Kerio Rules, I need some help/advice

Discussion in 'other firewalls' started by darksky, Jan 20, 2003.

Thread Status:
Not open for further replies.
  1. darksky

    darksky Registered Member

    Joined:
    Jan 13, 2003
    Posts:
    34
    CrazyM, Tassie, Jack & the gang...

    Thank you for all the helpful input. I've tested now a couple of firewalls against PCFlank. Kerio, no matter what I do, continues to show warnings on their tests... When I do their Advanced Port Scan it shows port 80 as CLOSED but not stealthed. When I run the same test on GRC, however, it shows PORT 80 as stealthed.

    I also tested SygatePro - EVERYTHING is stealthed on every test I've run it against - on PCFLANK as well as 5 other sites, including PORT 80. Since SYGATE comes up full stealth on PCFLANK's tests every time, it makes me question whether Kerio is simply not providing the same level of protection.

    I realize if that's the case, it's probably my error in my rulesets but I can not seem to stealth that port on PCFLANK consistently no matter what I try.

    This is my first try with a rules-based firewall and I'm beginning to think I'm not smart enough to use one yet. I don't want to open myself up out of ignorance because of improper settings.

    Do any of you run Kerio, and if so, is it showing up as SAFE on PCFLANK's QuickTEST or are you also getting warnings?
     
  2. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium - Liège
    Hello,

    As largely discussed before, you are not more or less secure with Closed or Blocked.

    But if a developer advertises that his product can make you Stealth, it has to do what it says.

    I have no problem with KPF to be in stealth mode for any port.

    Rgds,
     
  3. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    Hi darksky.

    It's not often I can get PCFlank to work for me simply because I am behind my ISP's Proxy, and it states as such.

    But on the occasions I have somehow managed to get the right IP I have always come up Stealthed on everything.

    I am currently using KPF, no probs. I only did a full scan at Sygate's site of each of the options and all BLOCKED.

    Good luck with Sygate, as I believe it is a nice FW.

    I have tried Sygate, and it was great, BUT, it conflicted with my PC-cillin AV [even said in their conflicts page, that it conflicts with PC-cillin and to UNINSTALL PC-Cillin.] So I went to KPF and am not sorry in the least.

    Cheers, TAS.
     
  4. JayK

    JayK Poster

    Joined:
    Dec 27, 2002
    Posts:
    619
    Does this one ever work? I've never ever accessed it before despite many tries now and in the past. All I get is some geek error message, "403" :p

    Just for fun, I've disabled everything from webwasher, proxo, host files, IEspyad, firewall, DNSkong, Autopac file, still to no avail...
     
  5. JayK

    JayK Poster

    Joined:
    Dec 27, 2002
    Posts:
    619
    Hey Darksky, you don't seem to get what we are saying, probably my fault.

    Basically Stealth is as secure as Blocked. The idea of stealth is that by dropping packets and not responding, hackers won't know you are there.... Supposedly this is safer than "blocked", where you respond "No" but give away the fact that you are there.

    However, to be truly stealthed you have to control how routers in front of you respond. You might not respond to a probe, but the lack of response itself is a dead giveaway to hackers, because if you were truly not there, someone (probably your ISP's router) would respond that no one is at that IP address. But your router knows you are there, so it won't send the message. This is a dead giveaway.

    The second reason is that "Some of the firewall test sites are not always consistent or correct for any number of reasons," as stated by CrazyM. You can read more about this if you are interested, but I always take the whole stealth business with a pinch of salt. I've seen people post that you can be considered stealthed on GRC even with no firewall, which is strange when you think about it. This just tells me that scanners are inconsistent depending on what assumptions they make.

    Basically, if your ports are shown to be blocked, don't go crazy if you can't get stealthed on some sites. I'd rather spend more time learning about other aspects of security, like hardening your OS, tightening up your firewall rules, learning about encryption, threats to privacy and more.
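The closed / stealth / "nobody there" distinction described in this post, reduced to the decision a port scanner actually makes on the packet it gets back. This is an added example for the thread, not code from Kerio, Sygate or any of the test sites; the state labels, the ICMP code mapping and the sample replies are this example's own constructions, and the "silence means someone is there" heuristic assumes the last-hop router does send ICMP unreachables, which real ISPs do not always do.

```python
"""Classify what a SYN probe got back, the way scanner sites label ports.

Added example for this thread, not code from any firewall or test site.
The labels, ICMP mapping and sample replies are constructed for
illustration; nmap and the PCFlank/GRC/Sygate pages use their own wording.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# TCP flag bits as they appear in the TCP header flags byte.
TCP_SYN = 0x02
TCP_RST = 0x04
TCP_ACK = 0x10

# ICMP type 3 (destination unreachable) and the codes distinguished here.
ICMP_UNREACHABLE = 3
ICMP_CODE_NET_UNREACH = 0
ICMP_CODE_HOST_UNREACH = 1
ICMP_CODE_PORT_UNREACH = 3
ICMP_CODE_ADMIN_PROHIBITED = 13


@dataclass(frozen=True)
class Reply:
    """One packet that came back for a SYN probe to `port`."""
    port: int
    proto: str                      # "tcp" or "icmp"
    tcp_flags: int = 0              # only meaningful for proto == "tcp"
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None


def classify(reply: Optional[Reply]) -> str:
    """Map a reply (or its absence, reply=None) to a scanner-style label.

    stealth  : nothing came back; the probe was silently dropped
    closed   : the host answered RST: it is there, nothing listens
    open     : SYN/ACK, a service accepted the connection
    rejected : ICMP port-unreachable / admin-prohibited: an explicit "no"
    absent   : ICMP net/host unreachable, normally sent by a router in
               front of the target, i.e. the "nobody at this address"
               answer that a stealthed-but-present host never produces
    """
    if reply is None:
        return "stealth"
    if reply.proto == "tcp":
        if reply.tcp_flags & TCP_SYN and reply.tcp_flags & TCP_ACK:
            return "open"
        if reply.tcp_flags & TCP_RST:
            return "closed"
        return "unknown"
    if reply.proto == "icmp" and reply.icmp_type == ICMP_UNREACHABLE:
        if reply.icmp_code in (ICMP_CODE_NET_UNREACH, ICMP_CODE_HOST_UNREACH):
            return "absent"
        if reply.icmp_code in (ICMP_CODE_PORT_UNREACH, ICMP_CODE_ADMIN_PROHIBITED):
            return "rejected"
    return "unknown"


def scan_report(probed_ports: List[int], replies: List[Reply]) -> Dict[int, str]:
    """Classify every probed port; ports that drew no reply are 'stealth'."""
    by_port = {r.port: r for r in replies}
    return {p: classify(by_port.get(p)) for p in probed_ports}


def host_is_probably_there(report: Dict[int, str]) -> bool:
    """Silence is not absence: unless every probe drew an ICMP unreachable
    from a router, something at that address is receiving the packets.
    (Assumption for this example: the ISP router does not rate-limit or
    suppress ICMP unreachables; real networks vary.)
    """
    return any(state != "absent" for state in report.values())


# Constructed sample (not captured data): one SYN-scan pass against a PC
# behind a packet-filtering firewall that drops some ports and rejects others.
PROBED_PORTS = [21, 22, 25, 80, 443]
SAMPLE_REPLIES = [
    Reply(port=22, proto="tcp", tcp_flags=TCP_SYN | TCP_ACK),        # service listening
    Reply(port=80, proto="tcp", tcp_flags=TCP_RST | TCP_ACK),        # OS/firewall said "no"
    Reply(port=25, proto="icmp", icmp_type=ICMP_UNREACHABLE,
          icmp_code=ICMP_CODE_ADMIN_PROHIBITED),                    # explicit reject
    # ports 21 and 443 draw no reply at all: the scanner calls them "stealth"
]


def demo() -> Dict[int, str]:
    """Run the classifier over the constructed sample."""
    return scan_report(PROBED_PORTS, SAMPLE_REPLIES)


if __name__ == "__main__":
    report = demo()
    for port, state in sorted(report.items()):
        print(f"{port:5d}/tcp  {state}")
    print("host present:", host_is_probably_there(report))
```

Run it and port 80 comes out "closed" while 21 and 443 come out "stealth", which is the same machine answering two ports differently because of two different firewall rules (reject versus drop), not a difference in exposure. Only the "absent" label, which the target itself cannot produce, would make the address look unused.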
     
  6. JayK

    JayK Poster

    Joined:
    Dec 27, 2002
    Posts:
    619
    Yes. But when you think about it though, this means that the typical user who does not run email servers or webservers doesn't need to keep many (any?) ports open.

    Assuming that such a user manages to close down EVERY listening port by Windows (a great feat I'm sure), would he need a firewall? After all everything is blocked already.

    Of course, the argument for using a firewall now rests solely on outbound protection to check trojans and spyware correct?
     
  7. darksky

    darksky Registered Member

    Joined:
    Jan 13, 2003
    Posts:
    34
    Hi,

    No, not your fault at all. Your explanation is clear. The additional points you made regarding routers were also most helpful.

    I was drawing the conclusion that because I was getting consistent stealth results with SyGate and inconsistent "closed" results with Kerio, I may have misconfigured my ruleset.

    From your comments it sounds as if stealth vs closed is not as big an issue as I had assumed, and that my Kerio results may mean I'm not any less protected with Kerio than with Sygate.

    Thanks.
     
  8. JayK

    JayK Poster

    Joined:
    Dec 27, 2002
    Posts:
    619
    Hi

    Come to think of it, it's not the clarity of my responses you should be worried about. It's the accuracy that you should be worried about.
     
  9. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium - Liège
    Hi JayK,

    Yes, and not only on GRC but on all sites running stealth tests.

    Depends on the provider: some (very seldom) use a transparent proxy or something of the kind; it was discussed and proved on the Kerio Yahoo groups when KPF didn't yet succeed at stealth tests.

    BTW, on scanner test sites, Stealth= Blocked (like Sygate and GRC for instance) (rejected request)
    and Closed when the request is denied

    Rgds,
     
  10. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    > Does this one ever work? I've never ever accessed it before despite many tries now and in the past. All I get is some geek error message, "403"
    >
    > Just for fun, I've disabled everything from webwasher, proxo, host files, IEspyad, firewall, DNSkong, Autopac file, still to no avail...

    Hi JayK

    LOL, You sound like I do when I try PCFlanks. I very rarely get that to work, but with Blackcode I haven't failed yet. [See page 2 of this thread and my posted pic]. I also had only scanned last night again from there and no probs.

    Cheers.
     
  11. JayK

    JayK Poster

    Joined:
    Dec 27, 2002
    Posts:
    619
    The problem with "Defence in depth" is that if something is blocked, you have no idea what is causing it, especially if they don't give any signal.

    Still, generally I have learnt how to recognise a URL blocked due to proxomitron, hosts file or firewall...
     