Safety of local-loopback access rule

Wonderful. This crappy thing doesn't even have an "allow ip from any to any via lo0" rule by default?

Yes.

Who cares? Kerio is supposed to f*ck up your network connection, not to provide security.

Reply to
Sebastian Gottschalk

Hello,

I'm using Cygwin's Xwindows. When I launch applications that connect to the windowing system, the Kerio Personal Firewall 2.1.5 catches it. I launched a few Xwindows applications to characterize the accesses:

Local   Remote
-----   --------------
:1120   127.0.0.1:1034
:1122   127.0.0.1:1034
:1123   127.0.0.1:1023
:1124   127.0.0.1:1034
:1125   127.0.0.1:1125

Both TCP and UDP (outgoing) are required for most of the applications tried. I created a single rule for any application and any port to allow access for the plurality of applications:

Local_Loopback_for_Xwin
-----------------------
* Protocol: TCP and UDP
* Direction: Outgoing
* Local endpoint: Any port, any application
  - Different applications use different ports, e.g. 1120, 1122, 1123, 1124, 1125
* Remote endpoint: 127.0.0.1, any port
  - Different applications use different ports, e.g. 1034, 1034, 1023, 1034, 1125
* Always permit

Since it's a local connection, is it safe to have an open-ended port specification and open-ended application specification?

The safer alternative is to specify exactly which application the rule applies to, which is less convenient. I'd need a rule for each application. Also, if some Xwindows activity or application doesn't work in the future, it might take some troubleshooting before tracking it back to the firewall.

Hopefully, the open-endedness in the rule specification sacrifices very little safety, since it's much more convenient.

Reply to
Dubious Dude

Why would it be unsafe? 127.0.0.0/8 is localhost, i.e. the local computer. It's plain stupid of Kerio to filter/report connections to 127.0.0.1 unless packets with this address arrive on the external interface.

Besides, you can't reliably restrict outbound connections anyway.

cu

59cobalt
Reply to
Ansgar -59cobalt- Wiechers

Actually, on Windows it's even sometimes possible to have any local IP running over local-loopback for local IPC via sockets, so even 192.168.0.1 to itself on lo0 should be allowed.

Reply to
Sebastian Gottschalk
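The rule in the original post and the two caveats raised in the replies (a 127/8 address seen on a non-loopback interface is spoofed and must be dropped; on Windows the host's own LAN address can also be used over the loopback interface for local IPC) can be written down as a small evaluator. This is an added example, not code from the thread, from Kerio, or from Cygwin; the interface names ("lo", "eth0"), the LAN address 192.168.0.1 and the extra sample packets are constructed for the illustration. The five X11 connections are the ones listed in the first post.

```python
"""Evaluate loopback traffic against the Local_Loopback_for_Xwin rule.

Added illustration, not code from the thread. It models:
  1. anti-spoofing: 127/8 must never be seen on a real interface,
  2. the post's rule: outgoing TCP/UDP, any app, any local port,
     remote 127.0.0.0/8, any remote port,
  3. local IPC between the host's own non-127 address and itself over lo.
Interface names and own_addrs are assumptions made for the example.
"""
import ipaddress
from dataclasses import dataclass

LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/8")


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    direction: str   # "out" = locally initiated, "in" = arriving
    src: str
    sport: int
    dst: str
    dport: int
    iface: str       # interface the packet was seen on; "lo" = loopback (assumed name)


def is_loopback_addr(addr: str) -> bool:
    """True for any address in 127.0.0.0/8, not just 127.0.0.1."""
    return ipaddress.ip_address(addr) in LOOPBACK_NET


def evaluate(pkt: Packet, own_addrs: frozenset = frozenset()) -> str:
    # 1. A 127/8 source or destination on a non-loopback interface is a
    #    spoofed (martian) packet; drop it before any permit rule runs.
    if pkt.iface != "lo" and (is_loopback_addr(pkt.src) or is_loopback_addr(pkt.dst)):
        return "drop: 127/8 address on external interface"
    # 2. The post's rule, with the open-ended local port / application.
    if pkt.direction == "out" and pkt.proto in ("tcp", "udp") and is_loopback_addr(pkt.dst):
        return "permit: Local_Loopback_for_Xwin"
    # 3. The host's own address talking to itself over the loopback interface.
    if pkt.iface == "lo" and pkt.src in own_addrs and pkt.dst in own_addrs:
        return "permit: own address over loopback"
    return "no match"


# (local port, remote port) pairs observed in the original post.
X11_CONNECTIONS = [(1120, 1034), (1122, 1034), (1123, 1023), (1124, 1034), (1125, 1125)]


def x11_packets(proto: str = "tcp"):
    return [Packet(proto, "out", "127.0.0.1", lp, "127.0.0.1", rp, "lo")
            for lp, rp in X11_CONNECTIONS]


def run_samples() -> dict:
    own = frozenset({"192.168.0.1"})   # constructed: the host's LAN address
    results = {}
    for p in x11_packets("tcp") + x11_packets("udp"):
        results[(p.proto, p.sport, p.dport)] = evaluate(p, own)
    # Constructed: 127.0.0.1 claimed as source on the external interface.
    spoofed = Packet("tcp", "in", "127.0.0.1", 40000, "192.168.0.1", 6000, "eth0")
    results["spoofed"] = evaluate(spoofed, own)
    # Constructed: host talks to its own LAN address over lo (the Windows case).
    self_ipc = Packet("tcp", "out", "192.168.0.1", 40001, "192.168.0.1", 6000, "lo")
    results["self_ipc"] = evaluate(self_ipc, own)
    # Constructed: ordinary LAN connection, not covered by a loopback rule.
    lan = Packet("tcp", "out", "192.168.0.1", 40002, "192.168.0.2", 6000, "eth0")
    results["lan"] = evaluate(lan, own)
    return results


if __name__ == "__main__":
    for key, verdict in run_samples().items():
        print(key, "->", verdict)
```

The spoof check runs first on purpose: a permit rule keyed only on "destination is 127.0.0.1" would otherwise also match crafted packets that reach the host through the external interface, which is exactly the case the reply above carves out.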

You can see here how idiotic Kerio seems to be. Maybe you want to rethink whether it would be better to just use the Windows firewall.

Besides that, AFAIK Windows does not support UNIX domain sockets, so this is OK.

Yours, VB.

Reply to
Volker Birk

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.