Author Topic: Kerio 2.1.5 ruleset for Avast proxies  (Read 10836 times)

Jarmo P

  • Guest
Kerio 2.1.5 ruleset for Avast proxies
« on: July 05, 2006, 12:37:40 PM »
This was made starting from Blitzen Zeus's template that can be found at dslreports kerio forum.

System part:

'My loopback' rules are made to not allow applications connecting to those excluded ports any proxy allowance unless explicitly told in apps rules later.

DHCP and DNS are for my cable modem connection in case anyone is interested. No need for broadcast DHCP.
The unticked 'my cable DHCP MAC change' is needed only when changing cable to different network card on the fly/changing card's MAC address to acquire a new IP number.


Applications part:

The WS rules for browsers for the webshield proxy are followed by a deny all other applications rule.

Same is also done to Thunderbird and OE and then denied email scanning proxy for any other apps after that.

I give this to all firewall experts to examine and find faults, hehe.

I have also a question to Avast team. Instant Messaging is also done by proxy? If so, is it ashwebsv.exe and in my example also Yahoo messenger and Skype need to have a 'WS' rule for them in my ruleset to have that protection?

Jarmo
« Last Edit: July 05, 2006, 01:28:46 PM by Jarmo P »

Jarmo P

  • Guest
Re: Kerio 2.1.5 ruleset for Avast proxies
« Reply #1 on: July 07, 2006, 07:03:02 AM »
No more rule based firewall users here? ::)

I remember some used outpost and kerio 4.
Kerio 4 has the option to use it like an application firewall. So maybe no firewall experts here?

Really thought my post would interest kerio users and also other rule based firewall users.

With 'Standard loopback' ticked, Internet Explorer gets out even when no rule is specified for it. No difference to Sygate, even though so many people here were bashing a totally good firewall just cause it allowed software out through a benign proxy. Point is that skillful users can prevent that behaviour with Kerio, not though with Sygate.

I also got no answer from avast team how instant messaging provider works? How is it different from standard shield? If it is the same, why given an option to tick or untick different IMs. Or is it some kind of local proxy?
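
The rule ordering described in the first post and the 'Standard loopback' behaviour noted in the reply above, as an added example that is not part of the original thread and is not Jarmo P's actual ruleset: a simplified first-match filter model in Python. The rule contents, the sample applications and the WebShield port 12080 are assumptions, and this is not Kerio's rule file format.

```python
from dataclasses import dataclass
from typing import Optional

LOOPBACK = "127.0.0.1"
WS_PORT = 12080  # assumption: local port the WebShield proxy listens on

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                       # "permit" or "deny"
    app: Optional[str]                # None matches any application
    ip: Optional[str]                 # None matches any remote address
    port: Optional[int]               # None matches any remote port
    not_ports: frozenset = frozenset()  # remote ports this rule never matches

    def matches(self, app, ip, port):
        return ((self.app is None or self.app == app.lower())
                and (self.ip is None or self.ip == ip)
                and (self.port is None or self.port == port)
                and port not in self.not_ports)

def decide(rules, app, ip, port):
    """Return (action, rule name) of the first matching rule; default deny."""
    for rule in rules:
        if rule.matches(app, ip, port):
            return rule.action, rule.name
    return "deny", "implicit default"

# Constructed ruleset A: blanket loopback permit ('Standard loopback' ticked).
STANDARD_LOOPBACK = [
    Rule("Standard loopback", "permit", None, LOOPBACK, None),
    Rule("WebShield out", "permit", "ashwebsv.exe", None, 80),
]

# Constructed ruleset B: loopback permit that excludes the proxy port,
# then a per-app 'WS' permit, then a deny for every other application.
PER_APP_PROXY = [
    Rule("My loopback", "permit", None, LOOPBACK, None, frozenset({WS_PORT})),
    Rule("WS firefox", "permit", "firefox.exe", LOOPBACK, WS_PORT),
    Rule("WS block others", "deny", None, LOOPBACK, WS_PORT),
    Rule("WebShield out", "permit", "ashwebsv.exe", None, 80),
]

def who_reaches_proxy(rules, apps):
    """Applications the ruleset lets connect to the local web proxy."""
    return [a for a in apps if decide(rules, a, LOOPBACK, WS_PORT)[0] == "permit"]
```

Under ruleset A every application reaches the proxy and so gets web access through ashwebsv.exe; under ruleset B only the application with an explicit 'WS' rule does.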

neal62

  • Guest
Re: Kerio 2.1.5 ruleset for Avast proxies
« Reply #2 on: July 07, 2006, 07:29:16 AM »
Possibly the reason you have not got any answers is that the majority of the users here are SATISFIED with the firewall they use no matter what the name of their firewall is. I am satisfied with mine for instance, does a very good job. Have a nice day.  :)
 Oh if interested read some information about Kerio 2.1.5 version by going HERE.
« Last Edit: July 07, 2006, 08:58:41 AM by neal63 »

Jarmo P

  • Guest
Re: Kerio 2.1.5 ruleset for Avast proxies
« Reply #3 on: July 07, 2006, 09:53:02 AM »
Neal, best place to find information about kerio 2.1.5 is of course its own forum:
http://www.dslreports.com/forum/kerio

There are rulesets given by people, most important is I guess the so called BZ ruleset. And other information about the firewall.
Another site to recommend these days is:
http://www.wilderssecurity.com/index.php
But there is also much passionate talks too about whose software is better than others that confuse the information there can be gathered.

My post is also given here to help users with avast proxies to configure their firewall. Sded has posted in this forum also some very useful information.

Remember a rule based firewall is only as good or bad as rules given to it.  ;D

EDIT
Alwil team still not willing to share information about their IM protection?
With webshield one can always go and test with eicar test virus.
Also with email shield, one can get sent a test virus in email if the ISP is not scanning that traffic as a service.
One site, my former antivirus:
http://www.norman.com/Virus/Antivirus_testfile
Sorry if that web site is partly in Finnish.

But how can one test if IM provider is working or just placebo one believes is there?
« Last Edit: July 07, 2006, 06:39:08 PM by Jarmo P »

Jarmo P

  • Guest
Re: Kerio 2.1.5 ruleset for Avast proxies
« Reply #4 on: July 07, 2006, 07:28:19 PM »
Still no answer Alwil team?
How your IM protection works, is it a proxy or not?
How to configure it to a rule based firewall to get it working!

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re: Kerio 2.1.5 ruleset for Avast proxies
« Reply #5 on: July 10, 2006, 10:47:08 AM »
No, avast! IM protection is not performed as a proxy. Basically, avast! scans the files downloaded by specific process (on disk), so there's no need for additional firewall configuration.

Jarmo P

  • Guest
Re: Kerio 2.1.5 ruleset for Avast proxies
« Reply #6 on: July 10, 2006, 07:07:26 PM »
Thanks for the reply Igor.
I just read after your answer from the avast! antivirus help file the page 'Resident Protection Providers'.
I guess the key word in that short page was "downloaded".
So I believe p2p shield also to be done with no local proxy cause it has that keyword "downloaded".  :)




Offline Lars-Erik

  • Avast Evangelist
  • Sr. Member
  • ***
  • Posts: 394
    • Lars-Erik Østerud
IM and P2P shields, are they needed when standard shield is on?
« Reply #7 on: October 30, 2007, 11:19:00 AM »
> No, avast! IM protection is not performed as a proxy. Basically, avast! scans the files downloaded by specific process (on disk), so there's no need for additional firewall configuration.

But wouldn't the standard shield catch both IM and P2P files with viruses?
They have to be saved to disk, and then the standard shield would catch it?
So what is the need for the IM and P2P shields (except using resources)?

BTW: Why is the WebShield dropping speed from 5000 kbps to 4500 kbps?
That's quite a performance hit. Doesn't the "intelligent stream scan" work here?
www.osterud.name - ICQ: 7297605 - AIM/Yahoo/Facebook/Skype/Astra: LarsErikOsterud

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Kerio 2.1.5 ruleset for Avast proxies
« Reply #8 on: October 30, 2007, 12:02:47 PM »
> They have to be saved to disk, and then the standard shield would catch it?

Only if you set Standard Shield to High sensitivity level, scanning all files open/created/modified.
For me, who does not use this security level, the providers allow best balance between performance and security. They're better than just using high rate of resources by Standard Shield.
The best things in life are free.

Offline Lars-Erik

  • Avast Evangelist
  • Sr. Member
  • ***
  • Posts: 394
    • Lars-Erik Østerud
IM and P2P shields, are they needed when standard shield is on?
« Reply #9 on: October 30, 2007, 12:23:29 PM »
> Only if you set Standard Shield to High sensitivity level, scanning all files open/created/modified.

I have scan created/modified files on, but only for predefined types.
So you are saying that these modules add "scan all files" for IM and P2P.

Do they use the same files (read: do they add memory usage)?
If they do, then I guess there is nothing to save turning them off :-)

I'll do a test and see if they affect anything (memory usage, network speed etc)
www.osterud.name - ICQ: 7297605 - AIM/Yahoo/Facebook/Skype/Astra: LarsErikOsterud

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Kerio 2.1.5 ruleset for Avast proxies
« Reply #10 on: October 30, 2007, 01:41:22 PM »
> So you are saying that these modules add "scan all files" for IM and P2P.

At least that is what they promise to. I hope the programmers correct me if I'm wrong in this assumption.
The best things in life are free.