Serious Kerio Problem

Discussion in 'other firewalls' started by Eliot, Sep 10, 2003.

Thread Status:
Not open for further replies.
  1. Eliot

    Eliot Registered Member

    Joined:
    Aug 8, 2003
    Posts:
    854
    Location:
    Arkansas, USA
:eek: If I grant any program the ability for incoming (hence Yahoo, Trillian for file & voice), it completely opens the port. This occurs on 2.15 and 4.0.2. You cannot send files without incoming access and can't be stealth with it. I have been configuring firewalls for ages now and have gotten very good at rule-based walls too. I am really just looking to see if anyone else has noticed this. You can connect to Yahoo Messenger, then open a command prompt. Type netstat and look at the ports Yahoo has in use. If you have given it access to incoming and you scan that port at grc.com, you WILL BE OPEN. The only way to close it is to disable incoming access. :doubt: :doubt:

    Any comments would be greatly appreciated. Thank you ;)
     
  2. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    You only have to allow inbound connections for SERVER programs.
    Dolf
     
  3. Eliot

    Eliot Registered Member

    Joined:
    Aug 8, 2003
    Posts:
    854
    Location:
    Arkansas, USA
    Yahoo requires SERVER access to send and receive files :'( That opens the port it connects to for anyone to access. :'(
     
  4. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi Eliot

    If you allow incoming with any firewall, you are doing just that, allowing inbound traffic destined to that local service/port to pass through the firewall to your system.

    For that local service/port to be open still requires a service or application on your system to be listening on that port, otherwise it would just respond as closed to any connection attempts.

    Running a service or application on your system that requires allowing inbound connections is always a risk. Security now falls on the service or application that is listening for these inbound connections and what exploits it may be vulnerable to. The firewall just allows or denies connections to the system.

    In this case, with Kerio, your rule(s) allowing inbound would only apply to the application specified in the rule. Any additional security would have to be obtained by the proper and safe configuration of the application that is listening for those connections on your system.

    Disabling the rule(s) for incoming connections when not using those specific features that require it is a simple solution and easily done in Kerio. That is why most rule-based firewall configurations allow for the enabling/disabling of rules as required.

    Regards,

    CrazyM
     
  5. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    I'm not up for defending Kerio, but I might as well....

    Another application-based firewall user who assumes he knows how to run another firewall, and blames it on the firewall when they don't configure it correctly. It's all in your configuration and settings. Read the entire help file; you need to learn how to use it correctly before ranting about it. It's your configuration...

    Also, the others are correct that once you allow connections inbound which are not restricted to IP addresses, you remove your stealth from everyone else, and possibly MAKE YOURSELF A SERVER. It's the same with every program, which you fail to realize.

    Did you set your internet connection trusted in the trusted area, and are you using the simple application settings? If so then that was your first big mistake, and you didn't ever bother yourself with reading the help file to set that correctly.
     
  6. Eliot

    Eliot Registered Member

    Joined:
    Aug 8, 2003
    Posts:
    854
    Location:
    Arkansas, USA
    It's funny that IT IS CONFIGURED VIA THE HELP FILE and it opens the port for anything that scans it. Any help would be greatly appreciated. Dogging my knowledge will get us nowhere. Thanks.
     
  7. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    Find out what port range is used for its file transfers, and allow those so you're not permitting every port it might use. If it uses one static port like a server, then it will be a visible server, but if it's dynamically assigned, just block the ports it's listening on while idle that are used for outbound connections; you might even block the local port range 1024-5000 if it doesn't interfere, and only allow those ports used for file transfer inbound.

    This will have to be done via the rules, and not the simple application filtering. The simple configuration also gets the traffic first so you will have to set the permission to ask, or just delete the program from the application rules listing.

    The simple controls are too simple, and would allow way too much, which is why I'm against the simple controls not having an option to be disabled. So to make it so your rules do all the work, do this, but I hope you understand how to configure a rule-based firewall.
    -Disable predefined network settings
    -Remove all the programs in the network settings possible, and set the rest to 'ask' for all settings.
    -Disable the IDS as it will interfere with your rules.

    Now your rules control all the traffic in the firewall.
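A small model of the open/closed/stealth distinction CrazyM describes in post 4 and of the ordered-rule approach BlitzenZeus outlines in post 7, written as an added example for this thread (it is not code from the thread, from Kerio, or from either poster). It parses constructed `netstat -an` output for TCP ports in LISTENING state, applies a first-match inbound rule list with default deny, and reports what a remote port scanner would see under three rule sets. Every address and port number (including the 5101 "file transfer" port), the scanner address and the rule sets are assumptions made for the example; the model is per-port only and ignores Kerio's per-application scoping of rules.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Constructed `netstat -an` output in Windows format. Ports and addresses
# are made up for this example; they are not from the thread or a real client.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5050           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5101           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1045      198.51.100.7:5050      ESTABLISHED
  UDP    0.0.0.0:5055           *:*
"""

# Matches only TCP sockets in LISTENING state and captures the local port.
LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s*$")


def listening_tcp_ports(netstat_text: str) -> Set[int]:
    """Return the local TCP ports that some service is listening on."""
    ports = set()
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            ports.add(int(m.group(1)))
    return ports


@dataclass
class Rule:
    """One inbound TCP rule in the style of a rule-based personal firewall."""
    action: str                   # "permit" or "deny"
    port_lo: int                  # inclusive local port range
    port_hi: int
    remote: Optional[str] = None  # restrict to one remote address; None = any

    def matches(self, port: int, remote_ip: str) -> bool:
        in_range = self.port_lo <= port <= self.port_hi
        return in_range and (self.remote is None or self.remote == remote_ip)


def inbound_decision(rules: List[Rule], port: int, remote_ip: str) -> str:
    """First matching rule wins; anything unmatched is dropped (default deny)."""
    for rule in rules:
        if rule.matches(port, remote_ip):
            return rule.action
    return "deny"


def scan_view(rules: List[Rule], listening: Set[int], port: int, remote_ip: str) -> str:
    """What a remote scanner sees for one port:
    stealth = firewall drops the SYN, no reply at all
    closed  = SYN passes the firewall but nothing listens, so the OS answers RST
    open    = SYN passes and a service answers SYN/ACK
    """
    if inbound_decision(rules, port, remote_ip) == "deny":
        return "stealth"
    return "open" if port in listening else "closed"


def scan_report(rules: List[Rule], listening: Set[int], ports: Iterable[int],
                remote_ip: str = "203.0.113.5") -> Dict[int, str]:
    """Scan several ports from one (constructed) scanner address."""
    return {p: scan_view(rules, listening, p, remote_ip) for p in ports}


# 1) "allow incoming" for the application with no port or address limits:
#    every listener the application (or anything else) has is exposed.
RULES_ALLOW_ALL = [Rule("permit", 1, 65535)]

# 2) The tuned approach from post 7: permit only the file-transfer port,
#    drop the idle listeners in the 1024-5000 range, default-deny the rest.
FILE_TRANSFER_PORT = 5101  # assumed value for the example
RULES_TUNED = [
    Rule("permit", FILE_TRANSFER_PORT, FILE_TRANSFER_PORT),
    Rule("deny", 1024, 5000),
]

# 3) Tighter still: permit the file-transfer port only from the known peer.
PEER_IP = "198.51.100.7"  # constructed peer address
RULES_PEER_ONLY = [Rule("permit", FILE_TRANSFER_PORT, FILE_TRANSFER_PORT, remote=PEER_IP)]

if __name__ == "__main__":
    listening = listening_tcp_ports(SAMPLE_NETSTAT)
    probe = [135, 5050, 5101, 6000]
    for name, rules in [("allow-all", RULES_ALLOW_ALL), ("tuned", RULES_TUNED),
                        ("peer-only", RULES_PEER_ONLY)]:
        print(name, scan_report(rules, listening, probe))
    print("peer-only, seen from the peer:", scan_report(RULES_PEER_ONLY, listening, probe, PEER_IP))
```

The allow-all rule set reproduces what the first post observed: every listening port answers a scan, and a port with no listener shows as closed rather than stealth because the SYN is let through and the OS replies. The tuned set keeps only the one needed port open and drops everything else; the peer-only set keeps even that port invisible to anyone but the known peer.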
     
  8. Eliot

    Eliot Registered Member

    Joined:
    Aug 8, 2003
    Posts:
    854
    Location:
    Arkansas, USA
    I found a way using your suggestions there to make it work. I just did what you said and gave Trillian access to the internet, leaving it to ask me for server access. I can send files no problem now. However, when I attempt to receive one, all I have to do is click "Permit" and DO NOT CHECK the remember box nor make a rule, and it goes through fine. I just cannot make a rule or check the "ZA"-looking rule. It also helps that it asks me, whereas it did not before. I think it was that ********(insert bad word here, lol) IDS being enabled that was causing me not to be "asked". Thank you very much BlitzenZeus. I really appreciate your helping out there as the help file did not suffice in this matter. You however did. ;) :)
     
  9. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    Actually, most of that was covered in the help file, and the method you picked requires you to permit everything manually. If you want to do that, fine....

    You can use the advanced rules with the simple settings, so you don't have to permit this every time. As said before, you have to set it to ask in the simple settings, then just make a rule to block the ports it's always listening on that are not used for file transfers, and permit the port range you need to allow for file transfers. That way you're still stealth, and you don't have to permit it every time when set up correctly. However, that is something you have to do, and maybe a web search would turn up the ports you need to allow.
     