Can Someone Just Beat It Into me Please :)


FireDancer
July 31st, 2003, 03:04 AM
Hello All,

Writing today again to :( ask about some things, and hope I don't look
too dumb in doing so. I have been really struggling with understanding
what DHCP, DNS, ICMP and IGMP are and how they work and why?

What order they should go in and why? For a few days now I have been
reading from different links and I find they all have one thing in
common... it's all "Techno Talk". I have read that to make your firewall
good and secure it is "critical" to make the order of your rules work.


When I installed my firewall and opened up the rules tab I got scared...
but I did notice they came with defaults so I thought to myself, self,
this won't be too hard... boy was I wrong. I'm one of those guys that if I
can see it or touch it and watch it work I can understand it... in my
neck of the woods we call that (simple) or a "corn fed country **** !
LOL! Well, you get the idea anyways.

I have set or, for lack of a better word... (HIJACKED) some rules for my
firewall and I don't feel by doing this I am learning anything but to steal
and be ignorant of what I am doing. I have some questions for you so bear
with me ok?

Rule number 3 is DHCP UDP both ways Local any/any(68) remote XXX.XXX.XX(67).
In this DHCP rule XXX.XXX.XX would be my IP address that my router gives off,
correct? And below that I have DHCP broadcast TCP out local any(68) remote
XXX.XXX.XXX(67); that would be the subnet mask, correct?
What's the difference between DHCP and DHCP Broadcast? What does DHCP do?

Rule 4 I have set for DNS. I made 2 rules, 1 each for XXX.XXX.XXX, which would
be my ISP's DNS servers, correct? I made these rules because I think that
I would not always be using one specific address, and so I can make 2 rules
in case I don't connect to one I can always connect to the other.
What is DNS's specific job?

What does ICMP do?

Now to the really fun part :) ICMP ugh... I have several rules set for this.
Incoming ping 8 Inbound any/any, which I think means Echo Request, i.e. are
you there? I would think that needs to go Outbound???

Next, outgoing ping 0, 3, 11 inbound any/any... well, let's just say I'm lost here.
0 = echo reply, 3 = destination unreachable, 11 = time limit exceeded. I think
that it depends on who is knocking on the door as to what answer I am gonna
give. 0 would be I am here and alive, 3 would be I am unreachable and 11
would be you took too long!!! Am I close?

Next I have outgoing ping 3, 8. Now this I don't get: 3 destination unreachable
and 8 echo request... who is unreachable? And who is making the request?

Next I have outgoing reply 0, 8. These are to me, ask and answer:
0 = answer... yes I am here and alive, 8 = asking if they are there?
If I am even remotely close then these orders are bad, correct?

Block all other ICMP would be if I get a response other than what I
have listed, i.e. a 10 or a 15, ignore it!!!!????

Below I am posting a screen shot of my current rules. Hope someone
can take a good look at them and tell me if my firewall is working
properly or if I need changes, and if so for what reasons.
As you can tell I am far from being a GURU... LOL maybe I should
keep my day job huh? :D. I greatly appreciate Wilders Security
for helping me and all the patience Wilders put into a
Knuckle Head like me!!!! :)

Best Regards,
Desperately Wanting To Learn
FireDancer

BlitzenZeus
July 31st, 2003, 03:43 AM
You're trying to take advice you don't understand from multiple sources, and use all of them. That is the problem, since it's making you confused because you don't understand the material. You have been given many links and examples. Not everyone does it the same way; when you understand rule based firewalls you develop your own way of working with them since the configurations can be highly complex.

To alter the rules you have right there, here are my suggestions:

DHCP Broadcast - Change the remote to 255.255.255.255 which is the correct address.

DNS - If those are your DNS servers that should be fine, but also note you can use your custom address group. You can stick all your DNS servers in there so you only need one DNS rule.

ICMP - I will do inline rules

[_] In ICMP 8 (Allow Remote Ping/Trace) - Enable this when you want to, and you can even make one of these rules with a certain remote address so only that site will be allowed to ping you. You can also see this link which was previously posted for your viewing. Example ICMP Configuration (http://www.broadbandreports.com/forum/remark,2649460~root=kerio~mode=flat) Note this suggestion doesn't 100% match the link, but for a basic configuration you will be fine.

[X] In ICMP 0, 3, 11
[X] Out ICMP 0,3,8
[X] Block all ICMP

With your system ports blocking rule, you can delete the first netbios rule you have, and move the second one below your block all ports rule. I don't recommend that you have your block all ports rule on alert, and you should rename it to 'Block lower ports' as it's not a true block all rule.

The order of the rules is only important for function; however, many people like me keep them organized into groups while also considering their order so they work properly. If you want something allowed, make sure there is no rule above it that would block it first, and if you want something blocked, make sure there is no rule that would allow it first.

As far as how protocols work, that's getting into more advanced 'techno babble', but if you want to learn more about them just go on google. I don't have any 'how they work' links, all of my links are technical with all of their protocols, types, codes, etc... without explaining what they are.

CrazyM
July 31st, 2003, 05:13 AM
Hi FireDancer

{QUOTE-> Writing today to again to ask about some things, and hope I dont look to dumb in doing so. I have been really struggeling with understanding what DHCP, DNS, ICMP and IGMP is and how it works and why? <-QUOTE}

Better to ask, learn and get it right than leave yourself wide open :).

{QUOTE-> What orders they should go in and why? <-QUOTE}

Generally speaking you will want to keep what I refer to as System Rules, at the top of your rule set. These will include what you have mentioned: ICMP, DNS, Bootp/DHCP and Loopback. The reason for this is that they are required for your system to function properly.

While some may have a different order, my rule of thumb is:
ICMP
DNS
Bootp/DHCP
Loopback

{QUOTE-> Rule number 3 is DHCP UDP both ways Local any/any(68) remote XXX.XXX.XX(67) in this DHCP rule XXX.XXX.XX would be my IP address that my router gives off correct? <-QUOTE}

Your Bootp/DHCP rules allow you to obtain and renew your IP address from a DHCP server. The IP address of your DHCP server will be available when you run ipconfig /all.

{QUOTE-> And below that I have DHCP broadcast TCP out local any(68) remote XXX.XXX.XXX(67) would be the sub net mask correct? <-QUOTE}

This rule should be UDP, and the broadcast address is 255.255.255.255.

{QUOTE-> Whats the differance between DHCP and DHCP Broadcast? <-QUOTE}

The first rule being restricted to your DHCP server(s) is just to limit/tighten up the rule set. Most default Bootp/DHCP rules allow in/out to any address. When obtaining/renewing your IP your system will use a broadcast to do this.

{QUOTE-> Rule 4 I have set for DNS. I made 2 rules 1 each for XXX.XXX.XXX which would be my isp's DNS servers correct? I made these rules because I think that I would not always be using one specific address and so I can make 2 rules in the case that I dont connect to one I can always connect to the other <-QUOTE}

Your DNS rules look fine and it is a good idea to restrict those to your ISP's DNS servers. If you have multiple DNS servers (my ISP has 4), you could use BlitzenZeus' suggestion and add them to the custom address group allowing for one rule.

{QUOTE-> What is DNS's specific job? <-QUOTE}

One basic function of DNS servers is to look up www.wilderssecurity.com (which you type into your browser) and convert it to an actual IP address (66.227.68.99) that the internet uses.

{QUOTE-> What does ICMP do? <-QUOTE}

Basically for network (Internet) error messages and troubleshooting.

Most users will only need to allow a few ICMP types.

Allow ICMP, Inbound, type 0 (echo reply), type 3 (destination unreachable), type 11 (time exceeded)

Allow ICMP, Outbound, type 3 (destination unreachable), type 8 (echo request)

This will allow you to ping and traceroute other systems (types 0, 8, 11) and the type 3 helps with high speed connections and allowing troublesome connections to time out properly.

The following will cover what I would consider the most basic requirements.

ICMP Rules

Allow ICMP, Inbound, type 0, 3, 11
Allow ICMP, Outbound, type 3, 8
Block ICMP, direction Both, Any, Log.

DNS Rules

Allow UDP, direction Both, remote service/port 53, remote address "your ISP DNS server"

Bootp/DHCP Rules

Allow UDP, direction Both, local service/port 68, local address Any, remote service/port 67, remote address "Your DHCP server"

Allow UDP, Outbound, local service/port 68, local address Any, remote service/port 67, remote address 255.255.255.255

LoopBack Rules

Allow TCP/UDP, direction both, local service/port Any, local address 127.0.0.1, remote service/port Any, remote address 127.0.0.1

Regards,

CrazyM

Edit: first Bootp/DHCP rule direction to Both

FireDancer
July 31st, 2003, 06:12 PM
Hi CrazyM and BlitzenZues

I have studied your most recent posts to me and I am now understanding a little bit more about the specific "Rules" and how they work. I want to thank you both for giving me the answers I needed. I have made a few changes to my rules per your instructions/advice/teaching and came up with what I believe to be a basic, but secure set up for my needs.

I want to ask a question here and see if I am correct in my thinking.
As far as DHCP goes... could you, per se, stack the rules for UDP both ways in and out? So as to set a single rule. As CrazyM explained to me in his post, the DHCP rule would need an inbound and an outbound to obtain and renew your IP address, so I am assuming that the outbound UDP is in effect keeping me in contact with my ISP. And the inbound UDP is keeping my ISP in contact with me. This is what keeps me "ALWAYS" connected via cable modem, correct? This being a constant loop for only me and my ISP.

Could I stack the rule for UDP both ways to handle the traffic both ways in one rule? Or does this defeat the local and remote endpoints, IP and subnet mask?

Example: DHCP UDP both ways local any 68 remote XXX.XXX.XXX/XXX.XXX.XXX 67 (would this example work?) (IP add) (sub net)

DNS resolves my request to a particular site www.blah.blah and converts it to 111.111.111.0 through the particular servers I use AND only those servers, not just any. Correct?

BlitzenZeus, with making a DNS rule for all servers, I opened the rule up and in remote address
it gives me the Custom Address to click on but nowhere do I see where to enter the addresses.
Does this function automatically detect your addresses or??? Am I doing something wrong?

ICMP is the request and response of who I am pinging, or is pinging me,
and what I have set in my rules will dictate this as to how it is asked and answered, correct?

Loop Back enables me to stay connected to whatever site I am visiting. Sending data packets back and forth from a site to me and keeping the connection. UDP/TCP Am I correct?

In as much as rules... Thanks to Blitzen' I now have something stuck in my head.. and it was exactly what I was looking for in laymen terms.

Quote: The order of the rules is only important for function; however, many people like me keep them organized into groups while also considering their order so they work properly. If you want something allowed, make sure there is no rule above it that would block it first, and if you want something blocked, make sure there is no rule that would allow it first.

This above statement cleared a lot up for me, as for some reason in recent posts from others (wink Blitzen!) I was not getting it.

CrazyM thanks for the help with the order of basic rules; it gives me a starting point. If I am understanding correctly it is not the order
(by classification)... meaning if you start with DHCP settings or DNS settings or ICMP settings, as long as the rules all filter from the top to the bottom of the list. Running the defaults would give you basic protection, but in essence it would not be very tight if you did not make tweaks to the local/remote end points or ports.

And as Blitzen so eloquently put it, keeping your settings in order such as DHCP at top, next DNS settings and so on down the list makes for easier and neater controlling of rules.

I have decided to go with the set up in this order for rules
and feel comfortable with all settings at this time. Included is a screen shot of current rules.
I would appreciate any responses... Again HUGE Thanks to CrazyM and BlitzenZeus!!!


Sorry about the long post, I just wanted to get all I could in so that I won't have to bother you
both so much... but as for picking your brains :) I am not sure I am ready to give that up!!!! LOL

DHCP
DNS
ICMP
Block all other ICMP
Block all other IGMP (there's a whole new set of questions!!! LOL)
LoopBack
Block all lower ports 1-1023 (period) as Blitzen said it was not a real rule set to Block ALL Ports!
NetBios
Applications/Software Updates

Best Regards,
FireDancer

CrazyM
July 31st, 2003, 07:43 PM
Hi FireDancer

{QUOTE-> As far as DHCP goes... could you, per se, stack the rules for UDP both ways in and out? <-QUOTE}

You could have one rule, UDP, direction both, local port 68, remote port 67, but the addresses would have to be left to any.

On reviewing my earlier post and seeing your rules as they are now, just change your first DHCP rule to direction Both. This allows connections both ways with the trusted DHCP server. You will still require your broadcast rule which is fine. This separate outbound is still required because this outbound request (broadcast) will not be allowed by the first rule.

{QUOTE-> DNS resolves my request to a particular site www.blah.blah and converts it to 111.111.111.0 thru the particular severs I use AND only thos servers not just any. Correct? <-QUOTE}

Correct.

{QUOTE-> BlitzenZeus, with making a DNS rule for all servers, I opened the rule up and in remote address it gives me the Custom Address to click on but nowhere do I see where to enter the addresses. Does this function automatically detect your addresses or??? Am I doing something wrong? <-QUOTE}

In the advanced admin there should be tab/location for custom addresses. There you can add trusted IP's, such as DNS servers, and then use the option of Custom Addresses in your rule(s).

{QUOTE-> ICMP is the request and response of who I am pinging, or is pinging me,
and what I have set in my rules will dictate this as to how it is asked and answered, correct? <-QUOTE}

I would change the wording for your first few ICMP rules for clarification.
Inbound ICMP type 8 (disabled)
Inbound ICMP type 0, 3, 11
Outbound ICMP type 0, 3, 8
With your block other ICMP rule, these ICMP rules will allow you to ping and traceroute other systems. Remote systems will not be able to ping you. If you enable your first rule, Inbound ICMP type 8, then remote systems will be able to ping you. (Note you will have to add Outbound type 0 to your Outbound rule)

{QUOTE-> Loop Back enables me to stay connected to whatever site I am visiting. Sending data packets back and forth from a site to me and keeping the connection. UDP/TCP Am I correct? <-QUOTE}

The Loopback rule allows your system and applications to talk to themselves, so to speak. These communications are restricted to 127.0.0.1 or localhost, which is your own system. They do not leave your system. If you look in the connections window, you will see Kerio utilizes loopback to communicate with itself. IE also uses UDP loopback to function properly as another example you will see in the connections window.

Regards,

CrazyM
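
The rule set CrazyM laid out in his earlier post, and the two points made in this one (the single "both" DHCP rule still needs the separate broadcast rule, and enabling Inbound ICMP type 8 also needs Outbound type 0), as an added example that is not from the thread and not Kerio's own code. It is a small first-match evaluator of the kind BlitzenZeus describes (top to bottom, first matching rule decides); the addresses, the DHCP server and the DNS address group are constructed.

```python
# Added example: first-match evaluator for the basic rule set in the thread (not Kerio's code).
from dataclasses import dataclass
ANY = None  # wildcard for any rule field

@dataclass
class Rule:
    name: str
    action: str                 # "allow" or "block"
    proto: object               # "icmp", "udp", "tcp" or ANY
    direction: str              # "in", "out" or "both"
    local_port: object = ANY
    remote_port: object = ANY
    local_addr: object = ANY    # one address, a set of addresses, or ANY
    remote_addr: object = ANY
    icmp_types: object = ANY    # set of ICMP types, or ANY
    enabled: bool = True

@dataclass
class Packet:
    proto: str
    direction: str                      # "in" or "out" from the local host's view
    local_addr: str = "192.0.2.10"      # constructed local address
    remote_addr: str = "198.51.100.7"   # constructed remote address
    local_port: object = None
    remote_port: object = None
    icmp_type: object = None

def _match(want, got):
    if want is ANY:
        return True
    return got in want if isinstance(want, (set, frozenset)) else want == got

def matches(rule, pkt):
    if not rule.enabled or not _match(rule.proto, pkt.proto):
        return False
    if rule.direction != "both" and rule.direction != pkt.direction:
        return False
    return (_match(rule.local_port, pkt.local_port) and _match(rule.remote_port, pkt.remote_port)
            and _match(rule.local_addr, pkt.local_addr) and _match(rule.remote_addr, pkt.remote_addr)
            and _match(rule.icmp_types, pkt.icmp_type))

def evaluate(rules, pkt):
    """Walk the list top to bottom; the first matching rule decides, else block."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.name
    return "block", "default"

DHCP_SERVER = "192.0.2.1"                     # constructed
ISP_DNS = {"198.51.100.53", "198.51.100.54"}  # constructed custom address group

def basic_rules(allow_remote_ping=False, outbound_echo_reply=False):
    # CrazyM's order: ICMP, DNS, Bootp/DHCP, Loopback. Inbound 8 is the optional "let others ping me" rule.
    out_types = {3, 8} | ({0} if outbound_echo_reply else set())
    return [
        Rule("In ICMP 8 (remote ping)", "allow", "icmp", "in", icmp_types={8}, enabled=allow_remote_ping),
        Rule("In ICMP 0,3,11", "allow", "icmp", "in", icmp_types={0, 3, 11}),
        Rule("Out ICMP", "allow", "icmp", "out", icmp_types=out_types),
        Rule("Block all other ICMP", "block", "icmp", "both"),
        Rule("DNS", "allow", "udp", "both", remote_port=53, remote_addr=ISP_DNS),
        Rule("DHCP server", "allow", "udp", "both", local_port=68, remote_port=67, remote_addr={DHCP_SERVER}),
        Rule("DHCP broadcast", "allow", "udp", "out", local_port=68, remote_port=67, remote_addr={"255.255.255.255"}),
        Rule("Loopback", "allow", ANY, "both", local_addr="127.0.0.1", remote_addr="127.0.0.1"),
    ]

def block_first(rules):
    # Misordered variant: "Block all other ICMP" moved above the ICMP allows.
    block = next(r for r in rules if r.name == "Block all other ICMP")
    return [block] + [r for r in rules if r is not block]
```

With the default set, an inbound echo request (type 8) reaches "Block all other ICMP"; the same packet with the block rule moved to the top blocks your own outgoing pings, which is the ordering pitfall BlitzenZeus warned about.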

CrazyM
July 31st, 2003, 07:55 PM
Hi FireDancer

Just to keep life interesting, I notice in your sig that you're behind a router. You could always configure your system with a static IP and do away with your DHCP rules.

Regards,

CrazyM

FireDancer
July 31st, 2003, 08:13 PM
CrazyM,

Hi there, thanks for all the help, and would static be beneficial? I went to the advanced admin and highlighted the rule I want to edit (DNS) and when I click on remote port
options I see Custom Addresses but can not change it or type there. There is also an ability to select network/Range and that's how I have it now; when you click those you get 2 boxes, First Add: Last Add:, so I entered one in one box and the other in the other :) rofl

Hey! You think I'm getting a handle on this stuff? :)

As far as ICMP are you saying I need to add another rule or was that optional?

Very Best Regards,
FireDancer

CrazyM
July 31st, 2003, 08:36 PM
{QUOTE-> FireDancer: Hi there, thanks for all the help, and would static be beneficial? <-QUOTE}

It can be, depending on what advanced features of your router you may use. It can also be helpful when defining firewall rules for LAN systems. If these are not a concern, don't worry.

{QUOTE-> I went to the advanced admin and highlighted the rule I want to edit (DNS) and when I click on remote port options I see Custom Addresses but can not change it or type there. There is also an ability to select network/Range and that's how I have it now; when you click those you get 2 boxes, First Add: Last Add:, so I entered one in one box and the other in the other <-QUOTE}

Using the range is fine if your DNS server IP's are sequential. If not, you are better off to have individual rules or add them to the custom address list and then use that option in the rule. (Have you added your DNS servers to the custom address list?)

{QUOTE-> Hey! You think I'm getting a handle on this stuff? :) <-QUOTE}

:)

{QUOTE-> As far as ICMP are you saying I need to add another rule or was that optional? <-QUOTE}

Just add type 0 to your Outbound ICMP rule.

Regards,

CrazyM

FireDancer
July 31st, 2003, 08:49 PM
CrazyM,

LAN features hmmm, let's see, I have a second puter sharing the access but no shared file/printer.
To be honest I think that 2 or more sharing is considered a LAN.

As far as DNS rule I guess I can make 2 rules as I can not find where to add the address to once I click on the option custom address (nothing opens up for me to type in)

Static.... hmmm CrazyM are you trying to make me Crazy!! LOL I am just getting this down rofl :D but if it is more beneficial then I want to learn... well, I just want to learn, period!

My firewall protects just my puter right? If so I need to put something simple on my kids as only God knows what my oldest daughter lets happen :(

Regards,
FireDancer 8)

CrazyM
August 1st, 2003, 12:09 AM
{QUOTE-> FireDancer: As far as the DNS rule, I guess I can make 2 rules as I can not find where to add the address to once I click on the option custom address (nothing opens up for me to type in) <-QUOTE}

You first have to add your DNS server IP's to the custom address group. You will find this under administration > firewall > advanced > miscellaneous

Once entered there, you only need to select custom addresses in your rule.

Regards,

CrazyM

CrazyM
August 1st, 2003, 12:26 AM
Hi FireDancer

After all this hard work, be sure to save off your rule set. You can do this under administration > miscellaneous > firewall configuration files.

Once saved (by default to the Kerio directory), copy it elsewhere for safe keeping. If you ever have to reinstall you can then just load that .conf file without having to redo your rules. This file is also portable between systems.

{QUOTE-> FireDancer: My firewall protects just my puter right? If so I need to put something simple on my kids as only God knows what my oldest daughter lets happen :( <-QUOTE}

Yes just your system. You could install Kerio on the other system, load your saved .conf file as a good start for a rule set for that system. If it ends up being quite different, save it once it is done with a different name.

Regards,

CrazyM

CrazyM
August 1st, 2003, 12:35 AM
{QUOTE-> FireDancer: LAN features hmmm, let's see, I have a second puter sharing the access but no shared file/printer. To be honest I think that 2 or more sharing is considered a LAN. <-QUOTE}

If you should decide to enable file/printer sharing, be sure to password protect it. In Kerio you can go to the Microsoft Networking tab and enter a trusted address group = your LAN. This will allow basic sharing without having to make specific rules for it.

Regards,

CrazyM

FireDancer
August 1st, 2003, 02:46 AM
Hi CrazyM,

I got the custom address' in and working :)
Do I need to have (enable DNS resolve) check marked?

As far as the other system in the house I just installed AVG 6.0 and free ZA as they are both easy for my daughter to use and give some decent protection.

ZA I set for her applications and will check it frequently to make sure there are no problems.

BTW I sent you a e mail hope you get a chance to look at it and give me some input. I want to thank you very very much for all the hard work you have put in today I feel it really paid off. ;D ;D


Very Best Regards,
FireDancer

CrazyM
August 1st, 2003, 08:06 AM
{QUOTE-> FireDancer: I got the custom address' in and working :) <-QUOTE}

That is good, and helps keep down the number of rules.

{QUOTE-> Do I need to have (enable DNS resolve) check marked? <-QUOTE}

No, you can leave that disabled. That is for resolving addresses in the logs.

{QUOTE-> As far as the other system in the house I just installed AVG 6.0 and free ZA as they are both easy for my daughter to use and give some decent protection.

ZA I set for her applications and will check it frequently to make sure there are no problems. <-QUOTE}

Sounds good.

{QUOTE-> BTW I sent you a e mail hope you get a chance to look at it and give me some input. I want to thank you very very much for all the hard work you have put in today I feel it really paid off. ;D ;D <-QUOTE}

Glad we could be of help and check your mail :)

Regards,

CrazyM