

hpguru
Curb Your Dogma
Premium
join:2002-04-12

[Kerio 2.x] What next?

I currently use Kerio 2.15 as many of the folks here do but it is getting some age and I doubt we will ever see a worthy update to it. I'm just wondering what users plan to move on to after v2.15 breathes its last.
--
Boundlessly expands the sky and nothing stops the white clouds from freely flying about.


BlitzenZeus
Burnt Out Cynic
Premium
join:2000-01-13
kudos:2
Reviews:
·Frontier FiOS

Look n Stop was a possibility I considered, or even Tiny 6.x. However I have used both... Tiny is really more than I need, and the firewall in it is not as configurable. LnS is a packet filter first, and an application filter second. The ease of how Kerio, and programs like Kerio allow you to make rules per application makes it easier to do complex configurations.

I know you remember AtGuard, they shared simple complexity in their firewall configurations, and configuring Kerio was even easier as it blocked packets to ports without a listening destination by default, along with some other things that it does better, however I still miss the 'ignore' filters.

I listed off all the software firewalls I have used in another thread, and I had to think about some of the names as it was quite a list. Nothing has compared to Tiny/Kerio 2x in my mind for ease of complex configurations, and only LnS and Tiny 6.x come close without being bloated GUI fluff.

Kerio 4x, don't make me laugh.... They still haven't fully fixed bugs reported in the original betas when I did beta test them last time I checked.

I have a feeling that just like AtGuard, I won't abandon it until the operating system doesn't support it correctly, just like I had to drop AtGuard when I moved to an NT OS due to severe compatibility issues as it never had full support for NT systems. You couldn't even access the logs, and it could no longer verify even the path of programs anymore, besides the fact it had no native crc checking.
--
My hourly rates:
$25 per hour.
$35 per hour if you want to watch.
$45 per hour if you want to help.
$75 per hour if you tried to fix it, and failed.
The biggest error is sitting in front of your keyboard.



redxii
Premium,Mod
join:2001-02-26
Sherwood, MI

1 edit

reply to hpguru
Honestly, 4.x should be dumped in favor of updating 2.x for bug fixes. They turned me off in 3.x and because of that I figured that wouldn't make 4.x any better.

For users like me I doubt it is going away anytime soon.



hpguru
Curb Your Dogma
Premium
join:2002-04-12

reply to hpguru
I too have considered Look N Stop. I also like 8 Signs Firewall but it has no outbound protection and although its inbound protection is superb I doubt I'd really need its features behind a router. Of course I ran Conseal for many months with its scant outbound protection without an incident prior to switching permanently to Kerio. That is a big no-no for a lot of folks but I credit Conseal and Kerio for setting my standards pretty high as far as what I think makes a good firewall.



RobNyc
Premium
join:2002-03-06
New York, NY

reply to hpguru
Look'N'Stop also



BQuick

join:2003-11-05
Italy

reply to hpguru

quote:
Honestly, 4.x should be dumped in favor of updating 2.x for bug fixes
Couldn't agree more. The Kerio 4 forum is full of bug reports, while the Kerio 2 of "Kerio 2 rules" posts. I can't imagine what kind of self-destructing marketing is making Kerio insist on Kerio 4. Sometimes I honestly wonder how come they're still running, since I can't imagine who would pay for Kerio 4, not to mention the considerable damage to their brand, which will haunt Kerio 4 even if the bugs are resolved.

dholiday9

join:2003-01-30
New Orleans, LA

reply to hpguru
I used Kerio 2.14 and then 2.15 for years, but finally I got tired of the disappearing rules. Oh yeah, I know the workaround to prevent this, but why should I have the hassle? Also, I have never received an alert for AnalogX Net Stat Live, on the other hand, Look N Stop does alert, but why not Kerio? Makes me wonder if Kerio needs to be checked for who knows what else may be slipping through.
However, that said, it is the most configurable of all the rule based firewalls, IMHO, and it taught me a lot about networking security.



BlitzenZeus
Burnt Out Cynic
Premium
join:2000-01-13
kudos:2
Reviews:
·Frontier FiOS

1 edit

Did you happen to read what the topic starter asked for?? Disappearing rules is only a rare problem for the most part which is caused by the operating system, and you don't realize what the hell you're talking about with Analogx Netstat live. You're running into its application control which runs separately from the rules, and nothing is leaking through...


Cantabile9

join:2002-04-03
FRANCE

reply to hpguru
What about commercial firewall products? I find web pages about these firewalls quite often, but I don't know if they're good enough... And there's so many of them, too...


dholiday9

join:2003-01-30
New Orleans, LA

reply to BlitzenZeus
First - I may not know what "the hell" I'm talking about, but it seems that you sure do. This is no way to respond to my post. You should correct me where I'm wrong, and then spend a little time to explain, as you have done before in many other posts, thus helping, instead of ridiculing me.


jammy_rex

join:2001-12-01
Columbus, OH

reply to hpguru
Well Tiny 5.5 and 6 are doing a good job. Zonealarm 5.x seems to be doing well too. Norton is nothing but a good firewall with loads of garbage. Look n Stop is lean but does not stand up when it comes to quality. When I checked on grc.com many ports were closed and a couple were left open. So no matter what firewall you install once you are set check and make sure all ports are stealthed. You can go to symantec.com, grc.com or pcflank.com to get your setup checked out. Peace.

Jammy



BlitzenZeus
Burnt Out Cynic
Premium
join:2000-01-13
kudos:2
Reviews:
·Frontier FiOS

From what you said, you have no idea how to correctly configure Look n Stop, and this is where most rule based firewalls fault, the users. People blame the program, but it's their lack of knowledge, if not their unwillingness to learn which is the real problem.

Real Kerio users don't consider ZA, or Norton alternatives. I used the program that Symantec bought to make Norton, and over the years they perverted the program to the point that even the people who have stuck with Norton have dumped it.


Steve_M

join:2004-09-14
Schenectady, NY

reply to BlitzenZeus

said by BlitzenZeus:

Disappearing rules is only a rare problem for the most part which is caused by the operating system
My XP system has this problem. I've read that it is caused by the OS shutting down before everything is written to disk.

One thing I've noticed, if I shut down when I'm logged into an account, I will lose part of my rules. If I log out, then shut down, I lose no rules.

BZ, was there ever a fix for this discussed here?

Steve_M

join:2004-09-14
Schenectady, NY

reply to hpguru
I recently looked at SoftPerfect Personal Firewall. Though I have yet to install or test it.

»www.softperfect.com/products/firewall/

From the web site description, it's a rule based packet filtering firewall similar to Kerio 2x, but it lacks any application based control. Hard to tell from the screen shots just how configurable it would be.



BlitzenZeus
Burnt Out Cynic
Premium
join:2000-01-13
kudos:2
Reviews:
·Frontier FiOS

reply to Steve_M
It's the fault of your OS, not Kerio, if you disable write caching for your storage devices, which might not be what you want to do, this should prevent it. However that is not what this thread is about, and I can't reproduce it at all in the way it happens on your system as I always shut down logged into an account with no ill effects.


VirtualLarry
Premium
join:2003-08-01

reply to hpguru
As far as Kerio "losing" rules - I can reproduce that on any OS. I'm not talking about shutting down, I'm talking about actively corrupting Kerio's in-memory rules list in such a way that the order gets re-arranged, or rules (usually the most recently added ones) get "lost".

The XP shutdown issue is a different one, but it is also certainly real, perhaps a most serious problem since it is not limited to Kerio. I question MS's priorities, when they deem a design that is intended to shut down quickly, rather than properly, as a "better" design choice. I guess they want to appear superior in OS benchmarks that monitor boot/shutdown speeds.

As far as firewalls.. I've contemplated that issue as well. In fact, I've gone as far as not running any 3rd-party firewalls on this XP SP1 box that I'm on right now (I know, I know, foolish is me), because Kerio 2.x seems to have problems on XP with FUS enabled, Kerio 4.x is ... well, a POS, Tiny is ... designed for aliens with an IQ higher than Einstein (ok, I joke, but not by much), Look 'N Stop, last time I checked, they were finally just beginning to implement SPI, and couldn't handle running any P2P apps that opened a lot of connections - in other words, nowhere near ready for prime-time. So I don't really know which ones are "good" any more.

At various times I've contemplated writing my own. I came up with some ideas for a rules-based firewall that allowed you to define rules for both specific applications, as well as "application classes", that you could then define applications as being part of. For example, all "web browser" applications, could be allowed unlimited port 80 outbound, without having to configure each one. Thus simplifying rule-creation. Also, rule-creation would allow a "rollback", so that if you made a wrong decision, you could "undo". That is a feature that I feel a lot of rule-based firewalls should have, when dealing with users new to the concept. Otherwise, most users accidentally lock themselves out, and then uninstall the firewall in short order. Another feature, and one that I think ZoneLabs is also implementing, is the ability to collectively share rules for apps, such that you could rely on the wisdom of others for creating your rule sets. (Kind of like your default replacement Kerio ruleset, BZ, except collectively created/voted upon.) The final, but original idea that I had, was to compile the rules into an assembly-language DFA, so that the rules-processing would be fast. Hopefully, very fast.

However, those are all just ideas thus far. I have x86 assembly-language programming experience, but not a lot regarding mucking about with Windows' internals and writing network drivers and things.

Oh yes, one last thing - the firewall would be open source, so there would be a guarantee of "no funny business" too.

So if anyone has any pointers, or good ideas on how to do something like that, I'm all ears. This world needs a good, truly free firewall. Then again, I suppose one could just run *nix. Been contemplating that too, what with MS supposedly dropping W2K SP5. I dislike XP. Sorry for being slightly OT, was thinking perhaps everyone could contribute their "wish list" of what would constitute the "perfect" packet-filtering firewall, along with ease-of-use and good security.



sybille
Not only "just visiting"
Premium
join:2004-04-06
France

There are several GNU-license firewall for Windows projects out there. None seems to be very mature at this time, unfortunately.

»osswin.sourceforge.net/#firewall
(links to several different projects)
»www.governmentsecurity.org/forum···pic=4537

Also, at the "official" Kerio forum, there's been some talk about asking whether the code for Kerio 2.x could be opened up à la Netscape/Mozilla. It's not clear that anything has or will come from this, however:
»forums.kerio.com/index.php?t=msg···ff4915f1


Steve_M

join:2004-09-14
Schenectady, NY

1 edit

reply to Steve_M

said by Steve_M:


I recently looked at SoftPerfect Personal Firewall. Though I have yet to install or test it.

»www.softperfect.com/products/firewall/

From the web site description, it's a rule based packet filtering firewall similar to Kerio 2x, but it lacks any application based control. Hard to tell from the screen shots just how configurable it would be.
Didn't like this one. Not nearly configurable enough. No support for many protocols. No custom address group. No application filtering. The default rules pretty much let anything in and out. The settings window is very small and can not be resized... Nuf said.

ghost16825
Use security metrics
Premium
join:2003-08-26

reply to VirtualLarry
Yes, try Sourceforge. I think that will save you a lot of time. It seems there are a lot more Windows firewall projects there than the last time I looked. One that caught my eye was »sourceforge.net/projects/firewallpapi/ - it might be a good way to get you started. (Don't forget the "Log last prompt" feature) You might want to start a new thread for this. Also see: »Open Source Windows Firewall?

Back to the topic I have switched to the Windows Firewall (gasp) recently as Kerio2x does not seem to allow standby/hibernate on my machine. (Affects some and not others). Windows Firewall used to seem ok until you forget all those apps which try to phone home. Case in point: Was using Winamp 2x the other day - phoned home - hung itself trying to phone home - when it recovered it had downloaded a page telling me to upgrade immediately because of that Winamp 5x flaw which does not affect 2x! As for other rule-based firewalls I remember trying a previous version of LockAndStop which seemed rather unstable and clunky for me. I have yet to find anything which comes close to Kerio2x in terms of resources and power. That Tiny Firewall sounds well made, but I doubt that I really need that much application sandboxing. I have also heard it is rather hefty in terms of resources.



SGT6

join:2002-02-27
Aurora, CO

2 edits

reply to hpguru
...Jetico personal firewall.
Having played a bit(!) with it, it's the closest I'd walk out from Kerio 2.1.5. It does have some abstracts that I don't like, but it reminds me of some Linux firewall solutions.

But, I'd stay with 2.1.5 as long as my job at hand needs to be done on WinXP platform. Anything else, including everyday's browsing, nat,... is going through my Linux box and iptables.

Try Jetico PF (»www.jetico.com/), you might like it. It's in the beta, which makes it ideally placed for requests and direct development input.

Cheers,
SGT

