Forums » The Site » Old Forums » Kerio - Tiny Support » BZ Kerio 2x Default Replacement Update


BlitzenZeus
Burnt Out Cynic
Premium,MVM
join:2000-01-13
Beaverton, OR
·Verizon FIOS


4 edits
BZ Kerio 2x Default Replacement Update

bzkerio2xdef···ltu2.zip 95,697 bytes
OLD- use link below screenshots.
  
BZKerio2xDef···inal.zip 95,142 bytes
Final Release Download
  
For the latest version, please use "FINAL RELEASE DOWNLOAD" link, above.

NOTE:
Moderated to add attachment of and link to "FINAL RELEASE."
»/r0/down···inal.zip
(Mirrors "final" link in the attachments.)


BlitzenZeus
Burnt Out Cynic
Premium,MVM
join:2000-01-13
Beaverton, OR
·Verizon FIOS


1 edit
BZ Kerio 2x Default Replacement Update



This is not provided to help you learn how to use the firewall by any means, but only as a replacement for the default rules. If you need help configuring it for your system, make a new thread please, since it applies to your configuration. Do not e-mail or IM me about any questions please.

Changes:
There have been a few major changes, but nothing to make you want to start all over again unless you really want to. You can look over the ruleset, and compare it to the previous version to see if you want to make those changes yourself. Please don't ask how to make those changes in this thread as much of it is basic operation of how to use the program.

Pre-Download:
If you use a router, make sure you know the ip address of your router before you do any of this, and if you don't know the ip address of your router you need to check your manual or ask in the forum for your hardware.

For Lan configurations, there are a few predefined rules, but they are not guaranteed to work for your setup, so you should know what you need to allow for your network. I have set up the lan rules very loosely, so you will have to secure them later, as they were meant to work for most configurations.

4x
I will do little to no support with these rules in 4x. 4x was released too early as a final release; it's still very buggy, and many of its settings are conflicting. It also has a huge problem with not logging events. While people can import this into 4x, the only thing I suggest is seeing this thread on disabling the simple settings as much as possible.
»[Kerio] 4x Turn this back into a real rule based firewall!

Basic steps:
-Download Kerio 2.1.5, and this replacement.
-Disconnect from the internet, pull the cat5 cable(s) if you have to. Make sure that you will not be automatically connected to the internet again after you reboot, otherwise your system will not be protected. It is also advisable you disconnect from any lan you're connected to. (This might make your boot longer since your computer might try to get a dhcp response that it won't get until you reconnect your cables.)
-Uninstall any other firewall you have on the system completely, but keep the install around if something happens. Reboot.
-Install Kerio 2.1.5, and reboot.
-Save the default rules, and then Load the downloaded ruleset in the miscellaneous tab of the administration.
-After you have configured the rules with the information you have offline for things like your router, then connect, and start customizing your rules.

Where you Load, or Save your ruleset


Custom IP Blocking:
This is offered as an example: instead of blocking an ip address like the two above rules, or a range in a rule, you can use the custom address group so you only need one blocking rule. This way you just add the address, or range, to the custom address group. This is not an excuse to not use your hosts file, but is for sites that might be called by ip address, which bypasses your hosts file. If you don't know what your hosts file is, that is something you can ask in the security forum.

If you choose to use this, obviously don't use the custom address group for your dns rules.

Custom Address Group


Router:
If you have a router make sure the Router Configuration rule is configured with the correct ip address, and then enable the rule.

Lan Rules:
These will not work for all setups, but you can edit them for your needs.

Known Lan Broadcast
This might not apply to your lan, you can always edit, or delete the rule.

Lan Range Bypass
There are rules for two common ranges, and you should know which range your lan runs on. It's suggested you edit the range to only the used ip addresses, or make separate rules per machine.

DHCP Host - Lans run on Dynamic addressing, and ICS
If the computer Kerio is installed on provides dhcp for other computers on the network then you need to enable the DHCP Host rule, and your other lan rules will allow DHCP reply for allowed local ip ranges. If you use ICS, and kerio is installed on the host machine you must have this rule enabled.

ICS Configurations:
If this machine will be an ICS host, then you should check the 'Is Running on Internet Gateway' option, uncheck 'Log Packets Addressed to Unopened Port', and uncheck 'Log Suspicious Packets' in the miscellaneous area under advanced. While using an ICS configuration with the gateway option checked you must use a block all inbound rule at the end of your ruleset. In some cases it was possible to do it without checking the option, but let's just do it this way so it should work. You will now have to use your block all inbound rule to drop packets to unopened ports instead of sending a closed reply, if your rules don't block it first. As far as open connections go, your rules will still apply. You might have to check your logs for connections that are not working among the blocked probes.

Loopback:
The standard loopback allows all traffic with the localhost loopback, and if you use a software proxy you will want to configure the port ranges to exclude any ports used for software proxies, which you will have to make allow rules per program so you don't have the proxy be a hole in your firewall. You can also make separate rules for programs that require loopback access, and not use any general loopback rules.

Proxy Loopback


Here is a link to help with software proxy configurations.
»[Kerio] Generic Rule Set for Kerio (Proxy and no Proxy)

DHCP:
If you're on broadband you most likely use DHCP, even if it's provided by your router, or another machine on your lan. If you use dial-up, you don't use dhcp, and you can uncheck the unrestricted DHCP rule.

Routers, and Lans
If your computer gets its connection from a router, or another machine on the lan, then the router or lan rules should already allow this. You should be able to disable the unrestricted dhcp rule without assigning a dhcp server.

Often the DHCP server in your ip configuration is correct, however at times it's not. The unrestricted rule is logging for a reason: when your connection is active, release and renew your connection. The server in the logs is the server you want to use in the Custom DHCP rule. After you put that server in the assigned rule, disable the Unrestricted DHCP rule.

If you don't know how to release/renew your connection if you need to, see ip configuration below.

Assigned DHCP


DNS:
This is required for everything: when you try to visit www.site.com, this is how your computer figures out which numbered ip address belongs to that name. You can simply open your ip configuration, then put those dns servers in your rules. Once you specify your dns servers, disable the unrestricted rule. If you don't know how to find the ip configuration information, see below.

As a note, the Unrestricted DNS rule is logging, to be an incentive to actually configure the DNS settings. If you find that you're getting alerts from the Custom DNS Alert rule, make sure that the servers are in your ip configuration before adding them to your rules. If you have multiple providers, or a provider that rotates, it might be easier to use the custom address group. You can make more dns rules, even use ip ranges, but don't leave gaps in the addresses. If they are not right next to each other, then make a rule for each one if you do it that way.

If you do use the custom address group, do not use the custom ip blocking at the same time since that will kill your dns communications.

Assigned DNS


ICMP:
This ICMP is pre-configured for most uses, and if you want others to ping you, all you have to do is enable the In ICMP 8 Inbound Ping/Trace rule.

Various Blocking Rules:
Verisign DNS Abuse: With the recent abusive behavior of the verisign corporation they have disrupted many internet protocols, so this will help restore your connection to as normal as possible by blocking a couple of key ip addresses.
IGMP: Used for lans, the lan bypass rules, and router rule would cover this if really needed.
IPv6: Yet another recent scan of computers looking for others with IPv6 working, 99% of normal users won't have to deal with IPv6.
NetBios Block: Your lan rules should permit the communications you need, and netbios should have nothing to do with internet communications.
Windows Services Block: This blocks standard NT services which should have nothing to do with the internet.
Local Ports Block: The lower standard ports are being scanned recently, so this was added. It's possible this will block real traffic, so you can edit the port range, or disable the rule if you really need to.

Block all rules:
When you start making your own rules, make sure they are above the block all rules, and in most cases, if you need to use them, you only need to use the Block all inbound rule. Like it was said above, you will need to use the inbound rule when your machine is the ICS host.

Applications always above the block all rules


IP configuration:
In 9x/ME systems the command is winipcfg which you can run from the start menu, and it is GUI based.

In NT based systems, open the command prompt, and the program is 'ipconfig'. Type 'ipconfig /?' to see its commands.

If you need help with either of these programs ask in The Microsoft Forum please.

DOWNLOAD:
The download contains two versions, the standard version which is what we talked about in this thread, and the advanced version.

Download BZ Kerio 2x Default Replacement Update 2
This Default Replacement has been Updated:
Download the Final Version of this Default Replacement
Information on last release

Advanced version
Anybody who feels they know enough of rule based firewalls to use the advanced version should be able to make their own rulesets already. Rules to control your lan via subnets, and anti-spoofing rules are in this version. Less support will be provided for the advanced version since the users should know what they are doing.

Advanced Additions



If you have any questions
Please do not ask any questions about your configuration, do not post any screenshots of your configuration, and consider that this is an option I am providing to be more secure from the beginning. Only questions about this default configuration directly please, and please keep those questions in this thread. No IM's, or e-mail please. When you start your own thread for questions about your custom configuration, it would be helpful to mention that you started using my default replacement ruleset, and which version. This is the second update.

You can incorporate these rules into your own ruleset if you like, but please understand what they do before you do. Copying others' rules might not help when you don't understand what you're permitting.

The intent of this thread is not to teach you how to use the firewall; that is something which takes experience and knowledge, as Kerio is far from Plug n Pray. This thread merely provides a ruleset which is more secure than the default ruleset provided with Kerio. You still have to set up your own rules, learn how to use the program correctly, and by no means is this configuration guaranteed to work for everybody.

I thank Gwion for his assistance on this project
--
My hourly rates:
$25 per hour.
$35 per hour if you want to watch.
$45 per hour if you want to help.
$75 per hour if you tried to fix it, and failed.
[text was edited by author 2003-09-21 05:56:20]


gwion
wild colonial boy
Premium,ExMod 2001-08
join:2000-12-28
Pittsburgh, PA


1 edit
reply to BlitzenZeus
OLD - hashes for first release. Hashes for final release appear below. Please download the FINAL RELEASE, and refer to the "fingerprints" later in this thread to verify the .conf files. Thanks...

Calculating hash of 25124 bytes file `C:\...\BZkerio2xadvanced-u2.conf`...

SHA-256 : 1CAD0780194589515A8C73A05342AC080E7C8BF9F15827CC97235614B6514575
SHA-512 : EA4A16D4E2E95486C259288BC35D017510606EDDAC40B4315B45329678D0DEC717C43FD9974F94E4E7 98AD7FBA 935A919FD4C6CFD2F87DC791097A019EF79847
MD5 : BC3901E6214C513AEBE68687B0253C7F
RIPEMD-160 : F9069DD2E77332511AAA9F3F391092D47095802A
CRC-32 : C48F34C2

Calculation took 0.015 seconds

____________________________________________

Calculating hash of 18302 bytes file `C:\...\BZkerio2xstandard-u2.conf`...

SHA-256 : FEBC654A458A6D4790B1F1F83689C8888DFA6BB40427CDA63284FD5B72BD614A
SHA-512 : A9549A2DDF363C8C21FF1564FE741DAF85CD2405B593035D2E055FAD21B7BBED58D066D4E0207C1616 ECAD0DAD F9D02E070AE205A2F3CE720560AA4EF4B17903
MD5 : 1D2C149023505378F4BEEE5F1075D569
RIPEMD-160 : 8BC86C818C87205250091F4E90BA65C6EB921BB6
CRC-32 : 740B7F63

Calculation took 0.016 seconds
--
Every knot was once straight rope...

[text was edited by author 2003-09-21 04:09:13]


BlitzenZeus
Burnt Out Cynic
Premium,MVM
join:2000-01-13
Beaverton, OR
·Verizon FIOS


reply to BlitzenZeus
Preventing localhost IP spoofing

I thought about making an update, but there is really one main change that people could easily do themselves. So here is the link, and you can apply it if you want to.
»Preventing IP spoofing of the localhost

Note for advanced users: You already have a rule in place you can edit so you don't need to make another blocking rule. Delete the 127.0.0.0 anti-spoofing rule, and edit the 127.x anti-spoofing rule to the range 127.0.0.0-127.255.255.255 from 127.0.0.2-etc... after making the change to the loopback rules.
[text was edited by author 2003-09-27 11:27:16]

jfahrner

join:2003-09-25
Germany

reply to BlitzenZeus
Hello BlitzenZeus,
I found the following sentence in the kerio documentation:

"If you have a stand-alone computer that is not connected to a local network, only enable the option 'For Microsoft Networking Use These Rules Instead Of Filter rules'. Leave all other options off. This will disable all communication for Microsoft Networks as it is not relevant to this scenario."

In your configuration, this option is NOT checked.
Is there any reason why you didn't check this?

Regards
Jochen


gwion
wild colonial boy
Premium,ExMod 2001-08
join:2000-12-28
Pittsburgh, PA

reply to BlitzenZeus
Sure. Because it's provided for in the rules. That just automates by wizard the blocking of 137, 138, 139, etc. and makes it easy to add LAN allows in the private trust range. It could be used with the rules, too, as redundancy, but it would be -less-, rather than more, comprehensive, since the custom rules block 135, too, which wasn't considered important by anybody (except me) until about two months ago when somebody actually did what I've been warning about for years, and exploited that wide open WinRPC endpoint map port...

It's a call... either use the preconfigured or make a rule. But if you use preconfigured, remember, you want to block the DCOM-RPC nonsense, that has no more business on the internet than NetBios traffic...


BlitzenZeus
Burnt Out Cynic
Premium,MVM
join:2000-01-13
Beaverton, OR
·Verizon FIOS

Thanks Gwion, and you're not the only one who was blocking 135

That feature tries to do two things, but the fact is, your rules can do a much better job, while controlling access to your shares in windows leaves you more secure overall.

I never saw the need for the addition of the tab at all, and it can possibly even make you more vulnerable now.

pgoelz

join:2001-12-26
Rochester, MI

reply to BlitzenZeus
Guys, I'm a bit confused.

In our LAN, we use TCP/IP for internet and IPX for the LAN. File sharing is NOT enabled over TCP/IP. Under that scenario, do the settings under the "Microsoft Networking" tab have any effect? I have always used the "For Microsoft Networking, use these rules" checkbox, but I have never been sure it had any relevance on a system where NETBIOS is NOT enabled over TCP/IP.

If those settings do NOT affect IPX LAN traffic, then I also assume I can leave them in place in case one of our PCs is accidentally left with NETBIOS enabled over TCP/IP. It happened just last week on my laptop because Billy defaults everything to enabled.

Do I got it right?

Paul
--
Paul Goelz, Rochester Hills, MI
Model Helicopter, music and astronomy pages:
http://pgoelz.com


BlitzenZeus
Burnt Out Cynic
Premium,MVM
join:2000-01-13
Beaverton, OR
·Verizon FIOS

The MS tab covers netbios, and attempts to control access to shares with netbios over tcp/ip. Also these rules are made to work with netbios configurations since that is what most people run.

I'm not familiar with ipx configurations, but if it uses normal ip addressing then you likely would have to use some lan allow rules. If it works like NetBeui then it would run as its own protocol, separate from those rules, and settings.

If netbios is enabled on one of your machines, you could leave it enabled if you have to in the case where the rules/settings are not needed, but it obviously would only talk to other machines for shares access that run netbios. In this case I wouldn't have them enabled at all, and just keep track of the port 137-139 hits on your other machines as it will try to advertise itself.

jfahrner

join:2003-09-25
Germany

reply to BlitzenZeus
Hello,
I think TCP port 113 should be opened. This is because of auth protocol for some mail servers. It is described in RFC 1413.
When this port is not opened, it causes a significant delay during login on some mail servers. Even if there is no listener on this port, the server waits for a response in its attempt to open this port.

Regards
Jochen


BlitzenZeus
Burnt Out Cynic
Premium,MVM
join:2000-01-13
Beaverton, OR
·Verizon FIOS

It's rare to find it used on mail servers these days, more like outdated mail servers, and it's mostly irc servers that still use this.

If anyone must allow this, only allow it from the servers that require it, and allowing it from any address will prevent you from being stealth, for those who care about it.
Inbound tcp Server.IP: Any -> Your.IP: 113

Remember this is a starting template, I will not include it at this time, and people can make the rule themselves if they really need to. Being stealth goes against RFC protocols anyway so stating RFC doesn't mean anything here, and there would be more comments about how people were not stealth than you could even think of if I allowed port 113.

ghost16825
Use security metrics
Premium
join:2003-08-26


 reply to BlitzenZeus
In your advanced rules under zero octet rule are these rules really only necessary for LAN connections? Are they really rules to block ad servers or just to prevent spoofing for LAN connections?

[text was edited by author 2003-10-14 06:35:14]


BlitzenZeus
Burnt Out Cynic
Premium,MVM
join:2000-01-13
Beaverton, OR
·Verizon FIOS

They are not ad-blocking rules by any means, but are meant to block packets which could have a spoofed source ip address. The anti-spoofing rules are used for private/unused ip ranges which should not be used over internet connections. If you do run a lan, the allow rules, when enabled and configured correctly for your setup, will compensate for these blocking rules before they affect your connections.

As an example some have found they are getting packets from 192.168.0.100 when they are not even on a network of any kind, and the packets are actually messenger spam targeted towards udp port 1026. This way you can't trace the real source, and if it got through you might see a messenger window on your desktop advertising something.

bogape

join:2003-02-25
New Zealand


1 edit
reply to BlitzenZeus
re your Windows Services Block (Log) rule you block local ports 135,445,500.

Shouldn't this be 5000, as per your earlier post?
»Just one example of rules

edit: port 500 UDP Ipsec Services.
Should I just add 5000 then and keep 500?

just found your answer on a previous post
»win xp services block rule


BlitzenZeus
Burnt Out Cynic
Premium,MVM
join:2000-01-13
Beaverton, OR
·Verizon FIOS


1 edit
reply to BlitzenZeus
Minor Update
Rules:
- Changed loopback rules to outbound, and to specific subnet. There should not be issues with this, otherwise you can just edit the rule back to a single address with 127.0.0.1 still in the rule.
-Deleted one rule, and edited another anti-spoofing rule covering the 127.x range due to the change in loopback rules.

Settings:
-Logging of packets to opened ports has been disabled, if you really want to log these packets just re-enable the setting in the miscellaneous tab under advanced.

Nothing special about this update, just a couple things people could have done themselves after they downloaded the ruleset.


BlitzenZeus
Burnt Out Cynic
Premium,MVM
join:2000-01-13
Beaverton, OR
·Verizon FIOS

I made a typo which I didn't double check before I released this update, even the previous thread had the correct mask, although it should be outbound only.
»Preventing IP spoofing of the localhost

So 127.0.0.0/255.0.0.0 is correct for the mask when used for the loopback.
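As an added example (not code from this thread or from the Kerio download), here is a Python model of the ordered, first-match ruleset the opening post describes, covering the anti-spoofing rules discussed in the reply to ghost16825 and the loopback mask typo corrected just above. Rule names follow the thread; the addresses and packets are constructed placeholders, and the "ask" result for an unmatched packet is the model's own stand-in for the firewall prompting the user.

```python
"""Reduced first-match model of the BZ Kerio 2x replacement ruleset (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed placeholder for the DNS server read from "your ip configuration".
ASSIGNED_DNS = "203.0.113.53"


@dataclass
class Rule:
    name: str
    action: str                          # "permit" or "deny"
    direction: str                       # "in", "out" or "both"
    proto: str                           # "tcp", "udp" or "any"
    remote: str = "0.0.0.0/0"            # network the remote address must fall in
    remote_ports: Tuple[int, ...] = ()   # () means any port
    local_ports: Tuple[int, ...] = ()
    log: bool = False


@dataclass
class Packet:
    direction: str
    proto: str
    remote_ip: str
    remote_port: int
    local_port: int


def build_ruleset(loopback_mask: str = "255.0.0.0") -> List[Rule]:
    """Rules in the thread's order: application/allow rules above the block-all rules.
    loopback_mask lets you compare the corrected 255.0.0.0 mask with a host-only mask."""
    anti_spoof = [Rule(f"Anti-spoofing {net}", "deny", "in", "any", net, log=True)
                  for net in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
    return [
        Rule("Loopback (Out)", "permit", "out", "any", f"127.0.0.0/{loopback_mask}"),
        Rule("Assigned DNS", "permit", "out", "udp", f"{ASSIGNED_DNS}/32", remote_ports=(53,)),
        Rule("Custom DNS Alert", "deny", "out", "udp", remote_ports=(53,), log=True),
        *anti_spoof,
        Rule("Windows Services Block", "deny", "in", "any", local_ports=(135, 445, 500), log=True),
        Rule("NetBios Block", "deny", "both", "any", local_ports=(137, 138, 139)),
        Rule("Block all inbound", "deny", "in", "any", log=True),
    ]


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction != "both" and rule.direction != pkt.direction:
        return False
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if ip_address(pkt.remote_ip) not in ip_network(rule.remote):
        return False
    if rule.remote_ports and pkt.remote_port not in rule.remote_ports:
        return False
    if rule.local_ports and pkt.local_port not in rule.local_ports:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[str]]:
    """First matching rule decides; no match is reported as 'ask' in this model."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.name
    return "ask", None


if __name__ == "__main__":
    rules = build_ruleset()
    samples = {
        "messenger spam with spoofed private source": Packet("in", "udp", "192.168.0.100", 4000, 1026),
        "ident (tcp 113) request from a mail server": Packet("in", "tcp", "203.0.113.25", 40000, 113),
        "DNS query to the assigned server": Packet("out", "udp", ASSIGNED_DNS, 53, 1100),
        "DNS query to an unassigned server": Packet("out", "udp", "203.0.113.99", 53, 1100),
        "probe of the RPC endpoint mapper (135)": Packet("in", "tcp", "203.0.113.9", 3000, 135),
    }
    for label, pkt in samples.items():
        print(f"{label:45s} -> {evaluate(rules, pkt)}")
    # The mask typo: with a host-only mask, 127.0.0.2 is no longer covered by the loopback rule.
    lo = Packet("out", "tcp", "127.0.0.2", 8080, 1200)
    print("loopback 127.0.0.0/255.0.0.0         ->", evaluate(build_ruleset("255.0.0.0"), lo))
    print("loopback 127.0.0.0/255.255.255.255   ->", evaluate(build_ruleset("255.255.255.255"), lo))
```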


BlitzenZeus
Burnt Out Cynic
Premium,MVM
join:2000-01-13
Beaverton, OR
·Verizon FIOS

Final release of this default replacement

- Fixed the typo noted in previous post.
- Added the 'Custom Address Group DNS' rule which any user could have made, and since I use this template myself when I start over I also added it for myself.

There is no reason to start over again, I mainly just wanted to fix my typo. Images of the rulesets are in the .zip file for examination/comparison.

Due to severe lack of free time lately I might not be around to assist users who have questions about using the ruleset, or its configuration on your computer. Please make sure you read the FAQs, and search the forum to see if your question has already been answered.


BlitzenZeus
Burnt Out Cynic
Premium,MVM
join:2000-01-13
Beaverton, OR
·Verizon FIOS

reply to BlitzenZeus
This is a thread I did a long time ago, and it's still valid today; it's just kinda fallen through the cracks. If you're wondering if Kerio 2x is the kind of firewall for you, you might want to read this thread.
»Do you need, or know enough to use TPF/KPF?
--
The biggest error is sitting in front of your keyboard.


zippythezipp

join:2001-10-21
Canada
reply to BlitzenZeus
I still use Kerio 2.x on 3 of my pc's and would like to thank you for the default replacement template and this thread.;)
Have a great day.


gwion
wild colonial boy
Premium,ExMod 2001-08
join:2000-12-28
Pittsburgh, PA

reply to BlitzenZeus
FINAL RELEASE :

Calculating hash of 18867 bytes file `E:\...\BZ Kerio 2x Default Replacement - Standard - Final.conf`...

SHA-256 : B2AAB8877E543A2839E201BE7283F463C0EFA10E199ABF122CF1D0F195B7DC44
SHA-512 : 8A3513C75CE3C012E6A485677C8DCDBF0B9ADA17AC47C048EDFA23A7B2873C8092E06C638A51872AA2 A8F0FC0118 F2E43B9E7AE4C8B57AA5E3D8458CDEA59B6E
MD5 : 680B537B426C791216BC5B33124E66EB
RIPEMD-160 : E46065A06A08FA7ABA68B69AA5E1B9283C14056D
CRC-32 : 81D0973E

Calculation took 0.015 seconds

Calculating hash of 25135 bytes file `E:\...\BZ Kerio 2x Default Replacment - Advanced - Final.conf`...

SHA-256 : 4AF8EBD4457D077B951909413D131C1A35DDAF101E215D17A5513DB457D98FC1
SHA-512 : D8496582DD05E65E0A0049A20373DAAAD033DA160D8BF4D64B35B967EB3257797E82FD5B70DA1B5A97 50D49662D5 25ECCC40B78EC84AD13216A9D617C8B29F20
MD5 : 0EBFDA1392D21160C7352F343CAAE667
RIPEMD-160 : 26C1F31011D84B3B090C7DF095FD4959DF7C80F6
CRC-32 : F4268B09

Calculation took 0.016 seconds
--
Semper Eadem

- ... his original destination's just another story that he loves to tell.