Kerio 2.1.5 problem?

Discussion in 'Computer Security' started by Kerodo, May 9, 2004.

  1. Kerodo

    Kerodo Guest

    I'm writing because I think I might have discovered some kind of Kerio
    2.1.5 problem and I'd like to hear anyone's thoughts or ideas on it.

    I've been doing plenty of research and I think I've got my Kerio rules
    nailed down pretty tight here. I've used parts of sponge's rules and
    others as well, and as far as I can tell my rules should be blocking all
    incoming traffic that I don't want as well as outbound traffic not
    authorized and so on.

    What I'm seeing here is a couple times a day there's Outbound ICMP Type
    3 going out to random IP addresses. I also see Type 3 outbound to my
    ISP's DNS Servers, but that doesn't bother me. It's apparently being
    triggered by the DNS servers somehow. Every time there's outbound Type 3
    to DNS, it's because of some corresponding incoming DNS, so that's no
    problem.

    The random outbound Type 3 however, doesn't appear to be related to
    anything. What I'm concerned about is that packets are somehow getting
    IN thru the firewall without my permission and triggering this outbound
    Type 3 to random IPs. What else could possibly cause or trigger
    outbound type 3?

    I turned on logging for ALL my rules, even DNS, DHCP and so on.
    Everything. When I see the outbound type 3 there doesn't appear to be
    any other events logged that relate to it in any way, timewise or
    otherwise, so there's nothing I can see causing it. But SOMETHING has
    to be triggering it, right?

    Could this be a hole in Kerio itself somehow? Packets occasionally
    getting in without being logged or permitted by me? There doesn't
    appear to be any other explanation...

    Any ideas on this one? It does concern me. Something doesn't seem
    right here...

    I've also run Sygate 5.5 and this behavior does NOT occur in Sygate,
    which does log EVERYTHING. So it seems to be a problem specific to
    Kerio 2.1.5.

    I'm running Win2k on a standalone system, not networked to any other
    PCs, on a cable connection, etc.


    --
    Kerodo
     
    Kerodo, May 9, 2004
    #1

  2. scroob

    scroob Guest

    Kerodo <kerodo~nospam~> wrote in
    news::

    > What I'm seeing here is a couple times a day there's Outbound ICMP Type
    > 3 going out to random IP addresses.


    Disallow all ICMP, in and out. I've been doing it for years and haven't
    seen a single bad result.
     
    scroob, May 9, 2004
    #2

  3. Kerodo

    Kerodo Guest

    In article <>,
    says...
    > Kerodo <kerodo~nospam~> wrote in
    > news::
    >
    > > What I'm seeing here is a couple times a day there's Outbound ICMP Type
    > > 3 going out to random IP addresses.

    >
    > Disallow all ICMP, in and out. I've been doing it for years and haven't
    > seen a single bad result.
    >


    My concern is that the Outbound ICMP type 3 is an indication that UDP is
    getting In thru the firewall somehow without my permission. So far I
    see no explanation for it. Looks like there's a hole in Kerio somehow..
    I've even tried using a brand new default rule set and just configuring
    my dns servers as a custom group but the same problem occurs again.
    Something tells me this isn't good..

    --
    Kerodo
     
    Kerodo, May 9, 2004
    #3
  4. scroob

    scroob Guest

    Kerodo <kerodo~nospam~> wrote in
    news::

    > My concern is that the Outbound ICMP type 3 is an indication that UDP
    > is getting In thru the firewall somehow without my permission. So far
    > I see no explanation for it. Looks like there's a hole in Kerio
    > somehow.. I've even tried using a brand new default rule set and just
    > configuring my dns servers as a custom group but the same problem
    > occurs again. Something tells me this isn't good..


    I wouldn't worry. I see outbound ICMP attempts all the time. It's always
    the TCPIP Kernel Driver and the address is always that of my ISP, which
    leads me to believe that it's trying to respond to something that the ISP
    server asked it.
     
    scroob, May 9, 2004
    #4
  5. Kerodo

    Kerodo Guest

    In article <>,
    says...
    > Kerodo <kerodo~nospam~> wrote in
    > news::
    >
    > > My concern is that the Outbound ICMP type 3 is an indication that UDP
    > > is getting In thru the firewall somehow without my permission. So far
    > > I see no explanation for it. Looks like there's a hole in Kerio
    > > somehow.. I've even tried using a brand new default rule set and just
    > > configuring my dns servers as a custom group but the same problem
    > > occurs again. Something tells me this isn't good..

    >
    > I wouldn't worry. I see outbound ICMP attempts all the time. It's always
    > the TCPIP Kernel Driver and the address is always that of my ISP, which
    > leads me to believe that it's trying to respond to something that the ISP
    > server asked it.
    >

    Yes, I see outbound icmp 3 to my ISP's DNS servers, but the ones I'm
    worried about are icmp 3 to other random addresses.
    --
    Kerodo
     
    Kerodo, May 9, 2004
    #5
  6. ric

    ric Guest

    On Sun, 9 May 2004 10:31:44 -0700, Kerodo
    <kerodo~nospam~> wrote:

    >In article <>,
    >says...
    >> Kerodo <kerodo~nospam~> wrote in
    >> news::
    >>
    >> > My concern is that the Outbound ICMP type 3 is an indication that UDP
    >> > is getting In thru the firewall somehow without my permission. So far
    >> > I see no explanation for it. Looks like there's a hole in Kerio
    >> > somehow.. I've even tried using a brand new default rule set and just
    >> > configuring my dns servers as a custom group but the same problem
    >> > occurs again. Something tells me this isn't good..

    >>
    >> I wouldn't worry. I see outbound ICMP attempts all the time. It's always
    >> the TCPIP Kernel Driver and the address is always that of my ISP, which
    >> leads me to believe that it's trying to respond to something that the ISP
    >> server asked it.
    >>

    >Yes, I see outbound icmp 3 to my ISP's DNS servers, but the ones I'm
    >worried about are icmp 3 to other random addresses.


    Determining the subtype might help narrow it down a bit.
    It's probably 2 - Protocol unreachable or 3 - Port unreachable.

    For example, there might be a rule that allows any protocol on a
    certain port, but the specified protocol is unavailable.
     
    ric, May 10, 2004
    #6
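ric's point about the ICMP subtype (the code field) is the key to Kerodo's original question of what triggers the outbound Type 3. Every ICMP destination unreachable message quotes the IP header plus the first 8 bytes of the datagram it is answering, so a packet capture of the outbound Type 3 itself names the inbound packet that provoked it, including the source address and, for UDP or TCP, the ports. The Python below is an added example, not code from the thread or from Kerio; it builds a constructed inbound UDP datagram to a closed port, the ICMP port unreachable a host would send back, and then decodes that ICMP message the way an analyst would decode one pulled from a capture. The addresses and ports are made-up documentation-range values, and the packet format is RFC 792, not Kerio's log format (which, as Kerodo notes, does not expose the code).

```python
"""Decode an outbound ICMP destination unreachable (type 3) message and
recover the inbound datagram that triggered it.  Per RFC 792 the message
quotes the offending packet's IP header and the 8 bytes after it, which
for UDP/TCP is exactly the source and destination ports.
All addresses and packets below are constructed test data, not captures."""

import socket
import struct

# ICMP type 3 codes (RFC 792 / RFC 1122); the thread calls these "subtypes".
ICMP_UNREACHABLE_CODES = {
    0: "Net unreachable",
    1: "Host unreachable",
    2: "Protocol unreachable",
    3: "Port unreachable",
    4: "Fragmentation needed and DF set",
    5: "Source route failed",
    13: "Communication administratively prohibited",
}

IPPROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def inet_checksum(data: bytes) -> int:
    """One's-complement checksum used by the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options) followed by payload."""
    total_len = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_udp(sport: int, dport: int, data: bytes) -> bytes:
    """UDP header; checksum left at 0, which IPv4 permits."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def build_icmp_unreachable(code: int, offending_packet: bytes) -> bytes:
    """ICMP type 3: type, code, checksum, 4 unused bytes, then the quoted
    IP header and first 8 bytes of the datagram being rejected."""
    ihl = (offending_packet[0] & 0x0F) * 4
    quoted = offending_packet[: ihl + 8]
    msg = struct.pack("!BBHI", 3, code, 0, 0) + quoted
    return msg[:2] + struct.pack("!H", inet_checksum(msg)) + msg[4:]


def parse_icmp_unreachable(icmp: bytes) -> dict:
    """Explain an ICMP type 3 message by decoding the quoted datagram."""
    icmp_type, code, _chk = struct.unpack("!BBH", icmp[:4])
    if icmp_type != 3:
        raise ValueError("not an ICMP destination unreachable message")
    if inet_checksum(icmp) != 0:  # a valid message checksums to zero
        raise ValueError("bad ICMP checksum")
    quoted = icmp[8:]
    ihl = (quoted[0] & 0x0F) * 4
    proto = quoted[9]
    info = {
        "code": code,
        "code_name": ICMP_UNREACHABLE_CODES.get(code, "code %d" % code),
        "orig_src": socket.inet_ntoa(quoted[12:16]),
        "orig_dst": socket.inet_ntoa(quoted[16:20]),
        "orig_proto": IPPROTO_NAMES.get(proto, str(proto)),
    }
    # UDP and TCP both carry source/dest ports in the first 4 transport bytes.
    if proto in (6, 17) and len(quoted) >= ihl + 4:
        sport, dport = struct.unpack("!HH", quoted[ihl:ihl + 4])
        info["orig_sport"], info["orig_dport"] = sport, dport
    return info


def demo() -> dict:
    """Constructed scenario (RFC 5737 documentation addresses): an
    unsolicited UDP datagram from 198.51.100.7:40000 reaches our host
    192.0.2.10 on closed port 1027; the stack answers with type 3 code 3."""
    inbound = build_ipv4("198.51.100.7", "192.0.2.10", 17,
                         build_udp(40000, 1027, b"\x00" * 12))
    outbound_icmp = build_icmp_unreachable(3, inbound)
    return parse_icmp_unreachable(outbound_icmp)


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-12s %s" % (key, value))
```

Read against the thread: if the decoded `orig_src` is one of the "random" addresses and `orig_proto` is UDP with a closed `orig_dport`, the inbound datagram did reach the stack, which is what Kerodo suspected; if instead the quoted header shows the host's own DNS query being answered late, it is the harmless DNS-related case he already understood. A capture tool that shows the ICMP payload gives this information even when the firewall's own log does not.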
  7. Kerodo

    Kerodo Guest

    In article <>,
    says...
    > On Sun, 9 May 2004 10:31:44 -0700, Kerodo
    > <kerodo~nospam~> wrote:
    >
    > >In article <>,
    > >says...
    > >> Kerodo <kerodo~nospam~> wrote in
    > >> news::
    > >>
    > >> > My concern is that the Outbound ICMP type 3 is an indication that UDP
    > >> > is getting In thru the firewall somehow without my permission. So far
    > >> > I see no explanation for it. Looks like there's a hole in Kerio
    > >> > somehow.. I've even tried using a brand new default rule set and just
    > >> > configuring my dns servers as a custom group but the same problem
    > >> > occurs again. Something tells me this isn't good..
    > >>
    > >> I wouldn't worry. I see outbound ICMP attempts all the time. It's always
    > >> the TCPIP Kernel Driver and the address is always that of my ISP, which
    > >> leads me to believe that it's trying to respond to something that the ISP
    > >> server asked it.
    > >>

    > >Yes, I see outbound icmp 3 to my ISP's DNS servers, but the ones I'm
    > >worried about are icmp 3 to other random addresses.

    >
    > Determining the subtype might help narrow it down a bit.
    > It's probably 2 - Protocol unreachable or 3 - Port unreachable.
    >
    > For example, there might be a rule that allows any protocol on a
    > certain port, but the specified protocol is unavailable.
    >

    Yes, however I don't think I can determine the subtype in Kerio. I
    pretty much tried everything here, including using various rule sets,
    some by "experts", and the problem persists. So I've given up and am
    now running Kerio 4.0.16. It doesn't seem to have this problem, oddly
    enough.. Only thing I miss in 4.xx is some decent logging..
    --
    Kerodo
     
    Kerodo, May 10, 2004
    #7
