
Kerio
join:2003-07-18
Release of Kerio Personal Firewall 4.0.6
Hello,
Kerio Personal Firewall 4.0.6 has been released. You can download it at »www.kerio.com/dwn/kpf4-en-win.exe or check for updates from KPF admin.
MD5 hash of the package: FDD77C6F9E49962146FB0A4B23B2B513 kerio-pf-4.0.6-en-win.exe
Changes since 4.0.4:
- fixed registration on WIN 98, ME
- fixed bug when Group name contains '&'
+ czech localization
+ password protection
+ remote administration
+ added ability to inspect gzipped http
+ logging and alerts can be turned on/off directly by clicking on rule line in network/system security
+ firewall can now be exited when popup window is shown

madirish Premium join:2003-08-04 Cleveland, OH
DLed the 4.0.6 build. Uninstalled 4.0.4 and installed 4.0.6. Went to log on to the internet and launched Firebird (browser). Kerio prompted me if I wanted Firebird to access the internet. Checked my rules and Kerio did not pick up the .exe for Firebird. After I showed Kerio the .exe there weren't any problems.
Went to GRC and ran a scan for 1056 ports. Passed. Then I checked the logs (network logs) and all that was showing blocked was my "block all" rule (all block rules are set to log). I also noticed that there was no red light on my Kerio icon in the sys tray, only green.
I clicked on edit for all my block rules (network security > packet filter) and then clicked OK. Reran the GRC test and now the logs are showing Block ICMP, Block all in, Block local ports (still showing only a green light at the Kerio icon).
Ticked the password protection (overview > preferences) and set my password. Exited Kerio and got back in with no prompt for a password. Deleted a rule and still no prompt for a password. Changed some settings, exited, no prompt. Logged out (right click on Kerio icon in sys tray), went back into Kerio and reinstalled the rule I deleted and reset the other changes I made, no prompt for a password.

BlitzenZeus Burnt Out Cynic Premium,MVM join:2000-01-13 Beaverton, OR
·Verizon FIOS
·Verizon Online DSL
reply to Kerio
Less secure than before!
Serious Security problem! When you give a program permission to launch other programs, those programs are now launched, and automatically allowed to start without user input. So if a trusted program launches a malicious program it will be started by default!!! Now any script run from a trusted application will be able to run loose on a system! Thanks for making the system security module useless Kerio!
Password protection, and Remote admin apparently are part of the paid version, which is not even mentioned in the help file correctly with association with the free version.
I've done minor testing so far, but the fact that they crippled the system security module makes this a horrible release. I didn't think it could get any worse... I was wrong...
-- My hourly rates: $25 per hour. $35 per hour if you want to watch. $45 per hour if you want to help. $75 per hour if you tried to fix it, and failed.
[text was edited by author 2003-10-27 12:56:23]

matunga
join:2003-07-26
reply to Kerio
- system security icons bug corrected!
- I still have continuous "BAD TRAFFIC LOOPBACK TRAFFIC" messages in the intrusion log from 127.0.0.1 to 127.0.0.1 (IN direction). Is it my modem problem or my ISP network or what?

matunga
join:2003-07-26
reply to BlitzenZeus
said by BlitzenZeus: Less secure than before! When you give a program permission to launch other programs, those programs are now launched, and automatically allowed to start without user input.
Is it not right?

BlitzenZeus Burnt Out Cynic Premium,MVM join:2000-01-13 Beaverton, OR
·Verizon FIOS
·Verizon Online DSL
"Serious Security problem! When you give a program permission to launch other programs, those programs are now launched, and automatically allowed to start without user input. So if a trusted program launches a malicious program it will be started by default!!! Now any script ran from a trusted application will be able to run loose on a system!"
1: You allow explorer.exe to launch other programs.
2: A script tells it to launch malicious.exe, and malicious.exe is set to be allowed to start by default.
3: Malicious.exe is launched without user input.
That is what I'm talking about, please read the rest of the paragraph.
-- My hourly rates: $25 per hour. $35 per hour if you want to watch. $45 per hour if you want to help. $75 per hour if you tried to fix it, and failed.
[text was edited by author 2003-10-27 12:52:35]

madirish Premium join:2003-08-04 Cleveland, OH
reply to BlitzenZeus
said by BlitzenZeus:
"Password protection, and Remote admin apparently are part of the paid version, which is not even mentioned in the help file correctly with association with the free version."
Unfortunately I have a paid-for version. :(

Cudni
@217.158.x.x
reply to BlitzenZeus
"..I've done minor testing so far, but the fact that they crippled the system security module makes this a horrible release. I didn't think it could get any worse... I was wrong..."
Thanks for still keeping an eye on this project. I have given up on them as they have ruined a nice prog.
Cudni

madirish Premium join:2003-08-04 Cleveland, OH
reply to Kerio
Well, after trying it out for a while the password protection is not what it was in 2.1.5.
Finally got some of the password protection working (don't know why). If you're logged out and you make a change in the advanced packet filtering you will be prompted for a password. BUT if you do not log out, Kerio assumes that it is you that is making the changes. If you forget to log out, anyone can make changes to the firewall.
In 2.1.5, you enabled password, and had to type in the password to get in, period. After closing out, to get back in you had to re-type the password first. Not the case with 4.0.6, forget to log off and anyone can get in!

Lex Luthor Premium,Mod join:2000-09-17 Hicksville, NY
Is password protection only for registered users? I let the 30 days expire and web filtering, etc is restricted, but so is password protection. The box is just greyed out and can't be selected.

madirish Premium join:2003-08-04 Cleveland, OH
said by Lex Luthor: Is password protection only for registered users? I let the 30 days expire and web filtering, etc is restricted, but so is password protection. The box is just greyed out and can't be selected.
I think it is. I registered Kerio (licence works for 2.1.5 and 4 series). We won't know all the particulars, I guess, until the final comes out and Kerio says for sure what is what.

gwion wild colonial boy Premium,ExMod 2001-08 join:2000-12-28 Pittsburgh, PA
reply to Kerio
Well... passwording a firewall GUI is not trivial, and it's not a luxury. It's a solid line of defense against scripted tampering, and in an environment where, for example, the kids use your computer as users, they still have complete access to the firewall from the tray. Without a password, any user can circumvent any rule, no problem. Of course, in that scenario, you probably want the paid version, frankly, even if you don't use the webfilters... remote logging and admin, alone, are worth having in that sort of environment.
As for those start controls, well, there's one way to eliminate bugs... just burn out half the kitchen... No more bugs... no more cabinets, no more stove... but no more bugs...
I still think there's an audience who'll find this a nice firewall, but I doubt many of the existing users will. My own feeling's always been that Kerio users have represented a more articulate user class... people who may not be true "power users," but who are at least willing to spend some extra time learning, in return for added granularity and control. These people aren't going to be pleased. I predict Tiny might be getting a few orders, when this goes pure gold, frankly. And I predict we'll be supporting 2.x, here, for a while to come. We may do an "official" poll, somewhere down the road. I would prefer to wait for a final, stable release, but I'm really curious, overall, among existing Kerio users, how many will upgrade, how many will sit tight with 2.x, and how many might be climbing down the ratlines for the longboat, as we speak... ?
Personally, I liked the direction 3.x was going, but I'm less inclined to like what I've seen since 4.x came out... To be a little brutal, I don't buy hardware to support basic firewalling. That was part of the glory of 2.x, to me, it was light, dependable and straightforward. Heavy GUI's and "generic security, suitable for everyday use, some settling and discoloration may occur in shipping" just doesn't do much for me... it was how I found this firewall, in the first place. I was looking for a -simple-, light, configurable firewall, in the model of IPfilter or such, and that wasn't OS-centric, so I could run it under NT, 2k, or whatever OS I might upgrade to, later on.
Yes, Tiny dropped their old metaphor, too, but Tiny also added "industrial strength features" that account for the added resource profile, and the departure from the simple packet filter... seems to me that 85% of what Kerio 4.x adds is GUI and cuteness. And GUI and cuteness are two features I'm relatively unwilling to sacrifice my system resources to support, unless they add a LOT to the functionality and usability of my system. To tell the truth, a pretty firewall isn't what I want, as I'm fond of saying in help threads, what most of us want is to "just make it work."
-- Y Ddraig Goch Ddyry Cychwyn

Lex Luthor Premium,Mod join:2000-09-17 Hicksville, NY
Host: OptimumOnline
gwion, what exactly do you not like about kerio 4?
I was a 2.1.x user and now use 4. I'm very happy with it. I've seen no major bugs, had no problems, don't find that it uses up much CPU or an excess of RAM. It's easy to configure and powerful. I really don't see an excess of "bloat".
I'm surprised that more of the 2.1.x users aren't happy with 4.

DropnPackets
join:2003-10-27
reply to Kerio
Greetings to all
Does anyone know where Loopback security has gone?
Does the new kerio release provide loopback security?
I have not installed the release ver, but their previous releases didn't!
And Tiny doesn't either, please see
»www.tinysoftware.com/forum/showt···adid=540
Comments please
Cheers

gwion wild colonial boy Premium,ExMod 2001-08 join:2000-12-28 Pittsburgh, PA
reply to Lex Luthor
Nothing, really. It's just a stark departure from the old metaphor. The packet filters are actually a bit better. But I liked the extreme light weight of the old versions, and the minimal GUI. And I like the idea of system security, as they refer to the start controls. In theory, I think it's a far more comprehensive suite.
Problem is, as I've confided to some others, NOBODY, and I do mean NOBODY wants us to have anything as granular and simple and just plain user configurable as the Unix packet filters that literally abound... for BSD and Linux, and so forth. Windows firewalling is literally in bondage to the MS metaphor of oversimplification, massive GUI, massive resource waste... making the simple complex, to make the complex simple, if that makes sense...
No... I don't entirely dislike it, at all. But I do dislike the resource profile. I fully understand their need to make a living, too, so the pay to play features are fine, with me, and the free version's perfectly serviceable, for a free version. And I dislike this seeming willy-nilly, year long betaing process. And the seeming lack of a coherent plan, from the outset.
I like making firewalling more accessible for average users, too. But I'm adamant that power users should never have to compromise their demands, for ease of use. In fact, one nice thing, here, is the way they do allow you to use a preroll, or select a user config, on the filters...
But if I want to shut down localhost:1080, for example, I think I have a right to expect a reputable firewall to allow that... compromising, like that, for the sake of idiot-proofing, is one of the things a lot of us trash MS for. But it's not really just MS, it's the whole community writing to MS platforms.
I'm really glad you asked, because I don't really want to "thrash 'em," I don't thrash ZAP or other products, but those products have always had that metaphor, too, in fairness... I respect their hard work, and I certainly LIKE the idea that they're sort of the "little guys" in this business (so is Tiny, really)... a lot of the problems in communication are, after all, issues of scale. They have to develop a firewall, and they aren't Symantec... sometimes, I do wish they would "brag" that, rather than seeming a little self-conscious about it ... hell. I LIKE dealing with a small business. That's the American spirit, and the Czech spirit, too ... you have a great idea, you market it, all that. Sometimes, I think they think we'll mistrust a small group, when reality is that it's usually the other way around... but I digress...
OK, Gwion... say a few good things... here we go...
- much more configurable custom packet filter IF...
- System security's a great feature... so long as it's solid. False security's obviously a terrible risk...
- Web filters are, too. How many people have a real problem securing a Proxo-type filter? Here's an alternative for them... and it seems to do what it should.
A few bad things I already mentioned... but the reason's not dislike, it's a sincere desire to see a product get better. Sometimes, the biggest favor you can do the Emperor is telling him where and when he's naked..
A few wishes?
- A simpler, lighter GUI.
- More concern for the working features, less for the glitz.
- NO built-in limitations, whatsoever, of any kind, on the packet filtering component. That's the core of a "conventional" firewall. There should be not ONE thing I can do with IPchains or IPF I can't do with my win32 firewall... NOT ONE. It's doable. And it's good design to do.
- if something's known buggy, don't even PUT it in a release version... better - use plugins for the value added features. That way, I don't have useless code on the system, if I choose to disable something.
Now, just briefly, let me refer to that localhost thing. In a sandbox-centric firewall like Tiny, it's less burdensome, but in a packet-filter-centric one, like Kerio, it's entirely inexcusable. I haven't done any testing on that, but if it's in fact true, you can't make absolute rules for loopback, then it's a "bug," not a feature (unless your name's Gates)... fine to implicit rule the firewall's own communications, but anything a millimeter beyond that isn't fine. It's a limitation on what you can do with the core component of the wall. And best form, Tiny, would be to include a full featured packet filter, even if the sandboxing makes it less critical. One shouldn't have to compromise, on very trivially implementable features, just because they aren't "critical" -- redundancy, especially when you're learning and just getting started, is a great thing.
Well, I better turn this over to you folks... but I'm glad you asked that - I didn't mean to sound overly harsh, just trying to be a good beta tester, and share my negative impressions, along with my positive ones, and maybe I got a little too focused on the minuses... I really do want to thank the developers for their continued hard work. Coding's not easy, I have enough trouble writing a quick TCL routine or perl script that doesn't screw up royally in its first ten iterations -- SNAFU's the rule of my own minor coding exploits ... and I fully appreciate that.
But this firewall became fairly dear to my heart, in its "old" incarnation... closest thing I ever found to a solid, dependable minimalist packet filter I could run on NT, 2k, even 9x, and any upgrade I decided to adopt down the road. It's hard to let go of that... 
OK, crew, let's hear the comments... here's our chance to help out on the next version, it's your forum... let us know what you think... and thanks, very much, Kerio. That hard work definitely doesn't go unnoticed... we're just doing our job, too, best we can, over here on our side...
-- Y Ddraig Goch Ddyry Cychwyn

ghost16825 Use security metrics Premium join:2003-08-26
reply to Kerio
Probably the biggest problem is separation of modules. Trying to be a bit of Proxomitron, a bit of a popup blocker, a bit of an IDS tied firewall doesn't work.
My suggestions:
Get rid of the IDS "priority" system. If the IDS is going to be tied to snort rules you should have control over which signatures to log and which snort signatures get priority over your rules.
Get rid of the ad-blocking, cookie stuff altogether.
App blocking is not complex enough in its present form. Perhaps the best option for the System Security module would be to specify which programs you DON'T want to allow to run and let the rest do what they like. This would avoid the messy situations of which program is allowed to run what, which I don't think Kerio has the skill to do (eg SSM). Password protection at all times is a must.

gwion wild colonial boy Premium,ExMod 2001-08 join:2000-12-28 Pittsburgh, PA
reply to Kerio
Oh, I don't doubt the skill, just that we have no idea what sort of separation agreements they signed with Tiny ... Tiny has the sandboxing stuff, and I'll bet they made very sure they kept it, when the dev teams split... I sure would have...
I agree, entirely... modules are something I've been suggesting throughout this project. Some people just don't want all of these functions...
IDS' are fickle critters... for those unfamiliar with the basic concepts, they can be downright scary. They false by nature, if they're half decent, and they tend to be useless, if they're tamed to be user friendly... with Snort, you just comment out problematic rules in the conf's... but you have to know what to comment out... I defer on that one... Chicken Little was a novice using an SFDS ("sky falling detection system"), y'know ... I haven't looked that deeply at that part, yet, to pass judgement...
-- Y Ddraig Goch Ddyry Cychwyn

ghost16825 Use security metrics Premium join:2003-08-26
The really, really dumb thing about this is that these add-ons come from the open source community and no one has a problem with them in their separate form.
If you look at the help files-> at the IDS -> it mentions it uses the snort engine and also in the help files -> Web makes use of open source standards for web blocking from what I can remember. (No, kpf4 is not on my machine any more)
How a program can be cobbled together when it uses open standards which have heaps of support is beyond me.

Curley
join:2002-04-10 Michigan
reply to Kerio
Well.. I figured I'd give this new version a try since I haven't tried the last couple of releases. I really thought that by now things would be looking much better, but I guess not.
I imported my old 2.x rules, turned off the IDS, turned off predefined network rules and then proceeded to grc.com to run their tests. All the tests passed fine, but in the logs I noticed only traffic to local ports 1030, 1032, 1034 for TCP were showing up as being blocked. So I restarted my computer and went back again to run the tests all over again. This time only traffic to local ports 1025, 1027, 1029 showed up as being blocked??? Also for ICMP in the logs it doesn't show what ICMP type it is, all it tells you is that it's ICMP. For IGMP in the logs, all that shows up is the number 2 under protocol. I reported this to Kerio way back and they acknowledged it, but still haven't done a thing about it. So basically the logs are useless still after all this time. The System security part sounds like it's getting worse and the new password protection doesn't sound very good either.
It's really quite sad to think that after all this time since the last v2.1.4 was released some 1 1/2 years ago, this is where we are at now. Honestly, it just seems like Kerio has been stuck in the mud all this time and doesn't have a clue what they are doing anymore. I remember beta testing version 2 and Kerio being really on the ball with things, listening to its users and taking action right away. Now it seems like they still listen, but there's no action. Perhaps it's all due to a change at the top in developers, I don't know. Stanislav Kolar did a wonderful job with version 2, but now the head guy is Tomas Soukup.
Personally, I plan on sticking with version 2.1.5. I don't really have much confidence in Kerio anymore like I once did. If you want system security you can just use SSM for that and for web filtering Proxomitron. Once the 2.x version of Kerio gets outdated I'll probably just move on to Look'n'Stop's firewall.
[text was edited by author 2003-10-29 00:20:52]

hsandor
reply to ghost16825
I am surprised to hear that localhost filtering is crippled in 4.0.6, because I think it was already crippled in 2.1.5!
You know (in 2.1.5) if you allow Outbound 127.0.0.1:8080 for your browser (want to use proxomitron), then absolutely any kind of application can accept the connection initiated by your browser. Yes, any application can listen on 8080, and accept Inbound connections from localhost without filtering or MD5, if the Outbound end of the communication channel was Allowed. No matter if you Deny that application, or Deny Inbound to 8080, it passes without questions.
How can this be more crippled in 4.0.6?
regards, HSandor
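The loopback gap hsandor describes (an outbound "allow" for the browser to 127.0.0.1:8080 implicitly accepting the connection on behalf of whatever process is listening there) is easy to see in a small policy model. The block below is an added example written for this thread, not Kerio's code; the application names, the rule set and the two connections are constructed, and the "outbound-only" evaluator models the behaviour the post reports rather than any real implementation. It contrasts that behaviour with an evaluator that consults both endpoints' rules and denies by default.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    app: str        # application the rule applies to; "*" matches any application
    direction: str  # "out" (application connects out) or "in" (application accepts)
    port: int       # remote port for "out" rules, local listening port for "in" rules
    allow: bool


@dataclass(frozen=True)
class Connection:
    client_app: str  # process that initiates the loopback connection
    server_app: str  # process actually listening on the loopback port
    port: int


def first_match(rules: List[Rule], app: str, direction: str, port: int) -> Optional[bool]:
    """Return the action of the first rule matching (app, direction, port), or None."""
    for rule in rules:
        if rule.direction == direction and rule.port == port and rule.app in ("*", app):
            return rule.allow
    return None


def evaluate_outbound_only(rules: List[Rule], conn: Connection) -> bool:
    """Model of the behaviour the post reports for 2.1.5: once the client's outbound rule
    allows the loopback destination, the listener is never consulted, so whichever process
    bound the port receives the connection, even if an inbound rule denies that process."""
    return first_match(rules, conn.client_app, "out", conn.port) is True


def evaluate_both_ends(rules: List[Rule], conn: Connection) -> bool:
    """Stricter alternative: the client's outbound rule and the listener's inbound rule
    must both allow the connection; an endpoint with no matching rule is denied."""
    out_ok = first_match(rules, conn.client_app, "out", conn.port) is True
    in_ok = first_match(rules, conn.server_app, "in", conn.port) is True
    return out_ok and in_ok


# Constructed rule set (assumed names): the browser may reach the local proxy on 8080,
# the proxy may accept on 8080, one other application is explicitly denied inbound on
# 8080, and a catch-all denies any other listener on that port.
RULES = [
    Rule("browser.exe", "out", 8080, True),
    Rule("proxomitron.exe", "in", 8080, True),
    Rule("other.exe", "in", 8080, False),
    Rule("*", "in", 8080, False),
]

# Constructed connections: the intended proxy, and an unrelated process that happened
# to bind the same loopback port.
INTENDED = Connection("browser.exe", "proxomitron.exe", 8080)
UNEXPECTED = Connection("browser.exe", "other.exe", 8080)


def compare(rules: List[Rule], conn: Connection) -> dict:
    """Evaluate one connection under both models and report both verdicts."""
    return {
        "outbound_only": evaluate_outbound_only(rules, conn),
        "both_ends": evaluate_both_ends(rules, conn),
    }


if __name__ == "__main__":
    for name, conn in (("intended listener", INTENDED), ("unexpected listener", UNEXPECTED)):
        print(name, compare(RULES, conn))
```

Under the outbound-only model both connections are accepted, because only `browser.exe`'s outbound rule is ever consulted; under the both-ends model the explicit inbound deny for `other.exe` (and the catch-all deny for any unlisted listener) takes effect. Checking the listening process separately is what turns a loopback rule into something an administrator can actually rely on.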