Problem with Kerio.

  • Thread starter: John Corliss
Emmanuel,
I already have logging on, so I'll take a look. However, I'm not
really up to speed with configuring Kerio yet.
My understanding is that the ports may be visible, but they're
still closed. As far as stealth mode is concerned, see this link:

http://www.blarp.com/faq/faqmanager.cgi?file=kerio_basic&toc=kerio#q9

Right. Stealth is over-rated. It sure sounds cool though.

I even went totally without a firewall for a long time recently. Must
have been under the radar.

Technically, if you are not running any other servers, it's possible to get
all your ports closed without using a firewall at all. But it's a pain to
do, because Windows insists on opening all sorts of unnecessary ports.

Not much you can do about outbound filtering without a firewall though.
So you still have to be careful about installing trojans, spyware etc.



Aaron
 
The fact that Sygate and ZA both allowed traffic that Kerio didn't
just bolsters my already strong conviction that you can't beat it. Not
only is it the best free firewall, it's better than most you pay for.

Not exactly. I think in the case of ZA (perhaps even Sygate, I haven't
tested this) it selectively stealths the IDENT port, hence you don't see
this problem.

See the link below

http://news.grc.com/port_113.htm

"One of the things that first caught my eye about the Zone Alarm personal
firewall (aside from the fact that it was free) was that it has always
been very clever about handling IDENT's port 113. I recall being
impressed and thinking "these guys really know what they're doing". When
Zone Alarm receives an inbound connection request for port 113, it checks
to see whether the computer has recently initiated any outbound
connections to the remote server sending the IDENT request. If not, the
IDENT packet is simply dropped, stealthing the protected machine. But if
the user does have an existing "relationship" with the sender of the
IDENT request, the IDENT packet is allowed to pass through Zone Alarm's
firewall protection so that the user's system can respond normally (which
usually means immediately returning a closed status for the port). This
means that Zone Alarm is a "stateful packet inspecting personal
firewall", not just a simpler static packet filter."

So in fact, Kerio (although also a stateful packet filter) is inferior
here.



Aaron
 
donut,
I just tried doing that and it doesn't work. I still might be doing
something incorrectly, but from

http://www.blarp.com/faq/faqmanager.cgi?file=kerio_other&toc=kerio#q2:

the following:

"The way KPF currently is, you cannot expose a single closed port on
your system so that selected servers could get the 'closed port' reply
back and not the others. There is a hidden 'Packet to unopened port
received' rule you can not configure and which precedes any rule you
might create."

The above text you quote is not relevant; what we are suggesting is
OPENING that (and only that) port (i.e. allow inwards to port 113). The FAQ
is talking about the impossibility of showing "CLOSED" for port 113 and
"Stealth" for the rest.





Aaron
 
"The way KPF currently is, you cannot expose a single closed port on
your system so that selected servers could get the 'closed port' reply
back and not the others. There is a hidden 'Packet to unopened port
received' rule you can not configure and which precedes any rule you
might create."


And I disagree with this. All you have to do is create a rule that allows
the traffic from a specific IP.


For example:

Rule Name: Allow port 113 IDENT from POP3 server

Protocol: TCP and UDP
Direction: Incoming

Remote endpoint-
Address Type: Single address
Host address: (enter the IP of the POP3 server)

Rule valid: Always

Action: Permit

Writing rules for Kerio is very simple and gives the user far more control
over what the firewall does.
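The two posts above describe three different ways a personal firewall can treat an inbound IDENT (TCP/113) connection request: drop everything unsolicited (the remote IDENT client then waits for its own timeout, which is the slow-mail symptom), add a static "permit inbound 113 from this IP" rule per server as donut proposes, or do what the quoted Zone Alarm description says and pass the request only when the protected host already has an outbound TCP connection to the sender. The following simulation is an added illustration written for this thread, not code from Kerio, Zone Alarm or Sygate; the class names, the packet record and all addresses are constructed sample data.

```python
"""Three ways a personal firewall can treat an inbound IDENT (TCP/113)
connection request, modelled on the behaviour described in the thread.

Added illustration, not code from Kerio, Zone Alarm or Sygate.
All packets and addresses are constructed sample data."""
from dataclasses import dataclass
from typing import List, Set

IDENT_PORT = 113


@dataclass(frozen=True)
class Packet:
    direction: str      # "out" (we initiated) or "in"
    proto: str          # "tcp" or "udp" (IDENT itself is TCP only)
    remote_ip: str
    local_port: int     # port on the protected host
    syn: bool = True    # True for a TCP connection request


class StaticStealthFilter:
    """Drop every unsolicited inbound packet. The remote IDENT client never
    gets an answer and waits for its own timeout (the slow-mail symptom)."""

    def handle(self, pkt: Packet) -> str:
        return "permit" if pkt.direction == "out" else "drop"


class StaticRuleFilter(StaticStealthFilter):
    """Stealth filter plus an explicit 'permit inbound 113 from this IP'
    rule, like the Kerio rule proposed in the thread. It works for the
    listed server but needs a new rule for every server that asks."""

    def __init__(self, allowed_ips: Set[str]) -> None:
        self.allowed_ips = set(allowed_ips)

    def handle(self, pkt: Packet) -> str:
        if (pkt.direction == "in" and pkt.proto == "tcp"
                and pkt.local_port == IDENT_PORT
                and pkt.remote_ip in self.allowed_ips):
            # Handed to the OS stack, which (with no IDENT daemon listening)
            # answers with a TCP RST: the server sees "closed" and moves on.
            return "pass-to-stack"
        return super().handle(pkt)


class StatefulIdentFilter(StaticStealthFilter):
    """Zone Alarm style: remember which remote hosts we opened TCP
    connections to, and pass an IDENT request only from one of them."""

    def __init__(self) -> None:
        self.peers: Set[str] = set()

    def handle(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            if pkt.proto == "tcp" and pkt.syn:
                self.peers.add(pkt.remote_ip)
            return "permit"
        if (pkt.proto == "tcp" and pkt.local_port == IDENT_PORT
                and pkt.remote_ip in self.peers):
            return "pass-to-stack"
        return "drop"  # unsolicited probe: stay stealthed


# Constructed trace: mail client connects to a POP3 server, the server
# sends an IDENT request back, then an unrelated host probes port 113.
TRACE: List[Packet] = [
    Packet("out", "tcp", "192.0.2.10", local_port=49152),       # to POP3 server
    Packet("in", "tcp", "192.0.2.10", local_port=IDENT_PORT),   # its IDENT request
    Packet("in", "tcp", "198.51.100.7", local_port=IDENT_PORT), # random scanner
]


def run(filter_, trace: List[Packet] = TRACE) -> List[str]:
    """Return the filter's decision for each packet in order."""
    return [filter_.handle(p) for p in trace]


if __name__ == "__main__":
    for name, f in [("static stealth", StaticStealthFilter()),
                    ("static rule", StaticRuleFilter({"192.0.2.10"})),
                    ("stateful", StatefulIdentFilter())]:
        print(f"{name:15} {run(f)}")
```

Running it shows the static and stateful filters reaching the same result for the POP3 server's request while both still drop the scanner; the difference is that the stateful one needs no per-server rule, and the static rule would also admit a request from the listed IP that no outbound connection ever provoked.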
 
Inferior is open to debate. It all depends on what the end user wants.

Well given that you stated earlier that "The fact that Sygate and ZA both
allowed traffic that Kerio didn't just bolsters my already strong
conviction that you can't beat it. Not only is it the best free
firewall..."

I'm glad to see you agree that "best" depends on what the end user
wants. Suffice to say the way ZA handles it is acceptable (and in my view
superior to a dumb packet filter, but what do I know) and not a design
fault.

Of course, you probably already know this, but I thought it best not to
leave other less experienced users the impression that ZA was defective.
I personally don't want a firewall that decides _anything_ on its
own. I can see how this would perhaps be a problem for a newbie user,
but I'm not a newbie user. It's apples and oranges.

I bow to your undoubted expertise of course.


Aaron
 
I mean I use Kerio but I don't use the rule sets in the above url.

Aaron
Ahh, I see. I don't know what the ruleset at the site consists of, but some
posters seem to think they are a good baseline for newbies to Kerio.
me
 
Ahh, I see. I don't know what the ruleset at the site consists of, but some
posters seem to think they are a good baseline for newbies to Kerio.
me

I think it is for more than just newbies. While I cannot use Kerio
2.15 as it crashes my XP box, the rules covered a lot of ad sites,
spyware, gator type stuff as well.

Sponge's lists are good for sparing me having to do some work myself,
while teaching me about which ports etc. to block.

cheers
 
I think it is for more than just newbies. While I cannot use Kerio
2.15 as it crashes my XP box, the rules covered a lot of ad sites,
spyware, gator type stuff as well.

Sponge's lists are good for sparing me having to do some work myself,
while teaching me about which ports etc. to block.

cheers
Yes, although I don't use Kerio myself, there seem to be rulesets for
beginners to advanced users.
me
 
Aaron said:

The above text you quote is not relevant; what we are suggesting is
OPENING that (and only that) port (i.e. allow inwards to port 113). The FAQ
is talking about the impossibility of showing "CLOSED" for port 113 and
"Stealth" for the rest.

Kinda thought that might be the case. See my reply to donut (below).

Thanks for your help, Aaron.
 
donut said:
And I disagree with this. All you have to do is create a rule that allows
the traffic from a specific IP.

For example:

Rule Name: Allow port 113 IDENT from POP3 server

Protocol: TCP and UDP
Direction: Incoming

I presume "Single port" and "113" as well as "Only selected below" and
"c:\program files\mozilla.org\mozilla\mozilla.exe" (since that's my
mail reader).
Remote endpoint-
Address Type: Single address
Host address: (enter the IP of the POP3 server)

Rule valid: Always

Action: Permit

Writing rules for Kerio is very simple and gives the user far more control
over what the firewall does.

It didn't work at first. Turns out that it needed "Any program"
instead of only Mozilla. This is the same mistake I was making this
morning. I was also only allowing TCP.

I've always been moving the rule way up in the order too.

As it turns out, I just had to set up a rule for my ISP's website
server. FTP access was also slow.

I'm wondering how many other servers are going to request an IDENT.

Now I'm on stealth mode again, can FTP and get my email faster. Thanks
for your help, donut!
 
donut said:
Inferior is open to debate. It all depends on what the end user wants.

I personally don't want a firewall that decides _anything_ on its own.

Once your firewall has correctly determined that you wish to permit a
connection to a server, if it is necessary as part of the protocol to permit
a specific incoming packet in its establishment, I see no advantage in a
firewall not automatically allowing it by default.


Isn't there a very similar situation with FTP servers in non-passive mode?

As I recall for a firewall to permit FTP it has to detect that an outgoing
FTP connection is being established on one port by the client and
automatically permit an incoming connection initiated by FTP server
to the client via a second port?

I thought Kerio could decide this for itself rather than requiring a rule to
be added for each server?

I've used Kerio, Sygate and Zonealarm. In my view all are inferior
in some aspects and superior in others. My ideal firewall would
have various features from all three.
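The active-mode FTP case raised in the post above is the textbook example of the "firewall decides for itself" behaviour under discussion: the client announces, on the control channel, the address and port it is listening on (the PORT command), and the server then connects back from its data port. A filter that reads the PORT command can admit exactly that one inbound connection instead of needing a standing rule per server. The code below is an added illustration of that mechanism written for this thread, not Kerio's, Sygate's or Zone Alarm's implementation; the `FtpAwareFilter` class, the ">1023" policy and all addresses are constructed assumptions.

```python
"""Active-mode FTP through a stateful filter: parse the client's PORT
command and admit only the matching inbound data connection.

Added illustration of the mechanism discussed in the thread; not code
from Kerio, Sygate or Zone Alarm. Addresses and commands are constructed."""
import re
from typing import List, Optional, Set, Tuple

FTP_DATA_PORT = 20
# RFC 959 PORT syntax: PORT h1,h2,h3,h4,p1,p2  (port = p1*256 + p2)
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$", re.IGNORECASE)


def parse_port_command(line: str) -> Optional[Tuple[str, int]]:
    """Return (ip, port) advertised by a PORT command, or None if the line
    is not a valid PORT command (each of the six fields must be 0..255)."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return ip, port


class FtpAwareFilter:
    """Tracks PORT commands sent to an FTP server and admits only the
    matching inbound data connection from that server."""

    def __init__(self, client_ip: str) -> None:
        self.client_ip = client_ip
        # expected inbound connections as (server_ip, client_port)
        self.expected: Set[Tuple[str, int]] = set()

    def outbound_control(self, server_ip: str, line: str) -> None:
        """Inspect one line the client sends on the FTP control channel."""
        parsed = parse_port_command(line)
        if parsed is None:
            return
        ip, port = parsed
        # Policy (assumed here): only honour a PORT that points at the
        # client itself and at an ephemeral port. A PORT naming some other
        # address would otherwise turn the filter into an open pinhole.
        if ip == self.client_ip and port > 1023:
            self.expected.add((server_ip, port))

    def inbound_syn(self, src_ip: str, src_port: int, dst_port: int) -> str:
        """Decide on an inbound TCP connection request to the client."""
        key = (src_ip, dst_port)
        if src_port == FTP_DATA_PORT and key in self.expected:
            self.expected.discard(key)   # one data connection per PORT command
            return "permit"
        return "drop"


def demo() -> List[str]:
    """Constructed session: client 192.0.2.10 talks to server 198.51.100.5
    and advertises port 195*256+80 = 50000 for the data connection."""
    f = FtpAwareFilter("192.0.2.10")
    f.outbound_control("198.51.100.5", "USER anonymous\r\n")       # ignored
    f.outbound_control("198.51.100.5", "PORT 192,0,2,10,195,80\r\n")
    return [
        f.inbound_syn("198.51.100.5", FTP_DATA_PORT, 50000),  # expected: permit
        f.inbound_syn("198.51.100.5", FTP_DATA_PORT, 50000),  # already used: drop
        f.inbound_syn("203.0.113.9", FTP_DATA_PORT, 50000),   # wrong server: drop
        f.inbound_syn("198.51.100.5", FTP_DATA_PORT, 50001),  # wrong port: drop
    ]


if __name__ == "__main__":
    print(demo())
```

The same idea generalises to IDENT: in both cases the firewall already saw the client initiate the relationship, so the inbound connection is a predictable consequence of traffic the user permitted, not an independent decision the firewall is making on its own. PASV mode sidesteps the problem entirely because the client then initiates the data connection too, which is why the thread reports Kerio working once the FTP client was switched to passive.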
 
I presume "Single port" and "113" as well as "Only selected below" and
"c:\program files\mozilla.org\mozilla\mozilla.exe" (since that's my
mail reader).

Right. <embarrassed grin>

Failing to specify that would leave all ports open, but still only to
the specified IP.
 
I'm wondering how many other servers are going to request an IDENT.

I've never had any except for my email POP3 server.

I've never had any problem with FTP, but others have reported problems with
FTP and Kerio unless the FTP app was set to PASV mode. I use WS-FTP.
Perhaps the problems are with others.
 
The concept of closed vs. stealth has been beaten to death in the security
groups, with the consensus being that stealth is used to market firewalls
and it doesn't make a whole lot of difference. Some go so far as to say
that stealth is worse than closed because the absence of a ping response
tells a port scanner that something is indeed there.

I don't subscribe to that: it seems to me that "invisible" is better than
"I'm here but not letting you in."

All I know is that I have had absolutely no problems of any kind since
learning how to use Kerio properly. That's enough for me.

I will confess that I was dumb enough to go messing around using IE with
install on demand enabled, visited a malicious site, and found that a virus
had been downloaded onto my hard disk, despite Kerio. If the port to IE is
open, anything can come through if you allow it.

So, the firewall is only a part of the whole solution. I am using AVG and
it went off immediately. A good, up to date AV app, and regular scans for
Trojans and viruses is also needed.
 
It didn't work at first. Turns out that it needed "Any program"
instead of only Mozilla. This is the same mistake I was making
this morning.

This worked without setting up a local IDENT server? I wonder what
your machine is returning as an IDENT response.
I was also only allowing TCP.

That should be fine, IDENT uses only TCP.
I've always been moving the rule way up in the order too.

As it turns out, I just had to set up a rule for my ISP's website
server. FTP access was also slow.

I'm wondering how many other servers are going to request an
IDENT.

It sounds like your ISP is running a lot of old server software. The
only time I have run into the IDENT response delay problem, it has
been with IRC servers. Opening my port 113 to the IRC server made no
difference in the delay unless I also set up an IDENT server to
respond to the incoming requests.
Now I'm on stealth mode again, can FTP and get my email faster.
Thanks for your help, donut!

I'm glad you've got it worked out thanks to donut. I just wish I
were not confused about how the solution works. ;-)
 
donut said:
(clipped)
The concept of closed vs. stealth has been beaten to death in the security
groups, with the consensus being that stealth is used to market firewalls
and it doesn't make a whole lot of difference. Some go so far as to say
that stealth is worse than closed because the absence of a ping response
tells a port scanner that something is indeed there.

I don't subscribe to that: it seems to me that "invisible" is better than
"I'm here but not letting you in."

All I know is that I have had absolutely no problems of any kind since
learning how to use Kerio properly. That's enough for me.

I will confess that I was dumb enough to go messing around using IE with
install on demand enabled, visited a malicious site, and found that a virus
had been downloaded onto my hard disk, despite Kerio. If the port to IE is
open, anything can come through if you allow it.

So, the firewall is only a part of the whole solution. I am using AVG and
it went off immediately. A good, up to date AV app, and regular scans for
Trojans and viruses is also needed.

You're preaching to the choir about AV progs. Also, about IE. 80)>

The only virus I've *ever* caught was Happy99 a long time ago. I
practice "safe surfing".
 