Kerio 2.1.5 is allowing response to probes

Discussion in 'other firewalls' started by pcalvert, Jun 23, 2005.

Thread Status:
Not open for further replies.
  1. pcalvert

    pcalvert Registered Member

    Joined:
    May 21, 2005
    Posts:
    203
    I am using Kerio 2.1.5 with BlitzenZeus's default replacement ruleset (standard). I have noticed that some probes generate outgoing network activity. I noticed this when I was using Sygate PF, and it's part of the reason why I am trying Kerio right now.

    It seems that the replies are associated with TCP inbound to port 445. I've determined this by looking in the firewall log immediately after the outgoing activity.

    After seeing a lot of this going on today, I installed the demo for Port Explorer. By monitoring in real time with Port Explorer, I have a slightly better idea of what's going on. After some of the inbound connection attempts to port 445, my computer is responding by sending something to my ISP's domain name server, and Kerio 2.1.5 is letting it.

    It seems odd that probes to port 445 would generate replies of some sort, while probes to other ports do not. I should probably add that, as far as I know, port 445 is closed (I am using Windows 98 SE). Anyone have an idea of what is going on here?

    BTW, I'm not sure that this is a Kerio 2.1.5 problem. I recall seeing similar behavior when I was using Sygate PF and NetVeda Safety.Net, though probably to a lesser degree.


    Phil
     
  2. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    You might try putting a Block All Incoming rule down at the end of your rules and block anything coming in. There should be nothing getting in unless you're specifically allowing it via another rule. Best check your rules again in more detail.
     
  3. pcalvert

    pcalvert Registered Member

    Joined:
    May 21, 2005
    Posts:
    203
    I do have a "Block All" rule at the end. I don't think it's the ruleset. My ruleset is only slightly modified from BZ's original. There's something else going on. Do you think this could have something to do with fragmented packets?

    BTW, I just took another look at Port Explorer because it is happening again right now pretty frequently. It looks like Kerio is responsible. Port Explorer shows PERSFW.EXE as the process associated with these communications with the domain name server. Is it normal for the firewall to be communicating with the domain name server?

    Hmm, now I am thinking that maybe what I am seeing is Kerio doing DNS lookups in order to convert numeric IP addresses into domain names. If that's what is happening, it still seems odd that the lookups would tend to coincide with inbound connection attempts to port 445.


    Phil
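    The hypothesis in the post above (the firewall itself issuing reverse lookups for the source address of each logged inbound attempt) can be checked offline by correlating the two logs. The script below is an added example, not code from the thread, from Kerio, or from Port Explorer: it derives the PTR name a resolver would query for each inbound source IP and looks for an outbound DNS query with that name shortly afterwards. Both log formats and all addresses are constructed for illustration; the real Kerio and Port Explorer formats differ, so the two regular expressions would need adjusting before running this over a genuine log.

```python
"""Correlate logged inbound probes with outbound DNS queries.

Added example (not from the thread). The idea: if the firewall reverse-resolves
the source of every inbound attempt it logs, then each blocked probe should be
followed within a second or two by a PTR query for <reversed-ip>.in-addr.arpa,
sent by the firewall process. Any DNS query NOT explained that way is the one
still worth investigating. Log formats below are constructed, not real.
"""
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample firewall log: blocked inbound TCP attempts.
FIREWALL_LOG = """\
2005-06-23 14:02:11 BLOCK TCP in 203.0.113.45:3277 -> 192.0.2.10:445
2005-06-23 14:02:40 BLOCK TCP in 198.51.100.7:1044 -> 192.0.2.10:135
2005-06-23 14:03:05 BLOCK TCP in 203.0.113.99:4512 -> 192.0.2.10:445
"""

# Constructed sample of outbound UDP/53 traffic with the owning process,
# in the spirit of what a per-process connection monitor would show.
DNS_QUERIES = """\
2005-06-23 14:02:11 PERSFW.EXE UDP out 192.0.2.10:1031 -> 192.0.2.53:53 PTR 45.113.0.203.in-addr.arpa
2005-06-23 14:02:41 PERSFW.EXE UDP out 192.0.2.10:1032 -> 192.0.2.53:53 PTR 7.100.51.198.in-addr.arpa
2005-06-23 14:03:05 PERSFW.EXE UDP out 192.0.2.10:1033 -> 192.0.2.53:53 PTR 99.113.0.203.in-addr.arpa
2005-06-23 14:05:00 IEXPLORE.EXE UDP out 192.0.2.10:1034 -> 192.0.2.53:53 A www.example.com
"""

LOG_RE = re.compile(r"^(\S+ \S+) BLOCK (\w+) in (\S+):(\d+) -> (\S+):(\d+)$")
DNS_RE = re.compile(r"^(\S+ \S+) (\S+) UDP out \S+ -> \S+:53 (\w+) (\S+)$")
TS_FMT = "%Y-%m-%d %H:%M:%S"


def ptr_name(ip):
    """Name a resolver queries to reverse-resolve `ip` (IPv4 or IPv6)."""
    return ipaddress.ip_address(ip).reverse_pointer


def parse_inbound(text):
    """Parse blocked inbound events into dicts with time, proto, src, dport."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts, proto, src, _sport, _dst, dport = m.groups()
            events.append({"time": datetime.strptime(ts, TS_FMT),
                           "proto": proto, "src": src, "dport": int(dport)})
    return events


def parse_dns(text):
    """Parse outbound DNS queries into dicts with time, process, qtype, qname."""
    queries = []
    for line in text.splitlines():
        m = DNS_RE.match(line)
        if m:
            ts, proc, qtype, qname = m.groups()
            queries.append({"time": datetime.strptime(ts, TS_FMT),
                            "process": proc, "qtype": qtype, "qname": qname})
    return queries


def correlate(inbound, dns, window=timedelta(seconds=5)):
    """Pair each inbound event with the PTR query for its source, if one
    was sent within `window` after the event. Returns (event, query|None)."""
    pairs = []
    for ev in inbound:
        want = ptr_name(ev["src"])
        match = next((q for q in dns
                      if q["qtype"] == "PTR" and q["qname"] == want
                      and timedelta(0) <= q["time"] - ev["time"] <= window), None)
        pairs.append((ev, match))
    return pairs


def unexplained_queries(inbound, dns, window=timedelta(seconds=5)):
    """DNS queries not accounted for by any inbound event: the real residue."""
    explained = {id(q) for _ev, q in correlate(inbound, dns, window) if q}
    return [q for q in dns if id(q) not in explained]


if __name__ == "__main__":
    inbound, dns = parse_inbound(FIREWALL_LOG), parse_dns(DNS_QUERIES)
    for ev, q in correlate(inbound, dns):
        verdict = f"PTR by {q['process']}" if q else "no matching lookup"
        print(f"{ev['time']:%H:%M:%S} {ev['proto']} from {ev['src']} -> :{ev['dport']}: {verdict}")
    for q in unexplained_queries(inbound, dns):
        print(f"unexplained: {q['time']:%H:%M:%S} {q['process']} {q['qtype']} {q['qname']}")
```

    In the constructed sample every blocked probe is followed by a PTR query from PERSFW.EXE for the probe's source address, which is exactly the pattern of a firewall resolving addresses for its log; the one query left over (a normal A lookup by a browser) is the only outbound activity the firewall's lookups do not explain. Once DNS resolving is switched off in the firewall, the PTR queries should disappear from the outbound list entirely.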
     
  4. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    Now that you mention it, I recall having seen that on my own system while running Kerio 2. I believe you are right, and it is just Kerio doing lookups. There should (if I remember) be an option to turn this off somewhere in Kerio. Look around in the MS Networking section (don't remember exactly) and see if you can find it and turn it off. Then it should stop.
     
  5. Kye-U

    Kye-U Security Expert

    Joined:
    Jun 11, 2004
    Posts:
    481
    Right-click on the Blue Shield in the system tray, click on Administration, click on the Miscellaneous tab and untick "Enable DNS Resolving" :)
     
  6. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    That's it.... :D
     
  7. pcalvert

    pcalvert Registered Member

    Joined:
    May 21, 2005
    Posts:
    203
    That was it. What a relief. It was unnerving to see outbound traffic when I wasn't doing anything.

    Port Explorer was quite useful. If I hadn't tried it, I wouldn't have known that Kerio itself was responsible for the activity.


    Phil
     