Kerio's Primary DNS Server Rule


Posted

In order to end 17 years of intense study after just 4 or so, I hope for

a quick answer to the following question. Here is my Kerio "Primary DNS

Server" rule, got from some expert & currently modified only in that I

now include the entire NetZero/Juno address range (where earlier I tried

to determine just the ones NetZero seemed to want to use)...

 

Primary DNS Server rule

 

Protocol: UDP, both directions

Local Endpoint-- Ports: 1024-5000

-- Application: Any

Remote Endpoint-- Address: Entire NetZero/Juno range

-- Port: 53

 

ANY app can use it, as currently written. Here are the ones I've

caught...

 

(a) EXEC.EXE NetZero Internet

(b) IEXPLORE.EXE

(c) no owner << eeek?

(d) AVAST.SETUP

(e) ASHMAISV.EXE avast! e-Mail Scanner Service

(f) PFWADMIN.EXE Kerio Personal Firewall Console

 

Here's the "no owner". There is only this one, but I haven't been

tracking this rule long...

 

2,[20/Jul/2007 21:15:04] Rule 'Primary DNS Server': Permitted: In UDP,

64.136.44.74:53->localhost:1055, Owner: no owner

 

Here is one "AVAST.SETUP". ODD, but I guess legit-- I have no program

actually named AVAST.SETUP, & no .exe at all in the folder mentioned...

 

2,[17/Jul/2007 22:30:14] Rule 'Avast! UDP': Permitted: Out UDP,

localhost:1045->64.136.44.74:53, Owner: C:\PROGRAM FILES\ALWIL

SOFTWARE\AVAST4\SETUP\AVAST.SETUP

 

Questions...

 

(1) Is it legit for IE to be using it?

 

(2) Should I block PFWADMIN.EXE?

[NOTE: In another rule (probably by yosponge)

PersFW.exe (Kerio Personal Firewall Engine) IS blocked.]

 

(3) I guess I must get rid of that "no owner",

but could it just be some kind of Kerio glitch?

 

(4) Am I leaving myself prone to mayhem by letting

ANY app use this rule-- as the "expert" coded it?

But, why hasn't it happened yet-- or has it????

 

(4) Why is it restricted to using ports 1024-5000 & 53?

 

 

--

Thanks or Good Luck,

There may be humor in this post, and,

Naturally, you will not sue,

Should things get worse after this,

PCR

pcrrcp@netzero.net

Guest gram pappy
Posted

Re: Kerio's Primary DNS Server Rule

 

Reply, (sorry not a quick answer) in-line below:

 

"PCR" <pcrrcp@netzero.net> wrote in message

news:%23GMM4FIzHHA.4712@TK2MSFTNGP04.phx.gbl...

In order to end 17 years of intense study after just 4 or so, I hope for

a quick answer to the following question. Here is my Kerio "Primary DNS

Server" rule, got from some expert & currently modified only in that I

now include the entire NetZero/Juno address range (where earlier I tried

to determine just the ones NetZero seemed to want to use)...

 

Primary DNS Server rule

 

Protocol: UDP, both directions

Local Endpoint-- Ports: 1024-5000

-- Application: Any

Remote Endpoint-- Address: Entire NetZero/Juno range

-- Port: 53

 

ANY app can use it, as currently written. Here are the ones I've

caught...

 

(a) EXEC.EXE NetZero Internet

(b) IEXPLORE.EXE

(c) no owner << eeek?

(d) AVAST.SETUP

(e) ASHMAISV.EXE avast! e-Mail Scanner Service

(f) PFWADMIN.EXE Kerio Personal Firewall Console

 

Here's the "no owner". There is only this one, but I haven't been

tracking this rule long...

 

2,[20/Jul/2007 21:15:04] Rule 'Primary DNS Server': Permitted: In UDP,

64.136.44.74:53->localhost:1055, Owner: no owner

 

Here is one "AVAST.SETUP". ODD, but I guess legit-- I have no program

actually named AVAST.SETUP, & no .exe at all in the folder mentioned...

 

2,[17/Jul/2007 22:30:14] Rule 'Avast! UDP': Permitted: Out UDP,

localhost:1045->64.136.44.74:53, Owner: C:\PROGRAM FILES\ALWIL

SOFTWARE\AVAST4\SETUP\AVAST.SETUP

 

Questions...

 

(1) Is it legit for IE to be using it?

Yes, as long as Remote IP is in NetZero IP Range.

 

(2) Should I block PFWADMIN.EXE?

[NOTE: In another rule (probably by yosponge)

PersFW.exe (Kerio Personal Firewall Engine) IS blocked.]

Yes, I use a combination of Spunge, Shaolin and BlitzenZeus

rulesets. They block both Persfw and Pfwadmin.

 

(3) I guess I must get rid of that "no owner",

but could it just be some kind of Kerio glitch?

Don't see problem as long as Remote IP is in NetZero IP Range.

 

(4) Am I leaving myself prone to mayhem by letting

ANY app use this rule-- as the "expert" coded it?

But, why hasn't it happened yet-- or has it????

No, standard for ISP DNS servers.

 

(4) Why is it restricted to using ports 1024-5000 & 53?

I assume you are referring to Local ports 1024-5000, some say

to narrow down even more to 1031-4999. See Steve Gibson as

to why. https://www.grc.com/port_1024.htm

And I assume you are referring to Remote port 53, that is normal

for ISP DNS servers.

-

gram

 

 

--

Thanks or Good Luck,

There may be humor in this post, and,

Naturally, you will not sue,

Should things get worse after this,

PCR

pcrrcp@netzero.net

Posted

Re: Kerio's Primary DNS Server Rule

 

If you're using a NAT router you can generally set the firewall to only allow

incoming DNS replies from the router's IP address. (and if you like from the

ISP's nameservers too) - packets from a source port of 53 shouldn't be

arriving from anywhere else, if they do, then they are suspicious.

 

HST, win9x doesn't have the DNS-client vulnerabilities that NT/XP does.

AFAIK a 9x system cannot easily be attacked by way of intentionally-malformed

DNS packets, so the need to filter DNS is questionable.

Posted

Re: Kerio's Primary DNS Server Rule

 

On Mon, 23 Jul 2007 00:07:16 -0500, "gram pappy"

<nospam@example.invalid> wrote:

>Reply, (sorry not a quick answer) in-line below:

>

>"PCR" <pcrrcp@netzero.net> wrote in message

>news:%23GMM4FIzHHA.4712@TK2MSFTNGP04.phx.gbl...

>

>Here is one "AVAST.SETUP". ODD, but I guess legit-- I have no program

>actually named AVAST.SETUP, & no .exe at all in the folder mentioned...

>

>2,[17/Jul/2007 22:30:14] Rule 'Avast! UDP': Permitted: Out UDP,

>localhost:1045->64.136.44.74:53, Owner: C:\PROGRAM FILES\ALWIL

>SOFTWARE\AVAST4\SETUP\AVAST.SETUP

 

 

AVAST.SETUP appears to be established only during updates.

 

Under Avast Advanced tab|Application's MD5, Paths and MD5

check will show 'bad path' and 'app does not exist'.

This is normal.

 

BoB

Posted

Re: Kerio's Primary DNS Server Rule

 

BoB wrote:

| On Mon, 23 Jul 2007 00:07:16 -0500, "gram pappy"

| <nospam@example.invalid> wrote:

|

|>Reply, (sorry not a quick answer) in-line below:

|>

|>"PCR" <pcrrcp@netzero.net> wrote in message

|>news:%23GMM4FIzHHA.4712@TK2MSFTNGP04.phx.gbl...

|>

|>Here is one "AVAST.SETUP". ODD, but I guess legit-- I have no program

|>actually named AVAST.SETUP, & no .exe at all in the folder

|>mentioned...

|>

|>2,[17/Jul/2007 22:30:14] Rule 'Avast! UDP': Permitted: Out UDP,

|>localhost:1045->64.136.44.74:53, Owner: C:\PROGRAM FILES\ALWIL

|>SOFTWARE\AVAST4\SETUP\AVAST.SETUP

|

|

| AVAST.SETUP appears to be established only during updates.

|

| Under Avast Advanced tab|Application's MD5, Paths and MD5

| check will show 'bad path' and 'app does not exist'.

| This is normal.

 

Thanks, BoB. I think you mean...

"Kerio icon, Administration, Advanced button, Application's MD5 tab"

 

You are right that "C:\PROGRAM FILES\ALWIL

SOFTWARE\AVAST4\SETUP\AVAST.SETUP" is also listed there. I guess it is

some kind of invisible subtask or "thread" or "handle" or something

started by another avast! program-- because there is nothing named

"AVAST.SETUP" that I can find in any folder I've got. Let me see whether

it shows up in Process Explorer... it DOESN'T show in any window as

anything-- but, I guess it is as you say. It will come/go on an as

needed basis. I guess it has to be legit.

 

I'm still trying to digest the other responses, & will post to them

after my 2nd walk.

 

 

| BoB

 

--

Thanks or Good Luck,

There may be humor in this post, and,

Naturally, you will not sue,

Should things get worse after this,

PCR

pcrrcp@netzero.net

Guest Curt Christianson
Posted

Re: Kerio's Primary DNS Server Rule

 

I think it's his second walk to the refrigerator! <rvvf>

 

--

HTH,

Curt

 

Windows Support Center

http://www.aumha.org

Practically Nerded,...

http://dundats.mvps.org/Index.htm

 

"PCR" <pcrrcp@netzero.net> wrote in message

news:%23eca5YXzHHA.988@TK2MSFTNGP02.phx.gbl...

| BoB wrote:

|| On Mon, 23 Jul 2007 00:07:16 -0500, "gram pappy"

|| <nospam@example.invalid> wrote:

||

||>Reply, (sorry not a quick answer) in-line below:

||>

||>"PCR" <pcrrcp@netzero.net> wrote in message

||>news:%23GMM4FIzHHA.4712@TK2MSFTNGP04.phx.gbl...

||>

||>Here is one "AVAST.SETUP". ODD, but I guess legit-- I have no program

||>actually named AVAST.SETUP, & no .exe at all in the folder

||>mentioned...

||>

||>2,[17/Jul/2007 22:30:14] Rule 'Avast! UDP': Permitted: Out UDP,

||>localhost:1045->64.136.44.74:53, Owner: C:\PROGRAM FILES\ALWIL

||>SOFTWARE\AVAST4\SETUP\AVAST.SETUP

||

||

|| AVAST.SETUP appears to be established only during updates.

||

|| Under Avast Advanced tab|Application's MD5, Paths and MD5

|| check will show 'bad path' and 'app does not exist'.

|| This is normal.

|

| Thanks, BoB. I think you mean...

| "Kerio icon, Administration, Advanced button, Application's MD5 tab"

|

| You are right that "C:\PROGRAM FILES\ALWIL

| SOFTWARE\AVAST4\SETUP\AVAST.SETUP" is also listed there. I guess it is

| some kind of invisible subtask or "thread" or "handle" or something

| started by another avast! program-- because there is nothing named

| "AVAST.SETUP" that I can find in any folder I've got. Let me see whether

| it shows up in Process Explorer... it DOESN'T show in any window as

| anything-- but, I guess it is as you say. It will come/go on an as

| needed basis. I guess it has to be legit.

|

| I'm still trying to digest the other responses, & will post to them

| after my 2nd walk.

|

|

|| BoB

|

| --

| Thanks or Good Luck,

| There may be humor in this post, and,

| Naturally, you will not sue,

| Should things get worse after this,

| PCR

| pcrrcp@netzero.net

|

|

Posted

Re: Kerio's Primary DNS Server Rule

 

Curt Christianson wrote:

| I think it's his second walk to the refrigerator! <rvvf>

 

There's nothing in my own refrigerator, Christianson-- I swear to the

Pope! It's not even plugged in anymore! I have to walk at least once a

day, or I will not eat.

 

| --

| HTH,

| Curt

|

| Windows Support Center

| http://www.aumha.org

| Practically Nerded,...

| http://dundats.mvps.org/Index.htm

|

| "PCR" <pcrrcp@netzero.net> wrote in message

| news:%23eca5YXzHHA.988@TK2MSFTNGP02.phx.gbl...

|| BoB wrote:

||| On Mon, 23 Jul 2007 00:07:16 -0500, "gram pappy"

||| <nospam@example.invalid> wrote:

|||

|||>Reply, (sorry not a quick answer) in-line below:

|||>

|||>"PCR" <pcrrcp@netzero.net> wrote in message

|||>news:%23GMM4FIzHHA.4712@TK2MSFTNGP04.phx.gbl...

|||>

|||>Here is one "AVAST.SETUP". ODD, but I guess legit-- I have no

|||>program actually named AVAST.SETUP, & no .exe at all in the folder

|||>mentioned...

|||>

|||>2,[17/Jul/2007 22:30:14] Rule 'Avast! UDP': Permitted: Out UDP,

|||>localhost:1045->64.136.44.74:53, Owner: C:\PROGRAM FILES\ALWIL

|||>SOFTWARE\AVAST4\SETUP\AVAST.SETUP

|||

|||

||| AVAST.SETUP appears to be established only during updates.

|||

||| Under Avast Advanced tab|Application's MD5, Paths and MD5

||| check will show 'bad path' and 'app does not exist'.

||| This is normal.

||

|| Thanks, BoB. I think you mean...

|| "Kerio icon, Administration, Advanced button, Application's MD5 tab"

||

|| You are right that "C:\PROGRAM FILES\ALWIL

|| SOFTWARE\AVAST4\SETUP\AVAST.SETUP" is also listed there. I guess it

|| is some kind of invisible subtask or "thread" or "handle" or

|| something started by another avast! program-- because there is

|| nothing named "AVAST.SETUP" that I can find in any folder I've got.

|| Let me see whether it shows up in Process Explorer... it DOESN'T

|| show in any window as anything-- but, I guess it is as you say. It

|| will come/go on an as needed basis. I guess it has to be legit.

||

|| I'm still trying to digest the other responses, & will post to them

|| after my 2nd walk.

||

||

||| BoB

||

|| --

|| Thanks or Good Luck,

|| There may be humor in this post, and,

|| Naturally, you will not sue,

|| Should things get worse after this,

|| PCR

|| pcrrcp@netzero.net

 

--

Thanks or Good Luck,

There may be humor in this post, and,

Naturally, you will not sue,

Should things get worse after this,

PCR

pcrrcp@netzero.net

Posted

Re: Kerio's Primary DNS Server Rule

 

gram pappy wrote:

| Reply, (sorry not a quick answer) in-line below:

 

It's quicker than I've been these past four years, gram pappy, thanks.

Also, my own beloved grandfather, himself, could shovel snow quicker

than me some 22 years ago in his 90's! More below...

 

| "PCR" <pcrrcp@netzero.net> wrote in message

| news:%23GMM4FIzHHA.4712@TK2MSFTNGP04.phx.gbl...

| In order to end 17 years of intense study after just 4 or so, I hope

| for a quick answer to the following question. Here is my Kerio

| "Primary DNS Server" rule, got from some expert & currently modified

| only in that I now include the entire NetZero/Juno address range

| (where earlier I tried to determine just the ones NetZero seemed to

| want to use)...

|

| Primary DNS Server rule

|

| Protocol: UDP, both directions

| Local Endpoint-- Ports: 1024-5000

| -- Application: Any

| Remote Endpoint-- Address: Entire NetZero/Juno range

| -- Port: 53

|

| ANY app can use it, as currently written. Here are the ones I've

| caught...

|

| (a) EXEC.EXE NetZero Internet

| (b) IEXPLORE.EXE

| (c) no owner << eeek?

| (d) AVAST.SETUP

| (e) ASHMAISV.EXE avast! e-Mail Scanner Service

| (f) PFWADMIN.EXE Kerio Personal Firewall Console

|

| Here's the "no owner". There is only this one, but I haven't been

| tracking this rule long...

|

| 2,[20/Jul/2007 21:15:04] Rule 'Primary DNS Server': Permitted: In UDP,

| 64.136.44.74:53->localhost:1055, Owner: no owner

|

| Here is one "AVAST.SETUP". ODD, but I guess legit-- I have no program

| actually named AVAST.SETUP, & no .exe at all in the folder

| mentioned...

|

| 2,[17/Jul/2007 22:30:14] Rule 'Avast! UDP': Permitted: Out UDP,

| localhost:1045->64.136.44.74:53, Owner: C:\PROGRAM FILES\ALWIL

| SOFTWARE\AVAST4\SETUP\AVAST.SETUP

|

| Questions...

|

| (1) Is it legit for IE to be using it?

 

Gram pappy: Yes, as long as Remote IP is in NetZero IP Range.

 

Me: What makes that safe? Can some app grab control of IE & do bad

things with this?

 

| (2) Should I block PFWADMIN.EXE?

| [NOTE: In another rule (probably by yosponge)

| PersFW.exe (Kerio Personal Firewall Engine) IS blocked.]

 

Gram pappy: Yes, I use a combination of Spunge, Shaolin and

BlitzenZeus rulesets. They block both Persfw

and Pfwadmin.

 

Me: I'm a mishmosh, myself, possibly of the same experts.

But finally I want to know what it's about!

 

| (3) I guess I must get rid of that "no owner",

| but could it just be some kind of Kerio glitch?

 

 

Gram pappy: Don't see problem as long as Remote IP

is in NetZero IP Range.

 

Me: Why? NOW, probably due to better tracking, I've got SIX

more of those so far today. They always are INCOMING...

 

2,[24/Jul/2007 15:09:06] Rule 'Primary DNS Server': Permitted: In UDP,

64.136.44.74:53->localhost:1589, Owner: no owner

 

2,[24/Jul/2007 15:09:20] Rule 'Primary DNS Server': Permitted: In UDP,

64.136.44.74:53->localhost:1641, Owner: no owner

 

2,[24/Jul/2007 15:09:22] Rule 'Primary DNS Server': Permitted: In UDP,

64.136.28.121:53->localhost:1641, Owner: no owner

 

2,[24/Jul/2007 15:09:58] Rule 'Primary DNS Server': Permitted: In UDP,

64.136.44.74:53->localhost:1702, Owner: no owner

 

2,[24/Jul/2007 15:10:54] Rule 'Primary DNS Server': Permitted: In UDP,

64.136.44.74:53->localhost:1880, Owner: no owner

 

2,[24/Jul/2007 15:10:58] Rule 'Primary DNS Server': Permitted: In UDP,

64.136.44.74:53->localhost:1884, Owner: no owner

 

| (4) Am I leaving myself prone to mayhem by letting

| ANY app use this rule-- as the "expert" coded it?

| But, why hasn't it happened yet-- or has it????

 

Gram pappy: No, standard for ISP DNS servers.

 

Me: What prevents an ill result when any app can do it?

 

|

| (4) Why is it restricted to using ports 1024-5000 & 53?

 

Gram pappy: I assume you are referring to Local ports 1024-5000,

some say to narrow down even more to 1031-4999.

See Steve Gibson as to why.

https://www.grc.com/port_1024.htm

And I assume you are referring to Remote port 53,

that is normal for ISP DNS servers.

 

Me: OK, I'm clicking that now. You are right in your assumptions.

Are you implying-- so long as it goes to & comes from Port 53,

NetZero will assure no foul play is involved?

 

| -

| gram

|

|

| --

| Thanks or Good Luck,

| There may be humor in this post, and,

| Naturally, you will not sue,

| Should things get worse after this,

| PCR

| pcrrcp@netzero.net

 

--

Thanks or Good Luck,

There may be humor in this post, and,

Naturally, you will not sue,

Should things get worse after this,

PCR

pcrrcp@netzero.net
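
The check Ian describes earlier in the thread (packets from source port 53 should arrive only from known resolvers) and the per-application audit PCR does by hand, run over log lines in the format quoted in this thread. This is an added example, not part of any post; the resolver allowlist (the two addresses seen in the quoted log lines), the function names and the last sample log line are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# One Kerio filter-log entry, in the shape quoted in this thread, e.g.
#   2,[20/Jul/2007 21:15:04] Rule 'Primary DNS Server': Permitted: In UDP,
#   64.136.44.74:53->localhost:1055, Owner: no owner
# (the posts wrap it across lines; in the log it is a single line).
LINE_RE = re.compile(
    r"^\d+,\[(?P<ts>[^\]]+)\]\s+Rule '(?P<rule>.+?)':\s+"
    r"(?P<action>Permitted|Blocked):\s+(?P<dir>In|Out)\s+(?P<proto>UDP|TCP),\s+"
    r"(?P<src>[^:\s]+):(?P<sport>\d+)->(?P<dst>[^:\s]+):(?P<dport>\d+),\s+"
    r"Owner:\s+(?P<owner>.+?)\s*$"
)

# Assumption: the allowlist is the two resolver addresses that appear in the
# thread's own log lines. Replace with the resolvers your connection uses.
ALLOWED_RESOLVERS = {"64.136.44.74", "64.136.28.121"}

# Log lines copied from the thread (unwrapped). The last line is constructed:
# a port-53 source outside the allowlist, to show the check firing.
SAMPLE_LOG = r"""
2,[17/Jul/2007 22:30:14] Rule 'Avast! UDP': Permitted: Out UDP, localhost:1045->64.136.44.74:53, Owner: C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\SETUP\AVAST.SETUP
2,[20/Jul/2007 21:15:04] Rule 'Primary DNS Server': Permitted: In UDP, 64.136.44.74:53->localhost:1055, Owner: no owner
2,[24/Jul/2007 15:09:20] Rule 'Primary DNS Server': Permitted: In UDP, 64.136.44.74:53->localhost:1641, Owner: no owner
2,[24/Jul/2007 15:09:22] Rule 'Primary DNS Server': Permitted: In UDP, 64.136.28.121:53->localhost:1641, Owner: no owner
1,[17/Jul/2007 22:29:10] Rule 'DNS Alert (Log, Alert)': Blocked: In UDP, 64.136.44.74:53->localhost:1030, Owner: C:\PROGRAM FILES\NETZERO\EXEC.EXE
2,[24/Jul/2007 16:00:00] Rule 'Primary DNS Server': Permitted: In UDP, 203.0.113.5:53->localhost:1700, Owner: no owner
""".strip().splitlines()


def parse_line(line):
    """Return one log entry as a dict, or None if the line is not an entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
    # "In" entries are written remote->local, "Out" entries local->remote.
    inbound = ev["dir"] == "In"
    ev["remote"] = ev["src"] if inbound else ev["dst"]
    ev["remote_port"] = ev["sport"] if inbound else ev["dport"]
    return ev


def audit(lines, resolvers=ALLOWED_RESOLVERS):
    """Summarise who used each rule and flag port-53 sources not on the list."""
    owners_by_rule = defaultdict(set)       # rule name -> owners seen on it
    ownerless_by_resolver = defaultdict(int)  # allowed resolver -> "no owner" hits
    unexpected = []                         # port-53 sources not in the allowlist
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        owners_by_rule[ev["rule"]].add(ev["owner"])
        if ev["dir"] == "In" and ev["sport"] == 53:
            if ev["remote"] not in resolvers:
                unexpected.append(ev)
            elif ev["owner"] == "no owner":
                ownerless_by_resolver[ev["remote"]] += 1
    return {
        "owners_by_rule": dict(owners_by_rule),
        "ownerless_by_resolver": dict(ownerless_by_resolver),
        "unexpected": unexpected,
    }


if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    for rule, owners in sorted(report["owners_by_rule"].items()):
        print(f"{rule}: {sorted(owners)}")
    print("ownerless replies per allowed resolver:", report["ownerless_by_resolver"])
    for ev in report["unexpected"]:
        print(f"REVIEW {ev['ts']}: {ev['action']} {ev['proto']} from "
              f"{ev['remote']}:53 to local port {ev['dport']} via rule '{ev['rule']}'")
```
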

Posted

Re: Kerio's Primary DNS Server Rule

 

Ian wrote:

| If you're using a NAT router you can generally set the firewall to

| only allow incoming DNS replies from the router's IP address.

 

Thanks, Ian. That may apply to someone else, but not to me.

 

| (and if

| you like from the ISP's nameservers too) - packets from a source port

| of 53 shouldn't be arriving from anywhere else, if they do, then they

| are suspicious.

 

Let's see... looks like, yea... some expert's rule I've copied called

"DNS Alert (Log, Alert)" DOES block UDP/TCP both directions, any local

port, any application, any address, port 53. It is the next rule AFTER

the Primary DNS Server rule, meaning it won't hinder that one. SO... I'm

good with that!

 

It USED to happen a lot, like...

 

1,[17/Jul/2007 22:29:10] Rule 'DNS Alert (Log, Alert)': Blocked: In UDP,

64.136.44.74:53->localhost:1030, Owner: C:\PROGRAM

FILES\NETZERO\EXEC.EXE

 

HOWEVER, I haven't seen it since allowing the Primary DNS Server to have

all Netzero/Juno addresses. I guess I was right to do that.

 

Hmph! I've just inexplicably been bumped off the NET! Usually, NetZero

puts up a warning timer requestor for me to click, but I didn't get one

just now. (I did earlier, but clicked it in time!) Here is the last item

in my Kerio .log...

 

2,[24/Jul/2007 16:55:00] Rule 'ZCast': Permitted: Out TCP,

localhost:2048->64.136.44.66:6789, Owner: C:\PROGRAM

FILES\NETZERO\EXEC.EXE

 

Can that be what bumped me off?

 

| HST, win9x doesn't have the DNS-client vulnerabilities that NT/XP

| does. AFAIK a 9x system cannot easily be attacked by way of

| intentionally-malformed DNS packets, so the need to filter DNS is

| questionable.

 

Does a packet have to be malformed to do ill? Why can't a well-formed

one do it?

Posted

Re: Kerio's Primary DNS Server Rule

 

Updating...

 

PCR wrote:

| gram pappy wrote:

|| Reply, (sorry not a quick answer) in-line below:

|

| It's quicker than I've been these past four years, gram pappy, thanks.

| Also, my own beloved grandfather, himself, could shovel snow quicker

| than me some 22 years ago in his 90's! More below...

|

|| "PCR" <pcrrcp@netzero.net> wrote in message

|| news:%23GMM4FIzHHA.4712@TK2MSFTNGP04.phx.gbl...

|| In order to end 17 years of intense study after just 4 or so, I hope

|| for a quick answer to the following question. Here is my Kerio

|| "Primary DNS Server" rule, got from some expert & currently modified

|| only in that I now include the entire NetZero/Juno address range

|| (where earlier I tried to determine just the ones NetZero seemed to

|| want to use)...

||

|| Primary DNS Server rule

||

|| Protocol: UDP, both directions

|| Local Endpoint-- Ports: 1024-5000

|| -- Application: Any

|| Remote Endpoint-- Address: Entire NetZero/Juno range

|| -- Port: 53

||

|| ANY app can use it, as currently written. Here are the ones I've

|| caught...

||

|| (a) EXEC.EXE NetZero Internet

|| (b) IEXPLORE.EXE

|| (c) no owner << eeek?

|| (d) AVAST.SETUP

|| (e) ASHMAISV.EXE avast! e-Mail Scanner Service

|| (f) PFWADMIN.EXE Kerio Personal Firewall Console

||

|| Here's the "no owner". There is only this one, but I haven't been

|| tracking this rule long...

||

|| 2,[20/Jul/2007 21:15:04] Rule 'Primary DNS Server': Permitted: In

|| UDP,

|| 64.136.44.74:53->localhost:1055, Owner: no owner

||

|| Here is one "AVAST.SETUP". ODD, but I guess legit-- I have no program

|| actually named AVAST.SETUP, & no .exe at all in the folder

|| mentioned...

||

|| 2,[17/Jul/2007 22:30:14] Rule 'Avast! UDP': Permitted: Out UDP,

|| localhost:1045->64.136.44.74:53, Owner: C:\PROGRAM FILES\ALWIL

|| SOFTWARE\AVAST4\SETUP\AVAST.SETUP

||

|| Questions...

||

|| (1) Is it legit for IE to be using it?

|

| Gram pappy: Yes, as long as Remote IP is in NetZero IP Range.

|

| Me: What makes that safe? Can some app grab control of IE & do bad

| things with this?

|

|| (2) Should I block PFWADMIN.EXE?

|| [NOTE: In another rule (probably by yosponge)

|| PersFW.exe (Kerio Personal Firewall Engine) IS blocked.]

|

| Gram pappy: Yes, I use a combination of Spunge, Shaolin and

| BlitzenZeus rulesets. They block both Persfw

| and Pfwadmin.

|

| Me: I'm a mishmosh, myself, possibly of the same experts.

| But finally I want to know what it's about!

 

Update: I've blocked PFWADMIN.EXE now too;

so far, nothing untoward has happened.

 

|| (3) I guess I must get rid of that "no owner",

|| but could it just be some kind of Kerio glitch?

|

|

| Gram pappy: Don't see problem as long as Remote IP

| is in NetZero IP Range.

|

| Me: Why? NOW, probably due to better tracking, I've got SIX

| more of those so far today. They always are INCOMING...

|

| 2,[24/Jul/2007 15:09:06] Rule 'Primary DNS Server': Permitted: In UDP,

| 64.136.44.74:53->localhost:1589, Owner: no owner

|

| 2,[24/Jul/2007 15:09:20] Rule 'Primary DNS Server': Permitted: In UDP,

| 64.136.44.74:53->localhost:1641, Owner: no owner

|

| 2,[24/Jul/2007 15:09:22] Rule 'Primary DNS Server': Permitted: In UDP,

| 64.136.28.121:53->localhost:1641, Owner: no owner

|

| 2,[24/Jul/2007 15:09:58] Rule 'Primary DNS Server': Permitted: In UDP,

| 64.136.44.74:53->localhost:1702, Owner: no owner

|

| 2,[24/Jul/2007 15:10:54] Rule 'Primary DNS Server': Permitted: In UDP,

| 64.136.44.74:53->localhost:1880, Owner: no owner

|

| 2,[24/Jul/2007 15:10:58] Rule 'Primary DNS Server': Permitted: In UDP,

| 64.136.44.74:53->localhost:1884, Owner: no owner

|

|| (4) Am I leaving myself prone to mayhem by letting

|| ANY app use this rule-- as the "expert" coded it?

|| But, why hasn't it happened yet-- or has it????

|

| Gram pappy: No, standard for ISP DNS servers.

|

| Me: What prevents an ill result when any app can do it?

|

||

|| (4) Why is it restricted to using ports 1024-5000 & 53?

|

| Gram pappy: I assume you are referring to Local ports 1024-5000,

| some say to narrow down even more to 1031-4999.

| See Steve Gibson as to why.

| https://www.grc.com/port_1024.htm

| And I assume you are referring to Remote port 53,

| that is normal for ISP DNS servers.

|

| Me: OK, I'm clicking that now. You are right in your assumptions.

| Are you implying-- so long as it goes to & comes from Port 53,

| NetZero will assure no foul play is involved?

 

Update: Clicking that URL produces a requestor saying "Revocation

information for the security certificate for this site is not

available". I click NOT to proceed, but the site has already loaded,

anyhow. But it's going to take several readings before I can even

formulate a question. One thing: Port 5000 isn't mentioned there--

only 1024-1030 & maybe 1433 and 1434.

 

|| -

|| gram

||

||

|| --

|| Thanks or Good Luck,

|| There may be humor in this post, and,

|| Naturally, you will not sue,

|| Should things get worse after this,

|| PCR

|| pcrrcp@netzero.net

Guest Curt Christianson
Posted

Re: Kerio's Primary DNS Server Rule

 

You know PCR...somehow I believe you!

 

Take care.

 

--

HTH,

Curt

 

Windows Support Center

http://www.aumha.org

Practically Nerded,...

http://dundats.mvps.org/Index.htm

 

"PCR" <pcrrcp@netzero.net> wrote in message

news:uIlL6QizHHA.4816@TK2MSFTNGP04.phx.gbl...

| Curt Christianson wrote:

|| I think it's his second walk to the refrigerator! <rvvf>

|

| There's nothing in my own refrigerator, Christianson-- I swear to the

| Pope! It's not even plugged in anymore! I have to walk at least once a

| day, or I will not eat.

|

|| --

<snipped>

Posted

Re: Kerio's Primary DNS Server Rule

 

Curt Christianson wrote:

| You know PCR...somehow I believe you!

 

It's actually true. It began during my second big diet some 7 years ago.

 

| Take care.

 

You too.

 

| --

| HTH,

| Curt

|

| Windows Support Center

| http://www.aumha.org

| Practically Nerded,...

| http://dundats.mvps.org/Index.htm

|

| "PCR" <pcrrcp@netzero.net> wrote in message

| news:uIlL6QizHHA.4816@TK2MSFTNGP04.phx.gbl...

|| Curt Christianson wrote:

||| I think it's his second walk to the refrigerator! <rvvf>

||

|| There's nothing in my own refrigerator, Christianson-- I swear to the

|| Pope! It's not even plugged in anymore! I have to walk at least once

|| a day, or I will not eat.

||

||| --

| <snipped>

 

--

Thanks or Good Luck,

There may be humor in this post, and,

Naturally, you will not sue,

Should things get worse after this,

PCR

pcrrcp@netzero.net

Guest gram pappy
Posted

Re: Kerio's Primary DNS Server Rule

 

in-line below:

>PCR <pcrrcp@netzero.net> wrote:

> Updating...

>

>> PCR wrote:

>>> gram pappy wrote:

>>> Reply, (sorry not a quick answer) in-line below:

>>>

>> It's quicker than I've been these past four years, gram pappy,

>> thanks. Also, my own beloved grandfather, himself, could shovel snow

>> quicker than me some 22 years ago in his 90's! More below...

>>

>>>> "PCR" <pcrrcp@netzero.net> wrote in message

>>>> news:%23GMM4FIzHHA.4712@TK2MSFTNGP04.phx.gbl...

>>>> In order to end 17 years of intense study after just 4 or so, I

>>>> hope

>>>> for a quick answer to the following question. Here is my Kerio

>>>> "Primary DNS Server" rule, got from some expert & currently

>>>> modified

>>>> only in that I now include the entire NetZero/Juno address range

>>>> (where earlier I tried to determine just the ones NetZero seemed to

>>>> want to use)...

>>>>

>>>> Protocol: UDP, both directions

>>>>

>>>> Local Endpoint-- Ports: 1024-5000

>>>> -- Application: Any

>>>> Remote Endpoint-- Address: Entire NetZero/Juno range

>>>> -- Port: 53

>>>> ANY app can use it, as currently written. Here are the ones I've

>>>> caught...

>>>>

>>>> (a) EXEC.EXE NetZero Internet

>>>> (b) IEXPLORE.EXE

>>>> (c) no owner << eeek?

>>>> (d) AVAST.SETUP

>>>> (e) ASHMAISV.EXE avast! e-Mail Scanner Service

>>>> (f) PFWADMIN.EXE Kerio Personal Firewall Console

>>>>

>>>> Here's the "no owner". There is only this one, but I haven't been

>>>> tracking this rule long...

>>>>

>>>> 2,[20/Jul/2007 21:15:04] Rule 'Primary DNS Server': Permitted: In

>>>> UDP,

>>>> 64.136.44.74:53->localhost:1055, Owner: no owner

>>>>

>>>> Here is one "AVAST.SETUP". ODD, but I guess legit-- I have no

>>>> program actually named AVAST.SETUP, & no .exe at all in the folder

>>>> mentioned...

>>>>

>>>> 2,[17/Jul/2007 22:30:14] Rule 'Avast! UDP': Permitted: Out UDP,

>>>> localhost:1045->64.136.44.74:53, Owner: C:\PROGRAM FILES\ALWIL

>>>> SOFTWARE\AVAST4\SETUP\AVAST.SETUP

>>>>

>>>> Questions...

>>>>

>>>> (1) Is it legit for IE to be using it?

>>>>

>>> Gram pappy: Yes, as long as Remote IP is in NetZero IP Range.

>>>

>> Me: What makes that safe? Can some app grab control of IE & do bad

>> things with this?

>>

I don't know, but the experts say you must allow this DNS rule to access

the internet.

>>>> (2) Should I block PFWADMIN.EXE?

>>>> [NOTE: In another rule (probably by yosponge)

>>>> PersFW.exe (Kerio Personal Firewall Engine) IS blocked.]

>>>>

>>> Gram pappy: Yes, I use a combination of Spunge, Shaolin and

>>> BlitzenZeus rulesets. They block both Persfw

>>> and Pfwadmin.

>>

>> Me: I'm a mishmosh, myself, possibly of the same experts.

>> But finally I want to know what it's about!

>>

> Update: I've blocked PFWADMIN.EXE now too;

> so far, nothing untoward has happened.

>

Looking back at my yosponge data, on his web page he says it is

usually safe to allow PERSFW.EXE, but in his ruleset he has it

blocked?...!!! I have blocked both for years...

>>>> (3) I guess I must get rid of that "no owner",

>>>> but could it just be some kind of Kerio glitch?

>>>>

>>> Gram pappy: Don't see problem as long as Remote IP

>>> is in NetZero IP Range.

>>>

>> Me: Why? NOW, probably due to better tracking, I've got SIX

>> more of those so far today. They always are INCOMING...

>>

>> 2,[24/Jul/2007 15:09:06] Rule 'Primary DNS Server': Permitted: In

>> UDP,

>> 64.136.44.74:53->localhost:1589, Owner: no owner

>>

>> 2,[24/Jul/2007 15:09:20] Rule 'Primary DNS Server': Permitted: In

>> UDP,

>> 64.136.44.74:53->localhost:1641, Owner: no owner

>>

>> 2,[24/Jul/2007 15:09:22] Rule 'Primary DNS Server': Permitted: In

>> UDP,

>> 64.136.28.121:53->localhost:1641, Owner: no owner

>>

>> 2,[24/Jul/2007 15:09:58] Rule 'Primary DNS Server': Permitted: In

>> UDP,

>> 64.136.44.74:53->localhost:1702, Owner: no owner

>>

>> 2,[24/Jul/2007 15:10:54] Rule 'Primary DNS Server': Permitted: In

>> UDP,

>> 64.136.44.74:53->localhost:1880, Owner: no owner

>>

>> 2,[24/Jul/2007 15:10:58] Rule 'Primary DNS Server': Permitted: In

>> UDP,

>> 64.136.44.74:53->localhost:1884, Owner: no owner

>>

If I set a last rule to block all other incoming TCP, I will get these.

I have read to not have such a rule... Other causes are shown here:

http://www.mynetwatchman.com/kb/res-falsepos.htm

>>>> (4) Am I leaving myself prone to mayhem by letting

>>>> ANY app use this rule-- as the "expert" coded it?

>>>> But, why hasn't it happened yet-- or has it????

>>>>

>>> Gram pappy: No, standard for ISP DNS servers.

>>>

>> Me: What prevents an ill result when any app can do it?

>>>

I don't think so, but if you want to tighten this down you can set up a

separate rule for NetZero's primary and secondary DNS servers. Last

I looked they have three(64.036.16.21, 64.136.20.21, 64.136.28.21).

>>>> (4) Why is it restricted to using ports 1024-5000 & 53?

>>>>

>>> Gram pappy: I assume you are referring to Local ports 1024-5000,

>>> some say to narrow down even more to

>>> 1031-4999.

>>> See Steve Gibson as to why.

>>> https://www.grc.com/port_1024.htm

>>> And I assume you are referring to Remote port

>>> 53,

>>> that is normal for ISP DNS servers.

>>>

>> Me: OK, I'm clicking that now. You are right in your assumptions.

>> Are you implying-- so long as it goes to & comes from Port

>> 53, NetZero will assure no foul play is involved?

>>

> Update: Clicking that URL produces a requestor saying

> "Revocation information for the security certificate for this site is

> not

> available". I click NOT to proceed, but the site has already loaded,

> anyhow. But it's going to take several readings before I can even

> formulate a question. One thing: Port 5000 isn't mentioned there--

> only

> 1024-1030 & maybe 1433 and 1434.

>

At the top of that grc page is a search box left of "Jump" type in 5000

then click Jump and it will go right to it. Can use the jump box to look

up any port info...

 

Other ref info:

http://homepage.ntlworld.com/robin.d.h.walker/cmtips/security.html#persfire

Down a ways on this page is a good section on Personal firewalls.

In that section is a broken link to master firewall guru Robert

Graham...

Remember? I sent you this l-o-n-g web page link about last year.

(no bonking on head ;) Good head smoking stuff in there... The good

link:

http://www.linuxsecurity.com/resource_files/firewalls/firewall-seen.html

 

Another good l-o-n-g firewall web page:

http://www.dslreports.com/faq/security/2.5.1._Kerio_and_pre-v3.0_Tiny_PFW

 

OK, a short firewall port web page:

http://www.ja.net/cert/bcp/lanports.html

 

good night, err, good morning...

>>> -

>>> gram

>>>

>>>> --

>>>> Thanks or Good Luck,

>>>> There may be humor in this post, and,

>>>> Naturally, you will not sue,

>>>> Should things get worse after this,

>>>> PCR

>>>> pcrrcp@netzero.net

Posted

Re: Kerio's Primary DNS Server Rule

 

gram pappy wrote:

| in-line below:

|

|>PCR <pcrrcp@netzero.net> wrote:

|> Updating...

|>

|>> PCR wrote:

|>>> gram pappy wrote:

|>>> Reply, (sorry not a quick answer) in-line below:

|>>>

|>> It's quicker than I've been these past four years, gram pappy,

|>> thanks. Also, my own beloved grandfather, himself, could shovel snow

|>> quicker than me some 22 years ago in his 90's! More below...

|>>

|>>>> "PCR" <pcrrcp@netzero.net> wrote in message

|>>>> news:%23GMM4FIzHHA.4712@TK2MSFTNGP04.phx.gbl...

|>>>> In order to end 17 years of intense study after just 4 or so, I

|>>>> hope

|>>>> for a quick answer to the following question. Here is my Kerio

|>>>> "Primary DNS Server" rule, got from some expert & currently

|>>>> modified

|>>>> only in that I now include the entire NetZero/Juno address range

|>>>> (where earlier I tried to determine just the ones NetZero seemed

|>>>> to want to use)...

|>>>>

|>>>> Protocol: UDP, both directions

|>>>>

|>>>> Local Endpoint-- Ports: 1024-5000

|>>>> -- Application: Any

|>>>> Remote Endpoint-- Address: Entire NetZero/Juno range

|>>>> -- Port: 53

|>>>> ANY app can use it, as currently written. Here are the ones I've

|>>>> caught...

|>>>>

|>>>> (a) EXEC.EXE NetZero Internet

|>>>> (b) IEXPLORE.EXE

|>>>> (c) no owner << eeek?

|>>>> (d) AVAST.SETUP

|>>>> (e) ASHMAISV.EXE avast! e-Mail Scanner Service

|>>>> (f) PFWADMIN.EXE Kerio Personal Firewall Console

|>>>>

|>>>> Here's the "no owner". There is only this one, but I haven't been

|>>>> tracking this rule long...

|>>>>

|>>>> 2,[20/Jul/2007 21:15:04] Rule 'Primary DNS Server': Permitted: In

|>>>> UDP,

|>>>> 64.136.44.74:53->localhost:1055, Owner: no owner

|>>>>

|>>>> Here is one "AVAST.SETUP". ODD, but I guess legit-- I have no

|>>>> program actually named AVAST.SETUP, & no .exe at all in the folder

|>>>> mentioned...

|>>>>

|>>>> 2,[17/Jul/2007 22:30:14] Rule 'Avast! UDP': Permitted: Out UDP,

|>>>> localhost:1045->64.136.44.74:53, Owner: C:\PROGRAM FILES\ALWIL

|>>>> SOFTWARE\AVAST4\SETUP\AVAST.SETUP

|>>>>

|>>>> Questions...

|>>>>

|>>>> (1) Is it legit for IE to be using it?

|>>>>

|>>> Gram pappy: Yes, as long as Remote IP is in NetZero IP Range.

|>>>

|>> Me: What makes that safe? Can some app grab control of IE & do bad

|>> things with this?

|>>

| I don't know, but the experts say you must allow this DNS rule to

| access the internet.

 

More study is warranted, I'm sure. HOWEVER, a new rule that blocks IE

from all NetZero addresses-- UDP/TCP, both directions, all ports...

showed all continues to work-- even uploads & downloads, even at FTP

sites. I took a download from...

ftp://ftp.microsoft.com/

 

And at...

http://www.speakeasy.net/speedtest

 

... uploads & downloads were happening at approximately the same speeds

with the new rule switched on or off!

 

|>>>> (2) Should I block PFWADMIN.EXE?

|>>>> [NOTE: In another rule (probably by yosponge)

|>>>> PersFW.exe (Kerio Personal Firewall Engine) IS blocked.]

|>>>>

|>>> Gram pappy: Yes, I use a combination of Spunge, Shaolin and

|>>> BlitzenZeus rulesets. They block both Persfw

|>>> and Pfwadmin.

|>>

|>> Me: I'm a mishmosh, myself, possibly of the same experts.

|>> But finally I want to know what it's about!

|>>

|> Update: I've blocked PFWADMIN.EXE now too;

|> so far, nothing untoward has happened.

|>

| Looking back at my yosponge data, on his web page he says it is

| usually safe to allow PERSFW.EXE, but in his ruleset he has it

| blocked?...!!! I have blocked both for years...

 

I'm blocking both too now-- but I remain vigilant for the first sign of

a catastrophe & will continue to remain so for six years!

 

|>>>> (3) I guess I must get rid of that "no owner",

|>>>> but could it just be some kind of Kerio glitch?

|>>>>

|>>> Gram pappy: Don't see problem as long as Remote IP

|>>> is in NetZero IP Range.

|>>>

|>> Me: Why? NOW, probably due to better tracking, I've got SIX

|>> more of those so far today. They always are INCOMING...

|>>

|>> 2,[24/Jul/2007 15:09:06] Rule 'Primary DNS Server': Permitted: In

|>> UDP,

|>> 64.136.44.74:53->localhost:1589, Owner: no owner

|>>

|>> 2,[24/Jul/2007 15:09:20] Rule 'Primary DNS Server': Permitted: In

|>> UDP,

|>> 64.136.44.74:53->localhost:1641, Owner: no owner

|>>

|>> 2,[24/Jul/2007 15:09:22] Rule 'Primary DNS Server': Permitted: In

|>> UDP,

|>> 64.136.28.121:53->localhost:1641, Owner: no owner

|>>

|>> 2,[24/Jul/2007 15:09:58] Rule 'Primary DNS Server': Permitted: In

|>> UDP,

|>> 64.136.44.74:53->localhost:1702, Owner: no owner

|>>

|>> 2,[24/Jul/2007 15:10:54] Rule 'Primary DNS Server': Permitted: In

|>> UDP,

|>> 64.136.44.74:53->localhost:1880, Owner: no owner

|>>

|>> 2,[24/Jul/2007 15:10:58] Rule 'Primary DNS Server': Permitted: In

|>> UDP,

|>> 64.136.44.74:53->localhost:1884, Owner: no owner

|>>

| If I set a last rule to block all other incoming TCP, I will get

| these. I

| have read to not have such a rule... Other causes are shown here:

| http://www.mynetwatchman.com/kb/res-falsepos.htm

 

I've read through that thrice-- but more readings will be necessary! I'm

thinking, the way to kill the no owner's is to code 4 DNS Server rules--

one for each app I want to allow...

 

(a) EXEC.EXE NetZero Internet

(b) AVAST.SETUP

(c) ASHMAISV.EXE avast! e-Mail Scanner Service

(d) ASHWEBSV.EXE avast! Web Scanner

 

I'm going to try that soon! No other app will be allowed to use the

NetZero addresses to send/receive DNS after that!

 

|>>>> (4) Am I leaving myself prone to mayhem by letting

|>>>> ANY app use this rule-- as the "expert" coded it?

|>>>> But, why hasn't it happened yet-- or has it????

|>>>>

|>>> Gram pappy: No, standard for ISP DNS servers.

|>>>

|>> Me: What prevents an ill result when any app can do it?

|>>>

| I don't think so, but if you want to tighten this down you can set up

| a separate rule for NetZero's primary and secondary DNS servers. Last

| I looked they have three(64.036.16.21, 64.136.20.21, 64.136.28.21).

 

Well, I used to have just four addresses in my Primary DNS Server rule,

but recently I've included the entire NetZero/Juno range into it.

Therefore, I divine this one rule acts BOTH as a primary & a secondary--

& then some!

 

|>>>> (4) Why is it restricted to using ports 1024-5000 & 53?

|>>>>

|>>> Gram pappy: I assume you are referring to Local ports 1024-5000,

|>>> some say to narrow down even more to

|>>> 1031-4999.

|>>> See Steve Gibson as to why.

|>>> https://www.grc.com/port_1024.htm

|>>> And I assume you are referring to Remote port

|>>> 53,

|>>> that is normal for ISP DNS servers.

|>>>

|>> Me: OK, I'm clicking that now. You are right in your assumptions.

|>> Are you implying-- so long as it goes to & comes from Port

|>> 53, NetZero will assure no foul play is involved?

|>>

|> Update: Clicking that URL produces a requestor saying

|> "Revocation information for the security certificate for this site is

|> not

|> available". I click NOT to proceed, but the site has already loaded,

|> anyhow. But it's going to take several readings before I can even

|> formulate a question. One thing: Port 5000 isn't mentioned there--

|> only

|> 1024-1030 & maybe 1433 and 1434.

|>

| At the top of that grc page is a search box left of "Jump" type in

| 5000 then click Jump and it will go right to it. Can use the jump box

| to look up

| any port info...

 

OK, thanks. These are referring to "local endpoint" ports, which are

ports here in my machine. Here, currently, is the last 'Primary DNS

Server' to happen...

 

2,[27/Jul/2007 17:40:38] Rule 'Primary DNS Server': Permitted: In UDP,

64.136.28.120:53->localhost:1321, Owner: C:\PROGRAM FILES\ALWIL

SOFTWARE\AVAST4\ASHMAISV.EXE

 

That was 5 minutes ago-- but I have no port 1321 open for any of the 3

ASHMAISV.EXE showing in Kerio. Looks like these ports are created &

closed on an as needed basis. Is it ASHMAISV.EXE that will create a port

5000, if it needs to? That should be OK, if it is avast! doing it, I

think, especially as the rule only permits avast! remote addresses.

Therefore...

 

Wouldn't I be OK to restrict DNS by application, instead of worrying

over ports?

 

| Other ref info:

|

http://homepage.ntlworld.com/robin.d.h.walker/cmtips/security.html#persfire

| Down a ways on this page is a good section on Personal firewalls.

| In that section is a broken link to master firewall guru Robert

| Graham...

| Remember? I sent you this l-o-n-g web page link about last year.

| (no bonking on head ;) Good head smoking stuff in there... The good

| link:

|

http://www.linuxsecurity.com/resource_files/firewalls/firewall-seen.html

|

| Another good l-o-n-g firewall web page:

|

http://www.dslreports.com/faq/security/2.5.1._Kerio_and_pre-v3.0_Tiny_PFW

|

| OK, a short firewall port web page:

| http://www.ja.net/cert/bcp/lanports.html

 

Uhuh, thanks. Those are the ones I've been reading these past 4 years,

yea. BUT they always require at least one more additional reading! OK,

yea, thanks, gram pappy.

 

| good night, err, good morning...

 

Good evening. And thanks again.

 

|>>> -

|>>> gram

|>>>

|>>>> --

|>>>> Thanks or Good Luck,

|>>>> There may be humor in this post, and,

|>>>> Naturally, you will not sue,

|>>>> Should things get worse after this,

|>>>> PCR

|>>>> pcrrcp@netzero.net

 

--

Thanks or Good Luck,

There may be humor in this post, and,

Naturally, you will not sue,

Should things get worse after this,

PCR

pcrrcp@netzero.net
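
Added example (not part of the thread): a Python script that parses Kerio filter-log lines in the format quoted in this thread and shows what the per-application DNS rules PCR describes above would do with each entry. The names `ALLOWED_APPS`, `verdict` and `no_owner_by_port` are hypothetical; the rule model assumes a final block rule catches whatever the per-application permits do not match, and it leaves out the remote-address check because the thread never gives the NetZero/Juno range.

```python
import re
from collections import defaultdict
from ntpath import basename  # Windows path rules, works on any OS

# Log lines copied from this thread, with the newsreader's line wraps joined.
SAMPLE_LOG = r"""
2,[17/Jul/2007 22:30:14] Rule 'Avast! UDP': Permitted: Out UDP, localhost:1045->64.136.44.74:53, Owner: C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\SETUP\AVAST.SETUP
2,[24/Jul/2007 15:09:20] Rule 'Primary DNS Server': Permitted: In UDP, 64.136.44.74:53->localhost:1641, Owner: no owner
2,[24/Jul/2007 15:09:22] Rule 'Primary DNS Server': Permitted: In UDP, 64.136.28.121:53->localhost:1641, Owner: no owner
2,[27/Jul/2007 17:40:38] Rule 'Primary DNS Server': Permitted: In UDP, 64.136.28.120:53->localhost:1321, Owner: C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
1,[28/Jul/2007 13:15:24] Rule 'DNS Alert (Log, Alert)': Blocked: Out UDP, localhost:1205->64.136.44.74:53, Owner: C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
"""

# Field layout inferred from the lines above; the meaning of the leading
# number is not stated in the thread, so it is kept as an opaque prefix.
LINE_RE = re.compile(
    r"^(?P<prefix>\d+),\[(?P<ts>[^\]]+)\]\s+Rule '(?P<rule>.*?)':\s+"
    r"(?P<action>Permitted|Blocked):\s+(?P<direction>In|Out)\s+(?P<proto>\w+),\s+"
    r"(?P<src>[^:\s]+):(?P<sport>\d+)->(?P<dst>[^:\s]+):(?P<dport>\d+),\s+"
    r"Owner:\s+(?P<owner>.+?)\s*$"
)

# Hypothetical model of the planned rules: one UDP permit per application,
# remote port 53, local ports 1024-5000 (the range in the original rule).
ALLOWED_APPS = {"EXEC.EXE", "AVAST.SETUP", "ASHMAISV.EXE", "ASHWEBSV.EXE"}
LOCAL_PORTS = range(1024, 5001)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
    inbound = e["direction"] == "In"
    # Normalise to local/remote so In and Out entries compare the same way.
    e["remote_ip"] = e["src"] if inbound else e["dst"]
    e["remote_port"] = e["sport"] if inbound else e["dport"]
    e["local_port"] = e["dport"] if inbound else e["sport"]
    no_owner = e["owner"].lower() == "no owner"
    e["app"] = None if no_owner else basename(e["owner"]).upper()
    return e


def parse_log(text):
    return [e for e in map(parse_line, text.splitlines()) if e]


def verdict(e, allowed_apps=ALLOWED_APPS):
    """What the per-application DNS permits would do with this entry."""
    is_dns = (e["proto"] == "UDP" and e["remote_port"] == 53
              and e["local_port"] in LOCAL_PORTS)
    if not is_dns:
        return "not matched by DNS rules"
    if e["app"] is None:
        # No process owns the local port, so no application rule can match.
        return "deny: no owner"
    if e["app"] not in allowed_apps:
        return "deny: app not listed"
    return "allow"


def no_owner_by_port(entries):
    """Map local port -> set of remote servers for inbound 'no owner' packets."""
    ports = defaultdict(set)
    for e in entries:
        if e["app"] is None and e["direction"] == "In":
            ports[e["local_port"]].add(e["remote_ip"])
    return dict(ports)


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for e in entries:
        print(f'{e["ts"]}  {e["direction"]:<3} {e["remote_ip"]:<15} '
              f'local:{e["local_port"]:<5} {e["app"] or "no owner":<13} '
              f'logged={e["action"]:<9} per-app={verdict(e)}')
    for port, servers in no_owner_by_port(entries).items():
        print(f"no-owner replies to local port {port} from {sorted(servers)}")
```

On these lines, both "no owner" replies target local port 1641 and come from two different servers two seconds apart, and the IEXPLORE.EXE query is the only owned entry the four-application list would refuse.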

Guest gram pappy
Posted

Re: Kerio's Primary DNS Server Rule

 

PCR <pcrrcp@netzero.net> wrote:

> gram pappy wrote:

>| in-line below:

>|

>|>PCR <pcrrcp@netzero.net> wrote:

>|> Updating...

>|>

>|>> PCR wrote:

>|>>> gram pappy wrote:

>|>>> Reply, (sorry not a quick answer) in-line below:

>|>>>

>|>> It's quicker than I've been these past four years, gram pappy,

>|>> thanks. Also, my own beloved grandfather, himself, could shovel

>|>> snow quicker than me some 22 years ago in his 90's! More below...

>|>>

>|>>>> "PCR" <pcrrcp@netzero.net> wrote in message

>|>>>> news:%23GMM4FIzHHA.4712@TK2MSFTNGP04.phx.gbl...

>|>>>> In order to end 17 years of intense study after just 4 or so, I

>|>>>> hope

>|>>>> for a quick answer to the following question. Here is my Kerio

>|>>>> "Primary DNS Server" rule, got from some expert & currently

>|>>>> modified

>|>>>> only in that I now include the entire NetZero/Juno address range

>|>>>> (where earlier I tried to determine just the ones NetZero seemed

>|>>>> to want to use)...

>|>>>>

>|>>>> Protocol: UDP, both directions

>|>>>>

>|>>>> Local Endpoint-- Ports: 1024-5000

>|>>>> -- Application: Any

>|>>>> Remote Endpoint-- Address: Entire NetZero/Juno range

>|>>>> -- Port: 53

>|>>>> ANY app can use it, as currently written. Here are the ones I've

>|>>>> caught...

>|>>>>

>|>>>> (a) EXEC.EXE NetZero Internet

>|>>>> (b) IEXPLORE.EXE

>|>>>> (c) no owner << eeek?

>|>>>> (d) AVAST.SETUP

>|>>>> (e) ASHMAISV.EXE avast! e-Mail Scanner Service

>|>>>> (f) PFWADMIN.EXE Kerio Personal Firewall Console

>|>>>>

>|>>>> Here's the "no owner". There is only this one, but I haven't been

>|>>>> tracking this rule long...

>|>>>>

>|>>>> 2,[20/Jul/2007 21:15:04] Rule 'Primary DNS Server': Permitted: In

>|>>>> UDP,

>|>>>> 64.136.44.74:53->localhost:1055, Owner: no owner

>|>>>>

>|>>>> Here is one "AVAST.SETUP". ODD, but I guess legit-- I have no

>|>>>> program actually named AVAST.SETUP, & no .exe at all in the

>|>>>> folder mentioned...

>|>>>>

>|>>>> 2,[17/Jul/2007 22:30:14] Rule 'Avast! UDP': Permitted: Out UDP,

>|>>>> localhost:1045->64.136.44.74:53, Owner: C:\PROGRAM FILES\ALWIL

>|>>>> SOFTWARE\AVAST4\SETUP\AVAST.SETUP

>|>>>>

>|>>>> Questions...

>|>>>>

>|>>>> (1) Is it legit for IE to be using it?

>|>>>>

>|>>> Gram pappy: Yes, as long as Remote IP is in NetZero IP Range.

>|>>>

>|>> Me: What makes that safe? Can some app grab control of IE & do bad

>|>> things with this?

>|>>

>| I don't know, but the experts say you must allow this DNS rule to

>| access the internet.

>

> More study is warranted, I'm sure. HOWEVER, a new rule that blocks IE

> from all NetZero addresses-- UDP/TCP, both directions, all ports...

> showed all continues to work-- even uploads & downloads, even at FTP

> sites. I took a download from...

> ftp://ftp.microsoft.com/

>

> And at...

> http://www.speakeasy.net/speedtest

>

> ... uploads & downloads were happening at approximately the same

> speeds with the new rule switched on or off!

>

Yes it is a puzzle, I just have never seen DNS server rules to block

applications.

I now only use NetZero(free) as a backup ISP, as my primary ISP is now

Xanadoo Wireless and it too allows DNS, server port 53 access for:

AVG AV update

Internet Explorer

Outlook Express

Firefox

SpywareBlaster update

Don't know why these are not using their own rules and ports I have

set...!!! more digging, more study is right.

>|>>>> (2) Should I block PFWADMIN.EXE?

>|>>>> [NOTE: In another rule (probably by yosponge)

>|>>>> PersFW.exe (Kerio Personal Firewall Engine) IS blocked.]

>|>>>>

>|>>> Gram pappy: Yes, I use a combination of Spunge, Shaolin and

>|>>> BlitzenZeus rulesets. They block both Persfw

>|>>> and Pfwadmin.

>|>>

>|>> Me: I'm a mishmosh, myself, possibly of the same experts.

>|>> But finally I want to know what it's about!

>|>>

>|> Update: I've blocked PFWADMIN.EXE now too;

>|> so far, nothing untoward has happened.

>|>

>| Looking back at my yosponge data, on his web page he says it is

>| usually safe to allow PERSFW.EXE, but in his ruleset he has it

>| blocked?...!!! I have blocked both for years...

>

> I'm blocking both too now-- but I remain vigilant for the first sign

> of a catastrophe & will continue to remain so for six years!

>

>|>>>> (3) I guess I must get rid of that "no owner",

>|>>>> but could it just be some kind of Kerio glitch?

>|>>>>

>|>>> Gram pappy: Don't see problem as long as Remote IP

>|>>> is in NetZero IP Range.

>|>>>

>|>> Me: Why? NOW, probably due to better tracking, I've got SIX

>|>> more of those so far today. They always are INCOMING...

>|>>

>|>> 2,[24/Jul/2007 15:09:06] Rule 'Primary DNS Server': Permitted: In

>|>> UDP,

>|>> 64.136.44.74:53->localhost:1589, Owner: no owner

>|>>

>|>> 2,[24/Jul/2007 15:09:20] Rule 'Primary DNS Server': Permitted: In

>|>> UDP,

>|>> 64.136.44.74:53->localhost:1641, Owner: no owner

>|>>

>|>> 2,[24/Jul/2007 15:09:22] Rule 'Primary DNS Server': Permitted: In

>|>> UDP,

>|>> 64.136.28.121:53->localhost:1641, Owner: no owner

>|>>

>|>> 2,[24/Jul/2007 15:09:58] Rule 'Primary DNS Server': Permitted: In

>|>> UDP,

>|>> 64.136.44.74:53->localhost:1702, Owner: no owner

>|>>

>|>> 2,[24/Jul/2007 15:10:54] Rule 'Primary DNS Server': Permitted: In

>|>> UDP,

>|>> 64.136.44.74:53->localhost:1880, Owner: no owner

>|>>

>|>> 2,[24/Jul/2007 15:10:58] Rule 'Primary DNS Server': Permitted: In

>|>> UDP,

>|>> 64.136.44.74:53->localhost:1884, Owner: no owner

>|>>

>| If I set a last rule to block all other incoming TCP, I will get

>these.

>| I have read to not have such a rule... Other causes are shown here:

>| http://www.mynetwatchman.com/kb/res-falsepos.htm

>

> I've read through that thrice-- but more readings will be necessary!

> I'm thinking, the way to kill the no owner's is to code 4 DNS Server

> rules-- one for each app I want to allow...

>

> (a) EXEC.EXE NetZero Internet

> (b) AVAST.SETUP

> (c) ASHMAISV.EXE avast! e-Mail Scanner Service

> (d) ASHWEBSV.EXE avast! Web Scanner

>

> I'm going to try that soon! No other app will be allowed to use the

> NetZero addresses to send/receive DNS after that!

>

Good luck...!!!

>|>>>> (4) Am I leaving myself prone to mayhem by letting

>|>>>> ANY app use this rule-- as the "expert" coded it?

>|>>>> But, why hasn't it happened yet-- or has it????

>|>>>>

>|>>> Gram pappy: No, standard for ISP DNS servers.

>|>>>

>|>> Me: What prevents an ill result when any app can do it?

>|>>>

>| I don't think so, but if you want to tighten this down you can set up

>| a separate rule for NetZero's primary and secondary DNS servers. Last

>| I looked they have three(64.136.16.21, 64.136.20.21, 64.136.28.21).

>

> Well, I used to have just four addresses in my Primary DNS Server

> rule, but recently I've included the entire NetZero/Juno range into

> it. Therefore, I divine this one rule acts BOTH as a primary & a

> secondary-- & then some!

>

I too use the NetZero address range for DNS servers. Just don't know why

DNS is overriding the application rules...

>|>>>> (4) Why is it restricted to using ports 1024-5000 & 53?

>|>>>>

>|>>> Gram pappy: I assume you are referring to Local ports 1024-5000,

>|>>> some say to narrow down even more to

>|>>> 1031-4999.

>|>>> See Steve Gibson as to why.

>|>>> https://www.grc.com/port_1024.htm

>|>>> And I assume you are referring to Remote port

>|>>> 53,

>|>>> that is normal for ISP DNS servers.

>|>>>

>|>> Me: OK, I'm clicking that now. You are right in your assumptions.

>|>> Are you implying-- so long as it goes to & comes from Port

>|>> 53, NetZero will assure no foul play is involved?

>|>>

>|> Update: Clicking that URL produces a requestor saying

>|> "Revocation information for the security certificate for this site

>|> is not

>|> available". I click NOT to proceed, but the site has already

>|> loaded, anyhow. But it's going to take several readings before I

>|> can even formulate a question. One thing: Port 5000 isn't mentioned

>|> there-- only

>|> 1024-1030 & maybe 1433 and 1434.

>|>

>| At the top of that grc page is a search box left of "Jump" type in

>| 5000 then click Jump and it will go right to it. Can use the jump box

>| to look up

>| any port info...

>

> OK, thanks. These are referring to "local endpoint" ports, which are

> ports here in my machine. Here, currently, is the last 'Primary DNS

> Server' to happen...

>

> 2,[27/Jul/2007 17:40:38] Rule 'Primary DNS Server': Permitted: In UDP,

> 64.136.28.120:53->localhost:1321, Owner: C:\PROGRAM FILES\ALWIL

> SOFTWARE\AVAST4\ASHMAISV.EXE

>

> That was 5 minutes ago-- but I have no port 1321 open for any of the 3

> ASHMAISV.EXE showing in Kerio. Looks like these ports are created &

> closed on an as needed basis. Is it ASHMAISV.EXE that will create a

> port 5000, if it needs to? That should be OK, if it is avast! doing

> it, I think, especially as the rule only permits avast! remote

> addresses. Therefore...

>

> Wouldn't I be OK to restrict DNS by application, instead of worrying

> over ports?

>

Have not read about or seen examples of this...

>| Other ref info:

>|

> http://homepage.ntlworld.com/robin.d.h.walker/cmtips/security.html#persfire

>| Down a ways on this page is a good section on Personal firewalls.

>| In that section is a broken link to master firewall guru Robert

>| Graham... Remember? I sent you this l-o-n-g web page link about

>| last year. (no bonking on head ;) Good head smoking stuff in there...

>| The good link:

>|

> http://www.linuxsecurity.com/resource_files/firewalls/firewall-seen.html

>|

>| Another good l-o-n-g firewall web page:

>|

> http://www.dslreports.com/faq/security/2.5.1._Kerio_and_pre-v3.0_Tiny_PFW

>|

>| OK, a short firewall port web page:

>| http://www.ja.net/cert/bcp/lanports.html

>

> Uhuh, thanks. Those are the ones I've been reading these past 4 years,

> yea. BUT they always require at least one more additional reading! OK,

> yea, thanks, gram pappy.

>

>| good night, err, good morning...

>

> Good evening. And thanks again.

>

When you get Kerio rules all set up, or even now, you can go to GRC's

Shields UP!! page and test for holes in your firewall. On 2nd page do

the first three tests. Some say firewall port test results showing

'Stealth' are misleading,,, but this test will quickly show any open

ports... If you get a Kerio popup wanting access during test, deny it,

and your logs will have quite a few denials recorded... The Link:

 

https://www.grc.com/x/ne.dll?bh0bkyd2

 

>|>>> -

>|>>> gram

>|>>>

> --

> Thanks or Good Luck,

> There may be humor in this post, and,

> Naturally, you will not sue,

> Should things get worse after this,

> PCR

> pcrrcp@netzero.net

Posted

Re: Kerio's Primary DNS Server Rule

 

PCR wrote:

 

....snip

| More study is warranted, I'm sure. HOWEVER, a new rule that blocks IE

| from all NetZero addresses-- UDP/TCP, both directions, all ports...

| showed all continues to work-- even uploads & downloads, even at FTP

| sites. I took a download from...

| ftp://ftp.microsoft.com/

|

| And at...

| http://www.speakeasy.net/speedtest

|

| ... uploads & downloads were happening at approximately the same

| speeds with the new rule switched on or off!

 

WRONG! Oooops, unfortunately the rule was permitting access-- not

denying it! When the oversight was corrected & the FTP site was

clicked... looked like OE froze. Behind it was a requestor saying that

the FTP was loaded, BUT some function(s) would not work. Therefore...

 

IE must be allowed UDP, both directions, at the NetZero addresses for

full NET functionality. Sorry!

Posted

Re: Kerio's Primary DNS Server Rule

 

gram pappy wrote:

| PCR <pcrrcp@netzero.net> wrote:

|> gram pappy wrote:

|>| in-line below:

|>|

|>|>PCR <pcrrcp@netzero.net> wrote:

|>|> Updating...

|>|>

|>|>> PCR wrote:

|>|>>> gram pappy wrote:

|>|>>> Reply, (sorry not a quick answer) in-line below:

|>|>>>

|>|>> It's quicker than I've been these past four years, gram pappy,

|>|>> thanks. Also, my own beloved grandfather, himself, could shovel

|>|>> snow quicker than me some 22 years ago in his 90's! More below...

|>|>>

|>|>>>> "PCR" <pcrrcp@netzero.net> wrote in message

|>|>>>> news:%23GMM4FIzHHA.4712@TK2MSFTNGP04.phx.gbl...

|>|>>>> In order to end 17 years of intense study after just 4 or so, I

|>|>>>> hope

|>|>>>> for a quick answer to the following question. Here is my Kerio

|>|>>>> "Primary DNS Server" rule, got from some expert & currently

|>|>>>> modified

|>|>>>> only in that I now include the entire NetZero/Juno address range

|>|>>>> (where earlier I tried to determine just the ones NetZero seemed

|>|>>>> to want to use)...

|>|>>>>

|>|>>>> Protocol: UDP, both directions

|>|>>>>

|>|>>>> Local Endpoint-- Ports: 1024-5000

|>|>>>> -- Application: Any

|>|>>>> Remote Endpoint-- Address: Entire NetZero/Juno range

|>|>>>> -- Port: 53

|>|>>>> ANY app can use it, as currently written. Here are the ones I've

|>|>>>> caught...

|>|>>>>

|>|>>>> (a) EXEC.EXE NetZero Internet

|>|>>>> (b) IEXPLORE.EXE

|>|>>>> (c) no owner << eeek?

|>|>>>> (d) AVAST.SETUP

|>|>>>> (e) ASHMAISV.EXE avast! e-Mail Scanner Service

|>|>>>> (f) PFWADMIN.EXE Kerio Personal Firewall Console

|>|>>>>

|>|>>>> Here's the "no owner". There is only this one, but I haven't

|>|>>>> been tracking this rule long...

|>|>>>>

|>|>>>> 2,[20/Jul/2007 21:15:04] Rule 'Primary DNS Server': Permitted:

|>|>>>> In UDP,

|>|>>>> 64.136.44.74:53->localhost:1055, Owner: no owner

|>|>>>>

|>|>>>> Here is one "AVAST.SETUP". ODD, but I guess legit-- I have no

|>|>>>> program actually named AVAST.SETUP, & no .exe at all in the

|>|>>>> folder mentioned...

|>|>>>>

|>|>>>> 2,[17/Jul/2007 22:30:14] Rule 'Avast! UDP': Permitted: Out UDP,

|>|>>>> localhost:1045->64.136.44.74:53, Owner: C:\PROGRAM FILES\ALWIL

|>|>>>> SOFTWARE\AVAST4\SETUP\AVAST.SETUP

|>|>>>>

|>|>>>> Questions...

|>|>>>>

|>|>>>> (1) Is it legit for IE to be using it?

|>|>>>>

|>|>>> Gram pappy: Yes, as long as Remote IP is in NetZero IP Range.

|>|>>>

|>|>> Me: What makes that safe? Can some app grab control of IE & do

|>|>> bad things with this?

|>|>>

|>| I don't know, but the experts say you must allow this DNS rule to

|>| access the internet.

|>

|> More study is warranted, I'm sure. HOWEVER, a new rule that blocks IE

|> from all NetZero addresses-- UDP/TCP, both directions, all ports...

|> showed all continues to work-- even uploads & downloads, even at FTP

|> sites. I took a download from...

|> ftp://ftp.microsoft.com/

|>

|> And at...

|> http://www.speakeasy.net/speedtest

|>

|> ... uploads & downloads were happening at approximately the same

|> speeds with the new rule switched on or off!

|>

 

| Yes it is a puzzle, I just have never seen DNS server rules to block

| applications.

 

SORRY... I set that IE rule up just right-- BUT forgot to click to DENY

the access. When denied, the FTP site announced it wouldn't fully work.

The message was hidden behind a frozen OE screen. SO...

 

You & those experts were right, IE must have UDP access to the NetZero

sites, port 53, for full functionality at FTP sites, anyhow. Here is one

of six log entries, all involving "localhost:1025", but with various

NetZero addresses...

 

1,[28/Jul/2007 13:15:24] Rule 'DNS Alert (Log, Alert)': Blocked: Out

UDP, localhost:1205->64.136.44.74:53, Owner: C:\PROGRAM FILES\INTERNET

EXPLORER\IEXPLORE.EXE

 

No good! It's GOT to be allowed-- or don't go clicking an FTP site!

 

| I now only use NetZero(free) as a backup ISP, as my primary ISP is now

| Xanadoo Wireless and it too allows DNS, server port 53 access for:

| AVG AV update

| Internet Explorer

| Outlook Express

| Firefox

| SpywareBlaster update

| Don't know why these are not using their own rules and ports I have

| set...!!! more digging, more study is right.

 

Agreed. So... I've added IE to the other 4 that are explicitly

allowed...

 

(a) EXEC.exe NetZero Internet

(b) AVAST.SETUP

(c) ASHMAISV.exe avast! e-Mail Scanner Service

(d) ASHWEBSV.exe avast! Web Scanner

(e) IExplore.exe

 

Let's see how that goes, & whether the "no owner's" can be stopped that

way & uneventfully.

 

So far, still so good preventing PFWADMIN.exe & RPCSS.exe any UDP/TCP

access at all. Others I prevent that way are PERSFW.exe, CIJ3P2PS.exe, &

RNAAPP.exe.

 

|>|>>>> (2) Should I block PFWADMIN.EXE?

|>|>>>> [NOTE: In another rule (probably by yosponge)

|>|>>>> PersFW.exe (Kerio Personal Firewall Engine) IS blocked.]

|>|>>>>

|>|>>> Gram pappy: Yes, I use a combination of Spunge, Shaolin and

|>|>>> BlitzenZeus rulesets. They block both

|>|>>> Persfw and Pfwadmin.

|>|>>

|>|>> Me: I'm a mishmosh, myself, possibly of the same experts.

|>|>> But finally I want to know what it's about!

|>|>>

|>|> Update: I've blocked PFWADMIN.EXE now too;

|>|> so far, nothing untoward has happened.

|>|>

|>| Looking back at my yosponge data, on his web page he says it is

|>| usually safe to allow PERSFW.EXE, but in his ruleset he has it

|>| blocked?...!!! I have blocked both for years...

|>

|> I'm blocking both too now-- but I remain vigilant for the first sign

|> of a catastrophe & will continue to remain so for six years!

|>

|>|>>>> (3) I guess I must get rid of that "no owner",

|>|>>>> but could it just be some kind of Kerio glitch?

|>|>>>>

|>|>>> Gram pappy: Don't see problem as long as Remote IP

|>|>>> is in NetZero IP Range.

|>|>>>

|>|>> Me: Why? NOW, probably due to better tracking, I've got SIX

|>|>> more of those so far today. They always are INCOMING...

|>|>>

|>|>> 2,[24/Jul/2007 15:09:06] Rule 'Primary DNS Server': Permitted: In

|>|>> UDP,

|>|>> 64.136.44.74:53->localhost:1589, Owner: no owner

|>|>>

|>|>> 2,[24/Jul/2007 15:09:20] Rule 'Primary DNS Server': Permitted: In

|>|>> UDP,

|>|>> 64.136.44.74:53->localhost:1641, Owner: no owner

|>|>>

|>|>> 2,[24/Jul/2007 15:09:22] Rule 'Primary DNS Server': Permitted: In

|>|>> UDP,

|>|>> 64.136.28.121:53->localhost:1641, Owner: no owner

|>|>>

|>|>> 2,[24/Jul/2007 15:09:58] Rule 'Primary DNS Server': Permitted: In

|>|>> UDP,

|>|>> 64.136.44.74:53->localhost:1702, Owner: no owner

|>|>>

|>|>> 2,[24/Jul/2007 15:10:54] Rule 'Primary DNS Server': Permitted: In

|>|>> UDP,

|>|>> 64.136.44.74:53->localhost:1880, Owner: no owner

|>|>>

|>|>> 2,[24/Jul/2007 15:10:58] Rule 'Primary DNS Server': Permitted: In

|>|>> UDP,

|>|>> 64.136.44.74:53->localhost:1884, Owner: no owner

|>|>>

|>| If I set a last rule to block all other incoming TCP, I will get

|>| these. I have read to not have such a rule... Other causes are

|>| shown here: http://www.mynetwatchman.com/kb/res-falsepos.htm

|>

|> I've read through that thrice-- but more readings will be necessary!

|> I'm thinking, the way to kill the no owner's is to code 4 DNS Server

|> rules-- one for each app I want to allow...

|>

|> (a) EXEC.EXE NetZero Internet

|> (b) AVAST.SETUP

|> (c) ASHMAISV.EXE avast! e-Mail Scanner Service

|> (d) ASHWEBSV.EXE avast! Web Scanner

 

IEXPLORE had to be added in!

 

|>

|> I'm going to try that soon! No other app will be allowed to use the

|> NetZero addresses to send/receive DNS after that!

|>

| Good luck...!!!

 

Thanks. Well, you know, I've just added IExplore to it for FTP access

(at least). Soon, I will go online again & see whether that settles it.

Hopefully, nothing else will require DNS access to those NetZero sites &

all continues to work! Then, it will be on to fine tune my other rules!

 

|>|>>>> (4) Am I leaving myself prone to mayhem by letting

|>|>>>> ANY app use this rule-- as the "expert" coded it?

|>|>>>> But, why hasn't it happened yet-- or has it????

|>|>>>>

|>|>>> Gram pappy: No, standard for ISP DNS servers.

|>|>>>

|>|>> Me: What prevents an ill result when any app can do it?

|>|>>>

|>| I don't think so, but if you want to tighten this down you can set

|>| up a separate rule for NetZero's primary and secondary DNS servers.

|>| Last I looked they have three(64.136.16.21, 64.136.20.21,

|>| 64.136.28.21).

|>

|> Well, I used to have just four addresses in my Primary DNS Server

|> rule, but recently I've included the entire NetZero/Juno range into

|> it. Therefore, I divine this one rule acts BOTH as a primary & a

|> secondary-- & then some!

|>

 

| I too use the NetZero address range for DNS servers. Just don't know

| why DNS is overriding the application rules...

 

What do you mean by overriding the rules? Do you mean you don't know why

IE (for example) uses NetZero addresses instead of MS addresses? I

wonder... if I code a rule in Kerio permitting IE to have UDP access to

MS addresses-- would it stop using the NetZero ones?

 

|>|>>>> (4) Why is it restricted to using ports 1024-5000 & 53?

|>|>>>>

|>|>>> Gram pappy: I assume you are referring to Local ports 1024-5000,

|>|>>> some say to narrow down even more to

|>|>>> 1031-4999.

|>|>>> See Steve Gibson as to why.

|>|>>> https://www.grc.com/port_1024.htm

|>|>>> And I assume you are referring to Remote port

|>|>>> 53,

|>|>>> that is normal for ISP DNS servers.

|>|>>>

|>|>> Me: OK, I'm clicking that now. You are right in your assumptions.

|>|>> Are you implying-- so long as it goes to & comes from Port

|>|>> 53, NetZero will assure no foul play is involved?

|>|>>

|>|> Update: Clicking that URL produces a requestor saying

|>|> "Revocation information for the security certificate for this site

|>|> is not

|>|> available". I click NOT to proceed, but the site has already

|>|> loaded, anyhow. But it's going to take several readings before I

|>|> can even formulate a question. One thing: Port 5000 isn't mentioned

|>|> there-- only

|>|> 1024-1030 & maybe 1433 and 1434.

|>|>

|>| At the top of that grc page is a search box left of "Jump" type in

|>| 5000 then click Jump and it will go right to it. Can use the jump

|>| box to look up

|>| any port info...

|>

|> OK, thanks. These are referring to "local endpoint" ports, which are

|> ports here in my machine. Here, currently, is the last 'Primary DNS

|> Server' to happen...

|>

|> 2,[27/Jul/2007 17:40:38] Rule 'Primary DNS Server': Permitted: In

|> UDP,

|> 64.136.28.120:53->localhost:1321, Owner: C:\PROGRAM FILES\ALWIL

|> SOFTWARE\AVAST4\ASHMAISV.EXE

|>

|> That was 5 minutes ago-- but I have no port 1321 open for any of the

|> 3 ASHMAISV.EXE showing in Kerio. Looks like these ports are created &

|> closed on an as needed basis. Is it ASHMAISV.EXE that will create a

|> port 5000, if it needs to? That should be OK, if it is avast! doing

|> it, I think, especially as the rule only permits avast! remote

|> addresses. Therefore...

|>

|> Wouldn't I be OK to restrict DNS by application, instead of worrying

|> over ports?

|>

| Have not read about or seen examples of this...

 

I'm going to shoot for it, beginning with this DNS rule. In the end, the

only rules with "any application" in them will be DENIAL's. All of the

PERMIT's I hope to be on a per application basis! And they ONLY will be

permitted to addresses I know are legit. That's the plan!

 

Too bad Kerio doesn't allow a list of applications in a single rule,

though, as it does do with ports & addresses. SO, currently I have 5 DNS

Server rules now-- instead of just one. However, I'd have half a

million, if addresses & ports were singular too!

 

|>| Other ref info:

|>|

|>

http://homepage.ntlworld.com/robin.d.h.walker/cmtips/security.html#persfire

|>| Down a ways on this page is a good section on Personal firewalls.

|>| In that section is a broken link to master firewall guru Robert

|>| Graham... Remember? I sent you this l-o-n-g web page link about

|>| last year. (no bonking on head ;) Good head smoking stuff in

|>| there... The good link:

|>|

|>

http://www.linuxsecurity.com/resource_files/firewalls/firewall-seen.html

|>|

|>| Another good l-o-n-g firewall web page:

|>|

|>

http://www.dslreports.com/faq/security/2.5.1._Kerio_and_pre-v3.0_Tiny_PFW

|>|

|>| OK, a short firewall port web page:

|>| http://www.ja.net/cert/bcp/lanports.html

|>

|> Uhuh, thanks. Those are the ones I've been reading these past 4

|> years, yea. BUT they always require at least one more additional

|> reading! OK, yea, thanks, gram pappy.

|>

|>| good night, err, good morning...

|>

|> Good evening. And thanks again.

|>

| When you get Kerio rules all set up, or even now, you can go to GRC's

| Shields UP!! page and test for holes in your firewall. On 2nd page do

| the first three tests. Some say firewall port test results showing

| 'Stealth'

| are misleading,,, but this test will quickly show any open ports... If

| you

| get a Kerio popup wanting access during test, deny it, and your logs

| will

| have quite a few denials recorded... The Link:

|

| https://www.grc.com/x/ne.dll?bh0bkyd2

 

Thanks. I may have been there & passed before. However, I will go again

when through with my current machinations.

 

|

|>|>>> -

|>|>>> gram

|>|>>>

|> --

|> Thanks or Good Luck,

|> There may be humor in this post, and,

|> Naturally, you will not sue,

|> Should things get worse after this,

|> PCR

|> pcrrcp@netzero.net

 

--

Thanks or Good Luck,

There may be humor in this post, and,

Naturally, you will not sue,

Should things get worse after this,

PCR

pcrrcp@netzero.net
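The plan in the post above, permitting DNS per application rather than for any application, can be checked against the firewall's own log. The following is an added example, not part of the original posts and not Kerio tooling: it assumes the log line layout quoted in this thread, and the function names, the allow-list and the last sample line are made up for illustration.

```python
import re
from ntpath import basename  # Windows-style path handling on any OS

# Line layout as it appears in the log excerpts quoted in this thread.
LINE = re.compile(
    r"\[(?P<ts>[^\]]+)\] Rule '(?P<rule>[^']+)': (?P<action>\w+): "
    r"(?P<dir>In|Out) UDP, (?P<src>[^:]+):(?P<sport>\d+)->"
    r"(?P<dst>[^:]+):(?P<dport>\d+), Owner: (?P<owner>.+)$"
)

def parse(line):
    """Return a dict for one log line, or None if it does not match."""
    m = LINE.search(line.strip())
    if not m:
        return None
    e = m.groupdict()
    # Normalise so "remote" is always the far end, whatever the direction.
    if e["dir"] == "In":
        e["remote"], e["rport"], e["lport"] = e["src"], int(e["sport"]), int(e["dport"])
    else:
        e["remote"], e["rport"], e["lport"] = e["dst"], int(e["dport"]), int(e["sport"])
    e["app"] = None if e["owner"] == "no owner" else basename(e["owner"]).upper()
    return e

def audit(lines, allowed_apps, local_ports=range(1024, 5001)):
    """List (timestamp, reason) for permitted DNS traffic that needs a look."""
    findings = []
    for line in lines:
        e = parse(line)
        if e is None or e["action"] != "Permitted" or e["rport"] != 53:
            continue
        if e["app"] is None:
            findings.append((e["ts"], "no owner"))
        elif e["app"] not in allowed_apps:
            findings.append((e["ts"], "not on allow-list: " + e["app"]))
        if e["lport"] not in local_ports:
            findings.append((e["ts"], "local port %d out of range" % e["lport"]))
    return findings

# First three lines: excerpts from this thread, unwrapped. Last line: constructed.
SAMPLE = [
    r"2,[20/Jul/2007 21:15:04] Rule 'Primary DNS Server': Permitted: In UDP, 64.136.44.74:53->localhost:1055, Owner: no owner",
    r"2,[17/Jul/2007 22:30:14] Rule 'Avast! UDP': Permitted: Out UDP, localhost:1045->64.136.44.74:53, Owner: C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\SETUP\AVAST.SETUP",
    r"2,[27/Jul/2007 17:40:38] Rule 'Primary DNS Server': Permitted: In UDP, 64.136.28.120:53->localhost:1321, Owner: C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE",
    r"2,[27/Jul/2007 18:00:00] Rule 'Primary DNS Server': Permitted: Out UDP, localhost:5321->64.136.28.21:53, Owner: C:\WINDOWS\EXAMPLE.EXE",
]
ALLOWED = {"EXEC.EXE", "IEXPLORE.EXE", "ASHMAISV.EXE"}  # assumed allow-list

if __name__ == "__main__":
    for ts, why in audit(SAMPLE, ALLOWED):
        print(ts, why)
```

The audit looks at every permitted packet to or from remote port 53, whichever rule let it through, which is why the 'Avast! UDP' entry is reported alongside the 'Primary DNS Server' ones.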
