.com scanner, I receive an alert to allow/deny. Why is this, when I have seemingly set a rule that would apply to (and allow) this packet? With a non-alerting block all rule added at the bottom of the rules list, I of course do not get an alert, but the probe is blocked all the same.

    I find this behaviour very pleasing, but genuinely do not understand the reasoning behind it. I assumed the TCP SPI was overruled by the above rules. Also, as UDP is stateless, and Kerio doesn't have pseudo UDP SPI, would I receive an alert if the protocol was UDP, or would in that case the packet be allowed through?

    That's the last of my questions, thanks again for the very helpful responses =)


    Quick edit with one query:

    A snippet from my logs

    I'm not too concerned, as it's blocked, but why on earth does my computer want to send NetBIOS packets to this IP (which happens to be Microsoft...the IP seems to be involved in the MSN login process) ?
     
    Last edited: Mar 1, 2007
  9. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,184
    A few hints.
    I can see from your logs that msn messenger is connected out to that port.
    You have opened it too for all incoming connections, not just solicited ones to that messenger. I advise you not to do that. Allow incoming only if needed.
    And since it is opened now, anything else trying to pass in might see it opened by msn messenger as well, like that grc scan. So kerio 2.1.5 will prompt you about that. It will block them for any applications, like your browser in this case, if you have not made a rule to allow. And thus you get prompted by that scan test.

    Second hint, make your rules to messenger separate for TCP outbound, allow as in my rule above. And another rule for incoming if needed only. If you make incoming rules they are always also for unsolicited connections same as with any firewall. Some programs like (Bit)torrents still do need unsolicited incoming connections. In the past messengers did that too. Hope not anymore. I have my Skype still opened for one special higher numbered port that grc scan never scans.
    Don't make any block rules for that application or some block all rule at the bottom of your ruleset. If you get prompted still for tcp incoming, make a separate messenger rule. Same goes for UDP, make separate rules for outgoing and incoming. All 4 rules if necessary for those protocols. For outgoing, usually local port range 1024-5000 should suffice.

    With MSN messenger using audio, web cam etc. it probably needs more rules than what I posted for Windows Messenger, but for typing chats that rule maybe suffices. Depends on what crap you have installed too ;)

    Then again I am not an expert to say much on MSN messenger; the above is just general advice.
    With both Yahoo messenger and MSN messenger I used to allow as you did all outgoing and incoming to all ports with no restriction and still got stealthed on shields up! with that basic port scan. Maybe I check how it is now. But if you scan some active connection ports by grc, i guess you will get prompted? I did not at the time I ran them and allowed all like you did.
     
    Last edited: Mar 1, 2007
  10. HarryW

    HarryW Registered Member

    Joined:
    Feb 28, 2007
    Posts:
    9
    I'm not sure what you mean, how would I possibly make a UDP rule that allowed only solicited connections in? I don't like the idea of the allow all UDP in rule very much. Is that a correct concern? Reading one of your excellent posts in another thread, maybe not:

    With only TCP out allowed, I get many UDP request in and out pop ups.

    My current very loose rules for MSN are an allow all TCP/UDP in and out, to the messenger.

    Also, any ideas on why MSN tries to make connections out from a NetBIOS port to Microsoft, even when I have just signed in and am not chatting etc?
     
  11. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,184
    Yes, UDP is a connectionless protocol. You should be just fine allowing it incoming too for the messenger. It is made to handle them. My netphone rules have a restriction that it is only allowed that traffic I posted to/from a restricted IP range. Still it is of some concern and I could make those rules tighter for incoming. But that phone program is trusted same as your messenger.

    You mean the netbios blocks from blitzens rules? They happen from time to time.
    In my case they are port scans from infected machines or some noise from my cable network connection. Not too often I hope?

    But you can also disable your netbios service if you want.
    Then they are not initiated from your machine. You can go to Windows Control Panel and Network Connections and there disable the netbios. Unfortunately my XP is Finnish, so it is hard to give you more specific advice on how. And your BZ-originated ruleset should block them already, so you are at least protected from that traffic. But I recommend you do it. I don't get any outgoing netbios blockings in my log. It is something like disabling netbios over TCP/IP if I remember right. It maybe does not disable the service, but disables those connections trying outbound. No idea why they do, maybe some automatics by MS or else o_O

    Or you can also stop the services with wwdc.exe.
    https://www.wilderssecurity.com/showthread.php?t=166615
    It might break something else, and I am not an advocate of recommending people harden their systems too much, and since I see you are quite new to those solicited/unsolicited things, maybe better you just concentrate on that for now?
    I have that wwdc.exe applied, but on my system I think Comodo firewall did break something instead of that utility, not sure, in any case I am not recommending it full heartedly for now.
     
    Last edited: Mar 1, 2007
  12. HarryW

    HarryW Registered Member

    Joined:
    Feb 28, 2007
    Posts:
    9
    Thanks for the advice. I normally disable NetBIOS in XP, but I've just reinstalled so haven't got round to it. My main query there was why was my machine always initiating NetBIOS requests to the microsoft server from my MSN messenger? Not a big deal, just wondered.

    I'm still learning a lot about these things, despite having been a computer geek for more than 25 years, net protocols are a big gap in my knowledge!

    Thank you very much for the replies...I just read your nice guide to Sygate 5.5 and it had me wondering...which do you prefer, Kerio 2.1.5 or Sygate 5.5? ;)
     
  13. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,184
    Sygate is nice but I prefer older kerio for just the reason I sometimes run firewalls like Comodo for testing. And with kerio, all I need is to install it and load my saved ruleset and I am the same as I was ever before. No need to teach it anything. It just works out of the box after the studies made once for the ruleset ;)
    Both offer good packet filtering though.

    BTW
    I just installed the latest Windows Live Messenger and rules it needed were:
    TCP Out from 1024-5000 to any remote port&address.
    Second rule same but for UDP
    Third rule was In UDP for any local port from some microsoft address, port 7001.

    That is just because I am soon getting a new computer; I would not otherwise be so careless as to test any new Microsoft software. It will be uninstalled. The incoming unsolicited rule could be made tighter. Then again if I needed audio for chatting or web cam, who knows. Also one point Harry, if kerio 2.1.5 had that pseudo SPI, the 3rd rule would maybe not be needed. It was though allowed only from that MS server. It is good to keep tight rules sometimes even though the applications responding to them are trusted, hehe.
    I did shields Up! scan and was all stealthed. But it was the basic scan only.
     
    Last edited: Mar 1, 2007
  14. KDNeese

    KDNeese Registered Member

    Joined:
    Dec 16, 2005
    Posts:
    236
    One suggestion, which may or may not be of help. If you need to allow inbound rules for any apps, one of the options in Kerio's rules is that you can allow the connection just for that session. For example, with my torrent program - I don't want other IP's connecting to my computer on port XXXX whenever they want; just when I'm using my program. With most firewalls, you make a rule to allow port XXXX and it is always valid, while Kerio has the option under the "Rule Valid" that says "Just for this interval." So, you can allow it for when you want the rule in place, but also have Kerio block those inbound connections when they're not wanted.
     
  15. HarryW

    HarryW Registered Member

    Joined:
    Feb 28, 2007
    Posts:
    9
    Would be grateful if you could explain the need to make separate rules here, rather than condensing, say, the UDP rules into one.

    Lastly, he has a local ports block, 1024-1028, but warns that this might block legitimate traffic. Therefore, do I put any app rules I make above this rule?
     
    Last edited: Mar 3, 2007
  16. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,184
    You cannot combine these 2 UDP rules for windows live messenger into a single one:
    allow UDP Out from 1024-5000 to any remote port&address.
    allow UDP In for any local port from some microsoft address, port 7001.
    And both of them can be restricted even more (if desired).

    There are various reasons for separating rules for different protocols and separate rules for outgoing and incoming. Possibility to restrict them more. To use the flexibility of a real rule-based firewall. To make them log/alert when wanted. I sometimes make many different rules even for my browser TCP outgoing, one for 80, one for 443 logging and then again another one for all the rest of the ports. They are just sometimes useful for diagnostic purposes.
    I would never make a rule that concerns both Out&In same time.
    Things like the BZ template are different; there one can think as much as one pleases to make them have as few rules as possible, but for apps, it really is much more convenient with separate rules. But that is just my opinion. Remember how much you allowed to that messenger, though that probably is not anything dangerous, just a really wide rule.

    For svchost.exe I have made many rules for separate MS server IP ranges. Both for TCP 80 and 443 separate too. You can sometimes when wanting to restrict this or some security software update to restricted IP ranges to use pages like this:
    http://www.geektools.com/whois.php.

    About loopback. Yes, BZ default rule will allow TCP&UDP Out from any local port to address 127.0.0.1,any port for any application. You should not get prompted again for any connections that match LB rule.

    I did use that address/mask thing that is in Blitzens default replacement rules, but I think I found a bug in how that address/mask is handled.
    https://www.wilderssecurity.com/showpost.php?p=946449&postcount=11
    So now I just put instead straight that localhost address, 127.0.0.1 with no mask.
    Aaah, you edited from your post that loopback question, makes kind of my answer redundant, even worthless o_O

    The local ports rule is set to log so in case something is not working you can see what it is. I have found no need to allow them for any app.
    I would add all application rules after the template, but in case you really need to allow those ports then by all means put the app rule above that BZ rule.
     
    Last edited: Mar 3, 2007
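Added illustration, covering the manual's stateful-inspection description quoted in post 1, the point in post 9 that an inbound allow rule also admits unsolicited connections, the three Windows Live Messenger rules listed in post 13, and the rule-ordering question answered in post 16: a toy Python model of a first-match, rule-based packet filter with a stateful TCP table. This is editor-added example code, not Kerio's code and not anything the posters wrote. The rule fields, the process name `msnmsgr.exe`, the `ms-server` and `scanner` address labels, the port numbers used in the scenarios, and the 'prompt' verdict for traffic no rule matches are all assumptions of the model.

```python
"""Added illustration (not Kerio code): a toy first-match packet filter with a
stateful TCP table, modelled on the behaviour discussed in this thread. Rule
fields, address labels and the 'prompt' verdict are assumptions of the model."""
from dataclasses import dataclass
from typing import Optional

ALLOW, DROP, PROMPT = "allow", "drop", "prompt"
ANY = (0, 65535)

@dataclass(frozen=True)
class Packet:
    direction: str             # "in" or "out"
    proto: str                 # "tcp" or "udp"
    local_port: int
    remote_addr: str
    remote_port: int
    app: Optional[str] = None  # application owning the local socket
    new_tcp: bool = False      # inbound SYN opening a new (unsolicited) connection

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                # ALLOW or DROP
    direction: str
    proto: str
    app: Optional[str] = None  # None matches any application
    local_ports: tuple = ANY   # inclusive (low, high)
    remote_addr: Optional[str] = None
    remote_ports: tuple = ANY
    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction and self.proto == p.proto
                and (self.app is None or self.app == p.app)
                and self.local_ports[0] <= p.local_port <= self.local_ports[1]
                and (self.remote_addr is None or self.remote_addr == p.remote_addr)
                and self.remote_ports[0] <= p.remote_port <= self.remote_ports[1])

class Firewall:
    def __init__(self, rules):
        # state: (local_port, remote_addr, remote_port) of TCP connections opened from this host
        self.rules, self.state = list(rules), set()
    def filter(self, p: Packet):
        key = (p.local_port, p.remote_addr, p.remote_port)
        # Stateful inspection: the reply to a connection this host opened needs no inbound rule.
        if p.proto == "tcp" and p.direction == "in" and not p.new_tcp and key in self.state:
            return ALLOW, "state table"
        for rule in self.rules:          # first match wins, so rule order matters
            if rule.matches(p):
                if rule.action == ALLOW and p.proto == "tcp" and p.direction == "out":
                    self.state.add(key)  # remember the outbound connection
                return rule.action, rule.name
        return PROMPT, "no matching rule"  # model assumption: unmatched traffic raises an alert

def scan_result(verdict: str, listening: bool) -> str:
    # What a remote scanner sees: a dropped or unanswered probe is stealth, else the stack answers.
    if verdict != ALLOW:
        return "stealth"
    return "open" if listening else "closed"

MSN = "msnmsgr.exe"      # assumed process name
MS_SERVER = "ms-server"  # constructed label standing in for a Microsoft server address

def messenger_rules():
    """The three Windows Live Messenger rules posted above, in model form."""
    return [
        Rule("Messenger TCP out", ALLOW, "out", "tcp", app=MSN, local_ports=(1024, 5000)),
        Rule("Messenger UDP out", ALLOW, "out", "udp", app=MSN, local_ports=(1024, 5000)),
        Rule("Messenger UDP in from MS", ALLOW, "in", "udp", app=MSN,
             remote_addr=MS_SERVER, remote_ports=(7001, 7001)),
    ]

def template_rules():
    """A template-style tail: logged block on local ports 1024-1028, then block all inbound."""
    return [
        Rule("Block local 1024-1028 (log)", DROP, "in", "tcp", local_ports=(1024, 1028)),
        Rule("Block all TCP in", DROP, "in", "tcp"),
        Rule("Block all UDP in", DROP, "in", "udp"),
    ]

def demo():
    r = {}
    fw = Firewall(messenger_rules() + template_rules())
    # 1. Login connection out, then its reply in: allowed via the state table, no TCP-in rule needed.
    r["login_out"] = fw.filter(Packet("out", "tcp", 1200, MS_SERVER, 1863, app=MSN))
    r["login_reply"] = fw.filter(Packet("in", "tcp", 1200, MS_SERVER, 1863, app=MSN))
    # 2. Unsolicited SYN from a scanner to a port messenger listens on: hits block-all, so stealth.
    probe = Packet("in", "tcp", 1163, "scanner", 40000, app=MSN, new_tcp=True)
    r["probe"] = fw.filter(probe)
    r["probe_seen_as"] = scan_result(r["probe"][0], listening=True)
    # 3. Same probe with a wide 'allow all TCP in' rule for messenger above the tail: an inbound
    #    allow rule admits unsolicited traffic too, so the port is no longer stealth.
    wide = [Rule("Messenger TCP in (any)", ALLOW, "in", "tcp", app=MSN)]
    r["probe_wide"] = Firewall(messenger_rules() + wide + template_rules()).filter(probe)
    r["probe_wide_seen_as"] = scan_result(r["probe_wide"][0], listening=True)
    # 4. No block-all tail at the bottom: the probe matches nothing and raises a prompt instead.
    r["probe_no_tail"] = Firewall(messenger_rules()).filter(probe)
    # 5. First match wins: an allow rule for local port 1025 only takes effect above the 1024-1028 block.
    p1025 = Packet("in", "tcp", 1025, "scanner", 40000, app=MSN, new_tcp=True)
    narrow = [Rule("Messenger TCP in 1025", ALLOW, "in", "tcp", app=MSN, local_ports=(1025, 1025))]
    r["app_rule_below_block"] = Firewall(template_rules() + narrow).filter(p1025)
    r["app_rule_above_block"] = Firewall(narrow + template_rules()).filter(p1025)
    return r
```

Calling `demo()` walks the five situations the thread circles around: the solicited reply passes on the state table alone; the unsolicited probe is stealth only because a block rule at the bottom catches it; the wide allow-in rule lets that same probe reach the stack, so the scanner gets an answer instead of silence; with no block-all tail the probe matches nothing and the model prompts; and the narrow allow rule for port 1025 works only when it sits above the local-ports block, which is the ordering point from the last reply.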
  17. HarryW

    HarryW Registered Member

    Joined:
    Feb 28, 2007
    Posts:
    9
    Just a quick reply to say thanks again for your amazing level of help Jarmo. You're a real asset to this community, and the perfect example of an expert that's willing to help out a new guy, no matter how silly his questions might be!

    Cheers sir =)
     
  18. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,184
    Glad to be of help Harry.
    Remember to use that Apply button after making new rules, because without it they might sometimes not be applied.
    Remember to save your rules from time to time. It is very rare, but not unheard of, that kerio 2.1.5 loses its rules. My naming convention for the configuration file is by date. Anyway, since my computer is so ailing, I have them also sent to my gmail account.
     