Archived from groups: comp.security.firewalls
"Casey" <casey@nosuch.net> wrote in message
news:MPG.1b3d1d97bf5b96498973a@news.west.earthlink.net...
> In article <10d6nq89k4oe04d@corp.supernews.com>, dvader@deathstar.mil says...
> > >Hi Crash. My firewall is Sygate. But in the past I read so much about
> > >Kerio 215 that I decided to try it and learn something about it.
> > >My understanding was that everything is blocked by default and you must
> > >allow anything in or out. Is this incorrect?
> >
> > It depends. There are three security policies, "Deny Unknown," "Ask Me First,"
> > and "Allow Unknown." If you select the Deny Unknown policy, then everything is
> > blocked by default unless you have a rule to allow it.
> >
> > The policy is selected with a slide switch that you will see when you first open
> > Firewall Administration. This page shows snapshots of the three policies. Read
> > the descriptions. I'm big on snapshots so I don't have to explain everything.
> >
> > http://lists.gpick.com/crashsite/tips/kerio/keriomodes.htm
> >
> > The "Advanced" button will take you to the rule list, where you can create and
> > edit specific rules.
> >
> Thanks Crash. I'll go back and refresh on 2.1.5.
> Casey
In Advanced->Miscellaneous, click "[] log Into File (filter.log)", also "[] Log Packets
Addressed to Unopened Ports" and "[] Log Suspicious Packets". These last two
catch an enormous amount of garbage, particularly packets with no owner.
Here's my setup:
Description                Protocol      Local            Remote                    Owner            Status
DNS primary                UDP(Both)     [any port]       [DNS primary]:[53]        SERVICES.EXE     Permit
DNS secondary              UDP(Both)     [any port]       [DNS secondary]:[53]      SERVICES.EXE     Permit
POP3                       UDP/TCP(Out)  [Any Port]       [Surfbest POP3]:[110]     MSIMN.EXE        Permit
NNTP                       TCP(Out)      [Any Port]       [Supernews]:[119]         MSIMN.EXE        Permit
SMTP                       TCP(Out)      [25]             [Surfbest SMTP]:[25]      MSIMN.EXE        Permit
HTTP                       TCP(Out)      [Any Port]       [Any Address]:[80]        IEXPLORE.EXE     Permit
Internet Explorer (cache)  UDP(Out)      [Any Port]       [127.0.0.1]:[Any Port]    IEXPLORE.EXE     Permit
Outlook Express (cache)    UDP(Out)      [Any Port]       [127.0.0.1]:[Any Port]    MSIMN.EXE        Permit
Outlook Express (HTTP)     TCP(Out)      [Any Port]       [Any Address]:[80]        MSIMN.EXE        Permit
FTP control                TCP(Both)     [Any Port]       [Any Address]:[21]        IEXPLORE.EXE     Permit
FTP data                   TCP(Both)     [Any Port]       [Any Address]:[20]        IEXPLORE.EXE     Permit
AVG Update downloader      TCP(Both)     [Any Port]       [Any Address]:[80]        AVGINET.EXE      Permit
PING [8] Echo Request      ICMP(In)      [Any Port]       [Any Address]             Any Application  Permit
PING [0] Echo Reply        ICMP(Out)     [Any Port]       [Any Address]             Any Application  Permit
Rest of the ICMP messages  ICMP(Both)    [Any Port]       [Any Address]             Any Application  Deny
Bootp & TFTP               UDP(Both)     [67-69]          [Any Address]:[Any Port]  Any Application  Deny
Ports 135,137-9,445        TCP(In)       [135,137-9,445]  [Any Address]:[Any Port]  Any Application  Deny
Host Process for win32     TCP(In)       [Any Port]       [Any Address]:[Any Port]  SVCHOST.EXE      Deny
Task Scheduler             UDP/TCP(In)   [Any Port]       [Any Address]:[Any Port]  MSTASK.EXE       Deny
SYSTEM                     UDP/TCP(In)   [Any Port]       [Any Address]:[Any Port]  SYSTEM           Deny
Pity the formatting is lost ;-)
This is just a text record, just in case I lost the .conf file.
Save your .conf file whenever you make changes.
Your needs may differ, e.g. I use FTP to update my webpage.
Text in brackets, e.g. [DNS Primary], indicates known addresses,
which I also list, but they are not shown here. You can get these addresses
by logging everything, to start, and examining the log record.
The log record is simply a text file in the Kerio directory.
Alan
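As an added example (not code from this thread or from Kerio), the following Python models how a subset of the rule list above gates traffic under each of the three policies Crash described. It assumes top-down, first-match evaluation and that the policy switch only decides packets no rule matches; the rule subset, the packet records and the 192.0.2.10 address are constructed for illustration.

```python
# Constructed model of a subset of the Kerio 2.1.5 rule list posted above, in
# the posted order. Assumed (not stated in the thread): rules are checked
# top-down, first match wins, and the policy switch only decides unmatched packets.
ANY = None  # wildcard for a port, address or owner application
POLICY_DEFAULT = {"Deny Unknown": "Deny", "Allow Unknown": "Permit", "Ask Me First": "Ask"}

# (name, protocol, direction, local ports, remote address, remote port, owner, action)
# For ICMP rules the "remote port" slot carries the ICMP type instead.
RULES = [
    ("DNS primary", "UDP", "Both", ANY, "DNS primary", 53, "SERVICES.EXE", "Permit"),
    ("HTTP", "TCP", "Out", ANY, ANY, 80, "IEXPLORE.EXE", "Permit"),
    ("Internet Explorer (cache)", "UDP", "Out", ANY, "127.0.0.1", ANY, "IEXPLORE.EXE", "Permit"),
    ("FTP control", "TCP", "Both", ANY, ANY, 21, "IEXPLORE.EXE", "Permit"),
    ("PING [8] Echo Request", "ICMP", "In", ANY, ANY, 8, ANY, "Permit"),
    ("PING [0] Echo Reply", "ICMP", "Out", ANY, ANY, 0, ANY, "Permit"),
    ("Rest of the ICMP messages", "ICMP", "Both", ANY, ANY, ANY, ANY, "Deny"),
    ("Ports 135,137-9,445", "TCP", "In", {135, 137, 138, 139, 445}, ANY, ANY, ANY, "Deny"),
    ("Host Process for win32", "TCP", "In", ANY, ANY, ANY, "SVCHOST.EXE", "Deny"),
]

def packet(proto, direction, owner, rport=ANY, raddr="192.0.2.10", lport=1025):
    """A constructed packet/connection record; 192.0.2.10 is a documentation address."""
    return {"proto": proto, "dir": direction, "owner": owner,
            "rport": rport, "raddr": raddr, "lport": lport}

def matches(rule, pkt):
    _, proto, direction, lports, raddr, rport, owner, _ = rule
    if proto != pkt["proto"] and not (proto == "UDP/TCP" and pkt["proto"] in ("UDP", "TCP")):
        return False
    if direction not in ("Both", pkt["dir"]):
        return False
    if lports is not ANY and pkt["lport"] not in lports:
        return False
    if raddr is not ANY and raddr != pkt["raddr"]:
        return False
    if rport is not ANY and rport != pkt["rport"]:
        return False
    return owner is ANY or owner == pkt["owner"]

def decide(pkt, policy="Deny Unknown", rules=RULES):
    """Return (action, rule name); unmatched packets fall through to the policy."""
    for rule in rules:
        if matches(rule, pkt):
            return rule[-1], rule[0]
    return POLICY_DEFAULT[policy], "policy: " + policy

if __name__ == "__main__":
    print(decide(packet("TCP", "Out", "IEXPLORE.EXE", rport=80)))   # ('Permit', 'HTTP')
    print(decide(packet("TCP", "Out", "UNKNOWN.EXE", rport=80)))    # ('Deny', 'policy: Deny Unknown')
```

Note that SERVICES.EXE querying any resolver other than the two listed falls through to the policy, which is what pinning the DNS rules to known addresses buys you.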