Velocity Reviews - Computer Hardware Reviews


Kerio 2.1.5 problem?

 
 
Kerodo
05-09-2004
I'm writing because I think I might have discovered some kind of Kerio
2.1.5 problem and I'd like to hear anyone's thoughts or ideas on it.

I've been doing plenty of research and I think I've got my Kerio rules
nailed down pretty tight here. I've used parts of sponge's rules and
others as well, and as far as I can tell my rules should be blocking all
incoming traffic that I don't want as well as outbound traffic not
authorized and so on.

What I'm seeing here is a couple times a day there's Outbound ICMP Type
3 going out to random IP addresses. I also see Type 3 outbound to my
ISP's DNS Servers, but that doesn't bother me. It's apparently being
triggered by the DNS servers somehow. Every time there's outbound Type 3
to DNS, it's because of some corresponding incoming DNS, so that's no
problem.

The random outbound Type 3 however, doesn't appear to be related to
anything. What I'm concerned about is that packets are somehow getting
IN thru the firewall without my permission and triggering this outbound
Type 3 to random IPs. What else could possibly cause or trigger
outbound type 3?

I turned on logging for ALL my rules, even DNS, DHCP and so on.
Everything. When I see the outbound type 3 there doesn't appear to be
any other events logged that relate to it in any way, timewise or
otherwise, so there's nothing I can see causing it. But SOMETHING has
to be triggering it, right?

Could this be a hole in Kerio itself somehow? Packets occasionally
getting in without being logged or permitted by me? There doesn't
appear to be any other explanation...

Any ideas on this one? It does concern me. Something doesn't seem
right here...

I've also run Sygate 5.5 and this behavior does NOT occur in Sygate,
which does log EVERYTHING. So it seems to be a problem specific to
Kerio 2.1.5.

I'm running Win2k on a standalone system, not networked to any other
PCs, on a cable connection, etc.


--
Kerodo
 
scroob
05-09-2004
Kerodo <kerodo~nospam~(E-Mail Removed)> wrote in
news:(E-Mail Removed):

> What I'm seeing here is a couple times a day there's Outbound ICMP Type
> 3 going out to random IP addresses.


Disallow all ICMP, in and out. I've been doing it for years and haven't
seen a single bad result.
 
Kerodo
05-09-2004
In article <(E-Mail Removed)>, (E-Mail Removed)
says...
> Kerodo <kerodo~nospam~(E-Mail Removed)> wrote in
> news:(E-Mail Removed):
>
> > What I'm seeing here is a couple times a day there's Outbound ICMP Type
> > 3 going out to random IP addresses.
>
> Disallow all ICMP, in and out. I've been doing it for years and haven't
> seen a single bad result.


My concern is that the Outbound ICMP type 3 is an indication that UDP is
getting In thru the firewall somehow without my permission. So far I
see no explanation for it. Looks like there's a hole in Kerio somehow..
I've even tried using a brand new default rule set and just configuring
my dns servers as a custom group but the same problem occurs again.
Something tells me this isn't good..

--
Kerodo
 
scroob
05-09-2004
Kerodo <kerodo~nospam~(E-Mail Removed)> wrote in
news:(E-Mail Removed):

> My concern is that the Outbound ICMP type 3 is an indication that UDP
> is getting In thru the firewall somehow without my permission. So far
> I see no explanation for it. Looks like there's a hole in Kerio
> somehow.. I've even tried using a brand new default rule set and just
> configuring my dns servers as a custom group but the same problem
> occurs again. Something tells me this isn't good..


I wouldn't worry. I see outbound ICMP attempts all the time. It's always
the TCPIP Kernel Driver and the address is always that of my ISP, which
leads me to believe that it's trying to respond to something that the ISP
server asked it.
 
Kerodo
05-09-2004
In article <(E-Mail Removed)>, (E-Mail Removed)
says...
> Kerodo <kerodo~nospam~(E-Mail Removed)> wrote in
> news:(E-Mail Removed):
>
> > My concern is that the Outbound ICMP type 3 is an indication that UDP
> > is getting In thru the firewall somehow without my permission. So far
> > I see no explanation for it. Looks like there's a hole in Kerio
> > somehow.. I've even tried using a brand new default rule set and just
> > configuring my dns servers as a custom group but the same problem
> > occurs again. Something tells me this isn't good..
>
> I wouldn't worry. I see outbound ICMP attempts all the time. It's always
> the TCPIP Kernel Driver and the address is always that of my ISP, which
> leads me to believe that it's trying to respond to something that the ISP
> server asked it.

Yes, I see outbound icmp 3 to my ISP's DNS servers, but the ones I'm
worried about are icmp 3 to other random addresses.
--
Kerodo
 
ric
05-10-2004
On Sun, 9 May 2004 10:31:44 -0700, Kerodo
<kerodo~nospam~(E-Mail Removed)> wrote:

> In article <(E-Mail Removed)>, (E-Mail Removed)
> says...
> > Kerodo <kerodo~nospam~(E-Mail Removed)> wrote in
> > news:(E-Mail Removed):
> >
> > > My concern is that the Outbound ICMP type 3 is an indication that UDP
> > > is getting In thru the firewall somehow without my permission. So far
> > > I see no explanation for it. Looks like there's a hole in Kerio
> > > somehow.. I've even tried using a brand new default rule set and just
> > > configuring my dns servers as a custom group but the same problem
> > > occurs again. Something tells me this isn't good..
> >
> > I wouldn't worry. I see outbound ICMP attempts all the time. It's always
> > the TCPIP Kernel Driver and the address is always that of my ISP, which
> > leads me to believe that it's trying to respond to something that the ISP
> > server asked it.
>
> Yes, I see outbound icmp 3 to my ISP's DNS servers, but the ones I'm
> worried about are icmp 3 to other random addresses.

Determining the subtype might help narrow it down a bit.
It's probably 2 - Protocol unreachable or 3 - Port unreachable.

For example, there might be a rule that allows any protocol on a
certain port, but the specified protocol is unavailable.
 
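ric's suggestion is the right diagnostic, and there is more in the packet than the subtype: an ICMP Destination Unreachable message carries, after its own 8-byte header, the IP header and the first 8 bytes of the datagram that provoked it. Decoding an outbound type 3 therefore tells you the code (2 = protocol unreachable, 3 = port unreachable) and the exact inbound packet, with source address and ports, that reached the host's IP stack. That is what a firewall log line that only says "outbound ICMP type 3" hides, and it answers the question of whether a UDP datagram got through. The decoder below is an added example, not Kerio code and not from any poster in the thread; it builds its own sample packets (addresses from the RFC 5737 documentation ranges), and the function names and the classification labels are mine.

```python
"""Decode an outbound ICMPv4 Destination Unreachable (type 3) packet.

Added example, not from the thread: the sample packets are constructed
here, so the script runs offline. A real packet would come from a
capture on the host.
"""
import socket
import struct

# Destination Unreachable codes (RFC 792, RFC 1122, RFC 1812).
UNREACHABLE_CODES = {
    0: "net unreachable",
    1: "host unreachable",
    2: "protocol unreachable",
    3: "port unreachable",
    4: "fragmentation needed and DF set",
    5: "source route failed",
    6: "destination network unknown",
    7: "destination host unknown",
    8: "source host isolated",
    9: "network administratively prohibited",
    10: "host administratively prohibited",
    11: "network unreachable for TOS",
    12: "host unreachable for TOS",
    13: "communication administratively prohibited",
}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; 0 means 'valid'."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_port_unreachable(local: str, remote: str, remote_port: int,
                           local_port: int) -> bytes:
    """Constructed sample: what `local` sends back after receiving a UDP
    datagram remote:remote_port -> local:local_port with nothing listening."""
    inner_udp = struct.pack("!HHHH", remote_port, local_port, 8, 0)
    inner = ipv4_header(remote, local, 17, len(inner_udp)) + inner_udp
    icmp = struct.pack("!BBHI", 3, 3, 0, 0) + inner      # type 3, code 3
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return ipv4_header(local, remote, 1, len(icmp)) + icmp


def decode_unreachable(packet: bytes) -> dict:
    """Return the code and the quoted (triggering) datagram's 5-tuple."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1:
        raise ValueError("outer packet is not ICMP")
    icmp = packet[ihl:]
    itype, code, _ = struct.unpack("!BBH", icmp[:4])
    if itype != 3:
        raise ValueError("not a Destination Unreachable message")
    if inet_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    inner = icmp[8:]                      # quoted IP header + 8 bytes of L4
    inner_ihl = (inner[0] & 0x0F) * 4
    inner_proto = inner[9]
    l4 = inner[inner_ihl:inner_ihl + 8]
    ports = (None, None)
    if inner_proto in (6, 17) and len(l4) >= 4:   # TCP/UDP: ports first
        ports = struct.unpack("!HH", l4[:4])
    return {
        "code": code,
        "reason": UNREACHABLE_CODES.get(code, "unassigned"),
        "sent_to": socket.inet_ntoa(packet[16:20]),
        "trigger_proto": {6: "tcp", 17: "udp"}.get(inner_proto, str(inner_proto)),
        "trigger_src": socket.inet_ntoa(inner[12:16]),
        "trigger_sport": ports[0],
        "trigger_dst": socket.inet_ntoa(inner[16:20]),
        "trigger_dport": ports[1],
    }


def classify(rec: dict, my_ip: str, dns_servers: set) -> str:
    """Defender's reading of one outbound type 3 (heuristic labels are mine)."""
    if rec["trigger_dst"] != my_ip:
        return "quoted packet not addressed to this host"
    if (rec["trigger_proto"] == "udp" and rec["trigger_src"] in dns_servers
            and rec["trigger_sport"] == 53):
        return "reply from a known DNS resolver (benign)"
    if rec["code"] in (2, 3):
        return "unsolicited datagram reached the IP stack"
    return "other: " + rec["reason"]


if __name__ == "__main__":
    me, resolvers = "192.0.2.10", {"203.0.113.5"}
    for pkt in (build_port_unreachable(me, "203.0.113.5", 53, 1234),
                build_port_unreachable(me, "198.51.100.7", 4444, 1026)):
        rec = decode_unreachable(pkt)
        print(rec["reason"], rec, "->", classify(rec, me, resolvers))
```

Read against the thread: a quoted UDP header with source port 53 from one of the ISP's resolvers is the DNS case Kerodo already understands (a reply arriving after the client's socket has closed draws a port unreachable). A quoted header from some other address, destined to your own IP, means that datagram was delivered to the IP stack, so the tuple it shows is exactly what to compare against the allow rules; a quoted packet not addressed to the host would point at forwarding rather than a hole in the rules.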
Kerodo
05-10-2004
In article <(E-Mail Removed)>, (E-Mail Removed)
says...
> On Sun, 9 May 2004 10:31:44 -0700, Kerodo
> <kerodo~nospam~(E-Mail Removed)> wrote:
>
> > In article <(E-Mail Removed)>, (E-Mail Removed)
> > says...
> > > Kerodo <kerodo~nospam~(E-Mail Removed)> wrote in
> > > news:(E-Mail Removed):
> > >
> > > > My concern is that the Outbound ICMP type 3 is an indication that UDP
> > > > is getting In thru the firewall somehow without my permission. So far
> > > > I see no explanation for it. Looks like there's a hole in Kerio
> > > > somehow.. I've even tried using a brand new default rule set and just
> > > > configuring my dns servers as a custom group but the same problem
> > > > occurs again. Something tells me this isn't good..
> > >
> > > I wouldn't worry. I see outbound ICMP attempts all the time. It's always
> > > the TCPIP Kernel Driver and the address is always that of my ISP, which
> > > leads me to believe that it's trying to respond to something that the ISP
> > > server asked it.
> >
> > Yes, I see outbound icmp 3 to my ISP's DNS servers, but the ones I'm
> > worried about are icmp 3 to other random addresses.
>
> Determining the subtype might help narrow it down a bit.
> It's probably 2 - Protocol unreachable or 3 - Port unreachable.
>
> For example, there might be a rule that allows any protocol on a
> certain port, but the specified protocol is unavailable.

Yes, however I don't think I can determine the subtype in Kerio. I
pretty much tried everything here, including using various rule sets,
some by "experts", and the problem persists. So I've given up and am
now running Kerio 4.0.16. It doesn't seem to have this problem, oddly
enough.. Only thing I miss in 4.xx is some decent logging..
--
Kerodo
 