ghost16825 (Premium Member, joined 2003-08-26):
[Kerio 2.x] Kerio 2.2 Features (request)

The new improved rule editor. One click on the copy button creates a copy of the selected rule underneath the one selected. Undo

Changing double arrow behaviour

The other option is to have these kind of arrows instead and move the rule to the start/end without a changeable setting

Misc tab removes New version checks and animation settings. Can now append rulesets
The Microsoft Networking tab is removed. New is the ability to create multiple custom address groups
What clicking edit now does

A better menu

Changing tray icon behaviour
No, Kerio will not be releasing another version of 2x from what I am aware. But threads like »[Kerio 2.x] What next? have sparked my imagination a bit.
While waiting for my approval for such an open source firewall project from Sourceforge.net which I have already submitted, I thought it would be good to get some ideas on how to improve Kerio 2x.
Here's mine:
BlitzenZeus (Premium Member, joined 2000-01-13):
The way Kerio has been doing things, I wouldn't hold your breath, they are trying to sucker in the ZA crowd with their buggy beta bloatware.

Fix the problem with the hidden setting that blocked all traffic before the engine was loaded, the problem was if you disabled the firewall, you could not re-enable it again without some real manual effort.

Remove terms like attack from 'ack packet attack'....

Better control over the listening services, unless you enable Remote Admin, it doesn't listen, except for the required localhost service.

Remove the default ability to allow itself out tcp 80 bypassing your rules.

If you can import rules into an existing ruleset, the ability to export, and import only selected rules to/from a file.

Implicitly block all fragmented packets, at least as an option.

Real IPv6 filtering, but that is most likely a pipe dream without fully knowing/rewriting the tcp/ip interface.

Find the source of the random problems with hibernation/standby, and certain network card drivers.

Increase the default buffer size, which had to be manually changed by a few users.

I agree with most of your suggestions, and I will probably think of more as time goes by. I've used this product so long I could point out little flaws almost everywhere, but without the knowledge to fix them, there isn't much I can do.
Steve_M (Member, Schenectady, NY, joined 2004-09-14) to ghost16825:
An option to save rules to a file that is easily edited by hand.

Programs that have been uninstalled are automatically removed from MD5 tab.

A better log viewer. Something similar to TinyLogger would be great.

The ability to limit the log size in MB, with the option to overwrite or start a new log file.

Some control over the warning popups. Whether or not to show them, and/or whether or not to show them for a particular IP. This way you could temporarily, or always disable them when doing a scan on your system.
BlitzenZeus (Premium Member, joined 2000-01-13):
said by Steve_M:
An option to save rules to a file that is easily edited by hand.
Huge opportunity for user error, and possibly causing problems with invalid information/formats, let the program handle it.
said by Steve_M:
Programs that have been uninstalled are automatically removed from MD5 tab.
I don't agree with this, my AV generates its update program every time so it doesn't exist past being run when checking for updates. Maybe an option.
said by Steve_M:
Some control over the warning popups. Whether or not to show them, and/or whether or not to show them for a particular IP. This way you could temporarily, or always disable them when doing a scan on your system.
You already have this, you have your rules, and the selection of prompt, allow all (bad), and deny all. This was already covered, you just have to use the settings effectively.
Steve_M (Member, Schenectady, NY, joined 2004-09-14):
said by BlitzenZeus:

Some control over the warning popups. Whether or not to show them, and/or whether or not to show them for a particular IP. This way you could temporarily, or always disable them when doing a scan on your system.
You already have this, you have your rules, and the selection of prompt, allow all (bad), and deny all. This was already covered, you just have to use the settings effectively.
Let me rephrase this. If you scan your system at say grc.com, it would be nice to be able to temporarily stop the popups.
ghost16825 (Premium Member, joined 2003-08-26) to BlitzenZeus:
said by BlitzenZeus:
Better control over the listening services, unless you enable Remote Admin, it doesn't listen, except for the required localhost service.
That's what I was thinking when I removed 'Check for new version' parts from the Misc tab. In my opinion, any kind of firewall connecting out is very risky, even if it is handy (e.g. Remote Admin). The problem is Kerio decided to have both remote administration and local admin use the same interface, which may have been much easier to program and integrate but made secure separation much more difficult. The way I see it, have no 'Version checks' to start off. Then if the user decides that they do not want remote admin (a separate component) during installation, the firewall will simply deny any traffic which appears to have been sent by itself. I seem to remember early versions of Kerio4, or was it some versions of Kerio2x, had an option for the user to decide whether to install the Admin module or not. That seemed to be on the right track.
said by BlitzenZeus:
Find the source of the random problems with hibernation/standby, and certain network card drivers.
I would suggest most of these problems lie with the lack of independence by the firewall driver. (It seems reliant on Netbios drivers/services). An independent driver would eliminate a lot of problems, I think.
ghost16825 (Premium Member) to Steve_M:
said by Steve_M:
An option to save rules to a file that is easily edited by hand.
Don't know if this is necessary, especially if a GUI interface exists to mix and match rule selections.
said by Steve_M:
Programs that have been uninstalled are automatically removed from MD5 tab.
Hmmm, this could be a bit tricky in that we also have to monitor exes instead of just traffic. One idea could be an option to remove MD5s if the app had not been used for X days. On the Xth day not used the firewall could perform a simple check that the present hash was the same as that stored, then remove the stored hash.
said by Steve_M:
A better log viewer. Something similar to TinyLogger would be great.
But should this app be separate from the firewall component or included? I think such an app should be separate. The power, I think, in Kerio 2.15 is that the log is in a relatively raw, simple format.
said by Steve_M:
Some control over the warning popups. Whether or not to show them, and/or whether or not to show them for a particular IP. This way you could temporarily, or always disable them when doing a scan on your system.

From your follow-up post I think you mean an option like the following:
When confronted by multiple rule creation prompts/alert windows click a button to deny all open/close all open. This is a good idea. The problem is how to implement it in a way that doesn't confuse first time users, which could be a bit tricky.
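A constructed illustration of the stale-hash check ghost16825 sketches above (drop a stored MD5 only after X unused days, and only if the file on disk still matches the stored hash). This is added example code, not Kerio's or KerioKlone's; HashRecord, prune_stale and the sample file names are assumptions.

```python
"""Stale MD5 record cleanup for a firewall's application hash list: once an
application has not been used for X days, drop its stored hash only if the
binary on disk still matches it. Added example, not Kerio's code; HashRecord
and the file layout are assumed."""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class HashRecord:
    path: str
    md5: str
    last_used: datetime

def md5_of(path: str, chunk: int = 65536) -> str:
    """Hash a file in chunks so large executables are not read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def prune_stale(records, now: datetime, max_idle_days: int):
    """Split records into (kept, removed). A record is removed only when the
    application has been idle for max_idle_days AND its file is present with
    an unchanged hash. A missing file (an updater that only exists while it
    runs, as BlitzenZeus notes) or a changed file is left for the user."""
    kept, removed = [], []
    for rec in records:
        idle_enough = now - rec.last_used >= timedelta(days=max_idle_days)
        if idle_enough and os.path.exists(rec.path) and md5_of(rec.path) == rec.md5:
            removed.append(rec)
        else:
            kept.append(rec)
    return kept, removed

def demo(max_idle_days: int = 30):
    """Constructed scenario in a temporary directory with four fake executables."""
    now = datetime(2004, 12, 16)   # constructed 'today'
    with tempfile.TemporaryDirectory() as d:
        def make(name, data):
            p = os.path.join(d, name)
            with open(p, "wb") as f:
                f.write(data)
            return p
        stale = make("stale.exe", b"MZ stale")        # idle 45 days, unchanged
        fresh = make("fresh.exe", b"MZ fresh")        # used 2 days ago
        changed = make("changed.exe", b"MZ v1")       # idle, but updated since hashing
        gone = make("gone.exe", b"MZ gone")           # idle, binary no longer on disk
        records = [
            HashRecord(stale, md5_of(stale), now - timedelta(days=45)),
            HashRecord(fresh, md5_of(fresh), now - timedelta(days=2)),
            HashRecord(changed, md5_of(changed), now - timedelta(days=45)),
            HashRecord(gone, md5_of(gone), now - timedelta(days=45)),
        ]
        with open(changed, "wb") as f:   # program updated after it was hashed
            f.write(b"MZ v2")
        os.remove(gone)                  # uninstalled or transient binary
        kept, removed = prune_stale(records, now, max_idle_days)
        return ([os.path.basename(r.path) for r in kept],
                [os.path.basename(r.path) for r in removed])
```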
BlitzenZeus (Premium Member, joined 2000-01-13) to Steve_M:
said by Steve_M:
said by BlitzenZeus:
Some control over the warning popups. Whether or not to show them, and/or whether or not to show them for a particular IP. This way you could temporarily, or always disable them when doing a scan on your system.
You already have this, you have your rules, and the selection of prompt, allow all (bad), and deny all. This was already covered, you just have to use the settings effectively.
Let me rephrase this. If you scan your system at say grc.com, it would be nice to be able to temporarily stop the popups.
It is still not necessary, you need to effectively use your ruleset, not just be there clicking on prompts all day.
Steve_M (Member, Schenectady, NY, joined 2004-09-14) to ghost16825:
said by ghost16825:

said by Steve_M:
An option to save rules to a file that is easily edited by hand.
Don't know if this is necessary, especially if a GUI interface exists to mix and match rule selections.
True, if the ability to mix and match was there, sounds good.
said by ghost16825:

said by Steve_M:
Programs that have been uninstalled are automatically removed from MD5 tab.
Hmmm, this could be a bit tricky in that we also have to monitor exes instead of just traffic. One idea could be an option to remove MD5s if the app had not been used for X days. On the Xth day not used the firewall could perform a simple check that the present hash was the same as that stored, then remove the stored hash.
Or maybe just an option to remove unused MD5s. But that's pretty much already there.
said by ghost16825:

said by Steve_M:
A better log viewer. Something similar to TinyLogger would be great.
But should this app be separate from the firewall component or included? I think such an app should be separate. The power, I think, in Kerio 2.15 is that the log is in a relatively raw, simple format.
Separate would be good. Maybe offer it as a plugin. That would help reduce the bulk of the application.
said by ghost16825:

said by Steve_M:
Some control over the warning popups. Whether or not to show them, and/or whether or not to show them for a particular IP. This way you could temporarily, or always disable them when doing a scan on your system.

From your follow-up post I think you mean an option like the following:
When confronted by multiple rule creation prompts/alert windows click a button to deny all open/close all open. This is a good idea. The problem is how to implement it in a way that doesn't confuse first time users, which could be a bit tricky.
Maybe something like a check box on the popup that says, "Do not warn for this site" and make it a per session option. This certainly would not be very high on my to do list. It's more of a convenience, than anything else.
Steve_M (Member) to BlitzenZeus:
said by BlitzenZeus:

It is still not necessary, you need to effectively use your ruleset, not just be there clicking on prompts all day.
I guess you're going to have to explain to me what you are talking about, or point me to a link that is relevant.

No I don't sit around all day closing prompts.. geesh
BlitzenZeus (Premium Member, joined 2000-01-13):
If you're getting prompts for listening programs, make rules to block unwanted packets to those programs... It's not that hard. Many people use block all rules, and using a block all inbound would prevent these prompts if you didn't want to set up these rules per application.
Steve_M (Member, Schenectady, NY, joined 2004-09-14):
said by BlitzenZeus:

If you're getting prompts for listening programs, make rules to block unwanted packets to those programs... It's not that hard. Many people use block all rules, and using a block all inbound would prevent these prompts if you didn't want to set up these rules per application.
Works perfectly... thank you.
BlitzenZeus (Premium Member, joined 2000-01-13):
Even my default replacement touched on block all rules, and they have been used in rule-based firewalls for years. It's just a matter of using the software correctly.
Steve_M (Member, Schenectady, NY, joined 2004-09-14):
said by BlitzenZeus:

It's just a matter of using the software correctly.
Yes, that's what it boils down to.

ghost16825,

Putting known issues aside, perhaps one of the most important improvements, from the first time users perspective, would be an in depth help file.
ghost16825 (Premium Member, joined 2003-08-26):
Ok, it seems like the project was approved.

The sourceforge site is: »sourceforge.net/projects/kerio/

The home page will be at:
»kerio.sourceforge.net/

I hope to get the home page up shortly. (Probably within the hour)
BlitzenZeus (Premium Member, joined 2000-01-13):
Interesting, I'm not sure how to fix the code to fix certain problems, but when you're settled there are a few bugs that should be fixed, like if you have a port listening on tcp only, kerio will prompt for any udp packets on the same port even though nothing is listening on udp.

This should be an interesting project, and you have got your first beta tester waiting.

mers2 (Premium Member, USA, joined 2004-03-20) to ghost16825:
I will be watching this project as I'm one of those who have waited in vain for Kerio to get its act together. I think you'll find there are plenty of people who will be willing to beta test.
ghost16825 (Premium Member, joined 2003-08-26):
Ok, the website is now up. All we need now are developers and feedback. Took me a while to upload it because I thought Sourceforge supported scp but not ssh.

»kerio.sourceforge.net/
Steve_M (Member, Schenectady, NY, joined 2004-09-14):
Outstanding!
ghost16825 (Premium Member, joined 2003-08-26) to BlitzenZeus:
said by BlitzenZeus:

like if you have a port listening on tcp only, kerio will prompt for any udp packets on the same port even though nothing is listening on udp.
Hmm. Here's a question: How would this work for say a port scanner? Maybe this needs a checkbox ticked by default, not an implicit rule.
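An added example, not Kerio's code, of the two rule-handling points raised in this thread: BlitzenZeus's ordered ruleset ending in a "block all inbound" rule that logs instead of prompting, and the TCP-only listener / UDP prompt problem quoted just above, handled by keying the listener table on protocol and port and exposing the opt-in checkbox ghost16825 mentions. Packet, Rule and Firewall are assumed structures and the sample traffic is constructed.

```python
"""First-match packet filtering with a logging 'block all inbound' catch-all and
listener-aware handling of unmatched packets. Added example, not Kerio's code;
Packet, Rule and Firewall are assumed structures."""
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Packet:
    direction: str              # "in" or "out"
    proto: str                  # "tcp" or "udp"
    local_port: int
    remote_ip: str
    app: Optional[str] = None   # owning process, when the stack reports one

@dataclass
class Rule:
    name: str
    action: str                         # "allow" or "deny"
    direction: Optional[str] = None     # None matches anything
    proto: Optional[str] = None
    local_port: Optional[int] = None
    remote_ip: Optional[str] = None
    app: Optional[str] = None
    log: bool = False

    def matches(self, p: Packet) -> bool:
        pairs = ((self.direction, p.direction), (self.proto, p.proto),
                 (self.local_port, p.local_port), (self.remote_ip, p.remote_ip),
                 (self.app, p.app))
        return all(want is None or want == got for want, got in pairs)

@dataclass
class Firewall:
    rules: list
    listeners: dict = field(default_factory=dict)  # (proto, port) -> app
    prompt_unlistened: bool = False  # the opt-in checkbox ghost16825 suggests
    log: list = field(default_factory=list)

    def decide(self, p: Packet) -> str:
        """Ordered rules, first match wins. Unmatched traffic prompts the user,
        except inbound to a port with no listener for that exact protocol."""
        for r in self.rules:
            if r.matches(p):
                if r.log:
                    self.log.append(f"{r.name}: {r.action} {p.proto} {p.direction} "
                                    f"port {p.local_port} remote {p.remote_ip}")
                return r.action
        if (p.direction == "in" and (p.proto, p.local_port) not in self.listeners
                and not self.prompt_unlistened):
            self.log.append(f"no listener: deny {p.proto} port {p.local_port} "
                            f"remote {p.remote_ip}")
            return "deny"
        return "prompt"

SAMPLE = (  # constructed traffic from a made-up remote host
    Packet("in", "tcp", 80, "198.51.100.7"),    # reaches the web server
    Packet("in", "udp", 80, "198.51.100.7"),    # UDP probe of a TCP-only port
    Packet("in", "tcp", 445, "198.51.100.7"),   # nothing listening at all
    Packet("out", "tcp", 443, "203.0.113.9"),   # outbound with no rule yet
)

def with_catch_all():
    """Per-application allow, then 'block all inbound, log': no inbound prompt
    is ever raised, but every blocked attempt is still visible in the log."""
    fw = Firewall(
        rules=[Rule("web server", "allow", direction="in", proto="tcp", local_port=80),
               Rule("block all inbound", "deny", direction="in", log=True)],
        listeners={("tcp", 80): "httpd"})
    return [fw.decide(p) for p in SAMPLE], fw.log

def without_catch_all(prompt_unlistened=False):
    """Only the allow rule: the listener check decides the probes unless the user opted in."""
    fw = Firewall(
        rules=[Rule("web server", "allow", direction="in", proto="tcp", local_port=80)],
        listeners={("tcp", 80): "httpd"}, prompt_unlistened=prompt_unlistened)
    return [fw.decide(p) for p in SAMPLE]
```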
VirtualLarry (Premium Member, joined 2003-08-01) to Steve_M:
said by Steve_M:

Let me rephrase this. If you scan your system at say grc.com, it would be nice to be able to temporarily stop the popups.
I have a specific rule for those IPs that I can manually enable or disable at will. I think that a good idea would be the ability to create a rule, and then additionally specify that control over that rule should be displayed on the outer-most UI for the firewall, like in a submenu off of the pop-up context menu that pops up from the icon in the systray notification area.

The other idea would be for having transparent, or "trigger" rules, and allowing admin-specified rules and user rules, with the ability for some of them to be prioritized over one another. This would allow the admin to specify some "absolute" control rules, and still allow the user to have some control over their networking environment.
VirtualLarry (Premium Member) to ghost16825:
said by ghost16825:

When confronted by multiple rule creation prompts/alert windows click a button to deny all open/close all open. This is a good idea. The problem is how to implement it in a way that doesn't confuse first time users, which could be a bit tricky.
One idea would be to maintain and display a queue of connection requests/traffic/etc., possibly sorted/filtered on a per-app, or really, any particular arbitrary attribute, and additionally allow the user to, with a single click, define a rule around that attribute, whether it be app, IP, port, protocol, or what. Possibly there could be a "rule-creation palette" area below the prompt-queue display, and by clicking attributes in turn, it would further specify attributes to be applied to the rule being formed, and then click to create the rule.

One thing that definitely should be added is a rule-creation timestamp, or perhaps logging the rule creations, such that it would be possible to "undo" them, or otherwise roll back the ruleset, possibly on a filtered basis.
VirtualLarry (Premium Member) to Steve_M:
said by Steve_M:

Maybe something like a check box on the popup that says, "Do not warn for this site" and make it a per session option. This certainly would not be very high on my to do list. It's more of a convenience, than anything else.
Yes, that's something that I've wanted for a long time, per-session rules. (Kind of like "session" vs. "permanent" cookies in browsers.)

A few other questions/ideas - should application/process-control be implemented? At what granularity? Should OS kernel components attempting network communications or listening be monitored? What about LSPs?

tictacsrt (Premium Member, Ohio, joined 2002-01-16) to ghost16825:
That would be great, Kerio revived again! Sorry, I'm no help on that though.
Anyone know much about antihacker for now?
ghost16825 (Premium Member, joined 2003-08-26):
Progress update Thu, 16 Dec 2004 02:05 GMT

said by VirtualLarry:
I think that a good idea, would be the ability to create a rule, and then additionally specify that control over that rule should be displayed on the outer-most UI for the firewall, like in a submenu off of the pop-up context menu that pops up from the icon in the systray notification area.
Kind of get what you mean here, but not quite well enough. Perhaps some kind of 'screenshot' would be helpful.
said by VirtualLarry:
The other idea would be for having transparent, or "trigger" rules, and allowing admin-specified rules and user rules, with the ability for some of them to be prioritized over one another. This would allow the admin to specify some "absolute" control rules, and still allow the user to have some control over their networking environment.
At this stage, I will rule this out as part of the architecture of KerioKlone. The idea of separate "user" and "admin" control seems to work well for application sandboxes like SSM. But for a firewall application which can already have password protected rulesets....well I just do not see the real benefits. Of course, there may be many others who believe such a thing is very beneficial. Remember, the feature-set for the first milestone has not been finalized.
said by VirtualLarry:
One idea would be to maintain and display a queue of connection requests/traffic/etc., possibly sorted/filtered on a per-app, or really, any particular arbitrary attribute, and additionally allow the user to, with a single click, define a rule around that attribute, whether it be app, IP, port, protocol, or what. Possibly there could be a "rule-creation palette" area below the prompt-queue display, and by clicking attributes in turn, it would further specify attributes to be applied to the rule being formed, and then click to create the rule.
If I understand this correctly you mean more elaborate behaviour based on a feature listed on the webpage 'User option for Rule prompts - have the...'
said by VirtualLarry:
One thing that definately should be added, is a rule-creation timestamp, or perhaps logging the rule creations, such that it would be possible to "undo" them, or otherwise roll-back the ruleset, possibly on a filtered basis.

I believe a similar kind of feature has been posted on the website.
said by VirtualLarry:
Yes, that's something that I've wanted for a long time, per-session rules.
From the response I have received, something along the lines of "session", "expiring" rules will definitely be included as a must feature.
said by VirtualLarry:
should application/process-control be implemented?

There will definitely be no application sandboxing. Executable-only hashing will occur for any network-seeking applications. MD5 hashing for all used components of an application is an idea that has been thought of. However, the effectiveness of this does not seem worth the inclusion. A big problem is that components change frequently, executables hardly ever. (It seems like IE hijacking is the only thing which in practice would ever be detected by this feature.)
said by VirtualLarry:
Should OS kernel components attempting network communications or listening be monitored? What about LSPs?
The idea is to have as low-level a driver as possible. LSPs are definitely something to think about.

Thanks for your responses VirtualLarry.

---------------------------------------------------

As a general rule, this project is after as generic as possible solutions, with minimal menu cascades and mouse clicks, especially for commonly used features.

By generic I mean more of an emphasis on being able to solve many kinds of certain situations to part a degree, rather than a feature only solving a single situation to all of a degree.

As the versions progress, and as user behaviour drifts towards any specific behaviour then this kind of detailed control will be added. This also applies to any kind of "AI" type of behaviour like full SPI as in KPF4.

I would also like to remind everyone that the Features page »kerio.sourceforge.net/fe ··· res.html will be updated quite regularly (almost daily) over the next few weeks. I welcome all feedback. As far as coding goes, developers are very much needed. Many of you may be happy to hear that a few developers have already contacted me to volunteer their time. This is much appreciated. I should point out that web coders are also welcome, to deal with 'Feature voting'.
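An added example, not KerioKlone's code, of two features this update commits to or references: expiring "session" rules and a timestamped rule-creation journal that can be rolled back, as VirtualLarry asked for. RuleSet, JournalEntry and the method names are assumptions, and the timeline is constructed.

```python
"""Session (expiring) rules plus a rule-creation journal that supports rollback.
Added example, not the project's code; RuleSet and its method names are assumed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                           # "allow" or "deny"
    expires: Optional[datetime] = None    # None: permanent rule

@dataclass
class JournalEntry:
    when: datetime
    op: str          # "add" or "remove"
    rule: Rule
    index: int       # position in the ruleset when the change was made

@dataclass
class RuleSet:
    rules: list = field(default_factory=list)
    journal: list = field(default_factory=list)

    def add(self, rule: Rule, now: datetime, index: Optional[int] = None) -> None:
        """Insert a rule (appended by default) and journal it with a timestamp."""
        index = len(self.rules) if index is None else index
        self.rules.insert(index, rule)
        self.journal.append(JournalEntry(now, "add", rule, index))

    def add_session(self, name, action, now, ttl: timedelta, index=None) -> None:
        """A rule that silences prompts for a while, e.g. during an online scan."""
        self.add(Rule(name, action, expires=now + ttl), now, index)

    def remove(self, name: str, now: datetime) -> bool:
        for i, r in enumerate(self.rules):
            if r.name == name:
                self.journal.append(JournalEntry(now, "remove", r, i))
                del self.rules[i]
                return True
        return False

    def prune_expired(self, now: datetime) -> None:
        """Drop session rules whose expiry has passed (journaled as removals)."""
        for r in [r for r in self.rules if r.expires is not None and r.expires <= now]:
            self.remove(r.name, now)

    def rollback(self, since: datetime) -> int:
        """Undo every journaled change made at or after `since`, newest first,
        and return how many entries were undone."""
        undone = 0
        while self.journal and self.journal[-1].when >= since:
            e = self.journal.pop()
            if e.op == "add":
                assert self.rules[e.index] == e.rule   # journal and ruleset agree
                del self.rules[e.index]
            else:
                self.rules.insert(e.index, e.rule)
            undone += 1
        return undone

def scenario():
    """Constructed timeline: permanent rules, a one-hour session rule that
    expires, then a mistaken rule that is rolled back by timestamp."""
    t0 = datetime(2004, 12, 16, 2, 5)
    rs = RuleSet()
    rs.add(Rule("allow dns", "allow"), t0)
    rs.add(Rule("block all inbound", "deny"), t0)
    t1 = t0 + timedelta(minutes=10)       # user starts a scan, silences it for 1h
    rs.add_session("silence scan host", "deny", t1, timedelta(hours=1), index=0)
    during = [r.name for r in rs.rules]
    rs.prune_expired(t1 + timedelta(minutes=30))
    still = [r.name for r in rs.rules]
    rs.prune_expired(t1 + timedelta(hours=1))
    after = [r.name for r in rs.rules]
    t2 = t1 + timedelta(hours=2)          # a mistaken rule, then undo it
    rs.add(Rule("allow everything", "allow"), t2, index=0)
    undone = rs.rollback(t2)
    return during, still, after, [r.name for r in rs.rules], undone
```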
Steve_M (Member, Schenectady, NY, joined 2004-09-14) to VirtualLarry:

Re: [Kerio 2.x] Kerio 2.2 Features (request)

said by VirtualLarry:

I have a specific rule for those IPs that I can manually enable or disable at will. I think that a good idea would be the ability to create a rule, and then additionally specify that control over that rule should be displayed on the outer-most UI for the firewall, like in a submenu off of the pop-up context menu that pops up from the icon in the systray notification area.
I thought about creating such a rule long ago. But that's just another rule that has to be processed by the firewall. Unless it's only enabled when needed, like you described.

You can use a block all incoming rule, but then you get no prompts. However, if you set the rule to log, and review your log as you should, you would still be aware of blocked attempts.

I'm pretty much to the point of being satisfied with my rules, and no longer care to see the prompts. So the block all incoming (Log) rule works for me.

Back to a point that I made earlier, "perhaps one of the most important improvements, from the first time users perspective, would be an in depth help file."

An in depth help file would give the first time user the necessary information to administer this firewall correctly.

I think that such a help file should also include a "how to" section, covering common rules for certain tasks.

The end result would be a true rule based firewall, that is not bloated with enhancements to help the first time user, yet could be successfully administered by most first time users that are willing to read the documentation.
Steve_M (Member) to ghost16825:

Re: Progress update Thu, 16 Dec 2004 02:05 GMT

said by ghost16825:
Many of you may be happy to hear that a few developers have already contacted me to volunteer their time. This is much appreciated.
Not just happy, ghost16825, try ecstatic.
ghost16825 (Premium Member, joined 2003-08-26) to Steve_M:

Re: [Kerio 2.x] Kerio 2.2 Features (request)

said by Steve_M:
An in depth help file would give the first time user the necessary information to administer this firewall correctly.
Your concern has been noted. This project aims to have at least some kind of help file for the first milestone release. However, as with almost any software project, help documentation is almost always created last, which may affect its quality unfortunately. This is a sad fact for the end user, but rather true.
ghost16825 (Premium Member):
KhaineBOT's feature requests

This is a reply to the features requested in »KerioKlone open source firewall project started :
said by Khaine:
Powerful plug-in architecture – should allow the seamless integration of other tools and feature enhancements i.e. Snort, enhanced log-file reader, ad-blocker
At this stage I would say I am against this concept. I think the purpose of KerioKlone (as it is for the present called) is to be a strict rules based firewall which does a limited set of tasks very well. See the FAQ as to why snort and a log-reader will not be included. (»kerio.sourceforge.net/faq.html). I have to admit that the concept of a plugin architecture sounds great in theory. In practice, there are many potential problems. Second, there are many software firewalls around. I can only think of one off the top of my head that had any type of plugin system - and then it seemed a gimmick. (No plugins were produced in the public or private domain for this firewall, from what I am aware).
said by Khaine:
Ability to group applications i.e. Have a web-browser group and apply one set of rules to it, and be able to have firefox and ie in that group
There definitely seems to be some demand for grouping of applications in a second additional interface as well as the original rule-ordered one. What is not clear to me at the moment is how most of those requesting application grouping will use this property. (The features page should have one example of an interface.) I believe it is for readability.. at least I did initially. Perhaps you could elaborate on the sequence of steps you envision leading up to the text I quoted.
said by Khaine:
Ability to specify remote location by either IP or DNS

Yes, I think this is a must-have feature. Of course there needs to be a decided set of actions to perform if resolving cannot take place.
Steve_M (Member, Schenectady, NY, joined 2004-09-14) to ghost16825:

Re: [Kerio 2.x] Kerio 2.2 Features (request)

said by ghost16825:

However, as with almost any software project, help documentation is almost always created last, which may affect its quality unfortunately. This is a sad fact for the end user, but rather true.
I wouldn't imagine that a comprehensive help system could be developed until the project had matured. I was thinking toward a final, or almost final release.

I've thought about this a lot, and the scope of this project is a good one. Fix the known problems, and stick to the same basic design of a true rule-based firewall.

For making things a bit more comfortable for the first time user, I would submit that the help system be the solution. In other words, if the end user is willing to read the documentation, he or she should be able to find the help that they need. Unlike the help provided with 2x.