Kerio [2.1.5] Error "Rule Set Full"

[Guest]

Archived from groups: comp.security.firewalls (More info?)

Adding a custom rule, (never seen this before) >
"rule set full".
Trimmed off some fluff rules to accommodate the items
being added - would like to know if this is "normal"
behaviour for Kerio...

>TIA


--
siljaline

 

[Guest]

Archived from groups: comp.security.firewalls (More info?)

>Adding a custom rule, (never seen this before) >
>"rule set full".
>Trimmed off some fluff rules to accommodate the items
>being added - would like to know if this is "normal"
>behaviour for Kerio...

I've never run across it, but I'm not surprised that there is an upper limit.
How many rules did it take you to reach that point?

I don't make rules to block specific threats. I block all then add rules to
enable specific functions (browser, DNS, etc.).
--
Dave "Crash" Dummy - A weapon of mass destruction
crash@gpick.com?subject=Techtalk (Do not alter!)
http://lists.gpick.com

 

[Guest]

Archived from groups: comp.security.firewalls (More info?)

On Thu, 17 Jun 2004 02:31:40 -0400, "siljaline"
<siljaline@invalid.com> wrote:

>Adding a custom rule, (never seen this before) >
>"rule set full".
>Trimmed off some fluff rules to accommodate the items
>being added - would like to know if this is "normal"
>behaviour for Kerio...
>
>>TIA
>

have come across this many times before - esp when using Sponge's
rules, of which there are many

If you are like me and sometimes just say "allow all the time" when a
request is made, you can then go back and combine several
automatically generated rules into one - giving you more room.

e.g. app asks for outgoing tcp on port x - you allow - creates one
rule

it then asks for incoming tcp on port x - you allow - creates another
rule

and so on.

You may well know this, but if not, it might help.

cheers
--

Alastair Smeaton

 

[Guest]

Archived from groups: comp.security.firewalls (More info?)

On Thu, 17 Jun 2004 08:05:09 +0100, Alastair Smeaton <smeaton@dsl.pipex.com>
wrote:
<snip>
>You may well know this, but if not, it might help.

It does, cheers...
Speaking of the old Sponge, haven't seen hide nor hare of him in ages....

~Silj



--
siljaline

 

[Bob]

Archived from groups: comp.security.firewalls (More info?)

On Thu, 17 Jun 2004 03:18:50 -0400, siljaline <siljaline@invalid.com>
wrote:

>On Thu, 17 Jun 2004 08:05:09 +0100, Alastair Smeaton <smeaton@dsl.pipex.com>
>wrote:
><snip>
>>You may well know this, but if not, it might help.
>
>It does, cheers...
>Speaking of the old Sponge, haven't seen hide nor hare of him in ages....
>
>~Silj

Me either, let's hope he's just taking an extended and well
deserved vacation.

How many rules did it take to hit the wall? I have pretty well
settled in with 44 rules including 'block all'. Am I getting
close?

BoB

 

[Guest]

Archived from groups: comp.security.firewalls (More info?)

On Thu, 17 Jun 2004 11:52:22 -0400, BoB <me@privacy.net> wrote:

>How many rules did it take to hit the wall? I have pretty well
>settled in with 44 rules including 'block all'. Am I getting
>close?

My rule set is forced to take a sudden diet of sorts.
I lost count at user-assigned rules ~100 with the default rules, (XP Pro)
Had never thought that the rule set could max-out...

Regards,

~Silj


--
siljaline

 

[Guest]

Archived from groups: comp.security.firewalls (More info?)

""Crash" Dummy" <dvader@deathstar.mil> wrote in message
news:10d30u537ekql06@corp.supernews.com...
> >Adding a custom rule, (never seen this before) >
> >"rule set full".
> >Trimmed off some fluff rules to accommodate the items
> >being added - would like to know if this is "normal"
> >behaviour for Kerio...
>
> I've never run across it, but I'm not surprised that there is an upper
limit.
> How many rules did it take you to reach that point?
>
> I don't make rules to block specific threats. I block all then add rules
to
> enable specific functions (browser, DNS, etc.).
> --
> Dave "Crash" Dummy - A weapon of mass destruction

I don't have any rules that 'block all', and 20 rules in all - and
Ive had no invasion for months. Just curious, how to you block
all, by setting a port 'range' deny of 1-65535?

 

[Guest]

Archived from groups: comp.security.firewalls (More info?)

>I don't have any rules that 'block all', and 20 rules in all - and
>Ive had no invasion for months. Just curious, how to you block
>all, by setting a port 'range' deny of 1-65535?

If you don't care about logging, you can just set the general security level to
"Deny Unknown." That will block anything that does not have an explicit rule
allowing it, but it won't log blocked requests. If you want to log blocked
requests, you will need one or more "Block All" rules, depending on how you want
to categorize the events. I have separate rules for in or out, TCP, UDP, ICMP,
but a single rule for any protocol, either direction will work just fine.

Here is a snapshot of my "Block All" rule for inbound TCP:

http://lists.gpick.com/crashsite/tips/blockall.png

Notice that the logging option is checked. That is really the only reason I have
the rule.
--
Dave "Crash" Dummy - A weapon of mass destruction
crash@gpick.com?subject=Techtalk (Do not alter!)
http://lists.gpick.com

 

[Bob]

Archived from groups: comp.security.firewalls (More info?)

On Thu, 17 Jun 2004 18:25:15 -0400, siljaline <siljaline@invalid.com>
wrote:

>On Thu, 17 Jun 2004 11:52:22 -0400, BoB <me@privacy.net> wrote:
>
>>How many rules did it take to hit the wall? I have pretty well
>>settled in with 44 rules including 'block all'. Am I getting
>>close?
>
>My rule set is forced to take a sudden diet of sorts.
>I lost count at user-assigned rules ~100 with the default rules, (XP Pro)
>Had never thought that the rule set could max-out...
>
>Regards,
>
>~Silj

Thanks for the number.

On my Win98SE, I have:

3 UDP/TCP used for blocking

3 UDP, 1 limits DNS to my ISP addresses, 1 blocks all other DNS,
1 for DHCP of port 68.

3 ICMP 1 for In, 1 for Out, 1 for blocking all other

1 IGMP for blocking

1 TCP and 1 UDP for blocking incoming RPCSS

The other 32 are TCP or UDP and related to specific programs I
use that access the internet, except for the final 'block all'.

The first 12 listed above are based on Sponge's recommendations.
Those dozen pretty well cover me from all the info I've been able
to gather. I had 2.1.4 for a year, setup more or less the same, but
have been fine tuning 2.1.5 since it came out. So far not a hitch.

I can't quite figure how you are using over a 100, but I am far
from knowledgeable on Kerio and unfamiliar with the requirements
of protecting XP.

BoB

 

[Bob]

Archived from groups: comp.security.firewalls (More info?)

>>I don't have any rules that 'block all', and 20 rules in all - and
>>Ive had no invasion for months. Just curious, how to you block
>>all, by setting a port 'range' deny of 1-65535?

I have no interest in logging so my 'block all' requires only one
entry. I must disable it whenever I want to install a new program
that accesses the internet and when I upgrade one of my AV's etc,
since new rules cannot be semi-automatically be established unless
I do.

My 'block all' is:

Description: Block All
Protocol: Any
Direction: Both
Remote endpoint: Any address
Rule valid: Always
Action: Deny

BoB

 

[casey]

Archived from groups: comp.security.firewalls (More info?)

In article <10d30u537ekql06@corp.supernews.com>, dvader@deathstar.mil says...
> >Adding a custom rule, (never seen this before) >
> >"rule set full".
> >Trimmed off some fluff rules to accommodate the items
> >being added - would like to know if this is "normal"
> >behaviour for Kerio...
>
> I've never run across it, but I'm not surprised that there is an upper limit.
> How many rules did it take you to reach that point?
>
> I don't make rules to block specific threats. I block all then add rules to
> enable specific functions (browser, DNS, etc.).
>
Hi Crash. My firewall is Sygate. But in the past I read so much about
Kerio 215 that I decided to try it and learn something about it.
My understanding was that everyting is blocked by default and you must
allow anything in or out. Is this incorrect?
Thanks, Casey

 

[Guest]

Archived from groups: comp.security.firewalls (More info?)

>Hi Crash. My firewall is Sygate. But in the past I read so much about
>Kerio 215 that I decided to try it and learn something about it.
>My understanding was that everyting is blocked by default and you must
>allow anything in or out. Is this incorrect?

It depends. There are three security policies, "Deny Unknown," "Ask Me First,"
and "Allow Unknown." If you select the Deny Unknown policy, then everything is
blocked by default unless you have a rule to allow it.

The policy is selected with a slide switch that you will see when you first open
Firewall Administration. This page shows snapshots of the three policies. Read
the descriptions. I'm big on snapshots so I don't have to explain everything.

http://lists.gpick.com/crashsite/tips/kerio/keriomodes.htm

The "Advanced" button will take you to the rule list, where you can create and
edit specific rules.
--
Dave "Crash" Dummy - A weapon of mass destruction
crash@gpick.com?subject=Techtalk (Do not alter!)
http://lists.gpick.com

 

[casey]

Archived from groups: comp.security.firewalls (More info?)

In article <10d6nq89k4oe04d@corp.supernews.com>, dvader@deathstar.mil says...
> >Hi Crash. My firewall is Sygate. But in the past I read so much about
> >Kerio 215 that I decided to try it and learn something about it.
> >My understanding was that everyting is blocked by default and you must
> >allow anything in or out. Is this incorrect?
>
> It depends. There are three security policies, "Deny Unknown," "Ask Me First,"
> and "Allow Unknown." If you select the Deny Unknown policy, then everything is
> blocked by default unless you have a rule to allow it.
>
> The policy is selected with a slide switch that you will see when you first open
> Firewall Administration. This page shows snapshots of the three policies. Read
> the descriptions. I'm big on snapshots so I don't have to explain everything.
>
> http://lists.gpick.com/crashsite/tips/kerio/keriomodes.htm
>
> The "Advanced" button will take you to the rule list, where you can create and
> edit specific rules.
>
Thanks Crash. I'll go back and refresh on 2.1.5.
Casey

 

[Guest]

Archived from groups: comp.security.firewalls (More info?)

"Casey" <casey@nosuch.net> wrote in message
news:MPG.1b3d1d97bf5b96498973a@news.west.earthlink.net...
> In article <10d6nq89k4oe04d@corp.supernews.com>, dvader@deathstar.mil
says...
> > >Hi Crash. My firewall is Sygate. But in the past I read so much about
> > >Kerio 215 that I decided to try it and learn something about it.
> > >My understanding was that everyting is blocked by default and you must
> > >allow anything in or out. Is this incorrect?
> >
> > It depends. There are three security policies, "Deny Unknown," "Ask Me
First,"
> > and "Allow Unknown." If you select the Deny Unknown policy, then
everything is
> > blocked by default unless you have a rule to allow it.
> >
> > The policy is selected with a slide switch that you will see when you
first open
> > Firewall Administration. This page shows snapshots of the three
policies. Read
> > the descriptions. I'm big on snapshots so I don't have to explain
everything.
> >
> > http://lists.gpick.com/crashsite/tips/kerio/keriomodes.htm
> >
> > The "Advanced" button will take you to the rule list, where you can
create and
> > edit specific rules.
> >
> Thanks Crash. I'll go back and refresh on 2.1.5.
> Casey

In Advanced->Miscellaneous, click "[] log Into File (filter.log)", also "[]
Log Packets
Addressed to Unopened Ports" and "[] Log Suspicious Packets". These last two
catch an enormous amount of garbage, particularly packets with no owner.

Here's my setup:

Description Protocol Local Remote Owner Status

DNS primary UDP(Both) [any port] [DNS primary]:[53] SERVICES.EXE Permit
DNS secondary UDP(Both) [any port] [DNS secondary]:[53] SERVICES.EXE
Permit
POP3 UDP/TCP(Out) [Any Port] [Surfbest POP3]:[110] MSIMN.EXE Permit
NNTP TCP(Out) [Any Port] [Supernews]:[119] MSIMN.EXE Permit
SMTP TCP(Out) [25] [Surfbest SMTP]:[25] MSIMN.EXE Permit
HTTP TCP(Out) [Any Port] [Any Address]:[80] IEXPLORE.EXE Permit
Internet Explorer (cache) UDP(Out) [Any Port] [127.0.0.1]:[Any Port]
IEXPLORE.EXE Permit
Outlook Express (cache) UDP(Out) [Any Port] [127.0.0.1]:[Any Port]
MSIMN.EXE Permit
Outlook Express (HTTP) TCP(Out) [Any Port] [Any Address]:[80] MSIMN.EXE
Permit
FTP control TCP(Both) [Any Port] [Any Address]:[21] IEXPLORE.EXE Permit
FTP data TCP(Both) [Any Port] [Any Address]:[20] IEXPLORE.EXE Permit
AVG Update downloader TCP(Both) [Any Port] [Any Address]:[80] AVGINET.EXE
Permit
PING [8] Echo Request ICMP(In) [Any Port] [Any Address] Any Application
Permit
PING [0] Echo Reply ICMP(Out) [Any Port] [Any Address] Any Application
Permit
Rest of the ICMP messages ICMP(Both) [Any Port] [Any Address] Any
Application Deny
Bootp & TFTP UDP(Both) [67-69] [Any Address]:[Any Port] Any Application
Deny
Ports 135,137-9,445 TCP(In) [135,137-9,445] [Any Address]:[Any Port]
Any Application Deny
Host Process for win32 TCP(In) [Any Port] [Any Address]:[Any Port]
SVCHOST.EXE Deny
Task Scheduler UDP/TCP(In) [Any Port] [Any Address]:[Any Port] MSTASK.EXE
Deny
SYSTEM UDP/TCP(In) [Any Port] [Any Address]:[Any Port] SYSTEM Deny

Pity the formatting is lost ;-)

This is just a text record, just in case I lost the .conf file.
Save your .conf file whenever you make changes.
Your needs may differ, e.g. I use FTP to update my webpage.
Text in brackets e.g. [DNS Primary] indicate known addresses,
which I also list, but not shown here. You can get these addresses
by logging everything, to start, and examining the log record.
The log record is simply a text file in the Kerio directory.

Alan