
 | [KerioBeta] Kerio 4.0 beta 1 is out Hi,
Kerio 4.0 beta 1 is out. You can get it here: www.kerio.com/dwn/kpf4-beta.exe See also here: »groups.yahoo.com/group/keriofire···ge/16611
Supported systems are Win2000, Win XP and Win 2003. Support for Win 9x, ME and NT will follow soon. A conversion utility to convert 2.x rules to 4.0 is included in the download-package!
Greets, Joerg | |  ZupePremium,MVM join:2001-11-29 New York, NY | Thanks for the announcement Joerg. If anyone is trying it, feel free to post a few screenshots  -- Pinky: I think so Brain, but if we give peas a chance, won't the lima beans feel left out? | |  gwionwild colonial boyPremium,ExMod 2001-08 join:2000-12-28 Pittsburgh, PA kudos:1 | reply to -Joerg- Thank you very much. I see the webpage at Kerio is yet to update the link, so I'll sticky this until they get it posted there. As always, keep in mind, beta means "under development," so I don't recommend that everyone beat a path over and try it out, just those of us who want to participate in testing and have a look at the next generation, and who are willing to put up with rough edges and potential undiscovered issues for the sake of development and debugging...  -- "Y Ddraig Goch Ddyry Cychwyn" | |  gt7697cPremium join:2001-02-16 The Hive | reply to Zupe I tried it Zupe for a little while. It was nice and had an IDS database built into it. But it wasn't on the system long enough for me to get screen shots.
It is off the system for now. Because I didn't like the interface very much. It seemed like they were trying to be Sygate and not Kerio or ZAF. I couldn't find where to create my rules, and when I eventually found it it was more confusing to me than me trying to customize a rule using Sygate. I guess I like the concept of what they were trying to do, but didn't like the GUI at all.
So it is back to 2.1.5 for me and BID.:( -- Just my 2 bits. | |  ZupePremium,MVM join:2001-11-29 New York, NY | said by gt7697c: Because I didn't like the interface very much. It seemed like they were trying to be Sygate and not Kerio or ZAF. I couldn't find where to create my rules, and when I eventually found it it was more confusing to me than me trying to customize a rule using Sygate. I guess I like the concept of what they were trying to do, but didn't like the GUI at all.
That was one of my major problems with the early version of Beta 3 I tried, I hated the interface. I'm hoping because there's now an import feature for rules from 2.1.5 (did you try that and did it work correctly?), it will be easier to see what rules are supposed to look like in the new format and where they're supposed to appear, but I still wish they'd stuck with something approximating 2.1.5's design. I'll reserve any further judgement until I've seen/tried it for myself  -- Pinky: I think so Brain, but if we give peas a chance, won't the lima beans feel left out? | |  gt7697cPremium join:2001-02-16 The Hive | Yes I tried that feature. With all the changes I do to my system...I learned to backup the rules to a Floppy so I always have the latest backup etc. I also had to use the Convert Rules programs....which crashed...but was able to convert the rules over to something KPFbeta4 could see...unfortunately it didn't see anything at all...and therefore wasn't keying off any of the rules. At least for me it didn't work at all.
I did like the IDS feature, but I doubt the sigs were as much as what BID uses or Snort. -- Just my 2 bits. | | |
|  BlitzenZeusBurnt Out CynicPremium join:2000-01-13 kudos:2
| reply to -Joerg- Trying to compete with the bloatware boys... I'm not impressed.
The reason I use Kerio and Tiny before that was it had a "Simple Complexity" which sounds oxymoronic, but with the same settings you could be completely anal or as loose as you wanted without going into 5 different screens.
I guess I'm a dinosaur when it comes to firewalls, I like them when they worked, and didn't have to be made so a 10 year old (or a 40 year old) could use a rule based firewall without much effort when they are highly complex at their core. This is why I can't stand the Norton firewalls, as I used AtGuard before Symantec bought out AtGuard to use it in their Norton firewalls.
Try to please everyone, and you lose everything that you are... -- Everything I thought It'd be is nothing like it is - Linkin Park | |  Nought join:2003-02-02 Netherlands | Some screenies attached.
The interface is radically different, but offers still proper customization. It always takes some getting used to. It does tend to be a little bit too commercial. I suppose no beta user really cares much about the interface. I also prefer the raw approach from version 3 betas. | |  gwionwild colonial boyPremium,ExMod 2001-08 join:2000-12-28 Pittsburgh, PA kudos:1 | reply to -Joerg- Grrrr... OK. Looks like it came with the conversion utility for 2.x rules. That's great. But don't bother trying to import a 3.x ruleset, it's the big blue button that does nothing. Nor stop the service and drop in the old 3.0 rules... seems there's a good reason the big blue button doesn't work; it doesn't have to. It didn't parse the filter rules at all. After I rebooted there were a few settings from my 3.x set, but the rules were blank, even though the file was still there, where I transplanted it. Seems the format's changed from 3.x, I suppose... but... catch-a-tweneetoo, the translator is for 2.x.
I suppose I'll import my old 2.x rules, for now, then tune them as time permits. Good thing I saved the backup.
Otherwise, looks alright, so far. Yes, GUI's going to take some getting used to, indeed. I really thought the MMC console metaphor was nice, myself. Well... time to dig out the old ruleset and get started. Damn. I like the new rules, that allow multiple IP's, ports, etc., in lists, and worked a good while on those 3.x rules. Now I'm back at square one. -- "Y Ddraig Goch Ddyry Cychwyn" | |  gt7697cPremium join:2001-02-16 The Hive | Gwion, Be prepared for some problems when you convert your 2.x rules. I tried it earlier and it caused a problem with XP wanting to send an error to M$, plus no rules were converted over to the new format. _________
BlitzenZeus,
It would be nice if they gave a UI option at install.
Would you like to have:
10 year old GUI?
or
Normal GUI?
Same with the other features, like:
Do you want the Packet Filter?
or
The packet Filter and the IDS?
It would be nice...instead of the bloat. -- Just my 2 bits. | |  Nought join:2003-02-02 Netherlands | reply to -Joerg- Conversion from 2.1.5 doesn't work for me either. Nothing happens and I'm usually very creative in these cases. I'll try again tomorrow (a time zone problem...GMT+0100 for those who know what that means). | |  w0go.O join:2001-08-30 Springfield, OR | reply to -Joerg- Heh.. forget the rule converter, advanced packet filter rules don't even work. | |  ZupePremium,MVM join:2001-11-29 New York, NY
| reply to -Joerg- Ok, I just spent about an hour playing around with this (reinstalled 2.1.5 for now, though I may give it another shot when I have more time), and here are my comments:
The Good:
- Application Filtering
- IDS
- Multiple non-consecutive ranges allowed in rules creation
- Grouping of Advanced Rules (for example, can create a group called Internet Browsers containing IE and Opera, etc. I didn't get far enough to determine whether rules can be made on a groupwide basis)
The Bad: Just about everything else 
- The rule converter converts just fine, but the config file doesn't import into the new version, and if you try to import it or copy it in manually, it says it's invalid or just ignores it
- I still hate the interface, though it's slightly better than I remember 3.0 being
- Beyond just the dumbed down look of the interface, it makes no sense at first glance. It took me about 30 minutes to figure out how to get to the advanced filter screen without waiting for an app. to prompt me
- The firewall itself crashed twice while creating normal rules on application popups, and also caused 3 blue screen stop errors. I've only had a blue screen stop error once in over a year of using XP prior to this. I think the stop errors may have resulted from my trying to delete some of the default rules before creating advanced rules to cover basic operations, but this still shouldn't happen
- No indication of how slider settings and the rules they create interact with user created rules and which takes precedence -- Pinky: I think so Brain, but if we give peas a chance, won't the lima beans feel left out? [text was edited by author 2003-05-19 21:06:03] | |  gwionwild colonial boyPremium,ExMod 2001-08 join:2000-12-28 Pittsburgh, PA kudos:1
| reply to -Joerg- Well... it will make rules - manually. Real fun. But neither the converted 2.x file nor my 3.0 file would register. Advanced screen was just blank for both, after a careful service stop and restart (since import is plain non-functional in the interface). And I haven't had much time to explore, yet, but the word's out, forget any easy way of getting your old rules, 2.x OR 3.x, into the firewall.
Also, a quick look at my taskman tells me that the firewall, itself, is amazingly light... even with the added functionality... then, look down at the GUI, which conveniently runs separately - yes. 5 megs all by itself for a pretty face. A firewall that does this much, in under five megs? Great. A five meg GUI? ahhhh... no comment.
Filter rules look great, yes, but they're directly taken from 3.0, and they worked beautifully, as did the app start component, in the last beta.
The problem with the GUI hanging on shutdown is mercifully gone, by the way ... but I'm literally fit to be tied, after all the work I put into my 3.0 rules... and they're now a dead letter. It wouldn't be THAT bad, if the converted 2.0's could be patched in while I re-create, but that's buggy, too... this'll probably be my last set of remarks for tonight, I'll need some time to get a ruleset built... so best of luck, brave souls. Happy testing... 
PS- and as for selectable features, what I would like to see would be a "simple" GUI like this if you want it, and an "advanced" GUI for the people who just want a bare bones interface into the rules... and to close, I really want to know, do they honestly expect the power users to continually rebuild their ruleset for every release? That's a pain. A royal pain. Oh, right... and I also noted immediately... no passwords on the GUI, again...
PPS- oh, here's another news flash. You have to now cut'n'paste the application path into a rule; there's no directory popup to locate the file... y'kno, that's always a nice touch where you need to find an executable...
-- "Y Ddraig Goch Ddyry Cychwyn"
[text was edited by author 2003-05-19 21:17:28]
[text was edited by author 2003-05-19 21:25:34] | |  gwionwild colonial boyPremium,ExMod 2001-08 join:2000-12-28 Pittsburgh, PA kudos:1
| reply to -Joerg- Alright, already. Put on the ruby slippers... click your mouse three times on the "install" app for two-one-five... restart and import the old ruleset. Repeat after me, "there's no place like home."
I'm done, for the moment. I don't intend to spend several hours recreating the ruleset I had tuned like a fine violin on 3.0 - and it worked, and worked well, and the tragedy is that I thought the filter rules were perfect in the earliest 3.x betas, yet they tinkered them and tinkered them, until:
- they removed the "prompt for action" selection, so it's back to allow or deny; that was damn useful, and I was using it very effectively in 3.x beta. Damn it.
- they removed "block" as an option several betas ago, another option I can see some very good uses for, especially within the LAN, so a port can be blocked but not stealthed... granted, a limited range of appropriate uses, but useful in its place...
- they removed "ip and port" as an option in the listbox. That was useful, too. You could combine several rules into one, that way, and create a sensible logic based rules title.
All that irritates me, somewhat. Those were good features, and they worked. Meanwhile, we cited a whole laundry list of things that needed work, and through six incarnations, those things were never even addressed. However, rules constructs that worked from day one, and were the shining star of the beta releases, were kibitzed with mercilessly from every release to the next.
Overall, I'm getting the feeling they're writing a firewall to fit a GUI. Period. And the GUI isn't what protects my machine, the firewall is.
What the hell was ever wrong with the plain-jane interface Kerio's had since it was TPFW? I like it. It works. And it adds nothing to the bloat factor.
I would be happiest if they could put the full filter rules upgrades package under the old faithful GUI and leave well enough alone. Just add a button or tab or two for the app starts and IDS and so forth. Of the two new interfaces, I liked the MMS metaphor, best. At least it made sense to me. On a positive note, they did away with separate advanced and simple GUIs, and that's good. It was annoying to have to bounce between two of them, and couldn't have simplified development, either. But on a downside, I stared at this UI for at least ten minutes, wondering where the "use windows defaults" button was, so I could make it more ... standards compliant ... but it isn't there.
So, if I want the better rules format, I guess I have to accept the new look, eventually... as much as I hate it... but if they keep gutting the functionality of the new rules construction screens, I don't think it'll be a problem, it'll be the same as 2.x, by the time they finish. Seems as if they want to tease the power users who like the finest granularity with a very sound, workable implementation, then pull all of the working additional functionality out on us in the next release. Why is an eternal mystery to me. The packet filter was rock solid from the first, it was the other stuff that needed work, and the other stuff never got the work.
Start and start others also worked fine, by the way. Better be quiet, or they may gut out the granularity from that, too... 
Overall, 4.x seems like an improvement, in some ways, and it looks like they may have tightened up the code a little (f'rinstance, hanging the GUI on shutdown was never something that inspired my confidence that there was much "tightness" in that part, at least...) --- and face it, making an accessible version for new or casual users is good, Kerio's a good firewall, and it would be nice to have some features so new users or users who just don't want to be bothered can use it more easily. But building "just another cloned mainstream firewall" isn't what I have in mind; that's a fast track to losing long term users, and then having to compete like hell with every other security business on the planet to get new ones. The niche audience is going to be angry, too, because nobody else makes a straightforward, granular, basic packet filter firewall like this, anymore, for windows. Looks as if Kerio doesn't want to, either. Damn shame.
Finally - As a rule, GUI's are built to fit code, code isn't rewritten to fit the GUI. You could give me a TCL frontend over a command line firewall, and, if it does the job, and does it with the maximum user configurability and directness, I'm happy. This thing looks like a Christmas tree they decorated every day from Thanksgiving going forward, and, come Midwinter Night, they discovered they decorated so lavishly they didn't have any room, underneath, for the gifts...
PS- yes, I'll test. But not on this machine, and not yet. ... I'm not throwing in the towel, by any means, but I want to wait things out. And I'm just annoyed with the rules import thing. After all, it is a beta. But the continuous removal of nice new features in the packet filter is really irritating me. Granularity is what hooked me on this product originally. The more of it the better... it distresses me to see a good feature yanked and trashed. Uhhh, welll... especially when I have it in use in a ruleset, and have to get to liking it just in time to have to reconfigure the danged rules to do without it!
-- "Y Ddraig Goch Ddyry Cychwyn"
[text was edited by author 2003-05-19 22:53:20] | |  | reply to -Joerg- I generally like it; looks pretty smooth.
Anybody using this on a laptop? Anybody try to hibernate their machine with this installed?
Laptop can not enter hibernate mode with Kerio installed. That doesn't work well for me. Anybody else seeing this?
Overall I think Kerio v3 (and what I have seen of ver4) are outstanding firewall products. | |  w0go.O join:2001-08-30 Springfield, OR | said by FirewallUser: I generally like it; looks pretty smooth.
Agreed. Can't wait for final. quote: Anybody try to hibernate their machine with this installed?
Hibernation works fine here (desktop/WinXP). | |  gwionwild colonial boyPremium,ExMod 2001-08 join:2000-12-28 Pittsburgh, PA kudos:1 | reply to -Joerg- I'll second that. I do think that Kerio is still an excellent firewall. I don't want my comments misinterpreted as being a trash on the whole direction they're taking, but as constructive advice. As long as the advanced config works, us old timers can adapt, no doubt about it, to the rest. 
I noticed that it definitely felt more stable, and the code issues from beta 3 got some tightening up. Very good. It's still a beta, of course. Soon as I can get a proper testbed set up, I'll have more comments. For right now, I can't really say much more, because I really will need to readapt my ruleset from 3.0, because I was using "prompt for action" in more than a few rules, and I was tweaking constantly, assuming I would be able to import them somehow, for 4.x --- bad assumption, of course ... there'll be one reason that a lot of us will want to upgrade, by the way, even if we don't like the new features (or, like me, the GUI)... and that's the ability to do lists of IP in the rules. That was something that should have been added ages ago. It makes a huge difference in ruleset size and complexity... enjoy, and let's keep the comments flowing.  -- "Y Ddraig Goch Ddyry Cychwyn" | |  gt7697cPremium join:2001-02-16 The Hive | reply to gt7697c Does this beta have a built in Loopback rule????
Can you create rules with it to stop 127.0.0.1:8080???
I tried using it again, but gave up as the UI just doesn't make any sense to me at all.:( -- Just my 2 bits. | |  gwionwild colonial boyPremium,ExMod 2001-08 join:2000-12-28 Pittsburgh, PA kudos:1 | reply to -Joerg- Yep. You'll have to disable the builtins to get rid of it, too... I won't be able to make detailed comments until I get it up on a test machine, but you could see if it can be deleted from the "trusted" range, and if that sticks, if you're going to run builtins for a while... last beta would "forget" every change you made to the custom ranges as soon as you shutdown and restarted... it looks as if disabling builtins means either picking the "high" setting for net security, or setting custom rules, picking "block" for everything... I can't figure out which, or is it either, or... duh... no, I don't much like the GUI, either, as you might have guessed...  -- "Y Ddraig Goch Ddyry Cychwyn" | |
|