From: J44xm on 19 Dec 2005 00:12

I'm not very knowledgeable about networking -- I'll say that up front. However, I recently downgraded from Kerio Personal Firewall 4.x to 2.1.5 to speed up my computer. And it worked. (I'm on a college network, I'll mention.) Kerio 2.1.5 has a problem with fragmented packets. My question, then, is how to handle these. There seems to be no consensus about how dangerous this vulnerability is, so I'm not sure just how dangerous the hole is. Still, I'd like to plug it if I can.

One method that's come to my attention is a simple Registry fix:

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\IPFILTERDRIVER\PARAMETERS]
"ENABLEFRAGMENTCHECKING"=DWORD:00000001
(http://www.dslreports.com/forum/remark,14794956)

Is this effective? If not, what freeware (preferably) or shareware can I use to help plug the hole that Kerio 2.1.5 has? Something with a light footprint is necessary.

Many thanks. I just can't find these answers.
-- 
J44xm (http://j44xm.notlong.com)
From: Volker Birk on 19 Dec 2005 04:46

J44xm <w44kz.bayvar[@]tznvy.pbz> wrote:
> I'm not very knowledgeable about networking -- I'll say that up front.
> However, I recently downgraded from Kerio Personal Firewall 4.x to 2.1.5 to
> speed up my computer. And it worked. (I'm on a college network, I'll
> mention.) Kerio 2.1.5 has a problem with fragmented packets.

Why not use the Windows Firewall? What Windows version do you run?

Yours,
VB.
-- 
A vision statement is, as a rule, the planless babble of a horde of crackpots detached from reality.
Dietz Pröpper in d.a.s.r
From: Ric on 19 Dec 2005 20:55

On Sun, 18 Dec 2005 23:12:18 -0600, J44xm <w44kz.bayvar[@]tznvy.pbz> wrote:
> I'm not very knowledgeable about networking -- I'll say that up front.
> However, I recently downgraded from Kerio Personal Firewall 4.x to 2.1.5 to
> speed up my computer. And it worked. (I'm on a college network, I'll
> mention.) Kerio 2.1.5 has a problem with fragmented packets. My question,
> then, is how to handle these. There seems to be no consensus about how
> dangerous this vulnerability is, so I'm not sure just how dangerous the hole
> is. Still, I'd like to plug it if I can.

If an incoming connection is fragmented, Kerio will accept it. Then it will allow all traffic in both directions on that connection. Kerio is supposed to be a packet filter, and it can't filter fragmented packets.

> One method that's come to my attention is a simple Registry fix:
> [HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\IPFILTERDRIVER\PARAMETERS]
> "ENABLEFRAGMENTCHECKING"=DWORD:00000001
> (http://www.dslreports.com/forum/remark,14794956)
>
> Is this effective? If not, what freeware (preferably) or shareware can I use
> to help plug the hole that Kerio 2.1.5 has? Something with a light footprint
> is necessary.
>
> Many thanks. I just can't find these answers.

Sometimes this registry fix works, sometimes not. To test it, create a new rule to block all ICMP and make sure it is the first rule in your list. Then type

ping -l 3000 IPaddy

This creates an oversized packet that will be fragmented before it's sent through the firewall. If you use a router, this problem should be restricted to your LAN.

Ric
From: Jeff B on 20 Dec 2005 01:33

J44xm wrote:
> I'm not very knowledgeable about networking -- I'll say that up front.
> However, I recently downgraded from Kerio Personal Firewall 4.x to 2.1.5 to
> speed up my computer. And it worked. (I'm on a college network, I'll
> mention.) Kerio 2.1.5 has a problem with fragmented packets. My question,
> then, is how to handle these. There seems to be no consensus about how
> dangerous this vulnerability is, so I'm not sure just how dangerous the hole
> is. Still, I'd like to plug it if I can.
>
> One method that's come to my attention is a simple Registry fix:
> [HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\IPFILTERDRIVER\PARAMETERS]
> "ENABLEFRAGMENTCHECKING"=DWORD:00000001
> (http://www.dslreports.com/forum/remark,14794956)
>
> Is this effective? If not, what freeware (preferably) or shareware can I use
> to help plug the hole that Kerio 2.1.5 has? Something with a light footprint
> is necessary.
>
> Many thanks. I just can't find these answers.

With the ability to sync MTU size, there should never be a need for fragmented packets. Unconditionally dump them all :) You can even set maxmtu=576 and the issue just goes away.
-- 
--- Jeff B (remove the No-Spam to reply)
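Added example (not from any poster in this thread, and not Kerio's code): it fragments a constructed 3000-byte ICMP echo request at a 1500-byte MTU, as the ping -l 3000 test in Ric's post would, and runs each fragment through a stateless "block all ICMP" rule. It shows why only the first fragment carries anything a rule can match, what an ENABLEFRAGMENTCHECKING-style fail-closed choice changes, and, per Jeff B's point, that a datagram within the MTU is never fragmented. The addresses, identifiers and the fail-open policy are assumptions modelled on Ric's description.

```python
import struct

IP_HDR = 20          # IPv4 header length without options
MF = 0x2000          # "More Fragments" bit in the flags/offset field
ICMP_PROTO = 1

def ipv4_packet(data: bytes, proto: int, ident: int, offset: int, more: bool) -> bytes:
    """Minimal IPv4 header (checksum left zero; constructed 10.0.0.x addresses) + one chunk."""
    flags_off = (MF if more else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR + len(data), ident,
                      flags_off, 64, proto, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return hdr + data

def fragment(data: bytes, proto: int, ident: int, mtu: int) -> list:
    """Split one datagram into IPv4 fragments (RFC 791): each fragment's data is a
    multiple of 8 bytes, and only the first fragment carries the transport header."""
    step = (mtu - IP_HDR) // 8 * 8
    return [ipv4_packet(data[off:off + step], proto, ident, off, off + step < len(data))
            for off in range(0, len(data), step)]

def parse(pkt: bytes) -> dict:
    _, _, _, ident, flags_off, _, proto, _, _, _ = struct.unpack("!BBHHHBBH4s4s", pkt[:IP_HDR])
    return {"ident": ident, "proto": proto, "offset": (flags_off & 0x1FFF) * 8,
            "more": bool(flags_off & MF), "data": pkt[IP_HDR:]}

def decide(pkt: bytes, fragment_checking: bool) -> str:
    """Stateless rule 'block all ICMP'. A non-first fragment has no ICMP header to
    match, so the filter must either fail open (assumed Kerio behaviour) or fail closed."""
    p = parse(pkt)
    if p["offset"] != 0:
        return "DROP" if fragment_checking else "ACCEPT"
    if p["proto"] == ICMP_PROTO:
        return "DROP"
    return "ACCEPT"

def run(padding_len: int, mtu: int, fragment_checking: bool) -> dict:
    # constructed ICMP echo request: 8-byte ICMP header + padding_len bytes of payload
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + b"A" * padding_len
    frags = fragment(icmp, ICMP_PROTO, 0xBEEF, mtu)
    verdicts = [decide(f, fragment_checking) for f in frags]
    return {"fragments": len(frags), "accepted": verdicts.count("ACCEPT")}

if __name__ == "__main__":
    print(run(3000, 1500, False))   # ping -l 3000 through a fail-open filter: 2 of 3 fragments pass
    print(run(3000, 1500, True))    # same test with fragment checking: nothing passes
    print(run(1000, 1500, False))   # datagram fits the MTU: one packet, rule matches it
```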
From: Volker Birk on 20 Dec 2005 07:17

Ric <me(a)privacy.net> wrote:
> If an incoming connection is fragmented, Kerio will accept it. Then it
> will allow all traffic in both directions on that connection. Kerio is
> supposed to be a packet filter, and it can't filter fragmented packets.

Oh-my-FSM. It's even getting worse ;-)

Is this true for all Kerio versions?

I don't want to know how many security flaws we lost sight of in your short test. I fear that "Personal Firewalls" are even much worse than our test showed.

Yours,
VB.
-- 
A vision statement is, as a rule, the planless babble of a horde of crackpots detached from reality.
Dietz Pröpper in d.a.s.r