Re: Kerio PFW 2.14 - Safe?

From: Kerodo (kerodonospamkenny_at_hotmail.com)
Date: 09/09/04


Date: Thu, 9 Sep 2004 11:05:26 -0700

In article <41405562.6080308@pc-tiede.de>, tiede@pc-tiede.de says...
> Kerodo wrote:
> > In article <MPG.1ba9020846f0e67998978f@news.east.earthlink.net>,
> > Casey@nosuch.net says...
> >
> >>Looks like Kerio v2.1 does have stateful packet inspection.
> >>Quoted from the Kerio 2.1 User's Guide:
> >>"The main principal behind a firewall such as KPF is stateful
> >>inspection. This ensures that Personal Firewall only allows
> >>communication initiated from within the local network"
> >>Casey
> >
> >
> > Casey... on second thought, I'm fairly sure that despite what the user's
> > guide says, it does not have SPI. I've seen several references to this
> > in various forums and other groups..
> >
> > And I've seen things to dispute this here as well. If Kerio had SPI
> > then I would not see outbound ICMP type 3 packets to my DNS servers at
> > times. Kerio would only accept responses to DNS initiated by my system.
> > This is however not the case.
> >
>
> ICMP type 3 means "destination-unreachable". This is exactly the answer I
> would expect if the system in question blocks all incoming traffic except
> for traffic on initiated connections.
>
> If Kerio hadn't SPI it couldn't determine whether incoming packets are
> related to one of your initiated connections or not. So you couldn't see
> anything on the internet, since Kerio would block *all* incoming packets.
> It may be true that it's not possible to use Kerio's SPI for finer filter
> rules, but Kerio *must* have it.

I think not, Felix. But I could be wrong.

I have conducted tests here with Kerio 4.1 beta, which DOES have
stateful inspection now, and I don't see any of this outbound ICMP 3
traffic to DNS servers at all. In Kerio 2.1.5 I do see it. This
further supports my thoughts that SPI should block this incoming DNS
traffic if working properly, and it doesn't in Kerio 2.

However, I'm certainly no expert, so I may be totally wrong...

-- 
Kerodo
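
The disagreement in this thread can be worked through with a small model. The following is an added example, not code from any poster or from Kerio: it compares a static "allow inbound UDP from source port 53" rule with per-flow state tracking, and records when the host's own stack would answer a DNS datagram with ICMP type 3 (code 3, port unreachable) because it arrived at a closed port. The addresses, timeouts and traffic are constructed assumptions.

```python
from dataclasses import dataclass

DNS_PORT = 53
STATE_TIMEOUT = 30.0   # assumed idle lifetime of a UDP state entry (seconds)
SOCKET_LIFETIME = 5.0  # assumed time the resolver keeps its UDP socket open

@dataclass(frozen=True)
class Packet:
    t: float        # timestamp in seconds
    direction: str  # "out" or "in", relative to the protected host
    src: tuple      # (ip, port)
    dst: tuple      # (ip, port)

def stateless_allows(pkt):
    """Static rule: pass any inbound UDP whose source port is 53."""
    return pkt.direction == "out" or pkt.src[1] == DNS_PORT

class StatefulFilter:
    """Pass inbound UDP only as a reply to a recent outbound datagram."""
    def __init__(self, timeout=STATE_TIMEOUT):
        self.timeout = timeout
        self.flows = {}  # (local endpoint, remote endpoint) -> last outbound time

    def allows(self, pkt):
        if pkt.direction == "out":
            self.flows[(pkt.src, pkt.dst)] = pkt.t
            return True
        last = self.flows.get((pkt.dst, pkt.src))
        return last is not None and pkt.t - last <= self.timeout

def icmp_unreachable_times(packets, allows):
    """Times at which the host emits ICMP type 3 for a datagram the filter passed."""
    closes_at, icmp = {}, []  # closes_at: local endpoint -> socket close time
    for p in sorted(packets, key=lambda p: p.t):
        if p.direction == "out":
            allows(p)                       # lets a stateful filter record the flow
            closes_at[p.src] = p.t + SOCKET_LIFETIME
        elif allows(p) and closes_at.get(p.dst, -1.0) < p.t:
            icmp.append(p.t)                # passed the filter, but the port is closed
    return icmp

HOST, DNS = "192.0.2.10", "198.51.100.53"   # constructed documentation addresses
TRAFFIC = [                                  # constructed sample traffic
    Packet(0.00, "out", (HOST, 1030), (DNS, DNS_PORT)),   # DNS query
    Packet(0.05, "in", (DNS, DNS_PORT), (HOST, 1030)),    # timely reply
    Packet(40.0, "in", (DNS, DNS_PORT), (HOST, 1030)),    # late duplicate reply
    Packet(41.0, "in", (DNS, DNS_PORT), (HOST, 1031)),    # never solicited
]
```

In this model the static rule passes the late and unsolicited datagrams, so the host answers both with ICMP type 3, while the stateful filter drops them and no ICMP leaves the host. A reply that arrives after the socket closes but before the state entry expires would still pass the stateful filter.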

