Kerio Rules

Hi

Had it installed a few days, seems fine, but just wanted to see if I should tweak any of these rules. Still a few applications that I let online that I haven't ran yet, but I don't think they will be the problem, it's just all this stuff at the top I don't really understand.

 

Not really my firewall, but I thought I might direct you to the Tiny-Kerio FAQ at DSLR http://www.dslreports.com/faq/security/2.5.1.+Kerio+and+pre-v3.0+Tiny+PFW .
After that, there's the associated forum at http://www.dslreports.com/forum/kerio .

Some of your rules (especially up near the top) look a bit loose to me and it should be possible for you to tighten them up, I believe. Check those two URLs above for some tips.

 

Hi,

I should not use a general loopback rule but only for the needed applications, like IE and OE for instance.
DNS rules only for your ISP DNS servers.

You might have a look here :
http://tinylink.com/?jX9T2MsOVq

(French but the rules are edited in Eng)

Rgds,

 

Cheers.

I changed the loopback so only IE uses it.

Sounds lazy but do I really need to go through all that lot?
It'll take ages

I don't like ZA, too bulky, so maybe Outpost or Sygate are better for me
if you need to really setup all this stuff?

 

The basic problem is pretty much the same with all of the rules-based firewalls. And, in saying that, I specifically include Tiny/Kerio/Sygate/Outpost/LnS/NIS/NPF. (And the rules are pretty much translatable from any of the above to any other. Indeed, the people that write recommended rulesets for one often collaborate with people writing rulesets for another.)

However, there's no need to freak out about all this. Most of them start off with a set of default rules that are at least as rigorous as what you would find with the free version of Zone Alarm. Take your time, do it at your leisure (and you'll learn a lot more about firewalls in the process).

What we're talking about here is tightening the rules up as much as possible to reflect your specific needs and requirements, based on your particular system configuration -- that's all.

There's admittedly a bit of esoterica in all this, but if you just take it one step at a time, you'll do just fine.

 

if you arent willing to spend time and tweak your rules for Kerio then i would suggest a different firewall.

Sygate personal firewall is very easy to use. it is an application based firewall with the capabilities to make advanced rules if you want to.
http://soho.sygate.com/products/shield_ov.htm

this site will help you learn about it. very good info
http://home.bellsouth.net/p/s/community.dll?ep=16&groupid=60610&ck=&userid=1&userpw=.&uh=1,0,

plus they have a support forum if you need it.
http://forums.sygatetech.com/

 

Hi

Well if Kerio default rules are more rigorous than ZA anyway, i'll do it at my own pace like you say

And i'm a single user home pc, using Windows 2000 and connecting to the net using NTL Cable STB connected by NIC if that makes any difference.

 

JacK,

Does the following link lead to the same discussion in English?
http://www.blarp.com/faq/faqmanager.cgi?toc=kerio (plus maybe some other information?

 

Jaxson.

The rules in Kerio aren't that hard to configure.
I did it.I thought it would be much more difficult.

A Google search helped me a lot.I saw a lot of options.Some I used,some I didn't.
I added 6 rules and while that doesn't seem like much,I'm comfortable with that for now.

I'm sure that I will have to tweak my rules.
But most of "my" rules are set.The default rules took care of most of my concerns.

 

Hello Joseph,

Not really, I know the KPF FAQ , NL and Blarp (nice guy BTW) where you will find the basic rules, on the french given link you will find tighter rules for people seaking more control on KFP.

Nice WE,

 

Hi jaxson

You have already been provided with some good links. Here are a few more to look at for some ideas:

Customizing Rules
System Wide
Global Permit/Block
Application
Final Block

Although the terminology varies from product to product, the concept or intent of the rules remain the same. (ie. Remote Address Kerio refers to as Remote Endpoint)

As a starting point for your application rules, you may want to look at restricting them to the remote services/ports you will need. Right now your application rules permit outbound to any remote service/port.

Example:
Internet Explorer: remote service/port - 80, 443, 8080
Microsoft Outlook: remote service/port - 25, 110

Default rules with the Kerio install that you can probably remove:
Local Security Authority System
Microsoft DS
Services and Controller App
Generic Host Process

The Reply from DHCP should already be covered by the default DHCP near the top of your rule set.

The loopback rule concern can be dealt with a number of different ways. If you choose to go on a per application basis that is fine. I have attached an image of a rule set as an example only and to provide you with some ideas and it uses per application loopback rules. Note if you use a final block for outbound, make sure you enable logging as this will usually disable the rule assistant/wizard in most products and you will not be prompted for new applications wanting to access the network. They will just be blocked and logged. As has already been suggested, there is no one rule set for everyone. You will have to determine what best suits your needs.

For some of your specific applications, you may need to enable logging for short periods while using the application to determine just what local and remote services/ports and addresses are used to help determine how you customize the rules for those applications.

edit to update image and text accordingly - CrazyM

Regards,

CrazyM

 

Hi

Thanks for all the helpful replies. Here are my latest rules after editing
from your advice.

Are my basic system rules ok?

Ive edited some applications a little, but I don't know what port they use and stuff, anyone able to help with MSN and Kazaa as they are quite common.

 

Hey Jaxson,

You got the basic rules set up good IMO.

I don't know the ports regarding Kazaa and MSN.
CrazyM mentioned enabling logging and watching the programs for info on the ports and addresses that are used.
I hadn't thought of that.

 

Jaxson -

For the very first rule, I'd block Kerio itself from TCP & UDP. This might sound weird but it provides a little protection should the firewall itself be compromised.

Then put a rule right beneath the DNS rule blocking all traffic to and from Port 53 (remote). Since you have DNS already as restricted as it can be there is no point in allowing Port 53 traffic to continue further down the list. Ditto for DHCP.

I would also enable that last rule blocking everything.

You should consider adding some spyware IP filters if you plan on using IE and IRC, since a lot of the spyware out there likes to hijack IE, and if you use auto DCC on IRC you can get something loaded on your system quite easily.

All in all it looks like a good setup.

Sponge
Sponge's Anti-Spyware Source
www.geocities.com/yosponge

 

Nice catch LWM

A more effective way would be to have two rules:

Block inbound netbios
protocol: tcp/udp
direction: inbound
local service/ports: 135-139
remote service/ports: any
any address

Block outbound netbios
protocol: tcp/udp
direction: outbound
local service/ports: any
remote service/ports: 135-139
any address

If he activates his final block rule, that would also cover the above.

Regards,

CrazyM

 

Hello,

I should add a second DNS rule :

Description: Other DNS
Protocol: TCP and UDP
Direction: Both
Local Port: Any
Local App.: Any
Remote Address Type: Any
Port type: Single
Port number: 53
Action Deny

Special applications ports to open for MSN and others :

http://www.practicallynetworked.com/sharing/app_port_list.htm

for Kazaa :

Description: Kazaa out
Protocol: TCP
Direction: Outbound
Remote Address Type: Any
Local Port: Any
Remote Port: 1214
Action: Allow

Description: Kazaa in
Protocol: TCP
Direction: Inbound
Remote Address Type: Any
Local Port: 1214
Remote Port: Any
Action: Allow

Description: Kazaa HTTP
Protocol: TCP
Direction: Outbound
Remote Address Type: Any
RemotePort: 80-83, 443, 1080, 3128, 8080, 8088, 11523
Action: Allow

Rgds,

 

Since I am now using Sygate free version and we are posting screen shots, I thought I would add a few and any of those people using Sygate Pro's advanced features can then chime in at any point.

 

Notice in the screenshot above the grayed out check boxes.
Those sure look like important and cool options to me.

 

The next two screen shots are the application advanced rule sets
configuration area.

 

.

 

.

 

sponge:

I'll add that rule, so I need to block persfw.exe and pfwadmin.exe?

Added the DNS and DHCP ones to, a few other people also said.

LowWaterMark:

I got that rule from:

http://www.blarp.com/faq/faqmanager.cgi?file=kerio_genrules&toc=kerio

So I just added it, thought it would be right if it was in there FAQ

CrazyM:

Will add those.

JacK:

I tried those Kazaa rules but it just won't connect me to Kazaa with them.
It starts asking me to let it connect to loads of different UDP ports and when I deny it doesn't connect me.

 

Also

I'll enable the block everything else rule when I have conigures all my apps.

Another thing though the opened connection window I don't get. Here is a screenshot, what are all them things listening? Should they be listed there?

Black parts ive marked are just covering my IP.