Kerio 4

I just installed Kerio Personal Firewall 4 after using Zone Alarm Pro for years. ZA just proved to be too unreliable. I have a question though. With ZA, I was having all intrusion attempts logged, as I am with Kerio. I am receiving far fewer log entries with Kerio than I did with ZA. With ZA, I would get up to 100 a day, but with Kerio, I have 35 log entries in three days. I am concerned that Kerio might be missing some intrusions and allowing them to get through. Has anyone reported a similar problem?

Don Dunlap


If you're using Kerio 4.1 or higher, you need to turn on the logging packets to unopened ports option. If you're using a version prior to 4.1 then there is no logging of packets to closed ports. Only open ports.

That said, Kerio 4's logging is generally buggy and terrible. Kerio may work fine and block incoming packets, but if you're looking for good logging you better look elsewhere... ;)

Kerodo

How many devices are on your network?

Are any of them using DHCP?

Robert Spangler

Thanks for the info. I have another question. Almost all of the intrusions logged are from the same source - 192.168.0.132. My home network is 192.168.0.0, which causes me to wonder if somehow the network is causing the problem. The description of the intrusions is 'ICMP L3retriever Ping'. These happen whether the second computer is on or not, so I am not sure what is happening. Is it a real intrusion or something with my network?

Don Dunlap


It's something from your network. I get all sorts of junk reported (all ICMP) from file & printer sharing in the network.

Johnie


Thanks again. I kind of figured that it was. It would have been too much of a coincidence if it had been from outside the network.

Don Dunlap


Sounds like something with your network, although I'm not familiar with networks, so I can't help much there.

A good place for questions is also the Kerio forum. Someone there might be able to help with specifics.

Kerodo

"Don Dunlap" wrote in news:eb57b$41a8a7c1$45234fec$ snipped-for-privacy@allthenewsgroups.com:

You can just tell Kerio I would think like any other PFW solution to trust private side IP(s) including the router device IP and be done with it.

Duane :)


Yeah, I would have thought that when I set the local network as a trusted zone, it would ignore ALL local traffic. Instead it insists on logging certain local ICMP and NETBIOS packets as intrusions.

I have no control over which type of ICMP & NETBIOS packets are flagged, but these include "ICMP L3retriever Ping". Presumably these are blocked as well.

I can select not to log "medium priority" intrusions but then I could miss a genuine alert.

Is it done this way because it could be exploited from the web?

I'm not too concerned about it myself because I am behind a hardware NAT firewall/router anyway. (Maybe I should be!)

On this issue, Kerio flags up a lot of "Port Scans" from external sources. How come these are getting thro' my hardware firewall?

Johnie

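As an added example, not code from the thread or from Kerio, here is a small triage script over constructed log lines in a simplified layout of my own (not Kerio's real log format). It assumes the home subnet is 192.168.0.0/24 as described above, and separates the local ICMP/NetBIOS noise Johnie and Duane are talking about from entries with external sources, which are the ones worth checking against the NAT router's behaviour.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines: "<date> <time> <description> from <ip>".
# This stands in for a firewall intrusion log; it is not Kerio's format.
SAMPLE_LOG = """\
2004-11-27 10:01:02 ICMP L3retriever Ping from 192.168.0.132
2004-11-27 10:01:32 ICMP L3retriever Ping from 192.168.0.132
2004-11-27 10:03:10 NetBIOS name query from 192.168.0.1
2004-11-27 11:15:44 Port scan from 203.0.113.45
2004-11-27 11:16:01 ICMP L3retriever Ping from 192.168.0.132
2004-11-27 12:40:09 Port scan from 198.51.100.7
"""

LINE_RE = re.compile(r"^(\S+ \S+) (.+?) from (\S+)$")


def parse_entries(text):
    """Return (timestamp, description, source_ip) tuples; unparsable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2), ipaddress.ip_address(m.group(3))))
    return entries


def triage(entries, trusted_net):
    """Split entries into local (inside trusted_net) and external, counted by (description, source)."""
    trusted = ipaddress.ip_network(trusted_net)
    local, external = Counter(), Counter()
    for _ts, desc, ip in entries:
        bucket = local if ip in trusted else external
        bucket[(desc, str(ip))] += 1
    return local, external


def summarize(text, trusted_net="192.168.0.0/24"):
    """Headline numbers: how much is local noise, and which outside hosts got through."""
    local, external = triage(parse_entries(text), trusted_net)
    return {
        "local_total": sum(local.values()),
        "external_total": sum(external.values()),
        "top_local_source": local.most_common(1)[0][0][1] if local else None,
        "external_sources": sorted({src for (_d, src) in external}),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

With a NAT router in front, a non-empty `external_sources` list is the part to take to the router's support, as Duane suggests later in the thread.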

Netgear DG834 router / SPI firewall / ADSL modem.

Johnie.


What brand router is this? A NAT router is not 100% bulletproof but should stop most unsolicited scans.

Duane :)


Johnie wrote in news:41a9de28_2@127.0.0.1:

As far as a scan coming through the NAT router with SPI, you sure nothing on the computer behind the router is making a solicitation for traffic? Are you doing port forwarding? What port(s) are the scans coming in on past the router? You sure Kerio 4 is not getting a false positive on the IDS?

Duane :)


There are a few that are this. The rest not impossible but I doubt it.

No.

Here's a couple of intrusion log entries (it doesn't seem to log useful stuff like port number and protocol):

Johnie

Johnie wrote in news:41aa6554$1_2@127.0.0.1:

I don't know. If you're getting responses from unsolicited traffic from a remote IP that the PFW solution is responding to that the router should be stopping, then I would have to question the router set-up and a possible mis-configuration or the router and its firmware are not up to the task of stopping it for some reason. Actually, I would be on the phone about this with Tech Support on the router.

Duane :)


Will do!

Thanks Duane.

Johnie
