Kerio 2.1.5

Archived from groups: comp.security.firewalls

Hi,

I often see people in here mention Kerio 2.1.5 as their software
firewall. Is this "old" build particularly good, or what's the reason for
choosing this over Kerio 4 (or another software firewall)?

/Troels
  1.

    Taking a moment's reflection, Troels Jensen mused:
    |
    | I often see people in here mention Kerio 2.1.5 as their software
    | firewall. Is this "old" build particular good or what's the reason for
    | choosing this over Kerio 4 (or another software firewall)?

    Both. Kerio 2.1.5 was a very good build, and very streamlined. Many
    people still prefer it to other firewalls because of how bloated the code
    has become in them (ad blockers, AV, web filters, etc.).
  2.

    "Troels Jensen" <bred085@yahoo.com> wrote in message news:ktgGc.22350$Vf.1155756@news000.worldonline.dk...
    > Hi,
    >
    > I often see people in here mention Kerio 2.1.5 as their software
    > firewall. Is this "old" build particular good or what's the reason for
    > choosing this over Kerio 4 (or another software firewall)?
    >
    > /Troels

    I have the licence to 4 but don't use it any more, and prefer 2.1.5
    simply because it's easier to set up, and IMO more versatile. I love
    the automatic denial of ownerless packets.
  3.

    In article <ktgGc.22350$Vf.1155756@news000.worldonline.dk>, bred085
    @yahoo.com says...
    > Hi,
    >
    > I often see people in here mention Kerio 2.1.5 as their software
    > firewall. Is this "old" build particular good or what's the reason for
    > choosing this over Kerio 4 (or another software firewall)?
    >
    > /Troels
    >
    Kerio 2.1.5 is excellent, however it does have one vulnerability that
    most people seem to either ignore or not know about. See this link:

    http://www.mickeytheman.com/boardnation/Wc6b68755c9123.htm

    I can verify that this fragmented packet vulnerability exists in 2.1.5
    and earlier, and that someone could potentially get malicious packets
    past the firewall. It might not be that likely to happen, but it's
    possible..

    I perfected my rules in Kerio 2.x and then imported them into Kerio 4,
    which doesn't have this vulnerability. Seems to work great. The only
    thing I miss in Kerio 4.x is the lack of logging of packets to unopened
    ports..

    --
    Kerodo
  4.

    Well, you consider it a vulnerability, but has it been proven that it's still a
    problem considering how old the alert is?

    I can't stand 4x, and I still run 2x.

    "Kerodo" <kerodonospamkenny@hotmail.com> wrote in message
    news:MPG.1b539feb96d91055989697@news.west.cox.net...
    > In article <ktgGc.22350$Vf.1155756@news000.worldonline.dk>, bred085
    > @yahoo.com says...
    >> Hi,
    >>
    >> I often see people in here mention Kerio 2.1.5 as their software
    >> firewall. Is this "old" build particular good or what's the reason for
    >> choosing this over Kerio 4 (or another software firewall)?
    >>
    >> /Troels
    >>
    > Kerio 2.1.5 is excellent, however it does have one vulnerability that
    > most people seem to either ignore or not know about. See this link:
    >
    > http://www.mickeytheman.com/boardnation/Wc6b68755c9123.htm
    >
    > I can verify that this fragmented packet vulnerability exists in 2.1.5
    > and earlier, and that someone could potentially get malicious packets
    > past the firewall. It might not be that likely to happen, but it's
    > possible..
    >
    > I perfected my rules in Kerio 2.x and then imported them into Kerio 4,
    > which doesn't have this vulnerability. Seems to work great. The only
    > thing I miss in Kerio 4.x is the lack of logging of packets to unopened
    > ports..
    >
    > --
    > Kerodo
  5.

    In article <GooGc.64082$OB3.21182@bgtnsc05-news.ops.worldnet.att.net>,
    replytonewsroup@server.com says...
    > "Kerodo" <kerodonospamkenny@hotmail.com> wrote in message
    > news:MPG.1b539feb96d91055989697@news.west.cox.net...
    > > In article <ktgGc.22350$Vf.1155756@news000.worldonline.dk>, bred085
    > > @yahoo.com says...
    > >> Hi,
    > >>
    > >> I often see people in here mention Kerio 2.1.5 as their software
    > >> firewall. Is this "old" build particular good or what's the reason for
    > >> choosing this over Kerio 4 (or another software firewall)?
    > >>
    > >> /Troels
    > >>
    > > Kerio 2.1.5 is excellent, however it does have one vulnerability that
    > > most people seem to either ignore or not know about. See this link:
    > >
    > > http://www.mickeytheman.com/boardnation/Wc6b68755c9123.htm
    > >
    > > I can verify that this fragmented packet vulnerability exists in 2.1.5
    > > and earlier, and that someone could potentially get malicious packets
    > > past the firewall. It might not be that likely to happen, but it's
    > > possible..
    > >
    > > I perfected my rules in Kerio 2.x and then imported them into Kerio 4,
    > > which doesn't have this vulnerability. Seems to work great. The only
    > > thing I miss in Kerio 4.x is the lack of logging of packets to unopened
    > > ports..
    > >
    > > --
    > > Kerodo

    > Well you consider it a vulnerablity, but has it been proven that its still a
    > problem considering how old the alert is?
    >
    > I can't stand 4x, and I still run 2x.

    Yes, I've verified that it's still happening here in 2.1.5. I actually
    stumbled upon it by accident.

    Here's how you can see it if you're so inclined. In my area, the
    Messenger spammers are using this exploit to try to get thru firewalls
    that are vulnerable to it.

    I first noticed outbound ICMP type 3 packets that were going to
    addresses other than my DNS servers. This is an indication that UDP
    packets are getting thru the firewall inbound somehow. This, in fact,
    is the result of the fragmented packet getting thru. What the spammers
    are doing is sending a fragmented packet and then another packet to port
    1026 immediately after the fragmented packet. Kerio 2.x accepts the
    fragmented packet AND the packet immediately following it, ignoring all
    your rules.

    I installed Sygate 5.5 and could see the two packets coming in
    (fragmented and the packet following the fragmented one). Only Sygate
    was smart enough to block the 2nd packet, as it should and as Kerio
    should, but isn't.

    What you should do is enable logging in 2.1.5 of outbound ICMP type 3
    and see if you see any packets going out to addresses other than your
    ISP's DNS Servers. If you do, then it's happening on your machine also.
    It may not happen to some people if the spammers are not hitting your IP
    range. Some people insist that it's not happening to them.

    I don't know much about the technical details of this fragmented packet
    exploit, but I've seen it reported in some Linux related arenas also.

    I don't really love Kerio 4.x that much either, but I find I can use my
    Kerio 2.x rules in Kerio 4 and Kerio 4 is safer in that it's not
    vulnerable to this exploit. They have apparently fixed this problem in
    version 4.xx. Kerio 4 has some bugs still, and I wouldn't dream of
    trying any of the current betas, but I'm using 4.0.16 here with fairly
    good results with my Kerio 2.x rule set. I much prefer Kerio 2.1.5
    also, but the vulnerability bothers me, so I use Kerio 4.

    To each his own I guess...

    --
    Kerodo
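The check Kerodo describes above (outbound ICMP type 3 to anything other than your resolvers is a sign that an inbound UDP datagram reached a closed port) can be automated over a firewall log. The script below is an added example, not code from the thread or from Kerio; it assumes a constructed, generic log line format rather than Kerio's real one, and the resolver addresses are placeholders you would replace with your ISP's DNS servers.

```python
"""Triage outbound ICMP type 3 (destination unreachable) log entries.

Added example. Log format and addresses are constructed for illustration;
Kerio 2.x's own log format is not reproduced here.
"""
import re
from collections import Counter

# Assumed resolver addresses: ICMP type 3 towards these is expected and
# is ignored, exactly as the thread suggests filtering DNS servers out.
DNS_SERVERS = {"192.0.2.53", "192.0.2.54"}

# Constructed sample log in a generic
# "<date> <time> <dir> <proto> <src> -> <dst> type=<n> code=<n>" shape.
SAMPLE_LOG = """\
2004-07-05 20:01:30 OUT ICMP 198.51.100.7 -> 192.0.2.53 type=3 code=3
2004-07-05 20:02:11 OUT ICMP 198.51.100.7 -> 203.0.113.9 type=3 code=3
2004-07-05 20:02:12 OUT ICMP 198.51.100.7 -> 203.0.113.9 type=3 code=3
2004-07-05 20:05:00 OUT ICMP 198.51.100.7 -> 192.0.2.54 type=3 code=3
2004-07-05 20:06:42 OUT ICMP 198.51.100.7 -> 203.0.113.77 type=3 code=3
2004-07-05 20:07:00 OUT ICMP 198.51.100.7 -> 203.0.113.9 type=11 code=0
2004-07-05 20:08:00 IN  ICMP 203.0.113.9 -> 198.51.100.7 type=8 code=0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+(?P<dir>IN|OUT)\s+(?P<proto>\w+)\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+type=(?P<type>\d+)\s+code=(?P<code>\d+)$"
)

# Meaning of the ICMP type 3 codes most relevant to this check.
UNREACHABLE_CODES = {
    3: "port unreachable (a UDP datagram reached a closed port)",
    13: "administratively prohibited",
}


def parse_line(line):
    """Return a dict for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["type"] = int(rec["type"])
    rec["code"] = int(rec["code"])
    return rec


def suspicious_icmp3(log_text, dns_servers=DNS_SERVERS):
    """Count outbound ICMP type 3 replies sent to non-resolver addresses.

    Each hit means the host answered an inbound UDP datagram that should
    not have reached the stack; the destination is the sender of that datagram.
    """
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dir"] != "OUT" or rec["proto"] != "ICMP":
            continue
        if rec["type"] != 3 or rec["dst"] in dns_servers:
            continue
        hits[rec["dst"]] += 1
    return hits


def describe(hits):
    """Render the counter as report lines for a human reader."""
    return [f"{addr}: {n} outbound ICMP type 3 reply(ies); inbound UDP reached a closed port"
            for addr, n in hits.most_common()]


if __name__ == "__main__":
    for line in describe(suspicious_icmp3(SAMPLE_LOG)):
        print(line)
```

Run against a real export, the sources that appear are the peers whose UDP traffic the firewall let through; if the list stays empty while the resolvers are filtered out, the behaviour is simply not being triggered on your address range, which matches the later exchange in this thread.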
  6.

    Curious, you confirmed it still existed, how? Will it bypass standard rules
    with associated ports, any port, and rules that block all tcp/ip protocols?

    "Kerodo" <kerodonospamkenny@hotmail.com> wrote in message
    news:MPG.1b539feb96d91055989697@news.west.cox.net...
    > In article <ktgGc.22350$Vf.1155756@news000.worldonline.dk>, bred085
    > @yahoo.com says...
    >> Hi,
    >>
    >> I often see people in here mention Kerio 2.1.5 as their software
    >> firewall. Is this "old" build particular good or what's the reason for
    >> choosing this over Kerio 4 (or another software firewall)?
    >>
    >> /Troels
    >>
    > Kerio 2.1.5 is excellent, however it does have one vulnerability that
    > most people seem to either ignore or not know about. See this link:
    >
    > http://www.mickeytheman.com/boardnation/Wc6b68755c9123.htm
    >
    > I can verify that this fragmented packet vulnerability exists in 2.1.5
    > and earlier, and that someone could potentially get malicious packets
    > past the firewall. It might not be that likely to happen, but it's
    > possible..
    >
    > I perfected my rules in Kerio 2.x and then imported them into Kerio 4,
    > which doesn't have this vulnerability. Seems to work great. The only
    > thing I miss in Kerio 4.x is the lack of logging of packets to unopened
    > ports..
    >
    > --
    > Kerodo
  7.

    In article <jDoGc.64119$OB3.40885@bgtnsc05-news.ops.worldnet.att.net>,
    replytonewsroup@server.com says...
    > Curious, you confirmed it still existed, how? Will it bypass standard rules
    > with associated ports, any port, and rules that block all tcp/ip protocols?
    >
    Yep, please see my other post where I try to explain it. It bypasses
    all rules and gets in directly thru the firewall internal rules. It's
    basically a bug in the way Kerio handles fragmented packets...
    --
    Kerodo
  8.

    Well, I will see if I can reproduce this at all on my system. I'm very
    familiar with how Kerio 2x works, and I've just set up monitoring of outbound
    ICMP 3 with my DNS servers filtered from the results. I will try to post back
    tomorrow to confirm or deny your results from my system, as I should get at
    least one fragmented packet in that time frame.

    "Kerodo" <kerodonospamkenny@hotmail.com> wrote in message
    news:MPG.1b53b5e376db18bd989698@news.west.cox.net...
    > In article <GooGc.64082$OB3.21182@bgtnsc05-news.ops.worldnet.att.net>,
    > replytonewsroup@server.com says...
    >> "Kerodo" <kerodonospamkenny@hotmail.com> wrote in message
    >> news:MPG.1b539feb96d91055989697@news.west.cox.net...
    >> > In article <ktgGc.22350$Vf.1155756@news000.worldonline.dk>, bred085
    >> > @yahoo.com says...
    >> >> Hi,
    >> >>
    >> >> I often see people in here mention Kerio 2.1.5 as their software
    >> >> firewall. Is this "old" build particular good or what's the reason for
    >> >> choosing this over Kerio 4 (or another software firewall)?
    >> >>
    >> >> /Troels
    >> >>
    >> > Kerio 2.1.5 is excellent, however it does have one vulnerability that
    >> > most people seem to either ignore or not know about. See this link:
    >> >
    >> > http://www.mickeytheman.com/boardnation/Wc6b68755c9123.htm
    >> >
    >> > I can verify that this fragmented packet vulnerability exists in 2.1.5
    >> > and earlier, and that someone could potentially get malicious packets
    >> > past the firewall. It might not be that likely to happen, but it's
    >> > possible..
    >> >
    >> > I perfected my rules in Kerio 2.x and then imported them into Kerio 4,
    >> > which doesn't have this vulnerability. Seems to work great. The only
    >> > thing I miss in Kerio 4.x is the lack of logging of packets to unopened
    >> > ports..
    >> >
    >> > --
    >> > Kerodo
    >
    >> Well you consider it a vulnerablity, but has it been proven that its still
    >> a
    >> problem considering how old the alert is?
    >>
    >> I can't stand 4x, and I still run 2x.
    >
    > Yes, I've verified that it's still happening here in 2.1.5. I actually
    > stumbled upon it by accident.
    >
    > Here's how you can see it if you're so inclined. In my area, the
    > Messenger spammers are using this exploit to try to get thru firewalls
    > that are vulnerable to it.
    >
    > I first noticed outbound ICMP type 3 packets that were going to
    > addresses other than my DNS Servers. This is an indication that UPD
    > packets are getting thru the firewall inbound somehow. This, in fact,
    > is the result of the fragmented packet getting thru. What the spammers
    > are doing is sending a fragmented packet and then another packet to port
    > 1026 immediately after the fragmented packet. Kerio 2.x accepts the
    > fragmented packet AND the packet immediately following it, ignoring all
    > your rules.
    >
    > I installed Sygate 5.5 and could see the two packets coming in
    > (fragmented and the packet following the fragmented one). Only Sygate
    > was smart enough to block the 2nd packet, as it should and as Kerio
    > should, but isn't.
    >
    > What you should do is enable logging in 2.1.5 of outbound ICMP type 3
    > and see if you see any packets going out to addresses other than your
    > ISP's DNS Servers. If you do, then it's happening on your machine also.
    > It may not happen to some people if the spammers are not hitting your IP
    > range. Some people insist that it's not happening to them.
    >
    > I don't know much about the technical details of this fragmented packet
    > exploit, but I've seen it reported in some Linux related arena's also.
    >
    > I don't really love Kerio 4.x that much either, but I find I can use my
    > Kerio 2.x rules in Kerio 4 and Kerio 4 is safer in that it's not
    > vulnerable to this exploit. They have apparently fixed this problem in
    > version 4.xx. Kerio 4 has some bugs still, and I wouldn't dream of
    > trying any of the current beta's, but I'm using 4.0.16 here with fairly
    > good results with my Kerio 2.x rule set. I much prefer Kerio 2.1.5
    > also, but the vulnerability bothers me, so I use Kerio 4.
    >
    > To each his own I guess...
    >
    > --
    > Kerodo
  9.

    In article <cUoGc.64165$OB3.8082@bgtnsc05-news.ops.worldnet.att.net>,
    replytonewsroup@server.com says...

    > Well, I will see if I can reproduce this at all on my system, I'm very
    > familiar with how Kerio 2x works, and I've just setup monitoring of outbound
    > icmp 3 with my dns servers filtered from the results. I will try to post back
    > tomorrow to confirm, or deny your results from my system as I should get at
    > least one fragmented packet in that time frame.

    Very good.. The only way I was able to see this is because the messenger
    spammers were using it here. You may or may not see the same thing
    there, depending upon whether you're getting hit by the spammers as well
    or not. Hopefully you'll see it also. I was seeing at least a few per
    day here..

    In my opinion, the vulnerability isn't THAT big of a deal, but I believe
    that it does exist. I ran Kerio 2.1.5 for a long time here. Someone
    would have to deliberately target your IP address, and then know that
    you were vulnerable to this exploit, and then hand craft packets to get
    thru the firewall to hit specific ports, and so on. The odds of that
    happening to someone are very remote I think.. For all practical
    purposes, you could probably run 2.1.5 without worrying much.

    At any rate, I'm using Kerio 4 here despite its other limitations..
    Please let us know if you can verify that outbound type 3 is happening
    there also.


    --
    Kerodo
  10.

    I've gotten no ICMP 3 outbound packets to other than my DNS servers, and you
    would think I would have gotten one at least by now.

    You said that it bypassed all your rules; well, that is something that would
    have to be tested with different, even special configurations to pinpoint
    where and how exactly it happens, and it sounds like it was assumed from the
    situation. Move your ICMP rules below a series of rules, one blocking
    all inbound UDP to any port, and one blocking all inbound any protocol. Those
    blocking rules would both be logging, and then you would try to see if you
    still get those ICMP 3 outbound packets. However, your rules before this must
    not interfere with the configuration either, and if you run your configuration
    with the gateway option enabled, that could have been the problem.

    Either way, I can't say why it's happening on your system, but I will not
    assume that it's the vulnerability without more proof. It needs to be
    reproducible, and it could be something your rules allowed, which is highly
    possible due to the way the UDP allow rules work.

    Anyway, take care.

    "Kerodo" <kerodonospamkenny@hotmail.com> wrote in message
    news:MPG.1b53bdfd10d4887d98969a@news.west.cox.net...
    > In article <cUoGc.64165$OB3.8082@bgtnsc05-news.ops.worldnet.att.net>,
    > replytonewsroup@server.com says...
    >
    >> Well, I will see if I can reproduce this at all on my system, I'm very
    >> familiar with how Kerio 2x works, and I've just setup monitoring of
    >> outbound
    >> icmp 3 with my dns servers filtered from the results. I will try to post
    >> back
    >> tomorrow to confirm, or deny your results from my system as I should get at
    >> least one fragmented packet in that time frame.
    >
    > Very good.. The only way I was able to see this is because the messenger
    > spammers were using it here. You may or may not see the same thing
    > there, depending upon whether you're getting hit by the spammers as well
    > or not. Hopefully you'll see it also. I was seeing at least a few per
    > day here..
    >
    > In my opinion, the vulnerability isn't THAT big of a deal, but I believe
    > that it does exist. I ran Kerio 2.1.5 for a long time here. Someone
    > would have to deliberately target your IP address, and then know that
    > you were vulnerable to this exploit, and then hand craft packets to get
    > thru the firewall to hit specific ports, and so on. The odds of that
    > happening to someone are very remote I think.. For all practical
    > purposes, you could probably run 2.1.5 without worrying much.
    >
    > At any rate, I'm using Kerio 4 here despite it's other limitations..
    > Please let us know if you can verify that outbound type 3 is happening
    > there also.
    >
    >
    > --
    > Kerodo
  11.

    In article <FrCGc.203746$Gx4.174023@bgtnsc04-news.ops.worldnet.att.net>,
    replytonewsroup@server.com says...
    > I've gotten no icmp 3 outbound packets to other than my dns servers, and you
    > would think I would have gotten one at least by now.
    >
    > You said that it bypassed all your rules, well that is something that would
    > have to be tested with different, even special configurations to pin point
    > where how it exactly happens, and it sounds like it was assumed on the
    > situation. If you move your icmp rules below a series of rules, one blocking
    > all inbound udp to any port, and one blocking all inbound any protocol. Those
    > blocking rules would both be logging, and then you would try to see if you
    > still get those icmp 3 outbound packets. However your rules before this must
    > not interfere with the configuration either, and if you run your configuration
    > with the gateway option enabled that could have been the problem.
    >
    > Either way, I can't say why its happening on your system, but I will not
    > assume that its the vulnerbility without more proof. It needs to be
    > reproduceable, and it could be something your rules allowed, which is highly
    > possible due to the way the udp allow rules work.
    >
    > Anyway, take care.

    Well, that's interesting. However, just because a vulnerability isn't
    being exploited doesn't mean that it doesn't exist.. Based on what I
    saw here, I'm convinced that it's a problem, and I've gone to Kerio 4,
    which doesn't have that problem using the same identical rule set that I
    used in Kerio 2.1.5. I think your IP just isn't being hit by the
    messenger spammers, that's all, so you can't see it happening in real
    time.

    Anyway, you must do as you see fit. The odds that someone would exploit
    the vulnerability are admittedly slim. I've gone with Kerio 4 because I
    feel more secure that way.

    Thanks for trying though... perhaps someone else will see it also...

    --
    Kerodo
  12.

    Can someone post a link where I can get KPF 2.1.5?

    Thanks

    Bill D


    In article <ktgGc.22350$Vf.1155756@news000.worldonline.dk>, bred085
    @yahoo.com says...
    > Hi,
    >
    > I often see people in here mention Kerio 2.1.5 as their software
    > firewall. Is this "old" build particular good or what's the reason for
    > choosing this over Kerio 4 (or another software firewall)?
    >
    > /Troels
    >
  13.

    Bill Driscoll <billyd@cox.net> wrote in
    news:MPG.1b59ad2630905a7f989688@news.east.cox.net:

    > Can someone post a link where i can get KPF 2.1.5
    >
    > Thanks
    >
    > Bill D

    http://download.kerio.com/dwn/kpf/kerio-pf-2.1.5-en-win.exe
  14.

    On Mon, 5 Jul 2004 20:01:30 -0700, in comp.security.firewalls
    Kerodo <kerodonospamkenny@hotmail.com> wrote:

    >What you should do is enable logging in 2.1.5 of outbound ICMP type 3

    And how would one do that, exactly?