Re: Kerio's Primary DNS Server Rule
gram pappy wrote:
| PCR <pcrrcp@netzero.net> wrote:
|> gram pappy wrote:
|>| in-line below:
|>|
|>|>PCR <pcrrcp@netzero.net> wrote:
|>|> Updating...
|>|>
|>|>> PCR wrote:
|>|>>> gram pappy wrote:
|>|>>> Reply, (sorry not a quick answer) in-line below:
|>|>>>
|>|>> It's quicker than I've been these past four years, gram pappy,
|>|>> thanks. Also, my own beloved grandfather, himself, could shovel
|>|>> snow quicker than me some 22 years ago in his 90's! More below...
|>|>>
|>|>>>> "PCR" <pcrrcp@netzero.net> wrote in message
|>|>>>> news:%23GMM4FIzHHA.4712@TK2MSFTNGP04.phx.gbl...
|>|>>>> In order to end 17 years of intense study after just 4 or so, I
|>|>>>> hope
|>|>>>> for a quick answer to the following question. Here is my Kerio
|>|>>>> "Primary DNS Server" rule, got from some expert & currently
|>|>>>> modified
|>|>>>> only in that I now include the entire NetZero/Juno address range
|>|>>>> (where earlier I tried to determine just the ones NetZero seemed
|>|>>>> to want to use)...
|>|>>>>
|>|>>>> Protocol: UDP, both directions
|>|>>>>
|>|>>>> Local Endpoint-- Ports: 1024-5000
|>|>>>> -- Application: Any
|>|>>>> Remote Endpoint-- Address: Entire NetZero/Juno range
|>|>>>> -- Port: 53
|>|>>>> ANY app can use it, as currently written. Here are the ones I've
|>|>>>> caught...
|>|>>>>
|>|>>>> (a) EXEC.EXE NetZero Internet
|>|>>>> (b) IEXPLORE.EXE
|>|>>>> (c) no owner << eeek?
|>|>>>> (d) AVAST.SETUP
|>|>>>> (e) ASHMAISV.EXE avast! e-Mail Scanner Service
|>|>>>> (f) PFWADMIN.EXE Kerio Personal Firewall Console
|>|>>>>
|>|>>>> Here's the "no owner". There is only this one, but I haven't
|>|>>>> been tracking this rule long...
|>|>>>>
|>|>>>> 2,[20/Jul/2007 21:15:04] Rule 'Primary DNS Server': Permitted:
|>|>>>> In UDP,
|>|>>>> 64.136.44.74:53->localhost:1055, Owner: no owner
|>|>>>>
|>|>>>> Here is one "AVAST.SETUP". ODD, but I guess legit-- I have no
|>|>>>> program actually named AVAST.SETUP, & no .exe at all in the
|>|>>>> folder mentioned...
|>|>>>>
|>|>>>> 2,[17/Jul/2007 22:30:14] Rule 'Avast! UDP': Permitted: Out UDP,
|>|>>>> localhost:1045->64.136.44.74:53, Owner: C:\PROGRAM FILES\ALWIL
|>|>>>> SOFTWARE\AVAST4\SETUP\AVAST.SETUP
|>|>>>>
|>|>>>> Questions...
|>|>>>>
|>|>>>> (1) Is it legit for IE to be using it?
|>|>>>>
|>|>>> Gram pappy: Yes, as long as Remote IP is in NetZero IP Range.
|>|>>>
|>|>> Me: What makes that safe? Can some app grab control of IE & do
|>|>> bad things with this?
|>|>>
|>| I don't know, but the experts say you must allow this DNS rule to
|>| access the internet.
|>
|> More study is warranted, I'm sure. HOWEVER, a new rule that blocks IE
|> from all NetZero addresses-- UDP/TCP, both directions, all ports...
|> showed all continues to work-- even uploads & downloads, even at FTP
|> sites. I took a download from...
|>
ftp://ftp.microsoft.com/
|>
|> And at...
|>
http://www.speakeasy.net/speedtest
|>
|> ... uplaods & downloads were happening at approximately the same
|> speeds with the new rule switched on or off!
|>
| Yes it is a puzzle, I just have never seen DNS server rules to block
| applications.
SORRY... I set that IE rule up just right-- BUT forgot to click to DENY
the access. When denied, the FTP site announced it wouldn't fully work.
The message was hidden behind a frozen OE screen. SO...
You & those experts were right, IE must have UDP access to the NetZero
sites, port 53, for full functionality at FTP sites, anyhow. Here is one
of six log entries, all involving "localhost:1025", but with various
NetZero addresses...
1,[28/Jul/2007 13:15:24] Rule 'DNS Alert (Log, Alert)': Blocked: Out
UDP, localhost:1205->64.136.44.74:53, Owner: C:\PROGRAM FILES\INTERNET
EXPLORER\IEXPLORE.EXE
No good! It's GOT to be allowed-- or don't go clicking an FTP site!
| I now only use NetZero(free) as a backup ISP, as my primary ISP is now
| Xanadoo Wireless and it too allows DNS, server port 53 access for:
| AVG AV update
| Internet Explorer
| Outlook Express
| Firefox
| SpywareBlaster update
| Don't know why these are not using there own rules and ports I have
| set...!!! more digging, more study is right.
Agreed. So... I've added IE to the other 4 that are explicitely
allowed...
(a) EXEC.exe NetZero Internet
(b) AVAST.SETUP
(c) ASHMAISV.exe avast! e-Mail Scanner Service
(d) ASHWEBSV.exe avast! Web Scanner
(e) IExplore.exe
Let's see how that goes, & whether the "no owner's" can be stopped that
way & uneventfully.
So far, still so good preventing PFWADMIN.exe & RPCSS.exe any UPD/TCP
access at all. Others I prevent that way are PERSFW.exe, CIJ3P2PS.exe, &
RNAAPP.exe.
|>|>>>> (2) Should I block PFWADMIN.EXE?
|>|>>>> [NOTE: In another rule (probably by yosponge)
|>|>>>> PersFW.exe (Kerio Personal Firewall Engine) IS blocked.]
|>|>>>>
|>|>>> Gram pappy: Yes, I use a combination of Spunge, Shaolin and
|>|>>> BlitzenZeus rulesets. They block both
|>|>>> Persfw and Pfwadmin.
|>|>>
|>|>> Me: I'm a mishmosh, myself, possibly of the same experts.
|>|>> But finally I want to know what it's about!
|>|>>
|>|> Update: I've blocked PFWADMIN.EXE now too;
|>|> so far, nothing untoward has happened.
|>|>
|>| Looking back at my yosponge data, on his web page he says it is
|>| usually safe to allow PERSFW.EXE, but in his ruleset he has it
|>| blocked?...!!! I have blocked both for years...
|>
|> I'm blocking both too now-- but I remain vigilant for the first sign
|> of a catastrophe & will continue to remain so for six years!
|>
|>|>>>> (3) I guess I must get rid of that "no owner",
|>|>>>> but could it just be some kind of Kerio glitch?
|>|>>>>
|>|>>> Gram pappy: Don't see problem as long as Remote IP
|>|>>> is in NetZero IP Range.
|>|>>>
|>|>> Me: Why? NOW, probably due to better tracking, I've got SIX
|>|>> more of those so far today. They always are INCOMING...
|>|>>
|>|>> 2,[24/Jul/2007 15:09:06] Rule 'Primary DNS Server': Permitted: In
|>|>> UDP,
|>|>> 64.136.44.74:53->localhost:1589, Owner: no owner
|>|>>
|>|>> 2,[24/Jul/2007 15:09:20] Rule 'Primary DNS Server': Permitted: In
|>|>> UDP,
|>|>> 64.136.44.74:53->localhost:1641, Owner: no owner
|>|>>
|>|>> 2,[24/Jul/2007 15:09:22] Rule 'Primary DNS Server': Permitted: In
|>|>> UDP,
|>|>> 64.136.28.121:53->localhost:1641, Owner: no owner
|>|>>
|>|>> 2,[24/Jul/2007 15:09:58] Rule 'Primary DNS Server': Permitted: In
|>|>> UDP,
|>|>> 64.136.44.74:53->localhost:1702, Owner: no owner
|>|>>
|>|>> 2,[24/Jul/2007 15:10:54] Rule 'Primary DNS Server': Permitted: In
|>|>> UDP,
|>|>> 64.136.44.74:53->localhost:1880, Owner: no owner
|>|>>
|>|>> 2,[24/Jul/2007 15:10:58] Rule 'Primary DNS Server': Permitted: In
|>|>> UDP,
|>|>> 64.136.44.74:53->localhost:1884, Owner: no owner
|>|>>
|>| If I set a last rule to block all other incomming TCP, I will get
|>| these. I have read to not have such a rule... Other causes are
|>| shown here:
http://www.mynetwatchman.com/kb/res-falsepos.htm
|>
|> I've read through that thrice-- but more readings will be necessary!
|> I'm thinking, the way to kill the no owner's is to code 4 DNS Server
|> rules-- one for each app I want to allow...
|>
|> (a) EXEC.EXE NetZero Internet
|> (b) AVAST.SETUP
|> (c) ASHMAISV.EXE avast! e-Mail Scanner Service
|> (d) ASHWEBSV.EXE avast! Web Scanner
IEXPLORE had to be added in!
|>
|> I'm going to try that soon! No other app will be allowed to use the
|> NetZero addresses to send/receive DNS after that!
|>
| Good luck...!!!
Thanks. Well, you know, I've just added IExplore to it for FTP access
(at least). Soon, I will go online again & see whether that settles it.
Hopefully, nothing else will require DNS access to those NetZero sites &
all continues to work! Then, it will be on to fine tune my other rules!
|>|>>>> (4) Am I leaving myself prone to mayhem by letting
|>|>>>> ANY app use this rule-- as the "expert" coded it?
|>|>>>> But, why hasn't it happened yet-- or has it????
|>|>>>>
|>|>>> Gram pappy: No, standard for ISP DNS servers.
|>|>>>
|>|>> Me: What prevents an ill result when any app can do it?
|>|>>>
|>| I don't think so, but if you want to tighten this down you can set
|>| up a seperate rule for NetZero's primary and secondary DNS servers.
|>| Last I looked they have three(64.136.16.21, 64.136.20.21,
|>| 64.136.28.21).
|>
|> Well, I used to have just four addresses in my Primary DNS Server
|> rule, but recently I've included the entire NetZero/Juno range into
|> it. Therefore, I divine this one rule acts BOTH as a primary & a
|> secondary-- & then some!
|>
| I too use the NetZero address range for DNS servers. Just don't know
| why DNS is overriding the application rules...
What do you mean by overriding the rules? Do you mean you don't know why
IE (for example) uses NetZero addresses instead of MS addresses? I
wonder... if I code a rule in Kerio permitting IE to have UDP access to
MS addresses-- would it stop using the NetZero ones?
|>|>>>> (4) Why is it restricted to using ports 1024-5000 & 53?
|>|>>>>
|>|>>> Gram pappy: I assume you are refering to Local ports 1024-5000,
|>|>>> some say to narrow down even more to
|>|>>> 1031-4999.
|>|>>> See Steve Gibson as to why.
|>|>>>
https://www.grc.com/port_1024.htm
|>|>>> And I assume you are refering to Remote port
|>|>>> 53,
|>|>>> that is normal for ISP DNS servers.
|>|>>>
|>|>> Me: OK, I'm clicking that now. You are right in your assumptions.
|>|>> Are you implying-- so long as it goes to & comes from Port
|>|>> 53, NetZero will assure no foul play is involved?
|>|>>
|>|> Update: Clicking that URL produces a requestor saying
|>|> "Revocation information for the security certificate for this site
|>|> is not
|>|> available". I click NOT to proceed, but the site has already
|>|> loaded, anyhow. But it's going to take several readings before I
|>|> can even formulate a question. One thing: Port 5000 isn't mentioned
|>|> there-- only
|>|> 1024-1030 & maybe 1433 and 1434.
|>|>
|>| At the top of that grc page is a search box left of "Jump" type in
|>| 5000 then click Jump and it will go right to it. Can use the jump
|>| box to look up
|>| any port info...
|>
|> OK, thanks. These are referring to "local endpoint" ports, which are
|> ports here in my machine. Here, currently, is the last 'Primary DNS
|> Server' to happen...
|>
|> 2,[27/Jul/2007 17:40:38] Rule 'Primary DNS Server': Permitted: In
|> UDP,
|> 64.136.28.120:53->localhost:1321, Owner: C:\PROGRAM FILES\ALWIL
|> SOFTWARE\AVAST4\ASHMAISV.EXE
|>
|> That was 5 minutes ago-- but I have no port 1321 open for any of the
|> 3 ASHMAISV.EXE showing in Kerio. Looks like these ports are created &
|> closed on an as needed basis. Is it ASHMAISV.EXE that will create a
|> port 5000, if it needs to? That should be OK, if it is avast! doing
|> it, I think, especially as the rule only permits avast! remote
|> addresses. Therefore...
|>
|> Wouldn't I be OK to restrict DNS by application, instead of worrying
|> over ports?
|>
| Have not read about or seen examples of this...
I'm going to shoot for it, beginning with this DNS rule. In the end, the
only rules with "any application" in them will be DENIAL's. All of the
PERMIT's I hope to be on a per application basis! And they ONLY will be
permitted to addresses I know are legit. That's the plan!
Too bad Kerio doesn't allow a list of applications in a single rule,
though, as it does do with ports & addresses. SO, currently I have 5 DNS
Server rules now-- instead of just one. However, I'd have half a
million, if addresses & ports were singular too!
|>| Other ref info:
|>|
|>
http://homepage.ntlworld.com/robin.d.h.walker/cmtips/security.html#persfire
|>| Down a ways on this page is a good section on Personal firewalls.
|>| In that section is a broken link to master firewall guru Robert
|>| Graham... Remember? I sent you this l-o-n-g web page link about
|>| last year. (no bonking on head
Good head smoking stuff in
|>| there... The good link:
|>|
|>
http://www.linuxsecurity.com/resource_files/firewalls/firewall-seen.html
|>|
|>| Another good l-o-n-g firewall web page:
|>|
|>
http://www.dslreports.com/faq/security/2.5.1._Kerio_and_pre-v3.0_Tiny_PFW
|>|
|>| OK, a short firewall port web page:
|>|
http://www.ja.net/cert/bcp/lanports.html
|>
|> Uhuh, thanks. Those are the ones I've been reading these part 4
|> years, yea. BUT they always require at least one more additional
|> reading! OK, yea, thanks, gram pappy.
|>
|>| good night, err, good morning...
|>
|> Good evening. And thanks again.
|>
| When you get Kerio rules all set up, are even now, you can go to GRC's
| Shields UP!! page and test for holes in your firewall. On 2nd page do
| the first three test. Some say firewall port test results showing
| 'Stealth'
| are misleading,,, but this test will quickly show any open ports... If
| you
| get a Kerio popup wanting access during test, deny it, and your logs
| will
| have quite a few denials recorded... The Link:
|
|
https://www.grc.com/x/ne.dll?bh0bkyd2
Thanks. I may have been there & passed before. However, I will go again
when through with my current machinations.
|
|>|>>> -
|>|>>> gram
|>|>>>
|> --
|> Thanks or Good Luck,
|> There may be humor in this post, and,
|> Naturally, you will not sue,
|> Should things get worse after this,
|> PCR
|>
pcrrcp@netzero.net
--
Thanks or Good Luck,
There may be humor in this post, and,
Naturally, you will not sue,
Should things get worse after this,
PCR
pcrrcp@netzero.net