Kerio PFW and AOL

first of all I would like to express my special thanks to CrazyM and BlitzenZeus, who are going to share plenty of their valuable expertice within this forum.
I'm still a beginner using kerio pfw software, but start using this security tool and learning more and more about it was made pretty convenient to me by lot of information, I could already read from those both guy's.

now I stock on some of my experimets with kerio pfw and would like to ask you for sharing some specific information related to the use of Kerio pfw and AOL, as I'm using AOL as a internet provide most time.

would it be ok just to permit WAOL.EXE to use all ports ( in and out out) on tcp and udp, or is there any information available on which ports nad protokolls are usually used by WAOL.EXE?
could I also limit the permit for WAOL.EXE to certain ip adresses ( adress ranges)?
Are there any specific DNS of DHCP settings relevant with regart o to AOL?
the kerio pfw log did not provide me any usefull information on this.

regards
nogi

 

I nogi,
I don't think any firewall should be depending on the way you connect to the Internet.
Dolf

 

Sorry, I don't like any AOL products touching my computer, let alone use their proprietary service which is overpriced. The closest I got was when Netscape installed AIM, and the AOD crap on my computer without my permission, I was pissed, it was also the last time I ever used Netscape. My best suggestion is that you find another provider personally.

If you still want to use them, go through the connections one by one to find the patterns of normal browser traffic, and connections it might require. Do not depend on your logs, disable your block all, use the prompts, and go from there. If you wanted to cheat you could only start with being critical about its inbound connections, then tighten its outbound connections. If you do a little searching on the net you might find someone who might have already covered some aohell configurations.

 

Thanks, BlitzenZeus, for providing me the direction, how I could try to optimize my PFW rule settings with regard to AOL. AS I maybe still to much a newbe on the internet, I do prefer to stay with AOL as my primary internet provider for a while.

maybe in a few time I could provide here on this forum my experiences and some valuable information with regard to the use of kerio pfw on AOL.

nogi

 

Hi nogi

I have never used AOL as a provider, so have no direct experience with what their software may require.

When you are prompted for WAOL.EXE what type of connection(s) is it wanting? I think you will have to determine exactly what all it requires before trying to customize your rules. First thing to try and determine would be remote services and protocols. Don't worry about addresses just yet. Without allowing all, with every new prompt create a rule allowing to the remote service/port and protocol and see if you can come up with a list.

Do you have a good basic rule set in place already?

...and welcome to Wilders .

Regards,

CrazyM

 

CrazyM asks some very valid questions, like did you already have a good ruleset in place already like DHCP if needed, DNS, and ICMP?

Are familiar enough with rule based firewalls to see the pattern for things like standard browsing rules, then truely customize, and secure you rules at this point? If not are you just making permit rules, the not combining, and not customizing them later?

Other than the standard communications like DHCP, DNS, and ICMP I wouldn't know what the proprietary software would require other than standard configurations like you would use for your browser.

 

sorry for my late reply, but I hadn't been online for a while.

Right now I'm following the recommentdations as provided by CrazyM and BlitzenZeus in order to find out, what WAOL.EXE is doing exactly while connecting to the internert. This works like a thorny path for me as I'm still not much experienced on network/internet technology as well as with the terminology and abbreviations used hereby.

Therefor I highly appreciate having joined this forum as here I will find competent and dedicated experts guideing me through this stuff and probably I may be also able to contribute here with some new information reagrding AOL.

Right now my basic rule set lookspretty close on what has been recommended by "ground rule settings" proposed on "http://www.blarp.com/faq/faqmanager.cgi?file=kerio_genrules&toc=kerio#q5"

NETBIOS: communication should be blocked completely

DNS: I assume that AOL would work with rule set "GRS - 1.ISP(AOL) DNS - UDP",
nevertheless I'm still using rule set "universal DNS - UDP" in order to observe the situation, both rule sets get logged, when they will match;
once I will fell comfortable, that rule set "GRS - 1.ISP(AOL) DNS - UDP" will work, I will delete rule set "universal DNS - UDP" and will set "GRS - block other DNS" instead of it.

DHCP: I assume I will not need for AOL

ICMP: I'm just following the recommendation on the ground rule set definitions and they may work

WAOL: at the time being, I have allowed this application full inbound/outbond access and I'm monitoring it's activities within the log, this may be not as safe as getting prompted each time when WAOL will connenct with a new paramenter set, but at least it let me allow to wokr with AOL until I may have understood WAOL's ways of communication and than I hope to be able to set a right set of rules for it.

At the time being I see only three major activities of WAOL:

1.a UDP inbound/outbound communication via remote port 5190 ( I assume the the IP adress would be dynanically asigned each time when I connect)

2.a TCP outbound communication to remote port 80, which might be ok ?!

3. a seldom uses TCP outbound communuication to remote port 12840 on which I have no clou at the moment, for what it is used.


Any valuable information on this is still appreciated, I will continue to report on my experiences with AOL and Kerio on this forum ( but I appologize the frequence of my replies as I may not spend time each day on this subject ).

nogi

 

It seems your still in over your head currently, but still want to figure this out.

I want you to do a couple things first:
-Go into the administration, advanced, and disable the microsoft networking tab if you haven't already.
-On the Miscellaneous tab uncheck 'log suspocious packets' as it logs 95% garbage which are just timed out packets which are no threat.
-On the above tab make sure that logging of packets to unopened ports is enabled.
-Whenever you make a blocking rule, make it logging unless you don't want to have it produce any logs.

You netbios rule is incorrect, you need two rules:
Netbios Block 1
App: no
TCP/UDP
Both Directions
Local ports 137-139
Remote: Any
Deny, and logging.

Netbios Block 2
App: no
TCP/UDP
Both Directions
Local: any
Remote ports 137-139
Report ip: any
Deny, and logging

There is no time like the present to test your dns rule, disable the one that permits all dns, and make sure the one that is restricted is working. If you need to you can make more dns rules, or even use the custom address group on the Miscellaneous tab after you pick 'custom address group' for the remote ip. You should also use a anti-spoofing rule so here is an example of some dns rules.
AOL DNS
App: no
udp
both
local port 1024-5000
remote addy: dns servers
remote port 53
permit

DNS Alert
App: no
tcp/udp
local: any
remote port: 53
remote addy: any
deny, log, and alert.
This is designed to alert you to spoofing, and when you have a new dns server. Before you add a new dns server make sure it appears in your ip configuration. 9x 'winipcfg', NT(2k,xp, etc) 'ipconfig/all', and on the correct adapter they should list their dns servers. There isn't much dns spoofing in the wild, but its nice to know you can prevent it. I leave the blocking rule as alerting, but you can take off the alert if you like.


DHCP is used for most broadband, and many lan/ics configurations. If you do use a broadband provider then it might not seem like you need it at first, but when your dhcp lease expires your rules need to permit the renewing of the lease. Dial-up doesn't use dhcp.

Without knowing what those icmp rules permit, here is a link giving some information on basic icmp configurations.
http://www.wilderssecurity.com/showthread.php?t=1124;start=msg8459#msg8459

The fact that your allowing it freely, and watching the logs isn't the best thing since you could have actually made rules from the prompts to be farther than you are now. This would also help keep track of which ports it uses better. AOL is a browser too so browser rules would apply, but just like any browser you can't restrict passive ftp transfers so leaving the upper tcp port range open for passive ftp transfers is just like not restricting the outbound tcp traffic. If you do use the browser ports you might have to permit each ftp packet.

Start with a rules like these now:
aol
App: waol
tcp
outbound
local ports: 1024-5000
remote: any
permit

aol udp
App: waol
outbound - if you have to make it both directions, start assigning remote servers.
udp
local ports: 1024-5000
remote port 5190
remote address: any
permit

Now to talk about your ruleset, past the need for dhcp, and dns there is no need to alet svchost.exe outbound. Make a rule like this, and if use the time sync in windows then make the permit rule above the block rule.
Timy Sync
App: svchost
both
udp
local port 123
remote port 123
remote address: time server
permit

Svchost block
App: svchost
both
tcp/udp
local: any
remote: any
deny, and logging

Now since your building your ruleset you should not block the outbound past your rules, work with it. Kerio will block packets to unopened ports by default so unless its listeing, or a protocol like icmp, it won't prompt you if its not in your rules while blocking it. I have two block all rules inbound, and outbound.
Block all inbound
App: no
Protocol: any
both
local: any
remote: any
deny, log

Block all outbound
App: no
Protocol: any
both
local: any
remote: any
deny, log
You should only need to use your block all in bound, if you even need to use that.

See where you can go from there....

 

Hi Nogi,

Unfortunately, unlike other providers which give you 1,2 or 3 DNS IP and don't change them every other day, AOL constantly changes its DNS : you will never be able to restrict DNS as long as you will run AOHell as ISP ;(

Maybe would it be possible to limit to a IP range, I don't know : we don't have the bad luck to have this ISP in Belgium

Rgds,

 

dial-up doesn't work without DHCP
Dolf

 

Don't change the subject, and no. I run XP Pro, DHCP is completely disabled at the moment, the service cannot start, and its the dialer that gathers your connection settings for you. In the years I have used dial-up, I have never had to make any allow rules for DHCP, and even when all the possible connections for dhcp were blocked, it still worked.

What you said is unfounded, and only applies to many broadband connections, along with dynamicially assigned lan based connections.

 

Don't know about firewalls, but if you make a connection to your ISP there are two ways:
1: You have a fixed IP address, which you can use
2: you get an IP address assigned by your ISP. In this case DHCP is used. There is no other way.

Dial-up connections don't have a fixed IP address by default.

I wasn't talking about the DHCP service which you can enable in NT/XP.
This service is used for assigning IP addresses to connecting clients, which is not the case here

Dolf

 

Dollefie, you are incorrect.

A different protcol gathers your connection data for you, and its something the actual dialer does. DHCP is not involved. I know this, I have been using dial-up for years, and never had to allow DHCP as it uses a different protcol. As previosly said, my dhcp is competely disabled, and I'm on dial-up right now. I had no problems connecting. I don't have any dhcp allow rules, and to repeat dhcp is disabled. If I hooked up to a broadband provider it wouldn't try to use dhcp since its disabled.

Does that explain it? Do you need a link?
http://www.broadbandreports.com/faq/security/2.5.1.+Kerio+and+pre-v3.0+Tiny+PFW#2525

This thread is about this persons AOL configuration, and their own configuration. Lets leave it that way...