What should my svchost rule be in Kerio 2.1.5?

Discussion in 'other firewalls' started by subferno, Sep 2, 2008.

Thread Status:
Not open for further replies.
  1. subferno

    subferno Registered Member

    Joined:
    Oct 3, 2004
    Posts:
    87
    I am switching over to Kerio 2.1.5.

    Svchost has always been an unknown entity to me and I have always allowed it free rein. What is a good rule that I should create for it to have better security?

    Many Thanks
     
  2. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,784
    Only allow what it absolutely needs.... If you're in XP, then you'll need to allow Svchost for DNS lookups on remote 53 to your ISP's servers. But I'd wait for Kerio to prompt you on anything else, and then set up a very specific rule for only what is absolutely necessary....
     
  3. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Svchost performs several functions, some of which are of no use to the average user. The port number it tries to use often points to the particular function it's trying to perform. The How to Optimize Security in Kerio 2.1.5 - Learning Thread 3 covers a lot of this in detail. One more thing. On most users' PCs, there's no reason to allow incoming traffic to svchost, save for traffic on port 53 as Kerodo mentioned, and then only to your DNS IPs. Svchost is on occasion used by malware to connect out and at times to receive incoming traffic. The IP address and port number being used are usually your best indicators of this. See http://en.wikipedia.org/wiki/SVChost.exe for more info.
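
Added example, not part of the original thread: a Python model of the svchost policy described in the posts above (DNS on remote port 53 only to your own DNS servers, no other inbound traffic, a prompt for anything else), checked first-match against a few connection attempts. The resolver addresses, the log line format and all function names are constructed for illustration; this is not Kerio's rule syntax.

```python
import ipaddress
from dataclasses import dataclass

# Assumed placeholder resolvers (documentation range); substitute your ISP's DNS IPs.
DNS_SERVERS = {ipaddress.ip_address("192.0.2.53"), ipaddress.ip_address("192.0.2.54")}

@dataclass(frozen=True)
class Conn:
    direction: str    # "out" or "in"
    proto: str        # "udp" or "tcp"
    remote_ip: str
    remote_port: int

def evaluate(conn):
    """Return (verdict, reason) for one svchost.exe connection; first match wins."""
    ip = ipaddress.ip_address(conn.remote_ip)
    if conn.proto in ("udp", "tcp") and conn.remote_port == 53:
        if ip in DNS_SERVERS:
            return ("allow", "DNS traffic with a configured DNS server")
        # Port 53 to or from any other address is not a normal lookup.
        return ("deny", "port 53 traffic with an unlisted address")
    if conn.direction == "in":
        return ("deny", "inbound traffic to svchost is not needed")
    # No rule yet: check the port and address, then write one narrow rule.
    return ("ask", "no rule; review remote address and port first")

def parse(line):
    """Parse a constructed log line: '<direction> <proto> <remote_ip>:<port>'."""
    direction, proto, endpoint = line.split()
    host, port = endpoint.rsplit(":", 1)
    return Conn(direction, proto, host, int(port))

def review(log):
    """Evaluate every non-empty log line; returns (line, verdict, reason) tuples."""
    return [(ln, *evaluate(parse(ln))) for ln in log.splitlines() if ln.strip()]

# Constructed sample connection attempts attributed to svchost.exe.
SAMPLE_LOG = """\
out udp 192.0.2.53:53
out udp 203.0.113.9:53
in tcp 198.51.100.7:135
out udp 198.51.100.20:123
"""

if __name__ == "__main__":
    for line, verdict, reason in review(SAMPLE_LOG):
        print(f"{verdict:5} {line:28} {reason}")
```
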
     
  4. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    On XP, if you are on a single PC, no LAN, then no comms are needed by svchost. So no rules. But maybe you want to sync time with the internet? lol
     
  5. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,784
    Who or what does his DNS lookups then? ;)
     
  6. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    Hi Kerodo.

    If you disable Windows' DNS client service, and fix the IPs of your ISP DNS servers in NIC properties, then your apps that require lookups will communicate directly with ISP servers, bypassing svchost.
    On a side note, this will put a small amount of stress on your ISP, but how fast your DNS replies will be depends on the quality of the ISP. I haven't noticed any slowdowns with mine, and I have always had the DNS service disabled.

    Cheers,
     
  7. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,784
    Ok, that's true, your apps will do it if you set it up that way. That probably isn't the norm though. Also not sure why you'd prefer the apps doing the lookups and you'd also lose whatever caching the DNS Client provides. But true, it can be done that way...

    Course there is always Treewalk if you want caching and don't like Svchost and the MS DNS Client.
     
  8. subferno

    subferno Registered Member

    Joined:
    Oct 3, 2004
    Posts:
    87
    Please review my rules below. How should I prioritize my rules as well? Are there any that I lack or need?

    Thank You
     

    Attached Files:
