Re: Security Newbie - DSNkong, Proxomitron, Kerio

From: Dave (dantesdigest2_at_yahoo.com)
Date: 11/17/03


Date: 17 Nov 2003 13:58:34 -0800

yosponge@yahoo.com (sponge) wrote in message news:<8d76ec03.0311150157.7d44693c@posting.google.com>...
> On 14 Nov 2003 02:33:36 -0800, dantesdigest2@yahoo.com (Dave) wrote:
>
> >yosponge@yahoo.com (sponge) wrote in message news:<8d76ec03.0311131510.3f8b88ea@posting.google.com>...
> >> On 13 Nov 2003 08:21:54 -0800, dantesdigest2@yahoo.com (Dave) wrote:
> >>
> >> >Hi Everyone,
> >> >
> >> >Hope someone can help me. I'm new to this stuff and am struggling
> >> >with accomplishing a couple of things.
> >> >
> >> >I've installed all that I listed in the subject heading and have got
> >> >it working. A big accomplishment for me! :)
> >> >
> >> >I'm still having a couple of issues:
> >> >I can't seem to connect to my website's cpanel manager.
> >> >www.mydomain.com:2086
> >> >
> >> >I can't seem to get my FTP programs to work. I use Dreamweaver and
> >> >Filezilla.
> >> >
> >> >I imagine these are simple to fix, but I've been struggling for the
> >> >last few hours and not having any luck finding the answer in the
> >> >groups.
> >> >
> >> >Thanks in advance for any help you can offer.
> >> >
> >> >Cheers,
> >> >
> >> >Dave
> >>
> >> Did you use one of my firewall rulesets? If so, go into the rule list
> >> (right click Kerio's icon, select Administration, then click the
> >> Advanced button on the menu that comes up). Scroll towards the very
> >> end (don't use the square up-down arrows to scroll, use the regular
> >> Windows scrollbar.) Find the rules pertaining to whatever browser you
> >> use and highlight the one called (whatever) Out. For example, if you
> >> use Mozilla, click the one called Mozilla Out and click Edit. In the
> >> Remote Port field, you can either add in the ports you will use (like
> >> 2086), separated by commas, or you can just set this to 'any' port. (I
> >> do not recommend setting it to allow connection to 'any' port because
> >> a lot of spam sites use non-standard ports; however, I realize your
> >> needs may differ.) Click Ok, then Apply in the next menu, and Ok again
> >> to get out of the config screen. Everything should work fine.
> >>
> >> Sponge
> >> Sponge's Secure Solutions
> >> www.geocities.com/yosponge
> >> My new email: yosponge2 att yahoo dott com
> >
> >
> >Thanks Sponge!
> >
> >You're awesome for the amount of help you offer others. I can now
> >connect to cpanel, but still cannot FTP.
> >
> >The strange thing is that even if I turn off kerio and proxomitron and
> >dnskong, I still can't ftp. I was able to perfectly before I
> >installed all this stuff. When kerio is on I see that it is allowing
> >Dreamweaver to call out, but it will still not connect.
> >
> >Any thoughts?
> >
> >Thanks again,
> >
> >Dave
>
> Firewalls and FTP don't get along. In fact, FTP is very antithetical
> to a firewall's operation. There are a lot of ways around this,
> though:
>
> 1. Use FreshDownload (http://www.freshdevices.com/downfiles.html) and
> create a rule in Kerio allowing it full access. Go into Kerio's
> Advanced (rule-list) menu by right-clicking Kerio, select
> Administration, then click the Advanced button. Go down towards the
> bottom and click Insert (just make sure it's above the rule called
> "Block All".) Give it a name, select TCP/UDP, BOTH directions, and for
> application, find the installed application (it helps to run it first
> so Kerio knows it's there) and select it. Everything else in the rule
> should be left alone. (ANY local port, ANY remote port, action set to
> Permit, etc.). You should be able to FTP away. I recommend this method
> most, for a lot of reasons: FreshDownload, IMHO, is the best download
> manager on the market, and one of the few that is spyware-free and/or
> doesn't cost $20 or more. Since it only runs on demand, you will lose
> very little protection.
>
> 2. You can temporarily shut down Kerio. This is the least-recommended
> method.
>
> 3. You can set whatever FTP program you use to Passive (PASV) mode.
> You can also create or modify a rule in Kerio, allowing that program
> access to ports 20 and 21 (TCP, BOTH directions, the rest leave
> alone).
>
> 4. If you need to FTP from your browser, simply go into Kerio's
> rule-list menu, find your browser, and set it as follows:
>
> Rule name: <your browser name> Out
> Protocol: TCP/UDP
> Direction: BOTH
> Local Port: ANY
> Application: <your browser's location on disk>
> Remote Address: ANY (or, if you FTP to the same IP or group of IPs,
> use either single IP or network/mask to select them)
> Remote Port: ANY
> Action: Permit
>
> This is appreciably less secure than using FreshDownload, but better
> than shutting down the firewall. Unfortunately, FTP is always a
> security problem, no matter which firewall you use.
>
> Sponge
> Sponge's Secure Solutions
> www.geocities.com/yosponge
> My new email: yosponge2 att yahoo dott com

Hi Sponge,

Thanks for your responses. I thought you might be interested in this.
Apparently in Windows XP there is something called an Application
Layer Gateway. This needs to be set up in Kerio in order for FTPing
to be allowed. I learned this from someone else. Once I placed the
following rules in Kerio I was able to ftp from Dreamweaver. I assume
that Filezilla will work also.

Application Layer Gateway OUT
UDP/TCP OUT
Local Endpoint:
Any Port
Application: ALG.exe

Remote Endpoint:
Any address
Single Port 21

Application Layer Gateway IN
UDP/TCP IN
Local Endpoint:
Any Port
Application: ALG.exe

Remote Endpoint:
Any address
Single Port 20

Hope this info is useful to you. From a security standpoint does it
look ok?

Cheers,

Dave
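Added example (editor's, not code from anyone in the thread): the thread turns on the difference between FTP's two data-connection modes, which is why Sponge's option 3 (passive mode plus an outbound rule) and Dave's pair of ALG.exe rules (outbound to port 21, inbound from port 20) both work, but for different sessions. The model below decodes a PASV reply and a PORT command the way an FTP client does, derives the direction of the resulting data connection, and checks each connection against rules shaped like the Kerio rules quoted above (direction, application, remote port; local port and remote address left at "any"). The server and client addresses, the 227 reply, the PORT command and the program names are constructed for the example; the model deliberately ignores TCP state tracking and anything else Kerio may do beyond the fields in those rules.

```python
# Added example, not from the original thread: a small model of the two FTP
# data-connection modes and of firewall rules shaped like the Kerio rules
# quoted above. Addresses, ports and server replies below are constructed.
import re
from dataclasses import dataclass
from typing import List, Optional

PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


def decode_hostport(groups):
    """FTP encodes host and port as h1,h2,h3,h4,p1,p2 with port = p1*256 + p2."""
    host = ".".join(groups[:4])
    return host, int(groups[4]) * 256 + int(groups[5])


@dataclass(frozen=True)
class Flow:
    direction: str    # "OUT": our host connects out; "IN": the peer connects to us
    app: str          # local program handling the connection
    remote_addr: str
    remote_port: int  # for IN flows this is the peer's *source* port
    local_port: int


def data_flow_from_pasv(reply: str, app: str, client_port: int = 49152) -> Flow:
    """Passive mode: after PASV the client opens the data connection OUT to the
    address/port the server names in its 227 reply."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    host, port = decode_hostport(m.groups())
    return Flow("OUT", app, host, port, client_port)


def data_flow_from_port(cmd: str, app: str, server_addr: str) -> Flow:
    """Active mode: the client sends PORT with a listening port of its own and
    the server connects IN to it, conventionally from its own port 20."""
    m = PORT_RE.match(cmd)
    if not m:
        raise ValueError("not a PORT command: %r" % cmd)
    _, listen_port = decode_hostport(m.groups())
    return Flow("IN", app, server_addr, 20, listen_port)


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str
    app: str
    remote_port: Optional[int]  # None = any; local port and remote address are any

    def matches(self, f: Flow) -> bool:
        return (self.direction == f.direction and self.app == f.app
                and (self.remote_port is None or self.remote_port == f.remote_port))


# The two rules Dave posted, as this model reads them.
ALG_RULES = [
    Rule("Application Layer Gateway OUT", "OUT", "ALG.exe", 21),
    Rule("Application Layer Gateway IN", "IN", "ALG.exe", 20),
]
# Sponge's option 3: the FTP program itself may reach any remote port (constructed name).
PASSIVE_RULES = [Rule("Filezilla Out", "OUT", "filezilla.exe", None)]


def ftp_session_flows(mode: str, app: str, server: str = "203.0.113.10") -> List[Flow]:
    """The control connection plus one data connection, for 'active' or 'passive'."""
    control = Flow("OUT", app, server, 21, 49151)
    if mode == "passive":
        data = data_flow_from_pasv("227 Entering Passive Mode (203,0,113,10,195,80)", app)
    elif mode == "active":
        data = data_flow_from_port("PORT 192,0,2,5,192,22", app, server)
    else:
        raise ValueError(mode)
    return [control, data]


def blocked(mode: str, app: str, rules: List[Rule]) -> List[Flow]:
    """Flows of an FTP session that no rule in `rules` permits."""
    return [f for f in ftp_session_flows(mode, app)
            if not any(r.matches(f) for r in rules)]


if __name__ == "__main__":
    for label, app, rules in (("ALG rules", "ALG.exe", ALG_RULES),
                              ("passive-only rule", "filezilla.exe", PASSIVE_RULES)):
        for mode in ("active", "passive"):
            print(label, mode, "blocked:", blocked(mode, app, rules))
    # The IN rule keys only on the peer's source port, which the peer chooses.
    probe = Flow("IN", "ALG.exe", "198.51.100.7", 20, 3000)
    print("unrelated inbound from source port 20 to ALG.exe permitted:",
          any(r.matches(probe) for r in ALG_RULES))
```

Run as-is, the model shows what the thread describes from both sides: Dave's ALG rules pass an active-mode session (outbound control to 21, inbound data from 20) but block the passive data connection, whose remote port (50000 in the constructed 227 reply) matches neither rule; the passive-only client rule does the reverse, passing the passive session and blocking the inbound active data connection. The last lines are the check a practitioner would want on Dave's question: the IN rule is satisfied by any inbound connection whose source port is 20, and the source port is chosen by the remote side, so the rule admits any such connection to any port ALG.exe has open, not only the data connection of an FTP transfer ALG.exe is mediating.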