
portscanning myself? (Kerio firewall)

Discussion in 'Security and Privacy' started by Hugh Jarss, 2003/11/30.

Thread Status:
Not open for further replies.
  1. 2003/11/30
    Hugh Jarss

    Hugh Jarss Inactive Thread Starter

    Joined:
    2002/07/22
    Messages:
    908
    Likes Received:
    6
    Hi all
    I'm trying to set up the Kerio Personal Firewall and not doing too well! When I look at the log I see a large number of entries blocked TCP [127.0.0.1:80]->localhost:nnnn where nnnn is port numbers seemingly at random in the range 1001 to 1999; some ports get chosen more than others.
    The version of Kerio is 2.1.5( (yes, the trailing bracket is present!)
    I see a loopback permit rule in the help - but reading around it seems that was for an earlier version. Much conflicting information around, unfortunately; but some says the loopback is no longer necessary as it became hardcoded in later versions.
    I have also found a source which says
    and can only assume that the computer requires this - but no default rule from Kerio covers it, and I don't think it's asked me about this.
    But then I've also found "advice" which have advised to delete KRNL386.EXE because it's the swapfile... hmmm.
    I trawled around for a long time - presumably looking in all the wrong places? Masses of tutorials about what a port is - but little advice about what you need to let through to make the system work.
    Is there any self-consistent :( set of guidelines available anywhere please? At the moment I can understand ports, directions and the like, but I get rather stuck when the log mentions "tcp ack attack" - presumably ack is acknowledgement so I'm looking for something like a rule which blocks pings; there are several such... but I can't find any rule which is called (or mentions in any way) "ack attack". IGMP is blocked both ways... but IGMP isn't even in the glossary (although ICMP is). TCP and UDP I can understand but the use of "Other-2" is rather baffling. Why 2?
    Would it perhaps be better to try to get hold of a different version? It rather looks like I've found v2.1.5 with v2.1.4's help. I note that since putting Kerio on I've had 2 BSODs, one requiring a power-off to get out - and the obligatory scandisk of all 15 logical drives, not just the ones which had files open.
    Advice would be very thankfully received! I'd like to end up with a rule-based firewall if I can - but I have to be able to get it stable.
    best wishes, HJ.
     
    Last edited: 2003/11/30
  2. 2003/11/30
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0


  4. 2003/11/30
    Hugh Jarss

    Hugh Jarss Inactive Thread Starter

    Joined:
    2002/07/22
    Messages:
    908
    Likes Received:
    6
    Hi Charles
    thanks masses for replying - I was getting into a bit of a frazzle with the BSODs and all. I'd already looked around the Kerio forums but kept hitting the problem that the defaults seem rather different between the various subversions... didn't get very far but will give it another go. Version 2 is now obsolete, but there is a forum for it. Not many threads though.
    The other link to wilderssecurity sounds promising, will try that next.
    One reason why I was trying Kerio is that it has a reputation as a "lightweight" - with only 32MB RAM and 100MHz P1 you will appreciate why! Zone Alarm wasn't too bad actually, but Kerio is certainly better in this respect particularly when launching. Do you have any guidance about how demanding Sygate is upon resources, pls?
    The other thing I have to get to grips with is that we are behind a "transparent proxy" - at least I think so!? - have found a few places which offer ways of checking this, haven't done it yet. I'm wondering whether I have to make allowance for this... I suppose the more transparent it is the less it will affect things. But recently when downloading new AV defs I hit a weird error "The handle is in the wrong state for the requested operation": looking this up I found that this error only affects NTL DSL customers who are behind such a proxy. NTL is our ISP, but the connection is an extremely normal dialup.
    I mention it because, when trawling search engines and the like, there was plenty of mention of somewhat similar trouble with 127.0.0.1:80 for DSL customers. Odd, that. But then there's a whole bundle of stuff about the same port and Apaches, and a truly galling searchable reference to the Lovsan2 malware, which only leads to a blank page. Pay to "join the club" to go further - perhaps only to find it says "we now know there's no connection"? I don't know, I'm not playing that game. Did get a bit concerned about IP spoofing though, so looked up 127.0.0.1 at CA, 14 hits, some "Lovgate"s among them; no Lovsan2 even among aliases.
    I checked an old ZA log, and found that it had been catching what appear to be the same type of events; nothing had crashed as a result over this period. So maybe there's no correlation to the BSODs. It did make me wonder at the time why the PC was trying to talk to itself, though.
    Can anyone confirm the veracity of / shed light on the quoted section in my earlier post at the top of the thread? It would be good to know if this form of communication is a normal part of system function, and what the impact of disallowing it might be...

    thanks, and best wishes, HJ.
     
  5. 2003/11/30
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Hi Hugh,

    I run Sygate on XP, puts approx a 9.3 MB RAM load on the system. Don't know if that's useful if what you're running is a 9X OS where the question would be "system resources" as well as RAM. Have ZA Pro on WinME and it runs fine.

    The 127.0.0.1 address: AFAIK - all firewalls that I know about have provisions to block this IP. It's known as the loop-back address and the same principle operates in having that address blocked in the Hosts file, simply to keep your system from talking to itself. It becomes more complicated with networking, about which I know next to nothing :)

    Regards - Charles
     
    Last edited: 2003/11/30
  6. 2003/11/30
    Hugh Jarss

    Hugh Jarss Inactive Thread Starter

    Joined:
    2002/07/22
    Messages:
    908
    Likes Received:
    6
    Thanks again Charles,
    I'm making slow progress (I think!) - the "ack attack" rule for example is a rule which you don't see on the screen with the other rules - which explains why I was getting confused trying to identify which rule was causing it.
    And, there are some things which don't seem to "Apply" until you've OK'd the dialogue as well... took a while to suss.
    I would like to get a better handle on the nature of the communications from 127.0.0.1:80 to other localhost ports though - there does seem to be rather a lot of it at times; and, at least one of the demo screens (not for my version though) has a loopback rule which is there to permit this...
    Found some references saying you get this if you "hop" to another page before the first has finished loading; but that doesn't cover all of what I'm seeing. Unless I suppose you might get the same effect if an internet connection has failed and had to reconnect...
    But from what you say about other firewalls blocking the loopback, it shouldn't do any harm to leave it blocked - which has to be the safe way to go considering the mention of malware spoofing 127.0.0.1
    Sygate sounds a bit on the heavy side for this not-very-powerful computer - reckon I'll persevere with Kerio for a while yet. I use CA EZ antivirus which was a good find (way back when it was InnoculateIT) - it's very undemanding on resources (and money!). It would be a shame to clobber things with the firewall.
    best wishes, HJ.
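Added example for this thread (not code from any of the posts above, and not Kerio's own code): a small Python script that takes "blocked" log entries in the shape Hugh quotes in his first post, "blocked TCP [127.0.0.1:80]->localhost:nnnn", and sorts them by where the two endpoints are. Entries whose source is in 127.0.0.0/8 and whose destination is localhost (or another 127.x address) are traffic between two programs on the same machine; entries with a non-loopback source came from somewhere else. It then tallies which local ports the loopback entries hit, which is the "some ports get chosen more than others" observation from post 1 and the "rather a lot of it at times" observation from post 6 made countable. The sample lines, the regular expression and the function names (parse_line, classify, summarize) are my own assumptions: the real Kerio 2.x log layout has extra fields, so the pattern would need adjusting before running it on a real log.

```python
"""Sort firewall 'blocked' entries into loopback vs. remote traffic.

Added illustration for this thread; not Kerio's code. The line shape is an
assumption modelled on the entry quoted in the thread, and the sample
lines below are constructed.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the shape quoted in the thread. The 203.0.113.x
# and 192.0.2.x addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
blocked TCP [127.0.0.1:80]->localhost:1187
blocked TCP [127.0.0.1:80]->localhost:1544
blocked TCP [203.0.113.5:4321]->localhost:135
blocked UDP [192.0.2.9:1900]->localhost:1900
blocked TCP [127.0.0.1:80]->localhost:1187
blocked TCP [127.0.0.1:80]->192.0.2.20:1187
"""

# Assumed line shape: "blocked <PROTO> [<src>:<sport>]-><dst>:<dport>"
LINE_RE = re.compile(
    r"blocked\s+(?P<proto>[A-Z]+)\s+"
    r"\[(?P<src>[^\]:]+):(?P<sport>\d+)\]->"
    r"(?P<dst>[^:\s]+):(?P<dport>\d+)"
)


def _is_loopback(host: str) -> bool:
    """True for 'localhost' or any address in 127.0.0.0/8 (or ::1)."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # some other hostname; treat as non-loopback


def parse_line(line: str):
    """Return the fields of one blocked entry, or None if the line doesn't match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {
        "proto": m["proto"],
        "src": m["src"],
        "sport": int(m["sport"]),
        "dst": m["dst"],
        "dport": int(m["dport"]),
    }


def classify(entry: dict) -> str:
    """Label an entry by where its two endpoints are.

    loopback : both ends are this machine; the packet never left the host,
               so it is one local program talking to another local program.
    remote   : the source is not a loopback address.
    odd      : loopback source with a non-loopback destination; such a
               packet cannot be routed and deserves a second look.
    """
    src_lo, dst_lo = _is_loopback(entry["src"]), _is_loopback(entry["dst"])
    if src_lo and dst_lo:
        return "loopback"
    if not src_lo:
        return "remote"
    return "odd"


def summarize(lines):
    """Count entries per class and tally destination ports of loopback entries."""
    classes = Counter()
    loopback_ports = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # skip lines that are not blocked-connection entries
        label = classify(entry)
        classes[label] += 1
        if label == "loopback":
            loopback_ports[entry["dport"]] += 1
    return classes, loopback_ports


if __name__ == "__main__":
    classes, ports = summarize(SAMPLE_LOG.splitlines())
    print("entries per class:", dict(classes))
    print("loopback destination ports, most hit first:", ports.most_common())
```

Run it against a saved copy of the log (after adapting LINE_RE to the real line format) and the port tally shows at a glance whether the 127.0.0.1:80 entries are spread over a whole ephemeral range or concentrate on a few ports, which is the first thing to know before deciding whether a loopback permit rule is worth adding.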
     