Re: kerio: (1) Former freeness, & (2) Filter rules precedence

From: sponge (yosponge_at_yahoo.com)
Date: 06/01/03


Date: 1 Jun 2003 01:00:32 -0700

On 1 Jun 2003 03:40:37 GMT, Fred Ma <fma@doe.carleton.ca> wrote:

>Alastair Smeaton wrote:
>>
>> Kerio came about when developers from Tiny split from the parent
>> company.
>>
>> Kerio is free from www.kerio.com
>>
>> Tiny is now payware
>> --
>> Alastair Smeaton
>
>Thanks for clarifying, Alastair. Kerio is in fact
>what I have. And I did find it at their website
>after a 2nd look (it's not one of the 4 product
>photos shown at the top, but it is under the
>products menu, which seems to show up a little
>jumbled on my PC due to use of Large Font).

Ok, I take it you are using v2.1.5, as opposed to the beta like 3.5
and 4. If you're using a beta, I'd drop it as 2.1.5 is the latest
stable release.

That said, Kerio is a rules-based firewall, so the precedence is in
the order the rules are listed top-to-bottom in the Advanced menu. If
you seem to be getting conflicting precedence, odds are your rules are
not configured correctly -- and probably not tight enough.

You don't say explicitly if you are using SSH as a client or a host or
both, but I get the feeling you use it on a server.
Generally, a rule for SSH for a client should look something like
this:
Rule Name: Allow SSH from Subnet #1
Direction: INCOMING
Protocol: TCP & UDP
Local Port: 22
Application: C:\Program Files\Cygwin\CYGWIN.EXE
Remote Endpoint: Address/Mask (enter base address in first line,
subnet mask in second line)
Remote Port: ANY
Action: PERMIT

Rule Name: Allow SSH from Subnet #2
Direction: INCOMING
Protocol: TCP & UDP
Local Port: 22
Application: C:\Program Files\Cygwin\CYGWIN.EXE
Remote Endpoint: Address/Mask (enter base address in first line,
subnet mask in second line)
Remote Port: ANY
Action: PERMIT

Rule Name: Block SSH from all other Networks
Direction: OUTGOING
Protocol: TCP & UDP
Local Port: 22
Application: C:\Program Files\Cygwin\CYGWIN.EXE
Remote Endpoint: Address/Mask (enter base address in first line,
subnet mask in second line)
Remote Port: ANY
Action: DENY

The latter rule blocks everything not specifically allowed in the
previous two (or however many) rules. If you have a "Block All" rule
at the very end of your firewall rules list, you really don't need to
bother with the latter rule because a "Block All" rule blocks
everything not permitted by previous rules.

If you're running SSH on a client, you'd flip directions and also flip
the Local Port and Remote Port entries. If your SSH is tied to a
specific local port, then, obviously, you'd want to put that port in
place of "ANY".

I'm not sure what port ranges are allowable for OpenSSH. When in
doubt, you can always create a "relaxed rule" and observe the
behavior of an application and the protocols it uses, and tighten your
rules based on that. For example, create a single rule like so:

Rule Name: Allow SSH and Observe it
Direction: BOTH
Protocol: TCP & UDP
Local Port: ANY
Application: C:\Program Files\Cygwin\CYGWIN.EXE
Remote Endpoint: ANY
Remote Port: ANY
Action: PERMIT
Log: YES
Alert Me When this Rule Matches: YES

This is an easy way to figure out how to configure Kerio (or any
rules-based firewall) for anything. You can then tighten things up by
specifying the needed local ports, remote ports, remote addresses, and
so on as you see fit.

Sponge
Sponge's Anti-Spyware Source
www.geocities.com/yosponge
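A small first-match evaluator for the rule layout described in the post above, added here as an illustration; it is not part of sponge's post and not Kerio's own code. It assumes the Application field is out of scope, uses placeholder subnets, and writes the catch-all block rule as INCOMING so it sits in the same direction as the two permits. Moving that catch-all above the permits shows why top-to-bottom order decides the outcome.

```python
import ipaddress
from collections import namedtuple

# Constructed model of the fields used in the post (Application omitted); not Kerio's own format.
Rule = namedtuple("Rule", "name direction protocols local_port remote_net remote_port action")
Packet = namedtuple("Packet", "direction protocol local_port remote_ip remote_port")

def matches(rule, pkt):
    """True when every rule field covers the packet; "ANY" and "BOTH" are wildcards."""
    if rule.direction != "BOTH" and rule.direction != pkt.direction:
        return False
    if pkt.protocol not in rule.protocols:
        return False
    if rule.local_port != "ANY" and rule.local_port != pkt.local_port:
        return False
    if rule.remote_port != "ANY" and rule.remote_port != pkt.remote_port:
        return False
    if rule.remote_net != "ANY" and ipaddress.ip_address(pkt.remote_ip) not in rule.remote_net:
        return False
    return True

def evaluate(rules, pkt, default="DENY"):
    """Scan top to bottom; the first matching rule decides. Returns (action, rule name)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.name
    return default, "implicit default"   # nothing matched: behave like a trailing "Block All"

# Constructed rules in the post's layout; subnets are placeholders (RFC 5737 documentation ranges).
ALLOW_NET1 = Rule("Allow SSH from Subnet #1", "INCOMING", {"TCP", "UDP"}, 22,
                  ipaddress.ip_network("192.0.2.0/24"), "ANY", "PERMIT")
ALLOW_NET2 = Rule("Allow SSH from Subnet #2", "INCOMING", {"TCP", "UDP"}, 22,
                  ipaddress.ip_network("198.51.100.0/24"), "ANY", "PERMIT")
# Assumed INCOMING here so the catch-all covers the same traffic the two permits do.
BLOCK_REST = Rule("Block SSH from all other Networks", "INCOMING", {"TCP", "UDP"}, 22,
                  "ANY", "ANY", "DENY")

GOOD_ORDER = [ALLOW_NET1, ALLOW_NET2, BLOCK_REST]   # specific permits first, catch-all last
BAD_ORDER = [BLOCK_REST, ALLOW_NET1, ALLOW_NET2]    # catch-all first shadows both permits

# Constructed sample traffic.
SSH_FROM_NET1 = Packet("INCOMING", "TCP", 22, "192.0.2.10", 51515)
SSH_FROM_ELSEWHERE = Packet("INCOMING", "TCP", 22, "203.0.113.7", 40000)

if __name__ == "__main__":
    for order, label in ((GOOD_ORDER, "permits first"), (BAD_ORDER, "catch-all first")):
        for pkt in (SSH_FROM_NET1, SSH_FROM_ELSEWHERE):
            print(label, pkt.remote_ip, "->", evaluate(order, pkt))
```

With the permits first, only the two subnets reach port 22; with the catch-all first, even the allowed subnet is denied because the deny rule matches before the permits are ever consulted.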
