 DavidGGG
join:2007-07-06 Chesterfield, VA
reply to BlitzenZeus Re: BZ Kerio 2x Default Replacement Update
Thanks for an invaluable post; without it I wouldn't have dared to use K2.1.5.
I posted the following, which are suggestions on how K2.1.5 may be used by "Dummies": »[Kerio 2.x] Kerio 2.1.5 "for Dummies"
I put this remark here since it's a direct extension to BZ's rule set, and to make it easier for those who are interested to find it. Also, to make sure BZ doesn't miss the chance to comment on it (hope to catch you in a good mood though!).
 MQY
join:2003-08-19 Flushing, NY
reply to BlitzenZeus
Good learning, thank you.
Wildcatboy Premium,Mod join:2000-10-30 Toronto, ON
reply to BlitzenZeus (topic move) BZ Kerio 2x Default Replacement Update
Moderator Action: The post that was here has been moved to a new topic: »ICS Configuration Settings
Stated reason was: Moved to its own thread.
  Sudy Nim
@sk.ca
reply to BlitzenZeus Re: BZ Kerio 2x Default Replacement Update
That's great to know. Thanks for your help. I've got some questions, which I'll post in a new thread.
BlitzenZeus Burnt Out Cynic Premium,MVM join:2000-01-13 Beaverton, OR
reply to Sudy Nim
It should still work how it was intended, but things like the VeriSign DNS abuse rule might be useless now as that problem was rectified; however, it should not hurt to leave it enabled, and if necessary it can be disabled or deleted.
  Sudy Nim
@sk.ca
reply to BlitzenZeus
BZ, thanks muchly!
Is this ruleset still as valid (mid 2006) as when posted in 2003?
  Spencer67
join:2003-06-30 United States
reply to gwion
BlitzenZeus, thank you very much for all of your help; I love this firewall.
gwion wild colonial boy Premium,ExMod 2001-08 join:2000-12-28 Pittsburgh, PA
reply to gwion (topic move) BZ Kerio 2x Default Replacement Update
Moderator Action: The post that was here, and all follow-ups to it, were moved to a new topic: »BZ Kerio 2x Default question
  gwion wild colonial boy Premium,ExMod 2001-08 join:2000-12-28 Pittsburgh, PA
reply to BlitzenZeus Re: BZ Kerio 2x Default Replacement Update
FINAL RELEASE:
Calculating hash of 18867 bytes file `E:\...\BZ Kerio 2x Default Replacement - Standard - Final.conf`...
SHA-256 : B2AAB8877E543A2839E201BE7283F463C0EFA10E199ABF122CF1D0F195B7DC44 SHA-512 : 8A3513C75CE3C012E6A485677C8DCDBF0B9ADA17AC47C048EDFA23A7B2873C8092E06C638A51872AA2 A8F0FC0118 F2E43B9E7AE4C8B57AA5E3D8458CDEA59B6E MD5 : 680B537B426C791216BC5B33124E66EB RIPEMD-160 : E46065A06A08FA7ABA68B69AA5E1B9283C14056D CRC-32 : 81D0973E
Calculation took 0.015 seconds
Calculating hash of 25135 bytes file `E:\...\BZ Kerio 2x Default Replacment - Advanced - Final.conf`...
SHA-256 : 4AF8EBD4457D077B951909413D131C1A35DDAF101E215D17A5513DB457D98FC1 SHA-512 : D8496582DD05E65E0A0049A20373DAAAD033DA160D8BF4D64B35B967EB3257797E82FD5B70DA1B5A97 50D49662D5 25ECCC40B78EC84AD13216A9D617C8B29F20 MD5 : 0EBFDA1392D21160C7352F343CAAE667 RIPEMD-160 : 26C1F31011D84B3B090C7DF095FD4959DF7C80F6 CRC-32 : F4268B09
Calculation took 0.016 seconds -- Semper Eadem
- ... his original destination's just another story that he loves to tell.
  zippythezipp
join:2001-10-21 Canada
reply to BlitzenZeus
I still use Kerio 2.x on 3 of my PCs and would like to thank you for the default replacement template and this thread. ;) Have a great day.
  BlitzenZeus Burnt Out Cynic Premium,MVM join:2000-01-13 Beaverton, OR
·Verizon FIOS
·Verizon Online DSL
reply to BlitzenZeus
This is a thread I did a long time ago, and it's still valid today; it's just kinda fallen through the cracks. If you're wondering if Kerio 2x is the kind of firewall for you, you might want to read this thread. »Do you need, or know enough to use TPF/KPF?
-- My hourly rates: $25 per hour. $35 per hour if you want to watch. $45 per hour if you want to help. $75 per hour if you tried to fix it, and failed. The biggest error is sitting in front of your keyboard.
  BlitzenZeus Burnt Out Cynic Premium,MVM join:2000-01-13 Beaverton, OR
·Verizon FIOS
·Verizon Online DSL
reply to BlitzenZeus
Final release of this default replacement
- Fixed the typo noted in the previous post.
- Added the 'Custom Address Group DNS' rule, which any user could have made; since I use this template myself when I start over, I also added it for myself.
There is no reason to start over again; I mainly just wanted to fix my typo. Images of the rulesets are in the .zip file for examination/comparison.
Due to a severe lack of free time lately I might not be around to assist users who have questions about using the ruleset, or its configuration on your computer. Please make sure you read the FAQs, and search the forum to see if your question has already been answered.
  BlitzenZeus Burnt Out Cynic Premium,MVM join:2000-01-13 Beaverton, OR
·Verizon FIOS
·Verizon Online DSL
reply to BlitzenZeus
I made a typo which I didn't double-check before I released this update; even the previous thread had the correct mask, although it should be outbound only. »Preventing IP spoofing of the localhost
So 127.0.0.0/255.0.0.0 is correct for the mask when used for the loopback.
  BlitzenZeus Burnt Out Cynic Premium,MVM join:2000-01-13 Beaverton, OR
·Verizon FIOS
·Verizon Online DSL
1 edit
reply to BlitzenZeus
Minor Update
Rules:
- Changed loopback rules to outbound, and to a specific subnet. There should not be issues with this; otherwise you can just edit the rule back to a single address with 127.0.0.1 still in the rule.
- Deleted one rule, and edited another anti-spoofing rule covering the 127.x range due to the change in loopback rules.
Settings:
- Logging of packets to opened ports has been disabled; if you really want to log these packets, just re-enable the setting in the Miscellaneous tab under Advanced.
Nothing special about this update, just a couple of things people could have done themselves after they downloaded the ruleset.
 bogape
join:2003-02-25 New Zealand
1 edit
reply to BlitzenZeus
Re your Windows Services Block (Log) rule: you block local ports 135, 445, 500.
Should this not be 5000, as per your earlier post? »Just one example of rules
Edit: port 500 is UDP IPsec Services. Should I just add 5000 then and keep 500?
Just found your answer in a previous post: »win xp services block rule
  BlitzenZeus Burnt Out Cynic Premium,MVM join:2000-01-13 Beaverton, OR
·Verizon FIOS
·Verizon Online DSL
reply to ghost16825
They are not ad-blocking rules by any means, but are meant to block packets which could have a spoofed source IP address. The anti-spoofing rules are used for private/unused IP ranges which should not be used over internet connections. If you do run a LAN, the allow rules, when enabled and configured correctly for your setup, will compensate for these blocking rules before they affect your connections.
As an example, some have found they are getting packets from 192.168.0.100 when they are not even on a network of any kind, and the packets are actually Messenger spam targeted at UDP port 1026. This way you can't trace the real source, and if it got through you might see a Messenger window on your desktop advertising something.
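A small Python model of the rule ordering this post describes (LAN allow rules placed above the anti-spoofing blocks, and the spoofed 192.168.0.100 Messenger spam falling through to a block) together with the outbound-only loopback rule and 127.0.0.0/255.0.0.0 mask from BZ's typo post above. This is constructed example code, not BZ's .conf or Kerio's own engine; the rule names, their order, the LAN subnet and the sample packets are assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    action: str              # "permit" or "deny"
    direction: str           # "in", "out" or "both"
    remote_net: str          # CIDR or dotted-mask form, e.g. "127.0.0.0/255.0.0.0"
    local_ports: tuple = ()  # empty means any local port
    log: bool = False
    enabled: bool = True

def build_rules(lan_enabled=False):
    # Constructed ordering modelled on the thread's description, not the .conf file itself.
    return [
        # Loopback is outbound only, with the /8 mask the thread settles on.
        Rule("Loopback", "permit", "out", "127.0.0.0/255.0.0.0"),
        # A LAN allow rule sits above the anti-spoofing blocks so it wins when enabled (assumed /24).
        Rule("LAN allow", "permit", "both", "192.168.0.0/24", enabled=lan_enabled),
        Rule("Windows Services Block", "deny", "in", "0.0.0.0/0", (135, 445, 500), log=True),
        # Anything arriving from the loopback or private ranges over the internet is spoofed.
        Rule("Anti-spoof 127.x", "deny", "in", "127.0.0.0/8", log=True),
        Rule("Anti-spoof 10.x", "deny", "both", "10.0.0.0/8", log=True),
        Rule("Anti-spoof 172.16.x", "deny", "both", "172.16.0.0/12", log=True),
        Rule("Anti-spoof 192.168.x", "deny", "both", "192.168.0.0/16", log=True),
    ]

def matches(rule, direction, remote_ip, local_port):
    if not rule.enabled or rule.direction not in (direction, "both"):
        return False
    if rule.local_ports and local_port not in rule.local_ports:
        return False
    return ipaddress.ip_address(remote_ip) in ipaddress.ip_network(rule.remote_net)

def evaluate(rules, direction, remote_ip, local_port):
    """First matching rule wins (top to bottom, as Kerio walks its list).
    Returns (action, rule name, logged); unmatched packets fall to an implicit deny."""
    for rule in rules:
        if matches(rule, direction, remote_ip, local_port):
            return rule.action, rule.name, rule.log
    return "deny", "implicit default", False

if __name__ == "__main__":
    # Constructed samples: the Messenger-spam packet from the post, with and without a LAN.
    spam = ("in", "192.168.0.100", 1026)
    print(evaluate(build_rules(), *spam))                  # denied by Anti-spoof 192.168.x
    print(evaluate(build_rules(lan_enabled=True), *spam))  # LAN allow now wins
    print(evaluate(build_rules(), "in", "127.0.0.1", 80))  # inbound loopback = spoofed
```

Swapping the order of the LAN allow and anti-spoof entries in build_rules shows why the post says the allow rules must come before the blocking rules to "compensate" for them.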
 ghost16825 Use security metrics Premium join:2003-08-26
reply to BlitzenZeus
In your advanced rules, under the zero octet rule, are these rules really only necessary for LAN connections? Are they really rules to block ad servers, or just to prevent spoofing for LAN connections?
[text was edited by author 2003-10-14 06:35:14]
  BlitzenZeus Burnt Out Cynic Premium,MVM join:2000-01-13 Beaverton, OR
·Verizon FIOS
·Verizon Online DSL
reply to jfahrner
It's rare to find it used on mail servers these days, more like outdated mail servers, and it's mostly IRC servers that still use this.
If anyone must allow this, only allow it from the servers that require it; allowing it from any address will prevent you from being stealth, for those who care about it.
Inbound tcp Server.IP: Any -> Your.IP: 113
Remember this is a starting template; I will not include it at this time, and people can make the rule themselves if they really need to. Being stealth goes against RFC protocols anyway, so stating RFC doesn't mean anything here, and there would be more comments about how people were not stealth than you could even think of if I allowed port 113.
 jfahrner
join:2003-09-25 Germany
reply to BlitzenZeus
Hello, I think TCP port 113 should be opened. This is because of the auth protocol for some mail servers. It is described in RFC 1413. When this port is not opened, it causes a significant delay during login on some mail servers. Even if there is no listener on this port, the server waits for a response in its attempt to open this port.
Regards, Jochen
  BlitzenZeus Burnt Out Cynic Premium,MVM join:2000-01-13 Beaverton, OR
·Verizon FIOS
·Verizon Online DSL
reply to pgoelz
The MS tab covers NetBIOS, and attempts to control access to shares with NetBIOS over TCP/IP. Also, these rules are made to work with NetBIOS configurations since that is what most people run.
I'm not familiar with IPX configurations, but if it uses normal IP addressing then you likely would have to use some LAN allow rules. If it works like NetBEUI then it would run as its own protocol, separate from those rules and settings.
If NetBIOS is enabled on one of your machines, you could leave it enabled if you have to in the case where the rules/settings are not needed, but it obviously would only talk to other machines for share access that run NetBIOS. In this case I wouldn't have them enabled at all, and would just keep track of the port 137-139 hits on your other machines, as it will try to advertise itself.