sygate to kero 2.1.5

Started by Ghost, August 08, 2005, 07:11:51 PM


Ghost

i have for some time been thinking of going to kero on my 98. ive read the rule set by blitzenzeus at this link: http://www.dslreports.com/forum/remark,8023708~mode=flat
but its all greek to me. is there a site/link that explains it better for a newbie like me? im familiar with "advanced rules" for sygate and have a couple but id like to switch to kero on my 98 for experimentation, then someday install kero on my xp.
any suggestions would be appreciated. its not a resource problem on my 98, i just like to step up to a rule based fw.
E

herbalist

Eagle,
I can see why you had problems with that site. Not exactly friendly to a newer user. While I have very little experience with Sygate, I can try to cover some of the differences. Almost all functions with Kerio 2.1.5 are in the ruleset itself. This includes ICMP rules, which many firewalls separate or call advanced functions. Also, what other firewalls call server rights or permissions is also part of the ruleset, but isn't called that. Giving a program server rights or permission is basically allowing it to receive unsolicited connection requests from the internet, AKA listening. Another item Kerio treats differently is DNS resolving. This is its own rule or group of rules with Kerio, as opposed to treating it as part of the system.
I want to make a couple of basic points about setting up and using a rule based firewall like Kerio 2.1.5. First, you don't have to get everything perfect right away. You can take as long as you need to tighten up rules. You can also make backup copies of rulesets that can easily be re-imported should you edit something incorrectly and lock yourself offline. I've been using it for a few years now and am still tightening up the rules.
Start with Kerio in the "ask me first" setting. This way, you will be asked about everything that wants to connect out, including system components. This is necessary, especially during setup.
Kerio reads the ruleset from the first rule, downward. The first rule that applies will be used. In general, your first group of rules will apply to system components and functions. With 98, very few if any system components actually need internet access. The rules for ICMP functions, DNS resolving, loopback, etc belong in the first group. Most of these will be in the default ruleset Kerio starts with. You can edit them as you get the hang of it.
Rules for the different internet applications will come next. For some, all that's needed is a single rule. Others require several. Most do not need to receive unsolicited incoming requests. Exceptions are IM programs, internet answering machines, file sharing programs, etc. The rules for DNS resolving will also need it. If your internet service routinely pings you to see if you're using the IP, you might have to enable it for that too. Several dialup services do this. In most cases, you'll want to make separate rules for incoming traffic and limit it to only the specific IPs the app needs.
I have several screenshots from my system of some of the screens you'll see with Kerio 2.1.5.
Main Rule Interface. The blacked out area is settings for my system I don't advertise.
Edit menu for DNS rule. The "custom address group" this rule uses is the DNS servers for my internet service.
A rule for an app needing incoming permission, in this instance, the internet answering machine program, Call Wave.
The ICMP menus for these rules.
IMO, Kerio 2.1.5 is one of the best firewalls around, even compared to some very overpriced ones. If you need help setting it up, let me know.
Rick

Ghost

hi herbalist,
thanks for the explanation. i kinda get it right off. with sygate i dont allow any server rights or icmp traffic.
let me digest this html and prints and ill be back tomorrow. got work to do right now. i am very interested in this.
how's your 98 site doing? i installed the unofficial sp2 for 98 and i love it. for some reason i just cant get rid of my 98se :)
thanks for your time,
E

herbalist

I'm still staying with 98 too. Never could make myself trust XP. I haven't had the time to work on that site in some time. It needs updating (and completing) badly. This is just one of those years that I need 36 hour days and enough ambition to make use of them.
Let me know if you want help.
Rick

Ghost

i also have xp and i just got back online w/98se. its too long of a story for the forum but all is well w 98.
i love my xp and with the help of a VERY GOOD FRIEND its pretty safe.
im pretty busy here but i will get to kero by the weekend. just hang in there with me. i didnt expect an answer sooooo quick;)
thanks for the info/pics it has helped.
later,
E

EASTER

Ahhh, Fellow 98SE Users. You know, those of us who were accused of lagging behind the times and held tight to our 98's lived much more comfortably on the internet than XP Users did when they jumped into those spyware/virus targets. That being said, i have since upgraded to XP Pro but still have my 98SE in this same machine on another bootable drive, and to be Perfectly honest and with no exaggeration, my 98 runs circles around XP hands down as far as performance and speed, and YES! especially Security!

Ghost

hi easter,
my 98 is the 1st pc for me and i had a love/hate relationship with it. it was hit by a power surge from a lightning strike on a transformer just about 200' from my place and it took out the modem big time. so i bought a dell 2400 for 249.95 in late 2003. since then, with the help of a very good friend, i have a bare bones xp home that runs very fast. i had gateway send me a pci card for it but it wouldnt work, so i stored 98. i later bought an external modem and that dropped me every time i let it sit for a few seconds. then my friend told me to get a pci card and try it again. WELL it worked fine and im in love w/ 98 again. i have loaded the "unofficial sp2" for my 98 and its running very well for a 500mhz processor and 128 ram. i will eventually get 128 or 256 more ram and it will really run good then. i just cant seem to part with my 98se now;-)
but i do love my xp also and ive put in a lot of time getting it lean, fast and above all secure with my good friend who, by the way, helps people at this site.
so its time for me to get my feet wet w/ a rule based fw on my 98 and see how i like it. i cant test drive my xp because my business is on it, but if i like a rule based fw ill load it on xp after i have it down pat.
oh oh, i see my post is getting a bit off topic so ill close before the police come along and yell about this off topic stuff and the length:-))

E

herbalist

With XP, Kerio 2.1.5 will load a default ruleset that's quite different than the one for 98. XP also has more services that will need rules, many of which the average user doesn't need. Making a ruleset for 98 will be good practice for trying it on XP. On my 98 unit, Kerio actually speeds up my internet performance slightly, probably from preventing unneeded components from using up my slow connection.
Easter,
I know a lot of people don't agree with the idea of 98 being more secure, but that's the same way I feel about it. Much easier to secure a system that can be controlled and isn't bloated with countless components and services that all want internet access.
Rick

Ghost

hi herbalist,
alright, ive installed/setup kero. i went on the net and started each prog that needs to update and checked the appropriate box for kero to set the rule for each prog so i can d/l updates. that was easy! next, i see the button that says "customize". this is where im a bit lost. what needs to be customized and how do i do that? i didnt hit the customize button so i dont know what that screen looks like. i would also like to stop all ICMP traffic and stop server rights for all progs. how do i accomplish that?
so many questions:-))

E

herbalist

The "customize rule" box will bring up this screen. The displayed numbers will be different than these, but the selections are in the default positions.

All the options on the customize rule screen and many more are available from the edit menu on the main rule screen, which is accessible from the "advanced" button on the administration screen. You can get that by right clicking on the tray icon.
This is a copy of the Default ruleset for win98. Since the first 2 columns aren't labelled in the image, I'll explain them. The column of check boxes shows which rules are in use. Only checked ones will be applied, a useful feature for experimenting. The 2nd one is the application or system component the rule applies to. ICMP rules apply to all components, as will using the "any protocol" selection.
The 3rd column, "rule description", has arrows on the left edge. There will be one or two arrows, which will be red or green. Red indicates blocked access, green indicates permitted. Arrows pointing right refer to outgoing connections. To the left refers to incoming, or server permissions as other firewalls call it. You'll note the first rule, DNS, shows the ability to receive incoming connections, or can act as a server.
Image of DNS Edit
For this function, incoming permission is necessary so the requesting app can receive an answer to its request. If you look at the edit menu for this rule, you'll see it permits incoming on port 53 only, and UDP protocol only. You can further tighten this rule by only allowing it to connect to your internet service's own DNS servers.
You can find rules that permit incoming connections by looking at the arrows on the main screen. Look for green ones pointing left. To change any you find, use the "edit" menu or double click on the rule itself. Towards the top, you'll see a drop box labelled "direction." Change it here.
As for ICMP, on the default ruleset, the next 5 rules are for this. Three of the first 4 rules pertain to echo and echo reply. If you're certain that your internet service doesn't ping you to see if you're using the connection, you can delete these. If you're unsure, just uncheck them for now. The last ICMP rule blocks all ICMP functions not expressly permitted by the first 4 ICMP rules. See next link for image of edit menu for this rule.
ICMP Blocking Rule.
I spread the screen as much as I could. The back image is the main rule screen, with the ICMP blocking rule selected. Selecting "Edit" will call up the "Filter Rule" screen on the right. Note the absence of a drop box for selecting the app it applies to. This disappears when "ICMP" or "Any" is selected at the protocol drop box. The contents of the "remote endpoint" area will change depending on what you choose here. "Any" is what you want for ICMP. Make sure "both" is selected for direction and "deny" for action. On the far right, towards the top, you'll see a button "Set ICMP". It's only displayed when ICMP is the selected protocol. Clicking it will bring up the small menu on the left, "Rule Edit-ICMP Protocol Type". Scroll to the bottom of the list and check "all ICMP." Make sure everything in the list gets checked. This will block all ICMP. If your internet service starts dropping you for no apparent reason, you'll need to re-enable the ping (echo) rules. If all runs normally, then delete them after a few days.
I suggest you keep a copy of the original ruleset so you always have a point of reference. I also suggest that you save a copy of the existing ruleset before you edit rules. You can do this from the administration screen, miscellaneous tab, where you'll see the "load" and "save" buttons. I use the date of the ruleset for the filename. One more detail on this. If you use a password to control access to the ruleset and administrative functions, this also exports with the ruleset. If you change passwords, then import a different ruleset, the password in use at that time will apply. While the password will keep unauthorized users from playing with the ruleset or shutting Kerio down, having to type it in for every rule change will get old, fast. You might want to wait on that.
Let me know if I didn't cover your questions.
Regarding your "so many questions:-))":
Not a problem. I'm having fun now.
Rick

Ghost

hi herbalist,
ok, ive printed out your descriptions and pics, thanks, but its late here and im an early riser so ill be back to let you know how it all went tomorrow afternoon after im through with work.
again, thanks :)

E

herbalist

Eagle,
I'm just the opposite. I stay up late and sleep late. Been on 2nd and 3rd shift too long.
I see I missed one of your questions regarding customizing a rule for an updatable application. I'm assuming that you're referring to apps like your AV, Ad-aware, etc.
Before I go any farther, I'd like to recommend another very useful tool that's free for the downloading. It's called Sam Spade. Info and download links here. It's very useful for finding who IP addresses or ranges belong to and makes setting the IP ranges for firewall rules much easier. This program can do a lot more than this as you get to understand it more.
For this purpose, it's used like this. I'll use my AV, AntiVir for example. When I start the update, AntiVir tries to connect to 62.146.66.182. I enter this IP into Sam Spade and click on the "whois" function. Sam Spade returned this info. The address belongs to Datentechnik, the owning company. It also shows an IP range of 62.146.66.176 to 62.146.66.191 for this request. So instead of making the rule for the original single IP, you make it for the IP range named, which is likely the entire range used by that server.
Most of these types of apps connect to either a single IP address or a small IP range. The bigger name AVs probably use a larger range or more than one. The updater for AntiVir for example can connect to any one of at least 8 update servers, each of which has its own IP range.
There are a couple of ways you can approach this. One is to create a separate rule for each of those apps for each IP or IP range it uses. If you look at the connection requests for these apps, you'll likely see that each is always using the same port number and protocol, but one or more IP ranges. This is the tightest method, limiting each to only the exact IPs they use.
The second would be to use the "custom address group" section. You'll find this by going to the rule screen and clicking on the miscellaneous tab. You can add the IP ranges for these types of apps to this area, then allow the requesting app to use the custom address group. Only do this with apps you know you can trust. As long as you're using the "ask me first" setting, you will get an alert for any app you don't have a rule in place for. If you do your updating manually, this works fine. If you have the updaters scheduled, you'll need rules in place. I don't let anything update itself so I don't put rules in for these. I make them ask every time. Use the method that matches your preference.
Rick

Ghost

whoa. im an early riser and ill have to come back to this later today. too much at 7am :lol:
E

Ghost

hi herbalist,
ok, i think im getting the hang of this fw, i also dont allow anything to update by itself, either my 98 or xp.
ill try Sam Spade and see how it goes. thank you for the link and ill get back to you later tonight with some preliminary results. thanks for your in-depth explanation on the above subjects. actually im not having any trouble so far. i thought it would be a mind bender for this newbie but as i said, not bad at all. i am using the "ask me first" setting and im not getting any more popups for the apps installed. of course im getting popups for those pesky probes from china and other places. i use Karens Who Is, so i check them out just to see who is probing my ports :)
ill swoop in later with results :lol:

E

herbalist

That was one of the issues I've had with other firewalls, the lack of configurability regarding alerts. With so many of them, you either have to deal with all the alerts or shut them all off. With Kerio 2.1.5, the alerts are configurable on a per rule basis. The last thing I want from a firewall is to be told about every port scan that touches my system. Always in the way. With Kerio, the only time I see an alert is when an app changes or is newly installed or someone tries to contact me on an IM program from somewhere other than their usual addy.
I leave mine in the ask me first setting for apps like Yahoo IM. Apps that won't need to connect to new places have a "block everything" rule after the permit rules. This way, it's the same as running in the "deny unknown" setting, but only for apps with blocking rules added.
Karens whois will also do the job for you. The whois component of Sam Spade works the same way. The advantage Sam Spade has is all the other functions and tools it has. Learning everything it can do is an education in itself. BTW, Sam Spade does use ICMP for some functions. You can accommodate this and still block ICMP for the rest of your system by putting the rules for it above the ICMP rules.
I'm going out and taking advantage of this cool, comfortable day. Will be back tonite.
Rick
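As an added illustration (not from the thread, and not Kerio's own code): a small Python model of the top-down, first-match evaluation Rick describes in his walk-through of the default ruleset (check-box column, direction, the DNS rule permitting UDP port 53 only, the echo rules followed by a block-all-ICMP rule) and of the per-app "permit rules followed by a block everything rule" layout from his last post. It also turns the whois range 62.146.66.176 to 62.146.66.191 from the AntiVir post into a CIDR block so the update rule can cover the whole range. The Rule and Packet field names, the helper names, the resolver address 198.51.100.53 and the example port 80 are assumptions of this example; the model lets any rule carry an application name, which is a simplification and says nothing about what Kerio's own edit screens offer.

```python
"""First-match evaluator for a Kerio 2.1.5-style ruleset (added example, not Kerio code).

Field names, helper names, the resolver address and the sample port are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, summarize_address_range
from typing import FrozenSet, List, Optional, Tuple

ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8   # standard ICMP type numbers


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # "permit" or "deny"
    direction: str                   # "in", "out" or "both"
    protocol: str                    # "tcp", "udp", "icmp" or "any"
    enabled: bool = True             # the check-box column: unchecked rules are skipped
    app: Optional[str] = None        # None = applies to every application
    remote_nets: Tuple[str, ...] = ()        # CIDR blocks; empty = any remote address
    remote_port: Optional[int] = None        # None = any port
    icmp_types: Optional[FrozenSet[int]] = None  # None = "all ICMP"


@dataclass(frozen=True)
class Packet:
    app: Optional[str]               # None for traffic not tied to an application (ICMP)
    direction: str                   # "in" or "out"
    protocol: str
    remote_ip: str
    remote_port: Optional[int] = None
    icmp_type: Optional[int] = None


def range_to_cidrs(first: str, last: str) -> Tuple[str, ...]:
    """Turn a whois range such as 62.146.66.176-62.146.66.191 into CIDR blocks."""
    nets = summarize_address_range(ip_address(first), ip_address(last))
    return tuple(str(n) for n in nets)


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every field the rule constrains agrees with the packet."""
    if not rule.enabled:
        return False
    if rule.app is not None and rule.app != pkt.app:
        return False
    if rule.protocol != "any" and rule.protocol != pkt.protocol:
        return False
    if rule.direction != "both" and rule.direction != pkt.direction:
        return False
    if rule.remote_nets and not any(
            ip_address(pkt.remote_ip) in ip_network(n) for n in rule.remote_nets):
        return False
    if rule.remote_port is not None and rule.remote_port != pkt.remote_port:
        return False
    if pkt.protocol == "icmp" and rule.icmp_types is not None \
            and pkt.icmp_type not in rule.icmp_types:
        return False
    return True


def evaluate(ruleset: List[Rule], pkt: Packet) -> Tuple[str, Optional[str]]:
    """Read the ruleset top-down; the first rule that applies decides.

    No match at all means the "ask me first" prompt would appear.
    """
    for rule in ruleset:
        if matches(rule, pkt):
            return rule.action, rule.name
    return "ask", None


def sample_ruleset(echo_enabled: bool = True) -> List[Rule]:
    """Constructed ruleset shaped like the thread's default-plus-app layout."""
    dns_server = "198.51.100.53"                 # placeholder for the ISP's resolver
    return [
        # DNS first: UDP, port 53 only, tightened to the ISP's own resolver
        Rule("DNS", "permit", "both", "udp", app="dns",
             remote_nets=(dns_server + "/32",), remote_port=53),
        # echo rules that can be unchecked once you know the ISP never pings you
        Rule("ICMP echo in", "permit", "in", "icmp", enabled=echo_enabled,
             icmp_types=frozenset({ICMP_ECHO_REQUEST})),
        Rule("ICMP echo reply out", "permit", "out", "icmp", enabled=echo_enabled,
             icmp_types=frozenset({ICMP_ECHO_REPLY})),
        # catch-all: every ICMP type not permitted above is denied
        Rule("Block all ICMP", "deny", "both", "icmp"),
        # updater limited to the whois range, then a per-app "block everything"
        Rule("AntiVir update", "permit", "out", "tcp", app="antivir",
             remote_nets=range_to_cidrs("62.146.66.176", "62.146.66.191"),
             remote_port=80),
        Rule("AntiVir block everything", "deny", "both", "any", app="antivir"),
    ]


if __name__ == "__main__":
    rs = sample_ruleset()
    print(evaluate(rs, Packet(None, "in", "icmp", "203.0.113.9", icmp_type=8)))
    print(evaluate(sample_ruleset(echo_enabled=False),
                   Packet(None, "in", "icmp", "203.0.113.9", icmp_type=8)))
    print(evaluate(rs, Packet("antivir", "out", "tcp", "203.0.113.9", 80)))
```

The ordering is what matters: unchecking the two echo rules makes an incoming ping fall through to "Block all ICMP", and the AntiVir "block everything" rule only bites for AntiVir, so an application with no rules at all still reaches the "ask" outcome rather than a silent deny.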