Firewall setup for wireless laptop

Discussion in 'other firewalls' started by T-RHex, May 27, 2010.

Thread Status:
Not open for further replies.
  1. T-RHex

    T-RHex Registered Member

    Jun 10, 2009
    I've been using Kerio 2.1.5 for years under WinXP and BZ's rules with great success. I also have used it for "non-tech" users who are quite happy with it.

    My question is if it's hardy enough for a wireless laptop (used by non-tech users) which will be roaming about on different networks. Obviously I don't want to set it to blindly trust every network it connects to, and I don't want the users to have to go in and tweak settings every time they move to a different network.

    Is there a simple setup solution with Kerio? I've been looking at moving them to either OA Free or OP Free, but I don't know if that's solving anything or just moving the problem to a different application.

    Are there specific rules that should be put in place (or taken out) for a wireless "roaming" setup? I suppose with OA/OP Free I could set different "trusted" rules for the wireless adapter vs. the ethernet port? i.e. when they're plugged in at home (ethernet) it would be "trusted", but when using wireless it would be untrusted?

    For example, with my Kerio ruleset I would think of:
    • disabling the "router configuration" rule (Any Protocol/Any Port/routerIP)
    • enabling "Unrestricted DNS" (UDP(both dir)/Ports 49152-65535/Any address:53) because who knows what ISP they'd be connecting to each time.
    • And what about DHCP? Would I just go with "Unrestricted DHCP" (UDP(both dir)/localhost:68/Any address:67)? Or is there a better way to lock that down?
    Any recommendations (for setting up rules) and/or success stories would be appreciated. I'm not looking for a firewallX vs. firewallY comparison unless there's a specific reason like "FirewallX doesn't work well in that scenario".

  2. act8192

    act8192 Registered Member

    Nov 9, 2006
    Assorted bunch of hints below, nothing comprehensive :(
    - Yes, disable router config rule, but almost no point since your rule seems to have routerIP included and that's unlikely to be hit in a hotspot. I actually don't know what a router configuration rule is. You mean the http to the router connection?
    - No, don't allow unrestricted DNS. Instead, in the Network properties for TCP/IP protocol for the wireless adapter, as well as the wired, use OpenDNS addresses instead ( and Ditto in Kerio.
    I don't think you need to limit DNS local ports to the 49152-65535. They sometimes use lower numbers.
    - Yes, I think you need to have unrestricted DHCP. If they visit known places, you could collect the DHCP addresses (I did that), but usually it's rough to do if the places are unpredictable.

    In Kerio is a Microsoft filesharing tab - if enabled, make sure only the home IPs are there in the Custom group - router and LAN computers.
    In the rules, if you don't have them for NetBIOS, make rules UDP/TCP(both) from 1028-5000 local to remote 135,137-139,445 for Custom group only, and
    TCP/UDP(both) from 135,137-139,445 of custom group IPs to local ports 1028-5000.
    135 and 137-139 are used by SYSTEM, 445 by svchost. Both apps can actually get any port permissions so long as you keep svchost and system on the LAN and you trust all computers on the LAN (some people with trojan-downloading-teenagers do not like that).

    Block mail. Many of those hotspots do not have any security.
    Block all ports other than 80 and 443 for the browsers.

    Bottom line - if you set up everything for the home situation, then Kerio will block any of those when not connected to the custom LAN addresses. Worked for me. Log reviews were very helpful in setting up, so as you set up, do log everything for a while.

    So, that's just a few suggestions. If you go along with something from above, and expand it for your home needs, you will not have to make a home or away configuration, though that is an option. Such configuration can be reloaded before going roaming. I don't like to maintain two configurations though.

    I don't think another firewall will make it any easier. Roaming the hotspots is rough to setup. And some firewalls will automatically discover a new network and trust them and that might cause problems.
    I never used BZ rules, though I read the stuff and they're great. It's difficult to answer your question because obviously you've customised those rules by now, and even then I'd have trouble. So this is the best I can add now.
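As an added illustration (not Kerio's code or act8192's actual configuration): a small Python model of the rule set described in the post, evaluated first-match against constructed packets, which shows why one "home" configuration also behaves safely on a hotspot. The LAN range, resolver addresses and process names are constructed placeholders.

```python
# Added example (not Kerio's code): a first-match model of the rule set the
# post describes, run against constructed traffic from home and from a hotspot.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

HOME_LAN = ip_network("192.168.1.0/24")  # constructed "Custom group": router + LAN hosts
RESOLVERS = {ip_address("192.0.2.1"),    # constructed stand-ins for the resolver
             ip_address("192.0.2.2")}    # addresses entered in TCP/IP properties
NETBIOS = [(135, 135), (137, 139), (445, 445)]
EPHEMERAL = [(1028, 5000)]

@dataclass
class Packet:
    app: str        # local process: "system", "svchost", "browser", "mail"
    proto: str      # "tcp" or "udp"
    direction: str  # "out" or "in"
    local_port: int
    remote_port: int
    remote: str     # remote IP address

def in_range(port, spec):
    return any(lo <= port <= hi for lo, hi in spec)

def netbios(p):
    # SYSTEM/svchost may talk NetBIOS/SMB only with the custom group, either direction.
    if p.app not in ("system", "svchost") or ip_address(p.remote) not in HOME_LAN:
        return False
    if p.direction == "out":
        return in_range(p.local_port, EPHEMERAL) and in_range(p.remote_port, NETBIOS)
    return in_range(p.remote_port, NETBIOS) and in_range(p.local_port, EPHEMERAL)

# (name, match, verdict): evaluated top to bottom, first match wins, no match = block.
RULES = [
    ("dhcp", lambda p: p.proto == "udp" and p.local_port == 68 and p.remote_port == 67, "allow"),
    ("dns", lambda p: p.proto == "udp" and p.remote_port == 53
                      and ip_address(p.remote) in RESOLVERS, "allow"),
    ("netbios", netbios, "allow"),
    ("browser", lambda p: p.app == "browser" and p.proto == "tcp" and p.direction == "out"
                          and p.remote_port in (80, 443), "allow"),
    ("mail", lambda p: p.app == "mail", "block"),
]

def decide(p):
    """Return (verdict, rule name) for a packet; unmatched traffic is blocked."""
    for name, match, verdict in RULES:
        if match(p):
            return verdict, name
    return "block", "default"
```

On a hotspot, NetBIOS to the hotspot's hosts and DNS to the hotspot's own resolver both fall through to the default block, while DHCP, browsing on 80/443 and DNS to the configured resolvers still work.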
  3. T-RHex

    T-RHex Registered Member

    Jun 10, 2009
    Thanks for the info, I appreciate the input.

    Good tips about setting the DNS servers; I hadn't really thought about that. I usually limit the server IPs in the firewall, but not directly with the TCP/IP settings.
    Blocking mail is a problem, since that's one task they want to do while roaming about with the laptop (netbook, actually).
    I'm currently trying out OA Free and Avast to see how they work together. I think OA might be a bit easier to troubleshoot than Kerio for non-tech users, especially with the online help and support forums. Plus, once it's set up it should be pretty quiet.
    The other reason I'm trying OA is I finally have to look for a replacement for Kerio on my WinXP Pro PC ... it fails every 4th or 5th startup and I suspect it's due to having two NICs. Though I suppose I could always try disabling one of them.

    Anyway, thanks for the suggestions. They're good no matter what firewall I go with.