Kerio Personal Firewall

Discussion in 'other firewalls' started by FireDancer, Jul 25, 2003.

Thread Status:
Not open for further replies.
  1. FireDancer

    FireDancer Registered Member

    Joined:
    Jul 24, 2003
    Posts:
    316
    Hello,

    I am new to the board and new to firewalls. Currently using NS 7.1, cable modem, Linksys 4-port router. I use Spybot S&D, Ad-Aware 6.0, HijackThis, AVG 6.0 AV. I recently installed Kerio Personal Firewall and am in need of some advice. I installed and ran my applications one at a time, and the only setting I made was to tell Kerio to change the protocol of each application to TCP/UDP both ways. Disabled DNS resolve as well. I am totally ignorant of how to set up a firewall and it's all Latin to me. Are my settings any good? I would like to learn more about all the protocols and such so that I am knowledgeable with my software and how to properly set it to its max potential. Any comments good or bad would be greatly appreciated. o_O

    Best Regards
    FireDancer
     
  2. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hello FireDancer

    Have a look at this recent post and you will see some posts by BlitzenZeus and myself that may be helpful in getting you going.

    Feel free to ask any specific questions in regards to your rule set. A screen shot always helps (edit any IP's not for public consumption).

    Regards,

    CrazyM
     
  3. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Most of the common applications you will be using will only require TCP outbound to the required remote service. You will need some UDP rules for things like DNS.

    The following might help explain a little:

    Common Internet Services

    When you open your browser to go to a web site, or your e-mail client to check for mail, your system initiates an outbound request for that specific remote service using the TCP protocol.

    Some common remote services used by most of us every day are:
    HTTP/port 80 (web browsing), HTTPS/port 443 (secure web sites), HTTP Proxy/port 8080 (web proxy sites), POP3/port 110 (to receive e-mail), SMTP/port 25 (to send e-mail), NNTP/port 119 (for news groups).

    Rules for common remote services should permit TCP outbound traffic to that remote service.
    Example:
    Protocol: TCP
    Direction: Outbound
    Remote service/port: 80 (HTTP) for web browsing.

    Ephemeral Ports - Temp Range

    When initiating outbound requests for common remote services, your system will use ports some refer to as "ephemeral ports" or the "temp range" for the local portion of these connections. The default Windows ephemeral ports or temp range is 1024-5000. These would be the standard ports used locally for most connections to remote services. Thus your custom rule would allow local service/port 1024-5000. Most firewalls default your rules to any local service/port. Restricting the rule to the ephemeral ports or temp range for local service/port is just a means of tightening up your rule(s). It also would alert you to something using non-standard services/ports.

    This would apply for all rules using common remote services such as HTTP, POP3, SMTP, NNTP, etc.
    Example:
    Local service/port: 1024-5000

    Combined with the example from Common Internet Services you have the following general rule of thumb for connections to common remote services:

    Your Rule
    Protocol: TCP
    Direction: Outbound
    Remote service/port: 80 (HTTP)
    Local service/port: 1024-5000

    Restricting Local service/port to the ephemeral ports or "temp range" is also applicable to some non application specific rules that use common services. An example would be your DNS rules.

    Regards,

    CrazyM
     
  4. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    Well, to start off, by allowing everything you have basically made your firewall almost useless, and you must understand that if you don't know what you're doing you can make even bigger holes than with these simple application-oriented firewalls like ZA.

    Also, most rule-based firewalls are very similar, but they don't all work exactly the same. While it is not the same firewall, CrazyM and others have worked towards a site for AtGuard and the Norton firewalls. AtGuard was bought by Symantec to make Norton, so at the core they are still mostly the same, and the AtGuard configurations could help you also as it's quite similar to Kerio.
    Customizing AtGuard/NIS Rules

    Sit on this for a day, or two if you have to. After you have made your first changes in the rules and are stuck, attach an image of just your ruleset so we might be able to help you with it.

    I hope CrazyM doesn't mind, but I'm not always around for this kind of stuff. The link CrazyM provided will lead to another link which is a forum in which my example thread is hosted, it has quite a few people who are also helpful when helping others with Kerio if you don't find your answers here.
     
  5. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    Hi FireDancer, welcome :D

    I have a fantastic site for you re Kerio.

    Anything you need to know about setting up, etc. It even has the "rulesets" written out for the main security and a lot of common apps, like IE and OE, WMP, RP, etc.

    Gives detailed information on all settings, info, help, etc.

    But also check CrazyM and BlitzenZeus threads, I also learnt things in general from them.

    The funny thing is a mate only pointed me to this site just today, lol, so can't take the credit [Thanks LoPhatPhuud :) ]

    Go here: http://www.blarp.com/faq/faqmanager.cgi?toc=kerio

    Cheers, TAS
     
  6. FireDancer

    FireDancer Registered Member

    Joined:
    Jul 24, 2003
    Posts:
    316
    I am sorry all,

    It seems my comprehension level just isn't where it needs to be on this subject!!! SLAP ME WITH A BRICK! I have read all that you have posted but for some reason it just seems to be a foreign language. I have NEVER been this thick-skulled in my life. ROFL, the funny thing is that last night while I'm trying to read all that you have so kindly put up for me, my computer is getting pop-up messages that some remote IP address wants to download something to my puter (arghhh); of course I told it no all 3 times!!! I got frustrated and decided to remove the firewall and go back to my ZA Free for now until I can understand more. And to add to my problems, I have a second puter sharing the cable connection, so there is another can of worms opened. I just wanted to say I am sorry for wasting your time as it could probably be used better elsewhere for someone who GETS IT!!! I am also embarrassed to say that I do not know how to create a screen shot!!! I am new to puters and maybe should consider using something else like a string and 2 cans for my communication; I would probably be better off!!! I love my puter and saved for a long time to be able to get it, and now I just don't know how to use it for
    what it was intended for :doubt: due to the fact that there are a lot of malicious people out there in the world.

    Best Regards,
    FireDancer :oops:
     
  7. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    Neither of the links we provided would produce pop-ups; either that is a messenger, or a system messenger installed. If not, it's spyware you let on the system yourself, or through your loose configuration.
    Stopping Windows Messenger Spam

    Take a little more time if you need, but if you really don't understand this information it's ok; you might consider Sygate Free, or another one of those application-oriented firewalls.
     
  8. FireDancer

    FireDancer Registered Member

    Joined:
    Jul 24, 2003
    Posts:
    316
    Hi,

    Thanks I really appreciate the help.

    I will get it figured out sooner or later with whatever firewall I choose ;) and as far as a loose config... I was trying to get it configured at the time I got the notifications of an unwanted download to my puter. I ran all my spyware software and none was found :)
    btw, what would be the difference with Sygate to Kerio? Don't they all need rules set? I think the problem I am having is I don't understand why and when to set a rule. What's good and what's bad?

    FireDancer
     
  9. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    Did you happen to visit the last link I gave you? Are you sure that link isn't your problem? Otherwise it would be some kind of spyware.

    Sygate Free is application-oriented, which means you basically allow the program to use the internet, or not; to be a server, or not; etc. I personally don't like it because the configuration is too simplistic, but for somebody starting out it will be a good start.
     
  10. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    Hi FireDancer.

    Sorry to hear re your problems, but Blitzen is right: it is either Windows Messenger Service itself being left on or some form of spyware.
    Make sure you visit that last link of BlitzenZeus', as that will disable your WMS.

    DO NOT confuse that with Messenger chat programs; it won't stop that if you want that feature. It's mainly used by networked systems to send messages to each other.

    You do not say what your OS is. If it's XP, it is really advisable to get XPAntiSpy, which halts a number of hidden options that are really loopholes in XP.

    It will completely disable WMS itself, stop auto-updates, etc. etc. These are reversible.

    Here: http://www.xpantispy.org/

    If it's the latter, spyware, you really need to have your system cleaned first,
    with either Ad-Aware or Spybot S&D [most use BOTH] :)

    Ad-Aware: http://www.lavasoft.nu/

    Spybot S&D: http://security.kolla.de/index.php?lang=en&page=download

    Check those first, then try Kerio, you won't be disappointed. :)

    Cheers TAS
     

    Attached Files: wms.gif
  11. FireDancer

    FireDancer Registered Member

    Joined:
    Jul 24, 2003
    Posts:
    316
    Hey There

    I use Spybot S&D and Ad-Aware 6.0; also I use HijackThis, and I find nothing. My AV says I have no viruses.

    I am running Windows 98SE and SP1.

    Regards,

    FireDancer

    P.S. Can anyone tell me how to make the screen shots, and I could post what I have so far in Kerio.
     
  12. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Have a look at this post for some software that may help with the screenshots.

    Regards,

    CrazyM
     
  13. FireDancer

    FireDancer Registered Member

    Joined:
    Jul 24, 2003
    Posts:
    316
    CrazyM,

    Gonna try this again. The upload folder at Wilders was full and I could not get it to work, so I gave up for the night.
    As far as writing rules, this is what I have, and btw thanks for the screen shot software; it was a big help. As I was adding rules I would log an application, and some applications, even though they had rules already, would prompt me again as if they had never accessed the net...
    Strange. Maybe I have done something wrong. Another thing I found strange was I opened my AV and Spybot and they went right to the net without asking.
    Well, here's the screen shot. I'm sure you will be able to tell me what I did wrong.
    Thanks for all your patience and help.
    Regards
    FireDancer
     

    Attached Files:

  14. FireDancer

    FireDancer Registered Member

    Joined:
    Jul 24, 2003
    Posts:
    316
    Hello All,

    Well, I am reposting a new screen shot as I feel the last was an abomination!!! I did not have any NetBIOS rules installed and I feel that the order of the rules was very poor. I am having a better day today, as I hope you all are having a good day as well!!

    I have a few questions about the screen shot below.

    1. In my DHCP Broadcast rule the remote address should be the mask of my IP, correct?

    2. In my DHCP rule the remote address should be my IP address, correct? Port 67.

    3. As a final rule, down the list a bit further, I have BLOCK INBOUND SYSTEM PORTS. In this setting I was trying to get it to let me input ports 0-1023 and the lowest it will take is 1-1023. Does anyone know why, and is this a good final rule and position?

    4. I use AVG and have the rule set TCP (out), local ports 1024-4999, remote any address, port 80. The reason I am wondering if this is correct is that software like this could be logging in to several different places to get updates, correct? Do I need an inbound rule for all my software that requires a download to my CPU?

    I hope my fresh start is looking better than the last, and I think, with much reading and much more to go, I am feeling a little more confident in making rules and understanding them :) he he, got a long way to go to catch up to you all..... CrazyM, thanks so much; of all the posts yours were most helpful and more patience-oriented. No disrespect to the others; I am sure you all are very good at what you do. On with the show, here's my new screen shot, hope all is good!!! :rolleyes:

    Regards,
    FireDancer
     

    Attached Files:

  15. FireDancer

    FireDancer Registered Member

    Joined:
    Jul 24, 2003
    Posts:
    316
    Sorry for the top line being blocked out, I didn't see that. It reads:

    NETBIOS BLOCK: UDP/TCP, both directions, any port, any address, 137-139, any application


    :)
     
  16. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    Ok, well, if you are on a broadband provider, then you likely need those DHCP rules.

    With the command 'ipconfig /all' you can see your DNS servers; you should consider putting your DNS server in a couple of rules. Then you make a similar rule to block other DNS with logging and alerting. This way programs can't slip out by trying to fake a DNS connection.

    Here is an example of ICMP rules you might want to look at. One change in this configuration is you don't really need to let ICMP type 3 outbound, after testing I have done, but you still can if you like.
    Example ICMP Rules

    Take note that Kerio will block packets to non-listening ports by default. So you don't really need that sys port blocking rule, but it's ok if you leave it there too. Just make sure it's logging.

    You need to make a loopback rule, see the attached image, and you can change your IE rule to TCP only. Place this above all your application rules like IE, OE, and below your system rules like DHCP, ICMP, etc.

    About local ports 1024-5000, sometimes programs use ports out of this range for standard uses. However, if you want to, you can limit IE and OE to 1024-5000 for their local port range. Same for the DNS rule. The -4999 thing was there because a service was listening on 5000, but just put 5000 if you're going to limit the local port range.

    It seems you're copying the examples pretty well, but I just hope you're understanding what you're doing. If you don't, you will in time if you do some research. Keep in mind that the order of your rules does play a huge role: if it's blocked before it's permitted, it will never be allowed. If it's allowed before it's blocked, it cannot be blocked.

    Edit: Here's a quickie I just did to give you an example which was similar to your rules.
     

    Attached Files:

  17. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    You might want to block port 135 udp/tcp as well..
    Dolf
     
  18. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    In their last example he already had a rule to block this communication.
     