Release of Kerio Personal Firewall 4.0.6 in Kerio

Release of Kerio Personal Firewall 4.0.6 in Kerio - Tiny Support http://www.dslreports.com/forum/r8338989 en Fri, 27 Nov 2009 05:43:34 EDT Fri, 27 Nov 2009 05:43:34 EDT Re: Release of Kerio Personal Firewall 4.0.6 http://www.dslreports.com/forum/remark,8648950 lawrenceong : thanks madirish.

that's what i did and everything seems to run fine now...

lawrence]]> http://www.dslreports.com/forum/remark,8648950 Sun, 30 Nov 2003 18:20:25 EDT Re: Release of Kerio Personal Firewall 4.0.6 http://www.dslreports.com/forum/remark,8646044 madirish : Hi lawrenceong welcom!

Kerio has a problem with its web filtering.I'm using the current version-4.0.8 and added servers to the exception,urls and the like.Sometimes everything works as it should then "bam" something screws up.I am not using the web filter now,using a local proxy(web washer) and everything is back to normal.I think the best thing for you to do is uncheck web filtering for now(maybe use a proxy instead)it ain't right.]]> http://www.dslreports.com/forum/remark,8646044 Sun, 30 Nov 2003 11:55:39 EDT Re: Release of Kerio Personal Firewall 4.0.6 http://www.dslreports.com/forum/remark,8645367 lawrenceong : Hello,

I was wondering if someone can help me with KPF 4.0.6. I downloaded the newest version and am using it on Windows 98. With Web filtering enabled, no matter which button I uncheck, the computer will hang when it tries to download a .zip or .exe. I'm unsure if it hangs on other types of files, as these are the only ones I tested...

Any advise?

thanks,
Lawrence]]> http://www.dslreports.com/forum/remark,8645367 Sun, 30 Nov 2003 10:10:37 EDT and what about the others? http://www.dslreports.com/forum/remark,8472873 Mplus : And...
is TPF5.1 better or worse than
1. Kerio 2.1.5
2. Kerio 4
Looking to hear from you
Itsme]]> http://www.dslreports.com/forum/remark,8472873 Tue, 11 Nov 2003 08:15:38 EDT Re: Release of Kerio Personal Firewall 4.0.6 http://www.dslreports.com/forum/remark,8436134 bookshelf : are you guys using the new version or the old version 2.1.6? ]]> http://www.dslreports.com/forum/remark,8436134 Thu, 06 Nov 2003 20:21:14 EDT Re: Release of Kerio Personal Firewall 4.0.6 http://www.dslreports.com/forum/remark,8419212 Curley : You're Welcome Paul. :)]]> http://www.dslreports.com/forum/remark,8419212 Wed, 05 Nov 2003 04:00:12 EDT Re: Release of Kerio Personal Firewall 4.0.6 http://www.dslreports.com/forum/remark,8415084 ghost16825 : Did you check BZ's default ruleset? If you believe it is flawed you should tell him. Could what you're talking about be caused by allowing localhost inbound? On my ruleset, I have only specified localhost outbound, with Proxo outbound as well.

As for those comments about leaktests some of them aren't about strict firewall functions rather application blocking and dll injection. I still believe a software firewall should mimic its physical equivalent to some degree. A physical firewall is a layer which is resistant to fire, preserving the rest of the house and giving you TIME rather than anything else. A software firewall should stick to stopping traffic at entrances rather than the corridors which lead to these entrances. The firewall should only interrogate traffic going through the main entrance rather than stopping traffic that is connected to the main entrance somehow.

These "leaktests" don't worry me because I only accept that outbound traffic goes to a remote port 80 or 443. If it is trojan which wants my browser to go to a http link or a secure site I do not care. That is a risk I am willing to take.

Probably Kerio 2.15's main weakness if you can call it that is inbound malformed packets.

To me, the ideal Kerio firewall would keep the rule method, add the ability to add more than one custom group, and be tied to a snort ids. With the ids you should be able to specify for each of the signatures what takes priority; your rules or the ids signature.]]> http://www.dslreports.com/forum/remark,8415084 Tue, 04 Nov 2003 18:29:40 EDT Re: Release of Kerio Personal Firewall 4.0.6 http://www.dslreports.com/forum/remark,8408621 Paul_C8 :

said by Curley :
Hi Paul,

You might want to take a look at Look'n'Stop's firewall. »www.looknstop.com/En/index2.htm

There forums can be found here: »www.wilderssecurity.com/index.php?board=13

Thanks Curly, looks interesting.
--
"It's a damn poor mind that can only think of one way to spell a word." - Andrew Jackson]]> http://www.dslreports.com/forum/remark,8408621 Tue, 04 Nov 2003 00:30:12 EDT Re: Release of Kerio Personal Firewall 4.0.6 http://www.dslreports.com/forum/remark,8403303 anon : Hello ghost16825!

Have no illusions. Tooleaky, Yalta and the other leaktest can be easily adopted to use other browsers: Mozilla, Opera, whatever! And detecting your default browser is a piece of cake. So You can block IE to stop the demo, but trojans can readily implement firewall passing communication trough your favourite browser. Or will you block all browsers?! :-)

Yours,
HSandor]]> http://www.dslreports.com/forum/remark,8403303 Mon, 03 Nov 2003 15:48:37 EDT Re: Release of Kerio Personal Firewall 4.0.6 http://www.dslreports.com/forum/remark,8403191 anon : Hello,
I would like to reply to the post:

-Quote-------------------------------------------------
By the way, I haven't had any problems configuring loopback around proxomitron, myself, so long as there are proper denies to compliment the allows. That is, I have to "allow IE out TCP remote 127.0.0.1:8080", or whatever you set up, to your proxy port... it's then critical to follow that with "deny any app out TCP or UDP remote 127.0.0.1:8080". And position those rules carefully. There can't be any inadvertent exceptions above the deny...
------------------------------------------------------

I known this ruleset all too well. Well! Where is the Allow Inbound on 8080 for Proxomitron ?! Yeah, that's right, it's not necessary! Maybe you denied that one already. Try Denying Proxomitron altogether, both directions. Guess what happens! You should get an alert that Proxomitron is accepting Inbound communication from 127.0.0.1:1025. But NO! You do not get this alert, Proxomitron connects to your browser happily, communicates, retrieves the address to load, and then get caught when it's connecting Outbound.

What this means? Sorry to repeat myself, but it seems that everybody is so sure of himself, they do not bother to actually read the problem:
Every application can accept Inbound connections from localhost if the Outbound end of the communication was Allowed. Yes, even if the accepting application was explicitely denied from any communication whatsoever!

This seemingly minor vulnerability can easily be exploited to steal private info, and leak it into the internet, withouth ever being caught by Kerio. I can elaborate if anybody is interested.

Yours,
HSandor]]> http://www.dslreports.com/forum/remark,8403191 Mon, 03 Nov 2003 15:38:24 EDT Re: Release of Kerio Personal Firewall 4.0.6 http://www.dslreports.com/forum/remark,8399691 Curley : Hi Paul,

You might want to take a look at Look'n'Stop's firewall. »www.looknstop.com/En/index2.htm

There forums can be found here: »www.wilderssecurity.com/index.php?board=13]]> http://www.dslreports.com/forum/remark,8399691 Mon, 03 Nov 2003 04:32:10 EDT Re: Release of Kerio Personal Firewall 4.0.6 http://www.dslreports.com/forum/remark,8399506 Paul_C8 : Bleh, I'm with gwion on this 4.x line. If anyone knows of another firewall still in production that caters better to the kerio 2.x crowd please post. I like kerio 2.1.5, but I'd like it even better if it was still worked on.
--
"It's a damn poor mind that can only think of one way to spell a word." - Andrew Jackson]]> http://www.dslreports.com/forum/remark,8399506 Mon, 03 Nov 2003 03:05:29 EDT Re: Release of Kerio Personal Firewall 4.0.6 http://www.dslreports.com/forum/remark,8393660 madirish : Hi foyap.Actually it works pretty smoothly.I can highlight a rule and then use my middle mouse button and scroll up and down.Or I can left click and hold the scroll bar and move up and down very nicely.Other versions were very choppy in movement,but 4.0.6 seems ok.]]> http://www.dslreports.com/forum/remark,8393660 Sun, 02 Nov 2003 13:13:05 EDT Re: Release of Kerio Personal Firewall 4.0.6 http://www.dslreports.com/forum/remark,8393269 foyap : Said by madirish"While reading this,running Mozilla,NAV2002,Abtrusion Protector,Web Washer-opened Kerio to advanced filter rules and started Task Manager my cpu usage was 4%.It now takes about a second to open kerio and another second to go to whatever module I want.They are improving some things."

Ya, you are right. But did you try to scroll up and down on your advance filter rule set after you opened it? I found that the display will hang there for about 10 seconds, after you scroll the bar up and down for few time.]]> http://www.dslreports.com/forum/remark,8393269 Sun, 02 Nov 2003 12:23:38 EDT Re: Release of Kerio Personal Firewall 4.0.6 http://www.dslreports.com/forum/remark,8385140 madirish : said by foyap:"One thing I felt very bad about KPF V.4 is, when I open the advance packet filter and the system security, it will consume 100% of my CPU Usage and it takes about 10 seconds or more to display the page."

While reading this,running Mozilla,NAV2002,Abtrusion Protector,Web Washer-opened Kerio to advanced filter rules and started Task Manager my cpu usage was 4%.It now takes about a second to open kerio and another second to go to whatever module I want.They are improving some things.]]> http://www.dslreports.com/forum/remark,8385140 Sat, 01 Nov 2003 11:30:10 EDT Re: Release of Kerio Personal Firewall 4.0.6 http://www.dslreports.com/forum/remark,8383788 foyap : One thing I felt very bad about KPF V.4 is, when I open the advance packet filter and the system security, it will consume 100% of my CPU Usage and it takes about 10 seconds or more to display the page.]]> http://www.dslreports.com/forum/remark,8383788 Sat, 01 Nov 2003 04:47:41 EDT Re: Release of Kerio Personal Firewall 4.0.6 http://www.dslreports.com/forum/remark,8368020 gwion : OK... let's stay focused, educating, not chastising... :)

Most leaktests are passable, with sound rules. But the problem is, yes, I like that... "scaretests." Some of them are designed to test things packet filters don't have anything to do with... others are more like nMap scans, and that's mostly relevant with a simple packet filter... I use nMap over the LAN, here, for my own tests. I have yet to test 4.x, personally, like that, but I take a position that I'm not spending a few hours testing something that could still change materially by tomorrow morning ;)...

By the way, I haven't had any problems configuring loopback around proxomitron, myself, so long as there are proper denies to compliment the allows. That is, I have to "allow IE out TCP remote 127.0.0.1:8080", or whatever you set up, to your proxy port... it's then critical to follow that with "deny any app out TCP or UDP remote 127.0.0.1:8080". And position those rules carefully. There can't be any inadvertent exceptions above the deny...

I do believe 100% user control of loopback is an absolute requirement for a packet filter... and suggest that any shortcomings in that regard, Kerio or any other firewall, are well-intentioned MS style "oversimplifications at the expense of total granular security" for "idiot proofing". The only legitimate implicit would have to be tied only and directly to the firewall app, to ensure it can't be locked out, but it has to be strict and narrow, only for localhost, etc., and -only- for the firewall...

By the way, nice aside thought, too... for those who don't use IE, it's probably a VERY good idea to block it entirely, and set an alert... any app can be written to call IE to provide an "invisible window" to give it internet access with total transparency, and that isn't configurable in windows... if you don't use IE, it's a natural firewall tunnelling trojan helper app on your system (in fact, one of a few reasons I insist on a proxy filter I can set up this way on localhost is just this, but I digress...) I've characterized that as an architectural flaw in IE and the win32 API, not a "firewall leak." I believe that no app should ever be designed to access anything, anywhere, without telling the user about it in no uncertain terms, and providing a way of limiting or shutting down the feature... but, again, I digress... but this is one of those features that really doesn't help me feel comfortable when MS says, "we're getting serious about security... really... we are... trust us!"
--
Y Ddraig Goch Ddyry Cychwyn
[text was edited by author 2003-10-30 12:59:10]
]]> http://www.dslreports.com/forum/remark,8368020 Thu, 30 Oct 2003 12:56:29 EDT Re: Release of Kerio Personal Firewall 4.0.6 http://www.dslreports.com/forum/remark,8365596 ghost16825 : All the leaktests or should I say "scaretests" passed on my computer, which uses Kerio 2.15 according to my standards.

Nearly all of them connect to a website using TCP protocol, connecting to something on remote port 80. Excuse ME, but this comes down to browser security rather than a "weakness" in the firewall.

If you're going to use this "leak-tests" (scaretests) get them to connect to a non-standard port on a website instead to properly test your rules.

As for the one which opens IE and gets it to connect, well I always have a rule for IE called deny all, because I never use it so it didn't work.

There is have an allow rule for SVCHOST.EXE if you have already made a DHCP rule before it according to BZ's ruleset, and even if you do you should never allow it to communicate to any address, any port.

As usual, this comes down to YOUR rules, not mind reading by the firewall. (What a silly concept!)
There is no such thing as default security ratings only relative terms of security for your configuration.

Your post is an example at its finest of "scare security" by a person who doesn't seem to know much about security themselves.
[text was edited by author 2003-10-30 04:59:55]
]]> http://www.dslreports.com/forum/remark,8365596 Thu, 30 Oct 2003 04:54:46 EDT Re: Release of Kerio Personal Firewall 4.0.6 http://www.dslreports.com/forum/remark,8356550 purelander : Dear Kerio,

i have simple advices for you that will help you get back on track:

1. focus on firewall, 99% of Kerio users hate all in one app, you fail to know your users' preference.

2. go back to 2.1.5, improve on it so that is passes all the leak tests here:
»perso.wanadoo.fr/jugesoftware/fi···est.html

3. make it lighter, if possible.

if you do the above, Kerio will be perfect.
--
Real knowledge is to know the extent of one's ignorance ~ Confucius]]> http://www.dslreports.com/forum/remark,8356550 Wed, 29 Oct 2003 06:51:20 EDT Re: Release of Kerio Personal Firewall 4.0.6 http://www.dslreports.com/forum/remark,8356298 anon : I am suprised to hear that localhost filtering is crippled in 4.0.6, because I think it was already crippled in 2.1.5!

You know (in 2.1.5) if you allow Outbound 127.0.0.1:8080 for your browser (want to use proxomitron), then absolutely any kind of application can accept the connection initiated by your browser. Yes, any application can listen on 8080, and accept Inbound connections from localhost without filtering or MD5, if the Outbound end of the communication channel was Allowed. No matter if you Deny that application, or Deny Inbound to 8080, it passes without questions.

How can this be more crippled in 4.0.6?

regards,
HSandor]]> http://www.dslreports.com/forum/remark,8356298 Wed, 29 Oct 2003 04:15:05 EDT Re: Release of Kerio Personal Firewall 4.0.6 http://www.dslreports.com/forum/remark,8349344 Curley : Well.. I figured id give this new version a try since I haven't tried the last couple releases. I really thought that by now things would be looking much better, but I guess not.

I imported in my old 2.x rules, turned off the IDS, turned off predefined network rules and then proceeded to grc.com to run there tests. All the tests passed fine, but in the logs I noticed only traffic to local ports 1030, 1032, 1034 for TCP were showing up as being blocked. So I restarted my computer and went back again to run the tests all over again. This time only traffic to local ports 1025, 1027, 1029 showed up as being blocked??? Also for ICMP in the logs it doesn't show what ICMP type it is, all it tells you is that its ICMP. For IGMP in the logs, all that shows up is the number 2 under protocol. I reported this to Kerio way back and they acknowledged it, but still haven't done a thing about it. So basically the logs are useless still after all this time. The System security part sounds like its getting worse and the new password protection doesn't sound very good either.

Its really quite sad to think that after all this time since the last v2.1.4 was released some 1 1/2 years ago, this is where we are at now. Honestly, it just seems like Kerio has been stuck in the mud all this time and doesn't have a clue to what they are doing anymore. I remember beta testing version 2 and Kerio being really on the ball with things, listening to its users and taking action right away. Now it seems like they still listen, but there's no action. Perhaps its all due to a change at the top in developers, I don't know. Stanislav Kolar did a wonderful job with version 2, but now the head guy is Tomas Soukup.

Personally, I plan on sticking with version 2.1.5. I don't really have much confidence in Kerio anymore like I once did. If you want system security you can just use SSM for that and for web filtering Proxomitron. Once the 2.x version of Kerio gets outdated ill probably just move on to Look'n'Stop's firewall.
[text was edited by author 2003-10-29 00:20:52]
]]> http://www.dslreports.com/forum/remark,8349344 Tue, 28 Oct 2003 12:27:19 EDT Re: Release of Kerio Personal Firewall 4.0.6 http://www.dslreports.com/forum/remark,8347179 ghost16825 : The really, really dumb thing about this is that these ad-ons come from the open source community and no one has a problem with them in their separate form.

If you look at the help files-> at the IDS -> it mentions it uses the snort engine and also in the help files -> Web makes use of open source standards for web blocking from what I can remember. (No, kpf4 is not on my machine any more)

How a program can be cobbled together when it uses open standards which have heaps of support is beyond me.]]> http://www.dslreports.com/forum/remark,8347179 Tue, 28 Oct 2003 04:25:05 EDT Re: Release of Kerio Personal Firewall 4.0.6 http://www.dslreports.com/forum/remark,8346893 gwion : Oh, I don't doubt the skill, just that we have no idea what sort of separation agreements they signed with Tiny ;) ... Tiny has the sandboxing stuff, and I'll bet they made very sure they kept it, when the dev teams split... I sure would have...

I agree, entirely... modules are something I've been suggesting throughout this project. Some people just don't want all of these functions...

IDS' are fickle critters... for those unfamiliar with the basic concepts, they can be downright scary. They false by nature, if they're half decent, and they tend to be useless, if they're tamed to be user friendly... with Snort, you just comment out problematic rules in the conf's... but you have to know what to comment out... I defer on that one... Chicken Little was a novice using an SFDS ("sky falling detection system"), y'know ;)... I haven't looked that deeply at that part, yet, to pass judgement...
--
Y Ddraig Goch Ddyry Cychwyn]]> http://www.dslreports.com/forum/remark,8346893 Tue, 28 Oct 2003 02:27:51 EDT Re: Release of Kerio Personal Firewall 4.0.6 http://www.dslreports.com/forum/remark,8345013 ghost16825 : Probably the biggest problem is separation of modules.
Trying to be a bit of Proxomitron,a bit of a popup blocker, a bit of an IDS tied firewall doesn't work.

My suggestions:

Get rid of the IDS "priority" system. If the IDS is going to be tied to snort rules you should have control over which signatures to log and which snort signatures get priority over your rules.

Get rid of the ad-blocking, cookie stuff altogether.

App blocking is not complex enough in its present form. Perhaps the best option for the System Security module would be to specify which programs you DON'T want to allow to run and let the rest do what they like. This would avoid the messy situations of which program is allowed to run what, which I don't think Kerio has the skill to do (eg SSM)
Password protection at all times is a must.]]> http://www.dslreports.com/forum/remark,8345013 Mon, 27 Oct 2003 21:53:44 EDT Re: Release of Kerio Personal Firewall 4.0.6 http://www.dslreports.com/forum/remark,8344845 gwion : Nothing, really. It's just a stark departure from the old metaphor. The packet filters are actually a bit better. But I liked the extreme light weight of the old versions, and the minimal GUI. And I like the idea of system security, as they refer to the start controls. In theory, I think it's a far more comprehensive suite.

Problem is, as I've confided to some others, NOBODY, and I do mean NOBODY wants us to have anything as granular and simple and just plain user configurable as the Unix packet filters that literally abound... for BSD and Linux, and so forth. Windows firewalling is literally in bondage to the MS metaphor of oversimplification, massive GUI, massive resource waste... making the simple complex, to make the complex simple, if that makes sense...

No... I don't entirely dislike it, at all. But I do dislike the resource profile. I fully understand their need to make a living, too, so the pay to play features are fine, with me, and the free version's perfectly servicible, for a free version. And I dislike this seeming willy-nilly, year long betaing process. And the seeming lack of a coherent plan, from the outset.

I like making firewalling more accessible for avverage users, too. But I'm adament that power users should never have to compromise their demands, for ease of use. In fact, one nice thing, here, is the way they do allow you to use a preroll, or select a user config, on the filters...

But if I want to shut down localhost:1080, for example, I think I have a right to expect a reputable firewall to allow that... compromising, like that, for the sake of idiot-proofing, is one of the things a lot of us trash MS for. But it's not really just MS, it's the whole community writing to MS platforms.

I'm really glad you asked, because I don't really want to "thrash 'em," I don't thrash ZAP or other products, but those products have always had that metaphor, too, in fairness... I respect their hard work, and I certainly LIKE the idea that they're sort of the "little guys" in this business (so is Tiny, really)... a lot of the problems in communication are, after all, issues of scale. They have to develop a firewall, and they aren't Symantec... sometimes, I do wish they would "brag" that, rather than seeming a little self-conscious about it :) ... hell. I LIKE dealing with a small business. That's the American spirit, and the Czech spirit, too ;) ... you have a great idea, you market it, all that. Sometimes, I think they think we'll mistrust a small group, when reality is that it's usually the other way around... but I digress...

OK, Gwion... say a few good things... here we go...

- much more configurable custom packet filter IF...

- System security's a great feature... so long as it's solid. False security's obviously a terrible risk...

- Web filters are, too. How many people have a real problem securing a Proxo-type filter? Here's an alternative for them... and it seems to do what it should.

A few bad thins I already mentioned... but the reason's not dislike, it's a sincere desire to see a product get better. Sometimes, the biggest favor you can do the Emperor is telling him where and when he's naked.. ;)

A few wishes?
- A simpler, lighter GUI.
- More concern for the working features, less for the glitz.
- NO built-in limitations, whatsoever, of any kind, on the packet filtering component. That's the core of a "conventional" firewall. There should be not ONE thing I can do with IPchains or IPF I can't do with my win32 firewall... NOT ONE. It's doable. And it's good design to do.
- if something's known buggy, don't even PUT it in a release version... better - use plugins for the value added features. That way, I don't have useless code on the system, if I choose to disable something.

Now, just briefly, let me refer to that localhost thing. In a sandbox-centric firewall like Tiny, it's less burdensome, but in a pcaket-filter-centric one, like Kerio, it's entirely inexcusible. I haven't done any testing on that, but if it's in fact true, you can't make absolute rules for loopback, then it's a "bug," not a feature (unless your name's Gates)... fine to implicit rule the firewall's own communications, but anything a millimeter beyond that isn't fine. It's a limitation on what you can do with the core component of the wall. And best form, Tiny, would be to include a full featured packet filter, even if the sandboxing makes it less critical. One shouldn't have to compromise, on very trivially implementable features, just because they aren't "critical" -- redundency, especially when you're learning and just getting started, is a great thing.

Well, I better turn this over to you folks... but I'm glad you asked that - I didn't mean to sound overly harsh, just trying to be a good beta tester, and share my negative impressions, along with my positive ones, and maybe I got a little too focused on the minuses... I really do want to thank the developers for their continued hard work. Coding's not easy, I have enough trouble writing a quick TCL routine or perl script that doesn't screw up royally in its first ten iterations -- SNAFU's the rule of my own minor coding exploits ... and I fully appreciate that.

But this firewall became fairly dear to my heart, in its "old" incarnation... closest thing I ever found to a solid, dependable minimalist packet filter I could run on NT, 2k, even 9x, and any upgrade I decided to adopt down the road. It's hard to let go of that... :)

OK, crew, let's hear the comments... here's our chance to help out on the next version, it's your forum... let us know what you think... and thanks, very much, Kerio. That hard work definitely doesn't go unnoticed... we're just doing our job, too, best we can, over here on our side... :)
--
Y Ddraig Goch Ddyry Cychwyn]]> http://www.dslreports.com/forum/remark,8344845 Mon, 27 Oct 2003 21:35:23 EDT Re: Release of Kerio Personal Firewall 4.0.6 http://www.dslreports.com/forum/remark,8344296 DropnPackets : Greetings to all

Does anyone now where Loopback security has gone?

Does the new kerio release provide loopback security?

I have not installed the release ver, but their previous releases didn't!

And Tiny doesn't either, please see

»www.tinysoftware.com/forum/showt···adid=540

Comments please

Cheers]]> http://www.dslreports.com/forum/remark,8344296 Mon, 27 Oct 2003 20:29:37 EDT Re: Release of Kerio Personal Firewall 4.0.6 http://www.dslreports.com/forum/remark,8344270 Lex Luthor : gwion, what exactly do you not like about kerio 4?

I was a 2.1.x user and now use 4. I'm very happy with it. I've seen no major bugs, had no problems, don't find that it uses up much CPU or an excess of RAM. It's easy to configure and powerful. I really don't see an excess of "bloat".

I'm surprised that more of the 2.1.x users aren't happy with 4.]]> http://www.dslreports.com/forum/remark,8344270 Mon, 27 Oct 2003 20:27:07 EDT Re: Release of Kerio Personal Firewall 4.0.6 http://www.dslreports.com/forum/remark,8343687 gwion : Well... passwording a firewall GUI is not trivial, and it's not a luxury. It's a solid line of defense against scripted tampering, and in an environment where, for example, the kids use your computer as users, they still have complete access to the firewall from the tray. Without a password, any user can circumvent any rule, no problem. Of course, in that scenario, you probably want the paid version, frankly, even if you don't use the webfilters... remote logging and admin, alone, are worth having in that sort of environment.

As for those start controls, well, there's one way to eliminate bugs... just burn out half the kitchen... ;) No more bugs... no more cabinets, no more stove... but no more bugs...

I still think there's an audience who'll find this a nice firewall, but I doubt many of the existing users will. My own feeling's always been that Kerio users have represented a more articulate user class... people who may not be true "power users," but who are at least willing to spend some extra time learning, in return for added granularity and control. These people aren't going to be pleased. I predict Tiny might be getting a few orders, when this goes pure gold, frankly. And I predict we'll be supporting 2.x, here, for a while to come. We may do an "official" poll, somewhere down the road. I would prefer to wait for a final, stable release, but I'm really curious, overall, among existing Kerio users, how many will upgrade, how many will sit tight with 2.x, and how many might be climbing down the ratlines for the longboat, as we speak... ?

Personally, I liked the direction 3.x was going, but I'm less inclined to like what I've seen since 4.x came out... To be a little brutal, I don't buy hardware to support basic firewalling. That was part of the glory of 2.x, to me, it was light, dependable and straightforward. Heavy GUI's and "generic security, suitable for everyday use, some settling and discoloration may occur in shipping" just doesn't do much for me... it was how I found this firewall, in the first place. I was looking for a -simple-, light, configurable firewall, in the model of IPfilter or such, and that wasn't OS-centric, so I could run it under NT, 2k, or whatever OS I might upgrade to, later on.

Yes, Tiny dropped their old metaphor, too, but Tiny also added "industrial strength features" that account for the added resource profile, and the departure from the simple packet filter... seems to me that 85% of what Kerio 4.x adds is GUI and cuteness. And GUI and cuteness are two features I'm relatively unwilling to sacrifice my system resources to support, unless they add a LOT to the functionality and usability of my system. To tell the truth, a pretty firewall isn't what I want, as I'm fond of saying in help threads, what most of us want is to "just make it work." :)
--
Y Ddraig Goch Ddyry Cychwyn]]> http://www.dslreports.com/forum/remark,8343687 Mon, 27 Oct 2003 19:27:46 EDT Re: Release of Kerio Personal Firewall 4.0.6 http://www.dslreports.com/forum/remark,8343319 madirish :

said by Lex Luthor :
Is password protection only for registered users? I let the 30 days expire and web filtering, etc is restricted, but so is password protection. The box is just greyed out and can't be selected.

I think it is.I registered Kerio(liscence works for 2.1.5 and 4 series).We won't know all the particulars,I guess,until the final comes out and Kerio says for sure what is what.]]> http://www.dslreports.com/forum/remark,8343319 Mon, 27 Oct 2003 18:51:11 EDT Re: Release of Kerio Personal Firewall 4.0.6 http://www.dslreports.com/forum/remark,8343063 Lex Luthor : Is password protection only for registered users? I let the 30 days expire and web filtering, etc is restricted, but so is password protection. The box is just greyed out and can't be selected.]]> http://www.dslreports.com/forum/remark,8343063 Mon, 27 Oct 2003 18:25:26 EDT Re: Release of Kerio Personal Firewall 4.0.6 http://www.dslreports.com/forum/remark,8342328 madirish : Well,after trying it out for awhile the password protection is not what it was in 2.1.5 .

Finally got some of the password protection working(don't know why).If you're logged out and you make a change in the advanced packet filitering you will be prompted for a password.BUT if you donot logout, Kerio assumes that it is you that is making the changes .If you forget to logout,anyone can make changes to the firewall.

In 2.1.5,you enabled password,and had to type in the password to get in period.After closing out,goto get back in you had to re-type the password first.Not the case with 4.0.6,forget to logoff and anyone can get in!]]> http://www.dslreports.com/forum/remark,8342328 Mon, 27 Oct 2003 17:17:42 EDT Re: Release of Kerio Personal Firewall 4.0.6 http://www.dslreports.com/forum/remark,8340429 anon : "..I've done minor testing so far, but the fact that they crippled the system security module makes this a horrible release. I didn't think it could get any worse... I was wrong..."

Thanks for still keeping an eye on this project. I have given up on them as they have ruined a nice prog.

Cudni]]> http://www.dslreports.com/forum/remark,8340429 Mon, 27 Oct 2003 13:16:35 EDT Re: Release of Kerio Personal Firewall 4.0.6 http://www.dslreports.com/forum/remark,8340422 madirish : said by BlitzenZues

" Password protection, and Remote admin apparently are part of the paid version, which is not even mentioned in the help file correctly with association with the free version."

unfortunately I have a paid for version.:(]]> http://www.dslreports.com/forum/remark,8340422 Mon, 27 Oct 2003 13:15:53 EDT Re: Release of Kerio Personal Firewall 4.0.6 http://www.dslreports.com/forum/remark,8340160 BlitzenZeus : "Serious Security problem! When you give a program permission to launch other programs, those programs are now launched, and automatically allowed to start without user input. So if a trusted program launches a malicious program it will be started by default!!! Now any script ran from a trusted application will be able to run loose on a system!"

1: You allow explorer.exe to launch other programs.
2: A script tell it to launch malicious.exe, and malicious.exe is set to be allowed to start by default.
3: Malicious.exe is launched without user input.

That is what I'm talking about, please read the rest of the paragraph.
--
My hourly rates:
$25 per hour.
$35 per hour if you want to watch.
$45 per hour if you want to help.
$75 per hour if you tried to fix it, and failed.
[text was edited by author 2003-10-27 12:52:35]
]]> http://www.dslreports.com/forum/remark,8340160 Mon, 27 Oct 2003 12:36:42 EDT Re: Release of Kerio Personal Firewall 4.0.6 http://www.dslreports.com/forum/remark,8340117 matunga :

said by BlitzenZeus :
Less secure than before!
When you give a program permission to launch other programs, those programs are now launched, and automatically allowed to start without user input.

it's not right?]]> http://www.dslreports.com/forum/remark,8340117 Mon, 27 Oct 2003 12:30:16 EDT Re: Release of Kerio Personal Firewall 4.0.6 http://www.dslreports.com/forum/remark,8340084 matunga : - system security icons bug corrected!
- I still have continuously "BAD TRAFFIC LOOPBACK TRAFFIC" messages in intrusion log from 127.0.0.1 to 127.0.0.1 (IN direction). It's my modem problem or my ISP network or what? ]]> http://www.dslreports.com/forum/remark,8340084 Mon, 27 Oct 2003 12:25:58 EDT Re: Release of Kerio Personal Firewall 4.0.6 http://www.dslreports.com/forum/remark,8339949 BlitzenZeus : Less secure than before!

Serious Security problem! When you give a program permission to launch other programs, those programs are now launched, and automatically allowed to start without user input. So if a trusted program launches a malicious program it will be started by default!!! Now any script ran from a trusted application will be able to run loose on a system! Thanks for making the system security module useless Kerio!

Password protection, and Remote admin apparently are part of the paid version, which is not even mentioned in the help file correctly with association with the free version.

I've done minor testing so far, but the fact that they crippled the system security module makes this a horrible release. I didn't think it could get any worse... I was wrong...
--
My hourly rates:
$25 per hour.
$35 per hour if you want to watch.
$45 per hour if you want to help.
$75 per hour if you tried to fix it, and failed.
[text was edited by author 2003-10-27 12:56:23]
]]> http://www.dslreports.com/forum/remark,8339949 Mon, 27 Oct 2003 12:06:01 EDT Re: Release of Kerio Personal Firewall 4.0.6 http://www.dslreports.com/forum/remark,8339860 madirish : DLED the 4.0.6 build.Uninstalled 4.0.4 and installed 4.0.6 .Went to log on to internet and launched Firebird(browser).Kerio prompted me if I wanted Firebird to access the internet.Checked my rules and Kerio did not pick up the .exe for Firebird.After I showed Kerio the .exe there weren't any problems.

Went to GRC and ran scan for 1056 ports.Passed.
Then I checked the logs(network logs) and all that was showing blocked was my "block all" rule (all block rules are set to log).I also noticed that there was no red light on my Kerio icon in sys tray only green.

I clicked on edit for all my block rules(network security>packet filter)and then clicked ok.Reran the GRC test and now the logs are showing Block ICMP,Block all in,Block local ports(still showing only green light at Kerio icon).

Ticked the password protection (overview>preferences) and set my password.Exited Kerio and got back in with no prompt for a password.Deleted a rule and still no prompt for a password.Changed some settings,exited no prompt.Logged out(right click on Kerio icon in sys tray)went back into Kerio and reinstalled the rule I deleted and reset the other changes I made,no prompt for a password.]]> http://www.dslreports.com/forum/remark,8339860 Mon, 27 Oct 2003 11:53:51 EDT Release of Kerio Personal Firewall 4.0.6 http://www.dslreports.com/forum/remark,8338989 Kerio : Hello,

Kerio Personal Firewall 4.0.6 has been released.
You can download it at »www.kerio.com/dwn/kpf4-en-win.exe or check for updates from KPF admin.

MD5 hash of the package:
FDD77C6F9E49962146FB0A4B23B2B513 kerio-pf-4.0.6-en-win.exe

Changes since 4.0.4:
- fixed registration on WIN 98, ME
- fixed bug when Group name contains '&'

+ czech localization
+ password protection
+ remote administration
+ added ability to inspect gzipped http
+ logging and alerts can be turned on/off directly by clicking on rule line in network/system security
+ firewall can now be exited when popup window is shown]]> http://www.dslreports.com/forum/remark,8338989 Mon, 27 Oct 2003 09:39:50 EDT