Problem with Kerio.


John Corliss

»Q« said:
This worked without setting up a local IDENT server? I wonder what
your machine is returning as an IDENT response.


That should be fine, IDENT uses only TCP.

I saw that both here:

http://www.blarp.com/faq/faqmanager.cgi?file=kerio_other&toc=kerio#q2

and in my Kerio log. Since I'd tried that earlier in the day and the
rules I made then didn't work, I was just following what donut said.
Was going to try just TCP when I found the time. Guess I just found
the time. I just changed it to TCP only and it works fine both for my
email and ftp to the ISP web page server.
It sounds like your ISP is running a lot of old server software. The
only time I have run into the IDENT response delay problem, it has
been with IRC servers. Opening my port 113 to the IRC server made no
difference in the delay unless I also set up an IDENT server to
respond to the incoming requests.

Well, when I installed Mozilla I told it to go ahead and include the
IRC Chat module. That might be what's going on. On the other hand, I
don't see any IDENT server running in the background when I look at
Process Explorer's (from Sysinternals) list.
I'm glad you've got it worked out thanks to donut. I just wish I
were not confused about how the solution works. ;-)

Guess I'm a little confused too. Happy that it works though.
 

Aaron

I think it is for more than just newbies. While I cannot use Kerio
2.15 as it crashes my XP box, the rules covered a lot of ad sites,
spyware, gator type stuff as well.

Though, I know lots of people rave about this, I find this pretty
useless, I have already stated this before and why. It doesn't hurt
though if you want it, but pointless.
Sponge's lists are good for sparing me having to do some work myself,
while teaching me about which ports etc. to block.

Sponge's default lists for the apps are a little too loose for my taste
(understandable since it's suitable for everyone) and you can tighten them
further; you do better to configure it according to the rule set
samples given at http://www.dslreports.com/forum/kerio.

Many of the rulesets there are based on common apps (proxo, pegasus etc.)
commonly used by people here too, so it's a much better fit. Excellent
discussion on the problems of proxo and FTP, loopback rules etc.

Aaron

Aaron

The concept of closed vs. stealth has been beaten to death in the
security groups, with the consensus being that stealth is used to
market firewalls and it doesn't make a whole lot of difference. Some
go so far as to say that stealth is worse than closed because the
absence of a ping response tells a port scanner that something is
indeed there.

I don't subscribe to that: it seems to me that "invisible" is better
than "I'm here but not letting you in."

I'm surprised you hold that view. What you say is logical, except
invisible isn't really invisible as you stated above.
All I know is that I have had absolutely no problems of any kind since
learning how to use Kerio properly. That's enough for me.

I never had problems before I used Kerio. I never had problems after I
used Kerio.
I will confess that I was dumb enough to go messing around using IE
with install on demand enabled, visited a malicious site, and found
that a virus had been downloaded onto my hard disk, despite Kerio. If
the port to IE is open, anything can come through if you allow it.

Well of course. Add a proxy server to filter HTTP. A favourite is
Proxomitron as you know. For the ultra paranoid, run SSM as well.

Aaron

Aaron

donut said:
And I disagree with this. All you have to do is create a rule that
allows the traffic from a specific IP.


For example:

Rule Name: Allow port 113 IDENT from POP3 server

Protocol: TCP and UDP
Direction: Incoming

Remote endpoint-
Address Type: Single address
Host address: (enter the IP of the POP3 server)

Rule valid: Always

Action: Permit

Technically that would leave you open if something is listening.

Aaron

Aaron

Makes sense, the inbound packet is actually looking for a app that
listens on 113, mozilla isn't. If you had a real IDENT server, you would
specify that, but since you don't "any" is the best choice.
This worked without setting up a local IDENT server? I wonder what
your machine is returning as an IDENT response.

Probably deny since nothing is listening on TCP 113.

The idea of the 113 rule is such that the firewall does not do anything
at all to inbound packets addressed to port 113. But because no
application (i.e. a real IDENT server) is listening, the deny request is
sent back. This is exactly the same case as if John was not using a
firewall at all. That is, without a firewall John's machine will show up
as closed on 113 anyway, hence stopping the repeat auth requests.

Aaron
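The two points argued above (Aaron's post on closed versus stealth, and his explanation of what the port 113 rule actually does when nothing listens) can be watched on the wire. What follows is an added example, not code from this thread, from Kerio, or from any of the posters: a minimal RFC 1413 IDENT client and responder in Python, plus a probe that classifies a port the way the discussion does. "closed" is a refused connection (a TCP RST came straight back, which is what the mail server sees when 113 is permitted but no IDENT server runs), "stealth" is silence until the probe's own timer expires (packets dropped), and "open" means something answered. The local responder, the port numbers and the user name are all constructed for the demonstration; the Kerio rule itself cannot be exercised here, only the three outcomes it produces.

```python
"""Added example: RFC 1413 IDENT exchange and closed-vs-stealth probing.

Not part of the thread or of Kerio. The responder, ports and user name
below are constructed for the demonstration.
"""
import socket
import threading


def build_ident_request(server_port, client_port):
    """RFC 1413 query '<port-on-server>, <port-on-client>' CRLF, sent by the
    mail server to the client's port 113 to ask who owns that connection."""
    return f"{server_port}, {client_port}\r\n".encode("ascii")


def parse_ident_response(raw):
    """Parse one RFC 1413 reply line into a dict; raise ValueError if malformed."""
    text = raw.decode("ascii", errors="replace").strip()
    # At most four fields: ports, USERID|ERROR, os|error-type, user-id
    # (split limit keeps any ':' inside the user-id intact).
    fields = [f.strip() for f in text.split(":", 3)]
    if len(fields) < 3:
        raise ValueError(f"malformed IDENT reply: {text!r}")
    try:
        server_port, client_port = (int(p) for p in fields[0].split(","))
    except ValueError:
        raise ValueError(f"bad port pair in IDENT reply: {text!r}") from None
    result = {"server_port": server_port, "client_port": client_port, "status": fields[1]}
    if fields[1] == "USERID" and len(fields) == 4:
        result["os"], result["user"] = fields[2], fields[3]
    elif fields[1] == "ERROR" and len(fields) == 3:
        result["error"] = fields[2]
    else:
        raise ValueError(f"unexpected IDENT reply type: {text!r}")
    return result


def start_ident_responder(user=None):
    """Toy IDENT server on 127.0.0.1 (ephemeral port): answers ERROR : NO-USER
    when user is None, else USERID : UNIX : <user>. Returns (port, stop_fn)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)          # lets the accept loop notice the stop flag
    port = srv.getsockname()[1]
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                conn.settimeout(2.0)
                try:
                    req = conn.recv(1024).decode("ascii", errors="replace")
                    sp, cp = (int(p) for p in req.split(","))
                except socket.timeout:
                    continue
                except ValueError:
                    conn.sendall(b"0, 0 : ERROR : INVALID-PORT\r\n")
                    continue
                if user is None:
                    reply = f"{sp}, {cp} : ERROR : NO-USER\r\n"
                else:
                    reply = f"{sp}, {cp} : USERID : UNIX : {user}\r\n"
                conn.sendall(reply.encode("ascii"))
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, stop.set


def query_ident(host, ident_port, server_port, client_port, timeout=2.0):
    """Act as the mail server. Returns (state, reply):
    ('closed', None)  connection refused: a RST came back at once
    ('stealth', None) nothing came back before timeout: packets dropped
    ('open', dict)    an IDENT server answered; dict is the parsed reply"""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, ident_port))
    except ConnectionRefusedError:
        sock.close()
        return "closed", None
    except socket.timeout:
        sock.close()
        return "stealth", None
    with sock:
        sock.sendall(build_ident_request(server_port, client_port))
        data = b""
        while b"\n" not in data:
            chunk = sock.recv(512)
            if not chunk:
                break
            data += chunk
    return "open", parse_ident_response(data)


def unused_local_port():
    """Pick a loopback port nothing listens on (a constructed 'closed' case)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # 113 permitted but no IDENT server: the peer is refused immediately ('closed').
    print("no listener:", query_ident("127.0.0.1", unused_local_port(), 110, 51234))
    # A real IDENT server that declines to name the user.
    port, stop = start_ident_responder(user=None)
    print("responder:  ", query_ident("127.0.0.1", port, 110, 51234))
    stop()
    # 'stealth' needs packets dropped (a deny rule or an unroutable host);
    # query_ident then returns ('stealth', None) only after its full timeout.
```

The point the thread circles around is visible in the return values: the "closed" answer costs the mail server one round trip, while "stealth" costs it the whole timeout, and it will often retry. A permit rule restricted to the mail server's address gives that one peer the quick refusal and leaves everyone else with silence.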

»Q«

Probably deny since nothing is listening on TCP 113.

The idea of the 113 rule is such that the firewall does not do
anything at all to inbound packets addressed to port 113. But
because no application (i.e. a real IDENT server) is listening,
the deny request is sent back. This is exactly the same case as if
John was not using a firewall at all. That is, without a firewall
John's machine will show up as closed on 113 anyway, hence stopping
the repeat auth requests.

This makes good sense. Thank you for the explanation.

»Q«

Now I'm on stealth mode again, can FTP and get my email faster.

I've just realized why I got so confused. In
<Aaron gives a good
explanation that I think is right, but it would mean your port 113 is
not stealthed at all, just closed. If <https://grc.com/x/portprobe=
113> reports it closed, I can relax. ;)

Aaron

I've just realized why I got so confused. In
<Aaron gives a good
explanation that I think is right, but it would mean your port 113 is
not stealthed at all, just closed. If <https://grc.com/x/portprobe=
113> reports it closed, I can relax. ;)

Well, since the rule specifies only his mail server IPs, he will appear
stealth to everyone else except his mail server, to whom he will appear
closed. Not too bad.

Aaron

»Q«

Well, since the rule specifies only his mail server IPs, he will
appear stealth to everyone else except his mail server, to whom he
will appear closed. Not too bad.

Thanks. I understand all the pieces of this, but I had some sort of
mental block wrt the big picture. I think I've got it finally, and can
quit pestering you. ;)