Kerio Firewall - the "Final block" rules

Greetings folk.

A question please (and as I'm a non-techie guy I'll try to describe this in simple terms)

I'm using the Kerio 2.1.5 firewall. I've replaced their default ruleset with BlitzenZ's "Replacement rules"

Now, the final two rules in the "Replacement rules" are "total blocking" rules. They were unticked when loaded into Kerio and one is only supposed to enable them after you have got your Application rules sorted out (viz. allowing Internet Explorer, Outlook Express etc to connect to the Internet)

While one is getting the Application rules sorted, there are a number of "allow" and "Block" rules ABOVE the Application rules. The "block" rules are for things like NetBios, Out ICMP, IGMP both directions etc. etc.

O.K. My question is this ....

If I enable those two final "block all" rules, can I get rid of all the other blocking rules?

So, my rule set would be as follows (from the top down)

Loopback rule - allow
Other "allowing" rules as per the Replacement set
Application rules - allow
Final 2 "block all" rules.

Those final 2 rules are for Any protocal, both directions, all ports, all addresses etc. so it seems to me that they would automatically cover all the other blocking rules "above" them.

I'd appreciate your advice and feedback on this folks.

Take care ...

Dr. Mac

 

I assume that you're referring to BZs ruleset. The BZ rulest is best regarded as a pattern that needs to be matched to your system, not an actual replacement. If you look at the How to Optimize Security in Kerio 2.1.5 -Learning Thread 3, it goes into detail about how to do this. A couple of the members also found a problem with how Kerio handles network-mask rules, which the BZ ruleset uses. If you intend to use BZs rules, I'd change the IPs to either network-range or single IP, whichever applies.

Regarding the last 2 rules, it's impossible to give a definite answer without knowing exactly how specific the rules you're using are. Final blocking are not actually necessary and in some cases, not even desirable. Unless you're using Kerio's lowest setting (permit unknown), everything not already allowed is going to be blocked anyway. You can also accomplish the same thing by raising its setting to "deny unknown". I prefer to use the middle "ask me first" setting combined with blocking rules for specific apps that won't need to receive or send any other traffic that what I've already allowed. Here's an example using my mailer rules.
The allow rule:

The blocking rule:

The blocking rule can be set for both directions if you choose, as long as it follows the allow rule. I chose not to add outbound in case I wanted to add a newsgroup, in which case I'll be asked what to allow. If malware tries to abuse my mailer and use it to connect out elsewhere, I'll also be alerted.

Regarding the blocking rules higher up the ruleset, the location of rules in the set matters with Kerio. It starts at the top, using the first rule that applies. Rules for traffic that you want blocked for everything need to be above any rules that might allow it. Many of the rules in BZs ruleset are for various network setups (the rules whose IPs begin with 10, 169, 172, and 192, aka private IP ranges) and won't apply to your system at all. If you're behind a router, most of the traffic those rules are written for will never reach your system anyway.

The standard loopback rule in BZs ruleset should be treated as an example only, not used as a actual rule. As written, it will allow any app (including malware) not specifically blocked to create a local (loopback) connection and connect using another app that is permitted. I'd make loopback rules specific for applications that have a legitimate need for such traffic only and block the rest. An example of a legitimate use of loopback traffic, browser thru Proxomitron that's specific for one app using one port:

You describe yourself as a non-techie, so some of this might be more that you're ready for, like the loopback rules. There's no reason that you can't treat your ruleset as a work in progress. You can even have several rulesets , one you use normally and several to experiment with if you want. I'd suggest not using BZs ruleset for anything more than a guide. If you're willing to learn how the rules really work and what the different traffic is for, I'd start over with no rules at all and make them one at a time so they exactly match your system and internet service. Kerio's strength is its ability to be very specific in what it allows, what it logs, and alerts to. The Kerio learning thread is a good place to start. If you like, we can move this to it since it also is a work in progress that can help others.

 

Greetings Noone_particular.

Good Lord !!!!!!!!!!!!!

You must have taken hours to write that excellent and detailed reply, complete with the helpful screenshots.

I am very, VERY impressed!

And VERY grateful. Thank you so much.

I'll most certainly start to adjust and tweak my rules as per your suggestions, and will also try to work my way slowly through the Learning Thread 3.

========================================

NO ... please don't move this thread just yet! I'm now going to take a full screen-shot of your post and print it off for my reference.

========================================

Just to bring you up to date ... yes ... I've still got System Safety Monitor up and running and it runs very well on my Win98se box. In fact, with both Kerio and SSM running I haven't noticed any slowdowns at all. And as you suggested a few weeks back, having these two apps should provide me with a very good level of security.

Again ... many, many thinks for your input. A masterpiece indeed.

Go well ...

Dr. Mac

 

Glad to hear the combination works for you. I use it with several operating systems, 9X and NT. Instead of slowing them like many security apps do, they can actually speed a system up slightly when used with the right rules. By blocking traffic that serves no useful purpose to the user, Kerio can actually make the internet a bit faster. It's not enough of an increase for a DSL or cable user to notice but a dialup user can often feel the change. The same applies to SSM on low power units. By preventing processes that don't contribute something to the user, more processor power and memory is available for the users tasks. I've installed that combination with 98 on PCs as weak as 166mhz and was pleasantly suprised. Sure, it was slow, but it was usable, which is more than I expected to get.

When you're ready, there's one more app that's just as light as Kerio and SSM that complements them nicely and fills the one big void in that packages coverage. It's Proxomitron, one of the best web content filters in existence. Like many good apps, it's not maintained, the author is dead, but others still maintain rulesets and updated certificates for it. Like the other 2 apps, it's rule based and is best if you have some understanding of the content to be filtered. In this case, that's HTML and if you want to go that far, javascript. It can block scripts, ads, sites, modify browser headers, user agents, referrers, supports user made whitelists of sites with varying permissions, remote proxies, much more. The default filter set is a good start and can be customized as you get used to it or left on the default setting indefinitely. This one can really speed up the net by blocking all the garbage on the pages.

Another member made a page for 98 users that showed an easy way to protect the registry and other startup locations used by 98. If you're interested and am familiar with DOS, the page is here.

 

Sunday Afternoon (in England)

Greetings again Noone_particular

Thanks for your updates above.

I shall certainly follow your link to take a look at the program you mentioned, then will see what that post has to say about protecting your Win98 system.

Regarding DOS ... yes ... although I'm not a techie, I am very comfortable in DOS. In fact, this is one of the big reasons (apart from finances of course) why I LOVE my 98 operating system and have not "upgraded" to XP.

In the past I have tended to fiddle far too much with files that should be strictly left alone and have totally crashed my box more times than I can remember. I used to have a progream called Nuts and Bolts and used that to get rid of files that I couldn't see any use for at all ... like win.com !!! You can imagine what happened when I then tried to use my computer !!!

In most cases, DOS has saved the day.

Right ... now to go take a look at the two links you kindly provided.

Go well and take good care ...

Dr. Mac