New to Kav AntiHacker

Discussion in 'other firewalls' started by subferno, Aug 27, 2006.

Thread Status:
Not open for further replies.
  1. subferno

    subferno Registered Member

    Joined:
    Oct 3, 2004
    Posts:
    87
    I am trialing KIS right now and I am a little confused about how the firewall works.

    Previously, I used Agnitum Outpost. Whenever a program needs access to the web, I allow outbound rights to the specific address using certain ports. That's all I need for the rule.

    How come in AntiHacker, a program that tries to access the web would first direct to 68.12.16.30 before hitting the target address? The IP address is COX ISP, which is what I am using.

    Thanks
     
  2. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    68.12.16.30 is probably a Cox DNS server, so it's doing a DNS lookup before it hits the site you're going to. If it's remote port 53 then it's DNS.
     
  3. subferno

    subferno Registered Member

    Joined:
    Oct 3, 2004
    Posts:
    87
    I lack a lot of firewall terminology but DNS lookup seems harmless. Why do I have to set rules to allow this for apps that access the web?
     
  4. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Normally "svchost" would perform the DNS lookup... have you disabled the "DNS client" service?
     
  5. subferno

    subferno Registered Member

    Joined:
    Oct 3, 2004
    Posts:
    87
    If it is through the initial setup of AntiHacker, yes, I have disabled it.

    In addition, AH seems to ask for permission more than what Outpost would do. Is there some automated rule in Outpost that I can also apply to AH to have the same simplicity?
     
  6. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Outpost uses a "DNS cache" so there will be fewer DNS lookups; AH does not have this.
    You could create a "packet filter" rule for DNS in AH, which all applications could use?
     
  7. subferno

    subferno Registered Member

    Joined:
    Oct 3, 2004
    Posts:
    87
    Would it be like:

    Allow-
    Outbound TCP
    Remote Port 53

    ?
     
  8. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Allow UDP remote port 53
    You can also add local ports 1024-4999 to the rule.
     
  9. subferno

    subferno Registered Member

    Joined:
    Oct 3, 2004
    Posts:
    87
    Thanks, that cleared up a lot of requests.

    One final question about KIS related to the popups in the bottom right corner.
    Is there any setting to make it appear and stay on top of other windows? Sometimes it pops up and then hides below other stuff without me noticing.
     
  10. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Not sure... it has been a while since I installed KIS. You could wait for a reply here (I could always install to check), or you could ask at the Kaspersky forum.
     
  11. Mem

    Mem Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    292
    subferno-
    Depending on how tight you want your rules to be, you may want to add your ISP DNS server IPs to that rule. If the ISP changes DNS server IPs and you don't have them included, though, you will lose the DNS until you add them. A way around this is if you have a router you can have it access the ISP DNS and then use it as a relay to your LAN PCs. If the router is 192.168.1.1 and can relay, you would only need 192.168.1.1 in the global DNS rule even if the ISP changes servers.

    KIS disables the DNS cache service due to some cache poisoning concern, and the DNS rule is applied for each application instead of globally so a rogue app couldn't use remote port 53 to communicate out.
     
  12. subferno

    subferno Registered Member

    Joined:
    Oct 3, 2004
    Posts:
    87
    I actually do have a router. Would you walk me through the process of setting this rule up for me please?

    Do I just set up the remote address to my router? How do I need to configure my router?
     
  13. Mem

    Mem Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    292
    I don't know your router model but generally:

    Router:
    WAN - Set the DNS server IPs to be obtained automatically from the ISP.
    LAN, DHCP or NAT setting - look for 'DNS server for LAN use' setting and set that to the IP of the router on the LAN (probably something like 192.168.1.1).

    Firewall rule:
    To the global DNS rule you created in "Rules for packet filtering" select the rule-> edit. The remote IP address and remote port boxes should be checked. In the rule description box at the bottom click the 'Enter IP address' highlighted and add the LAN router IP. The rule should read:

    Allow Outbound (stream) UDP packets, where:
    Remote IP address : 192.168.1.1 (substitute your actual router LAN IP here)
    Remote Port: 53

    Click OK back to top of Kaspersky. If you have a problem with web pages loading, you can always remove the remote IP address for troubleshooting.
     
  14. subferno

    subferno Registered Member

    Joined:
    Oct 3, 2004
    Posts:
    87
    I have configured my router and firewall as you have described but it doesn't seem to be working. Each internet access is requesting to use port 53 (DNS lookup?) again like just when I didn't have the global DNS rule. But the remote address is the COX ISP and not the 192.168.1.1 address like what I would think.
     
  15. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    subferno,
    If you want to follow this route, then you need to set your PC as a fixed IP with fixed DNS server.
    I have attached a pic to show the settings I have just made on this PC. The example shown is using 192.168.123.254, which is my router (this is then the gateway and DNS server address). The setup is from W2K (but is similar to XP). The IP address you enter will be for the PC; this must not be the same as the gateway, and must not end in .255 (which is the broadcast address). If you are using more than one PC behind your router, then you should make all PCs fixed IP (different IPs of course) to stop possible conflicts.
    As your router is 192.168.1.1, then in the pic, simply replace 192.168.123.254 with 192.168.1.1
    EDIT:
    Your fixed IP address (due to your router IP) would need to be between 192.168.1.2-192.168.1.254. The subnet mask would be the same as shown.
     

    Last edited: Aug 30, 2006
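
Added example (not part of any post in this thread and not Kaspersky's code): a small Python model of the global DNS rules proposed in posts 7, 8 and 13, evaluated against constructed packets. The names `AllowRule`, `Packet` and `decide`, the "no global match means a per-application prompt" fallback, and the address 203.0.113.7 are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:                      # constructed outbound packet
    proto: str
    remote_ip: str
    remote_port: int
    local_port: int

@dataclass(frozen=True)
class AllowRule:                   # hypothetical model of a global allow rule
    proto: str
    remote_port: int
    remote_ip: Optional[str] = None       # None = any remote address
    local_ports: Optional[range] = None   # None = any local port

    def matches(self, p: Packet) -> bool:
        if (p.proto, p.remote_port) != (self.proto, self.remote_port):
            return False
        if self.remote_ip is not None and \
           ipaddress.ip_address(p.remote_ip) != ipaddress.ip_address(self.remote_ip):
            return False
        return self.local_ports is None or p.local_port in self.local_ports

def decide(rules, p: Packet) -> str:
    """'allow' if any global rule matches, else 'prompt' (assumed fallback
    to the per-application rules, which is where the pop-ups come from)."""
    return "allow" if any(r.matches(p) for r in rules) else "prompt"

# Rules as written in the thread
TCP_DNS = AllowRule("tcp", 53)                                   # post 7
OPEN_DNS = AllowRule("udp", 53, local_ports=range(1024, 5000))   # post 8
ROUTER_DNS = AllowRule("udp", 53, remote_ip="192.168.1.1")       # post 13

# Constructed packets
TO_ISP = Packet("udp", "68.12.16.30", 53, 1030)      # resolver still set to ISP
TO_ROUTER = Packet("udp", "192.168.1.1", 53, 1030)   # resolver set to the router
TO_OTHER = Packet("udp", "203.0.113.7", 53, 1031)    # any other host, port 53

def report():
    packets = {"isp": TO_ISP, "router": TO_ROUTER, "other": TO_OTHER}
    rules = {"tcp": TCP_DNS, "open": OPEN_DNS, "router": ROUTER_DNS}
    return {(r, p): decide([rule], pkt)
            for r, rule in rules.items() for p, pkt in packets.items()}

if __name__ == "__main__":
    for key, verdict in report().items():
        print(key, verdict)
```

The `("router", "isp")` entry is the situation in post 14: while the PC's resolver still points at 68.12.16.30, lookups miss the rule narrowed to 192.168.1.1. The `("open", "other")` entry shows the trade-off raised in post 11, where a rule without a remote address allows UDP port 53 to any host.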
  16. subferno

    subferno Registered Member

    Joined:
    Oct 3, 2004
    Posts:
    87
    Thanks for your help. I will give this a shot.
     