KWF FTP and Protocol inspector
Kire
Can anyone tell me what the protocol inspector exactly does?

I'm running KWF with a simple set of traffic rules of which the protocol inspector was set to 'Default' for all rules.

Because the KWF was hanging frequently, Kerio advised me to turn off the Protocol Inspector for all rules because that would take too much time for the KWF.

Well, what happened was that our financial guy wasn't able to use his banking program that uses FTP anymore. After switching all Protocol Inspectors to 'Default' again his FTP worked again.

So obviously the Protocol Inspector does something to the data instead of only analyzing...
feite
The FTP protocol inspector takes care of accepting responses from the FTP server (banking computer) on a different port than the outgoing one.
Kire
Alright, but what I don't understand is that if I set the Protocol Inspector for the NAT rule to 'None' it doesn't work, and if it's set to 'Default' it does work.

(In the meantime I found out that only the Protocol Inspector for the NAT rule has to be set to 'Default' to make it work)

I understand from the documentation that if no protocol inspector is set it still runs default inspection for that rule. But what, how and why? And what use is the option 'Default' if some inspection is still done when the rule is set to 'None'?

[Updated on: Thu, 28 October 2004 21:28]

feite
In KWF there is a list of services. The FTP protocol is listed there. If you open the FTP service you will see the FTP protocol inspector is selected there. When you select 'Default' in the traffic rule this means that the traffic rule uses the protocol inspector that is selected at the service. If you specify 'None' or 'Other' you overrule the choice made at the service.

KWF always uses a basic simple inspector that takes care of allowing response traffic in. You only create a traffic rule for outgoing traffic and KWF permits the answer packets to flow through the firewall to the client PC. To do that it needs to inspect the packets you send out. It only allows answers back in that originated from the site you connected to and that fit in the packet sequence. This works for answer packets that arrive on the corresponding port. FTP traffic uses 2 ports (20, 21) so it cannot make the match. The FTP protocol inspector sees to that.
Kire
So, if I understand correctly:

If the Protocol Inspector is set to 'Default' for the NAT rule (service is set to 'Any') it examines the data according to the FTP protocol. And if set to 'None' it uses a basic simple inspector... My question remains: how come it doesn't work in the latter case?

Kerio told me it could have something to do with the FTP application using active FTP, which means a different port is indeed used for the data sent back.

So if the FTP service in KWF uses the FTP protocol if 'Default' is selected and that Protocol Inspector allows data being sent back on another port then I get the picture. It would mean indeed that the basic simple inspector that is used if 'None' is selected doesn't allow other ports.
feite
You can split the traffic rule in two:

rule 1 (the first (top) rule in the list):

name: ftp from lan to internet
source: LAN
dest: internet
service: FTP
translation: default outgoing interface
protocol inspector: default

name: other traffic from lan to internet
source: LAN
dest: internet
service: any
translation: default outgoing interface
protocol inspector: none

This way the protocol inspector for FTP will be used. Any other service will have no specific inspector.

For security reasons it's better to create rules for each specific type of connection. The second rule allows all traffic from the LAN to the internet. This means that everyone (spy-ware included) can connect to any source on the internet...

Best practice is to make a rule as narrow / specific as you can.
Kire
Ok, thanks a lot.

I get the picture of the protocol inspector mechanism now.

Just hope that Kerio will fix my other problems with KWF. I had to shut it down this week and at the moment the KMS running on the same pc is reacting much better.
Syafril Hermansyah
On Thu, 28 Oct 2004 15:26:15 -0400
Kire wrote:

> Alright, but what I don't understand that if I set the Protocol Inspector for
> the NAT rule to 'None' it doesn't work and if it's set to 'Default' it does
> work.
>
> (In the meantime I found out that only the Protocol Inspector for the NAT rule
> has to be set to 'Default' to make it work)
>
> I understand from the documentation that if no protocol inspector is set it
> still runs default inspection for that rule. But what, how and why?

With the Protocol Inspector set to default (ON), the client can use an "active connection",
while if you set it off the client needs to use a passive connection (PASV) for FTP.
There is a setting for PASV connections either in the browser (Internet Explorer) or any
FTP client.


--
syafril
-------
Syafril Hermansyah
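The mechanism feite and Syafril describe above (a basic stateful inspector that only admits replies to tracked outbound sessions, an FTP-aware inspector that additionally opens a pinhole for the server's active-mode data connection, and passive mode working either way) as a toy Python model. This is an added illustration, not Kerio code: KWF's real internals are not known and are assumed here, the addresses and ports are constructed, and a real FTP inspector behind NAT would also rewrite the private address in the PORT command, which this model leaves out.

```python
import re

# FTP control-channel messages that announce a data connection:
#   active mode:  client sends   "PORT h1,h2,h3,h4,p1,p2"
#   passive mode: server replies "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$", re.IGNORECASE)
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_hostport(groups):
    """Turn the six comma-separated FTP fields into ("a.b.c.d", port)."""
    vals = [int(g) for g in groups]
    if any(v < 0 or v > 255 for v in vals):
        raise ValueError("FTP host/port field out of range")
    h1, h2, h3, h4, p1, p2 = vals
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


class BasicInspector:
    """Assumed model of the 'basic simple inspector': only replies to tracked outbound sessions get in."""

    def __init__(self):
        self.sessions = set()  # (client_ip, client_port, server_ip, server_port)

    def outbound(self, src, sport, dst, dport, payload=b""):
        # LAN -> internet: permitted by the traffic rule and remembered.
        self.sessions.add((src, sport, dst, dport))
        return True

    def inbound(self, src, sport, dst, dport, payload=b""):
        # internet -> LAN: permitted only if it is the reverse of a known session.
        return (dst, dport, src, sport) in self.sessions


class FtpInspector(BasicInspector):
    """Assumed model of the FTP inspector: a PORT command opens a pinhole for the server's data connection."""

    def __init__(self):
        super().__init__()
        self.expected = set()  # (server_ip, 20, client_ip, announced_port)

    def outbound(self, src, sport, dst, dport, payload=b""):
        super().outbound(src, sport, dst, dport, payload)
        if dport == 21:
            m = PORT_RE.match(payload.decode("ascii", "replace").strip())
            if m:
                host, port = parse_hostport(m.groups())
                # Only open a pinhole back to the host that sent the command,
                # so a PORT naming some third party is ignored.
                if host == src:
                    self.expected.add((dst, 20, host, port))
        return True

    def inbound(self, src, sport, dst, dport, payload=b""):
        if super().inbound(src, sport, dst, dport, payload):
            return True
        key = (src, sport, dst, dport)
        if key in self.expected:
            # First packet of the announced data connection: accept it once and
            # promote it to a tracked session so the rest of the transfer flows.
            self.expected.discard(key)
            self.sessions.add((dst, dport, src, sport))
            return True
        return False


# Constructed addresses for the scenarios (not taken from the thread).
CLIENT, SERVER = "192.168.1.10", "203.0.113.5"


def run_active_ftp(inspector):
    """Active mode: the server opens the data connection towards the client."""
    inspector.outbound(CLIENT, 40001, SERVER, 21, b"USER bank\r\n")
    inspector.inbound(SERVER, 21, CLIENT, 40001, b"331 Password required\r\n")
    # Client announces port 156*256+66 = 40002 for the data connection.
    inspector.outbound(CLIENT, 40001, SERVER, 21, b"PORT 192,168,1,10,156,66\r\n")
    # Server now connects from port 20 to client:40002, a brand-new inbound connection.
    return inspector.inbound(SERVER, 20, CLIENT, 40002)


def run_passive_ftp(inspector):
    """Passive mode: the client opens the data connection, so it looks like any other outbound session."""
    inspector.outbound(CLIENT, 40001, SERVER, 21, b"PASV\r\n")
    reply = b"227 Entering Passive Mode (203,0,113,5,195,89)\r\n"
    inspector.inbound(SERVER, 21, CLIENT, 40001, reply)
    host, port = parse_hostport(PASV_RE.match(reply.decode()).groups())  # port 195*256+89 = 50009
    inspector.outbound(CLIENT, 40003, host, port)
    return inspector.inbound(host, port, CLIENT, 40003)


if __name__ == "__main__":
    for name, cls in (("basic", BasicInspector), ("ftp", FtpInspector)):
        print(f"{name:5} inspector: active={run_active_ftp(cls())}  passive={run_passive_ftp(cls())}")
```

Running it shows the thread's observation: the basic inspector rejects the active-mode data connection (it is a new inbound session, not a reply), the FTP inspector admits it because it read the PORT command, and passive mode passes both because the client initiates the second connection. The same reasoning is why feite's narrow "service: FTP, inspector: default" rule is enough and the catch-all rule can keep the inspector off.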