Qwerky

join:2006-05-24
Adanac

Kerio 4.2.3 packet filter rule

Posting here per instructions of the now closed Kerio forum.

As it's required for work, I've just installed Windows Live Messenger. I am trying to create permit rules for it. After allowing/logging each address it asks for over a period of time, I combined the IP addresses into an IP group and made a new rule which allows the group, then removed all the previous allowed rules. In the new rule, I allowed ports 80, 433, 1683, and 7001, TCP and UDP, outgoing. Those are the only ones it has asked for.

The problem is that every day, Kerio keeps showing pop-ups asking for permission for Windows Live Messenger, which I allow. When I analyze the rule generated, I see that the addresses are ones that I've already placed into the allowed IP Group. I can't figure out why it keeps asking for addresses already permitted.

When I examine Kerio's log, I see that there are many instances where Messenger has accessed the net without asking (using the permitted IP Group), and many instances where it has asked permission for the same addresses! The only difference is that while under the Application column both show the same path/file to the installed Windows Live Messenger executable, under the Description column the ones which didn't ask permission are listed as Windows Live Messenger, while the ones which did ask for permission are listed as 'Any other application'. Huh? What's going on here?
--
Mr. Qwerky - The Lone Stranger
Hi-Ho Tinfoil, Away!

Qwerky

join:2006-05-24
Adanac

Additional information: If I just allow the Windows Live Messenger application Outbound, I get no more requests for permission (obviously). So why does allowing this one application open the way both for 'Windows Live Messenger' and for 'Any other application'?

Put another way, why does the one application sometimes appear to Kerio as 'Windows Live Messenger', and other times appear to it as 'Any other application'?

--
Mr. Qwerky - The Lone Stranger
Hi-Ho Tinfoil, Away!

Qwerky

join:2006-05-24
Adanac
reply to Qwerky
Are there no Kerio users left?

The Snowman
Premium
join:2007-05-20
·Verizon Online DSL

reply to Qwerky


Having some issues, are you? A suggestion: could it be that both programs use the same ports?

Check the settings in Windows Messenger; it's calling out for a reason. Locate the reason (update, etc.). Do you have it set to start up when Windows starts? If so, change that.

Why have you not just blocked Messenger? Get it over with. Unblock it only when you use it.

This is a brief comment but may give you some ideas. Find which ports each program needs and work from there.

Qwerky

join:2006-05-24
Adanac

Hello Snowman. I do thank you for the reply.

The problem is, that there is only one program, but Kerio sees it as two different programs.

In the log, Kerio shows the absolute path, and both are the identical executable file. But Kerio describes one as 'Windows Live Messenger' and describes the other as 'Any other application', which sounds to me like a default. Rules are created for a specified executable (the Windows Live Messenger app in this case); there is no way to create a rule for something called 'Any other application', nor would I want to do that, as I don't know what such a rule would then permit to access the net.

It's not set to run at startup; I start it manually each day. But it runs all day during business hours, because I need to use it for work.

Yes, it is calling out for a reason... the intended reason. But the problem is that half the time it is silently permitted by the rules which I have created for 'Windows Live Messenger', and the other half of the time Kerio requests permission for the same address which, when I permit, shows up as 'Any other application' in the log, instead of showing as Messenger.

I'm really at a loss as to why Kerio is doing this. And very disappointed that the Kerio forum was closed--there were some real Kerio experts there!
--
Mr. Qwerky - The Lone Stranger
Hi-Ho Tinfoil, Away!


anon101

@verizon.net

Sorry I can't help any further as I don't have Kerio, but
I found this. Hope it helps:
»messenger-support.spaces.live.co···33.entry

Qwerky

join:2006-05-24
Adanac

anon101, thanks very much for the reply and the link. I appreciate your taking the time to find it!

The screenshots in that link are accurate--that is indeed the firewall which I am using. However, the text is sadly misleading when it says that you must allow Windows Live Messenger in both the in and out directions, for both the trusted and internet zones. That site, it would seem, is just a Microsoft shill, which tells one to allow anything Microsoft wants, because Microsoft can do no wrong. Microsoft knows what's good for you, even if it isn't.

In point of fact, one need only allow the outbound direction for the internet zone only, and Messenger will sail happily along without ever a prompt. In fact, that is what I have resorted to over the last week, in lieu of what I really want, which is a packet filter rule. It is the packet filter rule that is giving the problems as described earlier in this thread. Oh how I wish the Kerio experts had not vanished.

anon101, please don't take the above rant personally, as it was not directed at you in any way, but rather at M$. I do appreciate your taking the time to help, and don't wish to discourage you from doing so in the future.
--
Mr. Qwerky - The Lone Stranger
Hi-Ho Tinfoil, Away!


Caution

@verizon.net

reply to Qwerky


Just to see what happens, try making a rule for 'Any other application' and point it to 127.0.0.1 (your computer). See what stops working.
I understand what you are saying regarding "one application" showing as two. Something is piggybacking outbound, and my guess would be it's related to Live Messenger as a legit part of it. But as you said... bravo for saying it... Microsoft is a renegade, so no telling what is going outbound.
At the moment I am very ill but will later try to locate more information for you.
Did you find which port Live Messenger uses? Do so and restrict it only to that port. There is a reason for doing so. Also, you are correct in that it should only need an outbound connection.
Next, consider Trillian messenger as a replacement if it can connect to Live Messenger. I know it used to connect to MSN Messenger but don't know about Live Messenger. I haven't used a messenger program in years so cannot say anything with absolute certainty.
Good luck! When I am feeling better, and if I have more information to offer you, I will log in and PM you.

Qwerky

join:2006-05-24
Adanac

Hello Caution. Thanks so much for the reply, and please take care of yourself before worrying about replying.

Yes, I believe the piggyback is likely legit according to Microsoft's peculiar point of view, though it is definitely something non-standard since it shows up that way. And as you said, Microsoft doesn't tell us what's going on.

This is the first such problem I've run up against using Kerio. Actually, this is the first time I've ever used any messaging program, but I've got a new contract and the boss wants to use it so I must. However, when he asked me to install Windows Messenger, I googled for it and installed Windows Live Messenger. I had no idea they were two different things. Would there be any advantage to removing the latter and installing the former?

Live Messenger uses TCP ports 80, 443, and 1683. It also uses port 7001, and I noticed that all connections to that port were UDP. So I have one rule for Outbound TCP/80/443/1683, and another rule for Outbound UDP/7001. Both rules use the 'Messenger' IP group, which I created and populated with all the IP addresses Messenger asked for. I used the same IP group for both the TCP and UDP rules; is that acceptable?

Thanks again for your help, and best wishes for a speedy recovery.
--
Mr. Qwerky - The Lone Stranger
Hi-Ho Tinfoil, Away!


anon101

@verizon.net

reply to Qwerky
No problem. Glad to be of some help. Good luck.

PS: rants are always allowed here otherwise there would be no members.


Caution

@verizon.net

reply to Qwerky


Since you have a choice, why not just go with Windows Messenger and see how things go. My guess is that you will run into the same sort of problem, but try it and see.

The outbound UDP should not be required. Have you tried not allowing it?

Too many ports being used. The use of 443 would be a concern to me. I will try looking into that.

Your solution may be to install Trillian. First open an account with Windows Messenger. Afterwards you could access that account with Trillian. Trillian is more secure but of course you do have to properly set it. Which is easy. Plus with Trillian you can also use yahoo messenger, and one or two others I think. Get the free version. You can download it at filehippo dot com.

LoL, as for my getting better health wise, nope, no chance of that happening but what the hell such is life.


Caution

@verizon.net

reply to Qwerky
Ports used on a Vista OS. No doubt XP as well.

MORE INFORMATION
The following table lists the network ports that are required for various features of Windows Live Messenger 8.1 on a Windows Vista-based computer.

Feature                              Port that is used
Sign in to the Messenger service     TCP 80, 443, 1863
Network Detection                    TCP 7001; UDP 9, 7001
Audio                                TCP 80, 443, 1863; TCP/UDP 30000 - 65535
Audio (Legacy) *                     UDP 5004 - 65535
Webcam and Video Conversations       TCP 80; TCP/UDP 5000 - 65535
File Transfer                        TCP 443, 1863; TCP/UDP 1025 - 65535
File Transfer (Legacy) *             TCP 6891 - 6900
Sharing Folders                      TCP 1863; TCP/UDP 1025 - 65535
Whiteboard and Application Sharing   TCP 1503
Remote Assistance                    TCP 3389; TCP/UDP 49152 - 65535
Windows Live Call                    TCP 443, 5061; UDP 5004 - 65525
Games                                TCP 80, 443, 1863; TCP/UDP 1025 - 65535

»support.microsoft.com/kb/927847

Notice:

Remote Assistance: TCP 3389; TCP/UDP 49152 - 65535

There is no way I would open a computer to remote access.

From the ports being used it appears Windows Live Messenger wants/needs the whole array of ports to fully work. That's outrageous!

Windows Live Call: TCP 443, 5061; UDP 5004 - 65525

That is like opening every high trojan port. You should be able to block all but four ports.

Okay, now we know why you are having this issue. The other services are trying to call out.

In a business working environment this is not acceptable.

In the meantime, CHAIN THAT DARN THING! Use the above chart to block the ports you do not need and set Kerio not to log the blocks or alert you.

Qwerky

join:2006-05-24
Adanac

reply to Caution
said by Caution:

LoL, as for my getting better health wise, nope, no chance of that happening but what the hell
Hi Caution! Sorry to hear that, but best wishes anyway.

such is life.
That's the second time I read that within a few hours. The other was a quote--famous last words of Australia's notorious Ned Kelly.

Thanks very much for finding all that information. Too many ports being used--I agree! Windows Live Messenger requires one to log in with name/password (I have no idea whether Windows Messenger or Trillian does the same), which I suppose would account for port 443 (https). I can see port 1863 for its service, and standard port 80, but the rest are beyond belief.

Today before starting WLM, I added a block rule below the allow rules described above, blocking all ports/services/addresses for that .exe. WLM took a very long time signing in, but after that it has worked fine all day. Note that I use it only for simple keyboard messages back and forth.

So yes, as of now it is allowed only TCP/80,443,8163 and UDP/7001. Tomorrow, if I'm feeling brave, I will disallow the UDP rule and see what happens. What would it use UDP for anyway?

I am very hesitant to take very large steps at this point, as 1) Kerio is very susceptible to crashing when creating rules from pop-ups. I've been meaning for a long time to move over to Comodo since it seems to be highly thought of, 2) I need the system to function without interrupt for work, especially with this new contract, and 3) large time constraints and deadlines at the moment.
--
Mr. Qwerky - The Lone Stranger
Hi-Ho Tinfoil, Away!

The Snowman
Premium
join:2007-05-20
·Verizon Online DSL



What OS are you using? If it's NOT Vista then you could take a look at Kerio 2.15 (but only if you know how to make rules for it). Comodo, from what I hear, is a real pain with the pop-ups; a Comodo user would better know if it is or not. Point being, just be sure you don't swap out for something worse than what you are already experiencing. People tend to forget that some of the older firewalls still do a fine job.

In your case I honestly do not think that changing firewalls will really help much. Your problem is not with the firewall; it's with Windows Live Messenger.

Yes, you really should consider Trillian. I know it works with Windows Messenger; that should do the job for you just as well as that Live garbage.
If you get an infection, or your client does, it's going to be passed from computer to computer. LoL, you definitely never want to infect a client's computer.
Friend, you are fighting with a PitBull using Live Messenger. Microsoft does not give anything without wanting more in return. You really need to rid yourself of that thing quickly.
Kerio worked for you before this. Stick with what works for you; it's not a Kerio problem.
Not much more can be offered to you in the way of suggestions under the circumstances. I understand you are just trying to do your job; unfortunately, Windows Live Messenger is a pain in the buttocks. Why make life hard? Find something else to use.

Qwerky

join:2006-05-24
Adanac

Hello Snowman, and thanks for the reply. I'm using XP SP2 with Sunbelt Kerio. Yes, I agree 100% the problem here is not Kerio, but WLM. I was wanting to get away from Kerio (long before this issue came up) because of its horrible habit of crashing the system when creating a new rule via a pop-up. I was looking at Comodo because some of the comparative testing showed it ranked very high, while Kerio ranked very low in those particular tests. However, I'm not anxious to take such a large step at the moment; perhaps when I have more time.

This evening I've been doing a little testing with WLM, while closely monitoring my firewall log. First, I disabled the UDP rule, and WLM continues to operate (I see the UDP blocked in the log, but it is infrequent).

From what I can see, it appears that WLM likes to use port 1863 when the user signs in; I don't see it after that, though I'm not actually passing messages with anyone at the moment. After the login, I see a lot of WLM traffic to ports 80 and 443, so those ports are apparently necessary. I even tried signing in with port 1863 blocked, and it did eventually succeed, though it took somewhat longer. So it would appear that 1863 is for login, 80,443 for messages, and UDP is not required for operation. I will have a better idea if this is so, tomorrow when I actually message someone.

I did notice, however, that the IP blocks 209.67.0.0 - 209.67.255.255 and 216.34.207.0 - 216.34.207.255 are both associated with the ads that appear in WLM, as I see them in the log when the ad changes. Sam Spade says they both belong to Savvis [the latter group to Valueclick (Savvis)]. I blocked both these groups, and WLM continued to log in and function. During the brief time I tested with them blocked, I didn't see any ads appear (though there may also be other blocks used by WLM for ads). I hope that may be of help to some other WLM user who doesn't want to see the ads. I'm going to leave these groups blocked and make sure I can still message with WLM tomorrow.

Now that you've mentioned infections spreading via WLM, I am concerned. Is Trillian immune to such? Since it has been twice recommended now, I will try to find time to give it a look. Thank you both for the recommendation!
--
Mr. Qwerky - The Lone Stranger
Hi-Ho Tinfoil, Away!
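The rule set Qwerky ends up with across the thread (allow TCP 80/443/1863 and UDP 7001 to the 'Messenger' IP group, block the two ad ranges, then block everything else for the executable so the pop-ups stop) modelled as an ordered, first-match evaluation. This is an added example, not Kerio's code or rule format; the executable path and the non-ad networks in the IP group are assumptions, and it also shows why the ad block must sit above the group allow.

```python
"""Ordered, first-match model of the outbound rule set described in this thread.
Added example, not Kerio's own code or rule format; the IP group contents and
the executable path are constructed assumptions (the page gives neither)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set

WLM_EXE = r"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"  # assumed path

def nets(*cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]

# Ad-serving ranges named in the thread (Savvis / ValueClick).
AD_RANGES = nets("209.67.0.0/16", "216.34.207.0/24")
# The 'Messenger' IP group holds every address WLM prompted for, so (as the
# log shows) the ad servers are in it too.  The other networks are constructed.
MESSENGER_GROUP = nets("65.54.0.0/16", "207.46.0.0/16") + AD_RANGES

@dataclass
class Rule:
    name: str
    action: str                        # "allow" or "block"
    app: Optional[str] = None          # None = any application
    proto: Optional[str] = None        # None = TCP and UDP
    ports: Optional[Set[int]] = None   # None = any port
    remote: Optional[List[ipaddress.IPv4Network]] = None  # None = any address

    def matches(self, app, proto, port, ip):
        return ((self.app is None or self.app.lower() == app.lower())
                and (self.proto is None or self.proto == proto)
                and (self.ports is None or port in self.ports)
                and (self.remote is None or any(ip in n for n in self.remote)))

# Order matters: the ad block sits above the group allow that would otherwise
# match the same addresses; the per-exe catch-all block at the bottom turns the
# daily permission pop-ups into silent drops.
RULES = [
    Rule("WLM: block ad networks", "block", WLM_EXE, remote=AD_RANGES),
    Rule("WLM: allow TCP 80/443/1863", "allow", WLM_EXE, "TCP", {80, 443, 1863}, MESSENGER_GROUP),
    Rule("WLM: allow UDP 7001", "allow", WLM_EXE, "UDP", {7001}, MESSENGER_GROUP),
    Rule("WLM: block everything else", "block", WLM_EXE),
]

def evaluate(rules, app, proto, port, ip):
    """First matching rule wins; with no match a personal firewall would prompt."""
    addr = ipaddress.ip_address(ip)
    for r in rules:
        if r.matches(app, proto, port, addr):
            return r.action, r.name
    return "prompt", None

def ad_rule_last():
    """Same rules with the ad block moved to the bottom: the group allow wins instead."""
    return RULES[1:] + RULES[:1]
```

Connections from any other executable still fall through to a prompt, because every rule here is bound to the WLM path.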
© 1999-2008 dslreports.com