kerio loopback

Discussion in 'other firewalls' started by iceni60, Jun 29, 2004.

Thread Status:
Not open for further replies.
  1. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    Hello, I have a problem... I'll post again if I ever work out how to work IrfanView.
    P.S. Sorry if I've attached something inappropriate. Edit: I'll try it out in the test forum.
     
  2. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    Hello, I was hoping someone could help me with Kerio 2.1.5 loopback rules. I've just started using Kerio and I'm not sure if these make sense. I've also had some problems with screenshots, so my first shot is here https://www.wilderssecurity.com/showthread.php?t=38751 and my second, I hope, is attached. In this second shot it's mainly the IE UDP I'm not sure about, but if the others look awkward, could you please help?
     

  3. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,749
    Location:
    Texas

    Have you tried these forums? Might be easier.

    Here

    Here
     
  4. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    ronjor, no I haven't tried them, I got the BZ standard rules from DSL. I just happened to be here, as hopeful (other thread), when I thought about posting, when Tassie Devils, bigc73542 and Paul Wilders replied to my mindless test thread. It took me about 2 hours (look at the times) to post those two screenshots, I'm not sure I'll manage doing that two more times. I will if I have to though. Thanks :)
     
  5. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Ice,

    Don't despair; we do have very knowledgeable Firewall Moderators. Your issue will be addressed for sure ;).

    regards.

    paul
     
  6. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    Hi, iceni60,

    I have used Kerio 2.1.5 for years now, and I feel confident with rule creation and ordering. I cannot fully understand what your problem is. Are you trying to set up a good ruleset? I can help you in this, if you confirm it. About the screenshot you posted: mostly it makes sense, except for the Block Proxomitron rule, which will never be triggered. But this ruleset is not enough, or better said, it does not fully utilize the capabilities of Kerio. So it can be improved. To set up the ideal ruleset I need to know whether you are using any of:
    - external HTTP proxy,
    - DHCP server providing IP address of the computer (possibly built into ADSL modem)
    - ADSL modem with built in DNS server
    - external (hardware) firewall

    -hojtsy-
     
  7. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    Thanks again, Paul. Here, I hope, is the other attachment.
     

  8. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    Thanks, hojtsy. I'm on a standalone home XP, with DHCP server, I'm going to get JAP, I don't have a hardware firewall and I'm on Tiscali ADSL PPP. I just reinstalled my OS because NAV and different ZA's kept on screwing up. I hope this answers your question, and Kerio and AVG turn out to be what I'm looking for. I think I should add that I've only had Kerio for a day, and before yesterday I was your average ZA Free user, and if you don't see anything dangerous, I'm happy to carry on creating rules as I start using various programs. I'll delete the Block Proxomitron rule. Thanks for your time.
     
  9. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    Can I ask another question? I found the CWS block addresses, and this is how I blocked the first one. Is this the right way to do it? In between my programs? I'm not sure how to give it priority.
     

  10. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    For loopback use with Kerio 2.x there are a few configurations you can do, and here is the basic loopback configuration.

    --Standard Loopback(Subnet configuration)--
    Outbound
    TCP/UDP
    Local: Any
    Remote: Network Mask 127.0.0.0/255.0.0.0 - Any Ports
    Allow
    No logging, or Alerting

    --Standard Loopback--
    Outbound
    TCP/UDP
    Local: Any
    Remote: Address 127.0.0.1 - Any Ports
    Allow
    No logging, or Alerting

    If you run a software proxy like Proxomitron, you only want to allow certain programs access to that port on your localhost. It can be either the subnet or the IP address.

    --Software Proxy Loopback--
    Outbound
    TCP/UDP
    Local: Any
    Remote: ADDRESS OR MASK - List of ports: 1-8079, 8081-65535
    Allow
    No logging, or Alerting
    (Here your software proxy is on TCP 8080, but it should not hurt to prevent UDP 8080 either.)

    --Firefox(Proxy)--
    Outbound
    TCP
    Local: Any
    Remote: ADDRESS OR MASK - List of ports: 1024-5000, 8080(or use Any Port)
    Allow
    No logging, or Alerting.

    If you don't like the idea of a Loopback rule that allows every program to access your loopback you will have to make a rule for every program that would require this. If you had a software proxy on the system you might have to make multiple loopback rules for each program to prevent others from using the software proxy.

    --Firefox Loopback--
    Outbound
    TCP
    Local: Any
    Remote: ADDRESS OR MASK - Any Port
    Allow
    No logging, or Alerting.

    --IE Loopback--
    Outbound
    UDP
    Local: Any
    Remote: ADDRESS OR MASK - Any Port
    Allow
    No logging, or Alerting.

    There has been IP spoofing used to send one-way packets, like for Messenger spam, so here is a rule to prevent outside packets that look like they are from your localhost. It's very rare to have legit traffic coming from your localhost as the source.

    --127.x Block--
    Inbound
    Any Protocol
    Local: Any
    Remote: Address 127.0.0.1
    Block
    Logging, no Alerting

    ----------------------------

    To address your IP blocking question, the rules in Kerio are processed first to last, aka top to bottom, so make sure that you examine your ruleset so you're not blocking other communications, or allowing them by mistake before they're blocked. If you don't already use the custom address group, stick those IP addresses in there so you only need one blocking rule for all these addresses.
     
    Last edited: Jun 29, 2004
  11. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    KUDOS to you BZ. Thanks for your help :cool: :D :cool:
     
  12. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    ----------------------------
    Perfect, thanks
     
  13. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    iceni60,
    Proxomitron, being an HTTP proxy, does not use UDP, only TCP. The rules you should have for Proxomitron are:

    1) Block proxomitron OUTgoing to 127.0.0.0 (TCP/UDP)
    2) Allow proxomitron OUTgoing to anywhere (TCP only)
    3) Block proxomitron IN/OUT to anywhere (TCP/UDP)
    4) Allow browser OUTgoing from 1024-4999 to 127.0.0.1:8080, TCP
    5) Allow browser IN/OUT to 127.0.0.1:1024-4999 (TCP/UDP, needed for some silly browsers)
    6) Block browser IN/OUT to anywhere (TCP/UDP)

    The processing order of these rules results in allowing Proxomitron only outgoing TCP access to non-localhost addresses. Note that Proxomitron does not need any rules to accept INcoming connections from your browser, because for localhost connections Kerio only checks the OUTgoing leg of the connection. (This defect was inherited from the Unix firewall "iptables", and is present in practically all SW firewalls.) Yes, I have listed the same Block Proxomitron rule that I nuked from your config, but with these other rules it makes sense.

    Also note that if you are using proxomitron you should NOT allow unchecked free communication inside localhost, because then any hostile SW can tunnel through the local proxy, and communicate freely with external servers.
    -hojtsy-
     
  14. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    And thank you too, hojtsy. I'm a lot more confident now, having had advice from the two of you. Thanks
     
    Last edited: Jun 30, 2004
  15. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    I also suggest restricting the DNS (UDP:53) and DHCP (UDP:67,68) ports to only the specific IP addresses of the DHCP and DNS servers respectively that you are using. If you don't know the address of these servers you can peek at it by setting up an Allow rule for it with logging and alarming. No other IP address should be allowed to send/receive DHCP/DNS to/from you. As you want to enforce these rules also for the trusted apps, you should put these rules quite early in the list. Restricting a port to one address is possible by creating three rules (example):
    1) Allow services.exe UDP IN/OUT from any port to MY_DNS_SERVER:53
    2) Deny any app UDP IN/OUT from localhost:any to any:53
    3) Deny any app UDP IN/OUT from localhost:53 to any:any

    This clearly restricts the DNS communication to the precise needs. Note that you possibly have two DNS servers, then you need to allow both. I only have one.
    -hojtsy-
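    BlitzenZeus's point that Kerio processes rules first to last, and hojtsy's three-rule DNS restriction above, as an added example that is not part of the thread and not Kerio's own code: a small first-match evaluator in Python over hojtsy's rules, showing that the same three rules deny DNS to any other server and that putting the Deny rules ahead of the Allow makes the Allow unreachable. MY_DNS_SERVER and the other addresses are constructed placeholders.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

MY_DNS_SERVER = "192.0.2.53"  # constructed placeholder for the provider's DNS server

@dataclass
class Packet:
    app: str        # process name, e.g. "services.exe"
    proto: str      # "udp" or "tcp"
    direction: str  # "in" or "out"
    remote_ip: str
    remote_port: int
    local_port: int

@dataclass
class Rule:
    name: str
    action: str             # "allow" or "deny"
    app: str = "any"
    proto: str = "any"
    direction: str = "in/out"
    remote: str = "any"     # "any", a single address, or a network such as 127.0.0.0/8
    remote_port: int = 0    # 0 stands for "any port"
    local_port: int = 0

    def matches(self, p: Packet) -> bool:
        """Every field that is not a wildcard must agree with the packet."""
        return (
            self.app in ("any", p.app)
            and self.proto in ("any", p.proto)
            and self.direction in ("in/out", p.direction)
            and (self.remote == "any" or ip_address(p.remote_ip) in ip_network(self.remote))
            and self.remote_port in (0, p.remote_port)
            and self.local_port in (0, p.local_port)
        )

def evaluate(rules: list, p: Packet) -> tuple:
    """Kerio 2.x order: the first matching rule decides; later rules are never consulted."""
    for r in rules:
        if r.matches(p):
            return r.action, r.name
    return "ask", "no rule matched"

# hojtsy's three DNS rules, in the order given in the thread
DNS_RULES = [
    Rule("1 allow services.exe to my DNS", "allow", app="services.exe", proto="udp",
         remote=MY_DNS_SERVER, remote_port=53),
    Rule("2 deny any app to any:53", "deny", proto="udp", remote_port=53),
    Rule("3 deny any app from localhost:53", "deny", proto="udp", local_port=53),
]
```

    Reversing the list (`DNS_RULES[1:] + DNS_RULES[:1]`) makes rule 2 swallow the legitimate lookup, which is why hojtsy places the Allow before the two Deny rules.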
     
  16. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    Please see the sticky at the top of this thread dealing with firewall links; the link to my default replacement for Kerio 2x covers all of those :cool:
     
    Last edited: Jun 30, 2004