
Problem with Kerio - please help!

Anonymous
May 25, 2004 2:26:05 PM

Archived from groups: comp.security.firewalls (More info?)

Hi,

I accidentally switched off my computer before windows had finished
closing down. When I restarted it the disc check came up with a load
of errors which were reported to have been 'truncated' and then
desktop appeared as per normal.

I did another reboot cos some things weren't working right and now the
only problem I have is with kerio.

It's as if kerio has started from scratch & I've been informed
everytime a program wants to access the net - and created rules
appropriately.

I keep getting informed that such-and-such from the net wants to
access different ports (particularly 1025 & 1026) and I used to have a
'block all' rule which (I think) prevented this.

The trouble is (if its not already apparent) that I don't know much
about computers in general and kerio in particular - I may even still
have the block all rule but in case its 'gone' could anyone tell me
what it is please? preferably in nice easy steps! :) 

Thanks in advance,

--

John Latter

Model of an Internal Evolutionary Mechanism (based on an extension to homeostasis) linking Stationary-Phase Mutations to the Baldwin Effect.
http://members.aol.com/jorolat/TEM.html

'Where Darwin meets Lamarck?' Discussion Egroup
http://groups.yahoo.com/group/evomech

Anonymous
May 25, 2004 3:16:43 PM

"John Latter" <jorolat@msn.com> wrote in message
news:rp36b0hr0jsas8dulc8gcp7trf5k59mjq1@4ax.com...
> Hi,
>
> I accidentally switched off my computer before windows had finished
> closing down. When I restarted it the disc check came up with a load
> of errors which were reported to have been 'truncated' and then
> desktop appeared as per normal.
>
> I did another reboot cos some things weren't working right and now the
> only problem I have is with kerio.
>
> It's as if kerio has started from scratch & I've been informed
> everytime a program wants to access the net - and created rules
> appropriately.
>
> I keep getting informed that such-and-such from the net wants to
> access different ports (particularly 1025 & 1026) and I used to have a
> 'block all' rule which (I think) prevented this.
>
> The trouble is (if its not already apparent) that I don't know much
> about computers in general and kerio in particular - I may even still
> have the block all rule but in case its 'gone' could anyone tell me
> what it is please? preferably in nice easy steps! :) 

Save your configuration (Administration->Miscellaneous->Save) whenever
you make changes, so that you can reload a version when things go
wrong. I also maintain a text file version, e.g.

Filter Rules        Both == In\Out
------------

Description                Protocol      Local                 Remote                    Owner            Status

DNS primary                UDP(Both)     [any port]            [DNS primary]:[53]        SERVICES.EXE     Permit
DNS secondary              UDP(Both)     [any port]            [DNS secondary]:[53]      SERVICES.EXE     Permit
POP3                       UDP/TCP(Out)  [Any Port]            [Surfbest POP3]:[110]     MSIMN.EXE        Permit
NNTP                       TCP(Out)      [Any Port]            [Supernews]:[119]         MSIMN.EXE        Permit
SMTP                       TCP(Out)      [25]                  [Surfbest SMTP]:[25]      MSIMN.EXE        Permit
HTTP                       TCP(Out)      [Any Port]            [Any Address]:[80]        IEXPLORE.EXE     Permit
Internet Explorer (cache)  UDP(Out)      [Any Port]            [127.0.0.1]:[Any Port]    IEXPLORE.EXE     Permit
Outlook Express (cache)    UDP(Out)      [Any Port]            [127.0.0.1]:[Any Port]    MSIMN.EXE        Permit
Inbound 127.0.0.1          UDP/TCP(In)   [Any Port]            [127.0.0.1]:[Any Port]    Any Application  Deny
Outlook Express (HTTP)     TCP(Out)      [Any Port]            [Any Address]:[80]        MSIMN.EXE        Permit
FTP control                TCP(Both)     [Any Port]            [Any Address]:[21]        IEXPLORE.EXE     Permit
FTP data                   TCP(Both)     [Any Port]            [Any Address]:[20]        IEXPLORE.EXE     Permit
AVG Update downloader      TCP(Both)     [Any Port]            [AVG1]:[80]               AVGINET.EXE      Permit
AVG Update downloader      TCP(Both)     [Any Port]            [AVG2]:[80]               AVGINET.EXE      Permit
PING [8] Echo Request      ICMP(In)      [Any Port]            [Any Address]             Any Application  Permit
PING [0] Echo Reply        ICMP(Out)     [Any Port]            [Any Address]             Any Application  Permit
Rest of the ICMP messages  ICMP(Both)    [Any Port]            [Any Address]             Any Application  Deny
Bootp & TFTP               UDP(Both)     [67-69]               [Any Address]:[Any Port]  Any Application  Deny
Ports 135,137-9,445,1026   TCP(In)       [135,137-9,445,1026]  [Any Address]:[Any Port]  Any Application  Deny
Ports 500,1027             TCP(In)       [500,1027]            [Any Address]:[Any Port]  Any Application  Deny
Host Process for win32     TCP(In)       [Any Port]            [Any Address]:[Any Port]  SVCHOST.EXE      Deny

My tabbed file looks a real mess here, ask if you have questions.

You can get the addresses of your DNS servers by running ipconfig /all

This firewall is still being tweaked, but I haven't had any viruses in
4 weeks.
Run Active Ports (http://www.ntutility.com) to locate 'listening ports'
and block incoming TCP to them (except the Kerio listening ports, of
course)

Initially log everything and set alerts on things that you're not sure
of. Use a good anti-virus (e.g. AVG7 - www.grisoft.com) and check your
system for infections every day.
Anonymous
May 25, 2004 5:11:43 PM

John Latter <jorolat@msn.com> wrote in message news:<rp36b0hr0jsas8dulc8gcp7trf5k59mjq1@4ax.com>...
> Hi,
>
> I accidentally switched off my computer before windows had finished
> closing down.

> I did another reboot cos some things weren't working right and now the
> only problem I have is with kerio.
>
> It's as if kerio has started from scratch & I've been informed
> everytime a program wants to access the net - and created rules
> appropriately.

Unless a Kerio expert has a better idea, it sounds like some of your
files have become corrupted. If Kerio was operating at the time you
powered down your computer, one or more of its files may have been
open, and so now they're in a state Kerio can't use. Probably the
simplest solution would be to completely uninstall Kerio, including
erasing the contents of the Kerio folder, then reinstall. You would
have to re-train Kerio at this point, but it should retain all it
learns.
Anonymous
May 25, 2004 8:15:25 PM

>Subject: Re: Problem with Kerio - please help!
>From: "Alan Illeman" illemann@surfbest.net
>Date: 25/05/2004 16:16 GMT Daylight Time
>Message-id: <10b6or411ne88b7@news.supernews.com>
>
>
>"John Latter" <jorolat@msn.com> wrote in message
>news:rp36b0hr0jsas8dulc8gcp7trf5k59mjq1@4ax.com...
>> Hi,
>>
>> I accidentally switched off my computer before windows had finished
>> closing down. When I restarted it the disc check came up with a load
>> of errors which were reported to have been 'truncated' and then
>> desktop appeared as per normal.
>>
>> I did another reboot cos some things weren't working right and now the
>> only problem I have is with kerio.
>>
>> It's as if kerio has started from scratch & I've been informed
>> everytime a program wants to access the net - and created rules
>> appropriately.
>>
>> I keep getting informed that such-and-such from the net wants to
>> access different ports (particularly 1025 & 1026) and I used to have a
>> 'block all' rule which (I think) prevented this.
>>
>> The trouble is (if its not already apparent) that I don't know much
>> about computers in general and kerio in particular - I may even still
>> have the block all rule but in case its 'gone' could anyone tell me
>> what it is please? preferably in nice easy steps! :) 
>
>Save your configuration (Administration->Miscellaneous->Save) whenever
>you make changes, so that you can reload a version when things go
>wrong. I also maintain a text file version, e.g.
>
>Filter Rules        Both == In\Out
>------------
>
>Description                Protocol      Local                 Remote                    Owner            Status
>
>DNS primary                UDP(Both)     [any port]            [DNS primary]:[53]        SERVICES.EXE     Permit
>DNS secondary              UDP(Both)     [any port]            [DNS secondary]:[53]      SERVICES.EXE     Permit
>POP3                       UDP/TCP(Out)  [Any Port]            [Surfbest POP3]:[110]     MSIMN.EXE        Permit
>NNTP                       TCP(Out)      [Any Port]            [Supernews]:[119]         MSIMN.EXE        Permit
>SMTP                       TCP(Out)      [25]                  [Surfbest SMTP]:[25]      MSIMN.EXE        Permit
>HTTP                       TCP(Out)      [Any Port]            [Any Address]:[80]        IEXPLORE.EXE     Permit
>Internet Explorer (cache)  UDP(Out)      [Any Port]            [127.0.0.1]:[Any Port]    IEXPLORE.EXE     Permit
>Outlook Express (cache)    UDP(Out)      [Any Port]            [127.0.0.1]:[Any Port]    MSIMN.EXE        Permit
>Inbound 127.0.0.1          UDP/TCP(In)   [Any Port]            [127.0.0.1]:[Any Port]    Any Application  Deny
>Outlook Express (HTTP)     TCP(Out)      [Any Port]            [Any Address]:[80]        MSIMN.EXE        Permit
>FTP control                TCP(Both)     [Any Port]            [Any Address]:[21]        IEXPLORE.EXE     Permit
>FTP data                   TCP(Both)     [Any Port]            [Any Address]:[20]        IEXPLORE.EXE     Permit
>AVG Update downloader      TCP(Both)     [Any Port]            [AVG1]:[80]               AVGINET.EXE      Permit
>AVG Update downloader      TCP(Both)     [Any Port]            [AVG2]:[80]               AVGINET.EXE      Permit
>PING [8] Echo Request      ICMP(In)      [Any Port]            [Any Address]             Any Application  Permit
>PING [0] Echo Reply        ICMP(Out)     [Any Port]            [Any Address]             Any Application  Permit
>Rest of the ICMP messages  ICMP(Both)    [Any Port]            [Any Address]             Any Application  Deny
>Bootp & TFTP               UDP(Both)     [67-69]               [Any Address]:[Any Port]  Any Application  Deny
>Ports 135,137-9,445,1026   TCP(In)       [135,137-9,445,1026]  [Any Address]:[Any Port]  Any Application  Deny
>Ports 500,1027             TCP(In)       [500,1027]            [Any Address]:[Any Port]  Any Application  Deny
>Host Process for win32     TCP(In)       [Any Port]            [Any Address]:[Any Port]  SVCHOST.EXE      Deny
>
>My tabbed file looks a real mess here, ask if you have questions.
>
>You can get the addresses of your DNS servers by running ipconfig /all
>
>This firewall is still being tweaked, but I haven't had any viruses in
>4 weeks.
>Run Active Ports (http://www.ntutility.com) to locate 'listening ports'
>and block incoming TCP to them (except the Kerio listening ports, of
>course)
>
>Initially log everything and set alerts on things that you're not sure
>of. Use a good anti-virus (e.g. AVG7 - www.grisoft.com) and check your
>system for infections every day.
>

Thanks for replying Alan but I really am hopeless at this. I thought I might
have saved my settings some time ago and in the process of reloading I managed
to lose all of my rules.

Consequently I'm starting from scratch again but I don't know which to deny so
I'm permitting everything.

Could you tell me how to create a "Block All" rule please?

Regards,

Jorolat


Model of an Internal Evolutionary Mechanism
http://members.aol.com/jorolat/TEM.html

'Where Darwin meets Lamarck?' Discussion Egroup
http://groups.yahoo.com/group/evomech
Anonymous
May 25, 2004 8:15:26 PM

In article <20040525121525.05832.00001851@mb-m03.aol.com>,
jorolat@aol.com says...
> Thanks for replying Alan but I really am hopeless at this. I thought I might
> have saved my settings some time ago and in the process of reloading I managed
> to lose all of my rules.
>
> Consequently I'm starting from scratch again but I don't know which to deny so
> I'm permitting everything.
>
> Could you tell me how to create a "Block All" rule please?

John, no offense here at all, but if you're that uncomfortable with
Kerio's rules and such, you might be much better off with another
firewall that takes care of all those details for you. Sygate is a
pretty good one. At the bottom of this page there's a download link for
the free version: http://smb.sygate.com/buy/download_buy.htm. It works
well...


--
Kerodo
Anonymous
May 25, 2004 9:37:14 PM

X-No-archive: yes

"John Latter" <jorolat@aol.com> wrote in message
news:20040525121525.05832.00001851@mb-m03.aol.com...
>
[snip]
>
> Thanks for replying Alan but I really am hopeless at this. I thought I might
> have saved my settings some time ago and in the process of reloading I managed
> to lose all of my rules.
>
> Consequently I'm starting from scratch again but I don't know which to deny so
> I'm permitting everything.
>
> Could you tell me how to create a "Block All" rule please?

You don't really want a rule to block all, do you? When you install
Kerio 2.1.5 it suggests some rules, and you can modify/add to those.
Also use some/all the rules that I provided. I was 'hopeless' at first,
but I just read and studied and improved.

Additionally to the rules I suggested, make sure that
Administration->Advanced->Miscellaneous->Log into file - is enabled.
Also enable "Log Packets Addressed To Unopened Ports" and "Log
Suspicious Packets"

dslreports has a file "section 2_5_1_Kerio and pre-v3_0 PFW" providing
some tips for using Kerio 2.1.5, but some of them don't work for me.
For example, it suggests that after the permitted ICMP rules, you place
a rule that denies all types. It also suggests that the order of the
rules is very important, and again, I disagree.

Keep off the internet until you are completely satisfied with the
integrity of your firewall, and stay with newsgroups for a while. I
stayed off for 3 days - but I'm a slow learner ;-) Better to have too
many rules, at first. Set them to log the results and study the log
file: Firewall Status -> Logs -> Firewall Log. Before you right-click
on the log file window, to clear it, save the contents of
c:\Program Files\Kerio\Personal Firewall\filter.log - to another text
file, as a permanent record.

Some other firewalls may be 'better' but whatever firewall you use,
you'll eventually have to understand the protocols. I started out with
Kerio 4 (even bought a licence) - but now prefer Kerio 2.1.5

You can also email me if you wish ( replace illemann with alananne ).
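
The rule-order question raised in the post above, and the "Block All" rule asked about earlier in the thread, worked through as an added example (not part of any post here, and not Kerio code). It assumes the filter checks rules top-down and stops at the first match, which is the premise of the dslreports tip; the rule subset comes from the list posted in the thread, while `evaluate`, `shadowed` and the final catch-all rule are hypothetical names introduced for this example.

```python
from dataclasses import dataclass
from typing import Optional

ANY = None  # wildcard: the field matches anything

@dataclass(frozen=True)
class Rule:
    name: str
    proto: Optional[str]          # "TCP", "UDP", "ICMP" or ANY
    direction: str                # "in", "out" or "both"
    local: Optional[frozenset]    # local ports (ICMP: message types) or ANY
    remote: Optional[frozenset]   # remote ports or ANY
    action: str                   # "permit" or "deny"

@dataclass(frozen=True)
class Packet:
    proto: str
    direction: str                # "in" or "out"
    local: int                    # local port, or ICMP message type
    remote: int = 0

def matches(rule, pkt):
    return ((rule.proto is ANY or rule.proto == pkt.proto)
            and rule.direction in ("both", pkt.direction)
            and (rule.local is ANY or pkt.local in rule.local)
            and (rule.remote is ANY or pkt.remote in rule.remote))

def evaluate(rules, pkt):
    """First matching rule decides (assumed); no match means the user is asked."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.name
    return "ask", None

def covers(a, b):
    """True if every packet rule b can match is also matched by rule a."""
    def field(x, y):
        return x is ANY or (y is not ANY and y <= x)
    return ((a.proto is ANY or a.proto == b.proto)
            and a.direction in ("both", b.direction)
            and field(a.local, b.local) and field(a.remote, b.remote))

def shadowed(rules):
    """Names of rules that can never fire because an earlier rule covers them."""
    return [b.name for i, b in enumerate(rules)
            if any(covers(a, b) for a in rules[:i])]

S = frozenset
CATCH_ALL = Rule("Block all (hypothetical catch-all)", ANY, "both", ANY, ANY, "deny")
# Subset of the rules posted in the thread, in the posted order, catch-all last.
RULES = [
    Rule("HTTP", "TCP", "out", ANY, S({80}), "permit"),
    Rule("PING [8] Echo Request", "ICMP", "in", S({8}), ANY, "permit"),
    Rule("PING [0] Echo Reply", "ICMP", "out", S({0}), ANY, "permit"),
    Rule("Rest of the ICMP messages", "ICMP", "both", ANY, ANY, "deny"),
    Rule("Ports 135,137-9,445,1026", "TCP", "in",
         S({135, 137, 138, 139, 445, 1026}), ANY, "deny"),
    CATCH_ALL,
]
MISORDERED = [CATCH_ALL] + RULES[:-1]   # same rules, catch-all moved to the top

if __name__ == "__main__":
    # Constructed packets: browser request, inbound to 1025, ICMP types 8 and 3.
    for pkt in (Packet("TCP", "out", 1050, 80), Packet("TCP", "in", 1025, 4000),
                Packet("ICMP", "in", 8), Packet("ICMP", "in", 3)):
        print(pkt, evaluate(RULES, pkt), evaluate(RULES[:-1], pkt),
              evaluate(MISORDERED, pkt))
    print("shadowed when catch-all is first:", shadowed(MISORDERED))
```

Under these assumptions, inbound TCP to local port 1025 matches none of the posted rules and falls through to a prompt unless a catch-all deny sits at the end; the same catch-all placed first shadows every rule after it.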
Anonymous
May 26, 2004 1:57:14 AM

"Alan Illeman" <illemann@surfbest.net> wrote in
news:10b6or411ne88b7@news.supernews.com:

<Snipola>
> This firewall is still being tweaked, but I haven't had any viruses in 4
> weeks.
<Snipola>

For some reason I'm having difficulty with this statement. 4 weeks?
I've been internetting for about 8+ years and I have had a firewall
less than half that time.

In all that time I've only been infected once, about two months ago.
It was my own fault though. I connected to the net with an out of the
box win2k system with no firewall. But it was no big deal as it was
a test setup and I was planning on reformatting anyway.

Perhaps I'm just lucky.

Brian
--
Sed quis custodiet ipsos Custodes?
Anonymous
May 26, 2004 1:57:15 AM

"Skywise" <into@oblivion.nothing.com> wrote in message
news:_iPsc.10340$be.9631@newsread2.news.pas.earthlink.net...
> "Alan Illeman" <illemann@surfbest.net> wrote in
> news:10b6or411ne88b7@news.supernews.com:
>
> <Snipola>
> > This firewall is still being tweaked, but I haven't had any viruses in 4
> > weeks.
> <Snipola>
>
> For some reason I'm having difficulty with this statement. 4 weeks?
> I've been internetting for about 8+ years and I have had a firewall
> less than half that time.
>
> In all that time I've only been infected once, about two months ago.
> It was my own fault though. I connected to the net with an out of the
> box win2k system with no firewall. But it was no big deal as it was
> a test setup and I was planning on reformatting anyway.
>
> Perhaps I'm just lucky.

Maybe. I've been using Win95 since its inception without a firewall
until March of this year - and never had a virus. A newer machine,
newer software, and voila - all manner of problems. Prior to March
I didn't really know what a firewall was!

Alan
Anonymous
May 26, 2004 3:21:35 AM

On Tue, 25 May 2004 13:31:06 -0700, Kerodo
<kerodonospamkenny@hotmail.com> wrote:

>In article <20040525121525.05832.00001851@mb-m03.aol.com>,
>jorolat@aol.com says...
>> Thanks for replying Alan but I really am hopeless at this. I thought I might
>> have saved my settings some time ago and in the process of reloading I managed
>> to lose all of my rules.
>>
>> Consequently I'm starting from scratch again but I don't know which to deny so
>> I'm permitting everything.
>>
>> Could you tell me how to create a "Block All" rule please?
>
>John, no offense here at all, but if you're that uncomfortable with
>Kerio's rules and such, you might be much better off with another
>firewall that takes care of all those details for you. Sygate is a
>pretty good one. At the bottom of this page there's a download link for
>the free version: http://smb.sygate.com/buy/download_buy.htm. It works
>well...

No offense taken Kerodo! :) 

In fact I had thought of returning to ZoneAlarm (if it's still free)
cos I had it once before but I might give Sygate a go instead.

--

John Latter

Model of an Internal Evolutionary Mechanism (based on an extension to homeostasis) linking Stationary-Phase Mutations to the Baldwin Effect.
http://members.aol.com/jorolat/TEM.html

'Where Darwin meets Lamarck?' Discussion Egroup
http://groups.yahoo.com/group/evomech
Anonymous
May 26, 2004 3:22:59 AM

On Tue, 25 May 2004 17:37:14 -0400, "Alan Illeman"
<illemann@surfbest.net> wrote:

>X-No-archive: yes
>
>"John Latter" <jorolat@aol.com> wrote in message
>news:20040525121525.05832.00001851@mb-m03.aol.com...
>>
>[snip]
>>
>> Thanks for replying Alan but I really am hopeless at this. I thought I might
>> have saved my settings some time ago and in the process of reloading I managed
>> to lose all of my rules.
>>
>> Consequently I'm starting from scratch again but I don't know which to deny so
>> I'm permitting everything.
>>
>> Could you tell me how to create a "Block All" rule please?
>
>You don't really want a rule to block all, do you? When you install
>Kerio 2.1.5 it suggests some rules, and you can modify/add to those.
>Also use some/all the rules that I provided. I was 'hopeless' at first,
>but I just read and studied and improved.
>
>Additionally to the rules I suggested, make sure that
>Administration->Advanced->Miscellaneous->Log into file - is enabled.
>Also enable "Log Packets Addressed To Unopened Ports" and "Log
>Suspicious Packets"
>
>dslreports has a file "section 2_5_1_Kerio and pre-v3_0 PFW" providing
>some tips for using Kerio 2.1.5, but some of them don't work for me.
>For example, it suggests that after the permitted ICMP rules, you place
>a rule that denies all types. It also suggests that the order of the
>rules is very important, and again, I disagree.
>
>Keep off the internet until you are completely satisfied with the
>integrity of your firewall, and stay with newsgroups for a while. I
>stayed off for 3 days - but I'm a slow learner ;-) Better to have too
>many rules, at first. Set them to log the results and study the log
>file: Firewall Status -> Logs -> Firewall Log. Before you right-click
>on the log file window, to clear it, save the contents of
>c:\Program Files\Kerio\Personal Firewall\filter.log - to another text
>file, as a permanent record.
>
>Some other firewalls may be 'better' but whatever firewall you use,
>you'll eventually have to understand the protocols. I started out with
>Kerio 4 (even bought a licence) - but now prefer Kerio 2.1.5
>
>You can also email me if you wish ( replace illemann with alananne ).
>

Thanks Alan! If I had the time I might do as you suggest (I certainly
have the interest) but for the moment I think I'll try a simpler
firewall.

--

John Latter

Model of an Internal Evolutionary Mechanism (based on an extension to homeostasis) linking Stationary-Phase Mutations to the Baldwin Effect.
http://members.aol.com/jorolat/TEM.html

'Where Darwin meets Lamarck?' Discussion Egroup
http://groups.yahoo.com/group/evomech
Anonymous
May 26, 2004 3:23:54 AM

On 25 May 2004 13:11:43 -0700, google@n1pop.cjb.net (N1POP) wrote:

>John Latter <jorolat@msn.com> wrote in message news:<rp36b0hr0jsas8dulc8gcp7trf5k59mjq1@4ax.com>...
>> Hi,
>>
>> I accidentally switched off my computer before windows had finished
>> closing down.
>
>> I did another reboot cos some things weren't working right and now the
>> only problem I have is with kerio.
>>
>> It's as if kerio has started from scratch & I've been informed
>> everytime a program wants to access the net - and created rules
>> appropriately.
>
>Unless a Kerio expert has a better idea, it sounds like some of your
>files have become corrupted. If Kerio was operating at the time you
>powered down your computer, one or more of its files may have been
>open, and so now they're in a state Kerio can't use. Probably the
>simplest solution would be to completely uninstall Kerio, including
>erasing the contents of the Kerio folder, then reinstall. You would
>have to re-train Kerio at this point, but it should retain all it
>learns.

I never thought of trying that N1POP - if it doesn't work then I'm
gonna try Sygate!

--

John Latter

Model of an Internal Evolutionary Mechanism (based on an extension to homeostasis) linking Stationary-Phase Mutations to the Baldwin Effect.
http://members.aol.com/jorolat/TEM.html

'Where Darwin meets Lamarck?' Discussion Egroup
http://groups.yahoo.com/group/evomech
Anonymous
May 26, 2004 1:01:13 PM

"John Latter" <jorolat@msn.com> wrote in message
news:p nh7b094b65dbkq99lg48jp9lt6op7kc42@4ax.com...
>
> Thanks Alan! If I had the time I might do as you suggest (I certainly
> have the interest) but for the moment I think I'll try a simpler
> firewall.
>
You'll have to learn sometime ;-)

Look for these FAQs posted every 2 weeks in comp.answers, news.answers
and other ngs, both maintained by Uri Raz

(1)
TCP/IP Resources List
This posting contains a list of various resources (books, web sites,
FAQS, newsgroups, and useful net techniques) intended to help a newbie
to learn about the TCP/IP suite of protocols.
Primary indexed copy - http://www.private.org.il/tcpip_rl.html
Secondary indexless copy -
http://www.faqs.org/faqs/internet/tcp-ip/resource-list/...

(2)
TCP/IP Applications FAQ
http://www.private.org.il/mini-tcpip.faq.html

Good luck
Anonymous
May 27, 2004 12:46:03 PM

On Wed, 26 May 2004 09:01:13 -0400, "Alan Illeman"
<illemann@surfbest.net> wrote:

>
>"John Latter" <jorolat@msn.com> wrote in message
>news:p nh7b094b65dbkq99lg48jp9lt6op7kc42@4ax.com...
>>
>> Thanks Alan! If I had the time I might do as you suggest (I certainly
>> have the interest) but for the moment I think I'll try a simpler
>> firewall.
>>
> You'll have to learn sometime ;-)
>
> Look for these FAQs posted every 2 weeks in comp.answers, news.answers
> and other ngs, both maintained by Uri Raz
>
>(1)
>TCP/IP Resources List
>This posting contains a list of various resources (books, web sites,
> FAQS, newsgroups, and useful net techniques) intended to help a newbie
> to learn about the TCP/IP suite of protocols.
> Primary indexed copy - http://www.private.org.il/tcpip_rl.html
> Secondary indexless copy -
>http://www.faqs.org/faqs/internet/tcp-ip/resource-list/...
>
>(2)
>TCP/IP Applications FAQ
>http://www.private.org.il/mini-tcpip.faq.html
>
>Good luck
>
>

Thanks for the links Alan!

--

John Latter

Model of an Internal Evolutionary Mechanism (based on an extension to homeostasis) linking Stationary-Phase Mutations to the Baldwin Effect.
http://members.aol.com/jorolat/TEM.html

'Where Darwin meets Lamarck?' Discussion Egroup
http://groups.yahoo.com/group/evomech