[Kerio 2.x] My Kerio 2.1.5 rules based on BZ's please critique (Kerio - Tiny Support forum)


FTLNewsFeed

join:2003-12-16
Brooklyn, NY

reply to Lilla1
Re: [Kerio 2.x] My Kerio 2.1.5 rules based on BZ's

Hi Lilla,

Just a quick comment. The rule Loopback (no software proxy) is redundant in your rule set since TCP Loopbacks are caught and allowed by your Loopback - Standard rule.

As far as FTP I just set the 'Remote Port' to 'Any' since I don't know what port the FTP Server will connect to me (or me to it) on.

FTLNewsFeed
--
"A woman never runs away, a woman never hides away in order to survive." -Ayumi Hamasaki from her song "Real Me"

Lilla1

join:2002-04-22
Fall City, WA

said by FTLNewsFeed:
The rule Loopback (no software proxy) is redundant in your rule set since TCP Loopbacks are caught and allowed by your Loopback - Standard rule.

Thanks for pointing that out, I have deleted it. I missed the obvious on that one.

said by FTLNewsFeed:
As far as FTP I just set the 'Remote Port' to 'Any' since I don't know what port the FTP Server will connect to me (or me to it) on.
The Remote port range I am using is based upon BZ's "permit all (tcp 21, 5001-65535)" approach quoted below... He gives this range for IE passive FTP, and I assume then that I can apply it to my other FTP apps too. If I've gotten it wrong, or not quite right, please advise.

BZ 2003-12-31 13:59:52
The way passive ftp works is you never have to accept inbound ftp communications on tcp 20 which would run like a server, and most ftp servers run as passive these days. A range more like tcp 5000-65535 outbound is better [than 1024-65535] at this point for IE when it comes to ftp communications, along with allowing it out tcp 21.

BZ 2004-01-03 14:21:29
When it comes to ftp communications I either run permit all (tcp 21,65535), or I have it ask me for ports not already allowed. You need to choose which one you want to do, permitting every outbound ftp connection past the first outbound tcp 21 connection can be annoying, but allows more control. I keep both variations for each browser in my ruleset so I can switch them anytime I want. It will be much more annoying to enable/disable the rule every time you do any ftp downloads, so you need to choose if you're going to do the permit all (tcp 21, 5001-65535), or having to permit every outbound ftp communication.

Straight FTP programs should be ok for the outbound communications allowed, just as long as they don't run as a server, unless you're dealing with a standard ftp server which is required to connect to your computer on port 20 [active FTP]. This will be rare, and you might make a rule to toggle on if you need to if it happens often.
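To make the two points in this exchange concrete (why the passive-FTP data connection is covered by an outbound tcp 21 plus 5001-65535 rule, and why the second loopback rule never fires), here is a small first-match model of a Kerio 2.x-style rule list. It is an added example, not code from the thread or from Kerio; the Rule fields, the rule names and the 203.0.113.5 server address are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    """One Kerio-style rule; field names are this example's, not Kerio's."""
    name: str
    direction: str            # "out" or "in"
    protocol: str             # "tcp" or "udp"
    remote_ports: range       # Python range, so stop is exclusive
    remote_addr: str = "any"  # "any" or one address
    action: str = "permit"    # "permit", "deny" or "ask"

def matches(rule, direction, protocol, remote_addr, remote_port):
    return (rule.direction == direction and rule.protocol == protocol
            and remote_port in rule.remote_ports
            and rule.remote_addr in ("any", remote_addr))

def decide(rules, direction, protocol, remote_addr, remote_port):
    """First matching rule wins; no match means Kerio prompts, modelled as 'ask'."""
    for rule in rules:
        if matches(rule, direction, protocol, remote_addr, remote_port):
            return rule.action
    return "ask"

def redundant_rules(rules):
    """Names of rules that can never fire because an earlier rule already covers them."""
    shadowed = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if ((earlier.direction, earlier.protocol) == (later.direction, later.protocol)
                    and earlier.remote_addr in ("any", later.remote_addr)
                    and later.remote_ports.start >= earlier.remote_ports.start
                    and later.remote_ports.stop <= earlier.remote_ports.stop):
                shadowed.append(later.name)
                break
    return shadowed

# Constructed rule set following the "permit all (tcp 21, 5001-65535)" approach,
# with the two loopback rules from the thread at the top of the list.
RULES = [
    Rule("Loopback - Standard", "out", "tcp", range(1, 65536), "127.0.0.1"),
    Rule("Loopback (no software proxy)", "out", "tcp", range(1, 65536), "127.0.0.1"),
    Rule("FTP control", "out", "tcp", range(21, 22)),
    Rule("FTP passive data", "out", "tcp", range(5001, 65536)),
    Rule("Deny inbound TCP", "in", "tcp", range(1, 65536), action="deny"),
]
# Passive FTP: the client opens the data connection to a high port on the server.
PASSIVE_DATA = decide(RULES, "out", "tcp", "203.0.113.5", 50123)   # "permit"
# Active FTP: the server would connect in from its port 20, which this set denies.
ACTIVE_DATA = decide(RULES, "in", "tcp", "203.0.113.5", 20)        # "deny"
```

An outbound data connection to a server port below 5001 falls through to "ask", which is the prompt BZ describes for ports not already allowed.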
over 10 years online! © 1999-2009 dslreports.com.