Lilla1
join:2002-04-22 Fall City, WA
[Kerio 2.x] My Kerio 2.1.5 rules based on BZ's please critique
[Attachments: Part 1 - Standard Rules | Part 2 - Applications]
My system:
o Windows XP Home 2002 (includes SP1).
o Stand-alone computer rules only for now; later I will add rules for a simple 2-PC Windows network via cross-over cable. This network is currently disconnected.
o Earthlink dial-up internet connection. WinXP ICF is disabled.
o My Kerio 2.15 rules are based upon "BZ Kerio 2.x Default Replacement Update", Standard rule set.
BlitzenZeuz, your rule set has helped me so very much. Thank you for all of your help. With your wonderful rule set I feel like I'm on the right path.
Are my FTP rules OK?
Should I drop my "Loopback(no software proxy)" rule? I notice that it is not included in gt7697c Generic No Proxy rule set. This was recommended back when I was using 2.1.4
How do you specify that the application is SYSTEM? I see that on some people's rules, but how do you set it to that?
Thanks to all, Lilla

FTLNewsFeed
join:2003-12-16 Brooklyn, NY
Hi Lilla,
Just a quick comment. The rule Loopback (no software proxy) is redundant in your rule set since TCP Loopbacks are caught and allowed by your Loopback - Standard rule.
As far as FTP I just set the 'Remote Port' to 'Any' since I don't know what port the FTP Server will connect to me (or me to it) on.
FTLNewsFeed -- "A woman never runs away, a woman never hides away in order to survive." -Ayumi Hamasaki from her song "Real Me"

Lilla1
join:2002-04-22 Fall City, WA
said by FTLNewsFeed : The rule Loopback (no software proxy) is redundant in your rule set since TCP Loopbacks are caught and allowed by your Loopback - Standard rule.
Thanks for pointing that out, I have deleted it. I missed the obvious on that one.
said by FTLNewsFeed :
As far as FTP I just set the 'Remote Port' to 'Any' since I don't know what port the FTP Server will connect to me (or me to it) on.
The Remote port range I am using is based upon BZ's "permit all (tcp 21, 5001-65535)" approach quoted below... He gives this range for IE passive FTP, and I assume then that I can apply it to my other FTP apps too. If I've gotten it wrong, or not quite right, please advise.
BZ 2003-12-31 13:59:52 The way passive ftp works is you never have to accept inbound ftp communications on tcp 20 which would run like a server, and most ftp servers run as passive these days. A range more like tcp 5000-65535 outbound is better [than 1024-65535] at this point for IE when it comes to ftp communications, along with allowing it out tcp 21.
BZ 2004-01-03 14:21:29 When it comes to ftp communications I either run permit all (tcp 21,65535), or I have it ask me for ports not already allowed. You need to choose which one you want to do; permitting every outbound ftp connection past the first outbound tcp 21 connection can be annoying, but allows more control. I keep both variations for each browser in my ruleset so I can switch them anytime I want. It will be much more annoying to enable/disable the rule every time you do any ftp downloads, so you need to choose if you're going to do the permit all (tcp 21, 5001-65535), or having to permit every outbound ftp communication.
Straight FTP programs should be ok for the outbound communications allowed, just as long as they don't run as a server, unless you're dealing with a standard ftp server which is required to connect to your computer on port 20 [active FTP]. This will be rare, and you might make a rule to toggle on if you need to if it happens often.

Lilla1
join:2002-04-22 Fall City, WA
reply to Lilla1
Some additional information about my system...
There are two WinXP/IE6 options that affect FTP, and thus FTP rules. The settings I am currently using are:
o In IE6, Advanced tab: checked Use Passive FTP (default = unchecked)
o In Folder Options, View tab: checked Enable Folder view of FTP sites (default = checked)
Have Windows Updates corrected the oddities related to these settings that are discussed below?
gt7697c 2003-04-21 20:18:19 Many have suggested that if you enable Passive FTP this causes IE to use the higher numbers... and in my testing today of IE and FTP surfing this is not true. What I found that causes IE to use the High Port numbers was the disabling of Enable FTP Folder View in IE.
TheWizeGuy 2003-04-21 20:18:19 Well the real problem is Microsoft completely disabled the "Use Passive FTP etc" check box in IE 6 and Passive FTP is now turned on/off by using the Enable FTP Folder View check box. Ethereal shows that the Passive FTP box no longer does anything.
gt7697c 2003-04-21 11:03:08 The reason I don't want to use Folder View is because there was an Exploit that allowed a malicious person to execute embedded script, here is some more reading on it: cert.uni-stuttgart.de/archive/bugtraq/..
TheWizeGuy 2003-04-23 09:47:45 Right in IE 6.0 you will be using passive FTP because MS disabled the "Use Passive option" and made it default. The only way to disable Passive FTP is to "Enable Folder View of FTP sites".

ghost16825
join:2003-08-26
reply to Lilla1
I have to say this is one of the better rulesets I have seen. There's not very much to criticise in it. Regardless, now that you seem pretty happy with it, it's important to see where the weakest parts are even if there's nothing you can do to restrict the rule further.
Here's my suggestions:
1. Being on a dialup it is highly unlikely you need DHCP through svchost for the connection to work properly. (Perhaps only if you have a local area network.) This isn't a security risk but there's no point having it there if it's not needed. Disable DHCP Client through Services and specify primary and alternate addresses in your connection instead of selecting "Get DNS addresses automatically" in your connection properties. (This causes DHCP Client to start Automatically.)
2. Some people end their local port range at 4999 instead of 5000. (1024-4999) because of SSDP Discovery Service. (Incoming->5000). Do so if it makes you feel any safer.
3. See if you can come up with a list of IP addresses for Spybot.
4. Just a preference of mine: For your browser rules I would create a rule which includes remote ports which you encounter all the time without fail:
Browser Allow TCP Out 1024-5000 Any address 80,21,443 (Perhaps 8080 and 81 as well if you encounter these on a daily basis)
And then a logged rule underneath: Outside of Browser rules TCP Out 1024-5000 Any address 81-65535 or the much safer suggested 5001-65535 allow log
OR Two rules:
Outside of Browser rules common TCP Out any address 81,8080 log
Outside of Browser rules TCP Out any address 5000-65535 alert and log
To get SYSTEM rules take off some of your Windows specific rules (local port 135,1025-1026,5000) and visit grc.com and do the Shields Up test. You should get a SYSTEM alert in there somewhere. If this doesn't work you may need to turn on a useless Windows Service which you don't need to get an effect.
I would take off your local port range for explorer(block) and perhaps make it both UDP/TCP both directions, just for the sake of it.
Looking at your rules the biggest weakness is a trojan attaching itself to an application with any address port 80 and sending data to port 80 of the attacker's computer. That said, everyone's probably vulnerable to such a thing and there's little you can do about it; you probably have a better chance of winning the lotto than this occurring if you practise safe computing.
In the future if you decide to implement some kind of local proxy filtering (eg. Proxomitron) just be aware that localhost filtering (eg localhost:8080 out allow followed by localhost:8080 in deny) just doesn't work in Kerio 2.15/4

TheWiseGuy
join:2002-07-04 Yonkers, NY
reply to Lilla1
Try setting the Loopback rule to only allow packets OUT and see if you have any problems. I believe it should work and will allow you to block spoofed packets with a source IP of 127.0.0.1
-- Dog and Butterfly

FTLNewsFeed
join:2003-12-16 Brooklyn, NY
Someone, I believe BZ, said that the spoof can be avoided if you specify a network/mask of 127.0.0.0/255.0.0.0 instead of the 127.0.0.1 IP addy; anyway the network/mask is what I use in my rule set (UDP/TCP Both). Right now Firefox is sitting with a TCP Loopback that I believe an Out-only filter would stop, haven't tested to make sure though.
FTLNewsFeed -- "A woman never runs away, a woman never hides away in order to survive." -Ayumi Hamasaki from her song "Real Me"
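An added illustration (not from the thread or from Kerio itself): a small first-match model of Kerio 2.x style rules, used to check two points discussed above. It shows that a packet arriving from the network with a forged source of 127.0.0.1 matches a loopback rule set to Both directions but not one set to Out only, and that the passive-FTP rules (tcp 21 out plus tcp 5001-65535 out) never need to accept an inbound connection from port 20. Rule field names, rule names and the sample addresses are constructed for this example.

```python
# Constructed example: first-match evaluation of Kerio 2.x style rules.
import ipaddress


def in_range(port, spec):
    """spec is 'any', a single port such as '21', or a range such as '1024-5000'."""
    if spec == "any":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def rule(name, action, proto, direction, local, remote_net, remote_port):
    """One rule line: direction is 'in', 'out' or 'both'; remote_net is CIDR."""
    return dict(name=name, action=action, proto=proto, direction=direction,
                local=local, remote_net=ipaddress.ip_network(remote_net),
                remote_port=remote_port)


def first_match(rules, proto, direction, local, remote_ip, remote_port):
    """Kerio walks the list top-down and stops at the first rule that matches.
    For an inbound packet the 'remote' address is the claimed source."""
    ip = ipaddress.ip_address(remote_ip)
    for r in rules:
        if (r["proto"] == proto and r["direction"] in (direction, "both")
                and in_range(local, r["local"]) and ip in r["remote_net"]
                and in_range(remote_port, r["remote_port"])):
            return r["name"], r["action"]
    return "no rule", "ask"   # Kerio prompts when nothing matches


def loopback_set(direction):
    """Loopback rule in the given direction, followed by a catch-all block."""
    return [rule("Loopback - Standard", "permit", "tcp", direction, "any",
                 "127.0.0.0/8", "any"),
            rule("Block everything else", "deny", "tcp", "both", "any",
                 "0.0.0.0/0", "any")]


# Passive-FTP rules as quoted from BZ: tcp 21 out, then tcp 5001-65535 out.
FTP_RULES = [
    rule("FTP control", "permit", "tcp", "out", "1024-5000", "0.0.0.0/0", "21"),
    rule("FTP passive data", "permit", "tcp", "out", "1024-5000", "0.0.0.0/0",
         "5001-65535"),
    rule("Block everything else", "deny", "tcp", "both", "any", "0.0.0.0/0", "any"),
]
```

Running the spoofed inbound packet through loopback_set("both") and loopback_set("out") shows the difference TheWiseGuy describes; running an active-FTP connection from remote port 20 through FTP_RULES shows it is denied while the passive control and data connections are permitted.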

Lilla1
join:2002-04-22 Fall City, WA
reply to ghost16825
said by ghost16825 : I have to say this is one of the better rulesets I have seen. There's not very much to criticise in it. Regardless, now that you seem pretty happy with it, it's important to see where the weakest parts are even if there's nothing you can do to restrict the rule further.
I'm delighted that you like my rule set (work in progress); I give credit to BZ's wonderful rule set. I endeavor to follow the lead of those that understand firewalls, because most of it is Greek to me.
said by ghost16825 :
Some people end their local port range at 4999 instead of 5000. (1024-4999) because of SSDP Discovery Service. (Incoming->5000). Do so if it makes you feel any safer.
I used 1024-5000 because that's what BZ uses in his rule set, and because I have disabled UPnP and SSDP. Still I suppose I could use 1024-4999 as an added safety net.
Below is some discussion that relates to this:
BZ 2003-09-22 00:32:21 Q: I notice on your rule set that you have ports 135, 445 and 500?? for xp services block. Is it 500 or 5000? BZ: It's 500, and 5000 (UPnP) is easily turned off; it's not even as huge a threat as it was made out to be. However you could add 5000 to that list, but once you do the task below, it won't be listening anymore. You don't even need those services.
Start -> Run: services.msc In the properties of these services, stop, and disable them. SSDP Discovery Protocol, and Universal Plug n' Pray.
said by ghost16825 :
3. See if you can come up with a list of IP addresses for Spybot.
Good idea. Done.
said by ghost16825 :
I would take off your local port range for explorer(block) and perhaps make it both UDP/TCP both directions, just for the sake of it.
Good idea. Done.
Thanks for all the ideas you gave me, some I am still thinking about.
Lilla

Lilla1
join:2002-04-22 Fall City, WA
reply to Lilla1
[Attachments: Part 1 - Advanced Rules | Part 2 - Application Rules]
TheWizeGuy and FTLNewsFeed - a BIG thanks to you two for nudging me to fortify my loopback rules against IP spoofing. That is part of BZ's Advanced Rule set which I have now implemented.
Actually, there were only two changes from the standard rule set: 1) change to tighter loopback rules, and 2) add some Anti-Spoofing block rules.
I've now learned that "IP Spoofing" is happening on my computer, but I was not aware of it until I upgraded from BZ's standard rule set to BZ's advanced rule set.
Because I made significant changes, I decided to post my updated rule set.
As before, your comments are appreciated and more...
Lilla