Kerio 2.15 questions

Discussion in 'other firewalls' started by n8chavez, Nov 7, 2008.

Thread Status:
Not open for further replies.
  1. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,635
    Location:
    European Union
As a general rule, the best idea when you want to create a ruleset is to start with a single Deny All rule and build from there. It is very hard to use a set of rules created by someone else because each computer and each network have their own specificity. So, for instance, a ruleset that works perfectly for me might leave big security holes on someone else's computer.
     
  2. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    3,355
    Location:
    Location Unknown
    noone_particular - Thanks for taking the time to give a detailed critique of my set. I appreciate that.

    Does that really matter? It will have no effect either way.

    I have made the above change you suggested. Thanks.

    What port(s) should I allow for SVCHOST.exe? I am using the default rule from the BZ template, so it is not mine.

    That's correct.

    Yes it is. Yahoo games requires certain ports, as does Yahoo fantasy sports. 995 and 587 are email related.


    I use Miranda for Yahoo, MSN and AOL, along with the occasional file transfer.

    I have a rule for port 9. I must have been prompted to create that rule after I posted the set here. My apologies. I have taken your suggestion and restricted the MSN server rules (ports 7001 and 9 only?) to the address range 207.46.26.200 to 207.46.27.255.

    I might as well just delete that rule as I run no programs via proxies and can see having no use for the 127.0.0.1 rule.

    Wouldn't that be exactly what I do not want to do, putting my deny rules first? If I did that then the priority would be given to the block rules, since they would be at the top of the set, correct? That is why I have a time-sensitive rule that blocks everything at 1 am at the top of my set. I was under the impression that deny rules were always placed after accept rules.
     
    Last edited: Feb 6, 2009
  3. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Having "check for new version" causes Kerio to try to connect to their server. Unchecking just stops an unneeded connection. Not important unless you have a usage cap or are on dialup, in which case it will cause the PC to dial out immediately after bootup.
    Without knowing what services you actually use, I can't say for certain that you need to allow any to begin with. Depending on your setup, svchost.exe handles many functions, including some basic networking tasks. Do you use the DNS service? Are you using DHCP or static IPs on your LAN? These functions use svchost.exe. They use ports 53, 67, and 68 and would have to be allowed. A lot of the other services that use svchost are running by default but chances are that you aren't using many of them. The Kerio learning thread went into a lot of detail regarding XP services and the ports/protocols each uses. I'd disable the existing svchost rules and let Kerio prompt you when it tries to connect. If the prompt is for a service you use or need, allow it. If not, block it. You can usually find out if the particular connection is needed by blocking it temporarily and seeing if it causes any problems.

    Regarding the loopback rule, you may find that your browsers want to establish loopback connections. I'm not sure what function these connections serve. I usually use a single IP (127.0.0.1) for loopback rules and specify the port if it's required. Ad Muncher might also require a loopback rule if it inserts itself as a proxy. I've never used it so I don't know what it needs.
    Rule position is not so much a matter of priority. It's establishing the order you want Kerio to use when applying the rules. I'll use your timed rule for an example. During the time period that rule is active, none of the rules below it mean anything because that first rule applies to all traffic. If you put an "allow" rule above it for Opera for instance, your timed rule would block everything except Opera. If you have a rule towards the bottom of the ruleset that blocks all traffic to and from a specific application, it may still be able to gain internet access by using certain rules above the blocking rule. If you have a rule that allows DNS traffic for any application and that rule is above the app's blocking rule, that app will have access to the DNS servers. If the DNS rules don't specify addresses, the blocked app could potentially connect anywhere as long as it used port 53 to do it. The main reason I put blocking rules at the top is to prevent permit rules from acting like exceptions to the blocking rules. Quite often, more than one rule can apply to any given traffic. It really depends on exactly what you're blocking. Example, a rule that blocks all traffic to the NETBIOS ports should be at the top of the list so that no other permit rule can function as a bypass. When you want to block all traffic on specific port(s), all traffic to/from a specific IP range, or all traffic for a specific application or executable, these work best at the top of the ruleset.

    I hate to keep saying "it depends..." but the application you're working with and what you want to accomplish are always factors in deciding where a rule should go. A couple of hypothetical examples.
    You want to allow the browser to connect out to anywhere except for one IP range (specific game servers the kids play way too much). You'd make a blocking rule for the browser with the IP range of the server as the remote endpoint. After this rule, add a permit all outbound rule for the browser. The browser can now go anywhere except for that one IP range.

    My old Yahoo IM rules are another example. Yahoo listened on one port (5051 I think) for incoming UDP from a specific IP range. It also needed to connect out on port 5050 using TCP to another range. Several of Yahoo's features connected directly to the contact's IP, making it necessary for it to be able to connect out to any IP address. It also displayed banner ads from about 4 different IP ranges that I didn't want to see and weren't necessary to its operation. To accomplish this, (working from memory, it's been years since I used Yahoo IM) the rules (all for ypager.exe only) went like this:

    Rule allowing incoming UDP on port 5051 from the IP range of the Yahoo server.
    Rule allowing outbound TCP on port 5050 to the IP range of the Yahoo server.
    Rules blocking outbound TCP to the IP ranges of the adservers.
    Rule allowing outbound TCP on ports 80 and 443 to any IP.

    Yahoo IM had all the necessary access to their servers that it needed to work properly. I could accept new contacts and connect to them without seeing firewall alerts. All the ads were blocked.

    When a blocking rule is for a specific application, it's best to keep it with the rest of the rules for that application. Loopback rules for specific applications should also stay with the rest of the rules for that app. If the loopback rule is port specific, such as would be used with proxy software, the position of the rules for all the involved applications as they relate to each other becomes important. An example would be the browser connecting through Proxomitron or Privoxy. Specific rules aside, an application with its rules at the top of the ruleset won't perform any better than it would if its rules were at the bottom. It only takes a few milliseconds for the firewall to process the ruleset. Traffic permitted by rules at the top does not affect traffic permitted by rules at the bottom of the ruleset.

    I hope this helps and that I haven't made this more confusing than it was. If you need help with specific rules, let me know and I'll do what I can. Firewall rules can be somewhat intimidating if you're new to it but once you get used to it, it isn't all that difficult. One more thing. If you don't already have one, pick up a good whois utility. Sam Spade 1.14 is one of the best. Extremely powerful tool. The program's homepage is gone but the site is still on archive.org. Sam Spade is still available at Major Geeks.
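The first-match evaluation noone_particular describes above (a blocking rule above the permit rules closes bypasses, a permit rule above a block opens one, and the four-rule Yahoo IM ordering) can be reproduced with a small simulator. This is an added example, not Kerio's code and not anything posted in the thread; the executable name `unwanted.exe` and the RFC 5737 documentation address ranges standing in for the Yahoo, ad-server and DNS addresses are constructed for the demonstration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Packet:
    """One connection attempt as the firewall sees it (constructed test input)."""
    app: str         # executable making or receiving the connection
    direction: str   # "in" or "out"
    proto: str       # "tcp" or "udp"
    port: int        # service port (remote port for "out", local port for "in")
    remote_ip: str   # the other endpoint


@dataclass(frozen=True)
class Rule:
    """A Kerio-style rule; a None field means 'any'."""
    action: str                              # "allow" or "deny"
    app: Optional[str] = None
    direction: Optional[str] = None
    proto: Optional[str] = None
    ports: Optional[FrozenSet[int]] = None
    remote: Optional[str] = None             # CIDR of the remote endpoint

    def matches(self, p: Packet) -> bool:
        if self.app is not None and self.app != p.app:
            return False
        if self.direction is not None and self.direction != p.direction:
            return False
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.ports is not None and p.port not in self.ports:
            return False
        if self.remote is not None and ip_address(p.remote_ip) not in ip_network(self.remote):
            return False
        return True


def evaluate(rules: Sequence[Rule], p: Packet) -> Tuple[str, Optional[int]]:
    """First-match evaluation: the first matching rule decides and everything
    below it is never consulted. No match falls through to a final Deny All,
    the starting point Nebulus recommends at the top of the thread."""
    for i, rule in enumerate(rules):
        if rule.matches(p):
            return rule.action, i
    return "deny", None


# Constructed ranges standing in for the real Yahoo and ad-server ranges.
YAHOO = "198.51.100.0/24"
ADS = ("203.0.113.0/25", "203.0.113.128/25")

# The ordering from the post: server rules, then ad blocks, then "anywhere on 80/443".
YAHOO_IM_RULES = [
    Rule("allow", "ypager.exe", "in", "udp", frozenset({5051}), YAHOO),
    Rule("allow", "ypager.exe", "out", "tcp", frozenset({5050}), YAHOO),
    Rule("deny", "ypager.exe", "out", "tcp", None, ADS[0]),
    Rule("deny", "ypager.exe", "out", "tcp", None, ADS[1]),
    Rule("allow", "ypager.exe", "out", "tcp", frozenset({80, 443}), None),
]

# The DNS case from the post: an any-application DNS permit versus a
# per-application block. Which one sits higher decides the outcome.
DNS_ANY_APP = Rule("allow", None, "out", "udp", frozenset({53}), None)
BLOCK_APP = Rule("deny", "unwanted.exe")  # hypothetical application to be blocked


def dns_outcome(block_first: bool) -> str:
    """Return what happens to unwanted.exe sending UDP/53 to an arbitrary host."""
    rules = [BLOCK_APP, DNS_ANY_APP] if block_first else [DNS_ANY_APP, BLOCK_APP]
    probe = Packet("unwanted.exe", "out", "udp", 53, "192.0.2.10")
    return evaluate(rules, probe)[0]


if __name__ == "__main__":
    samples = [
        Packet("ypager.exe", "in", "udp", 5051, "198.51.100.9"),    # Yahoo server -> allow
        Packet("ypager.exe", "out", "tcp", 80, "203.0.113.200"),    # ad server -> deny
        Packet("ypager.exe", "out", "tcp", 443, "192.0.2.77"),      # a contact -> allow
        Packet("ypager.exe", "out", "tcp", 5050, "192.0.2.77"),     # 5050 off-range -> deny
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(YAHOO_IM_RULES, pkt))
    print("DNS permit above app block:", dns_outcome(block_first=False))
    print("App block above DNS permit:", dns_outcome(block_first=True))
```

Swapping the two DNS rules is the whole point of the post: with the permit on top the blocked program still reaches port 53 anywhere, with the block on top it reaches nothing, and the Yahoo ruleset shows that ordering within one application's rules does the same job for ad ranges.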
     