rules over rules and still blocking (Kerio Control forum thread)

johnsan:
I notice that 50% of the topics are about KWF blocking something which it shouldn't.
I ran into several of these problems, but never before under WR4.25.
Even a simple thing like "open it all" (I would define this rule as Any/Any/Permit/no-NAT) is NOT opening all, and a lot of things get blocked.
And lastly, the built-in default rule which blocks "unknown" can't be removed. (Maybe in the registry? Any idea?)

As long as I can't RELIABLY open KWF and later ADD selective blocks, this KWF remains not suitable for our network and I have to stick to WR4.25 until Kerio comes up with some clear answers.

Pavel Dobry (Kerio):
johnsan wrote on Mon, 26 April 2004 12:26

I notice that 50% of the topics are about KWF blocking something which it shouldn't.
I ran into several of these problems, but never before under WR4.25.
Even a simple thing like "open it all" (I would define this rule as Any/Any/Permit/no-NAT) is NOT opening all, and a lot of things get blocked.
And lastly, the built-in default rule which blocks "unknown" can't be removed. (Maybe in the registry? Any idea?)

As long as I can't RELIABLY open KWF and later ADD selective blocks, this KWF remains not suitable for our network and I have to stick to WR4.25 until Kerio comes up with some clear answers.


The "Any" rule above truly allows all connections (and doesn't perform NAT).

There are two most frequent situations in which something doesn't work:
1. There is another NAT or packet filter on the same computer (e.g. RRAS (!), a personal firewall, ICS etc.).
2. The application uses some port reserved for a standard service (6666, 2000, etc.). KWF has special modules for protocol inspection of communication to those ports. If the application is using a standard port for its own communication but doesn't use the correct protocol, KWF will not pass it through.

Please note, KWF uses a slightly different approach than WRP4 in order to provide better protection against new threats from the Internet.

johnsan:
Pavel,
That's new information, which I haven't heard before:
(2) ... is blocking ports which use non-standard protocols.

We run several stock trading programs and they don't work (even with the "any/any/noNAT" rule). There is no RRAS or anything of that kind on the W2k server here. A WR4.25 analysis shows that it uses port 16xx plus 80 and 21.

Is there any way to get KWF "hands-off" from what you mentioned under #2 above?
Will a rule for the 16xx port let KWF back off? And if so, why doesn't the any/any rule work?

[Updated on: Thu, 29 April 2004 08:15]


toxic:
johnsan wrote on Mon, 26 April 2004 12:26

As long as I can't RELIABLY open KWF and later ADD selective blocks, this KWF remains not suitable for our network and I have to stick to WR4.25 until Kerio comes up with some clear answers.


I have to second this opinion. I'd rather not waste my time attempting to figure out why users' TCP/IP and internet-based applications are not working as expected. My approach to network administration has *ALWAYS* been 'leave it all open and block problematic connections' -- after all, that's what the logs are for, isn't it?

I've played around with the KWF 6.0 beta and I have to say that the whole protocol inspector and magical traffic blocking stinks. Even when you think you have everything wide open, the protocol inspector can mis-identify traffic and mangle it. Then there's always the case where the following rule doesn't work: <any source> <any destination> <any service> <allow all>.

WinRoute should offer you the ability to take either approach -- either locked down tight with open exclusions, or wide open with selective blocks.

johnsan:
That brings it down to a simple question:
Is there a way to DISABLE the protocol inspector?

Please help.

FYI, the only reason I have to upgrade from WR4.25 to KWF is the link fail-over function (I need it for my 2 leased lines).

[Updated on: Sat, 01 May 2004 11:56]


Pavel Dobry (Kerio):
johnsan wrote on Sat, 01 May 2004 11:56

That brings it down to a simple question:
Is there a way to DISABLE the protocol inspector?

Please help.

FYI, the only reason I have to upgrade from WR4.25 to KWF is the link fail-over function (I need it for my 2 leased lines).


Well, I have a simple question too. :)
Did you read the manual?

You can disable it in two ways:
1. For a particular traffic policy rule: http://www.kerio.com/manual/kwf/en/ch05s02.html
2. Globally for the whole service: http://www.kerio.com/manual/kwf/en/ch08s03.html

Detailed information about protocol inspectors in KWF can be found in our Knowledge Base: http://support.kerio.com/index.php?_a=knowledgebase&_j=questiondetails&_i=106&nav=+%26gt%3B+%3Ca+href%3D%27index.php%3F_a%3Dknowledgebase%26_j%3Dsubcat%26_i%3D2%27%3EKerio+WinRoute+Firewall%3C%2Fa%3E.
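The mechanism Pavel describes in his first reply (an Any/Any/Permit rule whose traffic is still dropped because a protocol inspector bound to the destination port rejects a payload that doesn't speak that protocol, plus the built-in default deny that cannot be removed) and the two ways of switching the inspector off from his second reply (per rule, or globally for the whole service) can be seen together in a small model. This is an added illustrative example, not Kerio's code and not KWF's real inspector logic: the hosts, the choice of 21 and 80 as inspected ports and 1600 as the trading app's port, the binary "trading" payload and the FTP/HTTP conformance regexes are all constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """First client bytes of one connection (constructed sample data)."""
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass
class Rule:
    """One traffic-policy rule. 'any' / None wildcards match everything.
    inspect=False models the per-rule 'protocol inspector: none' setting."""
    name: str
    src: str = "any"
    dst: str = "any"
    dport: Optional[int] = None   # None = any service
    action: str = "permit"        # "permit" or "deny"
    inspect: bool = True

    def matches(self, pkt: Packet) -> bool:
        return ((self.src == "any" or self.src == pkt.src)
                and (self.dst == "any" or self.dst == pkt.dst)
                and (self.dport is None or self.dport == pkt.dport))


# Simplified conformance checks (assumption, not KWF's real inspectors):
# does the first client message look like the protocol the port is reserved for?
def looks_like_ftp(payload: bytes) -> bool:
    return re.match(rb"^(USER|PASS|PORT|PASV|LIST|RETR|STOR|QUIT|SYST|FEAT)( [^\r\n]*)?\r\n",
                    payload) is not None


def looks_like_http(payload: bytes) -> bool:
    return re.match(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n",
                    payload) is not None


# Inspector bound to a well-known destination port (which ports is an assumption).
INSPECTORS: Dict[int, Callable[[bytes], bool]] = {21: looks_like_ftp, 80: looks_like_http}


class Firewall:
    def __init__(self, rules: List[Rule], inspectors_enabled: bool = True):
        self.rules = rules                              # first match wins
        self.inspectors_enabled = inspectors_enabled    # global switch (option 2)

    def decide(self, pkt: Packet) -> Tuple[str, str]:
        """Return (verdict, reason). A permit rule is only half the story: if an
        inspector is bound to the destination port and enabled both globally and
        on the matching rule, a non-conforming payload is still dropped."""
        for rule in self.rules:
            if not rule.matches(pkt):
                continue
            if rule.action != "permit":
                return ("deny", f"rule '{rule.name}'")
            inspector = INSPECTORS.get(pkt.dport)
            if inspector and self.inspectors_enabled and rule.inspect \
                    and not inspector(pkt.payload):
                return ("deny", f"inspector on port {pkt.dport}")
            return ("permit", f"rule '{rule.name}'")
        # Built-in catch-all that cannot be removed from the policy.
        return ("deny", "default rule")


# Constructed sample connections. The trading client speaks a made-up binary
# protocol on port 21 as well as on 1600; the other two are genuine FTP/HTTP.
LAN_HOST, TRADING_SRV = "10.0.0.5", "198.51.100.7"
TRADING_ON_21 = Packet(LAN_HOST, TRADING_SRV, 21, b"\x00\x12TRD\x01\x00\x00")
TRADING_ON_1600 = Packet(LAN_HOST, TRADING_SRV, 1600, b"\x00\x12TRD\x01\x00\x00")
REAL_FTP = Packet(LAN_HOST, TRADING_SRV, 21, b"USER anonymous\r\n")
REAL_HTTP = Packet(LAN_HOST, TRADING_SRV, 80, b"GET / HTTP/1.1\r\nHost: x\r\n\r\n")


def open_all() -> List[Rule]:
    """The poster's 'Any/Any/Permit/no-NAT' policy."""
    return [Rule("open it all")]


def open_all_with_exemption() -> List[Rule]:
    """Same policy, plus a narrow rule for the trading app placed above the
    catch-all with its protocol inspector switched off (option 1)."""
    return [Rule("trading app", src=LAN_HOST, dst=TRADING_SRV, dport=21, inspect=False),
            Rule("open it all")]


if __name__ == "__main__":
    cases = [
        ("any/any, trading on 21", Firewall(open_all()), TRADING_ON_21),
        ("any/any, trading on 1600", Firewall(open_all()), TRADING_ON_1600),
        ("any/any, real FTP on 21", Firewall(open_all()), REAL_FTP),
        ("per-rule inspector off", Firewall(open_all_with_exemption()), TRADING_ON_21),
        ("global inspectors off", Firewall(open_all(), inspectors_enabled=False), TRADING_ON_21),
        ("empty policy, HTTP", Firewall([]), REAL_HTTP),
    ]
    for label, fw, pkt in cases:
        print(f"{label:28s} -> {fw.decide(pkt)}")
```

The point of the model is the order of evaluation: the rule table says "permit", and only afterwards does the port-bound inspector get a veto, which is why the catch-all rule looks broken from the outside. The narrow exemption rule has to sit above the catch-all, because first match wins; the global switch trades away inspection for every port, so the per-rule exemption is the smaller change.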