The Site > Old Forums > Kerio - Tiny Support > [Kerio 2.x] Kerio 2.2 Features (request)

reply to ghost16825

Re: News update Tue, 04 Jan 2005 07:54:23 GMT

said by Steve_M:

---

I guess I'm missing the point as to why the temporary rules are so important, or why they are needed in the first place. I do hope you still plan to have a option to disable this feature.

---

When do you feel that the first release will be available?

reply to ghost16825

Re: [Kerio 2.x] Kerio 2.2 Features (request)

reply to ghost16825
Well, one thing that's sorely missing in 2.1.5 is the option of "prompt me", which I believe they did incorporate in 4.x, but you have to take the whole mess to get the improved packet filters. I always miss that.

Now that's said, it will be a lot of work, trying to build a packet filter ground up. And it should be doe in C or some similar high-order language. Otherwise, performance and integration won't be optimal. And it has to be more than just a TDI packet filter. It has to hook NDIS.

Those aren't "biblical requirements," but to get anything even approaching the 2.x code, that's where you need to start. And the firewall has to minimally understand how to defend itself. By way of reminder, in 2.x, it does this by a few mechanisms. First, it prevents rule tampering by keeping the last verified ruleset in memory, and then, at shutdown, verifying the disk copy against the "last known good" copy in memory. A lot of people who've tried editing the conf files manually discovered this in their travels... no, it's not a "bug" - this really is a feature. Next, it encrypts the ruleset by default. And discourages, by design, running with it unencrypted regularly. Ever seen the reminder popup, "your config isn't encrypted" at boot? Again, a feature. It also has the registry key, "AlwaysSecure," that cuts off all network access if the driver stops unexpectedly.

Speaking of the registry, it's probably a good idea, as the Kerio/Tiny guys did, to use the registry for improtant configs as little as possible, and prefer a compartmentalized approach, using dedicated configuration files that the firewall directly controls access to. Use access controls effectively, too, in the install. I'm just thinking aloud... forgive the patchwork, here...

And make sure the services load (as noted above) in a proper order. Go a step farther, and investigate possibly using dependency groups for synchronizing starts. Figure out a way to prevent logins before the wall is fully loaded... well, maybe I'm getting a little in the clouds, now ...

... one thing not head in the clouds. Make sure the service installs with appropriate ACL's, and can't be manually stopped in CP or with a net stop by a user, at least without a prompt, first. That goes miles towards securing against scripted exploitation...

just a few thoughts... way off the top of the ol' head-bone... like I said, thinking out loud...
--
Semper Eadem

- ... his original destination's just another story that he loves to tell.

You brought up a point, I miss a feature in AtGuard where you could setup a filter to ignore traffic, basically allowing you to log traffic, and it would pass it on to the next filter.

I don't want an option to have a packet be processed by more rules, except for the hopefully simple option of setting up a rule for ignoring traffic for the purpose of logging it separately.
--
My hourly rates:
$25 per hour.
$35 per hour if you want to watch.
$45 per hour if you want to help.
$75 per hour if you tried to fix it, and failed.
The biggest error is sitting in front of your keyboard.

reply to ghost16825

Re: News update Tue, 04 Jan 2005 07:54:23 GMT

Can't this thread be made sticky?

reply to ghost16825

Re: [Kerio 2.x] Kerio 2.2 Features (request)

reply to ghost16825
Thanks for taking on this project... I have been using 2.1.5 since it came out, and recently when i bought a new laptop i installed it there----but it has a system destroying Kerio & Winxp & Toshiba Hibernate problem--so back to MSFT Firewall.

I know the Firewall is top priority, but i want to suggest, somewhere down on the line, PLEASE include the ability to Hibernate....

i'm anxiously waiting to try it----

thanks,
ron

i have no idea where the problem is---the laptop as mentioned is new, so it comes with XP SP2. My dell laptop with Win98 (not SE) has no problem with 2.1.5.

I also posted on the one thread at Kerio and on Yahoo group. there is no solution which works in all putrs... well the solution was NOT to use Hibernation!!

I'm using XP SP2 Firewall--i hope it continues to work!!!

I only posted this, so Ghost might consider Hibernation an "feature" once the Firewall is working and he runs out of things to do----

ron

quote:

---

I only posted this, so Ghost might consider Hibernation an "feature" once the Firewall is working and he runs out of things to do----

---

I have a Toshiba s231. before i close the lid (which puts it in Hibernation), i close all programs i was running on the task bar. the other programs are still unning---Toshiba Power Monitor, ATI video controller, etc. As mentioned, the XP SP2 Firewall has no problems--at least for about a week now...

the real problem is it works on my putr sometimes. But when it fails, i get a bsod on reload--or whatever it's called when it comes out of Hibernation--which says a SERIOUS error has occured. this is documented over on the Kerio 2 forum. it also causes some other programs to crash/not run correctly.

one other thing of interest---In order to get my putr back running correctly, i must do a restore--not just an Add/Remove programs----EVEN if i do the A/R BEFORE any "Serious Error" occurs. This says to me something in the Registry is getting changed on Kerio install, but not getting restored to original value/deleted or?? when 2.1.5 is Removed.... I suppose it could be replacing a key XP file and not restoring during the Add/Remove.

ron

i never had the XP Firewall running when Kerio was installed....i just have run it since i reformatted/reinstalled to clean all the garbage left from the "Serious error".

I'm thru expermenting with 2.1.5. On my Tosh Laptop i'll use XP Firewall till Ghost sez he thinks it'll work with Hibernation. I use 2.1.5 on the other 2 desktops----

ron

quote:

---

I'm thru expermenting with 2.1.5. On my Tosh Laptop i'll use XP Firewall till Ghost sez he thinks it'll work with Hibernation.

---

reply to ghost16825
I like Kerio 2.x very much. Unfortunately it is stopped.

Thanks for you guys to keep it go on!

Looking forward to the new release!

reply to ghost16825
Well, we'll keep helping with 2.x until it's deprecated by time, bad boys and technology ...

It's an unique idea, and the fact it's so unique is sad. It's a basic packet filter, and, with proper background and education, it's all you need for packet filtering --- no sandboxes, no web filters, just a pure and true software packet filter.

That's my idea of a good, useful security app. No mystery, no add ons. Low profile, run it on your win9x P1 box without any sweat, and you know exactly what to expect from it. It filters ports, protocols and apps... a "classic" software firewall.

Just FYI, we have it archived, so it's still available, for those who want it... it's on the BBR FTP server. And we'll provide support and a place to discuss the app until it's completely useless... which, I think, is quite a long way off... certain apps are just classics, and that's where I place Kerio 2.1.5 ...
--
Semper Eadem

... that's the news from Lake Wobegon,
where all the women are strong,
all the men are good-looking,
and all the children are above average.