Kerio PFW and AOL

Discussion in 'other firewalls' started by nogi, Aug 30, 2003.

Thread Status:
Not open for further replies.
  1. nogi

    nogi Registered Member

    Joined:
    Aug 30, 2003
    Posts:
    3
    o_O

    First of all I would like to express my special thanks to CrazyM and BlitzenZeus, who are going to share plenty of their valuable expertise within this forum.
    I'm still a beginner using Kerio PFW software, but starting to use this security tool and learning more and more about it was made pretty convenient for me by a lot of information I could already read from both of those guys.

    Now I am stuck on some of my experiments with Kerio PFW and would like to ask you to share some specific information related to the use of Kerio PFW and AOL, as I'm using AOL as an internet provider most of the time.

    Would it be OK just to permit WAOL.EXE to use all ports (in and out) on TCP and UDP, or is there any information available on which ports and protocols are usually used by WAOL.EXE?
    Could I also limit the permit for WAOL.EXE to certain IP addresses (address ranges)?
    Are there any specific DNS or DHCP settings relevant with regard to AOL?
    The Kerio PFW log did not provide me any useful information on this.

    regards
    nogi
     
  2. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    Hi nogi,
    I don't think any firewall should be depending on the way you connect to the Internet.
    Dolf
     
  3. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    Sorry, I don't like any AOL products touching my computer, let alone use their proprietary service which is overpriced. The closest I got was when Netscape installed AIM, and the AOD crap on my computer without my permission, I was pissed, it was also the last time I ever used Netscape. My best suggestion is that you find another provider personally.

    If you still want to use them, go through the connections one by one to find the patterns of normal browser traffic, and connections it might require. Do not depend on your logs, disable your block all, use the prompts, and go from there. If you wanted to cheat you could only start with being critical about its inbound connections, then tighten its outbound connections. If you do a little searching on the net you might find someone who might have already covered some aohell configurations.
     
  4. nogi

    nogi Registered Member

    Joined:
    Aug 30, 2003
    Posts:
    3
    Thanks, BlitzenZeus, for providing me the direction on how I could try to optimize my PFW rule settings with regard to AOL. As I may still be too much of a newbie on the internet, I do prefer to stay with AOL as my primary internet provider for a while.

    Maybe in a little while I could provide here on this forum my experiences and some valuable information with regard to the use of Kerio PFW on AOL.

    nogi
     
  5. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi nogi

    I have never used AOL as a provider, so have no direct experience with what their software may require.

    When you are prompted for WAOL.EXE what type of connection(s) is it wanting? I think you will have to determine exactly what all it requires before trying to customize your rules. First thing to try and determine would be remote services and protocols. Don't worry about addresses just yet. Without allowing all, with every new prompt create a rule allowing to the remote service/port and protocol and see if you can come up with a list.

    Do you have a good basic rule set in place already?

    ...and welcome to Wilders :).

    Regards,

    CrazyM
     
  6. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    CrazyM asks some very valid questions, like did you already have a good ruleset in place, like DHCP if needed, DNS, and ICMP?

    Are you familiar enough with rule based firewalls to see the pattern for things like standard browsing rules, then truly customize, and secure your rules at this point? If not, are you just making permit rules, then not combining, and not customizing them later?

    Other than the standard communications like DHCP, DNS, and ICMP I wouldn't know what the proprietary software would require other than standard configurations like you would use for your browser.
     
  7. nogi

    nogi Registered Member

    Joined:
    Aug 30, 2003
    Posts:
    3
    Sorry for my late reply, but I hadn't been online for a while.

    Right now I'm following the recommendations as provided by CrazyM and BlitzenZeus in order to find out what WAOL.EXE is doing exactly while connecting to the internet. This works like a thorny path for me as I'm still not much experienced in network/internet technology as well as with the terminology and abbreviations used hereby.

    Therefore I highly appreciate having joined this forum, as here I will find competent and dedicated experts guiding me through this stuff, and probably I may also be able to contribute here with some new information regarding AOL.

    Right now my basic rule set looks pretty close to what has been recommended by the "ground rule settings" proposed on "http://www.blarp.com/faq/faqmanager.cgi?file=kerio_genrules&toc=kerio#q5"

    NETBIOS: communication should be blocked completely

    DNS: I assume that AOL would work with rule set "GRS - 1.ISP(AOL) DNS - UDP",
    nevertheless I'm still using rule set "universal DNS - UDP" in order to observe the situation; both rule sets get logged when they match;
    once I feel comfortable that rule set "GRS - 1.ISP(AOL) DNS - UDP" will work, I will delete rule set "universal DNS - UDP" and will set "GRS - block other DNS" instead of it.

    DHCP: I assume I will not need for AOL

    ICMP: I'm just following the recommendation on the ground rule set definitions and they may work

    WAOL: at the time being, I have allowed this application full inbound/outbound access and I'm monitoring its activities within the log. This may not be as safe as getting prompted each time WAOL connects with a new parameter set, but at least it allows me to work with AOL until I have understood WAOL's ways of communication, and then I hope to be able to set a right set of rules for it.

    At the time being I see only three major activities of WAOL:

    1. a UDP inbound/outbound communication via remote port 5190 (I assume the IP address would be dynamically assigned each time I connect)

    2. a TCP outbound communication to remote port 80, which might be ok ?!

    3. a seldom used TCP outbound communication to remote port 12840, on which I have no clue at the moment what it is used for.


    Any valuable information on this is still appreciated. I will continue to report on my experiences with AOL and Kerio on this forum (but I apologize for the frequency of my replies, as I may not spend time each day on this subject).

    nogi
     


  8. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    It seems you're still in over your head currently, but still want to figure this out.

    I want you to do a couple things first:
    -Go into the administration, advanced, and disable the microsoft networking tab if you haven't already.
    -On the Miscellaneous tab uncheck 'log suspicious packets' as it logs 95% garbage which are just timed out packets which are no threat.
    -On the above tab make sure that logging of packets to unopened ports is enabled.
    -Whenever you make a blocking rule, make it logging unless you don't want to have it produce any logs.

    Your netbios rule is incorrect, you need two rules:
    Netbios Block 1
    App: no
    TCP/UDP
    Both Directions
    Local ports 137-139
    Remote: Any
    Deny, and logging.

    Netbios Block 2
    App: no
    TCP/UDP
    Both Directions
    Local: any
    Remote ports 137-139
    Remote ip: any
    Deny, and logging


    There is no time like the present to test your dns rule, disable the one that permits all dns, and make sure the one that is restricted is working. If you need to you can make more dns rules, or even use the custom address group on the Miscellaneous tab after you pick 'custom address group' for the remote ip. You should also use an anti-spoofing rule so here is an example of some dns rules.
    AOL DNS
    App: no
    udp
    both
    local port 1024-5000
    remote addy: dns servers
    remote port 53
    permit

    DNS Alert
    App: no
    tcp/udp
    local: any
    remote port: 53
    remote addy: any
    deny, log, and alert.

    This is designed to alert you to spoofing, and when you have a new dns server. Before you add a new dns server make sure it appears in your ip configuration. 9x 'winipcfg', NT(2k,xp, etc) 'ipconfig/all', and on the correct adapter they should list their dns servers. There isn't much dns spoofing in the wild, but it's nice to know you can prevent it. I leave the blocking rule as alerting, but you can take off the alert if you like.


    DHCP is used for most broadband, and many lan/ics configurations. If you do use a broadband provider then it might not seem like you need it at first, but when your dhcp lease expires your rules need to permit the renewing of the lease. Dial-up doesn't use dhcp.

    Without knowing what those icmp rules permit, here is a link giving some information on basic icmp configurations.
    http://www.wilderssecurity.com/showthread.php?t=1124;start=msg8459#msg8459

    The fact that you're allowing it freely, and watching the logs isn't the best thing since you could have actually made rules from the prompts to be farther than you are now. This would also help keep track of which ports it uses better. AOL is a browser too so browser rules would apply, but just like any browser you can't restrict passive ftp transfers so leaving the upper tcp port range open for passive ftp transfers is just like not restricting the outbound tcp traffic. If you do use the browser ports you might have to permit each ftp packet.

    Start with rules like these now:
    aol
    App: waol
    tcp
    outbound
    local ports: 1024-5000
    remote: any
    permit

    aol udp
    App: waol
    outbound - if you have to make it both directions, start assigning remote servers.
    udp
    local ports: 1024-5000
    remote port 5190
    remote address: any
    permit


    Now to talk about your ruleset, past the need for dhcp, and dns there is no need to let svchost.exe outbound. Make a rule like this, and if you use the time sync in windows then make the permit rule above the block rule.
    Time Sync
    App: svchost
    both
    udp
    local port 123
    remote port 123
    remote address: time server
    permit

    Svchost block
    App: svchost
    both
    tcp/udp
    local: any
    remote: any
    deny, and logging


    Now since you're building your ruleset you should not block the outbound past your rules, work with it. Kerio will block packets to unopened ports by default so unless it's listening, or a protocol like icmp, it won't prompt you if it's not in your rules while blocking it. I have two block all rules inbound, and outbound.
    Block all inbound
    App: no
    Protocol: any
    both
    local: any
    remote: any
    deny, log

    Block all outbound
    App: no
    Protocol: any
    both
    local: any
    remote: any
    deny, log

    You should only need to use your block all inbound, if you even need to use that.

    See where you can go from there....
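
An added example, not part of BlitzenZeus's post and not Kerio's own code: a small Python model of the rules listed above, showing why the restricted DNS permit sits above the DNS alert rule and the Time Sync permit above the svchost block. It assumes top-to-bottom, first-match evaluation (which is what placing a permit above a block relies on), ignores direction, and uses constructed documentation-range addresses for the DNS and time servers.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    action: str                       # "permit" or "deny"
    app: str = None                   # None models "App: no" (any application)
    protos: tuple = ("tcp", "udp")
    local_ports: range = None         # None models "any"
    remote_ports: range = None
    remote_addrs: frozenset = None
    alert: bool = False

    def matches(self, p):
        return ((self.app is None or self.app == p["app"])
                and p["proto"] in self.protos
                and (self.local_ports is None or p["lport"] in self.local_ports)
                and (self.remote_ports is None or p["rport"] in self.remote_ports)
                and (self.remote_addrs is None or p["raddr"] in self.remote_addrs))

def evaluate(rules, p):
    """Walk the list top to bottom; the first matching rule decides."""
    for r in rules:
        if r.matches(p):
            return r.name, r.action, r.alert
    return "unmatched", "none", False

def packet(app, proto, lport, raddr, rport):
    return {"app": app, "proto": proto, "lport": lport, "raddr": raddr, "rport": rport}

# Constructed placeholders (documentation address ranges), not real AOL servers.
DNS_SERVERS = frozenset({"192.0.2.53", "192.0.2.54"})
TIME_SERVER = frozenset({"198.51.100.123"})
HIGH = range(1024, 5001)              # local ports 1024-5000

RULES = [
    Rule("AOL DNS", "permit", protos=("udp",), local_ports=HIGH,
         remote_ports=range(53, 54), remote_addrs=DNS_SERVERS),
    Rule("DNS Alert", "deny", remote_ports=range(53, 54), alert=True),
    Rule("Time Sync", "permit", app="svchost", protos=("udp",),
         local_ports=range(123, 124), remote_ports=range(123, 124),
         remote_addrs=TIME_SERVER),
    Rule("Svchost block", "deny", app="svchost"),
    Rule("aol", "permit", app="waol", protos=("tcp",), local_ports=HIGH),
    Rule("aol udp", "permit", app="waol", protos=("udp",), local_ports=HIGH,
         remote_ports=range(5190, 5191)),
]
```

Calling `evaluate(RULES, packet("waol", "udp", 1030, "203.0.113.9", 53))` returns the DNS Alert rule with its alert flag set, because the queried server is not in the permitted group; moving "Svchost block" above "Time Sync" makes the time sync packet hit the deny first.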
     
  9. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium -Liège
    Hi Nogi,

    Unfortunately, unlike other providers which give you 1,2 or 3 DNS IP and don't change them every other day, AOL constantly changes its DNS : you will never be able to restrict DNS as long as you will run AOHell as ISP ;(

    Maybe it would be possible to limit to an IP range, I don't know : we don't have the bad luck to have this ISP in Belgium :cool:

    Rgds,
     
  10. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    dial-up doesn't work without DHCP
    Dolf
     
  11. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    Don't change the subject, and no. I run XP Pro, DHCP is completely disabled at the moment, the service cannot start, and its the dialer that gathers your connection settings for you. In the years I have used dial-up, I have never had to make any allow rules for DHCP, and even when all the possible connections for dhcp were blocked, it still worked.

    What you said is unfounded, and only applies to many broadband connections, along with dynamically assigned lan based connections.
     
  12. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    Don't know about firewalls, but if you make a connection to your ISP there are two ways:
    1: You have a fixed IP address, which you can use
    2: you get an IP address assigned by your ISP. In this case DHCP is used. There is no other way.

    Dial-up connections don't have a fixed IP address by default.

    I wasn't talking about the DHCP service which you can enable in NT/XP.
    This service is used for assigning IP addresses to connecting clients, which is not the case here

    Dolf
     
  13. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    Dollefie, you are incorrect.

    A different protocol gathers your connection data for you, and it's something the actual dialer does. DHCP is not involved. I know this, I have been using dial-up for years, and never had to allow DHCP as it uses a different protocol. As previously said, my dhcp is completely disabled, and I'm on dial-up right now. I had no problems connecting. I don't have any dhcp allow rules, and to repeat dhcp is disabled. If I hooked up to a broadband provider it wouldn't try to use dhcp since it's disabled.

    Does that explain it? Do you need a link?
    http://www.broadbandreports.com/faq/security/2.5.1.+Kerio+and+pre-v3.0+Tiny+PFW#2525

    This thread is about this person's AOL configuration, and their own configuration. Let's leave it that way...
     
  14. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,873
    Location:
    New England
    BlitzenZeus is talking about PPP connections that use IPCP instead of DHCP in order to get assigned their IP addresses. This is also how my ISP dialup account works. I think relevant webpages that describe this would be found by searching on "PPP IPCP DIALUP ADDRESS" or similar search combinations.

    Such a topic might make an interesting new thread if anyone wants to discuss how all that works in detail. Meanwhile, back to using Kerio with AOL...
     