Personal Firewalls

Kerio Personal Firewall


Kerio is Tiny Personal Firewall under a different name. Guess it was sold and/or branched. A more powerful alternative to the basic version ZoneAlarm. Unlike ZA, Kerio works on a gateway to protect a LAN connected to the Net... but experience shows that it is not heavy duty in this role; So don't be surprised if you experience occasional problems if using Kerio in this role.

Also, since open NetBios ports is a classic mistake, Kerio comes with a specific configuration tab to close those ports from the Net (although some users say that it's not reliable, and prefer to not use this, and build their own rules instead.)

Generally speaking, the rules that Kerio build for you automatically if you let it are (to quote a users) "weak and flawed. The default rules that come with the firewall are worthless, and will not protect anyone from the Internet. Going one step furter, the old stand-by rules passed down from AtGuard days and rewitten for for Tiny, are woefully out-of-date and have holes large enough for a truck-load of exploits to drive through." You've been warned :-)


  1. Dowload and install from the vendor's site
  2. Reboot, even if running W2K
  3. Get rid of all the default rules, as most of them can be agregated into a few, general rules
  4. If this host is acting as a gateway, test from both this host and other hosts on the LAN

Here's a basic configuration, for a single host (ie. not acting as a gateway) connected in ADSL:


Here's one for a W2K using ICS to act as a gateway to the Internet:

As you can see, you need to allow other hosts on the LAN to go through this host on their way to the Net. Checking "Is running on Internet Gateway" is not enough. Remember to add the LAN network address in the Custom Address Group in the Miscellaneous tab.

As added protection, I added a catch-all DENY ALL rule. Since rules are applied top to bottom, this rule has to be the last in your list. This catch-all rule with make the gateway stealth.

To let users work with an FTP server on the Net using the default active mode, add a rule to allow incoming TCP packets from any server, source port 20.

Important: If you are connected through a cable-modem, it is possible that your ISP pings your host regularly to see if it's still alive. In this case, write a rule to let incoming PINGs from your ISP, or you will experience mysterious disconnections after a certain amount of time.

Some users have reported that Kerio doesn't support gateways as well as eg. Sygate, since it's originally meant to run on a stand alone host.


According to the different Kerio forums I checked, the default filtering rules provided by Kerio are not good. Hence your having to dive into this right from the beginning.

First of all, some users prefer to not use the Microsoft Networking tab, and build their own rules to protect their LAN from attacks aimed at the NetBios stuff.

Also, to protect against spyware, ie. legit software that connects out to the Net without telling you and for no reason (eg. why would an HTML editor like Namo WebEditor connect to the mothership without asking my permission? ;-)), some users prefer to write rules to specifically allow such and such application to connect out, and forbid all others.

I recommend you start with a basic and working configuration which allows any outgoing connects (thanks to Kerio being stateful, responses are handled automagically), and, if you are running some service such as a WWW server on this gateway that must be reachable from the Net, allow those specific incoming connections, while banning all other flows.

Windows EXEs

Windows Ports


  1. As with any firewall, order matters, eg. if the first rule denies any connection, you can have all the permit rules below, it won't work. Use the up and down arrows on the right side of the Filter Rules dialog
  2. You can set up a group of Custom Address Group (Miscellaneous tab in the Administration | Firewall Configuration dialog)
  3. If this firewall is running on a host acting as gateway, make sure you check "Is running on Internet Gateway" in the same dialog to ease configuration
  4. Not sure what the difference is between one-way and bidirectional flows. Since Kerio is stateful, why should we have to choose bidirectional at all? UDP?
  5. When making any change to the list of rules, make sure you click on Apply/OK, and close/reopen. Otherwise, changes are not displayed (but are be activated once you clicked on Appy)


What does "UsrRsltMd5AddApp: You have too many application already registered!!" mean?

Too many files listed in the MD5 program listing within Admin. Delete duplicates and old programs, save, and restart.

How to go back to default rules?

persfw.conf is your current ruleset.  I believe that if you stop the firewall and rename that file, you'd be back at the default rules. Kerio should remake the original persfw.conf file with the original rules when the firewall is restarted.  Deleting or renaming the file makes no difference other than that if something went wrong, you could change the name back if you only renamed it.

Stat.conf contains your settings for Kerio's status window.

What does Both Directions mean?

Since Kerio is a stateful firewall, why would I need those?

By default, Kerio allows Microsoft-DS/SYSTEM to connect out to TCP 445. Shoud I keep this rule?

No, it is unneeded and will cause you a tremendous amount of grief. You should be able to remove this rule. It certainly shouldn't be allowed TCP access. Ugh!

Why do I have to allow "Generic Host Process for Win32 Services" to let a private host access a web server on the Net?


Tiny Personal Firewall

Here's a working set of filtering rules for TPF 2.0.15A on a W2K Pro host running as an Internet gateway

As of now, I have no idea what IP Protocol 2 (I unchecked it), and I doubt this is a secure configuation (eg. allow incoming UDP datagrams from any host...).


Look'n Stop


The basic, free version doesn't offer as much control as Kerio (eg. allowing/denying based on remote IP or port), and doesn't work on a gateway host.

??? "If you are using ZoneAlarm on the gateway computer of a shared Internet connection, check that the computers in your local network have been added to your Trusted Zone. If you do decide anyway to use free ZoneAlarm on the ICS gateway machine, Internet Zone must be set to Medium setting (ZoneAlarm on the ICS client machines can have Internet Zone set to High).  Note that if the Internet Zone is set to medium, the PC will not be stealthed, so this is not recommended.

On some systems, Generic Host Process (GHP) or SERVICES.EXE may ask for server rights to connect to DNS; if so, add your DNS servers to your Trusted zone only; then give server rights to GHP and SERVICES.EXE for the Trusted zone only. In addition, ZoneAlarm does not have automatic network configuration, so the ICS network must be added to the Trusted Zone manually."????



Deerfield personal Firewall (free 30 day trial)

Norton Personal Firewall


Should I allow any outgoing traffic?

Trojans and worms do their damage by using your system as a "launching pad" for their payloads. Outbound traffic monitoring is as important as inbound traffic monitoring. It's up to you whether you want to spend time configuring your host when installing a firewall, and update it every time you add an application that needs to connect out.

Which anti-virus software should I use?

Many users recommended AntiVir Guard, AVG, Avast, and NAI's Stinger.

Why do I have trouble using FTP?

FTP comes in two flavours - Active and Passive. Most ftp clients (including WSFTP) are active unless explicitly told to be passive.

With Active FTP, the process looks like this.

  1. FTP Client Connects into FTP server on port 21: (Random port) ---> (Server:21)
  2. FTP Client logs into FTP server using the connection
  3. FTP Client requests Directory listing and gives a random *local* port as a target)
  4. FTP Server connects to specified port from port 20 (New Random port) <--- (Server:20)
  5. FTP server sends directory listing across connection opened in (4)

With Passive FTP, the process looks like this:

  1. FTP Client Connects into FTP server on port 21: (Random port) ---> (Server:21)
  2. FTP Client logs into FTP server using the connection
  3. FTP Client requests Directory listing and specifies Passive)
  4. FTP Server Sends random port number back along connection already opened
  5. FTP Client connects to FTP server on the port specified by the server (New Random port) ---> (Server:Random port)
  6. FTP server sends directory listing across connection opened in (5)

Now working from there - if you are using Active mode, you *must* have a rule that allows the ftp server to connect back to you. otherwise, you must set your ftp client to Passive mode *and* allow your client to connect to any port on the server.

You only have three options:

In any case, the second approach should work. If it does not, there is something else in your configuration that shouldn't be there.

Why is the MTA running on my gateway slow to send out e-mail?

One likely possibility is an Identd check on Port 113, some FTP or e-mail servers check Port 113 though most of these normally still work but are very slow. Try a rule Allow, IN, Local Port 113, Remote IP - (IP of server), Remote Port - any.

Application-specific information

Rules for loopback

From a pragmatic standpoint, I would recommend having a permit-all rule on loopback, i.e., to for ICMP, UDP and TCP traffic... In fact, I have such a rule. :-) However, I do not run any specific services on loopback. They're all bound to the local IP address of my Ethernet interface (which happens to be 10.x.x.x at home and a class B address at work). That's a local SMTP server, POP3 service, HTTP, FTP, SOCKS4 proxies...

Blocking port 135-139, 445

Since those are the best candidates for intrusion, create a rule near the top of your rules: Rule 2 (DENY external access) UDP (In) Remote port: Any Remote Address: Any Local ports: 135-139,445 (ports used by Windows Messenger).

To block port 135 specifically, you can also do it via the registry (set "N" for the HKEY_LOCAL_MACHINE\Software\Microsoft\OLE registry key "EnableDCOM" named value) as per MS Knowledge Base Article 158508.

Yahoo Messenger

By default, once you're chatting with someone, an incoming connection is made from this remote host. To avoir having to open a port each time (and since most people use dynamic IPs, it changes each time), change the Connection settings to "Firewall with no proxies"

Internet Explorer

When you launch IE and run Kerio's Status applet, you will see that IE listens on a UDP port (1459.) Basically Internet Explorer is attempting to look at the temporary files cache to determine if the page is currently in memory (in which case it does not need to be downloaded again,) of if it is new and needs to be downloaded. IE will function without access, but will wait for a timeout to continue.

You would be far better off in creating a UDP loopback rule to allow*all programs* to access the loopback address. As this address is located within the machine, and does not go out to the Internet, there is no danger in allowing all programs to use it. (There areseveral other programs besides IE that use a loopback for various functions.)

Always remember however, that UDP should never be allowed in or out through the firewall, unless you know the specific programs & address that those programs are accessing. UDP is connectionless and can be used to ebstablish an unauthorized connection by an outside party. Basically I would recommend you set up UDP rules (ONLY) for DHCP (if your ISP uses this, probably don't need it if you are using PPP) & DNS. Then the basic loopback (discssed above) and that's all! Allowing ANY other access for UDP can open a can of worms.




Scanning your host