Re: Kerio PFW 2.14 - Safe?
From: Kerodo (kerodonospamkenny_at_hotmail.com)
Date: Thu, 9 Sep 2004 11:05:26 -0700
In article <email@example.com>, firstname.lastname@example.org says...
> Kerodo wrote:
> > In article <MPG.email@example.com>,
> > Casey@nosuch.net says...
> >>Looks like Kerio v2.1 does have stateful packet inspection.
> >>Quoted from the Kerio 2.1 User's Guide:
> >>"The main principle behind a firewall such as KPF is stateful
> >>inspection. This ensures that Personal Firewall only allows
> >>communication initiated from within the local network"
> > Casey... on second thought, I'm fairly sure that despite what the user's
> > guide says, it does not have SPI. I've seen several references to this
> > in various forums and other groups.
> > And I've seen things to dispute this here as well. If Kerio had SPI
> > then I would not see outbound ICMP type 3 packets to my DNS servers at
> > times. Kerio would only accept responses to DNS initiated by my system.
> > This is however not the case.
> ICMP type 3 means "destination-unreachable". This is exactly the answer I
> would expect if the system in question blocks all incoming traffic except
> for traffic on initiated connections.
> If Kerio hadn't SPI it couldn't determine whether incoming packets are
> related to one of your initiated connections or not. So you couldn't see
> anything on the internet, since Kerio would block *all* incoming packets.
> It may be true that it's not possible to use Kerio's SPI for finer filter
> rules, but Kerio *must* have it.
I think not, Felix. But I could be wrong.
I have conducted tests here with Kerio 4.1 beta, which DOES have
stateful inspection now, and I don't see any of this outbound ICMP 3
traffic to DNS servers at all. In Kerio 2.1.5 I do see it. This
further supports my thoughts that SPI should block this incoming DNS
traffic if working properly, and it doesn't in Kerio 2.
However, I'm certainly no expert, so I may be totally wrong...
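
The two filtering behaviours argued over in this thread, modelled as an added example (not code from Kerio or from any poster): a filter that keeps per-flow UDP state versus a static "allow source port 53" rule, and the ICMP type 3 (port unreachable) messages the host's own stack would send toward the DNS server in each case. The addresses, ports, 30-second state lifetime and socket close times are constructed assumptions.

```python
from collections import namedtuple

Udp = namedtuple("Udp", "t src sport dst dport")
HOST, DNS = "192.0.2.10", "198.51.100.53"  # constructed documentation addresses
STATE_TTL = 30.0                            # assumed UDP state lifetime, seconds

class StatefulFilter:
    """Accept inbound UDP only if it mirrors a recent outbound flow."""
    def __init__(self, ttl=STATE_TTL):
        self.ttl, self.flows = ttl, {}

    def outbound(self, p):
        # Remember (local addr, local port, remote addr, remote port).
        self.flows[(p.src, p.sport, p.dst, p.dport)] = p.t

    def inbound(self, p):
        seen = self.flows.get((p.dst, p.dport, p.src, p.sport))
        return seen is not None and p.t - seen <= self.ttl

class StatelessFilter:
    """Static rule: accept any inbound UDP whose source port is 53."""
    def outbound(self, p):
        pass

    def inbound(self, p):
        return p.sport == 53

def icmp_unreachables(fw, packets, open_until):
    """Return (time, destination) of each ICMP type 3 the host would emit.

    open_until maps a local port to the time its socket was closed; a UDP
    datagram that passes the filter but finds no open socket triggers it.
    """
    sent = []
    for p in sorted(packets, key=lambda p: p.t):
        if p.src == HOST:
            fw.outbound(p)
        elif fw.inbound(p) and p.t > open_until.get(p.dport, 0.0):
            sent.append((p.t, p.src))
    return sent

PACKETS = [                         # constructed trace
    Udp(0.0, HOST, 1050, DNS, 53),  # query; resolver socket open until t=5
    Udp(0.2, DNS, 53, HOST, 1050),  # prompt reply
    Udp(10.0, HOST, 1051, DNS, 53), # query; resolver gives up at t=15
    Udp(50.0, DNS, 53, HOST, 1051), # late reply, after state lifetime
    Udp(60.0, DNS, 53, HOST, 1060), # unsolicited, no matching query
]
OPEN_UNTIL = {1050: 5.0, 1051: 15.0}

if __name__ == "__main__":
    for fw in (StatefulFilter(), StatelessFilter()):
        print(type(fw).__name__, icmp_unreachables(fw, PACKETS, OPEN_UNTIL))
```

A reply that arrives after the resolver has closed its socket but still inside the state lifetime reaches the stack under either filter, so a stateful filter with a long UDP timeout can still show some of this traffic.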