 ghost16825 Use security metrics Premium join:2003-08-26
[Kerio 2.x] Kerio 2.2 Features (request)
No, Kerio will not be releasing another version of 2x as far as I am aware. But threads like »[Kerio 2.x] What next? have sparked my imagination a bit. While waiting for approval of such an open source firewall project from Sourceforge.net, which I have already submitted, I thought it would be good to get some ideas on how to improve Kerio 2x. Here's mine:
The new improved rule editor. One click on the copy button creates a copy of the selected rule underneath the one selected. Undo.
Changing double arrow behaviour.
The other option is to have these kinds of arrows instead and move the rule to the start/end without a changeable setting.
Misc tab removes New version checks and animation settings. Can now append rulesets.
The Microsoft Networking tab is removed. New is the ability to create multiple custom address groups.
What clicking edit now does.
A better menu.
Changing tray icon behaviour. |
|
  BlitzenZeus Burnt Out Cynic Premium,MVM join:2000-01-13 Beaverton, OR
The way Kerio has been doing things, I wouldn't hold your breath; they are trying to sucker in the ZA crowd with their buggy beta bloatware.
Fix the problem with the hidden setting that blocked all traffic before the engine was loaded; the problem was that if you disabled the firewall, you could not re-enable it again without some real manual effort.
Remove terms like attack from 'ack packet attack'....
Better control over the listening services, so that unless you enable Remote Admin, it doesn't listen, except for the required localhost service.
Remove the default ability to allow itself out tcp 80, bypassing your rules.
If you can import rules into an existing ruleset, the ability to export and import only selected rules to/from a file.
Implicitly block all fragmented packets, at least as an option.
Real IPv6 filtering, but that is most likely a pipe dream without fully knowing/rewriting the tcp/ip interface.
Find the source of the random problems with hibernation/standby, and certain network card drivers.
Increase the default buffer size, which had to be manually changed by a few users.
I agree with most of your suggestions, and I will probably think of more as time goes by. I've used this product so long I could point out little flaws almost everywhere, but without the knowledge to fix them, there isn't much I can do. |
|
 Steve_M
join:2004-09-14 Schenectady, NY
reply to ghost16825 An option to save rules to a file that is easily edited by hand.
Programs that have been uninstalled are automatically removed from MD5 tab.
A better log viewer. Something similar to TinyLogger would be great.
The ability to limit the log size in MB, with the option to overwrite or start a new log file.
Some control over the warning popups. Whether or not to show them, and/or whether or not to show them for a particular IP. This way you could temporarily, or always, disable them when doing a scan on your system. |
|
  BlitzenZeus Burnt Out Cynic Premium,MVM join:2000-01-13 Beaverton, OR
An option to save rules to a file that is easily edited by hand. Huge opportunity for user error, and possibly causing problems with invalid information/formats; let the program handle it.
said by Steve_M :Programs that have been uninstalled are automatically removed from MD5 tab. I don't agree with this, my av generates its update program every time so it doesn't exist past being ran when checking for updates. Maybe an option.
Some control over the warning popups. Whether or not to show them, and/or whether or not to show them for a particular IP. This way you could temporarily, or always, disable them when doing a scan on your system. You already have this: you have your rules, and the selection of prompt, allow all (bad), and deny all. This was already covered, you just have to use the settings effectively. -- My hourly rates: $25 per hour. $35 per hour if you want to watch. $45 per hour if you want to help. $75 per hour if you tried to fix it, and failed. The biggest error is sitting in front of your keyboard. |
|
 Steve_M
join:2004-09-14 Schenectady, NY
| said by BlitzenZeus :Some control over the warning popups. Whether or not to show them, and/or whether or not to show them for a particular IP. This way you could temporarily, or always, disable them when doing a scan on your system. You already have this: you have your rules, and the selection of prompt, allow all (bad), and deny all. This was already covered, you just have to use the settings effectively. Let me rephrase this. If you scan your system at, say, grc.com, it would be nice to be able to temporarily stop the popups. |
|
 ghost16825 Use security metrics Premium join:2003-08-26
| reply to BlitzenZeus said by BlitzenZeus : Better control over the listening services, unless you enable Remote Admin, it doesn't listen, except for the required localhost service.
That's what I was thinking when I removed the 'Check for new version' parts from the Misc tab. In my opinion, any kind of firewall connecting out is very risky, even if it is handy (eg. Remote Admin). The problem is Kerio decided to have both remote administration and local admin use the same interface, which may have been much easier to program and integrate but made secure separation much more difficult. The way I see it, have no 'Version checks' to start off. Then, if the user decides that they do not want remote admin (a separate component) during installation, the firewall will simply deny any traffic which appears to have been sent by itself. I seem to remember early versions of Kerio 4, or was it some versions of Kerio 2x, had an option for the user to decide whether to install the Admin module or not. That seemed to be on the right track.
said by BlitzenZeus : Find the source of the random problems with hibernation/standby, and certain network card drivers.
I would suggest most of these problems lie with the lack of independence by the firewall driver. (It seems reliant on Netbios drivers/services). An independent driver would eliminate a lot of problems, I think. |
|
 ghost16825 Use security metrics Premium join:2003-08-26
reply to Steve_M said by Steve_M : An option to save rules to a file that is easily edited by hand.
Don't know if this is necessary, especially if a GUI interface exists to mix and match rule selections.
said by Steve_M : Programs that have been uninstalled are automatically removed from MD5 tab.
Hmmm, this could be a bit tricky in that we also have to monitor exes instead of just traffic. One idea could be an option to remove MD5s if the app had not been used for X days. On the Xth day not used the firewall could perform a simple check that the present hash was the same as that stored, then remove the stored hash. said by Steve_M : A better log viewer. Something similar to TinyLogger would be great.
But should this app be separate from the firewall component or included? I think such an app should be separate. The power, I think, in Kerio 2.15 is that the log is in a relatively raw, simple format.
said by Steve_M : Some control over the warning popups. Whether or not to show them, and/or whether or not to show them for a particular IP. This way you could temporarily, or always, disable them when doing a scan on your system.
From your follow-up post I think you mean an option like the following: When confronted by multiple rule creation prompts/alert windows click a button to deny all open/close all open. This is a good idea. The problem is how to implement it in a way that doesn't confuse first time users, which could be a bit tricky. |
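The hash-aging idea in the post above (remove an application's stored hash after X days unused, after checking the present hash against the stored one), worked through as an added example. This is not Kerio's code; the entry store, the day counter, the reason codes and the fake executables are all constructed for the demo. It uses SHA-256 rather than the MD5 that Kerio 2.x displays, since MD5 is no longer collision resistant.

```python
# Added example (not Kerio's code): an application-hash store that ages out
# entries the way the post above proposes. An entry is dropped only after it
# has been unused for X days; at that point the file's current hash is
# compared with the stored one so the reason for removal can be logged.
# All file names, day numbers and contents below are constructed for the demo.
import hashlib
import os
import tempfile
from dataclasses import dataclass, field


def digest_of(path):
    """Hash the executable on disk. Kerio 2.x shows MD5; SHA-256 is used
    here because MD5 is no longer collision resistant."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


@dataclass
class Entry:
    digest: str         # hash recorded when the entry was created
    last_used_day: int  # day number of the last traffic matched to this app


@dataclass
class HashStore:
    max_idle_days: int
    entries: dict = field(default_factory=dict)  # path -> Entry

    def add(self, path, today):
        self.entries[path] = Entry(digest_of(path), today)

    def record_use(self, path, today):
        """Call whenever traffic is matched to the application."""
        self.entries[path].last_used_day = today

    def prune(self, today):
        """Remove entries idle for max_idle_days or more.
        Returns {path: reason} so the caller can log what happened."""
        removed = {}
        for path, e in list(self.entries.items()):
            if today - e.last_used_day < self.max_idle_days:
                continue                      # still in use, keep
            if not os.path.exists(path):
                reason = "missing"            # uninstalled: nothing to match
            elif digest_of(path) == e.digest:
                reason = "unused"             # same binary, just idle
            else:
                reason = "replaced"           # binary changed while idle: the
                                              # stored hash is stale anyway and
                                              # the user must be re-prompted
            del self.entries[path]
            removed[path] = reason
        return removed


def demo():
    """Constructed scenario: four fake executables in a temp directory."""
    d = tempfile.mkdtemp()
    paths = {n: os.path.join(d, n + ".exe")
             for n in ("stable", "replaced", "gone", "active")}
    for p in paths.values():
        with open(p, "wb") as f:
            f.write(b"MZ" + os.path.basename(p).encode())
    store = HashStore(max_idle_days=30)
    for p in paths.values():
        store.add(p, today=1)
    store.record_use(paths["active"], today=40)   # only this one stays busy
    with open(paths["replaced"], "ab") as f:
        f.write(b"patched")                       # simulate an upgrade
    os.remove(paths["gone"])                      # simulate an uninstall
    removed = store.prune(today=45)
    kept = sorted(os.path.basename(p) for p in store.entries)
    return {os.path.basename(p): r for p, r in removed.items()}, kept


if __name__ == "__main__":
    print(demo())
```

The hash check on the Xth day is what makes the reason useful: an entry whose binary is unchanged was simply idle, one whose hash differs was replaced behind the firewall's back, and a missing file is the uninstall case Steve_M asked about. In all three cases the stored hash goes, so the next run of that program gets a fresh prompt rather than silently matching a stale entry.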
|
  BlitzenZeus Burnt Out Cynic Premium,MVM join:2000-01-13 Beaverton, OR
| reply to Steve_M said by Steve_M : said by BlitzenZeus :Some control over the warning popups. Whether or not to show them, and/or whether or not to show them for a particular IP. This way you could temporarily, or always, disable them when doing a scan on your system. You already have this: you have your rules, and the selection of prompt, allow all (bad), and deny all. This was already covered, you just have to use the settings effectively. Let me rephrase this. If you scan your system at, say, grc.com, it would be nice to be able to temporarily stop the popups. It is still not necessary; you need to effectively use your ruleset, not just be there clicking on prompts all day. |
|
 Steve_M
join:2004-09-14 Schenectady, NY
| reply to ghost16825 said by ghost16825 : said by Steve_M : An option to save rules to a file that is easily edited by hand.
Don't know if this is necessary, especially if a GUI interface exists to mix and match rule selections. True, if the ability to mix and match was there, sounds good.
said by ghost16825 :said by Steve_M : Programs that have been uninstalled are automatically removed from MD5 tab.
Hmmm, this could be a bit tricky in that we also have to monitor exes instead of just traffic. One idea could be an option to remove MD5s if the app had not been used for X days. On the Xth day not used the firewall could perform a simple check that the present hash was the same as that stored, then remove the stored hash. Or maybe just an option to remove unused MD5s. But that's pretty much already there.
said by ghost16825 :said by Steve_M : A better log viewer. Something similar to TinyLogger would be great.
But should this app be separate from the firewall component or included? I think such an app should be separate. The power, I think, in Kerio 2.15 is that the log is in a relatively raw, simple format. Separate would be good. Maybe offer it as a plugin. That would help reduce the bulk of the application.
said by ghost16825 :said by Steve_M : Some control over the warning popups. Whether or not to show them, and/or whether or not to show them for a particular IP. This way you could temporarily, or always, disable them when doing a scan on your system.
From your follow-up post I think you mean an option like the following: When confronted by multiple rule creation prompts/alert windows click a button to deny all open/close all open. This is a good idea. The problem is how to implement it in a way that doesn't confuse first time users, which could be a bit tricky. Maybe something like a check box on the popup that says, "Do not warn for this site" and make it a per session option. This certainly would not be very high on my to do list. It's more of a convenience, than anything else. |
|
 Steve_M
join:2004-09-14 Schenectady, NY
| reply to BlitzenZeus said by BlitzenZeus :It is still not necessary; you need to effectively use your ruleset, not just be there clicking on prompts all day. I guess you're going to have to explain to me what you are talking about, or point me to a link that is relevant.
No I don't sit around all day closing prompts.. geesh |
|
  BlitzenZeus Burnt Out Cynic Premium,MVM join:2000-01-13 Beaverton, OR
If you're getting prompts for listening programs, make rules to block unwanted packets to those programs... It's not that hard. Many people use block all rules, and using a block all inbound would prevent these prompts if you didn't want to set up these rules per application. |
|
 Steve_M
join:2004-09-14 Schenectady, NY
| said by BlitzenZeus :If you're getting prompts for listening programs, make rules to block unwanted packets to those programs... It's not that hard. Many people use block all rules, and using a block all inbound would prevent these prompts if you didn't want to set up these rules per application. Works perfectly... thank you. |
|
BlitzenZeus Burnt Out Cynic Premium,MVM join:2000-01-13 Beaverton, OR | Even my default replacement touched on block all rules, and they have been used in rule-based firewalls for years. It's just a matter of using the software correctly. |
|
 Steve_M
join:2004-09-14 Schenectady, NY
| said by BlitzenZeus :It's just a matter of using the software correctly. Yes, that's what it boils down to.
ghost16825 ,
Putting known issues aside, perhaps one of the most important improvements, from the first time users perspective, would be an in depth help file. |
|
 ghost16825 Use security metrics Premium join:2003-08-26
| reply to ghost16825 Ok, it seems like the project was approved.
The sourceforge site is: »sourceforge.net/projects/kerio/
The home page will be at: »kerio.sourceforge.net/
I hope to get the home page up shortly. (Probably within the hour) |
|
  BlitzenZeus Burnt Out Cynic Premium,MVM join:2000-01-13 Beaverton, OR
Interesting. I'm not sure how to fix the code to fix certain problems, but when you're settled there are a few bugs that should be fixed, like if you have a port listening on tcp only, Kerio will prompt for any udp packets on the same port even though nothing is listening on udp.
This should be an interesting project, and you have got your first beta tester waiting. |
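Two points from this thread, worked through together as an added example: BlitzenZeus's advice that a trailing "block all inbound" rule stops the prompts for listening programs, and the bug just described, where a udp packet to a port that only has a tcp listener still raises a prompt. The evaluator below is not Kerio's code; the rule fields, application names, listener table and TEST-NET addresses are constructed for the demo. Its design choice for the bug is to drop and log an inbound packet whose protocol/port has no listener, since no program could receive it, and never to prompt for it; that also covers a port scan hitting closed ports.

```python
# Added example (not Kerio's code): a first-match rule evaluator that models
# (1) a trailing "block all inbound" rule removing prompts for listening
# programs and (2) inbound packets with no listener on that proto/port being
# dropped and logged instead of prompting. Rules, apps and addresses are
# constructed for the demo.
from dataclasses import dataclass
from typing import Optional

ANY = None  # wildcard for a rule field


@dataclass(frozen=True)
class Packet:
    direction: str             # "in" or "out"
    proto: str                 # "tcp" or "udp"
    remote_ip: str
    remote_port: int
    local_port: int
    app: Optional[str] = None  # sending app for outbound (known from the socket)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                        # "permit" or "deny"
    direction: Optional[str] = ANY
    proto: Optional[str] = ANY
    remote_ip: Optional[str] = ANY
    remote_port: Optional[int] = ANY
    local_port: Optional[int] = ANY
    app: Optional[str] = ANY

    def matches(self, pkt, app):
        pairs = ((self.direction, pkt.direction), (self.proto, pkt.proto),
                 (self.remote_ip, pkt.remote_ip), (self.remote_port, pkt.remote_port),
                 (self.local_port, pkt.local_port), (self.app, app))
        return all(want is ANY or want == have for want, have in pairs)


class Firewall:
    def __init__(self, rules, listeners):
        self.rules = list(rules)          # evaluated top to bottom, first match wins
        self.listeners = dict(listeners)  # (proto, local_port) -> app name

    def decide(self, pkt):
        """Return (verdict, reason); verdict is permit, deny, drop or prompt."""
        if pkt.direction == "in":
            app = self.listeners.get((pkt.proto, pkt.local_port))
            if app is None:
                # Nothing owns this proto/port, so no program could receive
                # the packet: drop and log, never prompt. A tcp-only listener
                # on 135 therefore never triggers a prompt for udp/135.
                return "drop", "no listener on %s/%d" % (pkt.proto, pkt.local_port)
        else:
            app = pkt.app
        for r in self.rules:
            if r.matches(pkt, app):
                return r.action, r.name
        return "prompt", "no rule matched"


def scenario():
    """Constructed ruleset, listener table and packets; returns the verdicts
    with and without a trailing block-all-inbound rule."""
    base = [
        Rule("allow DNS out", "permit", direction="out", proto="udp", remote_port=53),
        Rule("allow browser http out", "permit", direction="out", proto="tcp",
             remote_port=80, app="browser.exe"),
    ]
    block_all_in = Rule("block all inbound", "deny", direction="in")
    listeners = {("tcp", 135): "svchost.exe", ("udp", 137): "system"}
    packets = [
        Packet("in", "tcp", "203.0.113.5", 40000, 135),   # scanner hits a tcp listener
        Packet("in", "udp", "203.0.113.5", 40000, 135),   # udp to the tcp-only port
        Packet("in", "udp", "203.0.113.5", 137, 137),     # netbios name query
        Packet("out", "tcp", "198.51.100.1", 80, 51000, app="browser.exe"),
        Packet("out", "tcp", "198.51.100.1", 80, 51001, app="unknown.exe"),
    ]
    without = Firewall(base, listeners)
    with_block = Firewall(base + [block_all_in], listeners)
    return {"open": [without.decide(p) for p in packets],
            "block_all": [with_block.decide(p) for p in packets]}


if __name__ == "__main__":
    for name, verdicts in scenario().items():
        print(name, verdicts)
```

Because the match is first-hit, the block-all-inbound rule has to sit at the bottom of the list; anything placed after it is never reached. With it in place the scanner's SYN to the tcp/135 listener is denied by rule instead of prompting, while the udp/135 probe is dropped by the listener check in both rulesets, which is the behaviour the bug report asks for.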
|
mers2 Premium,MVM join:2004-03-20 USA
| reply to ghost16825 I will be watching this project as I'm one of those who have waited in vain for Kerio to get its act together. I think you'll find there are plenty of people who will be willing to beta test. -- "Think for yourself and let others enjoy the privilege of doing so too." - Voltaire |
|
ghost16825 Use security metrics Premium join:2003-08-26 | Ok, the website is now up. All we need now are developers and feedback. Took me a while to upload it because I thought Sourceforge supported scp but not ssh.
»kerio.sourceforge.net/ |
|
 Steve_M
join:2004-09-14 Schenectady, NY | Outstanding!  |
|
 ghost16825 Use security metrics Premium join:2003-08-26
| reply to BlitzenZeus said by BlitzenZeus :like if you have a port listening on tcp only, Kerio will prompt for any udp packets on the same port even though nothing is listening on udp. Hmm. Here's a question: How would this work for, say, a port scanner? Maybe this needs a checkbox ticked by default, not an implicit rule. |
|