Kerio v 2.1.5 with a proxy server

Discussion in 'other firewalls' started by seakiwi, Nov 5, 2004.

Thread Status:
Not open for further replies.
  1. seakiwi

    seakiwi Registered Member

    Joined:
    Nov 4, 2004
    Posts:
    47
    I have been running the free version 2.1.5 of Kerio for some time now with no problems, and have pretty much refined a set of rules which works to stealth my machine, but still lets me do whatever I need to do on the internet.

    Until recently ....

    I recently installed CCProxy on my machine, and my kids' machine connects to the internet via this proxy server. However, I have just run a Shields Up test at GRC and have found several open ports, much to my horror. I managed to close a couple of them by disabling things in my proxy server I didn't need, such as news and telnet, but I still have three ports open. Both mail ports - 110 and 25 - and 808, which is the default port my proxy server uses for most protocols.

    Can someone please tell me what to do to at the very least, close these three ports, or preferably - stealth them? I am not particularly knowledgeable about proxy servers as this is the first time I have used one, so chances are I may have made some rules errors in Kerio for the proxy server rules.

    I could post a screenshot of my kerio rules if that would help.

    Any help anyone can offer me would be much appreciated. TIA!
     
  2. TheSnowman

    TheSnowman Guest

    Which port is the proxy SUPPOSED to use... PORT... just one, not several!!! And certainly not your mail ports!


    Proxies normally tell you in advance which port they're going to use... if you are using Internet Explorer you set the proxy port number within it... then tweak your Internet Explorer rule... you do have one, right?

    Internet Explorer should be assigned only certain ports... which are listed in your firewall rules... those ports should be OUTBOUND ONLY, and NOT INBOUND... add the port the proxy needs to the Internet Explorer port rules... IF YOU ARE USING IT THROUGH INTERNET EXPLORER.



    This behavior you mention... you did assign certain ports to EACH PROGRAM, right? Outlook Express has its ports... different messengers have their particular ports... and so forth.

    If you were using, let's say, Webwasher (proxy) with Internet Explorer... Webwasher uses port 8080... simply add 8080 to your Internet Explorer port rule...

    Until you fix the problem you should consider not using the proxy... those ports you listed are constantly scanned by outsiders seeking backdoors.
     
  3. TheSnowman

    TheSnowman Guest

    CCProxy is not the type of proxy I had in mind... look here for info:


    http://www.youngzsoft.net/ccproxy/ie.html





    I am not sure I would personally want to use it... let others comment, and I'll just read...


    Good luck
     
  4. thesnowman

    thesnowman Guest

    Just a very quick note... an apology, actually. I did not notice your mention of it being a proxy SERVER... my bad, sorry...
     
  5. seakiwi

    seakiwi Registered Member

    Joined:
    Nov 4, 2004
    Posts:
    47
    The proxy default port settings are:

    HTTP: 808
    FTP(Web): 808
    FTP: 2121
    Gopher: 808
    Secure/SSL/HTTPS/RTSP: 808
    SOCKS/MMS: 1080
    News(NNTP): 119
    SMTP: 25
    POP3: 110
    Telnet: 23

    Telnet and news I have disabled as I don't need them.


    OK, MY machine (the one the proxy server is on) is not using IE. I am using Firefox with a TCP OUT rule only. I do have that rule set for "any port" though. So which port do I need to assign for my Firefox rule? 808?




    OK, I will attach a screenshot of my Kerio rules (two shots as I can't fit them all in one) - would you mind taking a look at them to see what I need to add/alter? I ran them past the Kerio forum guys at BroadbandReports a while back, and they said they were fine, but I may have added some since then - which is probably where I've screwed up.

    I don't understand why the mail ports are open - they never have been before.

    Thanks for your help.

    (edit .. screenshots to follow when I figure out how to make them small enough to upload)
     
  6. seakiwi

    seakiwi Registered Member

    Joined:
    Nov 4, 2004
    Posts:
    47

    To be perfectly honest, while so far the proxy server seems to be working OK, and has served its purpose in getting my kids' machine online, I do have some major concerns about the fact that there seems to be NO support whatsoever for the product. Nobody ever answers any support requests or emails, and their forums are full of people complaining about the lack of support. I am using the free version (limited to 3 users) so I haven't spent any money on it like most of the posters there have, but something is definitely fishy about the company. Any particular reason why you are not sure you'd want to use it? I'd be interested in your opinion.
     
  7. TheSnowman

    TheSnowman Guest

    SeaKiwi


    My suggestion to you would be to wait on CrazyM to offer you his advice... he is a mod here, and a darn good firewall expert... being you are using a proxy server...

    ****************
    YOU SAID:

    OK, MY machine (the one the proxy server is on) is not using IE. I am using Firefox with a TCP OUT rule only. I do have that rule set for "any port" though. So which port do I need to assign for my Firefox rule? 808?

    *******************


    Nope... imo that just does not stand up... you need to assign Firefox port(s), the same as you would Internet Explorer... I don't use Firefox and would prefer that someone who does step up to offer you advice... can you wait? I simply don't know how Firefox would be set to use a proxy... never ever seen Firefox... Firefox needs to be configured for the proxy... just like Internet Explorer... I know how that's done using IE, but not using Firefox... and won't guess.




    And remember... each program has ITS OWN PORT...




    SeaKiwi... do yourself a real favor... learn how to make proper rules prior to using that proxy...
    find the right ports to match programs.
     
  8. TheSnowman

    TheSnowman Guest

    Have not looked in depth at the proxy... but since you asked... nope, I would not use it... how are you connecting... DSL, cable?



    My friend, very sorry but I've got to get some rest... will have to say... hmm... it's already morning... yup, but time was ten hours ago... LOL


    Will check back... and perhaps be able to locate those port numbers...


    Best wishes
     
  9. TheSnowman

    TheSnowman Guest

    SeaKiWi


    Found an old notebook... which listed the ports for Internet Explorer as:

    21, 80, 81, 82, 83, 443, and (the port your proxy uses) OUTBOUND ONLY!!!




    Kiwi, offering firewall rules is just not my thing... so I won't be offering further advice... this was just a quick response, and not meant to offer instructions on making rules... that would better be left to the firewall experts... offering rules for a program whose settings I am not aware of could even be dangerous practice... Firefox is an "unknown" to me... as previously stated...


    SeeYa
     
  10. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi seakiwi

    Will need a little more info on the setup of the systems (LAN) involved.
    Seeing your rules would also help.

    Inbound connections for the proxy server should only be allowed for systems on the LAN, not the Internet. For the Internet, the proxy should only need outbound rules. From the ports you mentioned above:

    Proxy Inbound LAN
    Action - Permit
    Direction - Inbound
    Protocol - TCP
    Local Port - 25, 110, 808
    Remote IP - 192.16.1.0/255.255.255.0 (LAN subnet)
    Remote Port - Any

    Proxy Outbound Internet
    Action - Permit
    Direction - Outbound
    Protocol - TCP
    Local Port - Any
    Remote IP - Any
    Remote Port - 25, 80, 110, 443 (others as required)

    Regards,

    CrazyM
     
    Last edited: Nov 6, 2004
  11. seakiwi

    seakiwi Registered Member

    Joined:
    Nov 4, 2004
    Posts:
    47
    Thanks for that, but I've decided to dump the proxy server altogether - partly due to the concerns I mentioned in a previous post about the non-existent product support, and partly because I don't want to mess about for too long with this, while I have these open ports hanging over my head. I'm used to having Kerio keep me in total stealth and I'm not much liking being exposed like this.

    The only reason I went with the proxy server in the first place is because, no matter what I try, I have never been able to get Internet Connection Sharing working between MY machine and the kids. I have run that damned wizard a hundred times, and have tried another hundred tweaks in the hope of getting ICS working, but to no avail. I have no idea why not, or what the problem is with it, but I had wasted so much time and torn out so much hair over it, that I finally threw the towel in and decided to give the proxy server a go.

    While I do realise that this might be simply due to me not having the correct rules in Kerio, I've lost confidence in CCProxy anyway, so I think it's time to lose it, and either find another better known (and trusted) proxy server, or go back to the drawing board and try to figure out why the heck I cant get ICS to work.

    Thanks for your help everyone. Much appreciated.
     
  12. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,770
    Location:
    Texas
    A router is a big help and not too expensive these days. It will pretty much free you up from worrying about being stealthed from the outside world.
    Your concerns could be directed to what is going out then. Just a thought. :)
     
  13. seakiwi

    seakiwi Registered Member

    Joined:
    Nov 4, 2004
    Posts:
    47

    Yeah, I've also been thinking about that. Do they work with dialup though? (I don't know much about them)

    I am on a dial up connection, but I'm connected 24/7 barring the occasional disconnection.
     
  14. TheSnowman

    TheSnowman Guest

    SeaKiWi


    You made a wise decision imo... and also perhaps consider the suggestion by Ron... a router... in the meantime, check those rules... chances are your kids use one of the messengers... the A.O.L. Instant Messenger port number is 5190 TCP (only) OUTBOUND.
     
  15. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,770
    Location:
    Texas
    I believe there are dialup routers (don't know for sure). I did as you are doing when I used dialup, a software firewall.
    Zone Alarm is what I used at that time. It seemed to be the best choice for dialup.

    If I find any specific routers, I will post here.
     
  16. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Is it ICS configuration or Kerio rules configuration that is causing you problems?

    I believe most routers are broadband/ethernet based and will not work with dial-up. Some do have dial-up backup capability via serial port for analog/ISDN modems which may meet your needs and still work if and when you migrate to broadband. However, these will likely cost more than entry level home routers.

    A couple of possibles offered by Netgear:
    Netgear FR328S
    Netgear FVS328

    Regards,

    CrazyM
     
  17. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,770
    Location:
    Texas
  18. seakiwi

    seakiwi Registered Member

    Joined:
    Nov 4, 2004
    Posts:
    47
    My original post was referring to problems I was apparently having with setting up my proxy server (CCProxy) with Kerio - to close a number of open ports that had appeared since I installed the proxy server.

    As I mentioned above, I've decided to dump that proxy server for various reasons.

    In addition to that, as I also mentioned earlier, I have had absolutely NO luck trying to get ICS working between my computer (dial up - which is always on), and my kids machine. I have file and printer sharing working fine, and both machines can 'see' each other but I cannot get them to share the internet connection no matter what I do.

    MY machine (the one with the connection) can ping the kids machine, but their machine can't ping mine. I realise this is probably part of the problem, but I have no idea how to fix it. I have run that darned ICS Wizard so many times I want to throw it out the window from a great height!

    This is probably OT for this forum now, so if a mod wants to move it elsewhere, or thinks I should start a new thread, just let me know.
     
  19. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi seakiwi

    In regards to Kerio configuration, have you looked through BlitzenZeus' Kerio v2.x Default Replacement Rules, in particular the LAN rules and ICS configuration?

    Anything showing up in the Kerio logs on your system from the kids(LAN) system being blocked?

    Regards,

    CrazyM
     
  20. seakiwi

    seakiwi Registered Member

    Joined:
    Nov 4, 2004
    Posts:
    47
    I finally managed to get ICS working! With some help from here and another forum, I followed the following suggestion:


    On the Administration - Advanced - Miscellaneous page, check "Is running on an Internet Gateway"

    Create a rule: allow, Both directions, TCP/UDP, Any port, remote address "IP of the client computer" (this can be logged and tightened considerably depending on the applications you use).

    Create a Last rule Block All IN



    This seems to have done the trick. I ran another Shields Up scan, and came up stealthed, so hopefully I have everything right now.

    One question ... I'm assuming I should have the first rule (above) somewhere at the top of my ruleset, before any blocking rules, and the second (block all IN) rule, should be at the bottom?

    The other thing I'm not sure of ... my TCP/UDP BOTH rule for my kids computer ... seems pretty loose. How could I tighten that up a little without it affecting what the kids want to do too much? All they basically do on the net is visit their favourite kids sites (OK'd by me) and email. No chat or IM and no games to speak of.

    Thanks again for your help :)
     
  21. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    The LAN rule should be at the top or close to it depending on what other rules you have. Rules are processed from the top down and once a match is made, no further filtering is done.

    Yes, your block all in should be at the bottom.

    The LAN IPs will be protected from the outside by ICS; are you wanting to limit their access with the rules? While the LAN rules could be restricted further, you might want to try enabling logging for short periods while their system is in use to see what would be required for ICS in addition to any file/printer sharing rules you would want/need.

    Regards,

    CrazyM
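The following is an added example, not code from the thread, Kerio or CCProxy. It models the first-match, top-down rule processing CrazyM describes in the post above and applies it to the rules given earlier in the thread (the "Proxy Inbound LAN" and "Proxy Outbound Internet" rules, the ICS client rule, and a trailing "Block All IN"). The LAN subnet 192.168.1.0/24, the client address 192.168.1.10 and the Internet addresses in the sample packets are assumptions; the rule semantics are simplified (IPv4 only, no application binding, no connection state), and the fall-through result "ask" stands for Kerio 2.x prompting the user when no rule matches, which is exactly what the final Block All IN rule is there to prevent for unsolicited inbound probes.

```python
"""First-match rule evaluation modelled on Kerio Personal Firewall 2.x.
Added example; not Kerio's code. Rule semantics are deliberately simplified
(IPv4 only, no application binding, no connection-state tracking)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import FrozenSet, List, Optional, Tuple

ANY = None  # stands for "Any" in the Kerio rule editor


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                   # "permit" or "deny"
    direction: str                                # "in", "out" or "both"
    protocol: str                                 # "tcp", "udp" or "any"
    local_ports: Optional[FrozenSet[int]] = ANY   # ANY = every local port
    remote_net: Optional[IPv4Network] = ANY       # ANY = every remote address
    remote_ports: Optional[FrozenSet[int]] = ANY  # ANY = every remote port


@dataclass(frozen=True)
class Packet:
    direction: str                                # "in" or "out"
    protocol: str                                 # "tcp" or "udp"
    local_port: int
    remote_ip: str
    remote_port: int


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every field of the rule that is not ANY matches the packet."""
    if rule.direction != "both" and rule.direction != pkt.direction:
        return False
    if rule.protocol != "any" and rule.protocol != pkt.protocol:
        return False
    if rule.local_ports is not ANY and pkt.local_port not in rule.local_ports:
        return False
    if rule.remote_ports is not ANY and pkt.remote_port not in rule.remote_ports:
        return False
    if rule.remote_net is not ANY and IPv4Address(pkt.remote_ip) not in rule.remote_net:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet, unmatched: str = "ask") -> Tuple[str, str]:
    """Walk the list top down; the first matching rule decides and nothing
    below it is consulted. A packet no rule matches falls through to the
    firewall default ("ask" models Kerio 2.x prompting the user)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.name
    return unmatched, "<no matching rule>"


# Constructed ruleset following the thread. LAN subnet and client IP are assumptions.
LAN_CLIENT = IPv4Network("192.168.1.10/32")
LAN_SUBNET = IPv4Network("192.168.1.0/24")

RULESET = [
    Rule("ICS client (LAN) both", "permit", "both", "any", remote_net=LAN_CLIENT),
    Rule("Proxy Inbound LAN", "permit", "in", "tcp",
         local_ports=frozenset({25, 110, 808}), remote_net=LAN_SUBNET),
    Rule("Proxy Outbound Internet", "permit", "out", "tcp",
         remote_ports=frozenset({25, 80, 110, 443})),
    Rule("Block All IN", "deny", "in", "any"),
]

# Same rules with "Block All IN" mistakenly placed at the top.
MISORDERED = [RULESET[-1]] + RULESET[:-1]

# Constructed traffic samples. 203.0.113.5 and 198.51.100.7 are documentation addresses.
SCAN_808 = Packet("in", "tcp", 808, "203.0.113.5", 44123)       # Internet probe of the proxy port
KID_808 = Packet("in", "tcp", 808, "192.168.1.10", 3245)        # ICS client using the proxy
OTHER_LAN_110 = Packet("in", "tcp", 110, "192.168.1.20", 3300)  # another LAN host, POP3 via proxy
WEB_OUT = Packet("out", "tcp", 3301, "198.51.100.7", 80)        # proxy fetching a web page
ALT_PROXY_OUT = Packet("out", "tcp", 3302, "198.51.100.7", 8080)  # port not in the outbound rule


def scenarios() -> dict:
    """Decision and deciding rule for each sample packet."""
    return {
        "scan_808": evaluate(RULESET, SCAN_808),
        "kid_808": evaluate(RULESET, KID_808),
        "other_lan_110": evaluate(RULESET, OTHER_LAN_110),
        "web_out": evaluate(RULESET, WEB_OUT),
        "alt_proxy_out": evaluate(RULESET, ALT_PROXY_OUT),
        "misordered_lan_110": evaluate(MISORDERED, OTHER_LAN_110),
    }


if __name__ == "__main__":
    for name, (action, rule) in scenarios().items():
        print(f"{name:20} -> {action:6} ({rule})")
```

Two things worth noticing in the output: the Internet probe of port 808 is denied by the trailing Block All IN rule rather than falling through to a prompt, which is what produces a "stealth" result at Shields Up, and the same LAN packet that is permitted with the ruleset as written is denied as soon as Block All IN is moved above the LAN rules, because the first match ends evaluation.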
     
  22. seakiwi

    seakiwi Registered Member

    Joined:
    Nov 4, 2004
    Posts:
    47

    Thanks for that. I have my LAN rule under my loopback and DNS rules, so that should be OK.

    No, I'm not really too worried about blocking the children's access OUT. All I really want, is to make sure I have things set up so that my Kerio ruleset applies to them exactly as it applies to my machine. It's taking me a while to get my head around exactly how this works in a networking situation, but I think I've got it sussed .. thanks! :)
     